AlexWatson

Websense Security Labs™ researchers have discovered a widespread cybercrime campaign utilizing the Mevade malware that appears to be originating from Russia and Ukraine and primarily targeting the business services, government, manufacturing, and transportation sectors in the US, UK, Canada, and India.

In this post we analyze the malware, command and control characteristics, and attack infrastructure used in this campaign.

 

Executive Summary

Websense research performed on 3rd party feeds indicates that this campaign has infected hundreds of organizations and thousands of computers world-wide and appears to be used for a variety of purposes, including redirecting network traffic and click fraud, as well as search result high-jacking. However, the extensible Mevade malware provides a very capable mechanism for data theft through reverse proxying capabilities. Websense customers are protected against attacks such as this at multiple stages of the attack cycle, including attack infrastructure and C2 protocol.

• Websense Labs researchers have observed a massive cyber campaign that appears to have originated from Russia and the Ukraine beginning around July 23, 2013, and that continues today
• Targeted industries include: Business Services, Government, Manufacturing, and Transportation
• Targeted countries include: USA, United Kingdom, Canada, and India (among others)
• The malware analysis of Mevade below shows use of a reverse proxy capability (similar to Shylock), indicating a very flexible dropper that is well suited to rerouting network traffic, targeted theft of information, and facilitating lateral movement through target networks by creating a network-level backdoor
• We have observed the command and control infrastructure, detailed below, hosting malware and exploits such as CVE-2012-4681, dating back to August 2012
• We have observed links with this campaign’s malware (7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC) are associated with the large spike in Tor (Onion Router) which was presumably providing anonymity for the cyber criminals C&C servers in August 2013
• The heavy use of attack infrastructure (C2 servers) located in Ukraine and Russia and Mevade malware links this group to a potentially well-financed cyber-crime gang operating out of Kharkov, Ukraine and Russia

Special thanks to Websense Labs Researchers Jack Rasgaitis and Gianluca Giuliani for their contributions to this report.

 

Targeted Industries

 

Targeted Locations vs. Command and Control Infrastructure

 

 

Malware Callbacks

The malware calls back with GET requests of the following example format: 

 

• http://updsvc.net/updater/3ad219fe94fbcaba3687c5298358998d/2

 

A signature can be built with /updater/[32 random characters]/[1 or 2]

Examples:

 

• /updater/28d949f1d82631dac4539d5d1ac21d6c/2
• /updater/5eafaed947ea36a0ccec58e788a77b35/2
• /updater/389b71b07d4d376a70952a1b1c571d68/2
• /updater/01e8d75a7a368f854bcef52136985092/2
• /updater/660c989f210fd7027085731478ab5922/2
• /updater/fbd1375f6a9049ad9dbd0e0a38be4a8a/2
• /updater/5122379f40e7431638125d6ee939827c/2
• /updater/cd9d21a004c3a578ac0da997193315be/2
• /updater/43028ea498e6ec76f5b69d47f0ede71e/2
• /updater/5f3f651c20e5bfd5ddab74536ddb3b7b/2
• /updater/bae58af607a8c88c08b9843aaec0327f/2

 

Domains being used for command and control:

 

• service-stat.com
• updservice.net
• autowinupd.net
• autoavupd.net
• service-update.net
• full-statistic.com
• service-statistic.com
• stetsen.no-ip.org
• autodbupd.net
• automsupd.net
• titanium.onedumb.com
• statuswork.ddns.info
• fullstatistic.com
• service-statistic.com
• autosrvupd.net
• full-statistic.com
• fullstatistic.com
• service-update.net
• storestatistic.com
• updsvc.net
• fullstatistic.com
• reservestatistic.net
• srvupd.com
• automsupd.net
• stotsin.ignorelist.com
• autosrvupd.net
• autosrvupd.net
• reserve-statistic.com
• autodbupd.net
• workstat.hopto.org
• service-statistic.com
• full-statistic.com
• srvupd.com
• updsvc.net
• automsupd.net
• autosrvupd.net
• assetsstatistic.com
• assetsstatistic.com
• assetsstatistic.com
• srvupd.com
• updsvc.net
• reserve-statistic.com
• reserve-statistic.com
• autodbupd.net
• fullstatistic.com
• reservestatistic.net
• reserve-statistic.com
• srvupd.com
• updsvc.net
• fullstats-srv.net
• stats-srv.com
• fullstats-srv.com
• statssrv.com
• reserv-stats.net
• reserv-stats.com
• pushstatistics.com
• stats-upd.net
• reservstats.com
• push-statistics.net
• push-stats.net
• push-stats.com
• fullstatistic.com

 

Interestingly, most of the domains above are registered with the following contact email address: gmvjcxkxhs@whoisservices.cn contact info: “Whois Privacy Protection Service|Whois Agent”, which indicates a single service was used to register these domains. A quick search of our domain registration database indicates that over 7,000 domains have been registered using this service. 

The majority of Command and Control related IP addresses can be attributed back to the following ASN:

AS44050

Country: RU

Registration Date: 2007-11-09

Registrar: ripencc

Owner: PIN-AS Petersburg Internet Network LLC

 

Malware Analysis

 

• Malware sha1=7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC Size=369152
• Historically seen hosted at: hxxp://service-stat.com/attachments/v4_sl.exe

 

Microsoft first detected this malware as Mevade.A on July 2, 2013.

 

Static Analysis of Malware (SHA1 7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC)

As you can see below, the malware is using an integrated services language based on SQL, called WQL (SQL for Windows Management Interface). Below you can see a snippet of code that queries the target system’s database to learn the security settings.

 

 

Here is the direct WQL query to the Windows Management Interface to learn more about installed AntiVirus.  

 

 

The malware authors were kind enough to leave us a list of AV engines that they were attempting to detect.

 

 

Interestingly, the malware attempts to detect the existence of the “Sandboxie” tool commonly used by researchers to analyze malware. Below is a check executed by the malware for the presence of Sandboxie DLLs.

 

 

Below, we see a direct check executed by the malware to search for Oracle/Sun VirtualBox services.

 

 

AV and Security checks complete, install the malware service…

The malware contains a “Resources” section that is used by the code as shown below.

 

 

This confirms our suspicion that the software we have analyzed so far is a loader program to install the malware service.

 

 

The obfuscated code below is used to confirm that the security checks above executed correctly.

 

Once the security checks have been validated and the resources section properly decoded, the loader attempts to install the malware as a service. Below is the sequence of functions offered by the installer.

 

Interestingly, the buffer below contains references to the “3proxy” open source proxy software that we have previously seen associated with the Shylock/Caphaw malware.

 

 

3proxy is a tiny proxy which can be installed on Windows-based systems (hxxxp://www.3proxy.ru/) .  More information about 3proxy below. 

 

 

Why Embed 3proxy in Malware?

A lightweight proxy such as 3proxy provides functionality in advanced malware to allow attackers to tunnel traffic directly through the malware and directly onto a target network. In these cases, the Proxy is configured as a reverse proxy, with the ability to tunnel through NAT (Network Address Translated) environments to create a connection to the attacker’s infrastructure and initiate a backdoor directly into the target network (in this case, using SSH over port 443). The use of reverse proxies indicates that the cyber-criminals plan to manually scan a network and move laterally towards more critical apps and information (such as databases, critical systems, source-code, and document repositories) than might exist on the original machine that has been compromised. 

Details on Shylock’s use of 3proxy:

 

• Shylock malware to the 3proxy.ruP: Pray Before You Buy With Shylock  http://baesystemsdetica.blogspot.co.uk/2013/03/pray-before-you-buy-with-shylock.html

 

Historical Similarities

IP addresses associated with the Command and Control domains above have been associated with hosting the Java 0-day CVE-2012-4681 in August, 2012.

 

• http://malware.dontneedcoffee.com/2012/08/java-0day-cve-2012-4681-update.html

Malware sample associated with the recent spike in Tor (Onion Router) traffic observed in September 2013

 

• http://blogs.technet.com/b/mmpc/archive/2013/09/25/mevade-and-sefnit-stealthy-click-fraud.aspx

Websense Security Labs™ Websense ThreatSeeker® Intelligence Cloud has discovered that attacks utilizing the most recent Internet Explorer zero-day (CVE-2013-3893) are more prevalent than previously thought.  In this write up we shall analyze the exploit code and perform analysis on the dropped malicious file.

 

Executive Summary

• We have seen the CVE-2013-3893 exploit targeting
  Japanese firms in the financial industry hosted on a Taiwanese IP
  address.
• Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicates that the attacks from this threat actor are not just limited to Japan.
• Commonalities in C&C infrastructure, domain registrations, exploit techniques and malware link this threat actor to the Operation DeputyDog and Hidden Lynx attack crew.
• This alleged hackers-for-hire crew has committed ongoing attacks against businesses, stealing vital information, allegedly dating back to 2009.
• Our telemetry indicates that these attacks have enough variations to indicate that different high-profile attack teams may be using the same tool sets.
• Websense has protected our customers from the CVE-2013-3893 exploit observed in the wild using real-time analytics that have been in place for nearly three years.

 

A Reminder…

In our previous post (Up to 70% of PCs Vulnerable to Zero-Day: CVE-2013-3893) we covered a remote code execution vulnerability (CVE-2013-3893) that exists across all versions of Internet Explorer. This vulnerability exploits the way that Internet Explorer accesses an object in memory that has been deleted or not properly allocated, allowing an attacker to execute arbitrary code affecting current users with Internet Explorer.

An exploit leveraging this vulnerability was first discovered in very targeted attacks located in Japan. First disclosed in a Wepawet security advisory on August 29th, 2013, Microsoft released a security advisory (KB2887505) providing details on the vulnerability and a Fix-It solution on September 17th, 2013. Websense researchers reviewed our third-party telemetry feeds to determine the potential attack surface and risk associated with this exploit, and determined that nearly 70% of Windows-based PCs are vulnerable. While the vulnerability can theoretically affect all versions of Internet Explorer, the exploit is targeting only users of IE8 and IE9 who are running the Windows 7 and XP operating systems.

The Exploit

On September 25th, 2013, at 00:39 PST, Websense real-time security analytics stopped an exploit against one of our customers (a major financial institution based in Japan) leveraging CVE-2013-3893 being hosted on a Taiwanese IP address (220.229.238.123). The exploit was hosted at the following URL (hxxp://220.229.238.123/tn/images/index.html). It is worth noting that in addition to specific analytics designed to stop this exploit, three different Websense real-time analytics protected our customers from this threat dating back for more than 3 years.

Below is a screenshot of the Exploit code for CVE-2013-3893 that is hosted on the Taiwanese IP (220.229.238.123). It is interesting that the JavaScript exploit is not obfuscated and is delivered in clear-text, while the shell code and dropper discussed below are both obfuscated.

 

 

Screen shot of the exploit’s obfuscated shell-code:

 

 

We were quickly able to recover the XOR key (9F) and de-obfuscate the shellcode with a clear-text  attack to reveal the dropper file. While the delivery mechanisms are very similar, it is interesting to note that the URI path, IP address and image file names are different than those noted in the analysis of the Operation DeputyDog attacks, as this shell code attempts to drop “./tn/logo.jpg” from the IP address (220.229.238.123).

Analysis of the JPG file, when XORed with 0x95 reveals an executable titled “runrun.exe” (38db830da02df9cf1e467be0d5d9216b):

 

 

A clear-text attack on the logo.jpg file revealed that it is actually a Windows executable (when XORed with 0x95) with the following attributes:

$ time ~/obfuscation/xray.pl logo.jpg 

Opening file: “logo.jpg”

  94BC: [^95] “runrun.exe”

  782C: [^95] “user32.dll”

  79D6: [^95] “KERNEL32.dll”

  7A14: [^95] “ADVAPI32.dll”

    E0: [^95] “PE”

    4D: [^95] “!This program cannot be run in DOS mode.”

  776C: [^95] “Microsoft Visual C++ Runtime Library”

  7C76: [^95] “GetProcAddress”

Network Analysis

The runrun.exe immediately performs a DNS lookup for login.momoshop.org

 

 

Next, runrun.exe initiates an HTTPS connection handshake to login.momoshop.org (210.17.236.29), which is terminated by the server. For some reason, the client never sends a SYN/ACK to continue the HTTPS handshake. More on this when we finish reversing the malware. 

 

 

Interestingly, momoshop.org was registered on March 16, 2013, by the registrant listed above. This domain is unusually old (6 months) in the context of the other C&C domains that we have seen associated with the malware and that were registered just days before the attacks.

 

Telemetry Data

Websense Labs researchers are currently confirming telemetry from the ThreatSeeker network with possibly compromised Taiwanese hosts communicating to the C&C server (180.150.228.102) associated with malware variants (8aba4b5184072f2a50cbc5ecfe326701 and bd07926c72739bb7121cec8a2863ad87) dating back to July 1st, 2013, indicating that attacks from the threat actor identified in the Operation DeputyDog report may have started earlier than previously thought and may not be limited only to Japan.  More on this soon.

 

Conclusion

1. We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry, being hosted on a Taiwanese IP address (hxxp://220.229.238.123/tn/images/index.html) as of September 25th at 00:39 PST.

2. Websense has three real-time analytics (one has been in place for nearly three years) that blocked the CVE-2013-3893 exploit from compromising customers.

3. ThreatSeeker Intelligence Cloud reports a potential victim organization in Taiwan attempting to communicate with the malicious C&C server (180.150.228.102) associated with the CVE-2013-3893 exploit as early as July 1st, 2013.

4. The C&C server above can be associated with the Bit9 compromise. The contact email address 654@123.com was used to register the domain blankchair(dot)com which points to the malicious C&C server (180.150.228.102). The same email address was used to register a C&C server downloadmp3server(dot)servemp3(dot)com (66.153.86.14) associated with the Bit9 attacks.  

5. Websense Threat Intelligence indicates that the threat actor’s attacks were not limited only to Japan as previously reported. The use of separate IP addresses, domain registrations, and permutations to dropper locations indicates a high degree of segmentation between attacks and different teams using the same tool sets, exploits and C&C infrastructure.

 

The real-time analytics deployed in ACE (our Advanced Classification Engine) were able to detect and stop the attack above at three stages independent of the zero-day exploit (CVE-2013-3893) for which we had built specific protection. These analytics were able to detect the techniques used to deliver and obfuscate the exploit and malware, protecting our customer from being compromised. This is a great example of how offering protection from multiple stages of an attack can stop even highly targeted, low volume threats with cutting edge exploits.