Tuesday, 23 April 2013

New Targeted Attack On Taiwanese Government & Tibetan Activists Open Up a Can Of Worms – GrayPigeon, Hangame & Shiqiang gang

We observed new targeted attacks targeting various personnel with pro-Tibetan views.  The targets? We’ve seen targets at various branches of the Taiwanese government as well as a professor at the Central University Of Tibetan Studies in India.
Taiwan is a logical target since they have a history of accepting Tibetan refugees. Also, the other target is a professor at the Central University Of Tibetan Studies in India—a institution founded by the first Prime Minister of India with the Dalai Lama himself. It was established in 1967 to educate exiled Tibetans and to preserve Tibetan culture and history.
The attackers, called the “Shiqiang gang“[1], show a consistent modus operandi. They use similar remote administration tool (RAT) payloads, stolen certificates, and seem to target anyone pro-Tibetan. The RAT payload in this attack in called “GrayPigeon,” also known as ”Huigezi” in Chinese[2]. It is very popular in the Chinese webspace which indicates that the attackers speak the language. The RAT payload has multiple layers of encryption making it harder to identify.

Attack Vector:
The threat arrives in the form of a targeted email with an XLS attachment. The content  of the emails are as shown below in Figure 1 and Figure 2. The email attempts to draw on the sentiments of the Taiwanese government and activists towards the exiled members of the Tibetan government.
Figure 1

Figure 2
The content of both the emails are similar and roughly translate to:
To friends who care about the Tibetan government-in-exile
Now we publish this for you <<Tibetan government-in-exile offices in the Americas 2013 for the second half the year with detail list requesting for comments>>
Do not distribute this letter and this is only for friends who care about this
Also hope that you can actively participate in our activities in the second half of the year
                   Office of the Tibetan government-in-exile in the Americas
                    Chinese chief liaison officer Gongga Tashi kungatashi

Technical Analysis: How the Attack Works
The attached file in both emails is the same (2010790755b4aca0edc3c50ee8480c0b) When opened, the XLS file exploits CVE-2012-0158 and launches a decoy document as shown in Figure 3. The decoy document contains a ruse as usual and this time it states that Tibetan fonts are missing. In the background, it drops a series of files eventually leading to the launch and execution of 2013soft.dll. This in turn injects a RAT payload in to explorer.exe.
Figure 3
Analysis of Payload:
The main functionality lies within 2013soft.dll (28426ddc3c49635c11a2ee72118e9814) and the subsequent DLL it decrypts and injects in to explorer.exe (05eda4aaa49b2409f52cf2356f4a91db).
On inspection of 2013soft.dll, it is evident that this payload contains a rather large resource section. The MAIN stub in resource section holds large amount of data however it appears to be encrypted.
Figure 4
On dynamic analysis of the payload, it becomes clear that the Main stub eventually decrypts to the final DLL payload. The stub is loaded into memory and decrypted using the loop shown in Figure 5. It operates on 8 bytes of data at a time and uses the 16 bytes key “1234567890ABCDEF”. This, in addition to that fact that it uses the constant value 0x9E3779B9, gives away the algorithm as TEA (Tiny encryption algorithm). The TEA algorithm uses this value as the Delta constant.
Figure 5
It then jumps to the decrypted stub after setting the memory region it resides in as executable. The start of this decrypted MAIN stub contains an XOR decryption loop shown in Figure 6. This decryption loop decrypts the remainder of the stub. Notice how the XOR key “0x27691C” is only 3 bytes in length but the EAX pointer is incremented by 4. This means the first byte in every 4 bytes (little endian) is not subjected to XOR.
Figure 6
You would think we have the payload after two levels of decryption but not in this case. It jumps to another shellcode, which performs a rolling byte XOR decryption using a 4 byte key on the latter part of the stub.
Figure 7
Now we are getting somewhere as we can see an MZ file header interspersed with other characters past the “MinxxxA” marker as shown in Figure 8. This data is then subjected to what appears to be a custom decompression algorithm, following which it is injected into a new instance of explorer.exe
Figure 8
The injected DLL payload is a variant of the RAT called “GrayPigeon“[2] also known as “Huigezi” which is popular in the Chinese web space. It is written in Delphi and contains comprehensive functionality. The RAT uses various Pascal modules [3] such as “TscreenCaptureUnit.pas” and “UnitServices.pas” also widely seen on Chinese forums and associated with this RAT.
It creates a mutex “\BaseNamedObjects\windows!@#$” and sets up startup persistence by adding a registry key “\Software\ts\Explorer\run\2013Soft\run = rundll32.exe C:\WINDOWS\2013soft.dll,Player”. In this case the RAT was observed key logging and storing the data under C:\WINDOWS\2013soft.log along with the corresponding Window names.
It then uses the same TEA (Tiny Encryption algorithm) described earlier to decrypt the address of the command and control server “help.2012hi.hk”. It reuses the key “1234567890ABCDEF” for TEA decryption. It makes a DNS query specifically to Google’s DNS server and it attempts to connect to the resolved server on port 91.
Figure 9
We observed the following outbound communication on port 91.
Figure 10
This GrayPigeon RAT instance we analyzed had extensive functionality and a summary of the features is listed below:
  • Determine Host name and OS version
  • Ability to log keystrokes and mouse events
  • Ability to capture users screen
  • Ability to use Telnet protocol
  • Ability to send and receive files
  • Sniff URL addresses from Internet Explorer and read form values
  • Get list of active services
  • Ability to shutdown/restart etc.
Connection to Shiqiang Gang:
We mined for other samples talking to the same C&C infrastructure and we found two with the md5sums 4e454584403d5521abea98d21ee26f72 and 7de5485b7dd154a9bbd85e7d5fcdbdec which drop Hangame RAT and GrayPigeon RAT respectively. The RAT payloads in these instances also phone home to help.2012hi.hk. This C&C domain was also referenced in a white paper published by Symantec as part of the overall campaign coined the Elderwood project [4]. The campaign in the current instance and related samples are more in line with Tibetan themed attacks on NGOs and Taiwanese officials. The campaign also heavily uses stolen certificates. These have been attributed with the Shiqiang gang as discussed by Snorre Fagerland from Norman[1] and also discussed by Trend [5] and AlienVault [6].
Figure 11
The decoy document associated with 7de5485b7dd154a9bbd85e7d5fcdbdec also has a Taiwanese target as evident from the contents of the document.
Figure 12
Also, both these two variants interestingly have digital certificates in the payload [1]. The certificate for 4e454584403d5521abea98d21ee26f72 is a stolen certificate that has already been revoked.
        Version: 3 (0×2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
            Not Before: Dec  8 00:00:00 2011 GMT
            Not After : Dec  7 23:59:59 2012 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Xuri Weiye Technology Co., Ltd., OU=Digital ID Class 3 – Microsoft Software Validation v2, CN=Shenzhen Xuri Weiye Technology Co., Ltd.
The certificate for 7de5485b7dd154a9bbd85e7d5fcdbdec appears to be modified manually and is invalid.
        Version: 3 (0×2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=CA365, CN=CA365 Free Root Certificate
            Not Before: Oct 23 10:47:29 2010 GMT
            Not After : Oct 23 10:47:29 2011 GMT
        Subject: C=CN, ST=shanghai, L=shanghai, O=International Test User, OU=Market, CN=International Test User
 Hashes of Analyzed Samples:
  • 2010790755b4aca0edc3c50ee8480c0b
  • e0dfe50c38ac7427ba4f3fcf4a35da74
  • f17bbcef66f82552a23fdd494bb20d81
  • 28426ddc3c49635c11a2ee72118e9814
  • 05eda4aaa49b2409f52cf2356f4a91db
  • 4e454584403d5521abea98d21ee26f72
  • 7de5485b7dd154a9bbd85e7d5fcdbdec

Chinese Hackers Take Aim at American Drones

China has its own fairly sophisticated drone program, but that has not prevented the country from being unduly curious about how other countries manage theirs. A sophisticated hacking initiative called Operation Beebus has set its sights on drone programs in both the United States and India, and experts believe that the culprits behind the hacking effort are the notorious Comment Crew — hackers who operate as part of the Chinese military.
The information comes by way of FireEye Labs, a high-profile tech security firm. Since December 2011, hackers have attempted to slip malicious DOC and PDF files into important aerospace, defense and communications machines.
Operation Beebus utilizes the exact same methodology as the Comment Crew: It creates bogus text documents and seeds them with very subtle malware. Later, the Crew can extract sensitive information from a protected system via a backdoor. Although the malware compromises the computers, it does nothing to harm them: Operation Beebus wants information, and likely won't risk damaging its prize.
The backdoor pretends to be software from Google or Microsoft, which renders it hard to detect, especially since it does not harm users' computers in any way. Once in place, the backdoor allows alien IP addresses access to private files.

If the Comment Crew is indeed responsible, it's hard to say what the group's ultimate goal is. The organization has been fairly broad in choosing targets. It has attempted to hack into vital systems in companies that produce drones, as well as academic institutes with military funding that research the devices.
The Comment Crew is also interested in more than just drones. In 2012, it targeted North American and Spanish energy companies to learn about their automation processes. The group has also hacked the New York Times database to learn about sources for a damning exposé on the Chinese prime minister, and tried to shut down Tibetan activist websites. The Comment Crew typically seeks protected information, opting for outright harassment less frequently.
Most of the DOC and PDF files are unreadable nonsense, intended only to spread malware. However, one document provides a key misdirection: an analysis of a potential Pakistani drone program, purportedly penned by one Aditi Malhotra. Malhotra is a real person, and an expert not only on drone warfare, but also on the links between the Chinese and Pakistani militaries.
&lt;p&gt;Your browser does not support iframes.&lt;/p&gt;
Whether Malhotra actually wrote the document is difficult to say, and it's highly unlikely that she would identify herself so brazenly if she were involved in the attacks. Furthermore, Malhotra is Indian: Indemnifying herself through an attempted hack on her own government would be counterproductive. Although the attacks are veiled in Pakistani garb, FireLabs asserts, responsibility still likely lies with China.
Everyday users don't have much to worry about from Operation Beebus, since it has only targeted major players in the drone industry. Even so, avoiding strange attachments is always sound advice. If you're a member of the DIY drone community, keep an eye out for emails from unfamiliar senders, as well.
Operation Beebus wants some very specific information and likely has nothing good planned for it. Hijacking drones may not be commonplace just yet, but that capability could raise some serious questions about widespread drone use.

Source Tech news Daily

Twitter Malware: Spreading More Than Just Ideas

News, blogs, opinions – Twitter is one of the most popular social networks for spreading ideas. It has revolutionized the way millions of people consume news. With 288 million active users, Twitter is the world's fourth-largest social network. So it’s no surprise that Twitter is also being used for spreading malware.

Trusteer researcher Tanya Shafir has recently identified an active configuration of financial malware targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market.  However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry.   
The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim. 
Here is an excerpt from the injected Javascript code:
Here are some examples of the tweets posted by the malware from victim accounts. (Tweets containing explicit content were omitted from this blog post).
Original text (in Dutch): 
"Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris"
(English translation: "Our new King William will earn even more than Beatrix. Check his salary")
Original text (in Dutch):
"Beyonce valt tijdens het concert van de superbowl, zeer funny!!!!"
(English translation: "Beyonce falls during the Super Bowl concert, very funny!!!!")
Original text (in Dutch): 
"topman [Dutch Bank] gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken... zie"
(English translation: "CEO of [Dutch Bank] is off with our millions!! The minister is inspecting again... see". We have removed the Bank’s name from the original tweet)
The tweets include the following malicious links (all appear to be inactive at the moment):
Trusteer researchers found these texts in multiple Twitter posts indicating that this attack has been successful at ensnaring victims.
Protecting users and enterprise endpoints from this attack
This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguises the underlying URL address, so that followers have no way of knowing if the link is suspicious.
While Trusteer did not inspect the URLs involved, it is quite possible that these URLs lead to malicious webpages. If so, when the browser renders the webpage’s content an exploit can silently download the malware to the user’s endpoint (a drive-by download).
This type of attack increases the need for enterprise exploit prevention technology: By blocking the exploitation of vulnerable endpoint user applications, like browsers, and preventing the malware download, exploit prevention technology stops the attack and prevents the malware from spreading and infecting more users. External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted. Such content should only be opened while monitoring the application state to ensure it is operating legitimately. Stateful Application Control should be used for analyzing what the application is doing (operation) and why it is doing it (state), to determine if an application action is legitimate or malicious