Taiwan is a logical target since it has a history of accepting Tibetan refugees. The other target is a professor at the Central University of Tibetan Studies in India, an institution founded by the first Prime Minister of India together with the Dalai Lama himself. It was established in 1967 to educate exiled Tibetans and to preserve Tibetan culture and history.
The attackers, called the “Shiqiang gang” [1], show a consistent modus operandi. They use similar remote administration tool (RAT) payloads and stolen certificates, and appear to target anyone pro-Tibetan. The RAT payload in this attack is called “GrayPigeon,” also known as “Huigezi” in Chinese [2]. It is very popular in the Chinese-language web, which indicates that the attackers speak the language. The RAT payload has multiple layers of encryption, making it harder to identify.
Attack Vector:
The threat arrives in the form of a targeted email with an XLS attachment. The content of the emails is shown below in Figure 1 and Figure 2. The email attempts to draw on the sentiments of the Taiwanese government and activists towards the exiled members of the Tibetan government.
Figure 1
Figure 2
To friends who care about the Tibetan government-in-exile
Now we publish this for you <<Tibetan government-in-exile offices in the Americas 2013 for the second half the year with detail list requesting for comments>>
Do not distribute this letter and this is only for friends who care about this
Also hope that you can actively participate in our activities in the second half of the year
Office of the Tibetan government-in-exile in the Americas
Chinese chief liaison officer Gongga Tashi kungatashi
Technical Analysis: How the Attack Works
The attached file in both emails is the same (2010790755b4aca0edc3c50ee8480c0b). When opened, the XLS file exploits CVE-2012-0158 and launches a decoy document, as shown in Figure 3. The decoy document contains the usual ruse; this time it states that Tibetan fonts are missing. In the background, it drops a series of files, eventually leading to the launch and execution of 2013soft.dll, which in turn injects a RAT payload into explorer.exe.
Figure 3
The main functionality lies within 2013soft.dll (28426ddc3c49635c11a2ee72118e9814) and the subsequent DLL that it decrypts and injects into explorer.exe (05eda4aaa49b2409f52cf2356f4a91db).
On inspection of 2013soft.dll, it is evident that this payload contains a rather large resource section. The MAIN stub in the resource section holds a large amount of data, which appears to be encrypted.
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8
It creates a mutex “\BaseNamedObjects\windows!@#$” and sets up startup persistence by adding the registry key “\Software\ts\Explorer\run\2013Soft\run = rundll32.exe C:\WINDOWS\2013soft.dll,Player”. In this case the RAT was observed logging keystrokes and storing them under C:\WINDOWS\2013soft.log along with the corresponding window names.
It then uses the same TEA (Tiny Encryption Algorithm) routine described earlier to decrypt the address of the command and control server, “help.2012hi.hk”, reusing the key “1234567890ABCDEF” for TEA decryption. It resolves the name by querying Google’s DNS server 8.8.8.8 directly and then attempts to connect to the resolved server on port 91.
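The TEA step above, as an added example that is not code from the original post or from the malware: standard TEA (32 rounds, delta 0x9E3779B9, little-endian 32-bit words, zero padding) with the reported key, used to recover the C2 hostname from an encrypted configuration blob. Because the page does not include the raw encrypted bytes, the sample blob is constructed here by encrypting the known hostname, and the RAT's exact TEA variant (word order, round count, padding) is an assumption that an analyst would confirm against the sample.

```python
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
ROUNDS = 32                   # standard TEA round count; assumed for this sample
KEY = b"1234567890ABCDEF"     # key the report says is reused for the C2 string

def tea_encrypt_block(v0, v1, k):
    """One 64-bit block; k is the 128-bit key as four 32-bit words."""
    k0, k1, k2, k3 = k
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: same rounds, key schedule run backwards."""
    k0, k1, k2, k3 = k
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1

def _ecb(data, key, block_fn):
    """Apply block_fn to each 8-byte block (ECB, zero padding, little-endian words)."""
    k = struct.unpack("<4I", key)          # raises if the key is not 16 bytes
    data += b"\0" * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    return bytes(out)

def tea_encrypt(data, key=KEY):
    return _ecb(data, key, tea_encrypt_block)

def recover_c2(blob, key=KEY):
    """Decrypt an encrypted config blob and strip the zero padding."""
    return _ecb(blob, key, tea_decrypt_block).rstrip(b"\0").decode("ascii", "replace")

# Constructed sample (not the real blob): the reported hostname encrypted with the reported key
SAMPLE_BLOB = tea_encrypt(b"help.2012hi.hk")

if __name__ == "__main__":
    print(SAMPLE_BLOB.hex(), "->", recover_c2(SAMPLE_BLOB))
```

If the real sample's output looks like garbage with this routine, the first things to vary are the word byte order and the round count, since GrayPigeon-family builds are not guaranteed to use textbook TEA.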
We observed the following outbound communication on port 91.
Figure 10
Capabilities of the RAT payload include:
- Determine host name and OS version
- Log keystrokes and mouse events
- Capture the user's screen
- Use the Telnet protocol
- Send and receive files
- Sniff URL addresses from Internet Explorer and read form values
- Get the list of active services
- Shut down or restart the host, etc.
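As an added example (not from the original post), triage logic run over constructed log events that looks for the network behaviour described above: a DNS query sent directly to 8.8.8.8, a lookup of help.2012hi.hk, and an outbound connection on port 91, with a per-host severity that weights the combination more heavily than any single indicator. The event format and the sample hosts are assumptions; the domain, the resolver and the port are the ones reported.

```python
from collections import defaultdict

C2_DOMAIN = "help.2012hi.hk"      # C2 hostname reported above
C2_PORT = 91                       # C2 port reported above
PUBLIC_RESOLVERS = {"8.8.8.8"}     # the RAT queries Google's DNS directly

# Constructed sample events (assumed format, not from the original post):
#   kind  src  dst  dst_port  detail   (detail = query name for dns, proto for conn)
SAMPLE_EVENTS = [
    "dns  10.0.0.15 8.8.8.8      53  help.2012hi.hk",
    "conn 10.0.0.15 203.0.113.7  91  tcp",
    "dns  10.0.0.22 10.0.0.2     53  www.example.org",
    "conn 10.0.0.22 203.0.113.9  443 tcp",
    "conn 10.0.0.31 198.51.100.4 91  tcp",
]

def host_indicators(events):
    """Map each internal source host to the set of indicators it triggered."""
    hits = defaultdict(set)
    for line in events:
        kind, src, dst, port, detail = line.split()
        if kind == "dns":
            if detail.lower().rstrip(".") == C2_DOMAIN:
                hits[src].add("c2_domain_lookup")
            if dst in PUBLIC_RESOLVERS:
                hits[src].add("direct_external_dns")   # bypasses the internal resolver
        elif kind == "conn" and int(port) == C2_PORT:
            hits[src].add("outbound_port_91")
    return dict(hits)

def classify(indicators):
    """The domain alone is conclusive; the resolver-bypass plus port-91 pair is a
    strong combination; a single behavioural indicator only warrants a look."""
    if "c2_domain_lookup" in indicators:
        return "high"
    if {"direct_external_dns", "outbound_port_91"} <= indicators:
        return "high"
    return "low"

def triage(events):
    """Severity for every host that triggered at least one indicator."""
    return {host: classify(ind) for host, ind in host_indicators(events).items()}

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity, sorted(host_indicators(SAMPLE_EVENTS)[host]))
```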
We mined for other samples talking to the same C&C infrastructure and found two, with MD5 hashes 4e454584403d5521abea98d21ee26f72 and 7de5485b7dd154a9bbd85e7d5fcdbdec, which drop the Hangame RAT and the GrayPigeon RAT respectively. The RAT payloads in these instances also phone home to help.2012hi.hk. This C&C domain was also referenced in a white paper published by Symantec as part of the overall campaign coined the Elderwood project [4]. The campaign in the current instance and the related samples are more in line with Tibetan-themed attacks on NGOs and Taiwanese officials. The campaign also heavily uses stolen certificates. These have been attributed to the Shiqiang gang, as discussed by Snorre Fagerland from Norman [1] and also by Trend [5] and AlienVault [6].
Figure 11
Interestingly, both of these variants also carry digital certificates in the payload [1]. The certificate for 4e454584403d5521abea98d21ee26f72 is a stolen certificate that has already been revoked.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            38:93:f1:3d:d3:9f:e0:88:fd:f5:4e:e0:08:ae:38:e1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Dec  8 00:00:00 2011 GMT
            Not After : Dec  7 23:59:59 2012 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Xuri Weiye Technology Co., Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=Shenzhen Xuri Weiye Technology Co., Ltd.
The certificate for 7de5485b7dd154a9bbd85e7d5fcdbdec appears to have been modified manually and is invalid.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:fe:4b:0a:55:23:56:65
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=CA365, CN=CA365 Free Root Certificate
        Validity
            Not Before: Oct 23 10:47:29 2010 GMT
            Not After : Oct 23 10:47:29 2011 GMT
        Subject: C=CN, ST=shanghai, L=shanghai, O=International Test User, OU=Market, CN=International Test User