Recently, we came by an interesting targeted attack which was evading most antivirus products. This is a recent spearphish targeting various Tibetan and human rights activists. It demonstrates the level of effort put into infiltrating their groups with some unique characteristics, relative to the many other exploits targeting CVE-2012-0158. Here’s how such e-mails appear:
Interestingly, the Democratic Party of HK is another group whose web servers we discovered were compromised and unknowingly spreading APT-related exploits and backdoors, targeting its politically motivated visitors. We previously wrote about it here.
The attachment was delivered to a long list of Tibetan community members, activists, and human rights supporters, sent from the spoofed account of another Tibetan activist, an address that oddly was exposed in the breached database from the Stratfor incident. No person's name was ever associated with that user account in the exposed Stratfor database, so at this point we don't know how well the attackers know the Tibetan community. On the technical side of things, there are some interesting characteristics to this 266 KB attachment, which is a normal size for a lot of the spearphish we see. The file is an exploit posing as a Word document, targeting buggy code in mscomctl.ocx, known as CVE-2012-0158. Once Word opens the file, the application parses the command words and finds that it should load the MSComCtl ListView ActiveX control. However, the file content that forces the desired control flow is unlike the Metasploit PoC that almost all CVE-2012-0158 exploits exhibit. First off, the file header does not represent the extremely common RTF implementation of the exploit, which looks like this:
Instead, the entire file is implemented as a single OLE stream .doc file. Here is the very start of the file signifying the file type. This type of content is unusual for the CVE-2012-0158 spearphish we have seen to this point:
This file type implementation appears to be unique to this exploit. These guys aren't depending on Metasploit or the COTS exploit kits for their development. Because a number of scanners were looking for embedded objects or OLE streams alongside the \object and \objocx command words, many could skip over this implementation entirely.
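To illustrate the detection gap described above, here is an added triage routine (not code from the original post) that classifies an attachment by its container header and looks for a reference to the MSComctl ListView control in either an RTF or an OLE compound file, so that a rule keyed only on RTF command words does not miss the single-OLE-stream variant. The ProgID marker string and the two sample inputs are assumptions constructed for illustration.

```python
# Added example: container-aware triage for CVE-2012-0158 style attachments.
# Marker strings and samples below are constructed for illustration.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
RTF_MAGIC = b"{\\rtf"
RTF_OBJECT_WORDS = (b"\\objocx", b"\\object", b"\\objdata")
# ProgID fragment assumed to reference the vulnerable ListView control.
CONTROL_MARKERS = ("MSComctlLib.ListViewCtrl",)


def classify_container(data: bytes) -> str:
    """Return 'rtf', 'ole' or 'unknown' from the file header alone."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def find_control_markers(data: bytes) -> list:
    """Search for the control ProgID as ANSI and as UTF-16LE (OLE streams use both)."""
    hits = []
    for marker in CONTROL_MARKERS:
        for enc in ("ascii", "utf-16-le"):
            if marker.encode(enc) in data:
                hits.append(f"{marker} ({enc})")
    return hits


def triage(data: bytes) -> dict:
    """Flag a control reference in either container, not just RTF with \\objocx."""
    container = classify_container(data)
    rtf_words = [w.decode() for w in RTF_OBJECT_WORDS if w in data]
    markers = find_control_markers(data)
    suspicious = bool(markers) and container in ("rtf", "ole")
    return {"container": container, "rtf_object_words": rtf_words,
            "control_markers": markers, "suspicious": suspicious}


# Constructed samples: the common RTF form and a minimal OLE-header form.
RTF_SAMPLE = (b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
              b"{\\*\\objdata 01050000020000001100}}}")
OLE_SAMPLE = (OLE_MAGIC + b"\x00" * 24
              + "MSComctlLib.ListViewCtrl.2".encode("utf-16-le") + b"\x00" * 16)

if __name__ == "__main__":
    for name, sample in (("rtf", RTF_SAMPLE), ("ole", OLE_SAMPLE)):
        print(name, triage(sample))
```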
When the file opens and execution proceeds to the vulnerable code causing the stack overflow, ecx is set to 0xc00 (3,072 bytes), a much tighter size than almost all of the other exploit code out there. Unlike almost all the other exploit code, this shellcode stub requires no NOP sled whatsoever. However, just like all the other code out there, the exploit returns into the middle of an instruction in mscomctl.ocx to custom-make a jmp esp instruction and pivot into its shellcode stub. The stub itself is fairly common, setting up the stack and then decoding the remaining 2k bytes of the shellcode blob with an xor 0x70 loop – another simple obfuscation trick to stymie static analysis.
The code then locates the PEB and walks the loaded module list, identifying the memory location of the first entry in that list. This location is used later for API lookups, avoiding calls to GetProcAddress from unusual memory locations (another evasion aimed at anti-malware hooks).
Calls to the shellcode's import address resolution function are interspersed with calls to the loaded module base address locator function. Here it copies the “shlwapi.dll” string to the stack and pushes its pointer onto the stack for a LoadLibraryA call:
The ImportHashAddressResolution function is a custom implementation of GetProcAddress used to resolve the addresses of Win32 API functions. Oddly, some of these functions include CreateFileMapping, MapViewOfFile, and ImageHLP.ResolveRVAtoVA. These are unusual calls to implement in order to load libraries and locate functions without using the commonly used API calls. When the exploit finally creates Ax.tmp (f3219d66e36924ded709fe0da1d5d2c8 – Kaspersky “Backdoor.Win32.Agent.cjqi”) in %temp%, it decrypts the file content in memory with a simple “xor – ror” loop prior to writing the file out to disk. These simple loops help to hide malicious executable content without appearing too suspicious.
The last of the evasive techniques embedded in the exploit is a jump to two instructions past the normal entry of kernel32.WinExec, skipping the function preamble altogether. A number of behavior-based security products implement user-mode hooks on functions like WinExec and ShellExecute, and this jump hops over such hooks entirely.
In conclusion, it seems the exploit development teams behind some of these APT attacks are slowly upping their skills and their game, working hard to avoid detection by AV products. At the moment, the CVE-2012-0158 attacks are the most popular; however, we expect the recently discovered IE 0-days to replace them soon.
We will further detail the dropped backdoor and related communications in an upcoming post.