The VOHO Campaign - ROOTCON 7 talk (slide transcript)

Post on 01-Jun-2020


The VOHO Campaign: An In-Depth Analysis

Christopher C. Elisan, Principal Malware Scientist

RSA NetWitness

Agenda

• About Me
• About Us
• VOHO Campaign
• Questions and Answers

About Me

• Principal Malware Scientist – RSA NetWitness
• Author of “Malware, Rootkits & Botnets: A Beginner’s Guide” (bit.ly/mrbbook)
• Past Adventures
  – Damballa (2009-2012)
  – F-Secure (2006-2009)
  – Trend Micro (1998-2006)

• @Tophs

Christopher C. Elisan

About Us

Advanced Threat Research & Intelligence

• Established in April, 2012
• HQ Reston, Virginia with a Global Scope and Representation
• Heritage dating back to the late 1990s featuring a ‘who’s who’ of researchers
• Elite, highly skilled team focusing on the following areas:
  – Malicious code & content analysis
  – Threat research & ecosystem analysis
  – Automation expertise
• Focused on the threat ecosystem and profiling threat actors
• Mission:
  – To provide RSA NetWitness customers covert tactical and strategic threat intelligence on advanced threats & actors

Attribution: Who Was Behind VOHO

• Got this question a lot…
• Attribution is difficult:
  – Botnets
  – Registrar/Registry non-cooperation (I’m looking at you ICANN :) )
  – Anonymization services: TOR, Proxy, VPN
  – DHCP
  – Virtual Machine Images
• We have some very sound ideas…

VOHO Campaign

• VOHO – June/July 2012 by RSA FirstWatch
• Initially confused with Elderwood (similar MO ‘waterholing’; different infrastructure)
• iSight Partners referred to it as part of the ‘Mourdour’ Trojan campaign
  – Some shared infrastructure
• Multistage Campaign
  – Redirection
• Heavy dependency on JavaScript on two specific domains for the majority of promulgation
• Leverages the “Water Hole” technique heavily
  – TOO → TOI → Compromise → Exploitation → Enumeration → Exfiltration → Promulgation

VOHO Campaign

• VOHO Campaign focused heavily on:
  – Geopolitical targets (especially useful in redirection/promulgation to exploit sites)
  – Defense Industrial Base (DIB)
  – High concentrations of activity noted from a geointelligence perspective in:
    • Boston, Massachusetts
    • Washington, D.C. and NOVA
    • Northeastern New Jersey and New York City

VOHO Campaign

[Diagram: “Watering Hole” Pivot Sites]
• Political Activism
• Defense Industrial Base
• Metro Boston • Financial Svcs
• Metro Washington, DC • Government • Education

C2 & Covert Channel Communications Paths

• There were several IP addresses of note in this campaign
• We didn’t publish them all in our public paper due to continued research on the campaign and associated campaigns
• Here is a list of C2, Controller Channels, and associates
  – 58.64.155.59 (gh0st RAT C2)
  – 58.64.155.57 (gh0st RAT C2)
  – 58.64.143.245 (gh0st RAT C2)
  – 58.64.158.111 (gh0st RAT C2)
  – 64.26.174.74 (www.torontocurling.com)
  – 134.255.242.47 (VOHO gh0st Controller)
  – 113.10.180.163 (www.goophone.hk)*
  – 113.10.103.170 (“starhub” South Korean broadband)
  – 113.10.113.39 (“starhub” South Korean broadband)

VOHO Campaign

Phase I

• Iframe.js
  – Iframe.js checks if the visiting machine is running a Windows OS and Internet Explorer. It also sets a cookie value (presumably to track individual visits). If the visiting machine is running a Windows operating system and Internet Explorer, it forwards to module.php.
• Module.php
  – Module.php uses a simple redirection script to redirect the browser to Engine.js
• Engine.js
  – Engine.js looks for processes related to the following antivirus engines using an older vulnerability in Internet Explorer (CVE-2007-4848) that allows local file enumeration.
    • Trend Micro
    • McAfee
    • Symantec

VOHO Campaign

xKungFoo Script

VOHO Campaign

• If.htm
  – Checks if the visiting host’s user agent reflects one of the following:
    • Unknown
    • Windows XP
    • Windows 2003
    • Windows Vista
    • Windows 7
  – Checks if the visiting host’s language settings are:
    – English
    – Chinese
    – French
    – German
    – Japanese
    – Portuguese
    – Korean
    – Russian
• Enblue.htm
  – Enblue.htm uses the CVE-2012-1889 XML vulnerability to compromise the visiting browser, which results in a pull and installation of the gh0st RAT malware.
  – This script also appears to be code reuse of a script seen on pastebin as follows:
  – http://pastebin.com/VfmuhEiq
• Book.cab
  – Book.cab, the final payload, is an obfuscated executable which, when de-obfuscated using XOR 95, is the gh0st RAT sample named “vptray.exe” (e6b43c299a9a1f5abd9be2b729e54577)

VOHO Campaign

Phase II - Exploit Chain – Sun Java

• Phase II of this campaign was observed July 16-18th, 2012, using the same infrastructure, but with a different directory for the exploit chain files as follows:
  – hxxp://xxxxxxxxxxxxxxcountymd.gov (or other water hole site) →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/iframe.js →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/module.php →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/engine.js →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/if.htm →
  – hxxp://www.xxxxxxxcurling.com/Docs/BW06/applet.jar

VOHO Campaign

• If.htm
  – In this case, all of the scripts were identical up to “if.htm”, which instead contained a java call that loaded applet.jar, as well as a large blob of obfuscated code as a “param” element. This large blob of code is a binary obfuscated with XOR 77, which the java applet deobfuscates and runs as “svohost.exe” (2fe340fe2574ae540bd98bd9af8ec67d).

The VOHO Malware Families

• Fake Symantec Update
• Fake Microsoft Update

Fake Symantec Update

• VPTray.EXE
• UPX compressed binary
• Local Settings\Temp folder
• Autostart
  – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  – HKEY_USERS\<User’s Security ID>\Software\Microsoft\Windows\CurrentVersion\Run
  – Value = Symantec Update
  – Data = 43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:4c:4f:43:41:4c:53:7e:31:5c:54:65:6d:70:5c:56:50:54:72:61:79:2e:65:78:65:00
    • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VPTray.exe
• Protective Mechanisms
  – Registry Editor is disabled
  – Windows System Restore is disabled

Fake Microsoft Update

• SVOHOST.EXE
• UPX compressed binary
• Local Settings\Temp folder
• Autostart
  – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  – HKEY_USERS\<User’s Security ID>\Software\Microsoft\Windows\CurrentVersion\Run
  – Value = Microsoft Update
  – Data = 43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:4c:4f:43:41:4c:53:7e:31:5c:54:65:6d:70:5c:73:76:6f:68:6f:73:74:2e:65:78:65:00
    • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svohost.exe
• Protective Mechanisms
  – Registry Editor is disabled
  – Windows System Restore is disabled
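Two triage helpers for the artefacts on the payload and persistence slides, added here as an example and not code from the talk or from RSA FirstWatch: decoding the hex Run-key Data back to the dropped path, and recovering the single-byte XOR key that masks Book.cab and the applet “param” blob without trusting the slide’s “XOR 95” / “XOR 77” figure (whose radix is unstated). The PE-shaped stub used for testing is constructed and inert.

```python
"""
Added example (not from the talk): triage helpers for two VOHO artefacts.
  1. decode_run_key_data(): Run-key Data is shown as colon-separated hex bytes;
     decode it back to the NUL-terminated path the loader wrote.
  2. recover_xor_key(): Book.cab / the applet blob are executables masked with a
     single-byte XOR; test all 256 keys for a valid PE header instead of guessing.
"""
from typing import Optional

# Data value copied from the Fake Symantec Update Run-key slide.
RUN_KEY_DATA = (
    "43:3a:5c:44:4f:43:55:4d:45:7e:31:5c:41:44:4d:49:4e:49:7e:31:5c:"
    "4c:4f:43:41:4c:53:7e:31:5c:54:65:6d:70:5c:56:50:54:72:61:79:2e:65:78:65:00"
)

def decode_run_key_data(hex_bytes: str) -> str:
    """Turn 'aa:bb:cc:...' registry data into a str, stopping at the NUL terminator."""
    raw = bytes(int(b, 16) for b in hex_bytes.strip(" .").split(":"))
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def xor_bytes(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call masks and unmasks."""
    return bytes(b ^ key for b in blob)

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the key under which blob decodes to a PE ('MZ' header, 'PE\\0\\0' at e_lfanew)."""
    if len(blob) < 64:
        return None
    for key in range(256):
        head = xor_bytes(blob[:64], key)
        if head[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(head[60:64], "little")
        if e_lfanew + 4 <= len(blob) and xor_bytes(blob[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return None

def make_fake_pe_stub() -> bytes:
    """Constructed, inert PE-shaped stub: DOS header with e_lfanew=0x80, then the PE signature."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = (0x80).to_bytes(4, "little")
    return bytes(dos) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x4c\x01"

if __name__ == "__main__":
    print(decode_run_key_data(RUN_KEY_DATA))
    masked = xor_bytes(make_fake_pe_stub(), 0x95)   # stand-in for a captured Book.cab
    print(hex(recover_xor_key(masked)))
```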

Victim Notification

• Endeavored to notify victims -- ~1000
• Response
  – None
  – Anger/Fear/Panic/Frustration
  – Curiosity
  – Sense of Urgency
• LE Response
  – Wished we’d notified them first as they felt our research caused some parties to ‘panic’
• Altruistic intent; no sales pitch

VOHO Campaign: The Trooper

[Chart: Total Exposure and Compromise – Total Exposure by Redirect vs. Total Compromises]

• Total of 32,160 unique hosts
• Representing 731 unique global organizations
• Redirected from compromised web servers injected with the redirect iframe to the exploit server
• Of these redirects, 3,934 hosts or 12% were seen to download the exploit CAB and JAR files (indicating a successful exploit/compromise of the visiting host)
• Based on our previous understanding of exploit campaigns, this indicates a very successful campaign.
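The exposure-versus-compromise tally above (hosts that were redirected versus hosts that also pulled the CAB/JAR payload) can be reproduced from web-proxy logs; this is an added example, not code from the talk, and the log format, client addresses and redirect host name are constructed for illustration.

```python
"""
Added example (not from the talk): tally water-hole exposure vs. compromise from
proxy logs, using the slides' definition: exposed = fetched a redirect-chain stage,
compromised = exposed AND fetched the exploit/payload (enblue.htm, book.cab, applet.jar).
"""
import re
from collections import defaultdict

# Stage file names of the VOHO chain as described on the Phase I / Phase II slides.
REDIRECT_STAGES = {"iframe.js", "module.php", "engine.js", "if.htm"}
PAYLOAD_STAGES = {"enblue.htm", "book.cab", "applet.jar"}

# Constructed log format: "<timestamp> <client-ip> GET <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) GET (?P<url>\S+) (?P<status>\d{3})$")

def tally_exposure(log_lines):
    """Return (sorted exposed hosts, sorted compromised hosts, compromise percent)."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":      # only completed fetches count
            continue
        fname = m["url"].rsplit("/", 1)[-1].split("?")[0].lower()
        if fname in REDIRECT_STAGES or fname in PAYLOAD_STAGES:
            seen[m["client"]].add(fname)
    exposed = {c for c, f in seen.items() if f & REDIRECT_STAGES}
    compromised = {c for c in exposed if seen[c] & PAYLOAD_STAGES}
    pct = round(100 * len(compromised) / len(exposed), 1) if exposed else 0.0
    return sorted(exposed), sorted(compromised), pct

SAMPLE_LOG = [  # constructed; 192.0.2.0/24 is a documentation range, redirect.example a placeholder
    "2012-07-16T10:01:02Z 192.0.2.10 GET http://redirect.example/Docs/BW06/iframe.js 200",
    "2012-07-16T10:01:03Z 192.0.2.10 GET http://redirect.example/Docs/BW06/module.php 200",
    "2012-07-16T10:01:03Z 192.0.2.10 GET http://redirect.example/Docs/BW06/engine.js 200",
    "2012-07-16T10:01:04Z 192.0.2.10 GET http://redirect.example/Docs/BW06/if.htm 200",
    "2012-07-16T10:01:05Z 192.0.2.10 GET http://redirect.example/Docs/BW06/applet.jar 200",
    "2012-07-16T10:02:11Z 192.0.2.11 GET http://redirect.example/Docs/BW06/iframe.js 200",
    "2012-07-16T10:02:12Z 192.0.2.11 GET http://redirect.example/Docs/BW06/module.php 200",  # chain stops early
    "2012-07-16T10:03:00Z 192.0.2.12 GET http://redirect.example/Docs/BW06/iframe.js 200",
    "2012-07-16T10:03:01Z 192.0.2.12 GET http://redirect.example/Docs/BW06/book.cab 404",   # download blocked
    "2012-07-16T10:04:00Z 192.0.2.13 GET http://intranet.example/index.htm 200",           # unrelated traffic
]

if __name__ == "__main__":
    print(tally_exposure(SAMPLE_LOG))
```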

VOHO Campaign: The Trooper

[Chart: Compromises by Industry – Corporate, DIB, EDU, Fed Govt, Financial, Healthcare, ISP, Local Govt, Other Govt, Utilities/SCADA]

[Chart: Compromise by Industry (without ISP) – Corporate, DIB, EDU, Fed Govt, Financial, Healthcare, Local Govt, Other Govt, Utilities/SCADA]

The VOHO Campaign Paper

Authors:

Will Gragido, Sr. Manager, RSA First Watch
Chris ‘Tophs’ Elisan, Principal Malware Scientist, RSA First Watch
Jon McNeil, Principal Threat Researcher, RSA First Watch
Alex Cox, Principal Threat Researcher, RSA First Watch
Chris Harrington, Threat Researcher, EMC CIRC

THANK YOU