Recent information on the new 0-day bug in IE 10 exploited in an active Advanced Persistent Threat (APT) campaign prompted Seculert’s Research Lab to dig even deeper. Our investigation began with a look at the malware behind the 0-day attack, which exploited an Internet Explorer (IE) vulnerability and imitated the website of GIFAS, Groupement des Industries Francaises Aeronautiques et Spatiales, the French aerospace industries association. In a recent blog post, Websense suggested a connection between the malware used in this attack and the VFW.org attack previously identified by FireEye. However, with further research our malware experts have drawn a different conclusion.
Figure 1: Fake GIFAS page (left) vs. Real GIFAS website (right)
Seculert’s Research Lab examined the 0-day exploit, focusing on the malware that was installed by exploiting the 0-day vulnerability in IE. According to Websense, the exploit files were uploaded to VirusTotal on January 20, 2014, presumably by the attackers to confirm whether an anti-virus product would be able to stop the attack. It should be noted that VXShare was the first to upload the malicious file. Judging by the screenshot in Figure 1, the attack probably started 3 days earlier, on January 17, 2014. Seculert was able to extract the malware payload from the exploit’s SWF (Flash) file, which has the MD5 c869c75ed1998294af3c676bdbd56851.
Same 0-day Exploit, Different Malware
Our analysis reveals that the malware used is entirely different from ZXShell, the culprit identified by FireEye, and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer (Figure 2). The malware drops 2 files: MediaCenter.exe, a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX control and used by the malware to steal information from browsing sessions. Once installed, the malware communicates with a criminal command and control (C&C) server. Seculert’s investigation has concluded that the C&C is hosted on the same server as the exploit, located in the United States. Moreover, the malware is signed with a valid digital certificate, so the usual red flags raised by an unsigned binary are never triggered. The certificate was issued to MICRO DIGITAL INC. and has been valid since March 21, 2012 (Figure 5).
Figure 2: Seculert Elastic Sandbox report showing the malware’s behaviors
Targeting Remote Users of a Specific Company
As this attack reveals, the malware modified the hosts file (Figure 3) of the infected machines. This behavior is usually associated with pharming, in which attackers map specific domain names to the IPs of their own phishing servers.
Figure 3: Hosts file on infected device with a list of aerospace company’s secure domains
But what is disturbing about this attack is that the same technique was used to accomplish a completely different goal. The domains the malware added to the hosts file provide remote access for the employees, partners, and 3rd-party vendors of a specific multinational aircraft and rocket engine manufacturer (Figure 4). The IPs added are those of the real remote access web servers; by adding the records to the hosts file, the attackers ensured that there would be no DNS connectivity issues when victims connected. Whenever an infected machine connects to these remote assets, the attackers are able to steal the sensitive credentials. This is the first time we have seen malware change a hosts file for a purpose other than pharming fraud or disabling access to specific websites.
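The distinction drawn above matters for detection: a check that only flags hosts entries whose IP disagrees with DNS will miss this attack, because the malware added the real addresses. The following triage script is an added example written for this post, not code from Seculert or from the malware analysis; it parses a constructed hosts file and classifies each entry as blocked, redirected (classic pharming), or pinned (the pattern seen here: a watched domain mapped to its legitimate IP). The hostnames, addresses and the EXPECTED map are assumptions for illustration, not the real targets.

```python
"""Hosts-file triage: tell pharming-style redirection apart from the
'pinning' described in the post, where malware adds records that resolve a
target's remote-access hosts to their REAL addresses so that simply
comparing the hosts entry with DNS raises no alarm.

All data below is constructed for illustration; none of it comes from the
actual attack."""
import ipaddress

# Constructed sample hosts file (assumption, not the real Figure 3 content).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    remote.example-aero.com     # pinned: matches the real IP
203.0.113.11    vpn.example-aero.com        # pinned: matches the real IP
198.51.100.7    login.example-bank.com      # classic pharming: attacker IP
0.0.0.0         update.av-vendor.example    # sinkholing an update host
"""

# Assumed legitimate addresses of watched hosts, e.g. taken from an
# authoritative DNS query on a known-clean machine (constructed values).
EXPECTED = {
    "remote.example-aero.com": "203.0.113.10",
    "vpn.example-aero.com": "203.0.113.11",
    "login.example-bank.com": "192.0.2.44",
}

# Names that legitimately appear in a default hosts file.
BENIGN = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and unparseable lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield str(ip), name.lower()


def classify(ip, name, expected):
    """Classify one hosts entry.

    'pinned' is the case this post is about: the domain is one we care about
    and the IP is correct, so the only signal is that the entry exists at all."""
    if name in BENIGN:
        return "benign"
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"        # 127.0.0.1 / 0.0.0.0 / ::1 sinkhole
    if name in expected:
        if expected[name] == ip:
            return "pinned"     # real address: DNS comparison would pass
        return "redirected"     # pharming to an attacker-controlled server
    return "unknown"            # not watched; worth a look but unclassified


def triage(text, expected=EXPECTED):
    """Return {hostname: classification} for every entry in a hosts file."""
    return {name: classify(ip, name, expected) for ip, name in parse_hosts(text)}


def suspicious(findings):
    """Every non-benign entry, sorted; a default hosts file yields an empty list."""
    return sorted(n for n, c in findings.items() if c != "benign")


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{verdict:10s} {name}")
```

The point of the "pinned" verdict is that, on a watched list of remote-access hosts, the mere presence of an entry is the indicator; the IP being correct is what the attackers were counting on to avoid connectivity problems and to evade naive pharming checks.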
Seculert sees targeting remote users as a growing trend among adversaries. You may recall that the initial intrusion into Target’s corporate network was accomplished using stolen 3rd-party credentials. This launched what is considered one of the most extensive point-of-sale attacks in history, affecting millions of Target’s customers.
Figure 4: Example of secure remote access website as listed in the hosts file
Figure 5: Digital certificate used to sign the malware, issued to the fake company MICRO DIGITAL INC.
The main differences between the attacks (listed below) lead us to conclude that the group behind this attack is different from the one previously hypothesized. Furthermore, given the similarities in malware and exploit techniques to an attack that occurred a year ago, described by SpiderLabs, it is more likely that the same adversaries are responsible for both of those attacks.
Main differentiators between the attacks:
- Same IE10 0-day exploit, different malware
- The C&C of the attack targeting the aerospace engine manufacturer is located on the same US-based server as the IE exploit. The other attack uses a C&C server different from the one hosting the exploit.
- The attackers who targeted the aerospace engine manufacturer registered their own domain names, whereas the Deputy Dog attackers usually use free Dynamic DNS services.
- An older version of the malware was used in January 2013 to conduct the same type of attack.
Shout out to SpiderLabs for their teamwork on this project. Check out their post here.
Contributors: Adi Raff and Barak Gabai