The precedence of Cyberwar from China APT-3
Yet another Chinese APT; it seems that China is getting ready for cyberwarfare. Like APT-1 and APT-2, this threat also started with a phishing email, but its targets were limited to the public, defense, private and supply-chain sectors, non-profits, biotechnology, construction, education and energy.
In 2013 China-based threat actors set out to build threats for stealing information using Java, Adobe and Internet Explorer (the default browser for XP and 2007). Bug hunters who were working hard found various enumeration techniques to exploit Java with minimal user interaction, which was bad news for the threat actors. So they planned to conduct espionage and steal information from the sectors above using Adobe and Internet Explorer instead.
Numerous mails to employees were drafted and sent to the defense and aerospace industry. Some sample e-mails are shown below:
Sample-1:
- Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.
Sample-2:
- One Month's Free Membership for The PLAYBOY ClUB 1080P HD VIDEOS 100,000 PHOTOS 4,000 MODELS Nude Celebrities, Playmates, Cybergirls & More! Click hxxp://join.playboysplus.com/signup/ To Get a Free Plus Member Now & Never Miss Another Update. Your Member referrals must remain active. If anyone getting "Promotion not available" for 1 month free membership, you might get the issue up to 48 hrs once your membership is expired and make sure to clear out cookies or use another browser or use another PC.
Don't hesitate --->Go to Sale
Whenever a user clicks the above hyperlinks they are redirected to new websites such as:
- hxxp://report.perrydale[.]com/ema/RR201507[.]pdf (194.44.130.179)
- hxxp://vic.perrydale[.]com/logo2.jpg (107.20.255.57)
- hxxp://rpt.perrydale[.]com/en/rep201507101[.]pdf (23.99.20.198)
and they are asked to automatically download the Adobe Flash Player plugin onto the system. This was actually a .flv or .swf file. These are not legitimate files; they are the actual malware, delivered onto the system through the Adobe vulnerability (CVE-2015-3113), a zero-day at the time. Once the file is downloaded the user installs it, which extracts the malware. The actual path of the malware on Windows XP is
- "C:\Users\Public"
Once the file is decompressed it is split into two parts:
- test.exe
- doc.exe (CVE-2014-4113)
When test.exe is installed, it checks the Internet Explorer version and the Adobe versions. Then it checks whether the current user has administrator rights by running "whoami". If everything checks out, it starts to create a connection to the CnC server, which stores all the stolen information. It initially creates a socket connection over TCP port 1913, and then, to confirm it again, also opens another connection on TCP port 81. Once the data from both ports has been verified, APT-3 starts the initial phase of the threat. Those SOCKS5 connections were arriving from the following IPs:
- 192.157.198.103
- 192.184.60.229
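As an added example (not part of the original write-up), a small Python script that correlates outbound connection logs against the indicators listed above: a host that reaches one of the listed IPs on both TCP 1913 and TCP 81, the two-port pattern described in the text, is rated higher than a host that touches only one of them. The log format and the sample lines are constructed for illustration.

```python
"""Correlate outbound connections against the APT-3 network indicators quoted above."""
from collections import defaultdict
import re

# Indicators from the write-up: listed SOCKS5 peers and the two TCP ports used
C2_IPS = {"192.157.198.103", "192.184.60.229"}
C2_PORTS = {1913, 81}

# Constructed sample log lines (timestamp host src -> dst:port proto flag), not real captures
SAMPLE_LOG = """\
2015-07-10T09:12:01 host-A 10.0.0.5 -> 192.157.198.103:1913 TCP SYN
2015-07-10T09:12:02 host-A 10.0.0.5 -> 192.157.198.103:81 TCP SYN
2015-07-10T09:15:40 host-B 10.0.0.7 -> 192.184.60.229:81 TCP SYN
2015-07-10T09:16:00 host-C 10.0.0.9 -> 93.184.216.34:443 TCP SYN
2015-07-10T09:17:22 host-D 10.0.0.11 -> 10.0.0.2:1913 TCP SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP")


def parse_line(line):
    """Return (timestamp, host, dst_ip, dst_port), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, _src, dst, port = m.groups()
    return ts, host, dst, int(port)


def classify(log_text):
    """Map each host to a verdict: 'high' = listed IP on both ports, 'medium' = listed IP
    on one port, 'low' = port 1913/81 towards an unlisted IP (noisy, but worth a look)."""
    seen = defaultdict(set)  # host -> {(dst_ip, port)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            _ts, host, dst, port = rec
            seen[host].add((dst, port))
    verdicts = {}
    for host, conns in seen.items():
        c2_ports = {p for ip, p in conns if ip in C2_IPS}
        if C2_PORTS <= c2_ports:
            verdicts[host] = "high"
        elif c2_ports:
            verdicts[host] = "medium"
        elif any(p in C2_PORTS for _ip, p in conns):
            verdicts[host] = "low"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(host, verdict)
```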
The other file, doc.exe, is used to create a string named 4113.pdb.
The number 4113 indicates CVE-2014-4113; this was found during the forensic investigation.
Once both files are ready, the malware starts its work. Internet Explorer versions IE-8 through IE-11 were affected by the same kind of buffer overflow attack. The attackers sent additional data at the stack register/pointer, working around ASLR (Address Space Layout Randomization) and using libc functions. ASLR exists to stop an attacker from easily performing injection attacks at the binary level: it randomizes the base address at which modules are loaded. A commonly used ASLR bypass technique is CVE-2013-0634.
Coupled with this vulnerability, the attacker also bypasses Data Execution Prevention (DEP) by using Return Oriented Programming (ROP). ROP is a kind of attack in which the attacker reverse-engineers the entire application and builds a custom payload from the code already present in the particular firmware or binary. This is difficult to do, because the attacker cannot simply inject malicious scripts that are available to the public. By doing this the attacker can take control of the victim system and can chain multiple vulnerabilities. The ROP chain is assembled from gadgets linked together. This is like a DoS/brute-force attack. By doing this the intruder can steal valuable information such as cookies and all secured information transmitted within the secured space.