AN ANALYSIS ON TARGETED TROJAN ATTACK WITH “INTERVIEW” AS A SOCIAL ENGINEERING TOOL

An Analysis on Targeted Trojan Attack with “Interview” as a Social Engineering Tool

By Antiy CERT

Download

 

First release: December 3, 2015, 10:21

Update: December 5, 2015, 5:21

 

1. Overview


 

In the evening of December 2, 2015, Antiy earlier-warning monitor system perceived the following information: a famous writer released a message in the Sina Weibo (Note: Sina Weibo is the largest social network in China that specializes in providing microblog services, like Twitter), exposed that someone sent a malicious code link which is pretended as “Interview outline” file through Weibo private message function.

According to Weibo screenshot link, Antiy CERT downloaded the sample and performed the analysis. With the deep analysis, we collated the event process and its relevant malicious code mechanism.

2. “Interview” Event


 

As shown, the blog was released on December 1, 23:24. A writer received “Interview outline” from a reporter called “Feng Xiang from Southern Weekly” (Southern Weekly is a comprehensive press in China), and the ““Interview outline” was stored in network disk because the report “does not known” his contact information. But, the file in the network disk causes an alert from anti-virus software.

image003

Figure 1 An alert from the anti-virus software

e003

Remark: This English version is translated and presented from the original version

First, we find the true file link according to Weibo screenshot, as shown, the file link indicates Baidu Wangpan. (Note: Baidu Wangpan is a cloud storage service provided by Baidu, and users can store own files to Wangpan for sharing and view.

image004

Figure 2 The downloaded address alerted is Baidu Wangpan

The owner of Baidu Wangpan is “Feng Xiang from Southern Weekly”; its creation time is 17:04 on November 30, 2015.

image005

Figure 3 “Feng Xiang from Southern Weekly”

e005

Remark: This English version is translated and presented from the original version

At the same time, we find that another Weibo celebrity raised doubts on November 30.

image006

Figure 4 Doubts to “Feng Xiang from Southern Weekly”

e006

Remark: This English version is translated and presented from the original version

For this, we search the information about “Feng Xiang from Southern Weekly” through Weibo, and find that his fans only up to three hundred, while anther “Feng Xiang” has fans up to over 10 hundreds, and their avatar pictures are similar. Because the name of Sina Weibo can be changed freely, so we could not determine if the malicious code is sent by “Feng Xiang from Southern Weekly”. The relationship of characters is as follows:

image007

Figure 5 The relationship of characters

e007

Remark: This English version is translated and presented from the original version

They are so similar that we could not get the truth according their images. We have collated the event process:

e008

Figure 6 Attack process

Although the attack uses the social engineering to cheat, but still now, no celebrities are “attacked”. We analyze the samples.

3. File Information


 

 

File name Southern Weekly Interview Outline.rar
MD5 F2928482E9F7443EDED6B366AAD554F9
File size 1.16 MB (1,217,174 bytes)
File format RAR archive data, v1d, os: Win32

There is only one EXE file in the package:

Original file name Southern Weekly Interview Outline.exe
MD5 EA878E08F10057B2477090C8017AF587
Processor architecture X86-32
File size 5,238 KB (5,364,268 bytes)
File format BinExecute/Microsoft.EXE[:X86]
File time 2015-11-30 16:51:21 (From the package)
Timestamp 53973C2B->2014-06-11 01:11:07(File timestamp can be fake.)
Digital signature YES(Fake Microsoft Signature, invalid digital signature)
Development tool n/a
Shell tool n/a

As shown, the EXE file is similar with Word document.

e009

Figure 7 Southern Weekly Interview Outline Icon

The file has digital signature, which cannot be verified online, so we suspect that a static fake digital signature has been applied.

e010

Figure 8 Fake Microsoft digital signature

While the generated file VSTquanjuhe.com has the fake sogou digital signature:

e011

Figure 9 Fake sogou digital signature of VSTquanjuhe.com

The generated file ing.exe has fake NVIDIA digital signature:

e012

Figure 10 Fake NVIDIA digital signature of ing.exe

 

4. Sample Analysis


The program will create archive named “$NtUninstallKB1601A$” at root directory of C disk after operation, which includes BinBackup and tools. The whole directory architecture is as follows:

image013

Figure 11 The whole directory architecture of archive that released by malware

The file names and file size in this directory architecture are as follows:

Directory File Name File Size
.\ bmd.vbe 10.4 KB (10,698 bytes)
.\ gsxt.bat 1.26 KB (1,299 bytes)
ABAZ\ 1.exe 69.5 KB (71,168 bytes)
ABAZ\ sl2.db 70 bytes (70 bytes)
ABAZ\ speedmem2.hg 21.0 KB (21,504 bytes)
ABAZ\ XueTr.dll 261 KB (267,776 bytes)
ABAZ\ XueTrSDK.sys 362 KB (370,688 bytes)
BinBackup\MYTEMP\ 8.3f 169 bytes (169 bytes)
BinBackup\ abc.os 3.00 KB (3,072 bytes)
BinBackup\ abc1601.dat 341 KB (350,190 bytes)
BinBackup\ inst.ini 293 KB (300,990 bytes)
BinBackup\ lang1.lnk 3 KB (3,172 bytes)
BinBackup\ lang2.lnk 3 KB (3,338 bytes)
BinBackup\ links.ini 404 KB (413,742 bytes)
BinBackup\ mew.1r 42.6 KB (43,646 bytes)
BinBackup\ mtfile.tpi 86.3 KB (88,462 bytes)
BinBackup\ os.bat 242 bytes (242 bytes)
BinBackup\ super.inf 7.01 KB (7,180 bytes)
BinBackup\ test1.pfx 107 KB (110,030 bytes)
BinBackup\ test2.pfx 95.1 KB (97,484 bytes)
BinBackup\ ua.lnk 1 KB (1,046 bytes)
BinBackup\ ub.lnk 1 KB (668 bytes)
BinBackup\ Win1.bat 1.53 KB (1,570 bytes)
BinBackup\ Win2.bat 764 bytes (764 bytes)
Tools\ cmd.exe 336 KB (344,576 bytes)
Tools\ ing.exe 192 KB (197,320 bytes)
Tools\ ua.exe 483 KB (495,568 bytes)
Tools\ VSTquanjuhe.com 51.5 MB (54,035,320 bytes)

 

The flow chart of sample execution is as follows:

e014

Figure 12 Flow chart of sample execution

The sample is a self-extracting program, it uses more than a dozen encryption scripts to execute malicious functions, encrypts after being executed and runs unzipped program VSTquanjuhe.com. It uses identification to check whether there is “C:\\$NtUninstallKB1601A$\\BinBackup\\Images\\FreeImage.dll” to check if it is runningVSTquanjuhe.com.  Use extremely complex unzip passwords to unzip links.ini and identified whether there is a folder “C:\Windows\SysWOW64” to check whether the system version has a 64-sit operating system, and 32-bit operating system and 64 – bit operating system call for different encryption scripts to execute. 32-bit operating system (except Windows 8) adds registry startup by script, and restarts the operating system, and then reuses complex passwords to decrypt multiple files. After being unzipped, the excusable file shotdown.exe,shotdown.exe will release a encrypted RAR file called FreeImage.dll. By restarting the system, it uses decryption script and manual anti-virus tools “XueTr” covering 360 security software white list file, and delete anti-virus software Windows Defender file, running unzipped files ing. exe (bundle files, release VBS script), using the ing. exe to release script unzipped RAR file FreeImage.dll to get a backdoor and then run. The program file can use the method of replacing files to add rules to bypass Tencent computer butler detection. The 64 – bit operating system and the branch function of Windows 8 system is the same as the 32-bit operating system. The main difference is to restart the system once instead of twice, uncover 360 security software white list file. Their ultimate goal is to run two backdoor.

5. Derivative File Analysis


 

File path name Main functions
ABAZ\1.exe XueTr Command line version for BAT and VBS script calls, to duplicate and delete files.
ABAZ\XueTr.dll XueTr depends on dynamic link library file.
ABAZ\XueTrSDK.sys XueTr depends on driver file.
Tools\ua.exe RAR command line tools for BAT and VBS script calls, to unzip the files.

These derivative files are four common utility class programs.

5.1 Calling relationship and function description of Inst.ini unzip file

Init.ini File uses ini as extensions, but it is actually a RAR file package.

e015

Figure 13 inst.ini unzip file function

bmd.vbe is an encrypted script file, which contains multilayer encryption, the eventually decrypted code is as follows:

image016

Figure 14 bmd.vbe decrypted plaintext code

Its main function is to add the registry startup: “C:\$NtUninstallKB1601A$\BinBackup\ub.lnk”. Then it calls gsxt.bat to replace the security software white list file to achieve the goal of bypassing security software killing.

e017

e018

Figure 15  Replace security software white list

Therefore, it can be found that the function of inst.ini is to add ub.lnk startup, and attempt to bypass security software killing.

5.2 links.ini unzip files and basic function description:

links.ini uses ini as extensions, but it is actually a RAR file package.

e019

Figure 16 links.ini unzip files function description

File ua.lnk deletes the start menu and Tencent Security Steward registry entries, and modifies files with suffix as .1r and .3f , which can open in the form of vbe and inf .

image020

Figure 17 ua.lnk code

Unzipped files in the vbe varies script uses JScript Encode algorithm to encrypt, such as code snippet of mew. 1 r script is as below:

 image021

Figure 18 Encrypted mew.1r code

Script’s multiple encryption and repeated decrypted plaintext code snippet is shown below. The script is used to open the MYTEMP folder and call the SendKeys function to simulate the keyboard operation, realize the selected configuration file 8.3 f (inf format in fact) and perform the operation of registry installation:

image022

Figure 19 Encrypted mew.1r part code

 

5.3 Backdoor Analysis

The terminal goal of this incident is to install backdoor program in user’s system. We have found two backdoor programs according to above analysis:

Original File Name FreeImage.exe unninst.exe
MD5 66FF6F32FF7096206B48D8006854C568 2A0C3E7262AD136D9D776A99E18A03CB
Processor Architecture X86-32 X86-32
File Size 686 KB (702,464 bytes) 660 KB (676,352 bytes)
File Pattern BinExecute/Microsoft.EXE[:X86] BinExecute/Microsoft.EXE[:X86]
Time Stamp 4981F684->2009-01-30 02:33:40 4981F684->2009-01-30 02:33:40
Digital signature None None
Developing Tool Borland Delphi 6.0 – 7.0 Borland Delphi 6.0 – 7.0
Shell Tool None None

 

These two backdoor are of the same local action: enabling system program svchost.exe and injecting into it.

FreeImage.exe injection:

e023

Figure 20 FreeImage.exe injects into svchost.exe

unninst.exe injection:

e024

 

Figure 21 unninst.exe injects into svchost.exe

The online address can be found by code analysis:

  Domain Name Port IP Geography Address
FreeImage.exe C***la.meibu.net 3529 115.**.***.239 BGP Data Center of Aliyun, Tsingtao, Shandong
unninst.exe 1048****er.meibu.net 3529 115.**.***.239 BGP Data Center of Aliyun, Tsingtao, Shandong

The jumping address of the dynamic domain is 115.**.***.239. It can be concluded that the backdoors belong to the same network action and function. Meanwhile, according to the analysis took by Antiy CERT analysts on backdoor code and online data package, it can be deduced that the backdoors are generated by the same remote generator. And the remote control software is the specific version of RemoteABC that is modified by Hupigon source code.

The remote control software owns the following functions:

  • File management
  • Process management
  • Service Management
  • Sharing management
  • Plug-in management
  • Enabling video and audio remotely
  • ……

6. Summary


 

According to above analysis result, it indicates that the attackers in this incident have the following operating features:

  1. Faking ID with the help of Weibo
  2. Dropping malware to targeted people by Baidu Wangpan
  3. Bypassing the protection mechanism provided by system security tools by using the tool software that is usually used to deal with malware
  4. Compromising the security tool software through making use of the vulnerabilities of known security tool software

 

We have concluded the following enlightenment according to above features:

  1. The Internet companies should strengthen the monitoring and governance of user’s fake ID.
  1. The online storage vendor should strengthen the security detection of storage content to avoid being used to spread malware.
  1. The developers of tool software should try to add obvious confirming functions of user interaction when they develop functions that might bypass or compromise system security mechanism to avoid being used maliciously.
  1. The developing vendors of security tools should release the upgrading patch immediately after they found security vulnerabilities and suggest users’ upgrading to avoid attackers’ bypassing, which would result in bringing false impression to users.

 

 

Appendix 1: Sample MD5 in This Incident


 

0C5261CB53CF17E0A03CA1E6A230430B 29017A44550FBC8AA4D64820044F54EC
1E6726ED20B88CD2C3E546306E5A3C72 34220AFE857F99A493F4171482E7E8FE
2A0C3E7262AD136D9D776A99E18A03CB 480145BA7EE820C20AB7D2AD97F95005
3B86EC0243AB626A11787DA0C53C302A A133284DA52E3CC848C175D73732E88A
3EE804C0D1AB806BB837FE061A80B457 AFFB80A87F53E67CA886935E44D2BB6E
5D47C0554EE28E8532F0430CF8235195 B3E18430E5353F6FEF2E787551A78921
35D779D412FA3682330162FAEDC7D26E B60F57B01A0382C9D9372E78D95D6386
40E292484019A58AD3AA5C99EF993614 B5713261E7338431FF430DE6E1ACE47A
44FADA41819963DD353E62026011F6D5 BDB0A5261D139F7B4804C6B03A3E909F
45ADCB2BDD43FB32F4BA9542E7788F13 C0C457F28C7657FB5B99E2CDD447EED9
53F88B226236125C816B795BFB8E239E D2B983C66658C8A3DEF1E77E12AB8689
66FF6F32FF7096206B48D8006854C568 EB5F29A9A9EDCD600F2846403E4B4223
110F6A386798757904892EDB5866A453 F0F1038A3F455EAFEAB73944CC09FC08
887E9654A1E8C956013BB5961A4FDC6B FB24C79B390D3CA14755C1F3DF3E6600

 

Appendix 2: About Antiy


Starting from antivirus engine research and development team, Antiy now has developed into an advanced security product supplier with four research and development centers, nationwide detection and monitoring ability as well as products and services covering multiple countries. With a fifteen-year continual accumulation, Antiy has formed massive security knowledge and promoted advanced products and solutions against APT with integrated application of network detection, host defense, unknown threat identification, data analysis and security visual experiences. With the recognition of technical capacity by industry regulators, customers and partners, Antiy has consecutively awarded qualification of national security emergency support unit four times and one of the six of CNNVD first-level support units. Antiy detection engine for mobile is the first Chinese product that obtained the first AV – TEST (2013) annual awards and more than ten of the world’s famous security vendors choose Antiy as their detection partner.

More information about antivirus engine:

http://www.antiy.com

http://www.antiy.net

More information about Antiy anti-APT products:

http://www.antiy.cn