FireEye has
discovered a campaign leveraging the recently announced zero-day
CVE-2013-3893. This campaign, which we have labeled ‘Operation
DeputyDog’, began as early as August 19, 2013 and appears to have
targeted organizations in Japan. FireEye Labs has been continuously
monitoring the activities of the threat actor responsible for this
campaign. Analysis based on our Dynamic Threat Intelligence cluster
shows that this current campaign leveraged command and control
infrastructure that is related to the infrastructure used in the
attack on Bit9.
Campaign Details
On September 17, 2013 Microsoft published details
regarding a new zero-day exploit in Internet Explorer that was being
used in targeted
attacks. FireEye can confirm reports that these attacks were directed against
entities in Japan. Furthermore, FireEye has discovered that the
group responsible for this new operation is the same threat actor
that compromised
Bit9 in February 2013.
FireEye detected the payload used in these attacks on August 23,
2013 in Japan. The payload was hosted on a server in Hong Kong
(210.176.3.130) and was named “img20130823.jpg”. Although it
had a .jpg file extension, it was not an image file. The file, when
XORed with 0x95, was an executable (MD5: 8aba4b5184072f2a50cbc5ecfe326701).
Upon execution, 8aba4b5184072f2a50cbc5ecfe326701 writes
“28542CC0.dll” (MD5: 46fd936bada07819f61ec3790cb08e19) to this location:
C:Documents and SettingsAll
UsersApplication Data28542CC0.dll
In order to maintain persistence, the original malware adds this
registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun28542CC0
The registry key has this value:
rundll32.exe “C:Documents and
SettingsAll UsersApplication Data28542CC0.dll”,Launch
The malware (8aba4b5184072f2a50cbc5ecfe326701) then connects to a
host in South Korea (180.150.228.102). This callback traffic is
HTTP over port 443 (which is typically used for HTTPS encrypted
traffic; however, the traffic is not HTTPS nor SSL encrypted).
Instead, this clear-text callback traffic resembles this pattern:
POST /info.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Agtid: [8 chars]08x
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 180.150.228.102:443
Content-Length: 1045
Connection: Keep-Alive
Cache-Control: no-cache
[8 chars]08x&[Base64 Content]
The unique HTTP header “Agtid:” contains 8 characters
followed by “08x”. The same pattern can be seen in the POST content as well.
A second related sample was also delivered from
111.118.21.105/css/sun.css on September 5, 2013. The sun.css file was
a malicious executable with an MD5 of bd07926c72739bb7121cec8a2863ad87
and it communicated with the same communications protocol described
above to the same command and control server at 180.150.228.102.
Related Samples
We found that both droppers, bd07926c72739bb7121cec8a2863ad87 and
8aba4b5184072f2a50cbc5ecfe326701, were compiled on 2013-08-19 at
13:21:59 UTC. As we examined these files, we noticed a unique fingerprint.
These samples both had a string that may have been an artifact of
the builder used to create the binaries. This string was
“DGGYDSYRL”, which we refer to as “DeputyDog”. As such, we
developed the following YARA signature, based on this unique attribute:
rule APT_DeputyDog_Strings
{
meta:
author = “FireEye
Labs”
version = “1.0”
description =
“detects string seen in samples used in 2013-3893 0day
attacks”
reference =
“8aba4b5184072f2a50cbc5ecfe326701”
strings:
$mz = {4d 5a}
$a =
“DGGYDSYRL”
condition:
($mz at 0) and $a
}
We used this signature to identify 5 other potentially related samples:
MD5 | Compile Time (UTC) | C2 Server |
---|---|---|
58dc05118ef8b11dcb5f5c596ab772fd 58dc05118ef8b11dcb5f5c596ab772fd |
2013-08-19 13:21:58 2013-08-19 13:21:58 |
180.150.228.102 180.150.228.102 |
4d257e569539973ab0bbafee8fb87582 4d257e569539973ab0bbafee8fb87582 |
2013-08-19 13:21:58 2013-08-19 13:21:58 |
103.17.117.90 103.17.117.90 |
dbdb1032d7bb4757d6011fb1d077856c dbdb1032d7bb4757d6011fb1d077856c |
2013-08-19 13:21:59 2013-08-19 13:21:59 |
110.45.158.5 110.45.158.5 |
645e29b7c6319295ae8b13ce8575dc1d 645e29b7c6319295ae8b13ce8575dc1d |
2013-08-19 13:21:59 2013-08-19 13:21:59 |
103.17.117.90 103.17.117.90 |
e9c73997694a897d3c6aadb26ed34797 e9c73997694a897d3c6aadb26ed34797 |
2013-04-13 13:42:45 2013-04-13 13:42:45 |
110.45.158.5 110.45.158.5 |
Note that all of the samples, except for
e9c73997694a897d3c6aadb26ed34797, were compiled on 2013-08-19, within
1 second of each other.
We pivoted off the command and control IP addresses used by these
samples and found the following known malicious domains recently
pointed to 180.150.228.102.
Domain | First Seen | Last Seen |
---|---|---|
ea.blankchair.com ea.blankchair.com |
2013-09-01 05:02:22 2013-09-01 05:02:22 |
2013-09-01 08:25:22 2013-09-01 08:25:22 |
rt.blankchair.com rt.blankchair.com |
2013-09-01 05:02:21 2013-09-01 05:02:21 |
2013-09-01 08:25:24 2013-09-01 08:25:24 |
ali.blankchair.com ali.blankchair.com |
2013-09-01 05:02:20 2013-09-01 05:02:20 |
2013-09-01 08:25:22 2013-09-01 08:25:22 |
dll.freshdns.org dll.freshdns.org |
2013-07-01 10:48:56 2013-07-01 10:48:56 |
2013-07-09 05:00:03 2013-07-09 05:00:03 |
Links to Previous Campaigns
According to Bit9,
the attackers that penetrated their network dropped two variants
of the HiKit
rootkit. One of these Hitkit samples connected to a command
and control server at downloadmp3server[.]servemp3[.]com that resolved
to 66.153.86.14. This same IP address also hosted
www[.]yahooeast[.]net, a known malicious domain, between March 6, 2012
and April 22, 2012.
The domain yahooeast[.]net was registered to 654@123.com. This email
address was also used to register blankchair[.]com – the domain that
we see was pointed to the 180.150.228.102 IP, which is the callback
associated with sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been
already correlated back to the attack leveraging the CVE-2013-3893
zero-day vulnerability.
Threat Actor Attribution
Conclusion
While these attackers have a demonstrated previously unknown
zero-day exploits and a robust set of malware payloads, using the
techniques described above, it is still possible for network defense
professionals to develop a rich set of indicators that can be used to
detect their attacks. This is the first part of our analysis, we will
provide more detailed analysis on the other components of this attack
in subsequent blog post.