The Mutter Backdoor: Operation Beebus with New Targets

FireEye Labs has observed a series of related attacks against a dozen
organizations in the aerospace, defense, and telecommunications
industries, as well as government agencies, located in the United States
and India. The attacks date back to at least December 2011. In at least
one case, a decoy document included in the attack contained content that
focused on Pakistan’s military advances in unmanned vehicle, or
“drone”, technology.

Technically, these attacks exploited known vulnerabilities via document
files delivered by email in order to plant a previously unknown backdoor
on victim systems. The malware used in these attacks employs a number of
interesting techniques to “hide in plain sight” and to evade dynamic
malware analysis systems. Similar to, though not based on, the attacks we
saw in South Korea, the malware tries to stay inactive for as long as
possible to evade detection by dynamic analysis.

We have linked these attacks back to Operation Beebus through shared
C&C infrastructure, along with the similar targets and timeline
observed. Although some of the targets of these attacks overlapped with
Beebus targets, many new targets were discovered, including some in
India. As we uncover more targets related to these attacks, we are seeing
a common link between them: unmanned vehicles, also known as “drones”.
The set of targets covers all aspects of unmanned vehicles (land, air,
and sea), from research to design to manufacturing of the vehicles and
their various subsystems. Other related malware has been discovered
through the same C&C infrastructure with a similar set of targets;
including those brings the total number of targets to more than 20 as of
this writing. These targets include some in academia which have received
military funding for research projects relating to unmanned vehicles.

Infiltration

All of the attacks we have observed occurred through document exploits
attacking known vulnerabilities. We have seen RTF and XLS files used for
delivery. Searching the internet for the author and document names yields
information regarding South Asian politics. Although all of the document
exploits we have analyzed drop a decoy document, most of the decoys are
either empty or filled with unreadable data, with two exceptions.

[Figure: mutter-decoy-doc]

One is an article about Pakistan’s indigenous UAV industry which is
attributed to author Aditi Malhotra, an Indian writer and Associate
Fellow at the Centre for Land Warfare Studies (CLAWS) in New Delhi.
Although we are not sure this particular work is actually hers, we did
find a reference to a similarly named article “Pakistan’s UAV
programme: Ambitious, with some friendly help.” Unfortunately, this
document was not available. Other works of hers on a similar note
include “India’s Silence on Chinese Incursions” and “China and
Pakistan: Dangerous Liaisons.”

The other decoy document is contact info for an American with a
military-provided email address from Joint Base Andrews in Maryland, but
with a physical address in Pakistan titled “Family Planning Association
of Base (FPAB).” It looks like they took the “Family Planning Association
of Bangladesh” and combined it with “Joint Base Andrews.” The title of
the email field is “FPAP Email”; “FPAP” could stand for “Family Planning
Association of Pakistan.” Ultimately, we could make no sense of this
information.

The Mutter Backdoor

Two different versions of the same backdoor were used in all of these
attacks. In every case we have found, the main component is a DLL dropped
by an executable compiled minutes after the DLL. The dropper shares the
same decoding functions as the DLL and performs some modifications on the
DLL that are described later. In one unique case, the initial dropper was
a self-extracting archive that used Visual Basic and batch scripts to
download and install the DLL instead of extracting it from a resource.

Mutter is HTTP-proxy aware: it attempts to determine whether a proxy is
required and, if so, what the proxy details are, using google.co.in as
the test destination. It uses HTTP to communicate with the C&C server
and expects an encoded string between a pair of <p> tags in the
response. The URL in the request has one parameter, “i”, which is set to
an encoded representation of a string in this format:

<Mutter version#>-<campaign marker?>-<victim hostname>-<victim IP address>

We are not certain about the second part of this string, it may be
either a campaign marker or an extension of the version number. In all
our cases, it is set to either “SN0” or “SN1.” Actual strings are
shared in the appendix information at the end of this blog.

[Figure: mutter-callback]

The HTTP request pictured in the screenshot above is from the older
version of Mutter. The newer versions of Mutter send a very similar HTTP
request, but with the Host and Connection headers swapped.

The response string is decoded and parsed for the following commands:

“m”: executes a shell command

“u”: uploads a file to the victim (downloads a file from the
victim’s perspective)

“d”: downloads a file to the attacker (uploads a file from the
victim’s perspective)

“R”: removes the auto-run registry value

These commands are referenced in the code in this order, and when said
aloud it sounds like “mutter”, hence the name chosen for the malware. In
the earlier version of this backdoor, the “d” command was referenced, but
the code had not been implemented yet. In both versions, another command
string, “f”, appears along with the others but is not referenced in the
code. This perhaps indicates a feature to be added in the future.
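The beacon format and the command letters above lend themselves to a small triage helper. The following Python is an added example written for this post, not FireEye’s tooling or the backdoor’s own code: it parses a decoded “i” value by anchoring on the version and marker at the front and the IPv4 address at the back (so hostnames containing hyphens survive), pulls the “i” parameter out of a request line and the <p>-delimited payload out of a response, and maps a decoded response to the handler it would reach. The page does not document the encoding, so the decoder is a pluggable hook that defaults to the identity function; the version/marker patterns, the request path in the sample, and the assumption that the command letter is the first character of the decoded response are assumptions of this example, not findings from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Handlers in the order they are referenced in the code ("m", "u", "d", "R"
# -> "mutter"). "f" exists as a string in both versions but has no handler.
COMMANDS: Dict[str, str] = {
    "m": "execute shell command",
    "u": "upload file to victim",
    "d": "download file from victim",
    "R": "remove auto-run registry value",
}
UNIMPLEMENTED = {"f"}


@dataclass
class Beacon:
    version: str
    marker: str
    hostname: str
    ip: str


def parse_beacon(decoded: str) -> Optional[Beacon]:
    """Parse a decoded "i" value: <version>-<marker>-<hostname>-<ip>.

    Windows hostnames may contain hyphens, so version and marker are taken
    from the front, the IP from the back, and the middle is the hostname.
    The version/marker regexes are assumptions generalised from the observed
    values (V0.7, V0.9.6X, V0.9.6Y, SN0, SN1)."""
    parts = decoded.split("-", 2)
    if len(parts) != 3:
        return None
    version, marker, rest = parts
    if not re.fullmatch(r"V\d+(?:\.\d+)*[A-Z]?", version):
        return None
    if not re.fullmatch(r"SN\d+", marker):
        return None
    hostname, sep, ip = rest.rpartition("-")
    if not sep or not hostname:
        return None
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return Beacon(version, marker, hostname, ip)


def extract_i_param(request_line: str) -> Optional[str]:
    """Still-encoded "i" value from 'GET /path?i=... HTTP/1.1', or None if
    the query does not consist of exactly one parameter named "i"."""
    fields = request_line.split()
    if len(fields) < 2:
        return None
    query = parse_qs(urlsplit(fields[1]).query, keep_blank_values=True)
    if set(query) != {"i"} or len(query["i"]) != 1:
        return None
    return query["i"][0]


def extract_response_payload(body: str) -> Optional[str]:
    """Still-encoded string between the first <p>...</p> pair."""
    match = re.search(r"<p>(.*?)</p>", body, re.S)
    return match.group(1) if match else None


def classify_command(decoded_response: str) -> str:
    """Handler a decoded response would reach. Assumption (not stated on the
    page): the command letter is the first character."""
    if not decoded_response:
        return "empty"
    letter = decoded_response[0]
    if letter in COMMANDS:
        return COMMANDS[letter]
    if letter in UNIMPLEMENTED:
        return "unimplemented (string present, no handler)"
    return "unknown"


def triage_exchange(request_line: str, response_body: str,
                    decode: Callable[[str], str] = lambda s: s) -> dict:
    """One request/response pair. The encoding is undocumented, so `decode`
    is a hook; the identity default only works on already-decoded input."""
    raw_i = extract_i_param(request_line)
    raw_p = extract_response_payload(response_body)
    beacon = parse_beacon(decode(raw_i)) if raw_i is not None else None
    command = classify_command(decode(raw_p)) if raw_p is not None else "no <p> payload"
    return {"beacon": beacon, "command": command}


if __name__ == "__main__":
    # Constructed sample exchange with an already-decoded "i" value; the
    # path /index.asp is made up for the example.
    req = "GET /index.asp?i=V0.9.6Y-SN1-LAB-PC-01-10.1.2.3 HTTP/1.1"
    resp = "<html><body><p>m ipconfig /all</p></body></html>"
    print(triage_exchange(req, resp))
```

Feeding a real decoder into `triage_exchange` is the only change needed once the encoding is recovered; the parsing on either side of it stays the same.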

This malware employs several interesting evasion techniques. For
starters, it uses “hide in plain sight” techniques common to malware used
in targeted attacks. It specifies fake file properties, pretending to be
from Google or Microsoft.

[Figure: mutter-dropper-properties]

[Figure: mutter-dll-properties]

This brings us to the next “hide in plain sight” tactic we noticed.
Observe the size of the file above: a whopping 41 megabytes. With rare
exceptions, malware is typically small, usually no larger than a few
hundred kilobytes. When an investigator comes across a file many
megabytes in size, he may be discouraged from taking a closer look.
Interestingly, the original size of this particular DLL is around 160
kilobytes, although the PE headers already indicate its future size, as
shown below. The dropper decodes this DLL from its resource section,
drops it onto the victim’s system, and then fills the DLL’s resource
section with randomly generated data. This has the useful side effect of
giving each dropped DLL a unique hash, making it harder to identify by
hash alone.

[Figure: mutter-dll-size]
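The padding trick described above can be caught from the PE headers alone. The following Python triage script is an added example, not FireEye’s code and not derived from a Mutter sample: it walks the section table of a constructed PE32 skeleton (headers plus filler, not a real binary), flags any section that is both large relative to the file and near-random, and separately flags a file whose section headers promise more bytes than exist on disk, which is the state the DLL is in before the dropper fills its resource section. The entropy and size-share thresholds, the section layout and the timestamp used in the sample are assumptions of this example.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random data, 0.0 for one repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> Tuple[int, List[Dict]]:
    """DOS header -> NT headers -> section table. Returns the COFF
    TimeDateStamp (compile time) and one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec, timestamp, _symtab, _nsyms, opt_size = struct.unpack_from("<HIIIH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "data": pe[raw_ptr:raw_ptr + raw_size],  # shorter than raw_size if truncated
        })
    return timestamp, sections


def padding_report(pe: bytes, entropy_threshold: float = 7.5,
                   share_threshold: float = 0.5) -> Dict:
    """Two signals: (1) a section that is both most of the file and near-random
    (post-padding), (2) headers that declare more bytes than are on disk
    (pre-padding)."""
    timestamp, sections = parse_sections(pe)
    declared_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    padded = []
    for s in sections:
        ent = shannon_entropy(s["data"])
        share = len(s["data"]) / len(pe)
        if ent >= entropy_threshold and share >= share_threshold:
            padded.append(f"{s['name']}: {len(s['data'])} bytes, entropy {ent:.2f}, {share:.0%} of file")
    return {
        "compile_timestamp": timestamp,
        "file_size": len(pe),
        "declared_end": declared_end,
        "truncated": declared_end > len(pe),
        "padded_sections": padded,
    }


def random_blob(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random filler standing in for the junk the
    dropper writes into the resource section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample(rsrc: bytes, rsrc_declared: Optional[int] = None) -> bytes:
    """Constructed two-section PE32 skeleton (not a real binary). Timestamp
    1346112000 = 2012-08-28 00:00 UTC, a stand-in for the appendix dates."""
    opt_size = 224
    text = b"\x90" * 512
    text_ptr = 64 + 24 + opt_size + 2 * 40               # directly after the headers
    rsrc_ptr = text_ptr + len(text)
    declared = len(rsrc) if rsrc_declared is None else rsrc_declared
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 1346112000, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    secs = (SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
            + SECTION_HDR.pack(b".rsrc", declared, 0x2000, declared, rsrc_ptr, 0, 0, 0, 0, 0x40000040))
    return dos + coff + opt + secs + text + rsrc


if __name__ == "__main__":
    print(padding_report(build_sample(random_blob(64 * 1024))))               # padded DLL
    print(padding_report(build_sample(b"\0" * 1024, rsrc_declared=41 << 20)))  # pre-padding state
```

Comparing `compile_timestamp` across a dropper and the DLL it carries is the quick way to confirm the "compiled minutes apart" relationship noted earlier; the two size signals are what make a 41 MB file worth a second look rather than a reason to skip it.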

In addition to these hiding techniques, this malware also appears to
employ techniques to evade dynamic malware analysis systems. This has been
an ongoing trend in malware development that we and others have observed
several times in the past. The malware author adds code that delays
execution of the important functionality for some period of time, the
idea being that if the malware stalls for long enough, the dynamic
malware analysis system will give up on it and pass it off as benign.
This malware has two routines for which we could find no purpose other
than such evasion.

One routine is a function that simply runs a series of loops,
incrementing a local variable over and over, thousands of times. It
ultimately disregards the final value of this variable, so the function
serves no functional purpose. It is called many times throughout the rest
of the code, apparently to waste time.

Another routine seems to have a similar goal but a different approach.
This time, a loop calls sleep for a short interval. The loop runs many
times, and on each iteration it also allocates a chunk of memory on the
heap, performs math operations on it, and prints it to the console over
and over. This memory is never initialized to any value and is not used
anywhere later in the code; it is essentially junk. This seems to be
another means of wasting time.

We detect this malware as Backdoor.APT.NS01.

C&C Details

Most of the domains registered for C&C use in this campaign were
registered through the free dynamic DNS provider ChangeIP.com. Dynamic
DNS is a popular option since it is free and provides a convenient level
of anonymity. Looking at passive DNS records for other domains pointing
to the IP addresses used to host the C&C services turned up many other
related domains. Various subdomains of winsupdate.com have pointed to
several of the same IPs as the Mutter domains. This is interesting
because “winsupdate” is the name of the folder Mutter creates on victims’
systems. Furthermore, this domain is not a publicly available dynamic DNS
provider, and the email address used to register it is
binalakshminp@yahoo.com. We cannot be certain, but this name could be a
reference to Binalakshmi Nepram, a writer and activist born in Manipur,
India, who campaigns for disarmament. This fits the theme we have
observed from other clues left behind in decoy documents. Another domain
that is indirectly linked is agfire.com, with the following interesting
registration information.

[Figure: mutter-agfire-info]

Agni is the Hindu god of fire. Notice the combination of India and
China references here. The email address used to register this domain
was also referenced in a Chinese developer forum, but nothing else
interesting was discovered about it.

The IP addresses hosting the C&C services are scattered all over
the world and are believed to be compromised hosts.

Attackers, Targets, and Timeline

The attackers appear to be the well-known and prolific “Comment Group”,
as we stated in our previous blog on Operation Beebus. This link was made
by finding several overlapping IP addresses used by Mutter and Beebus,
such as the following.

[Figure: mutter-c2-link]

The theme of these attacks appears to be South Asian politics. The hints
scattered throughout the documents and domain registrant information were
laid on pretty thick, which is something to be wary of. The only legible,
sensible decoy document observed so far reveals the interests of at least
one of the targets of this campaign: namely the military threat of
Pakistan to India and its growing relationships with other countries,
including China. The particular topic of this decoy document also
appears to be a common link between most of the targets we have seen:
unmanned vehicles.

The timeline below outlines the events specific to Mutter that we
had visibility into. This campaign is still ongoing with Mutter
callbacks being made to this day.

[Figure: mutter-timeline]

Appendix

Documents

Exploit Document MD5: b5f4a9aac67b53762ed98fafd067c803
Exploit: CVE-2012-0158
Exploit Document Filename: NA
Decoy Document Title: Pakistan’s Indigenous UAV industry
Decoy Document Author: GOPAL GURUNG
Decoy Document Last Modified: Aug 2nd 2010
First Seen: Aug 27th 2012

Exploit Document MD5: 92643bfa4121f1960c43c78a3d53568b
Exploit: CVE-2008-3005
Exploit Document Filename: 2012_3_12.xls
Decoy Document Title: NA
Decoy Document Author: NA
Decoy Document Last Modified: Jan 26th 2003
First Seen: Mar 22nd 2012

Exploit Document MD5: 4d5a235048e94579aab0062057296186
Exploit: CVE-2010-3333
Exploit Document Filename: Change of Address.doc
Decoy Document Title: Tele: 2619 4428
Decoy Document Author: kdly
Decoy Document Last Modified: Dec 6th 2011
First Seen: Dec 7th 2011

Exploit Document MD5: 589f10e2efdd98bfbdc34f247b6a347f
Exploit: CVE-2010-3333
Exploit Document Filename: Urgent message.doc
Decoy Document Title: NA
Decoy Document Author: Administrator
Decoy Document Last Modified: Feb 2nd 2003
First Seen: Mar 2nd 2012

Exploit Document MD5: fd9777c90abb4b758b4aff29cfd68b98
Exploit: CVE-2012-0158
Exploit Document Filename: NA
Decoy Document Title: Tariq Masud
Decoy Document Author: Haroon-ur-Rashid/Administrator
Decoy Document Last Modified / First Seen: Sept 11 2012 (only one date is given for this entry; the table does not say which of the two it is)

Malware

Dropper Filename: update.exe
Dropper MD5: 725fc0d7a8e7b9e01a83111619744b6f
DLL Filename: msdsp.dll
Mutex: 654234576804d
C&C Host: cdind.antivirup.com:8081
Decoded “i” Value: V0.9.6Y-SN1-<hostname>-<IP address>
Compile Time: Aug 28th 2012

Dropper Filename: igfxtray.exe
Dropper MD5: 681a014e9d221c1003c54a2a9a1d9df8
DLL Filename: winsups.dll
Mutex: mqe45tex13fw14op0
C&C Host: http.4pu.com:80
Decoded “i” Value: V0.7-SN0-<hostname>-<IP address>
Compile Time: Aug 28th 2012

Dropper Filename: NA
Dropper MD5: 6aac76fc8309e29ea8a7afea48ae9b29
DLL Filename: msdsp.dll
Mutex: 654234576804d
C&C Host: oracledata.ns01.us:80
Decoded “i” Value: V0.9.6X-SN1-<hostname>-<IP address>
Compile Time: Aug 12th 2012

Dropper Filename: ctfmon.exe
Dropper MD5: d5640ae049779bbb068eff08616adb95
DLL Filename: winsups.dll
Mutex: mqe45tex13fw14op0
C&C Host: mydns.dns2.us:443
Decoded “i” Value: V0.7-SN0-<hostname>-<IP address>
Compile Time: Aug 2nd 2010

Dropper Filename: igfxtray.exe
Dropper MD5: 681a014e9d221c1003c54a2a9a1d9df8
DLL Filename: winsups.dll
Mutex: mqe45tex13fw14op0
C&C Host: http.4pu.com:80
Decoded “i” Value: V0.7-SN0-<hostname>-<IP address>
Compile Time: Aug 2nd 2010

Dropper Filename: igfxpers.exe
Dropper MD5: 06d5dddd4c349f666d84a91d6edc4f8d
DLL Filename: msdsp.dll
Mutex: NA
C&C Host: NA
Decoded “i” Value: NA
Compile Time: (not given)

Thanks to Darien Kindlund for his assistance in research.
