The Sunshop Campaign Continues

We recently detected what we believe is a continuation of the Sunshop
campaign that we first revealed on May 20, 2013.

This follow-on to the Sunshop campaign started on July 17, 2013. In
this latest wave the attackers inserted malicious redirects into a
number of websites – at least two of which were also compromised in
the May 2013 edition of this campaign. The most prominent sites
compromised in this round of the campaign were maintained by a Human
Rights organization and an organization involved in science and
technology policy development.

The compromised websites redirected victims to
www[.]vwalls[.]com/maxi/enough/wildpost/files/2977.html. This page was
last modified on July 17, 2013 at 09:51:01 GMT and contained the
following code:

<applet archive="MnDK6AQJbV9qSo15.jar" code="Xxploit.class" width="1" height="1">
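The 1x1 applet tag above is the kind of artifact a defender would want to flag when reviewing the HTML of a site suspected of hosting a strategic web compromise. The following is an added example, not code from the original post or from FireEye: a small scanner built on Python's standard-library HTMLParser that reports applet elements rendered at 1x1 or smaller. The sample pages it is run on are constructed for the example; the only real values in them are the archive and class names quoted on this page.

```python
from html.parser import HTMLParser


def _to_int(value):
    """Parse an HTML width/height attribute ("1", "1px") into an int, or None."""
    if value is None:
        return None
    value = value.strip().lower().rstrip("px").strip()
    try:
        return int(value)
    except ValueError:
        return None


class HiddenAppletFinder(HTMLParser):
    """Collects <applet> tags whose rendered size is at most 1x1 pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "applet":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        width = _to_int(attr.get("width"))
        height = _to_int(attr.get("height"))
        # Only flag applets that are deliberately invisible to the visitor.
        if width is not None and height is not None and width <= 1 and height <= 1:
            self.findings.append(
                {
                    "archive": attr.get("archive"),
                    "code": attr.get("code"),
                    "width": width,
                    "height": height,
                }
            )


def find_hidden_applets(html):
    """Return a list of hidden applet findings for one HTML document."""
    parser = HiddenAppletFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a page carrying the applet tag quoted in the post.
SUSPICIOUS_PAGE = """<html><body>
<p>Loading...</p>
<applet archive="MnDK6AQJbV9qSo15.jar" code="Xxploit.class" width="1" height="1">
</applet>
</body></html>"""

# Constructed sample: a visible applet with ordinary dimensions (not a finding).
BENIGN_PAGE = """<html><body>
<applet archive="viewer.jar" code="Viewer.class" width="640" height="480"></applet>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(label, find_hidden_applets(page))
```

Running the block prints one finding for the suspicious page (archive MnDK6AQJbV9qSo15.jar, code Xxploit.class) and an empty list for the benign page. The size check is deliberately narrow; a broader triage would also record every applet regardless of size so that unexpected .jar references can be reviewed.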

Payloads

A .jar file with the same filename and an MD5 hash of
8b88de786a219340ff04bc53de196f46 was uploaded to VirusTotal.com on
July 19, 2013. This malicious .jar exploited CVE-2013-2423 and dropped
an interesting variant of Trojan.APT.9002.

The dropped payload had an MD5 hash of
f4ba5fd0a4f32f92aef6d5c4d971bf14 and was compiled on June 25, 2013.
This Trojan.APT.9002 variant called back to appupdate[.]myvnc[.]com.
This domain resolved to 58.64.205.53 – one of the same command and
control IP addresses used in the Sunshop campaign.

A related .jar file with the filename fiUJ3OTjBWZEUH8H.jar (MD5:
04ad4f479997ca7bf8de216a67e23972) was also found. This jar file was
first uploaded to VirusTotal.com on July 17, 2013. This malicious jar
also exploited CVE-2013-2423 and dropped a modified 9002 RAT payload
with the MD5 53c5570178403b6fbb423961c3831eb2. This variant called
back to intelupdate[.]hopto[.]org, which resolved to 58.64.205.52. It
is possible that fiUJ3OTjBWZEUH8H.jar was used first and then swapped out
for MnDK6AQJbV9qSo15.jar for this instantiation of the Sunshop campaign.

Evasion

The typical 9002 variant sends the ASCII characters '9002' as the
first 4 bytes of its communications back to the command and control
server. In contrast, this modified variant sent the ASCII characters
'0113' as the first 4 bytes back to its command and control server.

Variant | Hex encoded beacon between victim and C2
9002    | 39 30 30 32 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00
0113    | 30 31 31 33 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00

This change, while seemingly minor, would evade signatures that
looked for the entire 24-byte string of the beacon packet. Bytes 5
through 24 are constant across both variants and are therefore better
candidates for signatures. FireEye detects both variants as Trojan.APT.9002.
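To make the signature point concrete, here is an added example (not code from the original post or from FireEye) that contrasts a brittle signature on the full 24-byte beacon with a robust one anchored on the constant 20 bytes at offsets 5 through 24. The two beacon byte strings are taken from the table above; the benign packet and the third, differently tagged beacon are constructed for the example to show that the robust check generalizes to any 4-byte tag. The Snort-style content clause it emits is an assumption about how one would express the same match in a rule.

```python
# Beacon packets as listed on this page: a 4-byte ASCII tag followed by a
# 20-byte tail that is identical across both variants.
BEACON_TAIL = bytes.fromhex("0c00000008000000" "19ffffffff" "00000000110000")
BEACON_9002 = b"9002" + BEACON_TAIL      # 39 30 30 32 0c 00 ...
BEACON_0113 = b"0113" + BEACON_TAIL      # 30 31 31 33 0c 00 ...

# Constructed for this example: a packet that shares no bytes with the beacon.
BENIGN_PACKET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# Constructed for this example: a hypothetical beacon with yet another tag.
HYPOTHETICAL_BEACON = b"ABCD" + BEACON_TAIL


def brittle_signature(payload: bytes) -> bool:
    """Match the entire 24-byte '9002' beacon; misses the '0113' variant."""
    return payload[:24] == BEACON_9002


def robust_signature(payload: bytes) -> bool:
    """Match only bytes 5 through 24, which are constant across variants."""
    return len(payload) >= 24 and payload[4:24] == BEACON_TAIL


def beacon_tag(payload: bytes):
    """Return the 4-byte tag as text when the constant tail matches, else None."""
    if not robust_signature(payload):
        return None
    return payload[:4].decode("ascii", errors="replace")


def scan(packets):
    """Classify a batch of captured payloads with both signatures."""
    results = []
    for index, payload in enumerate(packets):
        results.append(
            {
                "index": index,
                "brittle": brittle_signature(payload),
                "robust": robust_signature(payload),
                "tag": beacon_tag(payload),
            }
        )
    return results


def snort_content_clause() -> str:
    """Assumed Snort-style content clause anchored at offset 4 for 20 bytes."""
    hex_bytes = " ".join(f"{b:02x}" for b in BEACON_TAIL)
    return f'content:"|{hex_bytes}|"; offset:4; depth:20;'


if __name__ == "__main__":
    for row in scan([BEACON_9002, BEACON_0113, BENIGN_PACKET, HYPOTHETICAL_BEACON]):
        print(row)
    print(snort_content_clause())
```

The brittle check flags only the first packet, while the robust check flags packets 1, 2 and 4 and labels each with its tag, so analysts can still tell variants apart without losing coverage when the tag changes. The offset/depth clause pins the match to the same 20 bytes a packet-level rule would inspect.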

Conclusion

We are almost certain that the same actors responsible for the
original Sunshop campaign executed these most recent attacks. We
observed the following commonalities between the two attack cycles:

– At least two of the same strategic websites were compromised

– A variant of the same Trojan.APT.9002 malware was dropped

– The same C2 IP, 58.64.205.53, was used in both attacks

While it is unclear what prompted the modification of the
Trojan.APT.9002 backdoor, it is possible that the adversary felt this
modification would increase the attack's chances of success.

It is also unclear how easy it is for the adversary to implement
this change in the network protocol. This change could in theory be
enabled through an easy-to-use GUI builder, or it could be as complex as
making changes to the source code. The level of complexity of this
change and the availability of either a builder or the source code will
dictate how often we would expect to see similar changes in this tool.

This example of evasion at the network level also demonstrates the
importance of crafting robust signatures that will survive the changes
in techniques, tactics and procedures made by the adversary.
