Latest Adobe PDF exploit used to target Uyghur and Tibetan activists
March 2013 by AlienVault
Based on the samples we found, we believe this group has been running a spear-phishing campaign for the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim.
The exploit filenames include:
2013-Yilliq Noruz Bayram Merikisige Teklip.pdf
???.pdf
arp.pdf
Based on the lures we found, it seems the same group is targeting both Tibetan and Uyghur activists in the same campaign.
The JavaScript code inside the PDF files is very similar to that found in the Itaduke samples, but some of the initial variables and the obfuscation layer have been removed from the original.
The shellcode will create the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “0l23kj@nboxu”.
The malicious payload will perform the following operations:
– Copy \WINDOWS\system32\wuauclt.exe to %APPDATA%\wuauclt\wuauclt.exe
– Drop a malicious DLL under %APPDATA%\wuauclt\clbcatq.dll
– Execute %APPDATA%\wuauclt\wuauclt.exe
Note that wuauclt.exe is a benign system executable. Once the copied system file is executed, it resolves clbcatq.dll from its own directory first and loads the malicious DLL. This technique is known as DLL search order hijacking.
It is worth noting that the dropped clbcatq.dll does not export all the functions that the original clbcatq.dll has. It only implements the ones that are required to run the malicious code. Screenshots can be found at http://labs.alienvault.com/labs/
Once the malicious DLL is loaded, the malicious code will generate the HTTP request shown in the screenshot at http://labs.alienvault.com/labs/wp-content/uploads/2013/03/Screen-shot-2013-03-13-at-11.53.14-AM1.png
The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:
GetWorkType
InfectFile
The payload will drop the following files:
\WINDOWS\system32\wbem\4BA5E980.PBK
\WINDOWS\system32\wbem\mstd32.dll
The InfectFile function will patch some code in the system library WINDOWS\system32\mswsock.dll. Screenshot of the patched DLL: http://labs.alienvault.com/labs/
If we take a look at WSPStartup_0 (screenshot at http://labs.alienvault.com/labs/):
We can see how the malicious DLL mstd32.dll will be loaded every time the system library mswsock.dll is loaded by a program.
The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc.” We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.
Then the malicious code will perform an HTTP request every few seconds.
The final payload is detected as Trojan.Win32.Swisyn and it has a lot of functionality to monitor and steal data from the infected system.
We have identified the following C&C servers for both payloads:
ly.micorsofts.net
ip.micrsofts.com
xdx.hotmal1.com
hy.micrsofts.com
All the DNS names are pointing to 60.211.253.28 at this time.
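As an added example that is not part of the AlienVault post, the following Python routine matches the indicators described above (the dropped file paths, the clbcatq.dll search-order hijack beside the copied wuauclt.exe, and the C&C domains and IP) against constructed Sysmon-style events; the event field names and the sample paths are assumptions.

```python
# Indicators quoted from the report, lower-cased for matching.
CNC_DOMAINS = {"ly.micorsofts.net", "ip.micrsofts.com",
               "xdx.hotmal1.com", "hy.micrsofts.com"}
CNC_IP = "60.211.253.28"
DROPPED_FILES = (r"\wuauclt\clbcatq.dll", r"\wbem\4ba5e980.pbk", r"\wbem\mstd32.dll")
# System DLLs abused by the chain; a copy loaded from outside the system directory is the hijack.
SYSTEM_ONLY_DLLS = {"clbcatq.dll", "mswsock.dll"}

def _norm(path):
    return path.replace("/", "\\").lower()

def in_system_dir(path):
    return any(d in _norm(path) for d in ("\\windows\\system32\\", "\\windows\\syswow64\\"))

def check_image_load(image, module):
    """Flag a system-only DLL name loaded from a non-system directory."""
    name = _norm(module).rsplit("\\", 1)[-1]
    if name in SYSTEM_ONLY_DLLS and not in_system_dir(module):
        return f"dll search-order hijack: {image} loaded {module}"
    return None

def check_file_create(path):
    return f"known dropped file: {path}" if _norm(path).endswith(DROPPED_FILES) else None

def check_dns(query, answer=None):
    if query.lower() in CNC_DOMAINS or answer == CNC_IP:
        return f"C&C contact: {query} -> {answer}"
    return None

def triage(events):
    """Route constructed Sysmon-style event dicts to the matching check; return findings."""
    checks = {"image_load": lambda e: check_image_load(e["image"], e["module"]),
              "file_create": lambda e: check_file_create(e["path"]),
              "dns": lambda e: check_dns(e["query"], e.get("answer"))}
    return [f for e in events if (f := checks.get(e["type"], lambda e: None)(e))]

# Constructed sample telemetry mirroring the infection chain in the post.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\a\AppData\Roaming\wuauclt\clbcatq.dll"},
    {"type": "image_load", "image": r"C:\Users\a\AppData\Roaming\wuauclt\wuauclt.exe",
     "module": r"C:\Users\a\AppData\Roaming\wuauclt\clbcatq.dll"},
    {"type": "image_load", "image": r"C:\Windows\system32\svchost.exe",
     "module": r"C:\Windows\system32\clbcatq.dll"},           # benign load from system32
    {"type": "file_create", "path": r"C:\WINDOWS\system32\wbem\mstd32.dll"},
    {"type": "dns", "query": "ly.micorsofts.net", "answer": "60.211.253.28"},
    {"type": "dns", "query": "example.com", "answer": "192.0.2.10"},  # benign lookup
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```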
Both domains have been registered using the same mail address:
micorsofts.net
Created: 2008-05-12 01:51:10
Expires: 2013-05-12 01:51:10
Last Modified: 2012-05-02 13:26:38