The following is guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security .
Dale was kind enough to share a copy of the spear phishing email that he posted about here. This spear phish contained a link to a zip file hosted at hxxp://research.digitalvortex.com/. The downloaded zip file had the following properties:
This archive contained an executable with the following properties:
When executed in a lab environment this executable installed a Trojan downloader with the following properties:
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsvr.exe
As shown by this VirusTotal report, this downloader was only detected by 7 of 42 antivirus products. This downloader connects to a command and control server at hxxp://hint[.]happyforever[.]com via the following GET request:
GET /logo.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
The logo.html contained encoded instruction and payload. A snippet of the response is as follows:
The above text can be decoded via the following two-step process. First, decode with the standard base64 alphabet and then apply a single byte XOR key of 0×42. The <head> tag will decode to:
These commands instruct the spoolsvr.exe downloader to retrieve and decode a secondary payload contained in the <body> tag executable. The <title> tag will decode to:
This command instructs the spoolsvr.exe downloader to save the secondary payload decoded from the <body> tag onto the victim machine as tanghl.exe.
The tanghl.exe file is a Remote Access Trojan that gives the attacker full control of the victim machine. This tanghl.exe file had the following properties:
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\tanghl.exe
This RAT attempts to connect to another command and control server at 126.96.36.199 over port 80. Communications between the RAT and the control server are encoded via base64 and a single byte XOR key of 0x6b.
The above patterns of attack are very similar to attacks carried by the actors responsible for the Shady RAT campaign documented by McAfee. Similarities include the use of encoded commands hidden in otherwise normal looking webpages as well as an overlap in the command and control infrastructure used in this attack with previous Shady RAT attacks.
Ned Moran is a member of the Shadowserver Foundation (www.shadowserver.org) where he spends his time researching targeted attacks. He can be reached at ned /at/ shadowserver /dot/ org.
Image by Razza Mathadsa