Saturday, December 31, 2011

APT Attack against Hong Kong Political Parties

Story
Recently, I received two samples from two fellows who work in a political party. Both relate to the election of the coming Chief Executive; those fellows have recently joined that election as well. I then simply submitted the samples to various sandboxes and engines for analysis.

Wepawet:-
Basically, if you pass these two samples to Wepawet for analysis, it hangs and is useless.

JSUNPACK:-
If I pass them to JSUNPACK, it shows some decoded script. To be frank, it doesn't help me at all, but it is at least good to see that it decodes a lot.

GFI Sandbox:-

Afterwards, I submitted the samples to the GFI sandbox. It seems it cannot handle files with Chinese filenames, so I changed to an English one. The analysis tells me there is nothing wrong with the sample, and I cannot even get a result on the other sample (aha, maybe the engine is struggling with the decoding :)):

SandBox results for 111226EC_members_contact list.pdf
Analysis ID: 3053
Date Analyzed: 2011-12-30 13:13:56
Sandbox Attributes: IE 9, Office 2003, Adobe Reader 9.4, Flash 10.1, Java 6
MD5 Hash: cd151586b11090878fc495f3cea59525
Filename: 111226EC_members_contact list.pdf
File Type: PDF document, version 1.7

Digital Behavior Traits
Injected Code: NO
More than 5 Processes: NO
Copies to Windows: NO
Windows/Run Registry Key Set: NO
Makes Network Connection: NO
Creates EXE in System: NO
Starts EXE in System: NO
Starts EXE in Documents: NO
Deletes File in System: NO
Hooks Keyboard: NO
Creates Hidden File: NO
Creates DLL in System: NO
Creates Mutex: YES
Alters Windows Firewall: NO
Checks For Debugger: NO
Could Not Load: NO
Opens Physical Memory: NO
Modifies Local DNS: NO
Starts EXE in Recycle: NO
Creates Service: NO
Modifies File in System: NO
Deletes Original Sample: NO

VirusTotal Results
No Results

Manual Decoding Kungfu:-
I used typical manual analysis "kungfu", including JavaScript extraction and shellcode identification, but it was not helpful in identifying the exploit. The finding, however, is that the samples use a lot of simple but annoying obfuscation (4 diagrams shown below). I do feel disappointed with the above sandboxes and analysis tools, which readily fail to help researchers.

Xescan Engine:-
However, when I tried it out with our Xecure Engine, we identified both samples as exploiting CVE-2009-4324 and CVE-2010-2883 (credit to Mila Parkour, as she got this one out ;-)). I found that the samples do not originate from any big, major evil task force; it looks like a newly emerging one. Finally, I say "Good Luck" to my fellows.

3 comments:

  1. If you want to grab the samples, please let me know. :)

  2. The JS code style reminds me a lot of those who pushed out some of the first 2462 files. Specifically the use of variables that use one character of varying lengths. It seems this time they threw in a lot more try/except clauses to break the build, but retained some of the same function names. I have mappings of these names being used since 2009/2010 in different exploits.

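As an added example (not the author's or a commenter's code), a small Python triage script that does the manual step the post describes, pulling /JS payloads out of a PDF and inflating FlateDecode streams, and then scoring the obfuscation style the second comment points at (variable names built from one repeated letter, try/catch padding). The PDF, its script and the heuristic thresholds are constructed here; the real samples are not on the page.

```python
import re
import zlib
# Constructed stand-in for the samples (the real ones are not on the page): a PDF
# whose OpenAction runs a FlateDecode-compressed, lightly obfuscated script.
SAMPLE_JS = (b"function aaa(a){try{var aa=unescape(a);}catch(aaaa){}}"
             b"try{aaa('xy');}catch(aa){}"
             b"var aaaaa=app.media.newPlayer(null);")
_DEFLATED = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n"
              b"3 0 obj<</Filter/FlateDecode/Length " + str(len(_DEFLATED)).encode()
              + b">>stream\n" + _DEFLATED + b"\nendstream endobj\n%%EOF\n")

_OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
_JS_RE = re.compile(rb"/JS\s*(?:(\d+) 0 R|\((.*)\))", re.S)  # indirect ref or literal

def extract_js(pdf):
    """Return every /JS payload, following indirect refs and inflating streams."""
    objs = {int(m.group(1)): m.group(2) for m in _OBJ_RE.finditer(pdf)}
    scripts = []
    for body in objs.values():
        m = _JS_RE.search(body)
        if not m:
            continue
        if m.group(1):                       # /JS 3 0 R: script lives in a stream
            target = objs.get(int(m.group(1)), b"")
            s = _STREAM_RE.search(target)
            data = s.group(1) if s else b""
            if b"/FlateDecode" in target:
                data = zlib.decompress(data)
        else:                                # /JS (...): inline literal string
            data = m.group(2)
        scripts.append(data)
    return scripts

_IDENT_RE = re.compile(rb"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
_KEYWORDS = {b"var", b"function", b"try", b"catch", b"null", b"new", b"return"}

def obfuscation_report(js):
    """Triage signals: repeated-letter names, try/catch padding, unescape(), newPlayer()."""
    names = {n for n in _IDENT_RE.findall(js) if n not in _KEYWORDS}
    return {
        "distinct_names": len(names),
        "repeated_char_names": sum(1 for n in names if len(set(n)) == 1),
        "try_catch": len(re.findall(rb"\btry\s*\{", js)),
        "unescape": b"unescape(" in js,            # typical shellcode decoding step
        "newPlayer": b".newPlayer(" in js,         # API abused by CVE-2009-4324 exploits
    }
```

A high share of repeated-letter names plus several try/catch blocks is the style the comment describes; the newPlayer() and unescape() hits are only indicators and still need confirmation against the decoded script.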