Malware RSS Feed

The Spring Dragon APT

Malware Alerts - Wed, 06/17/2015 - 03:07

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label “the Lotus Blossom Operation“, likely named for the debug string present in much of the “Elise” codebase since at least 2012: “d:\lstudio\projects\lotus\…”.

The group’s capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years. Instead, the group is known to have employed half day spearphish exploits, strategic web compromises, and watering holes employing fake Flash player update re-directions. The group’s spearphish toolset includes PDF exploits, Adobe Flash Player exploits, and the common CVE-2012-0158 Word exploits including those generated from the infamous “Tran Duy Linh” kit. While ongoing attacks by the Spring Dragon APT take us back to a focus on Vietnam, they appear to have rolled out a steady mix of exploits against defense subcontractors around the world and government related organizations in VN, TW, PH, and other locations over the past few years. Let’s take a quick look at a couple more examples of their intrusion capabilities that haven’t been mentioned elsewhere.

Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned. But Spring Dragon’s infiltration techniques there were not simply 0158 spearphish, they also compromised sites. In one case, they replaced specialized font installers needed to render Myanma font. You can see an image here of the “Planet Myanmar” website in late 2012 distributing such a package. All of the zip links were redirected to a poisoned installer zip file. The download name was “”, and it dropped a “setup.exe” that contained several backdoor components, including an Elise “wincex.dll” (a42c966e26f3577534d03248551232f3, detected as Backdoor.Win32.Agent.delp). It beacons out with the typical Elise GET request “GET /%x/page_%02d%02d%02d%02d.html”, as documented in the Lotus Blossom paper.

Another APT later abused this exact site to deliver malicious VBS (CVE-2014-6332) exploits in November of 2014 with a Lurid variant payload. And that same group also served a malicious PDF exploit (CVE-2010-2883) from this site in June 2012 as “Zawgyi Unicode Keyboard.pdf”. Even earlier than that, they spearphished with that same PDF exploit object later hosted on the website under different file names. In November 2011, they used filenames appropriate for their spearphishing targets with this exploit like “台灣安保協會「亞太區域安全與台海和平」國際研討會邀 請 函_20110907.pdf” (“Taiwan Security Association International Seminar Invitation – the Asia-Pacific regional security and peace in the Taiwan Strait”), “china-central_asia.pdf”, “hydroelectric sector.pdf”, and various governmental related proposals. In this case, there was unexpected overlap from two APT.

Another interesting technique that we observed in use against government targets was a campaign that lured recipients to a site redirecting users to a spoofed Flash installer site.

This site in turn redirected users to a Flash installer bundled with the common Elise backdoor, eventually communicating with and its usual “GET /14111121/page_321111234.html HTTP/1.0″.

hxxp:// → redirected to
hxxp:// (Trojan-Dropper.Win32.Agent.ilbq)

While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past, Spring Dragon employs more involved and creative intrusive activity as well.

The Duqu 2.0 persistence module

Malware Alerts - Mon, 06/15/2015 - 10:30

We have previously described how Duqu 2.0 doesn’t have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.

The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.

During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on other side. By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.

In essence, the drivers are redirecting network streams to and from the gateway machine that runs it. To forward connections, the attacker first has to pass a network-based “knocking” mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: “romanian.antihacker” and “ugly.gorilla”.

We described one of these drivers in our whitepaper about Duqu 2.0 (see “The ”portserv.sys” driver analysis” section). Let us repeat some of the most important details. The driver listens to the network and expects a special secret keyword (“romanian.antihacker” in that case). After that, it saves IP of the host that passed the correct secret keyword and starts redirecting all packets from port 443 to 445 (SMB) or 3389 (Remote Desktop) of that server. This effectively allows the attackers to tunnel SMB (i.e. remote file system access) and Remote Desktop through the gateway server while making it look like HTTPS traffic (port 443).

In addition to the “romanian.antihacker” driver, we have discovered another one which did a similar job, however, supporting more connections in a more generic way:

  1. If the driver recognizes the secret keyword “ugly.gorilla1” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 445 (SMB)
  2. If the driver recognizes the secret keyword “ugly.gorilla2” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 3389 (RDP)
  3. If the driver recognizes the secret keyword “ugly.gorilla3” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 135 (RPC)
  4. If the driver recognizes the secret keyword “ugly.gorilla4” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 139 (NETBIOS)
  5. If the driver recognizes the secret keyword “ugly.gorilla5” then all traffic from the attacker’s IP will be redirected from port 1723 (PPTP) to 445 (SMB)
  6. If the driver recognizes the secret keyword “ugly.gorilla6” then all traffic from the attacker’s IP will be redirected from port 443 (HTTPS) to 47012 (currently unknown).

We would like to note that one port here looks quite suspicious: 47012. So far, we haven’t seen any other Duqu 2.0 components using this port, nor have we found any other common malware, backdoor or legitimate software using this port (also according to SANS). However, considering that this port number was hardcoded into the malware this may be a good indicator of compromise for Duqu 2.0.

Part of the malware with array of secret keywords

This 64-bit driver contains an internal DLL name, “termport.sys”, while the filename in the filesystem was “portserv.sys”. This most likely means that the attackers change filenames for different operations and detection of this attack should not solely rely on names of the files. The compilation timestamp is apparently fake here: “Jul 23 18:14:28 2004”. All the discovered driver files were located in “C:\Windows\System32\drivers\”.

Perhaps the most important part of this attack strategy is the digital signature used for the 64-bit driver. Because this is a mandatory requirement on 64-bit Windows systems, the driver had a valid digital signature. It was signed by “HON HAI PRECISION INDUSTRY CO. LTD.(also known as “Foxconn Technology Group”, one of the world’s largest electronics manufacturers).

Digital signature of attacker’s driver

According to the information from the driver it was signed at 20:31 on 19.02.2015. Below are some more details provided by SysInternal’s sigcheck utility:

Verified:              Signed
Signing date:   20:31 19.02.2015
Description:        Port Optimizer for Terminal Server
Product:               Microsoft Windows Operating System
Prod version:   6.1.7601
File version:   6.1.7601 built by: WinDDK
MachineType:   64-bit
MD5:     92E724291056A5E30ECA038EE637A23F
SHA1:   478C076749BEF74EAF9BED4AF917AEE228620B23
PESHA1: F8457AFBD6967FFAE71A72AA44BC3C3A134103D8
PE256:  2891059613156734067A1EF52C01731A1BCFB9C50E817F3CA813C19114BFA556
SHA256:  BC4AE56434B45818F57724F4CD19354A13E5964FD097D1933A30E2E31C9BDFA5

According to Wikipedia “Foxconn Technology Group” is the world’s largest electronics contract manufacturer and is headquartered in Tucheng, New Taipei, Taiwan.

Major customers of Foxconn include or have included some of the world’s largest enterprises:

  • Acer Inc.
  • Apple Inc.
  • BlackBerry Ltd.
  • Cisco
  • Dell
  • Google
  • Hewlett-Packard
  • Huawei
  • Microsoft
  • Motorola Mobility
  • Nintendo
  • Nokia
  • Sony
  • Toshiba
  • Xiaomi
  • Vizio

Foxconn manufactures several popular products including BlackBerry, iPad, iPhone, Kindle, PlayStation 4, Xbox One and Wii U.

The same certificate was used by the manufacturer to sign several WatchDog Timer Kernel drivers (WDTKernel.sys) for Dell laptops in February 2013.


During our previous research into Stuxnet and Duqu we have observed digitally signed malware (using malicious Jmicron and Realtek certs). Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when we observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.

Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.

Finally, it’s interesting that the Duqu attackers are also careful enough not to use same digital certificate twice. This is something we have seen with Duqu from both 2011 and 2015. If that’s true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.

Both Verisign and HON HAI have been informed about the use of the certificate to sign the Duqu 2.0 malware.


Sample MD5 (portserv.sys): 92e724291056a5e30eca038ee637a23f

Serial number of Foxconn certificate used by Duqu attackers:

‎25 65 41 e2 04 61 90 33 f8 b0 9f 9e b7 c8 8e f8

Full certificate of the malicious driver:


The Mystery of Duqu 2.0:a sophisticated cyberespionage actor returns

Malware Alerts - Wed, 06/10/2015 - 08:00

Duqu 2.0 Technical Paper (PDF) can be found here
Indicators of Compromise (IOC) can be found here

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.

Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.

Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.

From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.

At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.

More details can be found below:

Duqu 2.0: Frequently Asked Questions
Press release

Duqu 2.0 – Indicators of Compromise (IOCs) MD5s

Action loaders:





Yara rules rule apt_duqu2_loaders { meta: copyright = "Kaspersky Lab" description = "Rule to detect Duqu 2.0 samples" last_modified = "2015-06-09" version = "1.0" strings: $a1="{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide $a2="\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide $a4="\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide $a5="Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide $a8="SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide $a9="SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide $a7="SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide $b1="MSI.dll" $b2="msi.dll" $b3="StartAction" $c1="msisvc_32@" wide $c2="PROP=" wide $c3="-Embedding" wide $c4="S:(ML;;NW;;;LW)" wide $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase $d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40} condition: ( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 ) or ( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 ) } rule apt_duqu2_drivers { meta: copyright = "Kaspersky Lab" description = "Rule to detect Duqu 2.0 drivers" last_modified = "2015-06-09" version = "1.0" strings: $a1="\\DosDevices\\port_optimizer" wide nocase $a2="romanian.antihacker" $a3="PortOptimizerTermSrv" wide $a4="ugly.gorilla1" $b1="NdisIMCopySendCompletePerPacketInfo" $b2="NdisReEnumerateProtocolBindings" $b3="NdisOpenProtocolConfiguration" condition: uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000 }

To check your network for Duqu’s 2.0 presence, you can also use the open IOC file available here.

Microsoft Security Updates June 2015

Malware Alerts - Tue, 06/09/2015 - 17:37

Microsoft releases eight security bulletins today, updating a set of forty five software vulnerabilities. This month’s updates touch a smaller set of Microsoft software, but two of the Bulletins address kernel-level vulnerabilities and require a restart. Some are being exploited as a part of serious targeted attack activity:

  • Windows Kernel, win32k.sys (MS15-061)
  • Internet Explorer – critical
  • Windows Media Player – critical
  • Microsoft Common Controls
  • Microsoft Office
  • Active Directory Federation Services
  • Exchange Server

Two are rated Critical (MS15-056 for Internet Explorer and MS15-057 for Windows Media Player) because of their remote code execution severity. The Internet Explorer bulletin alone fixes over 20 memory corruption vulnerabilities in the IE codebase.

Most interesting of all the bulletins this month turns out to be MS15-061, patching eight different software flaws in the kernel. In particular, cve-2015-2360 was a difficult find, and this 0day was reported by our own talented colleague Maxim Golovkin. This issue presented itself within win32k.sys, which fails to properly free memory after use. It might be rated “Important” as an escalation of privilege vulnerability, but defending against its deployment as a part of targeted attack activity is most certainly critical.

Please update your Windows systems asap.

Infosecurity Europe 2015

Malware Alerts - Thu, 06/04/2015 - 04:23

This week we joined droves of vendors and executives in celebrating InfoSecurity Europe’s 20 year anniversary. The venue, the London Olympia, is a behemoth filled wall-to-wall with company banners, awkward sales pitches, gimmicky totebags, gift lightsabers, and ‘free’ prosecco readily exchanged for cloud security pitches.

Security vendors, security vendors everywhere

This year, the organizers wisely decided to add a small conference annex under the banner of ‘Intelligent Defence’ with the intention of attracting a more content-oriented crowd. The talks were largely research-oriented and included a fair serving of IoT bashing and malware hunting.

Here we presented our ongoing research project on whitelisting titled ‘Wolf in Sheep’s Clothing: Your next APT is Already Whitelisted’ – stay tuned for an extensive analysis!

Intelligent Defence included notable presentations by Andrew Hay (OpenDNS), Daniel Mende (ENRW), and Sergey Bratus (Dartmouth). Hay gave us a preview of his ‘labor of love’ paper on IoT beaconing in the enterprise (found here), an extensive research into the domain queries common IoT products perform out of the box and their unregulated penetration into industry verticals.

Daniel Mende walked us through performing an analysis of proprietary network protocols, effectively lifting the veil of security by obscurity by not just showcasing the failure of this particular nameless protocol but also providing the crowd with a sense of the relative ease with which these protocols can be probed, dismantled, and effectively obviated.

Finally, Sergey Bratus shared a brilliant exposition of the complex relationship between defensive and offensive computing, partially defined in terms of ‘weird machines‘  to ease a widespread difficulty in describing the dynamics that enable fruitful InfoSec research  – that difficulty subsequently leads to problematic regulatory over simplifications like the expansion of the Wassenaar arrangement currently under consideration.

Intelligent Defence is a strong step in the right direction for Europe’s largest InfoSec conference. We hope to see you there next time.

Change that password!

SANS Tip-of-the-Day - Wed, 06/03/2015 - 22:36


Subscribe to RIT Information Security aggregator