01 Nov 2012 03:00 AM
Thanks to the Websense® ThreatSeeker® Network, we have detected that an Iranian website has been compromised to serve a Remote Administration Tool (RAT) called VertexNet. This website does not have a high Alexa rank, but is one of a few cases which has caught our attention. The targeted website (hxxp://www.sarifire.ir) seems to be a portal documenting the activities of firefighters in the city of Sari, located in northern Iran. Given Iran's high profile in recent news stories, we decided to analyze this case. At this time, the website still seems to be injected, as shown below:
In the following snippet of code, we see yet another Java-driven attempt to install the specified ".exe" file referenced by the URL hxxp://thesilentecho.com/tmp/kav.exe:
Although at this time the JAR file is not available, a quick Google search using the name of the Java class ("alakazam.class") in the code snippet above reveals the following Pastebin submission (http://pastebin.com/DbT64XfG). This code seems directly related to the Java JAR file used in this attack:
In the red box, we see the same parameter name that is used in the applet section of the injected website. Also, from what we see, the website seems to be compromised from the server side, because every requested web page contains the same injected code. As reported recently in a previous blog post, the injected code does not exploit any Java vulnerabilities. Instead, it tries to load the binary file "kav.exe" using the "url" parameter. We decided to focus our attention on looking for some interesting patterns, which led our investigation to suspect a targeted attack, based on the kind of malware used and the website's audience. Although this is a government-affiliated portal, the targeted users could be civilians as well as users from inside the government's LAN. We submitted the binary file for Websense ThreatScope™ analysis, with the following result:
The full report is found here: http://aceinsight.websense.com/fileanalysisreport.aspx?rid=8C0C7F7F736D4AFDB075F766AE466C87. From the network traffic exchanged between an infected system and the C&C, it is possible to retrieve clear syntax of the commands sent as the first dialogue. For example, the following command:
is quite self explanatory, revealing the UID, the LAN IP address, the computer name (cmpname parameter), and other geographical data. The parameter "ver" is the release version of this RAT. This kind of HTTP request is usually present on botnets and implemented around the HTTP protocol as a way to communicate with the C&C. At the time of this analysis, the domain "www.chat-mr.com" looks like it has expired, but the whois information seems to have been continuously updated. Here is the graph view from Robtex:
We started a static analysis of the binary file "kav.exe" (MD5: F6B258F2C3F10A5D35C8FF852FB6A004). The file is not packed, permitting easy access to clear text strings. One of the most interesting is this one:
The string above represents a debug file used during the building of the binary "kav.exe", in which we clearly see the name of the RAT: VertexNet. An Internet search led us to one of the forums where this RAT has been reported:
From other strings, we can determine the features implemented in this RAT, as follows:
As confirmed also by an analysis released by an individual researcher, VertexNet has the usual features of other tools of this kind, such as: downloads files from a URL, runs new processes, updates the C&C, forces the user to visit a URL, and so on. We think that one of the most used features may be the activation of a keylogger, highlighted in the screenshot above.
Due to the potential audience for this website, we tried to figure out the reasons of this attack. We can be lead into thinking that this could be a reconnaissance attack with the aim of breaching the systems of some affiliated government internet user. Due to the tools used (the VertexNet RAT is free, as well as the control panel) we could reach the conclusion that this is probably an isolated injection to impact some systems, thanks to some misconfiguration inside the hosting provider of this website.
Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).