20 Nov 2012 01:33 AM
Thanks to the Websense® ThreatSeeker® Network, Websense Security Labs™ recently detected an unusual domain name that we have analyzed. The domain name, "inte1sat", substitutes the number "1" for the lower case letter "l", an example of "leet" substitution that surfaced in the 1980s and is still used today. (Leet is a method of constructing words by substituting numbers for letters.)
The first step in our investigation was to look into the content of the URL: hxxp://www.inte1sat.com:
As so often happens, the content revealed what appeared to be another Java exploit attempt. We decided to set aside content analysis for the moment and investigate instead the domain name spelled in its normal alpha-English form: "Intelsat.com". Googling Intelsat.com we learned that it is a company involved in satellite technologies and satellite-enabled services (including IP trunking, telecommunications, and more).
Although it was tempting to conclude that "inte1sat.com" is just a "typo squatting domain", we proceeded to Google "www.inte1sat.com" with the following interesting result:
At first glance, as shown above, it appears that the domain is specified in documents stored on the USA Federal Communications Commission (FCC) website. The FCC mandate states: "The Federal Communications Commission regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories."
At this point we looked at the publicly accessible PDF files that came up in the Google search. When we looked for instances of "inte1sat.com" in the files, we didn't find any. The only explanation we could think of, which is highly speculative, is that there might be a misidentification of the character "l" by the OCR algorithm of the Google PDF caching mechanism when the PDFs files are scanned or faxed as shown below:
Although we couldn't yet connect any dots, the collection of weird indications kept us going. We decided to return to the content of the original domain.
The content clearly shows that it is using Metasploit to retrieve a JAR file that uses the well-known CVE-2012-4681 that hijacks the JAVA Security Manager by generating exceptions. Evidence of this is shown below:
Here is the code used to generate the exceptions:
When the exploit is successfully executed, it loads and runs the EXE binary file "IrFKDDEW.exe" embedded in the JAR file. The MD5 of this file, as reported here, indicates that it leads to a backdoor. We submitted the binary file to Websense ThreatScope™ and it detected malicious threats as reported here. Analyzing just the network traffic generated by the malware, we discovered the following behavior:
Each HTTP request was directed to the following domain:
By retrieving and examining the HTTP stats from Wireshark, we discovered that the requested URLs are unique, except one that is called twice. Also, the pattern of requested URLs looks something like a pseudo random generation algorithm:
The URLs are "called" on a regular time interval. C&C (command and control) is "net.chiquita-brands.com" hosted at IP address 220.127.116.11. Robtex provides this information about that IP address:
Looking at our ThreatSeeker Network database, we see that this host has been known since July 9, 2012. We also note that it appears to be largely unknown to the greater security community, according to Virustotal.
Next we used Robtex to examine the WHOIS record for chiquita-brands.com:
Using the registration information, we found a paper authored by Command Five that indicates that the contact has been registering domains involved in APT and corporate cyber espionage attacks. The entire document is available here: http://www.commandfive.com/papers/C5_APT_SKHack.pdf
We cannot confirm that there is a problem in the Google OCR PDF caching mechanism that results in instances of "inte1sat.com" showing up in search results, particularly those of papers hosted by the FCC. We can conjecture that if there is a flaw, it is being exploited via a typo squatting technique to deliver an exploit.
Continuing our search, we discovered additional strong evidence. Going back to the beginning of the analysis, it turns out that the IP address 18.104.22.168, where "inte1sat.com" is hosted, also hosts many other domains. Four especially attracted our interest. Specifically:
- hxxp://net.peasoul.com has been used in Chinese hacking activities and in targeted attacks as reported in this Pastebin link: hxxp://pastebin.com/yKSQd5Z5
- hxxp://www.attwirelessnetwork.com is another obvious typo squatting domain for the original hosted at www.wireless.att.com (AT&T Wireless website )
- hxxp://www.rad-waste.org is a clear typo squatting domain for the original web site: hxxp://www.radwaste.org, a Web site for radioactive waste management professionals
Each of the typo squatting hosts are active at this time and contain the following content:
Using Robtex to retrieve the WHOIS information, we discovered that three of the domains are registered to the name "Xiaohua Dai":
Registrar for hxxp://rad-waste.org
Registrar for hxxp://attwirelessnetwork.com
Registrar for hxxp://inte1sat.com
Only one is registered to another name (Jiaxin Technology - Yong Liu):
Registrar for hxxp://peasoul.com
There are also several other domains detected on IP address 22.214.171.124, including ssl.mailyuidyahooapis.com and bloomberg-global.com. These may also be used for typo squatting attacks, but at this time those sites are not active.
Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).