In the previous part of our report, we analyzed  the malicious content detected in the domain "rotary-eclubtw.com". We detected the exploitation code for the vulnerability CVE-2012-4792 and analyzed the Flash file which was used to contain the heap spray code and the shell code. In this part we are going to show some of the details that we extracted from the shell code and from behavioral analysis of the malware installed after a successful exploiting attempt. We have also added some details related to the domain name using the WHOIS records and internal data.

Why are waterhole attacks occurring? What is the attackers' objective, both here and in other cases? As we learned from this analysis, the malware is used to steal files from compromised computers, while also enabling monitoring of the user's emails and other activities. We also found suspicious ties to sites potentially targeting high technology suppliers, perhaps in Taiwan. Read on for details of the attack.

From the shellcode contained in the SWF file mentioned in the first part of this blog, we have extracted and disassembled, specifically, the Windows XP shellcode. To do this, we used the tool shell2exe which allowed us to obtain a consistent PE file by inputting the sequence of bytes of the shellcode. There is also an online version of this tool provided by sandsprite.org. In the following screenshot we can see the first stage which decrypts the remaining code using the XOR key "2Eh":

After this first stage the execution flow is passed to the code just decrypted, which, as its first action, tries to create a file in the operating system temp path named "dw20.exe":

Another interesting detail is the search in memory for the string "KONG" which as mentioned in the first part of our analysis, has been used as a prefix of the content of the variable "THISISIT" in the first HTML code from which we started this analysis. So, once this string is detected in memory, the file created previously, "dw20.exe", is filled up with the value of the array "THISISIT" stripped of the marker "KONGK":

Once the encoded file is detected in memory it is passed to another assembly routing which applies another XOR operation using the key "BFh":

Following the logic of the shell code, we had extracted the encoded stream and applied the XOR on it, obtaining a file with MD5: 1ad6afeec913f4c3a0ffce0093cddf21. At this time the file seems to have a low detection as reported here. We submitted this file to the Websense® ThreatScope™ service with the following result:

The full report is available here. The initial lookup of this .EXE file seems to produce some suspicious details. Firstly it is signed with an invalid certificate as shown below:

A suspicious resource section named  "DATA" was also detected, which is loaded and decrypted at runtime:

The code where this resource is referenced was found during the dynamic analysis, and is loaded afterwards by the function called at the address 0x00403f02:

Following the execution of this file, we noticed the creation of the file "ntshrui.dll"  and the use of the Windows system file: "wdmaud.drv": 

The file "ntshrui.dll" has been submitted to Virustotal and the report again shows a low detection of malware, but thanks to these two file names we located a Microsoft report, from which we can deduce that we are talking about the same family of malcode (named Fucobha.A). From the Microsoft analysis it is also possible to see that while this malware is used specifically to download files from the impacted systems, it also permits monitoring of emails and the user's activity. Also, the report shows that the same behavior is used in the persistence mechanism as an injection in a new instance of the process "explorer.exe" as shown here:

In the previous screenshot, it is possible to see unusual network activity in the process "explorer.exe" - in fact, once executed, the malware contacts the host "hxxp://www.rotary-eclub.com" ( IP address 118.212.64.23 TCP port 4356 ) to start sending information gathered from the impacted system as follows:

As is possible to see from the network traffic, the information exchanged between the impacted system and the C&C is encrypted:

The first message contains encrypted basic information (such as the operating system version, installed service pack, local IP address and so on) for the impacted system.  We tried to analyze the injected code in the process "explorer.exe" and discovered the parser that handles the commands once they are decrypted. Here we can see the check for two specific commands: "ptt" and "skc":

The WHOIS information for the C&C "hxxp://www.rotary-eclub.com" provides a strong link with the host "hxxp://www.rotary-eclubtw.com" as shown below:

Here is the WHOIS information for the C&C domain:

By googling for YOVOLE.COM, we found that this Chinese Service Provider has been reported as one of the most active for phishing related attacks as detailed in this report. Also, using our internal database we detected that the registrant "2207406762@qq.com" has recently registered other interesting domain names. Specifically:

From this it is possible to detect a weird coincidence: zhiaoit and zy-intl are keywords which on Google provide results related to high technology suppliers as shown below:

Still another note: using the location address gathered from the WHOIS information, we can see via Google Maps the geographical location where the C&C is hosted is actually just across from the island of Taiwan:

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine). 

Thanks to Websense® ThreatSeeker® technology, it has been possible to detect a domain which we believe is involved in a spear phishing campaign against the users of a Rotary Club online service.  The Rotary Club (also called Rotary International) is an organization that provides humanitarian services, encourages high ethical standards in all vocations, and promotes charity actions. Since the Rotary Club is a worldwide organization, each country has a number of  local "clubs" for each region and they have also established an online service called  "Rotary eClub".  

Specifically, we discovered another attempt to exploit the Internet Explorer vulnerability CVE-2012-4792, which was discovered in a "water holing" attack against the USA Council of the Foreign Relations website (http://www.cfr.org). The results of our analysis were in accordance with those reported in this blog: apparently another worldwide campaign against several organizations which have in some way attracted the interest of the attackers due to the specific audiences for their sites. In this first part of the analysis, we will report our investigation into the obfuscated code and the exploit code detected. In the second part, we will present the analysis of the unusual mechanism implemented in the shellcode that runs the malware which is installed if the exploit is successful. We will also look at some details of the malware behavior and expose some details behind the involved domains and the infrastructure of this attack.  

The suspicious domain in our analysis is "rotary-eclubtw.com", which has apparently been registered to target the Taiwanese users of the Rotary eClub service as shown in the following screenshot:

To find more information about the Rotary eClub located in Taiwan , we used the regional "Club" locator available on the Rotary official Web site:

One of the interesting results from that research is as follows:

The comparison between the domain under investigation (hxxp://rotary-eclubtw.com) and the legitimate Web site http://www.rotaryeclub.org.tw appears to show a case of typo-squatting, and the maliciousness of that domain is confirmed by looking at the content, as shown below:

At first glance, the content seems to be split into two well-defined blocks. Further analysis confirms that the same page hosts the malicious script that is assigned to the JavaScript variable "c" as shown below, and an encoded stream assigned to the variable "THISISIT":

"THISISIT" is the container for a stream which at first glance seems to be a nonsense array of characters with a prefix "KKONG". In the next part of our analysis we will better understand the role of this specific "marker" and how it has been used by the attackers.

The main function which is called during the loading of the page is the function "download()" referenced in a HTML object named  "test":

By deobfuscating the value of the Javascript variable "c", we obtain the clear code and can see that the "download()" function is implemented in the first obfuscated block mentioned before. It uses the API XMLHttpRequest()  to detect the correct version of the Ajax dialect to use for dealing with the dynamic HTML modules of this exploitation mechanism:

We can also see the call to the function "callback()":

This is an Ajax convention to verify the availability of one file. The function callback() is called if available to gather information about the impacted system in order to guess the best pairs of parameters to start the exploitation process. For this reason, it is possible to detect the code used to guess the operating system version or, as reported below, for the detection of a Microsoft Office module available on Windows 7. This specific check is useful for the attackers because if one of the two ActiveX controls (SharePoint.OpenDocument.4 or SharePoint.OpenDocument.5) is present in the running operating system, they can use that to gain access to a specific DLL, distributed by default on Windows 7 systems, which permits the running of malicious code by bypassing memory randomization protection mechanisms such as ASLR:

To continue with the implementation of the "callback()" function, we notice a reference to another file named "DOITYOUR02.html" in each  "<object>" section:

The file DOITYOUR02.html looks like this:

which once decoded becomes:

The "load()" function is an Ajax function that loads data from a server and puts the returned data into the selected element. In this case the element is  "test": the same name as the HTML object mentioned before. This makes it as a unique HTML object used by all the dynamic HTML modules during the exploitation process. Following the code of the function "loader()", it is possible to detect the removal, through the regular expression, of the string "jj" from the obfuscated content stored in the file "DOITYOUR01.TXT". Following this step manually:

we obtained an hexadecimal stream:

which converted to ASCII became:

The code above is the exploit code which is responsible, due to an "user after free" bug, for triggering the Internet Explorer vulnerability (CVE-2012-4792). This vulnerability is also called "CButton IE 0day" and in the snippet of code above, the steps to reproduce the "user after free" bug are highlighted in red. By working backwards it is possible to see the big picture of the flow: if the conditions for exploiting this vulnerability are good, the Flash file named "logo229.swf" is executed, and in the meantime the exploitation code hosted using the HTML file "DOITYOUR02.html" is also executed as reported before. 

The SWF file contains the heapspray code which facilitates the arbitrary code execution if the exploit is successful. Looking into the SWF file, we can see that is not the real heapspray code that we expected, but just a loader of another SWF file created "in memory": 

The content above is the disassembled ActionScript code which, after Base64 decoding, created in memory and ran another SWF file. To obtain the original file we used this easy and dirty Python script:

From this SWF file, we finally got access to the ActionScript HeapSpray code as follows:

The call of the ActionScript class "ExternalInterface"  permits a straightforward communication between the ActionScript code executed by the FlashPlayer and the SWF container. In our case the container is the starting HTML which is provided when calling the suspicious Web site:

We can also see the use of the ID "test" as already highlighted several times. The value returned is assigned to the variable "_loc_3" and is used to detect the correct sequence of the ROP instructions and the shellcode to run. What follows is the use of the variable _loc_3 to select the best Windows7 conditions to run the malicious payload :

The malicious file to be executed is loaded by the shellcode looking in memory rather than for a file in the Web cache, as happened in the attack against the CIFR.ORG Web site. This is a interesting difference because it means that the chain of attack uses fewer files which can be detected by an AV for example. The shellcode has been extracted by the malicious SWF file obtained previously:

In the next part we will look at the shellcode and the dropped malware, discussing an interesting technique used in this attack to deliver malware using only the HTML content. This is a little bit different from the first attack where this Internet Explorer vulnerability was discovered, since for the cfr.org Web site attack, the malware was deployed on visitors' systems with a technique called "drive by cache", using a file with the extension ".jpg" (named "xsainfo.jpg") to contain the executed malware. In this case, it seems that the malicious file is retrieved from the rendered content in the memory of the initial HTML page. We will also look at exposing information and details about the infrastructure behind the involved hosts and domains. 

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine). 

First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.

The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publicly available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.

Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).

The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.

As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.

This particular vulnerability is caused by how Internet Explorer accesses an object in memory that has been deleted or improperly allocated. Exploitation can then result in memory corruption, which in turn could allow an attacker's own code to be executed within the context of the current user, or as if it was being run by that user.

At this time, Microsoft has not released a patch in order to address this vulnerability. However it has provided an easy one-click 'Fix It' solution. Internet Explorer versions 9 and 10 are listed as not being vulnerable.

Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.

Update:

Microsoft has issued an Out Of Band update for CVE-2012-4792, which you can read about here.