360 Security Guard · 2016/06/15 11:06

Author: 360 Eye Lab

0x00 Introduction


Man is doing, god is watching.

Recently, 360 Eye Lab captured a targeted attack sample aimed at India which exploits CVE-2014-6352, the patch bypass of the Sandworm vulnerability. After analysis and confirmation, we believe this is a new sample from the APT campaign that Trend Micro named "Operation C-Major" in March this year. For more information about Operation C-Major, please refer to the reference links at the end.

This article first analyzes the CVE-2014-6352 vulnerability and then walks through a real case of it being used in a targeted attack.

0x01 Vulnerability Analysis


The vulnerability exploited by the sample is CVE-2014-6352, a bypass of the MS14-060 patch for CVE-2014-4114. It can run an embedded malicious program without any warning window when the user is an administrator or UAC is disabled. Compared with CVE-2014-4114 exploit samples, a CVE-2014-6352 sample embeds no INF file, only an OLE object that contains a PE. From an attacker's point of view this cuts both ways: in administrator mode the PE runs without a warning window, bypassing MS14-060; but outside administrator mode the user is prompted before the embedded EXE executes, even if MS14-060 is not installed.

The root cause of CVE-2014-4114 is that when CPackage::Load in Packager.dll loads the corresponding OLE compound document object, different kinds of compound documents take different processing paths, and on some of those paths files embedded from untrusted sources are not handled. This lets an attacker forge the CLSID of the OLE compound document to execute a particular file:

packager!CPackage::Load: the branches that handle the different kinds of compound document

In the MS14-060 patch, Microsoft addressed this by adding the MarkFileUnsafe function:

packager!CPackage::EmbedReadFromStream with MS14-060 installed

packager!CPackage::EmbedReadFromStream without MS14-060 installed

MarkFileUnsafe() sets the file's security zone by calling IZoneIdentifier::SetId with the value 3, URLZONE_INTERNET, which marks the file as coming from another computer.

However, the vulnerability is not only about failing to handle files from untrusted sources: by forging the CLSID of the OLE compound document and the OLE verb in the XML, an attacker can also alter the execution flow. The problem is that an EXE marked URLZONE_INTERNET no longer produces the "this file came from another computer" warning when launched this way; it produces a UAC prompt instead:

Therefore, it is only necessary to construct the specific CLSID and OLE verb that invoke the second item of the right-click context menu, "Run with administrator privileges", to run the EXE; when UAC is disabled or the user is an administrator, this bypasses the restriction imposed by the MS14-060 patch. Below, we walk through the whole exploitation process using the sample captured in the wild.

0x02 Sample analysis


The first sample we obtained is a PPSX (PowerPoint show) file named video.ppsx, MD5 b6a1ee16de885c70682a7a8e4c1b556c; according to VirusTotal it was uploaded from India. Unzipping the PPSX reveals an embedded OLE object, which in turn contains a PE file:

In video.ppsx\PPT\slides\slide1.xml, the embedded object is referenced by the relationship ID rId3

In video.ppsx\PPT\slides\_rels\slide1.xml.rels, rId3 is mapped to the oleobject1.bin mentioned above

The CLSID of the compound document is {0003000C-0000-0000-C000-000000000046}, CLSID_OldPackage. Following the analysis above, CPackage::Load therefore calls CPackage::PackageReadFromStream for further processing, and PackageReadFromStream in turn calls CPackage::EmbedReadFromStream, which writes the embedded PE file to a temporary directory.
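As an added defensive example (not code from the original article), a Python triage script that unzips a PPTX/PPSX, reads the root-storage CLSID of each object under ppt/embeddings/ straight from the compound-file header, and flags objects carrying the CLSID_OldPackage value identified above. The PPSX and compound-file fixtures are constructed inline for the check and contain no payload.

```python
import io
import struct
import uuid
import zipfile

CLSID_OLDPACKAGE = uuid.UUID("0003000C-0000-0000-C000-000000000046")  # CLSID_OldPackage, as in the sample
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound file signature

def root_clsid(cfb: bytes):
    """Root-storage CLSID of an OLE compound file, or None if it is not one. Reads only the
    header (sector-size exponent at 30, first directory sector at 48) and the root entry."""
    if len(cfb) < 512 or cfb[:8] != CFB_MAGIC:
        return None
    sector_size = 1 << struct.unpack_from("<H", cfb, 30)[0]
    first_dir_sector = struct.unpack_from("<I", cfb, 48)[0]
    entry = (first_dir_sector + 1) * sector_size  # sector N starts at (N+1)*sector_size
    if entry + 128 > len(cfb):
        return None
    return uuid.UUID(bytes_le=cfb[entry + 80:entry + 96])  # CLSID at offset 80 of the entry

def scan_pptx(data: bytes):
    """Names of embedded OLE objects in a PPTX/PPSX whose root CLSID is OldPackage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.startswith("ppt/embeddings/") and low.endswith(".bin"):
                if root_clsid(z.read(name)) == CLSID_OLDPACKAGE:
                    hits.append(name)
    return hits

def make_cfb(clsid: uuid.UUID) -> bytes:
    """Constructed fixture: a minimal compound file with only a root entry."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<H", hdr, 30, 9)  # 512-byte sectors
    struct.pack_into("<I", hdr, 48, 0)  # directory chain starts at sector 0
    root = bytearray(512)               # one directory sector: root entry + padding
    root[80:96] = clsid.bytes_le
    return bytes(hdr) + bytes(root)

def make_ppsx(embedded: bytes) -> bytes:
    """Constructed fixture: a PPSX-shaped zip holding one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/embeddings/oleobject1.bin", embedded)
    return buf.getvalue()
```

A fuller check would also inspect slide1.xml for the verb that DoVerb receives, but the CLSID alone already separates OldPackage objects from ordinary embeddings.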

packager!CPackage::EmbedReadFromStream calls packager!CopyStreamToFile, which writes the embedded PE to putty.exe in the temp directory and then sets the file's zone flag via MarkFileUnsafe:

The end user's action is then handled by CPackage::DoVerb. In CPackage::DoVerb, the second parameter is evaluated first; it is specified in video.ppsx\PPT\slides\slide1.xml:

In the sample this parameter is constructed as 3, so execution enters the path that performs the operation through a popup (context) menu command:

When GetMenuItemInfo is called, the second parameter, uItem, is the position of the menu item. Here it is 1, the second entry of the right-click menu; for EXE files, the second entry of the right-click menu is "Run with administrator privileges".

Finally, SHELL32!CDefFolderMenu::InvokeCommand is called, which attempts to run putty.exe with administrator privileges. With UAC disabled or in administrator mode, this bypasses the MS14-060 protection and silently executes the PE file.

0x03 Analysis of the released program


putty.exe

The putty.exe dropped by the PPT file is actually a renamed, obfuscated .NET application, MD5 78fab9978ae4de4f684908f47fdc2333; it is a dropper.

After de-obfuscation the program code is clearly visible. It first enumerates running processes to check for antivirus software:

In fact the sample does not do this in a single pass; the checks are split across several process enumerations interspersed with the functional code, each looking for one or two antivirus processes. The antivirus processes searched for are:

  • ekrn.exe (ESET)
  • guardxkickoff.exe (IKARUS)
  • AvastSvc.exe
  • btagent.exe
  • bdagent.exe (BitDefender)
  • avgui.exe

Data is then read from the resource section and decrypted into a PE file.

It starts a cmd.exe process, copies itself to %temp%\net\health.exe and adds a registry startup entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, value Load: a program file specified in this value is run automatically after the user logs on.

It then copies regasm.exe to %temp%\svhost.exe.

Next it starts svhost.exe in suspended mode, injects the previously decrypted PE into it, and resumes the thread.

Finally, it writes health.exe.bat to the %temp%\net\ directory and runs it.

The code of health.exe.bat is shown below; it enumerates processes to check whether svhost.exe is running and starts it if it is not.

svhost.exe

It sets a value named di under HKEY_CURRENT_USER to determine whether the system has already been infected:

It sets HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS to 1, which turns off Attachment Manager zone checks:

It then launches netsh.exe from the command line and adds a firewall rule allowing itself through the firewall.

The command line is as follows:

```shell
netsh firewall add allowedprogram "C:\Users\***\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
```

It allocates memory to hold received/sent data and starts the network connection:

C&C address: 191.101.23.190

Port: 5552

It collects the victim's system information, including uptime, OS version, OS bitness, disk information, current user and so on, and sends it:

It then starts a thread that loops checking whether the socket is readable, i.e. whether a command has arrived:

After reading a command, it starts a new thread to perform the corresponding operation:

It starts a keylogging thread and stores the recorded keystrokes in the registry under HKEY_CURRENT_USER\SoftWare\ce99f8fa1676b15364293a0db3d6a707:

It sets the startup option:

Once a command is received it is dispatched in a switch statement to the corresponding handler. A detailed analysis is not needed here; some of the commands and their functions are:

  • rn: download and execute a file
  • CAP: screen capture
  • un: automatically delete, start and terminate processes
  • up: online update
  • Ex: load a plug-in
  • GTV: read the recorded keystrokes from the registry key HKEY_CURRENT_USER\SoftWare\ce99f8fa1676b15364293a0db3d6a707
  • STV: set the registry key HKEY_CURRENT_USER\SoftWare\ce99f8fa1676b15364293a0db3d6a707 and start keylogging
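As an added example (not part of the original analysis), detection logic in Python run over constructed Sysmon-style events modelled on the dropper and svhost.exe behaviour described above: the Load logon value, SEE_MASK_NOZONECHECKS set to 1, the netsh firewall exception for a binary under %temp%, the svhost.exe lookalike name, and the keylog registry key from this report. The event field names and the user path are assumptions.

```python
import re

# Constructed Sysmon-style telemetry shaped after the behaviour described above
# (not a capture from the article's sample); paths use a placeholder user "u".
EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "Load", "data": r"C:\Users\u\AppData\Local\Temp\net\health.exe"},
    {"type": "registry", "key": r"HKCU\Environment", "value": "SEE_MASK_NOZONECHECKS", "data": "1"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\u\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE'},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\svhost.exe", "cmdline": "svhost.exe"},
    {"type": "registry", "key": r"HKCU\SoftWare\ce99f8fa1676b15364293a0db3d6a707", "value": "k", "data": "x"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

def check_process(ev):
    """Detections for one process-creation event."""
    hits = []
    if re.search(r"netsh\s+firewall\s+add\s+allowedprogram", ev["cmdline"], re.I) and TEMP_RE.search(ev["cmdline"]):
        hits.append("firewall_exception_for_temp_binary")
    if re.search(r"\\svhost\.exe$", ev["image"], re.I):  # one letter short of svchost.exe
        hits.append("svchost_lookalike_process")
    if TEMP_RE.search(ev["image"]):
        hits.append("process_running_from_temp")
    return hits

def check_registry(ev):
    """Detections for one registry value-set event."""
    hits = []
    key, val = ev["key"].lower(), ev["value"].lower()
    if key.endswith(r"\environment") and val == "see_mask_nozonechecks" and ev["data"] == "1":
        hits.append("zone_checks_disabled")      # Attachment Manager checks turned off
    if key.endswith(r"\windows nt\currentversion\windows") and val == "load":
        hits.append("load_value_logon_persistence")
    if key.endswith(r"\software\ce99f8fa1676b15364293a0db3d6a707"):
        hits.append("known_keylog_store_key")    # registry key named in this report
    return hits

def triage(events):
    """Sorted set of detection names fired over a stream of events."""
    found = set()
    for ev in events:
        found.update(check_process(ev) if ev["type"] == "process" else check_registry(ev))
    return sorted(found)
```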

0x04 IOC


| Type | Value |
| --- | --- |
| C&C | 191.101.23.190:5552 |
| Downloader URL | Pcdopune.com/ad/video.pp… |

0x05 Summary


The C&C address, found on a public IOC platform, is identical to a C&C listed in Trend Micro's "Operation C-Major" report released in March. In addition, other samples associated with the download domain pcdopune.com are almost identical to the malicious macro samples described in that report, leading us to conclude that this is a C-Major related attack.

According to data from the 360 Threat Intelligence Center, the sample described in this article is only one kind of dropper used in C-Major. Vulnerabilities such as CVE-2010-3333 and CVE-2012-0158 were also used to implant malicious code, as were macros and scripts, and the PE payloads used are quite varied. This indicates that the group behind Operation C-Major is actively using every implant it can get hold of, and is most likely a professional organization with backing and some technical expertise.

References

  • Documents.trendmicro.com/assets/pdf/…
  • www.cnblogs.com/Danny-Wei/p…
  • www.openoffice.org/sc/compdocf…