Archive for April 4th, 2017
You See What Happens When I Get Bored? china.org.cn –> media.president.ir –> rodong.rep.kp —> TURLA?
So yeah, I was bored earlier and when I am bored my brain likes to take a walk down the darker hallways of the intertubes. Today I was plinking around with ThreatCrowd as is my wont, and I decided to start messing about with .gov.kp addresses. So I did a search for just .gov.kp which netted me nada. So I went back to the drawing board and looked up all the .kp addresses out there. I messed around a bit and hit rodong.rep.kp which had the nugget of the day I was looking for.
See that big purple thing? Yeaaaaaahhhh that is malware activity and a has all the hallmarks for nation state malware kids! Upon looking closer at this closer at this you can see that this piece of malware is talking to other interesting places like Iran and China! This really piqued my interest because just look at those addresses huh? Iranian mil sites, the presidents site, their news service (FARS) and china! Now what could be happening here kids? Was this malware or something else? Is the anticipation killing you yet?
Right! So I then started to circle out to the other sites on TC and of course clicked on the malware hash itself to see what the deal was here and when this all came about. To my surprise this malware and the activity happened last year in June. The malware was run privately on Hybrid on June 22nd 2016 but if you look closely at the image at the top of this piece, you see that the post is listed as December 3rd 2016? How does that work one wonders? Is this a post to the site after the original piece was uploaded? Was there something going on here that made the dates all messed up? In any case, the fact that this was posted privately to Hybrid in June shows that someone was either testing their malware or someone just found this and decided to post it privately to not trip up they had found it.
The sample itself is the php on the site (http://forum.china.org.cn/viewthread.php?tid=175697) which is not around at the moment to attempt to gather a sample directly. I also checked The Wayback Machine too and alas they did not have the site cached on the date or after where I would need to get the sample. At the time of testing this malware injected an exe (FP_AX_CAB_INSTALLER64.3×3) in temp and begins the work of pwning the system. It drops some files on the system and within the process is an IP address (220.127.116.11) which is in China.
Ok, so I pivot over to the malware 866fd7c29b0b6082c9295897d5db9e67 and whoa, look at all the malware traffic! It’s a festival out there man! Looks like someone is using a flash update to pwn all the things in Iran, China, and DPRK maybe huh? When you look at the malware C2 call outs it makes in the Hybrid analysis you can see them all. But when i start looking at the sites in the binary it is then I start to see where the other sites have bad histories and the files that seem to have been a part of the arcology.
Pattern match: “http://forum.china.org.cn/archiver/”
Pattern match: “http://www.china.org.cn/node_7077424.htm”
Pattern match: “http://forum.china.org.cn/main.php”
Pattern match: “http://18.104.22.168/uc/en_uc_admin/avatar.php?uid=248308&size=middle”
Pattern match: “http://forum.china.org.cn/viewthread.php?tid=175697&page=1#pid261371″
Pattern match: “http://www.b14643.de/Spacerockets_1/Rest_World/Simorgh-IRILV/Gallery/Simorgh.htm”
Pattern match: “http://www.jajusibo.com/imgdata/jajuilbo_com/201505/2015051137439063.jpg”
Pattern match: “http://www.jajusibo.com/serial_read.html?uid=20376§ion=sc38”
Pattern match: “http://media.president.ir/uploads/org/144022966897383700.jpg”
Pattern match: “http://media.farsnews.com/media/Uploaded/Files/Images/1394/05/31/13940531000590_PhotoI.jpg”
Pattern match: “http://static2.bornanews.ir/thumbnail/ttNMJfA47E4M/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/SQ8qder1eiAx/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://static2.bornanews.ir/thumbnail/WoR50ZKvbOvU/hsPvu53JYc4ZMdL-GggwrIzh2hzU5xtVFQP8bK_wEHTWBrL3vxxKeZCrWjxHgZzZ8wnBrYkXU3QMHDsygonvkmg5kwqDkuu0pz2Zr-6LSnsZsz9y7UBP4tOzeGfnkG3Doo_lkYGgn2HQLYzD7Q9EqmO9y02FRvdV2ZvL5vX-_oL5SMFaqVjbXcnvO0GLTcsXON4tIh35SxI,/”
Pattern match: “http://www.president.ir/en/88795”
Pattern match: “http://i.imgur.com/0ayxQnW.png?1”
Other hits for the hash:
Threat Miner: https://www.threatminer.org/host.php?q=22.214.171.124
Threat Miner: https://www.threatminer.org/host.php?q=126.96.36.199
It gets stranger with the sites that this thing attempts to connect with as well. All of the connections are GET’s on port 80 so is this just polling sites or are some of these carriers of malware second stage? I have yet to go through all of them but one stood out already in the odd department (in red) this site came up dirty on more than one occasion and also the site resides in the US but has a guy from Iran ostensibly as owner who has a Yahoo account for an email. When you look at the site it seems to be a pro Iran mil site that kind of mirrors many of the others in Iran (think Geoshitties from hell) but why is an official site like this being hosted in the US huh?
|media.president.ir||188.8.131.52||Iran (ISLAMIC Republic Of)|
|media.farsnews.com||184.108.40.206||Iran (ISLAMIC Republic Of)|
|static2.bornanews.ir||220.127.116.11||Iran (ISLAMIC Republic Of)|
|rodong.rep.kp||18.104.22.168||Korea Democratic People’s Republic of|
|http://www.jajusibo.com||22.214.171.124||Korea Republic of|
An address inn memory though there was this little hit: bzip.org When looking at this site it has been rather naughty over time and has a high hit ratio for malware: This site also seems to be tied to APT activity.
This site has a lot of trojan activity over time so this may be the hit we are looking for. When I dug into this site I located the key piece of information that I believe nails this as Turla activity. When you look up the domain for bzip.org you get an email address attached; email@example.com which then turns up in the ThreatMiner report as being a C2 for Turla. So, it looks like my boredom has maybe led me to RU APT activities against CN/IR/DPRK in June of last year.
Is this in fact the case? Has anyone else seen this? I will keep plinking along but do take a look you malware mavens and see what you think.