Introduction
A few weeks ago Trend Micro published the following post on their blog: The Siesta Campaign: A New Targeted Attack Awakens. In it they share their research on a targeted attack suffered by all kinds of industries: Energy, Finance, Health care, Public administration... Some days later, FireEye published a post on their blog called A Detailed Examination of the Siesta Campaign, where they attribute these attacks to the APT1 group, or to another group that uses the same tactics and tools.
Because Trend Micro shared the checksum of one variant of the malware sample, I was able to obtain a copy of it and dig deeper into this issue.
Spear-Phishing and Social Engineering Techniques
Both posts state that this campaign began with a spear-phishing email containing links to archives. The file was named "Questionaire Concerning the Spread of Superbugs February 2014.exe" and it was delivered compressed in a ZIP file hosted on a remote server.
I suspect that the attackers used the same technique described in the APT1 report written by Mandiant: the file appears to have a PDF extension, but the file name actually includes several spaces after ".pdf" followed by ".exe", the real file extension. In the picture below you can see the file, which looks like a PDF file.
If we change to detail view we will see a PDF file...
... but it actually is not a PDF file... It looks like a PDF, but it is an executable file...
That is how the file is shown on the Desktop. To an untrained eye it really looks like a PDF file.
When we run what appears to be a PDF file, the executable drops a real PDF file and opens it... The average user could think that nothing weird has happened... They received an e-mail with a PDF and now it is open...
... but in the background it drops another executable called UIODesrvr.exe. This file is the real malware.
If we look at all the processes running on our machine, we will see that this malware is being executed.
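The padded double-extension trick described above is easy to check for mechanically. The following is an added example (not code from the original post or from either vendor's report) that flags file names where a document-looking extension is followed by whitespace padding and then a real executable extension; it also generalises to plain double extensions with no padding and to Unicode space characters. The sample names are constructed for the example and only modelled on the lure described in the post.

```python
import re
from typing import Optional

# Document extensions an attacker might imitate and executable extensions that
# actually run on double-click (constructed lists for this example).
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf")
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js")

# <anything>.<doc ext><zero or more spaces, incl. Unicode spaces>.<exec ext>$
_PADDED = re.compile(
    r"\.(?P<fake>" + "|".join(DOC_EXTS) + r")"
    r"(?P<pad>[\s\u200b]*)"
    r"\.(?P<real>" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)


def padded_double_extension(name: str) -> Optional[dict]:
    """Return details if `name` hides an executable behind a document
    extension (padded or not), otherwise None."""
    m = _PADDED.search(name)
    if not m:
        return None
    return {
        "displayed_as": m.group("fake").lower(),
        "actual": m.group("real").lower(),
        "padding_chars": len(m.group("pad")),
    }


def scan_names(names):
    """Scan file names (e.g. zipfile.ZipFile.namelist()) and return only the
    suspicious ones together with their findings."""
    return {n: r for n in names if (r := padded_double_extension(n))}


if __name__ == "__main__":
    # Constructed sample listing; the first name mimics the lure in the post.
    sample = [
        "Questionaire Concerning the Spread of Superbugs February 2014.pdf"
        "                    .exe",
        "report.pdf",
        "notes.txt .scr",
        "installer.exe",
        "budget.xlsx\u3000\u3000.exe",
    ]
    for name, finding in scan_names(sample).items():
        print(repr(name), "->", finding)
```

Run it over the `namelist()` of an attachment archive, or over mail-gateway attachment logs, to surface lures before they reach a desktop.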
Brief Malware Analysis
The file was compiled on 2014/02/19.
The first thing the malware does is connect to www[.]skyslisten[.]com, which appears to be the C&C server. This server is not currently available.
The User-Agent used by the malware is "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0)".
In IDA we can see that the malware first checks whether the marker ">SC<" is present in the HTML served by the domain mentioned above. If it is, the malware then looks for commands written on the web server and executes them. According to Trend Micro, these are the commands understood by this malware:
“run1” open a remote shell
“run2” pipe shell commands from URL1
“run3” pipe shell commands from URL2
“http” pipe shell commands from C2
“x_” sleep for specified number of minutes
This is the typical behavior of a backdoor used as a foothold from which lateral movement begins.
Tracking the attacker
As we said before, the domain www[.]skyslisten[.]com appears to be the C&C server. The picture below shows who registered this domain.
The same registrant also registered microsofthomes[.]com. FireEye states in their report that this domain is directly connected to the one mentioned above.
The picture below shows some of the domains registered by this person: only five out of the roughly 17,000 domains that, according to Trend Micro, were registered with this same email address.
When we talk about APTs or targeted attacks, examples of well-known sophisticated malware like Stuxnet, Flame and Careto, and security breaches suffered by companies like Google, RSA, Adobe and Apple, come to mind... But as we have seen, it is not necessary to develop sophisticated malware to carry out a targeted attack. Obviously, a more sophisticated attack will be more successful...