On December 24, 2015, Unit 42 identified a targeted attack, delivered via email, on a high profile Indian diplomat, an Ambassador to Afghanistan. The body and content of the email suggest that it was crafted and spoofed to look like it was sent by the current Defence Minister of India, Mr. Manohar Parrikar, commending the Ambassador on his contributions and success.
India has been a key nation in building and funding Afghanistan’s infrastructure and economic development, which includes setting up iron ore mines, steel plants, power plants and transportation systems, helping reconstruct the Salma Dam and constructing a new Parliament Complex for the Afghan Government.
Given India’s significant contributions to the development of Afghanistan, it is likely that there may be groups or nations who would be interested in tracking and spying on key individuals who officially represent India in Afghanistan.
Overview of Rover infection
Figure 1 gives an overview of the exploitation, infection and C2 communications of the 'Rover' Trojan campaign targeting a victim running Windows XP.
Figure 1: Overview of the infection flow and C2 communications
Rover Trojan Infection Steps:
- RTF file exploits CVE-2010-3333 and downloads an executable from newsumbrella[.]net.
- The executable file downloaded from newsumbrella[.]net is executed on the victim machine.
- The executable 'file.exe' is a downloader which is used to call out to a server with the IP '220.127.116.11' and download the main Rover malware along with plugins used by the Rover malware.
- Rover malware and plugins are downloaded and installed on the victim machine.
- Data exfiltrated from the victim machine.
Targeting and Infection
Figure 2 shows an email which was sent to the Ambassador of India, appearing to commend the contributions the Ambassador has made in the development and success of projects on national interest, and attaching a letter of appreciation with a file name, “Appreciation_letter.doc”.
The attachment is an RTF file which exploits a specific vulnerability in Microsoft Word, CVE-2010-3333.
Figure 2: Spear phishing email sent to the Ambassador of Afghanistan
If the recipient of the e-mail opened the attachment in a vulnerable version of Word, the exploit code would download and execute a file from the domain newsumbrella[.]net as shown in Figure 3 below.
Figure 3: Hexdump showing the domain and the executable downloaded
During the time of analysis the executable file systemupdateAPI.exe was no longer being hosted on the newsumbrealla[.]net domain. However, we have noticed the same domain hosting another executable in the past within the same parent directory and having a similar naming for the folders as shown below
newsumbrella[.]net/ne3s/file[.]exe – hosted earlier
We believe that the executables hosted under the parent directory ‘ne3s’ are variants of the same downloader Trojan, which was used to download the Rover Trojan. The file, file.exe, contains the following debug information that indicates the file was originally named systemupdateAPI.exe.
Figure 4: Debug information of downloader program
By analyzing file.exe, we can see that it is a downloader, which creates ‘c:\system’ directory and depending on the OS version used, downloads the main Rover payload along with multiple DLL modules from 18.104.22.168.
Figure 5: Code snippet showing the OS version check and the subsequent download from 22.214.171.124
If the infected system is running an OS version prior to Windows Vista, it would download the following files from 126.96.36.199:
- WindowsSecurityService2.exe ('Rover' main module)
- Cxcore210.dll (OpenCV)
- Highgui210.dll (OpenCV)
If the OS version is Windows Vista or later, it would download the following files from 188.8.131.52 :
- WindowsSecurityService3.exe ('Rover' main module)
After retrieving these files, the downloader Trojan executes the main module. Even though the main modules use different library versions, the functionality of the backdoors are identical.
By analyzing the files downloaded to the victim machine, we can see that the executable WindowsSecurityService2.exe imports the four DLL files that were downloaded to the same directory. The four DDLs are cxcore210.dll, highgui210.dll, OpenAL32.dll and libsndfile-1.dll as shown in Figure 6
Figure 6: Executable and DLLs downloaded to the victim machine
Attributes of the Rover variant
Size : 337920 bytes
Type : PE32 executable (console) Intel 80386, for MS Windows
Architecture : 32 Bits binary
MD5 : 76429f8515768f9f5def697e71071f51
SHA1 : d04ce934561934f758d77dfa944bd6743dd82cff
SHA256: 7757517ae6b4d513a57826f9ab65bd070d99d25ac526cfae3e9955c3c7cd457assdeep : 6144:JabBRNUKgZ9SN0jzoFBB9hcrpXwg9xXYOGl93XO2rQLfbTpLuO7bIWjRO5gjPNq:JarSKu6yzoF8rpAqXYv3XOgQLfnpLuOu
imphash : b5aa366f452feb9f4dff3c72157ca1f9
Date : 0x5637227B [Mon Nov 2 08:44:43 2015 UTC]
Language : ENGLISH
CRC: (Claimed) : 0x59736, (Actual): 0x59736
Entry Point : 0x43e3c8 .text 0/5
 cxcore210.dll (OpenCV module)
 highgui210.dll (OpenCV module)
The author of 'Rover' used the following open source projects to implement the main functionalities of this custom malware.
OpenCV – Taking photos from the web cam
OpenAL – Recording Audio
Libsndfile – C library used for reading and writing audio files
LibCurl – For all network communications
OpenCV and OpenAL
OpenCV is a library of functions written primarily for building real time computer vision applications, image processing and also machine learning. It has seen wide acceptance in security systems, medical image analysis, unmanned vehicles, visual surveillance, object tracking, Artificial Intelligence and many other applications.
OpenAL is a cross-platform audio API for rendering multichannel three-dimensional positional audio (i.e., It is a means to generate audio in a three-dimensional space.) Earlier versions of OpenAL were opensource but later versions (since v1.1) have been proprietary.
Once executed, Rover creates following registry entry to execute itself when the computer reboots.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Application" = c:\system\WindowsSecurityService[2 or 3].exe
The malware then creates six threads, each with a different job:
- Stealing Files from HDD
- Search files on USB
Figure 7: Threads created by the malware
This sends heartbeat signal on HTTP to the C2 server at 184.108.40.206 every five seconds and checks whether the C2 server is running.
This saves screenshots as c:\system\screenshot.bmp and sends it to the C2 server at 220.127.116.11 every 60 minutes.
Figure 8: Screenshots sent to C2 server at 18.104.22.168
3. Finding specific file types on Removable Drive:
This thread searches for for files with the following extensions on removable drives and copies them to ‘c:\system’ every 5 seconds.
This logs key strokes at ‘c:\system\log.txt’ and sends captured data to the C2 every 10 seconds
5. Stealing specific file types from Hard Drive:
This thread searches for for files with the following extensions on fixed drives and sends them to C2 every 60 minutes.
Figure 9: Document file being sent to C2
This thread obtains backdoor commands from C2 every 10 seconds and executes them. Backdoor commands are listed below:
|CAMERA||Take photos using system webcam and store them as c:\system\camera.jpg before sending to the C2.|
|AUDIO||Record audio from default audio input as c:\system\audio.ogg and sending it to the C2.|
|SCREEN||Take a screenshot and save it as c:\system\screenshot.bmp then send it to the C2.|
|KILL||Remove persistence registry entry and terminate itself.|
Though 'Rover' is unsophisticated and lacks many modern features common to advanced malware, detection rate of the 'Rover' is extremely low. At the time of this writing, two out of three samples on VirusTotal were not detected by any Antivirus product
Figure 10: No detection by any AV product on Virustotal
Figure 11: Low detection rate
OpenCV has been extensively used by organizations, government bodies, and research groups for real time capture, image manipulation, object detection and many other uses in new forms of Human-Computer interaction, security systems, driver-less cars among many others. OpenCV was also used by the Mars Rovers to send captured data back to Earth.
It is interesting to see the very code used in such significant projects also being used to track and spy on individuals being targeted and which can remain undetected by traditional security systems. Though 'Rover' is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim. It is important to understand the techniques and tools being used by such threat actors to better defend and protect organizations from such threats.
Palo Alto Networks AutoFocus users can identify this threat using the Rover tag.
Downloader hosting links:
|Filename||File Type||SHA 256|