Confucius Says...Malware Families Get Further By Abusing Legitimate Websites

This post is also available in: 日本語 (Japanese)

Introduction

When malware wants to communicate home, most use domain names, allowing them to resolve host names to IP addresses of their servers. In order to increase the likelihood of their malware successfully communicating home, cyber espionage threat actors are increasingly abusing legitimate web services, in lieu of DNS lookups to retrieve a command and control address. This negates the requirement to make DNS requests for domains that may be considered malicious and are therefore blocked. For attackers, that's an advantage because it allows their initial communications channel to be obscured amongst other traffic to legitimate services.

This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites, their connections to each other, and their connections to known espionage campaigns. The first of which we call ‘CONFUCIUS_A’, a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY (aka ByeByeShell) first reported by Rapid7 in 2013. The second of which we call ‘CONFUCIUS_B’, which has a loose link to the series of attacks associated with Operation Patchwork and The Hangover Report.

Confucius says… resolve your command and control domains using web services.

In 2013, Rapid7 reported on a series of relatively amateur attacks against Pakistani targets. For a long time after the report was published, little changed in how the attackers operated. Although many of the attacks we see today from the group remain the same, we began observing a new backdoor, CONFUCIUS_A, being dropped by the attackers starting in early 2014. Specifically, the command and control addresses used across multiple SNEEPY samples were being used by CONFUCIUS_A samples. In the case of just one or two samples, without temporal overlap, this may not be deemed a strong link to CONFUCIUS_A, however it occurs across a great deal of the infrastructure we have observed.

In most cases where we have been able to identify the droppers, the attack begins with an executable file being sent directly to targets via e-mail. Occasionally the attackers leverage builders for known document exploits, but most of the time they still use self-extracting binaries. The themes of the phishing e-mails vary according to the target, but invariably the file is compiled with an icon that matches the expected content. Examples of the themes used in attacks using CONFUCIUS_A and the surrounding cluster of activity include:

• Invitations to events relevant to the recipients
• Pornographic material
• Fake updates to popular software products
• News content
• Political content

We have limited evidence of who the targets are, but they appear to primarily be based in the Middle East and parts of Asia, with a focus on Pakistan. In addition to those targets, there are occasional targets seen at enterprises across the globe.

Early samples of the CONFUCIUS_A malware did not use any legitimate web services for DNS resolution; however, more recent samples of the CONFUCIUS_A malware use a range of legitimate web services to resolve command and control addresses, the highest profile of which are Yahoo and Quora. The malware was given its name based on the content of one of the first pages we saw being retrieved to determine a command and control address, which is written in the style of a ‘Confucius says’ joke. See Figure 1.

Figure 1 – An example of Quora page contacted by the malware.

Sometimes malware communicates with legitimate web services simply to perform a connectivity check, but in this case the page was too specific to suggest that was what the attackers were doing. So we decided to investigate how the malware processed the resulting content.

If this is the question, what is the answer?

For the purposes of illustrating how the command and control address is decoded we will look at the sample with SHA256: a21b956e1be9dcfa8a28c38dc0bb0657508b5588bcf1435052700aea22910d7d. This sample of the malware requests the page shown below in order to determine what IP to POST to.

Figure 2 – The Quora page contacted by the malware to retrieve its command and control address.

Reading through the answer, it all makes sense until the section highlighted is reached. By looking at the underlying code, we found that CONFUCIUS_A is looking for keywords between the phrases “suggested options are” and “hope it will help” and decoding the interim phrase. The decoding is done using a simple lookup table, as shown in Figure 3.

Figure 3 – A memory dump from a CONFUCIUS_A sample showing the lookup table used by the malware, the table is truncated for presentation purposes.

The lookup table begins with the marker for the beginning and end of the useful content, and then contains 255 words, each of which corresponds to a number (for example prudent == 255). Using this lookup table in memory it can then derive the command and control address from the text between the markers, “fill plate clever road” becomes 91.210.107[.]104.

Figure 4 – HTTP POST request made to command and control server

Additional malware contacting Yahoo and Quora

During our investigation into the CONFUCIUS_A malware, one of the ways we tried to identify variations of the backdoor was by looking for samples that communicated with the same legitimate services as known CONFUCIUS_A samples. In doing so, we encountered another set of samples exhibiting very similar behavior, which we refer to as CONFUCIUS_B, due to their similarity, and their likely similar origins. Unfortunately, we have fewer details about how CONFUCIUS_B malware is delivered or the targets it intends to hit.

For the purposes of this write-up we will follow the chain of dropped files from the dropper with SHA256: 627724fa447e3937f3cdc5388285935a52d6970a616f4ac3d02e583d160cbfc0.

Enter CONFUCIUS_B…

At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A, and they are also packaged in plain SFX binary files. The CONFUCIUS_B executable is disguised as a PowerPoint presentation, using a Right-To-Left-Override (RTLO) trick and a false icon. When executed, the self-extracting RAR package drops four files to the %AppData% folder, as shown in Figure 5.

Figure 5 – The files dropped by CONFUCIUS_B

Fancy.vbs executes fancy.bat, which in turn opens the presentation and runs the second stage executable svchost.exe. As with CONFUCIUS_A, the initial beacons from this svchost.exe are also to Yahoo and Quora, but the pages contacted, whilst odd did not contain any obvious markers, rather they appeared to be entirely gibberish:

Figure 6 – An exemplary Quora page contacted by the malware.

So far, the execution chain, involving an SFX RAR and multiple scripts is similar to some samples of SNEEPY, which we associate with CONFUCIUS_A, but this is where the similarities between CONFUCIUS_A and CONFUCIUS_B begin to diverge. Svchost.exe has a custom obfuscation scheme not seen in CONFUCIUS_A. This obfuscation allows us to quickly identify all of the CONFUCIUS_B variants; their hashes are included at the end of this post. The obfuscation routine is given in Figure 7.

Figure 7 – The obfuscation routine shared across all CONFUCIUS_B samples.

Underneath that custom obfuscation lies a UPX packed executable which contains the Yahoo and Quora functionality that originally piqued our interest. After unpacking the UPX code, we began reverse engineering the resulting binary to see how CONFUCIUS_B interacted with the Yahoo and Quora pages it initially requested. We discovered that CONFUCIUS_B pieces together its DNS resolution from keywords in the Yahoo and Quora posts similar to that of CONFUCIUS_A.

CONFUCIUS_B takes certain keywords in the Quora and Yahoo pages and applies them to a lookup table in memory. Using that lookup table an IP address to POST to is derived. The way this is done can be seen in a memory dump from the running process when it contacts a relevant address, for example as shown in Figure 8.

Figure 8 – A memory dump of a CONFUCIUS_B illustrating the lookup table and initial beacon address.

The lookup table takes key words and assigns them numbers, or a ‘.’ character, in order to build an IP address, and is arranged as shown in Table 1.

Table 1 – Lookup table used by the malware to determine it’s command and control address.

By applying the lookup table to the Quora page shown in Figure 6, we can derive the IP the malware will POST to next for further communications.

Using our lookup table, giving us an address of 149.202.110[.]2:

This method of substituting words for components of an IP address, and the repeat use of Yahoo and Quora are novel, which suggest it is likely that the same malware author, or group of malware authors, authored both backdoors.

Link to Patchwork and test samples

The domain “com-account-jfnjkr[.]xyz” is linked to the CONFUCIUS_B attacks as it was a C2 for the sample c975954fbb473ed8ce3a98ca2c4977bf22d2413db01eda87599524969565836f, which downloads CONFUCIUS_B. On May 24, 2016, the same domain hosted the sample 8cfd559756630d967bb597b087af98adc75895a1ec52586d53a2d898e4a6e9b0; a basic file stealer malware associated with the Patchwork attackers, via a shared mutex: {9754893678976458374658764387563876}.

All of the CONFUCIUS_B samples share the same mutex, “rCkBs1Uj493NaMXYY1LZ”. Pivoting through samples in Palo Alto Networks AutoFocus, we were able to find what appears to be an early test sample of the malware that creates the same mutex; the SHA256 of the sample is 0bd7db12ba8d9ce9d29983ef76205864dce146eb14cebe32a3431f994cc770ee. We believe it is a test sample, as the configured command and control domain for this sample is ‘breachframework[.]com’. This can also be linked back to known CONFUCIUS_B sample via a shared SSL certificate. Breachframework[.]com previously resolved to 5.135.85[.]16, which used the certificate f6438919d27d08aa545e2f90b58d445cccac6c09, the same certificate was used by 104.23.35[.]15, a known command and control address for CONFUCIUS_B. These relationships are summarized in Figure 9.

Figure 9 – An overview of the link to the test infrastructure.

Conclusion

In this blog post, we discussed two separate malware variations that behave in very similar ways and use similar techniques to acquire a C2 address, with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains. Although we cannot link the two clusters of activity by their infrastructure, the technique used to resolve domains is unusual. We also believe that both clusters of activity have links to attacks with likely Indian origins, the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover. The two malware families themselves are also very similar, and therefore we think that the shared technique is an indication of a single developer, or development company, behind both CONFUCIUS_A and CONFUCIUS_B. It is likely that the two clusters of activity are operated by two different operators; however, as the command and control infrastructure used by each cluster differs in the choices of hosting providers.

Palo Alto Networks AutoFocus customers can further explore these malware families and related campaigns with the tags:

• Confucious_A
• Confucious_B
• ApacheStealer
• Sneepy

All samples discussed in the blog and those in the appendix are detected as malicious by Wildfire.

IPS customers are protected by IPS signature 14150.

Exemplary hashes, command and control domains and resolver URL’s are given below.

SHA256 List:

Resolver URL list:

https://www.quora.com/Is-bingle-hate-and-love-the-green-or-it-fire-couple-fire-tell-
me-you-like-or-couple-weed-or-hate-weed-with-deedy-love-claggy-1
https://answers.yahoo.com/question/index?qid=20160301074835AA7cF60&sort=N
hxxps://in.answers.yahoo.com/question/index?qid=20160229024628AA4XQ7r
hxxp://www.nefuri.com/hi_is_bingle_hate_and_love_the_green_or_it_fire_couple_fire_tell
_me_you_like_or_couple_weed_or_hate_weed_with_deedy_block_claggy_1562153.html
hxxp://www.answerlib.org/qv/20160229115557AAXc2Ib.html
hxxps://in.answers.yahoo.com/question/index?qid=20160229115557AAXc2Ib
hxxps://www.question.com/what-are-the-precautions-for-diphtheria-tetanus-998506.html
hxxp://findnerd.com/list/view/How-to-make-a-simple-settings-page-in-android/15891/
hxxp://able2know.org/topic/312620-1
hxxp://bs71.blog.com/2016/03/01/performing-namaz/
hxxp://www.linkibl.com/l/define-simple-support-boundary-condition-of-a-beam-solid-
mechanics
hxxp://www.education.com/question/working-model-depict-buoyancy/
hxxp://www.quora.com/Where-can-I-find-Port-de-Vaire
hxxp://www.fixya.com/support/t25556697-intel_desktop_board_dh67cl_having_vga
hxxp://www.education.com/question/scientist-calculate-distance-planets
hxxp://technology.blurtit.com/4492774/import-mri-ct-and-microct-data
hxxp://bs71.blog.com/2016/03/01/performing-namaz/
hxxp://www.linkibl.com/l/define-simple-support-boundary-condition-of-a-beam-solid-
mechanics
hxxps://www.quora.com/Is-bingle-hate-and-love-the-green-or-it-fire-couple-fire-tell-
me-you-like-or-couple-weed-or-hate-weed-with-deedy-love-claggy-1
hxxps://www.quora.com/How-fertilization-takes-place-in-Plants

C2 Addresses:

adhath-learning[.]com
stepontheroof[.]com
ns1[.]b3autybab3s[.]com
stilletowheels[.]com
b3autybab3s[.]com
fierybarrels[.]com
mail[.]cooperednews[.]info
ns2[.]cooperednews[.]info
teensechs[.]com
newstodayreviews[.]com
ns2[.]softwares-free[.]com
www[.]fierybarrels[.]com
ns1[.]cooperednews[.]info
znaniye-onlayn[.]com
cooperednews[.]info
nophoz[.]com
twigreader[.]com
zadnitsa[.]com
bookerstream[.]com
teens3xweb[.]com
romanrugby[.]com
130dozen[.]com
transseksualov[.]com
cutedazzle[.]com
speedeagles[.]com
www[.]templetom[.]com
gallopingroses[.]com
didlynews[.]info
ns2[.]didlynews[.]info
ns1[.]didlynews[.]info
purple-banana[.]com
uchitel-nitsa[.]com
couchypotatoes[.]com
your3x[.]com
trk[.]greatleonidas[.]com
greatleonidas[.]com
chucknorr[.]com
tangyball[.]com
templetom[.]com
younghogs[.]com
www[.]cutedazzle[.]com
neistovo[.]com
roseauster[.]com
www[.]gallopingroses[.]com
onepickle[.]com
wond3rfulworld[.]com
ns2[.]b3autybab3s[.]com
softwares-free[.]com
www[.]romanrugby[.]com
gomadweb[.]com
wetcottonballs[.]com
ns1[.]softwares-free[.]com
sechshun8[.]com
newsscrapper[.]com
jobs[.]undp[.]tangyball[.]com
news-letters-4u[.]com
magzinehog[.]com
jupanto[.]com
www[.]tumblebin[.]com
little-nuts[.]com
fullhalfempty[.]com
mysugarbin[.]com
ftp[.]wond3rfulworld[.]com
blog[.]younghogs[.]com
ww2[.]younghogs[.]com
www[.]younghogs[.]com
ww1[.]younghogs[.]com
mx2[.]newstodayreviews[.]com
mx1[.]newstodayreviews[.]com
mx3[.]newstodayreviews[.]com
www[.]onepickle[.]com
quicktime[.]softwares-free[.]com
tumblebin[.]com
ns1[.]bidux[.]com[.]avtofrom[.]us
www[.]nophoz[.]com
breachframework[.]website
breachframework[.]com
com-account-jfnjkr[.]xyz
104[.]219[.]250[.]204
216[.]189[.]148[.]125
149[.]202[.]110[.]2
104[.]219[.]250[.]205
5[.]135[.]85[.]16
78[.]128[.]92[.]101
206[.]221[.]188[.]98
104[.]232[.]35[.]15
5[.]39[.]23[.]192
95[.]211[.]135[.]167
46[.]165[.]207[.]109
95[.]211[.]38[.]134
46[.]165[.]249[.]223
95[.]211[.]135[.]162
46[.]165[.]207[.]140
46[.]165[.]207[.]120
95[.]211[.]107[.]75
94[.]242[.]219[.]203
95[.]211[.]38[.]133
46[.]165[.]207[.]112
95[.]211[.]3[.]135
91[.]210[.]107[.]107
46[.]165[.]207[.]114
91[.]210[.]107[.]108
95[.]211[.]205[.]142
95[.]211[.]107[.]71
46[.]165[.]207[.]116
95[.]211[.]135[.]168
46[.]165[.]207[.]134
46[.]165[.]207[.]98
46[.]165[.]207[.]113
46[.]165[.]207[.]138
94[.]242[.]219[.]199
46[.]165[.]207[.]142
46[.]165[.]207[.]99
95[.]211[.]107[.]72
95[.]211[.]38[.]135
46[.]165[.]207[.]132
46[.]165[.]207[.]108