The trend of attackers using stolen digital certificates to disguise their malicious executables is on the rise. The Shiqiang group is known to employ spear-phishing attacks against nongovernmental organizations along with a history of using stolen digital certificates in their campaigns. One of the malicious signed binaries comes as part of a doc file that exploits the CVE-2012-0158 vulnerability.
The graph below highlights the timeline of the attack, ordered by the compiler-generated time stamp of the binary. The first known binary is identified as a prototype and the similarity is calculated based on the assembly code of all the variants. It is interesting to observe the trend and the modifications that have gone into the variants.
The group has been very active since July 2013 and is known to use two valid digital certificates as part of their campaign.
- Zhengzhou hanJiang Electronic Technology Co., Ltd. Expires 9/1/2013
- Jiangxi you ma chuang da Software Technology Co., Ltd. Expires 12/14/2014
These certificates were issued by Thawte and Versign, respectively. Although the first certificate expired in September 2013, the second certificate is still valid and actively used in the campaigns.
The threat vector is a doc file that exploits the CVE-2012-0158 vulnerability and contains a decoy document. Upon execution in a vulnerable environment, the doc file drops an embedded executable (kav.exe) that is digitally signed, which in turn drops another DLL file that is signed by the same digital certificate.
Kav.exe drops two files in %Allusersprofile%\Application Data\Microsoft\Network:
Msnetwork.dll is registered as a layered service provider (LSP). By inserting itself to the LSP chain, the dll can be loaded whenever an application uses winsock. Once in the stack, an LSP can intercept and modify inbound and outbound Internet traffic. Msnetwork.dll checks the host process it is being loaded into and injects aesen.dat and desen.dat into explorer.exe.
Encrypt.dat is an XOR-encrypted file that contains the list of control servers. If the malware can connect to any one of the control servers mentioned in encrypt.dat, it receives additional commands from the server.
The malware injects pskyen.dat into the skype.exe process to monitor communications. It can also clean up the infection to erase any traces.
Some of the other known remote server addresses in this campaign:
McAfee Advanced Threat defense provides zero-day protection against the malicious doc file based on its behavior.
I would like to thank Saravanan Mohankumar for his assistance in this research.