Avatar

On June 6, 2013, malwaretracker.com released an analysis of Microsoft Office-based malware that was exploiting a previously unknown vulnerability that was patched by MS12-060. The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists. On June 7, 2013, Rapid7 released an analysis of malware dubbed ‘KeyBoy,’ also exploiting unknown vulnerabilities in Microsoft Office, similarly patched by MS12-060, but allegedly targeting interests in Vietnam and India. The indicators of compromise (IoCs) listed by Rapid7 match some of the indicators of compromise listed previously by malwaretracker.com.

IoCs published by malwaretracker.com.
IoCs published by malwaretracker.com.
IoCs published by Rapid7.
IoCs published by Rapid7.

As we have seen in some previous targeted malware attacks, the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure. While TRAC is sure that many subdomains used at changeip.com have no malicious purpose, there is no denying the fact that attackers mounting targeted attacks are also attracted to these ‘free’ services. Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar. Not many professional organizations have valid reasons to allow traffic to domains offered by changeip.com, so blacklisting these domains is an option.

One of the second-level domains listed as an IoC is phmail.us. Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011. Based on the patterns of subdomain registration over time in DNS, TRAC believes this is an example where the attackers registered their own second-level domain. The WHOIS data, including the address, postal code and telephone number, is obviously forged.

Fake WHOIS record data for phmail.us.
Fake WHOIS record data for phmail.us.

An eclectic group of subdomains has been used at phmail.us, including the following:

cpnet.phmail.us
dnd.phmail.us
hoasen.phmail.us
inquirer.phmail.us
phattai.phmail.us
rfa.phmail.us
sscdtt.phmail.us
ttbc.phmail.us
www.phmail.us
yah00.phmail.us
yl.phmail.us
ynsc.phmail.us

While watching some of these domains using passive DNS a peculiar pattern emerges. For a long period of time, many of the DNS responses for a hostname will return 127.0.0.1, but every so often, presumably when a likely target is on-the-hook, the domain name servers return a routable IP. Perhaps this is a tactic designed to evade or postpone eventual detection and assist in staying below the radar. Note in the following graphic the DNS server replied 717 times with 127.0.0.1; however during that same time, the real routable IPs were also offered to certain requesters.

Passive DNS from ISC.org for a subdomain at phmail.us.

Another IoC second-level domain from this group (phdns01.com) exhibits exactly the same WHOIS and passive DNS patterns:

silence.phdns01.com
symantec.phdns01.com
www.phdns01.com
hanoihcm.phdns01.com
sscd.phdns01.com

Passive DNS from ISC.org for a subdomain at phdns01.com

TRAC recommends analyzing DNS traffic for these IoCs on your own networks. In this case, maintaining the latest patches would also have thwarted the attacks, and is always an excellent idea. Additionally, blacklisting the domains offered by changeip.com using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or Cloud Web Security (CWS) are additional options that can help add an extra level of security.

Thanks to Craig Williams and Emmanuel Tacheau for their assistance in co-writing this blog post.



Authors

Jaeson Schultz

Technical Leader

Cisco Talos Security Intelligence & Research