Knock Knock Knocking on EhDoor (The Curious Case of an EPS file)


INTRODUCTION

This all started with the great analysis and blog done by RSA in August 2017 about a phishing wave targeting Russian Banks. This was followed by another great blog by McAfee on the same subject but my focus will be on a specific aspect mentioned in the RSA blog which is the exploit used.“FireEye discovered a malicious docx exploiting a zero day vulnerability in Microsoft’s Encapsulated Postscript (EPS) filter, in the summer of 2015. This EPS exploit was assigned CVE-2015-2545. In March 2017, FireEye observed both nation state and financially motivated actors using EPS zero day exploits assigned as CVE-2017-0261 and CVE-2017-0262, prior to Microsoft disabling EPS rendering in its Office products with an update in April 2017.”

PART 1 - ADDITIONAL SAMPLE RELATED TO THE PHISHING CAMPAIGN.

One thing I took from the analysis done on the samples from the RSA blog was the name of the EPS file which was “image1.eps”. If you take that and search it, one of the results have the MD5 “667c7f50177a64b4cb30aad8d4d0360e”.

Looking at the document “выписка по счету клиента.docx” which translates to “statement of the customer account.docx” in more detail reveals similarities regarding to the use of XOR obfuscation techniques mentioned in the RSA blog, look at the snippet below

PART 2 - FROM AN EPS FILE TO THE EHDOOR BACKDOOR

In the RSA blog it was mentioned that different actors are borrowing the exploits above and in most cases are using it as is, so continuing from PART 1 and the EPS file name, I wanted to try and see if I can find some interesting samples – I know it is a bit crazy and might return all kind of results but sometimes that by itself is interesting.
In doing so, I came across this sample titled “peace-along-the-border-is-not-a-one-process-says-Lt-gen-ds-hooda.doc”. Looking up the name Lt. Gen. DS Hooda returns a news article of an Indian news outlet with the same name of the sample.
The article itself talks about a strategic geographical conflict area of the Kashmir zone and the General name is referencing “Lieutenant General Deependra Singh Hooda who has had a unique ringside view of Kashmir affairs in recent times, both as chief of the Udhampur-based Northern Army Command and prior to that as General Officer Commanding of the Nagrota-based 16 Corps.”
When I came across the sample I did not make much of it other than it looks interesting with the naming convention of the lure and I put it on the side burner to analyze further later since I was more focused on the RSA blog.
That all changed when Reuters released a story on August 28, 2017 about India & Pakistan hit by spy malware. In the article, there is a description about the potential lure documents used: “To install the malware, Symantec found, the attackers used decoy documents related to security issues in South Asia. The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.”
Based on the article and the sample I came across from earlier, I wanted to see if they are indeed connected and if I had stumbled upon one of these lure documents.
In the Reuters article, Symantec dubbed the final payload as Ehdoor and a quick google search for that name brings up the Symantec technical details for the backdoor.
Looking further into the backdoor details and researching a bit, I was able to find a couple of samples of the backdoor in Open source.
Looking at some interesting PDB strings from the sample above – notice the EH reference relating to EHDoor - I tried to see if I can find additional details and information about this malware

I was able to come across this blog in Chinese which the title translate to “An Analysis of APT Events in Pakistan” which is a great write up and fantastic analysis of the campaign. The blog is actually referencing the work of the Chinese 360 team and this analysis from back in June.
Lo and behold, they analyzed the same sample “peace-along-the-border-is-not-a-one-process-says-Lt-gen-ds-hooda.doc” showing that this lure document ended up delivering the EHDoor backdoor described in the Reuters article. Additional IoCs are also available in the Chinese link but I am also including them at the bottom of the blog.

BUT WAIT, THERE IS MORE

While analyzing and researching the samples, I noticed the re-occurrence of the “FLTLDR.exe” process being invoked/run as part of the exploit chain. This got me interested to find out more and it was easily cleared out by the FireEye Blog where they state
“Upon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in “restore” operand.”
This is interesting as to now we can do some unique searches to find out samples that have that EXE invoked and that can point us to samples related to EPS exploits.
Using the Advanced Searching functionality within Hybrid Analysis and under the Sample Context field, I was able to find many samples that have the above mentioned EXE and below are some interesting ones.
0b0635b6ba23f1ab5aed4111c0af1fbb - Shelter for Rohingyas temporary
I was able to find this sample on the QuickSand sandboxing site as well tagged with CVE-2017-0261. It was also tagged with executable_win which indicates that it has an embedded EXE in it. Some of the extracted strings are really interesting as shown below.
Searching for other samples with some of these strings doesn't return a lot of results. As a matter of fact it comes back with one main sample which seems to communicate to 84.200.2[.]12. This IP seems to be associated with NETWIRE malware but I can not confirm the final payload for the above sample or the upcoming one.

8ad3a448ce47c6c723e5843bef885313 - 3/58 detection on VT as of the writing of this blog and is also available on Quick Sand and contains the strings as shown above.

Another way that can yield similar results would be searching for this 
“cmd  /C ooxWord://”

CLOSING NOTES

This analysis continues to show that certain tools/exploits can be used by multiple different adversary groups with different motivations. From financially motivated attackers with the phishing campaigns against Russia and Ukraine to the more strategic geopolitical lures that might indicate an advanced adversary with potential espionage motivation.

IoCs FROM THE 360 CHINESE REPORT


Current vacancies.doc
peace-along-the-border-is-not-a-one-process-says-Lt-gen-ds-hooda.doc
Name of Facilitators revealed.scr
isi_report_of_2016.rar
Pakistan army officers cover blown.pdf
Ramadan Mubaraq.rtf
MD5
154ee0c3bb8250cae00d5ed0e6f894b4
4f4cc89905bea999642a40d0590bdfa3
6d7ef5c67604d62e63aa06c4a7832dac
842e125beca97c185b33235e54e77d3a
9cddfd8fa9dc98149e63f08f02a179cf
c2be017b2fb3ad6f0f1c05ef10573b90
c43bab60cbf7922a35979e4f41f9aa9e
c5f76015b2cb15f59070d2e5cfdd8f6e
cbd2340e37b2ae9fc85908affbb786a7
d0dd1c70581606aa2a4926c5df4a32ee
1b41454bc0ff4ee428c0b49e614ef56c
PDB
E:\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\DefenderReference.pdb
D:\EH_DEVELOPMENT_SVN\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\EsstnalUpdte.pdb
D:\EH_DEVELOPMENT_SVN\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\ProcNeo.pdb
E:\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\AdminNewDll.pdb
E:\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\AdminServerDll.pdb
E:\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\MSOBuild.pdb
C:\Users\Fire\Documents\Visual Studio 2015\Projects\newfiles sent\newfiles\obj\Release\Pro-Gaurd.pdb
E:\EHDevelopmentSolution3\EHDevelopmentSolution3\Release\WelcomeScrn.pdb
C&C
185.109.144[.]102:80       
http://185[.]109 [.]144[. ] 102/DistBuild/DefenderReference.exe
http://185[ . ] 109[.]144 [ . ]102/DO_NOT_NEED_A_URI
185.109.144[.]102:443    Tcp
tes.sessions4life[.]pw    
http://tes[. ] sessions4life[.] pw/quiz/WelcomeScrn.exe
138.197.129[.]94:80         
http://13894/logo.doc
Mutex
EHWinHTTPWebServiceCall_MUTEX
EHGetListerUploaderExeStateNeo_MUTEX

ADDITIONAL IoCs

выписка по счету клиента.docx
MD5
667c7f50177a64b4cb30aad8d4d0360e
0b0635b6ba23f1ab5aed4111c0af1fbb
8ad3a448ce47c6c723e5843bef885313




Comments

Popular posts from this blog

A Quick Dip into MuddyWater's Recent Activity

HOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBELED - A LOOK AT A RECENT more_eggs SAMPLES

POWERSING - FROM LNK FILES TO JANICAB THROUGH YOUTUBE & TWITTER