We’ve been seeing an increase in Taidoor downloaders in the wild, but instead of embedding the backdoor in email attachments, the current trend in Taidoor-related attacks is to include an attachment with a Taidoor-downloading Trojan.
Based on the sample set we gathered, it appears this type of technique has only been used this year. For the most part, the delivery method is a socially-engineered email with an attachment that exploits the MS12-027 MSCOMCTL.OCX RCE Vulnerability (CVE-2012-0158) , which is becoming the favorite exploit of several groups. In this case, the targets are mostly Japanese companies and US Defense contractors.
Embedded in the document files is a simple downloader. Like Taidoor, this downloader comes with a packer but instead of using the RC4 decryption/encryption method, a simple XOR is used to decrypt the downloader component with the 16-bit hardcoded key below:
- 22 3A 58 40 79 A1 16 11 89 F3 C7 66 37 90 3B 00
Zeroes are skipped and left as is.
The component is saved as ntuser.cfg in the %User Profile% folder and the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NTUCF = rundll32 %User Profile%\ntuser.cfg,Config is created to maintain its persistence.
It then connects to its server using the following distinct parameters:
//fc.asp?est=[campaign code]&hn=[computer name]&ha=[ip address]&hm=[mac address]&hv=[path of AV installed]&hb=[system type (64 or 86)]&hp=[proxy]
To decode the parameters, we need to XOR the parameter values starting from “hn” with 07. The server should reply with a 200ok message before it attempts to download another .HTML file named “dw.html”. This contains a link to the .PDF file it downloads and decrypts a portion of it using the same decryption method as its packer with another hard-coded key:
- 21 5A 52 46 35 A7 16 11 89 F3 C7 66 37 90 3B 00
It then saves the decrypted code as ~db98.tmp in the Temp Folder, which is the Taidoor component. Technically, it could be any file, but so far, all the samples point to Taidoor. The Taidoor packer changed a bit, as it now checks for HKLM\ SOFTWARE\KasperskyLab in addition to the HKLM\SOFTWARE\McAfee registry key. It can be recalled that this registry key checking is used to determine which process will invoke the executable file. Below are the processes used in relation to these registry keys:
- HKLM\ SOFTWARE\KasperskyLab – verclsid.exe {malware path and filename}.exe
- HKLM\SOFTWARE\McAfee – services.exe {malware path and filename}.exe
- Default – svchost.exe {malware path and filename}.exe
Other than that, the main Taidoor binary is the same as the old variants.
Previous Downloader
Back in 2011, a Halloween-themed targeted attack also used a Taidoor downloader, which was encrypted in a “JPG” file.
The “JPG” file is typically located in /images/question.jpg of the server and the decoded binary is saved as “sys.exe” in the Temp folder.
It uses both B64 and RC4 to encrypt and hide the Taidoor binary in the “JPG” file. The outer layer (the one sent over the network) is encoded using B64. Once decoded, the RC4 key is a 6-byte sequence that is still encrypted with a simple XOR.
Although, we see minimal variants in the wild, we are still monitoring this for any changes or updates. And while the “PDF” downloader seems to be the current tool of the gang, it is interesting to note that they have a penchant for embedding the payload in popular file types.
Campaign Tags
Campaign tags embedded in the binaries are sent to the server via the est parameter in the initial beacon to the C&C node. So far, we have seen the following tags/codes used:
- 66
- 0208com
- jp
- nato
- asia2
- tib
- 002
- kk
- 1030
To make it a bit harder to track, the command-and-control (C&C) infrastructure used for this campaign are free dynamic domain names registered with ChangeIP.
Looking at the previous activities of the related IP addresses, {BLOCKED}.227.69 was also used in a Japanese-related attack last year. The RAT used then was from an open source project called “Network Administrator”.
SAJDELA (Network Administrator)
Also known as BKDR_SAJDELA, “Network Administrator” was consistently used in 2011 attacks but has since declined in number. Interestingly though, some samples are repackaged using government seals as icons.
Since Network Administrator is an open source project, its presence in a system and network is easily identifiable. The most telling are the dropped component named %System%/csrls.dll and the registry key below:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Athene
Network connection is identified by the string “Gabby” and the information “[machine name][ip address][hardcoded country]” sent to the server. Like the IP addresses, the port number is also hardcoded in the binary or specified in the builder, whichever way you’re looking at them.
As BKDR_SAJDELA is from an open source project, we needed to separate the samples used for malicious intent from those legitimately used. To do this, we established the connection among binaries and campaigns based on the C&C server and the ports used.
From the image above, it is evident that the Taidoor downloader is entrenched in what used to be a very active C&C of Sajdela. This could mean nothing, however, as the IP {BLOCKED}.227.69 is no longer replying to Sajdela binaries in port 6386 and it could have been reassigned since then. But we do not want to discard the history of related activities.
Conclusion
It is common for bad actors to use tools to perform several tasks or to move from one tool to another. Historical evidence shows that the Taidoor gang likes to keep their attacks simple. They use known and tested exploits and malware like SIMBOT variants that have basic functionalities.
The main binary seems to be compiled every time a new C&C is added, which leaves little space to add new modules and functions. So adding a downloader that gathers basic information on top of the old RAT actually makes a lot of sense. They can now filter the data and sort the relevant information according to the campaign or victim without disrupting the old setup.
While highly improbable, there is also a possibility that another group is responsible for this new method – one that has access to the original Taidoor and is more inclined to organized data. Either way, we advise users to block the traffic below from their perimeter network:
- / fc.asp?est=[campaign code]&hn=[computer name]&ha=[ip address]&hm=[mac address]&hv=[path of AV installed]&hb=[system type (64 or 86)]&hp=[proxy]
And to monitor/flag traffic with the following details:
- /images/question.jpg
- B64-enccoded with the string “yxyyyxyy” in the message
With additional information from Nart Villeneuve and Matsukawa Bakuei
Leave a reply
