Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority

Recently, we’ve come across an interesting spam campaign aimed at French users. The campaign itself uses a well-crafted lure that is likely to catch the attention of its would-be victims. In addition, the malware used – the GootKit backdoor – contains several unusual technical characteristics. Both of these highlight how this campaign was quite well thought-out on the part of the attackers.

Spam: Using the French Ministry of Justice

This campaign starts with email in French that uses varying subject lines:

  • Copy du jugement (translated to: “Copy of judgment”)
  • L’information sur la comptabilité (translated to: “The information on accounting”)
  • Paiement (translated to: “Payment”)
  • Urgent 

The email’s text reads as follows:

Selon la décision du tribunal n° 184, afin de recouvrir les sommes dues auprès du débiteur, et en vertu des procédures d’exécution n° 135-01, la saisie de votre propriété a été prononcée.

Vous pouvez obtenir une copie de cette décision auprès du greffe du tribunal.

Une copie du jugement se trouve dans le fichier ci-joint.

This content can be roughly translated as:

According to the court decision No. 184, to cover the amounts due from the debtor, and under enforcement proceedings No. 135-01, seizure of your property has been pronounced.

You can obtain a copy of the decision from the court registry.

A copy of the judgment is in the attached file.

The email contains a Microsoft Word document (alternately named copy du jugement.doc or paiment.doc) which the user is asked to open. This file has the SHA1 hash of 9b7cf1b6255a7dc26b346fdcccbfc4755db020bf.

Once opened, this document downloads and opens a decoy image from the file hosting site savepic.su (which is displayed below). It also contains a macro which downloads and runs a backdoor.

Figure 1. Decoy image shown when opening the Microsoft Office document

The image is a reproduction of a letter from the French Ministry of Justice. It is a letter typically sent to individuals stating that the Ministry cannot assist with cases that are already before courts. This letter could have been obtained from a compromised system or email inbox, or by an accomplice working on behalf of the attackers. (References to the individual who originally received this letter were already blurred when downloaded.)

It’s worth noting that the text used in the email contained no typos or grammar mistakes. This is unusual, as spammed messages frequently include such mistakes (whatever language they use). This suggests that a French speaker, or someone well-versed in French, was responsible for writing the above text. Combined with the authentic decoy image, it’s not difficult to see how a French user would not instantly realize he had been a victim of spam.

Size and scope of campaign

Over a two-day period in the middle of March, we estimate that the images were downloaded and viewed more than 1,700 times. Based on the email addresses, both corporate and home users were targeted by this threat. We are unaware of any public or private data breaches that contained the list of recipients, which suggests that the addresses were gathered from various online sources.

We also found other spam campaigns that used the same malware families for their malware droppers and payloads. Other countries, such as Italy, are now being targeted as well. For instance, we noted a sample email with an attachment named documente copy.doc, which had the following subject names:

  • vi invieremо il doсumentо рer confermаrе il раgamеntо (translated to: “We will send you the document to confirm the payment”)
  • case number 647
  • Information
  • hello

These malware samples consistently used images uploaded to savepic.su. This made it easy to count the number of times each picture was downloaded. We found that each image was viewed between 1,700 and 10,000 times.

Backdoor payload

After the user opens the malicious document and executes the embedded macro, the macro downloads and executes the dropper (SHA1 hash: f9772fcfbcaac9c4873989a1759a5c654eec440e). The dropper first creates an Application Compatibility Database (a file with an .SDB extension) containing its own patch code, and installs it with the sdbinst command. Explorer.exe is then started with the command-line parameter issdb. The shim engine injects the patch code into the process, where it is executed.

The exact method used here is unusual; it was first described in a research paper titled Persist It: Using and Abusing Microsoft’s Fix It Patches, published by Jon Erickson at Black Hat Asia 2014. The paper described how an .SDB file can be created that modifies an application’s behavior while it executes. We have previously seen this method used to sideload .DLLs, but this is the first time we have seen it used to patch a loader.

Figure 2. SDB overview via sdb-explorer

This patch is about 6 kilobytes in size, and patches memory at 5 different memory locations within kernel32.dll in order to run its patched code on the fly. This technique is used not only to patch explorer.exe, but other processes as well.
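To check an endpoint for this persistence method, a defender can list the shim databases that sdbinst has registered and see which executables they target. The PowerShell below is an added example written for this post, not code from the original article or from the malware; it reads the InstalledSDB and Custom keys under AppCompatFlags (the standard locations sdbinst writes to), hashes each installed database so it can be compared against known indicators, and singles out any database registered against explorer.exe, which is the target used by the campaign described above. It assumes an elevated 64-bit PowerShell session on Windows 7 or later.

```powershell
# Added example: enumerate shim databases installed via sdbinst and report their targets.
# Registry locations are the standard AppCompatFlags keys that sdbinst populates.
$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$CustomShimKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'

function Get-InstalledShimDatabase {
    # One subkey per installed database, named by GUID; its values describe the .sdb file.
    if (-not (Test-Path $InstalledSdbKey)) { return }
    foreach ($key in Get-ChildItem -Path $InstalledSdbKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        $path  = $props.DatabasePath
        [pscustomobject]@{
            Guid        = $key.PSChildName
            Description = $props.DatabaseDescription
            Path        = $path
            InstalledAt = if ($props.DatabaseInstallTimeStamp) {
                              [DateTime]::FromFileTime([int64]$props.DatabaseInstallTimeStamp)
                          } else { $null }
            Sha1        = if ($path -and (Test-Path $path)) {
                              (Get-FileHash -Path $path -Algorithm SHA1).Hash
                          } else { 'file missing' }
        }
    }
}

function Get-ShimTarget {
    # One subkey per shimmed executable; each value name is the "{GUID}.sdb" applied to it.
    if (-not (Test-Path $CustomShimKey)) { return }
    foreach ($key in Get-ChildItem -Path $CustomShimKey) {
        foreach ($name in (Get-Item -Path $key.PSPath).GetValueNames()) {
            [pscustomobject]@{
                Target   = $key.PSChildName
                Database = $name
            }
        }
    }
}

$databases = @(Get-InstalledShimDatabase)
$targets   = @(Get-ShimTarget)

Write-Host 'Installed shim databases:'
$databases | Format-Table -AutoSize

Write-Host 'Shimmed executables:'
$targets | Format-Table -AutoSize

# The campaign above shims explorer.exe, so a custom database on that target is the first thing to triage.
$suspect = $targets | Where-Object { $_.Target -ieq 'explorer.exe' }
if ($suspect) {
    Write-Warning 'explorer.exe has a custom shim database registered:'
    foreach ($s in $suspect) {
        $guid = [IO.Path]::GetFileNameWithoutExtension($s.Database)
        $db   = $databases | Where-Object { $_.Guid -ieq $guid }
        "  $($s.Database) -> $($db.Path) (installed $($db.InstalledAt), SHA1 $($db.Sha1))"
    }
}
```

A legitimate enterprise may ship its own compatibility fixes, so the output needs to be read against what the organisation actually deploys: a database with a generic description, a recent install timestamp and a target such as explorer.exe that has no business needing a shim is the combination worth escalating. Because the database file lives on disk, its hash can also be fed straight into a file-reputation or IoC lookup.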

The patch code detects the operating system version in order to download the appropriate version of GootKit (both 32- and 64-bit versions are available). They can be downloaded from two distinct URLs:

  • hxxps://repvisit[dot]com:80/rbody32 (32-bit version)
  • hxxps://repvisit[dot]com:80/rbody64 (64-bit version)

It’s worth noting that the download server uses HTTPS. To do this, it uses a self-signed certificate that identifies the site as My Company Ltd, while the real file names of the downloaded files are node32.dll.rk or node64.dll.rk, respectively.

Figure 3. HTTP headers of download server

Once the .DLL file is downloaded and loaded, the malware is ready to perform its routines and it now communicates to its command-and-control (C&C) server located at hxxps://VersatileGreenwood[dot]net:80/200.

Figure 4. HTTP headers of C&C server

Two things about the C&C server are apparent. While it has a different URL, it has the same IP address as the download server. Also, the HTTP reply leaks some information about the server: the X-Powered-By: Express header indicates it is powered by the Express web framework for the Node.js platform.

Adding a Fake Certificate Authority

One of GootKit’s abilities is to monitor network traffic, even when encrypted. How does it do this? In a similar manner to the recent Superfish incident: it adds a fake root certificate authority to the system. However, it does this in an unusual way.

GootKit essentially takes an existing root certificate on the system and adds a duplicate certificate (of its own creation) with the same name. However, upon closer examination, we noted two key differences: the fake certificate expires in 2020, and its RSA key length is only 1024 bits.

Figure 5. Fake certificate – 1024-bit key on the left, private key on the right

GootKit uses the fake certificate to perform man-in-the-middle (MITM) attacks against any HTTPS traffic. Because the fake certificate uses the same name as a randomly chosen legitimate certificate already present on the system, it is very hard to detect this problem.
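The two differences noted above (an expiry date that does not match the real root, and a 1024-bit RSA key) are exactly what a defender can test for. The PowerShell below is an added example, not code from the original article; it walks the machine and user root stores, groups certificates by subject name, and reports any subject that resolves to more than one distinct certificate, any root whose RSA key is shorter than a configurable minimum, and any root that has a private key attached (a trust anchor installed on an endpoint should never have one). The 2048-bit threshold and the store paths are the example's own choices.

```powershell
# Added example: look for root certificates matching the pattern described above:
# a subject that appears with more than one distinct certificate, a short RSA key,
# or a private key sitting next to a root certificate.
function Get-RootCertificateFinding {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [int]$MinimumRsaBits = 2048
    )

    # Collect every root certificate together with the store it came from.
    $entries = foreach ($store in $StorePaths) {
        if (Test-Path $store) {
            foreach ($c in Get-ChildItem -Path $store) {
                [pscustomobject]@{ Store = $store; Cert = $c }
            }
        }
    }

    # Subjects that map to more than one distinct thumbprint across the stores.
    # (The same thumbprint showing up in both stores is normal; two different
    # certificates sharing one subject is the duplicate-name trick described above.)
    $dupSubjects = $entries |
        Group-Object { $_.Cert.Subject } |
        Where-Object { @($_.Group | ForEach-Object { $_.Cert.Thumbprint } | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { $_.Name }

    foreach ($entry in $entries) {
        $c = $entry.Cert
        $reasons = @()

        # RSA key size; non-RSA roots (ECDSA) return no key size and are not flagged for length.
        $keySize = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
            if ($rsa) { $keySize = $rsa.KeySize }
        } catch {
            if ($c.PublicKey.Key) { $keySize = $c.PublicKey.Key.KeySize }
        }

        if ($dupSubjects -contains $c.Subject)              { $reasons += 'DuplicateSubject' }
        if ($keySize -and $keySize -lt $MinimumRsaBits)      { $reasons += "RsaKey$keySize" }
        if ($c.HasPrivateKey)                                { $reasons += 'PrivateKeyPresent' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $entry.Store
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotAfter   = $c.NotAfter
                KeySize    = $keySize
                Reasons    = ($reasons -join ', ')
            }
        }
    }
}

Get-RootCertificateFinding | Sort-Object Subject, Thumbprint | Format-Table -AutoSize
```

The weak-key finding on its own is not conclusive, since some long-standing legacy roots still carry 1024-bit keys; the strong signals are a duplicated subject and, above all, a private key stored alongside a root certificate. When a duplicate pair is found, comparing the two thumbprints against the vendor's published root fingerprints tells you which one is the impostor.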

Remote Access Capabilities

While the remaining capabilities of GootKit are in line with its known features, it does seem to have added one new feature: the command RunVNC. This suggests it can now make use of the VNC protocol to give an external user (presumably the attacker) direct access to the victim’s machine.

Figure 6. List of available functions

Additional payloads

We monitored the dropper to see if it was used to spread threats other than GootKit. We found that it also drops CryptoWall and online banking malware.

Conclusion

This entire campaign was quite well thought out, with one exception. The social engineering used in the email was a cut above most, and GootKit appears to have picked up some fairly interesting and advanced behavior. However, requiring that macros be turned on for the user to be affected is very much the sign of an amateur. The mix is an odd one, to say the least.

Whatever the case, these attacks are still ongoing. We expect these to continue and victimize more users. It is also likely that future attacks will remove the need for macros to be enabled by default.

Users are protected from this threat via Trend Micro™ Security software, which safeguards against malware, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.

Indicators of compromise

| SHA1 hash                                | Detection Name   | Notes                    | C&C server(s)                          |
|------------------------------------------|------------------|--------------------------|----------------------------------------|
| 9b7cf1b6255a7dc26b346fdcccbfc4755db020bf | W2KM_EMDROP.AA   | GootKit final payload    |                                        |
| 19ff788685ce9c8ec48848dfc4ef56abe99d657b | W2KM_DROPR.ED    | GootKit final payload    |                                        |
| fb2ed685fc58077a7849eb4b000e2cf320cf5181 | W2KM_BARTALEX.CE | GootKit final payload    |                                        |
| 4d56c9b7e40e0c0916e5f1468e650f66a4ccee87 | W2KM_DROPR.ED    | GootKit final payload    |                                        |
| f9772fcfbcaac9c4873989a1759a5c654eec440e | BKDR_GOOTKIT.D   | GootKit                  | repvisit.com, VersatileGreenwood.net   |
| 4095c19435cad4aed7490e2fb59c538b1885407a | BKDR_GOOTKIT.D   | GootKit                  | repvisit.com, VersatileGreenwood.net   |
| 2a84a60e7596de95940834779ce49a5d598800d0 | W2KM_BARTALEX.CE | CryptoWall final payload |                                        |
| 24aeb8369a24c5cfd6a9c9bfef1d793ae80fd854 | W2KM_BARTALEX.CE | CryptoWall final payload |                                        |
| 82d644bed4fdcc9953c935b4e246bdb410fbfa32 | TROJ_CRYPWALL.L  | CryptoWall               |                                        |
| 2a79d6be983dc7b4145bbb67426f1849ae2976fa | TROJ_CRYPWALL.L  | CryptoWall               |                                        |

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 31 March 2015; the full text is available from the source named above.