[ Technical Analysis: Deceiving ‘Parked Domain’ & several .SG sites serves exploits ]

I reported the following Singapore website(s), which might be serving malicious content, to SingCERT back on 29th November 2014.
But I have just checked today and all of these site(s) are still serving the same malicious content,
even though they told me back on 1st December that they had notified all relevant parties. O_o

For the 1st website, I happened to chance upon this while checking out Lego-related stuff.
Severity: Malware Hidden Inside JPG EXIF Headers
Confidence: Certain
Host: h–p://www[.]thebroerscafe[.]sg
Path: /wp-content/uploads/2013/05/Lego-workshop[.]jpg

Issue Description:
The malicious content hides its data in the EXIF headers of a JPEG image.
So how does malicious content in the EXIF headers of a JPEG image get executed?
Basically, it uses the exif_read_data and preg_replace PHP functions to read the headers and execute itself.
If you were to view the EXIF info of the following image:
h–p://www[.]thebroerscafe[.]sg/wp-content/uploads/2013/05/Lego-workshop[.]jpg

You will see something like this.

Image 1 : Exif info of Malicious JPG file

If you look at it in Notepad++ or in a hex editor, you can see it hidden here, as shown in the image below.

Image 2 : Malicious JPG opened in Notepad++

Note the PHP code in the EXIF Model field, but also the string /.*/e in the Maker field.
Once the base64 string is decoded, the code translates into:

Basically, it evaluates whatever it gets through the POST parameter zz1.
But this is an image, so how does this code get executed?
Thanks to the PHP exif_read_data function:

The PHP function preg_replace will interpret the content as PHP code thanks to the string /e (the Maker field in the EXIF data). This will execute the eval code in the second EXIF field (Model). So basically this is a backdoor that will execute any command inside the zz1 POST parameter. The /e pattern modifier has been deprecated since PHP 5.5.0, which is good news.

So basically this is a two-component backdoor that comprises a JPEG file with malicious EXIF data and PHP code that executes it.
This PHP code can easily be inserted into any other PHP file found on the server, where it is unlikely to be noticed.
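A defender-side check for the construction described above, added here as an example (it is not code from the original post): it walks the JPEG marker segments, parses IFD0 of the APP1/Exif segment by hand, and flags a Make tag holding a PCRE pattern with the /e modifier next to a Model tag holding PHP code. The JPEG fixture is constructed inline; the PHP keywords it looks for are my assumption about what such payloads contain.

```python
import re
import struct
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110   # IFD0 tags that hold the two halves of the backdoor

def exif_ascii_tags(jpeg: bytes) -> dict:
    """Return {tag: str} for the ASCII tags in IFD0 of the first APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xD9:
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if jpeg[pos + 1] == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}

def _parse_ifd0(tiff: bytes) -> dict:
    e = "<" if tiff[:2] == b"II" else ">"           # byte order from the TIFF header
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n, val = struct.unpack(e + "HHII", entry)
        if typ == 2:                                 # ASCII: <= 4 bytes inline, else at offset
            data = entry[8:8 + n] if n <= 4 else tiff[val:val + n]
            tags[tag] = data.rstrip(b"\x00").decode("latin-1")
    return tags

def scan_exif_backdoor(jpeg: bytes) -> list:
    """Flag the Make (/e regex) + Model (PHP code) pair that preg_replace would execute."""
    tags = exif_ascii_tags(jpeg)
    findings = []
    if re.fullmatch(r"/.*/[a-zA-Z]*e[a-zA-Z]*", tags.get(TAG_MAKE, "")):
        findings.append("Make: PCRE pattern carrying the deprecated /e (eval) modifier")
    if re.search(r"eval\s*\(|base64_decode|\$_(POST|GET|REQUEST)", tags.get(TAG_MODEL, "")):
        findings.append("Model: PHP code where a camera model should be")
    return findings

def build_jpeg_with_exif(make: str, model: str) -> bytes:
    """Constructed fixture: SOI + APP1/Exif holding only Make and Model (both > 4 bytes) + EOI."""
    mk, md = make.encode() + b"\x00", model.encode() + b"\x00"
    data_off = 8 + 2 + 12 * 2 + 4                    # strings follow IFD0 and its next-IFD pointer
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", TAG_MAKE, 2, len(mk), data_off)
    ifd += struct.pack("<HHII", TAG_MODEL, 2, len(md), data_off + len(mk))
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + mk + md
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

A JPEG that passes this check can still carry the PHP half elsewhere; the loader that calls exif_read_data and preg_replace has to be hunted for separately in the site's PHP files.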

As the website is using TimThumb, and TimThumb has been known to have several security vulnerabilities for years, I would recommend that the website owner discontinue the use of TimThumb.

If anyone is interested in learning more about this, you can read about it here.
Related Links:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
http://securelist.com/blog/research/58196/malware-in-metadata/

For the 2nd website,
Severity: Redirection to possibly ExploitKit
Confidence: Certain
Host: h–p://www[.]hinhuatdj[.]com
Path: /index[.]html

Issue Description:
If you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 3 : Source of Index.html in www[.]hinhuatdj[.]com

Please don’t run the script unless you know what you are doing. Once you have safely decoded it, you will see this.

Image 4 : Decoded Javascript pointing to Malicious website

A quick check against VirusTotal shows that it has previously been flagged as malicious by Kaspersky and Sucuri.

This is the Virustotal report on the website.
https://www.virustotal.com/en/url/57186289dcea318fc52dbfe1ccd850cb5c2e1ffdf3b6be136330cfad1a169f40/analysis/1417239062/

For the 3rd website,
Severity: Compromised website
Confidence: Certain
Host: h–p://www[.]mdas[.]org[.]sg
Path: /

Issue Description:
If you were to view the page source of the website in a safe manner, you would be able to see that the page has been injected with malicious HTML code, as shown below.
The links seem to be porn URLs.

Image 5 : Injected html codes

Visitors to this website might accidentally click on the porn URLs and potentially be exposed to other malicious stuff.
The IP address of this website is currently 111.235.138.70, which belongs to Vodien Internet Solutions Pte Ltd, a local web hosting company.

For the 4th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://333bakkutteh[.]com
Path: /index[.]html

Issue Description:
If you were to view the page source of the website in a safe manner, you would find that this website appears to be “Parked” or not in use.

However, if you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 6 : Injected html codes

Based on personal experience, I can straight away recognise this as an ExploitKit.
Visitors to this website will be exposed to the exploits served by this ExploitKit immediately.
The IP address of this website is currently 112.140.185.140, which belongs to sparkstation.net, a .SG web hosting company.

For the 5th website,
Severity: Serving ExploitKit
Confidence: Certain
Host: h–p://fonghsiang[.]com[.]sg/
Path: /

Issue Description:
If you were to view the page source of the website in a safe manner, you would be able to see that the page has been injected with malicious HTML code, as shown below.

Image 7 : Injected html codes

For the 6th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://hychem-ap[.]com[.]sg
Path: /

Issue Description:
If you were to view the page source of the website in a safe manner, you would be able to see that the page has been injected with malicious HTML code, as shown below. It’s the same as the 5th website.

Image 8 : Injected html codes

For the 7th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://actinium[.]sg/
Path: /

Issue Description:
If you were to view the page source of the website in a safe manner, you would be able to see that the page has been injected with malicious HTML code, as shown below. It’s the same as the 5th website.

Image 9 : Injected html codes

Based on personal experience, I can straight away recognise that all of these are ExploitKits.
Visitors to these website(s) will be exposed to the exploits served by this ExploitKit immediately.
Both h–p://fonghsiang[.]com[.]sg/ and h–p://hychem-ap[.]com[.]sg currently resolve to 203.142.25.182, and h–p://actinium[.]sg/ currently resolves to 202.157.153.5.

Both 203.142.25.182 and 202.157.153.5 currently belong to Webvisions Pte Ltd, which is a .SG web hosting company.
The impact of these domains is that innocent visitors with no protection could become the next victims if both the malicious scripts and the C2 are still working.
This is a “REMINDER” to everyone not to trust a “site” by its cover and to always exercise caution. Attacker(s) are always thinking of new ways to trojanise victim(s).
The attacker(s) here were clever to hide the malicious code the way they did, because they can easily trick victim(s) who assume that the site(s) have “already expired” or been “suspended” by the hosting provider.
But in reality, that is not the case.

Happy Reversing
Jacob Soo

[ Technical Teardown: PHP WebShell ]

[ How it starts ]
Today, my personal scanner found yet another PHP WebShell.
Since we at VXSecurity.sg haven’t written anything on PHP WebShells, I will be writing one on it today.
So what is a “PHP WebShell”?
A PHP WebShell can give malicious hackers access to perform the following actions:

  • Archive or extract files
  • Brute-force logins for FTP, MySQL, pgsql
  • Create or delete folders
  • Download files
  • Encode or decode files
  • Open a bash shell command, which allows the remote attacker to execute remote commands
  • Open files
  • Rename files
  • Run SQL commands
  • Search folders
  • Show active connections
  • Show computers the infected computer had access to
  • Show running services
  • Show user accounts
  • Show IP configuration
  • Connect to certain servers

A PHP WebShell also allows attacker(s) to connect to the server(s) for the purpose of receiving arbitrary information, sent by a malicious hacker, about your PC and/or server.
Today, I found this PHP WebShell at http://www[.]motorossarkany[.]hu/images/hir_41_1[.]jpg

[ Sample used in the analysis ]
MD5: 379f63c3df8570a479017757c0826d2e
SHA1: 3f86bd230c01c54d356d910c5ba161b2857ee5fb
PHP WebShell Sample
The password to the zip is “infected29A”.

[ Tool Used ]
Notepad++

[ Analysis of the .JPG file ]
If we were to open this .jpg file in any hex editor or in Notepad++, the following image is what we would see.

Image 1 : hir_41_1.jpg

We can see right here that it’s basically a .php file instead of a .jpg file.
In this case, we can safely say that the .htaccess file is set to run JPG files as PHP. This is why the PHP code is executed even though the file extension is GIF or JPG.

Let’s try decoding the top portion of the script, and we should get back this:

Hmmm… it seems like $_F and $_X are not used. Or are they?
As we reach the bottom of the file, we see another interesting part of the script, as shown in the image below.

Image 2 : Decoding 2nd part of the PHP WebShell

As we can see here, we already have the value of “$OOO0000O0”: it is “base64_decode”.
So basically, it’s just base64 decoding of the following:

Image 3 : String to be base64 decoded

After we have base64 decoded it, we get back the following piece of code.

To prevent anyone from accidentally running the script, just replace the above code snippet with the following code snippet.

Now if you run the script again, you should get back 2 .txt files (“file_x.txt” & “file_R.txt”).
I did this just to show what the differences between the 2 are, for those who are not familiar with PHP.
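The approach above writes each decoded layer out to a .txt file by swapping the eval for a file write. As an added example (not the post’s own code), the Python below peels eval(base64_decode('...')) style layers statically, without ever running the PHP, and resolves the $OOO0000O0 = 'base64_decode' aliasing seen above. It goes a little beyond the post by also handling gzinflate wrappers and any nesting depth; the loader it decodes is a constructed toy, not the real sample.

```python
import base64
import re
import zlib
# PHP decoders commonly nested around the payload; PHP's gzinflate() is raw DEFLATE
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
}
# $OOO0000O0 = 'base64_decode'; style aliasing of a function name behind a variable
ALIAS_RE = re.compile(r"(\$\w+)\s*=\s*['\"](\w+)['\"]\s*;")
# eval(f(g('<literal>'))); with any depth of single-argument wrappers around a string literal
EVAL_RE = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([^'\"]*)['\"]\s*\)+\s*;?")

def resolve_aliases(code: str) -> str:
    """Turn $var(...) into f(...) wherever the script assigned $var = 'f';."""
    for var, fn in ALIAS_RE.findall(code):
        code = code.replace(var + "(", fn + "(")
    return code

def peel_layer(code: str):
    """Statically unwrap one eval(...) layer; returns the inner PHP or None. Nothing is executed."""
    m = EVAL_RE.search(resolve_aliases(code))
    if not m:
        return None
    funcs = re.findall(r"\w+", m.group(1))          # outermost wrapper first
    data = m.group(2).encode("latin-1")
    for fn in reversed(funcs):                      # undo the innermost wrapper first
        if fn not in DECODERS:
            return None                             # unknown wrapper: stop rather than guess
        data = DECODERS[fn](data)
    return data.decode("latin-1")

def deobfuscate(code: str, max_layers: int = 10) -> list:
    """Every recovered layer, outermost first (the intermediate layers the post wrote to .txt files)."""
    layers = [code]
    while len(layers) <= max_layers:
        inner = peel_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers

def build_sample() -> str:
    """Constructed toy loader (not the real sample): alias + gzinflate(base64(...)) + base64 layers."""
    inner = "<?php echo 'layer reached'; ?>"
    l1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    co = zlib.compressobj(wbits=-15)
    raw = base64.b64encode(co.compress(l1.encode()) + co.flush()).decode()
    return "<?php $OOO0000O0='base64_decode'; eval(gzinflate($OOO0000O0('%s')));" % raw
```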

OK, we should now be able to see the actual PHP WebShell, as shown below.

Image 4 : Final Deobfuscated PHP WebShell

So the thing I hope SysAdmins learn here is to always do your due diligence checks on your web server and to check your .htaccess files, if there are any.
If you see new image files and lots of entries for them in the access logs, do check the files.
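One way to act on the two points above (the .htaccess mapping that runs .jpg files as PHP, and new image files that are really scripts), written here as an added example rather than the post’s own tooling: it flags single-line handler directives that map image extensions onto PHP, and image files whose magic bytes or content do not match their extension. The web root it scans is a constructed temporary fixture, and the PHP-in-.jpg file in it only mimics the shape of the loader described above.

```python
import os
import re
import tempfile
# Handler directives that make Apache run a file as PHP, paired with an image extension
PHP_HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*php", re.I)
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|gif|png)\b", re.I)
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8", ".png": b"\x89PNG"}
PHP_MARKERS = re.compile(rb"<\?php|\beval\s*\(|base64_decode\s*\(|\$_(POST|GET|REQUEST)")

def suspicious_htaccess_lines(text: str) -> list:
    """Single lines that map an image extension onto PHP (multi-line <FilesMatch> blocks not handled)."""
    return [line.strip() for line in text.splitlines()
            if PHP_HANDLER_RE.match(line) and IMAGE_EXT_RE.search(line)]

def check_image_file(name: str, data: bytes) -> list:
    """Reasons a supposed image deserves a look: wrong magic bytes, PHP code in the content."""
    ext = os.path.splitext(name)[1].lower()
    findings = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("%s: content does not start with %s magic bytes" % (name, ext))
    if PHP_MARKERS.search(data):
        findings.append("%s: contains PHP code" % name)
    return findings

def scan_tree(root: str) -> list:
    """Walk a web root: flag .htaccess handler abuse and image files that are really PHP."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(65536)            # head is enough for magic bytes and loaders
            if fname == ".htaccess":
                findings += [path + ": " + l for l in suspicious_htaccess_lines(data.decode("latin-1"))]
            elif os.path.splitext(fname)[1].lower() in MAGIC:
                findings += check_image_file(path, data)
    return findings

def demo() -> list:
    """Constructed fixture: temp web root with an abusive .htaccess, a PHP-in-.jpg and a real GIF."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("AddType image/jpeg .jpeg\nAddType application/x-httpd-php .jpg\n")
    with open(os.path.join(root, "images", "hir_41_1.jpg"), "wb") as fh:
        fh.write(b"<?php $_F=__FILE__;$_X='...';eval(base64_decode($_X));")  # shape from the post
    with open(os.path.join(root, "images", "real.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 16)
    return sorted(scan_tree(root))
```

A JPEG with a valid header but PHP code in its EXIF data (the first post on this page) trips the second check too, since the marker search covers the whole head of the file.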

I hope this is useful to someone out there.

Happy Reversing
Jacob Soo

[ Technical Analysis: Scoop.apk ]

[ How it starts ]
I started to write about this particular malware before Christmas in 2014, but it was left sitting in drafts for so long, until I decided to take a break from #EquationAPT today. It all started when I got an SMS as shown below.

Figure 1 – Initial SMS

I hardly take any photos, and the Sarah I knew doesn’t even SMS me, so I found it a bit weird. What is special about this sample is that it uses a technique typical of computer worms to spread itself.

This particular piece of malware relies on social engineering to convince the user to click on the shortened link in the SMS and install/run the malicious APK package.

[ Sample used in the analysis ]
MD5: 9187B180E741312AA0FF36EF6FE7DC51
SHA1: 322ABA633607F635F5581E8D7F53794566BCB80B
Malware Sample: Scoop
Password is “infected29A”

[ Initial Analysis ]
Since this is Android malware, let’s check the permissions it requests and further dissect it. Now, use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file. You should see the following, including the permissions requested by the APK file.

As you can see from the AndroidManifest.xml, it asks for quite a lot of permissions.
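As an added example (not part of the original post), a triage helper for the apktool-decoded AndroidManifest.xml: it collects the declared permissions and maps them to the behaviours described in this post (SMS self-propagation, and leaking SMS, contacts and call history over HTTP). The manifest below is constructed for illustration and is not the real sample’s manifest; the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups relevant to the behaviour described in the post.
CAPABILITIES = {
    "sms_send": {"android.permission.SEND_SMS"},
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "network": {"android.permission.INTERNET"},
}

# Constructed manifest for illustration only; this is NOT the real sample's AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application/>
</manifest>"""

def manifest_permissions(xml_text: str) -> set:
    """Permission names declared in an apktool-decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def capabilities(perms: set) -> set:
    """Which of the groups above the declared permissions cover."""
    return {cap for cap, names in CAPABILITIES.items() if perms & names}

def triage(xml_text: str) -> dict:
    """Map a manifest to capability groups and the worm-like behaviours they make possible."""
    caps = capabilities(manifest_permissions(xml_text))
    verdicts = []
    if {"sms_send", "contacts"} <= caps:           # what SMS self-propagation needs
        verdicts.append("can send SMS to the victim's contacts (self-propagation)")
    if "network" in caps and caps & {"sms_read", "contacts", "call_log"}:
        verdicts.append("can leak SMS, contacts or call history over the network")
    return {"capabilities": sorted(caps), "verdicts": verdicts}
```

Permissions alone are circumstantial; the verdicts tell you where to look in the smali (the SMS sending and HTTP POST code), not that the app is malicious.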

[ SMS Propagation ]
One of the more interesting functions that I’ve found is how it tries to spread itself, as you can see from the image below.

Figure 2 – The worm’s SMS sending code

What is rather typical of this malware is that it leaks the SMS messages, call history and contact lists of the victim(s).
One characteristic of this malware is that it fetches data from one of the hardcoded URLs in the APK with an HTTP POST.
The typical data it fetches looks like the code snippet below.

Another interesting thing is that it goes to “http://topemarketing.com/app[.]html” to fetch a new copy of Scoop.apk.

The malicious url in the SMS, https://bit[.]ly/s_-c will redirect you to http://secret-message[.]net/

This malicious page will refresh and redirect the user to the malicious .APK file.

As I’ve already done quite a number of articles on reversing Android malware, today we will go through other things which might aid us in our investigation and see how this malware operates. The interesting thing here is that we can see the statistics kindly provided by Bit.ly for any Bit.ly shortened URL by appending a “+” sign (without the double quotes), like this:
https://bitly[.]com/s_-c+

You will see the stats as of the time I analysed this .apk. From the statistics given, we can see that most of the target(s) are from Singapore. 🙁

Figure 3 – Statistics of bit.ly url

What is even more interesting is that the same author of the malicious .APK file actually has several other domains spreading the same .APK file.
You can check out the other shortened bit.ly links by the same guy here.
https://bitly.com/u/othv2

Interestingly, one of the links leads to the Android app in PlayStore.
https://play.google.com/store/apps/details?id=com.savemebeta

Figure 4 – Another app by Malware Author

Sadly, the app was removed before I downloaded it. The URL in the PlayStore belongs to the same domain as the other malicious links.

Could it be same guy? 😛

topemarketing[.]com points to 162.255.116.80
tombolaworld[.]com points to 192.64.112.120
secret-message[.]net points to 62.210.83.139

One other interesting thing is… 2 of the domains were bought around 2009 and 2010 and expired in 2011, according to who.is, as shown here. http://who.is/domain-history/topemarketing.com

But did this guy buy them in 2014?
Or did she/he buy all those expired domains so that user(s) might think they are still legit? Or has it been the malware author all along, who decided to use WhoisGuard later on? We would probably need the whois records to verify this. 🙁

The worm is targeted mostly against Singapore and French Android users, according to the statistics from Bit.ly. Not sure why the domains are still alive. Our advice to user(s) on how they can protect themselves effectively is:

  1. Restrict the installation of applications from unknown sources
  2. Don’t click on suspicious links, as malware authors might use them in their social engineering tricks
  3. Always use an updated anti-virus solution on your Android device if you don’t know how to analyse the application

Happy Reversing,
Jacob Soo