Attackers Exhibit ‘StrangeLove’ for Middle Eastern Targets
02 July 2013
On 25th June 2013 Context detected and analysed a malicious downloader in the same family as the one previously responsible for deploying the ‘MM Core’ implant, malware that FireEye first made public in their article ‘Trojan.APT.BaneChant’. Context’s Threat Intelligence analysts found that the secondary payload, Trojan:W32/MMCore, has been updated, likely in response to the exposure of BaneChant.
This version, labelled ‘2.1-LNK’, tags the egressed communications with ‘StrangeLove’, as opposed to the previously identified ‘2.0-LNK’ version that used ‘BaneChant’. Perhaps this tag is also a reference to music on a movie soundtrack, in this case Tim Burton’s ‘Frankenweenie’, or maybe to the cult classic film ‘Dr. Strangelove’.
One notable difference is that the downloader (first stage) expects binary data that begins with a 20-byte JFIF header, which was missing from the previous incarnation. The downloaded data is obfuscated using the ‘Shikata ga nai’ encoder, likely in an effort to avoid detection by anti-virus products.
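A 20-byte prefix is exactly the size of a minimal JFIF APP0 header (SOI, APP0 marker, length, "JFIF\0", version, density units, X/Y density, thumbnail size), so the downloader is expecting an image-looking preamble in front of the encoded second stage. The following Python is an added triage heuristic, not code from the original post or from Context: it checks whether a blob carries that JFIF header but is not followed by a well-formed JPEG segment, which is a cheap way to pull image-masquerading downloads out of a proxy cache or sandbox capture for deeper analysis. The sample blobs are constructed here for illustration.

```python
# Minimal JFIF APP0 header (20 bytes): SOI FF D8, APP0 FF E0, length 00 10,
# "JFIF\0", version 1.1, density units 0, X/Y density 1/1, no thumbnail.
JFIF_HEADER_LEN = 20
SOI = b"\xff\xd8"
APP0 = b"\xff\xe0"
EOI = b"\xff\xd9"


def has_jfif_header(data: bytes) -> bool:
    """True if data starts with the standard 20-byte JFIF APP0 header."""
    return (
        len(data) >= JFIF_HEADER_LEN
        and data[0:2] == SOI
        and data[2:4] == APP0
        and data[6:11] == b"JFIF\x00"
    )


def classify_jfif_blob(data: bytes) -> str:
    """Heuristic classification of a downloaded blob.

    'not-jfif'           - no JFIF header at all
    'jpeg'               - header is followed by another marker segment and
                           the blob ends with an EOI marker (looks like a real image)
    'suspicious-payload' - JFIF header present, but what follows is not JPEG
                           segment data (image header stapled onto something else)
    """
    if not has_jfif_header(data):
        return "not-jfif"
    body = data[JFIF_HEADER_LEN:]
    # Every segment of a well-formed JPEG starts with 0xFF, and the file ends with EOI.
    if body[:1] == b"\xff" and data.endswith(EOI):
        return "jpeg"
    return "suspicious-payload"


def extract_payload(data: bytes) -> bytes:
    """Strip the 20-byte JFIF preamble so the remainder can be handed to AV/sandbox tooling."""
    if not has_jfif_header(data):
        raise ValueError("blob does not start with a JFIF header")
    return data[JFIF_HEADER_LEN:]


# Constructed sample inputs (not captured from the campaign).
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_JPEG = JFIF_HEADER + b"\xff\xdb\x00\x43\x00" + bytes(64) + EOI   # header, DQT segment, EOI
SAMPLE_MASQUERADE = JFIF_HEADER + bytes.fromhex("0102030405060708090a0b0c0d0e0f10")  # header + filler

if __name__ == "__main__":
    for name, blob in (("jpeg", SAMPLE_JPEG), ("masquerade", SAMPLE_MASQUERADE)):
        print(name, "->", classify_jfif_blob(blob))
```

This is a triage filter, not a verdict: a payload that happens to start with 0xFF and ends with FF D9 would pass as an image, so anything tagged suspicious should go to a sandbox or AV scan of the stripped payload rather than being judged on the header alone.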
Similar to the downloaders used to deploy BaneChant and its predecessors, this latest downloader connects to a domain that redirects via an HTTP 302 response to another that houses the second stage implant. In this case the outgoing request takes the form:
GET /images/banners/foo.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)
with the subsequent redirection to www.solidsec.net:80.
At the time of analysis, pingr.redirectme.net resolved to 188.8.131.52 (as do many domains provided by noip.com), with www.solidsec.net resolving to 184.108.40.206.
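The request line, the fixed User-Agent string and the 302 hop to the second-stage host together make a usable proxy-log signature. The Python below is an added example, not code from the original post or from Context: it parses a constructed, simplified proxy log format (timestamp, client, destination IP, method, URL, status, quoted User-Agent, Location) and flags the beacon, the redirect to www.solidsec.net, and any contact with the hosts or IP addresses listed above. The log lines and the redirect path are constructed; only the indicators themselves come from the page.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
BEACON_PATH = "/images/banners/foo.jpg"
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)"
IOC_HOSTS = {"pingr.redirectme.net", "www.solidsec.net"}
IOC_IPS = {"188.8.131.52", "184.108.40.206"}

# Constructed log layout (assumption, not a real product format):
#   ts client dst_ip method url status "user-agent" location
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s+(?P<location>\S+)$'
)


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the list of detection names that fire for one parsed entry."""
    hits = []
    url = urlsplit(entry["url"])
    host = url.hostname or ""
    # Exact beacon: fixed path plus the hard-coded User-Agent (note the stock IE6 SP2 token is SV1).
    if entry["ua"] == BEACON_UA and url.path == BEACON_PATH:
        hits.append("mmcore-downloader-beacon")
    # 302 from the first-stage domain towards the host serving the second stage.
    if entry["status"] == "302":
        loc_host = urlsplit(entry["location"]).hostname or ""
        if loc_host in IOC_HOSTS:
            hits.append("redirect-to-second-stage-host")
    # Any contact with the published hosts or the IPs they resolved to at analysis time.
    if host in IOC_HOSTS or entry["dst"] in IOC_IPS:
        hits.append("known-infrastructure")
    return hits


def scan(lines) -> list:
    """Scan an iterable of log lines; return (client, url, hits) for every line that alerts."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the sweep
        hits = classify(entry)
        if hits:
            alerts.append((entry["client"], entry["url"], hits))
    return alerts


# Constructed sample log lines (not real traffic); the /stage2 path is a placeholder.
SAMPLE_LOG = [
    '2013-06-25T10:01:02Z 10.0.0.5 188.8.131.52 GET http://pingr.redirectme.net/images/banners/foo.jpg 302 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)" http://www.solidsec.net:80/stage2',
    '2013-06-25T10:01:03Z 10.0.0.5 184.108.40.206 GET http://www.solidsec.net/stage2 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)" -',
    '2013-06-25T10:02:00Z 10.0.0.7 203.0.113.10 GET http://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 6.1) Firefox/22.0" -',
]

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```

The IP-based rule is the weakest of the three: the page itself notes that 188.8.131.52 was shared by many noip.com dynamic domains, so an IP hit alone should be treated as a lead to pivot on, while the path-plus-User-Agent match is the signal worth paging on.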
The functionality of MM Core remains the same, with only minor changes. Specifically, the temporary file created for ‘download and execute’ commands uses a prefix string of ‘jv’ instead of ‘java’, and the path to the implant is now:
In this instance, outgoing communication of MM Core is via HTTP POSTs to:
and uses MIME multipart message boundary:m
Context has been tracking this adversary since December 2012 and will shortly release more details on infrastructure and attribution.