Attackers Exhibit ‘StrangeLove’ for Middle Eastern Targets

Response - 2nd July 2013

On the 25th June 2013 Context detected and analysed a malicious downloader in the same family as that previously responsible for the deployment of the ‘MM Core’ implant - malware that FireEye first made public in their article Trojan.APT.BaneChant[1]. Context’s Threat Intelligence analysts uncovered that the secondary payload, Trojan:W32/MMCore, has been updated, likely in response to the exposure of BaneChant.

This version, labelled as ‘2.1-LNK’, tags the egressed communications with ‘StrangeLove’, as opposed to the previously identified ‘2.0-LNK’ version, which used ‘BaneChant’. Perhaps this tag is also a reference to music on a movie soundtrack - in this case Tim Burton’s ‘Frankenweenie’ – or maybe to the cult classic film ‘Dr. Strangelove’.

One notable difference was that the downloader (first stage) expects binary data that includes the JFIF header, 20 bytes that were missing from the previous incarnation. The downloaded data is obfuscated using the ‘Shikata ga nai’ encoder[2], likely in an effort to avoid detection by anti-virus products.

Similar to the downloaders used to deploy BaneChant and its predecessors, this latest downloader connects to a domain that redirects via an HTTP 302 response to another that houses the second stage implant.  In this case the outgoing request takes the form:

GET /images/banners/foo.jpg HTTP/1.1
Accept: images/jpeg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)

with the subsequent redirection to

At the time of analysis, resolved to (as do many domains provided by, with resolving to
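
The request headers and the JFIF-prefixed download described above can be turned into a simple check for reviewing proxy logs or packet captures. This is an added example, not code from Context or the original article; the function names, the `example.invalid` host, the sample bytes and the "no JPEG marker after the header" heuristic are assumptions made for illustration.

```python
import struct

# Header values quoted in the article's downloader request.
ACCEPT_IOC = "images/jpeg"  # non-standard: the registered media type is image/jpeg
UA_IOC = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)"

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def request_indicators(raw: bytes):
    """Return which of the article's header values appear in one request."""
    _, _, headers = parse_request(raw)
    hits = []
    if headers.get("accept") == ACCEPT_IOC:
        hits.append("accept")
    if headers.get("user-agent") == UA_IOC:
        hits.append("user-agent")
    return hits

def jfif_wrapped_non_image(body: bytes) -> bool:
    """True if body opens with a 20-byte JFIF header but no JPEG marker follows.

    Assumption: a genuine JPEG continues with another 0xFF marker right after
    the APP0 segment, so anything else is treated as non-image data.
    """
    if len(body) < 21 or body[:4] != b"\xff\xd8\xff\xe0":
        return False
    (seg_len,) = struct.unpack(">H", body[4:6])
    if seg_len != 16 or body[6:11] != b"JFIF\x00":
        return False
    return body[20] != 0xFF

# Constructed samples (not captured traffic); the host is a placeholder.
SAMPLE_MATCH = (b"GET /images/banners/foo.jpg HTTP/1.1\r\nAccept: images/jpeg\r\n"
                b"User-Agent: " + UA_IOC.encode() + b"\r\nHost: example.invalid\r\n\r\n")
SAMPLE_BENIGN = (b"GET /logo.jpg HTTP/1.1\r\nAccept: image/jpeg\r\n"
                 b"User-Agent: Mozilla/5.0 (constructed)\r\nHost: example.invalid\r\n\r\n")
# SOI + APP0 segment with no thumbnail: 2 + 2 + 16 = 20 bytes.
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
```

Either header match alone is weak evidence; the combination, together with a JFIF-headed response that does not parse as an image, is what merits a closer look.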

The functionality of MM Core remains the same, with only minor changes. Specifically, the temporary file created for ‘download and execute’ commands uses a prefix string of ‘jv’ instead of ‘java’, and the path to the implant is now:

In this instance, outgoing communication of MM Core is via HTTP POSTs to:

and uses MIME multipart message boundary:

Context has been tracking this adversary since December 2012 and will shortly release more details on infrastructure and attribution.

1st Stage (Downloader)



2nd Stage (MM Core)

(in memory)




© Copyright 2013 Context Information Security