Website of the President of Myanmar
Evilgrab delivered by watering hole attack on the website of the President of Myanmar
Unit 42 believes the threat actors chose this website to set up a watering hole in order to gather information about people in Myanmar, people engaged in political relations with the nation, and/or organisations doing business in Myanmar. Unit 42 has indications that the site has been accessible to the threat actors since November 2014, if not earlier.
Shortly after we notified the site owners of the infection, they removed it. A new website with the same content is hosted under "", which contains several artefacts and links back to the original content under "president-office.gov.mm", but not the site's exploits. The well-known watering hole techniques, the interesting features of the delivered Evilgrab (also known as Vidgrab) payload, and the associated threat infrastructure are discussed in this post.
The "script.js" file also included an IFRAME (Figure 2), which Unit 42 believes the threat actors used to exploit the browsers of site visitors. We analysed the contents of "script.js" and the HTTP response from the web server. Notably, web servers, and Drupal 7 in particular, send HTTP responses that contain a "Last-Modified" header for caching.
Checking the response for the "script.js" file containing the injected IFRAME revealed a "Last-Modified" date of "Wed, 24 December 2014 02:38:58 GMT", suggesting that the attacker injected the IFRAME on December 24, 2014. Unfortunately, we have no direct or indirect visibility into the contents of this site, and requests for the page currently return an HTTP 404 Not Found error.
However, regardless of the exploit used, our WildFire system caught the payload in transit and classified the file as malicious. There is another known malicious script that was posted on the President of Myanmar's website in November 2014, a month before the injection of the IFRAME described in this post appears to have occurred.
VirusTotal captured content at the following URL, which hosted a VBScript that exploited CVE-2014-6332 to install a downloader Trojan: The downloader Trojan had the following properties: Consequently, whether or not the same threat actors injected the malicious IFRAME, there has been a continued interest in compromising the site's visitors since at least November 2014.
On May 12, 2015, a well-known organisation in the oil and natural resources industries visited the following address, which hosted the watering hole on the website of the President of Myanmar: The visit resulted in the download of a variant of the Evilgrab Trojan that has been used in previous espionage campaigns.
Analysing this Evilgrab sample, which identifies itself as version 'V2014-v05', we found several interesting functions. The sample has the following attributes: The Evilgrab sample attempts to identify certain anti-virus products on the infected system and only runs if it does not detect Kaspersky, Trend Micro, Symantec's Norton, ESET or AVG anti-virus products.
The original payload contains two embedded dynamically linked libraries (DLLs): it uses one of them to load the second, which contains the functionality. The payload runs an installation routine that saves both DLL files and the path to the original downloader, in encoded form, to the following registry keys in the Windows system:
While earlier releases of Evilgrab also install their functionality at these locations, the installation routine, even within the original payload, contains an interesting anti-analysis technique based on Structured Exception Handlers (SEH) to call important functions. First, the Evilgrab payload uses SEH to perform the installation routine by configuring the SEH to call specific functions when an exception occurs and then deliberately forcing an exception.
Evilgrab uses this SEH and forced-exception anti-analysis technique to make the overall analysis process more difficult. For example, Evilgrab uses the assembly in Figure 3, which shows a call to a function we named 'divBy0_invokeExceptionToCallXor58'. The sample uses this technique to call functions we named 'createWinlogonProcessAndInjectCode' and 'launchInjectedCode'.
It then allocates several memory regions within the winlogon.exe process with VirtualAllocEx and writes data to these regions with WriteProcessMemory, including the embedded payload decoded with the function 'xorBufferBy58'. The program also writes shellcode to the entry point of winlogon.exe to load the DLL, which is responsible for retrieving the functionality code from the Windows directory and executing it.
When the last exception in the original Evilgrab payload is thrown, the SEH calls the 'launchInjectedCode' function to resume the suspended 'winlogon.exe' process, which starts the Evilgrab functionality payload. Evilgrab is a fully functional RAT that allows threat actors to interact with compromised systems to exfiltrate data.
The way this payload communicates with its C2 server is quite interesting. Previously publicly discussed samples sent a beacon of "\x01\x00\x00\x00\x00\x00\xx" to the C2 server, but this payload instead sends a spoofed HTTP request to the C2 server. It uses raw sockets to send and receive data to and from its C2 server, allowing the payload to craft its own packets.
The first four bytes of each packet specify the length of the data that follows, and the rest is the data sent to the C2 server. Evilgrab uses this packet format for all communication with the C2 server. Besides the anomaly of the first four bytes, the HTTP Host header in the Evilgrab request is also abnormal because it contains a full URL instead of just the host name of the web server.
Once the Evilgrab payload has sent this spoofed HTTP request as a beacon, it receives a response from the C2 server and checks for a particular reply to verify that the payload is communicating with an Evilgrab C2 server. It checks the C2 server's response for the following: It would make sense for the C2 server to respond with an HTTP 400 Bad Request error, because a web server would expect the HTTP request to begin with an HTTP method, but it instead starts with the four length bytes described above.
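Detection logic for the two beacon anomalies described above, as an added example that is not code from the original post or from Unit 42's ChopShop module. It assumes a little-endian length prefix (the post does not state the byte order) and uses constructed sample requests with placeholder host names.

```python
import re
import struct

# Request lines the beacon may start with once the 4-byte prefix is stripped.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def parse_length_prefix(payload: bytes, byteorder: str = "little"):
    """Return the 4-byte length prefix as an int, or None if too short.
    Byte order is an assumption; the post does not state it."""
    if len(payload) < 4:
        return None
    return int.from_bytes(payload[:4], byteorder)


def host_header(http_bytes: bytes):
    """Extract the raw Host header value from an HTTP request, or None."""
    m = re.search(rb"^Host:[ \t]*([^\r\n]+)", http_bytes,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


def classify_beacon(payload: bytes) -> dict:
    """Flag a TCP payload that shows the two anomalies the post describes:
    an HTTP request preceded by a 4-byte length field, and a Host header
    carrying a full URL instead of a bare host name."""
    findings = {"length_prefixed_http": False, "host_is_full_url": False}
    length = parse_length_prefix(payload)
    body = payload[4:]
    if length is not None and length == len(body) and body.startswith(HTTP_METHODS):
        findings["length_prefixed_http"] = True
    # A normal request has no prefix, so parse the whole payload in that case.
    host = host_header(body if findings["length_prefixed_http"] else payload)
    findings["host"] = host
    if host is not None and re.match(rb"^https?://", host, re.IGNORECASE):
        findings["host_is_full_url"] = True
    findings["suspect"] = findings["length_prefixed_http"] or findings["host_is_full_url"]
    return findings


def build_sample(http: bytes) -> bytes:
    """Constructed sample only: prepend the 4-byte little-endian length."""
    return struct.pack("<I", len(http)) + http


# Constructed samples; host names are placeholders, not the post's indicators.
SUSPECT_REQUEST = b"GET / HTTP/1.1\r\nHost: http://c2.example.invalid/\r\n\r\n"
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(classify_beacon(build_sample(SUSPECT_REQUEST)))
    print(classify_beacon(NORMAL_REQUEST))
```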
Mila at Contagio Dump saw the same C2 response to Evilgrab in a delivery document that exploited CVE-2012-0158 in August 2013, but that sample did not use the spoofed HTTP request as a beacon, as can be seen here. Once Evilgrab receives the expected response from the C2 server to its beacon, it sends a 4096-byte packet to the C2 server containing the following:
Evilgrab contains a fully featured command handler that allows the threat actor to interact with the compromised system to perform remote administration and data exfiltration. 0xc1: Uninstall Evilgrab. Besides the command handlers, Evilgrab's functionality code also contains the following additional features: Plug-in support: Evilgrab lists the %USERPROFILE%\\WindowsPlugin directory and executes all files with the ".exe" extension.
QQ monitoring: Evilgrab monitors the window associated with Tencent's QQ messaging application and scrapes string buffers to capture messages. Unit 42 has developed a ChopShop module to analyse packet capture files containing the communication between Evilgrab and its C2 server. The Evilgrab payload delivered by the watering hole had the following hard-coded domain names, which it uses as C2 servers:
The following additional subdomains exist on the websecexp[.]com domain: dns.websecexp[.]com was also used as a C2 server for a sample of the 9002 Trojan, another tool used for espionage. In December 2013, this domain already resolved to the IP address 59.188.16[.]130, which also hosted the following domain names.
We are familiar with the ceshi.mailpseonfz[.]com domain, which hosted C2 servers for another Evilgrab sample and a copy of the 9002 Trojan. Given the timeframe in which the above-mentioned Evilgrab and 9002 C2 servers were hosted, the same group has reused the same infrastructure over a span of years, from 2013 to 2015.
Threat actors compromised the Myanmar President's website to build a watering hole to infect the site's visitors. Based on information gathered through our threat intelligence cloud, the watering hole was operational and delivered a malicious payload in May 2015. Open source intelligence indicates that the site may have been used as a watering hole exploiting CVE-2014-6332 in November 2014.
Setting up a watering hole on this website implies that the threat actors, who may include more than one group, want to gather information about people in Myanmar, people engaged in political relations with the nation, and/or organisations doing business in Myanmar. In May 2015, the watering hole delivered a variant of the Evilgrab Trojan to visitors via an unidentified exploit.
Evilgrab itself uses an interesting anti-analysis technique that adds complexity to analysing the Trojan. Furthermore, the payload delivered by this watering hole shares infrastructure that hosted C2 servers for other Evilgrab payloads and 9002 Trojan samples. Threat actors have been using this infrastructure for attacks since at least 2013.
This watering hole attack shows that threat groups continue to use this attack vector, as it is much harder to analyse and detect than traditional spear-phishing attacks. Once a threat actor has full control of the web server hosting the watering hole, the actor can choose when to start and stop serving malicious content, which requires continuous monitoring of the website's traffic to see if and when an attack takes place.
In this case, however, the threat actors reused old infrastructure to host the C2 server for the delivered payload, which made detection and attribution easier.