Nitro Attack: Points of interest

Symantec's report on the Nitro malware stealing secrets in the chemical industry is a rather fascinating read. This post highlights a few points of interest.

First, a summary from my Computerworld colleague Gregg Keizer:

Attackers used an off-the-shelf Trojan horse to sniff out secrets from nearly 50 companies, many of them in the chemical and defense industries, Symantec researchers said today.

The attack campaign -- which Symantec tagged as "Nitro" -- started no later than last July and continued until mid-September, targeting an unknown number of companies and infecting at least 48 firms with the "Poison Ivy" remote-access Trojan (RAT).

Poison Ivy, which was created by a Chinese hacker, is widely available on the Internet, including from a dedicated website.

The malware has been implicated in numerous attacks, including the March campaign that hacked the network of RSA Security and swiped information about that company's SecurID authentication token technology.

In a paper published today (download PDF), Symantec researchers spelled out their analysis of the Nitro attacks and the use of Poison Ivy.

Some nuggets from the report:

Page 4

The method of delivery has changed over time as the attackers have changed targets. Older attacks involved a self-extracting archive with a suggestive name, for example: “Human right report of north Africa under the war.scr”.

The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive. Some example file names using this technique include:

--AntiVirus_update_package.7z
--acquisition.7z
--offer.7z
--update_flashplayer10ax.7z

Page 5

Threat details

When the self-extracting archive file is executed, it will drop two files. Examples of file names that are used include:

• %Temp%\happiness.txt
• %Temp%\xxxx.exe

The executable file, xxxx.exe in this case, is then executed. The second file, happiness.txt, contains custom code in binary format that is encrypted and used by xxxx.exe. The xxxx.exe file copies happiness.txt to C:\PROGRAM FILES\common files\ODBC\ODUBC.DLL and to C:\WINDOWS\system32\jql.sys.

It then loads the contents of the encrypted file and injects it into the explorer.exe and iexplore.exe processes. The injected code copies xxxx.exe to %System%\winsys.exe and connects to the Command and Control (C&C) server on TCP port 80.
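To turn the dropper chain described above into detection logic, here is an added example (mine, not Symantec's or the report's) that correlates constructed file-creation and injection events per host using the file paths the report names; the event format, host names and the three-stage threshold are assumptions.

```python
import re
from collections import defaultdict

# Ordered stages of the dropper chain from the report, matched on the
# lower-cased path (the paths are the ones the report names).
STAGES = [
    ("drop", re.compile(r"\\temp\\[^\\]+\.(txt|exe)$")),
    ("payload", re.compile(r"\\(common files\\odbc\\odubc\.dll|system32\\jql\.sys)$")),
    ("persist", re.compile(r"\\system32\\winsys\.exe$")),
]
INJECT_TARGETS = {"explorer.exe", "iexplore.exe"}

# Constructed sample telemetry, one "host|action|detail" record per line.
SAMPLE_EVENTS = """\
ws01|file_create|C:\\Documents and Settings\\alice\\Local Settings\\Temp\\happiness.txt
ws01|file_create|C:\\Documents and Settings\\alice\\Local Settings\\Temp\\xxxx.exe
ws01|file_create|C:\\Program Files\\Common Files\\ODBC\\ODUBC.DLL
ws01|file_create|C:\\WINDOWS\\system32\\jql.sys
ws01|inject|explorer.exe
ws01|file_create|C:\\WINDOWS\\system32\\winsys.exe
ws02|file_create|C:\\Documents and Settings\\bob\\Local Settings\\Temp\\setup.exe
ws02|file_create|C:\\Program Files\\Common Files\\ODBC\\odbcconf.log
"""

def stage_for(action, detail):
    """Map one event to a chain stage, or None when it matches nothing."""
    if action == "inject":
        return "inject" if detail.lower() in INJECT_TARGETS else None
    if action == "file_create":
        path = detail.lower()
        for label, pattern in STAGES:
            if pattern.search(path):
                return label
    return None

def correlate(text, min_stages=3):
    """Return {host: [stages, in first-seen order]} for hosts reaching at
    least min_stages distinct stages; a lone Temp drop does not alert."""
    seen = defaultdict(list)
    for line in text.splitlines():
        host, action, detail = line.split("|", 2)
        label = stage_for(action, detail)
        if label and label not in seen[host]:
            seen[host].append(label)
    return {host: stages for host, stages in seen.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

ws02 writes an executable into Temp and touches the ODBC folder but never reaches the payload or persistence paths, so only ws01 is reported.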

The communication with the server is a handshake using an encryption algorithm (Camellia). Once the Trojan establishes the server’s authenticity, it expects a variable-size block of binary code that is read from the server straight into the virtual space for iexplore.exe and then executed.

When an executable is compiled, the compiler will store some metadata in the compiled executable. One particular piece of relevant metadata is the location of the compiled code on disk. The path in this instance contained Chinese characters and was:

C:\Documents and Settings\Administrator\??\?????\????\Release\????.pdb

This translates to:

C:\Documents and Settings\Administrator\[Desktop]\[New Folder]\[read the file]\Release\[read the file].pdb
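The build path the report recovered lives in the PE's CodeView debug record (signature RSDS). The following added example, not code from the report, parses that record out of a byte buffer and decodes the path; the sample path, the GUID and the UTF-8-then-CP936 decoding fallback are assumptions.

```python
import struct
import uuid

def parse_rsds(blob):
    """Return (guid, age, pdb_path) from the first RSDS record in blob, or
    None.  Layout: b'RSDS' | 16-byte GUID | uint32 age | NUL-terminated path."""
    off = blob.find(b"RSDS")
    if off < 0 or len(blob) < off + 24:
        return None
    guid = uuid.UUID(bytes_le=blob[off + 4:off + 20])
    age = struct.unpack_from("<I", blob, off + 20)[0]
    end = blob.find(b"\x00", off + 24)
    raw = blob[off + 24:end if end >= 0 else len(blob)]
    # The path is raw bytes in the build machine's code page.  Heuristic
    # (assumption): try UTF-8, then CP936 for a Simplified-Chinese build host.
    for codec in ("utf-8", "cp936"):
        try:
            return guid, age, raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return guid, age, raw.decode("latin-1")

# Constructed sample path (not the report's); the folder names are Chinese.
SAMPLE_PATH = "C:\\Documents and Settings\\Administrator\\桌面\\示例\\Release\\demo.pdb"
SAMPLE_GUID = "12345678-1234-5678-1234-567812345678"

def build_rsds(path, codec="cp936", age=1):
    """Build a test record with padding bytes around it, as it would sit in a PE."""
    guid = uuid.UUID(SAMPLE_GUID)
    return (b"\x90" * 8 + b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + path.encode(codec) + b"\x00" + b"\xcc" * 4)

if __name__ == "__main__":
    print(parse_rsds(build_rsds(SAMPLE_PATH)))
```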

Page 6

Command and Control (C&C)

When executed, the Poison Ivy threat, or Backdoor.Odivy, connects to a command and control (C&C) server over TCP port 80. A number of different C&C domains and IP addresses were identified. The domains and IPs are listed in table 1.

The majority of samples connect to a domain; however one subset of samples connected directly to the IP address 204.74.215.58, which belonged to the Chinese QQ user mentioned previously and was also associated with antivirus-groups.com.

Related Attacks

Several other hacker groups have also begun targeting some of the same chemical companies in this time period. Attackers are sending malicious PDF and DOC files, which use exploits to drop variants of Backdoor.Sogu.

This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users.

Determining if the two groups are related is difficult, but any relationship appears unlikely. The attackers described in this document use a very basic delivery platform: compressed self-extracting archives sometimes sent to a large number of recipients.

The Sogu gang, in contrast, use PDF and DOC files in very tailored, targeted emails. The Sogu gang use a custom-developed threat – Backdoor.Sogu, whereas the group described in this document use an off-the-shelf threat – Poison Ivy. While the number of Sogu targets is currently small relative to the Poison Ivy attacks, we continue to monitor their activities.

Summary

Numerous targeted attack campaigns are occurring every week. However, relative to the total number of attacks, few are fully disclosed. These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage, military institutions, and governmental organizations often in search of documents related to current political events and human rights organizations.

This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes.

--Bill Brenner


Copyright © 2011 IDG Communications, Inc.
