Threat Research

The Curious Case Of The Document Exploiting An Unknown Vulnerability – Part 2: RATs, Hackers and Rihanna

By Roland Dela Paz | August 24, 2015

Previously my colleague Wayne talked about an interesting document exploit targeting CVE-2015-1641. In this post, we will talk about who might be behind the attack.

We start our correlation with the analysis of the exploit payload: a remote administration tool (RAT) with MD5 6bde5462f45a230edc7e7641dd711505 (detected as MSIL/Agent.QOO!tr). This RAT looked new to us, so we suspected that it is either a new RAT family or a custom RAT developed for a specific attacker (hacker). It is compiled with Microsoft Visual Basic .NET, and the following backdoor commands are listed in its code:

Figure 1. RAT backdoor commands

It also contains the following program database (PDB) reference in its code:

D:\\1-Visual Basic Proggetti\\UtilityWarrior\\UtilityWarrior\\obj\\Debug\\UtilityWarrior.pdb

As such, we will call this RAT “Utility Warrior”.
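The PDB reference above is an attribution artefact worth extracting systematically: a compiler embeds it in a CodeView "RSDS" debug record (the "RSDS" signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path). The following Python is an added example, not code from this post or from Fortinet, that scans a binary for such records and turns the path into the kind of hints used above (project name, folder naming, build configuration, user name). The image it scans is constructed bytes, not a real PE; only the path string is taken from the post.

```python
"""Extract CodeView RSDS (PDB) records from a binary and derive attribution hints."""
import re
import struct
import uuid


def find_rsds_records(data: bytes):
    """Scan for 'RSDS' + GUID(16) + age(4) + NUL-terminated PDB path.

    A plain signature scan is used on purpose: it also works on dumps and
    unpacked memory regions where the PE debug directory is unavailable.
    """
    records = []
    for match in re.finditer(b"RSDS", data):
        start = match.start()
        if len(data) < start + 24:
            continue
        guid_bytes = data[start + 4:start + 20]
        age = struct.unpack_from("<I", data, start + 20)[0]
        end = data.find(b"\x00", start + 24)
        if end == -1:
            continue
        try:
            path = data[start + 24:end].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if not path.lower().endswith(".pdb"):
            continue  # the four bytes 'RSDS' occur by chance; require a .pdb path
        records.append({
            "guid": str(uuid.UUID(bytes_le=guid_bytes)),  # GUID is stored little-endian
            "age": age,
            "path": path,
        })
    return records


def path_hints(path: str):
    """Split a PDB path into the pieces an analyst pivots on."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    filename = parts[-1] if parts else ""
    user = None
    user_match = (re.search(r"[\\/]Users[\\/]([^\\/]+)", path)
                  or re.search(r"Documents and Settings[\\/]([^\\/]+)", path))
    if user_match:
        user = user_match.group(1)
    if "Debug" in parts:
        build = "Debug"
    elif "Release" in parts:
        build = "Release"
    else:
        build = "unknown"
    return {
        "project": filename[:-4] if filename.lower().endswith(".pdb") else filename,
        "folders": parts[:-1],   # folder names often carry language or locale clues
        "build": build,
        "user": user,            # Windows profile name, when the path contains one
    }


# CONSTRUCTED sample image: an 'MZ' stub, a decoy 'RSDS' that is not a real
# record, and one genuine-looking record carrying the path quoted in the post.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 60
    + b"RSDS" + b"A" * 20 + b"not-a-pdb\x00"
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"D:\\1-Visual Basic Proggetti\\UtilityWarrior\\UtilityWarrior\\obj\\Debug\\UtilityWarrior.pdb\x00"
    + b"\x00" * 16
)


if __name__ == "__main__":
    for rec in find_rsds_records(SAMPLE_IMAGE):
        print(rec)
        print(path_hints(rec["path"]))
```

Run against a real file, the GUID/age pair is also what a symbol server keys on, so identical GUIDs across two samples mean the same build, not merely the same project name.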

Utility Warrior connects to the C&C server login.loginto.me, which resolves to 23.249.225.140. We have seen quite a few malicious DNS names pointing to this IP address, including uaelab.mypsx.net. Interestingly, uaelab.mypsx.net serves as a C&C server for (at least) three AlienSpy RAT samples, with MD5s 7bb1f568a9877c1177a134a273ad744f, b411d5fd45711e2223d0d85e84850d3f, and 7f44125412432e2533fb76cf49642dd1; the last two also connect to another site, notyourbusiness.net, to download further components. Below is a graph of these relationships:

Figure 2. Relationship of Utility Warrior to other AlienSpy RATs

Notyourbusiness.net, on the other hand, shows the following WHOIS registration information, which is obviously fake:

Figure 3. Registration information for notyourbusiness.net

However, based on our research, the email address hktristars@gmail.com was also used to register a number of other dodgy domains. These include kuwota.com and creditbeuar.com, which hosted some more unknown/custom RATs. These RATs phoned home to the exact same C&C IP address, 23.249.225.140:

Figure 4. Other domains registered by hktristars@gmail.com
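The pivots in Figures 2 and 4 (sample to C&C domain, domain to IP, domain to registrant email) are a graph walk, and doing it in code makes it repeatable and bounded. The following Python is an added example, not code from this post or from Fortinet: the edges are the relationships the post states, plus two marked CONSTRUCTED (the post does not tie 84f169c2ff66175c415dca6e3d1d7a11 to a particular domain, and the unrelated pair exists only to show that the walk stops at the cluster boundary). It generalises the figures slightly by allowing a hop limit, which is how an analyst keeps a shared-hosting IP from pulling in every unrelated tenant.

```python
"""Pivot over indicator relationships to find the infrastructure cluster
around one sample and the hub nodes that hold the cluster together."""
from collections import defaultdict, deque

# (source, relation, target). Values from the post unless marked CONSTRUCTED.
EDGES = [
    ("6bde5462f45a230edc7e7641dd711505", "connects_to", "login.loginto.me"),
    ("login.loginto.me", "resolves_to", "23.249.225.140"),
    ("uaelab.mypsx.net", "resolves_to", "23.249.225.140"),
    ("7bb1f568a9877c1177a134a273ad744f", "connects_to", "uaelab.mypsx.net"),
    ("b411d5fd45711e2223d0d85e84850d3f", "connects_to", "uaelab.mypsx.net"),
    ("7f44125412432e2533fb76cf49642dd1", "connects_to", "uaelab.mypsx.net"),
    ("b411d5fd45711e2223d0d85e84850d3f", "downloads_from", "notyourbusiness.net"),
    ("7f44125412432e2533fb76cf49642dd1", "downloads_from", "notyourbusiness.net"),
    ("notyourbusiness.net", "registered_by", "hktristars@gmail.com"),
    ("kuwota.com", "registered_by", "hktristars@gmail.com"),
    ("creditbeuar.com", "registered_by", "hktristars@gmail.com"),
    # CONSTRUCTED: the post says the RATs on these domains beacon to the IP
    # but does not map this hash to kuwota.com specifically.
    ("84f169c2ff66175c415dca6e3d1d7a11", "hosted_on", "kuwota.com"),
    ("84f169c2ff66175c415dca6e3d1d7a11", "connects_to", "23.249.225.140"),
    # CONSTRUCTED: an unrelated pair that must not join the cluster.
    ("00000000000000000000000000000000", "connects_to", "example.invalid"),
]


def build_graph(edges):
    """Undirected adjacency: a pivot works in both directions."""
    graph = defaultdict(set)
    for src, _relation, dst in edges:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def pivot(graph, seed, max_hops=None):
    """Breadth-first walk from seed; returns {indicator: hop distance}."""
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if max_hops is not None and distance[node] >= max_hops:
            continue
        for neighbour in graph[node]:
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return distance


def is_md5(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def related_samples(graph, seed, max_hops=None):
    """Other sample hashes reachable from seed within max_hops pivots."""
    reached = pivot(graph, seed, max_hops)
    return sorted(n for n in reached if is_md5(n) and n != seed)


def hub_nodes(graph, cluster, top=3):
    """Most-connected indicators in a cluster: the infrastructure worth blocking first."""
    return sorted(cluster, key=lambda n: (-len(graph[n]), n))[:top]


if __name__ == "__main__":
    g = build_graph(EDGES)
    seed = "6bde5462f45a230edc7e7641dd711505"
    cluster = pivot(g, seed)
    for node, hops in sorted(cluster.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {node}")
    print("related samples:", related_samples(g, seed))
    print("hubs:", hub_nodes(g, cluster))
```

With no hop limit the walk from the Utility Warrior hash reaches all four other hashes on the page; with max_hops=3 it reaches only the RAT that shares the C&C IP, which is the conservative view to take when an IP may be shared hosting.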

An interesting email address in our hands leads to the question: who is hktristars?

We found the following Freelancer profile:

Figure 5. Freelancer.com profile for the handle hktristars

There is not much information on this profile. However, we can see that the user is from Nigeria. The fact that Hktristars created a profile on a freelancing site may also indicate that the man behind it does not have a regular day job. But what has he been doing?

We saw the following post from the same handle in the forum trojanforge.co:

Figure 6. hktristars' post on trojanforge.co

To those unfamiliar, Virtual Network Computing (VNC) backconnect allows a hacker to open a backdoor to a machine while bypassing the Windows firewall.

We were also able to locate the following advertisements from the same handle, in which he appears to be looking for someone to code an obfuscation program and a RAT for him:

Figure 7. Hktristars looking for a developer of an obfuscation program

Figure 8. Hktristars looking for a RAT developer

Additionally, it appears that Hktristars uses the services of SBXChanger, an e-currency exchange site:

Figure 9. Hktristars' feedback on SBXChanger

For someone who facilitates illegal activities online this makes sense, as e-currency gives crooks the benefit of anonymity.

Finally, the email address hktristars@gmail.com revealed the following Google Plus profile with the name “pawan chohan”:

Figure 10. Hktristars' Google Plus profile

Again, there is not much information available, but we noticed that all the contacts of this profile are also individuals from Nigeria. The name "Pawan Chohan" sounds more like an Indian name than a Nigerian one, so it is likely fake. However, for the sake of calling him something, let's use Pawan anyway.

At this point we can tell that Pawan, a.k.a. Hktristars, is more than likely a Nigerian hacker. He also outsources the development of his tools to third parties by posting advertisements, in order to conduct cybercrime. This aligns with our findings in part 1 of this blog, where we found that CVE-2015-1641 exploits are available for sale on the Internet. But where did he buy the Utility Warrior RAT?

Utility Warrior RAT and “Dodosky”

In Figure 4 above we can see that one of the custom RATs Pawan used is 84f169c2ff66175c415dca6e3d1d7a11 (detected as W32/Teno.3E61!tr). This RAT's code, also developed in Visual Basic, contains the following structure with an interesting string, "DODOSKY":

Figure 11. W32/Teno.3E61!tr's struct code

Searching for the same string online leads to a YouTube account titled "Dodosky™ | Hacking & Modding". The home page includes a video advertisement for a RAT that the user developed. Although it is a different RAT from W32/Teno.3E61!tr, it is also written in Visual Basic. We can also find a profile description on this account with some interesting details:

Figure 12. Dodosky's YouTube profile description

Remember Utility Warrior's PDB reference? Well, there was no "Dodosky" string in it, but it was also compiled in VB .NET. More interestingly, the top-level folder contains the word "Proggetti", a misspelling of the Italian "progetti" ("projects"):

D:\\1-Visual Basic Proggetti\\UtilityWarrior\\UtilityWarrior\\obj\\Debug\\UtilityWarrior.pdb

Due to these similarities, while not conclusive, we believe that Edoardo a.k.a. Dodosky coded both the unknown RAT (W32/Teno.3E61!tr) and Utility Warrior for Pawan, and that Pawan is a regular customer of Edoardo. It is also worth noting that Edoardo uses the handle "๖ۣۜVekzy๖ۣۜHere" on hackforums.net, where he advertises his hacking team, which produces malicious tools for sale.

Conclusion

Based on our findings above, we believe that Pawan is an amateur Nigerian hacker who relies on a circle of amateur hackers, such as Edoardo, to buy cybercrime tools and conduct illegal activities. Nevertheless, Pawan poses a threat to the victims of his RATs and may cause considerable damage if the RAT infections are not remediated immediately. Below is a summary of Pawan's malicious activities:

  • He uses document exploits and macros to drop RATs
  • He has used at least five unknown/custom RATs
  • It is likely that he uses other commercial RATs aside from AlienSpy, but we are unable to confirm this
  • Some of the RATs he used are signed
  • He also registered other domains that are unrelated to his RAT campaigns; hence, we strongly suspect that he is engaged in other online crimes as well

Fortinet detects all malicious files and blocks all malicious URLs and IPs discovered during this research.

Related IPs and URLs:
173.[REMOVED].51
23.[REMOVED].140
JAMES.[REMOVED].COM
cyber.[REMOVED].com
http://[REMOVED]/spoolscv.exe
http://[REMOVED]gu/s.exe
http://[REMOVED]/~docswift/security.jar
http://[REMOVED]/svchosts.exe
http://[REMOVED].com/version-check.exe
http://[REMOVED].net/kelvin.jar
http://[REMOVED].net/y.exe
http://www.[REMOVED].com/human.exe.exe
jack.[REMOVED].com
john.[REMOVED].org
[REMOVED].com
login.l[REMOVED].me
[REMOVED].net
uaelab.[REMOVED].net
www.[REMOVED].com

Related MD5s:
2b4b0ba685522de8398d14d540b41a3a
2c3adf843acf69c56b5ced66d919ae6f
3e486ce5fbcc8fed0172bf19f4013cba
65eb2ddc65eb4b963061fe01ad0069df
6bde5462f45a230edc7e7641dd711505
78904b8c4831f368f6a51f640c5540d8
7bb1f568a9877c1177a134a273ad744f
7e8e3fa76f2e41fca6d8b81fea4dea5d
7f44125412432e2533fb76cf49642dd1
84f169c2ff66175c415dca6e3d1d7a11
a5b2acfa5b86bc31740ca0af1d2cd2d8
ae6b65ca7cbd4ca0ba86c6278c834547
b411d5fd45711e2223d0d85e84850d3f
baccbf655d0a7ff171a4fef7cfdc47e1
e023335a2a96bf7a8e9c4c1439182a1f

-= FortiGuard Lion Team =-