New Poison Ivy Activity Targeting Myanmar, Asian Countries

The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks’ Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.

Technical Details

The PIVY variant that ASERT has observed has exhibited some newer behavior that we have not seen discussed previously. The samples drop a decoy doc – usually hinting clearly at the target, a DLL named ActiveUpdate.dll and the PIVY shellcode file as Active.dat. The ActiveUpdate.dll and Active.dat files are created in a directory that follows the format  ActiveUpdate_ [0-9]{3}. The executable copies rundll32.exe to ActiveFlash.exe and then executes the new file with the path to the DLL and installs itself for automatic startup via a .lnk in the Windows Startup folder. ESET identified these samples as “Win32/Korplug.I[F-I] variant“, possibly due to the appearance of the malware using DLL sideloading with rundll32 to load the dropped DLL and perform its malicious actions. This deployment tactic dates well into last year (and possibly before) using different executable names for the rundll32 copy and the base directory name, however this post will only cover a subset of the variant using “ActiveUpdate”.

Illustration of execution process of one PIVY Sample

Illustration of execution process of one PIVY Sample

The compile times on these binaries also closely correlate to the times they were first observed in-the-wild and some samples contained timestamp-like entities in the various campaign IDs fields in the malware configuration.

The decrypted configuration appears to be slightly modified in such a way as to confuse some publicly available tools that parse the configuration data. The campaign ID is not fully null-padded – there is now one null-byte and a string of repeating “x” characters that will cause confusion for some scripts. Additionally, the C2s are no longer null-padded – each hostname ends with a null-byte that is then followed by a string that will look something like “0.1127.0.0.1127.0.0.100000”. This string will change slightly with each Command & Control (C2) server – the portions that start with “1” will change to 2 for the second C2, 3 for the third, etc. These values end up being present elsewhere in memory without the extra items and only small tweaks are needed to fix the parsing.

The hostname webserver.servehttp[.]com is observed in a number of PIVY samples, some of which are covered in this post. Additionally, the IP resolved to by this hostname overlapped with fileshare.serveftp[.]com which was used in an earlier and seemingly unrelated PIVY sample.

Decoy Document and Targeting Information

A number of PIVY samples were observed to be targeting Myanmar and several other countries in Asia. While the exact targets and delivery methods are not known to ASERT at this time, the documents and submission sources provide strong hints as to the motivations and potential targets of these exploitation campaigns. The sample described in the previous section – a7d206791b1cdec616e9b18ae6fa1548ca96a321 – was observed to be targeting Myanmar in late November 2015. The compile timestamp on the sample was November 2, 2015, the apparent timestamp in the filename appears to be referencing a report that was released on November 25, 2015 and it was first seen late evening in the US on November 24, 2015 which would equate to November 25 in Myanmar. The document was dropped as “STEP Democracy Year 1 Acheivements_25112015.docx” and was also dropped by SHA1 724166261e9c2e7718be22b347671944a1e7fded with the name “Year1achievementsv2.docx“, but that sample uses a different communications password over the same set of C2s. The documents may be drafts of a final report released in December by the International Institute for Democracy and Electoral Assistance (IDEA), a part of the STEP Democracy initiative.  The IDEA is “part of the European Union-funded project Support to Electoral Processes and Democracy (STEP Democracy)” whose goal is to support democracy worldwide. The IDEA has been working with Myanmar before and after their recent election to ensure “peaceful, transparent and credible elections.” Part of this work includes publishing reports and drafts such as those referenced above. In this case, the bait file document metadata contains a company name of “IDEA” with an author of “Sophia” – possibly referencing a current member of the organization and a last edited date of November 20, 2015. The content of the document details a debate around the democratic elections in Myanmar. This timeline would put the targeting past the elections that occurred in early November, but appears to still be focused on individuals interested in democracy inside of Myanmar. The targeting of the post-election Myanmar appears to be following the same style as what was mentioned in the “Uncovering the Seven Pointed Dagger” paper by ASERT. In this case however it appears that threat actors began using references to the STEP organization to continue their likely spearphish tactic by leveraging content relevant to post-election Myanmar. A possible connection exists given that the C2 for these samples – jackhex.md5c[.]com – resolved to an IP contained within 103.240.203.0/22 as did a 9002 RAT sample in the Seven Pointed Dagger exploitation campaign. A “LURK0” Gh0strat and another PIVY domain were also observed to have resolved to IPs contained within this range, making this subnet more suspicious from a targeted attack perspective.

STEP Democracy Year 1 Acheivements_25112015.docx

Dropped document referencing Myanmar’s democratic process

A number of documents that appear to be economically focused were also observed recently and one of these samples also references Myanmar. This sample used a campaign ID of “mm20160405” and dropped a document named “Chairman’s Report of the 19th ASEAN Regional Forum Heads of Defence Universities, Colleges, Instiutions Meeting, Nay Pay Taw, Myanmar.doc” that references an Association of Southeast Asian Nations (ASEAN) meeting that took place in Myanmar in September of 2015. The timing of this sample is quite different from the earlier sample and seems to suggest at least a followup campaign due to the malware compilation timestamp of March 28, 2016, combined with an apparent timestamp value in the campaign ID of April 5, 2016 and the fact that the binary was first observed in the wild on April 11, 2016. The mutex specified in the configuration – 20150120 –  is the same mutex used in the earlier sample that dropped a document referencing the STEP program, but this mutex is also used in many other PIVY samples that use the “ActiveUpdate” directory structure and is likely not useful for identifying the campaign or a relationship between samples outside of possibly sharing a similar version. The C2 used in this sample – admin.nslookupdns[.]com – resolved to an IP contained in the subnet 118.193.218.0/24. Similar to the previous sample discussed, ASERT has observed an overlap between many other malware families including Nitol, Gh0strat, and another PIVY sample that uses “ActiveUpdate“. This sample’s C2 domain is news.tibetgroupworks[.]com which provides an obvious suggestion at targeting dynamics, however no decoy documents were dropped and no further information was discovered to help support the targeting hypothesis.

Dropped document referencing ASEAN meeting in Myanmar

Dropped document referencing ASEAN meeting in Myanmar

Continuing on with the theme of campaigns targeting ASEAN, sample 31756ccdbfe05d0a510d2dcf207fdef5287de285 drops a decoy document named “Robertus Subono-REGISTRATION_FORM_ASEAN_CMCoord2016.docx” that references an ASEAN Humanitarian Civil Military Coordination meeting that took place in Bangkok between March 28 and April 1 2016. The document purports to be a registration form for an attendee from Indonesia and is supposed to be sent to a Thailand Ministry of Defense email address. The sample has a compilation date of March 10, 2016, was first observed by ASERT on March 20, 2016 and also contains an invalid digital signature claiming to be signed by Google. Coupling the campaign ID of “modth” with the purpose and location of the meeting and the email address this form is supposed to be mailed to, a possible target of this sample could be Thailand’s Ministry of Defense. The C2s used by this sample overlap with the prior sample that references the ASEAN meeting in Myanmar nearly perfectly – the first C2 uses port 80, whereas the prior sample used 81 and they both use the same mutex and password. This overlap suggests a possible ongoing targeting towards ASEAN members and meetings that they hold.

Decoy document dropped by 31756ccdbfe05d0a510d2dcf207fdef5287de285 referencing an ASEAN meeting in Thailand

Decoy document dropped by 31756ccdbfe05d0a510d2dcf207fdef5287de285 referencing an ASEAN meeting in Thailand

The decoy document “2016.02.29-03.04 -ASEM Weekly.docx” dropped by ec646c57f9ac5e56230a17aeca6523a4532ff472 was also interesting in that it was not in English like the other two observed documents – Google Translate identifies the language in the document as Mongolian.

Decoy document references an Asia-Europe Meeting (ASEM)

Decoy document references an Asia-Europe Meeting (ASEM) dropped by ec646c57f9ac5e56230a17aeca6523a4532ff472 

The decoy document 1.docx that is dropped by f389e1c970b2ca28112a30a8cfef1f3973fa82ea shows as corrupted when executed in a sandbox, but manual recovery yielded a document in Korean with a malware campaign ID of kk31. The document appears to reference Korean language schools abroad and the telephone number present yields an affiliation with the Korean Ministry of Foreign Affairs, but the intended target is unclear at this time.

Korean language decoy document

Korean language decoy document dropped by 

Sample f389e1c970b2ca28112a30a8cfef1f3973fa82ea dropped a decoy document named “Commission on Filipinos Overseas & Dubai.doc“, but this document did not render correctly in a malware sandbox or manually. VirusTotal revealed a sample from the Philippines which suggests that they, not Dubai / UAE, were the targets. The C2s for this sample used webserver.servehttp[.]com, also exhibited by many of the recent samples which suggests the same actor may be involved in this campaign activity.

Conclusion

As this post and other recent posts detail, PIVY continues to evolve and be used in a myriad of targeted exploitation campaigns – not unlike many other targeted malware families such as PlugX or the Dukes. This will certainly not be the last evolution of PIVY, and ASERT continues to monitor these threats as they are discovered.  I would also like to say thank you to Curt Wilson of ASERT for his assistance with research covered in this post.

IOCS

Configuration elements and additional information for samples discussed in this article.

SHA1: a7d206791b1cdec616e9b18ae6fa1548ca96a321
First Seen: Nov. 24, 2015
Name:STEP Democracy Year 1 Acheivements_25112015.exe
Decoy Doc: STEP Democracy Year 1 Acheivements_25112015.docx
Campaign ID: om
C2s: 	jackhex.md5c.net:8080
	jackhex.md5c.net:53
	jackhex.md5c.net:53
Mutex: 20150120
Password: 18703983384

SHA1: 724166261e9c2e7718be22b347671944a1e7fded
First Seen: Nov. 23, 2015
Name:Year1achievementsv2.exe
Decoy Doc: Year1achievementsv2.docx
Campaign ID: om
C2s: 	jackhex.md5c.net:8080
	jackhex.md5c.net:53
	jackhex.md5c.net:53
Mutex: 20150120
Password: 15911117665

SHA1: 675a3247f4c0e1105a41c685f4c2fb606e5b1eac
First Seen: April 7, 2016
Name: Commission on Filipinos Overseas & Dubai %E2%80%AEcod.doc
Decoy Doc: Commission on Filipinos Overseas & Dubai.doc
Campaign ID: gmkill
C2s: 	webserver.servehttp.com:8080
	webserver.servehttp.com:8080
	webserver.servehttp.com:8081
Mutex: 20150120
Password: 13813819438

SHA1: 63e00dbf45961ad11bd1eb55dff9c2771c2916a6
First Seen: April 11, 2016
Name: 1.exe
Decoy Doc: Chairman's Report of the 19th ASEAN Regional Forum Heads of Defence Universities, Colleges, Instiutions Meeting, Nay Pay Taw, Myanmar.doc
Campaign ID: mm20160405
Domain Created: December 17, 2015
C2s: 	admin.nslookupdns.com:81
	admin.nslookupdns.com:53
	admin.nslookupdns.com:8080
Mutex: 	20150120
Password: 52100521000

SHA1: 31756ccdbfe05d0a510d2dcf207fdef5287de285
First Seen: March 20, 2016
Name: Unknown
Decoy Doc: Robertus Subono-REGISTRATION_FORM_ASEAN_CMCoord2016.docx
Campaign ID: modth
Domain Created: December 17, 2015
C2s: 	admin.nslookupdns.com:80
	admin.nslookupdns.com:53
	admin.nslookupdns.com:8080
Mutex: 	20150120
Password: 52100521000

SHA1: ec646c57f9ac5e56230a17aeca6523a4532ff472
First Seen: March 10, 2016
Name: 2016.02.29-03.04 -ASEM Weekly.docx.rar^2016.02.29-03.04 -ASEM Weekly.docx.exe
Decoy Doc: 2016.02.29-03.04 -ASEM Weekly.docx (Mongolian language)
Campaign ID: wj201603
Domain Created: January 14, 2016
C2s:	web.microsoftdefence.com:8080
	web.microsoftdefence.com:8080
	web.microsoftdefence.com:80
Mutex: 20150120 
Password: 80012345678

SHA1: f389e1c970b2ca28112a30a8cfef1f3973fa82ea
Name: Unknown
Decoy Doc: 1.docx (corrupted but recoverable, Korean language)
First Seen: April 9, 2016
CampaignID: kk31
C2s: 	webserver.servehttp.com:59148
	webserver.servehttp.com:59418
	webserver.servehttp.com:5000
Mutex: 20160301
Password: 13177776666

SHA1: 49e36de6d757ca44c43d5670d497bd8738c1d2a4
Name: Unknown
Decoy doc: 1.pdf, references project in Vietnam requesting an email to a Thailand email address
First Seen: March 10, 2016
C2s: 	webserver.servehttp.com:59148
		webserver.servehttp.com:59418
		webserver.servehttp.com:1024
Mutex: 20160219
Campaign ID: mt39

Discovered during investigation, but do not drop decoy docs, exhibited similar configuration padding
SHA1: ef2618d58bd50fa232a19f9bcf3983d1e2dff266
Name: 2.tmp
Decoy Doc: None
First Seen: June 3, 2015
Domain Created: May 29, 2015
C2s:	news.tibetgroupworks.com:80
	news.tibetgroupworks.com:80
	news.tibetgroupworks.com:80
Campaign ID: 213
Mutex: 2015012


SHA1 Hashes

63e00dbf45961ad11bd1eb55dff9c2771c2916a6
675a3247f4c0e1105a41c685f4c2fb606e5b1eac
49e36de6d757ca44c43d5670d497bd8738c1d2a4
cbbfc3b5ff08de14fdb2316f3b14886dfe5504ef
a7d206791b1cdec616e9b18ae6fa1548ca96a321
ec646c57f9ac5e56230a17aeca6523a4532ff472
ef2618d58bd50fa232a19f9bcf3983d1e2dff266
f389e1c970b2ca28112a30a8cfef1f3973fa82ea

Unique C2 Hostnames

news.tibetgroupworks.com
web.microsoftdefence.com
admin.nslookupdns.com
jackhex.md5c.net
webserver.servehttp.com

Comments are closed.