
Nitro attackers have some gall

Created: 12 Dec 2011 14:59:01 GMT • Updated: 23 Jan 2014 18:18:07 GMT • Translations available: Japanese

Authored by Tony Millington and Gavin O’Gorman

The intercepted email in this blog was provided by Symantec.cloud.

The Nitro Attacks whitepaper, published by Symantec Security Response, was a snapshot of a hacking group’s activity spanning July 2011 to September 2011. The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi: they email targets a password-protected archive that contains a malicious executable. The executable is a variant of Poison Ivy, and the email topic is some form of upgrade to popular software, or a security update. The most recent email (Figure 1) brazenly claims to be from Symantec and offers protection from the “poison Ivy Trojan”!

Figure 1 Fake malicious email

Furthermore, the attachment itself is called “the_nitro_attackspdf.7z”. The archive contains a file called “the_nitro_attackspdf                            .exe”. The large run of spaces between “pdf” and “.exe” is a basic attempt to push the real extension out of view in a file listing, so that the user assumes the file is a PDF document when it is really an executable (in this case a self-extracting archive).

Figure 2 Contents of the attachment, including the genuine report
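The naming tricks above (a document-looking name padded with spaces in front of the real ".exe", or a second ".doc"/".pdf" extension in front of it) are easy to check for mechanically before a user ever sees a file listing. The following is an added example, not code from the original post or from Symantec; the executable, document and archive extension sets are a starter list I have assumed, and the sample listing is the member names from Table 1 below plus two benign names I constructed for contrast.

```python
import re

# Extensions Windows executes on double-click. Assumption: a typical starter
# list; the post itself only mentions .exe.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Document extensions commonly used as lures (checked with and without a dot).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "rtf", "txt"}
# Container formats whose members must be unpacked and checked in turn.
ARCHIVE_EXTS = {"7z", "zip", "rar"}

# The last dot-extension on the name, allowing trailing whitespace after it.
_FINAL_EXT = re.compile(r"\.([A-Za-z0-9]+)\s*$")


def inspect_attachment_name(name: str) -> dict:
    """Classify one attachment or archive-member name by its true extension
    and the naming tricks it uses.  Returns the real extension, a list of
    flags and a boolean verdict (any executable payload is suspicious)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    flags = []
    m = _FINAL_EXT.search(base)
    true_ext = m.group(1).lower() if m else ""
    stem = base[: m.start()] if m else base

    if true_ext in ARCHIVE_EXTS:
        flags.append("archive")
    if true_ext in EXEC_EXTS:
        flags.append("executable")
        # Whitespace between the visible "document" name and the real
        # extension, e.g. "the_nitro_attackspdf                 .exe".
        if stem != stem.rstrip():
            flags.append("padded_extension")
        visible = stem.rstrip().lower()
        # A second, document-looking extension in front of the real one,
        # e.g. "123.doc.exe" or "learning materials.doc .exe".
        if "." in visible and visible.rsplit(".", 1)[1] in DOC_EXTS:
            flags.append("double_extension")
        # The lure word glued on without a dot, e.g. "...attackspdf".
        elif any(visible.endswith(ext) for ext in DOC_EXTS):
            flags.append("document_keyword")
    return {
        "name": name,
        "true_extension": true_ext,
        "flags": flags,
        "suspicious": "executable" in flags,
    }


def suspicious_members(names):
    """Return the names from an archive listing that carry an executable payload."""
    return [r["name"] for r in map(inspect_attachment_name, names) if r["suspicious"]]


# Sample listing: the file names from Table 1 of the post, plus two
# constructed benign names (the genuine report and the outer container).
SAMPLE_NAMES = [
    "The_nitro_attackspdf .exe",
    "123.doc.exe",
    "learning materials.doc .exe",
    "Adobe Reader Update.exe",
    "Install_ reader10_en_air_gtbd_aih.exe",
    "Q329834_WXP_SP2_ia364_ENU.exe",
    "the_nitro_attacks.pdf",      # constructed: the report dropped alongside
    "the_nitro_attackspdf.7z",    # constructed: the outer archive from the email
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = inspect_attachment_name(n)
        print(f"{n!r:42} ext={r['true_extension']:4} flags={r['flags']}")
```

The check works on names alone, so it can run on an archive listing before anything is extracted; a password-protected archive still reveals its member names, which is exactly where the padded "pdf .exe" trick is meant to be seen.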

When the self-extracting executable runs, it drops a file called lsass.exe (Poison Ivy) and a PDF file. This PDF file is none other than our own Nitro Attacks document! The attackers, in an attempt to lend some validity to their email, are sending targets a document that describes their very own activity.

The threat, lsass.exe, copies itself to “%System%\web\service.exe” and attempts to connect to the domain “luckysun.no-ip.org”. This domain resolves to an IP address hosted by the same provider that hosted most of the previously encountered IP addresses. Figure 3 is a partial graph of the domains involved, including the most recent activity.

Figure 3 Network map

Table 1 lists the latest emails intercepted by Symantec.cloud and the MD5 hashes of the associated threat samples.

Subject                          File name                               MD5                               Detection
Symantec Security Warning!       The_nitro_attackspdf .exe               90e793e64e63317db15f4a64be8b56f9  Trojan.ADH
so funny                         123.doc.exe                             0b1b0fe45a179f75a5c4c3bad21ca185  Backdoor.Bifrose
N/A                              learning materials.doc .exe             eb404fe1eec399127ac39336427503ac  Backdoor.Bifrose
adobe update                     Adobe Reader Update.exe                 d3ee44d903876bd942fc595c96151df8  Trojan.ADH
Adobe Reader Upgrade Rightnow!   Install_ reader10_en_air_gtbd_aih.exe   d6404d5c7a65a23d8d1687fe1549d21e  Backdoor.Odivy
Safety Tips                      Q329834_WXP_SP2_ia364_ENU.exe           14c9d01d152e25e98e6ee8758ecfa9a8  Trojan.Dropper

Table 1 Most recent emails and samples

Despite the publication of the whitepaper, this group continues its activities unchecked. They are using exactly the same techniques, even the same hosting provider for their command and control (C&C) servers. The domains have been disabled, Symantec has contacted the relevant IP hosting provider, and we continue to block the emails through the .cloud email scanning service.

Symantec.cloud customers have been and continue to be protected from attacks performed by this group.