Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150904-272-Malwarebytes-HanJuan Drops New Tinba
Raytheon Blackbird Technologies, Inc.
04 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This Malwarebytes blog report discusses a recent sighting of the elusive Exploit Kit
(EK) HanJuan. Separately, the Dutch security firm Fox-IT has identified the payload observed
being dropped by the EK as Tinba v2. No details on the new version of Tinba were provided in this
report. The report provides quite a bit of detail about the flow of the attack, screenshots of URL
redirects, screenshots of IDA Pro, and screenshots of the Fiddler web debugger. However, there is
nothing interesting or unique about how the malware implements code injection and API
hooking. Code injection is accomplished via the standard methods and APIs (VirtualAllocEx()
and NtProtectVirtualMemory()).
(S//NF) HanJuan appears to be using URL shortener services (Adf.ly in this case) to embed links
to malicious websites. After a complex chain of malvertising redirects, the EK is loaded and one
of two exploits is executed (either an Adobe Flash exploit, CVE-2015-0359, or an Internet
Explorer exploit, CVE-2014-1776) in order to drop its payload to disk. Notably, this round of
HanJuan attacks uses very recent and fresh exploits.
CVE-2015-0359 is a Double Free vulnerability in Adobe Flash versions up to 17.0.0.134.
CVE-2014-1776 is a Use-After-Free (UAF) vulnerability in MS IE versions 6 through 11.
(S//NF) The payload dropped is designed to steal user information from browsers. Standard
browser hooking is implemented to steal specific website logon credentials.
(S//NF) HanJuan uses interesting unpacking and Explorer PID detection techniques. The
unpacking technique involves a ROP gadget that is believed to hinder analysis. In order to locate
the PID of Explorer, its target process for injection, it searches for the known window name
“Shell_TrayWnd”, which belongs to the Explorer process. Once the Explorer process is found,
HanJuan appears to use standard injection techniques to inject the malware into the Explorer
process.
(S//NF) Persistence is obtained in the standard, pedestrian way: by copying the executable to
..\AppData\Roaming\ and creating a “Run” key in the registry.
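As an added illustration of the check a defender would run against the persistence location just described (this code is not part of the report or the Malwarebytes post), the following Python flags Run-key entries whose executable resolves under the user's Roaming AppData folder. The registry export and the environment variables are constructed sample data.

```python
import re

# Constructed sample export of the HKCU Run key (not a real capture).
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"helper"="\"%APPDATA%\\bin\\helper.exe\" -q"
'''

# Assumed profile variables of the examined host (constructed for the example).
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming",
       "USERPROFILE": r"C:\Users\alice", "windir": r"C:\Windows"}

# One .reg value line: "name"="data", with \\ and \" escapes inside the quotes.
_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def expand_env(path, env=ENV):
    # Expand %VAR% references; Windows variable names are case-insensitive.
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r'%([^%]+)%',
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)

def command_image(cmd, env=ENV):
    # Executable a Run command line launches: a quoted image runs to the closing
    # quote, otherwise the first token (CreateProcess's probing of unquoted
    # paths with spaces is not modelled here).
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image = cmd[1:end] if end != -1 else cmd[1:]
    else:
        image = cmd.split(None, 1)[0] if cmd else ""
    return expand_env(image, env)

def find_roaming_autoruns(reg_export, env=ENV):
    # Flag Run entries whose image resolves under ...\AppData\Roaming\, the
    # persistence location the report describes. Returns [(name, image), ...].
    flagged = []
    for line in reg_export.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:  # key header and blank lines
            continue
        # Undo .reg escaping ('\\' -> '\', '\"' -> '"') on name and data.
        name, cmd = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
        image = command_image(cmd, env)
        if "\\appdata\\roaming\\" in image.lower():
            flagged.append((name, image))
    return flagged
```

Running `find_roaming_autoruns(SAMPLE_REG_EXPORT)` flags the `updater` and `helper` entries and leaves the two legitimate Local/System32 entries alone; on a live host the input would come from a `reg export` of the Run key and the variables from the user's profile.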
(S//NF) If Firefox is installed, the malware will modify the browser settings by disabling the
SPDY protocol. The report does not explain how SPDY is disabled.
(S//NF) In communicating with its command and control (C2) servers, HanJuan uses a unique ID
for each infection, which consists of the hard disk serial number combined with the OS install
date.
(S//NF) HanJuan injects code into every running browser in order to hook specific APIs for each
browser type and intercept logon credentials for selected websites. It recognizes the selected
websites by comparing URL strings in the browser.
(S//NF) While it is slightly interesting that HanJuan uses Shell_TrayWnd to find the Explorer
PID and that it uses such fresh exploits, we don’t view these aspects of the malware as PoC
material. No PoCs are recommended from this report.
