- 1. Overview
- 2. Payload delivery
- 3. RAT analysis
- 4. C&C mechanism
- 5. Clues
- Appendix: Feedback on false positive detection results on Sophos Community
Operation Mermaid is a series of outbound APT attacks that target government entities. It has been active for 6 years since April, 2010 with a latest activity being detected in January, 2016. As of now, we have captured 284 pieces of malicious code samples and 35 C&C domains connected to it. Sufficient evidence has been found that Mermaid turns out to be the APT organization behind the attacks on Denmark Embassy.
It was in June, 2015 that we encountered the first piece of malicious code utilized in Operation Mermaid. Correlation analysis was conducted right after that. However, as the malicious code wasn’t actively used in China, it was hard to track down how the payload was delivered and what targets and industry the Mermaid gang was intended to attack. Fortunately, with the help of Big Data Analysis, it was verified that the earliest attack was in April, 2010 along with hundreds of malicious sample documents being exposed in front of us. We suspected that watering hole was used in the payload delivery process. After analyzing the content of the lure documents and other intelligence information, we preliminary concluded that stealing sensitive data from English speaking and Persian speaking countries is the organization’s primary purpose.
In January 2016, the Centre for Cyber Security (CFCS) of Denmark, which is a sector in the Danish Defense Intelligence Service (DDIS), published a report “Phishing without catch – Ministry of Foreign Affairs under Attack” which revealed an APT attack against the Ministry of Foreign Affairs (MFA) conducted from December 2014 to July 2015. The reported stated that the attacker succeeded in affecting machines with malware via phishing emails.
The APT campaign unmasked by CFCS is the very Operation Mermaid we detected in June 2015. The spear-phishing email attack targeting the Ministry of Foreign Affairs of Denmark is part of the entire operation, which backs up the opinion that Operation Mermaid is aimed at government entities, at least including the Ministry of Foreign Affairs of Denmark. It also shed light on the exposure of attack method – spear-phishing email is one of payload delivery method adopted by this group.
Furthermore, through analysis on relevant clues, we inferred that the organization behind the operation should be from the Middle East.
OLE is the abbreviation for Object Linking and Embedding. It is a system for linking and embedding data, images, and programs from different sources. Though the attackers didn’t exploit any vulnerability, the malicious documents that they took advantage of are very misleading.
Attackers can create phishing document while users are sending emails, Word documents and PowerPoint files via Outlook. In Operation Mermaid, attackers adopted PowerPoint OLE Phishing documents inserted with PE files to initiate the attacks. Sometimes, one PPT can contain several malicious PE documents, which results in the situation where the pop-up windows of security alerts continue to showing up even after users click the ”Cancel” button. Then if the windows keep popping-up, users with low security awareness will just click “Run” button to end this annoyance.
Picture 1 Pop-up window when the PowerPoint OLE phishing document is executed
Picture 2 PowerPoint phishing document that contains several PE files
Website kurdistannet.org (a daily independent online Kurdish newspaper) was found to be embedded with malicious URL. We suspected that the site is very likely to has been made use of in the watering hole attacks. The site is in Kurdish and the primary news on it is about Iraq and Kurdistan, which indicates that the targets must be interested in Kurdish news and are familiar with Persian.
When we tried to visit the site again on April 14th, 2016, the malicious link was found still there after we analyzed the source code of the webpage, but obviously it has already been invalid. This suggests that the administration of the Kurdistannet hasn’t been aware of the attacks.
Picture 3 Homepage of site Kurdistannet
Picture 4 Source code of the malicious link embedded in site Kurdistannet
|Website infected with Trojan||kurdistannet.org|
|Malicious code embedded||
|Sucuri’s detection result||https://sitecheck.sucuri.net/results/kurdistannet.org|
|Sucuri’s detection result (Google’s web cache)||https://webcache.googleusercontent.com/search?q=cache:lLMBPzClHwkJ:https://sitecheck.sucuri.net/results/kurdistannet.org+&cd=7&hl=zh-CN&ct=clnk&gl=tw|
|Google’s web cache timestamp||04:25:17, January 24th, 2016, GMT|
The table above shows the records of site Kurdistannet being infected with Trojan. According to the timestamp of Google’s web cache on site Sucuri, it is certain that Kurdistannet has been embedded with malicious link since January 24th, 2016.
Picture 5 Detection result of Kurdistannet on Sucuri
We also noticed that some parent documents are from URLs. According to the file name extensions the URLs direct to, rather than inducting users into clicking to run the URLs, it is more likely that these URLs are run and executed either when other downloader Trojans send out download requests or when the vulnerability exploit is successfully triggered by vulnerability exploit documents or watering hole sites.
|Source URL||http://wep.soon.it/doc/v28n1f1.tmp http://www.bestupdateserver.com/infy/update.php?cn=nlzoetws011185&ver=6.2&u=3%2f12%2f2015%20%2023%3a50%3a38|
Table 1 Source of the samples – 1
Table 2 Source of the samples – 2
This part discusses the self-camouflage for binary executable files on file names, file name extensions and file icons.
In Operation Mermaid, attackers compressed sample documents and lure documents into exe files by making use of the self-extracting feature of WinRAR. Lure documents include many file types, for instance, installation patches, development environment, videos, pictures and Word documents, etc. However, it is rare to see that parent exe file change its file icon into Word icon or image icon.
The RAT utilized in Operation Mermaid was named as SD RAT. Seeing from the sample codes, there should be two versions of the SD RAT – samples before 2012 are defined as Version One (V1) while the ones after 2012 are Version two (V2).
SD RAT usually disguised itself as exe file by using self-extracting feature of WinRAR. The disguise comes in many magnifications like patches, development environment, videos, images, Word documents, etc. The V1 of SD RAT pretended to be an image while in V2, the Trojan disguised itself as an air plugin of Aptana.
SD RAT is mainly used as a key logger to collect user information (eg: information about PC, content on the clipboard, etc.) and upload to specific servers. It can also download and run exe files (not found yet) from the servers.
|Data theft in uploading process||Detailed information|
|Relevant PC information||PC name, user name, CPUID, MID, IP, on-going task list, system version, UAC, IE version, Windows catalogs, temporary path, time zone, disk space, system keyboard type, system language, etc.|
|.ini files||Timestamp of the installation, number of successful/failed deliveries, number of downloads|
|.dat files||Execution logs of the programs and content recorded through keyboards, content in the address bar on the browser, content on the clipboard|
The execution of the two versions of the SD RAT followed the similar procedure and they both called the same function while creating the windows. In the function they called, they would firstly create two timers with one for syncing the latest content on the clipboard and the other for downloading exe files and uploading user information.
There are some slight differences in the two versions in the way they use key logger. In V1, one of the timers called the function GetAsyncKeyState to carry out key logging. In V2, the key logging is completed through two steps – registering hot key registration and then responding to specific messages. Another difference is on the way they recorded the content on the clipboard. In V1, it was realized through setcllipboard and responded to _WM_DRAWCLIPBOARD;_ while in V2, it would differentiate whether the URL and scripts are encrypted or not. But in the later variants of V2 after 2015, almost all the scripts were encrypted.
Though there are differences in the way they realized the functionalities and in attack techniques, the overall architectures and the roles they played in the attack are the same. Even the functions that are decrypted by the scripts are the same.
To bypass detection or just a bug?
V2 has the procedure to check if the Avast catalog exists or not. If not, the malware would cease its execution process immediately. This is interesting as it’s the opposite of the common tactics that malware will only be executed when there is no antivirus software installed. The reasons of this bizarrerie might be:
- The primary targets are devices that are installed with Avast Antivirus
- This is just a bug in the development of the malware.
Another odd situation is that when V2 detected other antivirus software (except for Avast), the attacks would still be executed continuously rather than being stopped, but with more caution.
To elaborate, it firstly checked if the catalog of Kaspersky Lab existed. If Kaspersky’s antivirus software had been installed, V2 would conduct deletion with high cautions. The deleted target is the startup item of the plugins under the path of C:\Documents and Settings\Administrator\ApplicationData\Adobe\airplugin*.dat (if the path exists). If Kaspersky hadn’t been installed on the device, the Trojan would delete all the startup items in the registry whose names start with “airplugin”.
Afterwards, V2 would write its own startup items in the registry. The detection of antivirus catalog (listed in table below) was always on in this process. If any of the antivirus software had been installed already, V2 would call winexec to run the BAT file for the registration; otherwise, the Trojan would conduct registration directly.
|Norton Internet Security|
|Symantec\Symantec Endpoint Protection|
|Norton 360 Premier Edition|
|Norton Security with Backup|
Then SD RAT V2 would delete the exe file of the existing plugins. After double-confirming the above antivirus software had been installed, SD RAT moved and renamed its own exe file under path C:\Documents and Settings\Administrator\ApplicationData\Adobe. If no antivirus was installed, it would just copy and paste the exe files.
Picture 6 Relationship between domains and registered email addresses
Through analysis on the WHOIS info of the dominant domains, excluding dynamic ones, the owner can be tracked via the following email addresses:
Throughout our analysis on C&C communications, a piece of false positive feedback on security vendor Sophos’ online community aroused our attention:
|Relevant info of the false positive result||URL|
|Websites that got the false positive resule||hXXp://updateserver1.com hXXp://bestupdateserver.com/|
Picture 7 Feedback on for false positive result on Sophos Community
User aj58 reported in Sophos Community about a false positive detection result of two sites he owns. Aj58 claimed that McAfee has revised the status of his sites from malware sites to non-malicious sites, so Sophos need to remove his sites from their blacklist as well. Moderator Scott Klassen replied that as long as MacAfee revised the status, Sophos would show the same result as Sophos’s UTM (Unified Threat Management) is based on MacAfee Smartfilter XL. Aj58 continued to state that on VirusTotal, the two sites were still marked as malicious by Shopho. (But as of now, the latest status has been revised to “unrated site”.)
The above feedback makes us think of a similar case from the 007 Group in which attackers took chances to submit their malware to security vendors with purpose of either getting them whitelisted or spying into their detection mechanism.
Here are our speculations about the attacker’s intensions of their feedback submission attempt in Operation Mermaid:
To start with, the user name on Sophos Community is aj58 and it is very easy to be associated with the email addresses email@example.com and firstname.lastname@example.org which were tracked down by the WHOIS info of the two sites reported. This indicates that whether the user was accustomed to using this user name or he wanted to create connection to the websites on purpose.
Furthermore, the two sites owned by aj58 are also the very C&C domains in the Operation Mermaid. From 2010 to 2015, Trojans that are associated with these two C&C servers have also been detected. Usually, the more the malicious domains are exposed, the shorter time they are active. However, if the C&C server is only for supporting attack aiming at specific targets and its influencing range is under strict control, the server will be used for much longer time.
Doubtful Point 1:
According to our analysis, the main roles of the two C&C servers are not only to check the internet environment, but also to upload stolen information and to download other malware. Therefore, we speculated that there are two possibilities: a. the two domains are registered and owned by the organization behind Operation Mermaid; b. the two domains are trusted sites and were just used as stepping-stone in the operation.
Why does malware check the internet environment?
Normally malware will check the local internet environment before its attacks by sending requests to websites like Google, Microsoft, etc. It will continue the execution only when the environment matches its preconditions.
Doubtful Point 2:
We found that among all the C&C servers in Operation Mermaid, excluding dynamic servers, at least eight servers have the same registration email address as the two mentioned by aj58. Possible conjectures could be: a. the two domains mentioned by aj58 are registered and owned by the organization behind Mermaid; b. these two domains along with the other eight are all trusted websites. Only the two sites got blacklisted are the targets of Mermaid Group and were used as stepping-stones in the cyber-attack.
Doubtful Point 3:
All these sites, including the two mentioned by aj58, neither provide web service externally nor have the service page.
Doubtful Point 4:
We noticed that it was on July 25th, 2015 that aj58 reported the false positive detection result. However, another three sites also owned by aj58 have already been marked as “sinkhole” by virustracker.info on July 1st, 2015. According to the back-and-forth comments on Sophos Community, aj58 is quite concerned about the security status of his sites. We suspect that if his sites were taken control by others, aj58 would have continued reporting his doubts. Though we have no clue whether aj58 contacted virustracker.info or not, it can be deducted from the WHOIS info of the three sites below that the current owner must be virustracker.info.
Table 3 C&C domains that are taken over by security vendors
Other doubtful point:
The reporting date of false positive is July 25th 2015; nevertheless, the date of cyber-attack on Denmark Embassy showed the last attack is July 24th, 2015.
As a summary, there is higher chance that aj58 is the organizer behind the Operation Mermaid. But as we haven’t got sufficient proof, the possibility still exists that aj58 might just be an innocent victim.
In last section, we mentioned that there were three C&C servers being taken over by security vendors. Usually, a security vendor only takes over a website when they are 100% sure the site is a sinkholes site that has been taken advantage by attackers.
|C&C that were taken over by security vendors|
|C&C host domains||short-name.com bestwebstat.com myblog2000.com|
|WHOIS info Before July 1st email@example.com|
|Before July 1st firstname.lastname@example.org|
|After July 1st email@example.com|
|IP Before being marked as a sinkhole||126.96.36.199|
|Before being marked as a sinkhole||188.8.131.52|
|After being marked as a sinkhole||184.108.40.206|
Table 4 Source of the Samples – 3
Picture 8 Screenshot of the lure documents – 1
Picture 9 Screenshot of the lure documents – 2
The two screenshots of lure documents show that the main language used by the attackers is Persian.
|Sample MD5||OLE Object path|
|260687b5a29d9a8947d514acae695ad4||C:\Users\ya hosain\Desktop\power point .exe|
Table 5 Paths of the PE files embedded by using OLE
The above table shows the paths of the PE files embedded into PowerPoint documents by using OLE. This is the local paths on the attackers’ computers. Judging from related user names such as “ya hosain” and “ya ali”, these users are located in the Middle East. The file attribute of the PPT lure documents is in Persian provides another piece of proof.
Table 6 Title of the PPT
|MD5 of the video||1c401190a40bc5c03dc5711c57b4b416|
|Original file name of the video||badhejiabshiraz_x264_003.mp4|
The content of the video and the original file name “badhejiab” are all linked with the Middle East.
The same feature is found in the samples of Operation Mermaid. The samples all contain a short paragraph of news which was copy-and-pasted from some news sites. But these paragraphs of news don’t perform any practical function in the execution.
The below paragraph is exported from one of the samples that is about Syria issue.
|News in the document||In his only interview ahead of COP21, the UNs climate summit which opens next Monday, the Prince of Wales suggested that environmental issues may have been one of the root causes of the problems in Syria|
Picture 10 Screenshots of related news page
Picture 11 Working timetable of the attackers
Picture 12 Modification time of RAR self-extracting files
The registration email address of the C&C domain is firstname.lastname@example.org.
Picture 13 Screenshots of similar domains
Concluded from the clues above, along with its relationship with the targets, we suspected the organization behind Operation Mermaid should be from the Middle East.
Below is the feedback letter and back-and-forth comments between user aj58 and moderators of Sophos on Sophos Community:
|Submission Time||25 Jul 2015 10:53 PM|
I made Contact with sophos (https://secure2.sophos.com/en-us/threat-center/reassessment-request.aspx) to report false positive,
but after many days I have not receive any response.my request was……
your product detect two of my site as malware.
your latest updated trial version does not detect any file in my sites as malware.
also there is not any binary, program, apk or any dangerous file in my sites.
please remove my sites from your black list as soon as possible
|Submitter||Scott Klassen (Moderator)|
|Submission Time||25 Jul 2015 5:11 PM|
|Submitted Content||Sophos will not contact you back to let you know the results, only if they feel that more information is required, which is almost never.
Request the change at the source.
Go to https://www.trustedsource.org/, create an account.
Then https://www.trustedsource.org/en/feedback/url, choose McAfee Smartfilter XL, which is what the UTM used. When you check a URL, you are
then presented with the option of submitting a suggested correction.
|Submitter||Michael Dunn（Sophos staff）|
|Submission Time||27 Jul 2015 3:45 PM|
|Submitted Content||I suspect that if you are indeed safe you are going to have a lot of work to do. Many companies are detecting you as bad.|
|Submission Time||28 Jul 2015 10:07 PM, in reply to Michael Dunn|
|Submitted Content||thanks …
mcafee has changed the state of my sites. (trustedsource.org)
|Submission Time||29 Jul 2015 3:35 AM|
|Submitted Content||Sophos uses the trustedsource database for UTM, so if it has been changed at trustedsource for the McAfee XL database it will be propagated to
where UTMs can get the change, normally within a few hours. No need to contact Sophos.
|Submission Time||5 Aug 2015 10:30 AM|
|Submitted Content||trustedsource result have been changed a few days ago but virustotal still is showing my sites detected as Malicious by shopho|
|Submission Time||5 Aug 2015 9:54 PM|
|Submitted Content||Ne te plaignes pas ici, AJ. Nous sommes tous des utilisateurs et n’ont aucune effet sur le fonctionnement de Sophos.
There’s a Reassessment Request form on the Sophos website.