Targeted Attack Analysis – Mirage

Between the 25th and the 27th of November, some public institutions in Europe were affected by a wave of targeted attacks (TAs). These attacks, which were carried out through e-mail, were very interesting: they reused an infrastructure which had already been seen in the past, in other malware campaigns.

As in most of these attacks, the infection vector was a spearphishing campaign. The e-mail messages had an MS Word document attached to them, and this document contained an embedded exploit that takes advantage of a vulnerability which has been known since 2012, more specifically CVE-2012-0158.

The domain in the “FROM” field of the e-mails belongs to one of the most well-known humanitarian organizations, which made the e-mail messages look completely reliable.

The subjects in the different e-mails made reference to dates close to those of the attacks, except for one of them, which advertised the “Top 10 Cities with the Most Beautiful Women”… quite appealing.

Fw: 2013-11-27
Fw: Top 10 Cities with the Most Beautiful Women
RV: Teheran 2013-11-25

The same references appeared in the names of the attached files.

Top 10 Cities with the Most Beautiful Women.doc

Thanks to the existing patching and updating policies, the attack’s impact was null: the MS Word document took advantage of an old vulnerability that affects ActiveX controls and allows remote code execution, but this vulnerability had already been patched in April 2012.

After calculating the hash of each file, it became obvious that we were dealing with only two different documents.


After checking these MD5 hashes on VirusTotal, we could see that someone had already uploaded them. Therefore, from that moment on, the samples were treated as public information.

I will now briefly break down the analysis. This is not a complete analysis of the samples. I will only show the useful information that we have used to solve the incident.

The following files were dropped after the execution of each of the two documents.

I have highlighted in red the files that were considered malicious. Even if these files share their names, their hashes are not equal. We will see why later on.

Even so, cross-referencing these with the previous tables, some identical files can be found.

The reception of the different e-mails in such a tight time window, together with the download of some identical files when opening the document, indicates that both attacks are probably related.

If you want to take an in-depth look at the analyses, you can find them in the following links at
1598f39b5d670eb0149141df7bbcc483 @
60fd6b6bcf73586284ab8c403c043c6e @

After executing the files in a Cuckoo sandbox and infecting a virtual machine by manually executing the files named “kav.exe”, we were able to see that each one of the samples would connect to a different domain:

This explains why, even if the behavior is the same in both files, the MD5 hash is different for each of them.

In addition, thanks to some information received from external sources, the following domain can also be added to this list:

When requesting one of these domains, we always have the same response:

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Date: Wed, 27 Dec 2013 15:23:45 GMT
Accept-Ranges: bytes
Content-Length: 362
X-Cache: MISS from ta-prx21
X-Cache-Lookup: MISS from ta-prx21:3128
Via: 1.0 ta-prx21 (squid/3.1.20)
Connection: keep-alive

...U.n.d.e.r. .C.o.n.s.t.r.u.c.t.i.o.n.<./.s.p.a.n.>.<./.d.i.v.>.

By accessing the domain through an outdated browser, we cannot see any kind of odd behavior and we obtain the expected response:

With all these data, the hypothesis of everything being part of the same attack is reinforced.


By running whois on the domains, the following e-mail addresses and domain registrants appeared:


All the domains, as well as the e-mail addresses of the domain registrants, point to China, as can be seen in this list of e-mails related to TAs originating in China.

A quick search on Google about the involved e-mails is enough to see that the address dnsjacks[at]yahoo[dot]com is related to a Mirage campaign originating from China.

Analyzing the requests that appeared in the Mirage campaign and comparing them with the ones found in the attack, we can find some similarities.

Image extracted from
Request from one of our samples.
At first glance, we can see that they use the same fields (“hl” and “meta”). If we add another of the requests from the campaign analyzed by Secureworks, the “q” field also appears:

Image extracted from
Here is an image which summarizes the investigation related to the attribution:

Based on the data obtained during the investigation, we can conclude that the attack came from China.

In addition, if we analyze the receivers of the e-mails, we can see that this attack didn’t have only one target, but rather that several public institutions in Europe were targeted.

The fact that an infrastructure from the past was being used, together with the sending of e-mails to a lot of receivers and the nature of the Mirage malware, allows us to conclude that this was not a stealthy attack. This makes us think that this attack was just an attempt to steal very specific information (probably financial information) in a quick way.

This kind of attack is quite common in public institutions, and it is very common to use spearphishing as the infection vector. The use of trusted domains such as a well-known humanitarian organization makes the e-mail seem legit, which turns its detection into a very hard task.

Either way, the prevention of these attacks is usually simple, and it comes hand in hand with a quick rollout of software updates and security patches. This is because most of these attacks do not use 0-days; instead, they use well-known vulnerabilities which are already patched. For example, in this case, they were using a vulnerability that was more than one year old.

In order to detect whether your organization has been affected by this wave of TAs, search for the domains listed above in your proxy or web browsing logs.
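The log search suggested above, as an added example that is not part of the original post. The script scans Squid native-format access log lines (the response headers in the post show a squid proxy in front of the C2) for two things: requests whose host is one of the attack domains or a subdomain of one, and requests whose query string carries both the “hl” and “meta” parameters noted in the Mirage request comparison. The IoC domains and log lines are constructed placeholders; the real domains were shown in an image in the post and are not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder IoC domains: the real ones were shown in an image in the post
# and are not reproduced here. Replace with the list you are hunting for.
IOC_DOMAINS = {"c2-one.example", "c2-two.example", "c2-three.example"}

# Constructed Squid access.log lines (native log format), for demonstration only.
SAMPLE_LOG = """\
1385553825.123    120 10.0.0.5 TCP_MISS/200 362 GET http://c2-one.example/?hl=en&meta=AAAA - DIRECT/203.0.113.10 text/html
1385553826.456     80 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.org/news/ - DIRECT/203.0.113.20 text/html
1385553830.001    200 10.0.0.9 TCP_MISS/200 362 GET http://sub.c2-two.example/search?hl=en&q=ZZZ&meta=BBBB - DIRECT/203.0.113.30 text/html
1385553831.777     60 10.0.0.5 TCP_MISS/200 900 GET http://unknown.example/?hl=en&meta=CCCC - DIRECT/203.0.113.40 text/html
1385553832.000     30 10.0.0.7 TCP_DENIED/403 0 CONNECT c2-three.example:443 - HIER_NONE/- -
"""

# First seven fields of the Squid native format: timestamp, elapsed, client,
# result/status, size, method, URL.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def request_host(method, url):
    """Return the lowercase host of a logged request.

    CONNECT lines log only host:port; every other method logs a full URL.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matches_ioc(host, iocs):
    """True if host is an IoC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in iocs)


def mirage_style_query(method, url):
    """True if the query string carries both 'hl' and 'meta', the parameter
    pair the post points out in the Mirage requests."""
    if method == "CONNECT":
        return False
    params = parse_qs(urlsplit(url).query)
    return "hl" in params and "meta" in params


def scan_log(text, iocs=IOC_DOMAINS):
    """Return one hit per suspicious log line, with the reasons it was flagged."""
    hits = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host = request_host(m["method"], m["url"])
        reasons = []
        if matches_ioc(host, iocs):
            reasons.append("ioc-domain")
        if mirage_style_query(m["method"], m["url"]):
            reasons.append("mirage-style-query")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}: {', '.join(hit['reasons'])}")
```

The domain match is the reliable signal; the “hl”+“meta” check is only a weak secondary indicator (legitimate search traffic can carry the same parameters), so hits with that reason alone are leads to review rather than confirmed infections.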

I hope this article has been useful or that, at least, it has been interesting to read.

Web reputation checking in incident handling

Sometimes, when we have an incident, it involves too many domains to check them by hand. In order to deal with them and do a first triage, I’ve developed a small script that checks the reputation of each domain using the Web of Trust API.

Web of Trust is a service that rates websites depending on their reputation. Reputation is based on different factors. One of them depends on malware presence, but there are some others, such as a rating based on the users’ votes.

One thing that I really like about the WoT API is that it returns different codes according to the reason why a website’s reputation is bad; e.g. if the reason for the bad reputation is that the website contains adult material, the WoT API will return the code 401, and if it contains malware, it will return 101. This is very useful for handling some incidents because, in most cases, if a domain has a bad reputation only because it is an adult website, in a first examination we would leave it as a legit domain.

In order to use this script you just need to register with WoT, get an API key, and put it in the line:


You can find the script in my github repo.

Finally, let’s try the script. First, we’ll need a file with the list of domains we want to check. In the example we will use a file that I called domains.txt and that contains the following domains:

In order to run the script, we just need to feed it with a file containing the domain list to be checked:

xgusix@ender:~$ python domains.txt 
	Trustworthiness: Excellent [59]
	Child safety: Very Poor [53]
	[*] Categories:
		[403] Questionable Gruesome or shocking [14]
		[401] Negative Adult content [73]
		[501] Positive Good site [59]
	Trustworthiness: Good [7]
	[*] Categories:
		[501] Positive Good site [7]
	Trustworthiness: Very Poor [12]
	[*] Categories:
		[101] Negative Malware or viruses [30]

As you can see, at the beginning of the investigation we can discard the first two domains in the output, as they are labeled as “Good site” and their trustworthiness is at least Good. The one that is not labeled would require us to go further into the investigation. In the last case, the domain is already labeled as malicious (“Malware or viruses”), so it would be a good starting point for the investigation.

Right now, the script shows all the results, but with a very simple modification you can add some logic to it and automate the process a bit more. I am also planning to add more reputation engines to the script. With more sources, the initial triage will be more accurate and save time in the incident handling process.
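The category handling and the first-pass logic described above, written out as an added example (my own code, not the script from the author’s repository). It parses a WoT-style JSON response, renders the same report layout as the output shown above, and turns the author’s rules (discard “Good site” domains with at least Good trust, investigate unlabeled ones, prioritize 1xx categories) into a verdict per host. The response embedded here is constructed; its layout (host → component “0” for trustworthiness and “4” for child safety, each as [reputation, confidence], plus a categories map) is an assumption about the WoT JSON format of the time, and the hosts and numbers are invented.

```python
import json

# Reputation components and category codes as used by the WoT API. Only the
# codes that appear in the post's output are listed; any other code is still
# handled by its hundreds digit in triage() (1xx = Negative, 5xx = Positive).
COMPONENTS = {"0": "Trustworthiness", "4": "Child safety"}
CATEGORIES = {
    101: ("Negative", "Malware or viruses"),
    401: ("Negative", "Adult content"),
    403: ("Questionable", "Gruesome or shocking"),
    501: ("Positive", "Good site"),
}

# Constructed API response (layout is an assumption, values are invented).
SAMPLE_RESPONSE = json.dumps({
    "first.example":  {"target": "first.example", "0": [85, 59], "4": [15, 53],
                       "categories": {"403": 14, "401": 73, "501": 59}},
    "second.example": {"target": "second.example", "0": [65, 7],
                       "categories": {"501": 7}},
    "third.example":  {"target": "third.example"},
    "fourth.example": {"target": "fourth.example", "0": [10, 12],
                       "categories": {"101": 30}},
})


def reputation_label(score):
    """Map a 0-100 WoT reputation value to the label used in the post's output."""
    if score >= 80:
        return "Excellent"
    if score >= 60:
        return "Good"
    if score >= 40:
        return "Unsatisfactory"
    if score >= 20:
        return "Poor"
    return "Very Poor"


def parse_response(text):
    """Turn the raw JSON into {host: {"components": {...}, "categories": {...}}}."""
    parsed = {}
    for host, entry in json.loads(text).items():
        comps = {COMPONENTS[k]: tuple(v) for k, v in entry.items() if k in COMPONENTS}
        cats = {int(code): conf for code, conf in entry.get("categories", {}).items()}
        parsed[host] = {"components": comps, "categories": cats}
    return parsed


def report(parsed):
    """Render the same text layout as the script output shown in the post."""
    lines = []
    for host, info in parsed.items():
        lines.append(host)
        for name, (score, conf) in info["components"].items():
            lines.append(f"\t{name}: {reputation_label(score)} [{conf}]")
        if info["categories"]:
            lines.append("\t[*] Categories:")
            for code, conf in info["categories"].items():
                group, desc = CATEGORIES.get(code, ("Unknown", f"category {code}"))
                lines.append(f"\t\t[{code}] {group} {desc} [{conf}]")
    return lines


def triage(parsed):
    """Apply the first-pass rules from the post to each host."""
    verdicts = {}
    for host, info in parsed.items():
        cats = info["categories"]
        trust = info["components"].get("Trustworthiness")
        if any(code // 100 == 1 for code in cats):
            verdict = "malicious"   # 1xx codes: malware, phishing, scam...
        elif trust is None and not cats:
            verdict = "unknown"     # no rating at all: investigate further
        elif trust is not None and trust[0] >= 60 and 501 in cats:
            verdict = "discard"     # "Good site" with at least Good trust
        else:
            verdict = "review"      # rated, but not clearly either way
        verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("\n".join(report(parsed)))
    for host, verdict in triage(parsed).items():
        print(f"{verdict:9} {host}")
```

Note that first.example is discarded even though it carries the 401 (adult content) and 403 codes: as the post says, a bad child-safety rating alone is not a reason to keep a domain in the incident scope, while a single 1xx code is enough to move it to the top of the list.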

Any feedback or comments are welcome.


Two days ago, I had an e-mail in my inbox with this link. It seemed to be something serious, especially coming from Dragos Ruiu (@dragosr), the creator of the Pwn2Own contest, as he doesn’t need this kind of thing in order to be famous or make a name for himself. After reading it, I was a little bit scared.

As there isn’t a lot of information or an “official” report about this, I will give you some facts about his research and his findings:

    • He found a malware that infects hardware.
    • He found it installed on some laptops with Windows systems installed, but it proved to be somehow platform independent, as it can infect a BSD system, and OS X is not immune.
    • It reflashes the system BIOS, and it is resilient: even after flashing the BIOS with a legit firmware, it will still be there. This forces the researcher to use a new machine for each test.
    • It uses communication via SDR (Software Defined Radio) to bridge air gaps (computers out of the network). It works even if the wireless and Bluetooth cards are physically removed.
    • It reflashes all USB drives plugged into an infected system, including external USB CD drives. It doesn’t affect the files in the USB, it directly infects the firmware.
    • Just plugging an infected memory stick into a clean system will infect it… without even needing to mount it!

      “I didn’t even mount the volume and it was infected.”

    • In infected Windows systems, some extra .ttf and .fon files appear – three of them (meiryo, meiryob, and malgunnb) have a size that is bigger than expected.
    • When trying to extract those files, they disappear from the burnt CD.
    • A list of the md5 of files was uploaded to this link.

Right now, I don’t know if this could be maximum trolling, or not. I personally don’t think Dragos would play with his reputation like this. If we are facing a new kind of threat, we will need to be prepared for it.

What’s worse, until today there’s no clue about what the malware’s purpose is. I’ll try to keep you posted, and I highly recommend that you follow @dragosr and the hashtag #badBIOS on Twitter in order to stay updated about this topic.

[NOTE] If you are interested in a sample, keep an eye on @xylit0l, who posted this in

Re: New Bios Malware
 by Xylitol » Sun Oct 13, 2013 9:23 pm
Talked to r00tbsd over irc, he has an image of the infected bios but got no time
for the moment to add it on



YARA 101

What is YARA?

When speaking about malware detection, there are mainly three ways of determining whether a file is malicious: hash signatures, heuristics and string signatures.

The most widespread in antivirus detection systems is signature-based detection, i.e. based on the hash of a file: check it against a signature database and see if this file has previously been detected as malware. This kind of signature is useless for the detection of unknown malware, and to evade this system you just need to recompile the code on a different system or change a single bit.

In order to try to stop these evasion methods, the heuristic method is usually the chosen one. This method relies on the behaviour of the executable file and, according to the actions that it performs inside the system, it decides whether it’s dealing with a malicious file. The main issue with this method is that, as many legit programs perform suspicious actions, it can generate a large number of false positives.

Last but not least, there is the method which this article refers to: string signatures. This method is based on another kind of signature, different from the aforementioned one. Instead of using hash signatures, it uses text or binary strings that uniquely identify a malware sample. That way, even if the file has been tampered with, if it still contains those string signatures, analysts will be able to detect and classify the malware sample.
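To make the difference between the two kinds of signatures concrete, here is an added example (my own code, not from the article) that runs a hash-based check and a YARA-style string check over the same bytes. The “sample” is a constructed byte blob standing in for an executable, not real malware; the rule format (named strings plus an “all”/“any” condition) is a deliberately minimal imitation of how YARA rules are written, not YARA itself. Flipping one bit in a region the rule does not cover defeats the hash signature but not the string signature; changing the string itself defeats both.

```python
import hashlib

# Constructed stand-in for an executable: not real malware, just bytes that
# contain a distinctive text string and a distinctive byte pattern.
SAMPLE = (
    b"MZ" + b"\x90" * 64
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 32
    + b"mutex:Ev1lGl0balMutex"   # text string unique to the "family"
    + b"\xde\xad\xbe\xef"          # byte pattern unique to the "family"
    + b"\x00" * 64
)

# Hash-based signature database: the SHA-256 of the known sample.
HASH_DB = {hashlib.sha256(SAMPLE).hexdigest()}

# String-based signature in the spirit of a YARA rule: named strings and a
# condition over them ("all" or "any").
STRING_RULE = {
    "name": "demo_family",
    "strings": {"$mutex": b"Ev1lGl0balMutex", "$magic": bytes.fromhex("deadbeef")},
    "condition": "all",
}


def hash_detect(data):
    """Signature detection by hash: an exact match against the database."""
    return hashlib.sha256(data).hexdigest() in HASH_DB


def string_detect(data, rule=STRING_RULE):
    """Signature detection by strings: each named string is searched for in
    the file and the rule's condition decides the verdict."""
    found = {name: (pattern in data) for name, pattern in rule["strings"].items()}
    if rule["condition"] == "all":
        return all(found.values())
    return any(found.values())


def flip_bit(data, offset, bit=0):
    """Return a copy of data with one bit flipped (a minimal 'tampered' sample)."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def compare(data):
    """Run both detectors on the same bytes."""
    return {"hash": hash_detect(data), "strings": string_detect(data)}


if __name__ == "__main__":
    print("original:            ", compare(SAMPLE))
    print("one bit flipped:     ", compare(flip_bit(SAMPLE, 10)))
    print("mutex string changed:", compare(SAMPLE.replace(b"Ev1l", b"Ev2l")))
```

The third case is the flip side of the article’s point: string signatures survive recompilation and byte-level tampering only as long as the strings they key on are left alone, which is why a good rule combines several strings (ideally ones the malware needs to keep, such as mutex names or protocol constants) rather than relying on one.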
