Symantec is observing limited targeted attacks using a new backdoor Trojan, Backdoor.Korplug. This backdoor surfaced earlier this year in March 2012. In these attacks, the targets are sent a crafted email containing a malicious attachment, typically in the form of a password protected zip file containing a malicious executable or in the form of an Office document exploiting Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). Here we will detail an interesting technique used to launch the payload.
We have already seen attackers make use of stolen certificates from legitimate companies in an attempt to add additional levels of trust to a binary. Korplug does not rely on stolen certificates; instead it piggybacks on legitimate signed executables in order to run its code within the privileged process. Let’s see how they do it!
Figure 1. Targeted email with malicious attachment
In a typical attack vector the malicious document is attached to a targeted email and then sent to the victim. When the document is opened, it will exploit the MSCOMCTL.OCX RCE vulnerability and, if successful, will drop and run the main payload.
Here is part of the shellcode used to drop and run the payload:
Figure 2. Shellcode drop and payload run
The payload will also drop and run a harmless document displaying a warning—an attempt to trick the user into thinking that the document cannot be displayed (Figure 3). However, if the user has a recent version of Microsoft Word installed, and has applied the patches provided by Microsoft, the user would be protected and the attackers would not be able to leverage this exploit in the first place.
Figure 3. Decoy document
Symantec detects the payload as Backdoor.Korplug, but its code is more complex than typical back doors seen in targeted attacks. Also, its structure indicates that this threat comes from a framework organized into several different components. Each one of these components performs a specific task, including a keylogger plugin and a screen capture plugin.
The payload contains three encrypted modules:
Figure 4. Malicious attack structure
The interesting part is that the rc.exe file is a legitimate Windows file that will load the malicious rc.dll file. That malicious rc.dll file then loads a copy of the payload (the blob within the rc.hlp file).
Figure 5. Certificate of legitimate rc.exe file
Piggybacking legitimate rc.exe file
If the rc.exe file is a legitimate executable, why does it load a malicious DLL file? Well, let’s have a look at its import table:
Figure 6. Imported functions from rc.dll file
This executable imports two functions from the rc.dll module . Normally, when loading, the rc.exe file imports a legitimate rc.dll file (a Windows component needed for the rc.exe file to run properly). However, if a malicious rc.dll file is present in the same directory as the malicious rc.exe file, then the executable will load this malicious DLL file first, instead of loading the legitimate one from the Windows system directory. This is normal behavior for Windows.
The rc.dll file is a bridge to load any other component the attacker chooses:
Figure 7. Code from the rc.dll file which loads the rc.hlp payload
The DLL file reads a binary blob from the rc.hlp file and then executes it.
Putting it all together
The full order of the attack is:
- Exploit document opened with malicious payload
- Payload drops rc.exe, rc.dll, and rc.hlp files
- Payload runs legitimate rc.exe file signed by Microsoft so it will run unrestricted
- Malicious DLL file loaded to trusted rc.exe process
- Binary blob (copy of payload) in rc.hlp file loaded to trusted rc.exe process
- Main payload (Backdoor.Korplug) runs in trusted rc.exe process
The threat can now load any other component it wants—and if it needs to run another privileged process it can just reuse the same trick.
So, the rc.exe file is a legitimate Windows component: it does not contain vulnerabilities, hidden backdoors, or bugs—and it is not badly written. This trick may, in theory, work on any signed executable that imports code from external modules, although certain conditions are necessary for it to work.
This trick is cheap, but effective, and we are seeing this piggybacking technique used in attacks more frequently. Symantec, however, detects all the malicious components of this threat: the targeted email, the malicious document, the payload executable, and the malicious DLL file.
Symantec detects this malware as Backdoor.Korplug and Bloodhound.Exploit.457. To stay safe, never open suspicious emails or emails from unknown senders, and keep your antivirus definitions up to date.
Check out the latest Symantec Intelligence Report highlighting the latest trends on targeted attacks.