Earlier this month, FortiGuard Labs researchers published findings about a malware campaign exploiting a PowerPoint vulnerability. Cybercriminals, however, are equal opportunity exploiters, so just recently an interesting targeted malware campaign was found to be using another document vulnerability. Only this time, it’s a Hangul Word Processor (HWP) document leveraging the already known CVE-2015-2545 Encapsulated PostScript (EPS) vulnerability.
HWP is a popular alternative to Microsoft Office in South Korea, especially within government agencies. So it is not uncommon for attackers to use this attack vector for spear phishing Korean-speaking targets. In this particular campaign, the contents of the discovered malicious documents are related to some of the political issues in the country. This too is a very common approach for malware operations targeting public institutions.
Aside from this campaign’s motivation, what grabbed our attention was the way it utilizes pCloud, a free cloud service, for data storage and communication. Although this technique has been used before by other malware campaigns, it is still not a common strategy. We also discovered, based on the samples we gathered, that the malware, which we call CloudTap, has been in use for over a year.
Hidden Payload in a JPEG image
The two documents that were found being used by this campaign contain excerpts of articles concerning issues on nuclear power and labour policies in South Korea.
Fig. 1 Malicious document about a protest on South Korean nuclear policy
An Encapsulated PostScript file is embedded in the document, practically hidden from the untrained eye of a regular user. And as with all objects in an HWP document, the script needs to be decompressed using zlib to reveal the actual shellcode, which eventually downloads an executable file from http://price365[dot]co[dot]kr/abbi/head0.jpg.
Once this file is executed, it downloads another file with a JPEG image header.
Fig. 2 Decompressed shellcode binary with the download URL
As expected, this image has an executable binary embedded in it, encrypted with a simple single-byte XOR key. The disguise is an attempt to exploit the way some anti-malware systems optimize their services by limiting scans and sandbox procedures to executable file types commonly used by malware.
Fig. 3 Partially decrypted executable payload in the image
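A defender-side check for the disguise described above, added here as an example and not code from the FortiGuard write-up: it brute-forces all 256 single-byte XOR keys over a file that carries a JPEG header and reports a key only when the decoded bytes form a consistent DOS/PE header (an `MZ` stub whose `e_lfanew` lands on `PE\0\0`). The sample "image" is constructed inline and is not the campaign's file.

```python
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker, what the scanner keys on
PE_MAGIC = b"PE\x00\x00"

def find_xored_pe(data: bytes):
    """Return (key, offset) of a single-byte-XOR'd PE image in data, else None.

    A candidate is accepted only if, after XOR with the key, an 'MZ' stub is
    followed by a plausible e_lfanew (at offset 0x3c) that points at 'PE\\0\\0'.
    Key 0 covers the case where the executable is not encrypted at all."""
    for key in range(256):
        dec = bytes(b ^ key for b in data)
        start = 0
        while (off := dec.find(b"MZ", start)) >= 0:
            if off + 0x40 <= len(dec):
                e_lfanew = int.from_bytes(dec[off + 0x3c:off + 0x40], "little")
                pe = off + e_lfanew
                if 0x40 <= e_lfanew < 0x1000 and dec[pe:pe + 4] == PE_MAGIC:
                    return key, off
            start = off + 1
    return None

def scan_image(data: bytes):
    """Only bother when the file claims to be a JPEG, mirroring the disguise."""
    if not data.startswith(JPEG_SOI):
        return None
    return find_xored_pe(data)

def build_sample(key: int) -> bytes:
    """Constructed stand-in for the downloaded 'JPEG' (not the campaign's file):
    a JFIF header followed by a minimal fake DOS/PE header XOR'd with one byte."""
    dos = bytearray(b"MZ" + b"\x90" * 0x3a)        # 0x3c bytes of DOS stub
    dos += (0x80).to_bytes(4, "little")            # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))             # pad up to the PE signature
    pe = bytes(dos) + PE_MAGIC + b"\x4c\x01" + b"\x00" * 30   # Machine=i386, filler
    enc = bytes(b ^ key for b in pe)
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + enc

if __name__ == "__main__":
    print(scan_image(build_sample(0x3c)))         # -> (60, 11)
```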
FortiGuard identifies the embedded malware as CloudTap, based on its usage of a cloud service that is discussed later in this article.
We also uncovered previous samples of this malware, one of which was a debug version, that were compiled in early 2016, suggesting that this malware has been roaming for over a year.
Fig.4 Compile time of an earlier sample
Sizing Up the Victim
With targeted attacks, malware actors commonly survey the landscape of the system to initially look for interesting artefacts and to determine the next stage of the operation, such as deeper network intrusion or simply identifying any resources in the system that are deemed valuable. In this particular attack, the payload searches for documents and attempts to extract credentials stored by browsers.
Aside from simple mangling of key strings, the payload executable goes straight to business without any use of anti-analysis techniques.
List Processes and Documents with Specific Extensions
The malware proceeds by listing all the running processes in the system, possibly to check for any interesting applications that the victim uses or to spot any anti-virus products.
Then it starts looking for documents with specific extensions - “.hwp”, “.doc”, “.docx”, “.pdf”, “.ppt”, “.pptx”. It does this to all directories in fixed and removable drives found in the system, except the root drive.
Fig.5 Code snippet to search for specific documents
When searching the root drive, it only looks into specific directories where documents are commonly saved – My Documents/Documents, Desktop, Recent documents, etc. Contrary to the previous routine though, the files being listed in this part are no longer limited by extension.
Fig. 6 Malware looks for any files from selected directories in the root drive
With only a list of document file paths, it is hard to tell at this point what type of information interests the author of this malware. Perhaps the threat actor is looking for documents with possibly confidential contents to extract, or simply for documents that can be used in subsequent phishing attempts.
Multiple Methods Used to Extract Credentials
Using several techniques, this attack attempts to extract credentials stored by Microsoft Windows and specific browsers.
To get login credentials stored by Internet Explorer, it enumerates the credentials using the CredEnumerateW API while filtering the result to only those items that start with “Microsoft_WinInet_”. The credentials are then decrypted using CryptUnprotectData in conjunction with the GUID “abe2869f-9b47-4cd9-a358-c22904dba7f7” as the decryption entropy.
Another method it uses is through the registry, “Software\Microsoft\Internet Explorer\IntelliForms\Storage2”, which is used by IE to store autocomplete credentials.
The SecurityXploded site published a detailed explanation of these two techniques on this link.
Before proceeding to the next browser, it tries to extract credentials from the Windows Vault, which is another built-in credential storage from Microsoft. This is done through the use of the Vault Client Access Library (vaultcli.dll).
Then it finally moves on to extracting credentials stored by the Chrome browser, which is locally stored in
Free Cloud Service pCloud Used as the C&C Server
As mentioned, this attacker utilizes the cloud storage service pCloud developed by pCloud AG, a Swiss-based IT company. The service has been around since 2013. Conveniently, upon sign up it offers 10GB of free storage without the need of email verification.
Fig. 7 Main interface of a pCloud account
After obtaining and encrypting the targeted data with AES, it is written to a file and uploaded to the cloud with filename
There are several advantages to using a cloud service as a C&C server. First and foremost, it is a lot easier to set up, and there are plenty of free cloud storage services out there with more than enough functionality for this purpose. As a result, attackers no longer need to set up their own web servers or compromise others, and at the same time the server is assured to always be online and accessible. Moreover, forensic investigations become more complicated because there is simply little information to work with. Unlike a compromised web site, in this case there is no actual machine to do forensics on and no web admin who might spot the malware traces. Lastly, accounts for such services are protected by privacy policies, which can be a pain to work with if information about a certain account is needed.
These are the email accounts used to register the pCloud accounts in this campaign, including disposable ones. Since first discovered and documented, this list may have grown or changed:
Data Exfiltration and Further Infiltration
By using pCloud APIs this campaign is able to easily upload data from the victim as well as download additional tools or malware into the affected system.
For obvious reasons, using the APIs related to file operations requires that a session key first be obtained from the service by logging in. Using the userinfo API with the email and password of the account, the malware attempts to obtain the session key that will be used in subsequent API calls. Note that the requests below are normally done over HTTPS, but we forced the malware to use HTTP for the purpose of showing the details of the requests.
Fig. 8 Communication between pCloud and malware during login
Using a previously obtained session key, the malware proceeds to upload the file with the encrypted data to the cloud storage through the uploadfile API. The data contains the following information:
- MAC Address
- Running Processes
- List of Files
The file is then deleted from the system afterwards.
Fig. 9 Malware uploads encrypted stolen data to pCloud account
After uploading the stolen data, the malware starts looking for a file with the filename
For instance, the MAC address filename of the .lst file that this malware downloads signifies that only the victim with that MAC address will receive that specific file. We can therefore assume that the content of the .lst file, which was later found to contain a list of download URLs, is tailored to specific victims. This can also mean that the attacker only chooses specific victims to pursue based on previously gathered data. Even if the MAC addresses are spoofed, they are still unique identifiers tied to specific targets, possibly for a second stage of the attack. This assumption supports the idea that the previous data gathering is just the reconnaissance stage of the attack and that the next stage depends on the victim’s environment. Below is the main function of the downloader routine.
Fig.10 Summary of the download-execute routine
After successfully downloading the .lst file, the malware deletes it from pCloud, making it impossible for malware analysts/researchers to know what the second stage of attack was. If the download fails, the malware tries again for as long as 5 hours, the maximum time that the malware resides in the system before terminating itself. For now, we can only speculate what tools or malware are being used by this campaign in their victim’s system.
The list is also encrypted using AES, and based on how the malware parses the downloaded file, it contains a list of URLs separated by new lines. Eventually, the malware downloads and executes every item on the list.
Fig. 11 Function to download and execute items on the list
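A proxy-log detection for the pCloud exchange described in this section, added as an example and not code from the original write-up. It assumes a plain "timestamp client url" log format and pCloud's public API host api.pcloud.com; the method names getfilelink and deletefile and the MAC-named .lst format are assumptions, since the write-up only names the userinfo and uploadfile calls and does not spell out the filename format. The log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs, unquote

# Constructed proxy log lines ("timestamp client url"), not captured traffic.
# Only userinfo and uploadfile are named in the write-up; the other method names are assumed.
LOG = """\
2017-06-01T10:00:01 10.0.0.5 https://api.pcloud.com/userinfo?getauth=1&username=x%40example.com&password=REDACTED
2017-06-01T10:00:04 10.0.0.5 https://api.pcloud.com/uploadfile?auth=SESSION&folderid=0&filename=report.dat
2017-06-01T10:00:09 10.0.0.5 https://api.pcloud.com/getfilelink?auth=SESSION&path=%2F00-11-22-33-44-55.lst
2017-06-01T10:00:11 10.0.0.5 https://api.pcloud.com/deletefile?auth=SESSION&path=%2F00-11-22-33-44-55.lst
2017-06-01T10:05:00 10.0.0.9 https://api.pcloud.com/userinfo?getauth=1&username=bob%40example.com&password=REDACTED
2017-06-01T10:05:02 10.0.0.9 https://api.pcloud.com/uploadfile?auth=SESSION&folderid=0&filename=holiday.jpg
"""

MAC_LST = re.compile(r"(?:[0-9a-f]{2}[-:]?){6}\.lst$", re.I)  # assumed tasking-file name format
WINDOW = timedelta(minutes=10)

def classify(url):
    """Map one pCloud API request to a stage name, or None if uninteresting."""
    u = urlparse(url)
    q = parse_qs(u.query)
    method = u.path.rsplit("/", 1)[-1]
    if method == "userinfo" and q.get("getauth") == ["1"]:
        return "login"                       # email+password exchanged for a session key
    if method == "uploadfile":
        return "upload"                      # encrypted recon blob goes to the account
    name = unquote((q.get("path") or q.get("filename") or [""])[0])
    if MAC_LST.search(name):                 # per-victim tasking file named by MAC
        return "delete_tasking" if method == "deletefile" else "fetch_tasking"
    return None

def detect(log_text):
    """Return {client: [stages]} for clients whose pCloud requests follow the
    CloudTap order login -> upload -> fetch_tasking inside WINDOW."""
    seen = {}
    for line in log_text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        if urlparse(url).hostname != "api.pcloud.com":
            continue
        stage = classify(url)
        if stage:
            seen.setdefault(client, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for client, stages in seen.items():
        order = [s for _, s in stages]
        if order[:3] == ["login", "upload", "fetch_tasking"] \
                and stages[2][0] - stages[0][0] <= WINDOW:
            hits[client] = order
    return hits
```

The ordinary user at 10.0.0.9 logs in and uploads but never fetches a MAC-named list, so only 10.0.0.5 is reported.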
1. Apply the patch released by Hancom that covers the CVE-2015-2545 vulnerability.
2. FortiGuard Antivirus service detects the malicious HWP files as MSOFFICE/CVE20152545.HWP!exploit, the payload as W32/Cloudtap.A!tr.pws, and the crafted JPEG file as DATA/CloudTap.JPG!tr.dldr
3. FortiGuard Web Filtering service blocks all C&C and related URLs.
4. FortiSandbox rates the HWP file as High Risk.
This article shows how targeted attacks are getting more and more difficult to probe. The attackers are becoming more cautious about leaving traces of their attacks. Combined with the advantages of using free cloud storage services that we discussed in this blog, it would not be surprising if more and more malware campaigns adopted this free and easier setup.
-= FortiGuard Lion Team =-