A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign. The report states the malware was found in Georgian governmental agencies including ministries, parliament, banks and NGOs. The report also mentions that the purpose of the malware was "Collecting Sensitive, Confidential Information about Georgian and American Security Documents" and it establishes a connection with Russian official security agencies.
AlienVault has analysed the infection vectors as well as the malware behaviour and has found some IOCs and signatures that can be used to detect the presence of the malware in your systems.
Below is the full analysis or you can read it here (with screenshots): http://labs.alienvault.com/labs/index.php/2012/georbot-botnet-a-cyber-espionage-campaign-against-georgian-government/
To compromise the victims, the attackers placed JavaScript code or iFrames into websites leading to exploit code. The compromised websites include Georgian Government servers like ema.gov.ge.
Other examples are:
- ema.gov.ge
- 31.214.140.214
- 178.32.91.70
- georgiaonline.xp3.biz
- 31.31.75.63
The malicious JavaScript includes code that exploits several vulnerabilities, including CVE-2010-0842, CVE-2006-3730, MS06-057 and some Java exploits.
Examples of exploit code found:
178.32.91.70 [/] modules[/]docs[/]newexp[.]jar https://www.virustotal.com/file/9bf88bf15ffa6888ec2a3bd9e8dc6d13b650f1122ca69cface9ccf777c32e259/analysis/
178.32.91.70 [/] modules[/]docs[/]Java-2010-0842[.]jar
Once the exploit code is executed, the payload calc.exe that contains the malware is downloaded from the remote server.
The malware uses a custom packer to evade security products. It also uses obfuscation to hide both the configuration values and the API calls: the strings, including the configuration values, are hidden with byte subtraction operations.
We can use the following Yara rule to detect the obfuscated binary:
rule GeorBotBinary
{
    strings:
        $a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}
    condition:
        all of them
}
Based on the deobfuscated strings we can also write a Yara rule to detect the presence of the malware in memory:
rule GeorBotMemory
{
    strings:
        $a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
        $b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
        $c = {5C 75 73 62 73 65 72 76 2E 65 78 65}
    condition:
        $a and ($b or $c)
}
The rule uses both the registry key used to maintain persistence and the name of the executable that the malware creates on the system (in version >=5 of the malware those values are stored as wide strings).
If we have a memory image of a system we can use Volatility to look for processes matching our Yara rule:
$ python vol.py -f /Users/jaime/tmp/geor.img yarascan -y GeorBotMemory.yara
Volatile Systems Volatility Framework 2.1_alpha
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
0x004059c6 73 79 73 74 65 6d 33 32 5c 75 73 62 63 6c 69 65 system32\usbclie
0x004059d6 6e 74 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 nt.exe.C:\WINDOW
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059ae 5c 75 73 62 73 65 72 76 2e 65 78 65 00 43 3a 5c \usbserv.exe.C:\
0x004059be 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 WINDOWS\system32
0x004059ce 5c 75 73 62 63 6c 69 65 6e 74 2e 65 78 65 00 43 \usbclient.exe.C
0x004059de 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d :\WINDOWS\system
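As an added example (not from the post or AlienVault), the GeorBotMemory condition re-implemented in Python over a constructed memory buffer. It goes slightly beyond the hex rule above by also checking the UTF-16LE (wide) form of each string, since the post notes that newer versions store these values as wide strings:

```python
# Indicators copied from the GeorBotMemory Yara rule. The embedded 0x00 bytes in
# SIG_A are part of the rule: separate NUL-terminated strings laid out contiguously.
SIG_A = b"SOFTWARE\\\x00Microsoft\\\x00Windows\\CurrentVersion\\\x00Run\x00USBSERV"
SIG_B = b"system32\\usbserv.exe"
SIG_C = b"\\usbserv.exe"


def wide(sig: bytes) -> bytes:
    """UTF-16LE form of an ASCII signature (every byte followed by 0x00)."""
    return sig.decode("latin-1").encode("utf-16-le")


def find_all(buf: bytes, sig: bytes):
    """Offsets of every narrow or wide occurrence of sig in buf, as (offset, kind)."""
    hits = []
    for needle, kind in ((sig, "ascii"), (wide(sig), "wide")):
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def georbot_memory_match(buf: bytes) -> dict:
    """Evaluate the rule condition `$a and ($b or $c)` and return the evidence."""
    a, b, c = (find_all(buf, s) for s in (SIG_A, SIG_B, SIG_C))
    return {"match": bool(a) and bool(b or c), "a": a, "b": b, "c": c}


# Constructed sample buffers (not real memory captures). The first mimics the
# layout shown in the Volatility output: registry fragments, then dropped paths.
SAMPLE_ASCII = (b"\x90" * 16 + SIG_A + b"\x00.doc\x00.x" + b"\x00" * 8
                + b"C:\\WINDOWS\\system32\\usbserv.exe\x00"
                + b"C:\\WINDOWS\\system32\\usbclient.exe\x00")
# The same strings stored as wide (UTF-16LE), as the post says newer versions do.
SAMPLE_WIDE = b"\x00" * 4 + wide(SIG_A) + b"\x00\x00" + wide(b"C:\\WINDOWS\\system32\\usbserv.exe")
# A benign buffer: the Run key alone, without the NUL-separated layout or the dropper name.
SAMPLE_BENIGN = b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"

if __name__ == "__main__":
    for name, buf in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)):
        print(name, georbot_memory_match(buf))
```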
Network traffic
The malware uses HTTP to communicate with the C&C server. It supports several commands to upload and retrieve information from the victim. It also checks for malware updates every once in a while. In early versions the update was requested from /modules/docs/upload/calc.exe on the C&C server.
In newer versions, the malware sends a request to /calc.php and the server answers with base64-encoded content (this can be done using content from different servers at the same time).
When the malware starts it sends a request to the C&C (screenshot here: http://labs.alienvault.com/labs/index.php/2012/georbot-botnet-a-cyber-espionage-campaign-against-georgian-government/).
Every minute it sends an HTTP request to the C&C to ask for instructions.
In newer versions a "cam" parameter was also introduced that tells the C&C whether the infected system has a webcam:
/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00
You can use the following Snort rules to detect the presence of this malware in your network:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot requesting update"; flow:to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot initial checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot checkin"; flow:to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;)
Emerging Threats Pro has coverage for previous versions (see “ETPRO TROJAN TDSS.xcn”) but the rules I posted will work with newer versions of the malware as well.
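As an added example (not from the post or AlienVault), the same three checks applied in Python to constructed proxy log lines, so the logic can be run over existing web logs rather than only live traffic. It also extracts the ver, cam, p and id parameters of a check-in. The log format and the example.invalid hostname are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines, one per line: "<source IP> <method> <URL>".
# The check-in URIs follow the format shown in the post; hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.15 GET http://example.invalid/modules/docs/upload/calc.exe
10.0.0.15 POST http://example.invalid/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00
10.0.0.15 GET http://example.invalid/index312.php?ver=5.1&cam=0&p=bot123&id=401acd00
10.0.0.22 GET http://example.invalid/index.php?ver=2&id=ab
10.0.0.22 POST http://example.invalid/calc.php
"""

UPDATE_URI = "/modules/docs/upload/calc.exe"


def classify(method: str, url: str):
    """Mirror the three Snort rules: return (rule name, query fields) or None.

    Like Snort's http_uri content matches, the checks are substring matches on
    the path plus query string; only the initial check-in rule requires POST.
    """
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    if UPDATE_URI in uri:
        return "Georbot requesting update", {}
    if ".php?ver=" not in uri or "&id=" not in uri:
        return None
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "&p=cert123" in uri and method.upper() == "POST":
        return "Georbot initial checkin", fields
    if "&p=bot123" in uri:
        return "Georbot checkin", fields
    return None


def scan_log(text: str):
    """Return (source IP, rule name, fields) for every log line that matches a rule."""
    hits = []
    for line in text.splitlines():
        src, method, url = line.split(maxsplit=2)
        result = classify(method, url)
        if result:
            hits.append((src, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```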
Based on the behavior of the malware we wrote this OpenIOC rule: http://labs.alienvault.com/labs/wp-content/uploads/2012/10/Screen-shot-2012-10-31-at-6.50.01-PM.png