A tale of Pirpi, Scanbox & CVE-2015-3113
23 July 2015
In the past year, PwC has notified the public about developments relating to the ScanBox reconnaissance framework on several occasions. There has recently been public reporting on what appears to be the first deployment of malware via ScanBox. While that report references activity related to a zero-day exploit against Adobe Flash (CVE-2015-3113), it does not detail the delivery mechanism used for the zero-day, which in fact uses ScanBox as part of the process.
In the second of our public ScanBox reports, we reported that in addition to attackers using the framework in conjunction with Strategic Web Compromises (SWCs), we were also observing the attackers sending phishing emails to targets. We referred to this as ‘Phishing at the Watering Hole’ (Figure 1). This short blog, available to our intelligence customers since the 3rd July, details this technique in action and how a variant of ScanBox is used to infect victims with the Pirpi malware.
Figure 1 – “Phishing at the Watering Hole” – an explanation of how attackers used ScanBox with phishing attacks initially.
Since our initial report in February 2015, it has become apparent that the threat actor behind this particular set of emails was APT3, also known as Gothic Panda and often referred to in open-source reporting as ‘Pirpi’ (after the malware the group deploys). The emails linked victims to a website the attackers had compromised, which in turn opened the genuine content the victim was expecting in a second tab.
At present, we have no reason to believe that any malware was served to visitors when this technique was used in early January, beyond the ScanBox keylogging and profiling of visiting machines.
However, this was not the only time that Pirpi used ScanBox: they continued to send phishing emails to organisations across a variety of sectors, using the same technique of opening a second tab of legitimate content. In their most recent rounds of phishing, and possibly in earlier rounds, the Pirpi attackers used the ScanBox framework to profile visitors and then select those who met a given set of requirements for infection. This is the same principle that underlies most popular exploit kits: once a visitor meets a specific set of requirements, they are served an exploit. In this case we believe the requirement for infection was a whitelist of Windows and Flash versions.
It is unclear at present whether victims were also whitelisted by IP address. The chain of infection for the Flash zero-day, when used in conjunction with ScanBox, is as follows:
- The victim receives a phishing email with a link to a compromised site, with a unique, one-time-use landing page per victim.
- The landing page runs ScanBox, which profiles the visiting machine (browser, plugins and their versions) and reports the results to the attackers' server.
- After a 0.4 second delay, the framework attempts to load the Flash zero-day for qualifying victims.
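The profile-then-select gate described above, as an added illustration that is not ScanBox's or the attackers' code: a constructed set of visitor profiles is filtered against an assumed whitelist of Windows hosts running a Flash build affected by CVE-2015-3113. The page does not say which versions the attackers whitelisted; the upper bound below is taken from Adobe's advisory APSB15-14 (18.0.0.161 was the last affected build, fixed in 18.0.0.194) and the floor is an assumption. PluginDetect reports versions with commas ("18,0,0,160"), so the comparison normalises that form.

```javascript
// Added example, not ScanBox/APT3 code: models the "profile, then serve the
// exploit only to qualifying victims" gate that the post compares to an
// exploit kit. The whitelist values are assumptions; the post says only that
// selection was by Windows/Flash version. 18.0.0.161 is the last Flash build
// affected by CVE-2015-3113 according to Adobe advisory APSB15-14.

// PluginDetect reports Flash as "18,0,0,160"; Adobe writes "18.0.0.160".
// Accept either and return four integer fields, or null if unparseable.
function parseVersion(v) {
  const parts = String(v).trim().split(/[.,]/).map(p => parseInt(p, 10));
  if (parts.length < 1 || parts.length > 4 || parts.some(Number.isNaN)) return null;
  while (parts.length < 4) parts.push(0);
  return parts;
}

// Field-by-field numeric comparison returning -1, 0 or 1. A plain string
// comparison would rank "18.0.0.9" above "18.0.0.194" and make the gate misfire.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error('unparseable version');
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Assumed selection criteria (the post does not give the real ones).
const WHITELIST = {
  os: /windows/i,
  flashMin: '11.0.0.0',    // assumption: a floor below which the exploit is not spent
  flashMax: '18.0.0.161',  // last build affected by CVE-2015-3113 (APSB15-14)
};

// True if the framework would load the exploit for this profiled visitor.
function qualifies(profile, wl = WHITELIST) {
  if (!wl.os.test(profile.os || '')) return false;
  if (!profile.flash || !parseVersion(profile.flash)) return false;
  return compareVersions(profile.flash, wl.flashMin) >= 0 &&
         compareVersions(profile.flash, wl.flashMax) <= 0;
}

// Given the profiles the back end collected, return the visitor ids to serve.
function selectTargets(profiles, wl = WHITELIST) {
  return profiles.filter(p => qualifies(p, wl)).map(p => p.id);
}

// Constructed sample profiles (not real telemetry).
const SAMPLE_PROFILES = [
  { id: 'v1', os: 'Windows 7',   flash: '18,0,0,160' },  // affected build -> served
  { id: 'v2', os: 'Windows 8.1', flash: '18.0.0.194' },  // patched -> skipped
  { id: 'v3', os: 'Mac OS X',    flash: '18,0,0,160' },  // wrong OS -> skipped
  { id: 'v4', os: 'Windows 7',   flash: '' },            // no Flash -> skipped
  { id: 'v5', os: 'Windows XP',  flash: '10,3,183,90' }, // below floor -> skipped
];

console.log('would be served:', selectTargets(SAMPLE_PROFILES));
```

The same comparison is useful on the defensive side: run over a plugin inventory instead of attacker telemetry, `qualifies` lists the hosts that still sit inside the affected range.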
The obfuscation applied to PluginDetect (the plugin-version detection library that ScanBox wraps for its profiling) was fairly basic: the script builds a large array of hex-encoded strings, decodes each to ASCII at runtime and substitutes the results into the functions that need them. To illustrate how this appears, the same function is shown before and after deobfuscation in Figure 2.
Figure 2 – The same function, shown before deobfuscation and after
Once the strings are substituted, the code is slightly more readable; however, the attackers have also replaced the variable names, likely in an automated fashion, which makes analysis more difficult. Nevertheless, the code clearly matches what can be generated on the PinLady website, the home of the PluginDetect library.
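A static deobfuscator for the pattern just described, added here as an example (the obfuscated sample is constructed for this illustration and is not ScanBox's or PluginDetect's code; the names `_0xab12` and `_0x9f` are invented). It locates the hex string table, decodes it, finds the decoder function by the table reference in its body, and substitutes each decoder call with the literal it resolves to, which is the substitution Figure 2 shows done by hand. The variable renaming is left alone, since there is nothing in the script to recover the original names from.

```javascript
// Added example, not ScanBox/PluginDetect code. A constructed sample in the
// style the post describes: every string lives in a hex-encoded array and is
// fetched through a small decoder function at runtime.
const SAMPLE = `
var _0xab12 = ["6e6176696761746f72", "706c7567696e73", "53686f636b7761766520466c617368", "6c656e677468"];
function _0x9f(i) { var s = ""; var h = _0xab12[i]; for (var j = 0; j < h.length; j += 2) { s += String.fromCharCode(parseInt(h.slice(j, j + 2), 16)); } return s; }
var flashFound = false;
var _0x3c = window[_0x9f(0)][_0x9f(1)];
for (var k = 0; k < _0x3c[_0x9f(3)]; k++) { if (_0x3c[k].name == _0x9f(2)) { flashFound = true; } }
`;

// Hex digit pairs -> ASCII. Rejects odd lengths and non-hex characters.
function decodeHex(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error(`not a hex string: ${hex}`);
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Step 1: find the string table `var NAME = ["6e61...", "706c..."]` and decode it.
function extractStringTable(src) {
  const m = src.match(/var\s+([\w$]+)\s*=\s*\[([^\]]*)\]/);
  if (!m) throw new Error('no string table found');
  const strings = [];
  const re = /"([0-9a-fA-F]*)"/g;
  let e;
  while ((e = re.exec(m[2])) !== null) strings.push(decodeHex(e[1]));
  if (strings.length === 0) throw new Error('string table is empty or not hex-encoded');
  return { name: m[1], strings, decl: m[0] };
}

// Step 2: the decoder is the function whose body indexes the table.
function findDecoder(src, tableName) {
  const re = new RegExp('function\\s+([\\w$]+)\\s*\\([^)]*\\)\\s*\\{[^}]*?' + escapeRe(tableName) + '\\[');
  const m = src.match(re);
  if (!m) throw new Error('no decoder function found');
  return m[1];
}

// Remove `function NAME(...) { ... }` by brace counting. Braces inside string
// literals would confuse this; fine for the sample, a real tool should tokenise.
function removeFunction(src, name) {
  const start = src.search(new RegExp('function\\s+' + escapeRe(name) + '\\s*\\('));
  if (start < 0) return src;
  let i = src.indexOf('{', start);
  let depth = 0;
  for (; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) break;
  }
  return src.slice(0, start) + src.slice(i + 1);
}

// Step 3: replace every DECODER(n) with the literal it resolves to, then tidy
// `obj["ident"]` into `obj.ident` where the key is a plain identifier.
function substituteCalls(src, decoder, strings) {
  const callRe = new RegExp(escapeRe(decoder) + '\\(\\s*(\\d+)\\s*\\)', 'g');
  let out = src.replace(callRe, (_, idx) => {
    const s = strings[Number(idx)];
    if (s === undefined) throw new Error(`index ${idx} out of range`);
    return JSON.stringify(s);
  });
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
  return out;
}

function deobfuscate(src) {
  const table = extractStringTable(src);
  const decoder = findDecoder(src, table.name);
  let code = src.replace(table.decl + ';', '').replace(table.decl, '');
  code = removeFunction(code, decoder);
  code = substituteCalls(code, decoder, table.strings);
  return { table: table.name, decoder, strings: table.strings, code: code.trim() };
}

console.log(deobfuscate(SAMPLE).code);
```

On the sample this yields `window.navigator.plugins` iterated for a plugin named `"Shockwave Flash"`, which is the plain-PluginDetect shape the post says the deobfuscated code matches; the renamed variables (`_0x3c`, `k`) survive because only the string table carries recoverable information.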
We believe the primary benefit to the attackers of using the ScanBox framework to wrap the PluginDetect code, rather than using PluginDetect on its own, is that they are able to better record the success rate of infections. As discussed in our subscriber-only article ‘ScanBox – going ServerSide’ (CTO-TIB-20150430-0B), the ScanBox server-side code gives the attackers the ability to whitelist visitors, as well as to track their results in a back-end database.
The Pirpi attackers are becoming increasingly well known for these attacks following a number of public reports on the group. It is unclear whether the repeated public coverage they are currently receiving will lead to a change in tactics by a group which has used broadly the same tactics, techniques and procedures (TTPs) for the past few years.
PwC intelligence customers have access to indicators and associated IDS rules in report CTO-TIB-20150703-01A.
We specialise in providing the services required to help clients resist, detect and respond to advanced cyber-attacks. This includes crisis events such as data breaches, economic espionage and targeted intrusions, including those commonly referred to as APTs. If you would like more information on any of the threats discussed in this bulletin please feel free to get in touch, by e-mailing [email protected]