Context’s Threat Intelligence analysts uncovered that the secondary payload, Trojan:W32/MMCore has been updated, likely in response to the exposure of BaneChant.
This version, labelled as ‘2.1-LNK’, tags the egressed communications with ‘StrangeLove’ opposed to the previously identified ‘2.0-LNK’ version that was using ‘BaneChant’. Perhaps this tag is also a reference to music on a movie soundtrack - in this case Tim Burton’s ‘Frankenweenie’ – or maybe to the cult classic film ‘Dr. Strangelove’.
One notable difference was that the downloader (first stage) expects binary data which includes the JFIF header, 20 bytes that was missing from the previous incarnation. The downloaded data is obfuscated using the ‘Shikata ga nai’ encoder, likely in an effort to avoid detection by anti-virus products.
Similar to the downloaders used to deploy BaneChant and its predecessors, this latest downloader connects to a domain that redirects via an HTTP 302 response to another that houses the second stage implant. In this case the outgoing request takes the form:
GET /images/banners/foo.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)
with the subsequent redirection to www.solidsec.net:80.
At the time of analysis, pingr.redirectme.net resolved to 184.108.40.206 (as do many domains provided by noip.com), with www.solidsec.net resolving to 220.127.116.11.
The functionality of MM Core remains the same, with only minor changes. Specifically, the temporary file created for ‘download and execute’ commands, uses a prefix string of ‘jv’ instead of ‘java’, and the path to the implant is now:
In this instance, outgoing communication of MM Core is via HTTP POSTs to:
and uses MIME multipart message boundary:m
Context has been tracking this adversary since December 2012 and will shortly release more details on infrastructure and attribution.