They PWN Houses

On November 12, 2016, Mustafa Ali CAN, a successful player of “Pi Hediyem Var,” contacted me after receiving an alert from his antivirus software while visiting a government website. In our correspondence, he mentioned that the antivirus had identified a malicious JavaScript code on the site, labeling it as JS/Kryptic.I. As a cybersecurity expert aware that various APT groups target our government sites, I decided to thoroughly investigate the malicious JavaScript code that triggered the alarm.

When you visit the site, you do not encounter JavaScript that tries to exploit your system directly; instead, malicious JavaScript presents a message that relies on social engineering to get you to run the malware (a dropper). To locate that JavaScript, you examine the page source and find it hidden in a comment posted on April 10, 2015, pointing to the following URL: http://pol.google.com.mooo.com/ajax/libs/jquery/jquery-2.1.5.ack.min.js. Of course, you may wonder how we can be sure whether this is malicious code that was added to an old comment. The answer lies in the compilation date of the malware, which is revealed in the later sections of this text.

When I downloaded and began analyzing the JavaScript code, I observed that obfuscation techniques had been applied to it. To resolve this quickly, I used the js-beautify and Node.js tools included with REMnux, which allowed me to easily deobfuscate the code and uncover the web addresses hidden within it. In the first line of the jquery-2.1.5.ack.min.js file (which I initially named mal.js, then renamed obfuscated.js during analysis), I found the address of the central server from which the malware would be loaded: http://codebase.google.com.mooo.com/ajax/libs/jquery/. The fact that both pol.google.com.mooo.com and codebase.google.com.mooo.com were redirected to a server owned by a university’s faculty of education in Turkey further supported the possibility that this server had been compromised by malicious actors. Additionally, the inability of Sucuri’s malware scanner to detect the malicious code on the website suggested that it might have been customized by the attackers.

When I examined the deobfuscated JavaScript code with the help of auxiliary tools, it became clear that the attackers were targeting users of Windows, Linux, and macOS operating systems. If the operating system was Windows and Flash was installed, the malware (first-stage downloader/dropper) would be delivered through Adobe AIR. If Flash was not installed and the browser was Firefox, the malware would be delivered via a Firefox extension. In cases where neither of these conditions was met, but the browser was Internet Explorer, the JavaScript code would create a system file via an HTA file. For Linux or macOS operating systems, if the browser was Firefox, the malware (first-stage downloader) would be delivered through JavaScript. If these conditions weren’t met, but the target system had Java installed, the malware would be delivered through a malicious JAR file. The hidden code used the string “M4St3Rm4pp3d” as a key during the downloader creation process. (I suspect this string was the signature of the malware developer.)

Depending on the operating system, the malware downloaded and executed from the address http://softwareupdates.ignorelist.com/globalupdates/ was unixupdate (sha1: 5D09C139746C8A9855CE341A63687E2E86A47FAE), osxupdate (sha1: 1A441A1E80F88CEBE0D1E20CE06E2144743C5955), or winupdate (sha1: EEC0B83017F59B8D15ED630107160D71950C7888). Upon analyzing winupdate (which is actually downloaded as a VBS file that carries the binary and executes it) on the Windows operating system, I discovered that it was also a downloader (second-stage downloader). After converting the hex values of the PE within the VBS file to binary using the xxd tool, I was able to extract the winupdate.exe file.
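The hostnames and hashes in the two paragraphs above are the indicators a defender would want to search for in their own proxy logs or in a deobfuscated copy of the loader. The following Python triage helper is an added example, not the author's tooling: it pulls URLs out of a deobfuscated script, flags hosts that sit under the two dynamic-DNS parents used here (mooo.com and ignorelist.com), looks for the “M4St3Rm4pp3d” string, and matches a downloaded payload's SHA-1 against the three hashes from the write-up. The sample script text is constructed for the example and is not the real loader.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the write-up. The two dynamic-DNS parents are the zones
# the attacker-controlled hostnames (pol/codebase.google.com.mooo.com,
# softwareupdates.ignorelist.com) were registered under.
SUSPECT_DNS_PARENTS = ("mooo.com", "ignorelist.com")
KNOWN_STRINGS = ("M4St3Rm4pp3d",)
KNOWN_SHA1 = {
    "5d09c139746c8a9855ce341a63687e2e86a47fae": "unixupdate",
    "1a441a1e80f88cebe0d1e20ce06e2144743c5955": "osxupdate",
    "eec0b83017f59b8d15ed630107160d71950c7888": "winupdate",
}

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def extract_hosts(js_text):
    """Return the distinct hostnames referenced by URLs in a deobfuscated script,
    in order of first appearance."""
    hosts = []
    for url in URL_RE.findall(js_text):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def is_suspect_host(host):
    """True when the host is one of the dynamic-DNS parents or a subdomain of
    one. The label-wise check avoids matching look-alikes such as notmooo.com."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in SUSPECT_DNS_PARENTS)


def triage_script(js_text):
    """Summarise indicator hits found in a deobfuscated script."""
    hosts = extract_hosts(js_text)
    return {
        "suspect_hosts": [h for h in hosts if is_suspect_host(h)],
        "other_hosts": [h for h in hosts if not is_suspect_host(h)],
        "known_strings": [s for s in KNOWN_STRINGS if s in js_text],
    }


def identify_payload(data):
    """Match a downloaded payload's SHA-1 against the hashes from the write-up.
    Returns the stage name, or None when the hash is unknown."""
    return KNOWN_SHA1.get(hashlib.sha1(data).hexdigest())


# Constructed sample in the shape of the deobfuscated loader (not the real script).
SAMPLE_JS = """
var base = "http://codebase.google.com.mooo.com/ajax/libs/jquery/";
var upd  = "http://softwareupdates.ignorelist.com/globalupdates/";
var cdn  = "https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js";
var k = "M4St3Rm4pp3d";
"""

if __name__ == "__main__":
    print(triage_script(SAMPLE_JS))
    print(identify_payload(b"constructed bytes, not one of the real payloads"))
```

The hash lookup is exact-match only, so it confirms a known sample but says nothing about a recompiled variant; the host check is the more durable of the two because it keys on the dynamic-DNS zones rather than on one filename.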

After running the Winupdate program, which was compiled on March 24, 2015, I observed that it injected itself into the WMIC process. It then created two files under the %temp% directory: AdobeUpd.exe (sha1: 013E276E46732F2B8D4CC0489886B6CCE7C229A4) and AdobeUpdate.exe (sha1: A8B1C28D3F6D977F9D2ABF386197C57DE67667A6).

When I first analyzed the AdobeUpd.exe program using the VB Decompiler tool, I found that after execution, it copied the AdobeUpdate.exe program from the %TEMP% directory to %WINDIR%\System32\AdobeUpdate.exe. Additionally, to ensure it could run automatically upon system restart, it created the AdobeUpdate service.

Meanwhile, after the unixupdate program is run on Linux, it copies itself under the user’s HOME directory as .unixupdate and appends its directory to the end of the .bashrc file. This is a detail I would also like to share with Linux users.

After the AdobeUpdate program was executed, it attempted to connect to command and control servers embedded in its source code through ports 80, 8080, and 443. What was particularly interesting was that many of these command and control servers were located in Turkey. When trying to connect to the IP addresses, it became apparent that some of them were associated with DVR devices. Given that IoT devices, particularly those used in DDoS attacks, are often exploited as jump points in targeted attacks, this is unlikely to surprise anyone at this point.
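For Linux users who want to check for the persistence described two paragraphs above, here is an added Python check (not the author's code). It looks for a .unixupdate entry in the home directory and for any non-comment line in .bashrc that invokes a path ending in that name; both the artifact name and the "launcher line" form are assumptions about how the append looks, since the write-up only says the directory is appended. The sample .bashrc is constructed.

```python
import os
import re

# Artifact name reported in the write-up: the Linux stage copies itself to
# $HOME/.unixupdate and appends to $HOME/.bashrc.
ARTIFACT_NAME = ".unixupdate"


def suspicious_bashrc_lines(bashrc_text, artifact=ARTIFACT_NAME):
    """Return (line_number, line) for non-comment lines that reference the
    artifact as a whole path component, e.g. '$HOME/.unixupdate &' or
    '~/.unixupdate'. Comments and blank lines are skipped."""
    pattern = re.compile(
        r"(?:^|[\s;&|\"'/])" + re.escape(artifact) + r"(?:$|[\s;&|\"'])"
    )
    hits = []
    for n, line in enumerate(bashrc_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if pattern.search(stripped):
            hits.append((n, stripped))
    return hits


def check_home(home_entries, bashrc_text):
    """Combine the file-presence and .bashrc checks. home_entries is the list
    of names in the user's home directory (e.g. os.listdir(home))."""
    return {
        "artifact_present": ARTIFACT_NAME in home_entries,
        "bashrc_hits": suspicious_bashrc_lines(bashrc_text),
    }


# Constructed sample .bashrc: benign lines followed by an appended launcher.
SAMPLE_BASHRC = """# ~/.bashrc
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
$HOME/.unixupdate &
"""

if __name__ == "__main__":
    home = os.path.expanduser("~")
    try:
        with open(os.path.join(home, ".bashrc"), encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        text = ""
    print(check_home(os.listdir(home), text))
```

Run it as the affected user; a hit on the last lines of .bashrc together with a hidden .unixupdate file is the combination the write-up describes, and the line number tells you where to cut.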

Of course, after 1.5 years since the malware was compiled, expecting the command and control centers to still be operational would be unrealistic, so unfortunately, I couldn’t find a working command and control center. As a result, I decided to focus on decrypting the data that the AdobeUpdate.exe program tried to send to the login.php page of the command and control center as soon as it was executed. Knowing that the AdobeUpdate.exe program injected code into the WMIC process, I attempted to locate the injection point using IDA Pro, but I was disappointed by technical difficulties that prevented successful identification.

As someone who has always found Immunity Debugger more practical, I turned to it for help. However, this time, Immunity Debugger crashed as well. Just as I was feeling stuck, x64dbg, a tool that is fast becoming a contender for OllyDbg’s throne, came to the rescue. Since I found that AdobeUpdate.exe was developed in Visual Basic and the injected malicious code used the CallWindowProc API to execute code from memory, I decided to search memory for the bytes that open the PE file format (the MZ magic header, 4D 5A 90) before the API call. After successfully locating the core of the malware in memory, I dumped it to disk for further analysis.
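Both the xxd step earlier (hex-encoded PE inside a VBS file) and the memory search above come down to recovering a PE image from a byte stream. The following Python is an added example, not the author's tooling: it decodes the hex string literals in a VBS dropper to bytes, and scans a buffer for MZ headers, keeping only those whose e_lfanew field (at offset 0x3C) lands on a PE\0\0 signature, which filters out stray "MZ" byte pairs that a raw 4D 5A 90 search would also hit. The VBS text and the "memory dump" are constructed around a minimal, non-runnable PE stub.

```python
import re
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def hex_blob_from_vbs(vbs_text):
    """Join every quoted all-hex string literal in a VBS dropper and decode it,
    the same result as extracting the hex and piping it through xxd -r -p."""
    joined = "".join(re.findall(r'"([0-9A-Fa-f]+)"', vbs_text))
    if len(joined) % 2:
        joined = joined[:-1]  # drop a dangling nibble rather than fail
    return bytes.fromhex(joined)


def pe_header_offset(buf, mz_at):
    """Validate an MZ candidate: e_lfanew at +0x3C must point inside the buffer
    at a PE signature. Returns the PE header offset or None."""
    if buf[mz_at:mz_at + 2] != MZ or mz_at + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, mz_at + 0x3C)
    pe_at = mz_at + e_lfanew
    if e_lfanew < 0x40 or pe_at + 24 > len(buf):
        return None
    return pe_at if buf[pe_at:pe_at + 4] == PE_SIG else None


def carve_pe_candidates(buf):
    """Scan a dump for MZ headers with a valid PE signature.
    Returns [(mz_offset, coff_machine), ...]."""
    found = []
    start = 0
    while True:
        mz_at = buf.find(MZ, start)
        if mz_at < 0:
            break
        pe_at = pe_header_offset(buf, mz_at)
        if pe_at is not None:
            (machine,) = struct.unpack_from("<H", buf, pe_at + 4)  # IMAGE_FILE_HEADER.Machine
            found.append((mz_at, machine))
        start = mz_at + 1
    return found


def build_minimal_pe_stub(machine=0x014C):
    """Constructed stand-in for a PE image: 0x40-byte DOS header with
    e_lfanew=0x40, then PE signature and a 20-byte COFF header. Not executable."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIG + coff + b"\x00" * 32


# Constructed sample VBS in the shape of a hex-carrying dropper.
SAMPLE_VBS = 'Dim h\nh = "' + build_minimal_pe_stub().hex().upper() + '"\n'

# Constructed "memory dump": padding, a stray "MZ" that is not a PE, then the stub.
SAMPLE_DUMP = b"\x00" * 16 + b"MZ junk" + b"\x00" * 64 + build_minimal_pe_stub() + b"\xff" * 8

if __name__ == "__main__":
    print(carve_pe_candidates(hex_blob_from_vbs(SAMPLE_VBS)))
    print(carve_pe_candidates(SAMPLE_DUMP))
```

Once a candidate passes the e_lfanew check you can slice the buffer from mz_offset and write it to disk; the machine value (0x14C for 32-bit x86) is a quick sanity check that the header is real before loading the dump in IDA.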

When I analyzed the malware that I had dumped to disk with IDA Pro, it didn’t take long to discover that the data being sent to the command and control center was encrypted using the RC4 symmetric encryption algorithm. The string WePWNhouses12345 was used to generate the key for the RC4 encryption, which suggested the possibility that this malware was developed with the intention of targeting home users.

After discovering the string used to generate the key, I decided to write a Python program to decrypt the RC4-encrypted data. The result was a tool I named Polgov Decryptor. With this tool, I hope that those who have performed full packet capture on their networks in the past will be able to decrypt any encrypted data that may have been exfiltrated from their systems.
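To show the core of what a decryptor of this kind does, here is an added Python example (not the Polgov Decryptor itself): a plain RC4 (KSA plus PRGA) that decrypts captured request bodies, with a small printable-ratio check for judging whether a key guess produced text. It assumes the RC4 key is the raw bytes of WePWNhouses12345; the write-up only says the string was used to generate the key, so a real decryptor may need a derived key instead. The beacon body below is constructed and encrypted here with the same routine so the example runs offline.

```python
def rc4_keystream(key):
    """RC4: key-scheduling algorithm, then the PRGA as a generator of bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Assumption: the key is the raw bytes of the string from the write-up.
DEFAULT_KEY = b"WePWNhouses12345"


def decrypt_exfil(ciphertext, key=DEFAULT_KEY):
    """Decrypt a captured POST body sent to the C2's login.php."""
    return rc4(key, ciphertext)


def looks_like_plaintext(data):
    """Cheap check for a key guess: most bytes printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.9


# Constructed beacon body of the kind a login.php POST might carry.
SAMPLE_PLAINTEXT = b"host=WORKSTATION-01&user=alice&os=Windows"
SAMPLE_CIPHERTEXT = rc4(DEFAULT_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decrypt_exfil(SAMPLE_CIPHERTEXT)
    print(recovered, looks_like_plaintext(recovered))
```

Against a real capture, pass the raw HTTP body bytes (after removing any transport encoding) to decrypt_exfil; if the result fails looks_like_plaintext, the key derivation differs from the raw-string assumption and that is the next thing to recover from the dumped code.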

As a result, based on the information gathered from sandbox reports, it is evident that an advanced piece of spyware, whose name I am unable to identify, has been targeting Linux, Windows, and macOS users for an extended period. This spyware is capable of stealing audio, keystrokes, and password information. The use of the Lua scripting language, which we often encounter in APT malware, further suggests the possibility of an organized group being behind this threat. Finally, it would be wise for Windows, Linux, and macOS users alike to be cautious and vigilant while browsing websites.

Before concluding this article, I would like to thank the Cyber Crime Department for responding to my report and initiating an investigation. As a responsible citizen, I look forward to our next interaction. Until then, I wish everyone a safe and secure day.