Wonknu: A Spy For The 3rd ASEAN-US Summit

In the era of APTs, it feels like something is amiss when a forum of governments passes without any malware appearing. The 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.

A few days before the Kuala Lumpur summit, a subdomain under asean.org belonging to the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code appended to a script file on the site redirected visitors to 43.240.119.35. (At the time of writing, this malicious script is no longer accessible.)

Redirection Traffic

While still compromised, the ARC website also hosted an archive named "the 3rd ASEAN Defence Ministers’ Meeting.rar". It contained malware that we detect as Backdoor:W32/Wonknu.A.

Wonknu is signed by Awarebase Corp., an information management solutions company whose customers include organizations in the defense sector.

Wonknu Cert

The malware drops a copy of itself to c:\programdata\kav.exe. It then connects to 43.240.119.40:443 and functions as a backdoor that accepts the following commands:

  • GetsSysteminfo – Retrieve version information.
  • GetDiskInfo – Retrieve disk drive information.
  • GetFileList – Retrieve directory listing.
  • DownloadFile – Download file.
  • UpFile – Upload file.
  • RunExeFile – Run an executable file.
  • FileData – Write data to file.
  • DelFile – Delete a file.
  • NewDir – Create a directory.
  • CmeShell – Run a command from the shell.
  • Terminate Process
  • Enumerate Process

We searched for similar samples and found another one signed with the same certificate.

Signed downloader

This sample was first seen around early August of this year. At that time it could be downloaded from sft.spiritaero.com (Spirit AeroSystems is one of the largest producers of commercial aerostructures).

The sample masquerades as a Java file, specifically Javaw.exe version 6.0.0.105. The original Java executable was modified to include malicious code that downloads a file from 178.79.181.246 and saves it as Java_Down.exe on the affected machine. That download URL is also currently inaccessible.

Downloader Code

We also found that this IP hosted a Jquery.js, as in the ARC case above, but at the moment we are unable to obtain a copy of it either.

URLs and IPs:

  • 43.240.119.40:443
  • http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar
  • http://43.240.119.35/arc/Jquery.js
  • http://178.79.181.246/microsoft/Java_Down.exe
  • http://178.79.181.246/microsoft/jquery.js
  • https://sft.spiritaero.com/java/javaws.exe

Filenames:

  • the 3rd ASEAN Defence Ministers' Meeting.rar
  • the 3rd ASEAN Defence Ministers' Meeting.exe
  • c:\programdata\kav.exe
  • Java_Down.exe

Hashes:

  • a096a44aee0f0ff468c40488eab176d648b1c426
  • 068fa495aa6f5d6b4e0f45c90042a81eecdaec2c

Detections:

  • Backdoor:W32/Wonknu.A
  • Trojan-Downloader:W32/Wonknu.B
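As an added example (not from the original post), the following Python hunts for the network and host indicators listed above in constructed proxy-log lines and process-creation records; the log format, the internal IPs and the workstation names are assumptions for illustration.

```python
from urllib.parse import urlparse

# Network indicators taken from the write-up above.
NETWORK_IOCS = {
    "43.240.119.35",       # redirect target injected into the ARC site
    "43.240.119.40",       # Wonknu.A backdoor connects here on port 443
    "178.79.181.246",      # host serving Java_Down.exe and jquery.js
    "sft.spiritaero.com",  # original download location of the signed downloader
}

# Host artifacts taken from the write-up (compared case-insensitively).
HOST_IOCS = {
    r"c:\programdata\kav.exe",
    "java_down.exe",
    "the 3rd asean defence ministers' meeting.exe",
}

# Constructed sample telemetry: "<time> <client-ip> <method> <target> <status>".
SAMPLE_PROXY_LOG = """\
2015-11-18T09:12:01Z 10.1.4.23 GET http://arc.asean.org/index.html 200
2015-11-18T09:12:02Z 10.1.4.23 GET http://43.240.119.35/arc/Jquery.js 200
2015-11-18T09:12:05Z 10.1.4.23 CONNECT 43.240.119.40:443 200
2015-11-18T09:13:40Z 10.1.4.77 GET http://www.example.org/ 200
"""

# Constructed process-creation events (image path and parent image path).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-023", "image": r"C:\ProgramData\kav.exe",
     "parent": r"C:\Users\a\Downloads\the 3rd ASEAN Defence Ministers' Meeting.exe"},
    {"host": "ws-077", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def proxy_hits(log_text):
    """Return (client_ip, matched_host) for every proxy line touching a known IoC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        target = fields[3]
        # Full URLs (GET) carry a scheme; CONNECT lines are bare host:port.
        host = urlparse(target).hostname if "://" in target else target.split(":")[0]
        if host and host.lower() in NETWORK_IOCS:
            hits.append((fields[1], host))
    return hits

def process_hits(events):
    """Return (host, field, path) for image/parent paths matching a host IoC."""
    hits = []
    for ev in events:
        for key in ("image", "parent"):
            path = ev[key].lower()
            if path in HOST_IOCS or path.rsplit("\\", 1)[-1] in HOST_IOCS:
                hits.append((ev["host"], key, ev[key]))
    return hits
```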