In the era of APTs, it feels like something is amiss when there is a forum of governments and no malware arises. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.
A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended to the compromised script file, which redirected a visitor to 22.214.171.124. (At the moment, this malicious script is not accessible.)
While still compromised, the ARC website also hosted an archive with the filename: the 3rd ASEAN Defence Ministers’ Meeting.rar. This contained malware that we detect as Backdoor:W32/Wonknu.A.
Wonknu is signed by Awarebase Corp., an information management solutions company whose customers include those from the Defense sector.
The malware drops a copy of itself to the system as c:\programdata\kav.exe. It then connects to 126.96.36.199:443 and functions as a backdoor that is able to accept the following commands:
We tried to search for similar samples and found another one that used the same certificate.
This malware was first seen sometime around early August of this year. During that time, it could be downloaded from sft.spiritaero.com (Spirit AeroSystems is one of the largest producers of commercial aerostructures).
This malware pretends to be a Java file, Javaw.exe Version 188.8.131.52 to be exact. The original Java file was modified to include malicious code that downloads a file from 184.108.40.206. The downloaded file will be saved as Java_Down.exe on the affected machine. This URL is also currently inaccessible.
In addition, we’ve also found that this particular IP hosted Jquery.js, similar to the case above, but at the moment we are unable to obtain a copy of it as well.
220.127.116.11:443
http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar
http://18.104.22.168/arc/Jquery.js
http://22.214.171.124/microsoft/Java_Down.exe
http://126.96.36.199/microsoft/jquery.js
https://sft.spiritaero.com/java/javaws.exe

the 3rd ASEAN Defence Ministers' Meeting.rar
the 3rd ASEAN Defence Ministers' Meeting.exe
c:\programdata\kav.exe
Java_Down.exe
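
A sweep for the file, signer and URL indicators named in this post, run over endpoint and proxy events; this is an added example, not part of the original write-up. The event fields (`host`, `path`, `signer`, `url`) and the sample events are constructed, and URLs are matched by path and file name only, so hits are hunting leads to verify rather than verdicts.

```python
import ntpath
from urllib.parse import urlsplit, unquote

# Indicators taken from the post; everything is compared in lower case.
DROP_PATH = r"c:\programdata\kav.exe"
FILE_NAMES = {"java_down.exe",
              "the 3rd asean defence ministers' meeting.rar",
              "the 3rd asean defence ministers' meeting.exe"}
URL_PATHS = {"/arc/jquery.js", "/microsoft/jquery.js", "/microsoft/java_down.exe"}
SIGNER = "awarebase corp."
# File names the samples used while carrying that signer.
MASQUERADED = {"kav.exe", "javaw.exe", "javaws.exe"}

def check_event(ev):
    """Return the reasons an event matches an indicator from the post."""
    hits = []
    path = ev.get("path", "").lower()
    name = ntpath.basename(path)
    if path == DROP_PATH:
        hits.append("dropped-copy-path")
    if name in FILE_NAMES:
        hits.append("known-file-name")
    # A binary with an AV or Java name signed by an unrelated publisher.
    if ev.get("signer", "").lower() == SIGNER and name in MASQUERADED:
        hits.append("signer-name-mismatch")
    if "url" in ev:
        url_path = unquote(urlsplit(ev["url"]).path).lower()
        if url_path in URL_PATHS or url_path.rsplit("/", 1)[-1] in FILE_NAMES:
            hits.append("known-url-path")
    return hits

def sweep(events):
    """Map host -> reasons for every event with at least one hit."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings.setdefault(ev["host"], []).extend(hits)
    return findings

# Constructed sample events (hypothetical schema, documentation addresses).
SAMPLE_EVENTS = [
    {"host": "ws-01", "path": r"C:\ProgramData\kav.exe", "signer": "Awarebase Corp."},
    {"host": "ws-02", "path": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "signer": "Oracle America, Inc."},
    {"host": "ws-03", "path": r"C:\Users\a\AppData\Local\Temp\Java_Down.exe"},
    {"host": "ws-04", "url": "http://192.0.2.10/microsoft/Java_Down.exe"},
    {"host": "ws-05", "url": "http://arc.asean.org/the%203rd%20ASEAN%20Defence%20Ministers'%20Meeting.rar"},
    {"host": "ws-06", "url": "https://example.org/js/jquery.js"},
]

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_EVENTS).items():
        print(host, reasons)
```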