Recent MNKit Exploit Activity Reveals Some Common Threads

Anthony Kasza


Unit 42 recently identified a variant of MNKit-weaponized documents being used to deliver LURK0 Gh0st, NetTraveler, and Saker payloads. The documents were delivered to targets involved with universities, NGOs, and political/human rights groups concerning Islam and South Asia. Reuse of this MNKit variant, sender email addresses, email subject lines, attachment filenames, command and control domains, XOR keys, and targeted recipients show a connection between the different payload families delivered.

MNKit is the name given to a builder that generates CVE-2012-0158 exploit documents. The documents are in MHTML format and install a malicious payload on the compromised host. We believe MNKit is privately shared between multiple attack groups, but is not widely available.

Information about previous attack campaigns using MNKit is available in the following reports:

For more details on MNKit, see the Sophos publication, Office exploit generators.

Typical MNKit MHTML files have used User123 or User323 as the Author and LastAuthor element values within their DocumentProperties sections and C:/2673C891/Doc1.files/ as a file directory location. The samples discussed in this blog use User323 and User426 as Author and LastAuthor element values and C:/23456789/Doc1.files/ as a file directory location.

MNKit 1

LURK0 Delivery

LURK0 is a family of remote access trojans derived from Gh0st RAT. It has been used by attack groups for years, as discussed by CitizenLab in a publication from 2012 on Tibet-related information operations and has been fairly well analyzed in publicly available reporting. Contained within a subset of the MNKit exploit documents were malicious SFX PE files that delivered LURK0 implants. These PE files were encoded using a decrementing XOR function with the key beginning at 127. Within each SFX are five files:

The execution of the self-extracting zips side-loading of LURK0 payloads is identifiable by the registry key they create

The hashes and compile times of the malicious RasTls.dll files follow:

www.amerikauyghur[.]top and dge.123nat[.]com are two command and control domains resolved by the malware. The first domain was previously mentioned by Arbor Networks in a report detailing the targeting of Tibetan, Hong Kong, and Taiwanese interests in their report, The Four-Element Sword Engagement. A subdomain of 123nat[.]com, manhaton.123nat[.]com, was also referenced in Arbor’s report as a LURK0 command and control domain. Below shows the LURK0 string used in the first five bytes of an implant beacon.

MNKit 2

Saker Delivery

Saker, often also called ‘Xbox’ and ‘Mongall’, is a malware family used by targeted attack groups who have also deployed NetTraveler and Gh0stRAT.

Two of the sending addresses used to distribute the above LURK0 samples, dolkun2015@gmail[.]com and duqdiniishlari@gmail[.]com, were also used to distributed other types of malware. By observing overlaps in the sending and receiving email addresses as well as the filenames of attachments, we were able to identify additional MNKit exploit documents that also included self-extracting PE files. These PE files were again XOR encoded in the attached documents using the same decrementing key (beginning with 127). These additional SFX PE files are password protected using one of the following passwords:

Instead of including RasTls.exe to sideload payloads (as the LURK0 payloads did), within each of the embedded PEs is a single DLL file named msdis.dll which exports a function named JustTempFun. The recently compiled and deployed msdis.dll files’ SHA256 hashes and compile timestamps follow:

Saker samples construct strings during execution. One such string is the origin of the malware’s name.

MNKit 3

The Saker PEs also contain a user agent strings (also constructed manually during execution) of Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 1.1.4531) and Mozilla/6.0 (compatible; MSIE 9.0; Wis NT 8.1; .NET CLR 2.13431). This second user agent is similar to the user agent, <code>Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322), as outlined by FireEye in 2014.

The command and control locations for the Saker samples delivered via MNKit follow:

amerikauyghur[.]top overlaps with the LURK0 samples previously mentioned. Both onebook[.]top (registered with a registrant email address of interestbook@sina.com and bsnl.wang (registered with a registrant email address of jgjop@yahoo.com) have resolved previously to 103.232.222[.]20.

Using AutoFocus, we were able to locate additional samples that resolved to these domains. The samples are a mix of LURK0, Saker, and PlugX. Their hashes follow:

Pivoting from the first rather unique user agent string we located the following Saker samples on totalhash:

These samples beacon to www.togolaga[.]com (103.246.246[.]221) and unisers[.]com (123.254.104[.]32) which respectively were mentioned by the Sophos Rotten Tomatoes publication.

Within AutoFocus the user-agent string was also seen being used by the following Saker sample hashes:

These resolve and connect to the following domain names:

notebookhk[.]net, also mentioned in the Rotten Tomatoes report, was at one point a known PlugX command and control domain. This domain as well as www.dicemention[.]com are noted Korplug (often used to load PlugX) domains outlined by ESET in a blog post here. These domains as well as other overlapping indicators, such as the export function name JustTempFun, were discussed by ProofPoint in a 2015 publication on PlugX targeting Russian military and telecom organizations and by Kaspersky in part 1 of their publication on NetTraveler.

NetTraveler Delivery

NetTraveler is a backdoor used to install other malware, steal information, and provide remote control of a compromised system. The targets previously mentioned by Kaspersky Lab of the NetTraveler operators aligns closely with the recipients of a new set of samples.

Three additional MNKit documents were located as MNKit exploit attachments. Unfortunately, we were unable to locate emails the attachments were sent with. These three samples also included SFX PE files encoded using the same decrementing XOR. Within each PE are three files which side-load NetTraveler. The files are named:

The hashes and compile timestamps for each fslapi.dll follow:

The fslapi.dll files load their accompanying fslapi.dll.gui files that are XOR encoded. The decoded fslap.dll.gui DLLs include the following embedded URLs, the first of which was previously documented by Unit 42 as a red herring within NetTraveler samples.

The fslapi.dll files contain an overlay that is used to decode the real C2 as documented in the same Unit 42 NetTraveler blog. The decoded command and control URLs include:

MNKit 4

Both domains have previously resolved to 103.231.184[.]163 which has also hosted www.tassnews[.]net www.info-spb[.]com, both of which have also been used as NetTraveler command and control domains. www.tassnews.net is also the resolved by

the SFX PE (encoding using the same decrementing XOR) decoded from

another sample of this MNKit variant.

Tassnews[.]net was registered with a registrant email address of ghjksd@gmail[.]com and info-spb[.]com was registered with a registrant email address of kefj0943@yahoo[.]com. Riaru[.]net was registered with a registrant email address of fjknge@yahoo[.]com on 29 March 2016, which also registered one other domain name, yandax[.]net, on 16 June 2016 using the same authoritative DNS servers and registrar. Interfaxru[.]com was registered with a registrant email address of ganh@gmail[.]com on 18 April 2016 using the same registrar and authoritative DNS servers as riaru[.]net and yandax[.]net. Only one domain name is currently registered by ganh@gmail[.]com, however it would be no surprise if an additional domain is registered by this registrant in the near future.

Putting it All Together

While MNKit has been associated with multiple different groups the reuse of domain names, IPv4 addresses, phishing themes, XOR schemes, and email accounts are strong evidence for linkage between these new attacks and the previously documented ones. The change in PE SFX contents over the three sets of SFX PE files between February 2016 to March 2016, March 2016 to April 2016, and April 2016 to June 2016 time frames show a slight deviation is payload but consistencies in delivery methods. The best defense against MNKit is to ensure your systems are patched for CVE-2012-0158, but in situations where this isn’t possible, exploit mitigation technology like Traps is warranted.

While attribution is a challenging art, it’s likely whoever is behind these recent attacks is, through infrastructure, malware families and delivery techniques, somehow related to the previously reported attacks. The attackers have been active for years, will likely continue to be active, and seem to prefer to change tactics only subtly.

AutoFocus users can track the malware discussed above using the following tags:

Examined MNKit Samples and Payloads

MNKit MIME attachments carrying LURK0 payloads:

LURK0 payload files contained within MNKit documents:

MNKit MIME attachments carrying Saker payloads:

Saker payload files contained within MNKit documents:

MNKit MIME attachments carrying NetTraveler payloads:

NetTraveler payload files contained within MNKit documents:

 

 

 

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS