Spying via XLS files	Posted by Mikko @ 11:10 GMT

We see targeted attacks and espionage with trojans regularily. Here's a typical case.

A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person.

When opened, this is what the XLS looked like:



However, in reality the malicious file had already exploited Excel and taken over the computer by the time you saw this.

The exploit code creates two new DLL files to the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them.

These DLL files are backdoors that try to communicate back to the attackers, using these sites:

• feng.pc-officer.com
  
• ihe1979.3322.org

Right now, host ihe1979.3322.org does not resolve at all, and feng.pc-officer.com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks.

The domain name pc-officer.com is a weird one. It has been registered already in 2006, and it has been used in targeted attacks before.

See this ISC blog entry from September 2007. Here the attack was done via a DOC files, instead of XLS. And the reporting server was ding.pc-officer.com, not feng.pc-officer.com.

If you haven't read about Ghostnet yet, now would be a good time.

PS. We don't know what area is shown in the map image. If you do, please leave a Comment.

Updated to add, Wednesday the 7th of April:

We kept monitoring the host feng.pc-officer.com. As expected, it became alive for a short period yesterday.

Here's what our logs look like:

   Tue 7 Apr 2009 16:13:21    63.64.63.64
   Tue 7 Apr 2009 16:14:17    63.64.63.64
   Tue 7 Apr 2009 16:15:13    63.64.63.64
   Tue 7 Apr 2009 16:16:09    216.255.196.154
   Tue 7 Apr 2009 16:17:04    216.255.196.154
   Tue 7 Apr 2009 16:18:00    216.255.196.154
   Tue 7 Apr 2009 17:40:33    216.255.196.154
   Tue 7 Apr 2009 17:41:29    216.255.196.154
   Tue 7 Apr 2009 17:42:25    216.255.196.154
   Tue 7 Apr 2009 17:43:21    63.64.63.64
   Tue 7 Apr 2009 17:44:17    63.64.63.64
   Tue 7 Apr 2009 17:45:13    63.64.63.64

IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.

The IP is located in Spokane, USA:   

% whois 216.255.196.154
   
   OrgName:    One Eighty Networks
   OrgID:      OEN-1
   Address:    118 N Stevens
   City:       Spokane
   StateProv:  WA
   PostalCode: 99201
   Country:    US

Updated to add, Thursday the 9th of April:

It changed again. Host feng.pc-officer.com is now pointing to 211.234.122.84.

This IP is located in Seoul. South Korea:   

% whois 211.234.122.84
   
   [ IPv4�ּ� ��� ��� ���� ]
   ���������ȣ       : ORG137200
   �����             : (��)����������
   �ּ�               : ������ ������
   ���ּ�           : 261-1
   ������ȣ           : 135-010

---