we will detail our discovery of the next two versions of MM Core, namely “BigBoss” (2.2-LNK) and “SillyGoose” (2.3-LNK). Attacks using “BigBoss” appear to have been taking place since mid-2015, whereas “SillyGoose” appears to have been distributed since September 2016. Both versions still appear to be active.
Targeted Regions And Industries
In 2013 MM Core was reported to target Middle Eastern and Central Asian countries. Our own telemetry suggests that both Africa and the United States have also been recent targets. The following list shows the targeted industries we have observed:
- News & Media
- Government – Defence
- Oil & Gas Manufacturing
MM Core Capabilities
An overview of MM Core backdoor’s functionalities is as follows:
- Send the infected system’s computer name, Windows version, system time, running processes, TCP/IP configuration, and top-level directory listings for drives C to H
- Download and execute file
- Download and execute file in memory
- Update itself
- Uninstall itself
Previously the MM Core downloader component was downloaded and executed through shellcode by a DOC file exploiting CVE-2012-0158. The new DOC exploit we found instead targets the more recent Microsoft Word vulnerability CVE-2015-1641, which it uses to extract embedded malware. The extracted malware is then executed through DLL side-loading.
The DOC file we analysed (SHA1 d336b8424a65f5c0b83328aa89089c2e4ddbcf72) was named “US pak track ii naval dialogues.doc”. It exploits CVE-2015-1641 and runs shellcode which drops a legitimate Microsoft executable together with a trojanised DLL named “ChoiceGuard.dll”. The shellcode then launches the Microsoft executable, which automatically loads the malicious DLL into its own process because the DLL carries the name of a library the executable expects to find alongside it, hence the term “side-loading”. The DLL downloads and executes the file-less MM Core backdoor in memory. The backdoor is hidden by steganography inside a JPEG file, and the JPEG carries a decoder stub that decrypts it using the Shikata ga nai algorithm (a polymorphic XOR additive-feedback encoder).
Once decrypted and executed in memory, MM Core extracts and installs an embedded downloader on its first run and adds it to Windows start-up for persistence. This downloader, which is similar to the trojanised DLL, is then executed and fetches the MM Core JPEG once again, executing it in memory as before. On this second run MM Core performs its backdoor routine: it sends off system information and awaits further commands.
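The two hiding steps described above, as an added example that is not code from this write-up or from MM Core itself. It makes two labelled assumptions the post does not confirm: that the payload sits after the JPEG’s End-Of-Image marker (the post says only “steganography”), and that the key is known, whereas a real sample recovers it from the Shikata ga nai decoder stub embedded in the image. The XOR additive-feedback transform itself is the one Shikata ga nai uses; the JPEG walker is what a triage script would use to find bytes that no image viewer will ever render. All sample data is constructed inline.

```python
"""Added example, not code from the Forcepoint post or from MM Core.

Assumptions (not stated in the post): the hidden payload is appended after the
JPEG's EOI marker, and the XOR additive-feedback key is supplied directly rather
than parsed out of the decoder stub that the real image carries.
"""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
MASK32 = 0xFFFFFFFF


def find_eoi(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the EOI
    that ends the primary image. Walking segments instead of searching for
    FF D9 avoids stopping at an EOI inside an embedded EXIF thumbnail."""
    if not data.startswith(SOI):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: end of the real picture
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                            # standalone markers, no length
        if pos + 2 > len(data):
            break
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                       # a real marker, not stuffing/RSTn
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def split_after_eoi(data: bytes):
    """(image, trailing): trailing is whatever follows the picture proper."""
    end = find_eoi(data)
    return data[:end], data[end:]


def xor_additive_feedback(data: bytes, key: int, decode: bool) -> bytes:
    """Shikata-ga-nai style transform over little-endian dwords: XOR each
    dword with the running key, then advance the key by the PLAINTEXT dword
    (the x86 stub does `xor [edi], eax` followed by `add eax, [edi]`)."""
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4 (the stub counts dwords)")
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", data):
        other = word ^ key
        out += struct.pack("<I", other)
        plain = other if decode else word
        key = (key + plain) & MASK32
    return bytes(out)


def hide(payload: bytes, key: int) -> bytes:
    """Encode the payload and append it to a constructed JPEG shell (not a real
    capture): an APP1 segment that itself contains FF D9, as an EXIF thumbnail
    would, a scan with byte stuffing and an RST marker, then the real EOI."""
    def segment(marker, body):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body
    padded = payload + b"\x00" * (-len(payload) % 4)
    app1 = segment(0xE1, b"Exif\x00\x00" + SOI + b"\x00" * 4 + EOI)
    sos = segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app1 + sos + scan + EOI + xor_additive_feedback(padded, key, False)


def recover(blob: bytes, key: int) -> bytes:
    """Triage path for a suspect image: separate the bytes after EOI and
    decode them with the (assumed known) key."""
    _, trailing = split_after_eoi(blob)
    return xor_additive_feedback(trailing, key, True)


if __name__ == "__main__":
    key = 0x1337BEEF
    blob = hide(b"constructed stage payload", key)
    print("bytes after EOI:", len(blob) - find_eoi(blob))
    print(recover(blob, key))
```

The segment walker matters in practice: a naive search for the last FF D9 would be fooled by trailing data that happens to contain that byte pair, and a search for the first FF D9 stops inside the EXIF thumbnail. Bytes after EOI are not proof of malware on their own, but a JPEG fetched by a freshly side-loaded DLL and carrying kilobytes past EOI is worth pulling apart.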
An overview of this infection process is as follows:
Some of the downloader components we found (e.g. “ChoiceGuard.dll”) are signed with a valid Authenticode certificate issued to the Russian organisation “Bor Port”:
We suspect that this certificate was stolen, as it is very unlikely that a malware author would sign malware with a certificate issued to their own organisation.
UPDATED MALWARE ARTEFACTS
Newer versions of MM Core use updated version tags, mutexes, and filenames as compared with their 2013 counterparts. These are listed in the table below:
The MM Core actors have made significant efforts to hinder tracking of their infrastructure. The first two versions of MM Core back in 2013 used spoofed registrant information to register the C2 domains, whereas the new campaigns register their C2 domains through a registrant privacy protection service. This makes it more difficult to pivot on WHOIS data when mapping the actors’ infrastructure.
The actors have also registered their domains on BigRock, a popular web hosting company, in order to blend in with the noise of legitimate sites that are hosted on the same infrastructure.
FORCEPOINT PROTECTION STATEMENT
Forcepoint™ Customers Are Protected Against This Threat Via TRITON® ACE At The Following Stages Of Attack:
- Stage 5 (Dropper File) – The malware components are prevented from being downloaded and/or executed.
- Stage 6 (Call Home) – Network traffic used by the downloaders and MM Core is identified and blocked.
MM Core is an active threat targeting multiple countries and high-profile industries. It is notable that even though MM Core’s version number has been incremented twice, the core backdoor code has remained almost unchanged apart from the new file and mutex names. This is probably due largely to the file-less nature of its payload, which would also explain why most of the updates were made to the delivery mechanism. At the same time it demonstrates that the attackers behind MM Core know very well what they are doing, updating the malware just enough to keep their operation under the radar after all these years.
On the other hand, while the volume of related MM Core samples remains low, we noticed that the MM Core downloader shares code, techniques and network infrastructure with a trojan called “Gratem”, and recent samples of both are signed with the same Authenticode certificate. Gratem is a more active downloader malware family which has been distributed since at least 2014. Ultimately this suggests that MM Core may be part of a larger operation that has yet to be fully uncovered.
INDICATORS OF COMPROMISE
d336b8424a65f5c0b83328aa89089c2e4ddbcf72 (US pak track ii naval dialogues.doc)
Dropper/Downloader Samples (SHA1)
MM Core Unpacked DLL Samples (SHA1)
Related Gratem Samples (SHA1)
Dropper/Downloader Payload Locations
MM Core Payload Locations
MM Core C2s
Gratem Second Stage Payload Locations