MIRAGE

1. MIRAGE CPSC 620 Project By Neeraj Jain HiranmayiPai

2. Table of Contents • Introduction • Background • Analysis • Identification of Victims • Threat Factors • Conclusion

3. Introduction • What is a malware? • What is a “Mirage” malware?

4. Background • Is linked to the same hackers behind the RSA breach last year [1]. • Mirage shares attributes with the malware families JKDDOS and Lingbo • Mirage Trojan targets mid-level to senior-level executivesby sending out spear-phishing email.`

5. Analysis • Distribution Vector • Behavior Analysis • Control and Command Server Operations • Variants

6. Distribution Vector • The spear phishing emails contain an attachment that includes a malicious payload that installs a copy of Mirage. • CTU researchers have identified several files that drop and execute a copy of Mirage onto a target system. These "droppers" are designed to look and behave like PDF documents.

7. Behavior Analysis • There are two main variants of the Mirage Trojan. • Variants are based on the way the trojancommunicates with the command and control (C2) servers. • When Mirage executes, the original file copies itself to a folder under C:\Documents and Settings\<USER>\ or C:\Windows\ and then deletes the original file. • CTU researchers have observed the following filenames created after execution: svchost.exe ,ernel32.dll, thumb.db, csrss.exe, Reader_SL.exe, MSN.exe

8. Control and Command Server Operations - 1 • Mirage tries to send a system profile by contacting the C2 server using a standard HTTP request. • This profile contains the CPU speed, memory size, system name and username. • It is observed that this communication occurs over ports 80, 443 and 8080

9. Control and Command Server Operations - 2 • Variant 1

10. Control and Command Server Operations - 3

11. Control and Command Server Operations - 4 • The second variant of Mirage uses HTTP GET requests

12. Variants • Several Mirage variants are customized for specific need, not for widespread targeting. • One of the variant was found configured with the default credentials of the targeted environments web proxy servers.

13. Identification of Victims

14. Threat Actors • When investigating the DNS addresses of the C2 servers, CTU researchers identified several IP addresses of hosting companies based in the United States that are running HTran. • In the CTU research team's 2011 analysis of HTran, the software's author was identified as a member of the Chinese hacker group HUC, the Honker Union of China.

15. Conclusion • Mirage represents only one small piece of malware involved in an ongoing worldwide campaign[2]. • The IP addresses of the systems used by hackers to remotely control Mirage-infected machines belong to the China Beijing Province Network (AS4808), as did three of the IP addresses used in the Sin Digoocampaign [3]. • For companies in the targeted industries, using active intrusion detection and prevention systems as well as DNS monitoring for malicious domains is essential to detecting this activity.

16. References • http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/ • http://www.securityweek.com/cyber-espionage-campaign-targets-oil-companies • http://www.theregister.co.uk/2012/09/21/mirage_cyberespionage_campaign/