In this report, Citizen Lab Security Researcher Morgan Marquis-Boire describes analysis performed on malicious software used to compromise a high profile dissident residing in the United Arab Emirates. The findings indicate that the software is a commercial surveillance backdoor distributed by an Italian company known as Hacking Team. The report also describes the potential involvement of vulnerabilities sold by the French company, VUPEN.
In July of this year, Morgan Marquis-Boire and Bill Marczak published analysis of what appeared to be FinSpy, a commercial trojan from the FinFisher suite of surveillance tools sold by Gamma Group International. Their report, From Bahrain with Love: FinFisher’s Spykit Exposed?, presented evidence consistent with the use of FinSpy to target Bahraini dissidents, both within Bahrain and abroad.
A range of other companies sell surveillance backdoors and vulnerabilities for what they describe as “lawful intercept tools.” Recently CSO magazine published an article reporting on claims by anti-virus company Dr Web that a backdoor known as “Crisis” or “DaVinci” was, in fact, the commercial surveillance tool “Remote Control System” sold by Milan, Italy-based lawful intercept vendor Hacking Team [1]. According to an article published by Slate, the same backdoor was used to target Moroccan citizen journalist group Mamfakinch [2].
This report examines the targeting of Mamfakinch and evidence suggesting that the same commercial surveillance toolkit described in these articles appears to have also been used in a recent campaign targeting Ahmed Mansoor, a human rights activist based in the United Arab Emirates (UAE). Additionally, it examines the possibility that a vulnerability linked to the French company VUPEN was used as the vector for intrusion into Ahmed Mansoor’s online presence.
The findings of this report contribute to a body of evidence of a growing commercial market for offensive computer network intrusion capabilities developed by companies in Western democratic countries. While the majority of these companies claim to sell their products to a restricted client base of law enforcement, military, and intelligence agencies, this report shows another example of commercial network intrusion tools being used against dissidents in countries with poor human rights records.
The market for commercial computer network intrusion capabilities has become a focus of controversy and debate about regulatory and legal controls that might be exercised over sales to such regimes or uses of the technology to target dissidents. Following the publication of From Bahrain with Love: FinFisher’s Spykit Exposed, the U.K. government reaffirmed that existing controls restricting the export of cryptographic systems apply to the Gamma Group’s exports of FinSpy.
In general, targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness.
Recent Background: Da Vinci and Mamfakinch.com
On Friday the 13th of July 2012, the Moroccan citizen media and journalism project Mamfakinch [3] was targeted by an electronic attack that used surveillance malware. Mamfakinch.com, a website that is frequently critical of the Moroccan government, received a message via their website directing recipients to a remote webpage:
The text, which hints at a sensitive scoop or lead, translates roughly as “please don’t mention my name and don’t say anything at all [about me] I don’t want to get mixed up in this”.
The logs of the website reveal this message was sent from Moroccan IP space:
184.108.40.206 - - [13/Jul/2012:20:48:46 +0100] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=8659047 HTTP/1.0" 200 34610 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
220.127.116.11 - - [13/Jul/2012:20:48:47 +0100] "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1" 200 9886 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
18.104.22.168 - - [13/Jul/2012:20:50:08 +0100] "POST /nous-contacter/ HTTP/1.1" 200 139 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
22.214.171.124 - - [13/Jul/2012:20:50:12 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9887 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
126.96.36.199 - - [13/Jul/2012:20:50:14 +0100] "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1" 200 9888 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
The IP from which the targeting message was uploaded (188.8.131.52) is from a Moroccan range dedicated to mobile 3G Internet users in the capital Rabat and its surroundings:
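The log excerpt above is in the standard Apache “combined” format, and the triage step it illustrates (find the contact-form POST, replay that visitor's requests, attribute the source address to a network) is easy to script. The following is an added example, not code from the report or from Mamfakinch. The log lines, the 192.0.2.0/24 and 198.51.100.0/24 addresses and the range label are constructed (RFC 5737 documentation ranges standing in for the Moroccan 3G block the report describes).

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format, the layout of the Mamfakinch log lines in the report
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed lines modelled on the report's excerpt; the addresses are documentation ranges, not real visitors
SAMPLE_LOG = """\
192.0.2.17 - - [13/Jul/2012:20:48:46 +0100] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=8659047 HTTP/1.0" 200 34610 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
192.0.2.17 - - [13/Jul/2012:20:50:08 +0100] "POST /nous-contacter/ HTTP/1.1" 200 139 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
192.0.2.17 - - [13/Jul/2012:20:50:12 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9887 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
198.51.100.8 - - [13/Jul/2012:21:02:30 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9887 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
"""

# Constructed attribution table standing in for whois/BGP data (the report's range is a Rabat 3G block)
KNOWN_RANGES = {
    ip_network("192.0.2.0/24"): "constructed mobile range (stand-in for the Rabat 3G block)",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def sessions(log_text):
    """Group requests by client IP, in file order, so a visitor's path through the site can be replayed."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    return by_ip


def attribute(ip):
    """Label an address with the network it belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for net, label in KNOWN_RANGES.items():
        if addr in net:
            return label
    return "unknown"


def form_submitters(log_text, form_path):
    """IPs that POSTed to the contact form, with timestamp and network attribution for each submission."""
    out = []
    for ip, recs in sessions(log_text).items():
        for rec in recs:
            if rec["method"] == "POST" and rec["path"] == form_path:
                out.append({"ip": ip, "when": rec["ts"], "range": attribute(ip)})
    return out


if __name__ == "__main__":
    for sub in form_submitters(SAMPLE_LOG, "/nous-contacter/"):
        print(f"{sub['ip']} submitted the form at {sub['when']:%Y-%m-%d %H:%M:%S %z} ({sub['range']})")
        print("  session:", " -> ".join(f"{r['method']} {r['path']}" for r in sessions(SAMPLE_LOG)[sub['ip']]))
```

On a real server the log text would be read from the access log and KNOWN_RANGES filled from whois or BGP data; the value of grouping by IP is that the form POST can be seen in context (the page load before it and the reload after it), which is what lets a responder tie a delivered lure to one visit.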
The page, found at http://freeme.eu5.org/scandale%20(2).doc, prompted the user to install a malicious Java file, “adobe.jar”:
This file then facilitated the installation of a multi-platform (OS X and Windows) backdoor.
Length Date Time Name
------- ---------- ----- ----
253 2012-07-09 14:33 META-INF/MANIFEST.MF
374 2012-07-09 14:33 META-INF/SIGNAPPL.SF
888 2012-07-09 14:33 META-INF/SIGNAPPL.DSA
0 2011-09-15 11:07 META-INF/
3853 2011-09-15 11:07 WebEnhancer.class
1043456 2012-07-09 16:33 win
993440 2012-07-09 16:33 mac
2042264 7 files
In the contents of the .jar you can see files called “win” and “mac”, which correspond to the Windows and OS X backdoors respectively:
The Windows backdoor contains a variety of clear-text strings found in the SSH client PuTTY. The OS X version of the backdoor, however, contains what appear to be debug strings referencing the name of the developer, ‘Guido’:
Execution of the Windows backdoor writes the following files to disk:
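A signed JAR whose non-class members are native executables is a recognisable dropper shape, and the listing above can be checked mechanically: signature files under META-INF/ show the archive is signed, and the leading bytes of “win” and “mac” tell you which platforms are targeted. The script below is an added example, not the report's tooling and not adobe.jar; build_sample_jar() builds a constructed archive with the same member names as the listing but fake, non-executable bodies, and the format magics it matches (MZ/PE, Mach-O, fat Mach-O, Java class) are the standard ones.

```python
import io
import struct
import zipfile

SIGNATURE_EXTS = (".SF", ".DSA", ".RSA", ".EC")


def classify(head):
    """Identify an executable payload from its leading bytes (pass at least a few hundred bytes)."""
    if head[:2] == b"MZ" and len(head) >= 0x40:
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        if head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "windows-pe"
        return "dos-mz"
    if head[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf"):
        return "macho"
    if head[:4] == b"\xca\xfe\xba\xbe" and len(head) >= 8:
        # Fat Mach-O binaries and Java class files share this magic. The next big-endian word is the
        # architecture count for a fat binary (small) or minor/major version for a class file (major >= 45).
        return "java-class" if struct.unpack_from(">I", head, 4)[0] >= 45 else "macho-fat"
    return "unknown"


def inspect_jar(blob):
    """Summarise a JAR: is it signed, which classes it carries, and which members are native executables."""
    report = {"signed": False, "classes": [], "payloads": {}}
    with zipfile.ZipFile(io.BytesIO(blob)) as jar:
        for info in jar.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_EXTS):
                report["signed"] = True
            elif name.endswith(".class"):
                report["classes"].append(name)
            else:
                with jar.open(info) as fh:
                    kind = classify(fh.read(512))
                if kind != "unknown":
                    report["payloads"][name] = (kind, info.file_size)
    return report


def build_sample_jar():
    """Constructed stand-in for adobe.jar: the report's member names with fake bodies (not the real files)."""
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 200   # e_lfanew -> 0x40
    fat = b"\xca\xfe\xba\xbe" + struct.pack(">I", 2) + b"\x00" * 200                        # 2 architectures
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/SIGNAPPL.SF", "Signature-Version: 1.0\n")
        jar.writestr("META-INF/SIGNAPPL.DSA", b"\x30\x82\x00\x00")          # DER shell only, no real signature
        jar.writestr("WebEnhancer.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32")  # class file, major version 50
        jar.writestr("win", pe)
        jar.writestr("mac", fat)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar())
    print("signed:", report["signed"])
    print("classes:", report["classes"])
    for member, (kind, size) in report["payloads"].items():
        print(f"native payload {member!r}: {kind}, {size} bytes")
```

To use it on a real archive, pass the file's bytes to inspect_jar(). A signed JAR with a single small class plus megabyte-sized PE and Mach-O members is exactly the profile in the listing above, and that combination is worth alerting on regardless of what the signature says about the publisher.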
The file ‘ZsROY7X.-MP’ appears to provide the main backdoor functionality:
It is executed via rundll32 and the following registry entry created to ensure persistence:
Processes such as iexexplorer.exe and wscntfy.exe are infected. Examination of loaded modules for “wscntfy.exe” reveals:
The backdoor has been identified as a variant of a commercial backdoor sold by the Italian company “Hacking Team”. First identified by the Russian antivirus company Dr Web on July 25th, 2012, the backdoor has been called “Remote Control System,” “Crisis” and “DaVinci”.
The Hacking Team Remote Control System (RCS) is described in a leaked copy of their promotional literature as:
“A stealth, spyware-based system for attacking, infecting and monitoring computers and smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.)” [4]
The Hacking Team public website stipulates that their technology is sold only to a restricted customer base:
“...we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.” [5]
UAE Human Rights Activist Compromised
Ahmed Mansoor is a prominent UAE blogger and one of the ‘UAE Five’, a group of Emirati activists who were imprisoned from April to November 2011 on charges of insulting President Khalifa bin Zayed Al Nahyan, Vice President Mohammed bin Rashid Al Maktoum, and Crown Prince Mohammed bin Zayed Al Nahyan of the United Arab Emirates [6].
This email, sent from a suggestively titled e-mail address, urges the recipient to read a ‘very important message’ and it contained the following attachment:
The attachment is malicious. To the user it appears to be a Microsoft Word document; in fact it is an RTF file containing an exploit that allows the execution of code which downloads surveillance malware.
This document exploits a stack-based buffer overflow in the RTF format that has been previously characterized:
“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka “RTF Stack Buffer Overflow Vulnerability.” [7]
When Ahmed Mansoor opened the document, his suspicions were aroused by the garbled text it displayed. His email account was later accessed from the following suspicious IPs:
IMAP United Arab Emirates (184.108.40.206) Jul 26 (1 day ago)
IMAP United Arab Emirates (220.127.116.11) Jul 25 (2 days ago)
IMAP United Arab Emirates (18.104.22.168) Jul 24 (3 days ago)
IMAP United Arab Emirates (22.214.171.124) 6:54 am (3 hours ago)
Analysis of “veryimportant.doc”
The file “veryimportant.doc” is a downloader that downloads the second stage of the malware via HTTP:
The 2nd stage is called “veryimportant.doc2”:
The executable code is downloaded from: http://ar-24.com/0000000031/veryimportant.doc3
Similar in behavior and appearance to the Windows version of the RCS backdoor that targeted Mamfakinch, ‘veryimportant.doc3’ contains a variety of clear-text strings found in the SSH client PuTTY. On execution, “veryimportant.doc3” writes the following files to disk:
The following command is run, executing the file: “V46lMhsH.shv”
This then infects the following processes:
For example, if we examine the process ‘wscntfy.exe’ the following modules are loaded:
C:\WINDOWS\system32\winhttp.dll 4d4f0000 59000
C:\WINDOWS\system32\ws2_32.dll 71ab0000 17000
C:\WINDOWS\system32\ws2help.dll 71aa0000 8000
C:\WINDOWS\system32\ole32.dll 774e0000 13d000
C:\WINDOWS\system32\oleaut32.dll 77120000 8b000
C:\WINDOWS\system32\imm32.dll 76390000 1d000
Examination of this process in the memory of an infected machine reveals the following functions are hooked by the malware:
Function: ntdll.dll!NtEnumerateValueKey at 0x7c90d2ee
Function: ntdll.dll!NtQueryDirectoryFile at 0x7c90d76e
Function: ntdll.dll!NtQueryKey at 0x7c90d85e
Function: ntdll.dll!NtQuerySystemInformation at 0x7c90d92e
Function: ntdll.dll!RtlGetNativeSystemInformation at 0x7c90d92e
Function: ntdll.dll!ZwDeviceIoControlFile at 0x7c90d27e
Function: ntdll.dll!ZwEnumerateValueKey at 0x7c90d2ee
Function: ntdll.dll!ZwQueryDirectoryFile at 0x7c90d76e
Function: ntdll.dll!ZwQueryKey at 0x7c90d85e
Function: ntdll.dll!ZwQuerySystemInformation at 0x7c90d92e
Function: kernel32.dll!CreateFileW at 0x7c810800
Function: kernel32.dll!CreateProcessA at 0x7c80236b
Function: kernel32.dll!CreateProcessW at 0x7c802336
Function: kernel32.dll!DeleteFileW at 0x7c831f63
Function: kernel32.dll!MoveFileW at 0x7c821261
Function: kernel32.dll!ReadConsoleA at 0x7c872b5d
Function: kernel32.dll!ReadConsoleInputA at 0x7c874613
Function: kernel32.dll!ReadConsoleInputExA at 0x7c874659
Function: kernel32.dll!ReadConsoleInputExW at 0x7c87467d
Function: kernel32.dll!ReadConsoleInputW at 0x7c874636
Function: kernel32.dll!ReadConsoleW at 0x7c872bac
Function: USER32.dll!CreateWindowExA at 0x7e42e4a9
Function: USER32.dll!CreateWindowExW at 0x7e42d0a3
Function: USER32.dll!GetMessageA at 0x7e42772b
Function: USER32.dll!GetMessageW at 0x7e4191c6
Function: USER32.dll!PeekMessageA at 0x7e42a340
Function: USER32.dll!PeekMessageW at 0x7e41929b
Function: GDI32.dll!CreateDCA at 0x77f1b7d2
Function: GDI32.dll!CreateDCW at 0x77f1be38
Function: GDI32.dll!DeleteDC at 0x77f16e5f
Function: GDI32.dll!EndDoc at 0x77f2def1
Function: GDI32.dll!EndPage at 0x77f2dc61
Function: GDI32.dll!GetDeviceCaps at 0x77f15a71
Function: GDI32.dll!SetAbortProc at 0x77f44df2
Function: GDI32.dll!StartDocA at 0x77f45e79
Function: GDI32.dll!StartDocW at 0x77f45962
Function: GDI32.dll!StartPage at 0x77f2f49e
Function: ADVAPI32.dll!CreateProcessAsUserA at 0x77e10ce8
Function: ADVAPI32.dll!CreateProcessAsUserW at 0x77dea8a9
Function: imm32.dll!ImmGetCompositionStringW at 0x7639548a
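The list above is what a user-mode inline-hook scan produces: for each export, the scanner reads the first bytes of the function in the infected process and asks whether they transfer control somewhere outside the module that owns the export. Note that the Nt*/Zw* pairs share an address (NtEnumerateValueKey and ZwEnumerateValueKey are both at 0x7c90d2ee), so one patch shows up under two names. The code below is an added example of that detection logic, not the tool used for the report. The export names and addresses are taken from the list above; the module base addresses and sizes, the implant's load address and the byte patterns in MEMORY are constructed to exercise the check and are not from the sample.

```python
import struct

# Constructed module map (base, size) approximating an XP-era layout. The implant's own region lies
# outside every legitimate module, which is what the check relies on.
MODULES = {
    "ntdll.dll": (0x7C900000, 0xB2000),
    "kernel32.dll": (0x7C800000, 0xF6000),
}
IMPLANT_BASE = 0x10000000  # constructed: where the injected backdoor code lives

# Export addresses copied from the report's hook list; the Nt*/Zw* pairs share one address
EXPORTS = {
    "ntdll.dll!NtEnumerateValueKey": 0x7C90D2EE,
    "ntdll.dll!ZwEnumerateValueKey": 0x7C90D2EE,
    "ntdll.dll!NtQueryKey": 0x7C90D85E,
    "ntdll.dll!ZwQueryKey": 0x7C90D85E,
    "kernel32.dll!CreateFileW": 0x7C810800,
    "kernel32.dll!DeleteFileW": 0x7C831F63,
}


def jmp_rel32(src, dst):
    """Encode an x86 'jmp rel32' at src that lands on dst (used only to build the sample memory)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# Constructed memory snapshot: the first bytes at each export. Two are patched with a jump into the
# implant; the other two keep a normal XP syscall stub / hot-patchable prologue.
MEMORY = {
    0x7C90D2EE: jmp_rel32(0x7C90D2EE, IMPLANT_BASE + 0x1200) + b"\x90\x90\x90",
    0x7C90D85E: b"\xB8\xA0\x00\x00\x00\xBA\x00\x03\xFE\x7F",  # mov eax, N ; mov edx, 7FFE0300h
    0x7C810800: jmp_rel32(0x7C810800, IMPLANT_BASE + 0x1500) + b"\x90\x90\x90",
    0x7C831F63: b"\x8B\xFF\x55\x8B\xEC",                      # mov edi, edi ; push ebp ; mov ebp, esp
}


def jump_target(addr, code):
    """Decode a control transfer at the start of an export: jmp/call rel32, or push imm32 ; ret."""
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def owner_of(addr, modules):
    """Name of the module whose range contains addr, or None if the address is unbacked."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def find_hooks(exports, memory, modules):
    """Return {address: {"target", "names"}} for exports whose first instruction leaves their module."""
    hooks = {}
    for name, addr in exports.items():
        module = name.split("!", 1)[0]
        target = jump_target(addr, memory.get(addr, b""))
        if target is None or owner_of(target, modules) == module:
            continue  # plain prologue, or an in-module jump (legitimate hot-patch stubs do this)
        entry = hooks.setdefault(addr, {"target": target, "names": []})
        entry["names"].append(name)
    return hooks


if __name__ == "__main__":
    for addr, h in sorted(find_hooks(EXPORTS, MEMORY, MODULES).items()):
        where = owner_of(h["target"], MODULES) or "unbacked memory"
        print(f"{', '.join(h['names'])} at {addr:#x} -> {h['target']:#x} ({where})")
```

Keying the result by address rather than name is what collapses each Nt/Zw alias pair into one finding, and the "target outside the owning module" rule is the same one memory-forensics tools apply; a real scanner would read MODULES from the process's loaded-module list and MEMORY from the process image, and would also decode the few other trampoline forms (mov/jmp through a register, far jumps) that this example leaves out.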
A registry key is added which ensures the persistence of the backdoor after reboot:
The file “V46lMhsH.shv” appears to perform the main backdoor functionality:
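Both samples in this report persist the same way: a Run-key entry that has rundll32 load a file whose extension is not .dll (“ZsROY7X.-MP” in the Mamfakinch sample, “V46lMhsH.shv” here), dropped in a user-writable directory. That pattern is simple to hunt for offline in a .reg export of the autostart keys. The script below is an added example and is not the report's own tooling. REG_SAMPLE is a constructed export: the two benign entries, the value name “ckDkRL”, the directory, and the export name “PlaceholderExport” are placeholders, and only the file name V46lMhsH.shv comes from the report (the report does not show its registry entry).

```python
import ntpath
import re

# Constructed .reg export of a Run key (see the lead-in for which parts are placeholders)
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"ckDkRL"="rundll32.exe \"C:\\Documents and Settings\\user\\Application Data\\V46lMhsH.shv\",PlaceholderExport"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # REG_SZ values only
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\local settings\\")
LOADER_EXTS = {".dll", ".cpl", ".ocx", ".ax"}


def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def rundll32_module(command):
    """Path of the module rundll32 is asked to load: its first argument, quoted or up to the comma."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,\s]+))', command, re.I)
    if not m:
        return None
    return m.group(1) or m.group(2)


def parse_reg(text):
    """Yield (key, value_name, string_value) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            yield key, unescape(vm.group(1)), unescape(vm.group(2))


def scan_run_keys(text):
    """Flag Run/RunOnce entries that match the persistence pattern described in the report."""
    findings = []
    for key, name, command in parse_reg(text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        reasons = []
        module = rundll32_module(command)
        if module is not None and ntpath.splitext(module)[1].lower() not in LOADER_EXTS:
            reasons.append("rundll32 loading a module without a DLL extension")
        path = module or command
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("autostart binary in a user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_run_keys(REG_SAMPLE):
        print(f"{f['key']}\\{f['name']}: {f['command']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

A .reg export of the Run keys from a suspect machine (reg export on the host, or the same values pulled from an offline NTUSER.DAT hive with a registry parser) can be fed straight to scan_run_keys(). Each reason on its own has benign hits; the two together, rundll32 on a non-DLL extension out of Application Data, is the combination this report describes.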
Further investigation of the implant reveals strings relating to popular anti-rootkit and anti-virus software, suggesting evasion of specific products:
We can also see the targeting of popular browsers:
And popular messaging clients:
The Windows implant includes a signed AMD64 driver. The certificate was issued by Verisign to “OPM Security Corporation”.
CommonName: OPM Security Corporation
Validity (GMT): Mar 28, 2012 – Mar 28, 2015
Class: Digital ID Class 3 – Software Validation
Organization: OPM Security Corporation
Organizational Unit: Digital ID Class 3 – Microsoft Software Validation v2 Applications
OPM Security appears to be a Panama-based company [8]:
Republic of Panamá
From their website [9]:
“From Panama to the World, OPM Security Corporation provides personal and institutional security tools and anonymity to you and your business.”
OPM Security is an OPM Corporation company [10]. On their website, http://taxhaven.us, OPM Corporation states:
“O.P.M. CORPORATION, has been one of the leading providers of Offshore services since 1992 (check 266794). Through our headquarters in Panama, our Caporaso & Partners Law Office (check 25210) and correspondent offices in South America and Caribbean, we offer the best offshore packages.”
Command and Control
This malware calls back to the command and control domain: ar-24.com
This domain is registered through GoDaddy:
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
As of October 1st, 2012 this domain appears to be pointing to a Linode [11] instance:
During August 2012, for a short period, this domain resolved to 126.96.36.199:
descr: Office Of Sh. Tahnoon Bin Zayed Al Nahyan
descr: P.O. Box 5151 , Abu Dhabi, UAE
The physical address in the domain record (P.O. Box 5151, Abu Dhabi, UAE) matches the address for the corporate headquarters of Royal Group, which is a conglomerate of companies based in the UAE.
This malware contains the following strings:
[Inf. Module]: Spread to VMWare %S
- VMWare Installation...........OK
- WM SmartPhone Installation....OK
- USB Drive Installation........OK
The strings describing the Virtual Machine infection are the same as those described in the Symantec report on the Moroccan malware.
In addition to the similarities with the sample that Symantec and Dr. Web identified as having been written by Hacking Team, “veryimportant.doc” is structurally very similar to this sample found on VirusTotal.
This sample uses the following domain for command and control: rcs-demo.hackingteam.it
This information indicates that the sample matching “veryimportant.doc” may be a demo copy of the Hacking Team RCS backdoor. Promotional materials for this backdoor advertise the following features [12]:
Remote Control System can monitor and log any action performed by means of a personal computer:
Keystrokes (any UNICODE language)
Chat, email, instant messaging
Remote Audio Spy
The same promotional document mentions “Zero-day exploits” as a possible remote infection vector.
An additional sample which appears to install Hacking Team RCS was discovered on VirusTotal.
This sample uses an exploit that has similarities in shellcode with “veryimportant.doc”; however, the exploit it uses is newer: the Adobe Flash Player “Matrix3D” integer overflow [13]. Searching for the origin of this exploit revealed a public mailing list post taking credit for discovery of the bug, stating: “This vulnerability was discovered by Nicolas Joly of VUPEN Security”.
VUPEN are a French Security company who provide a variety of services including the sale of:
“...extremely sophisticated and government grade exploits specifically designed for offensive missions.” [14]
They claim to have discovered the vulnerability in January of this year and to have shared it with their customers at that point, prior to public disclosure in August:
2012-08-21 – Public disclosure
The sample appears to have been created in May of 2012 prior to public disclosure:
While VUPEN take public credit for the discovery of this bug, it is possible that the exploit used here was not written by VUPEN but was independently discovered and weaponized by another party.
The use of social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace.
For at-risk communities, gaining awareness of targeted threats and exercising good security practices when using email, Skype, or any other communication mechanism are essential. Users should be vigilant concerning all e-mails, attached web links, and files. In particular, carefully assess the authenticity of any such materials referencing sensitive subject matter or activities, or containing misspellings or unusual diction. If you believe that you are being targeted, be especially cautious when downloading files over the Internet, even from links purportedly sent by friends.
For further tips on detecting potential malware attacks and preventing compromise, see Citizen Lab’s recommendations for defending against targeted attacks.
Malware analysis and report by Morgan Marquis-Boire.
Additional analysis by Andrew Lyons, Bill Marczak and Seth Hardy.
Thanks to Eva Galperin of the Electronic Frontier Foundation for activist outreach work with Mamfakinch.
Thanks to Chris Davis and The Secure Domain Foundation for malware and DNS information.
Additional thanks to John Scott-Railton.
[11] https://www.linode.com/ – A company which provides virtual server hosting.
About Morgan Marquis-Boire
Morgan Marquis-Boire is a Technical Advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He works as a Security Engineer at Google specializing in Incident Response, Forensics and Malware Analysis.