We looked into the HIKIT malware in our previous article. Mandiant stated that this malware stole data from contractor companies that worked with the Department of Defense (DoD). The main evidence behind this conclusion was that these contractors were among Mandiant's clients, that they had been infected, and the data Mandiant obtained by examining those infections.
It is not possible to find a detailed explanation or analysis of HIKIT online. As we previously stated, despite the technical analysis, those behind this malware are still unknown. According to Mandiant, it is possible that an APT group of Chinese origin is behind it.
Our current study, in contrast to the previous one, is less about technical analysis and more about investigating the case. As previously stated, we decided to dig deeper into the source of this malware.
The previous analysis did not cover in detail how this malware spreads. Our studies showed that the malware infected systems by exploiting JavaScript code run in “Microsoft Internet Explorer”.
So, where did the infection come from? It was not possible for us to list every outcome, as carrying out a separate investigation for each and every one of them would take a great deal of time. However, such studies can be carried out when a specific system is targeted. Our focus was the sample we analysed, as HIKIT is a malware family with many variants.
As stated above, we started our study by identifying which websites hosted this “exploit” code. We obtained a list of sites that used the exploit code. These sites are as follows:
The Domain List
Most of our investigations into the individual domains did not produce solid evidence, because we could not find registration details for them. Only one of them had registrant information for the domain name. We continued our research on this domain name and the name it was registered to, and identified the other domain addresses registered to the e-mail address we came across. Nevertheless, it should be noted that these websites might have been hacked and used as a medium to spread various malware.
Other Registered Domain Names
We found that many of the site names above were registered to the e-mail address below. Looking at the site names and the domain WHOIS records of that date, it can be understood that these registrations were made on purpose.
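The registrant pivot described above, as an added example that is not part of the original article: it parses concatenated WHOIS output and groups domains by registrant e-mail, using constructed records with placeholder domains and addresses rather than the ones from the investigation.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style output for illustration only: the domains and
# e-mail addresses are placeholders, not those found in the investigation.
WHOIS_RECORDS = """\
Domain Name: example-drop-1.test
Registrant Email: registrant@example.invalid

Domain Name: example-drop-2.test
Registrant Email: REGISTRANT@example.invalid

Domain Name: unrelated.test
Registrant Email: other@example.invalid

Domain Name: privacy-protected.test
Creation Date: 2012-03-05
"""

def parse_whois(text):
    """Split concatenated WHOIS output into one dict per record (keys lower-cased)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            rec[key.strip().lower()] = value.strip()
        if "domain name" in rec:
            records.append(rec)
    return records

def pivot_by_registrant(records):
    """Group domain names by normalised registrant e-mail. Records without an
    e-mail (privacy-protected) are left out rather than guessed."""
    clusters = defaultdict(list)
    for rec in records:
        email = rec.get("registrant email", "").lower()
        if email:
            clusters[email].append(rec["domain name"].lower())
    return dict(clusters)

def related_domains(records, seed):
    """Other domains sharing a registrant e-mail with the seed domain."""
    seed = seed.lower()
    for email, domains in pivot_by_registrant(records).items():
        if seed in domains:
            return email, sorted(d for d in domains if d != seed)
    return None, []

if __name__ == "__main__":
    # A shared registrant is a lead, not proof: the sites may simply be compromised.
    print(related_domains(parse_whois(WHOIS_RECORDS), "example-drop-1.test"))
```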
At the beginning, we said that the dropper used to deliver HIKIT worked through JavaScript code that runs in MS Internet Explorer. In fact, our studies covered not only this but also other security weaknesses present in different applications; Adobe Flash Player is just one of these.
So far we had information on how HIKIT infected systems; however, there was no information on the C&C servers. When we looked into the servers the above domains connected to, the results were as follows:
The IP addresses that communicate directly with the above addresses, in other words, the points from which the initial HIKIT attacks were carried out, communicate with the headquarters via many intermediate points. The major communication path was via the server in Spain, and most of the malware transmitted to this server came from China.
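The communication-graph reasoning above, as an added example not from the original article: given constructed flow records (documentation-range addresses and assumed country codes, not the investigation's real servers), it finds the relay that most landing sites connect to and tallies the countries of the traffic feeding that relay.

```python
from collections import Counter

# Constructed flow records (source IP -> destination IP) standing in for the
# connections observed from the exploit-hosting sites. Addresses come from
# documentation ranges and the country codes are assigned for the example only.
LANDING_SITES = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
FLOWS = [
    ("203.0.113.10", "198.51.100.5"),   # landing sites -> main relay
    ("203.0.113.11", "198.51.100.5"),
    ("203.0.113.12", "198.51.100.5"),
    ("203.0.113.12", "198.51.100.9"),   # a second, less used relay
    ("192.0.2.20", "198.51.100.5"),     # samples pushed to the main relay
    ("192.0.2.21", "198.51.100.5"),
    ("192.0.2.30", "198.51.100.5"),
    ("192.0.2.40", "198.51.100.9"),
]
COUNTRY = {
    "198.51.100.5": "ES", "198.51.100.9": "HU",
    "192.0.2.20": "CN", "192.0.2.21": "CN", "192.0.2.30": "ID", "192.0.2.40": "RO",
}

def find_hub(flows, landing_sites):
    """Destination reached by the most distinct landing sites: the relay candidate.
    Counted per distinct (src, dst) pair so one chatty site cannot skew it."""
    reached = Counter()
    for src, dst in set(flows):
        if src in landing_sites:
            reached[dst] += 1
    return reached.most_common(1)[0][0] if reached else None

def upstream_by_country(flows, hub, landing_sites, country):
    """Country breakdown of the traffic feeding the hub, excluding the landing
    sites themselves; addresses with no geolocation are bucketed as '??'."""
    origins = Counter()
    for src, dst in flows:
        if dst == hub and src not in landing_sites:
            origins[country.get(src, "??")] += 1
    return origins

if __name__ == "__main__":
    hub = find_hub(FLOWS, LANDING_SITES)
    print("relay:", hub, COUNTRY.get(hub, "??"))
    print("upstream:", upstream_by_country(FLOWS, hub, LANDING_SITES, COUNTRY).most_common())
```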
The IP address of the server overseeing the malware distribution in China points to the location below. When we queried the same point for the registrant instead of the location, we came up with “People's Republic of China – Guiyang People’s Government.” This increased our suspicion that the distribution headquarters of this malware was a Chinese government facility. However, we are still uncertain, as we do not have any solid evidence at hand.
As the communications below are still active, it can be said that this malware is spread through very different vectors. When we looked into the exploit kit software used, we mostly came across the software named “Blackhole Exploit Kit.”
It is still not possible to make definite statements about the source of the HIKIT malware; it has a very fragmented structure, and it is hard to present the obtained data as undeniable evidence. The graph structure above covers many vectors that have an organic connection with HIKIT. While many of the domain names are of German and Russian origin, the servers that host the domains and that are the origin of the spread are scattered among many facilities. While the major origin of the spread is China, malware is distributed from many different countries such as Indonesia, Hungary, Romania and Korea.
As a result, while it is impossible to reach a final decision about the source, our research, which mostly circled around China, together with the current threat picture, gives a significant number of ideas as to the source of the malware.
Trend Micro – Deep Discovery Inspector
We used the Trend Micro Deep Discovery Inspector product in our research to find the HIKIT malware in network traffic. Deep Discovery Inspector is capable of detecting malware in network traffic and, with its “Virtual Analyzer” module, analysing it in detail.
First, we placed the Trend Micro Deep Discovery Inspector in the work environment we created and relayed our web traffic to Deep Discovery Inspector over the spine switch. Having started to monitor our web traffic, Deep Discovery managed to catch the HIKIT malware we received, as seen above.
The log included various data such as the source of the malware, the infected IP address and protocol information. If you like, you can get the results of the analysis carried out in the cloud by connecting to Trend Micro’s Threat Connect platform in order to examine the malware in more detail.
We preferred to connect to the Threat Connect platform to see these details. To do so, it is sufficient to open the details of the malware caught by Deep Discovery and click on the name of the threat.
When you request detailed information about the threat, Deep Discovery automatically directs you to the Threat Connect platform. There it is possible to see the results of the analysis carried out by Trend Micro's laboratories. The page contains a summary of the malware and a visualised graph of its organic connections.
It is possible to see the details by clicking on the graphs. From there, we can reach sample reports and obtain more detailed information about HIKIT. The map on the same screen shows the countries in which the malware named HIKIT is most active.
The sample report above shows the systems affected by the malware, its file format, and the processes it created or affected. If that much detail about the malware is not enough, Trend Micro Threat Connect can dig even deeper and show the effects produced at each stage of execution.
The “execution flow” tab on the same screen shows which resources the malware uses on the system and the modifications it makes, second by second. The APIs used and the Mutex objects created by the malware so that it does not re-infect an already-infected system are listed above.
It is possible to display details by clicking on the related objects and records; for instance, the figure below covers the Registry values created or modified on the system.
Trend Micro Deep Discovery and Threat Connect can present reports about the malware they detect that are comprehensible to ordinary users. They also provide explanations as to how the malware can be removed manually.
The figure above explains how to remove the HIKIT malware step by step. Additionally, it provides various methods for doing so depending on the malware.
ATTACHMENT: The HIKIT Rootkit Analysis (Part 2)