Targeted Tracking

Targeted malware attacks as a result of advanced persistent threats (APTs) are not new, especially for human rights organizations. One aspect of targeted malware that is becoming much more common is a greater level of research by attackers about their intended targets. While this research, in general, requires more human interaction, there are ways of automating some steps in the process of information gathering, sometimes by using the same techniques as the targeted malware itself.

A Tibetan human rights organization recently received an email claiming to be from a person working for the International Campaign for Tibet, sharing a link about the Dalai Lama’s recent visit to the United States. As the message was unsolicited, and has a few suspicious features, the organization forwarded the email to us for analysis.

A couple of characteristics immediately stand out in the message. The first is that the email address is suspicious: the name is misspelled, and comes from a Yahoo webmail address. The second is that the link address points to a dynamic DNS hostname, which then redirects to the actual page (on tibet.net). Dynamic DNS providers are frequently used to host malware command and control (C2) servers, so that if the IP has to change, the malware will still be able to phone home. An article on a legitimate website should not need to go through a dynamic DNS redirector with a custom ID field. Something is definitely wrong with this email.Checking the headers of the email shows that it originated from the same IP address that the dynamic DNS name points to, and did in fact go through the Yahoo email servers:


The page in the link is a redirect to the legitimate site:

Note that the ‘id’ field from the original link and the field from the actual article URL are not the same. The value in the original field is not used here, so maybe it is there for another reason? Also note the similarity between the value in the link ‘id’ field and the ‘t’ field in the DKIM-Signature header. The ‘t’ field is a timestamp, so it is a safe assumption that the ‘id’ field value was also generated by a time function.

In addition to the redirect, the page has a little extra something for the user who visits it. Zero-size IFrames are never a good sign:

The content of getinfo.php is JavaScript that profiles the user’s system, specifically looking for versions of programs frequently used in targeted Trojan attacks. In addition to gathering information about Flash, Adobe Acrobat or PDF Plugin, MS Office, and JustSystems Ichitaro, the JavaScript also collects information about the browser, browser plugins, and computer:


Once the script has collected all of this information, it sends it via another PHP script:


This information can be used in developing and personalizing targeted attacks. By profiling the versions of document readers and the browser version, an attacker would be able to craft a targeted attack that is almost guaranteed to succeed on the first try. The ‘id’ field in the original link can be used to connect the information back to the email address to which the link was sent. As it is very likely that the emails were generated and sent with a script, the attacker could now have a large database of targets and their vulnerabilities. It is interesting to see this sort of information gathering without any exploits; it is a sign that the attacker is more interested in stealth and long-term benefit than immediate compromise.