So in a sample (Filename: survey-questions_2011.xls, MD5: 4031049fe402e8ba587583c08a25221a) of the CVE-2011-0609 exploit affecting Adobe Flash Player, which came all bundled up nicely in a Microsoft Office 2003 Excel spreadsheet (binary file format version, .xls), I came across some wonderful little linkages pointing DIRECTLY at the hostile actors who leverage unwavering cyber-espionage operations targeting our government on a daily basis.

Just so you know, these are “professional” government military and intelligence operatives who are tasked and ordered by their governments to aggressively steal the lifeblood of our nation's innovation and secrets. They are typically, as has been reported, staff assigned or attached to the Technical Reconnaissance Bureaus in each of China’s 7 Military Regions. I use the term professional loosely due to their half ass malware, and their horrible operational security. This time however there is a direct linkage.

The malicious .xls file is embedded with 2 Adobe Flash files which implement the exploit. Other parties are analyzing the actual vulnerability and tracking Adobe’s patch rollout for it. The malicious .xls extracts a dropper executable (.exe) to disk and executes it. The dropped exe file (MD5: 1E09970C9BF2CA08EE48F8B2E24F6C44) is 46,048 bytes. What is interesting about this dropper is that it is actually a self-extracting Microsoft Cabinet file (.CAB). This is a compression format usually used in the installation of programs.

The dropper then brute force searches for excel.exe and terminates the malicious .xls instance and decodes, drops and executes a malicious exe payload named svchost.exe (MD5:90993B5279365B204148E8B04EDF477F) whose size is 65,536 bytes. 

Here is the decoder and its C equivalent. It's a simple XOR operation. Typically dropper payloads will be bound as resources in the Resource section of the PE file, and can be viewed, obfuscated or not, with a Resource Viewer. This method foils those types of cursory static analysis.
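Since a resource viewer will not show a payload hidden this way, a triage pass can scan the dropper body for an XOR-encoded PE header instead. The following is an added example, not the decoder from the sample: it assumes a single-byte key (the post only says "simple XOR"), and the function names and test bytes are constructed for illustration.

```python
import struct

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def looks_like_pe(blob: bytes, pos: int, key: int) -> bool:
    """Validate a candidate DOS header: e_lfanew at 0x3C must lead to the PE signature."""
    if pos + 0x40 > len(blob):
        return False
    e_lfanew, = struct.unpack("<I", xor_bytes(blob[pos + 0x3C:pos + 0x40], key))
    if not 0x40 <= e_lfanew <= 0x1000:
        return False
    sig = blob[pos + e_lfanew:pos + e_lfanew + 4]
    return xor_bytes(sig, key) == b"PE\0\0"

def find_xor_pe(blob: bytes) -> list:
    """Return sorted (offset, key) pairs for XOR-encoded PE images inside blob."""
    hits = []
    for key in range(1, 256):          # key 0 would only match the dropper itself
        needle = xor_bytes(b"MZ", key)
        pos = blob.find(needle)
        while pos != -1:
            if looks_like_pe(blob, pos, key):
                hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed stand-in for a dropper body; not bytes from the real sample."""
    pe = bytearray(0x90)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = struct.pack("<I", 0x80)
    pe[0x80:0x84] = b"PE\0\0"
    return b"\x90" * 100 + xor_bytes(bytes(pe), key) + b"\x90" * 20

SAMPLE = build_sample()

if __name__ == "__main__":
    for offset, key in find_xor_pe(SAMPLE):
        decoded = xor_bytes(SAMPLE[offset:offset + 0x90], key)
        print(f"offset={offset} key=0x{key:02X} starts_with={decoded[:2]!r}")
```
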

It also drops to the Recycler / Recycled folder depending on the OS version check and then deletes itself afterwards.

It also drops a “Clean” Excel .xls file named crsenvironscan2.xls (MD5:1990C787E54A7E96E4CB550D83E9D3F4) filesize 29,184 bytes and then opens it for the user to view. The malicious .xls was a blank Excel spreadsheet with no data. The operator actually was smart and scrubbed the metadata out of the malicious .xls file prior to sending it. Usually they don't, and there is a huge wealth of linkages to attack campaigns in the thousands of samples (aka digital weapons) that have been fired over the years.

Here is where it gets good.  This LONG TIME Chinese CNE operator should go the fuck back to Espionage camp because the idiot actually modified the content of the “clean” .xls before binding it to the dropper.  So you find his real online handle in the .xls Metadata under the Last Saved By: section.
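The Last Saved By field lives in the document's SummaryInformation property set as property ID 8. The parser below is an added example, not tooling from this analysis: it assumes the stream has already been extracted from the .xls compound file, and its sample stream and values are constructed placeholders.

```python
import struct

PIDSI_LASTAUTHOR = 8      # "Last Saved By" in the \x05SummaryInformation stream
VT_LPSTR = 0x1E           # code-page string: 4-byte length, then bytes + NUL

def read_summary_strings(stream: bytes) -> dict:
    """Parse an OLE property-set stream; return {property_id: text}."""
    byte_order, _ver, _os, _clsid, n_sets = struct.unpack_from("<HHI16sI", stream, 0)
    if byte_order != 0xFFFE or n_sets < 1:
        raise ValueError("not a property-set stream")
    _fmtid, sec = struct.unpack_from("<16sI", stream, 28)   # first section only
    _size, count = struct.unpack_from("<II", stream, sec)
    found = {}
    for i in range(count):
        pid, off = struct.unpack_from("<II", stream, sec + 8 + 8 * i)
        vtype, = struct.unpack_from("<I", stream, sec + off)
        if vtype & 0xFFFF == VT_LPSTR:
            length, = struct.unpack_from("<I", stream, sec + off + 4)
            raw = stream[sec + off + 8:sec + off + 8 + length]
            # Simplification: real streams name their code page in property 1.
            found[pid] = raw.split(b"\0", 1)[0].decode("latin-1")
    return found

def last_saved_by(stream: bytes):
    """Return the Last Saved By value, or None when it has been scrubbed."""
    return read_summary_strings(stream).get(PIDSI_LASTAUTHOR)

def build_stream(props: dict) -> bytes:
    """Constructed test stream with placeholder values, not the post's sample."""
    base = 8 + 8 * len(props)
    table, values = b"", b""
    for pid, text in props.items():
        data = text.encode("latin-1") + b"\0"
        table += struct.pack("<II", pid, base + len(values))
        values += struct.pack("<II", VT_LPSTR, len(data)) + data
        values += b"\0" * (-len(data) % 4)                  # pad to 4 bytes
    section = struct.pack("<II", base + len(values), len(props)) + table + values
    header = struct.pack("<HHI16sI", 0xFFFE, 0, 0x00020005, b"\0" * 16, 1)
    return header + struct.pack("<16sI", b"\0" * 16, len(header) + 20) + section

SAMPLE = build_stream({4: "placeholder-author", PIDSI_LASTAUTHOR: "example-handle"})

if __name__ == "__main__":
    print("Last Saved By:", last_saved_by(SAMPLE))
```
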

Welcome to the world Linxder! or should I introduce you as .  You see there is now an of  on in the open public. Your use of “Customized” malware, one of which has been reported as extensively using 

For anyone who is clueless as to this guy I would highly encourage you to research anything and everything about him.  He has an  that is just dripping with goodness going back to 2002.  His is extremely active in Visual C++ and other Chinese hacking forums, Does custom development, collaborates with many other hackers and CNE operators.  His of him and his friends shows collaborative malware development research, research and builders on PDF exploit embedding, Flash exploits and protection/obfuscation and other general hacking topics. 

Another as reported by the Internet Storm Center was used to use the payload Poison Ivy which is Heavily used by a subset of CNE operators.  However this is less interesting from an attribution standpoint.

To wrap up this little bombshell fuckup, Thanks for the Softball Silly Dragon. I urge anyone with an interest in cyber espionage, cyber security, and investigative research skills, to data mine deep and hard the background of this attack, the networks and associates of Linxder and the 15 or so other 0-days that they and a few other select military groups have developed and burned attacking our nation. For the foreign minister idiot denials that say we don't have the proof you can take this and shove it. You're lucky your systems in your copy cat country are not zeroized. They would be if I was running the show.

This is a call to China to publicly acknowledge this, apprehend and arrest Linxder and investigate fully this cyber attack. Extradite him to the United States to be prosecuted under espionage statutes. Quit your operational activities or pay the price.


4 Responses to “Adobe Flash 0-day, China CNE Operators LoVeZ ‘em”

  1. htk said

    nice article :D

  2. said

    hi can u share the sample.

    my email is abhilyall[at]gmail[dot]com

  3. said

    brilliant as usual.

  4. said

    hi nice article. can u share the sample? rgds
