
Surtr Malware

By GoldSparrow in Malware

The Surtr Malware is a threat that was used between 2012 and 2014, mainly to target Tibetan activists. However, cybersecurity experts believe that variants of the Surtr Malware may have been used against other targets as well. The attacks against these activists were carried out with phishing emails that appeared to come from well-known figures in certain Tibetan organizations. The phishing emails carried three different corrupted attachments, which were macro-laced and designed to exploit known Microsoft Office vulnerabilities, including CVE-2012-0158. Users running outdated software risk becoming targets of attackers like the authors of the Surtr Malware.

When the Surtr Malware successfully infects a PC, it creates folders in the system's %APPDATA% directory, where it keeps its components and the data collected during the operation. To maintain persistence on the compromised host, the Surtr Malware tampers with the Windows Registry so that it runs every time the infected system is rebooted.

When the Surtr Malware has completed these steps, it will proceed with the attack by connecting to the C&C (Command & Control) server of the attackers. Next, the Surtr Malware will download a second-stage payload from the C&C server. Once the threat has established an active connection with the C&C server, it will await the commands of its operators. The creators of the Surtr Malware can use it to:

  • Fetch and run files from a specified remote URL.
  • Provide a list of all the files and directories on the system’s hard drive, as well as removable flash drives and other storage devices.
  • Execute remote commands.
  • Run a keylogging module that collects the keystrokes of the target and transfers them to the attackers’ C&C server.

Surtr Malware's Payload Used to Target System Files

Researchers with Toronto’s Citizen Lab analyzed a sample of the Surtr malware that was used in targeted attacks against Tibetan organizations. The fake emails sent to the victims were carrying three attached MS Word documents with the .doc extension. All three files were delivering the Surtr malicious payload.

The files posing as Word documents are really RTF files that exploit CVE-2012-0158, a vulnerability in MS Word that was patched in later versions of the software.
Surtr drops its payload in the system's temporary files folder, starts a new explorer or iexplore process on the victim's system, and then injects itself into the newly created process using the CreateRemoteThread function. The following directories are also created on the target system:

%ALL USERS%/Application Data/Microsoft/Windows/123
%ALL USERS%/Application Data/Microsoft/Windows/Burn
%ALL USERS%/Application Data/Microsoft/Windows/LiveUpdata_Mem

The payload is also copied into the Burn and LiveUpdata_Mem directories. The copies are named either after the system's assigned name or with six random characters, and both variants are given a .dll extension. The new copies are padded with large amounts of empty byte data, which may be a trick to convince some antivirus software that they are legitimate files.

The next step is for Surtr to connect to its command and control server and drop the second-stage payload in %ALL USERS%/Application Data/Microsoft/Windows/Burn/_[assigned system name].log. Surtr is capable of listing files and directories on the victim's system, including external drives connected to it, executing commands remotely, and logging keystrokes.

In order to store collected information from the victim machine, Surtr creates a number of directories:

%ALL USERS%/Application Data/Microsoft/Windows/MpCache
%ALL USERS%/Application Data/Microsoft/Windows/nView_DiskLoydb
%ALL USERS%/Application Data/Microsoft/Windows/nView_KeyLoydb
%ALL USERS%/Application Data/Microsoft/Windows/nView_skins
%ALL USERS%/Application Data/Microsoft/Windows/UsbLoydb

The different folder names hint at the different kinds of information stored in them. One curious detail is that the malware's keylogger module adds a fixed constant to the original value of each logged character. The data collected in those directories is first compressed, then transferred to the C2 server.
The malware ensures it runs at system startup by adding a key to the system registry.
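The drop locations and padded copies described above make a workable host-based hunt signature. The following Python script is an added example, not code from this page or from Citizen Lab; it takes the directory names, the _[assigned system name].log file and the host-name / six-random-character .dll naming from the text, while the 0.5 null-byte threshold, the six-character regex and the harmless sample tree it builds in a temporary directory are the author's own assumptions.

```python
import os
import re
import tempfile
# Directory names the page lists under %ALL USERS%/Application Data/Microsoft/Windows
SURTR_DIRS = ["123", "Burn", "LiveUpdata_Mem", "MpCache", "nView_DiskLoydb",
              "nView_KeyLoydb", "nView_skins", "UsbLoydb"]
# Copies were named after the host or with six random characters, plus a .dll extension
RANDOM_DLL = re.compile(r"^[A-Za-z0-9]{6}\.dll$", re.IGNORECASE)

def null_ratio(path, sample=1 << 20):
    """Fraction of null bytes in the first `sample` bytes; padded copies score high."""
    with open(path, "rb") as fh:
        data = fh.read(sample)
    return data.count(b"\x00") / len(data) if data else 0.0

def hunt(windows_dir, hostname, null_threshold=0.5):
    """Return (finding, path) tuples; the 0.5 null-byte threshold is an assumption."""
    findings = []
    for name in SURTR_DIRS:
        d = os.path.join(windows_dir, name)
        if os.path.isdir(d):
            findings.append(("directory", d))
    for name in ("Burn", "LiveUpdata_Mem"):
        d = os.path.join(windows_dir, name)
        for f in os.listdir(d) if os.path.isdir(d) else []:
            p = os.path.join(d, f)
            if f.lower() == f"_{hostname}.log".lower():
                findings.append(("second-stage log", p))
            elif (f.lower() == f"{hostname}.dll".lower() or RANDOM_DLL.match(f)) \
                    and null_ratio(p) >= null_threshold:
                findings.append(("padded dll", p))
    return findings

def demo(hostname="WS01"):
    """Build a constructed, harmless tree with the drop layout and hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        win = os.path.join(tmp, "Application Data", "Microsoft", "Windows")
        for name in ("Burn", "LiveUpdata_Mem", "nView_KeyLoydb"):
            os.makedirs(os.path.join(win, name))
        padded = b"MZ" + b"\x00" * 4096  # mimics the heavily padded copies
        for rel in (("Burn", f"{hostname}.dll"), ("LiveUpdata_Mem", "ab12CD.dll")):
            with open(os.path.join(win, *rel), "wb") as fh:
                fh.write(padded)
        with open(os.path.join(win, "Burn", f"_{hostname}.log"), "wb") as fh:
            fh.write(b"constructed second-stage blob")
        return hunt(win, hostname)
if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:17} {path}")
```

On a real host, point hunt() at the resolved %ALLUSERSPROFILE%\Application Data\Microsoft\Windows path and the machine's host name; a hit on the padded-DLL or log check is worth triaging rather than treating as proof on its own.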

Although the Surtr Malware has only been observed targeting Tibetan activists, it is quite possible that its authors have modified and reused the threat's code in other harmful campaigns. To avoid falling victim to a threat similar to the Surtr Malware, always make sure that all your software is up to date. Also, do not forget to install a genuine, trustworthy anti-malware solution.
