Windows DRM Social Engineering Attacks & TorBrowser

HackerHouse have been investigating social engineering attacks performed with Digital Rights Management (DRM) protected media content. Attackers have been performing these attacks in the wild to spread fake codec installers since Microsoft introduced DRM to its proprietary media formats. Despite their prevalence we could not find many tools to misuse these formats. We found only a small number of blog posts [2] on identifying the files being used to spread malware. We observed some interesting behaviours during our analysis which we have shared here.

DRM is a licensing technology that attempts to prevent unauthorised distribution and to restrict use of a media file. It works by encrypting the video and audio streams with an encryption key and requesting a license (decryption key) from a network server when the file is accessed. As it requires network connectivity, it can cause users to make network requests without consent when opening a media file such as a video file or audio file.

WMV uses the Microsoft Advanced Systems Format (ASF) to store audio and video as objects. This file format consists of objects that are labelled by GUID and packed together to make a media package. A number of tools such as ffmpeg & ASFView support opening, viewing and browsing these objects. There are three objects with the following GUIDs which are of interest for these attacks.

298AE614-2622-4C17-B935-DAE07EE9289C - Extended Content Encryption Object
2211B3FB-BD23-11D2-B4B7-00A0C955FC6E - Content Encryption Object
2211B3FC-BD23-11D2-B4B7-00A0C955FC6E - Digital Signature Object

An example of a Content Encryption Object taken from a malware sample is shown here.

An example of the same file's Digital Signature Object is also shown below.

The objects are used with a Microsoft license server, configured via a DRM profile, when encoding objects using an SDK. Microsoft have two products which support creating these objects (Windows Media Encoder & Microsoft Expression Encoder). DRM is an expensive business, and unless you use the SDK to develop your own application you will likely need to make use of a license provider to encrypt your WMV files using these tools and also for signing purposes. If you want to build your own Microsoft DRM signing solution the price-tag is around $10,000.

The object we are most interested in is the “Extended Content Encryption Object” which contains the “WRMHEADER” information documented at [1]. This object contains UTF-16 formatted XML and is responsible for making license requests to a specific URL set in the LAINFO tag. A user can set this tag to any URL they want, and when an application with DRM opens the file, it will launch an Internet Explorer instance to view the information URL. An example of one of these headers (taken from a recent malware sample) can be seen here.

If you were to modify the above WRMHEADER or any of the three identified GUID objects you would find that on opening in Windows Media Player you are prompted with the following warning from Windows Media Player.

However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile. There are several free DRM providers who could sign your media for you. However, as the barrier to entry to the DRM market is the aforementioned price tag, it makes you wonder how these files are being signed in the wild!

As these “signed WMV” files do not present any alert to a user before opening them, they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in Tails. This is not an attack against Tor or the TorBrowser directly but a useful way that could be leveraged to identify people attempting to access illegal media content (such as Daesh propaganda). The video below shows an attack being performed against a vulnerable desktop configuration, exposing the IP address of a TorBrowser user. Happy Hacking!
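For triage of suspect media files, the following added example (not code from the original post) walks the top-level objects of an ASF header, reports which of the three GUIDs listed above are present, and pulls the LAINFO URL out of the UTF-16 WRMHEADER so it can be reviewed before the file is opened in a player. The Header Object GUID and the object layout (16-byte GUID, 8-byte size, 4-byte data size before the WRMHEADER) are taken from the ASF specification, not from this post; the function names, the sample bytes and the URL are constructed placeholders.

```python
import re
import struct
import uuid

# ASF Header Object GUID (from the ASF specification) and the GUIDs listed in the post.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ECE = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
DRM_OBJECTS = {
    ECE: "Extended Content Encryption Object",
    uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E"): "Content Encryption Object",
    uuid.UUID("2211B3FC-BD23-11D2-B4B7-00A0C955FC6E"): "Digital Signature Object",
}
LAINFO_RE = re.compile(r"<LAINFO>(.*?)</LAINFO>", re.S | re.I)


def scan_asf(data: bytes) -> dict:
    """Return the DRM objects found in an ASF header and any LAINFO URLs."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        raise ValueError("not an ASF file")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    end = min(header_size, len(data))
    found, urls, pos = [], [], 30  # GUID(16) + size(8) + count(4) + reserved(2)
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])  # GUIDs are stored mixed-endian
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # malformed or truncated object: stop instead of looping
        name = DRM_OBJECTS.get(guid)
        if name:
            found.append(name)
        if guid == ECE:
            # Payload: 4-byte data size, then the UTF-16 WRMHEADER XML.
            xml = data[pos + 28:pos + size].decode("utf-16-le", errors="ignore")
            urls += [u.strip() for u in LAINFO_RE.findall(xml)]
        pos += size
    return {"objects": found, "lainfo": urls}


def _obj(guid: uuid.UUID, payload: bytes) -> bytes:
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample() -> bytes:
    """Constructed header for demonstration only; the URL is a placeholder."""
    xml = "<WRMHEADER><DATA><LAINFO>http://license.example.invalid/q</LAINFO></DATA></WRMHEADER>"
    blob = b"\xff\xfe" + xml.encode("utf-16-le")
    body = _obj(ECE, struct.pack("<I", len(blob)) + blob)
    body += _obj(uuid.UUID("2211B3FC-BD23-11D2-B4B7-00A0C955FC6E"), b"\x00" * 8)
    return ASF_HEADER.bytes_le + struct.pack("<QIH", 30 + len(body), 2, 0x0201) + body
```

Running `scan_asf` over the bytes of a downloaded file gives a quick indication that opening it may trigger a license request, and to which host.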

[0] Advanced Systems Format (MSDN)
[1] PlayReady Object Headers (PDF)
[2] Social Engineering Attacks with WMV (VirusTotal)
