Today’s attackers are adapting to their targets so well that they have integrated trusted enterprise services, commonly used within today’s corporate world, as key infrastructure in multiple phases of their attacks. They are simply repurposing seemingly benign Service Profile Infrastructure (SPI) to improve the survivability of their exploitation operations, knowing all the while that most enterprises are unable to inspect high-volume web traffic to such services, let alone block it. What makes these findings significant is that they illustrate the fluid nature of persistent threats. As an example, a Chinese threat group has been observed staging a malicious document containing a custom backdoor that interacts with WordPress, and delivering it via Dropbox. In doing so, the attackers did not need to compromise the “easy to mitigate” midpoint infrastructure seen in traditional targeted attacks, such as SMTP relay servers or web servers.
In recent months, we identified numerous targeted malware campaigns that clearly demonstrate that sophisticated threat groups continue to use cloud-based platforms within the targeting, command and control (C2) and data exfiltration phases of their attacks. This incident reinforces that Comment Crew, aka APT1, is not the only Chinese Advanced Persistent Threat (APT) group using web-enabled content as a C2 technique to interact with their victims’ hosts, a technique which some threat analysts often mis-attribute. Below, we highlight how these particular threat actors have implemented trusted, cloud-based services within their targeting and C2 attack phases. Based on threat intelligence on this threat developed within ThreatConnect.com, it is highly likely that this activity is part of the same Chinese APT group that compromised the New York Times for several months during the fall of 2012.
Operational Caveat: We contacted the affected service providers to notify them of the malicious SPI being abused to facilitate targeted attacks. We also shared details and background associated with the specific threat group and their activities.
Phase One: Targeting via Dropbox
The Chinese APT group previously identified as being responsible for the New York Times compromises has also been routinely observed using the legitimate Dropbox file-sharing notification feature to email their targets links to malicious binaries staged within the Dropbox cloud. The attackers simply registered for a free Dropbox account, uploaded the malicious content, and then publicly shared it with their targeted users.
By implementing SPI at various stages of their operations, the attackers were able to establish and maintain the following advantages:
- The attackers could easily anonymize themselves and their subscriber account(s).
- The attackers could mask themselves behind the trusted Dropbox brand, increasing credibility and the likelihood that the victim, whether a personal or corporate Dropbox user, would interact with the malicious file.
- The attackers could easily target their victims by delivering a URL to the malicious content through the trusted Dropbox email infrastructure, rather than through traditional methods such as SMTP relays.
- The attackers could deliver malicious content that evades traditional detection and mitigation methods, since the download comes from a trusted, TLS-protected service that few enterprises block or inspect.
In one example, the attackers used the following link to spearphish their victims:
The file appears to be an Association of Southeast Asian Nations (ASEAN) policy document. ASEAN is an international, intergovernmental, geopolitical and economic association that represents the interests of ten Southeast Asian countries. This suggests the recipients would likely have an interest in, or an affiliation with, ASEAN, most likely individuals or representatives of regional member nations. ASEAN itself, as well as many of its regional member nations, would be of strategic diplomatic, economic, or military interest to China.
Upon deeper examination of the malicious file, we identified that the document was actually a Word document that contained an embedded malicious binary named “2013 US-ASEAN Business Council Statement of Priorities in the US-ASEAN Commercial Relationship Policy Paper.scr.” The Word document is an excerpt taken from an Asia-Pacific Economic Cooperation (APEC) organizational document that can be found here. The original document was a 2012 annual report for APEC trade ministers.
This binary is detected by antivirus as a known APT implant identified as “Yayih”. The “Yayih” implant has been in use for several years by Chinese APT groups and was also seen in conjunction with the CVE-2012-0754 Flash zero-day exploit mentioned in a March 2012 Contagio Dump posting.
When extracted, the binary uses an Adobe PDF icon to mimic a legitimate PDF document, then drops a benign decoy PDF upon execution. Interestingly, the decoy document is named “US-ASEAN Business Council INTERNAL DRAFT” and contains draft talking points referencing an array of strategic US-ASEAN economic and trade policy priorities. If this document is indeed an internal document with draft talking points, it would likely only have been available to the attackers had they previously compromised an entity within ASEAN or an affiliate of the US-ASEAN Business Council. This highlights how sophisticated threats often leverage stolen data, collected from previous or ongoing intrusions, to enable follow-on targeting campaigns.
After dropping the decoy PDF, the binary copies itself to %TEMP%\msinfo.exe and creates a configuration file “aumLib.ini” in the Local Settings\Application Data folder. The binary also creates a unique mutex, ‘trade1’. The reference to “trade” within the mutex likely served as a targeting campaign code, which is in keeping with the charter of ASEAN and provides additional evidence as to the possible intent and operational goals of the attackers.
Phase Two: WordPress Web C2 Explained
Once a victim was successfully infected with the “Yayih” implant, the malware contacted a WordPress blog. It then read attacker-staged content from within the blog posting to obtain the domain or IP address and port number of a second-stage C2 host.
In this example, at “gressered.wordpress[.]com”, we found multiple blog posts, all of which likely served as content for specific targeting campaigns, and all of which carried the same C2 configuration, “hiding in plain sight”. However, it is entirely possible that the attackers had modified the second-stage C2 configuration at some earlier point. The earliest post was dated July 31, 2012, suggesting that this specific blog had been in use for nearly a year as a first-stage interaction point.
Many of the blog posts that contained the C2 configuration were associated with news articles related to geopolitical events, likely of interest to potential targets.
Web C2 Examples:
The C2 setting is found in plain text on the rendered HTML page, surrounded by six formatting characters on each side: ‘@’ delimits the C2 IP address or hostname, and ‘#’ delimits the C2 port.
The identified web C2 configurations instruct the binary to connect back to IP address 202.2.104[.]188 (Funafuti, Tuvalu) via TCP/443. They also all contain a configuration setting consisting of the integer value ‘1’ surrounded by six ‘$’ characters, possibly an internal setting that enables or disables certain malware functionality.
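The following is an added example, not code from the original post or from the malware itself, showing how a defender could recover this web C2 configuration from a rendered blog page. It assumes the layout described above: the host wrapped in six ‘@’ characters, the port in six ‘#’ characters, and the flag in six ‘$’ characters. The sample HTML, the order of the three fields, and the hostname variant are constructed for illustration; the only values taken from the analysis are the delimiter characters, the IP 202.2.104.188 and port 443.

```python
"""Extract a Yayih-style web C2 configuration from rendered blog HTML.

Added example. The delimiter scheme (six '@', '#' and '$' characters around
the host, port and flag) follows the analysis in the post; the exact page
layout and field order below are assumptions.
"""
import html
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a rendered WordPress post carrying the configuration
# inside an otherwise innocuous news-style paragraph.
SAMPLE_HTML = """
<div class="entry-content">
<p>Ministers met this week to discuss regional trade priorities &amp; tariffs.</p>
<p>@@@@@@202.2.104.188@@@@@@ ######443###### $$$$$$1$$$$$$</p>
<p>Talks will continue into next quarter.</p>
</div>
"""

# Six delimiter characters on each side; the captured group is the value.
_HOST_RE = re.compile(r"@{6}([^@\s<]{1,253})@{6}")
_PORT_RE = re.compile(r"#{6}(\d{1,5})#{6}")
_FLAG_RE = re.compile(r"\${6}(\d+)\${6}")
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


@dataclass(frozen=True)
class WebC2Config:
    host: str
    port: int
    flag: Optional[int]   # None if the '$' field is absent
    host_is_ip: bool


def strip_tags(page: str) -> str:
    """Reduce rendered HTML to text: drop tags and unescape entities, so the
    regexes see what the implant would see after its own parsing."""
    return html.unescape(re.sub(r"<[^>]+>", " ", page))


def parse_web_c2(page: str) -> Optional[WebC2Config]:
    """Return the C2 host/port/flag found in a page, or None if the page does
    not carry a complete, plausible configuration."""
    text = strip_tags(page)
    host_m = _HOST_RE.search(text)
    port_m = _PORT_RE.search(text)
    if host_m is None or port_m is None:
        return None

    host = host_m.group(1)
    port = int(port_m.group(1))
    if not 1 <= port <= 65535:
        return None

    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        if _HOSTNAME_RE.fullmatch(host) is None:
            return None        # neither an IP literal nor a sane hostname
        host_is_ip = False

    flag_m = _FLAG_RE.search(text)
    flag = int(flag_m.group(1)) if flag_m else None
    return WebC2Config(host=host, port=port, flag=flag, host_is_ip=host_is_ip)


def distinct_configs(pages: list) -> set:
    """Parse several posts from one blog and return the distinct C2 settings,
    which lets an analyst see whether the operator has rotated the second
    stage over time (the post above found a single shared configuration)."""
    found = set()
    for page in pages:
        cfg = parse_web_c2(page)
        if cfg is not None:
            found.add((cfg.host, cfg.port))
    return found


if __name__ == "__main__":
    print(parse_web_c2(SAMPLE_HTML))
```

In practice the pages fed to `parse_web_c2` would come from proxy logs or a periodic fetch of a suspect blog; a hit on a post that otherwise reads as a news excerpt is itself a strong indicator, and the extracted host and port can be pushed straight into network blocklists and detection rules.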
Increased focus on sophisticated threats by enterprise security teams is driving threat groups to adopt unconventional targeting and exploitation techniques, outside of what has traditionally been observed, by borrowing infrastructure from trusted parties to carry out their malicious activities.
This serves as yet another example of how sophisticated threats successfully leverage trusted SPI to facilitate the initial targeting and C2 phases of their exploitation operations. Few enterprise network defense teams are adequately resourced or enabled to detect targeted attacks and subsequent C2 web sessions that chain trusted SPI in this way. Unfortunately, host- and network-based security solutions alone are not entirely adequate for stopping or detecting this kind of threat. Detection and mitigation require a shared perspective and understanding of the adversary: how they operate, the infrastructure they use, the capabilities they possess, and how all of this applies to a targeted individual, industry, or sector.
Details of this threat have been shared with the ThreatConnect.com community within Incident “20130513A: ASEAN Yayih Trojan”. If you or your organization are interested in obtaining crowd-sourced threat intelligence that increases your awareness of sophisticated threats, please register at ThreatConnect.com and join our community.