History is made when the notable details of past events are recorded and others can then learn from and study them. For example, you can go to any library and read about the Civil War. You can read about the many tactical skirmishes and battles. You can also learn about the outcomes of these tactical engagements, and how they influenced larger operational campaigns, where two primary belligerents executed against longer-term strategies. Many of these strategies influenced future warfare tactics and were iteratively improved upon, over time, through lessons learned. These improvements were achieved by dissecting the data points, and the successes as well as failures of those engagements, which had been recorded and made available to historians.
While not all-encompassing, there are notable cross-sections between the modern digital world and the conventional flesh and bone one. Today’s netDefense and threat intelligence professionals understand that at the “tactical fight” level. They understand and acknowledge the need for an organization to effectively memorialize and accumulate knowledge to successfully execute their jobs. Unfortunately, there are professionals within the security industry who only look at a threat from the vantage point of an assembly line worker. They mitigate each threat as it comes down the line and wait for the next one, never looking to the past in an effort to anticipate the future.
Fortunately, ThreatConnect users are enabled to aggregate their existing private threat intelligence, analyze it against other data services and security events, and ultimately to act on the information. In the following example, we will highlight how Comment Crew (aka APT1) has recently operationalized legacy infrastructure and is using it to target a variety of victims. As cliché as it may be, even in cyber, history repeats itself.
Executive Summary:
In mid-March 2014, the ThreatConnect Research Team identified an active Comment Crew server that was hosting malicious executable malware implants made to appear as legitimate document files (within SFX RAR executables). These malware implants dropped decoy documents that included recent news articles and reports relevant to current geopolitical events, including the circumstances surrounding missing Malaysia Airlines flight MH370, and recent European economic and Trans-Atlantic trade related news.
The Comment Crew infrastructure naming convention similarities and malware attributes highlight a likely overlap with the Siesta Campaign. These indicators were shared within premium ThreatConnect industry and subscriber communities on the 17th of March within Incident 20140314B: Comment Crew HFS APT Campaign.
The command and control (C2) server 184.82.120[.]136 (Scranton, PA) recently hosted malicious content via TCP/8080 from the domains outlined in the graphic below:
Most noteworthy is that both gmailboxes[.]com and marsbrother[.]com have long been identified by ThreatConnect Research, numerous security industry researchers, and the U.S. Government as being associated with Comment Crew (aka APT1) for several years. The first noted public reference to these domains was in 2011. This indicates that the attackers are comfortable actively reusing old infrastructure despite security industry awareness. The adversaries are likely maintaining operational successes because some security professionals possess short-term memories and myopic approaches when it comes to threat intelligence. Retaining this historic knowledge, with the ability to iteratively enrich it over time is a key characteristic of a mature threat intelligence platform. In this case, ThreatConnect allowed ThreatConnect Research and any other user who had imported and consumed legacy Comment Crew / APT1 indicators to enrich and track the infrastructure. Had users chosen to do so, they would have been immediately alerted by ThreatConnect to any infrastructure or context changes.
ThreatConnect Research observed that the C2 server (184.82.120[.]136) had multiple ZIP and password-protected RAR files which contained the malware implants likely used in other spearphishing campaigns.
The C2 server also hosted other executables and utilities disguised as .gif files, many of which have been identified as malicious tools and libraries used by the spear-phished implants most likely for lateral movement and network persistence.
Staged Spearphishing Payloads:
The primary weaponized spearphish payloads were fake document implants; ThreatConnect Research was able to recover the following files:
Malaysia Flight MH370 Theme:
- Malaysia_Airlines_flight_MH370_What’s_needed_to_find_it.zip (MD5: a4ea7b217f61adc2931edcb2416942ab)
- Malaysia Airlines flight MH370 What’s needed to find it.rtf.exe (MD5: fa9694553e5f9a9443ff4a5229798d32)
- zerk.exe (MD5: 8842babc819e2024541dcff62c003fe6)
This implant clearly refers to the news surrounding Malaysia Airlines flight MH370, and leverages a decoy document containing an article excerpt from here.
Netherlands Pulse Trawl Fishing Theme:
- pppp.zip (MD5: 4d7a5f722a36e95712410844848bdbe3)
- Agreement to double pulse trawl licences.exe (MD5: 331c16e915eedb18ca9477df4c88109c)
- WINWORD.EXE (MD5: 0cf73c57f17b200ac7aac7688ae59265)
This implant contained a decoy document taken from a Dutch government website.
The article refers to approval of pulse trawl licenses for Dutch fishermen, which were initially rejected by the European Parliament.
Transatlantic Economy Theme:
- Transatlantic Economy 2014 press release – March 10 2014.zip (MD5: 336C8F0C8BDE5B4BB3974ECDD53B1FAB)
- Transatlantic Economy 2014 press release – March 10 2014.exe (MD5: 3568f13f839a0551986292f7c9137aa5)
- notepad.exe (MD5: 8842babc819e2024541dcff62c003fe6)
This implant uses a decoy document from here.
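The three droppers above share one disguise: an SFX RAR executable carrying a document-like name. The triage helper below is an added example, not ThreatConnect's code or the page's own tooling. It flags a document extension followed by an executable one (`.rtf.exe`), a PE header under a non-executable name, a RAR archive marker embedded inside a PE (the SFX pattern), and an MD5 match against the hashes published above. The sample bytes and file names it runs on are constructed; only the MD5 set comes from the post.

```python
import hashlib
import re

# MD5s published in the post for the staged droppers and final-stage implants
KNOWN_BAD_MD5 = {
    "a4ea7b217f61adc2931edcb2416942ab",  # MH370 zip
    "fa9694553e5f9a9443ff4a5229798d32",  # MH370 .rtf.exe dropper
    "8842babc819e2024541dcff62c003fe6",  # zerk.exe / notepad.exe final stage
    "4d7a5f722a36e95712410844848bdbe3",  # pppp.zip
    "331c16e915eedb18ca9477df4c88109c",  # pulse trawl dropper
    "0cf73c57f17b200ac7aac7688ae59265",  # WINWORD.EXE final stage
    "336c8f0c8bde5b4bb3974ecdd53b1fab",  # Transatlantic Economy zip
    "3568f13f839a0551986292f7c9137aa5",  # Transatlantic Economy dropper
}

DOC_EXTENSIONS = {"rtf", "doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}
EXEC_SUFFIXES = tuple("." + e for e in EXEC_EXTENSIONS)

# RAR archive markers (RAR 4.x and RAR 5). A self-extracting RAR is an ordinary PE stub
# with the archive appended, so the marker shows up somewhere after the MZ header.
RAR_MARKERS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def has_document_double_extension(filename):
    """True for names such as 'report.rtf.exe': a document extension followed by an executable one."""
    m = re.search(r"\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$", filename)
    return bool(m) and m.group(1).lower() in DOC_EXTENSIONS and m.group(2).lower() in EXEC_EXTENSIONS


def assess(filename, data):
    """Return a triage record for one attachment: its MD5, the findings, and an overall flag."""
    reasons = []
    if has_document_double_extension(filename):
        reasons.append("document-style double extension")
    is_pe = data[:2] == b"MZ"
    if is_pe and not filename.lower().endswith(EXEC_SUFFIXES):
        reasons.append("PE header under a non-executable file name")
    if is_pe and any(marker in data for marker in RAR_MARKERS):
        reasons.append("RAR archive embedded in a PE (likely SFX dropper)")
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        reasons.append("MD5 matches a published indicator")
    return {"filename": filename, "md5": md5, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not the real implants): a fake SFX stub and a benign RTF.
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + b"Rar!\x1a\x07\x00" + b"\x00" * 32
SAMPLE_RTF = b"{\\rtf1\\ansi Quarterly fleet report}"

if __name__ == "__main__":
    for name, blob in [("Malaysia Airlines flight MH370 What's needed to find it.rtf.exe", SAMPLE_SFX),
                       ("fleet_report.rtf", SAMPLE_RTF)]:
        print(assess(name, blob))
```

The hash check is the only exact match; the other three findings are structural and will also fire on legitimate self-extracting installers, so they are meant to route an attachment to review rather than block it outright.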
Final Stage Command & Control:
The final stage implant MD5: 8842babc819e2024541dcff62c003fe6 was dropped by both the Malaysia Airlines MH370 themed dropper and the 2014 Transatlantic Economy themed dropper, while the Trawl licenses themed dropper delivered a different final stage implant, MD5: 0cf73c57f17b200ac7aac7688ae59265.
These final stage implants are variants of the Comment Crew MiniASP Trojan, and connect to the following malicious URLs on a likely compromised website:
- [http:]//www.ustoo[.]com/cap2k/demo.png
- [http:]//www.ustoo[.]com/cap2k/dc.asp
- [http:]//www.ustoo[.]com/cap2k/di.asp
- [http:]//www.ustoo[.]com/cap2k/index.asp
- [http:]//www.ustoo[.]com/cap2k/index1.asp
- [http:]//www.ustoo[.]com/cap2k/rd.asp
www.ustoo[.]com is affiliated with the Medical themed Us TOO International Prostate Cancer Support Community.
These www.ustoo[.]com callback URLs are remarkably similar to the previously reported Siesta Campaign related MiniASP callbacks found at:
- [http:]//www.heliospartners[.]com/images/demo.png
- [http:]//www.heliospartners[.]com/images/device_blog.asp
- [http:]//www.heliospartners[.]com/images/device_input.asp
- [http:]//www.heliospartners[.]com/images/device_mail.asp
Notably, the demo.png files found at both of these locations have the same image and contain the same algorithm for decrypting the encoded executable payload embedded within them. This encryption algorithm was documented on Page 72 of the Mandiant APT1 Appendix C: Malware Arsenal.
The encoded final stage implant from [http:]//www.ustoo[.]com/cap2k/demo.png decoded to the MD5: B6618129FE6ED94969527E63141429C2 (taskhostx.exe). This decoded implant is a variant of the Comment Crew Eclipse RAT, and connects to the malicious dynamic command and control domain account.jumpingcrab[.]com on IP address 103.25.56[.]44 (Adelaide, Australia).
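Both callback sets above have the same shape: one directory on a compromised site serving a `demo.png` beside a handful of `.asp` endpoints. The script below is an added example (not ThreatConnect's code) that runs two checks over web proxy logs: an exact match against the ten callback URLs listed in the post, kept in their defanged form and refanged at load time, and a structural rule that surfaces any client fetching a `.png` plus two or more `.asp` pages from one directory. The log format and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Callback URLs listed in the post, kept in their defanged form
DEFANGED_CALLBACKS = [
    "[http:]//www.ustoo[.]com/cap2k/demo.png",
    "[http:]//www.ustoo[.]com/cap2k/dc.asp",
    "[http:]//www.ustoo[.]com/cap2k/di.asp",
    "[http:]//www.ustoo[.]com/cap2k/index.asp",
    "[http:]//www.ustoo[.]com/cap2k/index1.asp",
    "[http:]//www.ustoo[.]com/cap2k/rd.asp",
    "[http:]//www.heliospartners[.]com/images/demo.png",
    "[http:]//www.heliospartners[.]com/images/device_blog.asp",
    "[http:]//www.heliospartners[.]com/images/device_input.asp",
    "[http:]//www.heliospartners[.]com/images/device_mail.asp",
]


def refang(indicator):
    return indicator.replace("[http:]", "http:").replace("[.]", ".")


def normalize(url):
    """host + path with a lower-cased host and no scheme or query, so log URLs and indicators compare equal."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path


KNOWN = {normalize(refang(u)) for u in DEFANGED_CALLBACKS}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2014-03-14T09:12:01Z 10.1.4.22 GET http://www.ustoo.com/cap2k/demo.png 200
2014-03-14T09:12:03Z 10.1.4.22 GET http://www.ustoo.com/cap2k/dc.asp 200
2014-03-14T09:12:05Z 10.1.4.22 GET http://www.ustoo.com/cap2k/index.asp 200
2014-03-14T09:15:40Z 10.1.4.31 GET http://intranet.example/images/logo.png 200
2014-03-14T09:16:02Z 10.1.4.57 GET http://cdn.example/gallery/banner.png 200
2014-03-14T09:16:04Z 10.1.4.57 GET http://cdn.example/gallery/view.asp 200
2014-03-14T09:16:09Z 10.1.4.57 GET http://cdn.example/gallery/list.asp 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts, client, method, url, status = m.groups()
        events.append({"ts": ts, "client": client, "method": method,
                       "url": url, "status": int(status), "key": normalize(url)})
    return events


def known_indicator_hits(events):
    """Exact matches against the published callback set."""
    return [e for e in events if e["key"] in KNOWN]


def structural_hits(events, min_asp=2):
    """Leads, not verdicts: one client fetching a .png plus several .asp pages from the same directory."""
    buckets = defaultdict(lambda: {"png": False, "asp": set()})
    for e in events:
        directory, _, name = e["key"].rpartition("/")
        b = buckets[(e["client"], directory)]
        lname = name.lower()
        if lname.endswith(".png"):
            b["png"] = True
        elif lname.endswith(".asp"):
            b["asp"].add(lname)
    return sorted(key for key, b in buckets.items() if b["png"] and len(b["asp"]) >= min_asp)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in known_indicator_hits(evs):
        print("KNOWN  ", e["client"], e["url"])
    for client, directory in structural_hits(evs):
        print("REVIEW ", client, directory)
```

On the constructed log the exact match fires only on the ustoo host, while the structural rule also surfaces the ordinary gallery traffic from 10.1.4.57. That second hit is the point of keeping the two checks separate: the structural rule is a pivot for an analyst to look at a new directory the way the Siesta and ustoo paths were compared above, not something to block on.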
Conclusion:
Having the ability to regularly retain, enrich and manage knowledge is a basic requirement for any threat intelligence platform. Analysts must be able to automate and develop context around a threat, allowing them to understand the past and better prepare a defense against dynamic threat actors.
This enhanced understanding allows security professionals to deliver effective decision support so that business leaders can make timely decisions. Mature enterprise netDefense and threat intelligence teams that archive data on specific threats and procedurally apply enrichments, analytics and context would have had the opportunity to preposition mitigation scenarios around gmailboxes[.]com dating back to August of 2011 (which predates the Mandiant APT1 report).
Threat intelligence teams who were actively tracking gmailboxes[.]com subdomains within ThreatConnect would have also identified the March 11th DNS resolution to 184.82.120[.]136, enabling follow-on threat discovery processes. If they acted on this information they would have the ability to mitigate any C2 activity with a victim enterprise. The reality is that attackers do not necessarily have to create new infrastructure in order to facilitate new targeting campaigns, so data retention is vital when using threat intelligence to protect from any threat, “advanced” or otherwise.
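The retention argument in the conclusion comes down to one mechanism: keep the 2011 indicator with its context, and alert when it (or any subdomain) resolves to an address it has never resolved to before. The store below is an added example of that mechanism, not ThreatConnect's data model. It keeps first-seen dates, sources, tags and a per-domain resolution history, matches a hostname up its parent labels, and returns an alert only on a never-seen IP. The 1 August 2011 day-of-month, the January 2011 date for marsbrother[.]com, the 2011 placeholder IP and the subdomain label `sub` are constructed, since the post gives only the month, year and the March 11th resolution to 184.82.120.136.

```python
from datetime import date


class IndicatorStore:
    """Minimal retained-indicator store: first-seen dates, sources, tags and a resolution history per domain."""

    def __init__(self):
        self.records = {}

    def add(self, indicator, first_seen, source, tags=()):
        first_seen = date.fromisoformat(first_seen)
        rec = self.records.setdefault(indicator.lower(), {
            "first_seen": first_seen, "sources": set(), "tags": set(), "resolutions": []})
        rec["first_seen"] = min(rec["first_seen"], first_seen)  # never lose the earliest sighting
        rec["sources"].add(source)
        rec["tags"].update(tags)
        return rec

    def tracked_parent(self, hostname):
        """Return the tracked record name covering hostname (itself or any parent domain), else None."""
        labels = hostname.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.records:
                return candidate
        return None

    def record_resolution(self, hostname, ip, seen):
        """Append a DNS observation; return an alert when a tracked name resolves to a never-seen IP."""
        tracked = self.tracked_parent(hostname)
        if tracked is None:
            return None
        seen = date.fromisoformat(seen)
        rec = self.records[tracked]
        known_ips = {addr for _, addr in rec["resolutions"]}
        rec["resolutions"].append((seen, ip))
        if ip in known_ips:
            return None
        return {
            "hostname": hostname,
            "tracked_as": tracked,
            "new_ip": ip,
            "tracked_since": rec["first_seen"].isoformat(),
            "age_days": (seen - rec["first_seen"]).days,
            "tags": sorted(rec["tags"]),
            "sources": sorted(rec["sources"]),
        }


def build_demo_store():
    """Seed the store with the legacy Comment Crew domains named in the post."""
    store = IndicatorStore()
    # August 2011 is from the post; the day-of-month is a placeholder
    store.add("gmailboxes.com", "2011-08-01", "public reporting 2011", tags={"Comment Crew", "APT1"})
    # the post gives only the year for this one; the date is a placeholder
    store.add("marsbrother.com", "2011-01-01", "public reporting 2011", tags={"Comment Crew", "APT1"})
    # constructed historical resolution (documentation-range IP), so 2014 shows up as a change
    store.record_resolution("gmailboxes.com", "203.0.113.10", "2011-08-01")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    # "sub" is a placeholder label; the post does not name the subdomain that resolved on March 11
    print(store.record_resolution("sub.gmailboxes.com", "184.82.120.136", "2014-03-11"))
```

Two properties make this useful in practice: `add` only ever moves `first_seen` earlier, so re-importing the same domain from a newer report does not erase the 2011 provenance, and the parent-label walk means a previously unseen subdomain inherits the tracking of its apex domain, which is how the March 2014 resolution would surface against an indicator imported years earlier.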