In February, we posted “Burning Down the House for Fun and Profit.” In that opinion piece we discussed the possible pros and cons associated with the February 18 Mandiant APT1 report and the corresponding digital indicator appendix on APT1, aka “Comment Crew.”
It has been approximately two months since the public disclosure that was welcomed by some and condemned by others. Many within the global security industry, both public and private sectors, speculated that the group’s tactics, tools and procedures (TTPs) would change drastically in response to the disclosure. Many even predicted the dissolution or a significant long-term decrease of “Comment Crew” activity in addition to other Chinese cyber espionage threat groups.
As of late April 2013, Chinese cyber espionage threat groups have clearly continued their activity. In the example given below, we will highlight that “Comment Crew” is still conducting exploitation operations. In fact, there has been little change. They have not significantly retooled their traditional implant technologies, command and control (C2) capabilities, or modified their target selection process, as some expected they would.
It is important to note that our observations are based on a single source of evidence. It is possible that there are other unknown instances of either new or undetected “Comment Crew” capabilities, infrastructure, or activity. One working theory for the lack of any noteworthy change is that “Comment Crew” does not need to make any significant changes to continue conducting successful exploitation operations. The “Comment Crew” actors may have achieved a satisfactory balance of conducting successful exploitation operations by maintaining a certain level of survivability while using existing C2 infrastructure. Or perhaps they have developed new midpoints in addition to implementing host-based detection evasion techniques.
The Server and Targeting Theme:
On April 21, we observed an “in the wild” HFS file server that was hosting a malicious ZIP file and HTML-based command and control (C2) at "downloads.zyns[.]com". The hosted ZIP contains a modified variant of “Comment Crew” malware similar to the implant identified by Mandiant as “WEBC2-QBP.” According to the creation dates on the file server, the files were available starting on April 19, 2013. It is important to caveat that the use of the HFS server should not be considered a strong indicator for “Comment Crew” activity alone, as the HFS server is commonly used by many Chinese and non-Chinese threat actors.
The ZIP file named “MODSIM-DetailedWorkingAgenda.zip” contained an executable with a fake PDF icon that dropped a separate decoy PDF document. This decoy document mimics an invitation and conference agenda for the MODSIM World Conference & Expo 2013.
The MODSIM conference is a Modeling & Simulation event sponsored by the National Defense Industrial Association (NDIA). The areas of industry and government involved in this conference include “Defense, Healthcare/Medicine, Engineering & Applied Science, Information Assurance & Cyberwarfare, Cross-Cutting Applications in M&S, Education/Workforce Development, Transportation, and Manufacturing.” Nearly all of these sectors and industries have been identified in China’s Twelfth Five-Year Guideline as a part of their economic growth and social development strategy. So it comes as no surprise that the Shanghai-based “Comment Crew” would be targeting individuals, organizations, and affiliates related to this or other associated industry conferences.
The aforementioned ZIP file also contained a separate legitimate PDF presentation called “Overview_and_Intro.pdf”. It is an unclassified presentation on future US military training technologies, and represents the traditional Defense Industrial Base (DIB) targeting that we have seen from legacy “Comment Crew” activity. It is also important to highlight that “Comment Crew” will often repurpose exfiltrated data as content to facilitate follow-on targeted attacks.
Meet "WebC2-AABB": A New Version of "WebC2-QBP"
The malicious binary has a compilation time of April 19, 2013, correlating with the upload time on the HFS file server. The malware operates in a traditional manner by requesting the page also found at hXXp://downloads.zyns[.]com/software.htm and searching for an encoded HTML comment command.
The comment type used with this malware is very similar to the WEBC2-QBP malware comment structure, as highlighted in Mandiant’s APT1 malware appendix. However, in this case, the identifier string and decryption key are different.
Original WEBC2-QBP Command String:
<!--<2010QBP 2FB6D82DC70665D5F0B06B8614D6E295C25ABC5B84DCE21E 2010QBP//-->
New WEBC2-AABB Command String:
In the new variant, “2010QBP” has been replaced by “AABB”, and the string “META=” has been added at the beginning of the comment. The binary blob in the middle of the comment is a DES encrypted malware command, similar to the original WEBC2-QBP commands, except the new command requires a different decryption key.
Original WEBC2-QBP Crypto Key:
New WEBC2-AABB Crypto Key:
The attackers have made the encryption key more complex without changing the algorithm, most likely in order to avoid detection while not requiring development of new malicious code. In the above comment tag observed from “software.htm”, the command decodes to “run ipconfig /all”.
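One way to hunt for the comment structure described above in captured web content, as an added example that is not code from the original post. The QBP sample is the string quoted above; the AABB sample is constructed, and its exact layout ("META=" directly after "<!--", optional "<") is an assumption, since the post only states that "2010QBP" became "AABB" and that "META=" was added at the start of the comment. The function name and result fields are hypothetical, and nothing is decrypted.

```python
import re

# Any HTML comment; the body is checked separately.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Body layout: [META=] [<] TAG <hex blob> TAG//
# "2010QBP" is the original identifier, "AABB" the new one named in the post.
# The optional "META=" / "<" placement for AABB is an assumption.
BODY_RE = re.compile(
    r"^\s*(?P<meta>META=)?\s*<?(?P<tag>2010QBP|AABB)\s+"
    r"(?P<blob>[0-9A-Fa-f]+)\s+(?P=tag)//\s*$"
)

VARIANT = {"2010QBP": "WEBC2-QBP", "AABB": "WEBC2-AABB"}


def find_webc2_comments(html):
    """Return one dict per HTML comment that matches the WEBC2 command layout."""
    hits = []
    for comment in COMMENT_RE.finditer(html):
        body = BODY_RE.match(comment.group(1))
        if body is None:
            continue
        blob = body.group("blob")
        hits.append({
            "variant": VARIANT[body.group("tag")],
            "meta_prefix": body.group("meta") is not None,
            "offset": comment.start(),
            # Odd-length hex cannot be a byte string; keep the hit but flag it.
            "ciphertext": bytes.fromhex(blob) if len(blob) % 2 == 0 else None,
            # DES works on 8-byte blocks, so real commands are 16-hex-char aligned.
            "block_aligned": len(blob) % 16 == 0,
        })
    return hits


# Constructed page: one benign comment, the QBP string quoted in the post,
# a constructed AABB comment, and the marker outside any comment.
SAMPLE_PAGE = (
    "<html><body><!-- site navigation -->\n"
    "<!--<2010QBP 2FB6D82DC70665D5F0B06B8614D6E295C25ABC5B84DCE21E 2010QBP//-->\n"
    "<!--META=<AABB 0123456789ABCDEF0123456789ABCDEF AABB//-->\n"
    "<p>AABB// in page text, not in a comment</p></body></html>"
)

if __name__ == "__main__":
    for hit in find_webc2_comments(SAMPLE_PAGE):
        print(hit["variant"], hit["offset"], hit["block_aligned"])
```

Matching on the full comment layout rather than the bare "AABB//" trailer keeps ordinary page text that happens to contain the marker from being flagged.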
Previous Infrastructure Associations:
In reviewing the dynamic C2 domain at “downloads.zyns[.]com” we can confirm that the domain was likely active between late May 2012 and mid November 2012. Within that six-month timeframe, the "downloads.zyns[.]com" domain resolved to 122.155.3[.]140, which has also been used to host over a dozen other “Comment Crew” C2 domains. However, as of late April 2013, "downloads.zyns[.]com" has resolved to 108.177.181[.]66. Researching "downloads.zyns[.]com" within OpenDNS’s Security Graph reveals that there are only a few instances of observed DNS requests originating from Chinese sources during April 19th and 20th 2013. This activity, in addition to the April 19 compile time and upload to the HFS server, could be indicative of functions testing and pre-operational staging.
Since February, many within the security industry have been anxiously awaiting confirmation that “Comment Crew” is still active. Their current targeting strategy is using legacy capabilities, with slight modifications, keeping with what has been previously observed in targeting campaigns. This new activity directly corresponds with the upcoming NDIA MODSIM Aerospace and Defense industry conference (April 30 through May 2, 2013) and could serve as evidence of pre-operational staging or testing.
The totality of evidence leads us to believe that “Comment Crew” is still in the game and up to their old tricks, using familiar tactics to target their victims. The February disclosure appears to have done little to stem the onslaught of cyber espionage from this or other Chinese threat groups.
The information related to this blog posting has been shared within Incident “20130424: Return of the Crew” to members of the ThreatConnect.com community. If you are an organization that has been affected by the “Comment Crew” threat group and would like to work collaboratively with other organizations, or you are interested in acquiring additional crowdsourced threat intelligence, please join the ThreatConnect community by registering for a free account at ThreatConnect.com.
Associated Yara Rule:
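rule WEBC2_AABB_QBP_placeholder // placeholder name: the original rule name is not preserved on this page
{
    meta:
        author = "Cyber Squared Inc"
        description = "Detection for new modified variant of WEBC2-QBP Comment Crew/APT1 binary. Also detects original WEBC2-QBP."
        in_the_wild = true
    strings:
        $aabb = "AABB//"
        $qbp = "QBP//"
        $strcmd = "dmd /c"
    condition:
        ($aabb and $strcmd) or ($qbp and $strcmd)
}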