- CyberSpy -
Last update 09.10.2017 12:36:27
Recently discovered RANCOR cyber espionage group behind attacks in South East Asia
27.6.2018 securityaffairs CyberSpy
Security researchers at Palo Alto Networks have uncovered a new cyber espionage group tracked as RANCOR that has been targeting entities in South East Asia.
According to the experts, the RANCOR APT group has been targeting political entities in Singapore, Cambodia, and Thailand, and likely in other countries, using two previously unknown strains of malware. The two malware families are tracked as DDKONG and PLAINTEE.
The hackers leverage spear phishing messages using weaponized documents containing details taken from public news articles on political news and events. These decoy documents are hosted on legitimate websites, such as the website of the Cambodia Government, and Facebook.
“Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan,” reads the analysis published by Palo Alto Networks.
“Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.”
The recent campaign appears related to the KHRAT Trojan, a backdoor associated with the China-linked APT group tracked as DragonOK, which has used malware families including NetTraveler (TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in past campaigns.
The KHRAT RAT provides attackers with the typical set of RAT features, including remote access to the victim system, keylogging, and remote shell access.
One of the IP addresses for the domains associated with the KHRAT backdoor led the researchers to websites mimicking popular technology companies (e.g. facebook-apps[.]com). The experts linked two malware samples to that domain: PLAINTEE and a loader. In total they were able to analyze only six samples, which belonged to two separate infrastructure clusters.
Palo Alto researchers discovered that both clusters were involved in the campaigns that targeted organizations in South East Asia.
Experts found at least one attack against a company leveraging a Microsoft Office Excel document with an embedded macro to execute the malware. The malware was hidden in the EXIF metadata property of the document. This technique was used last year by the Russia-linked APT group Sofacy.
Researchers uncovered another attack leveraging an HTML Application file (.hta), and a series of attacks that used DLL loaders.
“We identified three unique DLL loaders during this analysis. The loaders are extremely simple with a single exported function and are responsible for executing a single command.” continues the analysis.
DDKONG was first detected in February 2017 and has also been used by other attackers in the wild, whereas PLAINTEE appears to be used exclusively by the RANCOR group.
An interesting feature of the PLAINTEE malware is its use of a custom UDP protocol for network communications.
“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families.” Palo Alto concludes. “These families made use of custom network communication to load and execute various plugins hosted by the attackers,”
RANCOR Cyber Espionage Group Uncovered
26.6.2018 securityweek CyberSpy
A cyber espionage group that has remained undetected until recently, has been targeting South East Asia with two previously unknown malware families, according to Palo Alto Networks.
The group, referred to as RANCOR, has been targeting political entities in Singapore, Cambodia, and Thailand, but might have hit targets in other countries as well. The group mainly uses two malware families, DDKONG and PLAINTEE, the latter apparently being a new addition to its arsenal.
According to Palo Alto's researchers, the attacks likely begin with spear phishing emails and use decoy documents containing details taken from public news articles on political news and events. These documents are hosted on legitimate websites, including a website belonging to the Cambodia Government, and Facebook.
The newly discovered campaign appears related to the KHRAT Trojan, a backdoor associated with the China-linked cyber espionage group known as DragonOK.
One of the IPs the KHRAT associated domains started resolving to in February 2018 led the researchers to websites mimicking popular technology companies, including one named facebook-apps[.]com. The researchers connected two malware samples to the domain, namely a loader and PLAINTEE.
Only six samples of the malware were found, and the researchers managed to link them to two infrastructure clusters that do not appear to overlap. Both clusters, however, were involved in attacks targeting organizations in South East Asia, and the malware was observed using the same file paths in each cluster.
At least one of the attacks used a Microsoft Office Excel document with an embedded macro to launch the payload. The main malicious code was embedded in an EXIF metadata property of the document. In another attack, an HTML Application file (.hta) was used, while other attacks used DLL loaders.
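Both write-ups above (the securityaffairs piece and this one) describe the same Excel lure: a macro that pulls its real payload out of a document metadata property, the technique Sofacy had used the year before. The scanner below is an added example, not code from Palo Alto Networks or from either article, that checks an Office Open XML package for that combination: a VBA project plus a metadata property in docProps/core.xml or docProps/app.xml that is oversized or decodes as base64 (the report's "EXIF metadata" is the tool-reported view of those same properties, which VBA can read through BuiltinDocumentProperties). The sample packages, the fake "MZ"-prefixed payload and the 256-character threshold are constructed here for illustration; the heuristic is mine and will also flag legitimately long property values, so treat hits as triage leads rather than verdicts.

```python
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Parts of an Office Open XML package where document properties live. VBA reaches
# them through BuiltinDocumentProperties, which is how a macro can read a payload
# stashed in, say, the Comments or Description field.
METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _decode_if_base64(text):
    """Return the decoded bytes if `text` is a base64 blob of useful size, else None."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 32 or not BASE64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def scan_package(ooxml_bytes, max_len=256):
    """Flag metadata properties that are oversized or decode as base64, and
    report whether the package carries a VBA project at all."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        names = zf.namelist()
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        for part in METADATA_PARTS:
            if part not in names:
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                text = (el.text or "").strip()
                if not text:
                    continue
                decoded = _decode_if_base64(text)
                if len(text) > max_len or decoded is not None:
                    findings.append({
                        "part": part,
                        "property": el.tag.rsplit("}", 1)[-1],  # drop the XML namespace
                        "length": len(text),
                        "base64": decoded is not None,
                        # A decoded blob starting with 'MZ' is almost certainly a PE file.
                        "pe_header": decoded is not None and decoded[:2] == b"MZ",
                    })
    return {"has_vba_project": has_vba, "findings": findings}


# --- Constructed sample packages (not real RANCOR documents) -------------------
CORE_XML = (
    "<cp:coreProperties"
    " xmlns:cp='http://schemas.openxmlformats.org/package/2006/metadata/core-properties'"
    " xmlns:dc='http://purl.org/dc/elements/1.1/'>"
    "<dc:title>Quarterly figures</dc:title>"
    "<dc:description>{description}</dc:description>"
    "</cp:coreProperties>"
)
APP_XML = (
    "<Properties xmlns='http://schemas.openxmlformats.org/officeDocument/2006/extended-properties'>"
    "<Application>Microsoft Excel</Application></Properties>"
)


def build_sample(description, with_vba=False):
    """Build a minimal OOXML-shaped zip; `description` must be XML-safe text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("docProps/core.xml", CORE_XML.format(description=description))
        zf.writestr("docProps/app.xml", APP_XML)
        if with_vba:
            # Fake OLE signature only; a real vbaProject.bin is a full OLE2 compound file.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


FAKE_PAYLOAD = b"MZ" + b"\x90" * 70  # stand-in for a PE, not real malware
MALICIOUS_DOC = build_sample(base64.b64encode(FAKE_PAYLOAD).decode(), with_vba=True)
BENIGN_DOC = build_sample("Q2 political briefing, internal draft")

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOC), ("benign", BENIGN_DOC)):
        print(label, scan_package(doc))
```

To run it against a real file, pass `open(path, "rb").read()` to `scan_package`. A hit with `has_vba_project` true and a base64-decodable property is the pattern worth pulling the VBA source for (olevba or similar); a long but non-base64 property on its own is usually just a verbose author.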
One of the DLLs downloaded a decoy from a government website that was previously used in a KHRAT attack and two DLLs (out of three) were found hosted on this same compromised website (the domain was likely hacked again in early 2018).
First observed in February 2017, the DDKONG malware might be used by multiple threat actors.
First observed in October 2017, PLAINTEE appears to be exclusively used by the RANCOR attackers. The malware uses a custom UDP protocol for its network communications, can add persistence on the victim machine, ensures only a single instance is running, and then starts collecting general system information.
The malware also beacons to the command and control (C&C) server and attempts to decode a configuration blob. After the server responds, the malware spawns several new threads to load and execute a new plugin that is to be received from the C&C in the form of a DLL with an export function of either ‘shell’ or ‘file’.
The researchers believe the attackers were sending commands to the malware manually, due to a long period of delay between these commands (automated commands are performed quicker).
“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families. These families made use of custom network communication to load and execute various plugins hosted by the attackers,” Palo Alto concludes.
FireEye Denies Hacking Back Against Chinese Cyberspies
26.6.2018 securityweek CyberSpy
In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.
Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.
In his book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” Sanger describes how he was allowed to watch Mandiant hack into the hackers’ systems. An excerpt of Sanger’s book shared on Twitter by Thomas Rid, a Professor of Strategic Studies at Johns Hopkins University, reads:
“Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks.
The hackers, just about all of them male and most in their mid twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.
One day I sat next to some of Mandia's team, watching the Unit 61938 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts [...].”
In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”
FireEye says it does not hack back
“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”
“Hacking back,” the term used to describe a cyberattack victim – or someone hired by the victim – hacking into the systems of the attacker, is a controversial practice, and only a few cybersecurity firms have admitted doing it.
FireEye claims that what Sanger described as hacking back were actually video recordings of the attackers interacting with their malware command and control (C&C) servers. The firm has published one of the videos it presumably showed the reporter.
“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye explained.
While some industry professionals have accepted FireEye’s explanation for how it obtained data on the hackers’ personal online activities, Sanger’s claim that he saw APT1 members wearing leather jackets raises a lot of questions. FireEye has not specifically addressed this issue in its statement, but SecurityWeek is trying to obtain some clarifications from the company. In the meantime, experts have offered more or less plausible explanations for how the reporter may have seen what he believed were the hackers.
Richard Bejtlich, who worked for Mandiant and then FireEye between 2011 and 2017, including as Chief Security Strategist, has corroborated FireEye’s statement.
“At no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems,” Bejtlich wrote in a blog post. “During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”