Posts

Method – MirageFox Malware

On June 18th, malware researcher, Jay Rosenberg released some interesting findings on a binary that was analyzed by the company Intezer. The code was retrieved through VirusTotal hunting. VirusTotal is a tool used by the global cybersecurity community that allows users to upload suspicious executables to an engine to check if antivirus vendors detect anything bad about the file. The Intezer analysis revealed that the binary shared code with a remote access tool (RAT) was very similar to the code that had been mentioned in the 2017 campaign documented by NCC Group where the hacker group APT 15 had hacked entities within the UK Government.

This indicates that the group APT 15 had built a variation of their RoyalAPT malware mentioned by the NCC Group. This malware could’ve then potentially been used to perform a separate attack perhaps on an additional entity. During the article, the author states “Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” This infers that the author believes the MirageFox and US Navy Contractor hack are tied together. As a result, we have seen additional sources claiming that APT 15 was likely behind the US Navy hack of Operation Sea Dragon. We’d like to point out that the findings of the malware author do not prove this and this is only based on speculation at this time.

Some very interesting findings in the report are the command and control used within the binary. The IP address of the call home was 192.168.0.107. This is an internal IP address used within internal networks. This indicates that the command and control server was on the inside of the network, possibly on a VPN. This is a very abnormal configuration from the attacker and will throw off several types of perimeter security controls without special configuration.

The Proficio Threat Intelligence Recommendations:

  • Block hashes of IOCs on the corporate endpoint solution if possible. The researcher stated the binaries at the time of research had a low antivirus detection rate.
  • Note the internal command and control server and think about this type of attack when configuring perimeter IDPS technologies that look for outbound traffic as a means of command and control.
  • Potentially treat your internal VPN network ranges as an external network when configuring your IDPS controls. The organization will have to validate this will not result in false positive IDPS triggers.

Source of analysis – Click Here

Actor – APT 15 / Vixen Panda

A suspected state-sponsored Chinese threat actor that is known as APT 15 (FireEye) or Vixen Panda (Crowdstrike), and activity documented as Operation Ke3chang (FireEye and Palo Alto) has recently resurfaced again in conversations. The activity of this group was suspected to start as early as 2009. The first major public release of information on this threat actor was in FireEye’s “OPERATION KE3CHANG – Targeted Attacks Against Ministries of Foreign Affairs” whitepaper in 2014. In the whitepaper, FireEye detailed how spear phishing emails were used to install backdoors. The most discussed malware mentioned in the whitepaper was a BS2005 backdoor that has been used to trace back activity by the attacker over the years. In the attack, several broad sectors like aerospace, energy, government, and manufacturing, were mentioned as being targeted.

The next major publication of activity related to the actor came from Palo Alto in 2016. In the publication, it traced a new “TidePool” malware with many similarities to the previously used BS2005 malware. The targets in this attack were stated to be against Indian embassy personnel worldwide.

The most recent publication that has surfaced for an attack directly attributed to APT 15 is from the NCC Group, where the organization claims to have uncovered two previously unknown backdoors (RoyalDNS and RoyalCLI) that have similarities to BS2005. The attack which appeared to occur from May 2016 until late 2017, targeted UK government departments. The information regarding the breach was not published until March of 2018.

The next development that is surfacing now is from security researchers attempting to attribute the major 2018 US Navy Contractor hack to APT 15. In the attack, 614 gigabytes of material related to the US Navy’s “Sea Dragon” Project were stolen by attackers. Researchers are drawing conclusions around an updated backdoor known as MirageFox (again with similarities to the BS2005 malware), and state that this may have been used in the compromise. At this time, based on reviewed intelligence from Intezer and other firms, Proficio believes with that these claims are loose associations and only speculative at this time. Additional future information may attribute to the hack with APT 15 as well.

The Proficio Threat Intelligence Recommendations:

  • Implement phishing training for employees
  • Have a procedure to have employees forward suspicious emails to security operations for analysis

FireEye Analysis from 2014 – Click Here
Palo Alto Analysis from 2016 – Click Here
NCC Group Analysis from 2018 – Click Here
Intezer’s MirageFox Analysis from 2018 – Click Here

Method: Roaming Mantis Malware

Kaspersky Labs has detailed Android malware mainly targeting Chinese and Korean users. The malware is designed to steal two-factor authentication codes for Google accounts sent via SMS/MMS.

Kaspersky Labs has detailed a lot of the interesting technical elements of the malware. For example, command and control for samples analyzed were found to lookup strings of web pages hosted on legitimate sites such as sohu.com and baidu.com. Kaspersky also believes the initial infection vector for the Android devices were compromised routers in Asia. The routers were redirecting Android devices towards malicious sites via DNS hijacking. The malware does have a component that appears to target English speaking users, but the HTML code within the malware is written in broken English. Most researchers after additional analysis have attributed this malware to cybercriminals focusing on Chinese and Korean targets.

Proficio Threat Intelligence Recommendations:

  • Do not allow users that have Android devices to bring “rooted” devices into corporate networks (rooted devices were targeted in this campaign)
  • Routers in this attack allowed attackers to perform DNS hijacking in this campaign. Monitoring corporate routers for attacks and compromise should be performed by security operations
  • SOCs (security operation centers) often detect BYOD infected cellular devices in guest networks or corporate wireless networks. Corporate IT should decide on an action (or no action) to be taken when these detections occur

General Information – Click Here

Attacker: Actor – TEMP.Periscope / Leviathan

The threat actor TEMP.Periscope (FireEye) / Leviathan (Proofpoint) has been observed running targeted spear phishing campaigns against maritime and engineering targets. The threat actors appear to be tied to Chinese espionage. The TTPs of this threat actor are what are normally expected from a state sponsored level threat actor. Some of the interesting tools used include “LUNCHMONEY” (FireEye), a utility used to exfiltrate data to Dropbox, and BLACKCOFFEE (FireEye), a tool used to obfuscated data on Microsoft Technet pages as command and control.

Technical analysis of TTPs used by TEMP.Periscope – https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Info on spear phishing campaigns detected attributed to Leviathan. – https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

Technical information on the BLACKCOFFEE tool. – https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html

Proficio Threat Intelligence Recommendations:

  • If the capability is available, ban the hashes of the IOCs identified by FireEye from running in your organization.
  • Consider banning certain cloud storage, such as Dropbox, if it does not have a business case within the organization.