Tag

apt

Browsing

iTnews reports Slingshot, a highly advanced malware, has remained hidden for six years and was just recently discovered:

They were unable to pinpoint how Slingshot infected all of its targets, however in several cases the malware’s operators targeted routers and used them as a springboard to attack computers within a network.

“The initial loader replaces the victim’s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others,” Kaspersky Lab reported.

“While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.”

Slingshot likely used other methods – like zero-day vulnerabilities – to attack targets, Kaspersky Lab said.

After infection Slingshot downloads a variety of additional modules onto the victim device. The two most powerful modules – GollumApp and Cahnadr – are connected and can support each other in gathering data.

Slingshot appears targeted towards espionage; Kaspersky Lab said the malware was used to log desktop activity, steal data from the clipboard, and collect information about open windows, keyboard data, and network data, among other things.

Considering Slingshot is targeting espionage, it may be backed by nation state actors. Now the questions is: which nation state stands to benefit from spying on, and exfiltrating data from, the thus-far identified victims in the Middle East and Africa since 2012?

One local sophisticated player comes to mind: Iran.

OceanLotus appears to have modified its tactics and is now using compromised web sites for its targets in their ongoing espionage campaign:

The group has begun using compromised websites to profile and target entities of interest to the Vietnamese government, Volexity says.

OceanLotus, an APT actor that over the past few years has been conducting a sophisticated digital surveillance campaign aligned with Vietnamese state interests, has built out a massive attack infrastructure of compromised websites.

OceanLotus, aka APT32, has compromised over 100 websites, the vast majority of which belong to organizations and individuals critical of the government in Vietnam.

The use of compromised websites to lure victims is a new development for OceanLotus and shows how sophisticated threat actors manage to stay a step ahead of defenders by constantly switching tactics.

Once a website has been compromised, OceanLotus has used different methods to identify site visitors and drop different payloads on their systems.

In addition to building out a big network of compromised websites to stage and deliver malware to selected victims, OceanLotus has also managed to build a massive backend infrastructure to facilitate its core data collection activities.

Maturing malicious actors are a huge risk to organizations in their crosshairs.

It has been a few days since the Japan Pension System data leak of 1.2 million cases of PII came to light and enough time for forensics to, at least, produce some theories about the attack source and vector. According to Kaspersky in Japan – and this is news I have yet to see on any English language web site – “Blue Termite” APT used to penetrate Japan Pension System was 100% targeted only at Japan:

Blue Termiteは100%日本を標的としたAPT攻撃であり、日本年金機構へのサイバー攻撃もその一環だとする一方で、標的は同機構だけではなく“日本全体”だと強調。たまたま情報が漏えいしたおかげで同機構では攻撃が発覚したに過ぎないとし、政府機関や報道機関をはじめ、防衛関連、エネルギー関連、航空宇宙産業、金融、化学、製造業、研究・学術機関、さらには情報通信事業者のクラウドサーバーまで、少なくとも300カ所がBlue Termiteのマルウェアに侵入されていることを明らかにした。

Blue Termiteは、「CloudyOmega(クラウディオメガ)」と呼ばれる攻撃者グループが展開している攻撃の1つ。その標的型攻撃メールとマルウェアが昨年秋、シマンテックやトレンドマイクロによって報告されていた。

 例えば、送信元が「健康保険組合運営事務局」というメールでは、Wordの文書ファイルを装った「健康保険のお知らせ」というファイルが添付されているが、実際は自己解凍型の実行ファイル(.exe)であり、これを開いてしまうと、ダミーのWord文書が表示される裏でマルウェアの本体が実行されて感染。攻撃者の指令サーバー(C&Cサーバー)との通信を開始し、情報窃取などの活動を行う。

Kaspersky Labs reports the malicious actors are targeting a variety of Japanese sectors, including government, defense industry, critical infrastructure, aerospace, financial, manufacturing, and academia. Analysis of cloud service providers reveals there may be over 300 web sites infected and distributing the malware. Additionally, according to reports by Symantec and Trend Micro, the activity has been traced to a group known as CloudyOmega and their “blue termite” attack leverages phishing, the most common and successful vector today.

As with most campaigns of this type, the emails carry a malicious payload and are written in such a convincing manner that it is very difficult for the average recipient to distinguish the authenticity. Most of the phishing emails contain a disguised Word attachment called “Notice of health insurance” that is actually a self-extracting executable (.exe), and when open will launch a window appearing to be Microsoft Word and displaying the ostensible notice. The malware then initiates a command-and-control connection in the background without the users knowledge. This is when the so-called magic happens allowing the malicious actors to siphon information out of the computer and any network connections it has established.

Kaspersky Labs states the C&C activity began around September 18, 2014. In the timeframe of October through December, there were upwards of 100 C&C connections each day until the activity subsided. Then suddenly in April 2015, a mere two months ago, C&C communication activity was resurrected, with approximately 140 cases seen per day.

Once the C&C channel is established with the victim, the actors analyze the directories and files to determine whether or not the machine has valuable data worth extracting. If not, the activity ceases. Otherwise, additional hacking tools are dropped onto the machine to aid the actors in obtaining the data. These tools assist the actors in lateral movement across the network, as well as hijacking mail account and web browser information.

It is likely this will not be the last time we hear about Blue Termite and CloudyOmega being responsible for data compromises in Japan. What I find the most interesting is how Blue Termite appears to be solely targeted at Japan, with no trace of this malware having been used in any other country. More to the point, there is not a single English language web site discussing Blue Termite, strengthening the theory this attack was aimed solely at Japan.

There are three outstanding questions at this point:

  1. Is CloudyOmega a nation state attacker, hacktivist, or group of script kiddies sitting in a basement? The sophistication of the attack points more towards nation state or, at least, a tightly-knit group of very capable actors. From the motive perspective, nation state is the most plausible.
  2. If CloudyOmega is nation state, which nation – China, North Korea, Russia, or someone else? The type of data stolen is seemingly only beneficial to a nation state attacker because there is no obvious valuable way to monetize the compromised Japan Pension System PII.
  3. Lastly, the timing of the JPS and OPM attacks are highly curious. Is there any relationship between the two?

There will likely be a lot more questions arising in the coming days than answers. I will add additional reporting as more information becomes available.

Disclosure: I work for Intel Security, a Kaspersky, Trend Micro, and Symantec competitor.