Attack Groups Operate in Parallel

Monday, September 15, 2014 @ 03:09 PM gHale

Two attack campaigns by different groups in separate regions of China appear to be operating in parallel, but on different targets, researchers said.

The first group, named Moafee, appears to operate from the Guangdong Province and is targeting military and government organizations in countries with interests in the South China Sea, said researchers at FireEye. This includes targets within the defense industry in the United States.

Dragonfly: Pharma Industry Targeted
Mitigating Havex, an ICS Threat
Havex an ICS Game Changing Threat
Havex Varient Brings Attack via OPC

The second group, known as DragonOK, focuses on high-tech and manufacturing companies in Japan and Taiwan with the likely goal of economic espionage, according to the researchers.

“It seems that both groups, while operating in distinctly different regions, either 1) collaborate, 2) receive the same training), 3) share a common toolkit supply chain, or 4) some combination of these scenarios, which means they are employing a ‘production line’-type approach to initiating cyber attacks to breach defenses,” the researchers blogged. “Both campaigns use similar tools, techniques and procedures (TTPs) – including custom-built backdoors and remote-administration tools (RATs) to infiltrate their targets’ networks.”

Moafee and DragonOK use the HUC Packet Transmit Tool (HTRAN) proxy tool to hide their geographical locations, and use password-protected documents and large file sizes to disguise their attacks. Among the tools used by both groups are Mongall, Nflog, PoisonIvy and CT/NewCT/NewCT2.

“Both Moafee and DragonOK favor spear-phishing emails as an attack vector, often employing a decoy to deceive the victim,” the researchers said. “The emails are well crafted and audience specific, even written in the intended victim’s native language. Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document. We also observed both groups using decoy documents that are presented to the victim while the malware runs in the background.”

The Moafee group was running HTRAN proxies on multiple command and control servers operated on CHINANET and hosted in Guangdong Province, the researchers said. DragonOK was running HTRAN to proxy their command and control servers as well, they said. Their command and control servers were also on CHINANET but hosted in the Jiangsu Province.

The researchers said they also found a third, separate group that appears to use the same tools, techniques and procedures, including the same custom backdoors and RATs. However, the researchers stated they do not have enough insight to establish a connection to the other two groups.

FireEye plans to publish a report in the future about the two related campaigns.

Leave a Reply

You must be logged in to post a comment.