Cyber Espionage Program Making Rounds

Tuesday, May 21, 2013 @ 05:05 PM gHale

A new, massive cyber espionage campaign is hitting as many as 71 victims each day, including government ministries, technology companies, academic research institutions, nongovernmental organizations and media outlets, researchers said.

The “Safe” campaign first surfaced in October 2012. Since then, nearly 12,000 unique IP addresses spread over more than 100 countries have connected to two sets of command-and-control (C&C) infrastructure, but the actual number of targets appears to be smaller: many of these addresses fall within specific network blocks and so are probably used by the same organization, Trend Micro researchers said.
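The reasoning in the paragraph above, collapsing the IP addresses seen connecting to a C&C server into network blocks to estimate how many distinct organizations sit behind them, as an added Python example (not Trend Micro's code; the log lines are constructed and the /24 block size is an assumption):

```python
import ipaddress
import re
from collections import defaultdict

# Constructed C&C web-server access-log excerpt (sample data, not real victim traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2013:08:01:14 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.11 - - [12/May/2013:08:01:20 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.12 - - [12/May/2013:08:02:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [12/May/2013:09:15:44 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [12/May/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.200 - - [12/May/2013:10:30:09 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.201 - - [12/May/2013:10:31:00 +0000] "GET /index.php HTTP/1.1" 200 512
not a log line at all
"""

# Common Log Format: the client address is the first whitespace-delimited field.
_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def parse_client_ips(log_text):
    """Return the client IP of every well-formed log line, in order (duplicates kept)."""
    ips = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # first field was not a valid IP address
    return ips


def collapse_to_blocks(ips, prefixlen=24):
    """Group unique IPs by enclosing network block (assumption: one block ~ one organisation)."""
    blocks = defaultdict(set)
    for ip in set(ips):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)].add(ip)
    return dict(blocks)


def summarize(log_text, prefixlen=24):
    """Connection count, distinct-IP count and distinct-block count for one log excerpt."""
    ips = parse_client_ips(log_text)
    blocks = collapse_to_blocks(ips, prefixlen)
    return {"connections": len(ips), "unique_ips": len(set(ips)), "unique_blocks": len(blocks),
            "largest_block": max(blocks, key=lambda b: len(blocks[b]), default=None)}
```

Seven connections from six addresses collapse to three /24 blocks, which is the gap between "unique IP addresses" and "targets" the article describes.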


“Investigating and monitoring the activities of the Safe campaign over time, we were able to take advantage of the mistakes the attackers made and thus gain a deeper understanding of their operations,” the researchers wrote in a whitepaper.

“One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.”

The attacks start via Tibetan- and Mongolian-themed spear-phishing emails containing a malicious MS Word file specifically designed to exploit a vulnerability (CVE-2012-0158) in older versions of the software.

The decoy document would open while, in the background, malicious files were dropped onto the system in preparation for the second stage of the attack: the downloading and running of additional malware and tools, including off-the-shelf programs able to extract saved passwords from Internet Explorer and Mozilla Firefox as well as any stored Remote Desktop Protocol (RDP) credentials.

Analysis of the IP addresses contacting the two C&C servers found that most targeted systems were in Mongolia, India, the U.S., China, Pakistan and the Philippines. A closer look at the C&C servers also allowed the researchers to identify the tools and source code the attackers used to create, distribute, and encrypt/decrypt data.

The malware author appears to be China-based, and the researchers believe him to be a professional software engineer.

“The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers. These qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science,” they said.

“Apart from being significantly well-organized and well-commented, the code was also developed with defensive programming in mind. Each of the variables was named in a very obvious manner, helping other engineers easily distinguish functionality; again, a trait seen in the work of many professional software engineers. In addition to being heavily commented on and using intuitive variable naming conventions, the code also had an apparent slant toward usability. Each interface was very intuitive and well-designed, something not often seen in the code of a hobbyist.

“The use of terms like ‘bot,’ combined with the author’s posting of the malware code to code-sharing sites, indicate a degree of familiarity with the cybercriminal underground in China.”

But the campaign’s operators remain a mystery due to their use of VPNs and proxy tools.

Click here for a copy of the Trend Micro whitepaper.
