Introduction
The attackers referred to as APT12 (also known as IXESHE, DynCalc,
and DNSCALC) recently started a new campaign targeting organizations
in Japan and Taiwan. APT12 is believed to be a cyber espionage group
thought to have links to the Chinese People's Liberation Army. APT12's
targets are consistent with larger People's Republic of China (PRC)
goals. Intrusions and campaigns conducted by this group are in-line
with PRC goals and self-interest in Taiwan. Additionally, the new
campaigns we uncovered further highlight the correlation between APT
groups ceasing and retooling operations after media exposure, as APT12
used the same strategy after compromising the New York Times in Oct
2012. Much like Darwin’s theory of biological evolution, APT12 been
forced to evolve and adapt in order to maintain its mission.
The new campaign marks the first APT12 activity publicly reported
since Arbor Networks released their blog “ href="http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/">Illuminating
The Etumbot APT Backdoor.” FireEye refers to the Etumbot
backdoor as RIPTIDE. Since the release of the Arbor blog post, FireEye
has observed APT12 use a modified RIPTIDE backdoor that we call
HIGHTIDE. href="/content/fireeye-www/en_US/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html">This
is the second time FireEye has discovered APT12 retooling after a
public disclosure. As such, FireEye believes this to be a common
theme for this APT group, as APT12 will continue to evolve in an
effort to avoid detection and continue its cyber operations.
FireEye researchers also discovered two possibly related campaigns
utilizing two other backdoors known as THREEBYTE and WATERSPOUT. Both
backdoors were dropped from malicious documents built utilizing the
“Tran Duy Linh” exploit kit, which exploited CVE-2012-0158. These
documents were also emailed to organizations in Japan and Taiwan.
While APT12 has previously used THREEBYTE, it is unclear if APT12 was
responsible for the recently discovered campaign utilizing THREEBYTE.
Similarly, WATERSPOUT is a newly discovered backdoor and the threat
actors behind the campaign have not been positively identified.
However, the WATERSPOUT campaign shared several traits with the
RIPTIDE and HIGHTIDE campaign that we have attributed to APT12.
Background
From October 2012 to May 2014, FireEye
observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that
communicates via HTTP to a hard-coded command and control (C2) server.
RIPTIDE’s first communication with its C2 server fetches an encryption
key, and the RC4 encryption key is used to encrypt all further communication.
Figure 1: RIPTIDE HTTP GET Request Example
In June 2014, href="http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/">Arbor
Networks published an article describing the RIPTIDE backdoor
and its C2 infrastructure in great depth. The blog highlighted that
the backdoor was utilized in campaigns from March 2011 till May 2014.
Following the release of the article, FireEye observed a distinct
change in RIPTIDE’s protocols and strings. We suspect this change was
a direct result of the Arbor blog post in order to decrease detection
of RIPTIDE by security vendors. The changes to RIPTIDE were
significant enough to circumvent existing RIPTIDE detection rules.
FireEye dubbed this new malware family HIGHTIDE.
HIGHTIDE Malware Family
On Sunday August 24, 2014 we observed a
spear phish email sent to a Taiwanese government ministry. Attached to
this email was a malicious Microsoft Word document (MD5:
f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It
is worth noting that this email appeared to have been sent from
another Taiwanese Government employee, implying that the email was
sent from a valid but compromised account.
Figure 2: APT12 Spearphishing Email
The exploit document dropped the HIGHTIDE backdoor with the
following properties:
The HIGHTIDE backdoor connected directly to 141.108.2.157. If you
compare the HTTP GET request from the RIPTIDE samples (Figure 1) to
the HTTP GET request from the HIGHTIDE samples (Figure 3) you can see
the malware author changed the following items:
Figure 3: HIGHTIDE GET Request Example
Similar to RIPTIDE campaigns, APT12 infects target systems with
HIGHTIDE using a Microsoft Word (.doc) document that exploits
CVE-2012-0158. FireEye observed APT12 deliver these exploit documents
via phishing emails in multiple cases. Based on past APT12 activity,
we expect the threat group to continue to utilize phishing as a
malware delivery method.
MD5 | valign="top">File Name | valign="top">Exploit |
valign="top">73f493f6a2b0da23a79b50765c164e88 | width="250" valign="top">議程最新修正及注意事項.doc | valign="top">CVE-2012-0158 |
valign="top">f6fafb7c30b1114befc93f39d0698560 | width="250" valign="top">0824.1.doc | valign="top">CVE-2012-0158 |
valign="top">eaa6e03d9dae356481215e3a9d2914dc | width="250" valign="top">簡易名冊0全國各警察機關主官至分局長.doc | width="100" valign="top">CVE-2012-0158 |
valign="top">06da4eb2ab6412c0dc7f295920eb61c4 | width="250" valign="top">附檔.doc | valign="top">CVE-2012-0158 |
valign="top">53baedf3765e27fb465057c48387c9b6 | width="250" valign="top">103年第3屆通訊錄.doc | valign="top">CVE-2012-0158 |
valign="top">00a95fb30be2d6271c491545f6c6a707 | width="250" valign="top">2014 09 17 Welcome Reception for Bob | valign="top">CVE-2012-0158 |
valign="top">4ab6bf7e6796bb930be2dd0141128d06 | width="250" | width="100" valign="top">CVE-2012-0158 |
Figure 4: Identified exploit documents for HIGHTIDE
When the file is opened, it drops HIGHTIDE in the form of an
executable file onto the infected system.
RIPTIDE and HIGHTIDE differ on several points: executable file
location, image base address, the User-Agent within the GET requests,
and the format of the URI. The RIPTIDE exploit document drops its
executable file into the C:\Documents and Settings\{user}\Application
Data\Location folder while the HIGHTIDE exploit document drops its
executable file into the C:\DOCUMENTS and SETTINGS\{user}\LOCAL
SETTINGS\Temp\ folder. All but one sample that we identified were
written to this folder as word.exe. The one outlier was written as winword.exe.
Research into this HIGHTIDE campaign revealed APT12 targeted
multiple Taiwanese Government organizations between August 22 and 28.
THREEBYTE Malware Family
On Monday August 25, 2014 we observed a different spear phish email
sent from lilywang823@gmail.com to a technology company located in
Taiwan. This spear phish contained a malicious Word document that
exploited CVE-2012-0158. The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11.
Similar to the newly discovered HIGHTIDE samples documented above,
this malicious document dropped a backdoor to C:\DOCUMENTS and
SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe. This backdoor had the
following properties:
This backdoor sent the following callback
traffic to video[.]csmcpr[.]com:
href="/content/dam/legacy/blog/2014/09/threebyte-wireshark.jpg"> width="434" height="36"
src="https://www.fireeye.com/content/dam/legacy/blog/2014/09/threebyte-wireshark.jpg"
alt="threebyte-wireshark" class="aligncenter size-full wp-image-6360 landscape-sm" />
Figure 5: THREEBYTE GET Request Beacon
The THREEBYTE spear phishing incident (while not yet attributed)
shared the following characteristics with the above HIGHTIDE campaign
attributed to APT12:
WATERSPOUT Malware Family
On August 25, 2014, we observed another round of spear phishing
emails targeting a high-technology company in Japan. Attached to this
email was another malicious document that was designed to exploit
CVE-2012-0158. This malicious Word document had an MD5 of
499bec15ac83f2c8998f03917b63652e and dropped a backdoor to
C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe. The
backdoor had the following properties:
The backdoor connects to a command and control server at icc[.]ignorelist[.]com.
Similar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an
HTTP-based backdoor that communicates with its C2 server.
Accept: image/jpeg, application/x-ms-application,
image/gif, application/xaml+xml, image/pjpeg,
application/x-ms-xbap, */*
User-Agent: Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;
.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
.NET4.0C; .NET4.0E)
Host: <C2 Location>
Cache-Control: no-cache
Figure 6: Sample GET request for WATERSPOUT backdoor
Although there are no current infrastructure ties to link this
backdoor to APT12, there are several data points that show a possible
tie to the same actors:
Conclusion
FireEye believes the change from
RIPTIDE to HIGHTIDE represents a temporary tool shift to
decrease malware detection while APT12 developed a completely
new malware toolset. These development efforts may have resulted
in the emergence of the WATERSPOUT backdoor.
Figure 7: Compile dates for all three malware
families
APT12’s adaptations to public disclosures
lead FireEye to make several conclusions about this threat
group:
Though public disclosures resulted in APT12
adaptations, FireEye observed only a brief pause in APT12
activity before the threat actors returned to normal activity
levels. Similarly, the public disclosure of APT12’s intrusion at
the New York Times also led to only a brief pause in the threat
group’s activity and immediate changes in TTPs. The pause and
retooling by APT12 was covered in the href="https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf">Mandiant
2014 M-Trends report. Currently, APT12 continues to target
organizations and conduct cyber operations using its new tools.
Most recently, FireEye observed HIGHTIDE at multiple
Taiwan-based organizations and the suspected APT12 WATERSPOUT
backdoor at a Japan-based electronics company. We expect that
APT12 will continue their trend and evolve and change its
tactics to stay ahead of network defenders.
Note: IOCs
for this campaign can be found href="https://github.com/fireeye/iocs/blob/master/APT12/2384c8ce-6eca-4d06-8aa4-151b53d9a6bc.ioc"
target="_blank">here.