Attacks/Breaches
4/22/2013
01:23 PM
Connect Directly
RSS
E-Mail
50%
50%

Chinese Hackers Seek Drone Secrets

"Comment Crew" gang that fanned fears of Chinese hacking launches malware that combs for drone technology information.

A notorious cyber-espionage gang is being blamed for a set of recently discovered spear-phishing attacks that aim to steal information relating to unmanned aerial vehicles (UAVs), better known as drones.

"The set of targets cover all aspects of unmanned vehicles, land, air, and sea, from research to design to manufacturing of the vehicles and their various subsystems," said James T. Bennett, a senior threat research engineer at FireEye, in a blog post.

Furthermore, the advanced persistent threat (APT) group behind both attacks, according to FireEye, is the gang known as the "Comment Crew," which was singled out in a recent report from Mandiant. The security firm accused the group, dubbed APT1, of being an elite Chinese military hacking unit based in Shanghai, known as the People's Liberation Army (PLA) Unit 61398, which is suspected of having attacked at least 141 organizations across numerous industries. Chinese government officials have denied those accusations.

[ U.S. intelligence agencies are using analysis software to identify security threats. Read more at Military Uses Big Data As Spy Tech. ]

Regardless of the group's sponsor, one recent set of attacks it launched targeted about a dozen organizations -- across the aerospace, defense, telecommunications and government sectors -- in both the United States and India, beginning in December 2011, if not earlier. But FireEye also found that the malicious infrastructure and command-and-control (C&C) servers used in the attacks are the same as those employed in a campaign known as Operation Beebus, so named for the related malware used by attackers, which was first submitted for testing to VirusTotal in April 2011. Including those spear-phishing attacks, which were discovered in February, FireEye now has a running total of 20 targets, including government-funded drone researchers in academia.

The earlier Beebus attacks involved malicious PDF and Word files -- with names such as "sensor environments.doc" and "RHT_SalaryGuide_2012.pdf" -- emailed to targets. The documents attempted to exploit a well-known DLL search order hijacking vulnerability in Windows and drop a malicious DLL file in the Windows directory.

In the latest series of attacks, the tactics have remained largely the same, although this time one of the decoy documents includes a reference to Pakistan's UAV program, while another appears to have been sent from a military email address at Joint Base Andrews in Maryland, titled "Family Planning Association of Base (FPAB)."

If a target opens the malicious document, it will attempt to exploit the Windows DLL vulnerability. If successful, the attack results in the installation of backdoor software known as Mutter, which uses what Bennett has dubbed a "hide-in-plain-sight" tactic in that the malicious file is 41 MB in size. "With rare exceptions, malware typically have a small size, usually no larger than a few hundred kilobytes," he said. "When an investigator comes across a file [that's] megabytes in size, he may be discouraged from taking a closer look."

To build the 41-MB file, the malware dropper first decodes a malicious DLL file -- only 140 KB in size -- that's included in the dropper's resource file, then places the DLL file onto the compromised system, proceeding to fill its resource section with randomly generated data, Bennett explained. "This has another useful side effect of giving each DLL a unique hash, making it more difficult to identify."

After infection, the malware will stay dormant for some period of time before attempting to exfiltrate data from the infected PC. That behavior mirrors that of the "wiper" malware that successfully exploited 48,000 systems at South Korean banks and broadcasters last month, although the malware isn't related.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.