

9/11/2014
07:35 PM

Franchising The Chinese APT

At least two different cyber espionage gangs in China appear to be employing uniform tools and techniques, FireEye finds.

Two Chinese cyber espionage gangs known for targeting very different industries and working out of different regions of the nation actually use some of the same or similar tactics, tools, and resources in their spying operations, researchers found.

Such collaboration and resource sharing has not typically been the MO among the majority of Chinese cyber espionage groups, and this could indicate an evolution in the nation's cyberspying operations toward more organized, streamlined, and cooperative operations, according to FireEye, which studied the inner workings of the groups.

Security researchers from other firms say this is a trend that has been evolving for some time.

"They use similar malware implants, backend infrastructure, and similar social engineering techniques. But they are distinct based on their mission focus and locations," says Thoufique Haq, senior research scientist at FireEye. "It's quite possible they are subgroups with their own mission focus."

The so-called Moafee gang, which targets military and government entities such as the US defense industry, and the DragonOK gang, which targets high-tech and manufacturing companies in Japan and Taiwan, operate out of different regions in China and constitute separate groups, researchers say. Moafee appears to operate out of Guangdong Province, and DragonOK appears to operate out of Jiangsu Province.

They use similar phishing emails and malicious attachment structures in their targeted campaigns: password-protected Office documents or ZIP files carrying malicious executables, along with decoy documents that are displayed to the victim while the malware runs in the background. Both also try to evade analysis by halting execution if only one CPU is detected, a sign that the sample may be running inside a virtual machine or sandbox rather than on a real workstation. Requiring the victim to type a password to open the attachment keeps antivirus engines and other security tools from inspecting its contents, and padding the files so that they appear larger helps them slip past host-based AV engines, FireEye has found.
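As an added example, not part of the original article or of FireEye's research, the following Python script shows how a mail-gateway or sandbox triage step could surface the three attachment-level evasions described above: password-protected OOXML documents (which Office stores as an OLE2 compound file rather than a ZIP), ZIP members with the encryption flag set, and executables padded with data after the last PE section. The sample files, the 1 MiB padding threshold and all function names are constructed here for illustration and are not indicators published by FireEye.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound file header
OOXML_EXTS = (".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm")
PAD_THRESHOLD = 1 * 1024 * 1024  # hypothetical: flag > 1 MiB of data past the last PE section


def pe_overlay_size(data: bytes) -> int:
    """Bytes appended after the last section of a PE file (the 'overlay').

    Padding a binary to make it look larger shows up here, because the
    section table still describes only the real image.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file (missing PE signature)")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + size_opt           # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections                # at least the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def zip_encrypted_entries(data: bytes) -> list:
    """Names of ZIP members whose general-purpose flag has bit 0 (encrypted) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [i.filename for i in z.infolist() if i.flag_bits & 0x1]


def office_is_password_protected(name: str, data: bytes) -> bool:
    """Password-protected OOXML is not a ZIP at all: Office wraps the encrypted
    package in an OLE2 compound file, so the magic bytes give it away."""
    return name.lower().endswith(OOXML_EXTS) and data.startswith(OLE_MAGIC)


def triage_attachment(name: str, data: bytes) -> list:
    """Return the evasion indicators from the article that this attachment shows."""
    findings = []
    if office_is_password_protected(name, data):
        findings.append("password-protected Office document")
    if data[:2] == b"PK":
        try:
            names = zip_encrypted_entries(data)
        except zipfile.BadZipFile:
            names = []
        if names:
            findings.append("password-protected ZIP entries: " + ", ".join(names))
    if data[:2] == b"MZ" or name.lower().endswith((".exe", ".scr")):
        try:
            overlay = pe_overlay_size(data)
        except ValueError:
            overlay = 0
        if overlay > PAD_THRESHOLD:
            findings.append(f"{overlay} bytes of padding after the last PE section")
    return findings


# ---- constructed samples (not real malware) -------------------------------

def build_pe(section_data: bytes) -> bytes:
    """Minimal PE32 skeleton with one section, just enough for the parser above."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)      # PE32 magic, rest zeroed
    raw_ptr = (e_lfanew + 4 + 20 + size_opt + 40 + 0x1FF) & ~0x1FF  # 512-byte alignment
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    return headers.ljust(raw_ptr, b"\x00") + section_data.ljust(raw_size, b"\x00")


def build_zip(member: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Store one member; optionally set the 'encrypted' flag bit in both headers
    (zipfile cannot write encrypted archives, so the flag is patched by hand)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + flag_off] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    padded_exe = build_pe(b"\xCC" * 100) + b"\x00" * (2 * 1024 * 1024)
    print(triage_attachment("report.exe", padded_exe))
    print(triage_attachment("invoice.zip", build_zip("invoice.exe", b"MZ", True)))
    print(triage_attachment("plan.docx", OLE_MAGIC + b"\x00" * 504))
```

Two caveats for anyone adapting this: legacy binary .doc/.xls password protection is recorded inside the file's own header structures rather than by an OLE wrapper, so the OOXML check above does not cover it; and the single-CPU evasion mentioned in the article is a sandbox-configuration problem rather than a file-scanning one, which is why analysis VMs are routinely given two or more virtual CPUs.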

Moafee and DragonOK also share backdoor malware, including CT/NewCT, NewCT2, Mongall, Nflog, and PoisonIvy, and both use the popular HTRAN proxy tool on their command-and-control servers to bounce connections and mask the servers' true locations.

"They are collaborating or a handoff is going on between the APT attackers… they are not completely isolated groups," Haq says.

His team could not determine just how successful the two APT groups have been in their cyberspying operations, but most of their operations are still under way. Though Moafee and DragonOK haven't been exposed much publicly before, they have been operating under the radar for some time.

"It's not very often you can gain insight into the methodology of a [cyber espionage] attacker," he says. "In the crimeware industry, you… have a good understanding of the payloads. In APTs, this usually happens behind the curtain."

Aviv Raff, CTO at Seculert, says he and his team have seen attackers sharing tools and resources. "There are even 'as-a-service' groups just for that. However, I think it's more important to understand the motive behind the attack, instead of trying to attribute it to a specific attacker."

Researchers at AlienVault also have seen Chinese APTs sharing zero-day exploits for several years, says Jaime Blasco, director of AlienVault Labs. "It seems there is either a supply chain or I would say a huge amount of information-exchanging and collaboration between groups operating in China," Blasco says.

What was the most surprising thing about the Moafee and DragonOK groups? "The most surprising aspect here is their use of very simple evasion techniques, such as detecting the CPU… that's been known about for more than a decade in the industry," Haq says. "I'm very surprised they were still able to use them and remain effective against their targets."

Meanwhile, FireEye says a third Chinese APT group may also be using some of the same tools and techniques as Moafee and DragonOK. "By sharing TTPs and coordinating joint attacks, these advanced threat actors are leveraging China's supply chain economic expertise to perform extensive worldwide espionage," FireEye's research team wrote in a blog post today.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
proxysp, User Rank: Apprentice
1/21/2015 | 9:24:31 AM
Re: Why no attempt to hide the China connection
My point is the VPN is too expensive for Chinese. You can check the top VPN prices;

I think Chinese really can't afford that.
GOSteen, User Rank: Apprentice
9/17/2014 | 10:44:57 AM
Re: Why no attempt to hide the China connection
You kinda hit the nail on the head with that one.  Many groups from all over the world have enjoyed using China as a false target.  Various hackers from Russia & Brazil as well as a few from the US tend to use this very tactic as it 'just makes sense'.
Sara Peters, User Rank: Author
9/15/2014 | 4:14:22 PM
fascinating
The attribution thing doesn't entirely stun me. After all, there have always been crime bosses with household names, who for whatever reason, couldn't be put in jail. 

But the fact that there are crime groups collaborating in some way definitely makes them seem like more of an official operation -- like different departments of a government -- than a crime family.
securityaffairs, User Rank: Ninja
9/15/2014 | 9:45:54 AM
Re: Chinese hackers on the rise
I confirm and I also add Crowdstrike
Kelly Jackson Higgins, User Rank: Strategist
9/15/2014 | 9:26:13 AM
Re: Chinese hackers on the rise
FireEye isn't the only one seeing these common MOs among different APT groups in China--Seculert and AlienVault Labs have been witnessing this trend, too. 
securityaffairs, User Rank: Ninja
9/14/2014 | 4:07:59 AM
Chinese hackers on the rise
This is another excellent analysis by the FireEye-Mandiant team. The researchers are elaborating a model to recognize patterns of attacks for similar groups and trigger an early warning. The groups mentioned in this post used well-known TTPs, something similar already seen in other attacks like the BeeBus campaign.

Both teams used custom malware, but neither is using zero-day exploits.

Anyway, these guys are able to exploit a large number of targets, and we are already paying the consequences.
Kelly Jackson Higgins, User Rank: Strategist
9/12/2014 | 2:38:37 PM
Re: Why no attempt to hide the China connection
That's a great point, @Lance. I know what you mean. It hasn't been a priority for many of the Chinese APTs to hide their geographic location. While they are fairly good at keeping a low profile inside the target, they don't seem to be too concerned about attribution. That being said, there is always the false flag potential in trying to ID an attacker. I think most researchers are pretty careful before they conclude an attack came out of China, or elsewhere. 
LanceCottrell, User Rank: Author
9/12/2014 | 2:06:12 PM
Why no attempt to hide the China connection
I am constantly amazed that these groups make so little effort to hide their location in China. It would be very easy for them to appear to be coming from somewhere else.

I often wonder how many attackers false flag to China because it meets the expectations of the defenders, so they don't do deeper investigations.