According to new research from soon-to-go-public security firm FireEye, the threat actors behind the attacks against the New York Times late last year appear to be using upgraded versions of their malware in a new wave of attacks.
These new attacks appear to be the “first significant stirrings from the group since it went silent in January” after a report exposed the group and its activities; security researchers believe the group is running a massive espionage operation out of China.
The newest campaign uses updated versions of Aumlib and Ixeshe, FireEye said.
According to the security firm, Aumlib now encodes certain HTTP communications and FireEye researchers spotted the latest malware variant when analyzing a recent attack against an organization involved in shaping economic policy. FireEye also said a new version of Ixeshe uses new network traffic patterns, possibly to evade traditional network security systems.
The Ixeshe attacks, which have been traced back to at least July 2009, have been used to secretly gain access to large multinational corporations. Trend Micro previously found that Ixeshe was targeting East Asian governments, electronics manufacturers, and telecommunications companies, and had used compromised servers housed inside targeted organizations as command-and-control (C&C) servers.
In a previous interview, Tom Kellermann, vice president of cybersecurity at Trend Micro, told SecurityWeek that the technique of using compromised servers as C&C servers was being adopted by elite hacker crews, and he rated the sophistication of the Ixeshe campaign as a 9.3 out of 10.
Interestingly, despite the assumed success of the attacks, the Aumlib malware itself had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011, FireEye said, noting that the recent updates are significant for both malware families.
“When a larger, successful threat actor changes up tactics, the move always piques our attention,” FireEye researchers Ned Moran and Nart Villeneuve noted in a blog post Monday. “Naturally, our first priority is ensuring that we detect the new or altered techniques, tactics, or procedures (TTPs). But we also attempt to figure out why the adversary changed — what broke? — so that we can predict if and when they will change again in the future.”
“We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode,” the researchers continued. “But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes.”
FireEye said the Aumlib sample (Backdoor.APT.Aumlib) found in use against an organization involved in shaping economic policy incorporated subtle changes that could be enough to evade existing IDS signatures designed to detect older variants of the Aumlib family.
For Ixeshe (Backdoor.APT.Ixeshe), FireEye analyzed a sample that appears to have targeted entities in Taiwan, activity consistent with previous Ixeshe targets. According to FireEye, the new Ixeshe variant produced network traffic that does not match the earlier pattern and has the potential to evade existing network traffic signatures designed to detect Ixeshe-related infections.
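The point FireEye makes about both families, that a small change in how a backdoor encodes its check-in traffic can slip past a signature written for the older build, is easy to see in code. The example below is added here for illustration and is not FireEye's code, nor real Aumlib or Ixeshe traffic: the URI, User-Agent, check-in format and the "legacy" rule are all invented. It runs a content-literal rule, and then the same rule after a cheap base64 normalisation step, over three constructed HTTP requests.

```python
import base64
import binascii
import re

# Constructed sample HTTP requests for illustration only. They are NOT real
# Aumlib or Ixeshe traffic; the URI, User-Agent and body format are invented.
_HEADERS = (b"POST /update.asp HTTP/1.1\r\n"
            b"Host: cdn.example.test\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
_CHECKIN = b"id=WKSTN-01&os=WinXP&cmd=idle"

# "Old" build: the check-in body is sent in the clear.
OLD_BEACON = _HEADERS + _CHECKIN
# "New" build: identical protocol and infrastructure, body now base64-encoded.
NEW_BEACON = _HEADERS + base64.b64encode(_CHECKIN)
# Benign form post sharing nothing but the HTTP method and content type.
BENIGN_POST = (b"POST /login HTTP/1.1\r\n"
               b"Host: intranet.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"user=alice&action=login")

# Hypothetical legacy IDS rule: a content match on the cleartext check-in format.
CHECKIN_PATTERN = re.compile(rb"^id=[A-Z0-9-]+&os=[^&]+&cmd=[a-z]+$")


def split_request(raw):
    """Split a raw HTTP request into (headers, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head, (body if sep else b"")


def legacy_signature_hits(raw):
    """Content-literal rule: fires only when the body is in the original cleartext form."""
    _, body = split_request(raw)
    return CHECKIN_PATTERN.match(body) is not None


def candidate_bodies(body):
    """Yield the body as seen on the wire, plus any cheap decodings worth trying."""
    yield body
    try:
        # validate=True rejects anything outside the base64 alphabet, so an
        # ordinary form body (which contains '&') is not "decoded" by accident.
        yield base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        pass


def normalized_signature_hits(raw):
    """Same rule, applied after normalisation, so a re-encoded body still matches."""
    _, body = split_request(raw)
    return any(CHECKIN_PATTERN.match(b) for b in candidate_bodies(body))


def evaluate(samples):
    """Run both rules over a dict of name -> raw request; returns name -> (legacy, normalized)."""
    return {name: (legacy_signature_hits(raw), normalized_signature_hits(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    results = evaluate({"old": OLD_BEACON, "new": NEW_BEACON, "benign": BENIGN_POST})
    for name, (legacy, normalized) in results.items():
        print(f"{name:7s} legacy={legacy!s:5s} normalized={normalized}")
```

The legacy rule catches the old beacon and nothing else; the normalised rule catches both builds without touching the benign post. Decode-and-rematch only buys time, though: a custom encoding or a per-sample XOR key defeats it just as the base64 change defeated the original rule, which is why a durable detection also anchors on things the operator cannot change cheaply, such as the C2 hostnames, the fixed URI and User-Agent, or the beacon cadence.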
“Innovative and clever” attacks such as the one against the New York Times are why security experts recommend organizations deploy layered security mechanisms and not rely on one single mode of protection, Kurt Hagerman, the director of information security at FireHost, told SecurityWeek in February. The best defense for Web applications and software is an intelligent security model that incorporates numerous layers of protection, including DDoS mitigation, IP reputation filtering, web application protection, virtual and hardware-based firewalling, and IDS/IPS, Hagerman said.
“Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats,” Moran and Villeneuve noted. “But knowing the ‘why’ is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will.”