Researchers at Trend Micro shined a light on a cyber-espionage campaign that infected nearly 12,000 unique IP addresses spread across more than 100 countries.
Nicknaming the campaign ‘Safe’, Trend Micro uncovered two sets of command-and-control (C&C) infrastructures related to the attacks. First seen in October 2012, Safe went on to compromise government ministries, technology companies, media outlets, academic institutions and other organizations. The largest number of infected parties is in India and the United States.
Trend Micro, in the first release of the report, called this campaign SafeNet. As Steve Ragan points out, shortly after the research was released, the whitepaper was taken offline, and the campaign was renamed to “Safe”, which the threat certainly is not.
“We also discovered that the average number of actual victims remained at 71 per day, with few if any changes from day to day,” according to the report. “This indicates that the actual number of victims is far less than the number of unique IP addresses. Due to large concentrations of IP addresses within specific network blocks, it is likely that the number of victims is even smaller and that they have dynamically assigned IP addresses, which have been compromised for some time now.”
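The report's reasoning above (a flat daily victim count far below the cumulative unique-IP total, with addresses clustered in a few network blocks, points to dynamically assigned IPs rather than thousands of distinct hosts) can be reproduced from C&C check-in logs. The following is an added example, not Trend Micro's code; the check-in records are constructed, and the `/24` grouping prefix is an assumption that a real analysis would tune to the observed allocations.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of C&C check-in records (timestamp, source IP); not real data.
# One block (203.0.113.0/24) hands out a new address each day to the same hosts,
# while 198.51.100.5 is a statically addressed victim that reappears unchanged.
CHECKINS = [
    ("2013-01-01 08:00", "203.0.113.10"),
    ("2013-01-01 09:15", "203.0.113.11"),
    ("2013-01-01 20:00", "198.51.100.5"),
    ("2013-01-02 08:05", "203.0.113.12"),
    ("2013-01-02 09:30", "203.0.113.13"),
    ("2013-01-02 21:00", "198.51.100.5"),
    ("2013-01-03 08:10", "203.0.113.14"),
    ("2013-01-03 09:45", "203.0.113.15"),
    ("2013-01-03 20:30", "198.51.100.5"),
]

def parse(records):
    """Turn (timestamp, ip) strings into (date, ip_address) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M").date(),
             ipaddress.ip_address(ip)) for ts, ip in records]

def unique_ips(records):
    """Cumulative unique IPs: the headline figure, which overcounts under dynamic addressing."""
    return len({ip for _, ip in parse(records)})

def daily_active(records):
    """Distinct IPs seen per day: a closer proxy for how many victims are actually alive."""
    days = defaultdict(set)
    for day, ip in parse(records):
        days[day].add(ip)
    return {day: len(ips) for day, ips in sorted(days.items())}

def average_daily_active(records):
    counts = daily_active(records)
    return sum(counts.values()) / len(counts)

def block_concentration(records, prefix=24):
    """Unique IPs per /prefix block; heavy clustering hints at a DHCP pool, not many hosts."""
    blocks = defaultdict(set)
    for _, ip in parse(records):
        blocks[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return {str(net): len(ips) for net, ips in blocks.items()}

def churn_ratio(records):
    """unique IPs / average daily active; values well above 1 mean addresses rotate."""
    return unique_ips(records) / average_daily_active(records)
```

On the sample, seven unique IPs collapse to three active victims per day, and six of the seven addresses sit in a single /24, which is the pattern the report describes at campaign scale.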
The attack exploited CVE-2012-0158, a Microsoft Word vulnerability patched last year. The first set of C&C servers was tied to just 243 victims, only three of which were “live” at the time of the report. The 243 unique IPs came from 11 different countries, mostly from Mongolia. In those cases, victims were hit with emails containing Tibetan and Mongolian themes, such as one email claiming to have an attachment containing an excerpt of an interview of the Dalai Lama.
The report did not describe the emails that hit the other victims. However, logs from the second set of C&C servers showed 11,563 unique IP addresses from 116 different countries checked in to them. More than 4,300 of those were in India.
“One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them,” according to Trend Micro. “As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.”
The C&C infrastructures had little in common besides being used in conjunction with the same malware. The researchers were able to piece together enough information to give them an idea of the malware author’s identity – a person they describe in the report as most likely a “professional software developer who studied at a technical university in China.”
“This individual appears to have repurposed legitimate source code from an Internet services company in the same country for use as part of the campaign’s C&C server code,” according to the report. “As such, this may be a case in which a malware entrepreneur’s code was used in targeted attacks.”
“As the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defenses,” the report notes. “As a result, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use. These developments highlight the increasing need for ongoing investigation and monitoring of such threats.”
Updated 2:32 PM to include mention of Trend Micro’s renaming of the attack campaign from SafeNet to Safe.