A cyber-espionage campaign operating for more than eight months has been linked to an Indian Advanced Persistent Threat (APT) group known as Patchwork, which might be the same attackers behind Operation Hangover, Forcepoint researchers warn.
Dubbed MONSOON, the campaign was observed starting in May this year, but started in December 2015 and is still ongoing, researchers say. Characteristic to this campaign is the use of weaponized documents with political themes, distributed through emails specifically tailored for the targets, which are both Chinese nationals within different industries and government agencies in Southern Asia.
One adversary, multiple names
This cyber-espionage group appears to be operating out of the Indian Subcontinent, just as the Operation Hangover group analyzed by Blue Coat three years ago, and the Dropping Elephant and Patchwork groups detailed by Kaspersky Lab and Cymmetria last month. According to Forcepoint, these reports might all be about the same threat group, given the targeting of demographically similar victims and the use of similar tools.
In their report about Dropping Elephant, Kaspersky researchers revealed that the actor relies on weaponized Word or PowerPoint documents to drop malware by exploiting the CVE-2012-0158 and CVE-2014-6352 vulnerabilities. A few days later, Cymmetria revealed that the Patchwork group was targeting the CVE-2014-4114 vulnerability in unpatched versions of Microsoft Office PowerPoint 2003 and 2007 to infect its victims.
Just weeks after Cymmetria published its report, Symantec revealed its own analysis of the group and said not only that Dropping Elephant and Patchwork are one and the same adversary, but that its target list is larger than initially believed. It would not focus only on military and political targets, but it would also attempt to compromise entities working in industries such as Aviation, Broadcasting, Energy, Financial, Non-governmental organizations (NGO), Pharmaceutical, Public sector, Publishing, and Software, Symantec said.
Now, Forcepoint researchers explain in a whitepaper (PDF) that the MONSOON campaign is targeting different industries in China, as well as government agencies in Southern Asia, and that the employed documents feature political themes, taken from recent publications on topical current affairs. Overall, security researchers identified over 110 different victim countries and 6,300 victim IP addresses, but say that 61% of all victims were located in China.
Forcepoint’s team also discovered 172 lure documents, and say that the group abused legitimate websites and services for its nefarious purposes. The emails sent to victims were themed in line with current political events, to ensure increased interest. By abusing a legitimate service, the threat actor was able to fake the sender and distribute a link to the weaponized documents in the email body.
The group was also found to operate a fake political news site at chinastrat[.com]. The site’s downloads section contains malicious documents similar to those sent via email, which would drop the same malware families. The weaponized documents attempt to exploit three vulnerabilities in Office, namely CVE-2012-0158, CVE-2014-6352, and CVE-2015-1641.
The site further links the group to Dropping Elephant, since the APT was also called Chinastrats, the same as its accounts on social networks, which also go by the name of Chinastrat. The actor has been active on these networks for a couple of years: the Google Plus and Twitter accounts are active since December 2014. The group also operates a Facebook account.
The report also includes the analysis of four malware components used in this operation, namely BADNEWS, an AutoIt backdoor, TINYTYPHON, and Unknown Logger Public. The most interesting of the four is the BADNEWS malware, mainly because it uses resilient command and control (C&C) capability by leveraging RSS feeds, Github, forums, blogs and Dynamic DNS hosts.
BADNEWS supports multiple functions, including arbitrary command execution, screenshots, self-updating, downloading and executing files, and directory listings. The malware uses DLL side-loading with a signed Java binary to evade detection, but is used mainly as a first-stage attack, being likely to receive second stage malware components if the target is of interest, a technique already known to be employed by this adversary.
Once installed on the victim’s computer, the malware would spawn two threads, one for key-logging and the other for crawling local hard-drives for document files. Moreover, it would install a registry key to achieve persistence, and would also try to connect to its C&C server (via hard-coded channels such as RSS feeds, forums, blogs, etc.) to receive commands.
By communicating with the C&C server BADNEWS can update itself to a newer version, can download an executable and run it, can create files on the compromised system, send keylog file, take screenshots and upload them to the C&C, exfiltrate documents on the computer, upload specific files from the victim’s machine, execute specific commands, and change C&C server address.
While BADNEWS is the most interesting malware used by the threat actor, an AutoIt binary is dropped most often by the malicious documents (the majority of them are PPS files that exploit CVE-2014-6352). The AutoIt script can perform various operations: sends system information, executes arbitrary commands, updates itself, bypasses UAC for escalated privileges, exfiltrates documents found on the systems, executes secondary PowerShell-based malware or other custom malware, steals Chrome passwords, and checks whether the 360 Total Security anti-virus is running on the infected machine.
A third piece of malware used in the MONSOON campaign is version 1.5 of Unknown Logger Public, a credential stealing worm that a user named “The Unknown” publicly released in 2012. The adversary is believed to have downloaded the publicly available code and built its own versi
on of the threat. Dropped by documents that abused the CVE-2014-6352 flaw, the malware is used to record keystrokes and steal usernames and passwords from browsers. The worm is capable of spreading into RAR files, USB devices and network shares, but lacks C&C communication capabilities.
TINYTYPHON, the fourth tool associated with this campaign that Forcepoint researchers analyzed, is a small backdoor designed to locate and steal documents on locally mapped drives, as well as to receive secondary malware. The code used by this malware is taken from the MyDoom worm, repurposed to exfiltrate documents.
Focus on specific kinds of documents
When it comes to the kind of documents the adversary is interested in, researchers observed a series of recurring themes: army training, personnel and payroll records, defense attaches and consulates, foreign high commissions, military exercises, military air/naval platforms, military logistic records, naval coast protection, Anti-torpedo and naval electronic countermeasure (ECM) systems, submarine communication systems, nuclear security and counter proliferation, United Nations, personal details (including medical records, driving license, passport and visas), accounting records, and travel and itinerary details.
According to Forcepoint researchers, the threat group clearly has military and political interests in the Indian Subcontinent, with many of its victims located in Bangladesh, Sri Lanka and Pakistan, but also Africa and the Far East. The targeting of Chinese nationals could be related to a separate campaign, especially since the group might be the same identified as Operation Hangover, researchers say.
“Our MONSOON investigation has uncovered what is clearly a concerted and persistent campaign to steal sensitive data from a variety of critical sources. The use of both current and topical themes as lures, not only indicates the precision level of targeting but also the targeting decision process itself,” Andy Settle, Head of Special Investigations, Forcepoint, says.