A cyber espionage group linked to China has been targeting organizations in various industries, Palo Alto Networks’ Unit 42 reported on Friday.
The threat actor, known as Codoso and C0d0so0, has been around since at least 2010, in the past focusing its activities on organizations in the defense, finance, energy, and government sectors, along with global think tanks and political dissidents.
A report on Codoso’s activities was published in February 2015 by iSIGHT Partners, a few months after the group abused Forbes.com and other legitimate websites in watering hole attacks aimed at financial services and defense companies in the United States and Chinese dissidents. The attacks involved a Flash Player zero-day that Adobe patched in December 2014 and a malware family known as Derusbi.
A new wave of attacks attributed by Palo Alto Networks to the Codoso group has been aimed at organizations in the telecommunications, education, high tech, legal services and manufacturing sectors. The attackers leveraged spear phishing emails and compromised websites used for watering hole attacks.
Researchers discovered two malware variants being used in these attacks, and while they don’t appear to belong to any known family, their network communication structure is similar to the one seen at Derusbi, which experts say is unique to Chinese cyber espionage groups.
“Past observations of Derusbi in various attack campaigns indicate the version used was compiled specifically for that campaign. Derusbi has had both the client and server variants deployed, using different combinations of configurations and modules. The newly discovered activity is consistent with this procedure, with compile times only a few days prior to the observed attacks,” Palo Alto Networks researchers explained in a blog post.
One of the pieces of malware used by Codoso in its recent attacks is disguised as a serial number generator for AVG AntiVirus. Once it infects a system, the threat checks for the presence of sandboxes and virtual environments, and starts collecting information about the infected machine, including MAC address, IP, username, hostname, and CPU data.
The malware, which uses HTTP for network communications, attempts to download additional plugins from a remote server.
The second piece of malware, more recent than the first variant, is disguised as a DLL file that is side-loaded by a legitimate McAfee application. This threat, which uses a custom network protocol over port 22, also collects system information and downloads additional plugins from its server.
For command and control (C&C) communications, the threat actor has used three domains, all registered using Chinese addresses and all resolving to a Hong Kong IP.
“In these newly discovered C0d0s0 attacks, several of the targeted hosts were identified as server systems, instead of user endpoints, suggesting the possibility that these specific targets will be used in future attacks as additional watering holes. Both of the malware variants encoded and compressed the underlying network traffic to bypass any network-based security controls that were implemented,” experts noted.
Researchers have found several similarities between the latest attacks and the 2014 campaign involving Forbes.com. First, they noticed that the DLL file loaded by the legitimate McAfee application appears to be a newer variant of a DLL loaded in the Forbes.com attack, as the same unique strings have been found in both samples.
Secondly, the use of HTTP is shared between the malware disguised as the AVG serial number generator and the one seen in the 2014 campaign. Finally, experts noted that the capabilities of the analyzed samples are also similar.
Palo Alto Networks has pointed out that the Codoso group’s tactics, techniques, and procedures (TTPs) are more sophisticated compared to other threat actors.