Security Companies Hit Hikit Backdoor Used by APT Group

A coordinated effort by security companies has struck a blow against malware tools used by a cyber-espionage group known as Hidden Lynx.

Hidden Lynx is believed to be based in China and has been tied to attacks against U.S. defense contractors and other organizations around the world. In a collaboration dubbed ‘Operation SMN’, researchers from a number of companies joined forces to target the Hikit backdoor and other malware used by the group.

The effort was coordinated by security firm Novetta as part of Microsoft’s new Coordinated Malware Eradication program, and also involved Symantec, Cisco Systems, FireEye, F-Secure, iSight Partners, ThreatConnect, Tenable, Microsoft, ThreatTrack Security and Volexity. A report with technical details about the effort is set to be released Oct. 28.

“We felt it was important to take action proactively in coordination with our coalition security industry partners,” said Novetta CEO Peter B. LaMontagne, in a statement. “The cumulative effect of such coordinated approaches could prove quite disruptive to the adversaries in question and mitigate some of the threat activity that plagues the joint customer base of this coalition.”

Through the operation those involved were able to develop knowledge about the malware family and associated tool chain, and have begun shipping signatures and recommendations on remediation to industry partners.

“This is akin to an ‘open source software’ approach for cyber threat mitigation—the adversaries share and retool their malware,” said LaMontagne. “We need to do the same on the defensive side.” 

According to Symantec’s Security Response Team, the Hikit backdoor has been used in cyberespionage attacks against a range of targets in the US, Japan, Taiwan, South Korea, and other regions. Those targets included organizations in the government, technology, research, defense and aerospace sectors.

According to researchers with Symantec, Hikit is a stealthy remote access Trojan (RAT) that has been used in attacks going back to 2011. Hikit comes in 32-bit and 64-bit versions, which are deployed depending on the target’s infrastructure. The malware has been used by at least two China-based advanced persistent threat (APT) groups to launch cyber attacks, Hidden Lynx and Pupa (Deep Panda).

“Hidden Lynx used Hikit during its compromise of Bit9’s trusted file-signing infrastructure in 2012,” Symantec noted. “This attack was then leveraged to mount the VOHO campaign in July 2012 using Bit9-signed malware. The ultimate target of this campaign was US companies whose computers were protected by Bit9. Hikit once again played a key role in this attack campaign.”

“Since then, Hidden Lynx has continued to use Hikit in its attacks against organizations predominantly in Taiwan, the US, Japan, and South Korea,” Symantec continued. “In 2013, Hidden Lynx underwent a significant re-tooling effort, introducing two new malware tools, Backdoor.Fexel and Backdoor.Gresim, which it continues to use in conjunction with Hikit. Backdoor.Gresim was undiscovered prior to this collaboration effort.”

“Together as a coalition, we plan to release a comprehensive technical report by October 28, 2014 that will include a high level overview of the threat actor group, some of the targeted industries they attacked, an overview of malware families they used and their capabilities,” blogged Stephen Ward of iSight Partners. “This report will also include an in-depth review of the tactics, techniques and procedures (TTPs) of this group and who we believe they could be based on this larger narrative.”