Researchers at Blue Coat Systems have identified a stealthy cyber-espionage framework that has been used to target organizations around the world.
The framework, dubbed Inception, has been linked to attacks on individuals in industries ranging from oil to finance, as well as on government and military officials. When the attacks began, they focused on targets located in Russia or connected to Russian interests. Since then, however, the attacks have spread to other locations around the globe, according to Blue Coat's report (PDF).
But the most interesting aspect of Inception may not be the targets so much as the way the attackers went about their business: leveraging compromised home routers and a legitimate cloud service for obfuscation.
The attackers have been using CloudMe.com, a cloud service provider based in Sweden, as their main command-and-control infrastructure. CloudMe.com offers both free and paid WebDAV cloud storage, and the attackers use the WebDAV protocol to send instructions to compromised systems and to receive exfiltrated data from them. Because the traffic goes to a legitimate cloud provider, this hides the identity of the attacker and can bypass many current detection mechanisms, according to Blue Coat.
“WebDAV is a communication standard that allows file management over HTTP or HTTPS,” Blue Coat researchers noted in their report. “Windows allows WebDAV sessions to be mapped as network resources. The use of WebDAV as the communication channel is atypical for most malware samples we see. By using a network resource, the actual web traffic originates from the system itself, and not from the process in which the malware resides. Additionally, once the resource is established, the malware can transfer files to and from the command and control servers using standard file IO commands.”
To add another layer of obfuscation, the attackers used a proxy network of compromised home routers – most of which are based in South Korea – for their command and control communication. Many of the routers were Tera-EP wireless routers, but other products such as ASUS wireless routers were impacted as well. The attackers were likely able to compromise these devices due to poor configuration or default credentials, Waylon Grange, senior malware researcher at Blue Coat, told SecurityWeek.
“There clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions that could be widespread and harmful,” he said. “The complex attack framework shows signs of automation and seasoned programming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the attackers is extremely advanced, if not paranoid. Based on the multiple layers of obfuscation and indirection in the malware, along with the control mechanisms between attacker and target, it is clear the attackers behind Inception are intent on staying in the shadows.”
The attackers used spear phishing emails to hook their victims.
“Initial malware components have, in all cases that Blue Coat has observed, been embedded in Rich Text Format (RTF) files,” according to a blog post by Grange and fellow Blue Coat researcher Snorre Fagerland. “Exploitation of vulnerabilities in this file format is leveraged to gain remote access to victims’ computers. These files are delivered to the victim via phishing emails with exploited Word documents attached. When the user clicks on the attachment, a Word document is displayed to avoid arousing suspicion from the user while malicious content stored inside the document in encoded form writes to their disk. Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name.”
The malware gathers system information from the infected machine, including the OS version as well as system drive and volume information. All of this system information is encrypted and sent to cloud storage via WebDAV. The framework is designed in such a way that all communication after the malware infection can be performed via the cloud service, Blue Coat explained.
“The malware components of this framework follow a plug-in model, where new malware relies on already existing malware components to interact with the framework,” the researchers blogged. “Without the initial installer, none of the subsequent separate modules will work, and most of these will only exist in memory – vanishing at reboot.”
In addition to PCs, the attackers also created malware designed to target Android, BlackBerry and iOS devices.
Attribution is always hard, and in this case it is exceedingly difficult, Grange told SecurityWeek.
“Based on the attributes of the attack and the targeting of individuals connected with national political, economic and military interests, the party behind Inception could be a medium-sized nation state, or possibly a resourceful and professional private entity,” he said.
Blue Coat recommends that organizations look for unauthorized WebDAV traffic and for regsvr32.exe running continuously in the process list.
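Both of those recommendations, and the WebDAV channel described earlier, can be turned into a first-pass triage check. The following is an added example, not Blue Coat's code: it scans constructed proxy log lines for WebDAV verbs sent to servers outside an assumed allowlist of sanctioned WebDAV hosts, and flags regsvr32.exe instances that have been alive far longer than a COM registration normally takes (the five-minute threshold and the log format are assumptions).

```python
import re
from collections import defaultdict

# WebDAV verbs that plain web browsing never uses; PUT is included because
# the report describes files being written to the cloud share.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT"}

# Assumption: the only WebDAV servers this organisation sanctions.
APPROVED_WEBDAV_HOSTS = {"sharepoint.corp.example"}

# Assumed log format: "<client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines; the host cloudme.com is named in the report,
# the paths and clients are made up for the example.
SAMPLE_PROXY_LOG = """\
10.0.1.15 PROPFIND https://cloudme.com/xml/ 207
10.0.1.15 PUT https://cloudme.com/xml/sysinfo_7c2e.bin 201
10.0.2.7 GET https://intranet.corp.example/index.html 200
10.0.3.9 PROPFIND https://sharepoint.corp.example/sites/docs/ 207
10.0.1.15 GET https://cloudme.com/xml/task_01 200
10.0.1.15 PROPFIND https://cloudme.com/xml/ 207
"""

# Constructed process snapshot: name and seconds since the process started.
SAMPLE_PROCESSES = [
    {"pid": 4120, "name": "regsvr32.exe", "elapsed": 86400},
    {"pid": 5312, "name": "regsvr32.exe", "elapsed": 2},
    {"pid": 612, "name": "svchost.exe", "elapsed": 86400},
]

def unauthorized_webdav(log_text):
    """Return {client: {server: count}} for WebDAV requests to non-approved servers."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in WEBDAV_METHODS:
            continue
        server = re.sub(r"^https?://", "", m["url"]).split("/")[0].lower()
        if server not in APPROVED_WEBDAV_HOSTS:
            hits[m["client"]][server] += 1
    return {client: dict(servers) for client, servers in hits.items()}

def long_running_regsvr32(processes, max_seconds=300):
    """regsvr32.exe normally exits within seconds; flag instances alive much longer."""
    return [p["pid"] for p in processes
            if p["name"].lower() == "regsvr32.exe" and p["elapsed"] > max_seconds]
```

On the sample data the first function reports 10.0.1.15 talking WebDAV to cloudme.com three times (the plain GET is ignored), and the second flags only PID 4120.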