Cyber-espionage has steadily migrated from a world of shadowy closed-door government players into the public spotlight over the past three years. Mandiant’s APT1 report was the first to change the game, and paved the way for private security companies to expose advanced threat actors en masse. In the years since, both private security companies and media organizations alike have sought to capitalize on this craze. What is often neglected is reporting on the aftermath of such exposure, and what measures the attackers take to remain hidden, ready to strike again.

Very few reports follow up on what transpires after an attacker is completely pushed out of an environment. If they did, those reports would most likely paint a much bleaker picture of the cyberthreat landscape. Most companies are never aware they’ve been breached again, even when they are hit multiple times after the initial attack. Intelligent attackers with long-term surveillance goals do not simply give up after their malware and command and control (C2) infrastructure is burned; they typically redesign the C2 infrastructure and deploy entirely new or updated malware after being exposed. Unless companies are well positioned to detect these changes, attackers will quietly slip back in time and time again.

At Cylance, we’ve become more interested in following the repercussions of public exposure of so-called advanced threat groups and malware, since such exposure tends to be the new operational norm for security companies. While it’s generally accepted that any exposure of coordinated cyber-espionage is a good thing, we believe it is not yet clear whether all the additional public attention is assisting or hindering cyber defenders. Intelligent attackers will adapt, modify tactics, and bolster their operational security in order to survive. We will err on the side of “it's generally better to know more than less”, and will continue to explore the ramifications of public research for attacker activity over the months to come.

In 2014, our colleagues at Crowdstrike wrote an exposé about a long-standing Chinese APT threat group they named Putter Panda, which Mandiant/FireEye refers to as APT2. This threat group has been around for quite a while, and commonly operated tangentially to APT1 intrusions into defense contractors and aerospace companies. We've been tracking a series of exploit documents which, upon successful exploitation, simply drop a file and perform no other actions; these documents have dropped a variety of backdoors associated with a range of previously identified threat groups. One of them was of particular interest because we'd never seen the backdoor before and it leveraged a relatively unique German dynamic DNS provider for command and control.

The exploit document was targeted at a Russian speaker and carried the title "Гасий Константин Васильевич.doc", which roughly translates as “Gasy Konstantin” and appears to be someone’s name. The document itself was a MIME-encoded HTML file which contained a base64-encoded Word document as well as an appended XOR-encoded executable. The document exploits CVE-2012-0158 and, upon infection, decodes and writes an executable to disk. The executable begins at offset 0x9C50 in the MIME document and is encoded with a scheme that combines an incrementing XOR key byte, starting at 0xAC, with an additional XOR operation against the constant byte 0x28; together these yield a unique 256-byte XOR key.
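To make the encoding scheme concrete for analysts who need to carve the payload out of a similar document, here is an added Python extractor; it is not code from the original post. The offset (0x9C50), the starting byte (0xAC) and the constant (0x28) come from the article; the exact key derivation is our reading of the description, namely key[i] = ((0xAC + i) & 0xFF) ^ 0x28 for i in 0..255, applied cyclically, which is labelled as an assumption in the code. The sample input is a constructed fake PE stub, not the real document.

```python
"""Carve and decode the XOR-encoded executable appended to a MIME-encoded exploit document."""
import sys

PAYLOAD_OFFSET = 0x9C50   # offset of the encoded executable in the MIME document (from the article)
KEY_START = 0xAC          # initial value of the incrementing XOR byte (from the article)
KEY_MASK = 0x28           # constant byte XORed in addition (from the article)


def build_key_table(start=KEY_START, mask=KEY_MASK):
    """Derive the 256-byte XOR key.

    ASSUMPTION (our reading of the article): the incrementing byte starts at
    `start`, wraps at 0xFF, and every value is additionally XORed with `mask`.
    """
    return bytes(((start + i) & 0xFF) ^ mask for i in range(256))


def xor_with_table(data, key):
    """XOR `data` against the repeating key; XOR is symmetric, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(document, offset=PAYLOAD_OFFSET, key=None):
    """Return the decoded executable that begins at `offset` in `document`."""
    key = key if key is not None else build_key_table()
    if len(document) <= offset:
        raise ValueError("document is shorter than the expected payload offset")
    return xor_with_table(document[offset:], key)


def has_pe_header(data):
    """Sanity check on the decoded bytes: DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_sample():
    """Constructed test input (NOT the real document): a minimal fake PE stub,
    encoded with the key table and appended after filler so it lands at PAYLOAD_OFFSET."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    stub += (0x40).to_bytes(4, "little")           # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x90" * 300          # fake PE signature followed by a dummy body
    encoded = xor_with_table(bytes(stub), build_key_table())
    header = b"MIME-Version: 1.0\r\n"              # 19 bytes of fake MIME preamble
    filler = header + b"A" * (PAYLOAD_OFFSET - len(header))
    return filler + encoded


if __name__ == "__main__":
    # Usage: python extract.py <mime-document>   (falls back to the constructed sample)
    doc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    payload = extract_payload(doc)
    print("PE header found:", has_pe_header(payload), "| decoded bytes:", len(payload))
```

Because the key is only 256 bytes long and repeats, a decoded blob that does not start with a valid MZ/PE header is a quick sign that either the offset or the key derivation assumed here does not match the sample at hand; the `has_pe_header` check is there to catch exactly that before anyone trusts the carved output.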

Document Details:

Filename: Гасий Константин Васильевич.doc

SHA256: 333061e6c4847aa72d3ba241c1df39aa41ce317a3d2898d3d13a5b6eccffc6d9

File Size: 105,552 Bytes

Author: User123

Upon successful exploitation, the backdoor is dropped to "%USERPROFILE%\Start Menu\Programs\Startup\time.exe". No other changes to the file system or registry are made. This method achieves persistence but the backdoor will not execute until the user logs off and back into the machine. This functionality alone can assist in the evasion of certain sandbox/dynamic analysis systems. Unless a live human can intervene in the sandboxing process, it would be impossible to observe the post-logoff behavior.
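A drop into the Startup folder with no accompanying registry change is exactly the kind of quiet persistence that a file-creation telemetry rule can catch. The following Python is an added detection example, not code from the original post: it scans constructed file-create events (Sysmon-style "image wrote target" records, invented here for illustration) and flags executable content written into any Startup folder, raising the severity when the writing process is an Office application, as in the case described above. The all-users Startup path and the list of extensions are our assumptions, not details from the article.

```python
"""Flag file-create events that write executable content into a Windows Startup folder."""
import re

# Matches both the classic "%USERPROFILE%\Start Menu\Programs\Startup" layout named in the
# article and the Vista+ "...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# layout, as well as the all-users folder under ProgramData (ASSUMPTION: added for coverage).
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)

# File types that run or redirect execution at logon (ASSUMPTION: not from the article).
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".ps1")

# Document handlers that should never be writing executables anywhere (ASSUMPTION).
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def is_startup_drop(target_path):
    """True when the created file sits directly in a Startup folder and has an executable extension."""
    return bool(STARTUP_DIR_RE.search(target_path)) and target_path.lower().endswith(EXECUTABLE_EXT)


def classify(event):
    """Return a finding dict for a suspicious event, or None."""
    image, target = event["image"], event["target"]
    if not is_startup_drop(target):
        return None
    creator = image.rsplit("\\", 1)[-1].lower()
    if creator in OFFICE_IMAGES:
        severity = "high"      # an Office process dropping a binary into Startup, as in the article
    elif creator == "explorer.exe":
        severity = "low"       # interactive user creating a shortcut; review, do not page
    else:
        severity = "medium"
    return {"severity": severity, "image": image, "target": target}


def scan(events):
    """Run classify() over an iterable of events and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (classify(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample telemetry (not real logs): each record is {creating process, file written}.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "target": r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\time.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Updater.exe"},
    {"image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\report.docx"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\Start Menu\Programs\Startup\readme.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper():6}] {finding['image']} -> {finding['target']}")
```

The rule deliberately ignores what the dropped file is called: the backdoor here was named time.exe, but a name-based indicator is trivially changed, whereas "a document viewer wrote an executable into a logon-persistence location" is a behaviour the attacker cannot easily avoid with this technique. Because the file only runs at the next logon, this is also the window in which a defender can quarantine it before it ever executes.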

Backdoor Details: