A cyber-espionage group historically believed to be operating in the interests of the Chinese government is believed to have hacked a UK government contractor from where security researchers found evidence that attackers stole information related to UK government departments and military technology.

Attackers used never-before-seen tools, old malware, but also employed legitimate apps found on the compromised systems in an attempt to remain undetected for as long as possible.

Security researchers from NCC Group, who investigated the hacks, said they kicked hackers off the victim's network once, but they regained access after a couple of weeks, even deploying new malware in the attack, in an attempt to prolong their stay.

The attackers have been identified by the codename of APT15. This codename describes a cyber-espionage outfit whose operations have been previously detailed in reports from other security vendors who used other names such as Ke3chang, Mirage, Vixen Panda GREF, and Playful Dragon [1, 2, 3].

APT15 deploys two new backdoors —RoyalCLI and RoyalDNS

For the attacks on the UK government contractor, APT15 deployed two new backdoors, named RoyalCLI and RoyalDNS.

It is unclear how attackers gained access to the contractor's network, but once inside, the group deployed the RoyalCLI backdoor first, along with an older backdoor used in past attacks named BS2005.

APT15 used these backdoors to drop various tools on infected systems. The list includes a network scanning/enumeration tool to help attackers identify nearby computers and an open-sourced tool named spwebmember that can enumerate and dump data from Microsoft SharePoint servers.

Additionally, researchers also found a legitimate version of WinRAR to help attackers with data compression and a copy of Mimikatz, a penetration-testing tool that attackers used to dump local credentials and create Kerberos golden tickets that could be used to authenticate on systems after a user had changed his PC password.

Backdoors controlled via Internet Explorer component

Both RoyalCLI and BS2005 were also unique because of another feature. That feature was the use of Internet Explorer's IWebBrowser2 COM interface as a way to send and receive commands from the command and control server.

This was unique, but NCC researchers say this also had a downside. The downside is that recent IWebBrowser2 COM calls were cached to disk, leaving a trail that investigators analyzed.

Researchers said they managed to determine over 200 commands that attackers ran on infected hosts by looking at this cached data.

APT15 had a penchant for living off the land

Most commands involved legitimate Windows applications such as tasklist.exe, ping.exe, netstat.exe, net.exe, systeminfo.exe, ipconfig.exe, bcp.exe, and RemoteExec.

Typos and immediate corrections in some commands suggested that attackers were running these commands by hand, and they were not the result of automated tasks.

NCC Group researchers say these actions prove attackers had put considerable effort in remaining undetected on infected systems by carefully choosing what step to take and always trying to "live off the land" by using local tools instead of malware. But in spite of all their efforts, the hack was discovered, and the network cleaned.

APT15 hacks target for a second time

Per researchers, "APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host."

For this new series of attacks, APT15 expended a new backdoor, that too, had not been seen before. Called RoyalDNS, this backdoor used DNS TXT records as a channel to communicate with its command and control server.

This technique isn't new and had been most likely borrowed from the DNSMessenger RAT, another cyber-espionage-grade hacking tool first spotted last year.

All in all, these are not your run of the mill amateur hackers, but a nation-state-backed advanced persistent threat (APT) group that was sufficiently funded to deploy two never-before-seen backdoors for just one operational campaign.

NCC's Rob hereSmallridge APT15 report is available here, while IOCs are available on GitHub.