
In January, the New York Times reported that it had been attacked by cybercriminals in a campaign lasting four months (http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all). The FireEye Labs team has discovered that the attackers behind this audacious breach appear to be mounting fresh assaults that leverage new and improved versions of their malware.

Below is FireEye's analysis of the new malware, which describes:

  • How this new campaign marks the first significant stirrings from the group since it went quiet in January.
  • How the attackers changed their tactics to avoid detection.
  • Where the threat actors are believed to be based.
  • How organisations can look for clues so that they stay ahead of the game when attackers change tactics.

Survival of the Fittest

New York Times Attackers Evolve Quickly In Aftermath of Discovery

FireEye Labs

The attackers behind an audacious breach of the New York Times’ computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware.

The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed exposé of the group and its exploits, and a retooling of what security researchers believe is a massive spying operation based in China[1].

The newest campaign uses updated versions of Aumlib and Ixeshe.

Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications. FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy.

And a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems.

The updates are significant for both of the longstanding malware families; before this year, Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011.

Background

Cybercriminals are constantly evolving and adapting in their attempts to bypass computer network defenses. But larger, more successful threat actors tend to evolve at a slower rate.

As long as these actors regularly achieve their objective (stealing sensitive data), they are not motivated to update or rethink their tactics, techniques, and procedures (TTPs). These threat actors' tactics follow the same principles as evolution: successful techniques propagate, and unsuccessful ones are abandoned. Attackers do not change their approach unless an external force or environmental shift compels them to. As the old saying goes: if it ain't broke, don't fix it.

So when a larger, successful threat actor changes tactics, the move always piques our attention. Naturally, our first priority is ensuring that we detect the new or altered TTPs. But we also attempt to figure out why the adversary changed (what broke?) so that we can predict if and when they will change again in the future.

We observed an example of this phenomenon around May. About four months after The New York Times publicized an attack on its network, the attackers behind the intrusion[2] deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families.

The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011.

We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden. Like turning a battleship, retooling the TTPs of a large threat actor is a formidable undertaking. Such a move requires recoding malware, updating infrastructure, and possibly retraining operators on new processes.

The following sections detail the changes to Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe.

Backdoor.APT.Aumlib

Aumlib has been used in targeted attacks for years. Older variants of this malware family generated the following POST request:

POST /bbs/info.asp HTTP/1.1

Data sent via this POST request was transmitted in clear text in the following structure:

<VICTIM BIOS NAME>|<CAMPAIGN ID>|<VICTIM EXTERNAL IP>|<VICTIM OS>|

A recently observed malware sample (hash value 832f5e01be536da71d5b3f7e41938cfb) appears to be a modified variant of Aumlib.

The sample, which was deployed against an organization involved in shaping economic policy, was downloaded from the following URL:

status[.]acmetoy[.]com/DD/myScript.js or status[.]acmetoy[.]com/DD/css.css

The sample generated the following traffic:

This output reveals the following changes when compared with earlier variants:

  • The POST URI has changed to /bbs/search.asp (as mentioned, earlier Aumlib variants used a POST URI of /bbs/info.asp).
  • The POST body is now encoded.

Additional requests from the sample generated the following traffic:

We can infer that the new sample is an Aumlib variant because it shares code with an older known variant of Aumlib with the hash cb3dcde34fd9ff0e19381d99b02f9692. That sample connected to documents[.]myPicture[.]info and www[.]documents[.]myPicture[.]info and, as expected, generated a POST request to /bbs/info.asp.

Though subtle, the changes in the newest sample may be enough to circumvent intrusion detection system signatures designed to spot older variants of the Aumlib family.
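To make the signature point concrete, here is an added Python example (not FireEye's code and not part of the original report). It parses the pipe-delimited clear-text beacon of the older Aumlib variant, then contrasts a narrow rule bound to the /bbs/info.asp URI and the clear-text layout with a broader rule keyed on the trait both versions share, a POST to /bbs/<name>.asp with a non-form body. The request log, the field values and the opaque stand-in for the newer encoded body are constructed for this example; the page does not describe the actual encoding the updated sample uses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed POST body in the clear-text layout the page gives for older
# Aumlib variants:  <VICTIM BIOS NAME>|<CAMPAIGN ID>|<VICTIM EXTERNAL IP>|<VICTIM OS>|
# The field values are invented for this example.
OLD_BODY = "WIN-7PC01|CAMP01|203.0.113.17|Windows 7 Professional|"

# Constructed stand-in for the body of the newer variant. The page says only
# that the body "is now encoded"; the scheme is not published there, so this is
# opaque filler that merely fails to parse as the old clear-text layout.
NEW_BODY = "q8Kd\x1fZm\x02x1vL"


@dataclass
class Beacon:
    bios_name: str
    campaign_id: str
    external_ip: str
    victim_os: str


IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_cleartext_beacon(body: str) -> Optional[Beacon]:
    """Parse the pipe-delimited beacon of the older Aumlib variant.

    Returns None unless the body is exactly four '|'-terminated fields whose
    third field looks like an IPv4 address, so arbitrary data does not match.
    """
    parts = body.split("|")
    if len(parts) != 5 or parts[4] != "":
        return None
    bios, campaign, ip, victim_os = parts[:4]
    if not IPV4.fullmatch(ip):
        return None
    return Beacon(bios, campaign, ip, victim_os)


def narrow_rule(method: str, uri: str, body: str) -> bool:
    """Signature keyed on every trait of the old variant (URI and clear-text body).
    This is the kind of rule the retooled sample can slip past."""
    return (method == "POST" and uri == "/bbs/info.asp"
            and parse_cleartext_beacon(body) is not None)


AUMLIB_URI = re.compile(r"^/bbs/(?:info|search)\.asp$")
FORM_BODY = re.compile(r"[\w.%+-]+=[^&]*(?:&[\w.%+-]+=[^&]*)*")


def broad_rule(method: str, uri: str, body: str) -> bool:
    """Rule keyed on what both variants share: a POST to /bbs/<name>.asp whose
    body is not an ordinary key=value form submission. It is looser, so in a
    real deployment pair it with destination-host reputation."""
    if method != "POST" or not AUMLIB_URI.match(uri):
        return False
    return FORM_BODY.fullmatch(body) is None


def classify(method: str, uri: str, body: str):
    """Label a request 'aumlib-legacy', 'aumlib-updated' or None, and return
    the parsed beacon when the clear-text layout is present."""
    beacon = parse_cleartext_beacon(body)
    if method == "POST" and uri == "/bbs/info.asp" and beacon is not None:
        return "aumlib-legacy", beacon
    if broad_rule(method, uri, body):
        return "aumlib-updated", beacon
    return None, None


# Constructed request log: an old-style beacon, a new-style beacon, a benign POST.
REQUESTS = [
    ("POST", "/bbs/info.asp", OLD_BODY),
    ("POST", "/bbs/search.asp", NEW_BODY),
    ("POST", "/bbs/search.asp", "q=printer+drivers&page=2"),
]


def scan(requests):
    """Return (uri, narrow_hit, broad_hit, label) for each request."""
    return [(uri, narrow_rule(m, uri, b), broad_rule(m, uri, b), classify(m, uri, b)[0])
            for m, uri, b in requests]


if __name__ == "__main__":
    for row in scan(REQUESTS):
        print(row)
```

Running the scan shows the narrow rule firing only on the legacy beacon while the broad rule catches both malicious requests and ignores the benign form post, which is the trade-off a detection engineer has to weigh when a family's URI or encoding shifts.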

Backdoor.APT.Ixeshe

The Ixeshe malware family has been used in targeted attacks since 2009, often against entities in East Asia. Although the network traffic is encoded with a custom Base64 alphabet, the URI pattern has been largely consistent:

/[ACD] [EW]S[Numbers].jsp?[Base64]

We analyzed a recent sample that appears to have targeted entities in Taiwan, which is consistent with previous Ixeshe activity.

This sample (aa873ed803ca800ce92a39d9a683c644) exhibited network traffic that does not match the earlier pattern. The change may enable it to evade existing network traffic signatures designed to detect Ixeshe related infections.

The Base64-encoded data contains information including the victim's hostname and IP address and, notably, a "mark": a campaign tag or code that the threat actors use to keep track of their various attacks. The mark for this attack was [ll65].
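As an added example (not FireEye's code and not from the original report), the following Python matches the Ixeshe URI pattern above and decodes its custom-alphabet Base64 payload. The real alphabet is not printed on this page, so a rotated standard alphabet stands in for it (an assumption); the page also does not give the layout of the decoded data, so the pipe-separated plaintext carrying the hostname, IP address and [ll65] mark is constructed. The space in the printed pattern is read as a layout artifact, i.e. a single path segment of the form /[ACD][EW]S<digits>.jsp.

```python
import base64
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Assumed stand-in for the malware's custom alphabet: the standard one rotated
# by seven positions. Replace with the real alphabet once recovered from a sample.
CUSTOM_ALPHABET = STD_ALPHABET[7:] + STD_ALPHABET[:7]

ENC_TABLE = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
DEC_TABLE = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)


def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then remap each symbol into the custom alphabet."""
    return base64.b64encode(data).decode("ascii").translate(ENC_TABLE)


def custom_b64decode(text: str) -> bytes:
    """Map custom symbols back to the standard alphabet, restore any padding the
    beacon may have dropped, and decode."""
    std = text.translate(DEC_TABLE)
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


# /[ACD][EW]S[Numbers].jsp?[Base64]; the data class assumes the custom alphabet
# is a permutation of the standard symbols (true for the stand-in above).
IXESHE_URI = re.compile(r"^/[ACD][EW]S(?P<num>\d+)\.jsp\?(?P<data>[A-Za-z0-9+/=]+)$")

# The campaign mark is bracketed, e.g. [ll65] in the sample the page describes.
MARK_RE = re.compile(r"\[([A-Za-z0-9]+)\]")


def parse_ixeshe_uri(uri: str):
    """Return the sequence number, decoded payload and campaign mark for a URI
    matching the Ixeshe pattern, or None if it does not match or will not decode."""
    m = IXESHE_URI.match(uri)
    if m is None:
        return None
    try:
        plain = custom_b64decode(m.group("data")).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    mark = MARK_RE.search(plain)
    return {
        "sequence": m.group("num"),
        "payload": plain,
        "mark": mark.group(1) if mark else None,
    }


# Constructed beacon: mark, hostname and IP in a pipe-separated layout that is
# an assumption for this example, not the layout documented on the page.
SAMPLE_PLAINTEXT = "[ll65]|WIN-7PC01|203.0.113.17"
SAMPLE_URI = "/AES1.jsp?" + custom_b64encode(SAMPLE_PLAINTEXT.encode("ascii"))


if __name__ == "__main__":
    print(SAMPLE_URI)
    print(parse_ixeshe_uri(SAMPLE_URI))
```

A URI that does not fit the pattern, such as the changed traffic of the newer sample the page mentions, returns None from parse_ixeshe_uri; that is exactly the blind spot a signature built on this pattern would have once the actor moved to a new URI shape.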

Conclusion

Based on our observations, the most successful threat actors evolve slowly and deliberately. So when they do change, pay close attention.

Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the “why” is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will.