A new analysis of a long-term APT campaign targeting manufacturers, industrial, pharmaceutical, construction and IT companies in several countries has uncovered fresh details of the attack, including identification of nearly 3,000 victims and the unmasking of the command-and-control infrastructure.
The campaign, known variously as Energetic Bear or Crouching Yeti, was the subject of a detailed technical analysis by researchers at Kaspersky Lab who found 219 domains used in the C&C infrastructure, almost exclusively on compromised legitimate Web sites. The attackers behind the campaign are unknown at this point, as is their specific country of origin, and Kaspersky researchers said that the attack employs known infection vectors such as spearphishing and watering hole attacks and hasn’t been observed using zero-day exploits.
“For command and control, these connect to a large network of hacked websites. These sites host malware modules, victim information and issue commands to infected systems. The dozens of known Yeti exploit sites and their referrer sites were legitimate, compromised sites. They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day,” the Kaspersky research report says.
The main goal of this campaign, which originally was named Energetic Bear by CrowdStrike earlier this year, is to steal sensitive information from targeted organizations. Most of the 2,800 companies identified as victims of the attack are in the industrial/machinery market and researchers say the most-targeted countries are the United States, Spain, Japan and Germany.
The Crouching Yeti attack employs a variety of malware components, including the Havex and Sysmain Trojans, and the ClientX and Karagany backdoors. The Havex Trojan has been associated with attacks on industrial control systems (ICS) and it has a variety of modules with powerful capabilities.
“These modules are hosted between the havex markers in the HTML code of compromised websites. The module code is usually XORed with ‘1312312’ then compressed with BZIP2 and finally base64 encoded. Once downloaded into the %TEMP%\*.xmd file by the main Havex DLL, the code is decoded, decompressed, saved into the temporary DLL file and loaded into the memory,” the report says.
“The modules perform a variety of different actions, including collecting information about the victim’s system and other machines in the local network, harvesting passwords, listing documents, etc. In order to do that, some of the modules make use of additional 3rd stage 3rd party executables.”
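The encoding chain quoted above (XOR, then BZIP2, then base64) is what an analyst has to reverse to recover a module from a compromised page. The following decoder is an added example, not code from the Kaspersky report; it assumes the XOR is applied byte-wise with the repeating ASCII key, which the excerpt does not specify, and the Havex marker strings are not given in the article, so the caller supplies them.

```python
import base64
import bz2

# Key taken from the report excerpt. The excerpt does not say how it is
# applied; a repeating byte-wise XOR is an assumption made here.
XOR_KEY = b"1312312"


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_blob(html: str, start_marker: str, end_marker: str) -> bytes:
    """Pull the encoded text sitting between two markers in page HTML.
    The real Havex markers are not published in the article, so the
    caller passes whatever markers their own sample uses."""
    start = html.index(start_marker) + len(start_marker)
    end = html.index(end_marker, start)
    return html[start:end].encode("ascii")


def decode_module(blob: bytes) -> bytes:
    """Reverse the described chain: base64 -> BZIP2 -> XOR -> module bytes.
    Whitespace is dropped first because HTML-embedded base64 is often wrapped."""
    compressed = base64.b64decode(b"".join(blob.split()), validate=True)
    if not compressed.startswith(b"BZh"):
        raise ValueError("base64 payload does not carry a BZIP2 stream")
    return xor_bytes(bz2.decompress(compressed))


def encode_module(module: bytes) -> bytes:
    """Forward chain, used only to build a constructed sample for testing."""
    return base64.b64encode(bz2.compress(xor_bytes(module)))


def looks_like_dll(data: bytes) -> bool:
    """Cheap sanity check: a decoded stage-2 module should start as a PE file."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a fake "module" wrapped in placeholder markers.
    sample = b"MZ" + bytes(range(256)) * 4
    page = "<html><!--START-->" + encode_module(sample).decode() + "<!--END--></html>"
    recovered = decode_module(extract_blob(page, "<!--START-->", "<!--END-->"))
    print("round trip ok:", recovered == sample, "PE header:", looks_like_dll(recovered))
```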
The backdoors used in the campaign are employed to steal credentials, take screenshots, download and run other executables and perform other malicious functions. Most of the C&C infrastructure used by the Crouching Yeti attackers is located in the U.S., with other servers spread across Germany, Russia and the U.K.
Researchers believe the campaign began as early as 2010 and has been ongoing since then. While the attackers are active nearly all the time, they are most active during the week and the statistics gathered by Kaspersky show that active infections have fallen by about 50 percent since the beginning of 2014.
Identifying the malware, tools and victims in the attack is one thing, but Kaspersky researchers said pinning down who the attackers are has proven more difficult.
“Compared to our other APT research the available data is more non-specific than usual. There simply is no one piece or set of data that would lead to the conclusion that the threat actor is Bear, Kitten, Panda, Salmon, or otherwise,” the report says.