Researchers Uncover PinkStats APT Toolkit

A tool, PinkStats, has been used by a number of Chinese attack crews in targeted operations against governments, universities and other organizations over the last four years.

The arsenal of tools that attack groups use to do their business is seemingly endless, and many of them remain unknown for years before they’re discovered. Often, it’s not until a tool has been compromised or sold on the open market that researchers get a close look at it, but that’s been changing recently. The latest example is a tool called PinkStats that researchers say has been used by a number of Chinese attack crews in targeted operations against governments, universities and other organizations for the last four years.

PinkStats has a number of capabilities and it’s built to spread on its own through a compromised network, a somewhat unusual behavior for a tool used by APT groups. The first component of the attack is a downloader that reaches out to a a C2 server to pull down several other pieces and is designed to look like a Web statistics counter, according to an analysis done by Israeli security firm Seculert.

“PinkStats malware is a downloader, meaning it will download one or more additional malware components from a location embedded within the PinkStats executable. It sends an updated HTTP request to the C2 (Command & Control) server once the download and installation of the new malware components is successfully completed,” the analysis by Seculert CTO Aviv Raf says.

“PinkStats attempts to masquerade itself as legitimate web statistics or a counter service, both in the malware communication to the C2 server (see Figure 1) and the attacker’s administration panel login screen.”

Once it’s on an infected machine and has downloaded its other components, it gets to work. In one campaign that Seculert analyzed, it installs a known attack tool called Zxarps that PinkStats uses to spread automatically on the compromised network. Raff said it’s not clear yet what the initial infection vector is for the PinkStats tool.

“It performs ARP poisoning in order to inject an iframe tag into active web sessions on other machines within the victim’s local network. The injected iframe contains an ActiveX installation of the PinkStats malware using a vulnerable C6 messanger ocx component. The ActiveX cab file is signed by Thawte and valid as of May 8th, using “Microsoft Corporation” as the product name and a fake South Korean company name, ‘Liaocheng YuanEr Technology CO.,ltd.’, as the publisher name,” Raff said.

The PinkStats malware also downloads a file named Win8.exe, which is a DDoS attack tool that can be used to launch attacks against targets chosen by the attackers. Raff said that this component may be one of the tools being used as part of the recent DDoS attacks against South Korean targets.

Image from Flickr photos of Amy Guth.

Suggested articles