Targeted Espionage Attack Borrowing from Cybercriminals

The Safe cyberespionage campaign includes elements of malware and coding from a professional cybercrime software development team.

More and more, we’re hearing about a crossing of the streams, if you will, between cybercrime and state-sponsored attackers. Elements of malware, code persistence and distribution techniques are bleeding over between one realm of hacking into the other as each side tries to fill gaps in their respective portfolios.

The most recent example comes from Safe, a targeted espionage malware campaign recently reported on by Trend Micro. Safe has all the elements of a state-sponsored endeavor yet it seems to have been written by a third-party professional software developer with textbook code snippets, extensive commenting throughout the source code and an air of commercialization.

“As the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defenses. As a result, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use,” wrote Kyle Wilhoit and Nart Villeneuve in a paper.

Safe, named after the filenames given to several of the malware components, has hit a relatively small number of targets, namely nongovernmental organizations (NGOs), technology companies, government agencies, academic research institutions and media companies. To date, nearly 12,000 unique IP addresses from more than 100 countries have connected to a pair of command and control infrastructures.

Each command and control server had its own set of marching orders for the malware and targets. One snared just three live victims, the report said, most of those in Mongolia, while the other had significantly more, and most of those connections originated in India, the U.S., China and Pakistan.

From clues discovered from a misconfiguration on one of the C&C servers, the researchers were able to see all of its directories, view victim information and download backup archives that included source code used for the server and malware.

“This is realistically about a developer who may be cybercrime oriented, but a malware campaign that is espionage oriented,” Wilhoit told Threatpost, who added that this type of professional code development is not uncommon in either the cybercrime or cyberespionage arenas.

Attacks begin with spear phishing emails containing spiked Microsoft Office documents that exploit the vulnerability tracked as CVE-2012-0158. The spear phishing messages target Tibetan activists with information about an interview with the exiled Dalai Lama; the attachment is titled "NBC Interview Excerpts." CVE-2012-0158 was also used in the Red October espionage campaign as well as in other attacks against Tibetan activists in China or in exile elsewhere worldwide.

Once the document is opened, the victim sees a decoy document while files are downloaded in the background, including a DLL called Safe.Ext, which contains the malware, and SafeCredential.DAT, which contains an RC4 encryption key as well as command and control server information and the targets. Each victim is assigned a unique identifier. The second stage of the attack then executes, and a number of data exfiltration plug-ins are installed, along with credential-stealing tools targeting the major browsers and Remote Desktop Protocol.
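The drop sequence described above (an Office document that writes Safe.Ext and SafeCredential.DAT in quick succession) is the kind of host artifact a defender can hunt for. The following is an added detection example, not code from the Trend Micro report; the EDR-style event format, the Office process names and the 120-second window are assumptions, and the sample events are constructed.

```python
"""Hunt for the Safe dropper pattern: an Office process that writes both
Safe.Ext (the malware DLL) and SafeCredential.DAT (RC4 key + C&C config)
within a short window. Event format and sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Office host processes; adjust to the environment's inventory.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Artifact names reported for the Safe campaign (matched case-insensitively).
SAFE_ARTIFACTS = {"safe.ext", "safecredential.dat"}
WINDOW = timedelta(seconds=120)  # assumed correlation window

# Constructed EDR-style file-write events: (timestamp, host, writing process, path)
EVENTS = [
    ("2013-05-17T09:00:01", "ws-12", "winword.exe", r"C:\Users\a\AppData\Local\Temp\decoy.doc"),
    ("2013-05-17T09:00:03", "ws-12", "winword.exe", r"C:\Users\a\AppData\Roaming\Safe.Ext"),
    ("2013-05-17T09:00:04", "ws-12", "winword.exe", r"C:\Users\a\AppData\Roaming\SafeCredential.DAT"),
    ("2013-05-17T09:05:00", "ws-07", "explorer.exe", r"C:\Users\b\Downloads\Safe.Ext"),
    ("2013-05-17T10:00:00", "ws-07", "winword.exe", r"C:\Users\b\Documents\report.docx"),
]

def parse_event(ev):
    """Normalise one event to (datetime, host, lowercase process, lowercase basename)."""
    ts, host, proc, path = ev
    return datetime.fromisoformat(ts), host, proc.lower(), path.rsplit("\\", 1)[-1].lower()

def find_safe_drops(events, window=WINDOW):
    """Return hosts where an Office process wrote both Safe artifacts within `window`.
    Requiring both files and an Office writer keeps a lone Safe.Ext download
    by another process (ws-07 above) out of the alert."""
    by_host = defaultdict(list)
    for ts, host, proc, name in map(parse_event, events):
        if proc in OFFICE_PROCESSES and name in SAFE_ARTIFACTS:
            by_host[host].append((ts, name))
    hits = []
    for host, writes in by_host.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            seen = {n for t, n in writes[i:] if t - t0 <= window}
            if seen == SAFE_ARTIFACTS:
                hits.append(host)
                break
    return sorted(hits)

if __name__ == "__main__":
    print(find_safe_drops(EVENTS))  # ['ws-12']
```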

Aside from the malware, the two C&C servers don’t seem to have anything in common. While one uses Mongolian domain names, the second holds nonsensical domain names such as getapencil[.]com. No attack vectors have been discovered for the second server, Trend Micro said. The domains in the second server are registered to a wanxian at 126[.]com, the same address used to register another 17 domains including five C&C servers used in the iMuler and Enfal malware campaigns, Trend Micro said.

The researchers’ access to the source code illustrated the professionalism at play with this campaign. Apparently, the author had access to source code from a Chinese ISP and used that code in the building of the C&C server.

“We believe the malware author is a professional software engineer that is familiar with version control. We also found indicators that this individual is proficient in software development due to the high quality of the source code he used. The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers,” the paper said. “These qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science.”

Wilhoit told Threatpost they are still investigating and would not release any specific information about targets or the types of data being exfiltrated.
