LAS VEGAS – The Emissary Panda APT group has a long history of invading Western organizations—be they enterprises, government or political outfits—hungry for reams of intellectual property.
Lately the group, however, has become a little more selective about what it steals.
Researchers at Dell SecureWorks Counter Threat Unit (CTU) today at Black Hat released a report on the inner workings of the group, which is largely linked to the Chinese government. The report reveals a little more discerning attitude from the state-sponsored attackers.
In data culled from close to 100 watering hole attacks, the APT group has drifted from the strategy employed by other similarly motivated gangs, which is to exfiltrate everything from a target’s network. Making use of hacking tools almost exclusively used by group, dubbed Threat Group 3390 (TG-3390) by Dell, they’re being quieter and stealing details on less than a handful of projects at a time.
“This is something that’s more unique to this group,” said senior security researcher Dr. Andrew White. “Most groups just package large amounts of data and exfiltrate it rather than the two or three smaller things this group is after. This indicates deliberate and specific tasking; they’re very clear in their goals and what they’re going after.”
Dell said today that targets in a number of American and U.K. industries—manufacturing, automotive, aerospace, pharmaceuticals, oil and gas companies, defense industrial base, political and education—have fallen victim to this group in ongoing campaigns that continue. The group uses commodity exploits for Flash, Java and Windows, some four years old, to compromise websites of interest to employees of these sundry organizations.
“What they do is compromise websites they think the targets will visit,” White said adding that the group has built a framework for fingerprinting visitors to its watering hole sites. “They monitor how these targets access the websites, track IP addresses, and based on the IPs, figure out if they’re from a netblock belonging to the company of interest and deliver exploits and malicious payloads to visitors from those IP blocks.”
The group exfiltrates intellectual property, via backdoors established through the use of remote access Trojans such as PlugX, another hallmark of Emissary Panda. It also borrows tools used by other APT gangs, including HttpBrowser, a remote access tool that allows them to upload files and move data off machines, the ChinaChopper web shell, and the Hunter web application scanning tool that seeks out exploitable flaws in Apache Tomcat, JBoss and ColdFusion servers, as well as identify open ports, collect web banners and download secondary files.
The group also makes almost exclusive use of the OWAauth tool which is a webshell and keylogger for Microsoft Exchange servers, and a modified version of the ASPXTool spy tool for Microsoft Internet Information Services servers.
These tools help the group gain an initial foothold inside an organization. Part of that initial intrusion includes going after domain controller credentials which affords the attackers lateral movement inside the network within a matter of two hours, and begin moving data off in less than a day.
Once inside, they build a list of every file on a server by recursively listing directories.
“What we see them do is produce a shopping list, and enumerate file systems on servers or where data stored,” White said. “They exfiltrate these shopping lists and come back days later, and move them off the servers.”
One thing this group is unlikely to do is burn a valuable zero-day exploit or vulnerability, especially when an exploit for a patched flaw will do just fine. “I feel like this group is very successful at using older vulnerabilities,” White said. “There’s no reason move to zero days.”