Mysterious APT Leaves Curious ‘KilllSomeOne’ Clue

KilllSomeOne APT cyberattack

APT cloaks identity using script-kiddie messages and advanced deployment and targeting techniques.

Researchers are scratching their heads when it comes to unmasking a new advanced persistent threat (APT) group targeting non-governmental organizations in the Southeast Asian nation Myanmar (formerly Burma).

Based on crude messages, such as “KilllSomeOne”, used in attack code strings, coupled with advanced deployment and targeting techniques, they say the APT has a split personality.

“The messages hidden in their samples [malware] are on the level of script kiddies. On the other hand, the targeting and deployment is that of a serious APT group,” wrote Gabor Szappanos, author of a Sophos technical brief, posted Wednesday, outlining what is known about the APT.

Szappanos wrote that the gang relies primarily on a cyberattack technique known as DLL side-loading. This preferred method of attack gained popularity in China in 2013. That fact, coupled with ongoing border-tensions between ethnic Chinese rebels and Myanmar military, suggest that the gang is a Chinese APT, researchers believe.

“While the [DLL side-loading] is far from new—we first saw it used by (mostly Chinese) APT groups as early as 2013, before cybercrime groups started to add it to their arsenal—this particular payload was not one we’ve seen before,” Szappanos wrote.

Four distinct DLL side-loading scenarios deliver either a shell payload (allowing an adversary to run commands on targeted systems) or plant a “complex set of malware” on systems, researchers said.

DLL side-loading, simply put, is a type of application that appears to be legitimate and can often bypass weak security mechanisms such as application whitelisting. Once trusted, the application gains additional permissions by Windows during its execution.

“Side-loading is the use of a malicious DLL spoofing a legitimate one, relying on legitimate Windows executables to load and execute the malicious code,” describes Sophos.

All four DLL side-loading scenarios execute malicious code and install backdoors in the networks of targeted organizations. Each also share the same program database path and plaintext strings written in poor English with politically inspired messages in their samples, Sophos said.

“The cases are connected by a common artifact: the program database (PDB) path. All samples share a similar PDB path, with several of them containing the folder name ‘KilllSomeOne,'” researchers wrote.

Sample strings of plain text in the KilllSomeOne malware code include “Happiness is a way station between too much and too little” and “HELLO_USA_PRISIDENT”.

“The types of perpetrators behind  targeted attacks in general are not a homogeneous pool. They come with very different skill sets and capabilities. Some of them are highly skilled, while others don’t have skills that exceed the level of average cybercriminals,” researchers said. “The group responsible for the attacks we investigated in this report don’t clearly fall on either end of the spectrum. They moved to more simple implementations in coding—especially in encrypting the payload,” they said.

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

Suggested articles

Discussion

  • Darren on

    Are we possibly talking about Mustang Panda here? They have recently (<3 months) used DLL side loading and PlugX in Myanmar.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.