UPDATE: Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies, universities and defense contractors. The attacks are using highly customized malicious files to entice targeted users into opening them and starting the compromise.
The attack campaign is using a series of hacked servers as command-and-control points, and researchers say that the tactics and tools used by the attackers indicate that they may be located in China. The first evidence of the campaign was an attack on Digitalbond, a company that provides security services for industrial control systems (ICS). The attack begins with a spear phishing email sent to employees of the targeted company and containing what appears to be a PDF attachment. In Digitalbond’s case, the file is called “Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe”, an executable carrying a double extension so that it passes for a PDF; when it’s opened, the file installs a Trojan downloader called spoolsvr.exe.
That file, when executed, reaches out to a C&C server located at hxxp://hint.happyforever.com and downloads instructions and a payload. The downloaded HTML file installs another file, tanghi.exe, which is not widely detected by antimalware products, according to an analysis by AlienVault. The executable is a remote access tool that gives the attacker a persistent presence on the compromised machine.
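The lure described above relies on a double extension (“.pdf.exe”) that Windows renders as a PDF when it hides known file extensions. The following mail-gateway check is an added example written for this article, not code from AlienVault or Digitalbond; the extension lists, the magic-byte table and the sample attachments are constructed for the illustration. It classifies an attachment by its real extension, by the name a user would see with extensions hidden, and by the file’s leading bytes, so that a file named like a document but carrying an executable header is blocked even when the name alone looks harmless.

```python
import os

# Extensions Windows will execute (list constructed for this example, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Document extensions an attacker typically places in front of the real one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Leading bytes -> extension the content actually corresponds to.
MAGIC = {b"%PDF-": ".pdf", b"MZ": ".exe"}


def sniff_type(head: bytes):
    """Return the extension implied by the file's first bytes, or None if unknown."""
    for magic, ext in MAGIC.items():
        if head.startswith(magic):
            return ext
    return None


def classify_attachment(filename: str, head: bytes) -> dict:
    """Decide whether an attachment should be blocked, with the reasons why."""
    lower = filename.lower()
    stem, true_ext = os.path.splitext(lower)   # last extension is the one Windows acts on
    _, inner_ext = os.path.splitext(stem)      # extension a user sees when the real one is hidden
    content_ext = sniff_type(head)
    reasons = []

    if true_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {true_ext}")
    if inner_ext in DOCUMENT_EXTS and inner_ext != true_ext:
        reasons.append(f"document extension {inner_ext} placed before {true_ext}")
    if content_ext is not None and content_ext != true_ext:
        reasons.append(f"content looks like {content_ext} but name says {true_ext}")

    # Name shown when "Hide extensions for known file types" is on: the last extension is dropped.
    displayed_as = filename[: -len(true_ext)] if true_ext else filename
    return {
        "filename": filename,
        "displayed_as": displayed_as,
        "true_ext": true_ext,
        "content_ext": content_ext,
        "reasons": reasons,
        "verdict": "block" if reasons else "allow",
    }


if __name__ == "__main__":
    # Constructed samples: the lure name from the article with an EXE header, and two benign-looking files.
    samples = [
        ("Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe", b"MZ\x90\x00\x03"),
        ("quarterly_report.pdf", b"%PDF-1.4\n"),
        ("quarterly_report.pdf", b"MZ\x90\x00\x03"),
    ]
    for name, head in samples:
        r = classify_attachment(name, head)
        print(f"{r['verdict']:5}  {name}  shown as '{r['displayed_as']}'  {r['reasons']}")
```

The content check matters as much as the name check: renaming an executable to a bare “.pdf” defeats the extension logic, but the `MZ` header still gives it away.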
“The communication between the malware and the C&C is done using HTTP requests to random numeric .asp files. The RAT communication is present on the Cookie header of the request and base64/xor encoded,” Jaime Blasco of AlienVault said in his analysis.
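The beaconing pattern Blasco describes (requests for randomly numbered .asp files with the RAT traffic carried in the Cookie header, base64-encoded over an XOR mask) is something a proxy or web-log review can be tuned for. The script below is an added example, not AlienVault’s tooling: it builds a few constructed requests, flags those whose path is a bare number with an .asp extension and whose cookie contains a base64 blob that decodes to non-text bytes, and includes a decoder for the case where an analyst has recovered the XOR key from a sample. The key `DEMO_KEY` is a placeholder chosen for the illustration; the article names no key and the real one would come from malware analysis.

```python
import base64
import re

# Placeholder key used only to construct the sample traffic; the real key is recovered from a sample.
DEMO_KEY = b"\x9f\x23\xc4"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the masking step named in the analysis."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(plaintext: bytes, key: bytes = DEMO_KEY) -> str:
    """XOR then base64: the order described for the cookie payload (used here to build samples)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(value: str, key: bytes = DEMO_KEY) -> bytes:
    """Analyst-side reversal once the key is known."""
    return xor_bytes(base64.b64decode(value, validate=True), key)


# Constructed proxy-log records (not real captures): two beacons and two benign requests.
SAMPLE_REQUESTS = [
    {"host": "intranet.example.test", "path": "/login.asp",
     "cookie": "ASPSESSIONID=ABCDEFGH; lang=en"},
    {"host": "c2.example.test", "path": "/48213.asp",
     "cookie": "s=" + encode_beacon(b"id=ws-07;user=jane;cmd=beacon")},
    {"host": "c2.example.test", "path": "/907.asp",
     "cookie": "s=" + encode_beacon(b"cmd=result;seq=2;status=ok")},
    {"host": "cdn.example.test", "path": "/static/app.js",
     "cookie": "tracking=abc123"},
]

NUMERIC_ASP = re.compile(r"^/\d+\.asp$")
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into name -> value (base64 padding keeps its '=' because we split once)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def is_opaque_blob(value: str, min_decoded_len: int = 16) -> bool:
    """True for a base64 value that decodes to a sizeable run of mostly non-printable bytes.
    Ordinary session cookies are short; base64 of plain text decodes to printable ASCII;
    XOR-masked payloads do neither."""
    if not BASE64_SHAPE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    if len(raw) < min_decoded_len:
        return False
    nonprintable = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    return nonprintable / len(raw) >= 0.3


def flag_requests(requests):
    """Return (host, path, [cookie names]) for requests matching the beacon pattern."""
    hits = []
    for r in requests:
        if not NUMERIC_ASP.match(r["path"]):
            continue
        blobs = [k for k, v in parse_cookie(r["cookie"]).items() if is_opaque_blob(v)]
        if blobs:
            hits.append((r["host"], r["path"], blobs))
    return hits


if __name__ == "__main__":
    for host, path, names in flag_requests(SAMPLE_REQUESTS):
        print(f"suspect beacon: {host}{path} cookie fields {names}")
    # With the key in hand, the second sample decodes back to its command string.
    print(decode_beacon(parse_cookie(SAMPLE_REQUESTS[2]["cookie"])["s"]))
```

The path rule alone would match legitimate ASP sites that use numeric page names, so the cookie test is what keeps the false-positive rate manageable; in practice the rule is best scoped to hosts that are not already known business destinations.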
In addition to the attack on Digitalbond, researchers have found that the campaign has also hit users at Carnegie Mellon University, Purdue University and the University of Rhode Island. Also targeted were the Chertoff Group, a consultancy headed by former Secretary of Homeland Security Michael Chertoff, and NJVC, another defense contractor. Carnegie Mellon and Purdue both have high-profile computer security programs.
AlienVault identified similarities to the so-called Shady RAT attacks that were first publicized by McAfee in August 2011. The similarities include the use of encoded commands hidden in webpages and overlapping command-and-control infrastructure between the latest attacks and Shady RAT.
“We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files. Based on the networks hosting the C&C IPs (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily achieved using HTran or other similar software commonly used by Chinese hacker groups in this kind of campaign,” Blasco said.
The attackers clearly are not hitting random targets with this campaign, but are selecting their targets carefully.
“According to the information collected, the targets of these campaigns are somehow related with the US government or US Defense contractors directly, providing different services such as authentication software/hardware, Industrial Control Systems security, or strategic consulting,” Ruben Santamarta, a researcher at IOActive, wrote in an analysis of the attacks.
“Despite the fact that attribution is the most polemic task nowadays, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign.”