An APT gang linked to China, and alleged to be responsible for targeted attacks against foreign governments and ministries, has now pointed its focus inward at Hong Kong, China’s autonomous territory.
An August attack against several media companies in Hong Kong was carried out shortly after a high-profile controversy over an appointment at the prestigious Hong Kong University. This is not the first time China has targeted media outlets, especially in Hong Kong, in particular seeking out journalists’ sources and attempting to stay ahead of a news cycle. In January 2013, hackers, allegedly connected to the Chinese government, were blamed by Mandiant for a breach at the New York Times. The group targeted the email accounts of investigative journalists looking into alleged corruption involving then-Chinese premier Wen Jiabao.
The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy.
In this case, researchers at FireEye said that this is one of the first instances in which this group has used phishing lures written in Chinese against targets. Three attachments accompanied each phishing email, all of which were exploits for a patched Microsoft Office vulnerability, CVE-2012-0158, a buffer overflow in the Windows Common Control Library patched in early 2012.
Once the exploit executes, a backdoor called Lowball is dropped onto the compromised machine, which then connects to a legitimate Dropbox account belonging to the attackers. This first stage of the attack runs a number of commands on the infected computer and sends the output to the Dropbox account, said FireEye principal threat analyst Nart Villeneuve. The attackers retrieve the information, analyze it, and if the target is judged worthy, a second-stage backdoor called Bubblewrap is delivered, a much more traditional backdoor used for remote control and stealing data.
Villeneuve said that APT gangs could soon be trending toward involving cloud-based services such as Dropbox as part of their attacks.
“These attackers are using Dropbox because it provides them with a way to disguise their activities,” Villeneuve said. “Anyone looking at the traffic would see only encrypted connections going to Dropbox rather than traffic associated with known malware.”
The phishing emails began showing up in the inboxes of Hong Kong-based newspapers, television and radio stations, targeting journalists with tidbits about current events, including one purporting to be from alumni of Hong Kong University sharing their concerns that a vote to appoint a vice-chancellor at the school was being influenced by Beijing. The first stage of the attack, Villeneuve said, is essentially reconnaissance. Once the exploit is executed, the backdoor connects to Dropbox using the service’s API and creates a file in the Dropbox account named after the compromised host. The file contains ipconfig output, user and domain information, and lists of program files and recently created documents.
“The attackers look at the information and determine if the target is of interest. If they are, they then put an executable in the Dropbox account so that the next time the compromised host checks in, it pulls down the executable and a well-known backdoor is dropped, giving them real-time access to the host.”
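A defender-side use of the check-in behaviour described above: because the first stage polls the Dropbox API from the infected workstation, proxy logs can be screened for hosts that reach the API without being sanctioned Dropbox users, or that check in at a near-fixed interval. The Python below is an added example, not FireEye's or Dropbox's code; the API hostnames, the allowlist and the log lines are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hostnames serving the Dropbox HTTP API (assumption: not taken from the article;
# use whatever destination names your own proxy logs record).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Workstations where a sanctioned Dropbox client is expected (constructed allowlist).
SANCTIONED_HOSTS = {"ws-finance-12"}

# Constructed proxy log lines: "<iso-timestamp> <src-host> <dst-host> <bytes-out>".
SAMPLE_LOG = """\
2015-08-03T09:00:00 ws-news-07 api.dropboxapi.com 1412
2015-08-03T09:00:02 ws-news-07 content.dropboxapi.com 18230
2015-08-03T09:05:00 ws-news-07 api.dropboxapi.com 1401
2015-08-03T09:10:01 ws-news-07 api.dropboxapi.com 1398
2015-08-03T09:15:00 ws-news-07 api.dropboxapi.com 1405
2015-08-03T09:03:11 ws-finance-12 api.dropboxapi.com 2210
2015-08-03T11:47:52 ws-finance-12 content.dropboxapi.com 90210
2015-08-03T09:07:40 ws-radio-02 www.example.com 512
""".splitlines()

def parse(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def is_beaconing(timestamps, min_hits=4, max_jitter_s=5.0, min_fraction=0.6):
    """True when most gaps between a host's API hits sit within max_jitter_s of the
    median gap, i.e. the host is polling on a timer rather than being driven by a user."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    typical = median(gaps)
    regular = sum(1 for g in gaps if abs(g - typical) <= max_jitter_s)
    return regular / len(gaps) >= min_fraction

def find_suspicious(lines):
    """Return {src_host: [reasons]} for Dropbox API use that warrants a closer look."""
    hits, findings = defaultdict(list), defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse(line)
        if dst in DROPBOX_API_HOSTS:
            hits[src].append(ts)
    for src, stamps in hits.items():
        if src not in SANCTIONED_HOSTS:
            findings[src].append("dropbox-api-from-unsanctioned-host")
        if is_beaconing(stamps):
            findings[src].append("regular-interval-checkins")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

The content upload two seconds after the first hit is tolerated by the median-based check, so a recon upload interleaved with timed check-ins still scores as beaconing.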
FireEye said it shared its findings with Dropbox, which investigated further and found a separate and larger attack that is likely connected to the same group.
“[Dropbox] found another set of activity using malware that was almost the same and in that case, the attack appeared to be much larger, about 50 targets,” Villeneuve said, adding that the second attack is ongoing. “We are pretty sure this second cluster of activity is related. There’s nothing we can link them to other than it looks the same, with multiple Dropbox accounts and a few more targets.”