Don’t judge an APT by its exploits alone. That’s the takeaway from a report that details a unique advanced persistent threat that leverages a kludge of unsophisticated, outdated and rudimentary attack tools to conduct cyber espionage. The targets of the attacks are government and diplomatic agencies in Asia with close ties to China.
Researchers at Kaspersky Lab discovered the APT group, dubbed Dropping Elephant, and report that it was active between November 2015 and this June. The APT, outlined in a report released today, relies exclusively on social engineering, low-budget malware tools and outdated exploits against old, already patched Windows vulnerabilities.
The group, according to the report, chooses targets mainly in Asia, paying particular attention to Chinese government and diplomatic organizations, and also to foreign embassies and diplomatic offices in China, including those of Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia and the USA.
“Despite using such simple and affordable tools and exploits, the team seems capable of retrieving valuable intelligence information,” said Vitaly Kamluk, director of Kaspersky Lab’s APAC Global Research and Analysis Team.
Dropping Elephant’s ragtag approach included standard attack schemes, starting with a two-stage phishing email attack. Phase one involves sending an email with a harmless attachment that, when opened, pings the attacker’s command and control server with details about the target’s computer. The second stage involves sending an email with either a Microsoft Word or PowerPoint document containing exploits (CVE-2012-0158 and CVE-2014-6352) that are effective on unpatched versions of Microsoft Office.
In other cases, according to Kaspersky Lab, the APT attacker also relied heavily on social engineering to reach desired targets. “Some victims are targeted by a watering hole attack: they receive a link to a website disguised as a political news portal, focused on China’s external affairs,” according to Kaspersky Lab. The links led to additional content, including Microsoft PowerPoint files carrying malicious payloads.
“The content of the malicious PPS is based on carefully chosen, genuine news articles featuring widely discussed geopolitical topics, which makes the document look more trustworthy and likely to be opened. This leads many users to become infected,” according to Kaspersky Lab.
Once the payloads are executed, the attackers place a UPX-packed AutoIT executable (UPX is a free and open source executable packer) on targeted systems, according to Kaspersky Lab. The AutoIT executable then automates the download of additional components from the attackers’ servers. “Then the stealing of documents and data begins,” Kaspersky Lab wrote in its report.
A closer look at the Dropping Elephant APT’s use of the AutoIT executable revealed an AutoIT3 script embedded inside. “Once started, it downloads additional malware from the C2 and also uploads some basic system information, stealing, among other things, the user’s Google Chrome credentials,” according to the report.
Another file-stealer module, for example, downloaded malware that repeatedly walked directories, collected files of specific document types (doc, docx, ppt, pptx, pps, ppsx, xls, xlsx and pdf) and uploaded them to the command and control server.
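The behaviour just described, a process that sweeps through folders reading many office documents and PDFs and then talks to a remote server, is something endpoint telemetry can surface. The following Python sketch is an added example written for this article, not code from the Kaspersky report or from the malware; it runs a simple threshold detection over constructed file-read and network-connect events in a hypothetical "time|event|pid|image|detail" format. The process names, paths, addresses and thresholds are all assumptions.

```python
"""Heuristic detection of bulk document collection followed by an outbound
connection, modelled on the file-stealer behaviour described in the article.
Added example with constructed telemetry; not code from the Kaspersky report."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Document extensions the article says the file-stealer module harvested.
TARGET_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".pps", ".ppsx",
               ".xls", ".xlsx", ".pdf"}

# Constructed sample telemetry in a hypothetical "time|event|pid|image|detail"
# format (think Sysmon-style file and network events). Process names, paths and
# addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = r"""
2016-06-01T09:00:01|FileRead|1200|WINWORD.EXE|C:\Users\alice\Documents\budget.docx
2016-06-01T09:00:03|NetConnect|1200|WINWORD.EXE|198.51.100.5:443
2016-06-01T09:00:05|FileRead|4321|update.exe|C:\Users\alice\Documents\budget.docx
2016-06-01T09:00:06|FileRead|4321|update.exe|C:\Users\alice\Documents\notes.doc
2016-06-01T09:00:07|FileRead|4321|update.exe|C:\Users\alice\Documents\deck.pptx
2016-06-01T09:00:08|FileRead|4321|update.exe|C:\Users\alice\Documents\q1.xlsx
2016-06-01T09:00:10|FileRead|4321|update.exe|C:\Users\alice\Desktop\memo.pdf
2016-06-01T09:00:11|FileRead|4321|update.exe|C:\Users\alice\Desktop\agenda.pps
2016-06-01T09:00:13|FileRead|4321|update.exe|C:\Users\alice\Downloads\setup.exe
2016-06-01T09:00:14|FileRead|4321|update.exe|C:\Users\alice\Downloads\report.pdf
2016-06-01T09:00:15|FileRead|4321|update.exe|C:\Users\alice\Downloads\brief.ppsx
2016-06-01T09:00:16|FileRead|4321|update.exe|C:\Users\alice\Downloads\stats.xls
2016-06-01T09:00:17|FileRead|4321|update.exe|C:\Users\alice\Downloads\old.ppt
2016-06-01T09:01:30|NetConnect|4321|update.exe|203.0.113.10:443
"""


def parse_events(text):
    """Parse the pipe-delimited telemetry into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, image, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "kind": kind,
                       "pid": int(pid), "image": image, "detail": detail})
    return events


def detect_document_sweeps(events, min_files=10, min_dirs=3,
                           window=timedelta(minutes=5)):
    """Flag processes that read at least min_files distinct target-extension
    files spread over at least min_dirs directories within `window` before an
    outbound connection. Returns one alert per offending process."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        for conn in evs:
            if conn["kind"] != "NetConnect":
                continue
            start = conn["time"] - window
            files, dirs = set(), set()
            for ev in evs:
                if ev["kind"] != "FileRead" or not (start <= ev["time"] <= conn["time"]):
                    continue
                path = PureWindowsPath(ev["detail"])
                if path.suffix.lower() in TARGET_EXTS:
                    files.add(str(path))
                    dirs.add(str(path.parent))
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"pid": pid, "image": conn["image"],
                               "files": len(files), "dirs": len(dirs),
                               "dest": conn["detail"], "at": conn["time"]})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_document_sweeps(parse_events(SAMPLE_LOG)):
        print(f"ALERT pid={alert['pid']} {alert['image']} read {alert['files']} "
              f"documents in {alert['dirs']} folders then connected to {alert['dest']}")
```

Requiring distinct files across several directories, rather than a raw read count, keeps an ordinary user opening one folder of attachments (WINWORD.EXE above, which reads one document and then connects) below the threshold, while a collector that walks Documents, Desktop and Downloads before uploading trips it. The thresholds and window are starting points to tune against your own baseline.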
According to researchers, Dropping Elephant managed to pull off its attacks with what Kaspersky Lab calls “low investment and ready-made offensive toolsets” coupled with high-quality social engineering lures. The social engineering also included maintaining Google+, Facebook and Twitter accounts.
Researchers can’t say with 100 percent certainty that the attackers were of Indian origin. However, there are indicators: the APT attackers used an Indian language, were active during the Indian workday, and IP addresses used in the attack were traced to India.
Kaspersky Lab said it doesn’t believe the cyber-espionage attacks will end anytime soon. Researchers say there are indications that the APT group is increasing its headcount, based on the fact that the group’s active hours have expanded.
“The modus operandi of ‘Dropping Elephant’ could hardly be called sophisticated. The attackers rely heavily on social engineering and low-budget malware tools and exploits. However, this approach seems to be effective, which makes this actor a dangerous one,” Kaspersky Lab wrote.