Researchers have discovered a mature attack platform that has enjoyed great success eluding detection and makes good use of an exploit that has appeared in a number of espionage campaigns.
The attacks have concentrated largely on the automotive industry, hitting large companies primarily in Asia, and only after being tested against activist targets in the region. Nicknamed Grand Theft Auto Panda by researcher Jon Gross of Cylance, the attacks rely on well-worn exploits for CVE-2012-0158, a memory corruption flaw in the MSCOMCTL.OCX ActiveX control (Windows Common Controls) shipped with Microsoft Office and other Microsoft products, which Microsoft patched in April 2012 (MS12-027). Malicious Microsoft Office documents are sent to the victim, who must open the .xls, .doc, or other file attached to a phishing email or linked from a website; doing so triggers the vulnerability, which lets the attacker run code on the machine and install the malware, or simply crashes the application.
These attacks are not carried out on the same scale as those by the Comment Crew or other high profile APT gangs. Specific targets are chosen in these campaigns, and those targets are phished with convincing messaging, such as a negative customer service review as in one attack spotted by Cylance.
The platform has been around for a few years and can be used to steal not only system and network information but also documents and credentials, and it opens a backdoor connection to the attacker's infrastructure over which the stolen data is moved out.
“It’s more of an extensible platform where they can add in any functionality they want as a plug-in. It’s more of an infection framework than any specific Trojan,” Gross said. “They can modify the components over time and not have to really worry about it if the main component is never detected. This is more like an extensible platform where they add in functionality, screen capture, key logging; they just send it up as a plug-in.”
CVE-2012-0158, meanwhile, has been a favorite among nation-state attackers seeking to infiltrate corporations or activist groups for espionage or surveillance. It was used in the Icefog and NetTraveler campaigns discovered by Kaspersky Lab. Both were linked to operatives in China and follow a pattern similar to GTA Panda in that they attack both activists and manufacturing companies.
“We see a lot of people who are attacking industries also attacking human rights groups. We’ve always thought it just comes down as a directive from whomever to test this against them,” Gross said. “We see a lot of new malware tested against human rights activists before it ever makes its way to the corporate environments. The original stuff I found was not targeted against human rights, but as I dug into it, I saw more and more stuff that was also additionally targeting human rights; and that was older stuff before they moved on to corporations.”
NetTraveler, for example, used the CVE-2012-0158 Office exploits to target Uyghur and Tibetan activists before moving on to oil and energy companies as well as diplomats and government agencies around the world.
“It’s kinda like a Darwinian evolution of malware. If it passes the first test, it’s survival of the fittest. The things that don’t get detected get reused,” Gross said. “Human rights are almost like a playground. They’re always a target, and we see a lot of malware that’s used against them before anyone else.”
As for the platform, its staying power is due to its stealth.
“The big thing is moving functionality out of the actual files that get loaded into [victims’ machines] because then it doesn’t look suspicious until that file subsequently loads something else that performs the malicious activity,” Gross said. “The malicious components are sitting there encrypted on disk, where your typical security product is not going to find that unless they already know about it.”
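The description above points at a detection-side check a practitioner can run: encrypted plug-in components that wait on disk to be decrypted by a small loader have near-maximal byte entropy and no recognizable file header. The Python script below is an added example written for this page; it is not Cylance's tooling or code from the campaign. The files it scans are constructed fixtures, the 7.5 bits-per-byte threshold and 4 KiB minimum size are assumed tuning values, and the magic-byte allowlist is a small illustrative subset of real formats.

```python
"""Flag sizeable, headerless, near-random files that could be encrypted plug-in payloads.

Added example: the scanned files are constructed fixtures, the entropy threshold
and minimum size are assumed tuning values, and KNOWN_MAGIC is illustrative only.
"""
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path
from typing import List

# Legitimately high-entropy formats that a signature would recognize by header.
KNOWN_MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP container (also docx/xlsx/jar)",
    b"\x89PNG": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"\x1f\x8b": "gzip stream",
    b"%PDF": "PDF document",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes) -> str:
    """Name of the recognized container format, or '' if the header matches nothing."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return ""


def is_suspicious_blob(data: bytes, threshold: float = 7.5, min_size: int = 4096) -> bool:
    """True for a file that is large enough to matter, near-random, and of no known format."""
    if len(data) < min_size or known_format(data):
        return False
    return shannon_entropy(data) >= threshold


def scan_tree(root: Path, **kw) -> List[Path]:
    """Walk root and return the files that look like opaque encrypted payloads."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_suspicious_blob(path.read_bytes(), **kw):
            hits.append(path)
    return hits


def build_fixture(root: Path) -> None:
    """Constructed sample tree: plain text, a zip, a tiny random file, and an 8 KiB blob."""
    (root / "notes.txt").write_text("quarterly customer feedback summary\n" * 200)
    with zipfile.ZipFile(root / "archive.zip", "w") as zf:
        zf.writestr("random.bin", os.urandom(8192))  # high entropy, but carries PK magic
    (root / "small.bin").write_bytes(os.urandom(512))  # random, but below min_size
    (root / "sub").mkdir()
    # Stand-in for an encrypted plug-in dropped beside a benign-looking loader.
    (root / "sub" / "plugin.dat").write_bytes(os.urandom(8192))


def run_demo() -> List[str]:
    """Build the fixture in a temporary directory and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return [p.name for p in scan_tree(root)]


if __name__ == "__main__":
    print(run_demo())
```

Only `plugin.dat` is reported: the text file has low entropy, the zip is random inside but announces itself with a `PK` header, and the 512-byte file falls under the size floor. The allowlist is what keeps the false-positive rate tolerable, since compressed images, archives and installers are just as random as ciphertext; the flip side is that a payload prefixed with a borrowed header slips past this check, which is why the blob should be paired with the question of which process actually reads and decrypts it.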
There are also layers of encryption protecting the attack that shield it from detection, Gross said. As for the exploits, lax patching is likely the biggest culprit; in this case, CVE-2012-0158 was patched by Microsoft more than 18 months ago, in the April 2012 MS12-027 bulletin. Combine that with effective social engineering in the phishing messaging, in particular mail that appears to come from spoofed, trusted addresses, and that is a potent cocktail for trouble.
“If you get emails that look like they’re coming from trusted parties and people you usually communicate with, then our guard drops and we’re much more likely to say OK, I’ll open that,” Gross said. “I think they rely on that really heavily, especially with the activist community because they know all these people and they know who they communicate with on a regular basis and they try to make it look like it comes from them. Their guard’s totally down and they’re not worried about it.”
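The spoofing Gross describes relies on the reader trusting a familiar name and address. A mail gateway or analyst can check whether the headers actually agree with each other before a human sees the message. The script below is an added example for this page, not Cylance's tooling or anything recovered from the campaign: the address book, both messages, the look-alike domain and the attachment bytes are all constructed, and the finding codes are names chosen here.

```python
"""Header-consistency checks for a message that claims to come from a trusted contact.

Added example: the address book, both messages and the attachment bytes are
constructed for this demonstration; none of it comes from the campaign.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed address book: display name -> the address we actually know that person by.
TRUSTED_CONTACTS: Dict[str, str] = {"Wei Zhang": "wei.zhang@example-autoparts.com"}

# Signature of the legacy OLE2 compound container used by binary .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed lure: the right name on a look-alike domain, a bounce address and
# Reply-To elsewhere, a failed SPF verdict, and a binary Office attachment whose
# base64 body decodes to the OLE2 signature.
SPOOFED_RAW = """\
From: "Wei Zhang" <wei.zhang@example-autoparts.co>
To: support@example-autoparts.com
Reply-To: wei.zhang.office@webmail.example.org
Return-Path: <bounce-4471@marketing-relay.example.net>
Authentication-Results: mx.example-autoparts.com; spf=fail smtp.mailfrom=marketing-relay.example.net
Subject: Complaint about defective shipment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached review.
--b1
Content-Type: application/vnd.ms-excel; name="review.xls"
Content-Disposition: attachment; filename="review.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Constructed benign message from the same contact, for comparison.
LEGIT_RAW = """\
From: "Wei Zhang" <wei.zhang@example-autoparts.com>
To: support@example-autoparts.com
Return-Path: <wei.zhang@example-autoparts.com>
Authentication-Results: mx.example-autoparts.com; spf=pass smtp.mailfrom=example-autoparts.com
Subject: Re: shipment schedule
Content-Type: text/plain; charset="us-ascii"

Confirmed for Tuesday.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str, trusted: Dict[str, str] = TRUSTED_CONTACTS) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means the headers agree with each other."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. Familiar display name, but not the address we know that person by.
    expected = trusted.get(display)
    if expected and expected.lower() != from_addr.lower():
        findings.append(("display_name_mismatch", f"{display} is {expected}, not {from_addr}"))

    # 2. Envelope sender (bounce address) from a different domain than From.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != from_dom:
        findings.append(("return_path_mismatch", return_path))

    # 3. Replies silently redirected to a third domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(("reply_to_mismatch", reply_to))

    # 4. The receiving MTA's own SPF/DKIM/DMARC verdicts, if it recorded any.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append((f"{mech}_fail", auth))

    # 5. Legacy binary Office attachments are the carrier for CVE-2012-0158 lures.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.startswith(OLE2_MAGIC):
            findings.append(("ole_attachment", part.get_filename() or "(unnamed)"))
    return findings


def finding_codes(raw: str) -> List[str]:
    """Just the finding names, in the order the checks run."""
    return [code for code, _ in check_message(raw)]


if __name__ == "__main__":
    for code, detail in check_message(SPOOFED_RAW):
        print(f"{code}: {detail}")
    print("legit:", check_message(LEGIT_RAW))
```

None of these checks is conclusive on its own: mailing lists legitimately rewrite Return-Path, and people do set a Reply-To to a personal account. Their value is in combination, and in the display-name check in particular, which targets exactly the trust Gross describes: the name is one the recipient knows, but the address behind it is not the one they have corresponded with. A real deployment would also consult the Received chain and the organization's own list of approved sending relays.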