A recently observed APT campaign, dubbed Operation Oceansalt, could herald the return of the infamous China-linked hacking group known as Comment Crew or APT1. Attacks are cunning and are defined by their their deep targeting and use of an innovative multi-wave attack methodology.
Operation Oceansalt, which started in May, was first spotted by a team of researchers targeting Korean speakers with an unknown data reconnaissance implant. From there, four more waves of related attacks were seen targeting companies inside South Korea, the United States and Canada in a well-focused effort, all using the same malware called Oceansalt.
The implant, or Oceansalt, is primarily aimed at carrying out espionage activity. However, it also gives the attackers full control of any system they compromise and the network it is connected to. Overall, it appears to be the first stage of an advanced persistent threat, according to the McAfee’s Advanced Threat Research, credited for first identifying the attacks.
“The malware can send system data to a control server, and execute commands on infected machines, but we do not yet know its ultimate purpose,” noted researchers Raj Samani and Ryan Sherstobitoff in a technical write-up by McAfee outlining the campaign posted on Thursday.
Waves of Attacks Crashing
The initial attack vector was spear-phishing, with two malicious Korean-language Microsoft Excel email attachments acting as downloaders of the implant from a South Korean compromised website (now offline).
In the first two waves of the attack, the document analysis showed that the targets were South Korean public infrastructure officials with knowledge of various South Korean projects and related financials. Most of the data in the malicious file was unrelated and had to do with those involved in higher education in South Korea or who attend various institutes—likely a copy of a database of personal information from a South Korean government authority, Sherstobitoff said.
A third round of malicious documents, this time in Microsoft Word, carried the same metadata and author as the Excel documents used in the first two waves. This time however, the content was related to the financials of the Inter-Korean Cooperation Fund. The document was created at the same time as the previous attacks, but used a different South Korean compromised website to distribute Oceansalt.
Further telemetry indicated that organizations in the investment, healthcare banking and agriculture industries in Canada and the United States had fallen victim to the Oceansalt malware as of mid-August, representing a fourth wave of activity; details here are few, however.
“We did not find Office documents affecting targets in Canada and the United States, but our telemetry indicates the threat has also affected systems in North America,” researchers said. They added that they’re not certain if the attack used a different compromised website to distribute the implant.
And finally, in a fifth wave, researchers discovered additional variants of Oceansalt using different control servers, obfuscated to avoid detection but still identical to the initial Oceansalt implant. The fifth-wave samples were found in various organizations in South Korea and the United States.
“One possible motive for the campaign is financial theft,” wrote Samani and Sherstobitoff. “These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victims. The impact of these operations could be huge…A bank’s network would be an especially lucrative target.”
Comment Crew Returns?
Interestingly, upon examination, the binary used in all five waves bears a striking resemblance to the Seasalt implant (active circa 2010), which is linked to the Chinese hacking group Comment Crew.
“Although one reaction is to marvel at the level of innovation displayed by the threat actor(s), we are not discussing five new, never-before-seen malware variants—rather the reuse of code from implants seen eight years prior,” the researchers said. “The Oceansalt malware uses large parts of code from the Seasalt implant.”
The notable thing about this is that not only was Comment Crew thought to be defunct, but the source code – to the researchers’ knowledge – was never leaked on the underground. The obvious implication is that Operation Oceansalt could signal the return of the hacking group – or at least, new activity from a few of its members. Or, perhaps not.
“Originally taking the title APT1, the Comment Crew was seen as the threat actor conducting offensive cyber-operations against the United States almost 10 years before,” McAfee researchers said. “We have not seen any activity from this group since they were initially exposed [by Mandiant, in 2013]. Is it possible that this group has returned and, if so, why target South Korea? Alternatively, this could be a ‘false-flag’ operation to suggest that we are seeing the re-emergence of Comment Crew. Creating false flags is a common practice.”
If the latter, it could indicate a collaboration on the part of threat groups.
“Threat actors have a wealth of code available to leverage new campaigns,” wrote Samani and Sherstobitoff. “In this case, we see that collaboration not within a group but potentially with another threat actor—offering up considerably more malicious assets. We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.”
Seasalt vs. Oceansalt
Samani told Threatpost that at the same time, there are a few differences between the two implants in terms of their implementation, which demonstrates that Oceansalt is not simply a recompilation of Seasalt source code but rather an evolution from it.
“For example, the Seasalt implant does not use encoding and sends unencrypted data to the control server, and it parses the control address from its binary by decoding data,” Samani told Threatpost. “Seasalt also copies itself to C:\DOCUMEN~1\<userid>\java.exe and creates a registry entry to ensure infection after reboot.”
Also, the mechanism for obtaining the address in Seasalt is different from Oceansalt.
“Seasalt looks for encoded data at the end of the binary, decodes this data into tokens separated by the marker ‘$,’ and obtains the control server information,” Samani told us. “Oceansalt implants have the control server IP addresses and port numbers hardcoded as plaintext strings in the binaries.”