**December 01, 2015 | By FireEye Threat Intelligence | Threat Intelligence, Threat Research**

FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as "admin@338," may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]

The threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well as some non-public backdoors.[5]

The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group's latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015.
In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]

Multiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group's well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups' access to the media organizations' networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]

In August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice Chancellor will be co-opted by pro-Beijing interests.[9]

**Figure 1: Lure Screenshots**

The group's previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences.
This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.

The spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):

|MD5|Filename|
|---|---|
|b9208a5b0504cb2283b1144fc455eaaa|使命公民運動 我們的異象.doc|
|ec19ed7cddf92984906325da59f75351|新聞稿及公佈.doc|
|6495b384748188188d09e9d5a0c401a4|(代發)[采訪通知]港大校友關注組遞信行動.doc|

In all three cases, the payload was the same:

|MD5|Filename|
|---|---|
|d76261ba3b624933a6ebb5dd73758db4|time.exe|

… ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.

After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:

|MD5|Filename|
|---|---|
|d76261ba3b624933a6ebb5dd73758db4|WmiApCom|
|79b68cdd0044edd4fbf8067b22878644|WmiApCom.bat|

The "WmiApCom.bat" file is simply used to start "WmiApCom", which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.

The threat group monitors its Dropbox account for responses from compromised computers.
Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called "[COMPUTER_NAME]_upload.bat" which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers' Dropbox account in a file named "[COMPUTER_NAME]_download".

We observed the threat group issue the following commands:

```batch
@echo off
dir c:\ >> %temp%\download
ipconfig /all >> %temp%\download
net user >> %temp%\download
net user /domain >> %temp%\download
ver >> %temp%\download
del %0
```

```batch
@echo off
dir "c:\Documents and Settings" >> %temp%\download
dir "c:\Program Files\" >> %temp%\download
net localgroup administrator >> %temp%\download
netstat -ano >> %temp%\download
```

These commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.

We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:

```batch
@echo off
ren "%temp%\upload" audiodg.exe
start %temp%\audiodg.exe
dir d:\ >> %temp%\download
systeminfo >> %temp%\download
del %0
```

We have previously observed the admin@338 group use BUBBLEWRAP.
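
The tasking scripts quoted above share a recognizable shape on the host: a run of enumeration commands whose output is appended to one staging file under %temp%, a downloaded file renamed to an .exe and started, and self-deletion with del %0. The following Python classifier is an added example written for this post, not FireEye's or the group's tooling; it scores a batch script against that pattern. The two tasking scripts it is fed are the ones quoted above; the benign comparison script and the thresholds are constructed assumptions.

```python
"""Flag batch scripts that match the tasking pattern the post describes:
several host-enumeration commands appended to one staging file under %temp%,
optional staging of a downloaded payload as an .exe, and self-deletion.

Added example for this post; not FireEye or actor code. The tasking scripts
below are the ones quoted in the post; the benign script and the thresholds
are assumptions.
"""
import re
from typing import Dict, List

# Enumeration commands the post shows the group issuing, in normalized form.
# Longest first so "net user /domain" is not swallowed by "net user".
RECON_COMMANDS = (
    "net localgroup administrator",
    "net user /domain",
    "ipconfig /all",
    "netstat -ano",
    "systeminfo",
    "net user",
    "dir",
    "ver",
)

STAGING_RE = re.compile(r">>\s*%temp%\\(\S+)", re.IGNORECASE)      # append to %temp%\<file>
RENAME_RE = re.compile(r'^\s*ren\s+"?([^"\s]+)"?\s+(\S+\.exe)\s*$', re.IGNORECASE)
START_RE = re.compile(r"^\s*start\s+(\S+)", re.IGNORECASE)
SELF_DELETE_RE = re.compile(r"^\s*del\s+%0\s*$", re.IGNORECASE)

# Tasking scripts quoted in the post: first-stage reconnaissance, then the
# BUBBLEWRAP second-stage delivery.
RECON_SCRIPT = r"""@echo off
dir c:\ >> %temp%\download
ipconfig /all >> %temp%\download
net user >> %temp%\download
net user /domain >> %temp%\download
ver >> %temp%\download
del %0
"""

STAGE2_SCRIPT = r"""@echo off
ren "%temp%\upload" audiodg.exe
start %temp%\audiodg.exe
dir d:\ >> %temp%\download
systeminfo >> %temp%\download
del %0
"""

# Constructed benign script for contrast: one command, logged outside %temp%.
BENIGN_SCRIPT = r"""@echo off
ipconfig /all > C:\logs\netcfg.txt
"""


def _command_head(line: str) -> str:
    """Lower-case the command text before any output redirection, whitespace collapsed."""
    head = re.split(r">>?", line, maxsplit=1)[0]
    return " ".join(head.lower().split())


def classify_batch(script: str) -> Dict:
    """Return the indicators found in one script and a verdict.

    Heuristic (assumed thresholds): three or more distinct enumeration
    commands feeding a single staging file, or a staged file renamed to an
    .exe and then started, matches the tasking the post describes. A single
    enumeration command logged elsewhere is ordinary administration.
    """
    recon: List[str] = []
    staging = set()
    renamed_to = None
    launched = None
    self_deletes = False
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("@echo"):
            continue
        head = _command_head(line)
        for cmd in RECON_COMMANDS:
            if head == cmd or head.startswith(cmd + " "):
                if cmd not in recon:
                    recon.append(cmd)
                break
        m = STAGING_RE.search(line)
        if m:
            staging.add(m.group(1).lower())
        m = RENAME_RE.match(line)
        if m:
            renamed_to = m.group(2).lower()
        m = START_RE.match(line)
        if m:
            launched = m.group(1).lower().rsplit("\\", 1)[-1]
        if SELF_DELETE_RE.match(line):
            self_deletes = True
    stage_and_launch = renamed_to is not None and launched == renamed_to
    suspicious = (len(recon) >= 3 and len(staging) == 1) or stage_and_launch
    return {
        "recon": recon,
        "staging_files": sorted(staging),
        "stage_and_launch": stage_and_launch,
        "self_deletes": self_deletes,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, text in (("recon", RECON_SCRIPT), ("stage2", STAGE2_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, classify_batch(text))
```

In practice the script content would come from process-creation telemetry (the command line of cmd.exe and the file it was given) or from endpoint file-write events under %temp%; the classifier is deliberately tolerant of whitespace and case because tasking files are hand-written by the operator and vary between victims.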
This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:

|MD5|CnC domain|IP address|
|---|---|---|
|0beb957923df2c885d29a9c1743dd94b|accounts.serveftp.com|59.188.0.197|

BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.

FireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.

Our cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of th fil diff t hi h i di t th t th b lti l i f th l I dditi … duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.

In this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account.
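
Because the CnC traffic in both operations is ordinary HTTPS to Dropbox on port 443, the most useful network signal is timing: an implant polls its cloud-storage directory on a schedule, while a person using Dropbox does not. The following Python script is an added example written for this post, not FireEye tooling. It groups web-proxy entries by source and destination, measures the gaps between requests, and flags tightly periodic traffic to a cloud-storage API host. The log lines are constructed; the Dropbox API host names and the thresholds are assumptions, since the post names neither.

```python
"""Beacon-interval detection over web-proxy logs for implants that use a
cloud-storage API as their CnC channel, as LOWBALL does with Dropbox over
HTTPS on port 443.

Added example written for this post, not FireEye code. Log lines are
constructed; the Dropbox API host names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Cloud-storage API hosts to baseline. Assumed names; the post does not
# list the endpoints LOWBALL contacted.
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

MIN_EVENTS = 6      # samples needed before a series is called periodic (assumed)
MAX_JITTER = 0.15   # stdev/mean of inter-request gaps; implants are tight (assumed)

# Constructed proxy log: "timestamp src dst port method bytes".
# 10.1.4.22 polls Dropbox every ~5 minutes; 10.1.4.57 is a person using
# Dropbox; 10.1.4.90 polls a non-cloud host every minute.
LOG_LINES = """\
2015-08-20T09:00:00 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:05:01 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:09:59 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:15:00 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:20:02 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:24:58 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:30:00 10.1.4.22 api.dropboxapi.com 443 GET 412
2015-08-20T09:02:10 10.1.4.57 api.dropboxapi.com 443 POST 2048
2015-08-20T09:03:40 10.1.4.57 api.dropboxapi.com 443 POST 131072
2015-08-20T09:47:05 10.1.4.57 api.dropboxapi.com 443 GET 900
2015-08-20T11:12:00 10.1.4.57 api.dropboxapi.com 443 POST 4096
2015-08-20T11:12:05 10.1.4.57 api.dropboxapi.com 443 POST 65536
2015-08-20T13:30:00 10.1.4.57 api.dropboxapi.com 443 GET 700
2015-08-20T13:31:20 10.1.4.57 api.dropboxapi.com 443 GET 700
2015-08-20T10:00:00 10.1.4.90 www.example.com 443 GET 300
2015-08-20T10:01:00 10.1.4.90 www.example.com 443 GET 300
2015-08-20T10:02:00 10.1.4.90 www.example.com 443 GET 300
2015-08-20T10:03:00 10.1.4.90 www.example.com 443 GET 300
2015-08-20T10:04:00 10.1.4.90 www.example.com 443 GET 300
2015-08-20T10:05:00 10.1.4.90 www.example.com 443 GET 300
"""

Event = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed 'timestamp src dst port method bytes' format."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _method, _size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beacons(events: List[Event], min_events: int = MIN_EVENTS,
                 max_jitter: float = MAX_JITTER) -> List[Dict]:
    """Per (src, dst) pair on 443, measure gaps between requests and flag
    tightly periodic series whose destination is a cloud-storage API host."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 443:
            by_pair[(src, dst)].append(ts)
    findings: List[Dict] = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        periodic = jitter <= max_jitter
        findings.append({
            "src": src, "dst": dst, "events": len(stamps),
            "mean_gap_s": round(avg, 1), "jitter": round(jitter, 3),
            "periodic": periodic,
            "flag": periodic and dst in CLOUD_API_HOSTS,
        })
    return findings


def flagged_pairs(text: str) -> List[Tuple[str, str]]:
    """(src, dst) pairs that look like cloud-API beacons."""
    return sorted((f["src"], f["dst"]) for f in find_beacons(parse_log(text)) if f["flag"])


if __name__ == "__main__":
    for f in find_beacons(parse_log(LOG_LINES)):
        print(f)
    print("flagged:", flagged_pairs(LOG_LINES))
```

Two caveats follow from the post itself. The operator can change the check-in interval through the small control files, so the statistic should be computed over sliding windows rather than a whole day; and a periodic series alone is not a verdict, so the finding is best joined with an inventory of which hosts are expected to run a Dropbox client at all.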
The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):

- upload.bat, a batch script that the compromised machine will execute
- upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account
- silent.txt and period.txt, small files of 0-4 bytes that dictate the frequency to check in with the CnC

The threat actor will then download the results and then delete the files from the cloud storage account.

LOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.

*A version of this article appeared first on the FireEye Intelligence Center. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center.*

[1] FireEye currently tracks this activity as an "uncategorized" group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.

[2] FireEye.
Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

[3] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.

[4] Moran, Ned and Alex Lanstein. FireEye. "Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370." 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

[5] Moran, Ned and Thoufique Haq. FireEye. "Know Your Enemy: Tracking a Rapidly Evolving APT Actor." 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence.

[6] BBC News. "Hong Kong student leaders charged over Umbrella Movement." 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695

[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. "University of Hong Kong's council votes 12-8 to reject Johannes Chan's appointment as pro-vice-chancellor." 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong

[8] Wong, Alan. "Pro-Democracy Media Company's Websites Attacked." New York Times. 18 June 2014.
http://sinosphere.blogs.nytimes.com/2014/06/18/pro-

[9] http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/

This entry was posted on Tue Dec 01 08:00:00 EST 2015 and filed under Blog, Command And Control, FireEye Threat Intelligence, Latest Blog Posts, Malware, News, Threat Intelligence and Threat Research.