**December 20, 2015 | by Ryann Winters, FireEye Threat Intelligence | Threat Research, Targeted Attack** **On Wednesday, Dec. 16,** **[2015, FireEye published The EPS Awakens](https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html)** **, detailing an exploit targeting a** **previously unknown Microsoft Encapsulated Postscript (EPS) dict copy use-after-free vulnerability that was** **silently patched by Microsoft on November 10, 2015. The blog described the technical details of the** **vulnerability, and the steps needed to bypass the EPS filter and obtain full read and write access to the** **system memory.** **In this follow-up blog, we discuss the operational details of the spear phishing campaigns associated with the** **exploit. Specifically, we detail the lures, attachments, targeting and malware, and examine the China-based** **advanced persistent threat (APT) group responsible for one of the observed attacks.** **Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups** **launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech,** **government services, media and financial services industries. Each campaign delivered a malicious Microsoft** **Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local** **Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities** **led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as** **ELMER.** **On November 26, 2015, a suspected China-based APT group sent Japanese defense policy-themed spear** **phishing emails to multiple Japanese financial and high-tech companies. As shown in Figure 1, the emails** **originated from the Yahoo! email address mts03282000@yahoo.co[.]jp, and contained the subject “新年[号巻]** **頭⾔[の送付]” (Google Translation: Sending of New Year No. Foreword).** **Figure 1. November 26, 2015 Phish SMTP header** **Each phishing message contained the same malicious Microsoft Word attachment. The malicious attachment** **resembled an article hosted on a legitimate Japanese defense-related website, as both discussed national** **defense topics and carried the same byline. The lure documents also used the Japanese calendar, as** **indicated by the 27th year in the Heisei period. This demonstrates that the threat actors understand** **conventional Japanese date notation.** **Following the exploitation of the EPS and CVE-2015-1701 vulnerabilities, the exploit payload drops either a** ----- **(CnC) server and uniform resource locator (URL) path.** **The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded** **and decoded payloads are written to files named igfxHK[%rand%].dat and** **igfxHK[%rand%].exe** **respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp.** **Table 1. IRONHALO artifacts** **IRONHALO persists by copying itself to the current user’s Startup folder. This variant sends an HTTP request** **to a legitimate Japanese website using a malformed User-Agent string, as shown in Figure 2. The threat** **actors likely compromised the legitimate site and attempted to use it as a staging server for second-stage** **payloads.** **Figure 2. IRONHALO HTTP GET request** **On December 1, 2015, threat actors launched two additional spear phishing attacks exploiting the** **undisclosed EPS vulnerability and CVE-2015-1701. Unlike the Nov. 26 campaign, these attacks targeted** **Taiwanese governmental and media and entertainment organizations. Moreover, the exploit dropped a** **different malware payload, a backdoor we refer to as ELMER.** **The first spear phishing message was sent to a Taiwanese governmental employee on Dec. 1. The** **attachment was created using the traditional Chinese character set, and contained a flowchart that appeared** **to be taken from the legitimate Taiwanese government auction website** **hxxp://shwoo.gov[.]taipei/buyer_flowchart.asp. The image, shown in Figure 3, is a flowchart detailing how** **to place a trade on the Taipei Nature and Cherish Network website.** ----- **Figure 3: Lure Image** **The second December spear phishing attack targeted Taiwan-based news media organizations The emails** ----- **threat actors may have tried to make the message appear to be a legitimate communication from the** **Democratic Progressive Party (DPP), Taiwan’s opposition party.** **Figure 4. December 1 Lure 2 SMTP Header** **Unlike the previous exploit documents, this malicious attachment did not contain any visible text when opened** **in Microsoft Word.** **The exploit documents delivered during the December campaigns dropped a binary containing an embedded** **variant of a backdoor we refer to as ELMER. ELMER is a non-persistent proxy-aware HTTP backdoor written** **in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory** **listings.** **To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the** **HTTP response packets received from the CnC server for an integer string corresponding to the command** **that needs to be executed. Table 2 lists the ELMER backdoors observed during the December campaigns.** **Table 2. ELMER variants** **The ELMER variant 6c33223db475f072119fe51a2437a542 beaconed to the CnC IP address 121.127.249.74** **over port 443. However the ELMER sample 0b176111ef7ec98e651ffbabf9b35a18 beaconed to the CnC** **domain news.rinpocheinfo[.]com over port 443. Both samples used the hard-coded User-Agent string** **“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)”, as shown in Figure 5.** **Figure 5 ELMER beacon** ----- **While attribution of the first two spear phishing attacks is still uncertain, we attribute the second December** **phishing campaign to the China-based APT group that we refer to as APT16. This is based on the use of the** **known APT16 domain rinpocheinfo[.]com, as well as overlaps in previously observed targeting and tactics,** **techniques and procedures (TTPs).** **Taiwanese citizens will go to the polls on January 16, 2016, to choose a new President and legislators.** **According to recent opinion polls, the Democratic Progressive Party (DPP) candidate Tsai Ing-wen is leading** **her opponents and is widely expected to win the election. The DPP is part of the pan-green coalition that** **favors Taiwanese independence over reunification with the mainland, and the party’s victory would represent** **a shift away from the ruling Kuomintang’s closer ties with the PRC. Since 1949, Beijing has claimed Taiwan as** **a part of China and strongly opposes any action toward independence. The Chinese government is therefore** **concerned whether a DPP victory might weaken the commercial and tourism ties between China and Taiwan,** **or even drive Taiwan closer to independence. In 2005, the Chinese government passed an “anti-secession”** **law that signified its intention to use “non-peaceful” means to stymie any Taiwanese attempt to secede from** **China.** **APT16 actors sent spear phishing emails to two Taiwanese media organization addresses and three webmail** **addresses. The message subject read “DPP’s Contact Information Update”, apparently targeting those** **interested in contact information for DPP members or politicians. The Chinese government would benefit from** **improved insight into local media coverage of Taiwanese politics, both to better anticipate the election** **outcome and to gather additional intelligence on politicians, activists, and others who interact with journalists.** **[This tactic is not without precedent; in 2013, the New York Times revealed it had been the target of China-](http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html)** **[based actors shortly after it reported on the alleged mass accumulation of wealth by then-Prime Minister Wen](http://www.nytimes.com/2012/10/26/business/global/family-of-wen-jiabao-holds-a-hidden-fortune-in-china.html)** **Jiabao and his family. The actors likely sought information on the newspaper’s sources in China, who could be** **silenced by the government.** **Compromising these Taiwanese news organizations would also allow the actors to gain access to informants** **or other protected sources, who might then be targeted for further intelligence collection or even retribution.** **The webmail addresses, while unknown, were possibly the personal-use addresses of the individuals whose** **corporate domain emails were targeted. As corporate networks become more secure and users become more** **vigilant, personal accounts can still offer a means to bypass security systems. This tactic exploits users’** **reduced vigilance when reading their own personal email, even when using corporate IT equipment to do so.** **On the same date that APT16 targeted Taiwanese media, suspected Chinese APT actors also targeted a** **Taiwanese government agency, sending a lure document that contained instructions for registration and** **subsequent listing of goods on a local Taiwanese auction website. It is possible, although not confirmed, that** **APT16 was also responsible for targeting this government agency, given both the timeframe and the use of** **the same n-day to eventually deploy the ELMER backdoor.** **One of the media organizations involved in this latest activity was targeted in June 2015, while its Hong Kong** **branch was similarly targeted in August 2015. APT16 actors were likely also responsible for the June 2015** **activity. They sent spear phishing messages with the subject “2015 Taiwan Security and Cultural Forum** **Invitation Form” (2015台灣[安全⽂化論壇邀請函]), and used a different tool – a tool that we refer to as** **DOORJAMB – in their attempt to compromise the organization. A different group, known as admin@338,** **[used LOWBALL malware during its Hong Kong activity. Despite the differing sponsorship, penetration of Hong](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html)** **Kong and Taiwan based media organizations continues to be a priority for China based threat groups** ----- **different groups based on their targets geographic location. In other words, while media organizations are** **important targets, it is possible that two separate groups are responsible for Hong Kong and Taiwan,** **respectively. The suspected APT16 targeting of the Taiwanese government agency – in addition to the** **Taiwanese media organizations – further supports this possibility.** **Table 3 contains a summary of the phishing activity detailed in this blog.** **Table 3. Activity summary** **These clusters of activity raise interesting questions about the use of an identical silently-patched vulnerability,** **possibly by multiple threat groups. Both Japan and Taiwan are important intelligence collection targets for** **China, particularly because of recent changes to Japan’s pacifist constitution and the upcoming Taiwanese** **election. Based on our visibility and available data, we only attribute one campaign to the Chinese APT group** **APT16. Nonetheless, the evidence suggests the involvement of China-based groups.** **This entry was posted on Sun Dec 20 19:45:00 EST 2015 and filed under Blog, Cyber Threats, FireEye** **Threat Intelligence, Latest Blog Posts, Ryann Winters, Spear Phishing, Targeted Attack and Threat** **Research.** ----- ## Last Name **Cyber Security Fundamentals** **Careers** **Events** **Webinars** **Support** **Partners** ## First Name ----- **Blog** **[Investor Relations](http://investors.fireeye.com/)** **Incident?** **Contact Us** **[Communication Preferences](https://www2.fireeye.com/manage-your-preferences.html)** **Report Security Issue** **Supplier Documents** # � � � � � � **[Facebook](https://www.facebook.com/FireEye)** **[LinkedIn](https://www.linkedin.com/company/fireeye)** **[Twitter](https://twitter.com/fireeye)** **[Google+](https://plus.google.com/+Fireeye/videos)** **[YouTube](https://www.youtube.com/user/FireEyeInc)** **[Glassdoor](http://www.glassdoor.com/Overview/Working-at-FireEye-EI_IE235161.11,18.htm)** **Copyright © 2015 FireEye, Inc. All rights reserved.** **Privacy & Cookies Policy | Safe Harbor** -----