# The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity **[THE ADVERSARY LINE-UP](http://blog.crowdstrike.com/category/the-adversary-line-up/)** **25 FEB 2014** **[MATT DAHL](http://blog.crowdstrike.com/author/mattdahl/)** **Two weeks ago, news broke about strategic web compromise (SWC) activity on the website for** **the U.S. organization, Veterans of Foreign Wars (VFW). This activity leveraged exploit code for a** **zero-day vulnerability now identified as CVE-2014-0322 and ultimately infected victims with�** **ZxShell malware. CrowdStrike Intelligence attributed this attack to the AURORA PANDA** **adversary; however, the discovery of additional indicators revealed that another adversary was** **leveraging the same vulnerability to carry out targeted attacks nearly a month before the VFW** **attack occurred. This other activity appears to be focused on French aerospace and shares** **similarities with a 2012 SWC campaign affecting the website of U.S.-based turbine manufacturer,** **Capstone Turbine.** ----- **iframe located at savmpet[.]com. The iframe redirected visitors to gifas[.]assso[.]net, which was** **hosting exploit code in two files (include.html and Tope.swf) as well as a malicious payload�** **(Erido.jpg).** **Above are screenshots of the savmpet[.]com webpage and part of the page source showing the** **date that it was last modified and the iframe redirect. The content of the page was taken from the�** **website of the French aerospace industries association, Groupement des industries françaises** **aéronautiques et spatiales (GIFAS). The 17 January 2014 date on both the webpage and the** **page source shows that it was created nearly a month before the VFW attack occurred** **Victim exploitation occurred in the same manner as in the VFW activity, but the payload was** **different. Instead of ZxShell malware connecting to AURORA PANDA-related infrastructure, it was** **a malware variant known as Sakula connecting to command-and-control (C2) infrastructure at** **oa[.]ameteksen[.]com.** **French Aerospace Focus** **This attack’s most obvious connection to French aerospace is the content taken from the GIFAS** **website and the GIFAS-based domain used to host the exploit code and payload** **(gifas[.]assso[.]net). However, a more in-depth look reveals additional connections.** ----- **gifas[.]assso[.]net. Several other domains were also pointed at this IP during the same time** **frame, including two that contained the same content and malicious iframe as savmpet[.]com,** **secure[.]safran-group[.]com, and icbcqsz[.]com.** **Of particular interest was secure[.]safran-group[.]com. Safran is a France-based aerospace and** **defense company with a focus on the design and production of aircraft engines and equipment.** **The company owns the safran-group[.]com domain, and the fact that one of its subdomains was** **pointed at a malicious IP address suggests that the adversary compromised Safran’s DNS.** **The Sakula malware used in this attack contained an unusual and interesting component that** **further indicates a focus on French aerospace. As part of the infection process, it added a** **number of domains to the “host’s” file of victim machines.�** **The snecma[.]fr domain belongs to the Safran subsidiary, Snecma, that designs and builds** **engines for civilian and military aircraft, and spacecraft. The domains listed appear to provide** **remote access to the company’s employees and possibly third-party contractors.** **The purpose of this component is unclear. It does not map these domains to malicious IP** **addresses because the 217.108.170.0/24 range belongs to the company, which means it is not** **meant to send victims directly to adversary infrastructure for credential collection. One possibility** **is that it was meant to make the malware appear more legitimate. It has also been** **hypothesized that this was done to ensure DNS connectivity to these particular domains;** **however, it seems unlikely that victims would suffer significant DNS connectivity issues, which�** **means that adding this component to the malware for that purpose would be somewhat** **superfluous.�** **It should be noted that no victim logs related to this attack were discovered, so it is unclear who** **the actual targets and victims were. Having the secure[.]safran-group[.]com domain pointed at a** **malicious IP indicates that Safran suffered a DNS compromise, but no deeper network** **compromise was observed. It is possible that the adversary desired to target the French** ----- **In January 2013, it was reported that the website for U.S.-based turbine manufacturer, Capstone** **Turbine, had been compromised and was being used in a SWC attack leveraging an exploit for** **the CVE-2012-4792. There are three primary similarities between the Capstone Turbine attack** **and the recent French aerospace activity.** **The first, and most significant, connection is the use of Sakula malware. In both campaigns,�** **Sakula variants were installed on successfully exploited machines. In Capstone Turbine, the** **Sakula sample used (MD5 hash: 61fe6f4cb2c54511f0804b1417ab3bd2) connected to** **web[.]vipreclod[.]com, and in the recent attack, the sample (MD5 hash:** **c869c75ed1998294af3c676bdbd56851) connected to oa[.]ameteksen[.]com. Use of this malware** **doesn’t appear to be widespread, but it is not yet clear whether only one group uses it, and** **therefore its use alone does not necessarily indicate a particular adversary.** **Another similarity is that GIFAS-based malicious domains are related to each incident. In the** **more recent attack, the gifas[.]assso[.]net domain was used to host exploit code and the** **malicious payload. The Capstone Turbine incident did not directly use a GIFAS-based domain,** **but a deeper look at network indicators related to those observed in the Capstone incident reveals** **two such domains: gifas[.]cechire[.]com and gifas[.]blogsite[.]org.** **The third similarity between the two is the use of zero-days. The exploit used in Capstone** **Turbine was a zero-day during the time it was active, just like the exploit used in the recent** **French aerospace activity. This is a general similarity that does not create a definitive link�** **between the two attacks, but when viewed in conjunction with the use of the same malware and** **GIFAS-based domains, it strengthens the connection.** ----- ## ← Mo’ Shells Mo’ Problems – File List Details about Apple SSL vulnerability and Stacking iOS 7.0.6 patch → ## Recent Posts The Imperative for Proactive Incident Response in 2015 and Beyond **November 3, 2015** ## Why Your Business Environment Should Drive Cybersecurity **November 2, 2015** ## Blurring of Commodity and Targeted Attack Malware **October 16, 2015** ## Should I Really Trust the Cloud with my Endpoint Protection? ## Follow Us **Tweets about "from:crowdstrike OR from:Adam_Cyber OR from:JMDeC OR from:DmitriCyber OR** **from:StevenChabinsky OR from:George_Kurtz"** ----- |M|T|W|T|F|S|S| |---|---|---|---|---|---|---| |||||||1| |2|3|4|5|6|7|8| |9|10|11|12|13|14|15| |16|17|18|19|20|21|22| |23|24|25|26|27|28|29| |30||||||| ## Archives ### N O V E M B E R 2 0 1 5 **M** **T** **W** **T** **F** **S** **S** **1** **[2](http://blog.crowdstrike.com/2015/11/02/)** **[3](http://blog.crowdstrike.com/2015/11/03/)** **4** **5** **6** **7** **8** **9** **10** **11** **12** **[13](http://blog.crowdstrike.com/2015/11/13/)** **14** **15** **16** **17** **[18](http://blog.crowdstrike.com/2015/11/18/)** **19** **20** **21** **22** **23** **24** **25** **26** **27** **28** **29** **30** **[« Oct](http://blog.crowdstrike.com/2015/10/)** ## Recent Comments -----