**Projects** **GLA2010** **In the News** **About** **Publications** **Newsletter** **People** **Archives** **Events** **Opportunities** **Contact** ## Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns **_April 18, 2016_** **[Tagged: Burma, Hong Kong, Malware, Targeted Threats](https://citizenlab.org/tag/burma/)** **[Categories: Jakub Dalek, Masashi Crete-Nishihata, Matthew Brooks, Reports and Briefings�, Research News](https://citizenlab.org/category/author/jakub-dalek/)** **By Matthew Brooks, Jakub Dalek, and Masashi Crete-Nishihata** # Summary **In this research note, we analyze an espionage campaign targeting Hong Kong democracy activists. Two new malware families are** **used in this campaign that we name UP007 and SLServer.** **The UP007 malware family was previously observed by Arbor Security Emergency Response Team (ASERT) in the report** **[“Uncovering the Seven Pointed Dagger,” which analyzes a set of samples that were hosted on the national level electoral](http://www.arbornetworks.com/blog/asert/uncovering-the-seven-pointed-dagger/)** **commission of Myanmar (Burma): the Myanmar Union Election Commission. One of the samples analyzed was described as** **[“unknown malware”, which we call UP007 based on an identifier in the malware’s network traffic. In a �report released today, ASERT](https://www.arbornetworks.com/blog/asert/four-element-sword-engagement)** **describes a series of campaigns targeting Tibetan, Hong Kong, and Taiwanese interests, which also includes details on the same** **UP007 sample we analyze.** **[A recent PricewaterhouseCoopers (PwC) report includes analysis of the SLServer sample we analyze (PwC refers to the family as](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html)** **SunOrcal). We refer to the malware as SLServer due to a resource dialog in the file. These previous reports collected samples from�** **[VirusTotal. We received the original email lure and samples used in the campaign from a targeted source, and found that both](https://www.virustotal.com/)** **UP007 and SLServer were sent to targets in the same attack.** **This research note builds on previous reporting by more closely examining UP007 and SLServer, variations of these samples found** **“in the wild”, and the connections between these attacks and other campaigns. Previous reports have shown overlap in the tactics,** **techniques, and procedures used in this campaign in other operations targeting groups in Burma, Hong Kong, and the Tibetan** **community. We speculate that either a single threat actor is targeting these groups or some level of formal or informal resource** **sharing is occurring between the operators behind the campaigns.** # Espionage Campaign Targeting Hong Kong Activists **In the week prior to the January 2016 Taiwanese General Election, Hong Kong-based pro-democracy activists received a targeted** **email purporting to come from a Taiwanese non-profit organization with information about the upcoming election. The email included�** **[a Google Drive link to a RAR archive file: “�2016總統[選舉⺠情中⼼預測值].rar”, which translates to “Predictive Forecast from Centre](http://www.rarlab.com/)** **of Public Sentiment in 2016 Presidential Elections.rar”.** **_Figure 1: Targeting email sent to Hong Kong democracy activists_** ----- **districts conclude their voting (1041229); Centre of Public Sentiment’s predicted forecast in the 2016 presidential elections (104.12.28).** **The 2016 Election enters its crucial final 10 days. On the 6th, Ing-wen Tsai, the DPP (Democratic Progressive Party) candidate, called on�** **DPP supporters to consolidate their votes. She warned that the intense internal competition within the DPP had caused people to be** **worried about a splitting of the votes, potentially leading to the loss of the 15th and 16th seats.** **The election day is on the 16th. Besides the presidential election, there is also the legislative election which includes district seats and** **non-district seats. There are 34 non-district seats in total, of which the DPP won 13 during the last election. Given the higher degree of** **support this time, the DPP should be able to secure 16 seats. But as the New Power Party’s (NPP) influence and support grows, it might�** **threaten the DPP.** **In order to promote support for non-district legislators, the DPP Central Standing Committee organized a campaign event this afternoon.** **The chairwoman of the DPP, Ing-wen Tsai, said there are only ten days left before the election, and the three things she worried the most** **about were: 1) ballot bribery, which may cause DPP’s loss in certain swing areas; 2) whether young people would return home to vote on** **Jan 16th; 3) vote splitting that may lead good candidates to lose in non-district legislative elections.** **Predictive Forecast from Centre of Public Sentiment in the 2016 Presidential Elections.rar** # Delivery Mechanism **We have observed the use of Google Drive links as a delivery vector in recent campaigns targeting Tibetan organizations. In these** **[campaigns, Google Drive links were used to send malware and phishing pages. We have also seen the tactic used in recent](https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/)** **[espionage campaigns targeting an NGO working on environmental issues in Southeast Asia. The prior use of Google Drive as a](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/)** **delivery vector against Tibetan groups is significant, as Tibetan groups are �promoting Google Drive as an alternative to sending file�** **attachments to prevent infection from document-based malware.** ## Examining the RAR Archive **Within the linked RAR archive, the top three directories contain a mix of malicious and benign documents, as well as shortcuts that** **run two executables that are deeply nested within hidden directories in the archive. The file structure of this archive is shown in�** **Figure 2.** **_Figure 2: File structure of delivered RAR archive._** **The top level directory of this archive contains a benign Word document named 聲明.doc, which translates to “Statement.doc”. The** **text of this document is written in Chinese and is related to the Taiwanese election.** **Document Text:** **73個⽴[委選區選情研判](1041229),** **2016總統[選舉⺠情中⼼預測值](104.12.28).** **⽂件[內容僅代表個⼈⽴場,僅供參閱。解壓選舉⺠情中⼼預測值到桌⾯即可查閱全部數據].** **English Translation:** **Election polling of 73 legislative electoral districts(12/29/104).** **Predicted forecast from Centre of Public Sentiment in the 2016 presidential elections (12/28/104).** **All the documents represent personal views and are for reference only. Unzip Election Polling Centre’s forecast to the desktop to view all** **data.** **The first two directories contain separate Windows shortcuts, each of which runs an executable that is nested down in seven hidden�** **subdirectories. Table 1 shows details of the two executables contained in this nested directory along with their detection rate by** **antivirus vendors according to VirusTotal.** ----- |fzyy.exe|d579d7a42ff140952da57264614c37bc|Date / Time: 01-11- 2016 Detection Rate: 8/55| |---|---|---| |wzget.exe|d8becbd6f188e3fb2c4d23a2d36d137b|Date / Time: 03-21- 2016 Detection Rate: 30/57| **_Table 1: Sample overview_** **These samples, when executed, create two separate infection chains. The lack of emphasis on tricking targets into running a single** **malicious file is interesting. We are unsure as to why the operators chose to deploy two separate infection chains within the same�** **delivery mechanism. It is also unclear why the benign document was included at the top directory, as this would require more user** **interaction for a compromise to be successful. It is possible that this mixture of benign and malicious files is intended to lull the�** **targets into a false sense of security.** **Within the archive there are two Microsoft Word files: �2016總統[選舉⺠情中⼼預測值].doc (translation: “Predictive forecast from** **Centre of Public Sentiment in 2016 Presidential Elections”) and 73個⽴[委選區選情研判].doc (translation: “Election polling of 73** **legislative electoral districts”). Despite having different filenames, they are the same file (MD5 hash:�** **[09ddd70517cb48a46d9f93644b29c72f). This infected document was analyzed in the recent PwC report and the malware family](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html)** **was named SunOrcal by the researchers. In this report we take a closer look at the two nested executables: fzyy.exe and** **wzget.exe and the two separate infection chains they produce.** # UP007 Malware Family **The fzyy.exe executable is a dropper responsible for creating multiple files and starting this particular infection chain. When the�** **file is run it creates the following files in the directory: �%APPDATA%\Microsoft\Internet Explorer\** **Filename** **MD5** **Purpose** **conhost.exe** **f70b295c6a5121b918682310ce0c2165** **Loads SBieDll.dll** **SBieDll.dll** **f80edbb0fcfe7cec17592f61a06e4df2** **Loads maindll.dll** **maindll.dll** **d8ede9e6c3a1a30398b0b98130ee3b38** **Loads dll2.xor** **dll2.xor** **ce8ec932be16b69ffa06626b3b423395** **Payload** **runas.exe** **6a541de84074a2c4ff99eb43252d9030** **Establishes persistence; Not utilized in this loading** **chain** **nvsvc.exe** **e0eb981ad6be0bd16246d5d442028687** **Unknown – possibly older component** **_Table 2: Executable infection chain for fzyy.exe_** **These files are all initially stored as resources within �fzyy.exe. Some of the files are stored in encoded form while �maindll.dll** **is stored as a packed executable. When writing the files to disk, the dropper will decode and write the files stored in encoded form.�** **In addition the infection chain will check multiple registry keys before writing maindll.dll.** **[The keys largely seem to check for the presence of popular Chinese antivirus products: 360 Security, Kingsoft Antivirus, Rising AV,](https://www.360totalsecurity.com/en/)** **[Jiangmin, and Micropoint as well as a popular free antivirus product Avira. Interestingly, in this instance, even if the registry keys are](http://jiangmin-antivirus.en.softonic.com/)** **present, maindll.dll will still be written and the infection chain will still continue. The registry keys that are checked by the infection** **chain are summarized in Table 3.** **Key** **Subkey** **HKLM\SOFTWARE\360Safe\Liveup** **curl** **HKCU\Software\360safe** **DefaultSkin** |Filename|MD5|Purpose| |---|---|---| |conhost.exe|f70b295c6a5121b918682310ce0c2165|Loads SBieDll.dll| |SBieDll.dll|f80edbb0fcfe7cec17592f61a06e4df2|Loads maindll.dll| |maindll.dll|d8ede9e6c3a1a30398b0b98130ee3b38|Loads dll2.xor| |dll2.xor|ce8ec932be16b69ffa06626b3b423395|Payload| |runas.exe|6a541de84074a2c4ff99eb43252d9030|Establishes persistence; Not utilized in this loading chain| |nvsvc.exe|e0eb981ad6be0bd16246d5d442028687|Unknown – possibly older component| |Key|Subkey| |---|---| |HKLM\SOFTWARE\360Safe\Liveup|curl| ----- |HKLM\SOFTWARE\Avira\Avira Destop|Path| |---|---| |HKLM\SOFTWARE\rising\RAV|installpath| |HKLM\SOFTWARE\JiangMin|InstallPath| |HKLM\SOFTWARE\Micropoint\Anti-Attack|MP100000| **_Table 3: Registry keys that fzyy.exe checks for before writing maindll.dll_** **Once all the files are created, �conhost.exe starts, loads SBieDll.dll, then ultimately loads maindll.dll and the final�** **payload, which we have named UP007 (dll2.xor) due to an identifier in the network traffic. The primary function of UP007�** **appears to be to log keystrokes to the %USERPROFILE%\Local Settings\Temp\keylog\ directory and send them to a remote** **server.** **[UP007 uses Windows Sockets to communicate with its command and control server (C2). While doing so, it sends a hardcoded](https://msdn.microsoft.com/en-us/library/windows/desktop/ms738545%28v=vs.85%29.aspx)** **HTTP header disguised as Microsoft Update traffic. This is likely an attempt to escape notice by casual inspection of network traffic.�** **On connection, UP007 downloads another payload directly from the C2 server. This secondary payload we have named** **“DownLoad” given the way it identifies itself in the traffic with the C2 server. This secondary payload is injected into memory. The�** **initial network traffic observed from the UP007 sample is seen in Figure 3.�** **_Figure 3: Network capture of the initial communication by UP007._** **Once the entire payload is received from the C2 server, UP007 sends basic system information such as operating system version,** **IP address, and username and the C2 responds with a “READY” announcement (see Figure 4).** **_Figure 4: Network capture of the infected system sending system information to the C2._** **The secondary payload (DownLoad) initiates its own separate TCP connection with the C2 server. A sample of the network traffic of�** **this secondary payload is seen in Figure 5.** ----- **_Figure 5: Network capture of DownLoad connection to the C2._** **Unfortunately, even though the connection with the C2 was established, we did not observe any further activity from this payload.** **However, DownLoad’s strings show references to the following:** **this is cmd** **this is Desktop** **It is possible these are in reference to additional components or capabilities of the malware. Further analysis is required to** **determine the function of these components.** ## UP007 Command and Control Infrastructure **The command and control server for the UP007 sample is hosted on Hong Kong provider New World Telecom at the IP address** **[59.188.12[.]123. Passive DNS data from PassiveTotal indicates that the domain name yeaton.xicp[.]net pointed to this IP](https://www.passivetotal.org)** **[from January 8 2016 to March 19 2016. In their recent report ASERT notes that the domain: yeaton.xicp[.]net was used to](https://www.arbornetworks.com/blog/asert/four-element-sword-engagement)** **[advertise a Chinese VPN service in 2012. However, as ASERT explains given the long period between the use of the domain for](https://www.arbornetworks.com/blog/asert/four-element-sword-engagement)** **advertising and the recent threat activity the past uses of the domain may not be related to the threat actors.** ## UP007 Samples and Variations **[In November 2013, an exploit document (MD5: 983333e2c878a62d95747c36748198f0) was uploaded to various malware sites with](https://virustotal.com/en/file/ef97f13f49266a170f4d334482376bb31335fc323ed80917b9943207ff75f750/analysis/)** **[the filename �中国[国家安全委员会机构设置和⼈员名单提前曝光].docx (which translates to “Chinese National Security Council’s](https://virustotal.com/en/file/ef97f13f49266a170f4d334482376bb31335fc323ed80917b9943207ff75f750/analysis/)** **Institutional Structure and Member list”) and 131106 minutes.docx. Instead of receiving the Stage 2 binary in the C2 protocol as** **in the recent UP007 sample, the November 2013 sample directly requested ok.exe via an HTTP GET request to** **103.19.85[.]89. The ok.exe sample communicated with tenday.mysecondarydns[.]com which resolved to** **103.19.85[.]89. It was signed with a certificate with serial number �04 DE 6E CB 4B A2 A5 54 2B 5E 0C 71 EE FD 2A** **AA.** **[One year later, in November 2014, another instance of the UP007 dropper (MD5: e2ac89b5c820fc598b92a635a7d8bc33) signed](https://virustotal.com/en/file/fffcd925236e3fa5dce4645b792487add293bbca7117a91cba7c5035ff1c3db0/analysis/)** **with a certificate using the serial number �3A 72 A8 34 FB EC E5 4F A5 E5 2F 67 BA 63 4D CA was uploaded to** **VirusTotal. According to VirusTotal, this file was observed being hosted at �http://103.19.85[.]89/chin.jpg. The final�** **payload was designed to communicate with the same host for command and control.** **[In August 2015, an instance of the UP007 dropper (MD5: 639c7239f40d95f677a99abb059e8338) signed with the same certificate�](https://virustotal.com/en/file/b748b61ff6c3ea0c64f2359c44e022c629378aab6d7377e64c6ad0dcc5f78746/analysis/)** **(Serial: 5D 11 78 4F B8 17 65 02 3F 89 A4 F4 24 3F E1 A9) as fzyy.exe was uploaded to VirusTotal spotted in the** **wild as http://hkemail.f3322[.]org/32.zip. This sample communicated with hk2[.]upupdate[.]cn which resolved to** **103.27.108[.]122 at the time of analysis.** **The samples detailed in Table 4 were identified by import hash and other structural similarities related to the UP007 dropper. They�** **were uploaded to VirusTotal by the same submitter on November 14, 2014 and February 27, 2015. They were signed with the same** **3A 72...4D CA and 5D 11...E1 A9 certificates, respectively.�** **MD5** **Import Hash** **C2** ----- **(113.204.17[.]59)** **[be378f3d66ecd38cda09508015de71f7](https://virustotal.com/en/file/e91449a3a99798e27c9cc21bce1b3ae4f3a7bd4b0b78e3a76c5af8fc726be378/analysis/)** **820438f3f1efede11425a9cc13ae2dbd** **172.16.10[.]124** **_Table 4: UP007 Variants_** **[The RAR archive detailed in Table 5 reportedly drops the same files responsible for loading the UP007 sample. It also �reportedly](http://a.virscan.org/19866e7566373028799abd6844ac16d1)** **communicates with 59.188.12[.]123. We have not been able to obtain this sample directly.** **MD5** **File Name** **C2** **[19866e7566373028799abd6844ac16d1](http://a.virscan.org/19866e7566373028799abd6844ac16d1)** **QiHua.rar** **219.133.40[.]1,** **59.188.12[.]123** **_Table 5: UP007 Variants_** # SLServer Malware Family **[The SLServer sample we received was also recently analyzed and reported by PwC. It was presented in an overview of threat](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html)** **actors making use of the recent Taiwanese presidential election in email lures to entice targets to open malicious documents. As** **noted by PwC, this file is a self-extracting archive ultimately responsible for downloading a binary from a website that was likely�** **compromised. Like PwC, we were unable to obtain the final �Keyainst.exe binary due to the behaviour of the C2 during the time of** **analysis.** **Based on common behavioural characteristics and shared C2 it appears the downloaded file analyzed by PwC was �MD5:** **e5e7dcbda781dd0bf5f5da3cccdb094d. This sample was referred to as SunOrcal by PwC. This name was based on a folder** **misspelling. We refer to the malware family as SLServer due to a resource dialog in the file (see Figure 6).�** **_Figure 6: SLServer dialog resource._** **[Another recently observed instance of this malware found on VirusTotal (MD5: cfcd2a90e87156e1a811f9c7b0051002) was](https://virustotal.com/en/file/83f967523fb0904cb14ced4e84d1f299c51ff7f33a2a68348dac47e06f3fa2d2/analysis/)** **designed to communicate with the same C2 server and contains the following debug path:** |be378f3d66ecd38cda09508015de71f7|820438f3f1efede11425a9cc13ae2dbd|172.16.10[.]124| |---|---|---| |MD5|File Name|C2| |---|---|---| |19866e7566373028799abd6844ac16d1|QiHua.rar|219.133.40[.]1, 59.188.12[.]123| **e:\Working\SVNProject\SLServer\SLServer2.0\release\SLServer.pdb** **Interestingly, according to VirusTotal, the previously mentioned UP007 dropper fzyy.exe was also observed hosted as wthk.txt** **at the same URL as this downloaded SLServer sample. The precise timeframes during which these samples were hosted and** **changed remains unknown. Table 6 shows the timestamps of their initial upload to VirusTotal.** **File Name** **Malware Family** **MD5** **First Submission Time** **wzget.exe** **SLServer** **[e5e7dcbda781dd0bf5f5da3cccdb094d](https://virustotal.com/en/file/4018b934ee0ccdd0e469e56acadc66e2d5c11260f35340a6560c2db91f4e3612/analysis/)** **2016-01-07 19:03:25 UTC** **fzyy.exe** **UP007** **[d579d7a42ff140952da57264614c37bc](https://virustotal.com/en/file/5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d/analysis/)** **2016-01-08 05:21:18 UTC** **_Table 6: Times for Sample Upload to VirusTotal_** ## SLServer – Possible Second Stage |File Name|Malware Family|MD5|First Submission Time| |---|---|---|---| |wzget.exe|SLServer|e5e7dcbda781dd0bf5f5da3cccdb094d|2016-01-07 19:03:25 UTC| |fzyy.exe|UP007|d579d7a42ff140952da57264614c37bc|2016-01-08 05:21:18 UTC| ----- **[On VirusTotal we discovered a file named �javaupdata.dll (MD5: <7332245f67b6b8a256ab22a6496b4536), which exports a](https://virustotal.com/en/file/5b598a760115ecc3bc972e808fc8550682e527f2d1352acef5fc6baada31916a/analysis/)** **function by the same name. Strings in the SLServer sample also reference a file by this name. When executed, this �DLL contacts** **210.61.12[.]153 using SSL. This host is the same one pointed to by the SLServer’s C2 domain, safetyssl.security-** **centers[.]com. Interestingly, while the 210.61.12[.]153 host did not respond to the SLServer connections during analysis** **time, the host did accept the SSL connections from javaupdata.dll. Further analysis of this file is ongoing.�** ## SLServer Command and Control Infrastructure **The SLServer C2 server: safetyssl.security-centers[.]com resolved to the IP address: 210.61.12[.]153 at the time of** **[analysis. This IP is hosted in Taiwan on the hosting provider Chunghwa Telecom, specifically their Data Communication Business�](http://www.cht.com.tw/en/aboutus/aboutcht.html)** **Group offering. It appears to host the site of a Taiwanese auto parts manufacturer, Yowjung Autoparts. This site may have been** **either compromised or copied from a legitimate source.** **The domain name security-centers.com** **[was registered on September 11 2015 by the e-mails: janmiller-](https://whois.domaintools.com/security-centers.com)** **domain@googlemail[.]com and an_ardyth@123mail[.]org. Using Passive DNS data we find the following subdomains�** **were used in the time period after domain registration:** **safetyssl.security-centers[.]com** **computer.security-centers[.]com** **security-centers[.]com** **www.security-centers[.]com** **[The domain computer.security-centers[.]com was a C2 server previously reported by ASERT related to a sample of the](https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf)** **Trochilus RAT analyzed in the report. ASERT retrieved that sample from the compromised Myanmar Union Election Commission** **website. The other subdomains (www and the the top level security-centers[.]com) are likely the default IP addresses for** **GoDaddy registered domains. The hosting information for this infrastructure is presented in the Figure 7.** **_Figure 7: Hosting infrastructure over time for *.security-centers[.]com_** ----- **We discovered three additional SLServer samples using VirusTotal. We list the hash, submission time, as well as C2 domains** **associated with the sample in Table 7.** **MD5** **First Submission** **C2** **[d07b2738840ce3419df651d3a0a3a246](https://virustotal.com/en/file/bd7b3e29049e992b921b79a4c633a5de5269c76f544b38b5d9614b8c3db9e61a/analysis/)** **2016-02-25 01:14:15** **www.olinaodi[.]com** **(74.126.181[.]10)** **[397021af7c0284c28db65297a6711235](https://www.virustotal.com/en/file/aacb670cb56ae40bd9da94dcf77547e8ef66c02d2590c97c22f8ff2ef79b8e8c/analysis/)** **2016-02-22 18:30:19** **safetyssl.security-centers[.]com** **(210.61.12[.]153)** **[dc195d814ec16fe91690b7e949e696f6](https://www.virustotal.com/en/file/a16dc9ec40bba2ba1c3d3cfdff46cde5c76ebf643ead7675908ec0ea967d8981/analysis/)** **2016-02-17 11:32:02** **www.olinaodi[.]com** **(74.126.181[.]10)** **[cfcd2a90e87156e1a811f9c7b0051002](https://www.virustotal.com/en/file/83f967523fb0904cb14ced4e84d1f299c51ff7f33a2a68348dac47e06f3fa2d2/analysis/)** **2015-11-09 05:20:33** **safetyssl.security-centers[.]com** **(211.255.32[.]130)** **_Table 7: SLServer Variants Overview_** # Recent Campaign Connections **[In January 2016, Arbor Networks released a report titled “Uncovering the Seven Pointed Dagger” in which they discuss a series of](http://www.arbornetworks.com/blog/asert/uncovering-the-seven-pointed-dagger/)** **six RAR files hosted on the Myanmar election commission website on 20 October 2015. The focus of the report was on the�** **discovery of the new Trochilus RAT. However, one of the RAR files was noted as unknown malware. This sample (�Security-** **Patch-Update.exe, MD5: 82896b68314d108141728a4112618304) is also UP007, signed with the 5D 11 78 4F B8 17 65** **02 3F 89 A4 F4 24 3F E1 A9 certificate and configured to communicate with �59.188.12[.]123 directly over port 8008,** **identical to fzyy.exe mentioned above. In this instance, if any of the previously discussed registry keys were present, the sample** **will execute the dropped runas.exe binary. Given this execution, nvsvc.exe is likely also an older component. As discussed** **above the UP007 sample we analyzed shares the same C2 (computer.security-centers[.]com) as the Trochilus RAT** **[sample reported by ASERT.](http://www.arbornetworks.com/blog/asert/uncovering-the-seven-pointed-dagger/)** **[In November 2015, Palo Alto Networks reported on a newly discovered trojan referred to as Bookworm. They revealed a campaign](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/)** **focused on the targeting of government entities in Thailand. The campaign used a malware family known as FFRAT, and the sample** **described in the report connected to the domain hkemail.f3322[.]org for command and control. In August 2015, the same** **domain was reportedly used to host an instance of UP007 as well.** **[Finally, the relationship between the SLServer C2 www.olinaodi[.]com and our previous research into the Surtr malware family was](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/)** **[highlighted by PwC through the overlap in the toucan6712@163[.]com registrant. We tracked malware campaigns using the](https://targetedthreats.net/)** **Surtr family that have targeted Tibetan organizations since 2013.** # Conclusion **This latest espionage campaign against Hong Kong activists appears to be connected to a broader set of targets, and operations.** **[The recent detailed reporting by ASERT makes it clear that the UP007 malware family has been found in previous campaigns](https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf)** **targeting Burmese interests. In addition, the campaigns share some C2 infrastructure with previous operations against targets in** **Thailand and the Tibetan community. The domain registration connections between SLServer infrastructure and Surtr infrastructure** **also suggests some level of potential coordination between campaigns targeting Hong Kong groups and the Tibetan community.** **Despite these connections, it is unclear if these campaigns are being conducted by the same threat actor.** **We cannot exclude the possibility that distinct operators have a degree of sharing of tools and infrastructure. Alternatively, security** **[researcher Ned Moran has articulated a concept of a “digital quartermaster,” to refer to an actor that supplies threat infrastructure](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-malware-supply-chain.pdf)** **and malware development resources to multiple groups. While these scenarios are plausible, we do not have enough data to** **properly assess these competing hypotheses, or to make conclusive statements about the identity of the threat actors.** **What is clear from our analysis is that civil society groups across Asia continue to be targeted by persistent and organized cyber** **espionage campaigns. Civil society often lack the resources and awareness to defend against these operations and closer attention** **to the threats they face is needed.** # Acknowledgements **[Special thanks to Valkyrie-X Security Research Group and ASERT. We are grateful to Jason Q. Ng and Kun Cleo Zhang for](https://sites.google.com/site/valkyriexsecurityresearch/)** |MD5|First Submission|C2| |---|---|---| |d07b2738840ce3419df651d3a0a3a246|2016-02-25 01:14:15|www.olinaodi[.]com (74.126.181[.]10)| |397021af7c0284c28db65297a6711235|2016-02-22 18:30:19|safetyssl.security-centers[.]com (210.61.12[.]153)| |dc195d814ec16fe91690b7e949e696f6|2016-02-17 11:32:02|www.olinaodi[.]com (74.126.181[.]10)| |cfcd2a90e87156e1a811f9c7b0051002|2015-11-09 05:20:33|safetyssl.security-centers[.]com (211.255.32[.]130)| ----- # Indicators of Compromise **[Yara signatures are available for the UP007 and SLServer malware families here](https://github.com/jakubd/malware-signatures/tree/master/yara-rules/between-hk-and-burma.yara)** ### MD5 Hashes **d579d7a42ff140952da57264614c37bc** **d8becbd6f188e3fb2c4d23a2d36d137b** **09ddd70517cb48a46d9f93644b29c72f** **f70b295c6a5121b918682310ce0c2165** **f80edbb0fcfe7cec17592f61a06e4df2** **d8ede9e6c3a1a30398b0b98130ee3b38** **ce8ec932be16b69ffa06626b3b423395** **6a541de84074a2c4ff99eb43252d9030** **e0eb981ad6be0bd16246d5d442028687** **639c7239f40d95f677a99abb059e8338** **d07b2738840ce3419df651d3a0a3a246** **397021af7c0284c28db65297a6711235** **dc195d814ec16fe91690b7e949e696f6** **cfcd2a90e87156e1a811f9c7b0051002** ### IP Addresses **59.188.12[.]123** **210.61.12[.]153** ### Domains **safetyssl.security-centers[.]com** **computer.security-centers[.]com** **hkemail.f3322[.]org** **www.olinaodi[.]com** **tenday.mysecondarydns[.]com** **© Citizenlab 2016 |** **|** **[Contact](https://citizenlab.org/contact)** **[RSS](https://citizenlab.org/feed/)** -----