[Home](https://www.fireeye.com/)  [FireEye Blogs](https://www.fireeye.com/blog.html)  [Threat Research](https://www.fireeye.com/blog/threat-research.html)  [March 2014 Threat Research Blog Posts](https://www.fireeye.com/blog/threat-research/2014/03.html)  A Detailed Examination of the Siesta Campaign # A Detailed Examination of the Siesta Campaign [March 12, 2014 | by Ned Moran, Mike Oppenheim](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-ned-moran) ## Executive Summary [FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and](http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/) dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the [campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is](http://intelreport.mandiant.com/) perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1. The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature. ## Overview On March 6, 2014 TrendMicro reported on the Siesta Campaign. Though not explicitly stated in this report, the tactics, techniques and procedures (TTPs) described in this report share a number of characteristics with historical activity we’ve attributed to APT1 (also known as the “Comment Crew”). ----- |MD5|61249bf64fa270931570b8a5eba06afa| |---|---| |Compile Time|2014-02-20 02:28:21| |.text|39e9e4eac77a09b915626f315b963a4f| |.rdata|a126c8c7c50bf034f2d3ba4aa5bcab28| |.data|bb95154b5aeb13a4ff937afa2e7e4560| |.rsrc|edf3a1e142fc212da11dc72698184ad5| |Import Hash|20ff5087740eabff5bdbdf99d9fb6853| This sample initiated a callback to www[.]microsofthomes[.]com/index.html. This same import hash was seen in the following samples: |MD5|Compile Time|Command-and-Control (CnC) server| |---|---|---| |68f73d81c814ab2f70eed02c0be3b67d|2014-02-20 02:26:24|www[.]microsofthomes[.]com| 2014-02-20 20b124baaaec1e8cbc3cd52e8e5ceebd www[.]microsofthomes[.]com 02:26:24 ----- The TTPs described above are consistent with APT1. This group previously relied on establishing a foothold in targeted networks with following methods: Spear-phishing emails with links to archives Callback traffic to a legitimate-looking webpage Analysis of Related Samples A related dropper listed in the TrendMicro report on the Siesta campaign is MD5 0f3031412d255336a102bbc1dcd43812. This sample had the following properties: **MD5** 0f3031412d255336a102bbc1dcd43812 **Compile Time** 2014-02-19 09:29:04 **.text** a2e11e9c8b07888345d6cdf7d995b832 **.rdata** 0203cc3bb607e9cfa296fa857b243468 **.data** 7d281bd27bc1279428bd1798671eb57b **.rsrc** caa869fa01ddfee26156166a10c42944 **Import Hash** 0fefba40443edd57f816502035077e3e The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign including: |MD5|0f3031412d255336a102bbc1dcd43812| |---|---| |Compile Time|2014-02-19 09:29:04| |.text|a2e11e9c8b07888345d6cdf7d995b832| |.rdata|0203cc3bb607e9cfa296fa857b243468| |.data|7d281bd27bc1279428bd1798671eb57b| |.rsrc|caa869fa01ddfee26156166a10c42944| |Import Hash|0fefba40443edd57f816502035077e3e| **MD5** **Compile Time** **CnC** ----- 0f3031412d255336a102bbc1dcd43812 2014-02-19 09:29:04 www[.]skyslisten[.]com The import hash from this dropper was also seen in a number of previous APT1 samples [dating as far back as 2011 — well before the release of the APT1 report. We previously](http://intelreport.mandiant.com) [discussed the value of tracking via import hashing here. Other APT1 samples with this](http://www.mandiant.com/blog/tracking-malware-import-hashing/) same import hash include (but are not limited to): |MD5|Compile Time|CnC| |---|---|---| |719453b4da6d3814604c84a28d4d1f4c|2011-06-16 12:54:20|www[.]stapharrest[.]com| |93a6e9a26924a5cdab8ed47cadbe88d5|2012-01-18 13:35:54|www[.]offerdahls[.]com| |c2aadd6a69a775602d984af64eaeda96|2012-05-15 09:02:25|www[.]bluecoate[.]com| |1df0b937239473df0187063392dae028|2012-06-20 09:25:31|www[.]billyjoebobshow[.]com| |55065f1b341e5b095b6d453923d5654d|2012-07-12 09:21:17|184.82.164.104| |65502e91e3676cf30778a7078f1061de|2012-07-19 09:31:42|www[.]billyjoebobshow[.]com| |287113e4423813efd242af8e6255f680|2012-07-24 05:53:22|thales[.]myftp[.]info| |d613d40d5402f58d8952da2c24d1a769|2012-09-27 12:46:20|www[.]billyjoebobshow[| |57a4c6236b4ecf96d31258e5cc6f0ae4|2013-01-07 07:43:14|manslist[.]loopback[.]nu| ----- Further, the 0f3031412d255336a102bbc1dcd43812 sample dropped a backdoor with the MD5 hash 185e930a19ad1a99c226d59ef563e28c. This implant was stored as a resource within the dropper, and it contained a custom base64 alphabet of oWXYZabcdefghijkl123456789ABCDEFGHIJKL+/MNOPQRSTUVmn0pqrstuvwxyz. This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including (but not limited to): **MD5** **Compile Time** **CnC** 736ebc9b8ece410aaf4e8b60615f065f 2003-05-15 08:58:48 www[.]comtoway[.]com ac87816b9a371e72512d8fd82f61c737 2006-09-14 02:28:46 www[.]mwa[.]net 173cd315008897e56fa812f2b2843f83 2006-09-14 02:28:46 www[.]deebeedesigns[.]ca 513644c57688b70860d0b9aa1b6cd0d7 2010-12-17 03:24:13 69.90.65.240 fdf6bf1973af8ab130fbcaa0914b4b06 2012-05-10 08:41:35 www[.]woodagency[.]com 682bfed6332e210b4f3a91e5e8a1410b 2012-05-15 03:17:04 www[.]oewarehouse[.]com fb7a74a88eead4d39a58cc7b6eede4ce 2013-08-01 18:23:07 www[.]mwa[.]net ## Executable (PE) resource with PDF icon Table |MD5|Compile Time|CnC| |---|---|---| |736ebc9b8ece410aaf4e8b60615f065f|2003-05-15 08:58:48|www[.]comtoway[.]com| |ac87816b9a371e72512d8fd82f61c737|2006-09-14 02:28:46|www[.]mwa[.]net| |173cd315008897e56fa812f2b2843f83|2006-09-14 02:28:46|www[.]deebeedesigns[.]ca| |513644c57688b70860d0b9aa1b6cd0d7|2010-12-17 03:24:13|69.90.65.240| |fdf6bf1973af8ab130fbcaa0914b4b06|2012-05-10 08:41:35|www[.]woodagency[.]com| |682bfed6332e210b4f3a91e5e8a1410b|2012-05-15 03:17:04|www[.]oewarehouse[.]com| |fb7a74a88eead4d39a58cc7b6eede4ce|2013-08-01 18:23:07|www[.]mwa[.]net| ----- 719453b4da6d3814604c84a28d4d1f4c 2011-06-16 12:54:20 www[.]drgeorges[.]com |854cb8ba3b2d3058239a7ba6a427944a|2011-08-17 00:31:27|meeting[.]toh[.]info| |---|---|---| |a049b8ec51c0255dec734c7ba5641af3|2011-08-17 00:31:27|meeting[.]toh[.]info| |0725a1819a58e988b939f06e53990254|2011-08-17 00:31:27|google.ninth.biz| |0fdffd4f5730bdd37f2f082bf396064a|2011-08-11 09:35:24|homepage[.]longmusic[.]com| |e476e4a24f8b4ff4c8a0b260aa35fc9f|2012-06-09 13:19:49|www[.]heliospartners[.]com| |d613d40d5402f58d8952da2c24d1a769|2012-09-27 12:46:20|www[.]billyjoebobshow[.]com| |f822a9e08b51c19a154dfb63ee9b8367|2013-01-10 07:50:58|technology[.]acmetoy[.]com| Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including (but not limited to): **MD5** **Compile Time** **CnC** 2009-09-28 1aab2040ed4f918e1823e2caf645a81d www[.]olmusic100[.]com 22:08:38 |MD5|Compile Time|CnC| |---|---|---| ----- 2010-08-31 9c4617793984c4b08d75b00f1562cbda 03:27:55 2010-08-31 b584b48d401e98f404584c330489895c 07:52:17 2010-09-16 b92a53fc409d175c768581978f1d3331 09:57:09 2010-10-25 d6c19be4e9e1ae347ee269d15cb96a51 01:59:00 2011-04-20 d0a7cd5cd7da9024fb8bd594d37d7594 07:39:01 2011-06-13 b19ef1134f54b4021f99cc45ae1bc270 06:56:04 2012-03-26 b0a95c47d170baad8a5594e0f755e0c1 06:50:10 2012-03-26 894ef915af830f38499d498342fdd8db 07:13:36 2012-05-15 c2aadd6a69a775602d984af64eaeda96 09:02:25 Li k t th A ti it freetrade[.]allowed[.]org worldwide[.]chickenkiller[.]com |b584b48d401e98f404584c330489895c|2010-08-31 07:52:17|worldwide[.]chickenkiller[.]com freetrade[.]allowed[.]org| |---|---|---| |b92a53fc409d175c768581978f1d3331|2010-09-16 09:57:09|www[.]rbaparts[.]com| |d6c19be4e9e1ae347ee269d15cb96a51|2010-10-25 01:59:00|www[.]kayauto[.]net| |d0a7cd5cd7da9024fb8bd594d37d7594|2011-04-20 07:39:01|www[.]kayauto[.]net| |b19ef1134f54b4021f99cc45ae1bc270|2011-06-13 06:56:04|www[.]kayauto[.]net| |b0a95c47d170baad8a5594e0f755e0c1|2012-03-26 06:50:10|www[.]coachmotor[.]com| |894ef915af830f38499d498342fdd8db|2012-03-26 07:13:36|www[.]rightnowautoparts[.]com| |c2aadd6a69a775602d984af64eaeda96|2012-05-15 09:02:25|www[.]bluecoate[.]com| ----- |MD5|Compile Time|CnC| |---|---|---| |392f15c431c00f049bb1282847d8967f|2012-05-16 06:48:02|army.xxuz.com| |21567cce2c26e7543b977a205845ba77|2012 06 26 05:17:52|nasa.xxuz.com| |d4b7f99669a3efc94006e5fe9d84eb65|2012-07-03 09:33:46|tw.2012yearleft.com| |df5bd411f080b55c578aeb9001a4287d|2012-07-04 04:07:36|apple.cmdnetview.com| |001b8f696b6576798517168cd0a0fb44|2012 11 13 07:19:03|google.macforlinux.net| |6a3b8d24c125f3a3c7cff526e63297f3|2013-02-25 05:31:41|cvnx.zyns.com| |a02610e760fa15c064931cfafb90a9e8|2013-08-01 18:23:04|cvnx.zyns.com| |78a4fee0e7b471f733f00c6e7bca3d90|2013-08-01 18:23:05|fbi.sexxxy.biz| |6f3d15cf788e28ca504a6370c4ff6a1e|2013-09-10 06:40:28|scrlk.exprenum.com| ## Shared Tools This shared PE resource between what is believed to be two distinct groups (likely APT1, and Menupass) can be explained by either of the following: APT1 and Menupass are actually one and the same ----- possibility is that the shared resource between APT1 and the Menupass group is a binder tool. A binder tool enables a malicious actor to add an innocuous-looking icon, such as a PDF document icon, to a malicious dropper. This technique facilitates social engineering, presenting the end user with a file that looks like a PDF document rather than an executable. Figure 1 shows a builder that enables actors to bind a JPG image icon to a malicious executable. Figure 1: Binder tool for disguising executable files as JPGs ----- An unknown group using tools and tactics shared by APT1 executed the Siesta campaign Although we are not certain that APT1 is responsible for the Siesta activity, this current campaign shares a number of distinct characteristics with previous activity attributed to APT1. ## So What? Regardless of which group is responsible for this campaign, our analysis highlights the importance of monitoring for known indicators. As shown above, monitoring for previously disclosed indicators of compromise (IOCs), even IOCs that are years old, can yield value. Additionally, monitoring for IOCs and attributes of malware that are shared by multiple groups may also improve the effectiveness of your network defense operations. In this example, implementing detection for executables with a PE resource with a SHA256 hash of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd would detect both Menupass and APT1 samples. [This entry was posted on Wed Mar 12 19:57 EDT 2014 and filed under Ned Moran and](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-ned-moran) [Mike Oppenheim.](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-mike-oppenheim) ----- ## Sign up for email updates Get information and insight on today's advanced threats from the leader in advanced threat prevention. First Name Last Name Email Address Company Name Threat Research Blog Products and Services Blog Executive Perspectives Blog SUBSCRIBE ----- [About FireEye](https://www.fireeye.com/company/why-fireeye.html) [Customer Stories](https://www.fireeye.com/customers.html) [Careers](https://www.fireeye.com/company/jobs.html) [Partners](https://www.fireeye.com/partners.html) [Investor Relations](http://investors.fireeye.com/) [Supplier Documents](https://www.fireeye.com/company/supplier.html) [Newsroom](https://www.fireeye.com/company/newsroom.html) [Press Releases](https://www.fireeye.com/company/press-releases.html) [Webinars](https://www.fireeye.com/company/webinars.html) [Events](https://www.fireeye.com/company/events.html) [Awards and Honors](https://www.fireeye.com/company/awards.html) [Email Preferences](https://www2.fireeye.com/manage-your-preferences.html) [Incident?](https://www.fireeye.com/company/incident-response.html) [Report Security Issue](https://www.fireeye.com/company/security.html) [Contact Support](https://www.fireeye.com/support/contacts.html) [Customer Portal](https://csportal.fireeye.com/secur/login_portal.jsp?orgId=00D3000000063LS&portalId=06030000000pSNE) [Communities](https://community.fireeye.com/welcome) [Documentation Portal](https://docs.fireeye.com) [Threat Research](https://www.fireeye.com/blog/threat-research.html) [Products and Services](https://www.fireeye.com/blog/products-and-services.html) [Executive Perspectives](https://www.fireeye.com/blog/executive-perspective.html) Threat Map [View the Latest Threats](https://www.fireeye.com/cyber-map/threat-map.html) [1 877 347 3393](tel:+1 877-347-3393) Stay Connected ##  Copyright © 2018 FireEye, Inc. All rights reserved. [Privacy & Cookies Policy | Privacy Shield | Legal Documentation](https://www.fireeye.com/company/privacy.html) Site Language English  -----