# A Detailed Examination of the Siesta Campaign

**[fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html](https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html)**

## Threat Research Blog

March 12, 2014 | by [Ned Moran,](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-ned-moran) [Mike Oppenheim](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-mike-oppenheim)

### Executive Summary

[FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed](http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/)
the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign
[present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this](http://intelreport.mandiant.com/)
activity, or another group is using the same tactics and tools as the legacy APT1.

The Siesta campaign reinforces the fact that analysts and network defenders should remain
on the lookout for known, public indicators and for shared attributes that allow security
experts to detect multiple actors with one signature.

### Overview

On March 6, 2014 TrendMicro reported on the Siesta Campaign. Though not explicitly stated
in this report, the tactics, techniques and procedures (TTPs) described in this report share a
number of characteristics with historical activity we’ve attributed to APT1 (also known as the


-----

Comment Crew ).

We witnessed this same campaign targeting a customer in the telecommunications sector on
Feb. 20, 2014, using a spear-phishing message with a link to
ifuedit[.]net/Healthcare_Questionnaire.zip. This zip file contained a malicious executable with
the following properties:

**MD5** 61249bf64fa270931570b8a5eba06afa

**Compile Time** 2014-02-20 02:28:21

**.text** 39e9e4eac77a09b915626f315b963a4f

**.rdata** a126c8c7c50bf034f2d3ba4aa5bcab28

**.data** bb95154b5aeb13a4ff937afa2e7e4560

**.rsrc** edf3a1e142fc212da11dc72698184ad5

**Import Hash** 20ff5087740eabff5bdbdf99d9fb6853

This sample initiated a callback to www[.]microsofthomes[.]com/index.html.

This same import hash was seen in the following samples:


**MD5** **Compile Time**


68f73d81c814ab2f70eed02c0be3b67d
68f73d81c814ab2f70eed02c0be3b67d

20b124baaaec1e8cbc3cd52e8e5ceebd
20b124baaaec1e8cbc3cd52e8e5ceebd


2014-02-20
02:26:24 201402-20 02:26:24

2014-02-20
02:26:24 201402-20 02:26:24


**Command-and-Control**
**(CnC) server**

www[.]microsofthomes[.]com
www[.]microsofthomes[.]com

www[.]microsofthomes[.]com
www[.]microsofthomes[.]com


**Techniques, tactics, and procedures analysis**

The TTPs described above are consistent with APT1. This group previously relied on
establishing a foothold in targeted networks with following methods:

Spear-phishing emails with links to archives
Callback traffic to a legitimate-looking webpage

**Analysis of Related Samples**

A related dropper listed in the TrendMicro report on the Siesta campaign is MD5
0f3031412d255336a102bbc1dcd43812. This sample had the following properties:


-----

**MD5** 0f3031412d255336a102bbc1dcd43812

**Compile Time** 2014-02-19 09:29:04

**.text** a2e11e9c8b07888345d6cdf7d995b832

**.rdata** 0203cc3bb607e9cfa296fa857b243468

**.data** 7d281bd27bc1279428bd1798671eb57b

**.rsrc** caa869fa01ddfee26156166a10c42944

**Import Hash** 0fefba40443edd57f816502035077e3e

The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the
Siesta campaign including:

**MD5** **Compile Time** **CnC**


643654975b63a9bb6f597502e5cd8f49
643654975b63a9bb6f597502e5cd8f49

0f3031412d255336a102bbc1dcd43812
0f3031412d255336a102bbc1dcd43812


2014-01-14
04:38:30 2014-0114 04:38:30

2014-02-19
09:29:04 2014-0219 09:29:04


www[.]cloudcominc[.]com
www[.]cloudcominc[.]com

www[.]skyslisten[.]com
www[.]skyslisten[.]com


The import hash from this dropper was also seen in a number of previous APT1 samples
[dating as far back as 2011 — well before the release of the APT1 report. We previously](http://intelreport.mandiant.com/)
[discussed the value of tracking via import hashing here. Other APT1 samples with this same](http://www.mandiant.com/blog/tracking-malware-import-hashing/)
import hash include (but are not limited to):

**MD5** **Compile Time** **CnC**


719453b4da6d3814604c84a28d4d1f4c
719453b4da6d3814604c84a28d4d1f4c

93a6e9a26924a5cdab8ed47cadbe88d5
93a6e9a26924a5cdab8ed47cadbe88d5

c2aadd6a69a775602d984af64eaeda96
c2aadd6a69a775602d984af64eaeda96

1df0b937239473df0187063392dae028
1df0b937239473df0187063392dae028


2011-06-16
12:54:20 201106-16 12:54:20

2012-01-18
13:35:54 201201-18 13:35:54

2012-05-15
09:02:25 201205-15 09:02:25

2012-06-20
09:25:31 201206-20 09:25:31


www[.]stapharrest[.]com
www[.]stapharrest[.]com

www[.]offerdahls[.]com
www[.]offerdahls[.]com

www[.]bluecoate[.]com
www[.]bluecoate[.]com

www[.]billyjoebobshow[.]com
www[.]billyjoebobshow[.]com


-----

55065f1b341e5b095b6d453923d5654d
55065f1b341e5b095b6d453923d5654d

65502e91e3676cf30778a7078f1061de
65502e91e3676cf30778a7078f1061de

287113e4423813efd242af8e6255f680
287113e4423813efd242af8e6255f680

d613d40d5402f58d8952da2c24d1a769
d613d40d5402f58d8952da2c24d1a769

57a4c6236b4ecf96d31258e5cc6f0ae4
57a4c6236b4ecf96d31258e5cc6f0ae4

e5a4ec0519c471b5be093aee5c33b1ee
e5a4ec0519c471b5be093aee5c33b1ee

f822a9e08b51c19a154dfb63ee9b8367
f822a9e08b51c19a154dfb63ee9b8367


2012-07-12
09:21:17 201207-12 09:21:17

2012-07-19
09:31:42 201207-19 09:31:42

2012-07-24
05:53:22 201207-24 05:53:22

2012-09-27
12:46:20 201209-27 12:46:20

2013-01-07
07:43:14 201301-07 07:43:14

2013-01-08
07:34:59 201301-08 07:34:59

2013-01-10
07:50:58 201301-10 07:50:58


184.82.164.104
184.82.164.104

www[.]billyjoebobshow[.]com
www[.]billyjoebobshow[.]com

thales[.]myftp[.]info
thales[.]myftp[.]info

www[.]billyjoebobshow[
www[.]billyjoebobshow[

manslist[.]loopback[.]nu
manslist[.]loopback[.]nu

www[.]whackcard[.]com
www[.]whackcard[.]com

technology[.]acmetoy[.]com
technology[.]acmetoy[.]com


Further, the 0f3031412d255336a102bbc1dcd43812 sample dropped a backdoor with the
MD5 hash 185e930a19ad1a99c226d59ef563e28c. This implant was stored as a resource
within the dropper, and it contained a custom base64 alphabet of
oWXYZabcdefghijkl123456789ABCDEFGHIJKL+/MNOPQRSTUVmn0pqrstuvwxyz. This
custom alphabet was used by the malware to decode commands issued by the attacker to
the victim machine and to Base64 encode the reverse shell from the victims back to the CnC
server.This same custom alphabet has been used in previous APT1 samples including (but
not limited to):

**MD5** **Compile Time** **CnC**


736ebc9b8ece410aaf4e8b60615f065f
736ebc9b8ece410aaf4e8b60615f065f

ac87816b9a371e72512d8fd82f61c737
ac87816b9a371e72512d8fd82f61c737


2003-05-15
08:58:48 2003-0515 08:58:48

2006-09-14
02:28:46 2006-0914 02:28:46


www[.]comtoway[.]com
www[.]comtoway[.]com

www[.]mwa[.]net
www[.]mwa[.]net


-----

173cd315008897e56fa812f2b2843f83
173cd315008897e56fa812f2b2843f83

513644c57688b70860d0b9aa1b6cd0d7
513644c57688b70860d0b9aa1b6cd0d7

fdf6bf1973af8ab130fbcaa0914b4b06
fdf6bf1973af8ab130fbcaa0914b4b06

682bfed6332e210b4f3a91e5e8a1410b
682bfed6332e210b4f3a91e5e8a1410b

fb7a74a88eead4d39a58cc7b6eede4ce
fb7a74a88eead4d39a58cc7b6eede4ce


2006-09-14
02:28:46 2006-0914 02:28:46

2010-12-17
03:24:13 2010-1217 03:24:13

2012-05-10
08:41:35 2012-0510 08:41:35

2012-05-15
03:17:04 2012-0515 03:17:04

2013-08-01
18:23:07 2013-0801 18:23:07


www[.]deebeedesigns[.]ca
www[.]deebeedesigns[.]ca

69.90.65.240
69.90.65.240

www[.]woodagency[.]com
www[.]woodagency[.]com

www[.]oewarehouse[.]com
www[.]oewarehouse[.]com

www[.]mwa[.]net
www[.]mwa[.]net


### Executable (PE) resource with PDF icon Table

**MD5** **Compile Time** **CnC**


719453b4da6d3814604c84a28d4d1f4c
719453b4da6d3814604c84a28d4d1f4c

854cb8ba3b2d3058239a7ba6a427944a
854cb8ba3b2d3058239a7ba6a427944a

a049b8ec51c0255dec734c7ba5641af3
a049b8ec51c0255dec734c7ba5641af3

0725a1819a58e988b939f06e53990254
0725a1819a58e988b939f06e53990254

0fdffd4f5730bdd37f2f082bf396064a
0fdffd4f5730bdd37f2f082bf396064a

e476e4a24f8b4ff4c8a0b260aa35fc9f
e476e4a24f8b4ff4c8a0b260aa35fc9f


2011-06-16
12:54:20 201106-16 12:54:20

2011-08-17
00:31:27 201108-17 00:31:27

2011-08-17
00:31:27 201108-17 00:31:27

2011-08-17
00:31:27 201108-17 00:31:27

2011-08-11
09:35:24 201108-11 09:35:24

2012-06-09
13:19:49 201206-09 13:19:49


www[.]drgeorges[.]com
www[.]drgeorges[.]com

meeting[.]toh[.]info
meeting[.]toh[.]info

meeting[.]toh[.]info
meeting[.]toh[.]info

google.ninth.biz
google.ninth.biz

homepage[.]longmusic[.]com
homepage[.]longmusic[.]com

www[.]heliospartners[.]com
www[.]heliospartners[.]com


-----

d613d40d5402f58d8952da2c24d1a769
d613d40d5402f58d8952da2c24d1a769

f822a9e08b51c19a154dfb63ee9b8367
f822a9e08b51c19a154dfb63ee9b8367


2012-09-27
12:46:20 201209-27 12:46:20

2013-01-10
07:50:58 201301-10 07:50:58


www[.]billyjoebobshow[.]com
www[.]billyjoebobshow[.]com

technology[.]acmetoy[.]com
technology[.]acmetoy[.]com


Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812
droppers also had a portable executable (PE) resource with the SHA256 of
fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE
resource contained the PDF icon used by the dropper to make the executable appear as
though it was a PDF document rather than an executable. Previous APT1 samples also used
this sample PE resource including (but not limited to):

**MD5** **Compile Time** **CnC**


1aab2040ed4f918e1823e2caf645a81d
1aab2040ed4f918e1823e2caf645a81d

8ee2cf05746bb0a009981fdb90f1343e
8ee2cf05746bb0a009981fdb90f1343e

9c4617793984c4b08d75b00f1562cbda
9c4617793984c4b08d75b00f1562cbda

b584b48d401e98f404584c330489895c
b584b48d401e98f404584c330489895c

b92a53fc409d175c768581978f1d3331
b92a53fc409d175c768581978f1d3331

d6c19be4e9e1ae347ee269d15cb96a51
d6c19be4e9e1ae347ee269d15cb96a51

d0a7cd5cd7da9024fb8bd594d37d7594
d0a7cd5cd7da9024fb8bd594d37d7594


2009-09-28
22:08:38 200909-28 22:08:38

2010-03-15
11:46:31 201003-15 11:46:31

2010-08-31
03:27:55 201008-31 03:27:55

2010-08-31
07:52:17 201008-31 07:52:17

2010-09-16
09:57:09 201009-16 09:57:09

2010-10-25
01:59:00 201010-25 01:59:00

2011-04-20
07:39:01 201104-20 07:39:01


www[.]olmusic100[.]com
www[.]olmusic100[.]com

gogotrade[.]apple.org[.]ru

tradeproject[.]rlogin[.]org
gogotrade[.]apple.org[.]ru

tradeproject[.]rlogin[.]org

freetrade[.]allowed[.]org

worldwide[.]chickenkiller[.]com
freetrade[.]allowed[.]org

worldwide[.]chickenkiller[.]com

worldwide[.]chickenkiller[.]com

freetrade[.]allowed[.]org
worldwide[.]chickenkiller[.]com

freetrade[.]allowed[.]org

www[.]rbaparts[.]com
www[.]rbaparts[.]com

www[.]kayauto[.]net
www[.]kayauto[.]net

www[.]kayauto[.]net
www[.]kayauto[.]net


-----

b19ef1134f54b4021f99cc45ae1bc270
b19ef1134f54b4021f99cc45ae1bc270

b0a95c47d170baad8a5594e0f755e0c1
b0a95c47d170baad8a5594e0f755e0c1

894ef915af830f38499d498342fdd8db
894ef915af830f38499d498342fdd8db

c2aadd6a69a775602d984af64eaeda96
c2aadd6a69a775602d984af64eaeda96

**Links to other Activity**


2011-06-13
06:56:04 201106-13 06:56:04

2012-03-26
06:50:10 201203-26 06:50:10

2012-03-26
07:13:36 201203-26 07:13:36

2012-05-15
09:02:25 201205-15 09:02:25


www[.]kayauto[.]net
www[.]kayauto[.]net

www[.]coachmotor[.]com
www[.]coachmotor[.]com

www[.]rightnowautoparts[.]com
www[.]rightnowautoparts[.]com

www[.]bluecoate[.]com
www[.]bluecoate[.]com


This same PE resource was also used in a number of other samples deployed by the
[“Menupass” group, which we have detailed in our Poison Ivy report. Previous Menupass](https://www.fireeye.com/blog/threat-research/2013/08/pivy-assessing-damage-and-extracting-intel.html)
samples with this same PE resource include (but are not limited to):

**MD5** **Compile Time** **CnC**


392f15c431c00f049bb1282847d8967f
392f15c431c00f049bb1282847d8967f

21567cce2c26e7543b977a205845ba77
21567cce2c26e7543b977a205845ba77

d4b7f99669a3efc94006e5fe9d84eb65
d4b7f99669a3efc94006e5fe9d84eb65

df5bd411f080b55c578aeb9001a4287d
df5bd411f080b55c578aeb9001a4287d

001b8f696b6576798517168cd0a0fb44
001b8f696b6576798517168cd0a0fb44

6a3b8d24c125f3a3c7cff526e63297f3
6a3b8d24c125f3a3c7cff526e63297f3

a02610e760fa15c064931cfafb90a9e8
a02610e760fa15c064931cfafb90a9e8

78a4fee0e7b471f733f00c6e7bca3d90
78a4fee0e7b471f733f00c6e7bca3d90

6f3d15cf788e28ca504a6370c4ff6a1e
6f3d15cf788e28ca504a6370c4ff6a1e


2012-05-16 06:48:02
2012-05-16 06:48:02

2012 06 26 05:17:52
2012 06 26 05:17:52

2012-07-03 09:33:46
2012-07-03 09:33:46

2012-07-04 04:07:36
2012-07-04 04:07:36

2012 11 13 07:19:03
2012 11 13 07:19:03

2013-02-25 05:31:41
2013-02-25 05:31:41

2013-08-01 18:23:04
2013-08-01 18:23:04

2013-08-01 18:23:05
2013-08-01 18:23:05

2013-09-10 06:40:28
2013-09-10 06:40:28


army.xxuz.com
army.xxuz.com

nasa.xxuz.com
nasa.xxuz.com

tw.2012yearleft.com
tw.2012yearleft.com

apple.cmdnetview.com
apple.cmdnetview.com

google.macforlinux.net
google.macforlinux.net

cvnx.zyns.com
cvnx.zyns.com

cvnx.zyns.com
cvnx.zyns.com

fbi.sexxxy.biz
fbi.sexxxy.biz

scrlk.exprenum.com
scrlk.exprenum.com


-----

### Shared Tools

This shared PE resource between what is believed to be two distinct groups (likely APT1,
and Menupass) can be explained by either of the following:

APT1 and Menupass are actually one and the same
APT1 and Menupass share “binder” tools

It is unlikely that APT1 and Menupass represent the same group. We have observed no
other overlaps in infrastructure or tools between these two groups. A more likely possibility is
that the shared resource between APT1 and the Menupass group is a binder tool.

A binder tool enables a malicious actor to add an innocuous-looking icon, such as a PDF
document icon, to a malicious dropper. This technique facilitates social engineering,
presenting the end user with a file that looks like a PDF document rather than an executable.
Figure 1 shows a builder that enables actors to bind a JPG image icon to a malicious
executable.

**Figure 1: Binder tool for disguising executable files as JPGs**

**Attribution**

Based on the evidence provided, the following are possibilities:

The Siesta campaign was executed by APT1
An unknown group using tools and tactics shared by APT1 executed the Siesta
campaign

Although we are not certain that APT1 is responsible for the Siesta activity, this current
campaign shares a number of distinct characteristics with previous activity attributed to
APT1.

### So What?

Regardless of which group is responsible for this campaign, our analysis highlights the
importance of monitoring for known indicators. As shown above, monitoring for previously
disclosed indicators of compromise (IOCs), even IOCs that are years old, can yield value.


-----

Additionally, monitoring for IOCs and attributes of malware that are shared by multiple groups
may also improve the effectiveness of your network defense operations. In this example,
implementing detection for executables with a PE resource with a SHA256 hash of
fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd would detect
both Menupass and APT1 samples.


-----