Friday, March 14, 2014

[fireeye] A Detailed Examination of the Siesta Campaign

Executive Summary

FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.
The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.


On March 6, 2014 TrendMicro reported on the Siesta Campaign. Though not explicitly stated in this report, the tactics, techniques and procedures (TTPs) described in this report share a number of characteristics with historical activity we’ve attributed to APT1 (also known as the “Comment Crew”).
We witnessed this same campaign targeting a customer in the telecommunications sector on Feb. 20, 2014, using a spear-phishing message with a link to ifuedit[.]net/ This zip file contained a malicious executable with the following properties:
Compile Time2014-02-20 02:28:21
Import Hash20ff5087740eabff5bdbdf99d9fb6853
This sample initiated a callback to www[.]microsofthomes[.]com/index.html.
This same import hash was seen in the following samples:
MD5Compile TimeCommand-and-Control (CnC) server
68f73d81c814ab2f70eed02c0be3b67d2014-02-20 02:26:24www[.]microsofthomes[.]com
20b124baaaec1e8cbc3cd52e8e5ceebd2014-02-20 02:26:24www[.]microsofthomes[.]com
Techniques, tactics, and procedures analysis
The TTPs described above are consistent with APT1. This group previously relied on establishing a foothold in targeted networks with following methods:
  • Spear-phishing emails with links to archives
  • Callback traffic to a legitimate-looking webpage
Analysis of Related Samples
A related dropper listed in the TrendMicro report on the Siesta campaign is MD5 0f3031412d255336a102bbc1dcd43812. This sample had the following properties:
Compile Time2014-02-19 09:29:04
Import Hash0fefba40443edd57f816502035077e3e
The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign including:
MD5Compile TimeCnC
643654975b63a9bb6f597502e5cd8f492014-01-14 04:38:30www[.]cloudcominc[.]com
0f3031412d255336a102bbc1dcd438122014-02-19 09:29:04www[.]skyslisten[.]com
The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 — well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):
MD5Compile TimeCnC
719453b4da6d3814604c84a28d4d1f4c2011-06-16 12:54:20www[.]stapharrest[.]com
93a6e9a26924a5cdab8ed47cadbe88d52012-01-18 13:35:54www[.]offerdahls[.]com
c2aadd6a69a775602d984af64eaeda962012-05-15 09:02:25www[.]bluecoate[.]com
1df0b937239473df0187063392dae0282012-06-20 09:25:31www[.]billyjoebobshow[.]com
55065f1b341e5b095b6d453923d5654d2012-07-12 09:21:17184.82.164.104
65502e91e3676cf30778a7078f1061de2012-07-19 09:31:42www[.]billyjoebobshow[.]com
287113e4423813efd242af8e6255f6802012-07-24 05:53:22thales[.]myftp[.]info
d613d40d5402f58d8952da2c24d1a7692012-09-27 12:46:20www[.]billyjoebobshow[
57a4c6236b4ecf96d31258e5cc6f0ae42013-01-07 07:43:14manslist[.]loopback[.]nu
e5a4ec0519c471b5be093aee5c33b1ee2013-01-08 07:34:59www[.]whackcard[.]com
f822a9e08b51c19a154dfb63ee9b83672013-01-10 07:50:58technology[.]acmetoy[.]com
Further, the 0f3031412d255336a102bbc1dcd43812 sample dropped a backdoor with the MD5 hash 185e930a19ad1a99c226d59ef563e28c. This implant was stored as a resource within the dropper, and it contained a custom base64 alphabet of oWXYZabcdefghijkl123456789ABCDEFGHIJKL+/MNOPQRSTUVmn0pqrstuvwxyz. This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including (but not limited to):
MD5Compile TimeCnC
736ebc9b8ece410aaf4e8b60615f065f2003-05-15 08:58:48www[.]comtoway[.]com
ac87816b9a371e72512d8fd82f61c7372006-09-14 02:28:46www[.]mwa[.]net
173cd315008897e56fa812f2b2843f832006-09-14 02:28:46www[.]deebeedesigns[.]ca
513644c57688b70860d0b9aa1b6cd0d72010-12-17 03:24:1369.90.65.240
fdf6bf1973af8ab130fbcaa0914b4b062012-05-10 08:41:35www[.]woodagency[.]com
682bfed6332e210b4f3a91e5e8a1410b2012-05-15 03:17:04www[.]oewarehouse[.]com
fb7a74a88eead4d39a58cc7b6eede4ce2013-08-01 18:23:07www[.]mwa[.]net
Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including (but not limited to):
MD5Compile TimeCnC
719453b4da6d3814604c84a28d4d1f4c2011-06-16 12:54:20www[.]drgeorges[.]com
854cb8ba3b2d3058239a7ba6a427944a2011-08-17 00:31:27meeting[.]toh[.]info
a049b8ec51c0255dec734c7ba5641af32011-08-17 00:31:27meeting[.]toh[.]info
0fdffd4f5730bdd37f2f082bf396064a2011-08-11 09:35:24homepage[.]longmusic[.]com
e476e4a24f8b4ff4c8a0b260aa35fc9f2012-06-09 13:19:49www[.]heliospartners[.]com
d613d40d5402f58d8952da2c24d1a7692012-09-27 12:46:20www[.]billyjoebobshow[.]com
f822a9e08b51c19a154dfb63ee9b83672013-01-10 07:50:58technology[.]acmetoy[.]com
Finally, the sample 643654975b63a9bb6f597502e5cd8f49 compiled on 2014-01-14 04:38:30 and seen connecting to the command and control server at www[.]cloudcominc[.]com also dropped a decoy PDF document with the MD5 hash of 76aa49de535ee39129d5751e00517ad0. This same PDF decoy document was also used in previous APT1 samples including (but not limited to):
MD5Compile TimeCnC
1aab2040ed4f918e1823e2caf645a81d2009-09-28 22:08:38www[.]olmusic100[.]com
8ee2cf05746bb0a009981fdb90f1343e2010-03-15 11:46:31gogotrade[.][.]ru
9c4617793984c4b08d75b00f1562cbda2010-08-31 03:27:55freetrade[.]allowed[.]org
b584b48d401e98f404584c330489895c2010-08-31 07:52:17worldwide[.]chickenkiller[.]com
b92a53fc409d175c768581978f1d33312010-09-16 09:57:09www[.]rbaparts[.]com
d6c19be4e9e1ae347ee269d15cb96a512010-10-25 01:59:00www[.]kayauto[.]net
d0a7cd5cd7da9024fb8bd594d37d75942011-04-20 07:39:01www[.]kayauto[.]net
b19ef1134f54b4021f99cc45ae1bc2702011-06-13 06:56:04www[.]kayauto[.]net
b0a95c47d170baad8a5594e0f755e0c12012-03-26 06:50:10www[.]coachmotor[.]com
894ef915af830f38499d498342fdd8db2012-03-26 07:13:36www[.]rightnowautoparts[.]com
c2aadd6a69a775602d984af64eaeda962012-05-15 09:02:25www[.]bluecoate[.]com
Links to other Activity
This same PE resource was also used in a number of other samples deployed by the “Menupass” group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include (but are not limited to):
MD5Compile TimeCnC
21567cce2c26e7543b977a205845ba772012 06 26
001b8f696b6576798517168cd0a0fb442012 11 13

Shared Tools

This shared PE resource between what is believed to be two distinct groups (likely APT1, and Menupass) can be explained by either of the following:
  • APT1 and Menupass are actually one and the same
  • APT1 and Menupass share “binder” tools
It is unlikely that APT1 and Menupass represent the same group. We have observed no other overlaps in infrastructure or tools between these two groups. A more likely possibility is that the shared resource between APT1 and the Menupass group is a binder tool.
A binder tool enables a malicious actor to add an innocuous-looking icon, such as a PDF document icon, to a malicious dropper. This technique facilitates social engineering, presenting the end user with a file that looks like a PDF document rather than an executable. Figure 1 shows a builder that enables actors to bind a JPG image icon to a malicious executable.
Figure 1: Binder tool for disguising executable files as JPGs
Based on the evidence provided, the following are possibilities:
  • The Siesta campaign was executed by APT1
  • An unknown group using tools and tactics shared by APT1 executed the Siesta campaign
Although we are not certain that APT1 is responsible for the Siesta activity, this current campaign shares a number of distinct characteristics with previous activity attributed to APT1.

So What?

Regardless of which group is responsible for this campaign, our analysis highlights the importance of monitoring for known indicators. As shown above, monitoring for previously disclosed indicators of compromise (IOCs), even IOCs that are years old, can yield value.
Additionally, monitoring for IOCs and attributes of malware that are shared by multiple groups may also improve the effectiveness of your network defense operations. In this example, implementing detection for executables with a PE resource with a SHA256 hash of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd would detect both Menupass and APT1 samples.

No comments:

Post a Comment