FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.
The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.
On March 6, 2014 TrendMicro reported on the Siesta Campaign. Though not explicitly stated in this report, the tactics, techniques and procedures (TTPs) described in this report share a number of characteristics with historical activity we’ve attributed to APT1 (also known as the “Comment Crew”).
We witnessed this same campaign targeting a customer in the telecommunications sector on Feb. 20, 2014, using a spear-phishing message with a link to ifuedit[.]net/Healthcare_Questionnaire.zip. This zip file contained a malicious executable with the following properties:
|Compile Time||2014-02-20 02:28:21|
This sample initiated a callback to www[.]microsofthomes[.]com/index.html.
This same import hash was seen in the following samples:
|MD5||Compile Time||Command-and-Control (CnC) server|
Techniques, tactics, and procedures analysis
The TTPs described above are consistent with APT1. This group previously relied on establishing a foothold in targeted networks with following methods:
- Spear-phishing emails with links to archives
- Callback traffic to a legitimate-looking webpage
Analysis of Related Samples
A related dropper listed in the TrendMicro report on the Siesta campaign is MD5 0f3031412d255336a102bbc1dcd43812. This sample had the following properties:
|Compile Time||2014-02-19 09:29:04|
The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign including:
The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 — well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):
Further, the 0f3031412d255336a102bbc1dcd43812 sample dropped a backdoor with the MD5 hash 185e930a19ad1a99c226d59ef563e28c. This implant was stored as a resource within the dropper, and it contained a custom base64 alphabet of oWXYZabcdefghijkl123456789ABCDEFGHIJKL+/MNOPQRSTUVmn0pqrstuvwxyz. This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including (but not limited to):
Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including (but not limited to):
Finally, the sample 643654975b63a9bb6f597502e5cd8f49 compiled on 2014-01-14 04:38:30 and seen connecting to the command and control server at www[.]cloudcominc[.]com also dropped a decoy PDF document with the MD5 hash of 76aa49de535ee39129d5751e00517ad0. This same PDF decoy document was also used in previous APT1 samples including (but not limited to):
Links to other Activity
This same PE resource was also used in a number of other samples deployed by the “Menupass” group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include (but are not limited to):
|21567cce2c26e7543b977a205845ba77||2012 06 26 05:17:52||nasa.xxuz.com|
|001b8f696b6576798517168cd0a0fb44||2012 11 13 07:19:03||google.macforlinux.net|
This shared PE resource between what is believed to be two distinct groups (likely APT1, and Menupass) can be explained by either of the following:
- APT1 and Menupass are actually one and the same
- APT1 and Menupass share “binder” tools
It is unlikely that APT1 and Menupass represent the same group. We have observed no other overlaps in infrastructure or tools between these two groups. A more likely possibility is that the shared resource between APT1 and the Menupass group is a binder tool.
A binder tool enables a malicious actor to add an innocuous-looking icon, such as a PDF document icon, to a malicious dropper. This technique facilitates social engineering, presenting the end user with a file that looks like a PDF document rather than an executable. Figure 1 shows a builder that enables actors to bind a JPG image icon to a malicious executable.
Based on the evidence provided, the following are possibilities:
- The Siesta campaign was executed by APT1
- An unknown group using tools and tactics shared by APT1 executed the Siesta campaign
Although we are not certain that APT1 is responsible for the Siesta activity, this current campaign shares a number of distinct characteristics with previous activity attributed to APT1.
Regardless of which group is responsible for this campaign, our analysis highlights the importance of monitoring for known indicators. As shown above, monitoring for previously disclosed indicators of compromise (IOCs), even IOCs that are years old, can yield value.
Additionally, monitoring for IOCs and attributes of malware that are shared by multiple groups may also improve the effectiveness of your network defense operations. In this example, implementing detection for executables with a PE resource with a SHA256 hash of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd would detect both Menupass and APT1 samples.