A suspected Chinese APT group has been spotted raiding a UK government contractor for military and other sensitive documents.
APT15 is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon – a group operating for several years from servers registered in China and with Chinese-language infrastructure.
NCC Group claimed at the weekend that it spotted the group stealing sensitive documents from one of its clients, a government contractor, back in May.
It appeared to be using a blend of old and new tools: the previously seen backdoor BS2005 now appearing alongside newer versions, RoyalCli and RoyalDNS.
“All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key. We believe that APT15 could have employed this technique in order to evade behavioral detection, rather than due to a lack of sophistication or development capability,” explained the firm.
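The Run-key persistence described here is cheap to audit. The following is an added example, not code from the NCC Group report or from the article: it walks a list of Run-key entries (constructed sample data in the shape `reg query <key>` returns; the value names and paths are made up and are not indicators from the incident) and flags entries that launch a batch script or script host, or that start something from a directory a standard user can write to.

```python
"""Audit Windows Run-key autostart entries for the persistence pattern described
above: a batch script launched from a user-writable location via a Run value.

Added example, not code from the NCC Group report or the article. SAMPLE_ENTRIES
is constructed data in the shape `reg query <key>` returns; none of the values
or paths are real indicators from the incident."""
import re
from typing import Dict, List

# Run keys a persistence audit should cover (both hives, both registry views).
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Script files and script hosts: legitimate software rarely autostarts a .bat via Run.
SCRIPT_RE = re.compile(
    r"\.(bat|cmd|vbs|js|ps1)\b|\b(cmd|wscript|cscript|powershell)\.exe\b",
    re.IGNORECASE,
)
# Locations a standard user can write to, so no admin rights are needed to plant a file there.
USER_WRITABLE_RE = re.compile(
    r"%temp%|%appdata%|%localappdata%|%public%|\\users\\[^\\]+\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE,
)

# Constructed sample: (key, value name, command) as an audit script would collect them.
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[3], "WinUpdate", r"cmd.exe /c C:\Users\jsmith\AppData\Local\Temp\update.bat"),
    (RUN_KEYS[0], "Adobe ARM", r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
    (RUN_KEYS[3], "OneDrive", r'"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "svchost", r"C:\ProgramData\svc\run.cmd"),
]


def audit_run_entries(entries) -> List[Dict]:
    """Return one finding per suspicious entry, in input order."""
    findings = []
    for key, name, command in entries:
        reasons = []
        if SCRIPT_RE.search(command):
            reasons.append("script_or_script_host")
        if USER_WRITABLE_RE.search(command):
            reasons.append("user_writable_path")
        if not reasons:
            continue
        # A script is the strong signal; a user-writable path alone is common for
        # per-user software and only warrants review.
        severity = "high" if "script_or_script_host" in reasons else "medium"
        findings.append({"key": key, "name": name, "command": command,
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_ENTRIES):
        print(f"[{f['severity']}] {f['key']}\\{f['name']}: {f['command']} "
              f"({', '.join(f['reasons'])})")
```

On the sample data the two script-launching entries come back as high severity and the per-user OneDrive entry as medium, which is the expected split: the medium bucket is where a baseline or allowlist of known software belongs, while anything in the high bucket deserves a look at the script it points to.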
“Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as 'spwebmember'.”
APT15 also used the open source utility Mimikatz to dump credentials and generate Kerberos golden tickets, allowing the group to remain in the network in the event of password resets and other remediation activity.
Even after NCC Group kicked APT15 off the network, it regained access a fortnight later via the corporate VPN with a stolen VPN certificate, taken from a compromised host.
This highlights the sheer persistence of the group, hinting at a state-sponsored entity. This time it used a DNS backdoor, RoyalDNS, with persistence achieved via the 'Nwsapagent' service.
Great effort seems to have been made to minimize the use of malware, in order to remain undetected.
“Analysis of the commands executed by APT15 reaffirmed the group's preference to 'live off the land'. They utilized Windows commands in order to enumerate and conduct reconnaissance activities such as tasklist.exe, ping.exe, netstat.exe, net.exe, systeminfo.exe, ipconfig.exe and bcp.exe,” NCC Group explained.
“Lateral movement was conducted by a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts. APT15 then used a tool known as RemoteExec (similar to Microsoft's Psexec) in order to remotely execute batch scripts and binaries.”
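Both quoted behaviours, the burst of built-in reconnaissance commands and the C$-share lateral movement followed by remote execution, leave process-creation events that can be correlated per host. The following is an added example, not code from NCC Group or the article: it triages a list of Sysmon event 1 / Security 4688 style records (constructed sample data; the host names, user, timestamps and the RemoteExec path are made up) and reports hosts with several distinct recon tools inside a short window, hosts whose command lines reference another host's admin share, and hosts where a remote-execution utility appears as parent or image.

```python
"""Triage Windows process-creation events (Sysmon event 1 / Security 4688 style)
for the two behaviours quoted above: bursts of built-in reconnaissance commands,
and lateral movement via the C$ admin share plus a remote-execution tool.

Added example, not code from NCC Group or the article. SAMPLE_EVENTS is
constructed data; host names, user, timestamps and the RemoteExec path are
made up for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Built-in binaries the article lists as the group's reconnaissance toolset.
RECON_BINARIES = {"tasklist.exe", "ping.exe", "netstat.exe", "net.exe", "net1.exe",
                  "systeminfo.exe", "ipconfig.exe", "bcp.exe"}
# A UNC path to an administrative share, e.g. \\host\C$ (host name captured in group 1).
ADMIN_SHARE_RE = re.compile(r"\\\\([\w.-]+)\\(?:c|admin)\$", re.IGNORECASE)
# Remote-execution utilities seen as parent or image; 'psexe' also covers PSEXESVC.
REMOTE_EXEC_RE = re.compile(r"remoteexec|psexe|paexec", re.IGNORECASE)

RECON_WINDOW = timedelta(minutes=10)
RECON_THRESHOLD = 4  # distinct recon tools on one host inside the window

SYS32 = "C:\\Windows\\System32\\"
CMD = SYS32 + "cmd.exe"


def ev(ts: str, host: str, parent: str, image: str, cmdline: str) -> Dict:
    """Build one process-creation record from constructed values."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


# Constructed sample events: one workstation doing recon and mounting a file
# server's C$ share, the file server running a script under RemoteExec, and a
# second workstation with ordinary, isolated use of ping and ipconfig.
SAMPLE_EVENTS = [
    ev("2018-05-14T09:00:01", "WS-042", CMD, SYS32 + "tasklist.exe", "tasklist /v"),
    ev("2018-05-14T09:00:10", "WS-042", CMD, SYS32 + "ipconfig.exe", "ipconfig /all"),
    ev("2018-05-14T09:00:25", "WS-042", CMD, SYS32 + "netstat.exe", "netstat -ano"),
    ev("2018-05-14T09:01:02", "WS-042", CMD, SYS32 + "systeminfo.exe", "systeminfo"),
    ev("2018-05-14T09:03:40", "WS-042", CMD, SYS32 + "net.exe",
       r"net use \\FS01\C$ /user:CORP\svc_backup *"),
    ev("2018-05-14T09:04:12", "WS-042", CMD, CMD,
       r"cmd.exe /c copy C:\Users\jsmith\AppData\Local\Temp\tools.bat \\FS01\C$\Windows\Temp\tools.bat"),
    ev("2018-05-14T09:05:30", "FS01", r"C:\Windows\Temp\RemoteExec.exe", CMD,
       r"cmd.exe /c C:\Windows\Temp\tools.bat"),
    ev("2018-05-14T10:15:00", "WS-017", r"C:\Windows\explorer.exe", SYS32 + "ping.exe",
       "ping -n 1 printer01"),
    ev("2018-05-14T10:20:00", "WS-017", r"C:\Windows\explorer.exe", SYS32 + "ipconfig.exe",
       "ipconfig"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict]) -> Dict[str, Dict]:
    """Return per-host findings; hosts with nothing suspicious are omitted."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        f = {"recon_burst": False, "recon_tools": set(),
             "admin_share_targets": set(), "remote_exec_events": 0}
        for i, e in enumerate(evs):
            if basename(e["image"]) in RECON_BINARIES:
                # Distinct recon tools started on this host within RECON_WINDOW of this one.
                window = {basename(x["image"]) for x in evs[i:]
                          if x["ts"] - e["ts"] <= RECON_WINDOW
                          and basename(x["image"]) in RECON_BINARIES}
                if len(window) >= RECON_THRESHOLD:
                    f["recon_burst"] = True
                    f["recon_tools"] |= window
            m = ADMIN_SHARE_RE.search(e["cmdline"])
            if m:
                f["admin_share_targets"].add(m.group(1).lower())
            if REMOTE_EXEC_RE.search(e["parent"]) or REMOTE_EXEC_RE.search(e["image"]):
                f["remote_exec_events"] += 1
        if f["recon_burst"] or f["admin_share_targets"] or f["remote_exec_events"]:
            findings[host] = f
    return findings


if __name__ == "__main__":
    for host, f in triage(SAMPLE_EVENTS).items():
        print(host, f)
```

The per-host view is what makes this useful: the workstation is flagged for both the recon burst and the C$ target it touched, the file server is flagged because its shell was spawned by the remote-execution tool, and the second workstation's two isolated commands stay below the threshold. In a real deployment the share target recorded on one host and the remote-exec parent on another are the pair to join, since that is the hop the article describes.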