Capturing a bit of today’s military zeitgeist, at least one decoy document centered on unmanned attacks, or drone use, by the Pakistan military – and the overall attack appears to be tailored for entities that develop such technology.
FireEye Labs has linked the attacks to the China-based Comment Group hacker collective (a prolific actor believed to be affiliated with the Chinese government), and Operation Beebus. Beebus is an ongoing advanced persistent threat (APT) designed to steal information for cyber-espionage purposes, and related to Operation ShadyRAT. It begins its infiltration, as so many attacks do, with spear-phishing emails – in this recent case, those mentioning drone tech. From there, the command & control (C&C) infrastructure is similar to earlier Beebus attacks, as are the targets and timeline observed. Also, several IP addresses were found to be overlapping.
“As we uncover more targets related to these attacks, we are seeing a common link between them: unmanned vehicles, also known as drones,” explained the security firm, in a blog. “The set of targets cover all aspects of unmanned vehicles, land, air and sea, from research to design to manufacturing of the vehicles and their various subsystems. Other related malware have been discovered through the same C&C infrastructure that have a similar set of targets, that when included bring the total number of targets to more than 20 as of this writing. These targets include some in academia which have received military funding for their research projects relating to unmanned vehicles.”
The theme of these attacks appears to be specifically South Asia politics. “The hints scattered throughout the documents and domain registrant information were laid on pretty thick which is something to be wary of,” FireEye noted. “The only legible, sensible decoy document observed so far is revealing of the interests of at least one of the targets of this campaign: namely the military threat of Pakistan against India and its growing relationships with other countries including China.”
Technically, these attacks are exploiting previously discovered vulnerabilities via document files delivered by email in order to plant a previously unknown backdoor onto victim systems. Both RTF and XLS files were used for delivery.
Two different versions of the same backdoor were used in all of these attacks, which FireEye has dubbed “Mutter.” Mutter is HTTP proxy aware, and attempts to determine if a proxy is required and what the proxy details are if necessary.
“In every case we have found, the main component is a DLL dropped by an executable compiled minutes after the DLL,” FireEye said in its forensic breakdown. “The dropper shares the same decoding functions as the DLL and performs some modifications on the DLL that will be described later. There was one unique case we found where the initial dropper was a self-extracting archive that utilizes Visual Basic and batch scripts to download and install the DLL instead of extracting it from a resource.”
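The "dropper compiled minutes after the DLL" relationship is something a triage script can check directly. The following is an added example, not FireEye's code or anything from the Beebus report: it reads the COFF TimeDateStamp from two PE images and flags a pair where the dropper was built shortly after the DLL it carries. The minimal MZ/PE header stubs are constructed for the example, and the ten-minute window is an assumption.

```python
import struct

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def build_stub_pe(timestamp: int) -> bytes:
    """Constructed header-only stub (not a runnable binary) used as sample input."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(hdr) + b"PE\0\0" + coff

def compile_gap_seconds(dropper: bytes, dll: bytes) -> int:
    """Dropper build time minus DLL build time; positive means dropper built later."""
    return pe_timestamp(dropper) - pe_timestamp(dll)

def flag_tight_build_pair(dropper: bytes, dll: bytes, window_s: int = 600) -> bool:
    """Heuristic: dropper compiled within `window_s` seconds *after* its payload DLL.
    Timestamps are attacker-controlled, so treat a hit as corroboration, not proof."""
    gap = compile_gap_seconds(dropper, dll)
    return 0 <= gap <= window_s

if __name__ == "__main__":
    # Constructed sample: DLL built first, dropper three minutes later.
    base = 1359000000
    dll = build_stub_pe(base)
    dropper = build_stub_pe(base + 180)
    print("gap (s):", compile_gap_seconds(dropper, dll))
    print("tight build pair:", flag_tight_build_pair(dropper, dll))
```

Run it against the real dropper and the DLL extracted from its resource section; a hit alone is weak, but combined with shared decoding routines it supports the same-toolchain conclusion.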
Mutter also appears to employ techniques to possibly evade dynamic malware analysis systems – a tactic that is becoming increasingly common. For instance, the recently discovered BadNews malware uses a server to delay the execution of its malicious behavior – and avoid detection.
“This has been an ongoing trend in malware development that we and others have observed several times in the past,” said FireEye. “The malware author will add code to delay the execution of the important functionality for some period of time with the idea being that if the malware stalls for long enough, the dynamic malware analysis system will give up on it and pass it off as benign. This malware has two routines that we could find no other purpose than for such an evasion.”