Advanced Persistent Threats: recent targeted espionage and collaboration.
In this post we will look at the matching code patterns in targeted malware from APTs that have recently been observed in organised cybercrime activity.
Assertion after Analysis (APTs Collaborating)
APT-C-41, APT40, APT28, APT39, APT29, UNC2452, UNC2546, APT37 and APT38.
Starting with StrongPity and the Chinese APT tool SManager.
The entry functions of the APT-C-41 and APT40 malware are quite similar. StrongPity ships its backdoor as an executable, whereas APT40 delivers its cyber espionage tool as a .dll.
Looking at the “system_info_fetcher” and “thread_ps_info_store” functions in both samples, we can conclude that these functions are responsible for collecting the details of the system. Both functions are shown below.
The function that follows these in both samples is effectively the main function: it carries out the system triage through malicious .dll loading and file operations on the system. Both functions are shown below.
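The entry-function comparison above, and the later assertions, rest on two disassembled functions "looking alike". Below is an added example (not code from the original post) of how an analyst can put a number on that: normalise instruction mnemonics into coarse classes, then score the two functions by weighted Jaccard similarity of their opcode trigrams. The three mnemonic sequences are constructed for illustration and are not taken from the StrongPity or SManager samples.

```python
"""Opcode n-gram similarity between two disassembled functions.

Added example, not from the original post. Input is the list of instruction
mnemonics you would export from a disassembler for one function; the sample
sequences at the bottom are constructed, not real malware.
"""
from collections import Counter

# Collapse mnemonics into coarse classes so register allocation and the
# compiler's choice of jcc/mov variants do not hide a shared structure.
_CLASSES = {"mov": "MOV", "lea": "MOV", "movzx": "MOV", "movsx": "MOV",
            "xchg": "MOV", "retn": "RET"}
_JCC = {"jz", "je", "jnz", "jne", "ja", "jae", "jb", "jbe",
        "jg", "jge", "jl", "jle", "js", "jns"}

def normalize(mnemonics):
    """Map raw mnemonics to coarse instruction classes (e.g. je -> JCC)."""
    out = []
    for m in mnemonics:
        m = m.lower()
        out.append("JCC" if m in _JCC else _CLASSES.get(m, m.upper()))
    return out

def ngrams(seq, n):
    """Multiset of n-grams over an instruction class sequence."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))

def similarity(func_a, func_b, n=3):
    """Weighted Jaccard similarity of the n-gram multisets, 0.0 .. 1.0.
    Two empty (or too short) functions score 0.0 rather than dividing by zero."""
    a, b = ngrams(normalize(func_a), n), ngrams(normalize(func_b), n)
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 0.0

def shared_ngrams(func_a, func_b, n=3):
    """The n-grams both functions contain: what an analyst would eyeball next."""
    a, b = ngrams(normalize(func_a), n), ngrams(normalize(func_b), n)
    return sorted(" ".join(g) for g in (a & b))

# Constructed mnemonic sequences for illustration only (not real samples).
SAMPLE_A = ["push", "mov", "sub", "push", "call", "test", "jz", "push",
            "call", "mov", "call", "jne", "pop", "pop", "leave", "ret"]
SAMPLE_B = ["push", "mov", "sub", "push", "push", "call", "test", "je",
            "call", "lea", "call", "jnz", "pop", "pop", "mov", "pop", "ret"]
UNRELATED = ["mov", "xor", "cmp", "jae", "shl", "add", "loop", "ret"]

if __name__ == "__main__":
    print(f"A vs B: {similarity(SAMPLE_A, SAMPLE_B):.3f}")
    print(f"A vs unrelated: {similarity(SAMPLE_A, UNRELATED):.3f}")
    print("shared trigrams:", shared_ngrams(SAMPLE_A, SAMPLE_B))
```

A score near 1.0 means near-identical control structure; a score near 0.0 means the functions share almost no instruction patterns, so a similarity claim should then rest on something other than the entry function.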
MITRE ATT&CK Common Techniques [TTPs]
Moving on to the next assertion on APT collaboration.
Assertion of APT40 and APT28 collaboration, based on the APT40 “SManager” backdoor and the APT28 “Zebrocy Nim Keylogger” and “ComRat”.
In the APT40 and APT28 samples (the SManager backdoor, the Zebrocy Nim keylogger and the ComRat remote access tool) the entry function is similar, as in the previous assertion; what is interesting in this asserted collaboration is the way these samples communicate with their command and control (C&C) servers.
MITRE ATT&CK Common Techniques [TTPs]
Moving on to the next assertion, on APT39 and UNC2452 collaboration.
This time the malware is written in .NET. The samples for this assertion are MuddyWater, from the Iranian APT group, and the malware observed in the targeted SolarWinds Orion hacks, SUNBURST and SUPERNOVA.
The way these samples were developed shows several similar patterns.
MITRE ATT&CK Common Techniques [TTPs]
Moving on to the last assertion, on the collaboration of UNC2452 (APT29), APT38, APT37, APT40 and APT39.
When these APTs develop C/C++ based malware, they either deploy a socket dynamic link library to create a service that communicates with the C&C server, or they use a pipe server for communication with the command and control server.
MITRE ATT&CK Common Techniques [TTPs]
Indicators of Compromise [IOCs]
For samples from the report:
For those of you asking how I attributed SManager to APT40 instead of APT17: it is because of the following blog in the References, research from the cyber security firm “FireEye” from around early 2020, in which “APT17” was cited in connection with the Chinese APT40. And for those who were asking how I cited UNC2452 (which must be part of APT29) as the culprit in these espionage operations: it is because the U.S. Government accused Russian GRU and Chinese Govt. hackers for the SolarWinds Orion hacks. There is an active threat report about Chinese APT from Reuters recently.
From FireEye Blogs:
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day…
Light in the Dark: Hunting for SUNBURST
Today, nation-state groups and other adversaries have the resources and expertise to evade detection successfully while…
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims…
Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as…
UNC2452 (Threat Actor)
Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial…
From MITRE ATT&CK:
Identifying UNC2452-Related Techniques for ATT&CK
Tracking UNC2452-related reporting as we look to update ATT&CK.
From White House Briefings:
From Security Affairs:
China-linked APT40 group hides behind 13 front companies
A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked…
Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency - sources
WASHINGTON (Reuters) - Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break…
From Threat Intel Community Platforms:
AlienVault - Open Threat Exchange
Learn about the latest online threats. Share and collaborate in developing threat intelligence. Protect yourself and…
IronNetInjector: Turla's New Malware Loading Tool
In recent years, more and more ready-made malware is released on software development hosting sites available for…
SUPERNOVA: A Novel .NET Webshell, an Analysis
The actors behind the supply chain attack on SolarWinds' Orion software have demonstrated a high degree of technical…
Threat Brief: SolarStorm and SUNBURST Customer Coverage
On Sunday, Dec. 13, FireEye released information related to a breach and data exfiltration originating from an unknown…
Internals of SunBurst Malware.
SolarWinds Hacks to Analysis of SunBurst Malware.
Reversing APT Tool: SManager (Unpacked)
Reversing highly sophisticated espionage tool from Chinese APT group.
Internals of Lazarus Operation Dream Job
Reverse Engineering Torisma and LCPDot Malware.
Uncovering APT-C-41 (StrongPity) Backdoor
Reverse Engineering tool of Turkish Espionage and Cyber Crime Group.
Uncovering SUPERNOVA Malware
Another Sophisticated .Net Malware from SolarWinds Hacks Internals
Reversing APT-28 64-bit Keylogger [Zebrocy Nim] [TLP: White]
In-depth Static and Dynamic Analysis of Zebrocy Nim.