APT1: Q&A on Attacks by the Comment Crew

Today Mandiant released a detailed report dubbed "APT1" which focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q&A briefly outlines some of the relevant Symantec information around this group:

Q: Do Symantec and Norton products protect against threats used by this group?

Yes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec.cloud and Symantec Mail Security for Microsoft Exchange also detect the targeted emails used by this group.

Q: Has Symantec been aware of the activities of the Comment Crew?

Yes. Symantec has been actively tracking the work of the Comment Crew for a period of time to ensure that the best possible protection is in place for the different threats used by this group.

Q: Why are they called the Comment Crew?

They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
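As an added example that is not part of the original post, a defender-side triage heuristic for this technique: it pulls every HTML comment out of a fetched page and flags those that look like encoded data rather than prose. The post does not say how the group encoded its instructions, so the base64/entropy heuristic, its thresholds and the sample page are constructed assumptions.

```python
import base64
import math
import re
from html.parser import HTMLParser

# Shape of a base64 blob: base64 alphabet only, then optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def shannon_entropy(text):
    """Bits per character; compact encoded data scores higher than prose."""
    if not text:
        return 0.0
    probs = [text.count(ch) / len(text) for ch in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def decodes_as_base64(token):
    try:
        base64.b64decode(token, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def suspicious_comments(html, min_len=16, min_entropy=4.0):
    """Return comments that look like encoded data rather than prose
    (constructed heuristic: spaceless, long, base64-shaped or high-entropy)."""
    parser = CommentCollector()
    parser.feed(html)
    flagged = []
    for comment in parser.comments:
        if " " in comment:  # prose-like comments are not considered
            continue
        token = "".join(comment.split())  # tolerate line breaks inside a blob
        if len(token) < min_len:
            continue
        looks_b64 = bool(BASE64_RE.match(token)) and decodes_as_base64(token)
        if looks_b64 or shannon_entropy(token) >= min_entropy:
            flagged.append(comment)
    return flagged

# Constructed sample page: one ordinary comment and one encoded blob.
SAMPLE_HTML = ("<html><body><!-- page generated by the site template -->"
               "<p>Welcome</p><!-- aHR0cDovL2V4YW1wbGUuY29tL2NtZA== --></body></html>")
```

Run against proxy-captured responses from hosts already under investigation, this narrows review to comments worth decoding by hand rather than acting as a standalone verdict.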

Q: How does a victim get infected?

The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:

  • U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
  • Instruction_of_KC-135_share_space.doc
  • New contact sheet of the AN-UYQ-100 contractors.pdf
  • U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
  • ArmyPlansConferenceOnNewGCVSolicitation.pdf
  • Chinese Oil Executive Learning From Experience.doc
  • My Eight-year In Bank Of America.pdf

As Symantec indicated in a recent blog, if the malicious attachment is opened, it attempts to use an exploit against the victim's system. It drops the malicious payload as well as a clean document to keep the ruse going.

Q: Does Symantec know who this group is targeting?

Yes. Symantec telemetry has identified many different industries being targeted by this group including Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services. The following figure shows a worldwide heatmap for detections related to this group since the beginning of 2012.

Figure. Heatmap of Comment Crew related detections

Q: Currently, what are the most prevalent threats being used by this group?

In the last year, Symantec has identified the most prevalent threats used by this group as Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.

Q: Has Symantec released any publications around these attacks?

Yes. We have recently released publications to address techniques and targets of Trojan.Ecltys and Backdoor.Barkiofork, both of which are threats used by this group:

We have also investigated associated attacks of this group:

Q: What are the Symantec detection family names for threats used by this group?

Symantec also detects numerous other files used by this group under various detection names:

Q: Does Symantec have IPS protection for these threat families?

Yes. There are several IPS signatures to catch threat families associated with this group:

Q: How will this report affect the Comment Crew operations?

Despite the exposure of the Comment Crew, Symantec believes they will continue their activities. We will continue to monitor activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like the Comment Crew.

Nitro attackers have some gall

Authored by Tony Millington and Gavin O’Gorman

The intercepted email in this blog was provided by Symantec.cloud.

The Nitro Attacks whitepaper, published by Symantec Security Response, was a snapshot of a hacking group’s activity spanning July 2011 to September 2011. The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi: they email targets a password-protected archive containing a malicious executable. The executable is a variant of Poison IVY and the email topic is some form of upgrade to popular software, or a security update. The most recent email (Figure 1) brazenly claims to be from Symantec and offers protection from “poison Ivy Trojan”!

Figure 1 Fake malicious email

Furthermore, the attachment itself is called “the_nitro_attackspdf.7z”. The attachment archive contains a file called “the_nitro_attackspdf                            .exe”. (The large gap between the “pdf” and “.exe” is a basic attempt to fool a user into assuming that the document is a PDF, when it is really a self-extracting archive.)
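As an added example that is not part of the original post, a mail-gateway style check for the two disguises described here (whitespace padding before the real extension, and a decoy document extension such as .doc.exe), run over the attachment names from Table 1 below; the extension lists and function names are this example's own choices.

```python
# Decoy document extensions and real executable extensions used by the
# check (constructed lists for this example, not a Symantec definition).
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".ppt", ".txt")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def analyse_attachment_name(name):
    """Return the reasons a filename looks like a disguised executable;
    an empty list means the name itself shows nothing suspicious."""
    reasons = []
    stem, dot, ext = name.lower().rpartition(".")
    ext = "." + ext if dot else ""
    if ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    # Whitespace between the visible name and the real extension,
    # e.g. "the_nitro_attackspdf          .exe".
    if stem != stem.rstrip():
        reasons.append("whitespace padding before executable extension")
    visible = stem.rstrip()
    for doc_ext in DOCUMENT_EXTENSIONS:
        # Decoy extension directly before the real one, e.g. "123.doc.exe".
        if visible.endswith(doc_ext):
            reasons.append(f"decoy document extension {doc_ext} before {ext}")
            break
        # Document type fused to the stem without its dot, e.g. "...attackspdf.exe".
        if visible.endswith(doc_ext[1:]):
            reasons.append(f"document type name '{doc_ext[1:]}' fused to stem")
            break
    return reasons

# Attachment names from Table 1 of this post, plus one ordinary document.
SAMPLE_NAMES = [
    "the_nitro_attackspdf          .exe",
    "123.doc.exe",
    "learning materials.doc .exe",
    "Adobe Reader Update.exe",
    "Q329834_WXP_SP2_ia364_ENU.exe",
    "quarterly_report.pdf",
]

def triage(names):
    """Map each flagged name to its reasons; clean names are left out."""
    return {n: analyse_attachment_name(n) for n in names if analyse_attachment_name(n)}
```

Names such as "Adobe Reader Update.exe" pass this check unflagged, which is why a name heuristic complements, rather than replaces, scanning of the attachment content itself.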

Figure 2 Contents of the attachment, including the genuine report

When the self-extracting executable runs, it creates a file called lsass.exe (Poison IVY) and a PDF file. This PDF file is none other than our own Nitro Attacks document! The attackers, in an attempt to lend some validity to their email, are sending targets a document that describes their very own activity.

The threat, lsass.exe, copies itself to “%System%\web\service.exe” and attempts to connect to the domain “luckysun.no-ip.org”. This domain resolves to an IP, which is hosted by the same hosting provider that hosted most of the previously encountered IP addresses. Figure 3 is a partial graph of the domains involved, including the most recent activity.

Figure 3 Network map

Table 1 lists the latest emails intercepted by Symantec.cloud and the MD5s of the associated threat samples.

| Subject | File name | MD5 | Detection |
| --- | --- | --- | --- |
| Symantec Security Warning! | The_nitro_attackspdf .exe | 90e793e64e63317db15f4a64be8b56f9 | Trojan.ADH |
| so funny | 123.doc.exe | 0b1b0fe45a179f75a5c4c3bad21ca185 | Backdoor.Bifrose |
| N/A | learning materials.doc .exe | eb404fe1eec399127ac39336427503ac | Backdoor.Bifrose |
| adobe update | Adobe Reader Update.exe | d3ee44d903876bd942fc595c96151df8 | Trojan.ADH |
| Adobe Reader Upgrade Rightnow! | Install_ reader10_en_air_gtbd_aih.exe | d6404d5c7a65a23d8d1687fe1549d21e | Backdoor.Odivy |
| Safety Tips | Q329834_WXP_SP2_ia364_ENU.exe | 14c9d01d152e25e98e6ee8758ecfa9a8 | Trojan.Dropper |

Table 1. Most recent emails and samples

Despite the publication of the whitepaper, this group persists with its activities unchecked. They are using the exact same techniques - even the same hosting provider for their command-and-control (C&C) servers. The domains have been disabled, and Symantec has contacted the relevant IP hosting provider and continues to block the emails through the .cloud email scanning service.

Symantec.cloud customers have been and continue to be protected from attacks performed by this group.

12 Million Exploit Attacks Originating from the CO.CC Domain

Symantec’s telemetry has shown over 12 million Intrusion Prevention Signature (IPS) hits on subdomains of the ‘CO.CC’ domain in the last six months. Anyone somewhat familiar with the top-level domain-naming hierarchy might be led to believe that CO.CC is an official second-level domain similar to CO.UK; this, however, is not the case. .CC is the Internet country code top-level domain (ccTLD) for the Cocos (Keeling) Islands, an Australian territory. "CO.CC" is not an official hierarchy; it is a domain owned by a company that offers free subdomains and other services such as URL forwarding. The terms and conditions for use of the ‘CO.CC’ Web site can be found here.

The CO.CC domain itself is legitimate and has over eight million legitimate website URLs registered on its subdomains. However, wherever a free service exists, it is susceptible to abuse by malware distributors. A malware distributor can register several free subdomains and use the URL forwarding service to point them all to one domain hosting a crimeware exploit pack. In this way an attacker can stage the attack through redirection and try to mask the final URL hosting the exploit pack, which in turn makes blacklisting malicious URLs more difficult. In our analysis, we have seen numerous exploit packs, such as Blackhole, Fragus, Phoenix, Crimepack, K0de, and Eleonore, associated with CO.CC subdomains.


This may not sound very innovative to some readers, as in the past we have seen other free services, such as free dynamic DNS sites, being abused by malware distributors. Attacks such as Hydraq (Aurora) highlighted the use of dynamic DNS by attackers and led numerous companies to block the use of dynamic DNS sites on their networks. The use of free services on sites such as the one highlighted in this blog has given attackers another avenue for performing their attacks.
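As an added example, not from the original post, proxy-log triage that treats CO.CC (and, for the dynamic DNS case just mentioned, the no-ip.org zone named in the Nitro post above) as zones whose subdomains are handed out to third parties, matching on label boundaries so that the apex co.cc itself, notco.cc and co.cc.example.com are not flagged; the zone list, log lines and function names are constructed.

```python
from urllib.parse import urlsplit

# Zones that hand out free subdomains to third parties (constructed list:
# co.cc is the zone discussed above, no-ip.org the dynamic DNS zone seen
# in the Nitro post).
FREE_SUBDOMAIN_ZONES = ("co.cc", "no-ip.org")

def hostname_of(url):
    """Lower-cased host of a URL without port or trailing dot ('' if none)."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def zone_of(host, zones=FREE_SUBDOMAIN_ZONES):
    """Return the zone a host lies strictly beneath, or None.
    Matching is on label boundaries, so the apex itself and look-alikes
    such as 'notco.cc' or 'co.cc.example.com' do not match."""
    labels = host.split(".")
    for zone in zones:
        zlabels = zone.split(".")
        if len(labels) > len(zlabels) and labels[-len(zlabels):] == zlabels:
            return zone
    return None

def flag_log_lines(lines):
    """Return (host, zone) for each proxy log line (timestamp URL status)
    whose URL points beneath a free-subdomain zone."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        host = hostname_of(parts[1])
        zone = zone_of(host)
        if zone:
            hits.append((host, zone))
    return hits

# Constructed proxy log lines: timestamp, requested URL, HTTP status.
SAMPLE_LOG = [
    "2011-11-02T10:01:07Z http://sub1.co.cc/index.php 302",
    "2011-11-02T10:01:08Z http://www.notco.cc/ 200",
    "2011-11-02T10:01:09Z http://co.cc.example.com/ 200",
    "2011-11-02T10:02:13Z http://luckysun.no-ip.org:443/ 200",
    "2011-11-02T10:03:44Z https://www.example.co.uk/news 200",
]
```

A 302 on a flagged host is the redirection stage described above, so the Location header of that response is what the analyst follows next.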

In our research, we have also identified variants of the following threats communicating with CO.CC subdomains.

Threats seen using CO.CC sub domains

As always, Symantec recommends that you keep your definitions up to date to ensure protection against threats mentioned in this blog.