Asia; government agencies; and non-governmental organizations focused on international
relations and defense. These compromised sites belonged to organizations located all around
the globe, including places like Iran, Iraq, Zambia, Italy, Afghanistan, Qatar, and Ecuador.


The group placed code on each site that redirected visitors to a malicious site. If the visitor had
an IP address that was of interest, the person would be served an exploit kit the next time they
returned to the compromised site. To avoid detection, these compromised sites were not always
used to serve code – instead, the attackers would stop using a specific site altogether for a time
in order to stay under the radar.

In one instance, the group was also observed using spear phishing to compromise a target.
When it comes to exploits, the group relied on old vulnerabilities such as CVE-2011-3544 and
CVE-2010-0738 to compromise its targets. Thus far, no zero-day vulnerabilities are known to
have been used in its attacks.

SOPHISTICATED ADVERSARY


TG-3390 has many tools in its toolbox. Some of them are exclusive, while others are shared
among a small group of Chinese threat groups. Malware used by the threat group can be
configured to bypass network-based detection, and the group’s obfuscation techniques in SWCs
complicate detection of malicious web traffic redirects.

Once inside the targeted network, the attackers go for the domain controller, which gives them
access to credentials for a variety of users. The attackers were observed moving laterally to
other hosts in as little as two hours after penetrating the network. Data exfiltration has been
observed beginning almost four weeks after the initial compromise and continuing for two
weeks.

In addition to going after the domain controller, the attackers also move to install a keylogger
and backdoor on Microsoft Exchange servers. To compromise the Exchange Server, the
attackers obtain credentials for a privileged account and map a network share to the server. The
servers make for attractive targets because their criticality to business operations means they
have high availability. The backdoor also guarantees the attackers a way to steal credentials
and get back into the network in the event they are booted out.
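The Exchange backdoor described above is, as the page notes further on, installed as an ISAPI filter (OwaAuth). The following defender-side audit of that persistence point is an added example, not code from the original article: it parses an IIS applicationHost.config and flags ISAPI filters whose DLL loads from outside an assumed baseline of trusted directories. The config excerpt, DLL names, and the baseline directories are constructed assumptions, not real OwaAuth artifacts.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed excerpt of an IIS applicationHost.config (not taken from a real server).
# Real files also nest <isapiFilters> under <location> elements, which is why the
# audit walks the whole tree rather than one fixed XPath.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="ExchangeSampleFilter" enabled="true"
              path="C:\Program Files\Microsoft\Exchange Server\V15\Bin\sample_filter.dll" />
    </isapiFilters>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <isapiFilters>
        <filter name="OwaAuth" enabled="true" path="C:\inetpub\wwwroot\owaauth.dll" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>
"""

# Assumed baseline: directories from which ISAPI filters are expected to load on an
# Exchange front end. Adjust to the install paths of the server being audited.
TRUSTED_DIRS = [
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server"),
]


def _is_trusted(dll_path, trusted_dirs):
    """True if dll_path lies under a trusted directory (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(dll_path)
    return any(d == p or d in p.parents for d in trusted_dirs)


def audit_isapi_filters(config_xml, trusted_dirs=TRUSTED_DIRS):
    """Return every ISAPI <filter> whose DLL loads from outside the trusted directories.

    Each finding records the filter name, DLL path, whether IIS has it enabled and
    the <location> it is scoped to ("<global>" for the server-wide section).
    An empty or malformed path is never trusted, so broken entries are reported too.
    """
    root = ET.fromstring(config_xml)
    parent = {child: p for p in root.iter() for child in p}

    def scope_of(el):
        while el is not None:
            if el.tag == "location":
                return el.get("path", "")
            el = parent.get(el)
        return "<global>"

    findings = []
    for isapi in root.iter("isapiFilters"):
        for filt in isapi.findall("filter"):
            path = filt.get("path", "")
            if not _is_trusted(path, trusted_dirs):
                findings.append({
                    "name": filt.get("name", ""),
                    "path": path,
                    "enabled": filt.get("enabled", "true").lower() == "true",
                    "scope": scope_of(isapi),
                })
    return findings


if __name__ == "__main__":
    for f in audit_isapi_filters(SAMPLE_CONFIG):
        print(f"[{f['scope']}] {f['name']} -> {f['path']} (enabled={f['enabled']})")
```

On a live server the same function can be pointed at %windir%\System32\inetsrv\config\applicationHost.config, and any flagged DLL should be hashed and compared against the vendor's shipped binaries before being treated as benign.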

In addition to PlugX, the group uses multiple tools leveraged by other threat groups.
HttpBrowser (also known as TokenControl), for example, allows them to spawn a reverse shell,
upload or download files and capture keystrokes on a compromised machine. They also use a
Web-based executable script known as the ‘ChinaChopper’ web shell, as well as a web
application scanning tool known as ‘Hunter’ that can identify vulnerabilities in Tomcat, JBoss
and ColdFusion, identify open ports, collect web banners and download secondary
files.

Two of the tools used by the attackers – ASPXTool and the OwaAuth web shell – appear to be
totally exclusive to the group. OwaAuth is a web shell and credential stealer deployed to
Exchange Servers and is installed as an ISAPI filter. ASPXTool meanwhile is a modified version

36 Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide