www.proofpoint.com
Open in
urlscan Pro
2a02:e980:107::cf
Public Scan
URL:
https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology
Submission: On September 12 via api from US — Scanned from DE
Submission: On September 12 via api from US — Scanned from DE
Form analysis
3 forms found in the DOM/us
<form action="/us" data-region="us" data-language="en">
<input type="text" name="search_block_form" placeholder="Search">
<input type="submit">
</form>
<form id="mktoForm_9701" data-mkto-id="9701" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft js-visible mkto-form-processed" novalidate="novalidate" style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); width: 1601px;">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 150px;">
<div class="mktoAsterix">*</div>Business Email:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email *" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 200px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoFieldWrap mk-form__checkbox-field"><label for="blogInterest" id="LblblogInterest" class="mktoLabel mktoHasWidth mk-form__checkbox-label" style="width: 150px;">
<div class="mktoAsterix">*</div>Blog Interest:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div>
<div class="mktoLogicalField mktoCheckboxList mktoHasWidth" style="width: 200px;"><input name="blogInterest" id="mktoCheckbox_164135_0" type="checkbox" value="All"
aria-labelledby="LblblogInterest LblmktoCheckbox_164135_0 InstructblogInterest" class="mktoField" placeholder="AllSecurity Awareness TrainingThreat Insight"><label for="mktoCheckbox_164135_0"
id="LblmktoCheckbox_164135_0">All</label><input name="blogInterest" id="mktoCheckbox_164135_1" type="checkbox" value="Security Awareness Training" aria-labelledby="LblblogInterest LblmktoCheckbox_164135_1 InstructblogInterest"
class="mktoField" placeholder="AllSecurity Awareness TrainingThreat Insight"><label for="mktoCheckbox_164135_1" id="LblmktoCheckbox_164135_1">Security Awareness Training</label><input name="blogInterest" id="mktoCheckbox_164135_2"
type="checkbox" value="Threat Insight" aria-labelledby="LblblogInterest LblmktoCheckbox_164135_2 InstructblogInterest" class="mktoField" placeholder="AllSecurity Awareness TrainingThreat Insight"><label for="mktoCheckbox_164135_2"
id="LblmktoCheckbox_164135_2">Threat Insight</label></div><span id="InstructblogInterest" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees_Picklist__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="State" class="mktoField mktoFieldDescriptor mktoFormCol" value="State/Province" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="Website" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium_Detail__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="www-pfpt" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbasesid" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandBase_Data_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Primary_Product_Interest__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="UTM_Post_ID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmcampaign" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmterm" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="db_employee_count" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Unsubscribed" class="mktoField mktoFieldDescriptor mktoFormCol" value="0" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="9701" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="309-RHV-619" placeholder=""><input type="hidden" name="Website_Conversion_URL__c" class="mktoField mktoFieldDescriptor"
value="https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology">
</form>
<form data-mkto-id="9701" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>
Text Content
Skip to main content Products Solutions Partners Resources Company ContactLanguages Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence Proofpoint Essentials Sendmail Support Log-in Main Menu EMAIL SECURITY AND PROTECTION Defend against threats, ensure business continuity, and implement email policies. ADVANCED THREAT PROTECTION Protect against email, mobile, social and desktop threats. SECURITY AWARENESS TRAINING Engage your users and turn them into a strong line of defense against phishing and other cyber attacks. CLOUD SECURITY Defend against cyber criminals accessing your sensitive data and trusted accounts. COMPLIANCE AND ARCHIVING Reduce risk, control costs and improve data visibility to ensure compliance. INFORMATION PROTECTION Protect from data loss by negligent, compromised, and malicious users. DIGITAL RISK PROTECTION Protect against digital security risks across web domains, social media and the deep and dark web. PREMIUM SECURITY SERVICES Get deeper insight with on-call, personalized assistance from our expert team. PROTECT AGAINST INSIDER THREATS Get real-time insight into threats that can cause data loss and brand damage. Learn More SOLUTIONS BY TOPIC COMBAT EMAIL AND CLOUD THREATS Protect your people from email and cloud threats with an intelligent and holistic approach CHANGE USER BEHAVIOR Help your employees identify, resist and report attacks before the damage is done COMBAT DATA LOSS AND INSIDER RISK Prevent data loss via negligent, compromised and malicious insiders by correlating content, behavior and threats MODERNIZE COMPLIANCE AND ARCHIVING Manage risk and data retention needs with a modern compliance and archiving solution PROTECT CLOUD APPS Keep your people and their cloud apps secure by eliminating threats, avoiding data loss and mitigating compliance risk SECURE MICROSOFT 365 Implement the very best security and compliance solution for your Microsoft 365 collaboration suite DEFEND YOUR REMOTE WORKFORCE Secure access to corporate resources and ensure business continuity for your remote workers SOLUTIONS BY INDUSTRY Federal Government State and Local Government Higher Education Financial Services Healthcare Mobile Operators Internet Service Providers Small and Medium Businesses PARTNER PROGRAMS CHANNEL PARTNERS Become a channel partner. Deliver Proofpoint solutions to your customers and grow your business. ARCHIVE EXTRACTION PARTNERS Learn about the benefits of becoming a Proofpoint Extraction Partner. GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS Learn about our global consulting and services partners that deliver fully managed and integrated solutions. TECHNOLOGY AND ALLIANCE PARTNERS Learn about our relationships with industry-leading firms to help protect your people, data and brand. SOCIAL MEDIA PROTECTION PARTNERS Learn about the technology and alliance partners in our Social Media Protection Partner program. PROOFPOINT ESSENTIALS PARTNER PROGRAMS Small Business Solutions for channel partners and MSPs. PARTNER TOOLS Become a Channel Partner Channel Partner Portal Channel Buzz RESOURCE LIBRARY Find the information you're looking for in our library of videos, data sheets, white papers and more. BLOG Keep up with the latest news and happenings in the ever‑evolving cybersecurity landscape. PODCASTS Learn about the human side of cybersecurity. Episodes feature insights from experts and executives. THREAT GLOSSARY Learn about the latest security threats and how to protect your people, data, and brand. EVENTS Connect with us at events to learn how to protect your people and data from ever‑evolving threats. CUSTOMER STORIES Read how Proofpoint customers around the globe solve their most pressing cybersecurity challenges. WEBINARS Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity. Watch now to earn your CPE credits THREAT CENTER Learn about our threat operations center and read about the latest risks in our threat blog and reports. Learn More ABOUT PROOFPOINT Proofpoint is a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people. WHY PROOFPOINT Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. CAREERS Stand out and make a difference at one of the world's leading cybersecurity companies. NEWS CENTER Read the latest press releases, news stories and media highlights about Proofpoint. SUPPORT Access the full range of Proofpoint support services. Learn More United States United Kingdom France Germany Italy Spain Japan Australia Products Overview Email Protection Email Fraud Defense Threat Response Auto-Pull Sendmail Open Source Essentials for Small Business Overview Targeted Attack Protection in Email Email Isolation Threat Response Emerging Threats Intelligence Overview Simulated Phishing and Knowledge Assessments Training Modules, Videos and Materials Phishing Email Reporting and Analysis Business Intelligence Overview Browser Isolation Cloud Account Defense Cloud App Security Broker Web Security Zero Trust Network Access (ZTNA) Overview Capture & Monitor Content Capture Content Patrol Compliance Gateway Archiving Enterprise Archive Intelligent Supervision E-discovery Analytics NexusAI Compliance Overview Endpoint Data Loss Prevention (DLP) Enterprise Data Loss Prevention (DLP) Email Data Loss Prevention (DLP) Email Encryption Data Discover Insider Threat Management Overview Social Media Protection Domain Fraud Monitoring Executive and Location Threat Monitoring Overview Technical Account Managers Premium Threat Information Service Managed Services for Security Awareness Training People-Centric Security Program Managed Email Security Insider Threat Management Services Compliance and Archiving Services Consultative Services Products Solutions Partners Resources Company United States United Kingdom France Germany Italy Spain Japan Australia Login Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence Proofpoint Essentials Sendmail Support Log-in Contact EMAIL SECURITY AND PROTECTION Defend against threats, ensure business continuity, and implement email policies. ADVANCED THREAT PROTECTION Protect against email, mobile, social and desktop threats. SECURITY AWARENESS TRAINING Engage your users and turn them into a strong line of defense against phishing and other cyber attacks. CLOUD SECURITY Defend against cyber criminals accessing your sensitive data and trusted accounts. COMPLIANCE AND ARCHIVING Reduce risk, control costs and improve data visibility to ensure compliance. INFORMATION PROTECTION Protect from data loss by negligent, compromised, and malicious users. DIGITAL RISK PROTECTION Protect against digital security risks across web domains, social media and the deep and dark web. PREMIUM SECURITY SERVICES Get deeper insight with on-call, personalized assistance from our expert team. Overview Email Protection Email Fraud Defense Threat Response Auto-Pull Sendmail Open Source Essentials for Small Business Overview Targeted Attack Protection in Email Email Isolation Threat Response Emerging Threats Intelligence Overview Simulated Phishing and Knowledge Assessments Training Modules, Videos and Materials Phishing Email Reporting and Analysis Business Intelligence Overview Browser Isolation Cloud Account Defense Cloud App Security Broker Web Security Zero Trust Network Access (ZTNA) Overview Capture & Monitor Content Capture Content Patrol Compliance Gateway Archiving Enterprise Archive Intelligent Supervision E-discovery Analytics NexusAI Compliance Overview Endpoint Data Loss Prevention (DLP) Enterprise Data Loss Prevention (DLP) Email Data Loss Prevention (DLP) Email Encryption Data Discover Insider Threat Management Overview Social Media Protection Domain Fraud Monitoring Executive and Location Threat Monitoring Overview Technical Account Managers Premium Threat Information Service Managed Services for Security Awareness Training People-Centric Security Program Managed Email Security Insider Threat Management Services Compliance and Archiving Services Consultative Services PROTECT AGAINST INSIDER THREATS Get real-time insight into threats that can cause data loss and brand damage. Learn More SOLUTIONS BY TOPIC COMBAT EMAIL AND CLOUD THREATS Protect your people from email and cloud threats with an intelligent and holistic approach CHANGE USER BEHAVIOR Help your employees identify, resist and report attacks before the damage is done COMBAT DATA LOSS AND INSIDER RISK Prevent data loss via negligent, compromised and malicious insiders by correlating content, behavior and threats MODERNIZE COMPLIANCE AND ARCHIVING Manage risk and data retention needs with a modern compliance and archiving solution PROTECT CLOUD APPS Keep your people and their cloud apps secure by eliminating threats, avoiding data loss and mitigating compliance risk SECURE MICROSOFT 365 Implement the very best security and compliance solution for your Microsoft 365 collaboration suite DEFEND YOUR REMOTE WORKFORCE Secure access to corporate resources and ensure business continuity for your remote workers SOLUTIONS BY INDUSTRY Federal Government State and Local Government Higher Education Financial Services Healthcare Mobile Operators Internet Service Providers Small and Medium Businesses PARTNER PROGRAMS CHANNEL PARTNERS Become a channel partner. Deliver Proofpoint solutions to your customers and grow your business. ARCHIVE EXTRACTION PARTNERS Learn about the benefits of becoming a Proofpoint Extraction Partner. GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS Learn about our global consulting and services partners that deliver fully managed and integrated solutions. TECHNOLOGY AND ALLIANCE PARTNERS Learn about our relationships with industry-leading firms to help protect your people, data and brand. SOCIAL MEDIA PROTECTION PARTNERS Learn about the technology and alliance partners in our Social Media Protection Partner program. PROOFPOINT ESSENTIALS PARTNER PROGRAMS Small Business Solutions for channel partners and MSPs. PARTNER TOOLS Become a Channel Partner Channel Partner Portal Channel Buzz RESOURCE LIBRARY Find the information you're looking for in our library of videos, data sheets, white papers and more. BLOG Keep up with the latest news and happenings in the ever‑evolving cybersecurity landscape. PODCASTS Learn about the human side of cybersecurity. Episodes feature insights from experts and executives. THREAT GLOSSARY Learn about the latest security threats and how to protect your people, data, and brand. EVENTS Connect with us at events to learn how to protect your people and data from ever‑evolving threats. CUSTOMER STORIES Read how Proofpoint customers around the globe solve their most pressing cybersecurity challenges. WEBINARS Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity. Watch now to earn your CPE credits THREAT CENTER Learn about our threat operations center and read about the latest risks in our threat blog and reports. Learn More ABOUT PROOFPOINT Proofpoint is a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people. WHY PROOFPOINT Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. CAREERS Stand out and make a difference at one of the world's leading cybersecurity companies. NEWS CENTER Read the latest press releases, news stories and media highlights about Proofpoint. SUPPORT Access the full range of Proofpoint support services. Learn More Zeigen Sie weiterhin Inhalte für Ihren Standort an United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen Blog Threat Insight Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia CHINESE APT “OPERATION LAGTIME IT” TARGETS GOVERNMENT INFORMATION TECHNOLOGY AGENCIES IN EASTERN ASIA July 24, 2019 Michael Raggi and Dennis Schwarz with the Proofpoint Threat Insight Team Overview Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013 [1]. Delivery Proofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019. These campaigns originated from adversary-operated free email sender accounts at yahoo[.]co[.].jp and yahoo[.]com. Sender addresses often imitated common names found in the languages of targeted entities. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions. The lures used in the subjects, attachment names, and attachment content in several cases utilized information technology themes specific to Asia such as governmental or public training documents relating to IT. On one specific occasion an email utilized the subject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity & Interoperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the attachment name “190315_annex 1 online_course_agenda_coei_c&i.doc”. The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries. Figure 1: Example lure used by TA428 referencing an APAC IT conference We identified several government agencies targeted as part of Operation LagTime IT. These agencies are responsible for overseeing IT, scientific research, domestic affairs, foreign affairs, political processes, and financial development. Exploitation As we previously noted, the malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads. The exploit uses an encoded RTF object to drop a PE file to the Windows temporary directory. The dropped PE file has the distinctive file name “8.t”. When executed, writes a Word Add-In file with the “.wll” extension to the Windows Startup directory, which runs the next time Word is opened. It should be noted that this dropper methodology is not unique to TA428, and has been identified by security researchers in campaigns related to at least four additional Chinese APT groups. RTF files leveraging this technique have historically contained the string "objw871\\objh811\\objscalex8\\objscaley8" which has been noted by researchers at Anomali [2] and FireEye. Researchers have also recently observed this RTF weaponizer tool in commodity campaigns delivering Async RAT. After it is executed, the .wll file renames itself as RasTls.dll. Simultaneously, it decrypts a legitimate Symantec PE binary commonly named IntelGraphicsController.exe or AcroRd32.exe. This legitimate Symantec binary is used to side-load RasTls.dll using DLL search-order hijacking leading to the execution of Cotx RAT malware. Once executed the RasTls.dll file next resolves the addresses of the DLL libraries it is programmed to access and ensures that it is only running in one of five predetermined processes. These processes are winword.exe, excel.exe, powerpnt.exe, eqnedt32.exe, and acrord32.exe. The first four of these processes are associated with Microsoft Word, Excel, and PowerPoint exploits, as well as the Equation Editor exploit used by the initial malicious RTF in this campaign. The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above. The inclusion of the processes excel.exe and powerpnt.exe suggests that this stage one malware may be capable of utilizing .xls and .ppsx files as droppers. Researchers at SectorB06 [4] have noted this stage-one payload and indicated that throughout the above process it is running a “CheckRemoteDebuggerPresent” function to prevent analysis and debugging by researchers. Malware: Cotx RAT The RasTls.dll contains the Cotx RAT code. The malware is written in C++ using object-oriented programming. We named it by borrowing the name of the location of its stored configuration. The encrypted configuration is stored in the side-loaded DLL file RasTls.dll in a PE section named “.cotx”. The current encrypted configuration is also stored in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Java\user”. The configuration data is AES-192-encrypted using CBC mode and base64-encoded. We determined that the encryption key was "98151137ab12780969b2c3612072018709a83a3352466a8b" (hex-encoded) and the initialization vector “IV” was “2042123224315117031b1a0a3ccda53f” (hex-encoded). In plaintext the configuration appears as follows: *\x00\x00\x00217.69.8.255|||1.187.1.187|mark3|P@SSaw1||\x00\x00 The first four bytes contain the size of the configuration (42-bytes). The configuration is pipe delimited and contains: 1. C&C host 1 2. C&C host 2 3. C&C host 3 4. Definition of two C&C ports 1. An example string looks like an IP address: "1.187.1.187" 2. The string is split on "." 3. Port 1 is defined by (piece0 << 8) + piece1 = (1 << 8) + 187 = 443 4. Port 2 is defined by (piece2 << 8) + piece3 = (1 << 8) + 187 = 443 5. Alternatively, if the string is not an IP address, but looks like a host, it will resolve the host into an IP address and calculate the ports using the resolved address 5. "mark" field - sent in the C&C beacon 6. "passwd" field - sent in the C&C beacon 7. Proxy IP and port 1. Discovered by searching the IPv4 TCP connection table for established connections with remote ports using common proxy ports (3128, 8080, 808, 1080) 2. Or via WINHTTP_OPTION_PROXY For persistence, Cotx stores files in a directory “Intel\Intel(R) Processor Graphics”. The location of this folder varies among samples with both the %AppData% and %PROGRAMFILES% directories being observed. The command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS encrypted communication. The initial beacon contains “|”-delimited system information. The data included in the beacon is Zlib compressed and encrypted with AES-192 in CBC mode utilizing the same keys as the configuration. The following values are included: * "id" value from "software\\intel\\java" subkey * Computer name * "mark" field from configuration * Username * Windows version * Architecture * Possible malware version. "0.9.7" is hardcoded in the analyzed sample * Local IP addresses * First adapter's MAC address * Connection type (https or _proxy) * "password" field from configuration Commands from the C&C are received from the malware beacon. This data is AES-encrypted. We observed the following commands: * 0 - Keep alive, sets a "poll again" flag and sends an empty response to C&C * 1 - Sets "id" value in "software\\intel\\java" subkey, sends an empty response to C&C * 2 - Get directory info or drive info * 5 - Open command shell * 6 - Open command shell as logged in user * 7 - Send command to command shell * 8 - Copy file * 9 - Delete file * 10 - Read file * 11 - Check for filename. If doesn't exist, check for filename with ".ut" extension. If it exists, send file size back to C&C * 12 - Write file * 13 - Screenshot * 14 - Process listing * 15 - Kill process * 16 - Send current configuration to C&C * 17 - Update config in registry and ".cotx" PE section * 18 - Set sleep time * 19 - Close C&C comms * 20 - Uninstall and remove self * 21 - Get list of installed software * 22 - Kill command shell * 23 - Exit malware * 24 - Send a "Ctrl-C" to the command shell and exit * 25 - Execute an executable Malware: Poison Ivy TA428 threat actors also delivered Poison Ivy malware payloads. In a limited number of cases, we observed attachments utilizing the 8.t dropper methodology described above. However, the majority of Poison Ivy payloads were dropped as PE files named OSE.exe when the RTF attachment was executed and an Equation Editor vulnerability was successfully exploited. The Poison Ivy samples all communicated with the IP 95.179.131[.]29. We identified earlier variants of Poison Ivy malware that utilized the above IP via open source research, which used the file names bubbles.exe and sfx.exe. Examination of the Poison Ivy malware configurations indicated that all samples shared the password “3&U<9f*lZ>!MIQ” while campaign and group IDs, as well as mutexes varied across campaigns. We identified significant operational overlap between Cotx RAT campaigns and Poison Ivy campaigns. Specifically, on several occasions users that were unsuccessfully targeted with Cotx RAT malware were later targeted with messages distributing Poison Ivy. Users were also targeted by Poison Ivy malware on successive occasions indicating the adversary’s persistent nature in attempting to compromise targets via spear phishing. In one example, a targeted user received an unsuccessful phishing email attempting to deliver Cotx RAT followed by a Poison Ivy phishing email seven days later. In addition to a shared targeting list, analysts observed adversary reuse of free email sender accounts to deliver both Cotx RAT and Poison Ivy malware to different users. It appears the adversary sender accounts utilized delivery TTPs and payloads interchangeably from March through April 2019. This vacillation of tactics further enforces Proofpoint’s classification of these campaigns under a single operation. C&C Infrastructure An examination of the separate C&C infrastructure utilized by Cotx RAT and Poison Ivy payloads revealed further overlaps between these campaigns. A review of passive DNS information indicated that the C&C IPs hosted subdomains that share the root domain vzglagtime[.]net. We found that the Poison Ivy C&C IP hosted the domains f1news[.]vzglagtime[.]net and news[.]vzglagtime[.]net. The Cotx RAT C&C IP hosted the hostname mtanews.vzglagtime[.]net. The latter of these domains was previously reported by security researchers to have been a C&C address observed in a malware implant targeting the East Asian Telecommunications and Transportation sectors in January 2019. The presence of related domain registrations on disparate malware IP infrastructure also contributed to analysts’ decision to classify these campaigns collectively under Operation LagTime IT. Poison Ivy Cotx RAT C&C IP 95.179.131[.]29 217.69.8[.]255 Domains Hosted by IP f1news.vzglagtime[.]net news.vzglagtime[.]net mtanews.vzglagtime[.]net Conclusion Proofpoint analysts assess that Operation LagTime IT is likely a continuation of targeted activity by APT actors aligned with Chinese state interests. This operation, centered around East Asian governmental agencies, may represent efforts to satisfy espionage and intelligence requirements relative to China’s regional neighbors. While not revolutionary in its approach or malware design, TA428 actors demonstrated significant persistence in compromising victims and utilized custom malware. The defined scope of targeting in this operation including government information technology agencies demonstrates a focus on high-value targets. While ultimately the motivation for this APT campaign remains opaque, what is certain is that TA428 persists in targeting users responsible for the orchestration of governmental systems in East Asia. References [1] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf [2] https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain [3] https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt [4] https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/ Indicators of Compromise (IOCs) IOC IOC Type Description 304115cef6cc7b81f4409178cd0bcea2b22fd68ca18dfd5432c623cbbb507154 SHA256 Cotx RAT d0ccb9a277b986f7127199f122023c79a7e0253378a4a78806fbf55a87633532 SHA256 Cotx RAT 81898df69e28a084ea37b77b568ccde34afdf96122ab784f8a361f055281ed0f SHA256 Cotx RAT 93ac0ff3f01f8b8dfad069944d917e4b0798d42bc9ff97028e5a4ea8bda54dbc SHA256 Cotx RAT 3dbff4e82dd8ddf71f9228f68df702b8f4add47237f2aee76bd5537489ed2fa9 SHA256 Cotx RAT cbf607725d128d93fed3b58cde78e1feb7db028a1ed1aa5c924e44faa1015913 SHA256 Poison Ivy 9a477b455a20a26875e5ff804151f9f6524131c32edf04366cfbaf9d41c83f2a SHA256 Poison Ivy eb0191d1b8e311d2716795e9fa7c0300c5199ebf3d8debff77993f23397d2fb5 SHA256 Poison Ivy 1bc93ef96134be9a5a7b5f5b747be796a9ff95bdc835d72541673565d1c165b8 SHA256 Poison Ivy 4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34bea SHA256 Poison Ivy 93f56ec68e072ccba8102c71d005604763d064021795c7c8bb1cade05ddb6ff6 SHA256 Poison Ivy e9fa0a6223b0e4e60654dc629cd46174b064d5a0968732e6f05bc212a2cdf3f4 SHA256 Poison Ivy b7cfea87d7de935e1f20e3c09ba4bd1154580682e75330876f21f241b33946f2 SHA256 8.t Dropper ae3e335cc39c07bda70e26e89003e0d1b8eea2deda2b62a006517c959fc0a27a SHA256 8.t Dropper 1d492e549d2cbd296bc8e1368c8625df0c82c467c1b4addea7191e4a80bf074e SHA256 8.t Dropper b541e0e29c34800a067b060d9ee18d8d35c75f056f4246b1ce9561a5441d5a0f SHA256 8.t Dropper 95.179.131[.]29 C2 IP Poison Ivy C2 217.69.8[.]255 C2 IP Cotx RAT C2 f1news.vzglagtime[.]net Domain Domain Related by IP news.vzglagtime[.]net Domain Domain Related by IP mtanews.vzglagtime[.]net Domain Domain Related by IP ET and ETPRO Suricata/Snort Signatures 2836210 ETPRO TROJAN SSL/TLS Certificate Observed (SectorB06 Dropper) Subscribe to the Proofpoint Blog * Business Email: * Blog Interest: AllSecurity Awareness TrainingThreat Insight Submit ABOUT * Overview * Why Proofpoint * Careers * Leadership Team * News Center * Nexus Platform THREAT CENTER * Human Factor Report * Threat Glossary * Threat Blog * Daily Ruleset PRODUCTS * Email Security & Protection * Advanced Threat Protection * Security Awareness Training * Cloud Security * Archive & Compliance * Information Protection * Digital Risk Protection * Product Bundles RESOURCES * Whitepapers * Webinars * Datasheets * Events * Customer Stories * Blog * Free Trial CONNECT * +1-408-517-4710 * Contact Us * Office Locations * Request a Demo SUPPORT * Support Login * Support Services * IP Address Blocked? * Facebook * Twitter * linkedin * Youtube * United States * United Kingdom * France * Germany * Italy * Spain * Japan * Australia © 2021. All rights reserved. Terms and conditions Privacy Policy Sitemap