East Asian government agencies came under siege when attackers targeted several servers within their networks. The attackers, who showed familiarity and in-depth knowledge of the agencies’ network topology, tools, and software, were able to gain access to the targeted servers and install malware. They then used the compromised servers not only as gateways to the rest of the network but also as command-and-control (C&C) servers. This particular attack has been active since 2014.
The attackers tried to maintain their presence in the network by modifying applications installed on the servers. Certain files in these applications—mostly productivity, security, and system utility apps—were tampered with to load malicious DLL files. The common denominator among the tampered apps is that they were all set to run upon system startup. This suggests that the applications were modified to ensure that the installed malware runs every time the server starts.
Servers are Prime Targets
Our investigation revealed five applications the attackers modified:
- Citrix XenApp IMA Secure Service (IMAAdvanceSrv.exe)
- EMC NetWorker (nsrexecd.exe)
- HP System Management Homepage (vcagent.exe)
- IBM BigFix Client (BESClient.exe)
- VMware Tools (vmtoolsd.exe)
According to our monitoring, the attackers initially targeted two servers and then continued to move through the network looking for more to infect. This continued until early 2015, affecting more servers. Some of those affected were network management servers, meaning that they had access to all systems within their assigned subnet. We did not find traces of how the attackers utilized this level of access to the network, but we assume that they used it to maintain their presence in the network and to steal information.
Using the Target’s Environment against Them
The attackers identified applications installed on the servers and modified them to run malicious code. The target applications’ import tables were modified to add a reference to a malicious DLL (the name of the DLL varies to match the target application). When the modified application runs, the malicious DLL is loaded along with it.
Figure 1. Modified import table, with reference to malicious DLL (highlighted in blue)
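As an added illustration (this is not code from the original post or from Trend Micro), the following Python script parses a PE file’s import directory and lists the DLL names it references, then diffs them against a known-good baseline so that an unexpected entry like the one highlighted in Figure 1 stands out. The baseline DLL set and the minimal PE32+ image that build_sample_pe constructs are assumptions made for the example; on a real server you would run imported_dlls over the startup application’s executable and compare against a pristine copy from the vendor.

```python
import struct
BASELINE = {"KERNEL32.dll", "ADVAPI32.dll", "WS2_32.dll"}  # constructed known-good import set

def rva_to_offset(rva, sections):
    # sections: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def imported_dlls(data):
    """Walk the PE import directory and return every DLL name it references, in order."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = (struct.unpack_from("<H", data, pe + o)[0] for o in (6, 20))
    opt = pe + 24
    datadir = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    imp_rva = struct.unpack_from("<I", data, datadir + 8)[0]     # data directory entry 1 = imports
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    dlls = []
    if imp_rva:
        off = rva_to_offset(imp_rva, sections)
        while True:
            name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
            if name_rva == 0:                                        # all-zero descriptor ends the array
                break
            noff = rva_to_offset(name_rva, sections)
            dlls.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
            off += 20
    return dlls

def unexpected_imports(data, baseline=BASELINE):
    return sorted(set(imported_dlls(data)) - baseline)   # DLLs the known-good build never imported

def build_sample_pe(dlls):
    # Constructed minimal PE32+ image: one section containing only an import table.
    va, raw = 0x1000, 0x200
    descs, names = b"", b""
    for d in dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, va + 20 * (len(dlls) + 1) + len(names), 0)
        names += d.encode() + b"\0"
    body = descs + b"\0" * 20 + names                     # names follow the null-terminated array
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE header at 0x40
    fhdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 118 + struct.pack("<II", va, len(descs) + 20) + b"\0" * 112
    sec = struct.pack("<8sIIII", b".idata", len(body), va, len(body), raw) + b"\0" * 16
    hdr = dos + b"PE\0\0" + fhdr + opt + sec
    return hdr + b"\0" * (raw - len(hdr)) + body
```

Running unexpected_imports on a copy of the sample image built with an extra libBEScrypto_1_0_0_6.dll entry returns just that name, while the clean build returns an empty list.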
It is almost impossible to find differences between the original version and the modified ones, as even their file sizes are almost identical. The difference will be noticeable, however, if the files are signed, which was the case for four of the five files we analyzed. Since modifications invalidate file signatures, the attackers stripped the signatures from the modified versions. The pictures below show the original BESClient.exe on the left and the modified version on the right.
Figures 2 and 3. Properties of original and modified executables
As previously mentioned, BESClient.exe was modified to add a reference to a DLL file named libBEScrypto_1_0_0_6.dll. This DLL file is a malware loader that then tries to decrypt and rename a file (whose name and folder also match the modified application). In this case, the file at C:\Program Files (x86)\BigFix Enterprise\BES Client\BESInfo.dat is decrypted and renamed to %Temp%\mesnt.exe, and the malware loader then executes mesnt.exe.
Once mesnt.exe is executed, it creates a new svchost.exe process in a suspended state, which allows malicious code to be executed. Mesnt.exe is then deleted, and the now-resumed svchost.exe process connects back to a specified command-and-control (C&C) server that is also located within the target network. As mentioned earlier, this shows how much intelligence was gathered about the target. Using an internal IP address ensures that the activity is not seen as malicious but instead as normal network traffic.
Figure 4. An internal IP used as C&C for the malware
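The chain above (a dropper in %Temp% spawning a suspended svchost.exe, the dropper disappearing, and svchost.exe beaconing to an address inside the network) is the kind of behavior the post says defenders must watch for even when every piece looks legitimate. As an added example, not part of the original post, the Python below correlates constructed Sysmon-style events (process create, network connect and file delete, with invented PIDs, paths and addresses) and flags an svchost.exe instance that was not started by services.exe, listing the supporting evidence it found.

```python
import ipaddress

# Constructed Sysmon-style telemetry (not real logs) mirroring the chain described in the post.
EVENTS = [
    {"id": 1, "pid": 4001, "image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 3990, "parent_image": r"C:\Users\svc\AppData\Local\Temp\mesnt.exe"},
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 700, "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 23, "pid": 3990, "image": r"C:\Users\svc\AppData\Local\Temp\mesnt.exe"},
    {"id": 3, "pid": 4001, "image": r"C:\Windows\System32\svchost.exe", "dst": "10.20.30.40", "dport": 443},
    {"id": 3, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe", "dst": "93.184.216.34", "dport": 443},
]

def is_temp_path(path):
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p

def find_hollowed_svchost(events):
    """Return (pid, reasons) for each svchost.exe whose parent is not services.exe."""
    findings = []
    for ev in events:
        if ev["id"] != 1 or not ev["image"].lower().endswith("\\svchost.exe"):
            continue                                   # only process-creation events for svchost.exe
        if ev["parent_image"].lower().endswith("\\services.exe"):
            continue                                   # the legitimate parent for service hosts
        reasons = ["svchost.exe not started by services.exe"]
        if is_temp_path(ev["parent_image"]):
            reasons.append("parent runs from a temp folder")
        if any(e["id"] == 23 and e["pid"] == ev["parent_pid"] for e in events):
            reasons.append("parent executable was deleted after spawning the child")
        for e in events:                               # internal C&C looks like normal traffic otherwise
            if e["id"] == 3 and e["pid"] == ev["pid"] and ipaddress.ip_address(e["dst"]).is_private:
                reasons.append("connection to internal address %s:%d" % (e["dst"], e["dport"]))
        findings.append((ev["pid"], reasons))
    return findings
```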
We also found the attackers trying to erase their tracks by deleting their backdoor and undoing the changes they made to the applications by removing the malicious DLLs. It is possible that the attackers detected that the environment was being monitored, or that they had finished their information gathering. Regardless, we continue to monitor for any developments.
The Need for Better Vigilance
Familiarity with a target environment gives attackers a lot of opportunities to blend into the background and stay hidden from monitoring. The level of access the attackers got in this particular attack shows how deep they can get into the network and how this level of access can be used to ensure that the attackers’ activities are not detected.
It is therefore very important for organizations to be more vigilant in monitoring suspicious behavior in the network, regardless of whether a file is launched by a known program or network communication originates from within the network.
Trend Micro™ Custom Defense™ solutions can protect organizations from this type of attack. They provide in-depth contextual analysis and insight that help IT administrators properly identify suspicious behavior in the network, such as the access to the servers in this attack.
Organizations with Trend Micro Endpoint Application Control enabled in their network will also be able to detect the changes made to the applications and prevent them from executing.
More information about trends seen in targeted attacks can be found in our annual targeted attack report.
The following table provides references for the files we found related to this attack:
| File name | SHA1 | Description | Detection Name |
|---|---|---|---|
| | | (Citrix) modified executable | PTCH_POISON.ZTCC-A |
| | | (Citrix) malware loader | BKDR_POISON.ZTCC-A |
| | | (Citrix) encrypted backdoor | BKDR_POISON.ZTCC-A |
| | | (EMC) modified executable | PTCH64_POISON.ZTCB-B |
| | | (EMC) malware loader | BKDR_POISON.ZTCB-B |
| | | (EMC) encrypted backdoor | BKDR_POISON.ZTCB-B |
| | | (IBM) modified executable | BKDR_POISON.TUFM |
| | | (IBM) malware loader | BKDR_POISON.TUFM |
| | | (IBM) encrypted backdoor | TROJ_AGENT.GLI |
| | | (VMware) modified executable | PTCH64_POISON.ZTCB-A |
| | | (VMware) malware loader | BKDR_POISON.ZTCB-A |
| | | (VMware) encrypted backdoor | BKDR_POISON.ZTCB-A |
Additional analysis by Tim Yeh