
Attack Gains Foothold Against East Asian Government Through “Auto Start”

  • Posted on:May 21, 2015 at 6:40 am
  • Posted in:Targeted Attacks
  • Author:
    Dove Chiu (Threat Researcher)

East Asian government agencies came under siege when attackers targeted several servers within their networks. The attackers, who showed familiarity and in-depth knowledge of the agencies' network topology, tools, and software, were able to gain access to the targeted servers and install malware. They then used the compromised servers not only as gateways to the rest of the network but also as C&C servers. This particular attack has been active since 2014.

The attackers tried to maintain their presence in the network by modifying applications installed on the servers. Certain files belonging to these applications (mostly productivity, security, and system utility software) were tampered with so that they load malicious DLL files. The common denominator among the tampered applications is that they were all configured to run at system startup. This suggests that the applications were modified specifically to ensure that the installed malware runs every time the server boots.

Servers are Prime Targets

Our investigation revealed five applications the attackers modified:

  • Citrix XenApp IMA Secure Service (IMAAdvanceSrv.exe)
  • EMC NetWorker (nsrexecd.exe)
  • HP System Management Homepage (vcagent.exe)
  • IBM BigFix Client (BESClient.exe)
  • VMware Tools (vmtoolsd.exe)

According to our monitoring, the attacker initially targeted two servers, and then continued to move through the network looking for more to infect. This was done continuously until early 2015, affecting more servers. Some of those affected were network management servers, meaning that they had access to all systems within their assigned subnet. We did not find traces of how the attackers utilized this level of access to the network, but we assume that they used this to maintain their presence in the network and to steal information.

Using the Target’s Environment against Them

The attackers identified applications installed on the servers and modified them to run malicious code. The target applications' import tables were modified to add a reference to a malicious DLL (the name of the DLL varies to match the target application). When the modified application runs, the Windows loader loads the malicious DLL along with it.

Figure 1. Modified import table, with reference to malicious DLL (highlighted in blue)

It is almost impossible to tell the modified versions from the originals by casual inspection, as even their file sizes are nearly identical. The difference does become noticeable, however, if the original files are signed, which was the case for four of the five files we analyzed. Because any modification invalidates the file's digital signature, the attackers stripped the signatures from the modified versions. The pictures below show the original BESClient.exe on the left and the modified version on the right.

Figures 2 and 3. Properties of original and modified executables

As previously mentioned, BESClient.exe was modified to add a reference to a DLL file named libBEScrypto_1_0_0_6.dll. This DLL is a malware loader that decrypts and renames a second file (whose name and folder also match the modified application). In this case, the file at C:\Program Files (x86)\BigFix Enterprise\BES Client\BESInfo.dat is decrypted and renamed to %Temp%\mesnt.exe, and the malware loader then executes mesnt.exe.

Once mesnt.exe is executed, it creates a new svchost.exe process in a suspended state, which allows malicious code to be executed in that process. mesnt.exe is then deleted, and the now-resumed svchost.exe process connects back to a specified command-and-control (C&C) server, which is itself located inside the target network. As mentioned earlier, this shows how much intelligence had been gathered about the target: using an internal IP address as the C&C makes the traffic look like normal internal network activity rather than something malicious.

Figure 4. An internal IP used as C&C for the malware

We also found the attackers trying to erase their tracks by deleting their backdoor and undoing the changes they made to the applications by removing the malicious DLLs. It is possible that the attackers were able to detect that the environment was being monitored, or that they’ve ceased their information gathering. Regardless, we are continuing our monitoring for any developments.

The Need for Better Vigilance

Familiarity with a target environment gives attackers a lot of opportunities to blend into the background and stay hidden from monitoring. The level of access the attackers got in this particular attack shows how deep they can get into the network and how this level of access can be used to ensure that the attackers’ activities are not detected.

It is therefore very important for organizations to monitor more closely for suspicious behavior in the network, regardless of whether a file is being launched by a known program or whether network communication originates from inside the network.

Trend Micro™ Custom Defense™ solutions can protect organizations from this type of attack. They provide in-depth contextual analysis and insight that help IT administrators properly identify suspicious behavior in the network, such as the access to the servers in this attack.

Organizations with Trend Micro Endpoint Application Control enabled in their network will also be able to detect the changes made to the applications and prevent them from executing.

More information about trends seen in targeted attacks can be found in our annual targeted attack report.

The following table provides references for the files we found related to this attack:

| File name | SHA1 | Description | Detection Name |
|---|---|---|---|
| IMAAdvanceSrv.exe | d955d7a581cc8f1d428a282683351b9ec3c119d1 | (Citrix) modified executable | PTCH_POISON.ZTCC-A |
| imaInst.dll | ab85f8bdd369f2fa3089f39588a2cb11884640f7 | (Citrix) malware loader | BKDR_POISON.ZTCC-A |
| imaUpd.dat | 57ec4f26e77521198483c2b4bfd569f634a2c248 | (Citrix) encrypted backdoor | BKDR_POISON.ZTCC-A |
| nsrexecd.exe | 842a9402714bd0d8838b7d4b20575c6d7a85b6d6 | (EMC) modified executable | PTCH64_POISON.ZTCB-B |
| nsrinit.dll | d460baf807076ab95290229bade2be1addeea9cd | (EMC) malware loader | BKDR_POISON.ZTCB-B |
| libuni.jar | a257bc3c6f05e59ef319c46e30e7e009c125408f | (EMC) encrypted backdoor | BKDR_POISON.ZTCB-B |
| BESClient.exe | c5bc692ceb22dd8c6e493e93cee62a4cbe4232e4 | (IBM) modified executable | BKDR_POISON.TUFM |
| libBEScrypto_1_0_0_6.dll | 3b6e637504d535f30745959eeefa63d11a622a72 | (IBM) malware loader | BKDR_POISON.TUFM |
| BESInfo.dat | 7f40deb28755430084627c024a46275a059ad835 | (IBM) encrypted backdoor | TROJ_AGENT.GLI |
| vmtoolsd.exe | 1b0c561d5fe78168cc34e9de64824b04df895688 | (VMware) modified executable | PTCH64_POISON.ZTCB-A |
| VmUpgrade.dll | 1822b8d10ebb5a3637557fa5e42284c7bf794f36 | (VMware) malware loader | BKDR_POISON.ZTCB-A |
| VMwareRes.pkg | 65bd14bf85d26ecd7cec4c7dc7aaad15df268f0a | (VMware) encrypted backdoor | BKDR_POISON.ZTCB-A |

Additional analysis by Tim Yeh
