East Asian government agencies came under siege when attackers targeted several servers within their networks. The said attackers, who showed familiarity and in-depth knowledge of their agencies’ network topology, tools, and software, were able to gain access to their targeted servers and install malware. After which, they used the compromised servers not only as gateways to the rest of the network but also as C&C servers. This particular attack has been active since 2014.
The attackers tried to maintain their presence in the network by modifying applications installed in the servers. Certain files in the said applications—mostly productivity, security, and system utility apps—were tampered to load malicious DLL files. The common denominator among these tampered apps is that they were all set to run upon system startup. This suggests that the applications were modified in order to ensure that the installed malware will run every time the server is launched.
Servers are Prime Targets
Our investigation revealed five applications the attackers modified:
- Citrix XenApp IMA Secure Service (IMAAdvanceSrv.exe)
- EMC NetWorker (nsrexecd.exe)
- HP System Management Homepage (vcagent.exe)
- IBM BigFix Client (BESClient.exe)
- VMware Tools (vmtoolsd.exe)
According to our monitoring, the attacker initially targeted two servers, and then continued to move through the network looking for more to infect. This was done continuously until early 2015, affecting more servers. Some of those affected were network management servers, meaning that they had access to all systems within their assigned subnet. We did not find traces of how the attackers utilized this level of access to the network, but we assume that they used this to maintain their presence in the network and to steal information.
Using the Target’s Environment against Them
Attackers were able to identify applications installed in the servers and modified them to run malicious code. The target applications’ import table were modified to add a reference to a malicious DLL (the name of the DLL varies to match the target application). When the modified application is run, the malicious DLL is loaded as well.
Figure 1. Modified import table, with reference to malicious DLL (highlighted in blue)
It is almost impossible to find differences between the original version and the modified ones, as even their file sizes are almost identical. The difference will be noticeable, however, if the files are signed, which was the case for four of the five files we analyzed. Since modifications will invalidate file signatures, the attackers stripped off the signatures from the modified versions. The pictures below show the original BESClient.exe on the left and the modified version on the right.
Figures 2 and 3. Properties of original and modified executables
As previously mentioned, BESClient.exe was modified to add a reference to a DLL file named libBEScrypto_1_0_0_6.dll. This DLL file is a malware loader that will then try to decrypt and rename a file (whose name and folder also matches the modified application.) In this case, the file at C:\Program Files (x86)\BigFix Enterprise\BES Client\BESInfo.dat is decrypted and renamed to %Temp%\mesnt.exe, and the malware loader will execute mesnt.exe.
Once mesnt.exe is executed, it will create a new svchost.exe process with the suspended flag, which allows malicious code to be executed. Mesnt.exe will then be deleted and the now un-suspended svchost.exe process connects back to a specified command-and-control (C&C) server which is also found within the target network. As mentioned earlier, this shows how much intelligence has been gathered about the target. Using an internal IP address ensures that any activity will not be seen as malicious, and instead be seen as normal network activity.
Figure 4. An internal IP used as C&C for the malware
We also found the attackers trying to erase their tracks by deleting their backdoor and undoing the changes they made to the applications by removing the malicious DLLs. It is possible that the attackers were able to detect that the environment was being monitored, or that they’ve ceased their information gathering. Regardless, we are continuing our monitoring for any developments.
The Need for Better Vigilance
Familiarity with a target environment gives attackers a lot of opportunities to blend into the background and stay hidden from monitoring. The level of access the attackers got in this particular attack shows how deep they can get into the network and how this level of access can be used to ensure that the attackers’ activities are not detected.
It is therefore very important for organizations to be more keen on monitoring suspicious behaviors in the network, regardless of whether a file is being launched by a known program, or if network communication is coming from within the network.
Trend Micro™ Custom Defense™ solutions can protect organizations from this type of attack. They provide in-depth contextual analysis and insight that help IT administrators properly identify suspicious behavior in the network, such as the access to the servers in this attack.
Organizations with Trend Micro Endpoint Application Control enabled in their network will also be able to detect the changes made to the applications and prevent them from executing.
More information about trends seen in targeted attacks can be found in our annual targeted attack report.
The following table provides references for the files we found related to this attack:
| File name | SHA1 | Description | Detection Name |
| IMAAdvanceSrv.exe | d955d7a581cc8f1d428a 282683351b9ec3c119d1 |
(Citrix) modified executable | PTCH_POISON.ZTCC-A |
| imaInst.dll | ab85f8bdd369f2fa3089 f39588a2cb11884640f7 |
(Citrix) malware loader | BKDR_POISON.ZTCC-A |
| imaUpd.dat | 57ec4f26e77521198483 c2b4bfd569f634a2c248 |
(Citrix) encrypted backdoor | BKDR_POISON.ZTCC-A |
| nsrexecd.exe | 842a9402714bd0d8838b 7d4b20575c6d7a85b6d6 |
(EMC) modified executable | PTCH64_POISON.ZTCB-B |
| nsrinit.dll | d460baf807076ab95290 229bade2be1addeea9cd |
(EMC) malware loader | BKDR_POISON.ZTCB-B |
| libuni.jar | a257bc3c6f05e59ef319 c46e30e7e009c125408f |
(EMC) encrypted backdoor | BKDR_POISON.ZTCB-B |
| BESClient.exe | c5bc692ceb22dd8c6e49 3e93cee62a4cbe4232e4 |
(IBM) modified executable | BKDR_POISON.TUFM |
| libBEScrypto_1_0_0_6.dll | 3b6e637504d535f30745 959eeefa63d11a622a72 |
(IBM) malware loader | BKDR_POISON.TUFM |
| BESInfo.dat | 7f40deb2875543008462 7c024a46275a059ad835 |
(IBM) encrypted backdoor | TROJ_AGENT.GLI |
| vmtoolsd.exe | 1b0c561d5fe78168cc34 e9de64824b04df895688 |
(VMWare) modified executable | PTCH64_POISON.ZTCB-A |
| VmUpgrade.dll | 1822b8d10ebb5a363755 7fa5e42284c7bf794f36 |
(VMWare) malware loader | BKDR_POISON.ZTCB-A |
| VMwareRes.pkg | 65bd14bf85d26ecd7cec 4c7dc7aaad15df268f0a |
(VMWare) encrypted backdoor | BKDR_POISON.ZTCB-A |
Additional analysis by Tim Yeh
