With added text by Threat Researcher Nart Villeneuve
Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.
This research paper documents the operations of a campaign, which was able to compromise the following types of organizations:
- government ministries
- technology companies
- media outlets
- academic research institutions
- nongovernmental agencies
The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).
During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.
While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.
This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.
Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.