China-linked Hackers Targeting Air-Gapped Systems: Report
26.6.18 securityweek Attack
The cyber espionage group known as "Tick" has been targeting a secure USB drive built by a South Korean defense company, likely in an attempt to compromise air-gapped systems, Palo Alto Networks reports.
Also known as Bronze Butler, Tick is believed to be based in China and to have been active for at least a decade, although it was detailed for the first time only in April 2016. The group is mainly targeting Japan and South Korea, but variants of their malware were also observed in attacks on organizations in Russia, Singapore, and China.
To date, the group has been observed employing a variety of custom malware families, including Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.
The attempt to weaponize a secure USB drive is an attack technique uncommon for the actor, which led security researchers to the conclusion that the assault was likely aiming at air-gapped systems (machines that are not connected to the public Internet).
The malware used in these attacks was designed to target systems running Windows XP or Windows Server 2003, which are older, out-of-support OS versions. Air-gapped systems, Palo Alto says, are commonly used in many countries by government, military, and defense contractors, and other industry verticals.
Although no public reports of the attack were published until now, the malware observed in this incident was likely used many years ago.
“Based on the data collected, we do not believe this malware is part of any active threat campaign,” Palo Alto says.
Although they don’t have a complete picture of the past attack, the researchers believe Tick managed to compromise the secure USB drive model and load a malicious file onto an unknown number of devices, which are supposedly certified as secure by the South Korean ITSCC.
The group also created a malware family dubbed SymonLoader, which is somehow loaded onto older Windows machines, where it continuously looks for these specific USB drives. When it detects a targeted secure USB drive, SymonLoader attempts to load the unknown malicious file using APIs that directly access the file system, saving the file to the temp directory and executing it.
Without a compromised USB drive or the unknown malicious file, the security researchers were not able to determine the manner in which the USB drives have been compromised.
“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering,” Palo Alto notes.
The malware loader was observed being installed by a Trojanized version of a legitimate Japanese language GO game, which was first observed on January 21, 18. Previously, the Trojanized application was seen dropping HomamDownloader, which can install malicious files from a remote command and control (C&C) server.
“Despite the differences from previous samples, we believe this sample is related to the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs described earlier. Also, SymonLoader shares code with HomamDownloader,” Palo Alto says.
The analyzed SymonLoader sample was apparently created on September 26, 2012, by which time both Windows 7 and Windows Server 2008 had already been released. The malware, however, specifically targets only Windows XP and Windows Server 2003, and only searches for USB drives built by a South Korean company that develops information and communication security equipment for military, police, government agencies and public institutions.
“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.
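A forensic check for the concealment described above, as an added example that is not from the article or the Palo Alto report: it parses the MBR of a raw drive image, locates the sectors after the last partition (space that file-level reads never reach), and flags non-zero, high-entropy data there. The 512-byte sector size, MBR partitioning, the 7.0-bit entropy threshold, all function names and the constructed sample image are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512  # assumed logical sector size

def last_partition_end(mbr: bytes) -> int:
    """Return the first LBA past the end of the last MBR partition."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    end = 1  # LBA 0 holds the MBR itself
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:  # entry[4] is the partition type
            end = max(end, start + count)
    return end

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_trailing_area(image: bytes, threshold: float = 7.0) -> dict:
    # Heuristic: encrypted or compressed data approaches 8 bits per byte.
    first = last_partition_end(image[:SECTOR])
    total = len(image) // SECTOR
    used = [lba for lba in range(first, total)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    blob = b"".join(image[l * SECTOR:(l + 1) * SECTOR] for l in used)
    h = entropy(blob) if blob else 0.0
    return {"first_unallocated_lba": first, "nonzero_lbas": used,
            "entropy": round(h, 2), "suspicious": h >= threshold}

def build_sample(hidden: bool) -> bytes:
    """Constructed 16-sector image: one partition at LBA 1-8, slack at 9-15."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x0B, b"\0" * 3, 1, 8)
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(mbr) + bytearray(15 * SECTOR)
    if hidden:  # pseudo-random bytes stand in for an encrypted blob
        blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
        img[12 * SECTOR:16 * SECTOR] = blob
    return bytes(img)

if __name__ == "__main__":
    print(scan_trailing_area(build_sample(hidden=True)))
```

The input must be a raw sector-level acquisition of the whole device, not a copy of its files. A hit is a lead for further analysis rather than a verdict, since secure drives may legitimately keep encrypted data outside the visible partition.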