Cyber-Espionage Campaigns Target Tibetan Community in India
28.6.18 securityweek CyberSpy
Two cyberespionage campaigns targeting the Tibetan community based in India appear to be the work of Chinese threat actors, a new Recorded Future report reveals.
Referred to as RedAlpha, the campaigns have been ongoing for the past two years and are focused on cyber-espionage. Both share light reconnaissance and selective targeting, and both employed a range of malicious tools, including new malware families.
The newly uncovered campaigns took place in 2017 (involving a custom dropper and the NetHelp infostealer implant) and 2018 (when a custom validator and the njRAT commodity malware were used). The latter campaign is still ongoing.
While the second campaign leveraged a scaled-down infrastructure, likely to reduce the impact of discovery, both attacks used payloads configured with several command and control (C&C) servers, and in both cases the malware employed the doc.internetdocss[.]com C&C domain.
The security researchers also observed the attackers using a malicious Microsoft Word document that exploited CVE-2017-0199. They connected the attacks to previous activity through the use of FF-RAT and common infrastructure shared with the NetTraveler, Icefog, and DeputyDog APTs, as well as the MILE TEA campaign.
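The one indicator this article names outright is the C&C domain shared by both campaigns. As an added example (not code from the article or from Recorded Future), the following script shows how a defender would refang that indicator and match it against resolver query logs, counting the domain itself and any subdomain as a hit while ignoring look-alike names that merely contain it. The log lines are constructed for this example and are not real traffic.

```python
"""Match the RedAlpha C&C domain named in the report against DNS query logs."""
import re

# Defanged indicator from the report above; refanged at runtime so it can be
# compared with what actually appears in resolver logs.
REDALPHA_IOCS = ["doc.internetdocss[.]com"]

# Constructed sample lines in a BIND-style query log format (not real traffic).
SAMPLE_DNS_LOG = """\
28-Jun-2018 09:12:01.123 client 10.0.0.15#51234: query: www.example.org IN A + (10.0.0.1)
28-Jun-2018 09:12:07.456 client 10.0.0.23#51900: query: doc.internetdocss.com IN A + (10.0.0.1)
28-Jun-2018 09:13:44.789 client 10.0.0.23#52011: query: update.doc.internetdocss.com IN A + (10.0.0.1)
28-Jun-2018 09:14:02.001 client 10.0.0.40#53333: query: doc.internetdocss.com.lookalike-example.net IN A + (10.0.0.1)
28-Jun-2018 09:15:10.555 client 10.0.0.41#53400: query: notdoc.internetdocss.com IN A + (10.0.0.1)
"""

# Pulls the client address and the queried name out of one log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' into a comparable hostname."""
    return indicator.replace("[.]", ".").rstrip(".").lower()


def matches_ioc(qname: str, ioc: str) -> bool:
    """True if qname is the IoC domain itself or a subdomain of it.

    A name that only contains the IoC as a leading label sequence (a look-alike
    under another registered domain) or shares a suffix ('notdoc...') is not a hit.
    """
    q = qname.rstrip(".").lower()
    return q == ioc or q.endswith("." + ioc)


def find_c2_lookups(log_text: str, iocs=REDALPHA_IOCS):
    """Return (client_ip, queried_name, matched_ioc) for every matching query."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        for ioc in refanged:
            if matches_ioc(m["qname"], ioc):
                hits.append((m["client"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{client} looked up {qname} (matches {ioc})")
```

Run against the constructed sample, the script reports the two lookups from 10.0.0.23 and nothing else; the look-alike and the `notdoc` name are deliberately left unmatched so the same logic can be pointed at a real resolver log without producing suffix-based false positives.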
Over the years, the Tibetan and Uyghur communities have been targeted by many threat actors, including Chinese attackers such as the original Winnti group, LuckyCat, and NetTraveler, but also MiniDuke.
As part of the RedAlpha campaigns, the actor used a “careful combination of victim reconnaissance and fingerprinting, followed by selective targeting with multi-stage malware,” Recorded Future reports.
The first campaign started in June 2017 using two stages of largely custom malware for both 32- and 64-bit Windows systems: a straightforward dropper that would fetch a payload and establish persistence, and the NetHelp infostealer to collect system information, compress files and directories, and exfiltrate them. The attackers relied on a dual C&C infrastructure.
The email address used to register a C&C site was used to register a domain that resolves to a Hong Kong IP that was previously associated with a phishing campaign against Tibetans in 2016 and 2017. Thus, the researchers believe the same actor has been behind all three attacks.
A report on the phishing campaign suggested that a “low-level contractor” exhibiting “sloppy” tradecraft and utilizing inexpensive infrastructure was behind it. By contrast, the 2017 campaign suggests “an increased level of sophistication for the attacker,” Recorded Future says.
The 2018 campaign started in January and continued until at least late April. It marked a departure from the custom first-stage dropper in favour of a validator-style implant (which also checked PCs for security software). Based on the information gathered from victim systems, the attackers would then selectively deploy njRAT onto specific machines.
This shift is part of a trend observed in the APT research community: both criminal and nation-state sponsored groups are increasingly relying on commodity malware and penetration testing tools, which not only helps them blend in, but also lowers the cost of retooling after discovery.
Analyzing IPs and domains associated with these campaigns, the security researchers also discovered that Tibetans weren’t the only targets and say that the same group might have hit multiple targets since 2015.
The campaigns also appear connected to the FF-RAT malware, which has been around since at least 2012 and has been associated exclusively with Chinese APT activity. In 2015, the FBI said the malware was used to target the U.S. Office of Personnel Management (OPM).
“We assess FF-RAT was likely used by the same threat actors behind RedAlpha, possibly as early as 2016,” Recorded Future says.
“We do not currently possess enough evidence to categorically prove that the RedAlpha campaigns were conducted by a new threat actor. We have outlined some tentative connections, through infrastructure registrations to existing Chinese APTs, but a firm attribution requires further detail on the individuals and organizations behind the malicious activity,” the security firm concludes.