Despite Mandiant’s prediction that the release of their report on the attack methodology of the so-called APT1 (or “Comment Crew”) cyber espionage group would lead to them changing their attack techniques and consequently make them harder to track in the future, it seems that the group laid has bucked the expectations.
According to researchers from Cyber Squared, the Comment Crew have not significantly changed their implant technologies, C&C capabilities, or targets.
“One working theory for the lack of any noteworthy change is that ‘Comment Crew’ does not need to make any significant changes to continue conducting successful exploitation operations,” they pointed out. “The ‘Comment Crew’ actors may have achieved a satisfactory balance of conducting successful exploitation operations by maintaining a certain level of survivability while using existing C2 infrastructure. Or perhaps, they have developed new midpoints in addition to implementing host-based detection evasion techniques.”
They still use the same malware that has gone through minimal changes, and they still deliver it via ZIP files as attachments in emails delivered to their targets.
The PDFs that serve as cover for the background installation of the malware are an invitation and the agenda of a conference sponsored by the National Defense Industrial Association, which covers a number of industries that have been singled out by the Chinese government as crucial to the country’s economic growth, as well as a legitimate document containing a presentation on future US military training technologies.
Analysis of the malicious file reveals that it was compiled less than two weeks ago, and that the comment type used is similar to that in the files analyzed by Mandiant. The attackers have only started using a more complex decryption key.
The domain on which the files were hosted were also tied with an IP address previously used by the Crew.
Despite all these discoveries, the researchers say that their observations are based on a single source of evidence – ThreatConnect, their crowd-sourcing threat intelligence solution. “It is possible that there are other unknown instances of either new or undetected ‘Comment Crew’ capabilities, infrastructure, or activity,” they concluded.