The operations of a cyber arms dealer

FireEye researchers have linked eleven distinct APT cyber espionage campaigns previously believed to be unrelated, leading them to believe that there is a shared operation that supplies and maintains malware tools and weapons used in them.

In a recently released report that details the connections, they dubbed this development and logistics operation as Sunshop Digital Quartermaster, and posit that it supports these and possibly other APT campaigns, as part of a “formal offensive apparatus”.

“This digital quartermaster also might be a cyber arms dealer of sorts, a common supplier of tools used to conduct attacks and establish footholds in targeted systems,” they explained.

The eleven campaigns they tied together were detected between July 2011 and September 2013, but it’s possible and very likely that some of them were active even before then. They targeted a wide range of industries:

But despite using varying techniques, tactics, and procedures, Sunshop and the 10 other linked campaigns all leveraged a common development infrastructure, and shared – in various combinations – the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates.

The researchers collected and analyzed 110 unique binaries (variants of the 9002, PoisonIvy, Gh0st, Kaba and Briba Trojans), and discovered that:

• 65 of these binaries were packaged with 2 unique portable executable (PE) resources (in this case manifests generated by the Nullsoft scriptable installation system)
• 47 of the binaries were signed with 6 different digital certificates (not unique to these campaigns, currently revoked or expired, some stolen), signed by signed by Microsoft, Sinacom, Facesun.cn, Mgame Corp, Guangzhou YuanLuo Technology, and Wuhan Tian Chen Information Technology
• the binaries connected to 54 different unique fully qualified domains.

In an extensive report, the researchers have shared details of every single one of those campaigns, and have noted the relationships between them. They have also presented a builder tool thought to have been used by this “quartermaster” entity to quickly create different variants of the same malware.

“A typical builder provides a graphical user interface that enables a malicious actor to configure elements such as the location of the command and control server,” they explained, and dubbed the tool “9000 Builder”, as it was used to configure and create different 9002 Trojan binaries.

What’s interesting to note is that the dialogue and menu options in the tool’s GUI are in Chinese, which leads the researchers to believe that it was either created by a developer that speaks it, or it was created for users that do.

Despite all these findings, the researchers concede there is a (very unlikely) possibility that the different campaigns are all executed by the same, well-resourced actor who also created all the tools, weapons and infrastructure that supported them. They also point out that it’s possible that there is no such entity as the Sunshop Digital Quartermaster, and that the different actors responsible for the 11 APT campaigns are simply sharing – formally or informally – the tools and techniques.

Still, they are highly confident that their main theory is the correct one, and that the attacker groups mounting the various campaigns are getting their tools from a central “armory”.