US-CERT has released an alert warning about a sophisticated attack campaign using multiple malware implants and targeting organizations in the IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing sectors.
“According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems,” the alert says.
“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”
The attacks have apparently been going on since at least May 2016, and they are continuing. The National Cybersecurity and Communications Integration Center (NCCIC) has therefore released indicators of compromise (IOCs) so that organizations can check their networks and systems for signs of compromise.
Known malicious domains, fileless malware
The IOC files note that some of the domains used in the attack could possibly be associated with the C&C infrastructure of Stone Panda (aka APT10, aka menuPass). The group is believed to be of Chinese origin, and has apparently been involved in the recent attacks against South Korean targets, as well as in espionage efforts against US companies lobbying the Trump administration on global trade and against various organizations in Japan.
“User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines,” US-CERT also noted.
“In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PlugX/Sogu and Redleaves.”
IOCs for the PlugX/Sogu and Redleaves malware variants used by the group can also be found in the IOC documents added to the report.
“The Redleaves implant consists of three parts: an executable, a loader, and the implant shellcode. The Redleaves implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2,” US-CERT explains.
PlugX is a sophisticated Remote Access Tool (RAT) operating since approximately 2012. It is known to use DLL side-loading to evade anti-virus and to maintain persistence on a victim system, and that’s also the case in these campaigns.
NCCIC has provided a comprehensive list of mitigations that should help keep these intruders out.