The APT attacks hitting East Asia

East Asia have been targeted by a stream of cyber-attacks carried about by an advanced persistant threat (APT) group. The group goes by several names such as Tick, Brzone Butler and Redbaldknight.

The APT group’s main targets are South Korea and Japan. This current wave of Datper malware attacks is written in Delphi and is capable of executing shell commands to gain information from the infected machine, such as hostnames and drive information.

Security researchers from Cisco Talos have stated It is not yet known how the attacks are being conducted since command and control (C2) servers in question are not active. However, they say it’s possible the malware is being delivered using web-based attacks such as drive-by downloads, or by watering hole attack. Watering hole attacks is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.

Could this signal the re-emergence of Comment Crew

A fresh wave of APT cyber-attacks has hit South Korea, but also US and Canada, causing some to believe this could spell the re-emergence of Chinese government backed hacking group Comment Crew. Security company McAfee claimed they have discovered a new hacking campaign that focuses on cyberespionage and data reconnaissance.

Comment Crew or otherwise known as Shanghai Group or APT1 is thought to be responsible for the majority of China’s cyber-attacks since 2006. In 2013 they were linked to the successful hacks of over 100 US companies, but vanished soon after the exposure, along with hundreds of terabytes of data. The Chinese government maintains that they do not sponsor hacking and claim to be a victim to hacking campaigns themselves.

McAfee has found malware that reuses some of the code that was uses in a campaign called Seasalt that was introduced by APT1 around 2010. The reason this is interesting is because this code was never released publicly, lending authority to McAffee’s claims.

A recent campaign, named Operation Oceansalt has been linked to Comment crew. Operation Onceansalt started in May this year and was seen to be targeting Korean speaker with a data reconnaissance implant. Four more waves have since been detected, aimed against companies in South Korea, the United States and Canada.

The Oceansalt implant gives attackers full control of any system or network it is connected to, however, is mainly used for espionage activity. McAffee acknowledged that the implant allows for information to be sent to a control server and commands can also be executed on infected machines, however the full extent of its purpose is not known.

The waves of attacks

The first wave of attacks happened when a South Korean website was compromised, allowing for a spear-phishing campaign to take place. This was done through Microsoft excel email attachments.

For the first two waves of the attack the targets were South Korean public infrastructure officials. The third round of malware documents was distributed from another compromised South Korean website, and the content related to the financials of the Inter-Korean Cooperation Fund.

In the fourth wave involved the targeting of investment, healthcare, banking and agriculture industries in the US and Canada. There are few details around the extent or damage of this wave.

The fifth wave primarily targeted South Korea and the United States using Oceansalt implant.

Although the full motive of the attack is unclear, there is speculation that it could be financial, or a small part of a much larger attack.

Ad Clicker Disguised as a Google Photos App has been Hosted on Microsoft Store.

A malicious app called “Album by Google Photos” was found to be hosted on the Microsoft store. The app was pretending to be part of Google Photos, but was in fact an ad clicker that generates hidden adverts within the Windows 10 Operating System.

The ad clicker app seemed credible to users because of its name, and also the fact it claimed to be created by Google LLC, Google’s actual Microsoft store account is Google Inc, but it looks unsuspecting to users. Microsoft came under some criticism for not realising the app was actually malicious software since the user reviews did highlight that the app was fake, with plenty of 1* reviews. One review states “ My paid Anti-malware solution detected several attempts to download malware by this app. Watch out”. The App was first released on the Microsoft store in May.

What did the application do?

The “Album by Google Photos” app is a Progressive Web Application (PWA), which acts as the front end for Google Photos and includes a legitimate login screen. Hidden in the app bundle is also an ad clicker which runs in the background and generates income for the app developers.

The app connects to ad URLS, and the ads were very similar to what users would see from typical adware, including tech support scams, random chrome extensions, fake flash and java installs and general low-quality sites.

Microsoft haven’t commented how this app managed to pass the Microsoft review process before ending up on the store.  This is somewhat concerning since it could mean other malicious apps of a similar nature have flown under the radar and are still infecting user’s computers. We are waiting for Microsoft to comment on the issue.

Several vulnerabilities found in RouterOS that Affected MikroTik Routers

Tenable researcher, Jacob Baines, has discovered multiple vulnerabilities in the Mikrotik routers; four separate security flaws that are vulnerable to hacking attacks. Mikrotik made it into the news in September after it was discovered routers had been hijacked using a security flaw on the RouterOS, and attackers we able to spy on users.

RouterOS, Mikrotik’s operating system was found to have around four security flaws. This includes a remote code execution vulnerability (CVE-2018-1156), File upload memory exhaustion flaw (CVE-2018-1157), recursive JSON parsing stack exhaustion (CVE-2018-1158), and www memory corruption (CVE-2018-1159).

While these are separate vulnerabilities, they all require legitimate user credentials before being able to exploit. These vulnerabilities are particularly dangerous, allowing an attacker to gain full control of the system, by remote attacks.

This security vulnerability has been exploited in the past, memorably the hacking of 7500 routers for intercepting user’s traffic and the cryptojacking campaign in which routers were exploited for cryptocurrency mining.

According the Tenable the multiple vulnerabilities affected RouterOS versions 6.42.6 and 6.40.8. Tanable contacted MikroTik in May 2018 to inform them about the flaws, after which Mikrotik released patches to fix the issue. However, not everyone is vigilant with patching their router when these flaws become known, and Jacob Baines has estimated that around 200,000 routers across the world may still be open to this exploit.

We second Tenable’s statement in encouraging users to update their system to the latest patch at the earliest possible time to help protect against these security vulnerabilities.