The APT15 hacking group has always been associated with Chinese intelligence and it has been part of quite a few, infamous hacking sprees. Now the same group has allegedly stolen information about UK’s military technology by compromising computer of a UK government contractor and launching a malware-based attack.
As per the findings of NCC Group, the Chinese linked APT15 (also known as Ke3chang, Vixen Pands, Mirage, Playful Dragon and GREF) hacker group has been eyeing data related to military technology and governmental departments of the UK. In this particular attack, APT15 used new backdoors while the targets were contractors working with different military units and government departments in the UK.
The findings were presented by NCC Group’s senior malware researcher Ahmed Zaki at Kaspersky’s Security Analyst Summit (SAS). In an official blog post, NCC Group explained that on May 2-17, the Incident Response Team at NCC Group were called-in by a contractor who provided a wide range of services to the UK government and the team was requested to respond to a then on-going incident.
The blog stated that the client informed about becoming a victim of a network compromise that involved “advanced persistent threat group APT15.” The investigation was stopped in June 2017 on the request of the same client and then it was resumed in August once again when APT15 hackers again accessed victim’s network.
“APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host,” the blog post read.
It seems like this attack is not an individual attempt but actually part of a bigger, wider operation that is aimed at UK government and military contractors. The hacker group is believed to be using two new backdoors along with malware that already has imprints of APT15. Researchers wrote in their blog post:
“During our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS. The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines.”
RoyalCLI was tracked through a debugging path that was left in the binary and happens to be a successor of BS2005 backdoor that was also used by APT15 in one of its previous malicious campaigns. RoyalCLI and BS2005 use Internet Explorer via the COM interface IWebBrowser2 to communicate with their C&C server.
The second backdoor RoyalDNS utilizes DNS to create a link with its C&C server. When the command is executed, the backdoor returned output via the same DNS. The domain and IP address infrastructure analysis showed various domains that quite possibly were used by APT15 and hosted on Google Cloud and/or Linode.
“All of the backdoors identified – excluding RoyalDNS – required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key.
Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember’.” researchers explained.
After the NCC Group discovered the attack, APT15 did not give up on attacking and again accessed the system via the corporate virtual private network by using a stolen certificate extracted from an already compromised host.
“This time, APT15 opted for a DNS based backdoor: RoyalDNS. The persistence mechanism used by RoyalDNS was achieved through a service called ‘Nwsapagent’,” while the C&C server of this backdoor used the TXT record of the DNS protocol and the server contacted with ‘andspurs[.]com’ domain, the blog revealed.
Researchers were able to cache a number of C2 commands to the disk due to the IE injection technique that HTTP-based backdoors use. The files were recovered and reverse engineered by the researchers using the encoding routine that backdoors use to accurately uncover the commands executed by the attacker.
They recovered over 200 commands in total, which were executed by the attackers against compromised hosts. This is how they were able to understand the attackers’ TTPs. Decoded scripts have also been uploaded to NCC Group’s Github page.