The IT security researchers at Kaspersky Lab have published a report on the activities of the Chinese hacking group LuckyMouse (also known as Iron Tiger, Threat Group-3390, EmissaryPanda, and APT27), which has been active since at least 2010 and using watering hole attack against its victims.
According to Kaspersky’s report, hackers attacked the national data center of an unknown Central Asian country, eventually gaining access to a number of government resources. The involvement of LuckyMouse in the attacks is indicated by the tools, domains, tactics of the attackers and target victim.
Watering holes is a technique in which famous websites are infected with malware so that visitors unknowingly get their devices infected.
To remotely manage infected servers, attackers did not develop a completely new malware but used the latest versions of the already known HyperBro RAT, a Remote Administration Tool well known to be used by Chinese attackers – The timestamps for these modules are from December 2017 until January 2018.
Researchers also discovered that LuckyMouse and other Chinese attackers began actively using infected documents (Microsoft Office Equation Editor) exploiting the 17-year-old vulnerability CVE-2017-118822. But, it is unclear if the latest attack was carried out using the same method or the employees of the data center were infected by attackers using the previous watering hole attack.
The command and control (C&C) server used in this campaign is hosted on an IP address belonging to a Ukrainian Internet service provider (ISP) using MikroTik router with the firmware version 6.34.4 since March 2016. Researchers believe that this router does not belong to the attackers, but it was hacked by them for processing malware’s HTTP requests.
After the successful compromise of the data center, the websites were set up to redirect visitors to the ScanBox and BEeF deployed by the criminals. These redirections are implemented by adding two malicious scripts, obfuscated using a tool similar to the Dean Edwards wrapper.
In conclusion, Kaspersky Lab experts note that the LuckyMouse group has recently been very active and stands out against others with its skills in conducting watering hole attacks. However, the most unusual and interesting this about this campaign is their target – The national data center is not only a source of valuable information but also hosts government-based websites.
“A national data center is a valuable source of data that can also be abused to compromise official websites,” Kaspersky researchers said in a blog post. “Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”
Image credit: Depositphotos