Spear phished by FireEye?

Blogging about crimeware (commodity malware that infects victims in a purely opportunistic fashion) is easy to do ethically, as the “victim” oftentimes does not add much value to the story. Also, there are so many copies of the malware publicly available that talking about the threat does not compromise your collection source, and in general, we try to avoid “naming names” for the sake of shaming anyone.

In the case of crimeware, whether a home user or a chemical company gets compromised by a DDoS bot, the malware is going to act pretty much the same. For this reason, publicly talking about those types of threats doesn’t lead you into discussions of, “But now they know that you know!”

Attacks that are people-driven are much more interesting to analysts because playing against a human leads to a whole different set of challenges than playing against an automated attack algorithm. The attacker, be it APT (China) or simply a well-resourced attacker, performs very systematic attacks on you to find the simplest method that will be successful. There is a lot of FUD in the security community about how all APTs use unknown and/or unpatched software vulnerabilities, which is simply false. Why burn a zero-day if a link to an exe/hlp/chm/scr will work just as well? Why use a carefully constructed PDF email attachment that works 5% of the time when you could simply send a link to an older Java exploit that works 50% of the time? We’ve seen link lures for “iPhone 5’s” and “movie premieres” that work better than the hottest UAV conference. The fact is that the sophistication of the exploits ramps up over the attack timeline between you (or your organization) and a specific threat actor. Obviously, if there is data that needs to be exfiltrated in short order, the volume and sophistication of attacks will escalate faster, but the general “shopping list” with which they are tasked sees a very gradual rise until an attack is successful. To put it another way, you’re not always fighting against the A-team, and although the B players aren’t that talented, they are just as relentless.

Getting back on point, tying an identity to an attack, either the sender or the target, will almost definitely pique my curiosity faster, but the victim rarely agrees to talk about this type of incident publicly. However, there are services where people knowingly sign away those rights, such as virustotal or vicheck. When you submit a file there, all the security vendors that participate in the share receive a copy, which is used to help QA a variety of security tools. For instance, over the past three months, we’ve seen hundreds of targeted attacks from these sharing programs against all sorts of orgs, such as governments in the US, Sweden, Japan, Taiwan, etc., global manufacturing companies, oil/gas, and more uninteresting USPS/IRS/DHL spam than I care to count. Many of these targets should understand the value of OPSEC, but alas….

No organized group receives targeted attacks with a higher volume or more regularity than Tibetan activists. Not USG, not US DIB, not Taiwan…. Tibet. Everyone, from the personal envoys to the Dalai Lama to student activists in San Francisco, gets hammered day in and day out, oftentimes with pretty high-octane stuff. These people are very public figures and have very little to lose (and potentially, much to gain if they are recognized as being victimized by the Chinese), so I thought I would reach out to a few of the targets that had sent multiple pieces of malware to virustotal over the past month or two.

[Image: Spear phishing with malicious attachments]

(Alison from was the only one who responded, and I’ll be posting more analysis about attacks she sees soon.)

Unfortunately for one of the people on the BCC: list (and for me), that person was compromised, and very quickly (the next day), the spear phisher was able to steal his or her email, interpret it, and come up with interesting content to use as a future lure to get others to open the malicious attachment. When the spear phish was actually sent to other targets, you’ll notice the text looks slightly different, was sent from a account, and contained a malicious PDF exploiting an older vulnerability. I’ve seen a few copies of this same spear phish, sent from different yahoo accounts.

[Image: Spear phishing]

You’ll notice the characters look a little funky. Well, that’s because the person who took my mail recreated it under the following character set:

[Image: Spear phishing Tibetan activists]

Kinda strange that the attacker would happen to be working on a Chinese keyboard layout.
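The character-set tell described above can be checked mechanically. The following is an added example, not code from the original post: it lists every charset a message declares (in RFC 2047 encoded headers and in MIME parts) and reports those outside a baseline for the purported sender. The baseline, the sample message and the use of gb2312 are assumptions made for illustration; the post does not name the charset.

```python
import codecs
import email
from email.header import decode_header

def canon(cs):
    """Normalise charset aliases (e.g. GB2312 / gb2312) to one name."""
    try:
        return codecs.lookup(cs).name
    except LookupError:
        return cs.lower()

# Assumption: charsets seen in the purported sender's genuine mail.
EXPECTED = {canon(c) for c in ("us-ascii", "utf-8", "iso-8859-1", "windows-1252")}

# Constructed sample: English text re-created under a Chinese charset.
SAMPLE = (
    b"From: Analyst <analyst@webmail.example>\r\n"
    b"Subject: =?gb2312?B?VGliZXRhbiBhdHRhY2tz?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="GB2312"\r\n'
    b"\r\n"
    b"I am reaching out about the samples you submitted.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="report.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"JVBERi0xLjQK\r\n"
    b"--b1--\r\n"
)

def declared_charsets(raw):
    """List (location, charset) for encoded headers and MIME parts."""
    msg = email.message_from_bytes(raw)  # default compat32 policy keeps headers raw
    found = []
    for name in ("Subject", "From", "To"):
        for _, cs in decode_header(msg.get(name, "")):
            if cs:
                found.append(("header:" + name, canon(cs)))
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            found.append(("part:" + part.get_content_type(), canon(cs)))
    return found

def unexpected_charsets(raw, expected=EXPECTED):
    return [(loc, cs) for loc, cs in declared_charsets(raw) if cs not in expected]
```

A mismatch is a triage signal rather than proof: it is most useful when the same sender's earlier mail gives a baseline to compare against.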

I’m not going to dig too deeply into the malware, but what it does post-compromise is similar to the TTP of any targeted threat. A simple RAT is dropped and executed, persistence is maintained (in this case through the “startup” section of the start menu), a “decoy” document is opened (to make the user think they saw real content), and a simple outbound connection is made. I reformatted the actual output slightly, but the content is all correct.

[Image: Spear phishing Tibetan activists]
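The post-compromise sequence described above (drop and run, Startup-folder persistence, decoy document, outbound connection) can be correlated per process tree. The following is an added detection example, not from the original post: the event fields, process names, paths and addresses are constructed and do not follow any real product's schema.

```python
import ntpath

READERS = {"acrord32.exe", "acrobat.exe", "winword.exe"}  # assumed document handlers
STARTUP = "\\start menu\\programs\\startup\\"

# Constructed endpoint events (simplified, hypothetical fields).
EVENTS = [
    {"type": "proc", "pid": 410, "ppid": 4, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
    {"type": "file", "pid": 410, "path": r"C:\Users\u\AppData\Local\Temp\svch.exe"},
    {"type": "proc", "pid": 977, "ppid": 410, "image": r"C:\Users\u\AppData\Local\Temp\svch.exe"},
    {"type": "file", "pid": 977, "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    {"type": "file", "pid": 977, "path": r"C:\Users\u\AppData\Local\Temp\agenda.pdf"},  # decoy; not a signal alone
    {"type": "net", "pid": 977, "dest": "198.51.100.7:443"},
    {"type": "proc", "pid": 500, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"type": "net", "pid": 500, "dest": "192.0.2.10:443"},
]

def suspicious_chains(events):
    """Map each document-reader pid to the signals seen in its process tree,
    keeping only trees that wrote into a Startup folder."""
    root = {}       # pid -> pid of the reader process it descends from
    findings = {}   # reader pid -> set of signal names
    for e in events:
        pid = e["pid"]
        if e["type"] == "proc":
            name = ntpath.basename(e["image"]).lower()
            if name in READERS:
                root[pid] = pid
                findings[pid] = set()
            elif e["ppid"] in root:
                root[pid] = root[e["ppid"]]
                findings[root[pid]].add("child_process")
        elif pid in root:
            r = root[pid]
            if e["type"] == "file":
                path = e["path"].lower()
                if STARTUP in path:
                    findings[r].add("startup_persistence")
                elif path.endswith((".exe", ".scr")):
                    findings[r].add("dropped_executable")
            elif e["type"] == "net" and pid != r:
                findings[r].add("descendant_network")
    return {r: sorted(f) for r, f in findings.items() if "startup_persistence" in f}
```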

The decoy document is a little more interesting. It appears they took a screenshot of our site and didn’t put a whole lot of effort into making sure that the layout looked reasonable.

[Image: Spear phishing Tibetan activists]

And interestingly, in the footer, there is a bit of .cn text:

[Image: Tibetan spear phishing email has .cn text in the footer]

As I mentioned above, I intended to start a running series of posts about Tibetan attacks, but just my luck, they decided to make it a little more interesting for me.

I would also like to take the time to thank a couple of people who alerted me to this. Initially I got an email from a government CERT that has not given me permission to use their name yet, followed quickly by the good folks at UCSB who run the awesome wepawet service, and finally from Ivan Macalintal over at Trend Micro.