Sanny CnC Backend Disabled

We recently encountered in the wild another sample related to the Sanny APT. For readers who are not familiar with the Sanny APT, please refer to our previous blog for the background. The sample used the same lure text and the same CVE-2012-0158 vulnerability. However, this time it used a different board named "ecowas_1" rather than the "kbaksan_1" board employed previously. The following are the CnC URLs used to list stolen data entries, extracted from the samples:

New    -->      hxxp://board.nboard.net/list.php?db=ecowas_1&p=1

Previous -->       hxxp://board.nboard.net/list.php?db=kbaksan_1&p=1
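As an added example (not code from the original post), the following Python script shows how a defender could flag proxy log entries that match the Sanny list URL pattern above. The log format and the sample log lines are constructed for illustration; the host, path and board names come from the URLs listed above, with the defanged "hxxp" read as "http".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Components of the CnC list URLs quoted in the post ("hxxp" read as "http").
SANNY_CNC_HOST = "board.nboard.net"
SANNY_CNC_PATH = "/list.php"
SANNY_BOARDS = {"ecowas_1", "kbaksan_1"}

# Constructed sample proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2013-01-10T09:12:01Z 10.0.0.21 GET http://board.nboard.net/list.php?db=ecowas_1&p=1 200
2013-01-10T09:12:05Z 10.0.0.22 GET http://www.example.com/index.html 200
2013-01-10T09:13:40Z 10.0.0.23 GET http://board.nboard.net/list.php?db=kbaksan_1&p=2 200
2013-01-10T09:14:02Z 10.0.0.24 GET http://board.nboard.net/list.php?db=other_board&p=1 200
2013-01-10T09:15:11Z 10.0.0.25 GET http://evil.example.net/list.php?db=ecowas_1&p=1 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return the Sanny board name if url matches the known CnC pattern, else None.

    Host, path and the db query parameter must all match; a db=ecowas_1
    parameter on an unrelated host is not reported, and an unknown board
    on the same host is left for analyst review rather than flagged.
    """
    parts = urlsplit(url)
    if parts.hostname != SANNY_CNC_HOST or parts.path != SANNY_CNC_PATH:
        return None
    db = parse_qs(parts.query).get("db", [])
    if len(db) == 1 and db[0] in SANNY_BOARDS:
        return db[0]
    return None


def find_sanny_hits(log_text):
    """Scan proxy log text; return (timestamp, client_ip, board, page) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, _method, url, _status = m.groups()
        board = classify_url(url)
        if board:
            page = parse_qs(urlsplit(url).query).get("p", ["?"])[0]
            hits.append((ts, client, board, page))
    return hits


if __name__ == "__main__":
    for hit in find_sanny_hits(SAMPLE_PROXY_LOG):
        print("Sanny CnC list request: time=%s client=%s board=%s page=%s" % hit)
```

Both the ecowas_1 and kbaksan_1 boards are matched, so a single rule covers both victim groups the attacker split across the two databases.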

Based on the timestamps and other indicators, we believe that both samples were created and deployed at the same time. The attacker probably used different boards/DBs to split victims between them, so that if one board is taken down the stolen data from the remaining ones keeps arriving.

We have been in touch with the Korea Information Security Agency (KISA) regarding the Sanny APT, and with their help the CnC boards ecowas_1 and kbaksan_1 have been shut down (they no longer serve any content). The following screenshot shows the response returned when accessing the ecowas_1 board.

Figure 1: Screenshot of the response now returned by the ecowas_1 board.

The text in Figure 1 roughly translates to “Error: Blackout”.

We want to thank KISA for collaborating with FireEye on this important case. Both FireEye and KISA are monitoring this threat and will let you know if there is any new update.