Challenges in Malware and Intelligence Analysis: Similar Network Protocols, Different Backdoors and Threat Groups
Through the course of our client engagements, Mandiant's Intel team tracks and analyzes the threat activity we observe. We recently saw two separate APT groups use two different backdoors that had very similar networking protocols. Nevertheless, they are separate backdoors with separate functionality. This is notable because in general, when network defenders see an IDS alert associated with a custom backdoor protocol, they tend to assume that a specific backdoor has been deployed in the network.
It is rare that two different backdoors will share the same networking protocols. Nevertheless, this example shows that the actual backdoor should be recovered from the compromised host before a definitive determination is made about the family of malware that was deployed.
The backdoors, which Mandiant calls HIPSTING and TEMPFUN, send periodic "beacon" packets to their command and control (C2) servers with information about the victim system, such as the processor speed, computer name, username, version information and the volume serial number. This information is encoded and transmitted as part of an HTTP GET request. Figure 1 and Figure 2 display portions of the encoded GET requests for these backdoors, which contain host information and were generated using the same sandbox.
A comparison of these encoded samples shows that, although the content is not identical, the two backdoors report much of the same host information and use the same algorithm to encode it.
Furthermore, the two backdoors use the same hard-coded user agent in these GET requests:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
This user agent indicates the use of Internet Explorer 6.0 on the Windows 2000 operating system with the .NET framework version 1.1.4322 installed. Though the components of the user agent lend the HTTP traffic an air of legitimacy, they do not indicate technical requirements for the backdoors: the backdoors will use this user agent even if they are not running on Windows 2000.
Finally, when the C2 server responds to the backdoors, it may use the following header format:
However, despite these striking networking protocol similarities, HIPSTING and TEMPFUN are different backdoors and some stylistic differences even suggest they were authored by different people:
- The backdoors use different command codes and include different functionality.
- TEMPFUN uses two "layers" of command codes (in that issuing a command in the "primary" layer may lead to commands in a "secondary" layer), whereas HIPSTING does not.
- Variants of HIPSTING have used the legitimate wordpress.com service to store and download current C2 configuration information.
- When parsing commands, TEMPFUN uses "switch" statements, while HIPSTING uses "if" statements.
- Though the protocol format is similar, the code for sending HTTP requests differs in which functions it calls from the Windows library WININET.dll.
The fact that the malware was very similar in some respects, yet associated with two different threat groups, should give people pause when attributing intrusion events based on malware correlations. The striking similarities in the HIPSTING and TEMPFUN networking protocols suggest more than a coincidental relation between the two, though it is unclear how far that relation goes. The authors of the two backdoors may have drawn from the same networking protocol code, and it is possible that they did not know each other. That being said, it would also not be surprising if the two groups shared malware authors, or if their malware authors independently collaborated.
It is rare for two backdoors to share the same networking protocols, and in general when an IDS signature fires on a custom backdoor protocol, it is a good indication that a specific backdoor has been deployed. Additionally, it may not be absolutely necessary for network defenders to figure out which backdoor was involved in a particular intrusion event, unless they are intent on decoding the traffic. However, for intelligence analysts who are attempting to connect the dots and determine which threat group was involved in each case, it is important to be precise and collect the actual malware whenever possible to determine its family. Although the use of the same malware family in two intrusion events is normally not enough to conclude that the same threat group was behind both, it is nevertheless an element in making such a determination.
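The following sketch shows how a network detection built on the shared user agent and periodic beaconing can report both candidate families instead of naming one. It is an added example, not Mandiant's tooling; the proxy log format, the addresses, the beacon interval and the jitter threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# User agent hard-coded in both backdoors, as quoted in the article.
SHARED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
# The network protocol alone cannot tell the two families apart.
CANDIDATE_FAMILIES = ("HIPSTING", "TEMPFUN")

_SAMPLE = {  # constructed traffic: client -> (user agent, request times)
    "10.0.0.21": (SHARED_UA, ["09:00:02", "09:01:02", "09:02:03", "09:03:02"]),
    "10.0.0.35": (SHARED_UA, ["09:00:10", "09:00:12", "09:07:40"]),
    "10.0.0.40": ("Mozilla/5.0 (constructed)", ["09:00:00", "09:01:00", "09:02:00"]),
}
# Assumed log format: timestamp, client, method, URL, quoted user agent.
SAMPLE_LOG = "\n".join(
    f'2014-01-06T{t} {c} GET http://c2.example/x "{ua}"'
    for c, (ua, ts) in _SAMPLE.items() for t in ts)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def find_beacons(log_text, min_hits=3, max_jitter=0.2):
    """Return {client: finding} for clients sending periodic GETs with SHARED_UA."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, _url, ua = m.groups()
        if method == "GET" and ua == SHARED_UA:
            hits[client].append(datetime.fromisoformat(ts))
    findings = {}
    for client, times in hits.items():
        if len(times) < max(min_hits, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue
        # A low relative spread of the gaps means a regular beacon, not browsing.
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            findings[client] = {
                "requests": len(times),
                "interval_s": round(mean(gaps)),
                "candidate_families": CANDIDATE_FAMILIES,
                "family_confirmed": False,  # requires the sample from the host
            }
    return findings
```

On the constructed log only 10.0.0.21 is reported, and its finding stays unconfirmed until the backdoor itself is recovered from the host and analyzed.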
For similar intelligence reporting and analysis on details related to threat actors and their tradecraft, consider subscribing to the Mandiant Intelligence Center.