Researchers uncovered a new cross-platform attack from 5 different APT groups that work for the Chinese Government targets the Linux servers, Windows and Android systems deployed in an organization around the globe using Remote Access Trojan’s, and the campaign remains undetected nearly a decade.
Threat APT groups are comprised of civilian contractors working in the interest of the Chinese government and they focused on the large Linux server deployed data centers that are the backbone for most sensitive enterprise network operations.
These APT attacks carry over the Linux malware that is linked with one of the largest Linux botnets that ever discovered, along with kernel-level rootkits which are extremely difficult to detect and increase the probability of the infection rate.
These groups mainly attacking the Red Hat Enterprise, CentOS, and Ubuntu Linux environments for the purposes of espionage and steal the intellectual property of the several industries across the globe.
Targeting the Linux servers has following advantages.
• Compromising Linux web servers allows for the exfiltration of massive amounts of data that can be obscured within the high volume of daily web traffic
• Compromising Linux database servers provides attackers a greater chance of finding valuable data like sensitive intellectual property, trade secrets, or lists of employee usernames and passwords relatively quickly
• Compromising Linux jump-boxes, aka bastion or proxy servers, erases a layer of protection typically relied upon by most corporate networks to separate internal networks from external threats
There are several malware, toolsets, the rootkits, and the infrastructure involved in this large scale APT attack.
Attackers also leveraging Android malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.
Collected evidence shows that the attackers shifted to the use of a cloud platform for command and control server and perform a data exfiltration which helps them perform their operation over trusted communication.
Four of these five groups are already known to the security community as PASSCV, BRONZE UNION (aka APT27, EMISSARY PANDA), a group tracked internally as CASPER (aka LEAD), and the original WINNTI GROUP.
A fifth APT group called as Linux splinter cell group that has been tracked as WLNXSPLINTER using a collection of backdoor called WINNTILNX toolset.
There are 3 backdoor and 2 rootkit variants that are used by these groups in this massive attack over a decade.
- PWNLNX1 (Backdoor)
- PWNLNX2 (Backdoor)
- PWNLNX3 (Backdoor)
- PWNLNX4 (Rootkit)
- PWNLNX5 (C2 Server for both Windows and Linux malware suite)
- PWNLNX6 (Rootkit)
Windows malware that used this in campaign attempts to elude defenders through the use of stolen adware code-signing certificates, hiding the malware in plain sight with the hopes it will be dismissed as just another blip in a nearly constant stream of adware alerts.
Researchers also found a modified ZXShell variants commonly used by BRONZE UNION (aka APT27, EMISSARY PANDA).
ZXShell variants contain several droppers that load the Windows backdoor payload which has the following functions.
Mobile Malware Division
Researchers found evidence that these APT groups also developed a Mobile Malware and powerful Remote Access Trojan for mobile devices, especially for the Android platform.
Android malware that uncovered by the researchers very closely resembles the code in a commercially available penetration testing tool which is created nearly two years back.
Upon closer examination of the groups leveraging the Linux implants, BlackBerry researchers found a number of indications within current and older C2 infrastructures that mobile implants associated with both PASSCV and CASPER likely existed.
Another interesting find is NetWire RAT, a multi-platform, commercial, off-the-shelf remote administration tool (RAT) that can be licensed on a monthly or annual basis from a company called World Wired Labs.
This RAT module legitimately utilized by system admins, network admin, incident responders, also parents who want to monitor their kids’ mobile phone activity.
But the RAT tool is one of the most pervasive RATs in use by criminal enterprises and APT groups.
BlackBerry researchers also identified several implants designated as PWNDROID5 which masqueraded as fake Adobe Flash updates for Android in a newly identified campaign designated as OPERATION ANDROIDBEACON.
John McClurg, Chief Information Security Officer at BlackBerry said “This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” You can read the full report here.