We recently encountered in the wild another sample related to the
Sanny APT. For readers who are not familiar with the Sanny APT, please
refer to our previous
blog for the background. The sample was using the same lure text
and the CVE-2012-0158 vulnerability. However, this time it was using a
different board named “ecowas_1” as compared to
“kbaksan_1” which was employed previously. The following are
the CnC URLs to list stolen data entries extracted from the samples:
New –> hxxp://board.nboard.net/list.php?db=ecowas_1&p=1
Previous –> hxxp://board.nboard.net/list.php?db=kbaksan_1&p=1
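As an added example (not part of the original FireEye post), the following Python snippet scans constructed proxy log lines for requests to the Sanny listing endpoint and pulls the board name out of the db parameter, reporting the two boards named above and any other board on the same host. The three-field log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Boards named in the post; any other db value on this host is reported as new
CNC_HOST = "board.nboard.net"
KNOWN_BOARDS = {"ecowas_1", "kbaksan_1"}

# Constructed sample lines (assumed "timestamp client url" format, not real logs)
SAMPLE_LOG = """\
2013-03-01T10:00:01Z 10.0.0.5 hxxp://board.nboard.net/list.php?db=ecowas_1&p=1
2013-03-01T10:00:02Z 10.0.0.9 http://example.com/index.html
2013-03-01T10:00:03Z 10.0.0.7 hxxp://board.nboard.net/list.php?db=kbaksan_1&p=2
2013-03-01T10:00:04Z 10.0.0.8 hxxp://board.nboard.net/list.php?db=other_9&p=1
2013-03-01T10:00:05Z 10.0.0.5 http://board.nboard.net/write.php?db=ecowas_1
"""

def defang_to_url(s):
    """Turn the defanged hxxp:// notation back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

def match_sanny_cnc(url):
    """Return (board, is_known) if url is a Sanny list.php request, else None."""
    parts = urlsplit(defang_to_url(url))
    if parts.hostname != CNC_HOST or parts.path != "/list.php":
        return None
    db = parse_qs(parts.query).get("db")
    if not db:
        return None
    return db[0], db[0] in KNOWN_BOARDS

def scan_log(text):
    """Return a list of (client_ip, board, is_known) hits across log lines."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        m = match_sanny_cnc(fields[2])
        if m:
            hits.append((fields[1], m[0], m[1]))
    return hits

if __name__ == "__main__":
    for ip, board, known in scan_log(SAMPLE_LOG):
        print(f"{ip} -> board {board} ({'known' if known else 'NEW'})")
```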
Based on the timestamps and other indicators, we believe that both
samples were created and deployed at the same time. The attacker
probably used different boards/DBs to split the victims so that,
if one board goes down, he or she can still keep receiving the stolen data
from the remaining ones.
We have been in touch with the Korea Information Security Agency (KISA)
regarding the Sanny APT, and with their help the CnC boards ecowas_1
and kbaksan_1 have been shut down (they no longer serve any content). The following
screenshot shows the response when you access the ecowas_1 board.
The text in Figure 1 roughly translates to “Error: Blackout”.
We want to thank KISA for collaborating with FireEye on this
important case. Both FireEye and KISA are monitoring this threat and
will let you know of any new updates.