A newly discovered cyber espionage campaign targeting South Korea, the U.S. and Canada features malware that reuses old source code associated with the seemingly dormant or disbanded APT1 threat group.

The findings raise the possibility that the reputed Chinese threat actor has resumed operations, especially because its source code was never released to the public, according to a McAfee blog post and corresponding research paper published yesterday.

But McAfee researchers believe it is more likely that the culprit is a new group that either reached a code-sharing agreement with APT1, received the code from an individual APT1 member, or is using the code as a false flag. The likely motive of this group: financial theft, the researchers theorize.

Known as the Comment Crew due to its habit of embedding hidden code or comments into Web pages, APT1 first emerged over a decade ago, stealing terabytes of data from a wide range of U.S. industries and critical infrastructure providers. But the group has laid low for years after its activity was publicly exposed in 2013, following a 2013 Mandiant report tying the group to the Chinese People’s Liberation Army’s Unit 61398.

So the sudden reemergence of malicious activity featuring certain hallmarks of APT1 comes as a surprising development.

Dubbed Oceansalt, the mysterious new malicious campaign began around May 2018 and has occurred in five distinct waves, write blog/report authors Raj Samani, chief scientist and McAfee fellow; Ryan Sherstobitoff, senior analyst for major campaigns; and Asheer Malhotra, senior security researcher. The Oceansalt malware implant used in each of these waves is a first-stage component that shares about 21 percent of its code with Seasalt, an eight-year-old  implant previously linked to Comment Crew.

The Oceansalt first-stager features a small footprint and is designed to communicate infected systems’ data to a C&C server, as well as execute numerous commands, although at this time it’s unclear for what purpose. 

“These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victims,” the report speculates. “The impact of these operations
could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank’s network would be an especially lucrative target.”

The attacker’s choice of infection method has been phishing emails with malicious attachments. The first three waves were clearly designed to target Koreans, with decoy documents containing content that sometimes included a list of individuals involved in South Korean higher education, and other times conveyed information related to the financials of the Inter-Korean Cooperation Fund.

“According to our document analysis, the targets likely had knowledge of South Korean public infrastructure projects and related financials — a clear indication that the actor focused initially on infrastructure,” the report states.

By August, a fourth wave began targeting multiple industries (including financial, health care, agriculture and telecom) in the U.S. and Canada — although McAfee notes that this could be considered a separate campaign altogether. This was followed by a fifth wave involving several different variants of Oceansalt, targeting both the U.S. and South Korea.