The long-running Blackgear cyber espionage campaign that has largely targeted Taiwan, Japan and South Korea commenced a new operation in early July that abuses legitimate blog and social media sites in order to establish command-and-control infrastructure.
Also known as Topgear and Comnie, Blackgear dates back to 2008, and has long focused on infiltrating public sector agencies, telecommunications firms and tech countries based in target countries, writes post author Joey Chen, a threats analyst at Trend Micro. In this latest iteration of the campaign, the attackers send victims spam emails containing decoy documents or fake installer files (for software such as Flash Player), which when clicked upon produces the Marade downloader.
Marade balloons its file size up to over 50MB in order to evade traditional sandbox solutions, and then performs a system check. If the victim's system is internet-connected and free from anti-virus software, Marade connects to a previously compromised blog or social media site to retrieve an encrypted command-and-control configuration; if not, it relies on C&C connections instructions embedded in its own code.
Upon decrypting the C&C information, Marade then accesses the malicious server and downloads version 3.7 of the backdoor Protux, which executes via a DLL file. Protux next reaches out to yet another compromised website in order to retrieve its very own C&C information. Once connected, it relies on RSA-based encryption to communicate with its server, using the open-source compiler OpenCSP to generate a session key.
Using Protux, the attackers can reportedly generate a list of system drivers, folders, processes, modules, threats, ports, services, and registries, as well as take screenshots and create shells.
Researchers were also able to investigate Protux's new remote controller tool, which according to Chen "provides a user interface that allows attackers to send instructions to and monitor any compromised endpoint host" in real time. Additionally, the tool can remotely control the Marade downloader in infected machines.
"Based on the controller's behavior, we can posit that both Marade and Protux were authored by the same threat actors," concludes Chen. "Each serves a specific role once in the system. Marade acts as the first stage of attack, sending the compromised system's information to the C&C server and then awaiting commands from the controller. This allows threat actors to monitor and check whether the affected system is of interest to them. If so, the attack moves to the second stage by deploying Protux."
The fact that Marade and Protux both retrieve C&C information from compromised blog and social media posts and both have similar configuration formats also indicate that they originate from the same actor, Chen notes.
Yesterday, a separately published blog post report compiled by Trend Micro in conjunction with South Korean malware research team IssueMakersLab warned of a different Asian cyber espionage threat.
Andariel Group, an offshoot of suspected North Korean APT actor Lazarus Group, was reportedly engaging in a new wave of watering hole attacks that were essentially a continuation of an ongoing campaign called GoldenAxe, which leverages an exploit for ActiveX, Microsoft's software framework for Internet Explorer.
According to Chen, who also authored this blog post, Trend Micro discovered on June 21 that actors had injected malicious script into four compromised South Korean websites, with the intent to perform reconnaissance on these sites by gathering various ActiveX object information and targeted objects from visitors' browsers. Targets included a Korean non-profit organization's website and three South Korean local government labor union websites.
The attackers were able to collect visitor information such as browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects. Unlike previous scripts used in the GoldenAxe campaign, this malicious script also gathered ActiveX objects related to two specific South Korean software products commonly used by local governments and public institutions. Trend Micro describes them as a Digital Rights Management product and voice conversion software.
Trend Micro says the websites were notified of the activity, and the reconnaissance activity ceased as of June 27.