‘Black Vine’ group breached Anthem, leveraged zero-day bugs in various campaigns

Symantec said on Monday that it believes a threat group known as Black Vine – operating since at least 2012 and possibly tied to China – is responsible for the Anthem breach, as well as a number of other attacks against a variety of targets based primarily in the U.S.

The security firm connected Black Vine to the attack on Anthem because a malware variant used by the group was also used in that breach, Symantec Security Response said in a Tuesday email.

“Symantec found that a Black Vine malware variant was used in the Anthem breach,” Symantec Security Response said. “Other third-party vendors cited the same variant in their research into the attack. The Anthem attackers also used a digital certificate to sign the malware, which was seen before in other Black Vine attacks. Additionally, there were multiple domains that were used in the Anthem breach which were found on Black Vine's infrastructure.”

In its campaigns, Black Vine was observed using custom malware known as Hurix and Sakurel – both of which Symantec detects as Trojan.Sakurel – and Mivast, which it detects as Backdoor.Mivast, a Symantec blog post said.

All three threats can open a backdoor, execute files and commands, create, modify and delete registry keys, and gather information from an infected computer, the post explained.

Aside from Anthem, Symantec said it observed Black Vine targeting other companies in a variety of industries, including aerospace, healthcare, energy, military and defense, finance, agriculture, and technology. The majority of infections, 82 percent, were observed in the U.S., with four percent each in Canada and China, three percent each in Denmark and Italy, and two percent in India.

Black Vine has been observed using spear-phishing emails to infect its victims, but the group is perhaps better known for watering-hole attacks: compromising legitimate websites its targets visit and using them to serve exploits for zero-day bugs, including CVE-2012-4792 and CVE-2014-0322, both of which are use-after-free remote code execution vulnerabilities in Internet Explorer.

Because Black Vine was observed using certain zero-day exploits at the same time as other threat groups, Symantec believes Black Vine has access to the Elderwood platform, an exploit framework that is continuously updated with the latest zero-day exploits, the post said.

Historically, campaigns connected to zero-day exploits in the Elderwood platform have been attributed to groups based in China, the post added, indicating that the same may be true for Black Vine.

“Certain Black Vine infrastructure seems to be associated with the Beijing-based security organization Topsec,” Symantec Security Response said, going on to add, “The relationship between Black Vine and Topsec provides evidence of the past or present geography of at least some actors involved in this group's activity. However, there is no evidence to suggest the group is state-sponsored.”

Additional information on the group can be found in Symantec's whitepaper.
