FireEye revealed APT Operation DeputyDog against Japanes entities

Security experts at FireEye discovered the Operation DeputyDog against Japanese entities that exploits Zero-Day (CVE-2013-3893) recently announced by Microsoft.

FireEye announced the discovery of the cyberespionage Operation DeputyDog leveraging the recently announced zero-day CVE-2013-3893. FireEye and Kaspersky are the companies most active in the analysis of large espionage campaign that governments and hackers are conducting against strategic targets.

According the analysis based on FireEye Dynamic Threat Intelligence cluster the Operation DeputyDog began as early as August 19, 2013 targeting Japanese organizations. Security experts found that attackers have used the same command and control infrastructure of the attack on Bit9 firm.

Bit9 experts discovered that hackers penetrated their network infecting machine with two variants of the HiKit rootkit.

“One of these Hitkit samples connected to a command and control server at downloadmp3server[.]servemp3[.]com that resolved to 66.153.86.14. This same IP address also hosted www[.]yahooeast[.]net, a known malicious domain, between March 6, 2012 and April 22, 2012. The domain yahooeast[.]net was registered to 654@123.com. This email address was also used to register blankchair[.]com – the domain that we see was pointed to the 180.150.228.102 IP, which is the callback associated with sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been already correlated back to the attack leveraging the CVE-2013-3893 zero-day vulnerability.”

Just a couple of days ago, on September 17, 2013 Microsoft announced a new zero-day vulnerability in Internet Explorer products that was being exploited in targeted attacks.

FireEye investigated on the attacks revealing that they targeted organizations in Japan, according evidences collected behind the Operation DeputyDog there is the same threat actor that compromised Bit9 in February 2013, when during the hack were stolen digital certificates used later in further attacks to sign malware. The payload used in these attacks on August 23th 2013 against entities in Japan was hosted on a server in Hong Kong with IP address equal to 210.176.3.130. Despite the payload is named img20130823.jpg in reality it is an executable, once run it writes a dll named “28542CC0.dll” in the following path:

C:\Documents and Settings\All Users\Application Data\28542CC0.dll

To be able to execute the malware on every machine restarts the malicious agent also adds this registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28542CC0 rundll32.exe “C:\Documents and Settings\All Users\Application Data\28542CC0.dll”,Launch

The malware connects to a host in South Korea (180.150.228.102), it is curious that callback traffic is not encrypted HTTP over port 443. The FireEye security experts identified the signature for the attacks that allowed the detection of at least 5 samples that were compiled on 2013-08-19, within 1 second of each other.

MD5	Compile Time (UTC)	C2 Server
58dc05118ef8b11dcb5f5c596ab772fd	2013-08-19 13:21:58	180.150.228.102
4d257e569539973ab0bbafee8fb87582	2013-08-19 13:21:58	103.17.117.90
dbdb1032d7bb4757d6011fb1d077856c	2013-08-19 13:21:59	110.45.158.5
645e29b7c6319295ae8b13ce8575dc1d	2013-08-19 13:21:59	103.17.117.90
e9c73997694a897d3c6aadb26ed34797	2013-04-13 13:42:45	110.45.158.5

The malicious domains identified are:

Domain	First Seen	Last Seen
ea.blankchair.com	2013-09-01 05:02:22	2013-09-01 08:25:22
rt.blankchair.com	2013-09-01 05:02:21	2013-09-01 08:25:24
ali.blankchair.com	2013-09-01 05:02:20	2013-09-01 08:25:22
dll.freshdns.org	2013-07-01 10:48:56	2013-07-09 05:00:03

Campaign such as the Operation DeputyDog are the demonstration that groups of persistent collectors are very active and use sophisticated techniques for their attacks. The hackers exploited the knowledge of a zero-day during last attacks, circumstance that lets me think of the responsibility of state-sponsored hackers. Governments are primary entities that exploit zero-day flaws during their attack, cybercrime ecosystem in fact is more oriented in the sale of these exploits instead to use it for illegal activities. If you are interested to go deep in the technical analysis of the ATP read the following post published by FireEye.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – FireEye, Operation DeputyDog, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.