Shiqiang APT cyber espionage using RAT signed with stolen certificates

Pierluigi Paganini May 07, 2014

Security experts at McAfee Labs have discovered a new cyber espionage based on the malware digitally signed with stolel certificates.

A recent research of McAfee Labs has identified a series of spear phishing attacks against non governmental entities and activists, the offensives which interested mainly organizations in China were conducted using malicious code signed with stolen digital certificates.

The official blog post of McAfee Labs states that the attacks are dated as far back as July 2013, the experts have identified valid signatures with certificates belonging to “Zhengzhou hanJiang Electronic Technology Co., Ltd,” verified by Thawte, and “Jiangxi you ma chuang da Software Technology Co., Ltd,” verified by Verisign.

“The group has been very active since July 2013 and is known to use two valid digital certificates as part of their campaign.” states the post.

  • Zhengzhou hanJiang Electronic Technology Co., Ltd. Expires 9/1/2013
  • Jiangxi you ma chuang da Software Technology Co., Ltd. Expires 12/14/2014

The attackers also take advantage of an arbitrary-code-execution exploit (CVE-2012-0158), in July 2013 experts at Trend Micro uncovered a string of targeted attacks against European and Asian government agencies to steal login credentials from IE and Microsoft Outlook products based on the same exploit.

“There is only limited role-restriction on many Windows installs in the first place, but in this case it exploits ActiveX components, which are associated with video processing and will generally run at a system level of access,”  said Adam Wosotowsky, messaging data architect at McAfee.

The malware spread by attackers are remote access trojans (RAT) which are served as attachment of the malicious emails and appear as legitimate and harmless Microsoft Word documents.

The threat vector is a doc file that exploits the CVE-2012-0158 vulnerability and contains a decoy document. Upon execution in a vulnerable environment, the doc file drops an embedded executable (kav.exe) that is digitally signed, which in turn drops another DLL file that is signed by the same digital certificate.

The malware allows the attacker to gain the remote control of the victim’s PC, we are probably facing with a cyber espionage campaign on nongovernmental organizations and activists to collect information like member lists, activity plans any other kind of financial data.

The malware drops the Msnetwork.dll library registering it as a layered service provider (LSP), the dll can be loaded whenever an application uses winsock and allows the malicious agent to intercept and modify inbound and outbound Internet traffic.

“Msnetwork.dll checks the host process it is being loaded into and injects aesen.dat and desen.dat into explorer.exe.”

cyber espionage campaign certificates malware

The experts at  McAfee Lab dubbed the bad actor behind the attacks “the Shiqiang Group”, or Shiqiang Gang, because of one of the certificates the team is using to avoid defense systems. The experts has also found analyzing the code of the malware the list of Command & Control used by the attackers:

  • 61.128.110[.]137
  • tibetcongress.oicp[.]net
  • 60.13.176[.]25
  • 220.171.94[.]50
  • newyorkonlin[.]com

These operations are very frequent, the technique of using malicious code digitally signed with stolen certificates is considered a winner choice in the cyber criminal ecosystem.

Pierluigi Paganini

(Security Affairs –  APT, certificates, malware)

you might also like

leave a comment