China-based TEMP.Periscope APT targets Cambodia’s elections

FireEye uncovered a large-scale Chinese phishing and hacking campaign powered by Temp.periscope APT aimed at Cambodia’s elections.

Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections.

The hackers distributed a remote access trojan (RAT) and data exfiltration operation targeting the poll.

The experts from FireEye attributed the attacks to an APT group tracked as TEMP.Periscope that targeted in past operations American engineering and maritime operations.

FireEye found evidence of infection on systems used by election-related entities in Cambodia, including the National Election Commission, human rights advocates, an MP for the Cambodia National Rescue Party, two Cambodian diplomats in overseas posts, and some media outlets.

“FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures.” reads the analysis published by FireEye.

“This campaign occurs in the run up to the country’s July 29, 2018, general elections.”

TEMP.Periscope used the same infrastructure of other campaigns against other targets, including the defense industrial base in the United States and a chemical company based in Europe.

Analyzing this campaign, FireEye found files on three open indexes operated by the attackers, in this way the company gathered information about group’s TTPs and its targets. The activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia’s government and elections.

Two servers (chemscalere[.]com and scsnewstoday[.]com) is used to operate a typical Command and Control infrastructure and hosting sites, while a third one, mlcdailynews[.]com, works as an active SCANBOX server.

SCANBOX is another APT that FireEye has monitored in various campaigns since 2015, the presence of a SCANBOX server suggested TEMP.Periscope was also planning to target individuals with an interest in US-East Asia politics, Russia, and NATO affairs in forthcoming campaigns.

The servers contain both malware and logs, the analysis of the latter revealed:

• Analysis of logs from the three servers revealed:
  • Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
  • Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
• The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .

The servers were administered by operators based in Hainan (one of the IP addresses, 112.66.188[.]28, is located in Hainan, China), and experts found two new malware families hosted on them, DADBOD and EVILTECH, and other malware families detected in the past (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX)”.

The most active tolls of this campaign were the AIRBREAK backdoor, the HOMEFRY password cracker and dumper; the LUNCHMONEY uploader and a command line reconnaissance tool called MURKYTOP.

FireEye says it had seen these in previous campaigns, and it also spotted two new tools in the Cambodian operation. There’s a backdoor called EVILTECH, a Javascript-based RAT, and the DADBOD credential stealer.

Malware	Function	Details
EVILTECH	Backdoor	EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript. During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or connection to another attacker-controlled system.
DADBOD	Credential Theft	DADBOD is a tool used to steal user cookies. Analysis of this malware is still ongoing.

The experts attributed the attacks to China, other IP addresses involved in the campaign are associated with virtual private servers, but researchers noticed that artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.

“The activity uncovered here offers new insight into TEMP.Periscope’s activity.” concludes FireEye. “Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Cambodia, TEMP.Periscope)

[adrotate banner=”5″]

[adrotate banner=”13″]