Buckeye APT group used Equation Group tools prior to ShadowBrokers leak

Pierluigi Paganini May 07, 2019

China-linked APT group tracked as APT3 was using a tool attributed to the NSA-linked Equation Group more than one year before the Shadow Brokers leak.

The China-linked APT group tracked as APT3 (aka Buckeye, UPS Team, Gothic Panda, and TG-0110) was using a tool attributed to the NSA-linked Equation Group more than one year before the Shadow Brokers leak.

In May 2017, researchers at threat intelligence firm Recorded Future discovered a clear link between the APT3 cyber threat group and China’s Ministry of State Security.

The APT3 cyberespionage group had been active since at least 2009 and its last operation was uncovered in mid-2017.

In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT), which exploited a then-unpatched zero-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3 and described it as “one of the most sophisticated threat groups” being tracked at the time.

Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong.

In November 2017, US authorities charged three China-based hackers for stealing sensitive information from US-based companies, including Siemens AG, and accessing a high-profile email account at Moody’s.

The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec.”

Buckeye’s arsenal included several pieces of malware, among them a variant of the NSA-linked DoublePulsar implant and an exploit tool dubbed Bemstour.

The DoublePulsar implant was released publicly in April 2017 by the Shadow Brokers, who allegedly stole it from the NSA.

The hackers leaked a huge trove of hacking tools and exploit code used by the US intelligence agency; most of the Windows exploits had already been addressed by Microsoft the month before, in the March 2017 MS17-010 update.

DoublePulsar is a sophisticated kernel-mode SMB backdoor that gives attackers control of the infected system. At the time of the leak it worked on almost any Windows system, except devices running a Windows Embedded operating system.
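A practical check that follows from this behaviour, added here as an example and not part of the original article or of Symantec’s research: DoublePulsar hooks the SMBv1 Trans2 SESSION_SETUP subcommand and reads its opcode from the request’s Timeout field, and the public detection work (Countercept’s detection script and the Metasploit module) established that an implanted host answers a “ping” with the Multiplex ID bumped from 0x41 to 0x51, with the implant’s XOR key recoverable from the reply’s signature field. The script below builds that ping, classifies a reply and derives the key. The tid/uid values and the sample replies are constructed for illustration; a live check additionally needs the SMBv1 negotiate, anonymous session setup and IPC$ tree connect on the same TCP connection, which are left to whatever SMB library you already use.

```python
import socket
import struct

# SMBv1 framing: 4-byte NetBIOS session header, then a 32-byte SMB header.
NBT_HDR_LEN = 4
SMB_HDR_LEN = 32
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # subcommand DoublePulsar hooks as its command channel
PING_MID = 0x41                 # Multiplex ID we send
INFECTED_MID = 0x51             # an implanted host replies with MID + 0x10
DOUBLEPULSAR_PING_OPCODE = 0x23
# Timeout field from the public detection script; its byte sum (mod 256) is 0x23,
# the ping opcode the implant decodes from this field.
PING_TIMEOUT = b"\xa6\xd9\xa4\x00"


def opcode_from_timeout(timeout: bytes) -> int:
    """Opcode the implant decodes from a Trans2 Timeout field (byte sum mod 256)."""
    return sum(timeout) & 0xFF


def trans2_ping_packet(tid: int, uid: int) -> bytes:
    """Build the SMB_COM_TRANSACTION2 / SESSION_SETUP 'ping' for an existing session.

    tid and uid come from the IPC$ tree connect and the anonymous session setup
    that must already have completed on the same TCP connection (assumed here).
    """
    header = (
        b"\xffSMB"
        + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x18, 0xC007, 0)  # cmd, status, flags, flags2, pid_high
        + b"\x00" * 8                                        # signature (the reply reuses this field)
        + b"\x00\x00"                                        # reserved
        + struct.pack("<HHHH", tid, 0xFEFF, uid, PING_MID)   # tid, pid, uid, mid
    )
    params = b"\x00" * 12   # SESSION_SETUP parameter block; its contents are irrelevant to the implant
    words = (
        # total param count, total data count, max param, max data, max setup, reserved, flags
        struct.pack("<HHHHBBH", len(params), 0, 1, 0, 0, 0, 0)
        + PING_TIMEOUT
        # reserved2, param count, param offset, data count, data offset, setup count, reserved3, setup[0]
        + struct.pack("<HHHHHBBH", 0, len(params), 66, 0, 78, 1, 0, TRANS2_SESSION_SETUP)
    )
    # WordCount, words, ByteCount (1 pad byte + params), pad, params -> 78 bytes of SMB
    smb = header + bytes([len(words) // 2]) + words + struct.pack("<H", 1 + len(params)) + b"\x00" + params
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def doublepulsar_xor_key(sig: int) -> int:
    """XOR key derivation as published in the Countercept/Metasploit detection code.

    Their expression reduces to bswap32(sig) ^ (2 * sig), truncated to 32 bits.
    """
    swapped = int.from_bytes(sig.to_bytes(4, "little"), "big")
    return (swapped ^ (2 * sig)) & 0xFFFFFFFF


def classify_ping_response(data: bytes):
    """Return (infected, xor_key) for a raw reply, NetBIOS header included."""
    if len(data) < NBT_HDR_LEN + SMB_HDR_LEN or data[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply")
    mid = struct.unpack_from("<H", data, NBT_HDR_LEN + 30)[0]
    if mid != INFECTED_MID:
        return False, None
    sig = struct.unpack_from("<I", data, NBT_HDR_LEN + 14)[0]   # first 4 signature bytes
    return True, doublepulsar_xor_key(sig)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def send_ping(sock: socket.socket, tid: int, uid: int) -> bytes:
    """Send the ping on an already set-up SMBv1 session and return the raw reply."""
    sock.sendall(trans2_ping_packet(tid, uid))
    nbt = _recv_exact(sock, NBT_HDR_LEN)
    return nbt + _recv_exact(sock, int.from_bytes(nbt[1:], "big"))


def constructed_reply(mid: int, signature: bytes) -> bytes:
    """Constructed (not captured) Trans2 reply used to exercise the classifier offline."""
    header = (
        b"\xffSMB"
        + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x98, 0xC007, 0)
        + signature.ljust(8, b"\x00")[:8]
        + b"\x00\x00"
        + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)
    )
    body = b"\x0a" + b"\x00" * 20 + b"\x00\x00"   # empty Trans2 response: 10 words, 0 bytes
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    print("clean host:", classify_ping_response(constructed_reply(PING_MID, b"\x00" * 8)))
    print("implanted host:", classify_ping_response(constructed_reply(INFECTED_MID, b"\x78\x56\x34\x12")))
```

The ping is non-destructive, but it only reaches the implant when SMBv1 is still enabled on TCP 445, and the MID and key behaviour above is that of the leaked build; the article notes that Buckeye’s variant differs from the leaked one, so a negative result from this check says nothing about a different build of the implant.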

In August 2016, the Shadow Brokers group announced it had hacked the NSA-linked Equation Group, and in the following months it leaked many of the tools after attempting to sell them in various ways.

Symantec has now revealed that its experts found evidence that the Buckeye group used a variant of DoublePulsar as early as March 2016 in a targeted attack.

The version of DoublePulsar used by Buckeye appears to be a newer build than the one in the Shadow Brokers dump.

Beginning in March 2016, Buckeye delivered this early DoublePulsar variant with a custom exploit tool that Symantec tracks as Trojan.Bemstour.

“Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.” reads the analysis published by Symantec.

“Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak.”

The Bemstour tool exploits two Windows vulnerabilities to achieve remote kernel code execution on the victim’s machine. The first flaw, tracked as CVE-2019-0703, is a Windows zero-day discovered by Symantec. The second, CVE-2017-0143, is an SMBv1 vulnerability that Microsoft patched in March 2017 after it was found to be exploited by the NSA-linked EternalRomance and EternalSynergy tools.

How did Buckeye obtain Equation Group tools at least a year before the Shadow Brokers leak?

“Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artefacts found in captured network traffic, possibly from observing an Equation Group attack.” concludes Symantec. “Other less supported scenarios, given the technical evidence available, include Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckeye,”

The mystery around Buckeye does not end here. Although the APT group apparently ceased operations in mid-2017, its DoublePulsar variant was spotted again in September 2018, and the Bemstour tool is still being improved: Symantec experts found a new sample dated March 23, 2019.

“Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye’s apparent disappearance.” continues the analysis. “It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group. However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group,”

[Image: Buckeye timeline]

Pierluigi Paganini

(SecurityAffairs – Buckeye, China)
