The precedence of Cyberwar from China APT-3

By -

Yet another Chinese APT, it seems like china is getting ready with cyberwarfare. Like APT-1 and APT-2 this thread also started with phishing email, but it targets were limited to public, defense, private, Supply chain sectors, Non-profit, Biotechnology, Construction, Education and Energy.

In 2013 Chinese based thread actors thought of creating threads for stealing information using Java, Adobe and Internet Explorer (default browser for XP and 2007). Bug Hunters who were really working hard found various enumeration techniques to exploit java with minimum user interferences. This was bad news for the thread actors. So they planned to espionage and steal information from the above sectors using Adobe and Internet Explorer. 

 


 

Numerous mails to employees were drafted and sent to the Defense and Aerospace Industry.  Some sample e-mails are shown below

Sample-1:

  • Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.

Sample-2:

  • One Month's Free Membership for The PLAYBOY ClUB 1080P HD VIDEOS 100,000 PHOTOS 4,000  MODELS Nude Celebrities, Playmates, Cybergirls & More! Click hxxp://join.playboysplus.com/signup/ To Get a Free Plus Member Now & Never Miss Another Update. Your Member referrals must remain active. If anyone getting "Promotion not available" for 1 month free membership, you might get the issue up to 48 hrs once your membership is expired and make sure to clear out cookies or use another browser or use another PC. 



 

 Don't hesitate --->Go to Sale

Whenever a user clicks the above hyperlinks they are  redirected to the new websites like 

  • hxxp://report.perrydale[.]com/ema/RR201507[.]pdf------194.44.130.179
  • hxxp://vic.perrydale[.]com/logo2.jpg-----------------------------107.20.255.57
  • hxxp://rpt.perrydale[.]com/en/rep201507101[.]pdf--------23.99.20.198

and they are asked to automatically download the adobe flash player plugin into the system. This was actually a .flv or .swf file in it. These aren't any legit files they are the actual malwares that were injected into the system using the Adobe Vulnerability (CVE-2015-3113)--zero day. Once the file is downloaded the user then installs the file which then extracts the malware. The actual path of the malware in Windows XP is 

  • “C:\Users\Public”

once the file is decompressed the file is split into two sections

 


When the test.exe file is installed the windows checks for the Internet Explorer version and the Adobe versions. Then it checks whether the current user has admin users by checking "whoami" If all were right then it starts to create a connection to the CnC server which stores all the stolen information. It initially creates a socket connection via TCP port 1913 and then to confirm it again it also opens another TCP port 81. Once both the data from two different ports are verified. The APT-3 starts its initial phase of thread. Those SOCK5 connections were arriving form following IP's

  • 192.157.198.103
  • 192.184.60.229                                                                                                                                                 

The Other file doc.exe is used to create a string named as 4113.pdb

The no 4113 is used to indicate the (CVE-2014-4113), This was found during forensic investigation.  

 

 

Once both the files are ready, the malware starts its work. The Internet Explorer version from IE-8 to IE-11 were affected with same kind of buffer overflow attacks. The attackers used to send more packets to the stack register/pointer by leveraging the ASLR(Address Space Layout Randomization) and libc functions. The ASLR is used to block the attacker to perform injection attacks easily in the binary level. ASLR is used to randomize the address of the base address. Commonly used ASLR bypass technique CVE-2013-0634.

Gaping with this vulnerability the attacker also bypass the Data Execution Prevention(DEP) by using Return Line Programming(RLP). The ROP/RLP is used a kind of attack where the attacker reverses the entire application and creates a custom payload based on the data provided on the particular firmware. This is difficult to do, as attackers can't inject malicious scripts available to the public. By doing this the attacker can take control of the victim system and can multiple vulnerabilities. This ROP is also injected in gadgets using link concepts. This is like a DoS/Brute force attack. By doing this the intruder can steal all valuable instructions like cookies and all secured information transmitted within secured space. 

 

For more details visit our sitemaps.

Comments

Post a Comment

Popular posts from this blog

Banning that paved the road to success for The Indian Apps

By -
Image
We all know about the Chinese apps ban done in India which created a tornado among the digital life not only destroyed the income of China apps but created new fields for the Indian Apps to blossom among us. Before I explain about various Indian apps that rose to our attention, we all need to know a little details about the security clearances an app posses. Every apps we install asks for permissions and we simple press accept all without giving a second thought why it asks and what's the requirements. Let me tell a real scenario to you which it took place on Aug '19. When my cousin and I were talking about ghosts incident, are they real or not! and during our conversation we were transferring a movie to one of our mobiles via ShareIt. Before our session, ShareIt showed some travel related contents as we were traveling, post this conversation, ShareIt app showed us the ghost related prank videos. We were shocked so I did a research about t...
Read more

The Millionaire: ProFun into A ProFession

By -
Image
The world stuck by thunder and everything stood still . During this pandemic situation people started to realize the worth of their life and the precious time they hold. This made everyone to value their loved ones and they utilize their time worthwhile. Among them, the gamer’s started to think productively and the perspectives have been changed about How to earn money!  Have you ever heard about the word   streamers?   Well, no sweat, you're gonna be Insinuated. Gaming started to bloom around the world in the late 2000 ’s . Children  used to play video games by  using the various electronic console-like brick game, video games using the game chip.  A s an up-gradation,   play station reached the  gaming market for  the graphics and the gameplay . The experience was immeasurable   when compared with previous gaming . When the play station was donning the gaming market, PC games came with a price tag, that is far more affordable ...
Read more

How UK invented biscuits and established globally

By -
Hello and welcome to my first post of our blog!!! Here we're gonna see some interesting facts(a product that we consume daily) in my first post.                         Origin of Biscuits   In my country, elders usually carry biscuits whenever they visit their relatives. Even diabetes patients consult themselves towards biscuit, which is enriched in high-fibre. It shows that biscuits have made a major impact on our daily life. Regardless of age, biscuits are favoured by everyone. Have you ever imagined how it was originated? Okay, before we get deeper into it, I wanna share some interesting facts that I found while doing my research. Prepare to be baked! The biscuit was invented before World War I The inventor of the biscuit served under Queen Victoria, though he owns his factory. Biscuits were found to be one of the favorite consumables for sailors. The UK nearly had about 30% of exports share in biscu...
Read more