Initial Infiltration of Construction and Engineering: APT6 & APT7

APT6 and APT7 are closely related groups with only slight differences: both exist to steal information, but not the same kind of information.

APT7 targets construction, aerospace, engineering and the defense industrial base. APT6 covers the same sectors, with transportation and construction materials as additional targets.


The sectors they attack overlap, but their objectives differ: APT6's goal is to exfiltrate sensitive data, whereas APT7 steals intellectual property.

 

            Credits: Kaspersky

If you are new to this series and not yet familiar with what an APT is, see our first post under the APT label, which gives the background.

Advanced Persistent Threat 6 (APT6)

  • Anonymity
  • FBI alert
  • The backdoor
  • RAT
  • Prevention techniques

Anonymity 

Security researchers confirmed that the group's digital signatures (its samples and infrastructure) matched no previously known actor, which is why APT6 was treated as an entirely new group. Zscaler was the firm that informed the FBI that many organizations had been compromised by a new APT group. The initial response was slow, and the seriousness of the intrusion was only recognized later; in the meantime the threat group had been stealing sensitive information for about a month.



 

FBI Alert

The FBI issued a high-priority alert to organizations in the US, published as "FBI FLASH Alert A-000067-DM, 12 FEB 2016". It was later reposted on AlienVault for public awareness.

While collecting data on APT6 we found the names of the malware and the backdoor used, but no description of the malware's functionality. Either the samples could not be analysed, or the government chose not to release the IOCs publicly. ThaiCERT has also published a report on the group. Like most APT intrusions, this one began with spearphishing.

The Backdoor: Poison Ivy

 

Credits: Empello

Poison Ivy (PIVY) is a RAT trojan whose builder lets attackers customize the implant file and deploy it as RAT malware. It consists of two main parts: initialization and maintenance code, and networking code. A first-stage file is delivered by spearphishing email, and the remaining components are downloaded from a web server that the PIVY file contacts. It is designed so that even if a user manually stops its execution, it re-enables itself by means of a CALL instruction embedded in it. APT6 used a modified version of Poison Ivy to connect to its command-and-control server.

What is a RAT?

A RAT (Remote Access Trojan) is malware that gives the attacker remote control of the machine once the user executes it. It runs with the privileges of the user who launched it and typically tries to escalate to administrator from there.

 

 
Credits: Cisco
 
RAT files are typically delivered by spearphishing email or bundled with cracked software and games. Once the attacker has a foothold on one system, they try to spread across the network and enrol the compromised machines in a botnet. Major capabilities of RAT malware include:
  • Key logging
  • Screen capturing
  • Video capturing
  • File transfers
  • Remote system administration
  • Password theft
  • Traffic relaying

Poison Ivy is still in active use: the RedFoxtrot group is the most recent actor publicly reported to be deploying it.

Common TCP ports used by PIVY are 443, 80, 8080, 8000 and 1863 (its default listener port is 3460). Check your network for unknown services listening on, or long-lived connections to, these ports.
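The port list above only becomes useful once it is turned into a check that runs over real connection records. The following is an added example written for this post, not code from the original article or from any vendor: a small Python hunting script that reads Zeek-style conn.log records and flags sessions that fit the PIVY profile (traffic to the default port 3460, a web or messenger port carrying something Zeek did not recognise as HTTP/TLS, and long-lived sessions that moved very little data, the signature of an idle RAT channel). The field subset, the thresholds and the sample records are all constructed assumptions; the addresses are RFC 5737 documentation ranges, not real hosts.

```python
"""Hunt for Poison Ivy (PIVY) style C2 sessions in Zeek-style conn.log records.

Added example, not code from the original post.  The field layout is a trimmed
subset of Zeek's conn.log (ts, orig host, resp host, resp port, proto,
duration, orig_bytes, resp_bytes, service); the thresholds and the sample
records below are constructed assumptions, not captured traffic.
"""
from __future__ import annotations
from dataclasses import dataclass

PIVY_DEFAULT_PORT = 3460                          # PIVY's default listener port
PIVY_BLEND_PORTS = {80, 443, 8080, 8000, 1863}    # ports the post lists as commonly used

# Application protocol Zeek normally identifies on each "blend" port.
# PIVY speaks its own encrypted binary protocol, so the service field stays "-".
EXPECTED_SERVICE = {80: "http", 8080: "http", 8000: "http", 443: "ssl"}


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int
    service: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse tab-separated records; lines starting with '#' are Zeek headers."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4],
                          float(f[5]), int(f[6]), int(f[7]), f[8]))
    return conns


def pivy_indicators(c: Conn, min_duration: float = 600.0,
                    max_bytes: int = 64 * 1024) -> list[str]:
    """Return the reasons a single TCP connection looks like a PIVY session.

    Three independent checks (assumed thresholds):
      1. traffic to the default port 3460;
      2. a web/messenger port whose payload Zeek did not recognise as the
         expected application protocol (port/protocol mismatch);
      3. a long-lived session that moved little data, the profile of an
         idle RAT channel held open for interactive use.
    """
    reasons: list[str] = []
    if c.proto != "tcp":
        return reasons
    if c.dport == PIVY_DEFAULT_PORT:
        reasons.append("default PIVY port 3460")
    expected = EXPECTED_SERVICE.get(c.dport)
    if expected is not None and c.service != expected:
        reasons.append(f"port {c.dport} without {expected} (service={c.service})")
    candidate_port = c.dport in PIVY_BLEND_PORTS or c.dport == PIVY_DEFAULT_PORT
    if (candidate_port and c.duration >= min_duration
            and c.orig_bytes + c.resp_bytes <= max_bytes):
        reasons.append(f"long-lived ({c.duration:.0f}s) low-volume session")
    return reasons


def hunt(text: str) -> list[tuple[Conn, list[str]]]:
    """Return every connection that triggered at least one indicator."""
    hits = []
    for c in parse_conn_log(text):
        reasons = pivy_indicators(c)
        if reasons:
            hits.append((c, reasons))
    return hits


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
_ROWS = [
    # ts, src, dst, dport, proto, duration, orig_bytes, resp_bytes, service
    (1455278400.0, "10.1.2.15", "203.0.113.7", 443, "tcp", 7200.5, 4100, 9800, "-"),
    (1455278401.0, "10.1.2.15", "198.51.100.20", 443, "tcp", 2.1, 1200, 52000, "ssl"),
    (1455278402.0, "10.1.2.16", "192.0.2.9", 3460, "tcp", 30.0, 512, 512, "-"),
    (1455278403.0, "10.1.2.17", "198.51.100.5", 80, "tcp", 0.8, 600, 14000, "http"),
    (1455278404.0, "10.1.2.18", "203.0.113.8", 1863, "tcp", 5400.0, 2000, 2000, "-"),
]
SAMPLE_CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tduration"
    "\torig_bytes\tresp_bytes\tservice\n"
    + "\n".join("\t".join(str(v) for v in row) for row in _ROWS)
)


if __name__ == "__main__":
    for c, reasons in hunt(SAMPLE_CONN_LOG):
        print(f"{c.src} -> {c.dst}:{c.dport}  " + "; ".join(reasons))
```

Run against the constructed sample, three of the five records are flagged: the 443 session with no TLS recognised that stayed open for two hours on a few kilobytes, the connection to port 3460, and the ninety-minute port 1863 session. The ordinary TLS and HTTP fetches pass. On a real network tune `min_duration` and `max_bytes` to your baseline, and treat the port/protocol mismatch as the strongest of the three signals, since PIVY operators rebind the listener but cannot make its handshake look like HTTP or TLS.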

Prevention

Since we could not determine how the malware works, we cannot describe a removal process, but here are some tools for preventing the Poison Ivy backdoor. These tools work well unless the backdoor has been tailored for a targeted attack, in which case a custom build may evade them. Below are some of the linchpin tools used:

 

 

APT 7

APT7's cyber operations are intellectual property theft: stealing data from companies that work in the targeted industries. They target organizations in the U.S. and the U.K., including some that had already been infiltrated by other APT groups.

The threat actors' attack pattern is to compromise two or more subsidiaries of a parent company in their target set, and then to move on to other organizations that are exposed to the same threat through their connections to those subsidiaries.


Malware
DigDug

DigDug is one of the two malware families publicly attributed to APT7. The description sometimes attached to the name, a library that manages web-driver service tunnels and connects the current server to cloud driver tunnels, refers to an unrelated open-source Node.js package that happens to share the name, not to the APT7 tool, for which no public functional analysis is cited here.

Vulnerability

Apparently there was no direct vulnerability in it from launch, but when a new entry is created on its server, a URL pointing at a proxy server is granted every permission that a legitimate account has.

This keeps the actors hidden and helps them exploit the server.

 


Tracks

Tracks is the other malware family attributed to APT7. The Tracks that is a web application built with Ruby on Rails for GTD (Getting Things Done) task management is, again, a separate open-source project that shares the name.

Vulnerability

A vulnerability was found in the application's source code: its configuration file had been exposed and indexed by a search engine, which led to the source code itself.


Since there is no direct vulnerability in the malware used and the actors went only for intellectual property, the exploitation was minimally invasive. Still, we cannot rule out that the actors went further, exploiting the indirect bug that was found and turning it into a much bigger problem than it already is.
