Initial Infiltration of Construction and Engineering APT-6 & APT-7
APT 6 and APT 7 are very similar, with only the slightest differences. Both steal, but what they take is not quite the same.
APT 7 targets construction, aerospace, engineering and the defense industrial base. APT 6 covers the same domain but adds further targets: transportation, construction and materials.
The attacked areas are also similar. The difference is that APT 6's goal is to heist data, whereas APT 7 steals intellectual property.
Credits: Kaspersky
If you are new to this post and are not aware of what an APT is, check out our first blog listed under APT, which will give you more insight.
Advanced Persistent Threat-6
- Anonymity
- FBI alert
- The backdoor
- RAT
- Prevention techniques
Anonymity
The elite cybersecurity group confirmed that the group's digital signatures were unique, meaning APT-6's digital signature was entirely new. It was Zscaler that actually informed the FBI that many organizations had been attacked by a new APT group. The FBI took it sluggishly, as if it could wait, and only realized later what was happening. In the meantime the threat group had been stealing sensitive information for a period of one month.
FBI Alert
The FBI issued a high alert for organizations in the US. The public alert was named "FBI FLASH Alert A-000067-DM, 12 FEB 2016". It was later posted on AlienVault for public awareness.
While we were collecting data about APT6 we found the name of the malware and the backdoor used, but we could not find the malware's functionality. It may be that the malware could not be broken, or that the government did not want to disclose the IOCs to the public. For the Thai CERT report, click here. Unlike other APTs, this one also started from a spearphishing point.
The Backdoor - Poison Ivy
It is a RAT Trojan that lets attackers customize the file and execute it as RAT malware. It consists of two main parts: initialization and maintenance code, and networking code. First, one particular file of the malware is sent over spearphishing mail; the other parts are then downloaded from a web server supported by the PIVY file. The malware is designed so that even if a user manually stops its execution, it re-enables itself by means of the CALL instruction embedded in it. APT-6 used a modified version of Poison Ivy to connect to its command-and-control server.
What is RAT?
A RAT (Remote Access Trojan) is malware that gains administrative privileges when the user executes it. Its typical capabilities include:
- Key logging
- Screen capturing
- Video capturing
- File transfers
- System administration
- Password theft
- Traffic relaying
Some common TCP ports used by PIVY are 443, 80, 8080, 8000 and 1863; make sure that no unknown services are running on these ports in your network.
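As an added illustration of that port check (example code, not from the original post), the following Python flags TCP activity on the PIVY ports listed above by processes outside an allowlist; the allowlist, the netstat-style sample table, its addresses and its process names are constructed assumptions.

```python
import re
from collections import namedtuple

# TCP ports the post lists as commonly used by Poison Ivy (PIVY).
PIVY_PORTS = {443, 80, 8080, 8000, 1863}
# Hypothetical allowlist (assumption): processes expected on those ports.
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "outlook.exe", "svchost.exe"}

Conn = namedtuple("Conn", "proto local remote state pid process")

# Constructed sample shaped like `netstat -ano` output with a process-name
# column appended; addresses and process names are made up.
SAMPLE = """\
TCP    10.0.0.5:52311    172.217.3.110:443    ESTABLISHED    4120   chrome.exe
TCP    10.0.0.5:52340    203.0.113.9:1863     ESTABLISHED    5032   updater.exe
TCP    0.0.0.0:8080      0.0.0.0:0            LISTENING      5032   updater.exe
TCP    10.0.0.5:52355    198.51.100.2:80      ESTABLISHED    2210   firefox.exe
TCP    10.0.0.5:52360    203.0.113.9:443      ESTABLISHED    6001   winword.exe
"""
LINE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse(text):
    """Turn netstat-style lines into Conn records; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            proto, local, remote, state, pid, proc = m.groups()
            conns.append(Conn(proto, local, remote, state, int(pid), proc.lower()))
    return conns

def port_of(endpoint):
    """Port of an 'addr:port' endpoint (also handles IPv6 '[::1]:443')."""
    return int(endpoint.rsplit(":", 1)[1])

def suspicious(conns, expected=EXPECTED_PROCESSES):
    """(pid, process, reason) for non-allowlisted TCP activity on PIVY ports."""
    hits = []
    for c in conns:
        if c.proto != "TCP" or c.process in expected:
            continue
        if c.state == "ESTABLISHED" and port_of(c.remote) in PIVY_PORTS:
            hits.append((c.pid, c.process, f"outbound to {c.remote}"))
        elif c.state == "LISTENING" and port_of(c.local) in PIVY_PORTS:
            hits.append((c.pid, c.process, f"listening on {c.local}"))
    return hits
```

A hit is a lead to investigate, not a verdict: legitimate software also talks on 80 and 443, which is why the allowlist has to be tuned to the host.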
Prevention
Since we could not find out how the malware works, we do not know the removal process, but here are some tools for preventing the Poison Ivy backdoor. These tools will work fine unless the backdoor has been tailored for a targeted attack. Below are some linchpin tools used:
APT 7
Its cyber operation is intellectual property theft: stealing data from the relevant companies involved in this line of work. It targets the U.S. and U.K., countries that are already infiltrated, but by other APTs.
The threat actors' attacks hit two or more organizations of a parent company that falls within their targeting, but they also attack other organizations that share the same threat.
Malware
DigDug
It is a library file that helps with web driver service tunnels. It connects the current server with other cloud driver tunnels.
Vulnerability
Apparently it had no direct vulnerability from its launch, but when a new amendment is created on its server, a URL with a proxy server grants every access that has been given to a legitimate account.
This keeps the actors in the dark and helps them exploit the server.
Tracks
It is a compatible web application built on Rails with Ruby, owned by the GTD company.
Vulnerability
A vulnerability happened to be found in the source code of its application. The config file was corrupted in the search engine, which leads to the source code field.
Since there are no direct vulnerabilities in the exploited malware and the actors targeted only intellectual property data, the exploitation was minimally evasive. Yet we cannot deny the fact that the actors did not go further to exploit the indirect bug they found, or make it a much bigger deal than it already is.