New Malware Strains Are Emerging, Samide Says
June 2018 by Jeremy Samide, Stealthcare, CEO
Ping-ponging tariffs between the U.S. and China have already sparked new Chinese hacking campaigns and a shift toward attacks that are increasingly targeted and most likely aimed at carrying out government espionage.
This is according to Jeremy Samide, CEO of Stealthcare, who calls for private organizations and governments to step up their cybersecurity with advanced threat assessment tactics, so they can take defensive measures before an attack rather than after a breach.
"Cyberattacks typically increase when political and international tensions rise as they are now with the recent round of escalating tariffs between Trump and Xi that will be felt here initially by US corporations manufacturing in China, including Apple, Sony and Boeing. Typical targets are government agencies, law firms, healthcare organizations and major corporations that possess intellectual property and proprietary data worth billions," Samide says.
Despite their fanciful names, the intent of malware developed and launched in China and elsewhere is sinister. According to Samide, “The China campaign we recently detected was attributed to LuckyMouse, which is ironically also named Emissary Panda, APT27. The new malware strain is based, in part, on the HyperBro Remote Access Trojan (RAT).”
The Trojan malware breached a national data center in Central Asia, which granted the operators access to government resources. The operators then compromised frequently visited government websites in what are called watering hole attacks, which then infiltrate visitors’ computers.
Of the two major attacks during the previous week or so, “The main C2 attack, which gives the hackers feedback on their success, has been traced to an IP address belonging to a Ukrainian ISP network, held by a MikroTik router using two-year-old firmware,” Samide says.
“The router was probably hacked specifically for this campaign to process the malware’s HTTP request,” says Samide, whose Stealthcare research team relies on AI, Big Data, machine learning, data analytics and tradecraft to give its corporate and government clients an edge against geopolitical cyber threats that include self-propagating ransomware, DDoS attacks and common thievery of intellectual property and customer records.
Shortly after the first attack, Stealthcare observed another Chinese espionage campaign dubbed MirageFox, attributed to APT15, also known as Vixen Panda, Ke3chang, Royal APT, and Playful Dragon. “After infiltrating a target, the hackers conduct extensive reconnaissance, send the commands from the C2 server manually, and customize malware components to best suit the infected environment. Interestingly, decrypting the C2 configuration reveals an internal IP address.”
Previous intelligence indicates the APT15 virus infiltrated a private organization after stealing the VPN Private Key, an advanced access protection system. Adds Samide, “These factors indicate that this version of the malware was tailored to an organization the group had previously infiltrated.”