yara signatures
APT 40
Diamond Model - Intrusion Analysis

Adversary:
- Acting origin: China

Capabilities (attack handles / codenames):
- AIRBREAK and BADFLICK - backdoors
- AIRBREAK and PHOTO - web shells
- at.exe (a task scheduler) and net.exe (a network resources management tool) - establish lateral movement
- AIRBREAK and PHOTO - backdoors - maintain presence

Infrastructure:
- Domains: scsnewstoday[.]com, thyssenkrupp-marinesystems[.]org
- IP addresses: 185.106.120[.]206, 193.180.255[.]2, 68.65.123[.]230, 82.118.242[.]242, 82.118.242[.]243

Victim:
- Locations: countries along China's Belt and Road Initiative (i.e., Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom)
- Industries: universities and research centers involved in marine research
Diamond Model Findings - Socio Political Axis
ADVERSARY
Leviathan, previously tracked by FireEye as TEMP.Periscope and TEMP.Jumper, is a cyber espionage group linked to the Chinese government that conducts espionage in support of China's naval modernization effort. The group mainly operates against Western Europe, North America and South-East Asia and was first seen in 2013. Its targeting is consistent with Chinese state interests, such as targeting and manipulation connected with China's "Belt and Road Initiative." Multiple technical artifacts also indicate that the actor is based in China.
VICTIM
APT 40 mainly targeted the defense sector, with a specific interest in naval technologies, as well as universities and research centers primarily located in the United States, to support China's maritime modernization effort. Furthermore, they targeted China's neighboring countries, for example victims with connections to elections in Southeast Asia, driven by events affecting China's Belt and Road Initiative.
Diamond Model Findings - Technology Axis
CAPABILITIES
APT 40 mainly targeted the defense sector, with a specific interest in naval technologies, as well as universities and research centers, in order to exfiltrate secret information that aids China's naval advancement. The group conducted phishing campaigns delivering both publicly available and custom-made backdoors to gain an initial foothold in the system. It used early-stage backdoors such as PHOTO, BADFLICK and China Chopper for that initial foothold and targeted VPN and remote desktop credentials. From the foothold gained with these web shells, the attacker conducted lateral movement and gathered more information. To establish and maintain presence in the system, the group used malicious tools such as AIRBREAK and PHOTO.
INFRASTRUCTURE
Custom tools such as PAPERPUSH help exfiltrate data more efficiently, alongside publicly available tools such as Beacon. APT 40 conducted large-scale exfiltration by establishing backdoors, exploiting known vulnerabilities within days of their first disclosure, and running phishing campaigns. Some indicators of compromise include the following:
SHA-256 hashes:
cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f
c7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d
IP addresses:
185.106.120[.]206 and 193.180.255[.]2
Domains:
scsnewstoday[.]com and thyssenkrupp-marinesystems[.]org
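The indicators listed on the Diamond Model slide and in the Infrastructure section above are published defanged and with inconsistent letter case. The following added example (not from the original deck or any of its sources) normalises them and runs them as a detection sweep over a few constructed log lines; the log format and the sample lines are assumptions made for the example, while the indicator values are the ones from this page.

```python
import re
from typing import Dict, List

# Indicators as published on the page (defanged, mixed case).
DOMAINS = {"scsnewstoday[.]com", "Thyssenkrupp-marinesystems[.]org"}
IPS = {"185.106.120[.]206", "193.180.255[.]2", "68.65.123[.]230",
       "82.118.242[.]242", "82.118.242[.]243"}
SHA256 = {"cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f",
          "c7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') into its matchable, lower-cased form."""
    return ioc.replace("[.]", ".").strip().lower()


DOMAIN_SET = {refang(d) for d in DOMAINS}
IP_SET = {refang(i) for i in IPS}
HASH_SET = {h.lower() for h in SHA256}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def domain_hit(host: str) -> bool:
    """True for a listed domain or any subdomain of it (case-insensitive)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DOMAIN_SET)


def scan_line(line: str) -> List[str]:
    """Return every page indicator (IP, domain, SHA-256) found in one log line."""
    hits = [ip for ip in IP_RE.findall(line) if ip in IP_SET]
    hits += [h.lower() for h in HOST_RE.findall(line) if domain_hit(h)]
    hits += [h.lower() for h in SHA256_RE.findall(line) if h.lower() in HASH_SET]
    return hits


def scan(lines) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the indicators matched on that line."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}


# Constructed sample log lines (assumed format; not real telemetry).
SAMPLE_LOGS = [
    "2019-03-04T10:01:22Z proxy allow src=10.1.4.7 dst=193.180.255.2:443 host=-",
    "2019-03-04T10:02:05Z dns query=mail.SCSnewstoday.com type=A client=10.1.4.7",
    "2019-03-04T10:03:40Z edr file_created path=C:\\Users\\bob\\update.exe sha256=CDF6E2E928A89CBB857E688055A25E37A8D8B8B90530BD52C8548FB544F66F1F",
    "2019-03-04T10:04:11Z proxy allow src=10.1.4.9 dst=8.8.8.8:53 host=example.com",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

Subdomain matching and case folding are what catch the second and third sample lines; an exact string comparison against the published values would miss both.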
APT 40 - Kill Chain
Reconnaissance
Using open-source intelligence to identify which universities, research centers and defense-sector organizations are involved in advancing marine technologies, the actors gathered openly available information on the selected targets.
Weaponization
Utilize newly known vulnerabilities for exploitation, using custom-made and publicly available tools.
Delivery
APT 40 used multiple methods for initial compromise, including web server exploitation, strategic web compromises, and phishing campaigns delivering backdoors.
Exploitation
The group used early-stage backdoors such as PHOTO, BADFLICK and China Chopper for the initial foothold in the system and targeted VPN and remote desktop credentials.
Installation
In later stages, they used password hash dumping and publicly available credential harvesting tools such as Windows Credential Editor to gather more of the victim's credentials.
Command and Control
Using malicious tools such as AIRBREAK and PHOTO as web shells, the attacker conducted lateral movement and gathered more information in order to establish and maintain presence in the system.
Actions on Objectives
APT 40 successfully used these backdoors to transfer information out of the target network. They also developed tools such as PAPERPUSH to make data targeting and theft more efficient.
Sources
Plan, F. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. FireEye. https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
Cyware Labs. (2019). APT40: A State-Sponsored Cyber Espionage Group Targeting North America And Europe to Obtain Advanced Naval Technology. https://cyware.com/blog/apt40-a-state-sponsored-cyber-espionage-group-targeting-north-america-and-europe-to-obtain-advanced-naval-technology-7410
FireEye. (2019). Advanced Persistent Threat Groups (APT Groups). https://www.fireeye.com/current-threats/apt-groups.html
ThaiCERT. Threat Group Cards: A Threat Actor Encyclopedia: Leviathan, APT 40, TEMP.Periscope. apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Leviathan%2C+APT+40%2C+TEMP.Periscope
Image Sources
TopPNG. (2019). City icons free: building infrastructure icon PNG. https://toppng.com/city-icons-free-building-infrastructure-icon-PNG-free-PNG-Images_128412?search-result=gaming%20icon
Iconscout. (2018). Cyber security icon of line style. https://iconscout.com/icon/cyber-security-2
V, S. (2018). Crime, cyber, hack, hacker, hacking icon. Iconfinder. https://www.iconfinder.com/icons/2760863/crime_cyber_hack_hacker_hacking_icon