Chinese malware used in attacks against Australian orgs

The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and companies in the country.

Behind the attack is a “sophisticated” adversary that relies on slightly modified proof-of-concept exploit code for yesteryear vulnerabilities, the government says. An unofficial blame finger points to China.

Resilient adversary

The attacker targets public-facing infrastructure with remote code execution exploits, a frequent choice being unpatched versions of Telerik user interface (UI).

This would be the fourth warning this year (1, 2, 3, 4) from the Australian Cyber Security Centre (ACSC) about threat actors exploiting critical vulnerabilities in Telerik UI (CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, CVE-2017-11357). Exploit code has been publicly available for a while for all of them.

Important to note that CVE-2019-18935 has been leveraged by multiple threat groups, a recently documented one being Blue Mockingbird (from cybersecurity firm Red Canary) for cryptocurrency mining purposes.

ACSC says that that the attacker also exploited a VIEWSTATE deserialization vulnerability in Microsoft Internet Information Services (IIS) for uploading a web shell, a 2019 Microsoft SharePoint vulnerability (CVE-2019-0604), and the CVE-2019-19781 vulnerability in Citrix. All of them are critical.

If they failed to get initial access by leveraging these flaws, the adversary turned to spear phishing to harvest credentials, deliver malware, steal, Office 365 OAuth tokens.

They also used “email tracking services to identify the email opening and lure click-through events,” notes the advisory from ACSC.

ACSC’s investigation showed that the intruder carried reconnaissance operations, with no sign of “disruptive or destructive activities within victim environments.”

The Chinese connection

The toolset used by the intruder makes it difficult to attribute the attacks to a particular actor, although the Australian government is certain that a state-based adversary is at play.

While the Prime Minister has steered away from attribution, saying only that not many state-based actors can run an operation of this type, senior sources told Australia’s ABC News that China may have a hand in it.

One link to China is this threat actor’s use of malware that’s been associated with Chinese hacker groups, some believed to work on behalf of the government.

In the list of indicators of compromise (IoCs) provided by the ACSC, there is one sample that stands out. Multiple engines on Virus Total detect is as Korplug. The name appears in a report from ESET on OceanLotus, which is believed to be based in Vietnam.

However, this particular sample is PlugX, and ESET classifies it as Korplug because the two malware families share a specific DLL side-loading technique.

PlugX has been around since at least 2008 and is mentioned in numerous reports from cybersecurity companies on attack campaigns linked to China. In the attacks reported by the ACSC, the malware was used to load a Cobalt Strike payload.

A report from Palo Alto Networks in 2015 connects the malware to DragonOK, which they link to China two years later.

In a newer one from this year, Avira says that the Mustang Panda threat group used PlugX and Cobalt Strike payloads against victims in Hong Kong, Vietnam, China, and Australia.

There are at least 10 threat actors, all connected to China and engaged in espionage activities, that have PlugX in their toolset:

• APT41 (a.k.a. Barium, Blackfly, Group 72, Wicked Panda, Bronze Atlas)
• Deep Panda (a.k.a. Shell Crew, Bronze Express, Kung Fu Kittens, Black Vine, PinkPanther, WebMasters)
• APT19 (a.k.a. Codoso, Sunshop Group, Bronze Firestone, C0d0so0)
• APT17 (a.k.a. Deputy Dog, Tailgater Team, Bronze Keystone)
• Suckfly (a.k.a. Bronze Olive)
• DragonOK (a.k.a. Danti, Bronze Overbrook)
• Mustang Panda (a.k.a. Bronze President)
• APT10 (a.k.a. Stone Panda, MenuPass, Potassium, Bronze Riverside, Hogfish, Red Apollo)
• APT27 (a.k.a. Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, TG-3390)
• Roaming Tiger (a.k.a. Rotten Tomato, Bronze Woodland)

Being used by so many threat groups it is difficult to attribute the attacks against targets in Australia to a specific actor but based on the presence of PlugX alone, it is easy to understand why senior officials would single out China as a suspect.

Open-source tools and beyond

After getting inside the victim network, the adversary increased their foothold by escalating their privileges to SYSTEM using the Juicy Potato and RottenPotatoNG utilities.

ACSC also spotted the use of the open-source project PowerShell Empire post-exploitation framework, abandoned by its original developers in August last year and ported to Python3 by BC Security in December the same year.

From there, the actor was able to drop web shells to ensure remote access to the compromised hosts. At least half a dozen samples for this type of threat are provided in ACSC’s IoCs.

However, open-source utilities did not make the entire arsenal of the attacker as they used some malware that was poorly detected at the time of the report.

Antivirus engines on Virus Total classify one of the web shells in ACSC’s report as HighShell, which is attributed to Iranian threat group OilRig (APT34, HelixKitten, Cobalt Gypsy, Chrysene, Crambus).

This malware was leaked by Lab Dookhtegan in April 2019 to disrupt the hacking activity of the Iranian government.

With exploit code being freely available and easily-accessible open-source tools, many adversaries can deploy these long-running attacks investigated by the ACSC. All this creates a murky context where attribution is very difficult. ACSC published a report on the techniques, tactics, and procedures associated with the threat actor.

The organization also offers mitigations that should be enforced with priority. These measures, had they been applied in time, would have thwarted the attacks:

• immediate patching of internet-facing software, operating systems, and devices.
• activate multi-factor authentication across all remote access services (web-based cloud emal, collaboration platforms, VPN connections, remote desktop services)