This group targets government and diplomatic organizations in the APAC region, particularly organizations located in nations along the South China Sea. Most targets are from Malaysia, the Philippines, Indonesia, and India. Hellsing malware samples were primarily compiled in either the UTC+6 or UTC+8 time zone. Typically, the group infects targets through spear phishing emails containing password-protected RAR, ZIP, and 7ZIP archives. The passwords are sent in the emails to the target. Locking the archives bypasses some security features such as Gmail scans.
Hellsing APT was discovered when Kaspersky Lab was investigating the Naikon group and found that Hellsing had responded to a 2014 spear phishing email from Naikon with a custom backdoor. It is not clear whether Naikon intentionally targeted Hellsing or whether Hellsing actually managed to infect Naikon; however, it is clear that Hellsing took the attempt as an attack and responded with an escalated attack. Hellsing responded to the spear phishing request for information with a series of inquisitive exchanges, pressing Naikon’s assumed identity (as an employee of the secretariat division of the government of the assumed target nation) and fake credentials. The conversation demonstrates that the Hellsing members are more proficient in English than the Naikon group. Finally, Hellsing emailed back a “confidential” locked RAR and the accompanying password. The archive contained two PDFs and a malicious SCR file. The latter file was a backdoor specifically customized to target the Naikon group.
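Both paragraphs above describe the same delivery pattern: a locked archive attachment with its password written in the email. The following mail-triage check for that pattern is an added example, not code from the original page or from Kaspersky Lab; the function names, the password-hint regex, and the sample message are assumptions constructed for illustration, and only ZIP members are parsed (RAR and 7ZIP attachments are flagged by magic bytes for sandboxing).

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Magic bytes of the archive types named above; only ZIP is parsed here.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
# Heuristic (assumption): the body mentions a password for the attachment.
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b", re.I)

def archive_type(data):
    return next((t for m, t in MAGIC.items() if data.startswith(m)), None)

def zip_is_encrypted(data):
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(raw):
    """Return (filename, reason, body_mentions_password) per suspicious attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    hint = bool(body and PASSWORD_HINT.search(body.get_content()))
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = archive_type(data)
        if kind == "zip" and zip_is_encrypted(data):
            findings.append((part.get_filename(), "encrypted-zip", hint))
        elif kind in ("rar", "7z"):  # not parsed here: route to a sandbox
            findings.append((part.get_filename(), "unscanned-" + kind, hint))
    return findings

def build_sample():
    """Constructed message: a harmless ZIP with headers patched to look encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample")
    z = bytearray(buf.getvalue())
    z[6] |= 1                              # local file header, flag bit 0
    z[z.find(b"PK\x01\x02") + 8] |= 1      # central directory header, flag bit 0
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see attached. The password is in this message.")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip", filename="doc.zip")
    return msg.as_bytes()
```

A finding whose third field is true (an archive the gateway could not scan plus a password in the body) is the combination worth quarantining or detonating with the supplied password.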