Advanced threat actors up their obfuscation tactics


In June last year, researchers from Kaspersky discovered an advanced cyber espionage campaign targeting entities in the government and military sector in Vietnam.

The final payload is a remote administration tool (RAT) that gives bad actors total control over the infected device. Additional analysis suggested that this campaign was conducted by a group related to Cycldek, a Chinese-speaking threat group that has been active since at least 2013, but it showed a dramatic step up in terms of sophistication.

According to Kaspersky, Chinese-speaking attackers often share their techniques and methodologies with each other, which makes it easier for researchers to hunt for advanced persistent threat (APT) activity related to notorious cyber espionage groups, such as LuckyMouse, HoneyMyte, and Cycldek.

For this reason, when they spotted one of those groups' better-known techniques, the DLL side-loading triad, being used against public sector and military bodies in Vietnam, they took notice.

Evading the security nets

DLLs, or dynamic-link libraries, are shared code modules that other programs on a computer load at run time. In DLL side-loading, a legitimately signed executable (such as one shipped with Microsoft Outlook) is made to load a malicious DLL: because Windows resolves a DLL by name and looks in the executable's own directory first, an attacker can drop a malicious library with the expected name next to the signed binary. The attacker's code then runs inside a process started from a trusted, signed file, which lets it slip through security controls that trust the signature.

In this recently discovered campaign, the DLL side-loading infection chain executes shellcode that decrypts the final payload, a RAT Kaspersky named FoundCore.

Interestingly, the method used to protect the malicious code from analysis highlighted a dramatic advance in sophistication for threat actors in this region.

The final payload's headers, the metadata at the start of a Windows executable that tells the loader (and any analysis tool) how the file is laid out, where its sections sit in memory, where execution starts and which imports it needs, were almost entirely stripped away, and the few fields that remained contained incoherent values. A payload in this state still executes, since the loader stage that decrypts it does not depend on those headers, but a researcher who recovers it cannot simply open it in a disassembler: the headers have to be reconstructed by hand before analysis can even begin, which makes reverse engineering the malware far slower and harder.
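What stripped headers mean in practice, as an added example (not code from Kaspersky or the FoundCore report): a small Python checker that walks the DOS, COFF and optional headers of a Windows PE image and reports each field that a normal loader or disassembler would choke on. The two images it checks are constructed inline, not real malware; the thresholds it applies (known machine types, alignment ranges, a 96-byte minimum optional header) are conventional loader requirements used here as heuristics.

```python
# Added example: PE header sanity checker. Not Kaspersky's code; thresholds are heuristics.
import struct

DOS_MAGIC = 0x5A4D          # "MZ"
NT_SIGNATURE = 0x00004550   # "PE\0\0"
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
KNOWN_MACHINES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def _pow2(x):
    return x > 0 and (x & (x - 1)) == 0


def check_pe_headers(data):
    """Return a list of incoherent-header findings; an empty list means the headers parse cleanly."""
    findings = []
    if len(data) < 0x40:
        return ["file shorter than a DOS header"]
    if struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        findings.append("DOS header: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data):
        findings.append(f"DOS header: e_lfanew {e_lfanew:#x} does not point inside the file")
        return findings
    if struct.unpack_from("<I", data, e_lfanew)[0] != NT_SIGNATURE:
        findings.append("NT headers: missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        findings.append(f"COFF header: unknown Machine {machine:#x}")
    if nsect == 0 or nsect > 96:
        findings.append(f"COFF header: incoherent NumberOfSections {nsect}")
    opt = e_lfanew + 24
    if opt_size < 96 or opt + opt_size > len(data):  # 96 bytes is the smallest legal (PE32) optional header
        findings.append(f"COFF header: incoherent SizeOfOptionalHeader {opt_size}")
        return findings
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPT_MAGIC:
        findings.append(f"optional header: unknown Magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]              # AddressOfEntryPoint
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    if not _pow2(file_align) or not 0x200 <= file_align <= 0x10000:
        findings.append(f"optional header: FileAlignment {file_align:#x} is not a power of two in [0x200, 0x10000]")
    if not _pow2(sect_align) or sect_align < file_align:
        findings.append(f"optional header: SectionAlignment {sect_align:#x} is not a power of two >= FileAlignment")
    if entry >= size_of_image:
        findings.append(f"optional header: AddressOfEntryPoint {entry:#x} lies outside SizeOfImage {size_of_image:#x}")
    sect_off = opt + opt_size
    table_end = sect_off + 40 * nsect
    if size_of_headers < table_end:
        findings.append(f"optional header: SizeOfHeaders {size_of_headers:#x} does not cover the section table")
    if table_end > len(data):
        findings.append("section table: truncated by end of file")
        return findings
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if vaddr + vsize > size_of_image:
            findings.append(f"section {label}: virtual range exceeds SizeOfImage")
        if rptr + rsize > len(data):
            findings.append(f"section {label}: raw data lies beyond end of file")
    return findings


def build_sample_pe(strip_headers=False):
    """Constructed sample, not a real binary: a PE32+ image with one .text section holding a single ret."""
    file_align, sect_align, e_lfanew, opt_size = 0x200, 0x1000, 0x40, 240  # 240 = PE32+ header incl. 16 data dirs
    opt = e_lfanew + 24
    sect_off = opt + opt_size
    size_of_headers = file_align
    img = bytearray(size_of_headers + file_align)  # headers, then one file-aligned section
    struct.pack_into("<H", img, 0, DOS_MAGIC)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, NT_SIGNATURE)
    struct.pack_into(COFF_FMT, img, e_lfanew + 4, 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    struct.pack_into("<H", img, opt, 0x20B)                           # Magic: PE32+
    struct.pack_into("<I", img, opt + 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<Q", img, opt + 24, 0x140000000)                # ImageBase
    struct.pack_into("<II", img, opt + 32, sect_align, file_align)
    struct.pack_into("<II", img, opt + 56, 0x2000, size_of_headers)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into(SECTION_FMT, img, sect_off, b".text", 0x200, 0x1000, file_align, size_of_headers,
                     0, 0, 0, 0, 0x60000020)                          # code | executable | readable
    img[size_of_headers] = 0xC3                                       # ret
    if strip_headers:
        # Mimic a payload whose own loader already knows the layout: everything after the
        # DOS header is zeroed and the one field left behind holds a nonsense value.
        img[e_lfanew:sect_off + 40] = bytes(sect_off + 40 - e_lfanew)
        struct.pack_into("<H", img, e_lfanew + 6, 0xFFFF)             # NumberOfSections
    return bytes(img)


if __name__ == "__main__":
    for label, sample in (("intact", build_sample_pe()), ("stripped", build_sample_pe(strip_headers=True))):
        print(label, check_pe_headers(sample) or "headers parse cleanly")
```

Run against a dump of a payload recovered from memory, the findings tell you which fields have to be rebuilt (usually from the section layout the loader mapped) before a disassembler will accept the file. On the intact sample the checker returns an empty list; on the stripped one it reports the missing PE signature, an unknown machine type, a nonsensical section count and a zero-length optional header, and stops there because nothing after that point can be trusted.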

Hiding the full picture

Moreover, the components of the infection chain are tightly coupled, so that single pieces are difficult, if not impossible, to analyse in isolation, which prevents researchers from assembling a full picture of the malicious activity.

The researchers also found that this infection chain was downloading two additional pieces of malware. The first, DropPhone, collects environment information from the target's machine and sends it to Dropbox. The second is CoreLoader, which runs code that helps the malware evade detection by security products.

Dozens of computers were affected by this campaign, with 80% of them based in Vietnam. Most belonged to the government or military sector, although other targets were related to health, diplomacy, education or politics. There were also occasional targets in Central Asia and in Thailand.

Ivan Kwiatkowski, senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), said that, based on the similarities of the dropped malware with the RedCore malware discovered last year, Kaspersky can attribute this campaign with low confidence to Cycldek, “which, until now, we have considered a less sophisticated Chinese-speaking actor conducting cyber espionage campaigns in this region. However, this recent activity signals a major leap in their abilities.”

Honing their abilities

In general, over the past year, Kaspersky has noted that many of these Chinese-speaking groups are investing more resources into their campaigns and honing their technical capabilities.

“Here, they’ve added many more layers of obfuscation and significantly complicated reverse engineering. And this signals that these groups may be looking to expand their activities. Right now, it may seem as if this campaign is more of a local threat, but it’s highly likely the FoundCore backdoor will be found in more countries in different regions in the future,” explains Mark Lechtik, senior security researcher with GReAT at Kaspersky.

“What’s more, given that these Chinese-speaking groups tend to share their tactics with one another, we wouldn’t be surprised to find the same obfuscation tactics in other campaigns. We’ll be monitoring the threat landscape for similar suspicious activity closely. For companies, the best thing they can do is keep their company up-to-date with the latest threat intelligence, so they know what to be on the lookout for,” comments Pierre Delcher, senior security researcher with GReAT at Kaspersky.

Anyone interested in seeing the de-obfuscation of Cycldek-related malware in action, and in learning how to reverse engineer like GReAT experts, can join the Targeted Malware Reverse Engineering Workshop on 8 April at 17:00 MSK. This webinar offers a sneak peek at Kaspersky’s brand new, self-study, intermediate-level reverse engineering training.

To defend against APT campaigns, Kaspersky recommends installing anti-APT and EDR solutions and enabling threat discovery and detection, investigation, and timely incident remediation capabilities.
