
| Field | Value |
| --- | --- |
| Names | APT3, UPS Team, Buckeye, Gothic Panda |
| Additional Names | Pirpi, Threat Group-0110, TG-0110 |
| Location | China |
| Date of initial activity | 2009 |
| Suspected attribution | Ministry of State Security – China |
| Associated tools | SHOTPUT, COOKIECUTTER, SOGU, LaZagne, OSInfo, PlugX, RemoteCMD, schtasks |
| Significant Attacks | Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap |
Overview
APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. The group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, it appears to have shifted from targeting primarily US victims to targeting primarily political organizations in Hong Kong.
The Buckeye attack group has been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S.
The group has a record of exploiting zero-day vulnerabilities. These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014.
Although other zero-day attacks have been reported, they have not been confirmed by Symantec. All zero-day exploits known, or suspected, to have been used by this group are for vulnerabilities in Internet Explorer and Flash.
The China-based threat group that FireEye tracks as APT3 is one of the more sophisticated groups that FireEye Threat Intelligence follows, and it has a history of using browser-based zero-day exploits (e.g., against Internet Explorer, Firefox, and Adobe Flash Player).
After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3’s command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns.
Targets
Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation
Attack vectors
The phishing emails used by APT3 are usually generic in nature, almost appearing to be spam. Attacks have exploited an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files. The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP).
A twist in their ROP technique makes the exploit simpler to build and evades some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside the key used for its decryption. The payload is XOR-encoded and hidden inside an image.
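The XOR-encoded payload hidden inside an image is something an analyst can hunt for directly in a suspect file. The following Python is an added example, not code from this page or from FireEye or Symantec: it recovers a repeating XOR key by sliding the known DOS-stub plaintext of a PE file across the blob, then validates the decoded MZ/PE header. The JPEG-like sample input, the 3-byte key and the PE-shaped scaffolding are constructed for the demonstration; the assumed key length bound of 8 bytes is a parameter.

```python
import re

# Known plaintext carried in the DOS stub of every MS-linker-built PE file.
DOS_STUB = b"This program cannot be run in DOS mode."

def xor_bytes(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """XOR data with a repeating key; key[0] applies at data offset `phase`."""
    klen = len(key)
    return bytes(b ^ key[(i - phase) % klen] for i, b in enumerate(data))

def find_xored_pe(blob: bytes, max_key_len: int = 8):
    """Locate a PE image hidden in `blob` under a repeating-key XOR (key length <= max_key_len).
    Slide the DOS-stub plaintext across the blob, derive the key stream each offset implies,
    keep offsets where that stream is periodic, then confirm a decoded 'MZ' header shortly
    before it whose e_lfanew field points at the PE signature.
    Returns (mz_offset, key, decoded_pe_bytes) or None."""
    n = len(DOS_STUB)
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], DOS_STUB))
        klen = next((k for k in range(1, max_key_len + 1)
                     if all(stream[i] == stream[i % k] for i in range(n))), None)
        if klen is None:
            continue
        key = stream[:klen]
        decoded = xor_bytes(blob, key, phase=off)
        lo = max(0, off - 0x80)  # the stub normally sits inside the first 0x80 bytes of the header
        for m in re.finditer(b"MZ", decoded[lo:off]):
            mz = lo + m.start()
            e_lfanew = int.from_bytes(decoded[mz + 0x3C:mz + 0x40], "little")
            if decoded[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
                return mz, key, decoded[mz:]
    return None

def build_sample_image(key: bytes = b"\x5a\xc3\x19") -> bytes:
    """Constructed test input: a JPEG-looking prefix followed by an XOR-encoded, minimal
    PE-shaped header (scaffolding only, not a runnable program)."""
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> PE signature at 0x80
    pe[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    pe[0x80:0x84] = b"PE\0\0"
    jpeg_like = b"\xff\xd8\xff\xe0" + bytes(range(64)) + b"\xff\xd9"
    return jpeg_like + xor_bytes(bytes(pe), key)

if __name__ == "__main__":
    hit = find_xored_pe(build_sample_image())
    print("no hidden PE found" if hit is None else f"PE at offset {hit[0]}, key {hit[1].hex()}")
```

Because the key is derived from known plaintext rather than guessed, the same scan works for any key length up to the bound, and the e_lfanew check keeps chance "MZ" matches from producing false positives.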
How they work
Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts. Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.
Indicators of Compromise (IOC)
References:
- APT3
- APT3: A Nation-State Sponsored Adversary Responsible For Multiple High Profile Campaigns
- Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
- APT3 aka: GOTHIC PANDA, TG-0110, Group 6, UPS, Buckeye, Boyusec, BORON, BRONZE MAYFAIR, Red Sylvan