Sophisticated, persistent cyber attacks have hit a host of defence and aerospace firms, FireEye reports
Security company FireEye spotted the “Beebus” attacks, which used malicious PDF and .DOC files to infect targets with malware that subsequently drops a DLL (dynamic-link library) called ntshrui.DLL into the C:\Windows directory. It does so to achieve persistence, FireEye said. The malicious files were delivered either through successful spear phishing or through drive-by downloads.
Cyber attacks incoming
The malware collects information, including the infected machine’s processor type, CPU speed and memory usage. The malware also contains a module to download and execute additional payloads and updates, which could be used to siphon off more important data.
FireEye did not venture to say where the attack came from, but said it derived a link to China based on the technical make-up of the attacks. The command and control infrastructure in the attacks used “bee.businessconsults.net” as a host.
Subdomains of “businessconsults.net” have been used as command and control nodes for the “HUC Packet Transmit Tool”, a TCP proxy tool used by the attackers who breached RSA in early 2012, an attack in which some believe China took part.
Furthermore, those RSA hackers used obfuscated or encrypted HTML comments embedded in websites in order to indirectly control compromised endpoints, FireEye said. That technique was reportedly used by the “Comment Group” or “Comment Team” hacking collective, believed to be associated with the Chinese government.
China has been in the cyber security press rather a lot recently. It has been linked with attacks on various US media organisations, including the Wall Street Journal and the New York Times, as well as Twitter.
The Wall Street Journal reported this week that Google chairman Eric Schmidt had some strong words to say about China, in a book called The New Digital Age. Along with his co-writer, head of Google Ideas Jared Cohen, Schmidt said China was “the world’s most active and enthusiastic filterer of information” and “the most sophisticated and prolific” hacker of foreign companies.
The attackers used some nifty tricks to prevent detection and interference. The base64 variant used to obscure pilfered information uses a different character set from the standard alphabet, making inspection by men-in-the-middle, or “on the wire” snoopers, harder, since a standard base64 decoder turns the data into garbage.
The hackers also used intriguing keywords, including the Japanese name Osamu, to designate individual attacks within their command and control infrastructure.
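To show why a non-standard base64 alphabet defeats casual on-the-wire inspection, and how an analyst who has recovered the alphabet from a sample decodes the traffic anyway, here is an added example (not FireEye's code and not the Beebus alphabet): the custom alphabet, the host-profile string and the triage heuristic are all constructed for illustration.

```python
import base64
import string
from typing import Dict, Optional

# Standard RFC 4648 alphabet.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed sample alphabet for this example (a 13-position rotation of the
# standard one). It is NOT the alphabet used by the Beebus malware.
SAMPLE_CUSTOM_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]

# Constructed stand-in for the host profile the malware reportedly collects.
SAMPLE_PROFILE = b"cpu=Intel;speed=2400MHz;mem=45%"


def encode_custom_base64(raw: bytes, alphabet: str) -> str:
    """Encode with a custom alphabet (used here only to build sample traffic)."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def decode_custom_base64(data: str, alphabet: str) -> bytes:
    """Map a recovered custom alphabet back onto the standard one, then decode.
    The alphabet is obtained by the analyst (e.g. from the encoder table in the
    sample); decoding with the wrong alphabet yields garbage, not an error."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    return base64.b64decode(data.translate(table), validate=True)


def looks_like_profile(decoded: bytes) -> bool:
    """Triage heuristic: printable ASCII that mentions CPU or memory fields."""
    if not all(32 <= b < 127 for b in decoded):
        return False
    text = decoded.decode("ascii").lower()
    return any(key in text for key in ("cpu", "processor", "mem"))


def identify_alphabet(payload: str, candidates: Dict[str, str]) -> Optional[str]:
    """Return the name of the first candidate alphabet that yields plausible data."""
    for name, alphabet in candidates.items():
        try:
            decoded = decode_custom_base64(payload, alphabet)
        except ValueError:  # binascii.Error from b64decode is a ValueError
            continue
        if looks_like_profile(decoded):
            return name
    return None


if __name__ == "__main__":
    beacon = encode_custom_base64(SAMPLE_PROFILE, SAMPLE_CUSTOM_ALPHABET)
    options = {"standard": STANDARD_ALPHABET, "recovered": SAMPLE_CUSTOM_ALPHABET}
    print(beacon, "->", identify_alphabet(beacon, options))
```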
“There is no specific pattern to this attack, we have seen days on which multiple weaponised emails were sent to several companies, and on other days we observed that the threat actor sent only one email to a specific target organisation,” FireEye wrote in its blog post.
See below for FireEye’s table on how the cyber attack has been going up and down for months now:
FireEye did not specify which firms were targeted, or where they hailed from.