跳到主体内容

Dropping Elephant: Cyber-espionage Group Hunts High Profile Targets with Low Profile Tools

2016年7月9日

In February 2016, following an alert from a partner, Kaspersky Lab’s Global Research and Analysis Team began an investigation

In February 2016, following an alert from a partner, Kaspersky Lab’s Global Research and Analysis Team began an investigation. It quickly became clear that a threat actor, likely operating from India, was undertaking aggressive cyber-espionage activity in the Asian region, targeting multiple diplomatic and government entities with a particular focus on China and its international affairs. Having only old exploits and unremarkable tools in their arsenal, the actor also tried its  luck in attacking high profile targets including some Western entities.  

The modus operandi of “Dropping Elephant” (also known as “Chinastrats”) could hardly be called sophisticated. The attackers rely heavily on social engineering and low-budget malware tools and exploits. However, this approach seems to be effective, which makes this actor a dangerous one. From November 2015 to June 2016, the actor profiled hundreds to thousands of targets all around the world. On top of this, within the first couple of months of the operation they managed to steal documents from at least a few dozen selected victims.

Tools: simple, yet effective

  • For initial target profiling, Dropping Elephant mass-mails a number of email addresses it has collected on the basis of their relevance to its goals. The spear-phishing emails sent by the attackers contain references to remote content – it is not embedded in the email itself, but downloaded from an external source. The email has no malicious payload, except a simple “ping” request that is sent to the attackers’ server if the target opens the email. This automatically sends a message which contains some basic information about the recipient: IP address, type of browser and both the device used and its location.
  • After using this simple method to filter out the most valuable targets, the attackers proceed with another, more targeted spear-phishing email. This is either a Word document with CVE-2012-0158 exploit, or PowerPoint slides with an exploit for the CVE-2014-6352 vulnerability in Microsoft Office. Both exploits are public and have been known for a long time, but are still effective.
  • Some victims are targeted by a watering hole attack: they receive a link to a website disguised as a political news portal, focused on China’s external affairs. The majority of links on this website lead to additional content in the form of a PPS (PowerPoint Slides document) with a malicious payload inside.

Even though the vulnerabilities used in the attacks were patched by Microsoft, the attackers can still rely on a social engineering trick to compromise their targets if they ignore multiple security warnings displayed and agree to enable dangerous features of the document. The content of the malicious PPS is based on carefully chosen, genuine news articles featuring widely discussed geopolitical topics, which makes the document look more trustworthy and likely to be opened. This leads many users to become infected.

  • After the successful exploitation of the vulnerability, a range of malicious tools are installed on the victim’s machine.
  • These tools then collect and send attackers the following types of data: Word documents, Excel spreadsheets, PowerPoint presentations, PDF files, login credentials saved in the browser.

In addition to social engineering attacks and exploits for old vulnerabilities, one of the Dropping Elephant backdoors uses a C&C communication method borrowed from other threat actors: it hides the real location of the C&C server in the form of the comments to articles on legitimate public websites. This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors. This is done in order to make investigation of the attack more complicated.

Geographical preferences

Based on the target profile created by the Kaspersky Lab researchers, Dropping Elephant is focused on two main types of organization and individuals: Chinese-based government and diplomatic entities and any individuals connected to them, as well as partners of these organizations in other countries.

In total, Kaspersky Lab experts were able to identify several hundred targets worldwide, most of which are located in China, while others were from or related to Pakistan, Sri-Lanka, Uruguay, Bangladesh, Taiwan, Australia, USA and some other countries.

Artifacts

There are indicators pointing to the fact that this actor operated from India however, at the same time, there is no solid proof to that a nation-state might be involved in this operation.

The analysis of activity reveals that the attackers probably operated in the time zone of either UTC+5 or UTC+6. Interestingly enough, since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes Pacific Standard Time zone, corresponding – among others - to West Coast working hours in the US. This is likely to be the result of increased headcount in the Dropping Elephant team.

«Despite using such simple and affordable tools and exploits, the team seem capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016. The expansion also suggests that it is not going to end its operations anytime soon. Organizations and individuals that match this actor’s target profile should be especially cautious. The good news is that this group hasn’t yet been spotted using really sophisticated, hard-to-detect tools. This means that their activity is relatively easy to identify. This can of course change at any time,» - said Vitaly Kamluk, Head of Research Center in APAC, GReAT, Kaspersky Lab.

Kaspersky Lab is open to working with CERTs and law enforcement agencies of affected countries to notify the owners and mitigate the threat.

In order to protect yourself and your organization from cyber-espionage groups like Dropping Elephant, Kaspersky Lab security experts advise taking the following measures:

  • Follow the basic rules of Internet security: don’t open attachments in emails received from unknown senders and regularly update the software on your PC;
  • Use a proven security solution capable of fighting the most sophisticated cyberthreats;
  • Remember that what looks like a legitimate document could be the first stage of a targeted attack against your company. In large organizations, use proven anti targeted-attack solutions capable of spotting dangerous anomalies in the corporate networks before the malware is installed and the data is stolen;
  • The best way to keep your protection up to date is to track the evolution of targeted attack actors. Use threat intelligence services to ensure you’re aware of what new techniques attackers implement and what protection measures could make these techniques ineffective.

Kaspersky Lab solutions detect and neutralize the Dropping Elephant malware as Exploit.Win32.CVE-2012-0158;

  • Exploit.MSWord.CVE-2014-1761;
  • Trojan-Downloader.Win32.Genome;
  • HEUR:Trojan.Win32.Generic.
  • Trojan.Win32.Agent.ijfx
  • Trojan-Ransom.Win32.PolyRansom.bel
  • Trojan.Win32.Autoit.fdp

Kaspersky Lab also detects the exploits used in the documents.

To learn more about the Dropping Elephant group, read the blogpost on Securelist.com

The full version of the report on Dropping Elephant is available for customers of Kaspersky Lab APT Intelligence reporting service. Learn more at: http://www.kaspersky.com/enterprise-security/apt-intelligence-reporting

Learn more about how Kaspersky Lab products can protect users from this threat.

Dropping Elephant: Cyber-espionage Group Hunts High Profile Targets with Low Profile Tools

In February 2016, following an alert from a partner, Kaspersky Lab’s Global Research and Analysis Team began an investigation
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻