LAS VEGAS -- Researchers have uncovered a huge amount of malware and registered domains being used by criminals linked to China who are conducting cyber-espionage on a wide range of government, industry, and human rights activists.
The growing menace from these "Advanced Persistent Threats" is detailed in a report unveiled today called "Chasing APT." In an interview at the Black Hat security conference here, Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, said that over the last 18 months he's been monitoring attacks designed to steal data from organizations around the world. Two primary groups, in Shanghai and Beijing, appear to be behind the attack operations, he said.
The groups were using more than 200 unique families of custom malware. They were also using more than 1,100 domain names registered solely to serve as command-and-control servers or to send spear phishing messages targeting specific workers within a company to entice them to open a malicious e-mail attachment or Web link. No one is safe with carefully crafted and targeted messages, Stewart said.
"You have to have that kind of paranoia to know anything you get that is unsolicited is suspicious," he said. Companies should consider opening any unsolicited attachments and links, even from people who are known and trusted, in a virtual machine or a sanitized workstation in which an infection can be isolated.
Targets include Japanese government ministries, universities, municipal governments, trade organizations, news media, think tanks and manufacturers of industrial equipment. "Now it's not just a limited set of targets," Stewart said. "It's anybody who has a competitor."
Stewart also found a private security organization in Asia, but not in China, that's conducting a powerful cyber-espionage operation against another country's military, while also offering security services and so-called "ethical hacking courses" as part of its legitimate business. He wouldn't name the company.
Attackers are using a tool called HTran to disguise the location of their command-and-control servers and a new piece of malware called "Elirks" that uses a microblogging service called Plurk as a first-stage command-and-control server.
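Malware that uses a public microblogging service as its first stage has to poll that service on a schedule to pick up its next instructions, and that regularity is something a defender can look for in outbound proxy logs. The following detector is an added illustration written for this article, not code from the "Chasing APT" report or from Dell SecureWorks; it assumes a constructed, space-separated proxy log format (timestamp, client address, destination host, user agent), uses the Plurk domain only because the article names it, and flags any client that contacts one host at near-constant intervals.

```python
"""Beaconing detector over constructed proxy log lines (illustrative, not from the report)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one host browsing Plurk irregularly, one host polling it
# every ten minutes with a non-browser-looking user agent. These are not real records.
SAMPLE_LOG = """\
2012-07-25T09:00:00 10.1.1.20 www.plurk.com Mozilla/5.0 (Windows NT 6.1) Firefox/13.0
2012-07-25T09:00:41 10.1.1.20 www.plurk.com Mozilla/5.0 (Windows NT 6.1) Firefox/13.0
2012-07-25T09:07:13 10.1.1.20 www.plurk.com Mozilla/5.0 (Windows NT 6.1) Firefox/13.0
2012-07-25T09:31:02 10.1.1.20 www.plurk.com Mozilla/5.0 (Windows NT 6.1) Firefox/13.0
2012-07-25T09:00:00 10.1.1.57 www.plurk.com Mozilla/4.0 (compatible; MSIE 6.0)
2012-07-25T09:10:00 10.1.1.57 www.plurk.com Mozilla/4.0 (compatible; MSIE 6.0)
2012-07-25T09:20:01 10.1.1.57 www.plurk.com Mozilla/4.0 (compatible; MSIE 6.0)
2012-07-25T09:29:59 10.1.1.57 www.plurk.com Mozilla/4.0 (compatible; MSIE 6.0)
2012-07-25T09:40:00 10.1.1.57 www.plurk.com Mozilla/4.0 (compatible; MSIE 6.0)
2012-07-25T09:50:00 10.1.1.57 www.plurk.com Mozilla/4.0 (compatible; MSIE 6.0)
"""


def parse_log(text):
    """Group request timestamps by (client, destination host); also keep user agents seen."""
    requests = defaultdict(list)
    agents = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, agent = line.split(" ", 3)
        requests[(client, dest)].append(datetime.fromisoformat(ts))
        agents[(client, dest)].add(agent)
    return requests, agents


def detect_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, dest): stats} for pairs whose inter-request gaps are nearly constant.

    A low coefficient of variation (pstdev / mean) of the gaps means the client is
    polling on a timer rather than a person clicking around. Legitimate pollers
    (feed readers, update checkers) trigger this too, so treat hits as leads to
    review, not verdicts.
    """
    requests, agents = parse_log(text)
    findings = {}
    for key, times in requests.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = {
                "requests": len(times),
                "mean_interval_s": avg,
                "cv": cv,
                "user_agents": sorted(agents[key]),
            }
    return findings


if __name__ == "__main__":
    for (client, dest), stats in detect_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {stats['requests']} requests, "
              f"every {stats['mean_interval_s']:.0f}s (cv={stats['cv']:.3f}), "
              f"agents={stats['user_agents']}")
```

On the constructed log the ten-minute poller is reported and the interactive browsing is not. In practice the interval check is combined with other context (a user agent that no real browser on the network uses, requests outside working hours, a host that has never visited the service before), because periodicity alone produces false positives.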
Once a computer is infected, the malware enlists an arsenal of tools to stay in stealth mode and get as much financial data from the victim as possible, said Brett Stone-Gross of the Dell SecureWorks Counter Threat Unit. It uses Web injects when it detects a victim visiting particular e-commerce sites to display a pop-up window via the browser that prompts for sensitive information such as a Social Security number and credit card number.
It also uses infected machines to launch Distributed Denial-of-Service attacks against financial sites after money has been pilfered from bank accounts so that victims can't reach the site to see if their account is OK. Its peer-to-peer infrastructure makes it impossible to shut down because there is no central command-and-control server running it.