Much like in the middle ages, where the best knights had a great arsenal of swords, axes and maces to win a battle, today’s adversary must have a good arsenal of attacking tools and malware to have a successful APT attack. For instance, the Chinese APT1 group has a great arsenal of malware – many of which are described in Mandiant’s detailed report.
In the following research lab blog posts (this is the first in the series), we will expose unknown attacking tools and malware used by different attackers from various parts of the world.
The Attack Tool: PinkStats Downloader
Today, we would like to discuss a malware called PinkStats which has been used by several Chinese-speaking groups to target different worldwide organizations and nation-states for the past 4 years.
PinkStats malware is a downloader, meaning it will download one or more additional malware components from a location embedded within the PinkStats executable. It sends an updated HTTP request to the C2 (Command & Control) server once the download and installation of the new malware components is successfully completed.
PinkStats attempts to masquerade itself as legitimate web statistics or a counter service, both in the malware communication to the C2 server (see Figure 1) and the attacker’s administration panel login screen (see Figure 2).
Figure 1: PinkStat malware communication to the C2 server
Figure 2: PinkStat malware administration panel login screen
We have identified numerous different campaigns since 2009 using the PinkStats attacking tool as the main download component. One of the latest operations targeted dozens of organizations in South Korea.
Oppa PinkStats Style
A screenshot of the administration panel that we were able to find on one of the C2 servers (Figure 3) reveals over 1,000 machines located in South Korea. The machines belonging mainly to universities and other educational institutions, have been targeted by silently installing the PinkStats malware, using “arp” as the name of the infection group.
Figure 3: PinkStats malware administration panel written in Chinese
In this targeted attack the PinkStats downloaded two additional malware components. The first component is a common Chinese attack tool called zxarps that is being used as a local network worm. It performs ARP poisoning in order to inject an iframe tag into active web sessions on other machines within the victim’s local network. The injected iframe contains an ActiveX installation of the PinkStats malware using a vulnerable C6 messanger ocx component. The ActiveX cab file is signed by Thawte and valid as of May 8th, using “Microsoft Corporation” as the product name and a fake South Korean company name, “Liaocheng YuanEr Technology CO.,ltd.”, as the publisher name (Figure 4).
This time the PinkStats malware is using “arp1” as the name of the infection group. This allows the Chinese adversary to easily identify machines which were infected by the initial attack vector (infection group “arp”), and those that were infected using the ARP poisoning local network worm component (infection group “arp1”).
Figure 4: PinkStats signed ActiveX of a fake South Korean company
The second installed component is a DDoS malware tool. The downloaded component file, Win8.exe, is trying to disguise as V3Light Framwork software from AhnLab, a South Korean antivirus company (Figure 5).
Up until now, the adversary did not seem to send any specific instructions to the installed DDoS malware. However, with the recent incidents of DDoS attacks against South Korean infrastructure, it is reasonable to assume that this state could change anytime soon.
Figure 5: Win8.exe using fake South Korean AhnLab product name
This is not the first time we have seen Chinese attackers target entities from other Asian countries. For instance, a few months ago, Chinese attackers targeted Japanese and even Chinese journalistsby sending Spear Phishing email with a fake Mandiant APT1 report. However, while it was speculated that the Chinese are behind the recent DDoS attack against South Korea’s critical infrastructure, PinkStats seems to be the first real proof that Chinese-speaking adversaries are indeed targeting South Koreans.
To learn more about protection from Advanced Persistent Threats such as PinkStats join us on July 18, 2013 for an in-depth webinar: Why depending on malware prevention alone is no longer an option, register here