{"id":3175,"date":"2013-08-13T10:00:25","date_gmt":"2013-08-13T14:00:25","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=3175"},"modified":"2013-08-13T10:00:25","modified_gmt":"2013-08-13T14:00:25","slug":"security-team-pries-open-secrets-of-chinese-hacker-gang","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/13\/security-team-pries-open-secrets-of-chinese-hacker-gang\/","title":{"rendered":"Security team pries open secrets of Chinese hacker gang"},"content":{"rendered":"<section class=\"page\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=580%2C461\" width=\"580\" height=\"461\" \/><br \/>\n<p>A Chinese hacker gang whose malware <a href=\"http:\/\/www.pcworld.com\/article\/230119\/article.html?tk=rel_news\">targeted RSA<\/a> in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers.<br \/>\nThe <a href=\"http:\/\/www.pcworld.com\/article\/2014632\/xtreme-rat-malware-targets-us-uk-other-governments.html?tk=rel_news\">remote-access Trojan,<\/a> or RAT, tagged as &#8220;Comfoo&#8221; is largely inactive, said a pair of veteran researchers from Dell SecureWorks, who presented their findings at the recent Black Hat security conference.<br \/>\nBut their discoveries showed just how pervasively a <a href=\"http:\/\/www.pcworld.com\/article\/2039262\/chinese-hackers-resume-attacks-on-u-s-targets.html?tk=rel_news\">dedicated group of attackers<\/a> can infiltrate networks and walk away with secrets.<br \/>\n&#8220;We&#8217;re not seeing it used to the extent it was before,&#8221; said Joe Stewart, director of malware research at SecureWorks, in explaining why he and his colleague, Don Jackson, revealed 
their undercover campaign.<\/p>\n<h2>Digital stakeout<\/h2>\n<p>For more than 18 months, Stewart and Jackson, director of SecureWorks&#8217; Counter Threat Unit (CTU), secretly monitored some of the workings of Comfoo, which they believe was the work of a hacker crew they&#8217;ve named the Beijing Group. The gang is one of China&#8217;s top-two hacker organizations.<\/p>\n<figure class=\"right medium\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/02\/identity_theft_hacker-100026919-medium.jpg?resize=300%2C200\" width=\"300\" height=\"200\" \/><figcaption><\/figcaption><\/figure>\n<p>To start, Stewart captured a sample of the malware used in <a href=\"http:\/\/www.pcworld.com\/article\/222522\/article.html?tk=rel_news\">the RSA attack,<\/a> which at the time was <a href=\"http:\/\/www.computerworld.com\/s\/article\/9218857\/Researcher_follows_RSA_hacking_trail_to_China\">attributed to Chinese hackers<\/a>, then reverse-engineered the encryption that the malware used to mask instructions to and from the gang&#8217;s command-and-control (C&amp;C) servers.<br \/>\nEventually, Stewart was able to spy on the hackers as they logged onto those C&amp;C servers. 
As they did, Stewart snatched the victims&#8217; MAC addresses\u2014unique identifiers for network hardware\u2014their IP, or &#8220;Internet protocol&#8221; addresses, and finally, a tag the hackers used to label each data-stealing campaign.<br \/>\nSecureWorks was not able to see what data the attackers were stealing, but their passive monitoring reaped dividends.<br \/>\n&#8220;We&#8217;ve done similar ops like this before,&#8221; said Stewart, &#8220;but with the custom stuff, you rarely get this kind of insight or this level of detail of the attacks and victims.&#8221;<\/p>\n<h2>Victims notified<\/h2>\n<p>SecureWorks said its stealthy stakeout\u2014which was intermittent to ensure that the hackers weren&#8217;t aware they were watching\u2014uncovered over 100 victims, more than 64 different campaigns and 200-plus Comfoo variants. The Atlanta-based security firm notified some of the victims directly, and others through CERTs, the computer emergency response teams that governments maintain.<br \/>\n&#8220;This was just a snapshot of the [total] victims,&#8221; Stewart cautioned.<br \/>\nThe hackers targeted a wide range of government agencies and ministries, private companies and trade organizations in fields as diverse as energy, media, semiconductors and telecommunications. They seemed eager to grab information from almost anywhere and anyone, although the victims were concentrated in Japan, India, South Korea, and the U.S.<br \/>\nBut one victim caught their attention.<br \/>\nWhile Stewart and Jackson declined to name any of the victims, they said one campaign had been aimed at a major videoconferencing software developer.<br \/>\nThey speculated that the attackers were sniffing through that company&#8217;s network for information on vulnerabilities in the software, which they could then exploit at other targets to put eyes and ears on confidential industry and government meetings. 
&#8220;They might be trying to leverage that access to spy on third parties,&#8221; said Stewart.<\/p>\n<h2>Unusual spy targets<\/h2>\n<figure class=\" large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" alt=\"comfoo\" src=\"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/08\/comfoo-infections-100049688-large.jpg?resize=580%2C300\" width=\"580\" height=\"300\" \/><small class=\"credit\">SecureWorks<\/small><figcaption>SecureWorks&#8217; virtual stakeout pinpointed the physical location of many of the Comfoo C&amp;C servers. China was the hotspot.<\/figcaption><\/figure>\n<p>In a report SecureWorks published last week on Comfoo, the company said that targeting audio and videoconferencing products was &#8220;unusual.&#8221;<br \/>\nOther attacks may have had the same goal: Acquire inside information on everything from specialized security software to digital certificates for use in future campaigns.<br \/>\nSecureWorks&#8217; surveillance will also let security researchers better track the hacker gang, even though the cyber criminals have changed their malware tools since using Comfoo, and will undoubtedly do so again, said Jackson.<br \/>\n&#8220;It&#8217;s safe to assume that they&#8217;ll change their toolkits,&#8221; Jackson said. &#8220;But as long as the key features match, we should be able to match them [in the future] with campaigns.&#8221;<br \/>\nHacker gangs, Jackson added, have personalities and quirks, and can be &#8220;fingerprinted&#8221; by closely analyzing not only the malware they use, but also how they organize the C&amp;C infrastructure. 
&#8220;They all have patterns,&#8221; Jackson said.<br \/>\nAlthough he wouldn&#8217;t go into specifics, Jackson said that SecureWorks had already used the patterns found in the Comfoo campaigns to identify newer malware and attacks that the company believes are the work of the Beijing Group.<br \/>\n&#8220;As long as it&#8217;s evolutionary rather than revolutionary, we should be able to spot them,&#8221; Jackson said.<br \/>\nvia <a href=\"http:\/\/www.pcworld.com\/article\/2046356\/security-team-pries-open-secrets-of-chinese-hacker-gang.html\">PCWorld<\/a><br \/>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[6,7],"tags":[342,453,655],"class_list":["post-3175","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","tag-exploits","tag-hackers","tag-malware"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Pd","jetpack-related-posts":[{"id":6294,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/27\/research-team-creates-undetectable-malware-bound-to-legitimate-software-downloads\/","url_meta":{"origin":3175,"position":0},"title":"Research team creates undetectable malware bound to legitimate software downloads","author":"NCCT","date":"August 27, 2014","format":false,"excerpt":"Most cyber attacks from your typical home hacker, come by way of techniques used 10 years ago or more like phishing scams, poor password management, and things of that nature. But now it seems as though a research team from Germany has developed on all new strain of malware. 
The\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3156,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/09\/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux\/","url_meta":{"origin":3175,"position":1},"title":"\u201cHand of Thief\u201d banking trojan doesn\u2019t do Windows\u2014but it does Linux","author":"NCCT","date":"August 9, 2013","format":false,"excerpt":"Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system. Hand of Thief, which was recently discovered by researchers from security firm RSA, sells for about $2,000 in underground Internet forums and boasts its own support and\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":8714,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/05\/newly-discovered-adware-digs-its-claws-deep-into-android-is-nearly-impossible-to-remove\/","url_meta":{"origin":3175,"position":2},"title":"Newly discovered adware digs its claws deep into Android, is nearly impossible to remove","author":"NCCT","date":"November 5, 2015","format":false,"excerpt":"Security researchers found over 20,000 adware samples hiding in apps that masquerade 
as Facebook, Twitter, Snapchat, and other popular services. Derek Walter | @derekwalter | PCWorld Security researchers have uncovered a new style of Android malware that hides inside of apps that act and look like they\u2019re legitimate services. Lookout\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3213,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/20\/researchers-manage-to-get-malware-published-in-apples-ios-app-store\/","url_meta":{"origin":3175,"position":3},"title":"Researchers manage to get malware published in Apple&#039;s iOS App Store","author":"NCCT","date":"August 20, 2013","format":false,"excerpt":"While the posting of malware remains a rare occurrence on Apple's iOS App Store, a team of security researchers figured out a way to get a malicious piece of software past Apple's certification team. The team from Georgia Tech said that the app was approved and published by Apple in\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7586,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/06\/sneaky-linux-malware-comes-with-sophisticated-custom-built-rootkit\/","url_meta":{"origin":3175,"position":4},"title":"Sneaky Linux malware comes with sophisticated custom-built rootkit","author":"NCCT","date":"February 6, 2015","format":false,"excerpt":"A malware program designed for Linux systems, including embedded devices with ARM architecture, uses a sophisticated kernel rootkit that\u2019s custom built for each infection. The malware, known as XOR.DDoS, was first spotted in September by security research outfit Malware Must Die. 
However, it has since evolved and new versions were\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8923,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/05\/17\/this-botnet-has-infected-nearly-a-million-devices-since-2014\/","url_meta":{"origin":3175,"position":5},"title":"This botnet has infected nearly a million devices since 2014","author":"NCCT","date":"May 17, 2016","format":false,"excerpt":"By Shawn Knight | TechSpot One of the many ways that cybercriminals earn income is through affiliate advertising programs like Google\u2019s AdSense. Rather than generate traffic through content creation, hackers figure out ways to trick advertising platforms into thinking a partner is sending them legitimate traffic. Not knowing they're being\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=3175"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3175\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=3175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/tec
htalk\/wp-json\/wp\/v2\/categories?post=3175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=3175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}