Following the recent hack of a US Navy contractor security experts found evidence of very recent activity by the China-linked APT group tracked as APT15.

The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing the code from one of the tool he used in past operations.

APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets in defense, high tech, energy, government, aerospace, manufacturing industries worldwide. The attackers demonstrated an increasing level of sophistication across the years, they used a custom-malware and various exploits in their attacks.

Across the years, security firms identified many hacking tools associated with APT15 such as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb.

The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

In March 2018, APT15 used new backdoors is an attack that was likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

One of the attacks aimed at a UK-based customer of NCC Group, an organization that provides a wide range of services to the United Kingdom government. The hackers focused on government departments and military technology by targeting the customer of the company.

NCC noted at the time that the APT15 used two new backdoors, tracked as RoyalCLI and RoyalDNS.

One of the backdoors has been tracked as RoyalCLI due to a debugging path left in the binary, it is the successor of BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with command and control (C&C) servers via Internet Explorer using the COM interface IWebBrowser2.

The attackers utilized Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server, once executed the command the backdoor returns output through DNS.

Researchers from security firm Intezer, has recently identified a new piece of malware linked to APT15. The discovery was casual, the experts in fact discovered the malware while searching the Mirage malware based on YARA rules created for Mirage, one of the oldest tools used by the APT15 and for the Reaver malware that was linked to cyber espionage campaigns conducted by China-linked APT groups.

“Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.”  reads the analysis published by Intezer.

“The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.”

The new malware was tracked by the researchers as MirageFox, the name comes from a string found in one of the components that borrows code from both Mirage and Reaver.

The original Mirage malware includes the code for a remote shell and the function for decrypting command and control (C&C) configuration data.

Mirage also shares code with other malware attributed to APT15, including BMW, BS2005, and particularly MyWeb.  Code similarities suggest the Reaver malware was developed by the APT15.

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth.” continues the analysis published by Intezer.

“Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,” 

The sample analyzed by the experts was compiled on June 8 and it was uploaded to VirusTotal on June 9.

The malware leverages a legitimate McAfee binary to load malicious processes through DLL hijacking, a technique already used by in past attacks.

Intezer experts also noticed that the C&C server is configured as an internal IP address, a circumstance that confirms the sample was configured to target organization.

“If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address. If you read the report mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an organization they have already infiltrated and are connecting to the internal network using a VPN.” continues the report.

At the time the attack vector it is still unclear, further technical details including IoCs are reported in the analysis published by the company. 

“There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries.” concludes Intezer.

“As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.”

Pierluigi Paganini