Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures, but the actual number of target seems to be smaller as some of these IP addresses were concentrated within specific network blocks so are probably used by the same organization.
"Investigating and monitoring the activities of the Safe campaign over time, we were able to take advantage of the mistakes the attackers made and thus gain a deeper understanding of their operations," the researchers wrote in a whitepaper detailing the campaign.
"One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks."
The attacks start almost predictably via Tibetan- and Mongolian-themed spear-phishing emails containing a malicious MS Word file specifically designed to exploit a vulnerability (CVE-2012-0158) in older versions of the software.
The decoy document would open, and in the background malicious files would be dropped onto the system in preparation for the second stage of the attack: the downloading and running of additional malware and tools such as off-the-shelf programs that are able to extract saved passwords from Internet Explorer and Mozilla Firefox as well as any stored Remote Desktop Protocol (RDP) credentials.
The analysis of the IP addresses contacting the two C&C servers revealed that most targeted systems were located in Mongolia, India, the U.S., China, Pakistan and the Philippines. A closer look at the C&C servers allowed them also to identify the tools and source code the threat actors used to create, distribute, and encrypt/decrypt data.
The malware author seems to be based in China and the researchers believe him to be a professional software engineer.
"The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers. These qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science," they noted.
"Apart from being significantly well-organized and well-commented, the code was also developed with defensive programming in mind. Each of the variables was named in a very obvious manner, helping other engineers easily distinguish functionality; again, a trait seen in the work of many professional software engineers. In addition to being heavily commented on and using intuitive variable naming conventions, the code also had an apparent slant toward usability. Each interface was very intuitive and well-designed, something not often seen in the code of a hobbyist.
The use of terms like 'bot,' combined with the author’s posting of the malware code to code-sharing sites, indicate a degree of familiarity with the cybercriminal underground in China."
But the campaign’s operators remain a mystery due to their use of VPNs and proxy tools.