APT1 cyber espionage group is back to their old tricks
Posted on 30 April 2013.
Despite Mandiant's prediction that the release of its report on the attack methodology of the so-called APT1 (or "Comment Crew") cyber espionage group would lead the group to change its attack techniques and consequently become harder to track, it seems that the group has bucked those expectations.


According to researchers from Cyber Squared, the Comment Crew have not significantly changed their implant technologies, C&C capabilities, or targets.

"One working theory for the lack of any noteworthy change is that 'Comment Crew' does not need to make any significant changes to continue conducting successful exploitation operations," they pointed out. "The 'Comment Crew' actors may have achieved a satisfactory balance of conducting successful exploitation operations by maintaining a certain level of survivability while using existing C2 infrastructure. Or perhaps, they have developed new midpoints in addition to implementing host-based detection evasion techniques."

They still use the same malware, which has undergone only minimal changes, and they still deliver it as ZIP file attachments to emails sent to their targets.

The PDFs that serve as cover for the background installation of the malware are an invitation to, and the agenda of, a conference sponsored by the National Defense Industrial Association, which covers a number of industries the Chinese government has singled out as crucial to the country's economic growth, as well as a legitimate document containing a presentation on future US military training technologies.

Analysis of the malicious file reveals that it was compiled less than two weeks ago, and that the comment type used is similar to that in the files analyzed by Mandiant. The only notable change is that the attackers have started using a more complex decryption key.

The domain on which the files were hosted was also tied to an IP address previously used by the Crew.

Despite all these discoveries, the researchers note that their observations are based on a single source of evidence, ThreatConnect, their crowd-sourced threat intelligence solution. "It is possible that there are other unknown instances of either new or undetected 'Comment Crew' capabilities, infrastructure, or activity," they concluded.
Copyright 1998-2014 by Help Net Security.