Chinese Cyberattacks on European Governments

By Joshua Pisciotta

Within the past year there have been many instances of different Chinese hacker groups targeting eastern European nations. These Chinese groups include Storm-0558, Mustang Panda, APT31, and many others. Their aim is to gather information from government embassies by analyzing emails or exfiltrating files. Below are explanations of three examples of attacks by Storm-0558 and Mustang Panda, including a brief description of how each attack was carried out.

The Chinese hacker group Storm-0558 operates as an independent group that primarily targets US and European diplomatic, economic, and legislative government bodies (Microsoft Threat Intelligence). Its targets also include individuals connected to Taiwan and Uyghur geopolitical interests. The goal of a Storm-0558 campaign is usually to gain unauthorized access to the email accounts of individuals who work in the government bodies of European nations. They accomplish this by credential harvesting, phishing campaigns and OAuth token attacks. Storm-0558 is highly skilled at gathering information on and understanding the target's networking environment, login policies, authentication requirements, and policies and procedures.

Storm-0558 used an inactive MSA consumer signing key. According to TechTarget, the MSA key was stolen by the Chinese hackers by compromising a Microsoft engineer's account. This gave them access to the corporate network and the debugging environment where the key happened to be stored. Microsoft investigators said the MSA key ended up there by mistake, through a snapshot of a crashed process: a race condition allowed the MSA key to be present in the crash dump. A race condition occurs when multiple threads try to read and write a file at the same time. After Microsoft moved the crash dump to the debugging environment, its scanning methods did not detect the MSA key, so the key was left open for anyone on the corporate network to find.

The threat actors then used the key to forge Azure AD tokens. Tokens allow consumers to call protected Application Programming Interfaces (APIs); APIs are what connect pieces of software to one another. To prove identity, Azure AD tokens are signed with a private key, and the receiving party verifies the token with the corresponding public key. Token forgery is when a malicious user obtains a private key and uses it to create falsified tokens whose signatures are valid and will therefore be trusted. Storm-0558 used token forgery to gain access to OWA and outlook.com.
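The following is an added example, not code from the page or from Microsoft, showing why a valid signature alone is not enough: a token signed with a key that is known to the verifier but scoped to a different issuer (the consumer/enterprise mix-up described above) passes a signature-only check and fails a check that also enforces key scope, audience and expiry. The key names, issuer URLs and HMAC-based signing (real Azure AD tokens use RS256) are assumptions made to keep the example self-contained.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for a key set: key material plus the issuers each key may sign for.
# Real Azure AD tokens are RS256-signed; HMAC is used here only to keep the example self-contained.
KEYS = {
    "consumer-kid": {"secret": b"consumer-key-material",
                     "issuers": {"https://login.live.com"}},
    "enterprise-kid": {"secret": b"enterprise-key-material",
                       "issuers": {"https://login.microsoftonline.com/contoso"}},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a header.payload.signature token with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_signature(token: str):
    """Weak validation: any known key with a valid signature is accepted. Returns claims or None."""
    h, p, s = token.split(".")
    key = KEYS.get(json.loads(_b64url_decode(h)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))

def verify_strict(token: str, audience: str, now=None):
    """Hardened validation: signature, key scope (issuer the key may sign for), audience and expiry."""
    claims = verify_signature(token)
    if claims is None:
        return None
    kid = json.loads(_b64url_decode(token.split(".")[0]))["kid"]
    if claims.get("iss") not in KEYS[kid]["issuers"]:
        return None  # valid signature, but this key was never meant to sign for that issuer
    if claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims
```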

Once Storm-0558 gained access to the services, they used PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. REST (Representational State Transfer) APIs take advantage of preexisting protocols within an environment, most commonly HTTP for a Web API (Team Cleo). REST APIs are designed to be lightweight and flexible in enabling modern business connectivity. Once the connection was established, the Chinese threat actors downloaded emails and their attachments, located and downloaded conversations, and retrieved received-email folder information. These requests were then routed through a Tor proxy or several hardcoded SOCKS5 proxy servers. According to torproject.org, Tor routes encrypted traffic from the end user through at least 3 different servers before the packets arrive at the desired destination. According to whatismyipadress.com, a SOCKS5 proxy transfers network packets from an end user to the internet through a proxy server; it offers authentication, and most VPNs use SOCKS5. These proxy services help mask the identity of the threat actors. Storm-0558 only sought to access emails and exfiltrate data from Microsoft customers.

Storm-0558 is not the only Chinese hacker group that has attacked countries across Europe. Another group, whose handle is Mustang Panda, carried out an attack using a new custom backdoor called MQsTTang. The Slovak cybersecurity firm ESET started analyzing it in early 2021 (WAQAS). According to ESET, the attackers used decoy filenames resembling those from their own previous attacks, targeting European political organizations. MQsTTang was distributed by spear-phishing emails, and the payloads were downloaded from GitHub repositories. The MQsTTang executables were compressed in RAR archives named after diplomatic themes. RAR is an archive file format that supports data compression, error correction, and file spanning.

The executable performs malicious tasks such as enabling command-and-control communications and ensuring persistence. The malicious file uses the MQTT protocol for its command-and-control communications, which helps it evade defensive actions. The executable also hides the infrastructure the hackers use for passing communications, and it checks for debuggers and monitoring tools to avoid detection. According to TechTarget, MQTT is a lightweight open messaging protocol that provides a simple way to distribute telemetry information in low-bandwidth environments. It is widely used today as an open-source protocol for IoT devices. One of the main benefits of using MQTT is that it hides the command-and-control communication behind a broker, such as an IoT device.

When MQsTTang is executed, the malware launches a copy of itself with the number 1 as a command line argument (Cyr). As the process repeats, the argument is incremented by one on every run. When a specific value is reached, this flags the machine to execute a task. If any analysis tool or debugger is detected, MQsTTang skips to task 5, "Stop recursive execution." The first task to be executed is "Start C&C communication," at an argument value of 5. Mustang Panda uses this task to decide whether the time is worth the investment. Tasks 2 and 3 are almost the same thing: "Create copy and launch" and "Create persistence copy," launched when the counter reaches 9 and 32 respectively. They create a copy of the malware and save it to a hardcoded path, c:/users/public/vdump.exe or vcall.exe. Once the counter reaches 119, the malware executes task 4, "Establish Persistence." This creates a value named "qvlc" pointing to the file c:\users\public\vcall.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, so the malware executes at startup on the end user's machine.
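As an added example (not code from the page or from ESET), the persistence step above leaves a Run value whose target lives in a directory any local user can write to. The function below reviews Run-key values for that pattern; the sample values are constructed to mirror the "qvlc" / c:\users\public paths described above, and the list of user-writable directories is an assumption.

```python
# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values,
# as (value name, type, data) triples like a registry export would list them.
# Not captured from a real host; the "qvlc" and vdump.exe entries mirror the text above.
SAMPLE_RUN_VALUES = [
    ("OneDrive", "REG_SZ", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("qvlc", "REG_SZ", "c:\\users\\public\\vcall.exe"),
    ("Updater", "REG_SZ", "C:/Users/Public/vdump.exe --silent"),
    ("SecurityHealth", "REG_EXPAND_SZ", "%windir%\\system32\\SecurityHealthSystray.exe"),
]

# Assumed list of directories that any local user can write to; a Run value pointing
# into one of these is worth a closer look regardless of what the file is called.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def executable_path(data: str) -> str:
    """Strip quotes and arguments from a Run value's data and normalise separators and case."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:data.find('"', 1)]   # quoted path: everything up to the closing quote
    else:
        path = data.split(" ")[0]          # unquoted: first token, arguments follow the first space
    return path.replace("/", "\\").lower()

def find_suspicious_run_values(values):
    """Return the Run values whose executable sits under a user-writable directory."""
    findings = []
    for name, _type, data in values:
        path = executable_path(data)
        if path.startswith(SUSPICIOUS_DIRS):
            findings.append({"value": name, "path": path})
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"{hit['value']}: {hit['path']}")
```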

The last attack described here, also against Europe, was performed by Mustang Panda. On July 3rd, 2023, Check Point Research (CPR) published a report that the targets of this attack were eastern European countries including the Czech Republic, Slovakia, and Hungary. This attack campaign was named SmugX, and it used HTML smuggling to hide the PlugX malware. HTML smuggling is where the threat actor exploits HTML features to hide malicious content from automated content filters. Mustang Panda was able to gain information by using a technique called pixel tracking: when the remote image is requested, the attacker's server logs information including IP addresses and user agents. When that data is analyzed, the attacker can spy on the victim's behavior, such as when and where they opened a document (Check Point Research).

According to the Check Point Research blog, HTML smuggling is where malicious files are embedded within HTML documents, enabling them to evade network-based detection measures. When the smuggled JavaScript or ZIP file is downloaded, a chain of events occurs. First, the payload embedded in the HTML is decoded and saved to a JavaScript blob. Then a URL object is created from the blob using the function createObjectURL. After that, the download attribute supplies the desired filename. Lastly, the code simulates a user clicking on the link to start downloading the file. Once the malware establishes itself on the victim's computer, it starts the infection chain. There are two distinct chains: the SmugX Archive Chain and the SmugX JavaScript Chain. In the SmugX Archive Chain, a ZIP archive containing a malicious link is hidden inside the HTML document. This link executes PowerShell, which extracts the compressed archive files contained within the link and saves them to the %temp% directory. The directory contains three files: passwordgenterator.exe, roboform.dll and data.dat. PowerShell then runs the hijacked software, which triggers execution of the PlugX payload stored in data.dat. The second chain, the SmugX JavaScript Chain, uses HTML smuggling to download a JavaScript file. Once the JavaScript file is executed, an MSI file is downloaded from the malicious server and executed. The MSI then creates a new folder in the %appdata%\Local directory and stores the files it created there. These malicious files consist of a hijacked legitimate executable, the loader DLL, and an encrypted payload.
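Each step of the smuggling chain described above (decode, blob, createObjectURL, download attribute, synthetic click) leaves a recognisable call in the page source, which is what a content filter can look for. The static check below is an added example, not code from the page or from Check Point; the regexes, the indicator threshold of four, and the two sample pages (one with the full chain and a placeholder payload, one benign) are constructed assumptions.

```python
import re

# One regex per step of the smuggling chain described above, matched against raw page source.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_construct": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|download\s*=\s*['\"]", re.I),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A long base64 string literal is where the smuggled file itself usually sits.
LONG_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

def analyse_html(source: str) -> dict:
    """Score an HTML document: which chain steps are present and how large the embedded payload is."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    blobs = LONG_B64.findall(source)
    return {
        "indicators": hits,
        "embedded_payload_bytes": max((len(b) * 3 // 4 for b in blobs), default=0),
        # Assumed threshold: four of the five steps together is treated as the smuggling pattern.
        "verdict": "likely_html_smuggling" if len(hits) >= 4 else "benign_or_unknown",
    }

# Constructed sample page exercising the full chain; the "payload" is 400 chars of filler base64.
SMUGGLING_SAMPLE = """<html><body><script>
var payload = '%s';
var bin = atob(payload); var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'invoice.zip'; a.click();
</script></body></html>""" % ("QUJD" * 100)

# Constructed benign page: a plain download link, no decode/blob/click chain.
BENIGN_SAMPLE = "<html><body><a href='report.pdf' download='report.pdf'>Report</a></body></html>"
```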

DLL stands for Dynamic-Link Library; it is a shared library format created by Microsoft. A DLL behaves like a .exe file but promotes code reuse, efficient memory usage, and reduced disk space. As mentioned previously, the loader DLL is downloaded by the MSI file. The loader DLL is what executes a legitimate program, which in turn loads the malicious DLL. The DLL then decrypts the final payload, stored in a file called data.dat, using RC4 encryption. The final phase of SmugX is the use of PlugX malware. PlugX has been used by the Chinese since 2008. PlugX copies the legitimate program and the DLL and stores them inside a hidden file. The malware adds the legitimate program to the Run registry key in order to maintain persistence. PlugX then uses plugins to perform file theft, keystroke logging, screen captures, and command execution.

The Chinese hackers are very talented at creating attack methods and carrying them out. They are patient in reconnaissance, gathering enough information to learn how to exploit vulnerabilities. Most of these attacks could have been prevented with more awareness of security procedures and better handling of confidential information. The best example is the first attack described, by Storm-0558: if an employee had been aware that confidential password data was exposed on the open company network, it would have been reported and handled within minutes. Information security awareness is one of the best practices for preventing attacks in the future.

Works Cited

Ahmed, Deeba. “Chinese APT Group Hits Air-Gapped Systems in Europe with Malware.” Hack Read (2023). Website. 02 November 2023. <https://www.hackread.com/china-apt-group-gapped-systems-malware-europe/>.

—. “SmugX: Chinese Hackers Targeting Embassies in Europe.” Hack Read (2023). Website. 29 November 2023. <https://www.hackread.com/smugx-attack-chinese-hackers-europe/>.

Bernstein, Corinne, Alexander S. Gillis and Kate Brush. “MQTT (MQ Telemetry Transport).” Tech Target (2023). Website. 14 November 2023. <https://www.techtarget.com/iotagenda/definition/MQTT-MQ-Telemetry-Transport>.

Check Point Research. “Chinese Threat Actors Targeting Europe in SmugX Campaign.” Check Point Research (2023). Website. 29 November 2023. <https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/>.

Cyr, Alexandre Côté. “MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT.” We Live Security (2023). Website. 14 November 2023. <https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/>.

Microsoft Threat Intelligence. “Analysis of Storm-0558 techniques for unauthorized email access.” Microsoft Security (2023). Blog. 03 November 2023. <https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/>.

Team Cleo. “Understanding How to Utilize a REST API.” Cleo (n.d.). Website. 07 November 2023. <https://www.cleo.com/blog/blog-knowledge-base-what-is-rest-api#:~:text=A%20REST%20API%20works%20essentially,the%20loading%20of%20a%20webpage.>.

Waldman, Arielle. “How Storm-0558 hackers stole an MSA key from Microsoft.” TechTarget (2023). Article. 03 November 2023. <https://www.techtarget.com/searchsecurity/news/366551281/How-Storm-0558-hackers-stole-an-MSA-key-from-Microsoft>.

WAQAS. “Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft.” Hack Read (2023). Website. 14 November 2023. <https://www.hackread.com/chinese-group-storm-0558-hacked-europe-microsoft/>.
