China-linked APT group tracked as APT3 (aka Buckeye, APT3, UPS Team, Gothic Panda, and TG-0110) was using a tool attributed to the NSA-linked Equation Group more than one year prior to Shadow Brokers leak,
In May 2017, researchers at threat intelligence firm Record Future discovered a clear link between APT3 cyber threat group and China’s Ministry of State Security.
The APT3 cyberespionage group had been active since at least 2009 and its last operation was uncovered in mid-2017.
In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT) which exploited a then 0-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3 and described them as “one of the most sophisticated threat groups” being tracked at the time.
Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong.
In November 2017, US authorities charged three China-based hackers for stealing sensitive information from US-based companies, including Siemens AG, and accessing a high-profile email account at Moody’s.
The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec.”
Buckeye’s arsenal included several pieces of malware, one of which is the popular DoublePulsar NSA-linked implant and an exploit tool dubbed Bemstour.
The DoublePulsar exploit was released publicly in April 2017 by ShadowBrockers hackers that allegedly stole them from the NSA.
The hackers leaked a huge trove of hacking tools and exploit codes used by the US intelligence agency, most of Windows exploits were addressed by Microsoft the month before.
DoublePulsar is sophisticated SMB backdoor that could allow attackers to control the infected systems since its leak it was working on almost any Windows system except on devices running a Windows Embedded operating system.
Now Symantec revealed that its experts found evidence that Buckeye group used a variant of
The version of DoublePulsar used by Buckeye is newer than the one in the Shadow Brokers dump.
Since March 2016, Buckeye began delivering an early variant of the DoublePulsar implant using the Trojan.Bemstour tool.
“Beginning in March 2016, Buckeye began using a variant of
“Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak.”
The Bemstour tool exploits two Windows vulnerabilities to get remote kernel code execution on the victim’s machine. The first flaw, tracked as CVE-2019-0703, is a Windows zero-day issue discovered by Symantec. The second flaw, tracked as CVE-2017-0143, is a Windows vulnerability addressed by the tech giant in March 2017 after it was found exploited by the NSA linked exploits EternalRomance and EternalSynergy.
How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak?
“Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from
The mystery around Buckeye is not ended here, despite the APT group apparently ceased its operations since mid-2017, its
“Mystery also surrounds the continued use of the exploit tool and DoublePulsar after Buckeye’s apparent disappearance.” continues the analysis. “It may suggest that Buckeye retooled following its exposure in 2017, abandoning all tools publicly associated with the group. However, aside from the continued use of the tools, Symantec has found no other evidence suggesting Buckeye has retooled. Another possibility is that Buckeye passed on some of its tools to an associated group,”
| [adrotate banner=”9″] ||[adrotate banner=”12″]|