China-Linked APT15 used new backdoors in attack against UK Government’s service provider

Pierluigi Paganini March 12, 2018

China-Linked APT15 used new backdoors is an attack that is likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

Last week Ahmed Zaki, a senior malware researcher at NCC Group, presented at the  Kaspersky’s Security Analyst Summit (SAS), details of a malware-based attack against the service provider for the UK Government launched by the APT15 China-linked group (aka Ke3chang, Mirage, Vixen Panda and Playful Dragon).

“In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.” reads a blog post published by NCC Group.

NCC stop the investigation in June 2017 on explicit request of the victim but resumed it in August after the APT15 hackers managed to regain access to the victim’s network.

“APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.” continues the analysis.

The attack is likely part of a wider operation aimed at contractors at various UK government departments and military organizations.

APT15 has been active since at least 2010, it conducted cyber espionage campaigns against targets worldwide.  The attackers demonstrated an increasing level of sophistication across the years, they used a custom-malware and various exploits in their attacks.

NCC Group recently spotted two new backdoors used by the group along with malware already associated with the APT15.

“During our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS.” continues NCC Group.

“The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines.”

One of the backdoors has been tracked as RoyalCLI due to a debugging path left in the binary, it is the successor of BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with command and control (C&C) servers via Internet Explorer using the COM interface IWebBrowser2.

The attackers utilized Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server, once executed the command the backdoor returns output through DNS.

Further information, including the IoCs, are available in the post.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APT15, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment