In 2010, security firm FireEye identified the Pirpi Remote Access Trojan (RAT) which exploited a then 0-day vulnerability in Internet Explorer versions 6, 7 and 8.
Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong — and everyone has been trying to figure out who they are. APT3 functions very differently than 3LA, the former Chinese military hacking organization leading to the assumption that APT3 is not part of the military complex. At least not officially.
In May 2017, researchers at threat intelligence firm Record Future discovered a clear link between
The APT3 has developed a collection of exploits and tools dubbed ‘UPSynergy,’ many of which appear to be based on malicious code belonging to the NSA’s Equation Group APT.
How did APT3 obtain these tools and exploits?
Researchers from Check Point, with the intent of expanding Symantec’s research, conducted a deep analysis of the Bemstour exploitation tool used by the Equation Group APT. The researchers believe that APT3 developed its own version of an Equation group exploit by using captured network traffic.
“The threat group known as APT3 recreated its own version of an Equation group exploit using captured network traffic,” reads the analysis, published by Check Point. “We believe that this artifact was collected during an attack conducted by the Equation Group against a network monitored by APT3, allowing it to enhance its exploit arsenal with a fraction of the resources required to build the original tool
The experts discovered that APT3 developers were able to make a reverse engineering of the tool and improved it by adding an additional zero-day exploit
The original version of
The Equation Group solved this problem chaining the
APT3 solved the same problem by using a new zero-day information leak exploit that integrated into the
The APT3 leveraged on the zero-day flaw tracked as CVE-2019-0703, it is an information disclosure vulnerability that exists in the way the Windows SMB Server handles certain requests.
“The group attempted to develop the exploit in a way that allowed it to target more Windows versions, similar to what was done in a parallel Equation group exploit named EternalSynergy. This required looking for an additional 0-day that provided them with a kernel information leak. All of this activity suggests that the group was not exposed to an actual NSA exploitation tool, as they would then not need to create another 0-day exploit.” continues the analysis. “We decided to name APT3’s bundle of exploits UPSynergy, since, much like in the case of Equation group, it combines 2 different exploits to expand the support to newer operating systems.”
The EternalRomance exploit was used by both NSA and the APT3 group to deploy the DoublePulsar tool.
Check Point researchers noted that
“If network traffic was indeed used by the group as a reference, the traffic was likely collected from a machine controlled by APT3,” state Check Point researchers. “This means either a Chinese machine that was targeted by the NSA and monitored by the group, or a machine compromised by the group beforehand on which foreign activity was noticed. We believe the former is more likely, and in that case could be made possible by capturing lateral movement within a victim network targeted by the Equation Group.”
Experts pointed out that the U.S.
Evidence collected by
“It’s not always clear how threat actors achieve their exploitation tools, and it’s commonly assumed that actors can conduct their own research and development or get it from a third party,” Check Point concludes. “In this case we have evidence to show that a third (but less common) scenario took place – one where attack artifacts of a rival (i.e.
Further technical details, including IoCs, are reported in the analysis published by Check Point.