APT15 Targets Major U.K. Government Contractor
APT15 (aka Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon) compromised the networks of an unidentified contracting firm that provides services to the U.K. government and military and stole a variety of sensitive documents, according to NCC Group research published over the weekend. Of particular interest, NCC Group says that the suspected state-sponsored hacking group has added a pair of backdoors to its arsenal: one identified as RoyalCli and another known as RoyalDNS. These new backdoors round out an arsenal that already included another backdoor, BS2005, which, like RoyalCli, communicates with its command-and-control (C2) server through the Internet Explorer COM interface IWebBrowser2. RoyalDNS, on the other hand, communicates with its C2 via DNS TXT records. Once on a victim's network, the group uses a variety of legitimate utilities to move laterally and carry out reconnaissance, including tasklist.exe, ping.exe, netstat.exe, net.exe, systeminfo.exe, ipconfig.exe, bcp.exe, and RemoteExec (similar to PsExec). The group also deploys keyloggers, Mimikatz, a network scanning and enumeration tool, WinRAR, and a customized SharePoint data-dumping tool called "spwebmember." NCC Group says that it discovered typographical errors in some of the group's commands, suggesting that the attacks are not automated but rather carried out manually. Researchers posted the associated IoCs on GitHub.
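Because RoyalDNS carries its C2 traffic in DNS TXT lookups, resolver logs are one place a defender can look for it. The script below is an added example written for this digest, not code from NCC Group or from the report: it parses constructed resolver log lines (timestamp, client IP, query type, query name; the hosts, domains and labels are made up, not indicators from the report) and flags clients that issue many TXT queries whose leading label looks like encoded data, measured by Shannon entropy. The thresholds (`min_txt=4`, `min_entropy=3.0`) and the log line layout are assumptions to be tuned for a real environment; ordinary TXT lookups such as SPF or DMARC records are low-entropy and infrequent, so they stay below the bar.

```python
"""Flag hosts whose DNS TXT query pattern resembles text-record C2 beaconing."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client-ip> <qtype> <qname>".
# Every value here is made up for the example; none is an indicator from the report.
SAMPLE_LOG = """\
2018-03-10T09:00:01Z 10.1.2.30 TXT a3f9c1d2e4b6.update.example-cdn.test
2018-03-10T09:00:31Z 10.1.2.30 TXT 7b0e22f1aa9c.update.example-cdn.test
2018-03-10T09:01:01Z 10.1.2.30 TXT 91dd4c0f8e73.update.example-cdn.test
2018-03-10T09:01:31Z 10.1.2.30 TXT c4e88a1b0d25.update.example-cdn.test
2018-03-10T09:02:01Z 10.1.2.30 TXT 5f6a2e9d7c18.update.example-cdn.test
2018-03-10T09:00:05Z 10.1.2.41 A www.example.test
2018-03-10T09:00:07Z 10.1.2.41 TXT _dmarc.example.test
2018-03-10T09:00:09Z 10.1.2.41 A mail.example.test
2018-03-10T09:03:00Z 10.1.2.52 TXT example.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def shannon_entropy(s):
    """Bits of entropy per character; encoded C2 payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_txt=4, min_entropy=3.0):
    """Per-client TXT statistics plus a 'suspicious' verdict (thresholds assumed)."""
    per_client = defaultdict(
        lambda: {"txt_count": 0, "labels": set(), "entropy_sum": 0.0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        _, client, qtype, qname = rec
        stats = per_client[client]  # register client even for non-TXT traffic
        if qtype != "TXT":
            continue
        first_label = qname.split(".")[0]  # the label a DNS C2 channel encodes into
        stats["txt_count"] += 1
        stats["labels"].add(first_label)
        stats["entropy_sum"] += shannon_entropy(first_label)

    results = {}
    for client, s in per_client.items():
        n = s["txt_count"]
        mean_entropy = s["entropy_sum"] / n if n else 0.0
        results[client] = {
            "txt_count": n,
            "distinct_labels": len(s["labels"]),  # beacons rarely repeat a label
            "mean_entropy": round(mean_entropy, 3),
            "suspicious": n >= min_txt and mean_entropy >= min_entropy,
        }
    return results


def suspicious_clients(log_text, **thresholds):
    """Sorted list of client IPs that meet both thresholds."""
    return sorted(
        c for c, r in analyze(log_text, **thresholds).items() if r["suspicious"]
    )


if __name__ == "__main__":
    for client, r in sorted(analyze(SAMPLE_LOG).items()):
        print(client, r)
```

On the sample log only 10.1.2.30 is flagged: five TXT queries, each with a distinct high-entropy leading label and a regular interval. The host that looked up a DMARC record and the one that queried the apex domain both fall below `min_txt`. Beacon timing regularity is a useful third signal that this example leaves out; the timestamps are parsed so it can be added.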
Necurs and Gamut Botnets Responsible for 97 Percent of Spam