admin001 发布于 09月21, 2018

Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment

Chapter 1 Overview

1. Main Findings

Through research, 360 Helios Team has found that, since 2007, the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments, such as national defense, government, science and technology, education and maritime agencies. The group mainly targets military industry, Sino-US relations, cross-strait relations and ocean-related fields. It indicates that the group’s interest is similar to that of our previously published OceanLotus APT Group.

360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007. In the following 11 years, we have captured 13 versions of malicious code, involving 73 samples. In the initial attack, the Group mainly used spear phishing emails. Before the attack, the target was deeply investigated and carefully selected. Contents that are closely related to the target industry or field were used to construct the bait files and emails, such as specific conference materials, researches or announcements. The lure documents contain 10 vulnerable document samples, including a 0day vulnerability. Infections of this Trojan are distributed in 31 provincial-level administrative regions. The number of C&C domain names is 59 located in 4 different countries or regions according to the returned addresses.

In this cyber espionage campaign that lasted for 11 years in China, the following points in time are worthy of attention:

  • In December 2007, the Trojan associated with the group was first discovered. Involving marine related fields (suspected to be related to a large shipping company)
  • In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked
  • In February 2009, attacks against the military industry began (a well-known military journal magazine)
  • In October 2009, the Trojan added a special method of combating static scanning (API string reverse order), and the methods were used in most versions of Trojans and continued to be applied to 2018.
  • In December 2011, the Trojan added a special method to combat dynamic detection (error API parameters), and related methods were used in most versions of Trojans and continued to be applied to 2015.
  • In February 2012, the first modified version of backdoor 1 based on zxshell code was discovered. The key function is to steal document files such as .doc.ppt.xls.wps.
  • In March 2013, intense attacks were constructed targeting Chinese Academy of Sciences and a number of national ministries and commissions in the fields of science and technology, maritime affairs, etc.
  • In October 2013, carried out watering hole attack on a Chinese government website
  • In May 2014, the revolted version 2 of zxshell modified version of Backdoor 1 was discovered. In addition to the function based on the modified version 1, the search for keywords such as "military (军)", "aviation (航)", and "report (报告)" was added.
  • On September 12, 2014, events and samples related to CVE-2014-4114 (0day vulnerability) were first discovered.
  • On October 14, 2014, iSIGHT released the relevant report and disclosed CVE-2014-4114 (0day vulnerability). On the same day, Microsoft released relevant security bulletins.
  • On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
  • In October 2017, the CVE-2017-8759 vulnerability document was used to initiate a spear phishing attack on a large media agency website and an individual working in Quanzhou.
  • In April 2018, the 360 Threat Intelligence Center disclosed the attack malicious code of the group, exploring CVE-2017-8759.
  • In May 2018, the actor launched attacks against several maritime organizations such as shipbuilding companies and port operating companies.

Note: The above first attack time is based on the existing statistics we have. It does not mean that we have known all the attacks and behaviors of the organization.

2. About the Codename of the Group

Since 2015, APT researches in China has gradually started and accelerated. Following the exposure of APT organizations such as “OceanLotus” and “LanBao Mushroom”, the Poison Ivy Group (APT-C-01) is another APT organization that launches persistent attacks targeting government, military, and maritime organizations and stealing sensitive information.

This cyberespionages group was independently discovered by 360 and was first disclosed previously with part of the information. The code-naming is in line with 360’s naming standard for APT organizations.

360 Threat Intelligence Center named the APT-C-01 organization "Poison Ivy", mainly considering the following factors: First, the organization used Poison Ivy Trojans in several attacks. Second, the attack organization used the Cloud disk as a springboard to transmit information. This is similar to the feature of vines that can climb across the wall. According to the 360 Threat Intelligence Center's naming rules for APT organizations (see the report: China APT Annual Report 2016). Considering the common vine plants in the associated areas of the Group, APT-C-01 is named "Poison Ivy".

In addition, Antiy Lab revealed the APT organization "Green Spot" on September 19, 2018. According to the mutual recognition agreement between 360 Threat Intelligence Center and Antiy Lab, the “Poison Ivy” (APT-C-01) and “Green Spot” are different names for the same group. Therefore, we have also announced our discovery.  

Chapter 2 Purposes and Victims

1. Purposes

The main purpose of the attacks is to steal data from the Chinese government and scientific research institutions, which are mainly documents. The following keywords and extension are what the actor searched for :

  • Key words:

阅读全文 »

admin001 发布于 08月17, 2018

NEO Smart Contract Platform Runtime_Serialize Calls DoS

Zhiniang Peng from Qihoo 360 Core Security

NEO is a non-profit, community-based blockchain project. It is a distributed network that uses blockchain technology and digital identity for asset digitization. It is also an intelligent management of digital assets using intelligent contracts to create “Smart Economy”. At present, NEO’s market capitalization ranks fifteenth in the world in coinmarket, being one of the remarkable blockchain projects. We found a Denial of Service vulnerability in the NEO smart contract platform which attacker could use to instantly crash the entire neo network.

阅读全文 »

admin001 发布于 08月16, 2018

NEO智能合约平台Runtime_Serialize调用拒绝服务漏洞

Zhiniang Peng from Qihoo 360 Core Security

NEO是一个非盈利的社区化的区块链项目。它是利用区块链技术和数字身份进行资产数字化,利用智能合约对数字资产进行自动化管理,实现“智能经济”的一种分布式网络。目前Neo市值在coinmarket上排名全球第十五,是备受关注的区块链项目之一。我们在neo智能合约平台中发现一处拒绝服务漏洞,攻击者可利用该漏洞在瞬间使得整个neo网络崩溃。

阅读全文 »

admin001 发布于 08月15, 2018

数字加密货币交易软件APT攻击简报

APT-C-26(Lazarus 音译”拉撒路”)是从2009年以来至今一直处于活跃的APT组织,据国外安全公司调查显示,该组织最早的攻击可能和2007年针对韩国政府网站大规模DDOS攻击的“Operation Flame”行动相关,同时可能是2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件和2017年席卷全球的“Wannacry”勒索病毒等著名攻击事件的幕后组织。2017年以来,该组织将攻击目标不断扩大,日趋以经济利益为目的,从针对全球的传统金融机构银行系统进行攻击,开始转向于针对全球加密货币组织和相关机构以及个人进行攻击。

阅读全文 »

admin001 发布于 08月15, 2018

Brief Analysis on APT Attack through Cryptocurrency Trading Software

APT-C-26 is an APT group that has been active since 2009. According to the research by an overseas security vendor, the group’s earliest attack may be associated with the “Operation Flame” which was a large-scale DDOS attack on Korean government’s website in 2007. Lazarus may also be the group behind the hacking incident of Sony Pictures in 2014, the data breach of the Bank of Bangladesh in 2016 and other infamous attacks such as the “Wannacry” ransomware that swept across the globe in 2017. Since 2017, the group has been expanding its targets of attack and increasingly aimed at economic interests. In earlier attacks, the group mainly targeted the banking system of traditional financial institutions. Now, it has begun to attack global cryptocurrency organizations and related individuals.

阅读全文 »