New APT1/Comment Crew Indicators
StealthWatch Labs has uncovered a new set of technical indicators associated with the APT1 attacks that have not been published in another forum as far as we are aware.
Mandiant’s recent report on APT1 was a watershed event that has significantly raised awareness about the threat of state sponsored computer network intrusions. Of course, the first thing that everyone wants to know is whether or not these attacks impacted their networks.
Along with the report, Mandiant provided a very valuable collection of technical information that can be used to answer that question. These “indicators of compromise” include MD5 hashes of the malicious software that was used in the attacks, as well as the domain names that the attackers used to control that software. More data was published by Symantec, who refer to this adversary as the “Comment Crew.” Symantec’s data set also included IP address information.
Through analyzing the data disclosed by Mandiant and Symantec, StealthWatch Labs has unearthed some additional technical indicators that were not previously reported.
These indicators are valuable because network operators can search through systems and log files to determine whether or not the indicators are present. It is unlikely that any of these malicious programs or their associated command and control systems will be used in the future, because they have been publicly disclosed. The attackers will likely use new malware and new command and control systems going forward.
However, historical records of netflow, firewall logs, and DNS server logs may contain these indicators. Lancope Senior Systems Engineer Charles Herring wrote a great blog post on how to look for past compromises using these indicators and our product, StealthWatch. If you find these indicators in your netflow or log files, it may be the case that your network was previously compromised by APT1. Due to the persistent nature of these attacks, it is likely that if you were compromised in the past, your network may still be targeted now and in the future. Discovering these indicators can be an important starting point for a thorough forensic investigation.
StealthWatch Labs has a collection of malware, as well as information about the command and control systems used by the malware in our collection. We searched our malware collection for the indicators of compromise that were disclosed by Mandiant and Symantec. This search uncovered several kinds of related information that had not been previously disclosed.
First, we uncovered additional domain names that were used for command and control by the malware samples that Mandiant and Symantec identified. Second, we uncovered a set of additional malware samples that used the same command and control systems as the samples disclosed by Mandiant and Symantec. It is likely that these malware samples are associated with the same attacks because they used the same command and control infrastructure. Third, we uncovered some new IP addresses associated with these command and control systems that have not been previously disclosed.
Here are the first two new indicator sets:
New Domain Names:
New sample MD5s:
IP Address Information
The new IP addresses require some further explanation. IP address information associated with malware command and control can be particularly valuable for searching through netflow and firewall logs. However, the IP addresses associated with malware can change rapidly, as can the nature of the services offered at a particular address.
At the time that the Mandiant report was released, many of the domain names included in their data set resolved to IP addresses associated with popular shared hosting or email services. This is a common tactic among malware operators. A malware operator might want to infect a host many months before they intend to take control of it. However, every time the malware reaches out over the network to talk to its command and control system, there is a risk that the infection will be discovered.
Pointing command and control domain names at popular destination addresses helps keep infected hosts hidden from network administrators. Because a large share of the activity on a given network is directed at these popular destinations, it can be difficult to pick out the traffic associated with malware infections. When the malware operator is ready to start using the malware, the domain names get pointed at systems under his control. Later, the domain names are pointed back at popular destinations again, making the malware dormant.
Our malware information includes some IP addresses that these command and control domain names were associated with in the past. This historical IP address information is more likely to represent the real command and control hosts than the IP addresses that many of these domain names currently resolve to. However, some of these addresses may, in fact, be associated with legitimate services.
We are maintaining a full list of IP addresses that we have associated with APT1/Comment Crew here. To create this list, we started with the IP addresses in the Symantec data set, and the IP addresses that the domain names in the Mandiant data set were resolving to at the time the Mandiant data was disclosed. We have removed a number of addresses associated with popular shared hosting services from that initial list, and added in our new IP address data. This list is subject to change as we find new addresses or remove addresses that we feel are poor indicators of a previous compromise.
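As an added illustration (not code from Lancope, StealthWatch Labs or the referenced blog post), the following Python builds an IP indicator list the way the paragraph above describes, dropping addresses that fall in popular shared-hosting ranges, and then searches netflow and DNS log lines for the remaining indicators. Every domain, address, range and log line below is a constructed placeholder, not a real APT1/Comment Crew indicator.

```python
import ipaddress
import re

# Constructed placeholder indicators (NOT the real APT1/Comment Crew set):
# reported C2 domains and the IPs they resolved to at disclosure time.
REPORTED_DOMAINS = {"c2.example.invalid", "update.example.invalid"}
DOMAIN_RESOLUTIONS = {
    "c2.example.invalid": "198.51.100.23",     # dedicated C2 host
    "update.example.invalid": "203.0.113.10",  # parked at a shared host
}
EXTRA_IPS = {"192.0.2.77"}  # e.g. addresses from a second vendor's data set
# Ranges belonging to popular shared hosting / email services (constructed).
SHARED_HOSTING = [ipaddress.ip_network("203.0.113.0/24")]

def build_ip_indicators(resolutions, extra_ips, shared_nets):
    """Union resolved IPs with the extra list, then drop shared-hosting space."""
    candidates = set(resolutions.values()) | set(extra_ips)
    return {ip for ip in candidates
            if not any(ipaddress.ip_address(ip) in net for net in shared_nets)}

# Constructed sample records in a simple "src -> dst" netflow export format.
NETFLOW = """\
2013-02-20T10:01:02 10.0.0.5:49213 -> 198.51.100.23:80 TCP 1420 bytes
2013-02-20T10:01:09 10.0.0.8:49220 -> 203.0.113.10:80 TCP 980 bytes
2013-02-20T10:02:11 10.0.0.5:49230 -> 192.0.2.77:443 TCP 3300 bytes
"""
# Constructed sample DNS server query log lines.
DNS_LOG = """\
2013-02-20T10:00:58 client 10.0.0.5 query c2.example.invalid A
2013-02-20T10:01:07 client 10.0.0.8 query mail.example.invalid A
"""

def scan_netflow(lines, ip_indicators):
    """Return (internal source, C2 destination) pairs that hit an indicator IP."""
    hits = []
    for line in lines.splitlines():
        m = re.search(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+", line)
        if m and m.group(2) in ip_indicators:
            hits.append((m.group(1), m.group(2)))
    return hits

def scan_dns(lines, domains):
    """Return (client, queried name) pairs for lookups of an indicator domain."""
    hits = []
    for line in lines.splitlines():
        m = re.search(r"client (\S+) query (\S+) ", line)
        if m and m.group(2).lower() in domains:
            hits.append((m.group(1), m.group(2)))
    return hits
```

The flow to 203.0.113.10 is deliberately not reported: with the domain parked at a shared host, that address would also match a great deal of legitimate traffic, which is exactly why such addresses are removed from the list.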
New IP Addresses:
While Mandiant did a good job attributing these attacks to China, it is important to note that the attacker doesn’t have to run his command and control infrastructure in his country of origin. Most of the command and control servers we have observed were located in the United States. This is actually an expected result. When executing a targeted attack, the attacker wants his communications to go unnoticed. The best way to do that is to make the traffic look innocuous.
The command and control communications associated with these malware samples tend to use common ports like TCP 80 (HTTP) and to use servers located in the target country or in a country that would not raise red flags. If you are directly accessing a target server in the United States from a country like China or Romania, you are much more likely to be noticed than you would be attacking from within the United States. Here is the geographic breakdown of our full list of APT1 C&C IPs.
Lancope would like to thank the Georgia Tech Information Security Center for their assistance in preparing this report.