New APT1/Comment Crew Indicators by John Pierce

StealthWatch Labs has uncovered a new set of technical indicators associated with the APT1 attacks that have not been published in another forum as far as we are aware.

Mandiant’s recent report on APT1 was a watershed event that has significantly raised awareness about the threat of state-sponsored computer network intrusions. Of course, the first thing that everyone wants to know is whether or not these attacks impacted their networks.

Along with the report, Mandiant provided a very valuable collection of technical information that can be used to answer that question. These “indicators of compromise” include MD5 hashes of the malicious software that was used in the attacks, as well as the domain names that the attackers used to control that software. More data was published by Symantec, who refer to this adversary as the “Comment Crew.” Symantec’s data set also included IP address information. 

Through analyzing the data disclosed by Mandiant and Symantec, StealthWatch Labs has unearthed some additional technical indicators that were not previously reported.

These indicators are valuable because network operators can search through systems and log files to determine whether or not the indicators are present. It is unlikely that any of these malicious programs or their associated command and control systems will be used in the future, because they have been publicly disclosed. The attackers will likely use new malware and new command and control systems going forward. 

However, historical records of netflow, firewall logs, and DNS server logs may contain these indicators. Lancope Senior Systems Engineer Charles Herring wrote a great blog post on how to look for past compromises using these indicators and our product, StealthWatch. If you find these indicators in your netflow or log files, it may be the case that your network was previously compromised by APT1. Due to the persistent nature of these attacks, it is likely that if you were compromised in the past, your network may still be targeted now and in the future. Discovering these indicators can be an important starting point for a thorough forensic investigation.

Methodology

StealthWatch Labs has a collection of malware, as well as information about the command and control systems used by the malware in our collection. We searched our malware collection for the indicators of compromise that were disclosed by Mandiant and Symantec. This search uncovered several kinds of related information that had not been previously disclosed.

First, we uncovered additional domain names that were used for command and control by the malware samples that Mandiant and Symantec identified. Second, we uncovered a set of additional malware samples that used the same command and control systems as the samples disclosed by Mandiant and Symantec. It is likely that these malware samples are associated with the same attacks because they used the same command and control infrastructure. Third, we uncovered some new IP addresses associated with these command and control systems that have not been previously disclosed.

Here are the first two new indicator sets:

New Domain Names:

adobeservices.info.tm
express.it.cx
freewave.us.to
news.lflinkup.org
public.ddns.us

New sample MD5s:


IP Address Information

The new IP addresses require some further explanation. IP address information associated with malware command and control can be particularly valuable for searching through netflow and firewall logs. However, the IP addresses associated with malware can change rapidly, as can the nature of the services offered at a particular address.

At the time that the Mandiant report was released, many of the domain names included in their data set resolved to IP addresses associated with popular shared hosting or email services. This is a common tactic among malware operators. A malware operator might want to infect a host many months before they intend to take control of it. However, every time the malware reaches out over the network to talk to its command and control system, there is a risk that the infection will be discovered.

Pointing command and control domain names at popular destination addresses helps keep infected hosts hidden from network administrators. As lots of activity on a given network is directed at these popular destinations, it may be difficult to pick out activity associated with malware infections. When the malware operator is ready to start using the malware, the domain names get pointed at systems under his control. Later, the domain names are pointed back at popular destinations again, making the malware dormant. 

Our malware information includes some IP addresses that these command and control domain names were associated with in the past. This historical IP address information is more likely to represent the real command and control hosts than the IP addresses that many of these domain names currently resolve to. However, some of these addresses may, in fact, be associated with legitimate services. 

We are maintaining a full list of IP addresses that we have associated with APT1/Comment Crew here. To create this list, we started with the IP addresses in the Symantec data set, and the IP addresses that the domain names in the Mandiant data set were resolving to at the time the Mandiant data was disclosed. We have removed a number of addresses associated with popular shared hosting services from that initial list, and added in our new IP address data. This list is subject to change as we find new addresses or remove addresses that we feel are poor indicators of a previous compromise.  
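As an added example (not Lancope's own code), the list-building procedure above in Python over constructed passive-DNS records: every historical resolution of the post's domains is added, addresses that also served several unrelated domains are dropped as shared hosting, and domains currently parked at such an address are flagged as dormant. The seed list, the threshold of three unrelated tenants, all dates and the 198.51.100.x / 203.0.113.x addresses are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen).
# Domains are from this post; dates and the 198.51.100.x / 203.0.113.x
# addresses are made up. 12.38.236.32 is on the post's new-IP list.
PDNS = [
    ("express.it.cx",     "12.38.236.32", "2012-03-01", "2012-06-30"),
    ("express.it.cx",     "198.51.100.7", "2012-07-01", "2013-02-19"),
    ("freewave.us.to",    "198.51.100.7", "2012-07-01", "2013-02-19"),
    ("news.lflinkup.org", "203.0.113.40", "2012-09-12", "2012-12-02"),
    # unrelated tenants that make 198.51.100.7 look like shared hosting
    ("shop.example",      "198.51.100.7", "2011-01-01", "2013-02-19"),
    ("blog.example",      "198.51.100.7", "2011-05-01", "2013-02-19"),
    ("forum.example",     "198.51.100.7", "2012-01-01", "2013-02-19"),
]
C2_DOMAINS = {"express.it.cx", "freewave.us.to", "news.lflinkup.org"}
SEED_IPS = {"203.0.113.9"}  # stand-in for a third-party list such as Symantec's

def shared_hosting_ips(pdns, c2_domains, threshold=3):
    """IPs that also served at least `threshold` domains outside the C2 set."""
    tenants = defaultdict(set)
    for dom, ip, _, _ in pdns:
        tenants[ip].add(dom)
    return {ip for ip, doms in tenants.items()
            if len(doms - c2_domains) >= threshold}

def build_c2_ip_list(c2_domains, seed_ips, pdns, threshold=3):
    """{ip: sorted C2 domains} worth hunting for in netflow/firewall logs.
    Starts from seed_ips, adds every historical resolution of a C2 domain,
    then drops shared-hosting addresses (poor indicators: lots of
    legitimate traffic goes there too)."""
    shared = shared_hosting_ips(pdns, c2_domains, threshold)
    candidates = {ip: set() for ip in seed_ips}
    for dom, ip, _, _ in pdns:
        if dom in c2_domains:
            candidates.setdefault(ip, set()).add(dom)
    return {ip: sorted(doms) for ip, doms in candidates.items()
            if ip not in shared}

def dormant_domains(c2_domains, pdns, threshold=3):
    """C2 domains whose most recent resolution is parked at shared hosting,
    i.e. the implant is idle and the domain is currently a weak indicator."""
    shared = shared_hosting_ips(pdns, c2_domains, threshold)
    latest = {}
    for dom, ip, _, last_seen in pdns:
        if dom in c2_domains and (dom not in latest or last_seen > latest[dom][0]):
            latest[dom] = (last_seen, ip)
    return sorted(dom for dom, (_, ip) in latest.items() if ip in shared)
```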

New IP Addresses:

12.38.236.32 
71.6.141.230
72.240.45.65 
203.231.234.23
202.64.109.187
223.25.233.36
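An added example, not from the original post, of the log search described at the start of the post using the domain and IP indicators above. The BIND-style DNS query log format, the comma-separated flow record layout, and the internal hosts and timestamps are assumptions.

```python
import re
# Indicator sets published in this post (domains and IPs).
APT1_DOMAINS = {"adobeservices.info.tm", "express.it.cx", "freewave.us.to",
                "news.lflinkup.org", "public.ddns.us"}
APT1_IPS = {"12.38.236.32", "71.6.141.230", "72.240.45.65",
            "203.231.234.23", "202.64.109.187", "223.25.233.36"}

# Constructed sample logs (made-up hosts/times; 198.51.100.10 is benign filler).
DNS_LOG = """\
22-Feb-2013 09:14:02.113 client 10.1.4.22#49201: query: www.lancope.com IN A + (10.1.4.1)
22-Feb-2013 09:14:05.771 client 10.1.4.22#49202: query: express.it.cx IN A + (10.1.4.1)
22-Feb-2013 09:20:41.004 client 10.1.7.9#51330: query: update.freewave.us.to IN A + (10.1.4.1)
22-Feb-2013 09:21:00.500 client 10.1.7.9#51331: query: notfreewave.us.to IN A + (10.1.4.1)
""".splitlines()
NETFLOW = """\
10.1.4.22,72.240.45.65,80,5120
10.1.4.22,198.51.100.10,443,2048
10.1.7.9,203.231.234.23,443,900
""".splitlines()
QUERY_RE = re.compile(r"client ([\d.]+)#\d+: query: (\S+) IN")

def domain_matches(qname):
    """Exact or subdomain match only, so 'notfreewave.us.to' does not hit."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in APT1_DOMAINS)

def scan_dns_log(lines):
    """BIND-style query log -> [(internal host, queried name)]."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group(2)):
            hits.append((m.group(1), m.group(2).rstrip(".")))
    return hits

def scan_netflow(lines):
    """Flow records 'src,dst,dst_port,bytes' -> [(src, dst, dst_port)]."""
    rows = [line.strip().split(",") for line in lines]
    return [(src, dst, int(port)) for src, dst, port, _ in rows if dst in APT1_IPS]

def suspect_hosts(dns_lines, flow_lines):
    """Internal host -> evidence. A domain hit is stronger than an IP hit,
    since some historical C2 addresses may also host legitimate services."""
    evidence = {}
    for host, name in scan_dns_log(dns_lines):
        evidence.setdefault(host, []).append(("domain", name))
    for src, dst, port in scan_netflow(flow_lines):
        evidence.setdefault(src, []).append(("ip", f"{dst}:{port}"))
    return evidence
```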

Geolocating APT1

While Mandiant did a good job attributing these attacks to China, it is important to note that the attacker doesn’t have to run his command and control infrastructure in his country of origin. Most of the command and control servers we have observed were located in the United States. This is actually an expected result. When executing a targeted attack, the attacker wants his communications to go unnoticed. The best way to do that is to make the traffic look innocuous. 

The command and control communications associated with these malware samples tend to use common ports like TCP 80 (HTTP) and to use servers located in the target country or in a country that would not raise red flags. If you are directly accessing a target server in the United States from a country like China or Romania, you are much more likely to be noticed than you would be attacking from the United States. Here is the geographic breakdown of our full list of APT1 C&C IPs.

Figure: APT1 C&C IP address geolocation (SLIC map)

Lancope would like to thank the Georgia Tech Information Security Center for their assistance in preparing this report.