IXESHE Campaign Actors Zero in on East Asian Governments and Industries
May 22, 2012
Download the full research paper: IXESHE: An APT CampaignThe number of targeted attacks is undoubtedly on the rise. These highly targeted attacks focus on individual organizations in an effort to extract valuable information. In many ways, this is a return to the “old hacking days” before more widespread attacks targeting millions of users and the rise of computer worms came about. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals.
Trend Micro continues to track and analyze highly targeted attacks, also known as “advanced persistent threats (APTs).” We have, in fact, published two research papers on the Luckycat and Lurid campaigns. This research paper will delve into another prominent group of attackers referred to as “IXESHE” pronounced “i-sushi”), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a telecommunications company.
The IXESHE campaign makes use of targeted emails with malicious attachments to compromise victims’ systems. The emails are often tailored for specific victims and contain malicious attachments that are almost always “weaponized”. PDF files with known exploits that drop malware executables onto targeted systems. In addition, the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits—one in 2009 and another in 2011.
The IXESHE attackers almost always make use of compromised servers as command-and-control (C&C) servers. In some cases, the compromised servers are hosted on target organizations’ networks after successful infiltration so the attackers can increase their control of the victims’ infrastructure. Using this approach, the attackers amassed at least 60 C&C servers over time. This technique also allows the attackers to cover their tracks, as having the C&C server in the victims’ corporate networks means very little C&C traffic leaves them. The attackers’ deliberate use of compromised machines and dynamic Domain Name System (DNS) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals.
Looking at threat intelligence derived from tracking APT campaigns over time primarily based on the network traffic generated by the malware used, we were able to develop indicators of compromise for the IXESHE campaign. The malware samples used in this campaign were not very complicated by nature but do give the attackers almost complete control over their targets’ compromised systems.
IXESHE Quick Profile:
The IXESHE campaign has been actively staging targeted attacks since at least July of 2009.
Victims and Targets:
IXESHE has been found to target electronics manufacturers, a telecommunications company, and East Asian governments.
IXESHE attacks used custom-fit targeted emails with PDF exploits for CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, and CVE-2011-0611. These were used to drop malicious executable files that gave the attackers complete control of their targets’ systems.
The attackers used either dynamic Domain Name System (DNS) or compromised servers hosted on networks that they previously successfully infiltrated.
Possible Indicators of Compromise
Below is a list of the components of the Safe campaign.
- Enters networks via a specially crafted, targeted email with a malicious file attachment
- Uses document exploits (primarily PDF exploits) to drop malware onto target systems
- Uses malware detected as IXESHE by security companies
- Sends a GET request to the command-and-control (C&C) server with the format: http://[C&C Server]/[ACD] [EW]S[Some Numbers].jsp?[Encrypted Base64 Blob]
*The campaign codes we have seen so far are detailed in the Trend Micro research paper, “IXESHE: An APT Campaign.” The characteristics highlighted in this APT campaign quick profile reflect the results of our investigation as of May 2012.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.