Researchers from Invincea Labs and ThreatGrid dissected a sophisticated spear-phish aimed at a high-profile target
within America’s Defense and Intelligence community on July 20th. Based on our analysis, we believe a new, active and sustained campaign directed against the US defense industrial base was started within the past two weeks. The campaign demonstrates hallmarks of a persistent adversary: multiple attack methods have been utilized, including spear-phish emails, in what we believe is an attempt to gain a beachhead on defense contractor networks.
It is well known that these communities represent one of the most desired targets for motivated nation state actors. While we cannot determine with certainty the country of origin, our analysis suggests nation state involvement. The fact that this campaign is underway is not surprising – these communities face a relentless onslaught, and recent public disclosures highlight this fact. Also not surprising is that the adversary is using spear-phishing as an entry point. A large percentage of the high-profile breaches disclosed over the past 18-24 months included spear-phishing elements (e.g., Night Dragon, Google, RSA, Oak Ridge National Labs). Spear-phishing attacks are on the rise as adversaries look for the path of least resistance – preying on human curiosity to make the user an unwitting accomplice in the breach of the network.
The information presented by Invincea Labs and ThreatGrid provides a look into an active campaign – we present it in the interest of transparency for the security community and as a warning notice to the Defense Industrial Base. Prior to releasing this information, both organizations contacted the appropriate authorities and are working to contact the potential targets of this attack. Because of sensitivities around an active, ongoing campaign against Defense and Intelligence contractors, we are not publicly disclosing identifying information such as IP addresses, domains, and URLs that are signatures of this attack.
Summary of Attack
The attack starts as an in-bound spear-phish to individuals in the Defense Industrial Base, purporting to come from the US Intelligence Advanced Research Projects Activity (IARPA). The spear-phish contains a URL to a zip archive file holding a roster of Defense Industrial Base attendees at an IARPA Program conference. The roster is a genuine list of 163 senior-level executives who participated in a recent IARPA Project Day, including Directors, Presidents, and CEOs of premier defense and intelligence companies.
- Once the attachment is opened, it presents the promised roster while running another program it extracted: a custom http client that beacons to a server and then signals how long it will sleep. It adds itself to the list of programs that run at system startup.
- After a reboot, the custom http client initiates a GET request to a command & control server. The returned HTML page carries an encoded blob. The client decodes this blob in memory to produce a new program, which it writes to the user’s disk. This program is a remote command & control Trojan. Since the encoded program is hosted on a web server, it can be updated over time with more sophisticated versions.
- The new Trojan gives the adversary complete control of the victim machine. It also changes Internet Settings in the registry to bypass any local proxy settings that may be in place (e.g., for security). It also has a built-in capability to update the Root Certificates list, which can aid Man-in-the-Middle attacks against SSL-based sessions the user may engage in.
- There are other indicators that this attack is part of a larger campaign in which multiple organizations are targeted. A file with similar characteristics but a different type was uploaded to an online analysis platform, and its outbound URLs follow the same format as the beaconing URLs presented here.
Detailed Analysis of Attack
- A targeted email is sent and appears to come from an attendee of a recent meeting.
- The URL appears to be a subdomain of a domain that has a permanent redirect to a legitimate research project website.
- Once the user opens the attachment, a dropper program runs that extracts and presents the promised roster (Figure 2), while running a custom http client it also extracted.
- The custom http client then initiates a beacon over http to one of two URLs that resolve to the same server IP address. The beacon includes a timestamp, the hostname, and the IP address of the compromised host in the GET request. The http client also forges the User-Agent header of the GET request, supplying a false user agent name, and uses the request to post information about the host.
- The server is also used to host a number of manufactured domains that look legitimate so monitored outbound traffic will not attract attention.
- Past history in APT campaigns (e.g., NightDragon) indicates that the organizations on the roster may be direct targets of this campaign as well.
- The custom http client beacons out on regular intervals.
- On reboot, the dropper initiates a GET request to one of two domains. An encoded string is returned from an HTML page.
- A memory analysis of the dropper executable showed that the string was decoded to create a new executable, which is then written to disk. This new executable is the payload of the original attack and provides remote command and control for the adversary. The metadata associated with the file shows an attempt to disguise it as a legitimate driver.
- From the executable dump we were able to obtain a URL that appears to be the Command & Control server for the new malicious command and control executable that is created.
- On execution, the remote Trojan modifies the Internet Settings in the registry in order to bypass any local proxy settings that may be in place. It also has the ability to update the Root Certificates list on the host. Analysis has not been performed to determine whether the file is signed with an authorized certificate.
- The Trojan initiates outbound communications over SSL to a new URL.
- The Trojan has the following capabilities:
- File transfer/download
- Remote Command Shell access
- Start or stop a service
- Start a downloaded file as a service
- Query for system information, file attributes, etc.
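A detection sketch for the beaconing behaviour described above (near-constant request interval, and a GET query that carries the compromised host's own IP and a timestamp), written as an added example; it is not code from the post or from Invincea/ThreatGrid. The log format, hostnames and IP addresses are constructed placeholders, since the real indicators are withheld.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log (not from the original post, whose real beacon URLs are withheld).
# Fields: epoch, client IP, method, URL, user agent (the UA may contain spaces).
SAMPLE_LOG = """\
1311177600 10.0.0.5 GET http://c2.example.invalid/b?ts=1311177601&h=WS01&ip=10.0.0.5 Mozilla/4.0 (compatible; MSIE 6.0)
1311181200 10.0.0.5 GET http://c2.example.invalid/b?ts=1311181200&h=WS01&ip=10.0.0.5 Mozilla/4.0 (compatible; MSIE 6.0)
1311184800 10.0.0.5 GET http://c2.example.invalid/b?ts=1311184802&h=WS01&ip=10.0.0.5 Mozilla/4.0 (compatible; MSIE 6.0)
1311188400 10.0.0.5 GET http://c2.example.invalid/b?ts=1311188400&h=WS01&ip=10.0.0.5 Mozilla/4.0 (compatible; MSIE 6.0)
1311177650 10.0.0.7 GET http://news.example/ Mozilla/5.0 (Windows NT 6.1; rv:5.0)
1311179900 10.0.0.7 GET http://news.example/story?id=42 Mozilla/5.0 (Windows NT 6.1; rv:5.0)
"""

def parse(log):
    """Split each line into (epoch, client_ip, method, url, user_agent)."""
    rows = []
    for line in log.splitlines():
        ts, src, method, url, ua = line.split(None, 4)
        rows.append((int(ts), src, method, url, ua))
    return rows

def find_beacons(rows, min_hits=4, max_jitter=0.1):
    """Return {(client_ip, host): [reasons]} for pairs showing the beacon traits in the
    post. Hostname matching would need an asset inventory and is left out here."""
    per_pair = defaultdict(list)
    for ts, src, _method, url, _ua in rows:
        per_pair[(src, urlsplit(url).hostname)].append((ts, url))
    findings = {}
    for (src, host), hits in per_pair.items():
        if len(hits) < min_hits:
            continue  # too few requests to judge periodicity
        reasons = []
        times = sorted(ts for ts, _url in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        # one gap is trivially "regular", so require at least two before scoring jitter
        if len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            reasons.append("periodic: every ~%ds" % mean(gaps))
        leaks = set()
        for ts, url in hits:
            for _key, value in parse_qsl(urlsplit(url).query):
                if value == src:
                    leaks.add("query carries client IP")
                elif value.isdigit() and abs(int(value) - ts) <= 300:
                    leaks.add("query carries timestamp")
        reasons.extend(sorted(leaks))
        if reasons:
            findings[(src, host)] = reasons
    return findings
```

Run `find_beacons(parse(SAMPLE_LOG))` to see the flagged client/host pair; the jitter threshold and minimum hit count are tuning knobs, not fixed properties of this malware.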
The post Dissecting an Active Campaign Targeting America’s Defense Industrial Base and Intel Communities appeared first on Invincea.