Virus Bulletin 2019: Multi-year campaigns stretching back to at least 2014 have been seen using zero-days in region-specific software.
LONDON — Three separate, multi-year APT campaigns targeting region-specific software showcase a savvy technique of leveraging zero-day vulnerabilities in niche software in order to infect victims with malware.
According to researchers at JPCERT in Japan, speaking at Virus Bulletin 2019, both the APT17 and Bronze Butler threat groups have carried out ongoing campaigns that use the same techniques, swapping in new exploits as they are developed. The targets of the attacks are generally Japanese government agencies and organizations in specific verticals, including education, researchers said, with the most recent malicious activity seen in April 2019.
According to JPCERT researchers Tomoaki Tani and Shusei Tomonaga, the regional software targeted by the APTs includes Sanshiro (a spreadsheet application similar to Microsoft Excel that was discontinued in 2014 but is still used across Japan); Ichitaro (word-processing software similar to Microsoft Word); and SkySea Client View (an enterprise asset-management tool).
When it comes to Sanshiro, major campaigns from APT17 leveraged a zero-day exploit for an arbitrary code execution vulnerability (CVE-2014-0810), spread in malicious documents attached to spearphishing emails. The attack chain started when the user opened the software, and its endgame was delivery of the PlugX remote access trojan (RAT).
“This exploit was shared in several campaigns, and perhaps the actor was the same in all of them,” said Tani, speaking in a Wednesday session at Virus Bulletin 2019. “Further analysis showed that PlugX was used in other attacks, with each sample resolving to the same command-and-control server address.”
A similar effort targeted Ichitaro in a multi-year campaign, dubbed Blue Termite, that began in 2014. It affected more than 100 organizations across Japan; here, another zero-day code-execution exploit (CVE-2014-7247) was used in spearphishing campaigns to spread a triumvirate of malware: PlugX and two bots, Emdivi and Agtid. The bots can upload files to and download files from the victim’s computer.
Researchers suspect this attack is linked to an April 2019 effort targeting a vulnerability in Trend Micro’s Virus Buster Corporate Edition, which is popular in Japan.
In all cases, the campaigns were aimed at infiltrating target networks, moving laterally and stealing data, in classic APT fashion.
The takeaway from the research is that APT groups are actively targeting niche attack surfaces in hopes of flying under the radar of defenders. While these particular attacks occurred in Japan, the same approach would prove effective elsewhere, according to Tani.