"value":"McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide range of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign. For a brief overview of this threat, see \u201cGlobal Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.\u201d\r\n\r\nOur investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.\r\n\r\nFurthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to be an undocumented implant. We have also uncovered additional control servers that are still active and associated with these new implants. Based on our analysis of public and private information from submissions, along with product telemetry, it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.\r\n\r\nThe attackers behind Operation GhostSecret used a similar infrastructure to earlier threats, including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad, which was used in the Sony Pictures attack. Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group.\r\n\r\nThe Advanced Threat Research team uncovered activity related to this campaign in March 2018, when the actors targeted Turkish banks. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see \u201cGlobal Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.\u201d",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766132",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214c7-aa40-4154-a878-452302de0b81",
"value":"121.240.155.74"
},
{
"category":"Network activity",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766133",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214c8-dd6c-4b76-947e-49a302de0b81",
"value":"121.240.155.76"
},
{
"category":"Network activity",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766133",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214c8-54f4-4deb-bf2e-41bf02de0b81",
"value":"121.240.155.77"
},
{
"category":"Network activity",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766134",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214c9-f330-48a2-9ec7-451702de0b81",
"value":"121.240.155.78"
},
{
"category":"Network activity",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766134",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214c9-bafc-47b3-b4f7-400202de0b81",
"value":"223.30.98.169"
},
{
"category":"Network activity",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766134",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214ca-8200-4bee-9a0a-45ec02de0b81",
"value":"223.30.98.170"
},
{
"category":"Network activity",
"comment":"Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII \u201c0\u201d) and shuts down the connection.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766135",
"to_ids":false,
"type":"ip-src",
"uuid":"5ae214ca-a294-408a-994d-4d0102de0b81",
"value":"14.140.116.172"
},
{
"category":"Payload delivery",
"comment":"Both of these control servers used the PolarSSL certificate. The 2015 implant does not contain a hardcoded value of the IP address it must connect to. Instead it contains a hardcoded sockaddr_in data structure (positioned at 0x270 bytes before the end of the binary) used by the connect() API to specify port 443 and control server IP addresses:",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766136",
"to_ids":false,
"type":"ip-dst",
"uuid":"5ae2152a-6adc-4f6c-a335-407802de0b81",
"value":"193.248.247.59"
},
{
"category":"Network activity",
"comment":"The 2015 implant does not contain a hardcoded value of the IP address it must connect to. Instead it contains a hardcoded sockaddr_in data structure (positioned at 0x270 bytes before the end of the binary) used by the connect() API to specify port 443 and control server IP addresses:",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766136",
"to_ids":false,
"type":"ip-dst",
"uuid":"5ae2152a-c9b4-4719-8dcb-4e3b02de0b81",
"value":"196.4.67.45"
},
{
"category":"Network activity",
"comment":"Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203.131.222.83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate. Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.",
"deleted":false,
"disable_correlation":false,
"timestamp":"1524766136",
"to_ids":true,
"type":"ip-dst",
"uuid":"5ae21588-3774-4c2c-bf14-420502de0b81",
"value":"203.131.222.95"
}
],
"Object":[
{
"comment":"",
"deleted":false,
"description":"File object describing a file with meta-information",