ATK23

Presumed Origin: China

Alias: Dagger Panda, Ice Fog, Icefog

ATK23 (aka Icefog) is a Chinese cyber espionage group active since at least 2011. Kaspersky describes the group as "small, with a relative lack of complexity", but it successfully compromised its targets, which are mostly defense contractors, industrial companies, shipbuilding companies, telecommunication operators and media in Japan, Taiwan and South Korea. The group used spearphishing emails exploiting CVE-2012-0158 and CVE-2012-1856, or containing a web link to Oracle Java exploits for CVE-2013-0422 and CVE-2012-1723. It uses already known and patched vulnerabilities. Its lure Word documents contain pictures of a woman or relate to current political events. The group also used HLP files abusing Windows features to drop its malware.

 

After initial access, the group lists the folders on the disk, the IP configuration and information about the victim network. If the victim is interesting, it deploys additional software such as a backdoor, lateral movement tools that dump passwords from Windows, IE or Outlook, and a legitimate RAR compression tool. It also tries to steal Windows address books (.WAB files) and XSL, DOC or HWP documents. The stolen documents are compressed and split into multiple parts using WinRAR or CABARC to be transferred to the C2 server.
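
A hunting sketch for the collection and staging behaviour described above, added here as an example and not taken from the original profile or a vendor report: it flags process-creation events in which one of the archivers named in the profile builds split volumes or is pointed at the listed document types. The event field names, executable file names, hosts and sample events are assumptions constructed for illustration.

```python
import re

# Archivers named in the profile; the executable file names are assumptions.
ARCHIVERS = {"rar.exe", "winrar.exe", "cabarc.exe"}
# RAR's -v<size> switch writes a multi-volume (split) archive.
RAR_VOLUME = re.compile(r"^-v\d+[a-z]?$", re.IGNORECASE)
# Document types the profile lists as collected (extensions as written there).
TARGET_EXT = re.compile(r"\.(wab|xsl|doc|hwp)\b", re.IGNORECASE)

# Constructed process-creation events (hypothetical field names and hosts).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Users\Public\rar.exe",
     "command_line": r"rar.exe a -v2m C:\Temp\o.rar D:\docs\*.doc D:\docs\*.hwp"},
    {"host": "WS-02", "image": r"C:\Tools\cabarc.exe",
     "command_line": r"cabarc.exe n C:\Temp\ab.cab C:\Users\u\contacts.wab"},
    {"host": "WS-03", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Dl\setup.rar'},
    {"host": "WS-04", "image": r"C:\Windows\notepad.exe",
     "command_line": r"notepad.exe C:\Users\u\report.doc"},
]


def staging_reasons(event):
    """Return staging indicators for one event; empty list means no match."""
    image = re.split(r"[\\/]", event["image"])[-1].lower()
    if image not in ARCHIVERS:
        return []
    cmd = event["command_line"]
    reasons = []
    if image != "cabarc.exe" and any(RAR_VOLUME.match(t) for t in cmd.split()):
        reasons.append("split-volumes")
    exts = sorted({e.lower() for e in TARGET_EXT.findall(cmd)})
    if exts:
        reasons.append("targets:" + ",".join(exts))
    return reasons


def hunt(events):
    """Return (host, reasons) for every event with at least one indicator."""
    hits = [(ev["host"], staging_reasons(ev)) for ev in events]
    return [(host, reasons) for host, reasons in hits if reasons]


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS):
        print(host, reasons)
```

Routine archive extraction (WS-03) and a non-archiver opening a document (WS-04) produce no hit; only archiver activity combined with volume splitting or the listed file types is reported.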

 

Lateral movement is done using multiple tools to dump credentials from browsers or Outlook.

 

The C2 servers are hosted on shared hosting platforms and dedicated hosting. Their C2 infrastructure is very ephemeral. Icefog seems to use a "hit and run" strategy: they infect their victims, steal the data, and the C2 infrastructure expires in a few months. This strategy indicates that the group knows what it is looking for. They do not maintain a persistent presence on the compromised network once their goal is reached.

 

After the Kaspersky reports from September 2013 and January 2014, the group disappeared. In 2015, after nearly a year of silence, new variants of ICEFOG (ICEFOG-M and ICEFOG-P) were found, used in campaigns whose targets do not match those of previously seen campaigns.

 

NB: According to the researcher Chi-en Shen from FireEye, the new variants of the ICEFOG backdoor are used by multiple Chinese groups (APT9, APT15, Goblin Panda and another group named "Temp Group A", which may actually be the original Icefog group). The conclusion is that the ICEFOG backdoor cannot be used to attribute a campaign.

 

Target sector

  • Aerospace
  • Defense
  • Energy
  • Government and administration agencies
  • High-Tech
  • Maritime Companies
  • Media
  • Military
  • Naval
  • Water distribution and supply

Target countries

  • Australia
  • Austria
  • Belarus
  • Canada
  • China
  • France
  • Germany
  • Hong Kong
  • India
  • Italy
  • Japan
  • Kazakhstan
  • Korea, Republic of
  • Malaysia
  • Mongolia
  • Netherlands
  • Pakistan
  • Philippines
  • Russian Federation
  • Singapore
  • Sri Lanka
  • Taiwan
  • Tajikistan
  • Turkey
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Uzbekistan

Attack pattern

  • T1002 - Data Compressed
  • T1005 - Data from Local System
  • T1016 - System Network Configuration Discovery
  • T1030 - Data Transfer Size Limits
  • T1038 - DLL Search Order Hijacking
  • T1043 - Commonly Used Port
  • T1064 - Scripting
  • T1065 - Uncommonly Used Port
  • T1071 - Application Layer Protocol
  • T1071 - Standard Application Layer Protocol
  • T1083 - File and Directory Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1218.001 - Compiled HTML File
  • T1319 - Obfuscate or encrypt code

Motivation

  • Espionage

Malware

  • 8.t Dropper
  • ICEFOG
  • JavaFog
  • MacFog

Vulnerabilities

  • CVE-2012-0158
  • CVE-2012-1723
  • CVE-2012-1856
  • CVE-2013-0422