DECADE OF THE RATs: Novel Cross-Platform APT Attacks Targeting Linux, Windows and Android
The recent Chinese New Year ushered in the Year of the Rat, but from the perspective of the corporations, government agencies and other organizations that continue to be targeted by Advanced Persistent Threat (APT) groups acting in the interest of the Chinese government, recent years could aptly be described as the Decade of the RATs - Remote Access Trojans, that is.
As China forges its role as one of the great world powers, it relies upon a blast furnace of cyberespionage operations to acquire foreign technologies and intellectual property, better position itself against competing international powers, and control its own image both at home and abroad.
This pervasive economic espionage led the U.S. Department of Justice (DOJ) to create the China Initiative in November of 2018 to prevent and prosecute “thefts of American technology and intellectual property for the benefit of China,” according to the DOJ.
As of today, however, the DOJ says the Chinese government continues to pursue a multipronged economic espionage strategy that blends cyber intrusions with the co-opting of private sector insiders by state intelligence services and use of non-traditional collectors.
But while Chinese IP theft is an old story, new chapters carry lessons for security teams and their organizations. In a recent study, BlackBerry Lab researchers detailed the activities of five related adversarial groups who have spent much of the last decade successfully targeting organizations in cross-platform attacks while operating relatively, if not entirely, undetected across multiple strategic and economic espionage operations.
This quintet of threat actor groups focused on an often-overlooked platform: the Linux® servers that form the backbone of large data centers hosting some of the most sensitive enterprise network operations. The research further revealed a link between a previously unidentified Linux malware toolset and one of the largest Linux botnets ever discovered.
The newly discovered Linux malware toolset included two kernel-level rootkits that hid its executables from standard host tooling, making it probable that the number of organizations impacted is significant and the duration of the infections lengthy. This BlackBerry Lab report provides analysis of the attacks, toolset, rootkits, other malware and infrastructure involved.
The research also analyzes attacks designed to elude defenders through Windows® malware signed with adware code-signing certificates. Attackers hope this tactic will increase infection rates because the resulting red flags are dismissed as just another blip in a constant stream of adware alerts. The report examines multiple malware samples signed with these adware certificates.
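A kernel-level rootkit that filters the /proc directory listing lies to every user-space tool built on it (ps, top, ls), which is why such infections go unnoticed for years. The check below is an added example, not code from the BlackBerry report or from the toolset it describes: it takes a second, independent view of the same kernel (probing each PID with signal 0) and reports anything the probe sees that the listing does not. The helper names and the constructed PID sets in the test are the author's; a rootkit that also hooks kill() defeats this particular cross-view, so a clean result is absence of evidence, not evidence of absence.

```python
"""Cross-view detection of processes hidden from /proc (added example, hypothetical helpers).

View A: PIDs and thread IDs enumerated from the /proc directory listing, the
        view a rootkit typically filters.
View B: IDs the kernel admits exist when probed with kill(pid, 0); EPERM still
        means "exists".
Anything in B but not in A is a candidate hidden task.
"""
import os
import sys


def listed_ids(proc_root="/proc"):
    """All PIDs plus their thread IDs from the procfs listing.

    Thread IDs are included because kill(tid, 0) succeeds for a non-leader
    thread, which would otherwise produce a false positive for every thread.
    """
    ids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"{proc_root}/{pid}/task"))
        except OSError:
            pass  # process exited between the two reads; harmless
    return ids


def probed_ids(pid_max):
    """IDs the kernel reports as existing when probed with signal 0."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue        # ESRCH: no such task
        except PermissionError:
            pass            # EPERM: exists, owned by another user
        found.add(pid)
    return found


def hidden_ids(listed, probed):
    """Pure comparison step: IDs present in the probe view but absent from the listing."""
    return sorted(probed - listed)


def confirm_hidden(candidates, proc_root="/proc"):
    """Re-check each candidate to drop short-lived tasks that exited between the views.

    A task that still answers kill(pid, 0) yet has no /proc/<pid> entry is
    reported; one that has since exited is discarded.
    """
    confirmed = []
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue        # gone: it was a race, not a rootkit
        except PermissionError:
            pass
        if not os.path.exists(f"{proc_root}/{pid}"):
            confirmed.append(pid)
    return confirmed


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as fh:
        return int(fh.read())


def scan():
    """Live scan of the local host. Linux only; run as root (see usage note)."""
    if not sys.platform.startswith("linux"):
        raise SystemExit("this check reads procfs; run it on the Linux host under investigation")
    # Probe first, then list: a task that is hidden from the listing cannot
    # be explained away as having started after the listing was taken.
    probed = probed_ids(read_pid_max())
    listed = listed_ids()
    return confirm_hidden(hidden_ids(listed, probed))


if __name__ == "__main__":
    for pid in scan():
        print(f"task {pid} answers kill(0) but is missing from /proc: investigate")
```

Run it as root: on a /proc mounted with hidepid=1 or hidepid=2, an unprivileged user gets EPERM for other users' processes while the listing omits them, which looks exactly like hiding. Probing the full pid_max range (4194304 on most 64-bit distributions) is a few million cheap syscalls and takes a few seconds in Python; that is the price of not trusting the listing you are checking. Any confirmed hit should be followed up from a view the suspect kernel does not control, such as a memory image or the disk mounted offline, since a rootkit able to filter /proc can equally filter what you read from /proc/<pid> afterward.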
In addition to Linux malware toolsets, BlackBerry Lab researchers explored the targeting of the mobile devices that increasingly make up a significant portion of the enterprise network perimeter. In doing so, they exposed the curious case of a mobile remote access trojan (RAT) that was developed by an APT group nearly two years prior to the commercial availability of a popular remote administration penetration testing tool that has strikingly similar code structure and characteristics, raising questions about the origins of each.
As intellectual property and other targeted data have moved to new operating environments, these APT groups have readily adapted, shared new tools, borrowed from open-source resources and developed new methods to harvest information, all while hiding more or less in plain sight. In addition, many of the attack techniques that worked a decade ago continue to be effective today. The cycle regularly comes full circle, with old techniques and tricks revived time and time again.
While much of the security industry continues to charge forward with efforts to address the next trendy buzzword threat, few are looking back to ensure they have actually solved the issues presented by the last. Thus, some subtle changes in tactics and a newly stolen code-signing certificate appear to be the only things these adversaries need to continue evading security solutions.