Researchers have uncovered a Chinese APT campaign designed to compromise government websites in a Central Asian nation by targeting a key datacenter.
Kaspersky Lab explained that by compromising the national datacenter, the APT27/LuckyMouse/EmissaryPanda group was able to gain “access to a wide range of government resources at one fell swoop.”
“Government entities, including the Central Asian ones also were a target for this actor before,” it added. “Due to LuckyMouse’s ongoing water-holing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the datacenter and inject JavaScripts into them.”
It’s not clear how the attackers targeted the datacenter in the first instance. Although they have used weaponized documents exploiting CVE-2017-118822 in the past, Kaspersky Lab believes employees may have been targeted by watering hole attacks.
Interestingly, the main command and control IP address was traced back to a Ukrainian ISP running a Mikrotik router that was hacked “in order to process the malware’s HTTP requests.”
The websites themselves were compromised to redirect visitors to instances of both ScanBox and BEeF. The former is a reconnaissance framework that collects information about the victim’s machine, including operating systems, language and location.
BEeF — the Browser Exploitation Framework — is a pen testing tool focused on the browser.
“The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro),” Kaspersky Lab concluded.
“The most unusual and interesting point here is the target. A national datacenter is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”