Advanced Inception APT Malware Likely State-Sponsored

Written by

A highly advanced, multi-layered advanced persistent threat (APT) is targeting individuals in strategic positions: Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. And it’s spreading.

Researchers from Blue Coat Labs have identified the emergence of this previously undocumented attack framework. Dubbed Inception after the 2010 movie of the same name about a thief who entered peoples’ dreams and stole secrets from their subconscious, the malware started out with targets in Russia or related to Russian interests, but has since spread to other locations around the world. 

The preferred malware delivery method is via phishing emails containing trojanized documents, aimed at PC users. When the user clicks on the attachment, a Word document is displayed to avoid arousing suspicion from the user while malicious content stored inside the document in encoded form writes to their disk. Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name.

The malware gathers system information from the infected machine, including OS version, computer name, user name, user group membership, the process it is running in, locale IDs, as well as system drive and volume information.

But, the attackers have also created mobile malware, for Android, BlackBerry and iOS devices. These bugs are used to gather information from the victims, including phone call recordings. Specifically on the Android platform, attackers are recording incoming and outgoing phone calls to MP4 sound files, that are periodically uploaded to the attackers.

The perpetrators were also found to be preparing seemingly planned MMS phishing campaigns to mobile devices of targeted individuals. To date, Blue Coat has observed over 60 mobile providers, including China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher, the firm said.

Be it from wireline or wireless victims, all of this system information is encrypted and sent to cloud storage via a Swedish cloud service provider using the WebDAV protocol. The framework is designed in such a way that all communication after malware infection (i.e. target surveying, configuration updates, malware updates and data exfiltration) can be performed via the cloud.

Tracing the malware took some doing: it contains multiple layers of obfuscation and indirection, along with the control mechanisms between attacker and target. Most interaction between attackers and their infrastructure is performed via a convoluted network of router proxies and rented hosts (mostly in South Korea), most likely compromised because of poor configurations or default credentials.

“There clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions that could be widespread and harmful,” explained Blue Coat researchers Snorre Fagerland and Waylon Grange, in an analysis. “The complex attack framework shows signs of automation and seasoned programming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the attackers is extremely advanced, if not paranoid.”

Attribution is always hard, and in this case it is exceedingly difficult. However, the researchers took an educated guess.

“Based on the attributes of the attack and the targeting of individuals connected with national political, economic and military interests, the party behind Inception could be a medium-sized nation state, or possibly a resourceful and professional private entity,” they said.

What’s hot on Infosecurity Magazine?