Newest APT revelation: IXESHE botnet buries command and control inside target organization

“What is unique about IXESHE was that the attackers moved the command and control within the host system”, explains Tom Kellermann of Trend Micro

This tactic allowed IXESHE attackers to hide their presence by confusing their activities with data belonging to legitimate individuals within the organization. Victims tended to be East Asian governments, electronics manufacturers, and a German telecommunications company, according to a Trend Micro white paper.

“What is unique about IXESHE was that the attackers moved the command and control within the host system”, said Tom Kellermann, vice president of cybersecurity at Trend Micro.

“So they weren’t reaching back for command and control. Rather, the command and control would be updated on a sleep-cycle basis; it would go to sleep and then, through a manual process, would be updated on a sleep-cycle basis once in a while”, Kellermann told Infosecurity. “Quite elegant”, he added.

IXESHE’s primary method of entry into victims’ systems was malicious PDF files that exploited Adobe Acrobat, Reader, or Flash Player vulnerabilities. These files were sent as attachments to targeted emails directed at potential victims within target organizations.

If the IXESHE victims had updated their software and had been trained on how to read headers, they would not have been compromised, Kellermann opined.

“The stealthy nature of how they are conducting local information gathering and privileged escalation within these systems is very much advanced”, Kellermann observed. “You are seeing a phenomenon now where systems are becoming colonized”, he added.

In addition, the IXESHE campaign used dynamic Domain Name System (DNS) services and distributed external C&C services to make detection and takedown more difficult.

“In one particular case, we saw C&C servers hosted on the compromised machines of an East Asian country, making targeted attacks against that government easier. In another case, we received an error message from a C&C server, which indicated that the front-end servers were merely acting as proxies for the actual back-end servers”, the white paper explained.

Kellermann noted that much of the law enforcement and industry effort to stop botnets goes after the command and control servers. To do that, they share sinkhole data about botnets.

“But the reality is that this is not going to be sufficient, even though it is a step in the right direction, because the elite hackers of the world are leveraging these colonized command and control servers inside the target’s systems”, he explained.

“What these hackers are trying to do is minimize network traffic associated with compromises. They are leveraging that minimized network traffic to transit and leapfrog between systems that trust other systems, not just within that network but with strategic partner systems, as well as consumers”, Kellermann said.
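Because the C&C described above lives on compromised hosts inside the organization and is contacted on a sleep cycle, sinkhole data on external servers will not reveal it; the signal is in east-west traffic. The following Python is an added defender's example, not code from the article or from Trend Micro, that flags internal host pairs whose connection timing is nearly periodic. The flow records are constructed for illustration and the 10.0.0.0/8 internal range is an assumption.

```python
"""Flag sleep-cycle beaconing between internal hosts in flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log, not real IXESHE telemetry: (timestamp_s, src_ip, dst_ip, dst_port)
FLOWS = [
    # workstation checking in with a colonized internal host roughly every hour
    (0,     "10.1.4.22", "10.1.9.7",  443),
    (3600,  "10.1.4.22", "10.1.9.7",  443),
    (7205,  "10.1.4.22", "10.1.9.7",  443),
    (10795, "10.1.4.22", "10.1.9.7",  443),
    (14400, "10.1.4.22", "10.1.9.7",  443),
    # ordinary, user-driven file-share access with irregular timing
    (120,   "10.1.4.30", "10.1.9.50", 445),
    (900,   "10.1.4.30", "10.1.9.50", 445),
    (950,   "10.1.4.30", "10.1.9.50", 445),
    (6000,  "10.1.4.30", "10.1.9.50", 445),
]


def is_internal(ip):
    """Assumed internal address space for this example: 10.0.0.0/8."""
    return ip.startswith("10.")


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Return (src, dst, port, period_s) for internal-to-internal pairs whose
    inter-arrival times are nearly constant: pstdev(gaps) / mean(gaps) <= max_jitter.
    Pairs with fewer than min_flows records are ignored to limit false positives."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and is_internal(dst):
            by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_flows:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((*key, period))
    return hits


if __name__ == "__main__":
    for src, dst, port, period in find_beacons(FLOWS):
        print(f"periodic internal traffic {src} -> {dst}:{port}, period ~{period:.0f}s")
```

On real flow data, run this over east-west records only and whitelist known periodic services (backup, monitoring, AD replication) before reviewing the remaining pairs.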