Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, Tom Hall, principal consultant for incident response and Mitch Clarke, incident response consultant UK&I, at Mandiant, talked about lessons learned from the APT41 detection last summer, and how tools are being used by different threat actors.
The speakers said that they believed that APT41 are “sponsored by the Chinese government” and not part of the state’s offensive operations, and the group have been seen conducting espionage operations during daytime working hours, and doing “cybercrime activities” in the evening. This includes targeting healthcare and telco companies for IP theft.
Clarke explained that the group “flip the infrastructure and use it for cybercrime and non espionage tasks” and this has involved stealing source code and certificates, and in the day job they flip back to espionage and use those certificates to sign malware to run in their operations.
Hall explained that APT41 have used stolen certificates to sign tools and hide from incident responders and forensic investigators. “It is not a case of if it is signed you can trust it.”
However, in attacks conducted by the APT34 group, the Mandiant researchers said that another tool called “SEASHARPEE,” which comprises of a loader and embedded payload, was used as a second stage webshell.
Hall explained that SEASHARPEE has “anti-forensic capabilities and extended functionality dependent on the sample” and while they were first seen in APT34 intrusions in October 2015, the APT34 toolsets were leaked and reported in April 2019 and were reported as being used by the APT27 attackers in 2019.
Clarke said that the presence of this particular type of malware shows that attribution cannot be completely relied upon, as you need to keep an open mind for who or what is being used and for which activity.
“Just because it is signed, it doesn’t mean it is trusted,” Clarke said. “You can add malicious certificates into root stores and an invalid cert would be available in the store.”
Speaking to Infosecurity, and asked if they felt that groups were exchanging tools or selling them on dark markets, Clarke said that sharing was very rare among threat actors, but it was more likely that different actors were using a similar kit.