Difference between revisions of "Illuminating the Etumbot APT backdoor"
m (1 revision imported) |
|||
| Line 1: | Line 1: | ||
{{Publication | {{Publication | ||
|Botnet=Etumbot | |||
|Year=2014 | |||
|Date=2014-06-06 | |||
|Editor=Arbor Networks | |||
|Link=http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ | |||
|Type=White paper | |Type=White paper | ||
|Abstract=Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12. Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities. | |Abstract=Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12. Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities. | ||
| Line 16: | Line 15: | ||
A timeline containing distraction documents along with backdoor and dropper indicators to include MD5 hashes, Command & Control server information, file system and process artifacts are included herein. Some use of the HTran connection bouncer has been observed, indicating that selected C&C’s were simply compromised sites used to relay traffic elsewhere. | A timeline containing distraction documents along with backdoor and dropper indicators to include MD5 hashes, Command & Control server information, file system and process artifacts are included herein. Some use of the HTran connection bouncer has been observed, indicating that selected C&C’s were simply compromised sites used to relay traffic elsewhere. | ||
|NomRevue=ASERT Blog | |||
}} | }} | ||
Revision as of 19:29, 14 July 2015
(Publication) Google search: [1]
| Illuminating the Etumbot APT backdoor | |
|---|---|
| Botnet | Etumbot |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2014 / 2014-06-06 |
| Editor/Conference | Arbor Networks |
| Link | http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ (Archive copy) |
| Author | |
| Type | White paper |
Abstract
“ Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12. Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.
Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an archive file intended to be of interest to the target. The attackers use the Unicode Right to Left Override technique and document icons to disguise malicious executable content as document files. Once the dropper is executed, the backdoor is activated and a distraction file of interest to the target is opened for viewing. ASERT has observed several Etumbot samples using distraction documents involving Taiwanese and Japanese topics of interest, and has also observed recent development activity which indicates that attack campaigns are ongoing.
Once installed, the backdoor connects to it’s Command & Control server and receives an encryption key. RC4 encryption, along with HTTP transactions intended to blend in with typical traffic are used for backdoor communications. Etumbot’s core functionality allows for the execution of commands and the capability to upload and download files.
Attackers attempt to obfuscate the malware by using a technique known as “byte strings”, also known as “string stacking”. Through the use of ASERT tools, these byte strings are deobfuscated and revealed herein.
A timeline containing distraction documents along with backdoor and dropper indicators to include MD5 hashes, Command & Control server information, file system and process artifacts are included herein. Some use of the HTran connection bouncer has been observed, indicating that selected C&C’s were simply compromised sites used to relay traffic elsewhere.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2014BFR1388,
editor = {Arbor Networks},
author = {},
title = {Illuminating the Etumbot APT backdoor},
date = {06},
month = Jun,
year = {2014},
howpublished = {\url{http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/}},
}