Illuminating the Etumbot APT backdoor

From Botnets.fr


Botnet: Etumbot
Campaign: APT12
Date: 2014-06-06
Editor/Conference: Arbor Networks
Link: http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ (Archive copy)
Type: White paper

Abstract

Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12. Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.

Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an archive file intended to be of interest to the target. The attackers use the Unicode Right to Left Override technique and document icons to disguise malicious executable content as document files. Once the dropper is executed, the backdoor is activated and a distraction file of interest to the target is opened for viewing. ASERT has observed several Etumbot samples using distraction documents involving Taiwanese and Japanese topics of interest, and has also observed recent development activity which indicates that attack campaigns are ongoing.

Once installed, the backdoor connects to its Command & Control server and receives an encryption key. RC4 encryption, along with HTTP transactions intended to blend in with typical traffic, is used for backdoor communications. Etumbot’s core functionality allows for the execution of commands and the capability to upload and download files.

Attackers attempt to obfuscate the malware by using a technique known as “byte strings”, also known as “string stacking”. Through the use of ASERT tools, these byte strings are deobfuscated and revealed herein.

A timeline containing distraction documents, along with backdoor and dropper indicators including MD5 hashes, Command & Control server information, and file system and process artifacts, is included herein. Some use of the HTran connection bouncer has been observed, indicating that selected C&Cs were simply compromised sites used to relay traffic elsewhere.

Bibtex

@misc{2014BFR1388,
  editor = {Arbor Networks},
  author = {},
  title = {Illuminating the Etumbot APT backdoor},
  date = {06},
  month = Jun,
  year = {2014},
  howpublished = {\url{http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/}},
}