Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails.  Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.

The attacks discussed in this blog are related to an APT campaign commonly referred to as “th3bug”, named for the password the actors often use with their Poison Ivy malware. Of note, only the older of the samples we cover in this blog used that password.  We don’t know the reason the actors changed this, but it could possibly be in reaction to information widely published on the Internet about their activities, which use that password as a key component to tie the activity together. FireEye in particular published a paper describing several APT campaigns whose activity they correlate using Poison Ivy passwords.

In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent.  Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.

While we were unable to recover the initial vulnerability used, it is possibly the same CVE 2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July.  We cannot confirm the initial compromised sites, but we noted traffic to several known re-direct sites and the malware was configured to use the same command and control (C2) server.

In addition, the download dates of many of our files pre-date those noted by Cisco by only a few days. All of the malware were variants of the Poison Ivy Remote Administration Tool (RAT) and were properly identified as such by our WildFire platform.  The targets of the attack were:

• Uyghur sympathizers
• An East Asian office for a major US based computer manufacturer
• A major US university
• An international wholesale and retail telecom provider

We saw the first sample on July 14, 2014. This sample had an interesting PDB string - C: \Users\sophie\documents\visual studio 2010\Projects\init\Release\init.pdb with a time date string that exactly matched the PE timestamp of 11 July, 2014.

Table 1

The next day we collected several copies of the same malware intended for the same industry.  They were downloaded from one of the download URLs in the below table, but all had the same MD5 and C2 domain.

Table 2

On July 16 WildFire picked up a malicious executable hosted on uyghurweb.net, a legitimate Uyghur website that was compromised to infect users. The file was named “PYvBte.jar” but was actually a Windows executable. The file has the characteristics listed in Table 3, and appears to be a stand-alone executable version of the Metasploit Meterpreter shell. When this file runs, it downloads a payload from uyghurweb.net/player/gmuweb.exe and executes it. This file is the same Poison Ivy RAT described in Table 2.

The Meterpreter payload masquerades as a copy of the ApacheBench tool made by the Apache Software Foundation.

Table 3

On 21 July, we detected another sample that was noted in the Cisco TRAC blog. The initial download URL and IP resolution were different than the previous samples, but the C2 domain and resolution matched. This file is also a Poison Ivy variant.

Table 4

Based on historical IP resolution overlaps between the above C2 domains and other domains that have also resolved to the same IPs, we found an additional sample from the beginning of this year.

Interestingly, the first sample was not logged in VirusTotal prior to our submission, despite the sample having been in use in the wild for at least seven months. In addition, it is the only sample tied to this activity we found that used the Poison Ivy password “th3bug”. AVAST wrote a blog related to the activity we describe here and tied a file with the same name, but the sample we found doesn’t match any other details of the file they documented.

Also of note, the IP resolution for this C2 domain was changed to match the IP resolution of the C2 domains used in the July activity only a few days after these samples were seen. Additionally, the files PE timestamp was January 21, the day before we detected the sample. Targeted industries for this series are listed below.

• Another international wholesale and retail telecom provider
• A major visual computing company headquartered in the US
• A state-owned East Asian financial services company

Table 5

Watering hole attacks will continue to be popular with APT campaigns, as they are much harder to defend against then spear phishing attacks. There is no way for people browsing to these websites to know in advance the normally trusted website has been compromised and will serve them malware when they visit it.

Ensuring web browsers and operating system software is fully patched and up-to-date is the best way to defend against this type of threat. However, to increase success rates APT campaigns can use zero-day exploits, so even a properly patched system would be compromised.  Palo Alto Networks users should use our firewall’s ability to block executable downloads unless the user specifically authorizes it. If you want to allow executables through but prefer that they be analyzed for malicious activity, use our WildFire platform, which correctly identified all of the files listed in this blog as malware and provides users with a full report on the samples host and network-based activities.