Attacks on East Asia using Google Code for Command and Control

Recently, FireEye published a blog titled “Operation Poisoned Hurricane” which detailed the use of PlugX malware variants signed with legitimate certificates that used Google Code project pages for command and control (C2). We were able to uncover multiple additional samples exploiting the same technique as well as an additional Google Code account with multiple projects containing encoded commands.

The attacks against Palo Alto Networks customers, which took place between early June to early July, also targeted users in East Asia; in this case an international law firm’s regional office and a major university. All of the attacks were detected by our WildFire platform.

Of note, three of the Google Code projects associated with the newly uncovered account were added during the past few days, indicating it is still in active use.

Below is a current screenshot of the newly uncovered Google Code account’s projects.

The encoded commands decode to the below IP addresses. Interestingly, “/p/pthon”, which is the project page used by some of the newly discovered samples detailed later in this blog, is the only page with the encoded command not included in the summary and is instead in text only on the page itself. The three pages created since we discovered this user are admmmomn, eyewheye, and joompler.

Table 1

We discovered a total of seven samples, five of which were not in VirusTotal prior to our submission. Table 2 contains details of a PlugX sample using the PixelPlus Co., Ltd certificate that is currently only detected by four AV vendors. It has been in use in the wild since at least early June and is the earliest sample related to this activity our team has so far found. It was targeted against a major university. It uses one of the Google Code pages noted in FireEye’s blog, “/p/updata-server”, but had a different C2 redirect, noted below. Interestingly, the IP resolved by the initial website hosting the PlugX malware also served as a C2 server for different malware in mid-December 2013 (MD5: ddd46ce5e5eaaa8e61ce11a121a79266). At that time the C2 server was qq7712409.3322[.]org.

Table 2

The PlugX sample in Table 3 also uses the legitimate PixelPlus Co., Ltd certificate and was also targeted against the university. This sample was not represented in VirusTotal. It is correctly identified by eleven AV vendors as PlugX malware. In addition, it also used the same Google Code page and redirect as the previous sample. The registrant information associated with the website hosting the malware is a domain reseller.

Table 3

We were able to uncover an additional two samples using the QTI International Inc certificate and Google Code pages. The first sample in the below table was not in VirusTotal and targeted the same university as the previous samples. Only three AV vendors correctly identified it as PlugX malware.

Table 4

The second sample using the QTI International Inc certificate also uses IP 211.233.89.182 for C2 but does not first connect to a Google Code page and is not PlugX. Instead it contained two separate Trojans; one known as Cudofows.A by Microsoft, and one only detected by two AV vendors in VirusTotal known as Backdoor.Win32.Miancha.f by Kaspersky. This malware also targeted the university. Of note, the PlugX sample in Table 8 uses a different certificate but was downloaded from the same website. It also uses the Google Code page “/p/tempzz” for C2, which was also listed in FireEye’s blog.

The website hosting the malware was registered 4 June 2014 via eNom, a well-known domain name registrar. The registrant address is labtestshowlong[@]outlook.com, which has not been used to register any other domains as of 14 August.

Table 5

Our team was able to further uncover three new samples using the Ssanyong Motor Co., Ltd certificate and Google Code C2 redirection. None of these were in VirusTotal. The below sample also uses the Google Code page “/p/pthon”, which was newly uncovered during this research. The PlugX sample in Table 4 used the same Google Code page and redirect, but the QTI International Inc certificate. The below PlugX sample was only detected as PlugX malware by two AV vendors.

Table 6

The PlugX sample in Table 7 also targeted the same university as all previous samples. Eight AV vendors correctly identified it.

Table 7

The final new sample using the SSanyong Motor Co., Ltd certificate is an interesting mix. It was downloaded from the same website as the sample in Table 5; however, it was targeted against an international law firm’s East Asian office, and uses a Google Code page identified in FireEye’s blog for C2, but an IP not listed in the blog post. In addition, it was only detected by two AV vendors.

Table 8

We see several indications this is an ongoing campaign, including:

• We were able to find several unknown samples used within the same timeframe as those in the FireEye blog;
• The limited AV detection and lack of previous VirusTotal submission of most of these samples;
• The identification of another active malicious Google Code account updated within the past several days; and,
• The identification of additional Google Code project pages that do not have corresponding reported samples.

These new methods have somewhat limited efficacy, as further C2 commands would be more obviously detectable because the C2 server no longer appears to be a legitimate website. However, it is highly likely there are still more unknowns related to this activity, as the actors conducting it have shown an understanding of basic perimeter network defense and some ability to adapt around it.

Prior to publishing this blog, we notified both Microsoft and Google of the malicious accounts using their services in an effort to help thwart this malicious activity.