In mid-July of this year, we noticed yet another legitimate website had been compromised by APT actors and was serving malware. In this case, it was a group commonly referred to as “Nitro,” which was coined by Symantec in its 2011 whitepaper.
As we dug deeper, we found additional compromised legitimate websites and malware from the same group back through March of this year. In most instances, the malware is one commonly referred to as “Spindest,” though we also found “PCClient” and “Farfli” variants in use by the group. We don’t have enough data to say for certain that all of the malware in this blog was delivered via compromised legitimate websites.
Historically, Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware, which was not seen in these attacks. Since at least 2013, Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites, as reported by Cyber Squared’s TCIRT. Our findings indicate they are continuing to evolve with the addition of PCClient and Farfli variants. The Maltego screenshot below shows the activity we describe in this blog.
These events impacted at least the following industries, across four waves:
- A US based IT Solutions provider;
- The European office of a major, US based commercial vendor of space imagery and geospatial content;
- A European leader in power technologies and automation for utilities and industry;
- A US based provider of medical and dental imaging systems and IT solutions.
In July, Nitro compromised a South Korean clothing and accessories manufacturer’s website to serve malware commonly referred to as “Spindest.” Of all the samples we’ve tied to this activity so far noted in this blog, this is the only one configured to connect directly to an IP address for Command and Control (C2). This IP address has been in use by this group for some time, which is interesting since they have evolved other components of their kill chain over time to ensure malware delivery, but oddly not altered their C2 infrastructure. It is simple for companies to block any outbound traffic to this IP, which would negate the effort Nitro put into successfully delivering the malware.
37 AV vendors within VirusTotal properly identify it, and the PE timestamp shows the day before we saw it. In addition, the following three samples were found roughly a week apart from each other, possibly indicating the timing of the waves of activity.
|First Seen||2014-07-24 11:54:02|
The next sample we found is commonly known as PCClient, which is not malware previously tied to this group. We discovered this, and many of the following samples, through historic IP resolution overlap between the same domains alternately resolving to either the 18.104.22.168 or 22.214.171.124. The second IP has also not been reported as tied to this group before. However, this shifting of IP resolutions back and forth indicates Nitro is in control of these domains. It also makes is fairly easy for any Infosec team to reach the same conclusion we did, which again negates their use both of a previously unreported domain and IP for C2, as well as a new family of malware. 25 AV vendors within VirusTotal properly classify this sample as malware. Its PE timestamp was 8 July, almost a week prior when we first saw it.
|First Seen||2014-07-15 11:48:33|
The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample. In addition, Nitro chose to use the same C2 for this sample, making it easy to both find and tie to the group. 41 AV vendors within VirusTotal properly classify this sample as malware.
|First Seen||2014-07-09 16:31:26|
The next wave of activity we found took place in mid-May. Both samples were Spindest variants with the same PE timestamp of 15 May. While neither MD5s for C2 match, the aforementioned link to a post by Cyber Squared’s TCIRT did document Nitro using Spindest variants with the same file name starting late December last year. In that case they used the historic C2 IP we note in Table 1 in this blog. 34 AV vendors within VirusTotal properly classify the first sample as malware, and 40 AV Vendors the second sample.
|First Seen||2014-05-20 08:43:15|
|First Seen||2014-05-15 16:34:10|
The malware dropped was configured to use good.myftp[.]org as the C2 URL, and the IP resolution was 126.96.36.199. Both of these are known Nitro Indicators of Compromise (IOCs). In this case, the malware was a Farfli variant, again not a malware previously tied to this group. 39 AV vendors within VirusTotal properly identify the file as malware. The PE timestamp on the file was 1 April, about two weeks before we saw the file. Continuing the activity, we discovered the actors had compromised a legitimate website belonging to an international technology company that provides Software Configuration and Change Management (SCCM) solutions in mid-May. (It is a well regarded company and partners with large companies such as Microsoft.)
|First Seen||2014-04-15 01:13:14|
The final sample, from mid-March, was also hosted on a compromised legitimate website, this time a small, US based IT company. The IP resolved by the C2 URL was changed two days after we saw this file to overlap with good.myftp[.]org for a month before returning the below resolution. The filename matches that of the sample in Table 5, which had a very similar third level C2 domain and the same IP resolution. This is also a Spindest variant with a PE timestamp of the same day we saw it. 39 AV vendors within VirusTotal properly identify the file as malware.
|First Seen||2014-03-12 06:58:22|
As this post and previous cited research show, APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection. However, they also demonstrate the value of tracking these threats over time, as this allowed us to uncover and properly attribute the new IOCs because Nitro was still re-using old C2 infrastructure with their new malware.
For Palo Alto Networks customers, all of these files were properly identified by WildFire as malware and all of the C2 domains are labeled as threats in both Threat Prevention and URL Filtering systems.