New Attacks Reuse Malware Code from Dormant APT1

New attacks against organizations from South Korea, Canada and the United States use a malicious implant that’s based on an old malware program associated with a dormant Chinese APT group known as APT1.

According to researchers from antivirus firm McAfee, the new implant, dubbed Oceansalt, uses large parts of code from Seasalt, a trojan used around 2010 by Comment Crew, aka APT1.

Comment Crew was responsible for cyberespionage attacks against hundreds of U.S. organizations, especially from the critical infrastructure sector, between 2006 and 2013, when it was exposed in a groundbreaking report as a unit of China’s People’s Liberation Army.

The report, released by Mandiant, was one of the first in the security industry to clearly link an APT group to a foreign government organization and even identified some of the group’s members. China denied the accusations at the time, but all activity from APT1 ceased shortly after the report came out.

“Until this analysis, we had observed no new activity related to Comment Crew since they were exposed, but now we find portions of their implant code appearing in new operations targeting South Korea,” researchers from McAfee said in a new report on Operation Oceansalt. “As we investigated this code overlap, we found no evidence that the source code from Comment Crew was ever made public, nor did we find it being sold in underground markets we examined.”

Oceansalt could signal a return of APT1, though the McAfee researchers think that’s unlikely. Other possibilities are that the implant is the result of a code-sharing arrangement between two threat actors, that someone has privately gained access to the Seasalt source code from one of the original Comment Crew members, or that Oceansalt is a “false flag” operation designed to make it appear as if China and North Korea are collaborating on cyberattacks.

The vast majority of Operation Oceansalt’s targets are from South Korea, and the malicious spear-phishing documents used to distribute the malware are unique and suggest the attackers have a good command of the Korean language. Furthermore, the contents of the documents suggest the intended targets are familiar with South Korea’s public infrastructure projects and with financials related to the Inter-Korean Cooperation Fund.

Initial Operation Oceansalt activity was detected on May 31 in South Korea, but by August 14 the campaign had expanded to also affect organizations from multiple industries in the U.S. and Canada.

“These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victims,” the McAfee researchers said. “The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to.”

Oceansalt is deployed using malicious macros embedded in Microsoft Excel documents. The implant is small in size, at only 76KB, but offers a variety of commands that allow attackers to collect data from infected systems. It serves as a first-stage implant, opening a reverse shell through which hackers can deploy and execute additional malicious tools.

Oceansalt shares around 21 percent of its code with a 2010 sample of Comment Crew’s Seasalt. The code overlap is not in a common library that could be easily reused, which suggests its authors had access to the original Seasalt source code.

“It is likely that reactions to this research will focus on debating the identity of the threat actor,” McAfee researchers Raj Samani and Ryan Sherstobitoff said in a blog post. “Although this question is of great interest, answering it will require more than the technical evidence that private industry can provide. These limitations are frustrating. However, we can focus on the indicators of compromise presented in this report to detect, correct, and protect our systems, regardless of the source of these attacks.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
