A joint security advisory released on the 27th September by the US and Japan outlines APT activity in which router firmware is modified to plant backdoors and secure long-term access to victim networks.

The advisory has been published by The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and concerns the activity of a PRC-linked APT known as BlackTech.

The logos of the NSA and the NISC

Who are BlackTech?

BlackTech (also known as CIRCUIT PANDA, Temp.Overboard, HUAPI, Palmerworm, Radio Panda, G0098, T-APT-03, Manga Taurus, and Red Djinn) is an espionage group operating against targets in East Asia, particularly Taiwan and, occasionally, Japan and Hong Kong.

BlackTech’s campaigns are designed to steal their targets’ technology, and the group is suspected of being behind three such campaigns: PLEAD, Shrouded Crossbow, and Waterbear.

PLEAD is an information theft campaign, active since 2012, that targets confidential documents. Targets for PLEAD include various Taiwanese government agencies and private organisations.

Malware used in the PLEAD campaign includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. The campaign uses spear-phishing emails to deliver and install the backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for documents stolen by DRIGO.

The threat actors behind the PLEAD campaign scan for vulnerable routers which they then use as a virtual server via the router’s VPN option. This virtual server is then used either as a C2 server or an HTTP server that delivers PLEAD malware to other targets.

Shrouded Crossbow was first seen in 2010 and utilises a modified version of the BIFROST backdoor for Microsoft Windows. BIFROST is a backdoor trojan that can infect multiple versions of Microsoft Windows (95 through 10) and has the typical components of such malware, including a server builder and a client console program that let its operators execute arbitrary code on a compromised machine. BlackTech is suspected of having purchased the BIFROST source code and modified it to create new variants known as BIFROSE, KIVARS, and XBOW. The threat actors also have a variant capable of targeting UNIX-like systems.

The Shrouded Crossbow campaign, like PLEAD, uses spear phishing as the first stage of compromise and is again designed to exfiltrate sensitive documents.

C2 communication is achieved via the Tor protocol.

Waterbear is the APT’s longest-running campaign and employs a modular approach to its malware.

A loader executable connects to a C2 server to download the main backdoor and loads it into the victim device’s memory; the main backdoor is either loaded from an encrypted file or downloaded from the C2 server.

A later version of this malware used patched server applications as its loader component, meaning that the threat actors behind the campaign had prior knowledge of their targets’ environment.

It is possible that the attackers used Waterbear as a secondary payload to help maintain presence after gaining some level of access to the targets’ systems via other mechanisms.

This threat group has also used stolen code-signing certificates to give its malware an air of legitimacy and thus avoid detection by security utilities.

Pivoting & using trust

BlackTech threat actors are able to pivot from trusted internal routers to other systems of the compromised companies and the headquarters’ networks.

The threat actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech threat actors often modify firmware to hide their activity across the edge devices to further maintain persistence in the network.

To extend their foothold, the threat actors target branch routers (smaller appliances used at remote branch offices to connect to a corporate headquarters) and then abuse the trusted relationship between these devices to pivot deeper into the network.

The APT then uses these compromised public-facing branch routers as part of its own infrastructure for proxying traffic, blending in with legitimate corporate network traffic.

Router compromise

Although BlackTech has targeted and exploited various brands and versions of routers, a common target is those made by Cisco; in some cases the firmware of certain Cisco IOS®-based routers has been replaced with malicious firmware.

Although the threat actors must already have elevated privileges on the router to replace the firmware, the malicious firmware is used to establish persistent backdoor access and to obfuscate future malicious activity.

The modified firmware includes a built-in SSH backdoor that is enabled and disabled through specially crafted TCP or UDP packets.

The routers are compromised by first installing older legitimate firmware, which is then modified in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware.

To further hide their activity, BlackTech threat actors often obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results.

On a compromised router, the BlackTech-created EEM policy waits for specific commands to run and then either executes obfuscation measures or denies execution of the specified legitimate commands.
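As an added illustration (not code from the advisory or this article), the following Python check parses a constructed sample of Cisco IOS `show running-config` output and flags EEM applets of the kind described above: applets that register a synchronous CLI-pattern event and then set `_exit_status` to 0, which stops the operator's matched command from running, or that simply trigger on the show commands an administrator would use to verify the device. The applet names, hostname and TFTP address in the sample are invented.

```python
import re
# Constructed sample of Cisco IOS `show running-config` output (not captured from a
# real device): a benign scheduled applet plus one that intercepts show commands.
SAMPLE_RUNNING_CONFIG = """\
hostname branch-rtr-01
!
event manager applet backup_nightly
 event timer cron name nightly cron-entry "0 2 * * *"
 action 1.0 cli command "copy running-config tftp://10.0.0.5/branch.cfg"
!
event manager applet hide_from_ops
 event cli pattern "show (running-config|version|platform)" sync yes
 action 1.0 set _exit_status "0"
!
end
"""

CLI_EVENT = re.compile(r'^event cli pattern "(?P<pattern>[^"]*)"(?P<rest>.*)$')
EXIT_ZERO = re.compile(r'^action \S+ set _exit_status "?0"?')

def parse_eem_applets(config_text):
    # Map each 'event manager applet' name to its indented event and action lines.
    applets, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("event manager applet "):
            current = applets.setdefault(line.split()[3], {"events": [], "actions": []})
        elif current is not None and line.startswith(" "):
            body = line.strip()
            if body.startswith("event "):
                current["events"].append(body)
            elif body.startswith("action "):
                current["actions"].append(body)
        else:
            current = None  # any other top-level line closes the applet block
    return applets

def suspicious_applets(applets):
    findings = {}
    for name, applet in applets.items():
        reasons = []
        for match in filter(None, map(CLI_EVENT.match, applet["events"])):
            # 'sync yes' lets the applet decide whether the matched command runs;
            # a zero _exit_status silently drops the operator's command.
            if "sync yes" in match.group("rest") and any(EXIT_ZERO.match(a) for a in applet["actions"]):
                reasons.append("blocks matched CLI command via _exit_status 0")
            if "show" in match.group("pattern"):
                reasons.append("triggers on show commands used for verification")
        if reasons:
            findings[name] = reasons
    return findings
```

Because modified firmware and the EEM policies themselves can alter what the router reports, run this over a configuration copy obtained out-of-band or compare it against a known-good baseline rather than trusting live `show running-config` output alone.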