Team believed to be associated with China Cracking Group

Aug 1, 2014 11:50 GMT

A group of hackers believed to be associated with the China Cracking Group and to have been active since 2009 has been found targeting companies in the entertainment and video game industry in order to steal source code used to build cracks and cheats for games.

Dell SecureWorks Counter Threat Unit (CTU) named the group Threat Group-3279 (TG-3279), and their investigation determined that the hackers relied on a wide range of utilities for gathering information about the targets and gaining access to their systems. Some of the tools used in the incidents appear to have been created by members of the group.

Among the tools employed in TG-3279 operations is a remote access Trojan (RAT) called Conpee, which has a modular architecture and supports a wide variety of plugins that extend its functionality.

Additional utilities indicating activity of the group on a system include a system profiling tool (gsi.exe) and a rootkit designed to hide network and file activity (Etso).

They also use a SYN port scanner, a PHP SQL injection script, and Python scripts for enumerating DNS entries from a word list and for brute-forcing Remote Desktop Protocol (RDP) usernames and passwords. Also found was a reverse shell (icmp_shell) that runs on Windows hosts and communicates over ICMP traffic.

Before attacking a target, TG-3279 performs reconnaissance, both by scanning the target's network and by gathering publicly available information.

As far as exploitation techniques are concerned, “CTU researchers have not discovered packaged exploits used by TG-3279 and believe that the threat actors rely on active hands-on-keyboard techniques to exploit targets.”

The researchers note that TG-3279 maintained a persistent presence on the affected systems, updating the tools already deployed there to more recent versions.

They also observed that some of the tools used in the attacks on Windows 7 computers were digitally signed with valid certificates; this makes them harder to detect, because the user is not prompted for permission to run the malicious program.

It appears that the certificate used was revoked in August 2012, although the tools were signed in February 2013. This indicates that the signing certificate was stolen and that the certificate revocation list (CRL) on the compromised host had not been updated; otherwise the signature would have been flagged as invalid.
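A defender-side check of the reasoning above (signing time versus revocation time, and why a stale CRL hides the problem), added here as an illustration; it is not code from the CTU report or this article. The serial number and exact dates are constructed placeholders, with only the ordering (revoked August 2012, signed February 2013) taken from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Tuple


@dataclass
class Crl:
    """Minimal model of a Certificate Revocation List: when it was issued,
    when the next one is due, and a map of serial number -> revocation time."""
    this_update: datetime
    next_update: datetime
    revoked: Dict[str, datetime] = field(default_factory=dict)


def evaluate_signature(serial: str, signed_at: datetime,
                       crl: Optional[Crl], now: datetime) -> Tuple[str, str]:
    """Classify a code signature from the signer's serial, the signing time
    and the CRL the host currently holds. Returns (verdict, reason)."""
    # A missing or expired CRL means revocation status is unknown; a host in
    # that state is exactly the one that lets a revoked-then-reused cert through.
    if crl is None or crl.next_update < now:
        return "unknown", "CRL missing or past nextUpdate; refresh before trusting"
    revoked_at = crl.revoked.get(serial)
    if revoked_at is None:
        return "trusted", "certificate not listed on a current CRL"
    if signed_at > revoked_at:
        # Signature produced after the owner revoked the cert: the private key
        # was in someone else's hands, which is the pattern the article describes.
        return "untrusted", "signed after revocation (stolen-key indicator)"
    return "suspicious", "revoked after signing; review the signing timestamp"


# Constructed sample data (placeholders, not values from the report).
SERIAL = "placeholder-serial-01"
REVOKED_AT = datetime(2012, 8, 15)
SIGNED_AT = datetime(2013, 2, 10)
NOW = datetime(2014, 8, 1)

# A CRL fetched recently by a well-maintained host.
FRESH_CRL = Crl(this_update=datetime(2014, 7, 25),
                next_update=datetime(2014, 8, 8),
                revoked={SERIAL: REVOKED_AT})
# A CRL the compromised host downloaded once in mid-2012 and never refreshed.
STALE_CRL = Crl(this_update=datetime(2012, 6, 1),
                next_update=datetime(2012, 6, 15))

if __name__ == "__main__":
    print(evaluate_signature(SERIAL, SIGNED_AT, FRESH_CRL, NOW))
    print(evaluate_signature(SERIAL, SIGNED_AT, STALE_CRL, NOW))
```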

“TG-3279 actors strive to access network and system administrators' accounts to gain the most access to the target organization. After initial exploitation, TG-3279 relies on a few key hosts (typically the hosts of system or network administrators, document repositories, and domain controllers) to act as beachheads running the Conpee or Etso tools,” a post from the CTU team says.

CTU has identified two members of the group, going by the online personas Sincoder and Laurentiu Moon Colonce.