FireEye researchers say the cybercriminals are using updated versions of Ixeshe and Aumlib

Aug 12, 2013 13:58 GMT  ·  By

The Chinese hackers that attacked The New York Times and several other organizations went silent in January after reports were published about their tactics. Now they are back, and the new campaigns they are preparing will use improved versions of their malware.

According to FireEye researchers, the state-sponsored cybercriminals are rethinking their techniques, tactics and procedures (TTPs).

They’re now using updated versions of Aumlib, a piece of malware that, until this year, hadn’t been updated since May 2011, and Ixeshe, a threat that hadn’t evolved since at least December 2011.

“We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode. But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes,” experts noted.

The updated versions of the Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families were spotted around four months after The New York Times wrote about the attacks on the organization’s networks.

The changes made to Aumlib are subtle. However, experts warn they might be enough to bypass existing intrusion detection system (IDS) signatures written for the older variants.

Ixeshe, which has been mostly seen in attacks against East Asian organizations, has been observed in recent attacks against entities in Taiwan.

The Ixeshe sample analyzed by FireEye has a different network traffic pattern compared to previous variants, which might allow the threat to evade existing Ixeshe network traffic signatures.

“Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the ‘why’ is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will,” researchers explained.