From: Dark Reading

Researcher uncovers hundreds of different custom malware families used by cyberspies — and discovers an Asian security company conducting cyberespionage

By Kelly Jackson Higgins

Turns out cyberespionage malware and activity is far more prolific than imagined: a renowned researcher has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing.

“There are so many families of malware. Based on my knowledge of public reports, I had a feeling there was a certain amount of activity … If I had to guess how many families were out there, [it was] a few dozen,” says Joe Stewart, director of malware research at Dell Secureworks. “But no, I kept discovering one after another … They were all different, but basically do the same thing.”

Stewart also unearthed a private security firm located in Asian — not in China — that is waging a targeted attack against another country’s military operations, as well as spying on U.S. and European companies and its own country’s journalists. He declined to provide details on the firm or its country of origin, but confirmed that it’s based in a nation that’s friendly with the U.S.

“They are selling a range of services, including ethical hacking classes,” he says. “Their own government is using their services.”

The company has its own malware, and is using spear-phishing and backdoors in its cyberespionage operations.

Stewart says he’s unsure if this type of spying activity under the guise of a legitimate company is just the tip of the iceberg. “There are plenty of examples of companies who paid a hacker to spy,” he says.  This one is different, however, he says.

“They’ve got lots of domains registered, lots of malware,” he says. “I worry that we will start to see a legitimization of this activity because governments are admitting to doing it,” he says.

Dell Secureworks’ team also found more than 1,100 domain names registered by APT-type groups for hosting malware command and control or phishing, and around 2,200 subdomains under that for command and control malware resolution.  And the Htran tool used by Chinese APTs is still widely employed by attackers.

Complicating things further is that attribution can be tricky. While China conducts the majority of advanced persistent threat-type campaigns, attackers from other nations have been spotted posing as Chinese attackers to throw off researchers and investigators.

“It’s very easy to jump to conclusions when it comes to attribution. You can copy digital fingerprints to appear like China,” for example, says Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab.

Even more worrisome are the emerging hacking communities in Brazil and the Middle East getting into the act as well. “There’s a very active hacking community in the Middle East — Turkey — and in Brazil, Just like you’re seeing with China,” says Greg Hoglund, CTO at ManTech CSI and founder of HBGary, now a division of ManTech. “They grow up on e-crime, cut their teeth on it. They are skilled at hacking and run scams on the side.”

And according to recent research conducted by HBGary, the number of Chinese cyberespionage groups has actually declined — most likely due to consolidation. “The number of APT groups is going down, not up,” Hoglund wrote in a blog post last weekon HBGary’s link-analysis on APT groups out of China.

“Our link analysis reveals surprising, non-obvious connections between APT groups. The group list is being consolidated, not expanded. In numerous cases, what appear to be different groups are actually the same, ” Hoglund said. “We have also seen other trends such as overlap between nation-state and e-Crime attacks – Chinese hackers committing both crimes. It would be easier to say ‘The Chinese Are Coming!’ and leave it at that.”

Dell Secureworks’ Stewart says overall, the APT malware he’s seeing isn’t necessarily advanced. “But the whole operation and how they are approaching it is advanced, with spearphishing and they types of exploits they have access to. That’s very advanced stuff,” he says.

His team earlier this year also found a widespread APT campaign targeting Japan:  several government ministries, universities, news media, trade organizations, and industrial equipment manufacturers, were in the bull’s eye.

But there’s plenty more out there, security experts say. “There’s a lot of cyberespionage happening internationally. This is not going to go away,” Kaspersky’s Schouwenberg says.

Dell Secureworks’ Stewart plans to continue hunting down APT attackers. “We will see how many more we can find in the next six- to 12-months and how they react to being outed,” he says.

Said HBGary’s Hoglund: “One thing is very clear about Chinese hackers: they have a long history. Many of the hackers know each other, have social links, potentially trade malware and tools, etc. As we have expanded our threat intelligence around Chinese APT, it has become very clear that it’s not about number of groups. Chinese APT is an emulsion of largely similar intentions, tools, and backstories.”

The full report by Dell Secureworks’ Stewart is available here.