Spring Dragon is a long-running APT actor that operates on a massive scale. The group has been running campaigns, mostly in countries and territories around the South China Sea, since as early as 2012. The main targets of Spring Dragon attacks are high-profile governmental organizations and political parties, education institutions such as universities, as well as companies from the telecommunications sector.
In the beginning of 2017, Kaspersky Lab became aware of new activities by an APT actor we have been tracking for several years called Spring Dragon (also known as LotusBlossom).
Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s tools, techniques and activities.
Using Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations around the South China Sea.
Spring Dragon is known for spear phishing and watering hole techniques, and some of its tools have previously been analyzed and reported on by security researchers, including Kaspersky Lab. We collected a large set (600+) of malware samples used in different attacks, with customized C2 addresses and campaign codes hardcoded in the malware samples.
Spring Dragon’s Toolset
The threat actor behind the Spring Dragon APT has been developing and updating its range of tools throughout the years it has been operational. Its toolset consists of various backdoor modules with unique characteristics and functionalities.
The threat actor owns a large C2 infrastructure which comprises more than 200 unique IP addresses and C2 domains.
The large number of samples which we’ve managed to collect have customized configuration data: different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for the malware on a victim’s system. This is designed to make detection more difficult.
All the backdoor modules in the APT’s toolset are capable of downloading more files onto the victim’s machine, uploading files to the attacker’s servers, and also executing any executable file or any command on the victim’s machine. These functionalities enable the attackers to undertake different malicious activities on the victim’s machine.
A detailed analysis of known malicious tools used by this threat actor is available for customers of Kaspersky Threat Intelligence Services.
Command and control (C2) Infrastructure
The main modules in Spring Dragon attacks are backdoor files containing IP addresses and domain names of C2 servers. We collected and analyzed information from a large number of C2 IP addresses and domains used in different samples of Spring Dragon tools that have been compiled over the years.
In order to hide their real location, the attackers have registered domain names and used IP addresses from different geographical locations. The chart below shows the distribution, by geographical location, of the servers which the attackers used as their C2 servers.
Distribution chart of C2 servers by country
More than 40% of all the C2 servers used for Spring Dragon’s operations are located in Hong Kong, which hints at the geographical region (Asia) of the attackers and/or their targets. The next most common countries are the US, Germany, China and Japan.
Targets of the attacks
As was mentioned, the Spring Dragon threat actor has been mainly targeting countries and territories around the South China Sea with a particular focus on Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.
Our analysis shows that the main targets of the attacks are in the following sectors and industries:
- high-profile governmental agencies
- Political parties
- Education institutions, including universities
- Companies from the telecommunications sector
The following map shows the geographic distribution of attacks according to our telemetry, with the frequency of the attacks increasing from yellow to red.
Geographic map of attacks
Origin of the attacks
The victims of this threat actor have always been mainly governmental organizations and political parties. These are known to be of most interest to state-supported groups.
The malicious tools the actor has implemented over time are mostly backdoor files capable of stealing data from victims’ systems, downloading and executing additional malware components, as well as running system commands on victims’ machines. This suggests an intention to search for and manually collect information (cyberespionage). This activity is most commonly associated with the interests of state-sponsored attackers.
As a routine analysis procedure, we decided to estimate the attackers’ possible time zone using the malware compilation timestamps from a large number of Spring Dragon samples. The following diagram shows the frequency of the timestamps during daytime hours. The timestamps range from early 2012 until now and are aligned to the GMT time zone.
Assuming the peak working hours of the malware developers are the standard working day of 09:00-17:00, the chart suggests that compilation took place in the GMT+8 time zone. It also suggests that either there is a second group working a different shift in the same time zone, or the attackers are cross-continental and there is another group, possibly in Europe. The uneven distribution of timestamps (low activity around 10am and 7-8pm UTC) suggests that the attackers did not change the timestamps to random or constant values, so they could be real.
Histogram of malware files’ timestamps
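As an added illustration of the timestamp analysis described above (example code written for this page, not Kaspersky Lab’s tooling), the following Python script reads the TimeDateStamp field from a PE header, builds an hour-of-day histogram in UTC, and scores each candidate UTC offset by the share of samples that fall inside an assumed 09:00-17:00 working day. The sample timestamps, the minimal PE header and the function names are all constructed for the example; a real analysis would feed it the timestamps of the collected samples instead.

```python
# Added example: estimating an actor's working time zone from PE compile
# timestamps. Not Kaspersky Lab's tooling; the inputs below are constructed.
import struct
from collections import Counter
from datetime import datetime, timezone

WORK_START, WORK_END = 9, 17   # assumed 09:00-17:00 working day (local time)


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the 4-byte signature:
    # Machine (2) | NumberOfSections (2) | TimeDateStamp (4) | ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_fake_pe(ts: int) -> bytes:
    """Build a minimal, constructed MZ/PE header carrying the given timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff = struct.pack("<HHI", 0x014C, 3, ts) + bytes(12)  # i386, 3 sections
    return bytes(dos) + b"PE\0\0" + coff


def hour_histogram(timestamps):
    """Count samples per UTC hour of day, like the histogram in the report."""
    hist = Counter()
    for ts in timestamps:
        hist[datetime.fromtimestamp(ts, tz=timezone.utc).hour] += 1
    return hist


def working_hours_fit(hist, offset):
    """Fraction of samples compiled within the working day for a given UTC offset."""
    total = sum(hist.values())
    inside = sum(n for hour, n in hist.items()
                 if WORK_START <= (hour + offset) % 24 < WORK_END)
    return inside / total if total else 0.0


def best_offset(timestamps, candidates=range(-12, 15)):
    """UTC offset whose working day covers the most compile timestamps."""
    hist = hour_histogram(timestamps)
    # Ties are broken in favour of the offset closest to UTC.
    return max(candidates, key=lambda off: (working_hours_fit(hist, off), -abs(off)))


# Constructed sample: UTC hours clustered at 01:00-08:00 (09:00-16:00 in GMT+8),
# plus a few outliers, on an arbitrary 2013 date.
SAMPLE_TIMESTAMPS = [
    int(datetime(2013, 3, 5, h, tzinfo=timezone.utc).timestamp())
    for h in (1, 2, 2, 3, 3, 4, 5, 5, 6, 7, 8, 8, 12, 13, 22)
]

if __name__ == "__main__":
    ts = [pe_compile_timestamp(make_fake_pe(t)) for t in SAMPLE_TIMESTAMPS]
    hist = hour_histogram(ts)
    for off in (0, 8, -5):
        print(f"UTC{off:+d}: {working_hours_fit(hist, off):.0%} inside working hours")
    print("best-fitting offset: UTC%+d" % best_offset(ts))
```

The fit score is deliberately simple: it only asks which offset places the most compilations inside a nine-to-five day, so a second cluster of timestamps (the possible second shift or European group mentioned above) shows up as a lower overall score rather than being identified separately, and a flat histogram across all 24 hours is the sign of forged or zeroed timestamps that the report rules out.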
Spring Dragon is one of many long-running APT campaigns by unknown Chinese-speaking actors. The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this.
We believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it is therefore worthwhile having good detection mechanisms (such as Yara rules and network IDS signatures) in place. We will continue to track this group going forward and, should the actor resurface, we will provide updates on its new modus operandi.
More information is available to Kaspersky Lab private report subscribers. Please contact [email protected]
Below is the list of public references and reports related to the Spring Dragon attackers:
- Securelist – https://securelist.com/blog/research/70726/the-spring-dragon-apt/
- Palo Alto Networks – http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/
- Palo Alto Networks IoCs – https://github.com/pan-unit42/iocs/tree/master/lotusblossom
- Palo Alto Networks 2 – http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/
- Palo Alto Networks Unit 42, full report – https://app.box.com/s/xhn6ru62qqom1kuxoe3mxnqrtb1sqw2q
- TrendMicro – http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments
- TrendMicro – http://s.itho.me/infosec/2016/AT8.pdf
- PwC – http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html