Stamping out the fire: The battle against spear phishing

FireEye unmasks major Chinese-based phishing attack

Tags: APT (advanced persistent threat)Cyber crimeFireEye (
  • E-Mail
Stamping out the fire: The battle against spear phishing Oppenheim notes that APT3 tends to target industries that align with Chinese interests
By  David Ndichu Published  August 28, 2015

FireEye recently uncovered a scheme by China-based APT3, a group also linked to similar attacks in the past such as the notorious Operation Clandestine Fox, to use spear phishing attacks in order to exploit a vulnerability in Adobe Flash Player.

Adobe was targeted as it’s a mainstay of many organizations and is utilized by millions around the world, representing a high-value target for threat actors, notes Mike Oppenheim, senior threat intelligence analyst at FireEye.

“Once a weak point is discovered in popular software like this, these cyber attackers can target and compromise a large number of victims with ease,” Oppenheim added.

APT3 is one of the more sophisticated threat groups tracked by FireEye Threat Intelligence and has been the first group to have access to a browser-based zero-day exploits (examples are Internet Explorer, Firefox and Adobe Flash Player), FireEye says.

After successfully exploiting a target host, APT3 will quickly dump credentials, move laterally to additional hosts and install custom backdoors. The group’s command-and-control (CnC) infrastructure is difficult to track, as there is little overlap across its campaigns.

Potentially, any organisation could be at risk to campaigns and attacks like this, observes Oppenheim. However, APT3 tends to specifically target industries that align with Chinese interests, he adds. These interests include information and networks that give Chinese companies and the government economic and technological advantages, or networks which have valuable human information, which the PLA (People’s Liberation Army) or the government is interested in.

“After this initial set of targets, the networks that are most at risk are those that have yet to implement the patch supplied by Adobe,” says Oppenheim.

Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts. Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the hapless victim’s system.

For this type of attack, users and networks will find it difficult to protect themselves once they have clicked the link embedded in the email prior to the patch, observes Oppenheim. Once the patch was released, the next tier of users and networks that are affected are those who have not implemented the Adobe patch for this zero–day threat, he adds.

FireEye and its consulting arm Mandiant believe that breaches are inevitable, says Oppenheim. “If a breach were to occur, we have both network and endpoint technology that will attempt to find and discover the attacker’s activity once they breach a network,” Oppenheim explains.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code