Infiltrated dot Net

Shady Rats and Poison Ivy
Written by J. Oquendo   

Researchers at F-Secure were able to locate the initial message sent to EMC employees that ultimately led to the RSA breach. [1] F-Secure's disclosure of what the file was, what it did, and the C&C (command and control) addresses made me do a "wait a minute!!!"

As many may recall, the theme is always centered on China: the Advanced Persistent Boogeyman. However, was China really behind the RSA attack? Enquiring minds want to know, especially considering who maintains *known* trash on that IP space. You see, according to F-Secure's information, the command and control servers (good.mincesur.com, mincesur.com, 119.70.119.30) did not belong to China or "known Chinese APT sources"; rather, they belonged to known RBN addresses. [2,3] They were also flagged in the SANS Internet Storm Center diary back in early March. [4,5] Right now, you can still connect to that server to listen to Parazitii, B.U.G. Mafia, Grasu XXL and other Romanian rappers. [6]

So although the netblock for the IP traces back to South Korea, we have enough information to know that RBNers may have been involved. This sort of changes up the projected source of attribution, doesn't it? What are the possible outcomes if the RBN was involved? Well, I have never heard of the RBN targeting data on that level. Usually, RBNers are after a surefire hit: credit card or banking information. For those NOT in the know, the RBN also moved from Russia to China [7], albeit briefly, but researchers in quite a few groups can place them as being in South Korea. Makes one wonder [8]: "Is it all (compromises) China?" Doubtful.

Since it's Friday and we're preparing for a storm slash hurricane, I just wanted to throw this tidbit of information out there for other analysts. Something doesn't add up. RBNers usually take adequate steps to lock down their machines (C&Cs). To think that China went and compromised an RBN server to launch an attack would be rather moronic; they could have outright paid someone under the table to do the same (compromise RSA, or at least try).

If the current information holds true, that the first instance of the infected file "2011 Recruitment plan.xls" hitting EMC came in March, this would make the RSA hack the work of the RBN and not China. We could theorize that perhaps China paid the RBN, or that China hacked the RBN and pivoted, whatever we'd like. Facts are what they are, though, and they don't point to China. If we used McAfee's information from their "Shady Rat" article [9], we would get HTRAN as the backdoor of choice for APTs, while here, in the RSA hack, we have Poison Ivy, which was (and maybe still is) the choice of RBNers [10].

Who knows how this all plays out. Realistically, unless the culprits out themselves, the likelihood of ever determining what occurred is rather low. Therefore I speculate that "the Shady Rat was scratching because he was exposed to Poison Ivy in Korea on his stopover from Russia." Da




[1] http://www.f-secure.com/weblog/archives/00002226.html
[2] http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_4-3-2011.txt
[3] http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_5-9-2011.txt
[4] http://isc.sans.edu/diary.html?storyid=10549&rss
[5] http://nevis-blog.com/2011/03/adobe-flash-0-day-in-the-wild/
[6] http://www.radioflood.com/detail/21171.html
[7] http://www.eweek.com/c/a/Security/RBN-Gang-Moves-Sets-Up-Shop-in-China/
[8] http://www.infowar-monitor.net/2011/08/35-million-accounts-vulnerable-after-new-hacks-hit-south-korea-tech-industry/
[9] http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat
[10] http://www.securelist.com/en/analysis/204792051/Kaspersky_Security_Bulletin_Malware_evolution_2008