Wednesday, March 28, 2012

The Luckycat Hackers


A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after.


The most useful information about the attackers is in one of the log files retrieved from a C&C server. This log file appears to record connections to an FTP server running on the C&C server. The attackers probably use FTP to easily retrieve stolen data uploaded to the C&C server. 45 unique IP addresses were identified in the log. Of these, all but two are from the same ISP, based in Sichuan province in China. The remaining two are from South Korea.

Despite this, the IP address used for the new connection changes regularly. In figure 7, during a period of approximately an hour and 15 minutes, four different IP addresses were used for six distinct connections. This is unusual because if the attacker is using DHCP, generally an IP address will remain allocated to a particular computer for a longer period of time.

A possible explanation is that the IP addresses used are the point of egress of a VPN-like service. The attackers may be using a service through which they can route their connections. The service periodically rotates connections amongst a pool of IP addresses in order to render the attacker anonymous or implicate China as the source of the attack. There are two potential reasons for the South Korean IP addresses. The first is that the IP addresses are part of the VPN service and were assigned to the attacker as the service rotated through the range of IP addresses available. The second explanation is that the attacker may have forgotten to enable the VPN by mistake and connected directly to the C&C server.

No comments:

Post a Comment