Kaspersky Lab's Global Research and Analysis Team (GREAT) has discovered a group of hackers, likely operating from India, conducting aggressive cyber-espionage activity in the Asian region.
They target several diplomatic and government entities, focusing in particular on China and on international affairs relating to that country. The group is armed only with old exploits, and its tooling is no more sophisticated than its weapons.
They are also known to attempt attacks on high-profile targets in Western countries. The methods of the hacker group, called Dropping Elephant (also known as Chinastrats), could hardly be described as sophisticated.
The attackers rely heavily on social engineering together with low-budget malware and exploitation tooling. However, the approach appears to be quite effective, which has made the group a dangerous one.
From November 2015 until June 2016 the group profiled hundreds to thousands of targets around the world.
Moreover, within the first few months of operation they managed to steal documents from at least a few dozen of the victims they had previously targeted.
For the early target-profiling stage, Dropping Elephant mass-mails a number of email addresses collected on the basis of the target's relevance to the group's goals.
The spear-phishing emails contain a reference to content that is hosted remotely: it is not attached to the email itself but is downloaded from an external source. The email carries no malicious payload; instead, when the target opens it, a "ping" request is sent to the attacker's server.
That request automatically sends a message containing basic information about the recipient, such as IP address, browser type, device used and location.
After using this simple method to filter out the most valuable targets, the hackers proceed to the next step: tailored spear-phishing emails.
This step uses a Word document exploiting CVE-2012-015 or a PowerPoint slideshow exploiting the CVE-2014-6352 vulnerability in Microsoft Office. Both exploits are common and have been known for a long time, but they are still effective.
Some victims are instead targeted through watering-hole attacks, in which they receive a link to a website masquerading as a political news portal focused on China's external affairs. Most of the links on this website lead to additional content in the form of PPS (PowerPoint slideshow) files carrying a malicious payload.
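As an added example (not code from the report or from Kaspersky), the following Python check inspects a raw email for the two lure traits described above: remote, non-attached content that beacons to an external server when the message is opened, and links or attachments pointing at PPS/Office files. The sample message and its hosts are constructed for the demonstration.

```python
# Defensive check for the lure traits described above: remote content that beacons on
# open (leaking IP, browser, device) and PPS/Office lures. Added example; hosts are made up.
import email, re
from email import policy
from html.parser import HTMLParser

RISKY_EXT = (".pps", ".ppt", ".pptx", ".doc", ".docx", ".rtf")
SAMPLE_EML = b"""From: news@example-portal.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the full briefing below.</p>
<img src="http://tracker.example-portal.test/open.gif?id=1234" width="1" height="1">
<a href="http://cdn.example-portal.test/briefing.pps">Download slides</a></body></html>
--b1
Content-Disposition: attachment; filename="briefing.pps"

--b1--
"""

class _RemoteRefs(HTMLParser):
    # Collect external URLs; a 1x1 remote <img> is the classic "message opened" beacon.
    def __init__(self):
        super().__init__()
        self.refs, self.beacons = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if url and re.match(r"https?://", url, re.I):
            self.refs.append(url)
            if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
                self.beacons.append(url)

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    f = {"remote_refs": [], "beacons": [], "office_links": [], "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = _RemoteRefs()
            p.feed(part.get_content())
            f["remote_refs"] += p.refs
            f["beacons"] += p.beacons
            f["office_links"] += [u for u in p.refs if u.lower().endswith(RISKY_EXT)]
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            f["attachments"].append(name)  # Office/PPS file delivered directly
    f["verdict"] = "suspicious" if f["beacons"] or f["office_links"] or f["attachments"] else "clean"
    return f
```

Run `analyze()` over messages from a mail gateway quarantine; the `remote_refs` list is also what to block or proxy so the open does not leak the recipient's IP and browser details.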
Although the vulnerabilities used in these attacks have been patched by Microsoft, the attackers can still rely on social-engineering tricks to compromise their targets, especially if the targets ignore the security warnings displayed and agree to enable dangerous features in the document.
The content of these malicious PPS files consists of carefully selected original news articles on much-discussed geopolitical topics, which makes the document look trustworthy and more likely to be opened. As a result, many targets become infected.
Once the vulnerability has been exploited, various malicious tools are installed on the victim's machine. These tools then collect and send the following types of data to the attacker: Word documents, Excel spreadsheets, PowerPoint presentations, PDF files and login credentials stored in the browser.
Besides social engineering and exploits, one of Dropping Elephant's backdoors uses a C&C communication method borrowed from other threat actors: it hides the actual location of the C&C servers by posting comments on articles on legitimate public websites.
This technique has been observed before, although executed in a much more complex form, in an operation by the Miniduke actors and other threats. It is done to make investigation of the attack more complicated.