APT Threat Campaign

WhiteBear APT Campaign Spying Embassies and Consulates

WhiteBear APT Campaign
The security researchers at Kaspersky revealed an APT backdoor campaign that has been used to spy on consulates and embassies worldwide. The researchers have coined the term WhiteBear for the campaign.

The campaign is identified active since 2016 was associated with infamous Russian Turla APT group. The WhiteBear APT Campaign leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure.

Technical Details

Modus Operandi: The hacker delivers the malicious payload via spear phishing emails and compromises the targeted computers in two stages. In the first stage, the malware drops another backdoor dubbed Skipper, then installs the second stage backdoor, here in the case, Gazer backdoor.

The second-stage backdoor receives encrypted instructions from the hacker via C&C servers, using compromised, legitimate websites as a proxy. This helps them evade from some of the security solutions.

The researchers revealed that, earlier, the Turla APT group had used different second stage backdoor like; Carbon and Kazuar.

Most WhiteBear samples Kaspersky researchers received are signed with a valid code signing certificate issued by “Solid Loop Ltd”, a once-registered British organization

WhiteBear APT Architecture (source – ESET)

Binary:

Sample MD5: b099b82acb860d9a9a571515024b35f0
SHA256: 473aa2c3ace12abe8a54a088a08e00b7bd71bd66cda16673c308b903c796bec0
Type PE EXE
Compilation timestamp 2002.02.05 17:36:10 (GMT)
Linker version 10.0 (MSVC 2010)
Signature “Solid Loop Ldt” UTCTime 15/10/2015 00:00:00 GMT – UTCTime 14/10/2016 23:59:59 GMT

Command and Control

IP:
169.255.137[.]203
217.171.86[.]137
66.178.107[.]140

Domains:
soligro[.]comw
daybreakhealthcare[.]co[.]uk
implecreative[.]design
mydreamhoroscope[.]com

Targets

From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. By June 2017, WhiteBear activity shifted to include defense-related organizations.

WhiteBear targets over the course of a couple years are related to government foreign affairs, international organizations, and later, defense organizations. The geolocation of the incidents are below:

  • Europe
  • South Asia
  • Central Asia
  • East Asia
  • South America

Detection

Leveraging the automated malware detection process of Virus Total API, we could see Anti-Virus solution like Symantec, Kaspersky, McAfee, Microsoft etc. are capable of detecting the backdoor binary.

Virustotal detection result

However, if the similar solution at your organization is unable to detect the threat, we recommend you to block the associated command and control center IP’s and URL and closely monitor the network activity.

This APT activity was also a matter of research for ESET security researcher and they name the backdoor as Gazer.

About the author

Rumi