External Threat Management Labs

Just How Much Threat Activity Can You Link Together With a Cookie?

In part one of RiskIQ's 'Adventures in Cookie Land' report, our researchers tapped RiskIQ's Internet Intelligence Graph to link a cookie associated with a malicious Chinoxy malware sample used by the Roaming Tiger APT to a trove of new threat activity. These newly unearthed malware campaigns targeted East Asian Governments, CIS, Universities, Government contractors, and members of the Tibetan diaspora, with some 2020 campaigns using COVID-19-themed attacks to increase the likelihood of success. 

In part two of this research, we played the role of threat cartographers to see just how far we could take this single indicator, expanding on our findings from part one to uncover even more threat infrastructure. We leveraged our unique visibility to enumerate APT-related attack-infrastructure with thousands of observables spanning different threat actor groups and campaigns. 

By finding commonalities and patterns in this infrastructure, RiskIQ showed that several disparate threat groups used different variants of a similar backdoor over time. The base64-encoded version of the same cookie value used in part one led us to threat activity associated with Goblin Panda, several other groups using the ICEFOG malware, the group behind the "WATERFIGHT" campaign (which currently lacks a public name), and several other active threat groups. 

IPs and Domains

Continuing to leverage RiskIQ's Internet Intelligence Graph, we tied this modified indicator to a new set of nine unique IP addresses. The most interesting of these belonged to a netblock owned by Vultr, a subsidiary of Choopa. This IP address hosted several domains beginning in December 2019, all of which have been tied to threat activity. 

Many of these domains were free DynamicDNS domains. We enriched this list of domains via the PassiveTotal API and located three more connected IP addresses. One of these IP addresses was owned by Digital Ocean and had historically hosted several DynamicDNS domains associated with threat activity.

RiskIQ researchers connected these domains to more IP addresses and, in turn, more domains that have appeared in previous publications, OSINT, or sandbox analyses. Looking at this OSINT, it seemed these domains aligned with those described in FireEye's ICEFOG analysis. The original ICEFOG group was a China-based threat actor last seen prior to Kaspersky's publication in 2013. The original threat actor primarily conducted espionage campaigns against government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and other defense-related industries. Its targets were located mainly in the United States, Taiwan, Japan, and South Korea.

Newer activity using similar malware has been attributed to multiple CN-APT groups, including APT9, APT15, and those behind the WATERFIGHT campaign. More recent targets included the governments of Kyrgyzstan, Kazakhstan, Uzbekistan, and Tajikistan, among others.

Creating an even broader picture of the threat landscape surrounding this single cookie, we traced the ICEFOG domains to additional IP addresses, several of which tied to what appeared to be a staging server linked to disparate infrastructure used in other distinct threat campaigns.
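The pivoting described above (cookie value and its base64 form, to IPs, to the domains they hosted, to further IPs) is a graph walk over passive-DNS-style observations. The script below is an added illustration of that walk and is not RiskIQ code; it does not call the PassiveTotal API, and every observation in it is constructed (RFC 5737 test addresses and .example names), not an indicator from the report. The hop limit shows why an analyst bounds the walk: each extra hop pulls in more infrastructure that must be vetted before it is attributed.

```python
import base64
from collections import deque

# Constructed sample observations: (type, value, linked_type, linked_value).
# Placeholders only (RFC 5737 test addresses, .example names); none are IoCs from the report.
OBSERVATIONS = [
    ("cookie", "session=abc123", "ip", "203.0.113.10"),
    # The base64-encoded form of the same cookie value appears as a distinct string
    # in telemetry, so it is recorded as its own node (value computed by cookie_variants).
    ("cookie", "c2Vzc2lvbj1hYmMxMjM=", "ip", "203.0.113.20"),
    ("ip", "203.0.113.20", "domain", "update.ddns-sample.example"),
    ("domain", "update.ddns-sample.example", "ip", "198.51.100.5"),
    ("ip", "198.51.100.5", "domain", "mail.ddns-sample.example"),
    ("ip", "192.0.2.77", "domain", "unrelated.example"),  # not connected to the seed
]


def cookie_variants(value: str) -> set[str]:
    """Return the raw cookie value plus its base64 encoding; both are used as pivot seeds."""
    encoded = base64.b64encode(value.encode()).decode()
    return {value, encoded}


def build_graph(observations):
    """Undirected adjacency map keyed by (type, value) nodes."""
    graph = {}
    for t1, v1, t2, v2 in observations:
        a, b = (t1, v1), (t2, v2)
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def pivot_from_cookie(cookie: str, observations, max_hops: int = 3):
    """Breadth-first pivot from the cookie (raw and base64 forms) through IPs and domains.

    Returns {(type, value): hops_from_seed} for every indicator reached within max_hops.
    """
    graph = build_graph(observations)
    seeds = [("cookie", v) for v in cookie_variants(cookie)]
    hops = {s: 0 for s in seeds if s in graph}
    queue = deque(hops)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue  # stop expanding once the hop budget is spent
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def reached(hops, kind):
    """Values of one indicator type, ordered by distance from the seed."""
    return [v for (t, v), _ in sorted(hops.items(), key=lambda kv: kv[1]) if t == kind]


if __name__ == "__main__":
    result = pivot_from_cookie("session=abc123", OBSERVATIONS, max_hops=4)
    for node, distance in sorted(result.items(), key=lambda kv: kv[1]):
        print(f"{distance} hop(s): {node[0]} {node[1]}")
```

In practice the observation list would be fed from passive DNS, sandbox reports, or WHOIS data, and each hop's results reviewed for shared hosting or parked infrastructure before being added to a cluster.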

One set of this linked infrastructure, in particular, targeted both Tajikistan and Uzbekistan at different points in time. One of these attacks was part of a campaign FireEye dubbed "WATERFIGHT," but the others appear to be unknown. Users of PassiveTotal Enterprise Edition can investigate the associated indicators there. 

Hashes and Malware

RiskIQ also uncovered several malicious hashes related to the WATERFIGHT activity available in VirusTotal. One of these hashes was a dynamic link library (DLL) with a single export. This file was a backdoor that appeared to be a variant of the infamous PoisonIvy RAT. The backdoor contained some unused proxying functionality from which RiskIQ was able to identify nine other similar hashes. 

RiskIQ found the parent file of the first backdoor analyzed, which was sourced from an IP address in Kyrgyzstan, and identified six related droppers for the PoisonIvy backdoors, some with different functionality. Several of the domains associated with the PoisonIvy samples above led to other unique clusters of malicious activity. These indicators are available to our Enterprise customers.

What's It Mean?

Similarities between campaigns are an observable behavior for threat analysts tracking them. Threat actors can reuse the same tactics, malware, and even infrastructure to achieve their objectives. It's important to bear that in mind when clustering activity sets together. Starting with the unique data sets in RiskIQ PassiveTotal built upon RiskIQ's Internet Intelligence Graph, analysts can quickly enumerate infrastructure related to seemingly disparate campaigns to paint a vivid picture of the threat landscape targeting their organization. 

To read the full report and explore the comprehensive list of IOCs, visit the Threat Intelligence Portal in RiskIQ PassiveTotal. Sign up with a corporate email address for a free month of enterprise access. 
