Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRE
T//
NOFORN
Pique Analysis Report
20150814-256-CSIR-15005-Stalker Panda
Ra
y
theon Blackbird Technolo
g
i
es,
Inc. 1 14 Au
g
ust 2015
Use or disclosure of data contained on this sheet is su
bje
ct to the restrictions on the title
page
of this document.
SECRE
T//
NOFORN
1.0 (U) Analysis Summary
(S//NF) This report outlines the series of attacks and tools attributed to a suspected Chinese
affiliated group known as “Stalker Panda.” The group appears to have close ties to the Chinese
National University of Defense and Technology, which is possibly linked to the PLA. Stalker
Panda has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the
United States. The attacks appear to be centered on political, media, and engineering sectors. The
group appears to have been active since around 2010 and they maintain and upgrade their tools
regularly.
(S//NF) Stalker Panda has been observed using several different RATs that seem to be exclusive
to the group. The RATs the group uses are Elirks, SharpServer, Blogspot, and the XUni
platform. Elirks is the subject of Pique report 20150814-257-CSIT-15016-Elirks. SharpServer
was developed for .Net.
(S//NF) A fairly unique aspect of the observed Stalker Panda attacks is their use of social media
and blog sites as first stage (cutout) command and control (C2) infrastructure. This 2-stage C2
infrastructure provides some obfuscation of the main C2 servers and provides some flexibility in
communications because the first stage social media/blog site nodes can be reconfigured at will.
(S//NF) Stalker Panda seems to favor spear phishing email campaigns as their attack vector. A
cases, the victims were social engineered into browsing to a compromised website that leveraged
CVE-2014-6332 (Windows OLE vulnerability). Once the vulnerability is triggered, malicious
content is downloaded to the victim’s machine using a PowerShell script. In other instances,
Stalker Panda has been observed attaching malicious documents (.PDF) to their email spears
leveraging CVE-2011-0611 (Adobe Flash, Reader, and Acrobat vulnerability).
(S//NF) Stalker Panda’s current ‘go to’ implant appears to be Elirks, which is detailed in another
report, however we’ll provide a brief overview here. Elirks uses a standard persistence technique
whereby they create a shortcut in the victim’s startup folder. Elirks uses an interesting custom
cryptographic routing to provide obfuscation. The configuration file is stored in the binary
encrypted, and the decryption key itself is also encrypted. The algorithm combines 8 DWORDs
with Boolean operations (right-shift 25 bits and left-shift 7 bits) to derive a 16-bit key. The
resulting key is used with a modified AES-128 algorithm where the key expansion function uses
a bit-rotation of 8 bits to the right (ROR-8) instead of left as specified in the AES standard. The
capabilities once on platform. Elirks uses the multi-stage C2 communications pattern with social
media or blog sites as the first node.
(S//NF) SharpServer is a .Net-based RAT with similar capabilities as Elirks, but without a
persistence mechanism. The code is obfuscated with .Net’s dotfuscator (which is fairly easy to
reverse). The report mentions that SharpServer exhibits a “low level of sophistication.”
(S//NF) Blogspot is a RAT that also uses the multi-stage C2 infrastructure as does Elirks and
SharpServer. Blogspot differs from Elirks and SharpServer in one respect, Elirks and
SharpServer have the next-stage C2 information stored in the form visible to arbitrary website
visitors, Blogspot’s tokens do not render and are not visible to other visitors. There is nothing
interesting, unique, or sophisticated about the Blogspot RAT.

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh