MONSOON – ANALYSIS OF AN APT CAMPAIGN
monsoon-analysis-apt-campaign?utm_source=Labs&utm_medium=blog&utm_content=monsoon_whitepaper&utm_campaign=monsoon
monsoon-analysis-apt-campaign?utm_source=Labs&utm_medium=blog&utm_content=monsoon_whitepaper&utm_campaign=monsoon
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Forcepoint Security Labs | Special Investigations<br />
EXECUTIVE SUMMARY<br />
<strong>MONSOON</strong> is the name given to the Forcepoint Security Labs<br />
investigation into an ongoing espionage campaign that the Special<br />
Investigations team have been tracking and analysing since May 2016.<br />
The overarching campaign appears to target both Chinese nationals<br />
within different industries and government agencies in Southern Asia. It<br />
appears to have started in December 2015 and is still ongoing as of July<br />
2016.<br />
Amongst the evidence gathered during the <strong>MONSOON</strong> investigation were<br />
a number of indicators which make it highly probable 1 that this adversary<br />
and the OPERATION H<strong>AN</strong>GOVER [1], [2] adversary are one and the<br />
same. These indicator include the use of the same infrastructure for the<br />
attacks, similar Tactics, Techniques and Procedures (TTPs), the targeting<br />
of demographically similar victims and operating geographically within the<br />
Indian Subcontinent.<br />
The malware components used in <strong>MONSOON</strong> are typically distributed through weaponised documents<br />
sent through e-mail to specifically chosen targets. Themes of these documents are usually political in<br />
nature and taken from recent publications on topical current affairs. Several malware components have<br />
been used in this operation including Unknown Logger Public, TINYTYPHON, BADNEWS, and an AutoIt<br />
[3] backdoor.<br />
BADNEWS is particularly interesting, containing resilient command-and-control (C&C) capability using RSS<br />
feeds, Github, forums, blogs and Dynamic DNS hosts.<br />
This whitepaper provides an in-depth understanding and insight into the actors and their campaign. It<br />
includes detailed analysis and findings, previously undocumented malware components, victims, and<br />
infrastructure involved.<br />
ACKNOWLEDGEMENTS<br />
“More information is always<br />
better than less. When<br />
people know the reason<br />
things are happening, even if<br />
it's bad news, they can<br />
adjust their expectations and<br />
react accordingly. Keeping<br />
people in the dark only<br />
serves to stir negative<br />
emotions”.<br />
Simon Sinek<br />
We would like to acknowledge both Kaspersky and Cymmetria [4] who have published their own research<br />
on the groups referred to as "PATCHWORK" and "DROPPER ELEPH<strong>AN</strong>T". We also recognise the<br />
analysis by Blue Coat in tracking OPERATION H<strong>AN</strong>GOVER in the past [1].<br />
We would like to thank the wider Forcepoint Security Labs team for their help with our investigation. We<br />
would also like to give special thanks to Ran Mosessco for assisting with specific analysis.<br />
1 SEE: “Uncertainty Yardstick”, Page 3-32<br />
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/311572/20110830_jdp2_00_ed3_with_change1.pdf<br />
<strong>MONSOON</strong> <strong>–</strong> <strong><strong>AN</strong>ALYSIS</strong> <strong>OF</strong> <strong>AN</strong> <strong>APT</strong> <strong>CAMPAIGN</strong> Revision: 1.07 | TLP-WHITE | 4/57