SCARCRUFT APT

Type: Unknown

Scarcruft APT Status: Active

Scarcruft APT Other Names: Operation Daybreak / Operation Erebus (these are the names of the group's reported campaigns rather than aliases of the group itself)

Scarcruft APT Active Since/Discovered: March 2016

Last Report: January 2017

Targets:

  • Russia, Nepal, South Korea, China, India, Kuwait and Romania
  • A US mobile advertising company
  • Individuals related to the International Association of Athletics Federations
  • A restaurant located in one of the top malls in Dubai

Target Sectors: Asian Law Enforcement, Asian Trading companies, Telecommunications

Malware:

  • Trojan.Win32.ScarCruft.gen – detection name for the exploit payload “yay_release.dll”
    • loaded directly into the exploited application's process and has several methods of payload execution
    • one of those methods bypasses modern anti-malware products by exploiting a bug in the Windows DDE component
    • additional modules: cfgifut.dll, cldbct.dll, cryptbase.dll, msfte.dll
  • Watering-hole exploit for CVE-2016-4171 (Adobe Flash Player): the vulnerability is located in the code which parses ExecPolicy metadata information; it yields read/write access at a chosen address in memory, which the exploit turns into full remote code execution
  • Third-party spy tools

Preferred Attack Vector: spear-phishing, watering-hole attacks

IoCs and Exploited Vulnerabilities:

  • CVE-2016-4171 – Adobe Flash Player; a zero-day at the time of the watering-hole attacks, patched by Adobe in June 2016
  • CVE-2016-4117 – Adobe Flash Player, patched May 2016
  • CVE-2016-1010 – Adobe Flash Player, patched March 2016
  • CVE-2016-0147 – vulnerability in Microsoft XML Core Services, patched April 2016
  • modules are signed with an invalid digital certificate whose subject reads “Tencent Technology (Shenzhen) Company Limited”, with serial numbers copied from a real Tencent certificate; the signer name alone is therefore not evidence of legitimacy, and the signature must be checked for validity rather than matched by name
  • exploit kit performs a couple of browser checks before redirecting the visitor to an attacker-controlled server hosted in Poland
  • main exploit page script contains a Base64 decoder as well as RC4 decryption implemented in JavaScript, used to unpack the staged content on the client
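The last indicator above describes a landing-page script that Base64-decodes and RC4-decrypts its staged content in JavaScript. The block below is an added example, not code from this page or from the ScarCruft exploit kit: it implements that Base64 + RC4 unpacking in Node.js so an analyst can decode a blob captured from such a page once the key has been pulled out of the script, and so the shape of the RC4 loop is easy to recognise when reading obfuscated JavaScript. The key "Key", the function names and the sample blob are constructed assumptions for illustration, not actor IoCs.

```javascript
// Added example: Base64 + RC4 unpacking as seen in exploit-kit landing pages.
// Not the ScarCruft script itself; key, names and sample data are constructed.

// Base64 -> bytes. Node's Buffer stands in for the hand-rolled decoder a
// landing page usually inlines (a 64-character alphabet lookup table).
function base64ToBytes(b64) {
  return Uint8Array.from(Buffer.from(b64, "base64"));
}

// RC4: key scheduling (KSA) followed by keystream generation (PRGA).
// Obfuscated pages inline exactly this: a 256-entry S-box initialised to
// 0..255, permuted by the key, then XORed byte-by-byte over the data.
function rc4(keyBytes, data) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {               // KSA
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(data.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {       // PRGA, applied as we go
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Client side of the scheme: what the landing page does before handing the
// result to the exploit. Returns a Buffer so callers can write it to disk.
function decodeStagedBlob(b64, key) {
  const keyBytes = Buffer.from(key, "latin1");
  return Buffer.from(rc4(keyBytes, base64ToBytes(b64)));
}

// Server side of the same scheme (RC4 is symmetric), useful for round-trip
// checks and for building test fixtures.
function encodeStagedBlob(plain, key) {
  const keyBytes = Buffer.from(key, "latin1");
  const cipher = rc4(keyBytes, Buffer.from(plain, "latin1"));
  return Buffer.from(cipher).toString("base64");
}

// Constructed sample (assumption, not an IoC): RC4 with key "Key" over the
// ASCII string "Plaintext", Base64-encoded. This is the public RC4 test
// vector (ciphertext BB F3 16 E8 D9 40 AF 0A D3).
const SAMPLE_KEY = "Key";
const SAMPLE_B64 = "u/MW6NlArwrT";

// Stand-alone usage: node unpack.js  ->  prints the recovered plaintext.
console.log(decodeStagedBlob(SAMPLE_B64, SAMPLE_KEY).toString("latin1"));
```

When triaging a captured page, grep the script for the S-box initialisation loop (a 256-iteration `for` filling an array with its index) to locate the RC4 routine, take the key from the call site, and feed the Base64 string from the page into `decodeStagedBlob`. The decoded bytes are typically the Flash exploit or the next-stage loader, which can then be hashed and detonated offline.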

Unique:

  • Payload execution method that exploits a flaw in the Windows DDE component to bypass modern anti-malware products