China-based hackers take an interest in Cambodia's elections

Group named 'TEMP.Periscope' releasing RATs says FireEye

A US-based security researcher has accused China of interfering in Cambodia's forthcoming national election.

Security vendor FireEye says it has spotted a large-scale Chinese phishing, intrusion, remote access trojan (RAT), and data exfiltration operation targeting the poll.

FireEye attributed the activity to a group dubbed “TEMP.Periscope”, previously more closely associated with targeting American engineering and maritime operations.

china

FireEye hacked off at claim it hacked Chinese military's hackers

READ MORE

The FireEye post says TEMP.Periscope footprints were found on a number of election-related entities in Cambodia: various ministries including the National Election Commission; an MP for the Cambodia National Rescue Party; human rights advocates; two Cambodian diplomats in overseas posts; and multiple media outlets.

Its analysis was based on three servers it ran over with the fingerprint brush: “chemscalere[.]com and scsnewstoday[.]com operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server.”

SCANBOX is an advanced persistent threat that FireEye has seen in various campaigns since 2015.

The company believes the servers were administered from Hainan in China, and they hosted malware from two new families, DADBOD and EVILTECH, as well as “previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX)”.

The lynchpin of this campaign was the Javascript-based AIRBREAK backdoor, which “retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services”.

The other most active tools were the HOMEFRY password cracker and dumper; the LUNCHMONEY uploader, which sends docs to Dropbox; and a command line reconnaissance tool called MURKYTOP.

FireEye says it had seen these in previous campaigns, and it also spotted two new tools in the Cambodian operation. There's a backdoor called EVILTECH, a Javascript-based RAT; and the DADBOD credential stealer.

Attribution to China came from IP addresses logged on a server available to the company: “One of the IP addresses, 112.66.188.28, is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.”

The SCANBOX server suggested TEMP.Periscope was also planning future campaigns targeting individuals with an interest in US-East Asia politics, Russia, and NATO affairs.

Cambodia appears to be heading for likely single-party rule, as the main opposition party has been banned and cannot run candidates in the July 29th poll. The current regime has supported Beijing in its maritime disputes in the South China Sea, annoying neighbours by doing so. Just why China would want to mess with nation's elections given the all-but-certain outcome is anyone's guess. "To show it can" may be as good an answer as any! ®

Sponsored: Minds Mastering Machines - Call for papers now open




Biting the hand that feeds IT © 1998–2018