Group named 'TEMP.Periscope' releasing RATs says FireEye
By Richard Chirgwin 11 Jul 2018
AUS-based security researcher has accused China of interfering in Cambodia's forthcoming national election.
Security vendor FireEye says it has spotted a large-scale Chinese phishing, intrusion, remote access trojan (RAT), and data exfiltration operation targeting the poll.
FireEye attributed the activity to a group dubbed “TEMP.Periscope”, previously more closely associated with targeting American engineering and maritime operations.
FireEye hacked off at claim it hacked Chinese military's hackers
The FireEye post says TEMP.Periscope footprints were found on a number of election-related entities in Cambodia: various ministries including the National Election Commission; an MP for the Cambodia National Rescue Party; human rights advocates; two Cambodian diplomats in overseas posts; and multiple media outlets.
Its analysis was based on three servers it ran over with the fingerprint brush: “chemscalere[.]com and scsnewstoday[.]com operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server.”
SCANBOX is an advanced persistent threat that FireEye has seen in various campaigns since 2015.
The company believes the servers were administered from Hainan in China, and they hosted malware from two new families, DADBOD and EVILTECH, as well as “previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX)”.
The other most active tools were the HOMEFRY password cracker and dumper; the LUNCHMONEY uploader, which sends docs to Dropbox; and a command line reconnaissance tool called MURKYTOP.
Attribution to China came from IP addresses logged on a server available to the company: “One of the IP addresses, 220.127.116.11, is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.”
The SCANBOX server suggested TEMP.Periscope was also planning future campaigns targeting individuals with an interest in US-East Asia politics, Russia, and NATO affairs.
Cambodia appears to be heading for likely single-party rule, as the main opposition party has been banned and cannot run candidates in the July 29th poll. The current regime has supported Beijing in its maritime disputes in the South China Sea, annoying neighbours by doing so. Just why China would want to mess with nation's elections given the all-but-certain outcome is anyone's guess. "To show it can" may be as good an answer as any! ®