Russian Pawn Storm group strikes back at Trend Micro
Wed 15 Jul 2015
Pawn Storm, the Russian-based hacking group which carried out zero-day java-based exploits against the White House and other military-industrial targets in the U.S., has turned against the LA-based security company which bought its clandestine six-year campaign into the public spotlight – by making its IP address a Command-And-Control (C&C) server destination.
Trend Micro noticed the redirected DNS record yesterday, and surmise that the change in behaviour is ‘retaliation’ for its disclosure of the Pawn Storm operation. In practical terms no infrastructure at Trend Micro has been hacked or affected, except that an IP address owned by the company has now been set as one of a possible number of C&C servers for an infected environment which has been overtaken by Oracle’s recently-patched 0-day Java vulnerability. The report notes:
The DNS A record of the domain ausameetings[.]com now points to 184.108.40.206, an IP address of Trend Micro. While it was serving the zero-day exploit, the IP address of ausameetings[.]com was 95[.]215[.]45[.]189…We are not sure when the domain was pointed to Trend Micro, but based from DNS record naming convention, it is most likely modified to point to Trend Micro yesterday, July 14.
It’s slightly more than a whimsical or sulky prank, since the IP address is likely to become automatically or manually blocked by system administrators retrenching against Pawn Storm’s activities, presumably ignorant that the target IP will not participate in the exploit. Another possibility is that the intention of the redirect was to implicate Trend Micro as a hacked participant in Pawn Storm’s activities.
The company discovered the zero-day attack late last week in the wake of a spate of Oracle updates which included the closing of the security hole which permitted the exploit. The campaign was unusually sustained, and in addition to targeting anti-Kremlin activists and others opposed to official Russian causes, targeted NATO, The White House, Polish government websites and the United States’ allies.
The campaign has run in three different modalities – a traditional spear-phishing scenario aimed at Windows-based users and exploiting compromised Microsoft Office documents to install malicious services; the injection of select exploits into certain government sites in Poland; and the use of phishing mails to direct users to bogus Outlook Web Application login pages designed to capture users’ login credentials. The first two scenarios were aimed at exfiltrating the usual data in the usual ways, including local documents, contacts, screenshots and other sensitive information.
Earlier this year Trend Micro noted the activities two malicious iOS applications used by Pawn Storm, XAgent and MadCap, which uses the name of a non-malicious iOS game. The former’s C&C servers were still active as of yesterday.