Since July 2017, security researchers at Trend Micro have been tracking the nefarious cyberespionage activities of ChessMaster, a campaign targeting Japanese government agencies, technology firms, media, academe and managed service providers. Equipped with a diverse arsenal of tools, techniques and use of remote access Trojans such as ChChes, RedLeaves and PlugX, researchers signalled that ChessMaster’s sophisticated nature signalled it could evolve into a notable threat.
At the time, Trend Micro highlighted the links between ChessMaster campaign and APT 10, the China-based cyberespionage group also known as Stone Panda, CVNX, MenuPass and POTASSIUM. Researchers have recently released a new report detailing the campaign’s changes and evolution since then.
New tools and techniques
Over the past few months, ChessMaster has expanded its arsenal to include a new backdoor targeting the SOAP WSDL parser vulnerability CVE-2017-8759 within the Microsoft .NET framework and another that exploits the 17-year-old MS Office vulnerability CVE-2017-11882.
The campaign primarily focuses on phishing attacks to deploy emails that have a malicious document in doc, docx, csv, rtf or msg format. Both the email title and the attached document are written in Japanese with phrases typically themed around politics, the economic or business such as “re-appointment of Prime Minister Abe” or “budget estimation request.”
When the user opens the malicious document, a pop-up message is displayed that reads “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?” If the “No” button is clicked, the malicious document is unable to deploy its dubious ware and exploit MS Office’s functions.
The exploit document itself has evolved to exploit additional vulnerabilities such as CVE-2017-11882 that was patched in November 2017 and target the MS Office’s legitimate Automatic Dynamic Data Exchange, Link Auto Update or Word’s Frames/Frameset functions.
Any one of these functions can be compromised by ChessMaster to drop the Koadic malware that was seen in earlier campaigns. This open-source post-exploitation tool focuses on swiping critical environment information from the targeted system.
Subtle but key changes
Once the malware executes its command, its output varies based on the version of the ANEL malware used in that particular attack. Anel was first discovered in November 2017 that was used by ChessMaster as a backdoor into the targeted system. At the time, researchers found that ANEL had incomplete code - a possible sign that it’s authors intended to further develop the malicious software.
Roughly three months later, Trend Micro has discovered four different ANEL variants that show slight changes made to the ANEL loader, main ANEL DLL and backdoor commands. Between the four versions, the C&C server was changed three times.
If the targeted system is deemed to be of interest, Koadic downloads a Base-64 encrypted version of the ANEL malware from its C&C server. The malware is then decrypted to execute a DLL file titled “lena_http_dll.dll.”
The targeted system’s environment information and other sensitive data is encrypted using XOR, blowfish and Base64-based encryption methods and siphoned off to the attackers’ C&C server. ANEL also downloads additional malicious payloads to harvest confidential data from the targeted system including password and info-stealers.
What is ChessMaster’s next big move?
According to Trend Micro researchers, ChessMaster’s growth and expansion of arsenal in just a few months show the attackers behind the campaign are bound to rapidly continue their progress.
“At first glance, it seems ChessMaster’s evolution over the past few months involves subtle changes,” Trend Micro said in a recent report. “However, the constant addition and changing of features and attack vectors indicate that the attackers behind the campaign are unlikely to stop and are constantly looking to evolve their tools and tactics.”