SafeNet: A Targeted Threat
With added text by Threat Researcher Nart Villeneuve
Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well known within the security community, new and smaller campaigns are beginning to emerge. These campaigns use small clusters of C&C servers and new malware, and they attack fewer targets.
This research paper documents the operations of a campaign we call “SafeNet,” named after the malicious files used throughout the campaign (the name has nothing to do with the security company of the same name). It is an emerging and active targeted threat whose targets include:
- government ministries
- technology companies
- media outlets
- academic research institutions
- nongovernmental agencies
The distribution method of the SafeNet campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).
During our investigation of the C&C servers associated with SafeNet, we discovered archives containing the PHP source code the attackers used for the C&C server and the C source code they used to generate the malware used in the attacks.
While determining the intent and identity of the attackers remains difficult, we assess that the SafeNet campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.
This white paper has been written to help readers understand and document the tools, tactics, and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper SafeNet: A Targeted Threat.