Luckycat Redux: Inside an APT Campaign

Today, we published our paper titled Luckycat Redux, which looked into the activities of the Luckycat campaign. First documented earlier this month by our friends at Symantec, our investigation has significantly improved the available knowledge about not just this attack specifically, but about how targeted attacks unfold. Here are some of our findings:

  • To understand targeted attacks, you have to think of them as a campaign. The attacks – which can be linked through careful monitoring and analysis – are only part of the whole campaign. This approach yields vastly more useful information about these attacks. The idea of campaigns and campaign tracking is vital to developing actionable threat intelligence that protects users and networks.
  • This campaign had a much more diverse target set than previously thought. Not only did they target military research in India (as earlier disclosed by Symantec), they also targeted sensitive entities in Japan and India, as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free hosting sites to dedicated virtual private servers.
  • Luckycat has links to other campaigns as well. The persons behind this campaign used or provided infrastructure for other malware campaigns that have also been linked to previous targeted attacks, like the previously uncovered, yet still active, Shadow Network. They also used additional malware as second-stage malware in their attacks. We tracked 90 attacks that were part of this campaign.
  • Our careful monitoring allowed us to capitalize on some mistakes made by the attackers, and give us a glimpse of their identities and capabilities. We were able to get an inside view of some of the operational capabilities, including their use of anonymity technology to disguise themselves. Also, we were able to track some of the attackers through their QQ addresses to a famous hacker forum in China known as Xfocus. One individual was identified as previously attending an information security institute in China.

Those interested in the rest of our findings can download the full copy of our paper Luckycat Redux below. To know how Luckycat measures up to other well-known threats, we also created an infographic for comprehensive reference.



Sufficiently motivated threat actors can penetrate even networks with advanced security. As such, apart from standard attack prevention tools, enterprises should also focus on detecting and mitigating attacks and employing data-centric strategies. Technologies like Trend Micro Deep Discovery provides visibility, insight and control over networks necessary to defend these against targeted threats.

Post from: TrendLabs | Malware Blog – by Trend Micro

Luckycat Redux: Inside an APT Campaign

Read more: Luckycat Redux: Inside an APT Campaign

Story added 30. March 2012, content source with full text you can find at link above.