Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew

The source code of malware from the long-defunct Chinese military-affiliated group appears to have changed hands.

A fresh wave of cyberattacks striking the US, South Korea, and Canada has been connected to an APT group with ties to the Chinese military.

On Thursday, cybersecurity researchers from McAfee's Advanced Threat Research team said they have discovered a new campaign which focuses on cyberespionage and data reconnaissance.

South Korea appears to be the primary target of the campaign, dubbed "Operation Oceansalt," with five attack waves launched in May against organizations in the country.

The group uses a data reconnaissance implant which became of serious interest to the researchers. Upon further examination, it was discovered that the implant is based on the source code of Comment Crew.

Also known as APT1, Comment Crew is an advanced persistent threat (APT) group with links to the Chinese military. The threat actors, which were active from roughly 2006 to 2010, managed to strike over 140 US companies in the quest for sensitive corporate and intellectual property data.

The group earned their name through their use of HTML comments to hide communication to the command-and-control servers. The usual attack vector was via spear phishing campaigns utilizing emails which contained documents with names tailored for the potential victims, such as "ArmyPlansConferenceOnNewGCVSolicitation.pdf," or "Chinese Oil Executive Learning From Experience.doc."
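
The comment-hiding technique described above is easy to check for from the defender's side. The following script is an added example, not code from the article or from McAfee's report: it pulls every HTML comment out of a page and flags those that consist of a single run of base64-alphabet characters with the entropy of encoded data rather than prose. The sample page, the hidden string it carries and the thresholds are constructed for illustration.

```python
import base64
import math
import re
from html.parser import HTMLParser

# Constructed sample (not taken from any real compromised site): a page with
# an ordinary developer comment, a short version tag, and one comment carrying
# a base64 blob of the kind a comment-based C2 channel would stash in the HTML.
HIDDEN_MESSAGE = b"http://example.invalid/checkin?id=42&cmd=sleep"  # placeholder, not a real C2
ENCODED_COMMENT = base64.b64encode(HIDDEN_MESSAGE).decode("ascii")
SAMPLE_HTML = f"""<html><head><title>News</title></head>
<body>
<!-- TODO: replace placeholder image -->
<p>Latest headlines</p>
<!-- v2 -->
<!-- {ENCODED_COMMENT} -->
</body></html>"""

# A comment is only a candidate if, with whitespace removed, it is one run of
# base64 alphabet characters of meaningful length (16 is an assumed minimum).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than repeated filler."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_comment(comment, min_entropy=3.5):
    """True if the comment looks like a hidden base64 payload (threshold assumed)."""
    token = "".join(comment.split())
    if not B64_RE.match(token):
        return False
    if shannon_entropy(token) < min_entropy:
        return False  # e.g. "AAAAAAAAAAAAAAAA" is base64-shaped but carries no data
    try:
        base64.b64decode(token, validate=True)
    except ValueError:
        return False  # bad length or padding: not a real base64 payload
    return True


def scan_page(html):
    """Return the comments in a page that look like hidden encoded payloads."""
    return [c for c in extract_comments(html) if is_suspicious_comment(c)]


if __name__ == "__main__":
    for hit in scan_page(SAMPLE_HTML):
        print("suspicious comment:", hit)
```

Run over a crawl of a site's pages, a check like this surfaces comments worth a second look; it says nothing about what the decoded bytes mean, so a hit is a lead for an analyst, not a verdict.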

These malicious documents would contain malware payloads for the spread of Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot, among others, for the purpose of cyberespionage.

It is believed that while active, Comment Crew managed to steal terabytes of data.

The data reconnaissance implant used by Oceansalt reuses a portion of code from the Seasalt malware implant, which the researchers say is related to Comment Crew's past operations.

"Oceansalt appears to be the first stage of an advanced persistent threat," McAfee says. "The malware can send system data to a control server and execute commands on infected machines, but we do not yet know its ultimate purpose."

McAfee says that attributing the latest wave of attacks to Comment Crew is "unlikely," despite the implant code overlap, as there are no other indications of the group's resurrection.

It is of note that the source code from Comment Crew, to the best of our knowledge, was never made public or sold online.

As alternative explanations for how this unique code ended up in the hands of a new hacking group, McAfee suggests there may be a code-sharing deal between the two groups; a hacker may somehow have obtained the source code from an insider who was once a member of Comment Crew; or this may be a "false flag" operation to lay the blame on China.

Oceansalt's spear phishing campaign spreads malicious documents which have not been seen before in the hacking realm. The documents, Microsoft Word and Excel-based, are written in Korean and generally target Korean-speaking entities or individuals.

If a potential victim opens the document, the malicious payload is triggered through macros. The malware contains many typical surveillance features, including the ability to collect data, encrypt it, and send it to a command-and-control (C2) server.
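
Because the payload rides on macros, the first triage question for a mail gateway or analyst is whether an attached Word or Excel file carries a VBA project at all, regardless of the extension it arrives with. The script below is an added example, not code from the article or from McAfee: it classifies a file by content, distinguishing the legacy binary Office container (which needs a dedicated OLE parser) from an OOXML zip with or without a `vbaProject.bin` part. The sample documents it builds in memory are constructed placeholders, not real files from the campaign.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy binary Office files (.doc/.xls)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # OOXML content type of a VBA project part


def build_sample_docx(with_macros):
    """Construct a minimal OOXML container in memory (placeholder, not a real document)."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType='
        '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macros:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project, not real macro code.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def classify_office_file(data):
    """Return 'legacy-ole', 'ooxml-macro', 'ooxml-clean' or 'unknown' from the bytes alone."""
    if data.startswith(OLE_MAGIC):
        # .doc/.xls: macros live inside OLE streams; hand off to an OLE/VBA parser.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Word stores the part as word/vbaProject.bin, Excel as xl/vbaProject.bin.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_vba = False
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                declares_vba = VBA_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        return "unknown"
    return "ooxml-macro" if (has_vba_part or declares_vba) else "ooxml-clean"


if __name__ == "__main__":
    for label, blob in (("macro sample", build_sample_docx(True)),
                        ("clean sample", build_sample_docx(False))):
        print(label, "->", classify_office_file(blob))
```

The check is deliberately content-based: renaming a `.docm` to `.docx` does not change the zip container, so the `vbaProject.bin` part is still there to be found. A hit only means macros are present; whether they are malicious is a separate analysis step.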

In addition, Oceansalt contains similar reverse-shell execution capabilities to Seasalt.

However, one major difference is that whilst Seasalt contains persistence mechanisms, Oceansalt does not.

A number of South Korean websites have been compromised to host the malicious code.

The APT appears to be focusing its efforts on South Korean financial entities and, based on the documents viewed by McAfee, has a strong understanding of the country's financial systems. However, agricultural industries have also been targeted.

"These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victims," McAfee says. "The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank's network would be an especially lucrative target."