Chinese hackers cover their tracks and remove malware a few days before detection

FireEye specialists drew attention to the strange behavior of Chinese hackers, who, in an attempt to cover their tracks, remove malware shortly before detection.

According to the researchers, two hack groups are using a zero-day vulnerability in Pulse Secure VPN to attack the networks of American defense contractors and government organizations around the world.

According to FireEye, the hacks started way back in August 2020, when the first hack group, which the company tracks as UNC2630, targeted US defense contractors and European organizations. According to analysts, these hackers “act on behalf of the Chinese government and may have connections with APT5,” that is another well-known Chinese cyber espionage group.

In October 2020, a second group of hackers joined the attacks (FireEye assigned it the ID UNC2717), but the experts knew practically nothing about it.

In both cases, the attackers installed web shells on vulnerable devices, and then used them to go to the victims’ internal networks, from where they stole credentials, letters and confidential documents.

Now in a new report, FireEye writes that further investigation of these attacks helped to discover something strange: at least one of the groups involved in the incidents began to remove their malware from infected networks three days before disclosure.

“Between April 17 و 20, 2021, Mandiant specialists observed that UNC2630 gained access to dozens of compromised devices and removed web shells such as ATRIUM and SLIGHTPULSE”, — analysts write.

The actions of the cybercriminals look suspicious and raise questions, مثلا, if the attackers could know about the interest from FireEye. البته, the removal of the malware could have been a coincidence, but if UNC2630 participants knew that FireEye was investigating some of the networks they had compromised, it appears that the hackers deliberately backed down and removed evidence to protect other operations from the researchers.

FireEye also reports that it has discovered new details of this hacking campaign. بنابراین, experts found four additional strains of malware (in addition to the 12 previously described).

• BLOODMINE — Pulse Secure Connect log file analysis utility. Retrieves information related to logins, post IDs and web requests and copies the corresponding data to another file.
• BLOODBANK — A credential stealing utility that parses two files containing password hashes or passwords in an open test and expects the output file to be specified on the command line.
• CLEANPULSE — it is a memory patching utility that can be used to prevent certain log events from occurring. It was found along with the ATRIUM web shell.
• RAPIDPULSE — A web shell capable of reading arbitrary files. Like other web shells, RAPIDPULSE is a modification of the legitimate Pulse Secure file. Can serve as a loader for encrypted files.

علاوه بر این, FireEye continues to work with the developers of Pulse Secure to identify compromised devices and their owners. This work allowed analysts to learn more about the targets of the attackers. بنابراین, according to new data, most of the victims are organizations based in the United States (others are located in European countries). While the attacks were previously thought to have targeted defense contractors and government agencies, it has now become clear that the attackers also targeted telecommunications, finance and transportation companies.

Whereas earlier FireEye analysts wrote that only UNC2630 can have links with the Chinese government, now they are confident that both groups are engaged in cyber espionage and “support the key priorities of the Chinese government.”

Let me remind you that I also wrote that XCSSET malware uses 0-day attacks in macOS.