Evidence of Advanced Persistent Threat: A case study of malware for political espionage

A political figure in Hong Kong continuously receives spear-phishing emails that encourage clicking on shortcuts or opening attachments with file extensions, such as .pdf, .doc(x), .xls(x), .chm, and so on. He suspects that such emails were actively sent from seemingly known parties during the pre- and postelection periods. The emails and samples were sent to us for investigation, and two nearly identical samples were chosen for the case study. These malwares appear to be the first Advanced Persistent Threat (APT) incident to undergo detailed study in Hong Kong. APT is defined by MANDIANT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target or entity for a prolonged period. The malware performs the following functions similar to those of “Operation Shady RAT”, it attempts to hide itself from known anti-virus programs, downloads and executes additional binaries, enumerates all file information in the hard disk, gathers email and instant messaging passwords from victims, collects screen captures, establishes outbound encrypted HTTP connections, sends all gathered intelligence to a Command and Control, and deletes all temporary files of the collected information from the victims' machine after uploading. The forensic findings lead us to believe that APT is a real threat in Hong Kong.