A discovered malware sample uses code from the NSA and a Chinese hacking group – CyberScoop

Written by Shannon Vavra May 7, 2020 | CYBERSCOOP

Good hackers steal, great hackers borrow.

According to new research from ESET, a code obfuscation tool thats been linked to Chinese-based hackers has been used in tandem with an implant that has been attributed to Equation Group, a hacking faction that is broadly believed to have ties to the National Security Agency.

ESET says the obfuscation tool is linked with Winnti Group, while the implant, known as PeddleCheap, appeared in an April 2017 leak from the mysterious group known as theShadow Brokers.

Its unclear if the sample was used in a malicious campaign or if its the product of a security researcher experimenting with different tools,according to Marc-tienne Lveill, a malware researcher at ESET. It was uploaded to malware-sharing repository VirusTotal in 2017, according to Lveill.

The Winnti-linked packer was used in a series of intrusions at gaming organizations in 2018, which ESET has previously documented.

ESET published its findings in the hopes that some other researchers may have more visibility into the samples origins, Lvill told CyberScoop.

Its not clear who is behind the sample its possible Equation Group used the Winnti-linked portion to run its own intelligence collection, but it is also possible Winnti, which is suspected to have links with the Chinese government, used the leaked NSA implant for its operations.

Lveill said he views the latter as the likely explanation.

It is likely that the Winnti Group used tools from the Shadow Brokers leak as a first stage to compromise their victims in 2017. Another, less likely, scenario is that the Equation Group has seen and reused the Winnti Group packer in their operations, Lveill told CyberScoop. Yet another, even less-likely scenario is that a thirdparty who had access to this Winnti Group [tool], used it with PeddleCheap from the Shadow Brokers leak.

The malware combination shows the far-reaching ramifications of the Shadow Brokers leak: attributing attacks via tools that were used in the massive dump is much moredifficult, as any number of actors can use them to muddle up security researchers findings.

These samples are an example of how attribution is difficult, if not impossible, by looking only at malware samples without additional context. It is relatively easy to repurpose malware [artifacts] once they are discovered and documented, Lveill told CyberScoop. In addition to that, it is possible intelligence agencies discover these components before they are public knowledge, misleading attribution made by analysts later on.

While the actors behind the Winnti-PeddleCheaptool may be unknown, Chinese hackers had access to some other tools that appeared in the Shadow Brokers leak months before the Shadow Brokers revealedthem to the public.

It remains unclear if that group, known as Buckeye orAPT3, stole the tools by breaching NSA systems or if they caught them in the wild. It is also possible the Chinese hackers independently observed the same vulnerabilities and created similar tools to exploit them.

Link:
A discovered malware sample uses code from the NSA and a Chinese hacking group - CyberScoop

Related Posts

Comments are closed.