Messaging Application LINE Used as a Decoy for Targeted Attack

A popular mobile messaging application, LINE was used as a bait to lure targets in a targeted attack which hit Taiwan government. LINE, an application that offers free calls and chat messages is commonly used in countries such as Taiwan, Japan, Indonesia, India, United States, Mexico, and Colombia among others. Based on reports, as of 2014, it has global users of more than 490 million registered users. The number of LINE users in Taiwan reaches up to 17 million in the same year. As proof of its popularity, certain government officials are said to employ this application for communication purposes in the office.

The attack cycle

Intended targets received a spear-phishing email that uses LINE as its subject and has .ZIP file attachment with the filename, add_line.zip. The said email message purports to come from the secretary of the vice mayor supposedly asking recipients (in Taipei government office) to join the LINE group, Commissioner Schedule Secretaries and to provide some information for profiling purposes. Once users open the .ZIP file, it contains an executable file (add_zip.exe), which Trend Micro detects as BKDR_MOCELPA.ZTCD-A. Here’s the translated version of the spam email:

In order to deliver message and communicate easily, we invited you to join LINE group “Commissioner Schedule Secretaries”. Please provide ID and accept the invitation as well.

Please also provide your Chinese name and agency for profiling.

Please respond immediately and invite new members to join the group when Schedule Secretary is changed.

Figure 1. Screenshot of the attached .ZIP file

Based on our analysis, this backdoor uses port 443, which is related to HTTPS. The only information it extracts is MAC address as compared to other backdoors that steal data such as hostname, OS version, and domain among others. We surmise that the attackers behind this are after MAC address so as to identify the machine. Once the Command-and-control (C&C) server replies, that’s the time the malware will send the MAC address of the infected system.

This backdoor will initially send a message to the C&C server informing that it is indeed ‘connected’ or ‘alive’ via a valid, but hardcoded HTTPS traffic. Our monitoring shows no activity from its C&C server (with IP: 200.87.48.4). There’s a possibility that the C&C server may have been a previously compromised system since the IP is a legitimate IP and g

We observed that BKDR_MOCELPA.ZTCD-A doesn’t create any registry or injects codes on the infected system but rather engages only SSL communication. This is possibly done to prevent any security solutions from flagging the file as suspicious. We also noticed that the malware used ‘byte string,’ a kind of string building technique where characters are inserted one by one in a memory location. We saw the same technique employed by two notorious remote access tools (RAT): Gh0st RAT and IXESHE.

Figure 2. Screenshot of ‘byte string’

Taidoor Connections?

Further investigation reveals that this targeted attack is suspected to be connected to Taidoor because it makes use of the same encryption to hide the network traffic.

Taidoor is a campaign which employed malicious .DOC files that shows a legitimate document but executes the malware payload in the background. One particular sample exploited CVE-2012-0158, a vulnerability in Windows Common Controls. It targeted US Defense contractors as well as Japanese companies. Trend Micro detects Taidoor malware as BKDR_SIMBOT variants. In 2014, Taidoor also used two zero-day exploit attacks targeting CVE-2014-1761 which hit government agencies and an educational institution in Taiwan.

Consumerization and targeted attacks

The prevalence of consumerization and bring-your-own device (BYOD) trends in enterprises can be attributed to some of its own benefits like reduction of costs and increase in productivity. When employees used personally-owned mobile devices and consumer-related applications like messaging apps and note-taking apps among others, it introduces risks to company data. Security remains to be one of the challenges in implementing consumerization and BYOD in the enterprise environment. In this particular attack, threat actors somehow knew that their targets are using LINE for official business function thus leveraging this mobile application for its social engineering lure.

Defending your network

Trend Micro protects organizations from this particular threat with endpoint solutions from our Smart Protection Suite. These solutions leverage behavior monitoring to detect this type of threat. The Endpoint and Mobile Security in Smart Protection Suites protects endpoints and mobile devices, while its email security component blocks all malicious emails from entering users’ inboxes.

In our 2014 annual report on targeted attacks, we saw further developments and enhancements in the tactics, techniques, and procedures related to APTs. The campaigns we investigated have showed the need for enterprises and large organizations to adapt more than ever to the risks posed by targeted attacks.

Organizations can go beyond endpoint solutions to specifically address targeted attacks. Trend Micro™ Custom Defense™ is a family of security solutions that enable you to rapidly detect, analyze, and respond to targeted attacks and advanced threats before they unleash lasting damage. Custom Defense allows organizations to detect and respond to targeted attacks, monitor endpoints, and stop targeted email attacks while providing enhanced protection.

Aside from a custom defense strategy that follows ‘detect-analyze-respond’ life cycle in order to mitigate and break the attack cycle, enterprises are advised to build their threat intelligence and create an incident response team. Through these efforts, IT administrators can determine the indicators of compromise (IoCs) and use it as basis when monitoring the network for any suspicious activities thus preventing attacks from reaching data exfiltration stage.

The following hash is related to this attack:

• f5e016b847145c61f0643c0270973002c67d30a5 – detected as BKDR_MOCELPA.ZTCD-A

The sample mentioned above is publicly available via Virustotal.

With additional insights and analysis from MingYen Hsieh