A group of Chinese hackers known as the ‘Comment Crew’ has resumed its attacks against dissidents. FireEye, a security company specialising in stopping sophisticated attacks, has documented attackers using a new set of tools and evasion techniques. The company cannot name its clients, but Rob Rachwald, director of market research at FireEye, said that they include an organisation in Taiwan.
The Comment Crew is a well-known group of hackers, made famous by its attack on the New York Times. Organisations opposing Chinese government policies have frequently been targeted by hackers.
PCWorld adds: “The Comment Crew laid low for about four months following the report, but emerging clues indicate they haven’t gone away and in fact have undertaken a major re-engineering effort to continue spying. The media attention ‘didn’t stop them, but it clearly did something to dramatically alter their operations,’ Rachwald said in an interview. ‘If you look at it from a chronological perspective, this malware hasn’t been touched for about 18 months or so,’ he said. ‘Suddenly, they took it off the market and started overhauling it fairly dramatically.’”
FireEye researchers Nart Villeneuve and Ned Moran detailed the new techniques in a blog post published on Monday at FireEye.
They said: “The newest campaign uses updated versions of Aumlib and Ixeshe. Aumlib, which for years has been used in targeted attacks, now encodes certain HTTP communications. FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy.
And a new version of Ixeshe, which has been in service since 2009 to attack targets in East Asia, uses new network traffic patterns, possibly to evade traditional network security systems.
The updates are significant for both of the longstanding malware families; before this year, Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011.”
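The quoted findings make a point that matters to anyone running network defences: a content signature written against the old plaintext check-in stops firing the moment the implant starts encoding that traffic, while the timing and shape of the beaconing itself tends to survive such a rewrite. The following is an added illustration of that point, not code from FireEye or from this article. Every string, host name and timestamp in it is constructed, and the use of base64 as the encoding is an assumption made for the demonstration; the article only says the traffic is now “encoded”.

```python
import base64
import re
from collections import defaultdict
from statistics import pstdev

# --- constructed sample data (not real Aumlib/Ixeshe traffic) -----------------
# A plaintext check-in body of the kind a byte-pattern signature is written for.
OLD_BEACON = b"id=deadbeef&host=WS01&ver=1"
# The same check-in after the implant starts encoding the body. Base64 is an
# ASSUMED encoding chosen for illustration; the article only says "encodes".
NEW_BEACON = base64.b64encode(OLD_BEACON)

# Content signature matching the invented plaintext field layout above.
PLAINTEXT_SIGNATURE = re.compile(rb"id=[0-9a-f]{8}&host=")


def signature_hit(body: bytes) -> bool:
    """Traditional content match: fires only if the plaintext layout is visible."""
    return PLAINTEXT_SIGNATURE.search(body) is not None


def periodic_fixed_size_posts(events, min_count=4, max_jitter=2.0):
    """Encoding-agnostic heuristic over (timestamp_s, dst_host, body_len) tuples.

    Flags destinations that receive at least `min_count` POSTs whose
    inter-arrival times are nearly constant and whose bodies are all the same
    size: a check-in that has merely been re-encoded still fires on a timer
    with a fixed-length payload, so this keeps working where the byte
    signature stops.
    """
    by_host = defaultdict(list)
    for ts, host, size in events:
        by_host[host].append((ts, size))

    flagged = []
    for host, rows in by_host.items():
        if len(rows) < min_count:
            continue
        rows.sort()
        deltas = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        sizes = {size for _, size in rows}
        if pstdev(deltas) <= max_jitter and len(sizes) == 1:
            flagged.append(host)
    return sorted(flagged)


def build_events(beacon: bytes):
    """Constructed log: five timed check-ins to one host plus ordinary browsing."""
    t0 = 1_700_000_000
    events = [(t0 + i * 60 + j, "c2.example.invalid", len(beacon))
              for i, j in enumerate([0, 1, -1, 0, 1])]
    events += [(t0 + 5, "www.example.com", 120), (t0 + 40, "www.example.com", 3800),
               (t0 + 47, "www.example.com", 512), (t0 + 200, "www.example.com", 64)]
    return events


if __name__ == "__main__":
    print("signature on plaintext beacon :", signature_hit(OLD_BEACON))   # True
    print("signature on encoded beacon   :", signature_hit(NEW_BEACON))   # False
    print("heuristic, plaintext traffic  :", periodic_fixed_size_posts(build_events(OLD_BEACON)))
    print("heuristic, encoded traffic    :", periodic_fixed_size_posts(build_events(NEW_BEACON)))
```

The signature catches the plaintext body and misses the encoded one, which is exactly the gap the FireEye researchers describe. The periodicity check flags the same destination in both runs and leaves the irregular browsing alone, because it looks at how often and how uniformly a host is contacted rather than at what the payload says. In practice such a heuristic is one input among several (it needs tuning for jitter and legitimate polling clients), but it shows why detection that depends on a single byte pattern is the first thing a tooling overhaul breaks.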
According to Rachwald, encryption is now being used to hide certain components of the program’s network communication. He said it is strongly believed that the Comment Crew is behind the new attacks, given its previous use of Aumlib and Ixeshe.
Kitguru says: The group has also re-engineered its attack infrastructure over the last few months, so it is hard to be completely sure.