EHDevel – The story of a continuously improving advanced threat creation toolkit

Cristina Vatamanu, Senior Malware Researcher, Bitdefender

Usually, the trajectory of an advanced persistent threat can be divided into four stages: incursion (first infections), discovery (data harvesting), capture (target infection) and exfiltration (stealing the target information). The second stage is of particular importance, as the first victims in the organization are usually not the intended ones. The sensitive information the APT group seeks is well guarded, so the attack needs to start with more vulnerable victims and, once the perimeter has been breached, discover a way to the target. During the discovery stage, most APTs make use of tools that are usually developed by other teams. Such tools specialize in gathering as much information as they can about the victim's environment, as thorough profiling increases the odds of reaching the desired resources.

The EHDevel toolkit presented in this paper is a specialized framework that has been used to gather information for years, in different shapes and forms. While trying to establish the purpose of this framework, we were able to link it to the 2013 Operation Hangover APT.

This plug-and-play malware framework uses a handful of novel techniques for command and control identification and communication, as well as a plugin-based architecture. Our technical dive into the framework revealed an intricate mix of transitions from one programming language to another (from Python, through VBS and AutoIt, all the way to C), code under active development, and bugs that were not spotted during the QA process (if there was one).

This paper will cover each specialized component and the connections between them, and will also describe the infrastructure serving one of the components, the one that handles the malware distribution. This operation continues to this day, the latest known victims reportedly being several Pakistani individuals. In their case, the threat actors chose different lures from the ones presented in this paper, but the modus operandi is identical.

Cristina Vatamanu

Cristina Vatamanu graduated from the Faculty of Computer Science at the "Gheorghe Asachi" University. She has worked at Bitdefender for almost 8 years, and some of her responsibilities (and hobbies) are reverse engineering, exploit analysis and automated systems.