APT31/Zirconium
APT31 is an Advanced Persistent Threat group with a focus on intellectual property theft and malvertising. This group is also called Zirconium, Judgment Panda, and Bronze Vinewood by different security organizations. Like with most other APT groups, there are suspicions that APT31 may be state-sponsored and in this case the suspected state is China. In the summer of 2020 the Google Threat Analysis Group suggested that APT31 was targeting Joe Biden’s presidential campaign with phishing emails.
Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement. https://t.co/ozlRL4SwhG
— Shane Huntley (@ShaneHuntley) June 4, 2020
APT31's Forced Redirect Process
Back in 2017, APT31 was running the largest malvertising operation. The group had created no less than 28 fake advertisement companies. According to Confiant, Zirconium had bought approximately 1 billion ad views and had managed to get on 62% of all ad-monetized websites. The main attack vector APT31 used was the forced redirect. A forced redirect occurs when someone browsing a website is redirected to another website without the user taking any action. The website the user ends up on is commonly used as a part of a scam or leads to a malware infection.
MyAdsBro homepage screenshot - source: Confiant.com blog
APT31 created and used Beginads, a fake ad agency, to establish relationships with ad platforms. Down the line, it became the domain Zirconium would use to direct traffic for all the campaigns of all of their fake agencies. APT31 worked hard to make sure they had legitimately looking relationships with a number of real ad platforms. This approach also gave the scheme some resilience and made it less likely to raise suspicions. APT31 also resold traffic to affiliate marketing platforms. This arrangement meant that APT31 didn’t have to operate the landing pages on their own. The cybercriminals went further, creating an affiliate network that they themselves operated. The network was called MyAdsBro. APT31 used to run their own campaigns through MyAdsBro but others could also push traffic to MyAdsBro for a commission.
Customer web panel screenshot - source: Confiant.com blog
Once the redirects took place, the users were enticed to enable the infection through some of the most popular tactics:
- Fake Adobe Flash Player update pop-ups
- Fake antivirus pop-ups
- Tech support scams
- Various scareware messages
APT31 went to great lengths when establishing their scheme and making it look legitimate. All of the fake agencies had various marketing materials, fake officers with profiles in social media, and even posts in said media with unique content. Most of Zirconium’s mass-produced companies launched in the Spring of 2017. Not all of the 28 were used as 8 of them never started their social media presence and didn’t get involved in any advertisement activities. The cybercriminal’s efforts were clearly successful. APT31’s fake agencies managed to create direct business relationships with 16 real ad platforms.
Only a small part of the traffic they got redirected to an actual payload. In order to avoid detection and analysis, Zirconium used evasion methods. APT31 employed a technique called fingerprinting. It’s a process where the cybercriminals collect information about the systems of the potential victims to more precisely target a particular part of the audience. The goal of the cybercriminals when using fingerprinting is to avoid detection. To that purpose, they would use JavaScript in the browser to try and ascertain whether the script was running against a security scanner. If signs of a scanner were detected, the payload wouldn’t be delivered. There is a risk involved with fingerprinting. The script is visible to anyone looking for it and that may raise suspicion, but fingerprinting allows for a higher number of deployments of the payload.
APT31 Leverages its Sneaky Tactics
There are other ways to evade detection that don’t involve running a script on the user’s side. Server side mechanisms can be safer to apply since a security researcher wouldn’t be able to analyze them unless they trigger. One such approach is to check if the user’s IP is a datacenter IP. Scanners often use datacenter IPs and detecting such IP would be a clear sign to not deploy the payload.
Despite the impressive scale of APT31’s malvertising operation, security researchers still identify their main focus to be intellectual property theft. The real scope of all of Zirconium’s operations is still unknown as is their potential to do harm.