Altair EvLog delivered Kingslayer
Attackers compromised Altair Technologies' eventid.net and EvLog update path, replacing EvLog 3.0 with a signed Kingslayer backdoor. The administrator tool gave the operation a privileged route into sensitive enterprise networks.
Story
EvLog was a small Windows event-log tool, but it sat in the right hands: system administrators used it to read the event logs of large networks. In April 2015, attackers compromised Altair Technologies' eventid.net infrastructure, including the EvLog download and update path.
RSA reported .htaccess redirects on the MSI download and update sites. Those redirects sent users to attacker-controlled infrastructure hosting a subverted MSI and modified service binaries built from Altair source and signed with Altair's stolen code-signing key. Krebs described the update server as part of the compromise; Altair later told SecurityWeek that EvLog did not update by itself and required a manual update request.
The backdoor decrypted the beacon URL http://www.oraclesoft.net/mailcheck.png, beaconed only during a narrow weekly schedule, and could load a second-stage executable from the image response. RSA called that suspected secondary implant K2; forensic evidence on one administrator workstation showed SYSTEM-level execution, file transfer, and execution of uploaded programs.
RSA sinkholed oraclesoft.net in April 2016 and saw signs that sensitive organizations were still exposed. Public disclosure was late and muted: Krebs identified the unnamed vendor as Altair and tied the RSA timeline to an EvLog notice published on June 30, 2016 and revised on July 17, 2016. Those are disclosure dates; the compromised distribution window was April 9 through April 25, 2015, more than a year earlier.
Affected Artifacts
- Observed
- 2015-04-09 to 2015-04-25
- Compromised Versions
- Fixed
- Not listed
- Hashes
- sha256:caea901a301b9c103d90b8539819e050e57b67c6ff4d7863ad1cd549f5fdc2af
- sha256:383d60bffd5dc64e38893361cb03939bc8c6d5e476dc70755eb0886947e51661
- sha256:7aa474d0d39a41768149f413c451e9208f73af4d262b6575ada31644f5699153
- +3 more
- Evidence
- distribution: eventid.net/evlog, domain: oraclesoft.net, domain: timekard.com, url: http://www.oraclesoft.net/mailcheck.png, +6 more
- RSA sinkholed the Kingslayer control domain in April 2016 and observed indicators of organizations that may still have been running the backdoored software.
- RSA described the current-version update path as a delivery route; Altair later told SecurityWeek the software did not update by itself and required a manual update request.
- Altair's EvLog notice was published on June 30, 2016 and revised on July 17, 2016; those are disclosure dates, not artifact distribution dates.
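The indicators above are only useful if they get swept. The following is an added example, not code from Altair, RSA or this record's source YAML: it hashes files under a directory against the three SHA-256 values listed (the page's "+3 more" are not reproduced, so the set must be extended from the full record) and matches proxy or web log lines against the listed beacon URL and domains. The log lines and the stand-in installer file it creates are constructed for the demonstration. It deliberately does not consult the Authenticode signature, because the backdoored binaries carried Altair's stolen signing key and would verify as genuine.

```python
"""IOC sweep for the Kingslayer/EvLog indicators listed on this page.

Added example; not code from Altair, RSA or the page's source record.
Matches files by SHA-256 and proxy/web log lines by the listed URL and
domains. A valid Authenticode signature is deliberately not treated as
exculpatory, because the backdoored binaries carried Altair's stolen key.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 hashes listed under "Affected Artifacts" above. The page's
# "+3 more" are not reproduced here; extend this set from the full record.
KINGSLAYER_SHA256 = {
    "caea901a301b9c103d90b8539819e050e57b67c6ff4d7863ad1cd549f5fdc2af",
    "383d60bffd5dc64e38893361cb03939bc8c6d5e476dc70755eb0886947e51661",
    "7aa474d0d39a41768149f413c451e9208f73af4d262b6575ada31644f5699153",
}

# Network indicators listed under "Evidence" above.
KINGSLAYER_DOMAINS = {"oraclesoft.net", "timekard.com"}
KINGSLAYER_URLS = {"http://www.oraclesoft.net/mailcheck.png"}

# Hostname of any http(s) URL embedded in a log line.
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def sha256_file(path):
    """Stream a file through SHA-256 so large MSIs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_files(root, hashes=frozenset(KINGSLAYER_SHA256)):
    """Return the sorted paths under root whose SHA-256 is in `hashes`."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and sha256_file(path) in hashes:
            hits.append(str(path))
    return sorted(hits)


def host_matches(host):
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KINGSLAYER_DOMAINS)


def scan_proxy_log(lines):
    """Return (line_number, indicator) pairs for lines touching a listed URL or domain.

    A full beacon-URL hit is reported in preference to its bare domain so it
    is not double counted as a domain hit.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        url_hit = next((u for u in KINGSLAYER_URLS if u in line), None)
        if url_hit:
            hits.append((number, url_hit))
            continue
        for match in HOST_RE.finditer(line):
            if host_matches(match.group(1)):
                hits.append((number, match.group(1).lower()))
                break
    return hits


# Constructed sample proxy log lines (not real captured traffic).
SAMPLE_PROXY_LOG = [
    "2015-04-20T09:00:01Z admin-ws01 GET http://www.oraclesoft.net/mailcheck.png 200 image/png",
    "2015-04-20T09:00:05Z admin-ws01 GET https://downloads.example.com/evlog/EvLog.msi 200 application/octet-stream",
    "2015-04-21T09:00:02Z admin-ws02 GET http://cdn.timekard.com/css/site.css 200 text/css",
]


def build_sample_tree():
    """Create a temp directory holding one constructed file; return (root, path, sha256).

    The file is a stand-in only: no real EvLog artifact is reproduced here.
    """
    root = tempfile.mkdtemp(prefix="evlog-sweep-")
    path = os.path.join(root, "EvLog.msi")
    with open(path, "wb") as fh:
        fh.write(b"constructed stand-in for an EvLog installer, not the real file\n")
    return root, path, sha256_file(path)


if __name__ == "__main__":
    root, path, digest = build_sample_tree()
    print("hits against listed hashes:", sweep_files(root))
    print("hits when the stand-in's hash is listed:", sweep_files(root, {digest}))
    for number, indicator in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"log line {number}: {indicator}")
```

Run it against the directories where EvLog was installed or cached and against retained proxy logs from the distribution window onward. Traffic to oraclesoft.net after RSA's April 2016 sinkhole reached the sinkhole rather than the operators, but it still marks a host that was running the backdoored build.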
Incident Context
- Motive
- Espionage
- Cause
- Update Server Compromise; Stolen Certificates
- Transitive
- No
- User Impact
- 100
External References
- How to Bury a Major Breach Notification (krebsonsecurity.com)
- Serious Breach Linked to Chinese APTs Comes to Light (securityweek.com)
- Broken Trust: Lessons from Sunburst (atlanticcouncil.org)
- Kingslayer - A Supply Chain Attack (github.com)
- Kingslayer - A Supply Chain Attack (web.archive.org)
Source record: proprietary/evlog/meta.yaml