Proprietary · 2016-11-05 · 41 days · Backdoor, Remote Access, Credential Theft

APN updater delivered signed backdoor

Ask Partner Network's signed updater path executed attacker-controlled payloads. Later activity used a signed APN update binary to launch a remote shell and credential theft.

Story

Ask Partner Network was unwanted software, but it was still a real distribution channel. It was bundled with common installers and present across many enterprise endpoints. That reach made the updater valuable to an attacker.

Red Canary saw the first compromise on November 5, 2016. A signed Ask component, apnmcp.exe, wrote and executed a PE file named logo.png. The filename looked like an image. The behavior did not. logo.png downloaded two or three later-stage binaries, executed them, then deleted itself.

Carbon Black saw a second wave on December 16, 2016. Apnmcp.exe contacted tbapi.search.ask.com and was then redirected to a VPS outside the APN environment. From there it downloaded ApnUpdateMgr.exe, a remote-access trojan signed with an APN LLC certificate that had been issued after the November incident.

The attacker moved fast. VMware reported a reverse command shell, credential theft, network enumeration, lateral movement, and persistence through C:\ProgramData\System.bat and encoded PowerShell that loaded obfuscated shellcode. APN revoked the compromised certificate and shipped updates. The lesson is plain: signed updater plumbing is code execution.
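Detection logic for the chain described above, as an added example that is not part of the original record or of any vendor's tooling; the event fields, file paths and sample telemetry are constructed, and only the observables named on the page (apnmcp.exe, logo.png, ApnUpdateMgr.exe, C:\ProgramData\System.bat, encoded PowerShell) are taken from it:

```python
"""Added example: detection logic for the APN updater tradecraft described above.
Runs over constructed process events (not real telemetry) and flags a PE run from
an image-named file under apnmcp.exe, encoded PowerShell, and System.bat writes."""
import re
from dataclasses import dataclass, field

NON_EXEC_EXT = (".png", ".jpg", ".gif", ".txt", ".dat")
PERSISTENCE_PATH = r"c:\programdata\system.bat"
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}")

@dataclass
class ProcEvent:
    parent: str                 # parent image name, e.g. apnmcp.exe
    image: str                  # child image path as seen on disk
    cmdline: str
    header: bytes = b""         # first bytes of the child image on disk
    writes: list = field(default_factory=list)  # files written by the child

def find_alerts(events):
    """Return (rule, detail) pairs for events matching the reported chain."""
    alerts = []
    for ev in events:
        parent, image = ev.parent.lower(), ev.image.lower()
        # Rule 1: the signed updater executed a PE whose name claims to be an image/data file.
        if parent == "apnmcp.exe" and image.endswith(NON_EXEC_EXT) and ev.header[:2] == b"MZ":
            alerts.append(("pe_masquerade_under_updater", ev.image))
        # Rule 2: encoded PowerShell, as used to load the obfuscated shellcode.
        if image.endswith("powershell.exe") and ENCODED_PS.search(ev.cmdline):
            alerts.append(("encoded_powershell", ev.cmdline[:40]))
        # Rule 3: the persistence file written to ProgramData.
        for path in ev.writes:
            if path.lower() == PERSISTENCE_PATH:
                alerts.append(("programdata_system_bat_persistence", path))
    return alerts

# Constructed sample telemetry mirroring the reported chain (paths are assumed).
SAMPLE_EVENTS = [
    ProcEvent("apnmcp.exe", r"C:\Users\alice\AppData\Local\Temp\logo.png", "logo.png", b"MZ\x90"),
    ProcEvent("apnmcp.exe", r"C:\Program Files\APN\ApnUpdateMgr.exe", "ApnUpdateMgr.exe",
              b"MZ\x90", writes=[r"C:\ProgramData\System.bat"]),
    ProcEvent("ApnUpdateMgr.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + "QUFB" * 8, b"MZ\x90"),
    ProcEvent("explorer.exe", r"C:\Program Files\APN\apnmcp.exe", "apnmcp.exe", b"MZ\x90"),  # benign
]

if __name__ == "__main__":
    for rule, detail in find_alerts(SAMPLE_EVENTS):
        print(rule, detail)
```

The benign launch of apnmcp.exe itself produces no alert; the point is that trust in the signed parent does not extend to what it writes and runs.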

Affected Artifacts

APN Updater

windows update · apn.ask.com · Update
Observed
2016-11-05 to 2016-12-16
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:d01c7abc39e1b24a76641b597426aa377db0e27369f32dfe3522f364cec4495b
Notes
  • Red Canary reported a November 5, 2016 APN compromise; VMware Carbon Black reported a December 16, 2016 second compromise and described the broader activity as spanning late 2016 into 2017.
  • The signed apnmcp.exe updater component was the trusted parent process; the malicious second-stage ApnUpdateMgr.exe hash is stored as the affected delivered artifact hash.

Incident Context

Motive
Espionage
Attribution
Group
Cause
Update Infrastructure Compromise
Transitive
No

External References

Source record: proprietary/ask-partner-network/meta.yaml