Latest Version Of Chessmaster
ChessMaster Makes its Move: A Look into the Campaign's Cyberespionage Arsenal
by Benson Sy, CH Lei, and Kawabata Kohei

From gathering intelligence, using the right social engineering lures, and exploiting vulnerabilities to laterally moving within the network, targeted attacks have multifarious tools at their disposal. And like in a game of chess, they are the set pieces that make up their modus operandi.

Take for instance the self-named ChessMaster, a campaign targeting Japanese academe, technology enterprises, media outfits, managed service providers, and government agencies. It employs various poisoned pawns in the form of malware-laden spear-phishing emails containing decoy documents. And beyond ChessMaster's endgame and pawns, we also found red flags that allude to its links to APT 10/menuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX.

ChessMaster's name is from pieces of chess/checkers/draughts we found in the resource section of the main backdoor they use against their targets: ChChes, which Trend Micro detects as BKDR_CHCHES.

What makes the campaign unique is its arsenal of tools and techniques:

Malicious shortcut (LNK) files and PowerShell. The LNK files execute Command Prompt that downloads a PowerShell script, which would either directly drop or reflectively load ChChes into the machine. The latter method makes ChChes a fileless malware.
Self-extracting archive (SFX). An archive that drops an executable (EXE), a dynamic-link library (DLL), and a binary file (.BIN). Upon their extraction, malicious code is injected into the process of a legitimate file/application (DLL hijacking). ChessMaster takes it up a notch via load-time dynamic linking to trigger the malicious DLL's function.

Runtime packers. Throughout its campaign, ChChes used three packers to obfuscate itself and avoid detection. The first had no encryption and a varied loader code. The second had a buggy (or anti-emulation) exclusive OR (XOR) encryption technique. The third added an AES algorithm on top of XOR encryption. Their compile dates overlap, which indicates ChChes' authors take cues and fine-tune their malware.

Second-stage payloads. Additional malware are introduced to the infected system for persistence. These are actually variants of ChChes that use similar entry points but different and encrypted C&C communication.

Hacking Tools. ChessMaster draws on legitimate email and browser password recovery and dumping tools they've misused and modified for their campaign. These can restore forgotten passwords, which are then dumped and retrieved. Lateral movement and further attacks can be worked out from here.

TinyX. A version of PlugX sans the plug-in functionality that allows it to adopt new capabilities. TinyX is bundled separately in spear-phishing emails.

RedLeaves. A second-stage backdoor that operates like the open-source and fileless remote access Trojan (RAT) Trochilus, which is known for enabling lateral movement in the infected systems. RedLeaves adopted capabilities from PlugX. In April, a RedLeaves variant named himawari (Japanese for sunflower) emerged capable of evading YARA rules released during that time.

ChessMaster and APT 10 Plays the Same Cyberespionage Game

APT 10/menuPass is a cyberespionage group whose specific campaign, Operation Cloud Hopper, attacked the intermediaries of their targets of interest: managed service providers (MSPs). Its notoriety stems from their prolific use of multifarious information-stealing backdoors and vulnerability exploits, along with the tenacity of its subterfuges, from spear-phishing emails to attack and infection chains. It also abused legitimate or open-source remote administration tools to steal data.

If that sounded familiar, it's because ChessMaster and APT 10. Here's a further illustration:

Figure 1: Similarities in ChessMaster and APT 10

We first saw ChChes set its sights on an organization that's long been a target of APT 10/menuPass. As we caught and delved into more ChChes samples in the wild, however, we also saw how they followed the same pattern: exclusive packers, mutual targets, overlapping C&C infrastructure.

ChChes' packer, for instance, resembled the one used in menuPass' old PlugX samples. DNS records also showed that some of their command and control (C&C) servers and domains resolved to the same IP address, or resided in the same subnet. Are they operated by the same actors? Their commonalities make it appear so. It's also known to happen; BlackTech's cyberespionage campaigns are a case in point.

Figure 2: Comparison of Emdivi and ChChes

ChessMaster's ChChes also resembles another backdoor, Emdivi, which first made waves in 2. They have the same endgame. Both are second-stage payloads that use the system's Security Identifier (SID) as encryption key so they execute only in their target's machine. Their difference lies in complexity: ChChes hides part of the decryption key and payload in registry keys to make it harder to reverse engineer.

But that's just one dot in several we've connected. In one instance, we detected PlugX and Emdivi on the same machine. This PlugX variant connected to an APT 10/menuPass-owned domain, but the packer is similar to that used by ChChes. While it's possible it was hit by two different campaigns, further analysis told a different story. Both were compiled on the same date, only several hours apart. We detected and acquired the samples the next day, which means both backdoors were delivered to the victim a day after they were compiled.

Figure 3: Overview of the overlaps in ChessMaster and APT 10

Take Control of the Center

Ultimately, attacks like ChessMaster's make pawns out of the systems, networks, devices and their users, all of which hold the organization's crown jewels. This is why enterprises need to be steps ahead of the game: prepare, respond, restore, and learn. Plan ahead: what techniques will attackers use? How can I defend against them? Don't just pull the plug; understand what happened to better assess and mitigate the damage. Fine-tune your response: what worked, what didn't, and what could've been done better?

Defense in depth plays a crucial role especially for the IT/system administrators and information security professionals that watch over them. The network, endpoints, servers, mobile devices, and web/email gateways are the bishops, knights, and rooks that underpin the enterprise's crown jewels, which is why securing them is important. Reduce their attack surface.
Keep the systems updated and regularly patched, and enforce the principle of least privilege. Employ behavior monitoring and application control. Deploy firewalls as well as intrusion detection and prevention systems. Implement URL categorization, network segmentation, and data categorization.

ChessMaster's gambit is spear-phishing, so it's especially important to filter and safeguard the email gateway. Additionally, foster a cybersecurity-aware workforce. Seemingly benign icons or decoy documents can still swindle the victim, for instance. More importantly, develop proactive incident response and remediation strategies; threat intelligence helps enterprises prepare and mitigate attacks. Like in chess, the more you understand your enemy's moves, the more successful you can be at thwarting them.

The Indicators of Compromise (IoCs) related to ChessMaster's campaigns are in this appendix. This has been presented in the RSA Conference 2. Asia Pacific Japan as Chess.