Mandiant APT1 SSL Connection Activity

by Ron Gula
February 20, 2013

This report searches historic SSL network activity to find indicators of APT1's command and control communications. 

The report leverage's the Passive Vulnerability Scanner's ability to identify the certificate name used in SSL network connections. These realtime logs are sent to the Log Correlation Engine where they are summarized in the SSL_Cert_Summary event. The LCE summarizes all SSL certificate names observed for a given IP address and records logs such as this: 

 

SSL_Cert_Summary since 2/19/2013 07:21:18 host 192.168.1.18 had SSL sessions involving these server certs: psi3.secunia.com secure.impulsedriven.com www.google.com Google Inc seal.verisign.com update.microsoft.com www.googleapis.com www.facebook.com VeriSign Trust Network s-static.ak.facebook.com Akamai Technologies Inc fbstatic-a.akamaihd.net fbcdn-profile-a.akamaihd.net GTE Corporation sb.scorecardresearch.com d.p-td.com t.mookie1.com loadm.exelator.com network.realmedia.com platform.twitter.com apis.google.com plusone.google.com ssl.gstatic.com r.twimg.com ajax.googleapis.com ws.sharethis.com exityield.advertise.com clk.relestar.com

 

Mandiant identified a variety of SSL certificates used by the APT1 organization. The following names are used to perform a search: 

  • WEBMAIL
  • Widgets
  • ALPHA
  • EMAIL
  • LM-68AB71FBD8F5
  • NS
  • SERVER
  • SUR
  • mail.aol.com
  • mail.yahoo.com
  • MOON-NIGHT
  • NoName

The mail.aol.com and mail.yahoo.com names are omitted since they will match against legitimate access to those email services. 

This report creates a single query for any SSL_Cert_Summary event during the past 25 days with contains the a text string for the hostile certificate names. 

It is suggested that the search be run for much longer than 25 days since Mandiant's report claimed that the APT1 organization has been active of several years. If you do have any detections with this report, Tenable has also added a variety of Nessus checks and audits which can be used to help identify this malware.