The Chinese threat actor APT3 monitored the use of a sophisticated cyber-attack tool by the US National Security Agency, obtained its code and reverse engineered it to develop a highly advanced Trojan known as Bemstour, according to Check Point Software.
Check Point's conclusion rests entirely on its own analysis of Bemstour, which the security vendor undertook after Symantec reported in May that APT3 had used the tool to attack targets in countries including Hong Kong, Belgium and the Philippines.
Symantec described APT3 as using Bemstour to deliver a variant of the DoublePulsar backdoor onto target systems. According to Symantec's analysis, both tools appear to be variants of attack software built by the Equation Group, an operation affiliated with the NSA's Tailored Access Operations unit.
Symantec added that it is not yet clear how APT3 obtained the NSA tools, but it ruled out the possibility that the Chinese threat actor took them from the NSA cyberweapons that the Shadow Brokers leaked publicly in 2017.
Symantec's analysis showed that APT3 was using DoublePulsar and Bemstour before the Shadow Brokers data dump, and that both variants differed substantially in their code from the leaked versions, which made it clear they did not originate from the leak.
According to Check Point, its analysis of Bemstour shows that the exploit is APT3's own implementation of EternalRomance, a tool developed by the NSA to break into Windows 8, Windows 7 and Windows NT systems.
APT3's Bemstour leverages the same Windows vulnerability that EternalRomance exploited (CVE-2017-0143), which was a zero-day at the time the group began using it. The group also developed an exploit for a second Windows zero-day (CVE-2019-0703). Both flaws have since been patched.