Why “Special Ear” Is The New Fiend On The Internet

Security researchers have recently discovered a cybergroup in China who are working on a new type of hacking campaign using the shipping and transport industry. The campaign is called “Special Ear” and appears to be a well-funded area of cyber espionage. These phishing emails are currently making the rounds in India and parts of the middle east.

During the investigation, researchers at the crowd-sourced threat intelligence company, LMNTRIX, discovered the campaign name buried in the malware code. Their method includes designing malicious email to appear authentic as if it contained regular business information, purchase orders, or sales copies.

For example, an email targeting a user in India will have the domain address “.co.in” included in them to bolster the appearance of authenticity. Similarly, targets in the UAE will see “.ae” in their fake communications. This increased level of precision has given the fake email campaign a new sense of legitimacy. The malware is being delivered through the Portable Executable file with a Trojan: MSIL.

As quoted in ZDNet, lead threat researcher at LMNTRIX, Bipro Bhattacharjee, describes the malware as being a “specially built Trojan.” While researchers have attributed the campaign to China-based hackers, the WHOIS record of the spammy emails suggests the attacks are actually coming from somewhere in the Netherlands.

Bipro Bhattacharjee goes on to say, “The Chinese phrases and their excessive appearance in the Portable Executable file imply a Chinese origin. In almost every instance where Chinese characters could be used, they were used — this is a common obfuscation technique of Chinese threat actors.”

The use of Chinese characters is likely there to confuse analysts and researchers who don’t understand much of the language, effectively rendering the code nearly impossible to examine properly. This move also suggests making the code harder to understand may actually be more important to the campaign than disguising the region responsible for its creation.

“As the target region for the campaign was non-Chinese speaking countries, we believe the priority was to hide the code’s functionality, rather than the campaign’s Chinese origin,” said Bhattacharjee.

Analysis of the code behind the malware, which uses .NET Framework, revealed the use of Chinese characters throughout, many of which appear to be random words and phrases specifically inserted to make the researcher’s job harder. One of the random phrases translates to “Special Ear,” hence the name. In a further attempt to hide its harmful intent, the malware has been designed to obfuscate all API calls.

Researchers have not yet determined if any targets have actually fallen victim to the campaign and installed the key-logging malware. They suggest not all antivirus software may be able to effectively identify the new malware. “The full extent of the campaign is still to be discovered,” said Bhattacharjee.

Researchers recommend checking that all antivirus software is up-to-date and aware of the malicious signature is the best way to protect against becoming Special Ear’s next victim.