Skip to content

Trending tags

NanHaiShu: Threat Intelligence Brief on Intelligence Gathering Attacks

Adam Pilkey

04.08.16 5 min. read

A new report published by F-Secure Labs has exposed an infostealer used to attack parties involved in the ongoing border dispute in the South China Sea. The Remote Access Trojan (RAT) – dubbed NanHaiShu – is suspected to be of Chinese origin, and used in spear phishing emails targeting parties involved in the South China Sea dispute. Targets discussed in the report include two governmental organizations and a law firm representing one of the parties.

Cyber attacks have become a staple of intelligence gathering operations all over the world. And while political attacks like these and other high profile attacks can come across as “too big” for many businesses to concern themselves with, that’s a mentality that attackers count on when planning their attacks.

“There’s someone behind every cyber attack, and they’ll see what’s working in one successful hack and try to repurpose it in another,” says F-Secure Cyber Security Advisor Erka Koivunen. “So now is your last chance to learn from other people’s mishaps, because for all you know, you’re the next target for the same hack. Learning about how different techniques lead to security incidents is how you can figure out where to invest resources for the best defense.”

That’s why threat intelligence is an invaluable resource in building a defense against attackers looking to make use of backdoors, infostealers, and other hacks focused on stealing your data. After all, it’s one thing to say you’re going to protect yourself against cyber criminals or cyber saboteurs, but that’s tough to do if you don’t know how they do business.

You can download the threat intelligence brief below to learn more about the tactics, techniques, and procedures associated with the NanHaiShu attacks, as well as instructions on how to harden your systems against them. Here’s a few of the key takeaways in the brief:

  1. Attackers know where to hit

The hackers using NanHaiShu knew where to hit their targets. Not only were they able to craft effective spear phishing emails to bait their targets into opening the malicious attachments, but the malware was designed to be effective on targets using “a non-default configuration in Microsoft Office,” according to the brief. So these attackers obviously did enough reconnaissance to feel confident that exploiting non-default configurations would work against their targets.

This should be taken as an indicator that companies need to start picking off their “low hanging fruits” before attackers find them.

NanHaiShu’s malicious code was designed to run as a macro in Microsoft office. Malicious macros like these have become increasingly popular recently, so companies should disable macros by default if they’re using Microsoft Office (the threat intelligence brief has information on how to do this). Users at a company should be left with no way to run unsigned macros. If your business is unable to do this, you’re going to be left with a gaping hole in your cyber defenses that’s currently being targeted in many cyber attacks. However, the brief does include some advice on how you can reduce the risks associated with running macros.

  1. Attackers know how to use the news

Researchers have linked the use of NanHaiShu with events that unfolded through 2015. And while the events that influenced the use of NanHaiShu were developments in the South China Sea dispute, different threat actors respond to different types of news. For example, this video shows how The Dukes cyber espionage group used events surrounding the Ukraine crisis to craft spear phishing emails (by the way, the process in the video is very similar to what a NanHaiShu attack looks like).

Once again, we’re seeing attackers do enough reconnaissance to know how to bait people into running malicious macros. The attackers know your business lingo, they know who you have dealings with, they know which topics in the news and the business issues that interest you, and they know when you are prepared to let your guard down to conduct business.

And in this blog post, as well as our most recent threat report, we discussed how hackers are able to create and distribute exploits within 24 hours of new vulnerabilities being disclosed. So you should understand that today’s threats respond to current developments, whether they’re tech news or political developments.

Consequentially, companies should make their employees aware about how current news and events can have security implications for their organization.

  1. Attackers can hide in plain sight

Another technique used by the attackers behind NanHaiShu (as well as many other threats) is hiding their malicious traffic in legitimate services. More specifically, NanHaiShu uses dynamic DNS providers to route their traffic through the Internet. And they’re not alone in using this type of resource. In 2014, attorneys for Microsoft suggested that over 245 different types of malware were using a dynamic DNS provider to resolve malicious network traffic.

This approach not only helps threat actors avoid detection, but it also makes them more difficult for authorities to take down. Microsoft’s attempt to take down 2 malware families in 2014 via their dynamic DNS provider affected millions of legitimate servers, with many people using those servers less than impressed with Microsoft’s approach.

The solution for businesses is to use an intrusion/detection system to flag or verify dynamic DNS traffic. You should also implement a system or a managed service that allows you to log potentially dangerous actions such as file downloads, file launches and unusual behavior. This way you can continue to use such services for legitimate purposes while monitoring for suspicious activity.

Finally, companies should also follow the “best practices” outlined in the brief to make sure they’re prepared for NanHaiShu and other online threats.

Nanhaisu threat intelligence


[fsecure-eloqua name=”Threat%20Intelligence%20Brief%20Nanhaishu” url=”” description=”Threat%20Intelligence%20Brief%20Nanhaishu”]

Adam Pilkey

04.08.16 5 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.