Skip to content

Malware University

Class is in Session

  • About
    • Privacy Policy
  • Contact
  • Resources

Category: Campaign Analysis

Analysis of campaigns from technical, social, political, and economic perspectives. For nation-state (espionage) based campaigns, technical and political is often the focus. For theft and hacktivist related campaigns, economics and social commentary may hold more sway.

Kaseya Bullseye

Posted on July 12, 2021 - July 12, 2021 by admin

Hackers attributed to the REvil group recently exploited an (internally) known 0day in Kaseya software to demand ransom worth 70,000,000 USD affecting at least 1000 businesses.

On Friday, July 2, 2021, the incident response team from Kaseya became aware of a security incident related to their VSA software. Hackers used the software to deploy the REvil ransomware into many victims’ environment. The malicious code is side-loaded by a fake Windows Defender app, encrypting files in return for ransom. “Kaseya VSA Agent Hot-fix” is the distributed name of the malware, which was also seen attempting to disable Microsoft Defender Real-Time Monitoring via Powershell.

The group sent out a message on July 2:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour."

How did the REvil group know a patch was forthcoming? Did they? It’s improbable this is a coincidence.

Assuming it is not, how were they alerted to a forthcoming patch which likely spurred an immediate decrease in their attack timeline? Insider alerting them? Prior compromise and a great analysis team?

Anything is possible when tens of millions of dollars, or more, are at stake. The most expensive 0days ($1,000,000+) are a drop in the bucket for groups eyes to rake in millions from one successful operation.

Former employees raised several software security concerns from 2017 through 2020 to company leaders. These concerns were not fully addressed, as sales were the focus of the business at the expense of other priorities. One employee sent a 40-page memo detailing many security concerns related to the software leading to his firing two weeks later. Customer passwords were stored in clear text on third-party platforms, among other bad habits.

Shame on Kaseya. Likely one of many professional software firms and IT management companies which fail to adhere to even basic security and administration best practices.

Posted in Campaign Analysis, Current EventsTagged 0day, kaseya, ransomwareLeave a comment

Chengdu 404

Posted on September 20, 2020 - September 20, 2020 by admin

US DOJ has listed several arrest warrants for Chinese nationals believed to be part of APT41 (Barium). This group is allegedly behind the ASUS hack that lead to hundreds of thousands of infections due to the group using ASUS’s own code signing certificate to push their malware via the company’s update servers.

Some of these infected hosts were targeted with ransomware and cryptojacking malware. The group has engaged in financially-motivated attacks since at least 2012 by targeting gaming companies for the procurement of game currency.

This group, who had a front company named Chengdu 404, likely was coerced by Chinese state officials to engage in traditional espionage activities while allowing the group to continue their financial pursuits.

The group is not known to produce their own 0day exploits but are very quick to deploy new releases once an exploit is dropped, as they did in March 2020 with the Zoho ManageEngine exploit.

Chinese APT groups have traditionally had a reputation of government and corporate espionage for largely information purposes. It appears the Chinese state authorities are turning a blind eye to financially-focused groups so long as they perform actions on behalf of the Party in between their activities.

Posted in Campaign Analysis, Current EventsTagged APT41, ASUS, Barium, Chengdu 404, US DOJLeave a comment

NewsBeef APT Updates Their Campaign

Posted on July 18, 2019 - July 18, 2019 by admin

USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities.

The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails, links sent over social media/standalone private messaging applications, and watering hole attacks that leverage compromised high-profile websites (some belonging to the SA government).
The group changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command and control C2 infrastructure.
The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets; BeEF does not appear to be deployed as a part of the current campaign; Compromised government and infrastructure-related websites are injected with JavaScript that geolocates and redirects visitors to spoofed, attacker-controlled web-servers; Improvements in JavaScript injection and obfuscation may extend server persistence; NewsBeef continues to deploy malicious macro-enabled Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools.

The NewsBeef campaign is divided into two main attack vectors, spearphishing and strategic web compromise (watering hole) attacks.
On December 25, 2016, the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations. To compromise websites and servers, the group identified vulnerable sites and injected obfuscated JavaScript that redirected visitors to NewsBeef-controlled hosts (which tracked victims and served malicious content).

These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to their targets.
Their injection and obfuscation techniques enable the actor to serve the same JavaScript with every page visit to the “watering hole” site as well as increase the difficulty of identifying the malicious JavaScript source on compromised sites.

These recent attacks against legitimate servers (when compared to previous NewsBeef activity) indicate that NewsBeef operators have improved their technical skills, specifically their ability to covertly inject JavaScript code into served web pages. For example, on a Saudi government website, the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site. The JavaScript resource changes on every compromised website among many other referenced JavaScript sources, making it difficult to track down the source of the malicious script per site.


The filenames of the malicious Office documents (hosted at the spoofed NTG site) are relevant to typical IT and contracting resources and indicate that this scheme relies on effective social engineering tactics related to human resources and IT activities.


The malicious DLL deployed by NewsBeef contains Python code, a Python interpreter, and the MSVC runtime library as well as code that loads the Python interpreter, runs Python code and exports some functions for Python. The main functionality of the backdoor is implemented in packages (Python code, compiled Python C extensions, compiled executable files) and modules (Python code).

As this recent campaign indicates, the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents, PowerSploit, and Pupy.

Posted in Campaign Analysis, Current EventsTagged beef, CYBERCOM, malicious macros, NewsBeef, Powershell, powersploit, pupy, Python, Saudi Arabia, spearphishing, watering holes

Cloud Hopper a Top Notch APT

Posted on June 27, 2019 - July 1, 2019 by admin

The “Cloud Hopper” attack group is back in the spotlights this week after an informative report of Operation “Soft Cell” by security firm Cybereason. Detailed campaigns tracked by the firm display traits similar to how “APT10” associated groups have operated in the past.

Active since at least 2012 against telecommunications providers, “Soft Cell” was observed to target Active Directory domain servers once access was obtained on a target network before expanding their access. This suggests the group is primarily interested in long-term compromise of their targets. Their ongoing operations for months, and at times years, shows the group has the discipline and ability to practice stealthy and persistent attacks usually associated with well-funded nation-state groups.

Adaptability while maintaining access is a key ability for sophisticated nation-state groups. Such groups expect and plan for alternative routes during pre-attack operational activities.

Initial Access

A web shell (China Chopper) written for IIS servers was dropped after web-based compromise. From this webshell reconnaissance activity was observed by operators running basic diagnostic commands from a spawned cmd.exe instance with tools such as ipconfig, find, netstat, and whoami.

The second notable activity after initial access was running a modified nbtscan tool to identify NetBIOS name servers both locally and over the network. This tool was used by the actors to find shares on the internal Windows network.

Elevation

Utilities such as Mimikatz were modified and deployed after the reconnaissance phase. Their modified artifact removed the need for command line arguments, likely to evade various techniques employed by EDR solutions to detect common tools like Mimikatz during execution. Modified and compiled code also has the advantage of easily defeating Anti-Virus solutions due to changes in signature(s) of code segments and structure, largely with no real work needed by the technical team powering Cloud Hopper’s operations.

Their modified Mimikatz tool allowed the group to dump NTLM hashes on the compromised machines. A second technique to obtain coveted NTLM hashes was performed by dumping specific hives from the Windows Registry containing the hashes. The SAM hive HKEY_LOCAL_MACHINE\SAM and Security hive HKEY_LOCAL_MACHINE\Security store these essential hashes.

Pivoting

With the network mapped and credentials stolen (and not necessarily cracked), the group had all they needed to remotely establish sessions. The target telco’s network’s production and database servers, along with their Domain Controller (!), were successfully compromise.

WMI and PsExec remote command execution, Windows sysadmin utilities, were used to successfully run the landscape of their target network.

Persistence

Despite having all information and IP routing necessary to perform a complete domain compromise, the group performed additional tasks to enable persistence in forms other than their initial attack vector.

The attackers created high-privilege domain user accounts to perform actions after their first goal was achieved: domain compromise.

Changing the source of malicious operation, from the perspective of the Windows subsystem and network managers, provides multiple benefit. Obviously, it allows a deeper foothold into the system, having now a webshell along with domain-privileged accounts. Higher-privileged accounts, especially on machines with regular network traffic, are much quieter when performing administrative based tasks. With deployment of a RAT, such as PoisonIvy this threat actor used, they can maintain “phone home” or “callback” connectivity, bypassing the need to “push” into a network, opting to “pull” access at intervals.

This PoisonIvy variant abused a trusted and signed Samsung tool, runhelp.exe, was deployed as a Nullsoft Installer Package (NSIS) package. Once unpacked and run, the Samsung tool loaded a fake DLL posing as a legitimate dll, ssMUIDLL.dll, causing the malicious code to execute. The result was a scheduled task which would run the legitimate Samsung tool with the malicious payload. This is known as DLL Side Loading.

Exfiltration

The actor opted for the RAR archival utility for compressing desired data for exfiltration. They were spotted keeping the WinRAR tool and their compressed data for exfiltration in the Recycle Bin folder.

These RAR data were stored as multi-part archives. This technique, among the others mentioned, are staples among the APT10 actor(s).

hTran was used attempting to exfiltrate targeted data out of segmented networks. The code was modified from the original; likely an attempt to evade detection of EDR and Anti-Virus solutions. The structure and debug output was almost identical, with key phrases left in the deployed payload, likely due to lack of English-language skills.

For example, “Connect error” became “C e.”.

Reasons for Attack

The most obvious reason for a nation-state targeting large telcos of nations is to track call/message data. These Call Detail Records (CDRs) are a way of telephone companies tracking data from:

  • Device details
  • Physical location
  • Device vendor and version
  • Source, destination, and duration of call

With such information, the unit can monitor another nation’s citizens, including their leaders. If they need further access, they can know the exact make/model of a device used by a target.

As a last resort, the unit also has the ability to potentially “jam” the data/voice network by destroying the infrastructure.

If the unit is extremely technically sophisticated, the desire is there from the management, and the target allows such technical operation, the group may pull off infected firmware updates, rogue base station legitimacy, or other such fanciful Hollywood-esque attacks which may actually exist as a capability.

Areas for Improvement

The attackers were found conducting multiple campaigns from the same IP address. When you’re a big nation state and not looking to cause overt damage, operation security is practically optional.

This author could critique the operation in many ways. The fact is the techniques described here work, and work well, for multi-year operations against higher-sophisticated targets such as telcos.

Hats off to the Cloud Hopper group for a long-term successful campaign that has likely monitored and lead to exploitation of several high-value political and business targets of the affected countries.

Without a doubt these operations will continue from the Chinese groups. They will continue to stay at the level (A/B/C/D/F grading) required to achieve and maintain access to sources of data their state deems critical to the operational success and future viability of their country.

No need to bring out the A-team for adversaries which do not demand it.

Posted in Campaign Analysis, Current EventsTagged APT10, China Chopper, Cloud Hopper, hTran, Mimikatz, Operation Soft Cell, PoisonIvyLeave a comment

Recent Posts

  • Manual Scraping
  • Nitter Replacement
  • MFA Abuse in Splunk
  • Virtualbox Automation
  • Repository Poisoning

Recent Comments

    Archives

    • August 2024
    • July 2023
    • August 2022
    • March 2022
    • November 2021
    • October 2021
    • September 2021
    • August 2021
    • July 2021
    • June 2021
    • February 2021
    • December 2020
    • October 2020
    • September 2020
    • April 2020
    • March 2020
    • January 2020
    • July 2019
    • June 2019

    Categories

    • Campaign Analysis
    • Campaign Management
    • Code Analysis
    • Current Events
    • Malware Development
    • Techniques
    • Uncategorized
    • Utilities

    Meta

    • Log in
    • Entries feed
    • Comments feed
    • WordPress.org
    Proudly powered by WordPress | Theme: micro, developed by DevriX.