In this unique talk, Proofpoint’s Greg Lesnewich takes us on a tour of recent North Korean APTs targeting macOS devices and offers researchers new techniques for hunting this increasingly active cluster through similarity analysis of Mach-O binaries and linked dynamic libraries.
While many state-aligned threats have dipped their toes into macOS Malware, North Korea has invested serious time and effort into compromising Apple’s desktop operating system. Its operations in macOS environments include both espionage and financial gain. macOS malware analysis is an exciting space, but most blogs on the subject deal with functionality and capability, rather than how to find more similar samples. Analysts are forced to rely on string searching, based on disassembler output or a strings dump; in contrast, executables for Windows have “easy” pivots such as import hashing or rich headers that help analysts to find additional samples without much effort.
This talk introduces some of those easy pivots for Mach-O files, using North Korean samples as an initial case study; along the way, Greg takes us on a tour of the North Korean clusters using Mach-O samples, how those clusters intersect, how their families relate to one another, and shows how some simple pivots can link a group’s families together.
About the Presenter
Greg Lesnewich is senior threat researcher at Proofpoint, working on tracking malicious activity linked to the DPRK (North Korea). Greg has a background in threat intelligence, incident response, and managed detection, and previously built a threat intelligence program for a Fortune 50 financial organization.
About LABScon 2023
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
During the last couple of years, Hakan Tanriverdi (@hatr) has reported on several large-scale digital espionage and sabotage campaigns, from hacking groups that were later called out by the Department of Justice to companies targeting critical infrastructure in Germany and across Western Europe. In both cases, mistakes in how the attackers set up their infrastructure enabled Hakan’s team to follow their tracks, in some cases right back to their employers. The resulting stories revealed the intersection where covert cyber operations and overt organizational structures meet.
This talk lays out the types of information investigative reporters work with, how they follow and fact-check opaque leads, and how they turn them into portraits of previously unknown actors pulling the strings in cyberspace.
Covering investigations into Turla, Magna Bear and REvil, this talks offers a fascinating insight into how researchers peel back the layers threat actors use to mask their activities.
About the Presenter
Hakan Tanriverdi works as a reporter for Paper Trail Media covering cybersecurity. He mainly focuses on hacking groups and trying to find out who they are working for, on a name- and employer-basis. His investigations tend to be on the more technical side and are assisted by scripts, scrapers and querying databases.
About LABScon 2023
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
Adam Rawnsley has spent the past decade reporting in-depth on Iran’s UAV industry and paying particular attention to the IRGC drone company Mado and its CEO Yousef Aboutalebi. One day in 2021, a self-professed “hacktivist” popped into Adam’s direct messages, told him his “group” had noticed Adam had done the most work on Mado, and dumped videos and documents allegedly hacked from the company’s network and CEO.
The material—painstakingly verified with the help of colleagues—fleshes out a portrait of the company Adam had been sketching out for years. Thanks to the additional sourcing and some help from colleagues at the Middlebury Institute of International Studies (MIIS) and work by others, we can now confirm that Mado engines are powering the Iranian drones raining down on Ukraine and are likely used in some of the cruise missiles Iran and its proxies have launched against Saudi Arabia and the United Arab Emirates.
Using the hacked documents and videos along with court records, web registration information, business records, and other open sources, Adam traces the rise of a key Iranian drone company from late 2000s aviation forum posts to contracts with some of the highest ranking generals in the Islamic Revolutionary Guard Corps. Mado’s trail starts in Iran but moves through China, Germany, Saudi Arabia, an Iranian motorcycle company, and finally Russia and Ukraine.
About the Presenter
Adam Rawnsley is a reporter at Rolling Stone. He spent his career in journalism covering national and cybersecurity, primarily through the lens of open source reporting. He has written for Bellingcat, Foreign Policy, Wired, and The Daily Beast and guest lectured on open source and security issues at CyberWarCon (2022), John Hopkins University, Georgetown University, and Middlebury College.
About LABScon 2023
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
SentinelLabs has discovered a novel malware variant of AcidRain, a wiper that rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional disruptions throughout Europe at the onset of the Russian invasion.
The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.
Our analysis confirms the connection between AcidRain and AcidPour, effectively connecting it to threat clusters previously publicly attributed to Russian military intelligence. CERT-UA has also attributed this activity to a Sandworm subcluster.
Specific targets of AcidPour have yet to be conclusively verified; however, the discovery coincides with the enduring disruption of multiple Ukrainian telecommunication networks, reportedly offline since March 13th.
The ISP attacks are being publicly claimed by a GRU-operated hacktivist persona via Telegram.
On March 16th, 2024, we identified a suspicious Linux binary uploaded from Ukraine. Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since our initial finding, no similar samples or variants have been detected or publicly reported until now. This new sample is a confirmed variant we refer to as ‘AcidPour’, a wiper with similar and expanded capabilities.
This is a threat to watch. My concern is elevated because this variant is a more powerful AcidRain variant, covering more hardware and operating system types. https://t.co/h0s6pJGuzv
Our technical analysis suggests that AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.
Following our initial reporting on Twitter, CyberScoop reported a claim from the Ukrainian SSCIP attributing our findings to UAC-0165, clustered as a subgroup under the outdated ‘Sandworm’ threat actor construct. We reported our initial findings to partners on Saturday, followed by the public analysis thread on Twitter. Our analysis is ongoing.
AcidRain Context
On February 24th, 2022, a cyber attack rendered Eutelsat KA-SAT modems inoperable in Ukraine. Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control and reportedly affected vital services across Europe.
On March 30th, 2022, we identified a wiper component which we dubbed ‘AcidRain’ as a part of the attack chain that caused this disruption by rendering Surfbeam2 modems inoperable in an attempt to disable vital Ukrainian military communications at the start of the Russian invasion.
During our original analysis of AcidRain, we assessed with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin named ‘dstr’. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.
On May 10th, 2022, the European Union and its Member States issued an official condemnation of this activity, holding the Russian government responsible. Despite an abundance of wipers and cyber operations against Ukrainian targets in the subsequent months and years, we had not seen any further uses of AcidRain or similar components.
Enter AcidPour
On March 16th, 2024, we observed a new Linux wiper we are naming ‘AcidPour’. We alerted relevant partners immediately to stem the potential for any additional significant regional impact, followed by public dissemination of technical indicators and early analysis to alert the research community and encourage vigilance and contributions.
Our initial finding centered on surface similarities with AcidRain, so we placed a large emphasis on ascertaining whether a more conclusive relationship could be established between the two components at a technical level, as well as an understanding of its capabilities.
Technical Analysis
Where AcidRain is a Linux wiper compiled for MIPS architecture for compatibility with the devices targeted, AcidPour is compiled for x86 architecture. Despite both targeting Linux systems, the architecture mismatch somewhat limits our ability to compare the compiled codebases.
Notably, AcidRain was a hamfisted wiper rather than a specifically tailored solution. It operates by iterating over all possible devices in hardcoded paths, wiping each, before wiping essential directories. Its lack of specificity suggests a lack of familiarity (or time) to adapt to the specifics of the Surfbeam2 targets. However, that also means that AcidRain can serve as a more generic tool able to disable a wider swath of devices reliant on embedded Linux distributions.
The AcidPour variant is an ELF binary compiled for x86 (not MIPS), and while it refers to similar devices, the codebase has been modified and expanded to include additional capabilities. Our best automated attempts to compare across different architectures only yields a low confidence < 30% similarity.
We took that as a base measurement and proceeded to conduct a deep-dive analysis of the new binary with a focus on testing the hypothesis that the two are related variants, as well as detailing any net new capabilities.
Notable similarities include the use of the same reboot mechanism, the exact logic of the recursive directory wiping, and most importantly the use of the same IOCTL-based wiping mechanism used by both AcidRain and the VPNFilter plugin ‘dstr’.
Shared Reboot Mechanism
Recursive Directory Processing
Wiping Mechanisms
At the time of discovery, we noted the similarities between AcidRain’s IOCTLs-based device-wiping mechanism and the VPNFilter plugin ‘dstr’, pictured below:
AcidPour relies on the same device wiping mechanism:
AcidPour’s Net New Functionality
AcidPour expands upon AcidRain’s targeted linux devices to include Unsorted Block Image (UBI) and Device Mapper (DM) logic.
AcidRain’s supported devices:
/dev/sd*
A generic block device
/dev/mtdblock*
Flash memory (common in routers and IoT devices)
/dev/block/mtdblock*
Another potential way of accessing flash memory
/dev/mtd*
The device file for flash memory that supports fileops
/dev/mmcblk*
For SD/MMC cards
/dev/block/mmcblk*
Another potential way of accessing SD/MMC cards
/dev/loop*
Virtual block devices
AcidRain targeted flash chips via MTD for raw access to flash memory in the form of /dev/mtdXX device paths. This capability is expanded in AcidPour to include /dev/ubiXX paths. UBI is an interface built on top of MTD to act as a wear-leveling and volume management system for flash memory. These devices are common in embedded systems dependent on flash memory like handhelds, IoT, networking, or in some cases ICS devices.
AcidPour also adds logic for handling /dev/dm-XX paths to access mapped devices. The device mapper framework enables logical volume management (LVM), abstracts physical storage into logical volumes for easier resizing, manipulation, and maintenance.
These devices act as virtual layers of block devices, enabling features like logical volumes, software RAID, and disk encryption. This would put devices like Storage Area Networks (SANs), Network Attached Storage (NASes), and dedicated RAID arrays in scope for AcidPour’s effects.
All Local, No imports
One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2.
AcidPour is programmed in C without relying on statically-compiled libraries or imports. Most functionality is implemented via direct syscalls, many called through the use of inline assembly and opcodes.
This forces some unusual seemingly-archaic approaches to simple operations like storing and modifying format strings for device paths as needed in the course of their operations.
Self-Delete
Perhaps as a response to the discovery of AcidRain, this new version now kicks off with a self-delete function. It maps the original file into memory, then overwrites it with a sequence of bytes ranging from 0-255 followed by a polite Ok.
Alternate Device Wiping Mechanism
At the time of our discovery of AcidRain, there was some confusion about the involvement of a wiper in taking down the Surfbeam2 modems. As we reverse engineered the malware, we found a second wiping mechanism that didn’t rely on IOCTLs. This alternate mechanism filled a buffer with the highest byte value (0xFFFFFFFF) and proceeded to decrement by 1, overwriting its target with the result. That allowed us to connect AcidRain’s expected output with dumps of the affected devices.
Viasat incident I managed to dump the flash of two Surfbeam2 modems: 'attacked1.bin' belongs to a targeted modem during the attack, 'fw_fixed.bin' is a clean one. A destructive attack. pic.twitter.com/0QuTrLFR2A
With this crucial detail in mind, we were curious as to whether AcidPour implements an analogous alternate wiping mechanism.
Depending on the device type, a different wiping mechanism is engaged, overwriting the device repeatedly with the contents of a 256kb buffer. The specifics of this alternate mechanism require further analysis.
Attribution
Earlier this week, CERT-UA confirmed our findings and publicly attributed the activity to UAC-0165, considered a subgroup of the outdated Sandworm APT. UAC-0165 targets are commonly observed in Ukrainian critical infrastructure, including telecommunications, energy, and government services.
In September 2023, Ukraine SSSCIP publicly released a report on their latest findings of Russian linked threat activity. Notably, their section on UAC-0165 points to the continued use of GRU-linked, fake hacktivist personas as a medium for publicly announcing major intrusions and the leak of stolen data from Ukrainian victims.
On March 13th, the SolntsepekZ persona publicly claimed the intrusion into Ukrainian telecommunication organizations, three days prior to our discovery of AcidPour.
In addition to their Telegram presence, SolntsepekZ makes use of multiple domains under this persona. On Telegram, visitors are currently linked to solntsepek[.]com, which is associated with the hosting IP 185.61.137.155, of BlazingFast Hosting in Kiev. This hosting IP has previously hosted solntsepek[.]info as well as being related to solntsepek[.]org and similar to solntsepek[.]ru.
Review of the current state of these alleged target organizations indicates the impact is still ongoing. Below is an example notice currently on display from Triangulum, a group of companies providing telephone and Internet services under the Triacom brand, and Misto TV. Industry colleagues with Kentik are also observing this activity and have shared observations of the impact starting on March 13th as well.
At this time, we cannot confirm that AcidPour was used to disrupt these ISPs. The longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded 3 days after this disruption started, would fit the bill for the requisite toolkit. If that’s the case, it could serve as another link between this hacktivist persona and specific GRU operations.
Conclusion
The discovery of AcidPour in-the-wild serves as a stark reminder that cyber support for this hot conflict continues to evolve two years after AcidRain. The threat actors involved are adept at orchestrating wide-ranging disruptions and have demonstrated their unwavering intent to do so by a variety of means.
The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications.
We continue to monitor these activities and hope the broader research community will continue to support this tracking with additional telemetry and analysis.
SentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger.
We observed Doppelgänger intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics relevant to the general population.
Doppelgänger disseminates content criticizing the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany.
Doppelgänger leverages a substantial network of X accounts, actively participating in coordinated activities to enhance visibility and engage audiences.
Overview
SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by Doppelgänger, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics. Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.
We observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterized by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population. The majority of the content seizes every opportunity to criticize the ruling government coalition and its support for Ukraine.
With Doppelgänger activities intensifying in times of frequent political shifts in Germany, we suspect that the network’s goal is to erode support for the coalition in light of upcoming European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025.
While we were documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel reported on overlapping activities, highlighting a growing concern about election interference.
In this post, we supplement existing reporting by providing additional technical indicators and insights into Doppelgänger’s tactics and disseminated content, with the ultimate goal of further heightening public awareness of this threat.
This report focuses on Doppelgänger activities targeting German audiences; a complementary report by Clearsky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine. The activities we observed closely resemble and partially overlap with those previously reported by Recorded Future and Meta, indicating the persistent nature of Doppelgänger.
We observed Doppelgänger orchestrating the operation of a large coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals, as well as from sites that Doppelgänger itself has created.
The majority of the X accounts we discovered as part of our investigation had not been deactivated at the time of writing. In an effort to maximize visibility and audience engagement, these accounts participate in coordinated activities, such as regularly posting and reposting content from highly popular profiles, as well as engaging with posts from other suspected Doppelgänger-managed accounts.
The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption. These stages implement obfuscation and tracking techniques. Coupled with the carefully constructed infrastructure management practices we observed Doppelgänger implementing, this underscores the network’s determination to operate without interruptions while effectively tracking the performance of its influence operations.
Redirection Stages
The first-stage websites, which Doppelgänger distributes on X, use thumbnail images hosted at telegra[.]ph to obfuscate the website thumbnails and redirect to second-stage sites.
The second-stage websites contain text unrelated to the campaign and execute a JavaScript code obfuscated using Base64-encoding.
The JavaScript code samples we analyzed issue a request to ggspace[.]space (reported as part of previous Doppelgaenger campaigns) or sdgqaef[.]site. The request includes tracking information, which is likely a campaign identifier. These are in the format of [country]-[day]-[month]_[domain], where [domain] refers to the domain hosting the destination article (DE-02-01_deintelligenz for an article hosted at deintelligenz[.]com). The IOC table at the end of this post lists some of the campaign identifiers we observed.
In addition, the JavaScript code executed by second-stage websites dynamically loads another JavaScript code provided by ggspace[.]space or sdgqaef[.]site, which implements logic for generating web content that redirects to a destination article.
sdgqaef[.]site and ggspace[.]space host at the /admin URL path a login page, which has been assessed to be of the Keitaro Tracking System. Doppelgaenger possibly uses Keitaro to track the effectiveness of its campaigns.
Social Media Activities
Probably in an attempt to increase their visibility, some of the suspected Doppelgänger-managed X accounts we identified regularly post content, which does not necessarily contain first-stage websites, whereas others remain idle for relatively long time periods.
We observed accounts posting content linking to first-stage sites in multiple languages of the targeted audiences. Further, the Doppelgänger’s account network is probably attempting to increase the engagement metrics of posts that link to first-stage websites in a targeted manner through reposts and views. This becomes evident when these metrics are compared with the metrics of posts by the same accounts that do not link to first-stage websites.
We identified multiple clusters of suspected Doppelgänger-managed accounts which have joined the X platform within the same month. We observed a significant level of coordination in the activities of the accounts within the same cluster, suggesting centralized control. This includes reposting of the same content at almost the same time, typically that of highly popular profiles. In addition, engagement metrics of posts that link to first-stage sites by suspected Doppelgänger accounts within the same cluster often have very similar engagement metrics.
Our analysis of the engagement metrics for almost all the accounts we identified revealed a range of reposts between 700 and 2000, with a median value of 883, and a range of views between 613 and 14000, with a median value of 5000.
Propaganda and Disinformation Content
Doppelgänger has been very active in creating websites that host articles for consumption by targeted audiences through the previously described multi-stage approach. Among these sites, there are domains and websites impersonating third-party news outlets, which includes mimicking their design, structure, and domain names, such as welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic). We assess that the rest of the websites we observed have been created by Doppelgänger with original design and structure and no indications of impersonating established news platforms.
In most cases, we observed consistent and regular publishing of new content, with only occasional idle periods lasting a few days at most. Some of the content consists of a blend of materials sourced from other websites and translated into the languages of the targeted audiences.
A closer look at the custom-built websites indicates that Doppelgänger has been making a fast-paced effort to bring its websites online and start distributing content. For example, some sites include template text or exhibit errors in search functionalities. Furthermore, nearly all of these websites lack social media presence. They display icons of social media platforms that link to the domains of these platforms rather than specific profiles.
Many of the custom-built websites have been built and are managed using the WordPress content management system. We observed that some websites display status messages in Russian when users perform content searches and the activity fails with an error, indicating the use of Russian-language WordPress components.
The majority of the articles Doppelgänger distributes have a strong anti-government narrative, especially in regard to the government’s support of Ukraine. The article snippets we present below are machine-translated from German into English.
An article at arbeitspause[.]org discusses a recent series of strikes by workers in the German public transport demanding better wages and better working conditions. The challenges relating to the state of workers in this sector, such as rising living costs due to inflation and shortage of workers, are a pressing concern in Germany that captures the attention of the broader population.
On a similar note, another article at arbeitspause[.]org focuses on the recent strikes by German farmers, which involved the blockade of major roads and were motivated by rising living costs and the government’s plan to phase out agricultural subsidies. Overlapping at times with the strikes in the public transport sectors, the farmers’ strikes have been disrupting mobility and therefore garnered the attention of the population and mass media. Doppelgänger has attempted to capitalize on the momentum by criticizing the government’s plan regarding agricultural subsidies, drawing a connection to the government’s support for Ukraine.
An article at derglaube[.]com focuses on the German immigration policy, which, according to some polls, ranks among the top issues for voters in Germany. In addition, the media frequently coverstopics relating to the government’s allocation of funds for immigration-related programs and services. Consistent with typical Doppelgänger practices, the influence operation network uses this opportunity to cast the government in a negative light and introduce its support for Ukraine into the narrative.
In an attempt to blend political-oriented propaganda or disinformation among other topics, some websites host articles covering broader subjects such as health, sports, and culture. We observed attempts to introduce propaganda even in such articles. For example, an article hosted at miastagebuch[.]com initially discusses headaches from a medical perspective only to later indicate the German government as one of the major causes of headaches.
We emphasize that Doppelgänger also targets Germany through articles published by third-party outlets, such as telepolis[.]de, freiewelt[.]net, overton-magazin[.]de, and deutschlandkurier[.]de.
The articles from these outlets that Doppelgänger disseminates focus on both domestic and international topics, some with a strong anti-Western narrative. For instance, an article from overton-magazin[.]de portrays the West as profiteering from the Russo-Ukrainian conflict, while depicting Ukraine as a plaything of Western global players (cit.).
Additionally, an article from osthessen-news[.]de highlights factors such as the Ukraine war and inflation as contributors to economic challenges in Germany, prompting medium-sized companies to consider restructuring due to escalating costs. Issues concerning small- and mid-sized companies are particularly relevant to the broader German audience, given their significant contribution to the country’s overall economy.
Infrastructure
The Doppelgänger infrastructure can be structured into four parts subject to different infrastructure management and control practices, with each part designated to hosting the different entities involved in disseminating content for consumption by targeted audiences: the first-stage and second-stage redirection websites, the servers likely used for monitoring campaign performance (ggspace[.]space and sdgqaef[.]site), and the destination websites.
The first-stage and second-stage websites often shift between a variety of hosting providers, such as Hostinger, Global Internet Solutions, and Digital Ocean. The domains of these websites typically have short lifespans, lasting only several days at a time and recurring multiple times over a few years. We observe that Doppelgänger activates the domains for brief periods during its campaigns before deactivating them again.
The domains of the first-stage websites have a diverse range of top-level domains (TLDs), including generic TLDs such as .buzz, .art, .store, .site, and .online, as well as country code TLDs like .co.uk and .br. The domains’ format suggests an automated generation approach involving the creation of subdomains and numerical suffixes, for example, pcrrjx.kredit-money-fun169[.]buzz and yzrhhk.kredit-money-fun202[.]buzz.
This strategy, combined with the frequent rotation between hosting providers and the cyclical nature of the domains, indicates an effort by Doppelgänger to evade detection and tracking of its first-stage infrastructure, which is exposed on social media platforms and therefore more likely to be subjected to scrutiny. Doppelgänger does not apply the same domain naming convention to second-stage websites, which are not directly exposed on social media platforms.
Playing a central role in Doppelgänger’s campaigns, ggspace[.]space and sdgqaef[.]site are responsible for both redirection and presumably monitoring campaign performance. They are hosted behind a Cloud-based reverse proxy infrastructure, likely implemented as a security measure to obfuscate their true hosting locations. In contrast to the first-stage and second-stage domains, the active periods of these domains typically span several months during Doppelgänger’s campaigns.
Many of the servers hosting the destination websites are managed using cPanel, and some implement geofencing, which restricts traffic to IP addresses from targeted countries. This practice is likely intended to minimize exposure of their infrastructure and content to scrutiny and monitoring by researchers or authorities outside those regions, reducing the likelihood of detection and investigation into Doppelgänger’s activities.
The domains of the majority of these websites were first registered in the first quarter of 2023 and some as early as mid-2022, remaining active as of the time of writing. A smaller subset of domains, such as derglaube[.]com, which we assess with high confidence as being managed by Doppelgänger at this time, have been active for nearly 10 years, with intermittent periods of inactivity lasting a few years at most.
Conclusions
Doppelgänger represents an active instrument of information warfare, characterized by strategic use of propaganda and disinformation to influence public opinion. The campaign targeting Germany we discussed in this post serves as a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and current topics of geopolitical and socio-economic significance to shape perceptions.
We anticipate that Doppelgänger’s activities, targeting not only Germany but also other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years. We expect Doppelgänger to continue innovating its infrastructure and obfuscation tactics to make its activities more difficult to detect and disrupt.
We emphasize that countering influence operations requires a comprehensive and collaborative approach, involving enhancing public awareness and media literacy to identify and resist manipulation, alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.
SentinelLabs continues to monitor Doppelgänger activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.
Indicators of Compromise
Due to the extensive volume of observed indicators, we present here only a selection, including indicators from parallel campaigns targeting France alongside those targeting German audiences.
In an engaging exploration at LABSCon, Kris McConkey unveils the evolution and significance of a cyber espionage actor, dubbed as a “superpower” in the digital espionage arena. This actor, initially engaged in phishing campaigns, has matured into one of the most technically sophisticated and deeply entrenched entities in cyber espionage.
Evolution
Tracing back over a decade, public and private intelligence reports have consistently highlighted the actor’s growing sophistication. From early stages marked by widespread malware distribution, such as PlugX and ShadowPad, to a more controlled dissemination of advanced tools like Crosswalk and Sidewalk, the actor has demonstrated a strategic tightening of their operational framework.
Technical Sophistication
The actor’s technical prowess is evident through the use of ShadowPad, a tool first emerged around 2015, with SentinelOne offering a comprehensive analysis on its evolution. Notably, ShadowPad has been adopted by at least 13 distinct threat actors, showcasing its wide influence. Introducing ScatterBee loader in 2020 marked a significant technical leap, showcasing advanced obfuscation techniques that complicate malware analysis efforts.
Operational Tactics
The presentation delves into the operational intricacies of the espionage actor, including their unique approach to malware loading and execution. A notable shift was observed in August 2022, with the discovery of a new ShadowPad variant that employed a novel execution mechanism, further emphasizing the actor’s ongoing innovation and adaptation.
Global Reach and Sector Focus
The actor’s operational scope is global, impacting over 35 countries across various sectors. This widespread engagement underscores the actor’s strategic intent and capability to infiltrate various targets, from governmental bodies to the telecommunications sector. Their focus extends to high-value targets, leveraging tailored malware like FunnySwitch and Spider for specific operations.
Infrastructure and Techniques
An in-depth analysis of the actor’s infrastructure reveals a multi-layered approach, involving relay networks and virtual private servers to obfuscate their activities. This infrastructure supports various capabilities, from direct victim access to sophisticated tunneling techniques, enabling the actor to maintain a persistent threat landscape.
Insights Based on Numbers
The actor has evolved over ten years, highlighting their long-term presence and impact.ShadowPad has been utilized by 13 distinct threat actors, indicating its widespread adoption.
The espionage network has targeted over 35 countries, demonstrating its global reach.
In conclusion, the rise of this espionage actor from modest beginnings to becoming a formidable force in cyber espionage illustrates a significant shift in the cyber threat landscape. Their ability to innovate, adapt, and execute sophisticated cyber operations underscores the need for advanced defensive strategies and international cooperation to counteract their pervasive influence.
Watch the full presentation:
About the Presenter
Kris leads PwC’s Global Cyber Threat Intelligence practice, which tracks a wide variety of targeted threat actors operating from more than 25 countries.
Kris also leads the EMEA Cyber Threat Operations practice – a front line technical services group responsible for a portfolio of defensive and offensive cyber security services to help clients detect and respond to cyber security threats and incidents. He has spent the past 17 years at PwC delivering cyber incident response, threat hunting and threat research services to global clients.
About LABScon 2023
This presentation was featured live at LABScon, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
I-Soon (上海安洵), a company that contracts for many PRC agencies–including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army–was subject to a data leak over the weekend of Feb 16th. It is not known who pilfered the information nor their motives, but this leak provides a first-of-its-kind look at the internal operations of a state-affiliated hacking contractor. The authenticity of the documents is still undecided. While the leak’s contents do confirm public threat intelligence, efforts to corroborate further the documents are on-going.
The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem. It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.
I-Soon–whose employees complain about low pay and gamble over mahjong in the office–appears to be responsible for the compromise of at least 14 governments, pro-democracy organizations in Hong Kong, universities, and NATO. The leaked documents align with previous threat intel on several named threat groups.
Victim data and targeting lists, as well as names of the clients who requested them, show a company who competes for low-value hacking contracts from many government agencies. The finding indicates that historical targeting information from Advanced Persistent Threats thought to be PRC contractors does not provide strong guidance on future targets.
Machine translation enabled the rapid consumption of leaked data. These tools broadened the initial analysis of the information beyond seasoned China experts with specialized language skills and technical knowledge. This has enabled many more analysts to scan the leaked information and quickly extract and socialize findings. As researchers dig into the voluminous information, domain expertise will be required to understand the complex relationships and implicit patterns between the relevant organizations, companies, and individuals. One upshot is that geographically-specialized analysis will continue to provide distinct value, but the barrier to entry is much lower.
Initial Observations
At 10:19 pm on January 15th, someone, somewhere, registered the email address [email protected]. One month later, on February 16th, an account registered by that email began uploading content to GitHub. Among the files uploaded were dozens of marketing documents, images and screenshots, and thousands of WeChat messages between employees and clients of I-SOON. An analyst based in Taiwan found the document trove on GitHub and shared their findings on social media.
Many of the files are versions of marketing materials intended to advertise the company and its services to potential customers. In a bid to get work in Xinjiang–where China subjects millions of Ugyhurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work. The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.
Elsewhere, technical documents demonstrated to potential buyers how the company’s products function to compromise and exploit targets. Listed in the documentation were pictures of custom hardware snooping devices, including a tool meant to look like a powerbank that actually passed data from the victim’s network back to the hackers. Other documentation diagrammed some of the inner workings of I-SOON’s offensive toolkit. While none were surprising or outlandish capabilities, they confirmed that the company’s main source of revenue is hacking for hire and offensive capabilities.
The leaked documents provide indicators–such as command-and-control infrastructure, malware, and victimology–which relate to suspected Chinese cyberespionage activities previously observed by the threat intelligence community. Initial observations point to activities spanning a variety of targeted industry sectors and organizations as well as APT groups and intrusion sets, which the threat intelligence community tracks, or has been tracking, as distinct clusters. The extent and strength of the relationships between indicators present in the leaked data and past intrusions are still subject to detailed evaluation.
The selection of documents and chats leaked on GitHub seem meant to embarrass the company, but they also raise key questions for the cybersecurity community. One document lists out targeted organizations and the fees the company earned by hacking them. Collecting data from Vietnam’s Ministry of Economy paid out $55,000, other ministries were worth less. Another leaked messaging exchange shows an employee hacking into a university not on the targeting list, only for their supervisor to brush it off as an accident. Employees complained about low pay and hoped to get jobs at other companies, such as Qi An Xin.
Conclusion
The leaked documents offer the threat intelligence community a unique opportunity to reevaluate past attribution efforts and gain a deeper understanding of the complex Chinese threat landscape. This evaluation is essential for keeping up with a complex threat landscape and improving defense strategies.
Extensive sharing of malware and infrastructure management processes between groups makes high-confidence clustering difficult. As demonstrated by the leaked documents, third-party contractors play a significant role in facilitating and executing many of China’s offensive operations in the cyber domain.
For defenders and business leaders, the lesson is plain and uncomfortable. Your organization’s threat model likely includes underpaid technical experts making a fraction of the value they may pilfer from your organization. This should be a wakeup call and a call to action.
SNS Sender is a script that enables bulk SMS spamming using AWS SNS, aka Smishing, a previously unseen technique in the context of cloud attack tools.
The script author is currently known by the alias ARDUINO_DAS and is prolific in the phish kit scene.
The script requires valid AWS SNS credentials compromised from an environment not subject to the SNS sandbox restrictions.
We identified links between this actor and numerous phishing kits used to target victims’ personally identifiable information (PII) and payment card details.
The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.
Overview
A common thread between businesses and threat actors is that both are moving workloads previously handled by traditional web servers to the cloud. SentinelLabs has identified one example of this in the form of SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, aka Smishing.
SNS Sender is the first script we encountered using AWS SNS to send spam texts. The script requires access to an AWS account in which the service was already provisioned, configured, and enabled. By default, AWS accounts are subject to restrictions through a feature called the SNS sandbox. These restrictions can be removed if the customer spends $1 and provides a viable use case to AWS support, who manually review such requests. While other tools like AlienFox have used business to customer (B2C) communications platforms such as Twilio to conduct SMS spamming attacks, we are unaware of existing research that details tools abusing AWS SNS to conduct such attacks.
We identified links between the actor behind this tool and many phishing kits used to target victims’ personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery. We believe this actor is using cloud services to send bulk SMS phishing messages, though they may still be testing the tool based on some questionable programming choices.
Script Analysis
SNS Sender is a script that enables bulk SMS spamming using AWS SNS. The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input:
A text file containing a list of AWS access keys, secrets, and region delimited by a colon
A text file containing a list of phone numbers to target
A sender ID, similar to a display name for a message
The message content
The send_sns_message function sets up the AWS boto3 client–an interface between the Python script and the AWS SNS backend–to send the SMS messages. The boto3 client variables are obtained through the arguments that the script user provided.
The sender ID variable is an interesting inclusion. According to AWS documentation, this variable is optional and is supported in some countries. In the United States, carriers do not support sender IDs, whereas in India, they are mandatory. The inclusion of a sender ID contrasts with the actor’s association with USPS-themed phishing kits targeting Americans. The oversight may indicate the actor is not familiar with this exception and likely resides in a country where the sender ID is commonplace.
SNS Sender establishes a while loop that iterates through the list of AWS credentials and regions. The script replaces any occurrences of the string linkas in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The link is selected randomly using the Python random library’s choice method.
The script tracks how many AWS access key pairs have been accessed through the a variable and how many phone numbers have been used through the y variable, which are initialized as 0 and incremented by 1 each time the loop runs. Each message is sent using the credentials from one line from the AWS access key pair list, and the tracking ensures that the next line is accessed for the subsequent message.
To run at scale, the list would need to be incredibly long, and likely repeat access key & secret pairs, making this a coding method with questionable efficacy.
Phishing Kits
When investigating the handle ARDUINO_DAS, we identified more than 150 phishing kit files containing references to the actor. More than half of the kits are USPS-themed. The assets in these archives are similar in name to the URIs present in several recent Smishing campaigns using a missed package delivery lure. We believe that the actor abandoned the ARDUINO_DAS handle in 2023 after accusations that the actor scammed buyers. However, some recently circulated phishing kits still reference this handle, which may make it an artifact of actors using the phishing kit.
Due to the link between ARDUINO_DAS and USPS phishing, we explored several active campaigns circulating through early January 2024, hosted on hxxps://usps[.]mytrackingh[.]top and hxxps://u-sipsl[.]cc. Both sites host a USPS-themed phishing site with a flow like:
Landing Page: Explains to the visitor that their USPS package is unable to be delivered. The “Click Update” button leads to the next step.
Tracking Page: This page looks like USPS tracking details, but it prompts the victim to enter their name, physical address, phone number, and email address.
Card Verification Page: This page prompts the user to enter a credit card number for a $0.30 redelivery fee.
The server forwards the details to a card checker, which is likely run through a Telegram service.
Conclusion
Actors are continuously finding new tools and platforms they can use to conduct their attack of choice, and SNS Sender is no exception. Spammers have used mega tools like AlienFox and Predator to target bulk mail services as well as business communications services. Other researchers have detailed which APIs have been used during in-the-wild AWS SNS abuse attacks, as well as enumeration routes actors may take to verify a targeted environment’s SNS capabilities. SNS Sender provides a glimpse into how actors conduct these attacks.
SNS Sender represents a more narrow approach that relies on the actor having access to a properly configured AWS SNS tenant. Using AWS presents a challenge for this actor: AWS does not allow SMS notifications via SNS by default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment. This is an update from previous research where AWS automatically allowed accounts to send to 10 destination numbers while an account is in the SNS sandbox.
Organizations using AWS SNS can protect themselves by reviewing the SNS documentation for the latest information. AWS has shared guidance for organizations to learn more about the SNS sandbox and how to change sending limits. Identity and Access Management (IAM) administrators should review identity best practices to optimize their organization’s security posture.
Desire for recognition presents operational security challenges for actors developing tools for the opportunistic cloud hacking scene. The actor including their handle in the script is ubiquitous among cloud hack tools, enabling researchers to form a point of attribution even when delineating the tool families becomes challenging due to extensive overlap.
China launched an offensive media strategy to push narratives around US hacking operations following a joint statement by the US, UK, and EU in July 2021 about China’s irresponsible behavior in cyberspace.
Some PRC cybersecurity companies now coordinate report publication with government agencies and state media to amplify their impact.
Allegations of US hacking operations by China lack crucial technical analysis to validate their claims. Until 2023, these reports recycled old, leaked US intelligence documents. After mid-2023, the PRC dropped pretense of technical validation and only released allegations in state media.
The cyber-focused media campaign preceded the 2023 efforts of China’s Ministry of State Security to disclose accounts of western spying in the PRC.
Introduction
In the western media and cybersecurity industry in general, we have become familiar with regular reports of nation-state espionage activities often attributed to China or Chinese-linked threat groups. Such reports rest their credibility on the level of meticulous technical detail and evidence-based claims contained therein.
In contrast, claims of espionage and cyber intrusion attributed to western nation-state agencies emanating out of China’s Ministry of State Security and Chinese cybersecurity firms are notably lacking in the same kind of technical detail or evidential proof.
Between the first reports establishing US involvement in Stuxnet and the summer of 2021, China’s most prominent actors in the cybersecurity industry never independently established attribution of hacking inside the PRC to any US-affiliated APTs, nor did the analysis of US-nexus hacking extend beyond tools and exploits.
China’s cybersecurity companies also never published the underlying technical data that is considered table stakes for non-Chinese companies. The companies only regurgitated information from foreign vendors or leaked US intelligence documents. This was a matter of policy, not capability. Such reports were likely written and held back from external publication since at least 2016.
Below, we describe how and why this strategy came into play. Interested readers can find a more detailed analysis in the full report.
China Pivots to Rehashing Old Quarrels
In the winter of 2021, a PRC hacking team was taking advantage of four vulnerabilities in Microsoft Exchange Servers. When intelligence that Microsoft was planning to patch reached the team, they shared the vulnerability with others and automated their attack for scale.
This significant increase in abuse, in concert with its arbitrary targeting that left victims vulnerable to much easier compromise, pushed the U.S., U.K., and the EU jointly to issue a statement condemning China’s behavior in cyberspace. The joint statement so irked the PRC government that it began a media campaign to push narratives about US hacking operations in global media outlets.
Starting in early 2022, state media began releasing English-language articles to accompany CTI publications by PRC cybersecurity companies and government agencies. This marked a shift in China’s approach to discussing foreign espionage, highlighting US hacking activities more frequently to a global audience.
In 2021, Global Times only mentioned the NSA twice–both in the context of railing against global capitalists. In 2022, the publication mentioned the NSA in connection to hackings tools or operations 24 times.
But the reports released throughout 2022 and into 2023 continued to draw from leaked US government documents, not new technical analysis by PRC companies. They were, in effect, recycling old content for propaganda purposes. The China Cybersecurity Industry Alliance released its Review of Cyberattacks from US Intelligence Agencies in 2023, summarizing over a decade of research on US cyberattacks, albeit without new evidence. Of the nearly 150 citations in the report, less than one-third are attributed to PRC vendors. A full accounting of these publications is available in the full report.
A New Era
In July 2023, China did something it hadn’t done before—it spread new allegations of US hacking apparently unrelated to past US intelligence leaks and, as of this report, entirely unsubstantiated.
In a series of publications by Global Times, the CEO of Antiy claimed the United States had hacked into seismic censors of the Wuhan Earthquake Monitoring Center. His claims, along with those of the Global Times, were ostensibly based on a report from CVERC and Qihoo360. But this report, if it exists, is not yet public. Neither CVERC nor Qihoo360 host such a report on their respective websites, nor does any PRC government agency. Qihoo360’s only mention of the Wuhan Center is a community board post by an anonymous user referencing state media.
The lack of technical details–or in this case, a report at all–did not stop the story from getting attention. A handful of cybersecurity industry outlets in the U.S. picked up the story and ran it in July and August after the Global Times published another report covering the allegations. This time, state media claimed that “Chinese authorities will publicly disclose a highly secretive global reconnaissance system of the US government…” To date, this remains yet another report that has not been released.
The allegations of US hacking without technical evidence coincided with China’s Ministry of State Security launching its public WeChat account. Since the middle of 2023, the MSS has publishedfour accounts of foreign spies operating in China and being caught. Three are alleged to have been working for the U.S., a fourth was alleged to have worked for the UK and was tied to office raids of foreign due diligence firms. Off-the-record American officials confirmed one of the US cases to press later in the year. Further discussion of China’s allegations of human intelligence collection is available in the full report.
Conclusion
China has not yet published detailed accounts that analysts have come to expect from cybersecurity firms. Accepting this asymmetry in data sharing benefits China, allowing the country to publish claims of foreign hacking without the requisite information. If analysts do not actively challenge the CCP’s claims, the government can lie with impunity.
Repeating China’s allegations helps the PRC shape global public opinion of the U.S. China wants to see the world recognize the U.S. as the “empire of hacking.” But outright ignoring China’s claims undermines public knowledge and discourse. The fact that China is lodging allegations of US espionage operations is still notable, providing insight into the relationship between the US and China, even if China does not support its claims. CTI analysts and intelligence consumers would be wise to differentiate between the claims made by China across domains, however.
To date, China has provided no reasonable evidence to support any of its claims besides wantonly recycling leaked US intelligence. In western cybersecurity industry circles, claims of US hacking without supporting technical evidence are derided—and rightfully so.
State secrecy laws are the likely culprit stopping PRC-based cybersecurity companies from publishing technical data. With their hands tied, the CCP’s political mandate to support narratives of western espionage operations leaves its companies hamstrung. We can and should call out this lack of rigor when we see it, ensuring that claims made by Chinese firms and the government are held to the same, rigorous analytical standards the global cybersecurity community has self-imposed.
SentinelLabs observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media organizations and high-profile experts in North Korean affairs.
We recovered malware in the planning and testing phases of Scarcruft’s development cycle, presumably intended for use in future campaigns.
ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals.
ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.
Overview
In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea’s academic sector and a news organization focused on North Korea. We observed persistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery methods, and infrastructure, we assess with high confidence that the campaigns are orchestrated by ScarCruft. Also known as APT37 and InkySquid, ScarCruft is a suspected North Korean advanced persistent threat (APT) group with a long history of targeted attacks against individuals as well as public and private entities, primarily in South Korea.
In addition, we retrieved malware that we assess is currently in the planning and testing phases of ScarCruft’s development cycle and will likely be used in future campaigns. In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals.
We observed ScarCruft using oversized Windows Shortcut (LNK) files that initiate multi-stage infection chains delivering RokRAT, a custom-written backdoor associated with the threat group. RokRAT is a fully-featured backdoor equipped with capabilities that enable its operators to conduct effective surveillance on targeted entities. In an attempt to execute undetected, the infection chains involve multiple executable formats and evasion techniques. They continue an existing trend, closely resembling the infection chains seen in ScarCruft activities from earlier in 2023, including the campaigns disclosed by AhnLab in April 2023, Checkpoint in May 2023, and Qi An Xin in July 2023.
By targeting high-profile experts in North Korean affairs and news organizations focused on North Korea, ScarCruft continues to fulfill its primary objective of gathering strategic intelligence. This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.
ScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies. This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches. As we continue to track suspected North Korean threat actors and their pace of experimentation, we assess they have a growing interest in mimicking cybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts directly, or more broadly through brand impersonation.
ScarCruft Campaigns
A phishing email, impersonating a member of the North Korea Research Institute (Institute for North Korean Studies – INKS), was sent from the email address kirnchi122[@]hanmail.net on December 13, 2023, targeting an expert in North Korean affairs. The email contains an attached archive file named December 13th announcement.zip (machine translation from Korean), which includes nine files.
The files claim to be presentation materials from a fabricated event relevant to the targeted individual — an apparent human rights expert discussion meeting. To make the phishing email current and therefore more credible, the email asserts that the meeting occurred on the same date the email was sent (December 13).
Among the nine files, seven are benign Hangul Word Processor (HWP) and PowerPoint documents, while two are malicious LNK files. LNK files have become popular among threat actors for malware deployment since Microsoft’s announcement that Office applications will by default disable the execution of Office macros in the context of documents that originate from untrusted sources.
In an attempt to make the malicious LNK files blend among the benign files, all files have names that relate to human rights in North Korea and start with a number assigned to each file. Furthermore, the LNK files disguise themselves as Hanword documents, using the Hangul Word Processor icon (the Icon location LNK artifact was set to C:\Program Files (x86)\Hnc\Office 2018\HOffice100\Bin\Hwp.exe).
Filename
Machine translation
1. 전영선 북한 주민 정보접근권 강화방안.hwp
1. Jeon Young-seon’s plan to strengthen North Korean residents’ right to access information.hwp
2.이상용 반동사상문화배격법과 정보 유입 활동의 변화.pptx
2. Lee Sang-yong’s reactionary ideology cultural rejection law and changes in information inflow activities.pptx
3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk
3. Lee Yun-sik’s North Korean Human Rights Act implementation plan centered on the launch of the North Korean Human Rights Foundation.lnk
5. 여현철 북한주민 정보접근권 강화 방안.hwp
5. Yeo Hyeon-cheol’s plan to strengthen North Korean residents’ right to access information.hwp
6. 이종겸 북한인권 토론회 토론문.hwp
6. Lee Jong-gyeom North Korean human rights debate discussion paper.hwp
7. 박유성 북한주민 정보접근 강화방안.hwp
7. Park Yoo-sung’s plan to strengthen North Korean residents’ access to information.hwp
8. 이도건 북한연구소 토론회.lnk
8. Lee Do-gun North Korean Research Center Discussion.lnk
9. 김태원 북한인권 전문가 토론회 토론문.hwp
9. Taewon Kim, North Korean human rights expert discussion paper.hwp
10. 서유석 북한 주민들의 알권리 제고 방안.hwp
10. Seo Yoo-seok’s plan to improve North Korean residents’ right to know.hwp
The LNK files exceed 48 MB and implement a multi-stage mechanism deploying the RokRAT backdoor.
The LNK files execute PowerShell code that performs the following actions:
Locates the executing LNK file based on its filesize.
Extracts from the LNK file a decoy document (in HWP and HWPX format), a Windows Batch script named 111223.bat, and a PowerShell script named public.dat, placing the script in the %Public% folder.
Displays the decoy document and executes 111223.bat.
Deletes the executing Shortcut file.
The PowerShell code locates the content of the files it extracts from the LNK file based on hardcoded offsets.
111223.bat then executes the PowerShell script stored in %Public%\public.dat. This script decodes and executes another hex-encoded PowerShell script embedded in public.dat.
The decoded script downloads from a major Cloud file hosting provider a file named myprofile[.]zip, XOR-decrypts the file using the first byte as an XOR key, and executes the decrypted content in a thread.
myprofile[.]zip implements a shellcode that deploys the RokRAT backdoor. RokRAT uses public Cloud services for command-and-control purposes, such as pCloud and Yandex Cloud, disguising malicious communication as legitimate network traffic.
While most of the documents we analyzed are stripped of metadata, a HWPX decoy document stands out by containing metadata that identifies the pseudonym bandi as the document’s creator. We note the use of the same string in the context of Kimsuky activities, for example, in an email address used in a phishing campaign (bandi00413[@]daum.net) and in a C2 server domain (one.bandi[.]tokyo).
While the overlap in pseudonym use does not represent a strong link between the groups from a technical perspective, it is still indicative of the suspected relations between them. In the context of North Korea, the term bandi is known as the pseudonym of a suspected North Korean author known for publishing dissident writing. bandi also means ‘firefly’ in Korean.
Earlier Overlapping Campaign
Some of the individuals targeted in the December 2023 ScarCruft activity, discussed above, were also targeted approximately one month earlier on November 16, 2023. This speaks of the adversary’s persistence and adaptability in pursuing its goals. The November campaign included individuals from a news organization focused on North Korea as well.
A phishing email, impersonating a member of the North Korea Research Institute, was sent from the address c039911[@]daum.net. The email attaches two malicious HWP files, titled 조선 시장 물가 분석(회령).hwp (Shipbuilding market price analysis (Hoeryeong).hwp) and 조선 시장 물가 분석(신의주).hwp (Shipbuilding market price analysis (Sinuiju).hwp, machine translation from Korean), disguised as North Korean market price analysis data.
The documents contain OLE objects, activated by double-clicking on the document’s content. In adherence to the HWP document format, the OLE objects are stored as compressed Structured Storage objects, and their decompression reveals C2 URLs accessed upon OLE object activation.
The HWP documents contain metadata, including the LinkValue, Last Saved By, and Author metadata values, which provide information on the system accounts where the documents have been created.
HWP document
C2 URL and metadata
조선 시장 물가 분석(회령).hwp
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC
LinkValue: \Users\Moo\AppData\Local\Temp
Last Saved By: Moo
Author: Moo
조선 시장 물가 분석(신의주).hwp
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM
LinkValue: \Users\DailyN~1\AppData\Local\Temp
Last Saved By: dailynk_001
Author: dailynk01
The DailyN~1/dailynk_001/dailynk01 account is particularly interesting since it relates to Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea with which we have collaborated in the past. The focus of this organization makes them an attractive target for North Korean threat actors seeking to intrude or impersonate it, a strategy previously observed by SentinelLabs in past Kimsuky campaigns. It remains to be investigated whether this account is used for developing malware involved in Daily NK-related campaigns and/or serves as an additional indicator of the suspected relations between Kimsuky and ScarCruft. Additionally, in our previous reporting on the overlap of suspected North Korean intrusions into a Russian missile engineering organization, we shared links to ScarCruft infrastructure making use of this same illicit naming scheme, such as dallynk[.]com.
Pivoting on the DailyN~1 artifact revealed additional HWP documents that share overlapping metadata information and employ the same OLE-based infection vector, using different C2 URLs.
HWP document (SHA-1 hash)
C2 URL and metadata
e9df1f28cfbc831b89a404816a0242ead5bb142c
http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP
LinkValue: \Users\DailyN~1\AppData\Local\Temp
Last Saved By: dailynk01
Author: umgdnk-03
2f78abc001534e28eb208a73245ce5389c40ddbe
http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU
LinkValue: \Users\DailyN~1\AppData\Local\Temp
Last Saved By: dailynk_001
Author: /
The app.documentoffice[.]club domain is also used as C2 endpoint for malicious Microsoft Office documents, employing ActiveX controls to establish communication with the C2 server.
At the time of analysis, the C2 URLs were inactive, preventing us from examining their functions and any potential additional payloads they might deliver to the targets. We are still investigating the role of the user and view query parameter values, such as 5JV0FAGA6KW1GBHB7LX2HCIC and H11I75PFF0ZG53NDG00H64OE.
While preparing this report, Genians released research that outlines ScarCruft campaigns throughout 2023, covering certain aspects of the activities discussed in this section. We add to the public information on this activity cluster by providing additional details on the related infrastructure.
Infrastructure associated with this cluster of suspected North Korean threat activity leads to multiple interesting details which we have found useful for further monitoring and analysis of separate campaigns. The domains offlinedocument[.]site and documentoffice[.]club both make use of a variety of subdomains such as open, nav, and app as previously mentioned. During their illicit use, the domains temporarily make use of Lithuania’s Cherry Servers virtual private server (VPS) hosting service – 84.32.131[.]87, and 84.32.131[.]104 in this case.
A repeating trend is the actor registering domains through Namecheap, leaving the domain parked on a Namecheap IP address, and then rotating to Cherry Servers. In separate domains, we observe this same operational workflow, and interestingly other domains which the actor only makes use of for one or two days before shifting back to a parked IP address. We assess this process aims to limit detection and analysis capabilities following their malicious activity, such as hosting a phishing login or malware delivery link.
This domain overlaps through the use of unique Cherry Servers hosting IPs, which can be used for further moderate-confidence infrastructure pivoting. We encourage readers to conduct additional research and monitoring. The full list shown here is provided in the IOC table.
ScarCruft Testing Grounds
While investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft’s planning and testing processes. This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two oversized LNK files, named inteligence.lnk and news.lnk.
Although similar to those implemented by 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk discussed above, the infection chains executed by inteligence.lnk and news.lnk exhibit some differences. This has likely been done to evade detection based on the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.
inteligence.lnk executes PowerShell code, which locates the executing LNK file based on its filename instead of its filesize. The code then extracts from the LNK file and displays a decoy PDF document (named inteligence.pdf), and downloads from a major Cloud file hosting provider a hex-encoded file named story.txt. The PowerShell code locates the content of the decoy document it extracts from the LNK file based on a byte pattern (50 4b 03 04) instead of a hardcoded file offset.
The PowerShell code then decodes the file, and executes the decoded file content in a thread. story.txt implements a benign shellcode that just opens notepad.exe, indicating that inteligence.lnk has been developed for testing purposes.
In contrast to 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk, inteligence.lnk does not execute a Windows Batch script and an external PowerShell script.
news.lnk downloads, in the form of a file named story3.txt, and executes PowerShell code. The implementation and functionality of the code are very similar to that executed by inteligence.lnk, with a major difference being that the shellcode it executes is not downloaded from a remote endpoint but is embedded in the LNK file itself.
In contrast to inteligence.lnk, the shellcode executed by news.lnk is weaponized and deploys the RokRAT backdoor. It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in future ScarCruft campaigns. As of the time of writing, we have not observed news.lnk or its variants in the wild.
Both LNK files deploy the same decoy document – a public research report on the Kimsuky threat group by Genians, a South Korean cybersecurity company. The report is written in Korean and was released in late October 2023.
Given the report’s technical content, the LNK file names, and ScarCruft’s use of decoys relevant to the targeted individuals, we suspect ScarCruft has been planning phishing or social engineering campaigns on recent developments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence reports.
Conclusions
The findings outlined in this post highlight ScarCruft’s ongoing dedication to gathering strategic intelligence through targeted attacks. Our insight into ScarCruft’s malware testing activities reveals the adversary’s commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses.
We observed the group experimenting with new infection chains inspired by those they have used in the past. This involves modifying malicious code implementations and excluding certain files from the infection steps, likely as a strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been publicly disclosed by the threat intelligence community.
We suspect that ScarCruft is pursuing non-public cyber threat intelligence and defense strategies. This could benefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat landscape, aiding them in identifying threats to their operations and improving their operational playbooks.
A heightened awareness and better understanding of the adversary’s attack and infection methods among potential targets are crucial for effective defense. SentinelLabs remains actively engaged in tracking ScarCruft activities and supporting the organizations and individuals at risk of being targeted.
Allegations of oligarch elections meddling and influence is old news in 2024, but while prosecutors focus on the money trail in building threat intelligence based cases for indictment, don’t overlook oligarch-funded lawyers with creative delay and distract defense tactics.
From twisting data privacy laws to using funds for SLAPP (Strategic Lawsuits Against Public Participation) libel cases to leaking legal discovery, Elizabeth Wharton dissects a series of US and UK cases citing the Mueller report and the Steele (Orbis) Dossier as examples where oligarchs have thrown lawyers and money as curveballs to exert influence and thwart cybercrime prosecutions. Liz explores the chilling effects that strategic lawsuits can have on researchers when their findings are buried or discredited in lengthy and expensive legal process.
Liz also discusses ways to further leverage these cases as opportunities for closing policy gaps, extend anti-SLAPP legislation and improve open source intelligence data gathering.
Watch the full, fascinating talk below!
About the Presenter
Elizabeth (Liz) leverages almost two decades of legal, public policy, and business experience to advise researchers and to build and scale cybersecurity and threat intelligence focused companies. In addition to having led operations at two adversary research focused startups, her recent prior experience includes serving as the Senior Assistant City Attorney on Atlanta’s ransomware incident immediate response team. Liz was recognized as the 2022 “Cybersecurity or Privacy Woman Law Professional of the Year” by the United Cybersecurity Alliance.
About LABScon 2023
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.
FBot does not utilize the widely-used Androxgh0st code but shares similarities with the Legion cloud infostealer in functionality and design.
Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts.
FBot is characterized by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach.
Overview
The cloud hacktool scene is highly intertwined, with many tools relying on one another’s code. This is particularly true for malware families like AlienFox, Greenbot, Legion, and Predator, which share code from a credential scraping module called Androxgh0st.
We identified a tool that is related but distinct from these families. FBot is a Python-based attack tool with features to target web servers and cloud services as well as Software-as-a-Service (SaaS) technologies, including:
Amazon Web Services (AWS)
Office365
PayPal
Sendgrid
Twilio
FBot is unique in that it does not apparently adapt the Androxgh0st code so common among similar hacktools, though the earliest reference to FBot is one year more recent than the first sighting of Androxgh0st. However, there are several connections to the Legion cloud infostealer, making it likely the Legion maintainer adapted code from FBot into their tool.
FBot is primarily designed for actors to hijack cloud, SaaS, and web services. There is a secondary focus on obtaining accounts to conduct spamming attacks. Actors can use the credential harvesting features to obtain initial access, which they can sell to other parties.
The tool contains assorted utilities, including an IP address generator and port scanner. There is also an email validator function, which uses an Indonesian technology service provider to validate email addresses.
AWS Targeting
FBot has three functions dedicated to AWS account attacks. The first is an AWS API Key Generator, handled by function aws_generator, which generates a random AWS access key ID by appending 16 randomly selected alphabetic characters to the standard AKIA prefix. Then, it generates a secret key from 40 randomly selected alphabetic characters.
Despite FBot’s apparent lack of adopting the Androxgh0st modules, the same feature was highlighted in research on the Legion stealer as well as an older Androxgh0st variant, and it has not changed significantly. We agree with the aforementioned researchers’ conclusion that this feature is unlikely to succeed at brute forcing account credentials due to the possible number of access key and password combinations.
The second AWS feature is a Mass AWS Checker, handled by function aws_checker. This function checks for AWS Simple Email Service (SES) email configuration details, including the maximum send quota and rate, as well as how many messages have been sent in the past 24 hours, likely to maximize spamming efforts against the targeted account. It also creates a new user account with the username iDevXploit and the password MCDonald2021D#1337 and attaches the AdminsitratorAccess policy to elevate privileges for the new account. Unlike other cloud attack tools such as AlienFox, FBot does not delete the compromised account that the attacker used to gain access.
The third and final AWS feature is an AWS EC2 Checker, with the description Get EC2 VCPU Limit, which is handled by function ec_checker. This function reads a list of AWS identities from a text file in the format of AccessKey|SecretKey|Region. The script uses these values to check the targeted account’s EC2 service quotas. The FBot menu highlights that this can be used to check vCPU details, although the output is less straightforward. The query results describe the account’s EC2 configurations and capabilities, such as what types of EC2 instances can run. The script iterates through a list of specified AWS regions, runs the query again for each region, and logs the result to a text file.
SaaS & Payment Services Targeting
FBot has several features that target payment services as well as SaaS configurations.
The PayPal Validator feature is handled by paypal_validator. This function validates PayPal account status by contacting a hardcoded URL with an email address read from an input list. The email is added to the request in the customer details section to validate whether an email address is associated with a PayPal account.
The script initiates the Paypal API request via the website hxxps://www.robertkalinkin.com/index.php, which is a Lithuanian fashion designer’s retail sales website. Interestingly, all identified FBot samples use this website to authenticate the PayPal API requests, and several Legion Stealer samples do as well.
PayPal Validator crafts the request to this site with a fake item ID as well as phony customer details, then parses the response for a status message indicating success.
FBot also targets several SaaS platforms, including Sendgrid and Twilio. The Sendgrid feature is a Sendgrid API Key Generator, which generates a Sendgrid key formatted like:
SG.{22 characters from [A-Z0-9-_]}.{1 more character from previous range}
The Twilio feature takes the Twilio SID and Twilio Auth Token as input, separated by a pipe. The function then checks the SID & auth token combination for details about the account, including the balance and which currency, a list of phone numbers connected to the account.
Web Framework Features
FBot has features for validating if URLs host a Laravel environment file and for extracting credentials from those files. The Hidden Config Scanner feature takes a URL as input and crafts an HTTP GET request to several PHP, Laravel, and AWS-related URIs where configuration values may be stored, including:
_profiler/phpinfo
config.js
.env
config/aws.yml
.env.bak
info.php
aws.yml
phpinfo
aws/credentials
phpinfo.php
The response is parsed for keys and secrets related to the following services and the result is written to a text file:
AWS
MandrillApp
Coinpayments
Office365
DB_USERNAME (generic database)
Plivo
Ionos
Sendgrid
MAIL_PASSWORD (generic SMTP)
Twilio
Mailgun
FBot also targets several popular Content Management Systems (CMS). The function cms_scanner contains a map of CMS and web frameworks to regular expressions (regex) associated with the service. The program creates a request to the targeted URL and parses the response for the following technologies:
Codeigniter
Laravel
phpBB
Discuz
Lithium
PrestaShop
Drupal
Magento
vBulletin
Esportsify
MediaWiki
Whmcs
FluxBB
Moodle
WordPress
Invision
Ning
YetAnotherForum
Jive
OpenCart
ZenCart
Joomla
osCommerce
Zimbra
Taxonomy
FBot relies on configuration values to be fed to it through a configuration file (.ini), or through headers that initiate the main class. We identified one version that is compiled as a Windows executable.
The string iDevXploit is present across all samples: this handle is credited as the author in the main class. Additionally, the aws_checker function leaves artifacts in targeted AWS consoles: when FBot creates a new user in the AWS account, the username iDevXploit is consistent across samples, along with the password MCDonald2021D#1337.
Unlike many similar cloud hacktools, FBot does not contain references to the open-source Androxgh0st code found in tools like AlienFox, GreenBot, and Predator. The logic implemented is very similar in that both Androxgh0st and FBot parse environment configuration files for credentials related to similar mail & cloud services, but the implementation is different and no code seems to be directly borrowed.
There is considerable overlap with the Legion cloud infostealer in how the tools scrape URLs for PHP configuration. However, FBot is much smaller and less fully featured than Legion, with FBot samples weighing in at approximately 200 KB and Legion ranging from 800-1200 KB in size.
Conclusion
FBot demonstrates another tool family that continues the trend of adopting cloud attack tool code from one tool into another, while maintaining its own distinct flavor. We have seen samples spanning July 2022 to January 2024, showing there is continued proliferation of this tool. However, there are relatively few changes across versions and it is unclear whether this is actively maintained.
As of this writing, we are unable to identify a distribution channel dedicated to FBot, which differentiates the tool from other cloud infostealers often sold on Telegram. The bot has references to buffer_0x0verfl0w, a Telegram channel associated with various crimeware that has since been retired. However, we found indications that FBot is the product of private development work, so contemporary builds may be distributed through a smaller scale operation. This aligns with the theme of cloud attack tools being bespoke ‘private bots’ tailored for the individual buyer, which is a theme prevalent among AlienFox builds.
Organizations should enable multi-factor authentication (MFA) for AWS services with programmatic access. Create alerts that notify security operations teams when a new AWS user account is added to the organization, as well as alerts for new identities added or major configuration changes to SaaS bulk mailing applications where possible.
The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validation negatively impact the AMD device ecosystem.
While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal a lack of basic security at the hardware level. This discovery was made possible due to the asynchronous nature of firmware and hardware security fixes development.
Throughout their lifecycle, devices are susceptible to security issues due to the asynchronous nature of firmware security fixes delivery from multiple parties and the asynchronous nature of the supply chain. The lack of transparency in vendor security advisories results in an opaque channel for informing customers about the criticality of released security fixes and leads to varying approaches to patching widespread vulnerabilities with industry-wide implications.
Even major silicon vendors develop mitigations for side-channel attacks differently. This situation presents an opportunity for potential threat actors to exploit known speculative attacks like the 5-year-old Spectre or the 1-year-old Retbleed. A new perspective is needed to construct an attack vector that utilizes speculative attacks to target UEFI-specific firmware vulnerabilities.
In this presentation, we discuss our research into the potential use of speculative attacks against the System Management Mode (SMM) on AMD-based devices and outline the methodologies we employed throughout our research investigation.
About the Presenter
Alex Matrosov is CEO and Founder of Binarly Inc. where he builds an AI-powered platform to protect devices against emerging firmware threats. He is the author of numerous research papers and the book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences, such as REcon, Black Hat, Offensivecon, WOOT, DEF CON, and many others.
About LABScon 2023
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
In this enlightening LABScon Replay session, Vitor Ventura, senior security researcher at Cisco Talos, alongside Michael Gentile, delves into the intriguing evolution of Intellexa and Cytrox in the spyware domain.
The Developmental Saga of Intellexa and Cytrox
Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.
Ventura and Gentile explore the journey of Intellexa, which emerged from the amalgamation of Nexa Technologies, WiSpear, and Cytrox, focusing on Android spyware. The talk sheds light on the critical developments that marked Intellexa’s ascension as a formidable entity in the spyware industry, adept in targeting both iOS and Android platforms.
A Deep Dive into Spyware Development
Ventura and Gentile comprehensively analyze ALIEN/PREDATOR, Intellexa’s flagship spyware suite. Through a combination of code analysis and Open Source Intelligence (OSINT), they chart the evolutionary path of this advanced spyware, revealing its sophisticated capabilities.
The presentation dissects the pivotal moments in the development cycle of the ALIEN/PREDATOR spyware suite, offering the audience valuable insights into spyware research methodologies.
Analyzing the Intricacies of Spyware Components
An important part of the talk is dedicated to the technical breakdown of the spyware’s components. The presenters discuss the distinctions and similarities between the ALIEN/PREDATOR suite and the standalone PREDATOR for iOS, providing a clear understanding of the platform-specific nuances.
This session is a recommended watch for those interested in the complexities of spyware development and its broader implications in cybersecurity. Ventura and Gentile impart a thorough understanding of the nuanced world of digital espionage and the dynamic cyber threat landscape.
Watch the Full Talk Below
About the Presenters
Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he investigated and published various articles on emerging threats. Vitor has been a speaker in conferences, like VirusBulletin, NorthSec, Defcon’s Crypto and Privacy Village, among others. Prior to that he was IBM X-Force IRIS European manager where he was the lead responder on several high profile organizations affected by the WannaCry and NotPetya infections.
Mike Gentile is a Senior Security Researcher at Cisco Talos.
About LABScon 2023
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
Overlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that the Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of internal and/or external malware supply lines.
Gaza Cybergang has upgraded its malware arsenal with a backdoor that we track as Pierogi++, first used in 2022 and seen throughout 2023.
Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war.
SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.
Overview
Active since at least 2012, Gaza Cybergang is a suspected Hamas-aligned cluster whose operations are primarily targeting Palestinian entities and Israel, focusing on intelligence collection and espionage. Being a threat actor of interest in the context of the Israel-Hamas war, we track Gaza Cybergang as a group composed of several adjacent sub-groups observed to share victims, TTPs, and use related malware strains since 2018. These include Gaza Cybergang Group 1 (Molerats), Gaza Cybergang Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Gaza Cybergang Group 3 (the group behind Operation Parliament).
The goal of this post is twofold:
To highlight relations between recent and historical operations, providing a new common context connecting the Gaza Cybergang sub-groups.
To provide recent findings and previously unreported IOCs, which add to the accumulated knowledge of the group and support further collective tracking of Gaza Cybergang activities.
In the midst of Gaza Cybergang activity spanning from late 2022 until late 2023, we observed that the group introduced a new backdoor to their malware arsenal used in targeting primarily Palestinian entities. We track this backdoor as Pierogi++. We assess that Pierogi++ is based on an older malware strain named Pierogi, first observed in 2019. We also observed consistent targeting of Palestinian entities in this time period using the group’s staple Micropsia family malware and Pierogi++.
This targeting is typical for Gaza Cybergang. These activities are likely aligned with the tensions between the Hamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the Israel–Hamas war. At the time of writing, our visibility into Gaza Cybergang’s activities after the onset of the conflict does not point to significant changes in their intensity or characteristics.
Our analysis of recent and historical malware used in Gaza Cybergang operations highlights new relations between activities that have taken place years apart – the Big Bang campaign (2018) and Operation Bearded Barbie (2022). Further, technical indicators we observed, originating from a recently reported activity, reinforce a suspected relation between Gaza Cybergang and the lesser-known threat group WIRTE. This group has historically been considered a distinct cluster and then associated with low confidence with the Gaza Cybergang. This demonstrates the intertwined nature of the Gaza Cybergang cluster making the accurate delineation between its constituent and even other suspected Middle Eastern groups challenging.
Throughout our analysis of Gaza Cybergang activities spanning from 2018 until present date we observed consistent malware evolution over relatively long time periods. This ranges from minor changes in used obfuscation techniques, to adopting new development paradigms, and resurfacing old malware strains in the form of new ones (as Pierogi++ demonstrates). In addition, the observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggests that the group has likely been undergoing a consolidation process. This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors.
Micropsia and Pierogi++ Target Hamas Opposition
The Gaza Cybergang umbrella has continuouslytargeted Israeli and Palestinian entities preceding the Israel-Hamas war. We observed additional activities spanning from late 2021 to late 2023 aligned with previous research. Our visibility into these activities, and the theme and language of the used lure and decoy documents, indicate that they were primarily targeting Palestinian entities. The majority involved malware variants of the staple Micropsia family.
Among the Micropsia family malware, we observed its Delphi and Python-based variants deploying decoy documents written in Arabic and focussing on Palestinian matters, such as the Palestinian cultural heritage and political events. Many of the associated C2 domain names, such as bruce-ess[.]com and wayne-lashley[.]com, reference public figures, which aligns with the known domain naming conventions of the group. To support further collective tracking of Gaza Cybergang activities, we focus at the end of the report on listing previously unreported Micropsia indicators.
Among the Micropsia activities we identified a backdoor that we assess is based on a malware first reported in 2020 and named Pierogi. This backdoor, which we labeled Pierogi++, is implemented in C++, and we observed its use in 2022 and over 2023. The malware is typically delivered through archive files or weaponized Office documents on Palestinian matters, written in English or Arabic.
The documents distributing Pierogi++ use macros to deploy the malware, which then typically masquerades as a Windows artifact, such as a scheduled task or a utility application. The malware implementation is embedded either in the macros or in the documents themselves, often in Base64-encoded form.
Pierogi++ executables also masquerade as politically-themed documents, with names such as “The national role of the revolutionary and national councils in confronting the plans for liquidation and Judaization”, “The situation of Palestinian refugees in Syria refugees in Syria”, and “The Ministry of State for Wall and Settlement Affairs established by the Palestinian government”.
We assess that Pierogi++ is based on the Pierogi backdoor, whose variants are implemented in Delphi and Pascal. Pierogi and Pierogi++ share similarities in code and functionalities, such as strings, reconnaissance techniques, and deployment of decoy documents, some also seen in Micropsia malware.
Further, Pierogi++ samples implement in the same order the same backdoor functionalities as Pierogi: taking screenshots, command execution, and downloading attacker-provided files.
When handling backdoor commands, some Pierogi++ samples use the strings download and screen, whereas earlier Pierogi samples have used the Ukrainian strings vydalyty, Zavantazhyty, and Ekspertyza. This raised suspicions at the time of potential external involvement in Pierogi’s development. We have not observed indicators pointing to such involvement in the Pierogi++ samples we analyzed.
Most of the Pierogi++ C2 servers are registered at Namecheap and hosted by Stark Industries Solutions LTD, aligning with previous infrastructure management practices of the Gaza Cybergang umbrella. The backdoor uses the curl library for exchanging data with the C2 server, a technique that we do not often observe in Gaza Cybergang’s malware arsenal.
Pierogi++ represents a compelling illustration of the continuous investment in maintenance and innovation of Gaza Cybergang’s malware, likely in an attempt to enhance its capabilities and evade detection based on known malware characteristics.
From Molerats to Arid Viper And Beyond
Following the first report on the Pierogi backdoor in February 2020, late 2020 and 2021 mark the association of the backdoor and its infrastructure with Arid Viper. The Micropsia activity linked to Arid Viper, which led to the discovery of the then-new PyMicropsia malware in December 2020, includes Pierogi samples. Further historical Pierogi samples use the escanor[.]live and nicoledotso[.]icu domains for C2 purposes, which have been associated with Arid Viper in December 2020 and April 2021. The latest variant of Pierogi is Pierogi++, which we observed targeting Palestinian entities in 2022 and over 2023 – this targeting is typical for Arid Viper.
Our investigations into malware used by Gaza Cybergang prior to 2022, which share capabilities, structure, and infrastructure with Pierogi, resulted in a multitude of samples implemented in Delphi, Pascal, and C++. This highlights the frequent adoption of different development paradigms by Gaza Cybergang and aligns with the observations by Facebook, which associates these variants with Arid Viper and tracks them using different names under the broader Micropsia malware family, such as Glasswire, Primewire, and fgref.
In late 2020, victims targeted with Pierogi variants as part of a suspected Arid Viper operation were observed to be also infected with the then-new SharpStage and DropBook malware, an overlap assessed to strengthen the ties between the Molerats and Arid Viper Gaza Cybergang sub-groups.
Later in June 2021, the LastConn malware, which has been discovered as part of activities attributed to the TA402 cluster, was assessed with high confidence to be an updated version of SharpStage.
Based on our followup investigation into recent 2023 TA402 activity targeting Middle Eastern government entities, we highlight concrete overlaps in malware used by TA402 and a lesser-known threat actor named WIRTE. First disclosed in April 2019, WIRTE was initially considered to be a distinct cluster but later associated with low confidence to the Gaza Cybergang umbrella (primarily based on the use of decoys on Palestinian matters, which are typical for the Gaza Cybergang constituent sub-groups).
WIRTE is known for using a unique custom user agent for C2 communication when staging malware, with the value of the rv field likely being an intrusion identifier. WIRTE’s stagers encapsulate C2 communication attempts in an infinite loop, separated by sleep periods of randomly generated lengths within defined lower and upper boundaries. We observe the same unique user agent format and C2 communication pattern in TA402’s .NET malware stagers.
The involvement of malware artifacts previously seen only in the context of WIRTE indicates a likely relation between the TA402, WIRTE, and Gaza Cybergang clusters. This aligns with the latest TA402 attribution assessment as a cluster overlapping with Gaza Cybergang and WIRTE.
Back To The Big Bang
Operation Bearded Barbie, revealed in April 2022 and attributed with moderate-high confidence to Arid Viper, is a campaign that has been targeting Israeli individuals and officials in the law enforcement, military, and emergency services sectors. The operation highlights the BarbWire backdoor as a novel malware in Arid Viper’s arsenal.
A closer look at the implementation of the BarbWire variants observed as part of Operation Bearded Barbie reveal relations to a malware strain used as part of the 2018 Big Bang campaign, which was considered an evolution of a 2017 campaign targeting Palestinian individuals and entities. Without making a concrete attribution at the time, the campaign was loosely associated with the Gaza Cybergang, noting some links to Arid Viper in particular.
The Big Bang campaign involves the use of a C++ implant, assessed to be an upgraded version of older Micropsia variants. In addition to some similarities in execution flow and structure, we observed that the backdoors used in the Big Bang and Bearded Barbie campaigns share unique strings that report the execution status and/or indicate internal references to malware modules.
The BarbWire samples used as part of Operation Bearded Barbie are reported to implement a custom base64 algorithm (cit.) to obfuscate strings. The backdoor does not implement changes to the Base64 encoding algorithm itself, but modifies Base64 strings by adding an extra character that is removed before decoding. String decoding of BarbWire strings in this way reveals exact matches between BarbWire and the backdoor observed in the Big Bang campaign.
In contrast to BarbWire, BigBang backdoor samples obfuscate the same strings present in BarbWire using Base64-encoding only. The malware authors have likely introduced the Base64 string modification technique in later malware development efforts (reflected in Operation Bearded Barbie), as a relatively simple but effective attempt to evade detection based on known string artifacts.
This technique also allows for quick changes of the modified Base64 strings by only changing the second character to keep evading detection over time. For example, both of the strings IZERvZXMgbm90IGV4aXN0Lg and IHERvZXMgbm90IGV4aXN0Lg Base64-decode to “ Does not exist.” once the second character is removed.
Conclusions
Gaza Cybergang operations over 2022 and 2023 reveal a sustained focus on targeting Palestinian entities. The discovery of the Pierogi++ backdoor shows that the group continues to evolve and supplement its staple malware arsenal, including transforming older implementations into new tooling.
The intertwined nature of its constituent sub-groups sharing TTPs, malware, and victims, indicates that Gaza Cybergang is a unified front against anti-Hamas interests. The persistent nature of the Gaza Cybergang threat underscores the necessity for sustained vigilance and cooperative measures to address the challenges posed by these threat actors.
SentinelLabs continues to monitor Gaza Cybergang activities to further improve the collective knowledge on the group’s dynamics and to supply indicators, which are relevant to security teams defending their organizations and individuals at risk of being targeted.
By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence
Executive Summary
The Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at Labscon 2023 – STORM-0866/Red Dev 40.
The Sandman’s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in the same victim environments.
Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions.
The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.
The use of the Lua development paradigm in the cyberespionage domain, historically associated with actors considered Western or Western-aligned, is likely being adopted by a broader range of adversaries, including those with ties to China.
Overview
In this report, SentinelLabs, Microsoft, and PwC threat intelligence researchers provide attribution-relevant information on the Sandman APT cluster positioning this threat on the broader threat landscape. We highlight links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor – STORM-0866/Red Dev 40. This includes victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.
STORM-0866/Red Dev 40 is a developing APT threat cluster primarily targeting entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities. These are regions and sectors where we also observed Sandman activity. The modular backdoor KEYPLUG is a staple in STORM-0866/Red Dev 40’s arsenal. Mandiant first reported on KEYPLUG as part of intrusions into U.S. government entities by the Chinese APT group APT41.
Microsoft and PwC have subsequently identified at least three other developing clusters involving KEYPLUG, including STORM-0866/Red Dev 40. Their research, making the case that KEYPLUG is likely shared among multiple suspected China-based groups, was presented at LabsCon 2023. They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG C2 communication, and a higher sense of operational security, such as relying on Cloud-based reverse proxy infrastructure for hiding the true hosting locations of their C2 servers.
SentinelLabs and Microsoft have observed Sandman’s LuaDream and KEYPLUG implants cohabiting in the same victim environments, some of which are on the same endpoints. LuaDream is a maintained modular backdoor based on LuaJIT, with version 11.0.2.1.23.1 observed in March 2023 and version 12.0.2.5.23.29 observed in August 2023. In one instance, the KEYPLUG malware had been deployed approximately 3 months prior to LuaDream (in May 2023). LuaDream and KEYPLUG were active at the same time over approximately 2 weeks until both threats were remediated. During this time period, we did not observe any contestation or deconfliction activities by the LuaDream or KEYPLUG operators.
A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators.
The findings we present are yet another showcase of the complex nature of the China-based threat landscape. As exemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and coordination among its constituent threat groups, along with the possibility of third-party vendors supplying the operational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the association of Sandman with the suspected China-based adversaries using KEYPLUG, we continue to track Sandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.
Lua-based modular backdoors, such as LuaDream, have been observed relatively rarely and often in the context of espionage-motivated APTs historically considered Western or Western-aligned. Our findings on Sandman indicate that the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the modularity, portability, and simplicity that the Lua scripting language offers.
Sandman and STORM-0866/Red Dev 40 Infrastructure
The SSL certificate assigned to the LuaDream C2 domain ssl.explorecell[.]com has also been used on the servers with IPs of 185.51.134[.]27 (between March and April 2023) and 45.80.148[.]151 (in March 2023). 185.51.134[.]27 is allocated to the Estonian VPS service provider EstNOC and 45.80.148[.]151 to the Romanian provider HOSTGW SRL. ssl.explorecell[.]com last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by the ITLDC hosting provider.
Serial number: 364670096077097330220756280372394037039639
Common Name: ssl.explorecell[.]com
Approximately 4 months later (in August 2023), the server at 185.51.134[.]27 used an SSL certificate issued for the domain dan.det-ploshadka[.]com. This domain last resolved to 79.110.52[.]160, a server hosted by the Romanian service provider M247.
Serial number: 365025056055127017786055050446086862849019
Common Name: dan.det-ploshadka[.]com
Microsoft and PwC have observed dan.det-ploshadka[.]com being used as a KEYPLUG C2 server and attribute the domain with high confidence to STORM-0866/Red Dev 40. This assessment is primarily based on the use of RC4 keys for encrypting C2 data that are unique to STORM-0866/Red Dev 40 as well as used known STORM-0866/Red Dev 40 malware in the intrusions.
The dan.det-ploshadka[.]com certificate has also been used on the servers with IPs 45.90.59[.]17 (between July and September 2023), 45.129.199[.]122 (in September 2023), and 146.70.157[.]20 (in June 2023).
Another certificate, issued for the domain ssl.e-novauto[.]com, was also used on 146.70.157[.]20 in May 2023. ssl.e-novauto[.]com, which has an overlap in subdomain naming convention with the ssl.explorecell[.]com Sandman domain, last resolved to 172.67.216[.]63 (an IP address of a Cloud-based reverse proxy infrastructure). 146.70.157[.]20 is allocated to the Romanian hosting service provider M247.
Serial number: 59961237898726280462746217792430024401815283068
Common Name: ssl.e-novauto[.]com
In common with dan.det-ploshadka[.]com, Microsoft and PwC have observed the ssl.e-novauto[.]com domain being used as a KEYPLUG C2 server and attribute the domain with high confidence to STORM-0866/Red Dev 40.
Among the other server IPs on which the ssl.e-novauto[.]com certificate was used (5.255.88[.]188 in October 2022; 5.2.67[.]176 between March and May 2023; 5.2.72[.]130 in April 2022; 37.120.140[.]205 between March 2022 and May 2023; and 185.38.142[.]129 between October 2022 and January 2023), 5.2.67[.]176 has been the resolving IP for the ssl.articella[.]com domain since January 2023. This domain has an overlap in naming convention with the ssl.e-novauto[.]com STORM-0866/Red Dev 40 domain and the ssl.explorecell[.]com Sandman domain.
PwC tracks STORM-0866/Red Dev 40 as a distinct cluster from the other threat groups using the KEYPLUG malware based on their frequent use of Cloud-based reverse proxy infrastructure, likely as an operational security measure to avoid exposing the true hosting locations. We observed this in the context of Sandman as well, noting a shift from using a directly exposed C2 server IP address (C2 domain: ssl.explorecell[.]com) to address of a reverse proxy infrastructure (C2 domain: mode.encagil[.]com).
The overlap of unique infrastructure control and management practices, hosting provider selections, and domain naming conventions, indicates a likely relation between the Sandman and the STORM-0866/Red Dev 40 APT clusters from an infrastructure perspective.
LuaDream and KEYPLUG
LuaDream and KEYPLUG are distinct malware strains. KEYPLUG is implemented in C++, whereas the majority of the LuaDream functionalities are implemented in Lua. The samples that we analyzed do not share straightforward indicators that would confidently classify them as closely related or originating from the same source, such as use of identical encryption keys or direct overlaps in implementation. However, we observed indicators of shared development practices and some overlaps in functionalities and design, suggesting shared functional requirements by the operators. This is not uncommon in the Chinese malware landscape.
We also observed a code comment in Chinese in the main_proto_WinHttpServer component of LuaDream version 11.0.2.1.23.1, indicating potential Chinese origin. However, we note that all other LuaDream string artifacts (function and variable names, and code comment, status, and error reporting strings) are formulated in English.
LuaDream is likely still in active development. It remains to be seen whether further iterations of the malware and its plugins will share implementation overlaps, functionality or design patterns with KEYPLUG or other malware strains of suspected Chinese origin.
C2 Protocols
LuaDream and KEYPLUG are highly modular and multi-protocol in design, both implementing support for the HTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The combination of QUIC and WebSocket is a relatively rare backdoor feature and its implementation in both LuaDream and KEYPLUG may be the result of a shared functional requirement by the backdoors’ operators.
The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order. The LuaDream keyword HTTPS2 refers to WebSocket and KEYPLUG implements additional support for UDP. We do not exclude the possibility for future versions of LuaDream to support UDP as well.
For each protocol, both LuaDream and KEYPLUG implement internal structures that store client data, such as the handles to the established sockets to the C2 servers.
Execution Flow and C2 Data Management
The high-level execution flows of LuaDream and KEYPLUG are very similar. Both backdoors first gather and exfiltrate system and user information in designated functions, with overlaps in gathered information (for example, MAC address, OS version, IP address, computer name, and username).
LuaDream and KEYPLUG then instantiate threads designated for sending and receiving C2 data, establish connection to the C2 server, and continue to process backdoor commands and manage plugins. Plugin management includes loading and unloading plugins.
The backdoors use global data buffers designated for storing data to be sent to the C2 server, and data received from the server. LuaDream and KEYPLUG read from the global buffers that store incoming C2 data and continue processing it when available.
LuaDream and KEYPLUG store in designated internal structures overlapping information about the global buffers, such as starting memory addresses, sizes, and pointers to Windows CRITICAL_SECTION structures. LuaDream defines this structure as _MEM_DATA_CACHE_.
LuaDream and KEYPLUG implement designated functions for reading from, and writing to, these buffers. These functions synchronize buffer access by multiple threads using Windows Critical Sections.
Throughout their execution, both LuaDream and KEYPLUG generate one-time integer values based on the system uptime returned by the GetTickCount function. The backdoors calculate these values by applying modulo and/or addition operations to the system uptime. Some overlapping uses of the generated values are as sleep time intervals or protocol-specific keys, such as the Sec-WebSocket-Key packet header field that is used in the WebSocket opening handshake.
Conclusions
We assess that there are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular. This highlights the complex nature of the Chinese threat landscape. Its constituent threat actors will almost certainly continue to cooperate and coordinate, exploring new approaches to upgrade the functionality, flexibility, and stealthiness of their malware. The adoption of the Lua development paradigm is a compelling illustration of this.
Navigating the threat landscape calls for continuous collaboration and information sharing within the threat intelligence research community. SentinelLabs remains committed to this mission and is grateful to our industry partners involved in this collective endeavor.
Indicators of Compromise
Domains
dan.det-ploshadka[.]com
KEYPLUG C2 server
mode.encagil[.]com
LuaDream C2 server
ssl.articella[.]com
Suspected KEYPLUG or LuaDream C2 server
ssl.e-novauto[.]com
KEYPLUG C2 server
ssl.explorecell[.]com
LuaDream C2 server
yum.luxyries[.]com
KEYPLUG C2 server
IP Addresses
146.70.157[.]20
KEYPLUG C2 server (based on known C2 certificates)
172.67.216[.]63
KEYPLUG C2 server
185.38.142[.]129
KEYPLUG C2 server (based on a known C2 certificate)
185.51.134[.]27
LuaDream and KEYPLUG C2 (based on known C2 certificates)
185.82.218[.]230
LuaDream C2 server
37.120.140[.]205
KEYPLUG C2 server (according to a known C2 certificate)
45.129.199[.]122
KEYPLUG C2 server (based on a known C2 certificate)
45.80.148[.]151
LuaDream C2 (based on a known C2 certificate)
45.90.59[.]17
KEYPLUG C2 server (according to a known C2 certificate)
5.2.67[.]176
KEYPLUG C2 server (based on a known C2 certificate)
5.2.72[.]130
KEYPLUG C2 server (based on a known C2 certificate)
5.255.88[.]188
KEYPLUG C2 server (based on a known C2 certificate)
In his keynote at LABScon23, SentinelLabs’ Principal Threat Researcher Tom Hegel addressed a crucial but often overlooked aspect of global cybersecurity: cyber threat activity in less-monitored regions, particularly Africa.
Focusing on China’s strategic use of soft power across the African continent, Hegel provides a compelling analysis of how technology and investments are wielded as tools of influence and control.
Highlighting its significant investments in key sectors, Hegel explores how China has established strategic influence in African telecommunications, finance, and surveillance sectors and the implications this has for cybersecurity.
While noting that such investments are attractive to African countries for their undoubted benefits, the talk raises concerns about the trade offs. In the realm of telecommunications, Chinese firms like Huawei and ZTE can be linked to potential cases of surveillance and control, evidenced by actions like internet clampdowns in Zimbabwe during politically sensitive times. In finance, an intricate web of financial engagements provide worrying opportunities for cyber espionage. Initiatives like the Safe City projects bring technological advancements but at the potential price of civil and political surveillance.
Hegel concludes with a call to action for the cybersecurity community. The importance of collaborative efforts in monitoring and understanding the cyber activities in these regions is essential not only for the direct protection of entities in undermonitored areas but also for a broader understanding of the global cyber threat landscape.
Connecting the dots between regional cybersecurity issues in Africa and their global repercussions, this talk advocates for a more inclusive view of global cyber threats, highlighting the need for a unified and informed response from the cybersecurity community.
Tom Hegel is a Principal Threat Researcher with SentinelOne. He comes from a background of detection and analysis of malicious actors, malware, and global events with an application to the cyber domain. His past research has focused on threats impacting individuals and organizations across the world, primarily targeted attackers.
About LABScon
This presentation was featured live at LABScon 2023, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
Organizational defenders today face unprecedented pressure to keep up with a relentless stream of new attacks. No sooner than the latest campaign is discovered, indicators shared, and defenses bolstered, and we are on to the next one. The details of these attacks are added to our collective historical record, but most defenders rarely have time or motivation to reconsider what further value they might offer.
However, mining historical data for insight into tomorrow’s attacks is, we would argue, an undervalued resource. From expanding our list of known indicators and developing better threat intelligence to improving our understanding of attribution and providing new discoveries, investigating historical data is an asset that cyber defenders can and should make more of.
In this post, we explore practical ways that revisiting past cyber incidents can empower defenders and help to anticipate future threats more effectively.
1. Exploring the Past to Expand Actionable Threat Intelligence
In September of 2023, SentinelLabs observed a new threat activity cluster by a previously unknown threat actor we dubbed Sandman. The threat actor deploys malware utilizing the LuaJIT platform, a development paradigm relatively rarely seen in the cyberespionage domain, but which has an historical association with suspected Western or Western-aligned advanced threat actors.
Early last year, SentinelLabs released a report on a new cyber threat actor we named ModifiedElephant. This research was the conclusion of an investigation into an unknown offensive threat actor responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence. Our analysis identified that ModifiedElephant has been operating since at least 2012 and continued to operate as of the report.
So why does this matter? Cyber paleontology allows us to take a small bit of knowledge of targeted intrusions, and expand it into hundreds of indicators of compromise, such as malware samples and unique infrastructure. In the case of ModifiedElephant, we tied the threat actor to hundreds of other intrusion attempts across the globe. This research found activity spread across nearly a decade, targeting individuals and organizations alike.
IOCs have been greatly expanded on, which allow us to improve the defenses of those who were originally targeted, and others who may be targeted in the future. If we simply stopped researching the threat actor based on the initial, smaller, case of a handful of intrusions against individuals, our perception of this actor would remain to be interesting but irrelevant to most. However, visiting a decade back of activity allows us to understand and use actionable intelligence for direct network defense needs.
Pushing past directly actionable intelligence such as malware samples, IOCs, and threat detection rules, we can also gain new strategic intelligence on threat actors. Specifically, our perspective of known threat actors can alter greatly when we review past intrusions.
For example, in September we reported and presented at LABScon the topic of China’s soft power agenda throughout Africa. In this research, we shared how Chinese attributed APTs, such as “Backdoor Diplomacy”, have been linked to a previously-reported set of intrusions across South Africa, Kenya, Senegal, and Ethiopia in the past few years.
Revising previously reported infrastructure associated with the threat actor opened our eyes to a wider set of targets in these countries, and a set of targets we have not observed before, including financial organizations. Today, we can use this expanded understanding of the threat actor to apply strategic intelligence for financial organizations and the countries newly observed of interest to the attacker.
Taking a similar approach to others, it would be valuable to dive into high-interest threat actors to question our past assessments and intelligence, aimed at expanding defense capabilities and context today.
3. Enhancing Our Understanding of Attribution
An additional value which can come from a fresh review of historical threat activity concerns attribution – the process of identifying the true attacker behind an activity.
Past intrusions can become clearer based on understanding who the attacking entity actually was, or understanding which threat actor cluster some previously unknown activity may now fall under. For example, in August, we identified malware, with a long history of use by a variety of suspected Chinese clusters, and infrastructure targeting Southeast Asia’s gambling sector related to previous activities attributed to BRONZE STARLIGHT, a Chinese threat actor whose main goal appears to be espionage rather than financial gain.
In addition, we recently reported on the Appin hack-for-hire business in India and how unconfirmed and mysterious activity years back can finally be attributed to them. This includes Operation Hangover, the well known industrial espionage case, and targeting of human rights malware with custom Mac malware.
Knowing that these sets of activity tie back to a central organization allows renewed understanding and interest in the hack-for-hire threat actor industry. Additionally, and perhaps more importantly, this provides victims with an opportunity to hold attackers responsible for their actions, if desired.
4. Newer Techniques Offer Fresh Insights From Old Data
Using today’s technology to expand past context and knowledge of attackers is also increasingly valuable to modern defenders. The technology sector evolves at a blistering pace, and new research tools often arrive to provide new capabilities.
Although much recent focus has been on adopting and adapting LLMs and generative AI for various infosec tasks, we can also see examples of existing technologies that continue to develop and push the boundaries of what is possible.
One of the best examples of this is YARA— today’s go-to tool for malware description rules used to hunt for various types of files, such as malware or files of high interest. YARA continues to be developed in ways that can yield new discoveries from old datasets. New rule writing methods, combined with major malware repositories such as Stairwell and VirusTotal, can lead to the discovery of leaked attacker files, targeted malware family changes, and uploads of never before seen malware from past attacks.
Combining new discoveries with other tools for tracking infrastructure, like SilentPush, it is possible to make similar high interest discoveries centered around old attacker infrastructure.
Conclusion
As we move forward, it’s important not to lose sight of the past. As many of our research examples highlighted above show, retrospective analyses can wring new actionable intelligence from the raw data of past breaches and help to preempt future attacks.
We encourage other analysts to join us in connecting the dots between what was known, what was overlooked, and what can be learned, taking advantage of the insights that new technologies and methods afford us. Historical data isn’t just an academic record of what went before, but a resource we must mine to craft a more resilient and responsive cybersecurity posture.
SentinelOne has temporarily removed the article “Elephant Hunting | Inside an Indian Hack-For-Hire Group” on Dec 22, 2023 in light of a pending court order and is doing so out of an abundance of caution. SentinelOne stands by its findings and was transparent about the evidence it gathered to support its findings. Those findings were based on many hours of research and verified sources and we are closely following the pending legal action. All rights reserved
SentinelLabs has identified a new Python-based infostealer and hacktool called ‘Predator AI’ that is designed to target cloud services.
The Predator AI developer implemented a ChatGPT-driven class into the Python script, which is designed to make the tool easier to use and to serve as a single text-driven interface between disparate features.
These advancements are not production ready, but demonstrate that actors can realistically use AI to improve their workflows by automating data enrichment and adding context to scanner results.
Background & Distribution
Predator AI is advertised through Telegram channels related to hacking. The main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES. However, Predator is a multi-purpose tool, much like the AlienFox and Legion cloud spamming toolsets. These toolsets share considerable overlap in publicly available code that each repurposes for their brand’s own use, including the use of Androxgh0st and Greenbot modules.
Predator is an actively developed project. In September 2023, a member of the primary Telegram channel inquired about Predator adding a Twilio account checker, to which the developer replied they could deliver in about 2 weeks. In October, the developer posted an update showing the new Twilio checking feature. The version we analyzed has Twilio features, which suggests it is a recent build.
At the top of the script, there is a message from the developer which states that the tool is protected by copyright law. The message also has a disclaimer saying the tool is for educational purposes and the author does not condone any illegal use.
Targeting & Technical Details
Predator is a Python application with over 11,000 lines. The application runs entirely through a Tkinter-based graphical user interface (GUI): there is no standalone command line interface (CLI) mode, which distinguishes Predator from many similar tools. The Tkinter approach requires several JSON configuration files.
The script has 13 global classes defined, which roughly segment the different features.
Class Name
Details
Predator
The largest class. Goes from the beginning to line 7079.
Settings
Only two lines. Sets UpdatesCheck variable to False and Password to “Predator123”.
Utility
Contains calls to Windows commands that get the current window name and to check if the current user is running as an administrator.
PumperSettings
Code that inflates the size of a file.
FakeErrorBuilder
Creates fake error messages that pertain to XSS testing on a Windows system.
StealerBuilder
Builds a configurable infostealer as a Windows Portable Executable (PE).
Translator
Translates the dialog boxes and menu items that are rendered in the GUI version of the application via Python library Tkinter. Supported languages are Arabic, English, Japanese, Russian, and Spanish.
NetGun
Handles web application security scans with options for proxies and custom wordlists.
CTkMessagebox & CTkListbox
Code that renders the graphical user interface (GUI) via Tkinter.
ThemeMaker
Custom color schemes for the GUI.
GPTj
A ChatGPT-enabled class. Queries the OpenAI API.
NetXplorer
Uses Psutil and Subprocesss to query network status and system information.
Predator has features that can be used to attack many popular web services and technologies, including:
Service Provider
Details
Based In
Aimon
SMS marketing
Italy
Amazon Web Services (AWS) Simple Email Service (SES)
Email platform
United States
Aruba
Hosting
Italy
Clickatell
SMS marketing
South Africa, United States
ClickSend
SMS marketing
Australia
Twilio
SMS, Voice, Video communications
United States
Nexmo
Voice & SMS, acquired by Vonage
United States
OneSignal
SMS, Push Notifications
United States, United Kingdom
Openpay
Buy Now, Pay Later; ceased operations in February 2023
Predator’s web application attacks look for common weaknesses, misconfigurations or vulnerabilities in Cross Origin Resource Sharing (CORS), exposed Git configuration, PHPUnit Remote Code Execution (RCE), Structured Query Language (SQL), and Cross-Site Scripting (XSS).
The following technologies are targeted:
Drupal
Joomla
Laravel
Magento
OpenCart
osCommerce
PrestaShop
vBulletin
WordPress
Predator AI | The GPTj Class
The GPTj class contains the ‘Predator AI’ feature, which is a chat-like text processing interface that connects the user to Predator’s features. The actor designed Predator AI to try to find a local solution first before querying the OpenAI API, which reduces the API consumption.
This class searches the user’s input for strings associated with a known use case centered around one of Predator’s web application and cloud service hacking tools. There are more than 100 cases where Predator handles the data internally or through a free third-party service, such as an IP reputation lookup service. This class contains several partially implemented utilities related to AWS SES and Twilio, as well as utilities to get information about IP addresses and phone numbers.
Predator queries the ChatGPT API only when there is no test case to handle the input. There are several driving functions defined inside this class that handle the activity flow or enable ChatGPT interaction:
generate_text
This function requires two arguments: prompt and api_key. The function uses the OpenAI model text-davinci-003 with a maximum token length of 400 and temperature 0.7. The code makes a POST request to https://api.openai.com/v1/completions and returns the result for handling via the Tkinter UI.
Ai_Backend
This function takes one argument, usrMsg. This code contains the hardcoded OpenAI API key and calls the generate_text function on the usrMsg object with the API Key. The OpenAI server response is returned.
aiRes
This function takes two arguments, msg and patch. This function only calls Ai_Backend–and OpenAI as a result–when the patch argument is equal to 0, or not given. Predator has 106 references to aiRes and each reference has a patch value that should not equal 0. This means the OpenAI functionality is designed to handle edge cases that the script has not natively handled. The function processes whether a patch is present and modifies the UI result based on the length of the response from OpenAI or the patched result.
ChatEvent
This function contains the modular utilities offered by the class. It takes no arguments.
When the user command is not routed to ChatGPT, several functions handle the request locally or through alternate API calls. We break them down by category.
AWS Features
Though the core utility is present, not all of the following functions are called inside the script, suggesting the developer is still working on these features. This code has significant overlap with AlienFox, Legion, and other earlier iterations of these tools. Based on what is currently in the script, there is no indication that AWS-related data would be sent to the ChatGPT service. Instead, the script parses the input for the presence of aws.c and calls the following functions when present.
If these features were fully implemented, the attacker could use them to perform the following when they have valid AWS account credentials:
Check for all email accounts in an AWS SES environment.
Check send quotas.
Create a new account, assign administrative privileges, and delete the old account.
TwilioChecker
This function queries https://api.twilio.com/2010-04-01/Accounts.json with SID and token as arguments. If "message":"Authenticat" is not in the response, the script parses the response for the fields status, type, and balance. If “status” is not in the response, the script parses the response for balance and currency fields. If status returns as active, the script logs the values of SID, TOKEN, TYPE, STATUS, BALANCE to the file Result/TwilioChecker/result.txt.
GhostTrack
There are several other utilities nested under a function named GhostTrack.
IP_Track: Collects information about a given IP address via the ipwho[.]is service.
phoneGW: Uses the phonenumbers Python module to format input phone numbers in a standard way and check information about the phone number, such as whether it is a landline or mobile number.
TrackLu: Checks one of 23 social media services for a username matching the input argument. The function checks for a 200 status code, which is not effective in the case of private profiles and there are likely many site-specific edge cases.
checkIP: Queries api.abuseipdb[.]com to collect information about the given IP address related to abuse metrics, such as an abuse confidence score.
The author included several conditions to handle a user query about the nature of the chat utility, along with a statement that claims the author spent three days developing this feature.
StealerBuilder
This class contains configuration variables to build an infostealer. On October 16 2023, the project developer posted a video about Predator that shows the Stealer build process. A user asked if the resulting executable is fully undetectable, to which the developer replied, “Of course.”
The stealer can be configured to use Discord or Telegram webhooks for C2. The operator can specify an existing executable to insert the infostealer code into. During testing, we were unable to successfully use this feature as the required configuration files were not available. The features visible in the script we analyze indicate that Predator parses files from a Scripts directory and uses those to build either a Windows Portable Executable (PE) file or a Python script version of the stealer module.
Conclusion
The discovery of Predator AI is an entirely expected evolution that has previously been undocumented in the hacktool space. Since the recent wave of AI technologies entered the public domain, security professionals have questioned whether this technology was already aiding threat actors and how it could be used to scale actor operations. There were several projects like BlackMamba that ultimately were more hype than the tool could deliver. Predator AI is a small step forward in this space: the actor is actively working on making a tool that can utilize AI.
While Predator AI is likely somewhat functional, this integration does not substantially increase an attacker’s capability. The feature has not yet been advertised on the actor’s Telegram channel, and there are likely many edge cases that make it unstable and potentially expensive.
Like other cloud service attack tools, organizations can reduce the impacts from these tools by keeping web services patched and up to date, as well as keeping internet access restricted to what is necessary. Use cloud security posture management (CSPM) tools to validate that configurations are secure. Consider dedicated logging and detections for anomalous behaviors on cloud service provider (CSP) resources, such as new user accounts being added and deletion of another user account immediately after.
Arid Viper is an espionage-motivated cyber threat actor with Hamas-aligned interests. Arid Viper’s toolkit is multi-platform and includes the consistent use and development of mobile spyware since emerging in 2017.
Through 2022 and 2023, the actor has distributed SpyC23, an Android spyware family, through weaponized apps posing as Telegram or as a dating app called Skipped.
There are overlaps between recent SpyC23 versions and their 2017 predecessors, tying together several Arid Viper Android malware families.
Increased industry focus on Arid Viper is an extension of our continuing collective efforts to track threat actors engaged in the Israeli-Hamas war. In this context, traditional cyberespionage activities are often enablers for on-the-ground operations and deserve additional scrutiny.
Background
The Arid Viper group has a long history of using mobile malware, including at least four Android spyware families and one short-lived iOS implant, Phenakite. The SpyC23 Android malware family has existed since at least 2019, though shared code between the Arid Viper spyware families dates back to 2017. It was first reported in 2020 by ESET in a campaign where the actor used a third-party app store to distribute weaponized Android packages (APK). That campaign featured several apps designed to mimic Telegram and Android application update managers.
Through 2022 and early 2023, Arid Viper developed several newer SpyC23 versions that share these themes: two apps mimick Telegram, while another is internally called APP-UPGRADE but is based on a romance-themed messaging app called Skipped Messenger. Cisco Talos recently reported on the history of Skipped Messenger, revealing that the once-benign dating application was likely passed from the original developer to the Arid Viper actor.
SentinelLabs compared these newer versions of SpyC23 to the earlier 2020 version, as well as several older Android spyware families associated with Arid Viper: GnatSpy, FrozenCell, and VAMP. Many changes have been made in SpyC23’s development; however, there are notable overlaps with these older families and the taxonomy is less distinct.
App Analysis
The theme of these applications center on messaging and communications. We identified two unique themes: one mimics Telegram, the other mimics an apparent dating-themed app called Skipped Messenger. The group has previously relied on Telegram-themed messengers as well as romance-themed lures and apps.
Arid Viper often relies on social engineering to deliver malware with pretexts that allow operators to engage closer to thier intended victims. The social engineering approach is a boon for delivering Android malware, as there are many hurdles for the actor to overcome before a user successfully installs a malicious app. Working the installation flow into a social engineering pretext is likely more effective than expecting users to install spyware successfully without prompting.
There is a non-weaponized version of Skipped Messenger (SHA-1: 6e1867bd841f4dc16bef21b5a958eec7a6497c4e) that shares the same Firebase service hostname skippedtestinapp[.]firebaseio[.]com as the malicious version. As the Talos report noted, Skipped was originally a legitimate dating app. The Google Play store version was last updated in August 2021.
Like most malicious Android apps, these apps ask the user to enable permissions that facilitate spyware activities.
The application permissions give a high degree of control over the device, including:
Accessing the phone’s location
Making calls without user interaction
Monitoring calls made by the user
Recording with the microphone, capturing audio output
Read & Write to storage
Read & Write to the Contacts list
Modifying network state
Collecting a list of accounts used on the device
Downloading files to the phone without user interaction
Launching Java archive (JAR) files as a Service
Reading notifications received on the device as well as any connected wearables
The developer employed anti-decompilation and anti-virtualization techniques to complicate analysis. Each of these APKs contains application code that is obfuscated. On emulated Android devices, the apps flash and repeatedly cycle through prompts even after the requested permissions have been granted.
Comparing these new versions with older SpyC23 variants, there is significant overlap in package names, which fortifies the relationship between the old and new versions. In the image below, the older version on the left houses malicious activity in the update.bbm package, and the version we discovered on the right houses similar subpackages in the apps.sklite.pacJava package.
The overlaps continue in the class names. The actor frequently names classes after people’s names, as outlined in the rc_cola/tas_ran_rc_col package structure.
These applications are quite large, making analysis of each class impractical. Instead, we will focus on several interesting classes and methods.
ACCAPPService
This class handles some communications to the C2. Of note, the class contains code that pertains to the user uninstalling the application. The SendToServerTask subclass logs when the user is in a ‘dangerous’ menu and parses input containing the active menu name for the English words ‘apps’ or ‘applications’ as well as the Arabic word for ‘Applications’.
Brodie
This class is responsible for much of the app’s upload request handling, acting as an interface between the app and the C2 server. Brodie contains a method named isProbablyArabic, suggesting again that these apps are used against Arabic-speaking targets.
CallRecService
This service enables the spyware’s call recording feature. The class is imported from an external library, libcallrecfix.so, and runs as a service. The Unix library is based on at least two open-source Android call recording projects, though neither are actively maintained. This was implemented in 2020 and has been a staple of SpyC23 iterations since. The library is a binary compiled for each of the app’s compatible architectures.
checkRaw
This Audio upload service has many of the same status logging strings and media recording parameters seen in older versions of Arid Viper’s Android toolsets, including FrozenCell, reported by Lookout in 2017, and VAMP, which was reported by Palo Alto in 2017 as well.
Some elements of this audio recording code are present in GitHub repositories described as a teardown of the Telegram Android app. While this is potentially an adaptation of open-source software, the similarities between the SpyC23 APKs are consistent, and the external versions do not have the same variables or logging messages.
Moller
This class is notable because it contains code that spans back to much earlier versions of Arid Viper’s Android spyware. We identified a 2017 GnatSpy sample from Trend Micro’s Arid Viper reporting that shares the same upload functionality through a subclass JsDirService.
Panda
This class loads methods from external libraries libRoams.so and lib-uoil.so. The code imports several functions related to manufacturer-specific implementations, including Huawei, Oppo, and Xiaomi.
The Panda class imports methods from the open-source Gotev Android Upload Service, which was also used by the older versions of SpyC23. Panda imports methods from the OKhttp library to craft HTTP requests. When the OnCreate method runs, it initializes the Gotev service, parses the C2 configuration values, and registers GarciaReceiver, a receiver that monitors for a connection state change which was also present in older versions.
Like older versions of SpyC23, this class has logic to parse and decode the C2 server details from strings stored inside the lib-uoil.so and related binaries. The strings are encoded partially in Base64 with an additional layer likely on top to parse the correct C2 server URIs. The previous technique of dropping the strings before and after the hyphen remain, and further substitution removes spaces and underscores, replacing them with hyphens.
C2 Infrastructure
The C2 servers used by these apps continue the longstanding Arid Viper domain naming scheme of a hyphenated hostname that uses Western-sounding peoples’ names. The primary C2 servers are:
luis-dubuque[.]in – C2 domain used by APP-UPGRADE Skipped Messenger APK
danny-cartwright[.]firm[.]in – C2 domain used by com.teleram.app APK
conner-margie[.]com – C2 domain used by com.alied.santafi
We have included additional network indicators associated with app features that are unique to the APKs analyzed, including Google Cloud project hostnames and Firebase messaging hostnames.
Conclusion
The discovery of these APKs demonstrates that Arid Viper continues to thrive in the mobile malware space. The dedication to anti-analysis and obfuscation suggests that the developers have an awareness of research analysis and they have applied measures to deter them and remain under the radar. The presence of code from other Arid Viper Android spyware families in SpyC23 fortifies the connection between this group’s various iterations of tools. The resulting bloat from carrying over older versions of the spyware aids attribution in the complex mobile malware landscape that pervades in the Middle East.
Arid Viper has historically targeted military personnel in the Middle East, as well as journalists and dissidents. The most recent versions of SpyC23 highlight the actor’s focus on Arabic speakers, which is an interesting development given the actor’s historical penchant for targeting Israeli military personnel with Android spyware.
Those who are at risk of being targeted by this group should avoid installing applications from outside of the Google Play Store. Everyone should remain wary when installing new apps from any source: does this app really need the permissions it requests? In the case of SpyC23 apps, there is a lengthy walkthrough with images guiding the user to accept an inordinate number of permissions.
SentinelLabs would like to thank the research team at Cisco Talos for their collaboration on this research.
Our recent eBook on how to use radare2 (r2) for macOS malware analysis focused on providing analysts with a series of guided use cases for typical tasks like string decryption, anti-evasion and automation. Aimed at those seeking to power-up their macOS malware analysis skills, the guide contains lots of tips on using r2, but mostly focuses on working through malware samples exemplifying typical challenges.
In this post, somewhat inspired by a similar post on Ghidra, we look at lowering the learning curve and supercharging productivity for those new to or recently converted to using the r2 platform. While the default settings in r2 may be fine for basic reverse engineering, there is a lot of simple customization we can and should do for a better malware analysis workflow.
Explore and Change the Default Theme
Environment is everything when you need to concentrate and focus, and nothing contributes to this more than the UI appearance and theme. Fortunately, r2 comes packed with a bunch of themes built in which can also be customized, so you don’t need to worry about downloading or installing third-party plugins or code.
First, we’ll see how to explore the available themes, then we’ll see how to set that as the default theme for every launch.
On the r2 command line, type eco , then a space, then tab. You’ll see a list of the built-in theme names.
Explore how the different themes look by typing the name of the theme after eco , hitting return, then executing pdf, x, or V to see how it looks. Rinse and repeat till you find one that you like the look of.
eco monokai; pdf; x
Once you have your chosen theme, the next step is to make it the default theme. Exit r2 or open a separate Terminal window and use the following command line to create or append the config file at the default location ~/.radare2rc. I used ‘smyck’ here, but change to suit your preference.
cd; echo eco smyck >> .radare2rc
After executing the command, quit and restart r2 to see the change. The prompt can be customized within the chosen theme. Play around with different foreground / background color combinations with variations of:
ec prompt white green
ec prompt cyan darkgray
Turn Off the Jokes!
You may or may not enjoy the “fortune cookies” that appear on each launch of radare2. Some can be funny, others less so, depending on your taste. Be wary that if you’re sharing screenshots of your r2 sessions either publicly or privately, the ‘jokes’ may cause offense to others if you inadvertently capture them.
We can turn them off with a simple command added to our config file.
cd; echo e cfg.fortunes=false >> .radare2rc
Turn On (and Off) the Comments!
r2 comes with some built-in help for new reverse engineers or even experienced reversers who are learning a new architecture.
Compare the default display of the pdf command:
You will likely not want comments on all the time, as they can be distracting, but it can be really useful to turn them on when you come across an unfamiliar instruction or operand.
We can add a couple of aliases to our config file that will allow us to use the commands “$conn” and “$coff” to quickly toggle comments. Add the following commands to the .radare2rc file, and restart r2.
radare2 helps reverse engineers to visualize control flow and in a variety of ways, one of which is by allowing the indentation of blocks in the disassembly to show nested code.
By default, this is turned off and all blocks appear at the same tabular offset, as in the example below.
We can make it easier to quickly visualize the relationship between blocks of code by turning code indent on.
You could make a pair of aliases to toggle this setting as we did with comments, substituting the value ‘true’ with ‘false’, but for my part I never see a need to turn it off, so I just add the following to my config file.
cd; echo e asm.indent=true >> .radare2rc
Make r2’s Help More Helpful
Help in r2 is summoned with the ? command, but it can be tough finding what we need sometimes. It would make life easier if we could easily grep all the help for a search term of interest.
To do so, add the following code to the .radare2rc config file:
(help x; ?*~$0)
Now, restart r2 and load a binary, say /bin/ls for simplicity. Now compare the output of searching for help on the keyword ‘crypto’:
Our macro is just a shortcut for ? followed by a wildcard and then grepping for our search term, but it’s a lot easier to remember .(help <searchterm>).
Note that for multi-word search terms, you must escape any spaces in the search string.
.(help hexdump\ columns)
Set the Block Size
Block size is the amount of lines r2 prints out with commands like px. By default it’s set to 0x100, but sometimes that’s not enough to see everything of interest.
The block size can be changed within a session on the command line with b <size>, e.g.
b 0x200
A simple alias in our config file is useful for printing out extended block size in one shot:
$x='b 0x200; px'
Sort and Search Functions By Size, XREFS & Other Criteria
In radare2, afl and afll are the go-to commands for viewing function information, but we sometimes want to tailor the output for specific items of interest. Here’s a few different ones I use to help me narrow down various bits of code that might be of interest.
The first two have a dependency on another alias, $fcol, which simply prints out the column headings for the subsequent output from afll:
This time we used a macro rather than an alias. Either will work. Note that with the macro, you don’t need to escape special characters like the pipe or tilde symbols.
Print Calls to and From the Current Function
Understanding the relationships between functions is crucial to discovering malicious behaviour and honing in on parts of a binary we want to use for hunting and detection.
To view all the calls to a current function, the r2 command axg will give a nice graphical view all the way back to main. To view the calls a function makes, use pifc.
If we find these obtuse r2 commands difficult to remember, then of course aliases are our friends:
$callee=’axg’
$calls=’pifc’
However, exploring the nuances of ax and pi through ? and our .(help) macro will return dividends.
We can gain a better understanding of the overall structure of a function with the following macro, which prints out a useful summary of information.
If you have a local YARA file, you can edit it from within r2 from the command line like so:
!vi <path to yara file>
From here, add or adjust existing rules, save and quit out of the text editor, then call it on the currently loaded binary to test the file against the rules:
!yara -fs <path to yara file> `o.`
The r2 command o. serves as a reference to the currently loaded binary and is useful in a wide variety of aliases and macros.
Let’s define an alias and a macro for the above.
$rules=!vi <path to your yara rules file>
(yara x; !yara -$0w <path to your yara rules> `o.`)
After restarting r2, we can now edit our YARA rules from within r2 with the $rules command. We can call our rules on the currently loaded file with .(yara f).
Try .(yara m) and .(yara s) and note the differences.
Query VirusTotal about the Current Sample
Once you realize how easy it is to call external command line utilities from within an r2 session, multiple possibilities for faster and easier workflows open up.
Perhaps one of the most oft-used tools for malware analysts is VirusTotal. If you have the VT API tool installed and in your PATH, it’s very easy to integrate this with r2. Again, a simple addition to our config file is all that’s needed:
You can modify what to include to suit your preferences per the VT documentation.
Check Code Signature of Current Sample
One final tip for anyone that struggles to remember all the various ways to check whether a sample has a valid code signature, whether its notarized and whether its been revoked by Apple…put it all in an alias and run it from within r2!
Working with r2 can be daunting at first, but the platform is built on simplicity. Thanks to its integration with the command line, with a few customizations, radare2 can be quickly turned into a powerful platform for malware analysts. There are also many plugins for radare2 to augment it with various external decompilers, including Ghidra, work with frameworks like Frida, and (of course) work with AI chat bots.
If you enjoyed this post and haven’t yet checked out the ebook, A Security Practitioner’s Guide to Reversing macOS Malware with Radare2, you can find it here. This free PDF resource covers lots of recent macOS malware and walks through example cases of common reversing tasks, all in radare2.
Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on October 7th, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms continue to fail at stopping the spread of disinformation regarding this war. We will continue to see it abused as a go-to method to sway public perception of events with no signs of it ending soon.
However, outside of social media information abuse and opportunistic-hacktivism, we must not forget the likelihood of targeted attacks originating from specific, state-sponsored threat actors. Understanding and closely monitoring all-aspects of the quickly evolving conflict within the digital domain is critical as such targeted attacks will translate into real-world consequences. While we continue to collaborate privately with partners, we also seek to bolster the wider industry knowledge about where to place our efforts.
This is an updated compendium of actors for cybersecurity researchers, analysts, and network defenders to watch closely. These actors have potential for significant involvement as the war continues, including APTs across Hamas, Hezbollah, and Iran-based clusters of activity. While state-sponsored APTs should remain a strong focus, we must also carefully monitor the increasingly common use of hacktivist personas used to cloak state-sponsored operations.
In this post, we share recommended and publicly accessible information in effort to streamline the community’s understanding of relevant actors across historical reports for reference. In addition, we are sharing our perspective of public actor naming overlaps. Please note that each source of public reporting may perform attribution and actor clustering uniquely from their perspective. Nonetheless, these sources should serve as starting points for readers looking to catch up on relevant open-source intelligence for your own defense posturing and analysis needs.
Hamas -Aligned Clusters
Arid Viper
Aliases:
APT-C-23
Grey Karkadann
Desert Falcon
Mantis
Description:
Arid Viper is a threat group conducting cyber espionage and information theft operations since at least 2017, predominantly against targets in the Middle East. Based primarily on the geopolitical context of its activities, Arid Viper is suspected to operate on behalf of Hamas with further conclusive information needed to solidify this assessment. For example, the Israeli Defence Forces (IDF) have reported on a campaign targeting soldiers stationed near the Gaza border, which is suspected to be orchestrated by Hamas. This campaign has been separately attributed with medium confidence to Arid Viper based on victimology and similarities with previous activities attributed to this actor such as overlaps in initial infection techniques.
Targeting individuals is a common practice of Arid Viper. This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements. Common initial infection vectors include social engineering and phishing attacks using themed lure documents. The latter often involves establishing rapport with targets over social media, such as Facebook and Instagram, with catfishing being a frequently used technique.
Arid Viper uses a variety of malware as part of its operations, including stagers, backdoors, and mobile spyware applications for the iOS and Android platforms. Arid Viper’s malware is actively maintained and upgraded to meet the group’s operational requirements. This threat actor has consistently demonstrated innovation by adopting new malware development practices across a range of programming and scripting languages, such as Delphi, Go, Python, and C++.
Gaza Cybergang
Aliases:
Molerats
TA402
Gaza Hackers Team
Moonlight
Extreme Jackal
Aluminum Saratoga
JEA/Jerusalem Electronic Army (Low to Medium Confidence)
Description:
Gaza Cybergang is a threat actor that has been active since at least 2012. The group primarily targets throughout the Middle East, including Israel and Palestine, while also less-observed in the EU and US. Targeted entities include government, defense, energy, financial, media, technology, telecommunication, and civil society. Current assessment of Gaza Cybergang indicates a medium to high level of confidence in Hamas affiliation.
The group has historically used a variety of custom and publicly available tools in their attacks, showing a notable preference for spear phishing as a method of initial access. They have been known to use malicious documents and email attachments to deliver malware and link lures, and they often deploy implants to maintain persistence on compromised systems. Tools include Molerat Loader, XtremeRAT, SharpStage, DropBook, Spark, Pierogi, PoisonIvy, and many others observed uniquely over the years.
The overall objectives of Gaza Cybergang appear to be primarily intelligence collection and espionage. They seek to gather intelligence, monitor political developments in the region, and support their cause through cyber activities. The group has been active for many years, and their persistence and adaptability in the face of evolving tensions make it a notable actor in the cyber threat landscape moving forward.
Hezbollah-Aligned Clusters
Plaid Rain
Aliases:
Aqua Dev 1
Polonium
Description:
Plaid Rain is a threat actor first documented in 2022 with a primary focus on targeting entities in Israel across a broad range of verticals, including defense, government, manufacturing, and financial organizations. Plaid Rain is considered to be based in Lebanon, however, its activities indicate potential coordination with Iran-nexus actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Some indicators supporting this assessment include observed overlaps in targeting and TTPs. The potential collaboration between MOIS and Plaid Rain positions this threat group in the nexus of actors that serve as proxies, providing plausible deniability to the government of Iran, such as Cobalt Sapling.
For initial infection, Plaid Rain is suspected to rely primarily on vulnerability exploitation, downstream compromises, and stolen credentials. The group’s arsenal consists of a wide range of well-maintained custom tooling exemplified by the Creepy malware toolset. Plaid Rain’s malware supports a broad range of complementing functionalities following the latest trends in the malware landscape. For example, the CreepyDrive malware uses Cloud services for command and control purposes, likely in an attempt to evade detection by making malicious traffic look legitimate.
Lebanese Cedar
Aliases:
Volatile Cedar
DeftTorero
Description:
Lebanese Cedar is a lesser-reported APT with a history of successful intrusions across Lebanon, Israel, Palestine, Egypt, United States, United Kingdom, and more. The group was first observed in 2015 and has since maintained limited security industry attention. Similar to Plaid Rain, we associate Lebanese Cedar with Lebanese Shiite militant group Hezbollah attribution as well as potential coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS).
Initial access methods best observed have been centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar. Further use of Meterpreter and their custom Explosive RAT have been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.
Relevant Iranian Clusters
Iran hosts a diverse array of state-sponsored threat actors whose activities quickly expand past the specific focus on the Israel-Hamas war. These threat actors exhibit variability in terms of size, capability, and motivation, and they have been responsible for a wide spectrum of cyber operations. While some have clear affiliations with the Iranian government, many Iranian hacktivist personas claim to operate independently. It is crucial to acknowledge that emerging hacktivist collectives may serve as a means to obscure state sponsorship, influencing public opinion and concealing attribution of offensive actions. We strongly recommend that media outlets and industry colleagues exercise caution when publicly disseminating content produced by hacktivist collectives. The propagation of their claims, viewpoints, and actions aligns with an overarching mission, and endorsing these activities contributes to their success.Nonetheless, the diversity and adaptability of Iranian cyber threat actors make them a significant and multifaceted component of the global threat landscape moving forward. As we monitor the evolving situation in the Middle East, it is imperative to focus on Iran as a potential origin of both direct cyber offensive actions and proxy operations supported by Iran-linked groups like Hamas and Hezbollah.
ShroudedSnooper
Aliases:
Storm-0861
Scarred Manticore
Description:
ShroudedSnooper has been part of multiple recent intrusions across the Middle East, including Israel within the past two months, and elsewhere since at least 2020. Most recent observations and activity we can confirm, center around intrusions across the telecommunication and government sectors. The group is attributed to Iran’s Ministry of Intelligence and Security (MOIS).
Our current understanding of the group is that they operate for intelligence collection and initial access to other MOIS entities. Initial access methods for ShroudedSnooper have, and potentially continue to be, accomplished through the compromise of publicly accessible web servers via n-day vulnerabilities. As observed in the recent Israeli telecom intrusions, the group has then made use of backdoors mimicking enterprise security software.
Cobalt Sapling
Aliases:
Moses Staff
Abraham’s Ax
Marigold Sandstorm
Description:
‘Moses Staff’ and ‘Abraham’s Ax’ are hacktivist personas known for their anti-Israel rhetoric, disruptive and data exfiltration attacks, and penchant for leaking stolen data online along with propaganda content in the form of videos or imagery. Moses Staff and Abraham’s Ax are potentially distinct groups. Since the emergence of Moses Staff in 2021 and Abraham’s Ax in 2022 proclaiming allegiance with Hezbollah, the groups have continued to separately maintain their online presence. However, they share iconography, content editing and infrastructure management practices. This, and the alignment of their activities with the geopolitical interests of Iran, suggests that the two groups are likely part of a single cluster (also referred to as Cobalt Sapling) and serve as proxy groups providing plausible deniability to Iran.
Moses Staff has traditionally focused its efforts on business and government organizations primarily within Israel. In contrast, Abraham’s Ax has asserted responsibility for attacks on entities located outside of Israel but with geopolitical relevance to the country. For example, the alleged intrusions into Saudi Arabian government entities by Abraham’s Ax may have been an attempt to counter the normalization of relations between Israel and Saudi Arabia previously conditioned by resolving the Israeli-Palestinian issue.
Although the threat intelligence research community has identified custom offensive tooling observed in Moses Staff attacks, such as StrifeWater, PyDCrypt and DCSrv, we do not exclude the possibility of Moses Staff and Abraham’s Ax sharing tooling and operational practices making accurate clustering challenging at this time. Operations attributed to Moses Staff have involved RATs and ransomware with no indications of financial motivations, but rather disruption, destruction, and concealment of cyber espionage activities.
By Aleksandar Milenkoski, in collaboration with QGroup
Executive Summary
SentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman.
Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.
The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.
Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape. We refer to this malware as LuaDream.
The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.
At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.
Overview
In collaboration with QGroup GmbH, SentinelLabs observed over August 2023 a threat activity cluster targeting the telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a novel modular backdoor based on the LuaJIT platform. We dub this threat actor and the backdoor Sandman and LuaDream in reference to what we suspect to be the backdoor’s internal name – DreamLand client.
The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.
The implementation and architecture of LuaDream suggest a maintained, versioned project under active development. This is a modular, multi-protocol backdoor whose main functionalities are:
exfiltrating system and user information, paving the way for further precision attacks;
managing attacker-provided plugins that extend LuaDream’s features.
Although the intrusions were detected and interrupted before the threat actor could deploy plugins, our analysis of LuaDream staging samples shared on VirusTotal provided a glimpse into what functionalities the plugins may implement, with command execution capabilities being one example.
The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory. LuaDream’s implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect.
A Penchant for Telcos
Based on current visibility, accurate clustering remains a challenge. The focussed, strategy-driven activities, and the use of complex malware designed to evade detection point to a motivated and capable adversary. The TTPs, victimology, and the characteristics of the deployed malware indicate that it is highly likely this activity has espionage motivations. Communication providers are frequent targets of espionage activity due to the sensitive data they hold.
The activity cluster we observed and examination of C2 netflow data indicate a pronounced focus on targeting telecommunications providers with a broad geographical distribution, including the Middle East, Western Europe, and the South Asian subcontinent.
Compilation timestamps and a string artifact found within LuaDream hint at potential malware development efforts over the first half of 2022, suggesting possible threat actor activity dating back to 2022.
While we cannot associate LuaDream to any known threat actor, we lean towards the possibility of a private contractor or mercenary group. Typically used as a scripting middleware in gaming and specialty embedded applications and appliances, the use of LuaJIT in the context of APT malware is relatively rare but the population using it is becoming broader.
Embedded Lua VMs serve as a mechanism for modularity and extensibility for advanced APTs, historically considered Western or Western-aligned. However, this development paradigm is being embraced by a broader set of threat actors that also target Western countries and deserves further scrutiny as exemplified by the Sandman APT. Our talk at LABScon 2023 described this paradigm of development overtime, bookended by our discovery of Sandman APT as the latest, along with Fast16 as the earliest example dating back to 2005.
In March 2023, new malware was briefly described by Kaspersky during a quarterly roundup actively targeting a government entity in Pakistan. Based on the sparsely described characteristics, we assess that they’re referring to a variant of LuaDream –dubbed DreamLand. Note the following string in the LuaDream samples we identified:
The activities we observed took place over several weeks in August 2023. After stealing administrative credentials and conducting reconnaissance, Sandman infiltrated specifically targeted workstations using the pass-the-hash technique over the NTLM authentication protocol. On one of the targets, all of the workstations were assigned to personnel in managerial positions.
On average, we observed a five-day gap between infiltrations into different endpoints. After gaining access, Sandman limited its activities to deploying folders and files required for loading and executing LuaDream, refraining from any further actions. We observerd the following deployed filesystem artifacts:
Sandman abused the DLL hijacking technique to execute LuaDream. The ualapi.dll file they placed is a malicious DLL masquerading as its legitimate counterpart (a User Access Logging (UAL) component) and represents the first stage of the intricate LuaDream loading process. The ualapi.dll library is loaded by the Fax and the Spooler Windows service when started. We observed the Spooler service loading the malicious ualapi.dll on the targeted workstations, executing LuaDream in its context.
It is relevant to note that we did not observe the threat actor restarting the Fax and or Spooler service to force the execution of LuaDream, likely to evade detection based on service manipulation. Instead, they were patient in waiting for one of these services to load the malicious ualapi.dll when started at the next system boot.
LuaDream | Staging
The LuaDream staging process is intricate and designed with a focus on evading detection and thwarting analysis. Initiated by the Fax or the Spooler service, which would execute the UalStart export of the malicious ualapi.dll when started, the overall process consists of seven main stages. These are conducted fully in memory and involve a combination of fully-formed DLL PE images, code, and LuaJIT bytecode.
The following table shows DLL images involved in LuaDream staging:
Name
Compilation timestamp
Exports
ualapi.dll
Wed Aug 09 18:24:18 2023
UalInstrument, UalStart, UalStop
MemoryLoadPex64.dll
Wed Mar 22 23:55:07 2023
ProtectMain
common.dll
Wed Aug 09 18:21:18 2023
jsadebugd
Although the DLL timestamps could have been manipulated by the threat actor, given the proximity to the August 2023 intrusion date, it is likely that the timestamps are authentic. Due to the difference of only a few days between the timestamps of ualapi.dll and common.dll, and their actual deployment dates, it is possible that these images have been built specifically for this intrusion.
Some of the implemented anti-analysis measures include hiding LuaDream’s threads from a debugger using the NtSetInformationThread function, file close operation on an invalid handle (0x123456), detection of Wine-based sandboxes, and in-memory mapping of malicious PE images to evade EDR API hooks and file-based detections.
Next-stage code is typically packed using a combination of XOR-based encryption and compression. The fax.dat, fax.Application, and fax.module files store packed staging code. The code unpacked from fax.Application contains a LuaJIT engine enabling the execution of the LuaJIT components internally referred to as interface and crt as well as LuaDream itself.
interface unpacks crt from fax.module, which in turn retrieves XML-formatted configuration and the contents of the fax.cache file – an encrypted and compressed Lua function, which returns the reference names and implementations of LuaDream components in Base-64 encoded form.
The LuaDream configuration includes C2 and communication protocol information. The LuaDream variant we analyzed is configured to communicate with the mode.encagil[.]com domain over the WebSocket protocol.
LuaDream | Overview
LuaDream is a multi-component and multi-protocol backdoor, whose main features are managing attacker-provided plugins and exfiltrating system and user information. The implementation and architecture of LuaDream indicates that it is a maintained, actively developed project of a considerable scale.
Throughout our analysis, we observed what is likely a malware version string (12.0.2.5.23.29), which the backdoor sends to the C2 server when exfiltrating information. Many LuaDream function and variable definitions follow a naming convention involving the word fun, such as dofun, _RUN_FUN_LIST_, and FunGetDataCache.
LuaDream implements testing functions as well as error and execution status logging, which indicates that the malware is likely still in active development. A string artifact in a function labeled com_TestJson suggests potential development in June 2022.
We observed the embedded private IP address 10.2.101[.]99 to which LuaDream binds the communication port 4443, if so configured. This address does not belong to the IP address spaces of the targeted environments. The IP address may be a leftover from an in-development LuaDream variant or from a previous Sandman engagement.
LuaDream | Components And Features
The LuaDream variant we obtained from the targeted environments consists of 34 components: 13 core and 21 support components. They are implemented in LuaJIT bytecode and use the Windows API through the ffi library using C language bindings.
The support components implement Lua libraries as well as Windows API definitions required for LuaDream’s operation, such as xml2lua, Windows Sockets, and NtSec API.
The core components implement LuaDream features, such as initialization, gathering system and user information, C2 communication, and plugin management. As per the component definitions from the fax.cache file, the core LuaDream components are structured into two categories: .com and .main.
With the main component initializing LuaDream, the backdoor connects to the configured C2 server and exfiltrates system, user, and malware-related information gathered by BGetSystemMsg. This information includes the malware version, assigned IP and MAC addresses, OS version, available memory, and the name, PID, and username associated with the process in whose context LuaDream runs.
LuaDream has the capability to reach out to C2 servers but also to act as an implant listening for incoming connections. The backdoor can communicate over the TCP, HTTPS, WebSocket, and QUIC protocols. The main_proto_X_TcpClient, main_proto_WinHttpClient, main_proto_X_WebSocketClient, and main_proto_X_QuicClient components implement support for these protocols, with main_z_protoInterface acting as their main handler.
The main_proto_A_QueryDns component resolves domains to IP addresses using the cloudflare-dns[.]com service, which main_proto_X_WebSocketClient uses for resolving C2 domain names.
main_proto_X_QuicClient draws functionalities from a DLL image which LuaDream maps fully in memory, a functionality implemented by the Acom_LoadDLL component.
LuaDream communicates with a C2 server using the thread_connect, thread_send, and thread_recv components, which are responsible for connecting to, sending data to, and receiving data from the C2 server, respectively. These components operate in separate threads. The exchanged data is in JSON and XML format, in an encrypted and compressed form. The Acom_define component provides functionalities for inter-thread communication and data manipulation.
The thread_recv component handles incoming messages and its main purpose is to manage attacker-provided plugins that extend LuaDream. Some functionalities of this component include:
executing an attacker-specified plugin functionality.
LuaDream maintains a key-based list of plugin information, which includes the handle and the ID of the thread in which the plugin runs, and a plugin-identifying key. Loading of a plugin involves inserting a new entry in this list and executing plugin code in a designated thread. For communicating with plugins, LuaDream leverages inter-thread communication, using the message 1234 for executing plugin functionalities.
Our analysis of LuaDream staging samples shared on VirusTotal revealed the existence of two additional components named main_proto_WinHttpServer and thread_test. main_proto_WinHttpServer implements a LuaDream capability to listen for incoming connections based on the Windows HTTP server API. thread_test implements functions for testing the loadplugin and saveplugin commands. These functions indicate the existence of a plugin named cmd, whose name suggests command execution capabilities.
Network Infrastructure
The LuaDream samples we analyzed communicate with the C2 servers ssl.explorecell[.]com and mode.encagil[.]com. ssl.explorecell[.]com is a Tucows-registered domain with a first-seen resolution date of March 2023. This domain last resolved to 185.82.218[.]230, an IP address of a server hosted in Bulgaria by the ITLDC hosting provider.
mode.encagil[.]com is an Arsys-registered domain with a first-seen resolution date of August 2023. The domain last resolved to 172.67.173[.]208 and 104.21.47[.]226, IP addresses of a server hosted behind a major load balancing platform. The shift from using a directly exposed C2 server IP address to addresses of a load balancing infrastructure marks a change in Sandman’s infrastructure management practices – likely to avoid exposing the true hosting location.
Examination of C2 netflow data revealed lack of comprehensive C2 infrastructure segmentation, with several LuaDream deployments at geographically dispersed victim environments communicating with the same C2 server.
Conclusions
Attributing Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive threat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.
Navigating the shadows of the threat landscape necessitates consistent cooperation and information sharing within the threat intelligence research community. SentinelLabs remains dedicated to this mission and hopes that this publication will serve as a catalyst for further collaborative efforts. We are grateful for the contributions of Luca Palermo from the SentinelOne EMEA IR TAM team, who assisted with the initial investigations and remediation of the threat.
SentinelLabs observes sustained tasking towards strategic intrusions by Chinese threat actors in Africa, designed to extend influence throughout the continent.
New attacks include those against telecommunication, finance and government, attributed to the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love.
China’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions highlights recent objectives and potential lasting impact in Africa.
To better manage the challenge of tracking state-aligned cyber activities in less monitored areas like Africa and Latin America, we are announcing the formation of the ‘Undermonitored Regions Working Group’. Launched today at LABScon, this effort calls upon established security researchers to join analytic capabilities, combine telemetry, resources, and local expertise, and promote a unified approach to analyzing cyber operations used to support soft power agendas in Africa and Latin America.
Introduction
In the evolving cyber threat landscape, it’s always important to constantly challenge our biases. There are large pockets of important threat activity occurring in regions around the world less commonly addressed in Western threat research. While much attention has rightfully been drawn to Chinese threat actors targeting the West, the broader set of global activity supporting and promoting similar interests remains opaque. At a time of pervasive foreign activities towards cornering natural resources and co-opting the governance of less represented countries, we have to ask– what is happening across the vast African continent?
As we contemplate where China might stand in the global arena in the next 5 to 10 years, it’s evident that there exists a considerable gap in the realm of cyber threat intelligence with regards to Africa as a whole, and more specifically how it ties into the long term agenda of the People’s Republic of China (PRC). Africa, with its highly complex and dynamic environment, poses a unique challenge for accurately characterizing its cyber threat landscape.
In the threat intelligence industry, we have a habit of overlooking regions where our immediate financial interests don’t appear to be at stake. Yet, it is precisely in places like Africa and Latin America that we witness these threat actors subtly shifting the balance of negotiations and playing pivotal roles in larger geopolitical strategies. There’s an urgent need to acknowledge the importance of these frequently overlooked regions in the global threat landscape and take radical steps to close the gap in our situational awareness. These regions are shaping up to be the battlegrounds of the future.
Our focus is on incentivizing strategic intelligence on the state of cyber operations targeting Africa. We recognize that these operations need to be placed in the greater context of multidimensional campaigns that include more traditional forms of espionage, market maneuvers, and influence. This is vital in understanding the PRC’s geostrategic ambitions and technological investments, and are fundamental in forging a forward-thinking and holistic defense approach. We’ll highlight key examples including the targeting from Chinese state-sponsored APTs, such as Op. Tainted Love and BackdoorDiplomacy, and how they blend into PRC’s soft power agenda across Africa.
Background on Soft Power Engagement
While cyber capabilities are important, they are just one of the more recent tools used in implementing broad national soft power strategies. Spanning several decades, China’s involvement in the continent has adapted to embrace economic, political, and cultural dimensions that represent both comprehensive and strategic opportunities. The establishment of Confucius Institutes and expanding media investments have been a tool in crafting narratives that underline the positive aspects of its engagement in Africa.
China has engaged in significant strategic investments in Africa, considered ‘debt-trap diplomacy’. This refers to a scenario where a creditor country extends excessive credit to a debtor country with the presumed intention of extracting economic or political concessions when the debtor country cannot meet its repayment terms.
Specifically in Africa, China has financed large critical infrastructure projects in many African countries. Countries pursuing economic and infrastructure development have found China a willing and eager investor over the last decade. Future adverse effects are easily brushed aside by the immediate perceived benefits of these investments.
Offensive Cyber Operations as a Support Tool of Soft Power Agendas
In recent years, we have tracked targeted intrusions against key industrial sectors in various African nations. These attacks conspicuously align with China’s broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies. Three significant sets of activity best exemplify this dynamic across the larger set of China-aligned activity in Africa.
Operation Tainted Love
In March 2023, we shared details of Operation Tainted Love, a case centered on targeted attacks against telecommunications providers predominantly located in the Greater Middle East region. This discovery marked an evolution of the toolkit involved in Operation Soft Cell, forging immediate connections to previous China-attributed activities.
From Operation Tainted Love, we highlighted the use of a rigorously maintained and version-controlled system for credential theft, accompanied by a novel dropper mechanism. The overall findings are suggestive of a concerted development effort undertaken by a threat actor, or threat actors support structure, driven by specific objectives.
Unnoted in our initial report, we identified the compromise of a telecommunications entity based in North Africa by the same threat actor. The timing of this activity aligned closely with Chinese telecommunication soft power interests in Africa, as the organization was in private negotiations for further regional expansion in areas. Strategic objectives in such intrusions highlight interest from China in internal business knowledge on negotiations, providing competitive advantage, or prepositioning for retained technical access for intelligence collection.
Backdoor Diplomacy
For several years, another APT primarily referred to as BackdoorDiplomacy has operated across Africa. Recently, fresh revelations emerged spotlighting the group’s sustained three-year endeavor targeting governmental organizations in Kenya. Delving into prior public technical reports by ESET, Unit42, and BitDefender unveils a targeting paradigm bearing resemblance to those employed in Operation Tainted Love.
BackdoorDiplomacy seemingly concentrates efforts on government entities, along with high-priority telecommunications and finance organizations. The group has orchestrated a series of notable espionage campaigns across Africa in recent years. Through analysis of infrastructure tied to this actor, we assess multiple African countries are experiencing targeting over the last few years, including at least South Africa, Kenya, Senegal, and Ethiopia. As noted by previous reporting, the threat actor does maintain operations throughout the middle east, and can be found in other regions of particular PRC interest.
Our current perspective suggests a close relationship between BackdoorDiplomacy and another Chinese state sponsored threat actor, APT15.
Threat Actors Ambiguity
A broader set of China-aligned campaigns has been active across Africa, as emphasized by recent reports on FamousSparrow and Earth Estries. Pinpointing precise clustering for these groups remains challenging due to a prevalence of shared technical resources. However, TTPs and targeting objectives are somewhat related to the APT41 umbrella.
In a separate case, Chinese espionage efforts against the African Union (AU) was allegedly discovered in 2017. According to initial reports, for a period of five years, from 2012 to 2017, the Chinese government maintained backdoor access into servers for the African Union’s headquarters in Ethiopia. The $200 million dollar headquarters was funded and built by China between 2009 and 2012. Notably, the network infrastructure and services were reportedly Huawei technology since the initial construction.
More recently in 2020, Japan’s CERT notified AU IT staff of an intrusion they attributed to the Bronze President APT, a separately tracked Chinese threat actor. In this intrusion, Bronze President was observed exfiltrating surveillance footage from the AU headquarters facility. This case may highlight how much of a real priority intelligence inside the AU is to Beijing, ultimately forcing their hand on moving away from backdoored equipment to performing actual intrusions through well tracked APTs.
In both the 2017 and 2020 case, African Union and Chinese officials denied any sort of intrusions. As quoted by Reuters, a former AU official told them “Attacking the Chinese, for us, it’s a very bad idea,”. A review of specifics around China’s technological soft power in Africa highlights some reasons why the official may have said that.
Technological Soft Power, Reliance, and Abuse Opportunities
The digital landscape of Africa has undergone a seismic transformation, largely facilitated through Chinese tech giants deploying extensive resources to meet the continent’s critical technological needs.
China has taken a lead role in Africa’s telecommunication, finance, and surveillance technology sectors. This initiative ties into China’s Digital Silk Road project, announced in 2015.
Telecommunication Networks
At the forefront of technology investment in Africa are Huawei and ZTE, powerhouses steering efforts to bridge the connectivity divide separating urban and rural landscapes of the continent. These corporations have brought the boon of digital connectivity to the remotest corners of Africa.
In the two decades since Huawei began expanding into Africa, it has grown to become the leading telecommunication technology and service provider across much of the continent.
Yet, underneath the altruistic veneer may lie a strategy anchored on fostering an overwhelming dependence on Chinese technology. Through a sweeping range of initiatives that span from mobile networks to broadband infrastructure, the strategy envisions a society deeply tied to China’s digital ecosystem, guiding future socio-political paths and holding significant sway over personal freedoms.
This rise isn’t merely a route to economic enrichment; it empowers China to shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa’s digital evolution.Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level intention directed at supporting such agendas.
Instances of infringement on internet rights and the misuse of technology are already evident in countries such as Sudan, Ethiopia, Zimbabwe, Gabon, and the Democratic Republic of Congo. In some of these nations, the governments have resorted to shutting down social media and internet services as a strategy to suppress civil unrest, or even spying on the network communications of its citizens.
China has also ventured to enhance its command over the underwater fiber networks connected to the African continent. Leveraging significant investments in projects such as the PEACE cable initiative, China has been laying cables that aim to rejuvenate Africa’s digital connectivity, ostensibly offering the continent much needed information accessibility.
These underwater pathways hold enormous significance in dictating the flow of information between continents. In taking ownership of them, China stands in a position to potentially orchestrate and steer digital dialogues on the African continent, forging a narrative that aligns seamlessly with its geopolitical objectives.
Controlling these undersea networks gives China the capacity to monitor the data flowing through them, raising serious concerns regarding data privacy and national sovereignty. To gauge the potential for misuse, we only need to examine how China manages its own domestic networks, offering a window into the possible ramifications of granting them such control.
Mobile Payment Platforms
In recent years, digital mobile banking platforms like M-Pesa have revolutionized Africa’s financial landscape, promoting unprecedented financial inclusion especially in areas underserved by traditional banks. With 51 million users processing over $314 billion in transactions annually, its footprint is substantial.
M-Pesa has since been migrated to Huawei’s Mobile Money Platform. Similarly, China-backed entities OPay and PalmPay have seized a considerable market share, facilitating a large portion of the continent’s financial transactions.
This should raise apprehensions around the nature of China’s influence, with potential avenues for financial monopolies and the control it gives to Chinese stakeholders in the dictation of economic trajectories across the African continent.
The intensive data mining, user surveillance, and user disruption that are characteristic of Chinese tech giants present a significant risk of exploitation, infringing upon the privacy rights of individuals and potentially undermining the sovereignty of African nations. The depth and breadth of data these platforms can amass and control raise serious concerns about how it might be utilized, perhaps to shape consumer behavior, influence public opinion, or even foster dependencies that go beyond financial transactions.
While services offered by these platforms are undeniably bringing about a financial revolution, it’s creating a scenario where a foreign power has an overwhelming influence over the financial stability, habits, and preferences of a significant portion of the African populace. Financial inclusion and potential manipulation hang in a precarious balance, necessitating a critical appraisal of the long-term implications of this growing influence.
Surveillance
Huawei’s Smart City venture is also emerging as a central pillar in China’s escalating soft power influence in Africa. This initiative pivots on a suite of surveillance services including facial recognition, artificial intelligence, data analytics, and 5G network deployments, all purportedly claimed to enhance urban management, augment public safety, and spur economic development. Yet, the flipside of this technological investment is the possibility of a surveillance era of unparalleled scope, exploiting a diverse array of data from daily life to cultivate a society where personal privacy could soon become obsolete.
Across Africa, nations like Kenya, Mauritius, Uganda, and Zambia have embraced Huawei, infusing surveillance technology into the heartbeat of their urban landscapes. In Kenya, the Safe City project — powered by Huawei’s system encompassing CCTV and facial recognition technologies — monitors Nairobi and other primary cities. In Uganda, one such case of surveillance reportedly led to the regime seeking to silence political opponent Bobi Wine, accomplished through the help of Huawei staff and services. These same capabilities can be found in many other countries throughout Africa.
Other noteworthy activity includes the Chinese business CloudWalk Technology providing facial recognition surveillance technology to Zimbabwe. CloudWalk has been accused of being involved in human rights violations and transgressions perpetrated during China’s campaign targeting Uighurs, ethnic Kazakhs, and other Muslim minority groups in the Xinjiang Uighur Autonomous Region. This campaign is characterized by widespread repression, indiscriminate detentions, enforced labor, and intensive high-tech surveillance.
Once these smart cities come to fruition, they will operate fundamentally on Chinese technology, often granting Beijing real-time insights into these nations, lacking consequences for personal privacy and national safeguarding measures. Moreover, these nations steer towards further reliance on Chinese expertise and technical resources for the use and administration of these systems into the future.
A Force for Good
African nations face the delicate task of leveraging Chinese tech innovations while preserving their autonomy and digital rights, a tightrope walk exacerbated by limited alternatives. Concurrently, it’s imperative for the cybersecurity community to deepen our understanding of China’s cyber activities in Africa to prevent unwanted encroachment.
Due to escalating cyber threats in overlooked areas such as Africa and Latin America, we are launching the Undermonitored Regions Working Group (URWG). This initiative is focused on addressing the unique cybersecurity hurdles faced in these regions, frequently sidelined in mainstream global cyber discussions.
Our mission transcends geographical boundaries as we track state-sponsored threats emerging globally from nations be it China, Russia, or Egypt. We are determined to cultivate a technical research collaboration, harnessing our collective expertise to identify new threats, and devise effective countermeasures against them.
SentinelLabs embodies our commitment to sharing openly – providing tools, context, and insights to strengthen our collective mission of a safer digital life for all. We are seeking out security researchers, intelligence analysts, and those passionate about understanding and improving the cyber threat narrative to grow these efforts through unconventional means. By pooling our knowledge and technical prowess, we strive to nurture a digital future in support of less monitored parts of the world.
Conclusion
As we have navigated through the complexities of Chinese influence in Africa, the role of offensive cyber actions, and the broader implications of tech dominance, it becomes evident that this intricate web of geopolitics and cyber threats demands attention across the cybersecurity industry.
Recognizing Africa’s centrality in the future of global cyber dynamics helps not only the safeguarding of the continent’s digital freedoms but fortifies the global ecosystem against sophisticated threat actors.
The story of Africa’s digital landscape today is, in essence, the precursor to the global narrative of tomorrow. We should work in tandem to craft it as one of security, prosperity, and shared progress.
SentinelLabs identified three Android application packages (APK) linked to Transparent Tribe’s CapraRAT mobile remote access trojan (RAT).
These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application.
CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects.
Background
Transparent Tribe is a suspected Pakistani actor known for targeting military and diplomatic personnel in both India and Pakistan, with a more recent expansion to the Indian Education sector. Since 2018, reports have detailed the group’s use of what is now called CapraRAT, an Android framework that hides RAT features inside of another application. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.
Transparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponized application. Earlier in 2023, the group distributed CapraRAT Android apps disguised as a dating service that conducted spyware activity.
One of the newly identified APKs reaches out to a YouTube channel belonging to Piya Sharma, which has several short clips of a woman in various locales. This APK also borrows the individual’s name and likeness. This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications, and that Piya Sharma is a related persona.
CapraRAT is a comprehensive RAT that provides the actors with the ability to harvest data on demand and exfiltrate it. Notable features include:
Recording with the microphone, front & rear cameras
Collecting SMS and multimedia message contents, call logs
Sending SMS messages, blocking incoming SMS
Initiating phone calls
Taking screen captures
Overriding system settings such as GPS & Network
Modifying files on the phone’s filesystem
App Analysis
CapraRAT is distributed as an Android APK. When the tool was initially named by Trend Micro, their research team noted that CapraRAT may be loosely based on the AndroRAT source code.
We performed static analysis on two YouTube-themed CapraRAT APKs: 8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk, uploaded to VirusTotal in July 2023. 83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk, uploaded to VirusTotal in August 2023. We also identified a third APK called Piya Sharma, the YouTube channel persona described earlier: 14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk, uploaded to VirusTotal in April 2023
The yt and YouTube APKs apps are disguised as YouTube, borrowing the YouTube icon.
The app requests several permissions. YouTube is an interesting choice for masquerading the app: some permissions, like microphone access, make sense for recording or search features. Other permissions–like the ability to send and view SMS–are less relevant to the expected app behaviors.
When the app is launched, MainActivity’s load_web method launches a WebView object to load YouTube’s website. Because this loads within the trojanized CapraRAT app’s window, the user experience is different from the native YouTube app for Android and akin to viewing the YouTube page in a mobile web browser.
Key Components
Because CapraRAT is a framework inserted into a variety of Android applications, the files housing malicious activity are often named and arranged differently depending on the app. The CapraRAT APKs we analyzed contain the following files:
Name
yt.apk
Configuration
com/media/gallery/service/settings
Version
MSK-2023
Main
com/media/gallery/service/MainActivity
Malicious Activity
com/media/gallery/service/TPSClient
Name
YouTube_052647.apk
Configuration
com/Base/media/service/setting
Version
A.F.U.3
Main
com/Base/media/service/MainActivity
Malicious Activity
com/Base/media/service/TCHPClient
Name
Piya Sharma.apk
Configuration
com/videos/watchs/share/setting
Version
V.U.H.3
Main
com/videos/watchs/share/MainActivity
Malicious Activity
com/videos/watchs/share/TCPClient
CapraRAT’s configuration file, which is named interchangeably setting or settings, holds the default configuration information, as well as metadata like versioning. The CapraRAT version syntax seen in YouTube_052647.apk and Piya Sharma.apk–A.F.U.3 and V.U.H.3, respectively–matches the convention used to track Transparent Tribe’s Windows tool, CrimsonRAT. However, there is no tangible relationship between these version numbers and the C2 domains as we saw in CrimsonRAT.
Thanks to creative spelling and naming conventions, the RAT’s configuration provides consistent static detection opportunities, with each of the following present in the samples from earlier in 2023 as well:
MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method which uses Autostarter, an open-source project with code that lets developers automatically launch an Android application. The TPSClient class is initialized as an object called mTCPService; then, this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable. In this example, the value 0xea60 is equal to 60,000 milliseconds, meaning the alarm and persistence launcher run once per minute.
The RAT’s core functionality is in an activity similar to the Extra_Class activity from the March 2023 samples reported by ESET. Henceforth, we call this activity TPSClient for simplicity. These files are rather large, decompiling to over 10,000 lines of Smali code. By comparison, the March versions’ equivalents have only about 8,000 lines.
TPSClient contains CapraRAT’s commands, which are invoked through the run method via a series of switch statements that map the string command to a related method.
Many of these commands have been documented in previous research, though there are several changes in these new versions. The hideApp method now checks if the system is running Android version 9 or earlier and if the mehiden variable in the setting(s) config file was set to False; if applicable, the app will be hidden from the user’s view. While similarities between CapraRAT and AndroRAT are seemingly minimal at this point in CapraRAT’s development, the AndroRAT source code documentation notes that the tool becomes unstable after Android version 9, so there are likely underlying changes to the OS that make this method behave differently depending on the OS version.
TPSClient has a method check_permissions() that is not in Extra_Class. This method checks the following series of Android permissions and generates a string with a True or False result for each:
READ_EXTERNAL_STORAGE
READ_CALL_LOG
CAMERA
READ_CONTACTS
ACCESS_FINE_LOCATION
RECORD_AUDIO
READ_PHONE_STATE
Interestingly, some other older versions contain this method, suggesting that the samples may be tailored for targets or are potentially developed from different branches.
C2 & Infrastructure
In CapraRAT’s configuration file, the SERVERIP variable contains the command-and-control (C2) server address, which can be a domain, IP address, or both. The C2 port is in hexadecimal Big Endian format; the human readable port can be obtained by converting into decimal, resulting in port 14862 for yt.apk, port 18892 for YouTube_052647.apk, and port 10284 for Piya Sharma.apk.
The shareboxs[.]netdomain used by YouTube_052647.apk has been associated with Transparent Tribe since at least 2019. Interestingly, the ptzbubble[.]shop domain was registered the same week of ESET’s report outlining the group’s Android apps that leveraged other C2 domains.
The IP addresses associated with C2 from the two YouTube samples have Remote Desktop Protocol port 3389 open with the service identified as Windows Remote Desktop, indicating the group uses Windows Server infrastructure to host the CapraRAT C2 application. The Piya Sharma app’s C2 IP, 209[.]127.19.241, has a certificate with common name value WIN-P9NRMH5G6M8, a longstanding indicator associated with Transparent Tribe’s CrimsonRAT C2 servers.
84[.]46.251.145–the IP address hosting ptzbubble[.]shop domain–shows historical resolutions associated with Decoy Dog Pupy RAT DNS tunneling lookups. Any connection between these campaigns is unclear; it is plausible that a service hosted on this IP was infected by that campaign. Based on the query dates, the claudfront[.]net lookup was during the time the CapraRAT actor was using this IP address to host ptzbubble[.]shop, while a lookup to allowlisted[.]net was in December 2022, which was potentially before this actor started using the IP.
Conclusion
Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools.
The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media.
Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat.
Defensive and preventative measures should include:
Do not install Android applications outside of the Google Play store.
Be wary of new social media applications advertised within social media communities.
Evaluate the permissions requested by an application, particularly an application you are not particularly familiar with. Do these permissions expose you to more risk than the potential benefit of the app?
Do not install a third-party version of an application already on your device.
CapraRAT malware is fully detected by SentinelOne’s Singularity Mobile solution.
It wasn’t so long ago that malware authors, much like software developers, were concerned about the size of their code, aiming to keep it as small and compact as possible. Small binaries are less noticeable and can be slipped inside other files or shipped in benign code, attachments and even images. Smaller executables take up less space on disk, are faster to transfer over the wire, and – if they’re written efficiently – can execute their malicious instructions with less tax on the host CPU. In days of small disk drives, slow network connections and underpowered chips, such concerns made good sense and helped malware to avoid detection.
In today’s computer environments, however, storage, bandwidth and processor power are rarely in short supply, and as a result both legitimate programs and malware have increased greatly in size.
While malware executables of several megabytes are now so common they are hardly worthy of mention, some recent malicious programs have taken the invitation to bloat to a new extreme. Malware binaries weighing in at 50MB or more are now widely in use by macOS malware authors, and binaries over 100MB can also be found in some campaigns, typically those involving cryptominers. Such massive file sizes can cause detection problems for some kinds of AV solutions and create triage and reversing challenges for malware analysts.
In this post, we dig into the phenomenon of massive malware binaries on macOS, explaining why they are becoming more common, the problems they cause for detection and analysis, and how defenders can successfully deal with them.
How Widespread are Large macOS Malware Binaries?
It is possible to get a feel for how common large malicious binaries are by hunting in public malware repositories like VirusTotal and filtering by size. For example, if we search for Mach-O binaries over 35MB recognized as malware by 5 or more vendors, the search today returns 524 hits.
Increasing the file size to 50MB or more returns 113 hits, with many of the files returned being samples of Atomic Stealer.
Around 7 samples in the 75MB and 100MB size range are examples of OSX.EvilQuest malware. Adjusting our search for file sizes of 100MB returns over 20 files with five or more vendors detecting as malware; many of these are miners, including a coinminer executable weighing in at 345 MB.
However, the problem is wider than just those files that vendors currently recognize as malware. Both detection solutions and analysts have to determine whether an unknown sample is suspicious or malicious, and if we look at the number of Mach-O binaries on VT in general that are over 35MB, we find almost 100,000 samples, with the number of samples over 100MB currently at almost 50,000.
We can even find a single Mach-O binary on VirusTotal with a file size of 600MB. Are there individual binaries larger than that? Almost certainly, but VirusTotal has a file size upload limit of 650MB, so above that we have a data blindspot for both legitimate and malicious files.
From the data we do have, it is clear large executables are a widespread phenomenon, but why are threat actors turning to bloated binaries and what problems do they cause for enterprise security?
Why Are Threat Actors Turning to Supersized Binaries?
There are a number of reasons why threat actors may choose to distribute malware in oversized binaries. Some large binaries such as cryptominers like BirdMiner (aka LoudMiner) are a result of bundling emulation environments such as QEMU in the malware.
Other large binaries are caused by using cross-platform programming languages like Go and Rust. In order to ensure these programs will run on the intended platform, the runtime, libraries and all other dependencies are compiled into the final payload.
In addition, Apple’s switch to ARM from Intel has resurrected the Universal/FAT binary format, in which two architectures are now compiled into a single binary to ensure that the same program will work regardless of whether the user runs it on an Intel Mac or an Apple silicon Mac. Any binary compiled into the Universal format is effectively doubled in size.
As we shall see in the next section, in some cases threat actors may simply bloat files with junk code to defeat file scanners with file size limits or to thwart analysis by malware researchers.
What Problems Do Outsized Binaries Cause For Detection and Analysis?
Massive individual binaries are a relatively recent phenomenon and they cause a headache for traditional AV scanners that rely on either computing a file’s hash or scanning it for malicious content. The larger the binary the longer it takes to scan, and when scanning across numerous files on a file system, the end result can be a sluggish, unresponsive system as the AV software increasingly hogs the host CPU to complete its task.
The performance problems associated with file scanning are historically one of the most oft-cited reasons for complaints from users and something that the industry has attempted to solve in various ways.
One typical solution employed by many AV scanners is to limit the maximum file size the scanner will accept. In the days when few legitimate programs reached more than 20MB that may have seemed like an acceptable compromise, but given today’s bloated binaries, that’s clearly no longer viable: it would mean that a lot of known malware would go undetected. Threat actors have even been known to bloat files with junk code precisely to defeat file size limits of scanners and malware repositories like VirusTotal, which as we noted above has a max file size upload limit of 650MB.
Massive files are not just a problem for detection software, but also for researchers, reverse engineers and malware analysts. With tens of megabytes of code to analyze, most of which is benign, junk or part of a standard runtime like Go, analysts can have a difficult time identifying exactly which parts of a binary are malicious. This can hamper efforts to find other, possibly undetected, malware samples using the same or similar code and allow threat actors to extend their campaigns without detection.
How to Detect Malware Hidden Inside Massive Binaries
Fortunately, there are solutions to the problem of massive binaries both for detection and analysis. The problems inherent in relying solely on file scanning have been well understood by vendors such as SentinelOne and were part of the paradigm shift that caused such solutions to adopt behavioral detection.
In contrast to a file scanning engine, a behavioral engine examines what a binary does when it is executed rather than examining the file’s content prior to execution. A behavioral approach allows a solution to avoid scanning large amounts of files or files of large sizes and instead determines whether an execution process is involved in malicious activity. Solutions like SentinelOne can thus detect and kill malware regardless of how it is packaged or how large the file is.
Security software that combines multiple detection mechanisms including behavioral and machine learning detection engines is now the standard for enterprise security.
How to Analyze Large macOS Malware Binaries
Large binaries present malware analysts with a number of challenges. In this section, we will briefly describe a useful technique for finding interesting code among hundreds of thousands of lines of disassembly leveraging YARA and radare2.
Threat hunters are most familiar with using YARA to determine if a sample file contains strings or bytes similar to other known malware families, but we can also use the same technique to find interesting code typical of malware TTPs. Take the following YARA rule, for example:
This rule returns a match if the binary contains certain strings related to disabling or modifying tools or other processes on a device, a typical anti-analysis and evasion technique. We can create a list of rules with various TTP indicators to help us to statically determine what capabilities a file has that may be related to malware behavior. Here is another example of a rule to indicate a binary that contains code related to system discovery.
We can run our YARA rule set on a given binary from within a radare2 session and, by leveraging YARA’s -m and -s switches, obtain a list of possible TTPs and their offsets for further investigation.
In this example we create a radare2 alias to run our YARA TTP ruleset over the file. The alias is equivalent to the command:
yara -ms ttp.yara
In radare2, the alias can be defined locally within the current r2 session or more usefully as a global alias in the .radare2rc config file as:
(ttp x; !yara -$0w <path to>/ttp.yara `o.`)
We provide a starter YARA rule set here that other macOS malware analysts can use as a base from which to develop their own more comprehensive ttp.yara file.
Conclusion
Massive binaries are becoming increasingly common on the macOS platform and defenders need strategies for dealing with them. Malware authors have embraced the idea of distributing huge binaries in part as a tactic for defense evasion and anti-analysis and in part as a result of turning to cross-platform languages that pack a runtime, library and other dependencies in the final payload.
Organizations can detect large malicious binaries by turning to solutions that include behavioral detection and do not rely solely on file scanning. Analysts can implement techniques such as those discussed above to help them triage massive macOS malware samples faster and more efficiently.
SentinelLabs has identified suspected-Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia.
The threat actors drop Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.
We’ve observed related malware using the signature of a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services.
Indicators point to the China-aligned BRONZE STARLIGHT group; however, the exact grouping remains unclear due to the interconnected relationships among various Chinese APT groups.
Overview
Thriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.
We observed malware and infrastructure likely related to China-aligned activities targeting this sector. The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster. Operation ChattyGoblin is ESET’s name for a series of attacks by China-nexus actors targeting Southeast Asian gambling companies with trojanizedComm100 and LiveHelp100 chat applications.
The targeting, used malware, and C2 infrastructure specifics point to past activities that third parties have linked to the China-aligned BRONZE STARLIGHT group (also known as DEV-0401 or SLIME34). This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as means for distraction or misattribution. Team T5 has also reported on BRONZE STARLIGHT’s politically-motivated involvement in targeting the Southeast Asian gambling industry.
Despite the indicators observed, accurate clustering remains challenging. The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high confidence clustering difficult based on current visibility. Our analysis has led us to historical artifacts that represent points of convergence between BRONZE STARLIGHT and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.
Background
ESET reported that a ChattyGoblin-related attack in March 2023 targeted the support agents of a gambling company in the Philippines. In the attack, a trojanized LiveHelp100 application downloaded a .NET malware loader named agentupdate_plugins.exe. The final payload was a Cobalt Strike beacon using the duckducklive[.]top domain for C2 purposes. The hash of this malware loader was not disclosed.
We subsequently identified malware loaders that we assess are closely related to those observed as part of Operation ChattyGoblin and are likely part of the same activity cluster – a .NET executable also named agentupdate_plugins.exe and its variant AdventureQuest.exe.
This association is based on naming conventions, code, and functional overlaps with the sample described in ESET’s report. Although we cannot conclusively determine whether the agentupdate_plugins.exe we analyzed is the same as that reported by ESET, we note that one of its VirusTotal submissions is dated March 2023 and originates from the Philippines. This aligns with the geolocation of the target and the timeline of the ChattyGoblin-related attack involving agentupdate_plugins.exe.
The Malware Loaders
agentupdate_plugins.exe and AdventureQuest.exe deploy .NET executables based on the SharpUnhooker tool, which download second-stage data from Alibaba buckets hosted at agenfile.oss-ap-southeast-1.aliyuncs[.]com and codewavehub.oss-ap-southeast-1.aliyuncs[.]com. The second-stage data is stored in password-protected zip archives.
The zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.
The executables are components of the software products Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan. The malicious DLLs masquerade as their legitimate counterparts: They export functions with the same names, such that specific functions, when invoked by the legitimate executables, decrypt and execute code embedded in the data files. The data files we could retrieve implement Cobalt Strike beacons.
The 100helpchat[.]com and live100heip[.]com C2 domains follow the naming convention of the LiveHelp100 trojanized application used in operation ChattyGoblin, possibly to make malicious network activity look like legitimate LiveHelp100 activity.
agentupdate_plugins.exe and AdventureQuest.exe implement geofencing based on the ifconfig.co IP-based geolocation service. The loaders are meant to stop their execution if they are run on a machine located in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. This may indicate that the threat actors have no interest in intrusions in these countries for this campaign. Due to errors in implementation, the geofencing fails to work as intended.
Stolen Ivacy VPN Certificate
AdventureQuest.exe is signed using a certificate issued to the Ivacy VPN vendor PMG PTE LTD:
Ivacy has been present on the market since 2007 and attracts users with low-price offerings.
It is likely that at some point the PMG PTE LTD singing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing. VPN providers are critical targets, since they enable threat actors to potentially gain access to sensitive user data and communications.
At the time of writing, we have not observed any public statements by PMG PTE LTD clarifying the circumstances that have led to the use of their signing keys for signing malware. The DigiCert Certificate Authority has revoked the compromised certificate after a public discussion on the issue.
HUI Loader
The malicious DLLs libcef.dll, msedge_elf.dll, and LockDown.dll distributed by agentupdate_plugins.exe and AdventureQuest.exe are HUI Loader variants. HUI Loader is a custom malware loader shared between several China-nexus groups. The loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file. HUI Loader variants may differ in implemented payload staging and execution techniques as well as additional functionalities, such as establishing persistence and disabling security features.
libcef.dll, msedge_elf.dll, and LockDown.dll closely resemble HUI Loader variants observed in a string of cyberespionage and ransomware operations that third parties have linked to APT10, TA410, and BRONZE STARLIGHT.
Threat actor
Description
BRONZE STARLIGHT Aliases: DEV-0401, SLIME34
A China-based ransomware operator active since 2021. The group is known for deploying a variety of ransomware families, such as LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora, and shares tooling with APT10. BRONZE STARLIGHT’s main goal is suspected to be espionage rather than financial gain, using ransomware as means for distraction or misattribution.
APT10 Aliases: BRONZE RIVERSIDE, MenuPass
A China-nexus cyberespionage group active since at least 2009. The group focuses on targeting entities considered strategically important by the Chinese state.
TA410
A China-nexus cyberespionage group loosely linked to APT10, tracked as a distinct entity. The group is mostly known for targeting the US utilities sector and Middle Eastern governments.
APT10 and TA410 Operations
The cef_string_map_key function of libcef.dll downloaded by agentupdate_plugins.exe references the C:\Users\hellokety.ini file.
HUI Loader variants with this exact artifact have been reported as part of several cyberespionage operations:
enSilo (now Fortinet) has disclosed cyberespionage activities in Southeast Asia observed in April 2019 and attributed them with medium confidence to APT10.
Researchers from Macnica, Secureworks, and Kaspersky have presented on A41APT campaign activity conducted throughout 2021. A41APT is a long-running cyberespionage campaign targeting Japanese companies and their overseas branches. Kaspersky has attributed earlier A41APT activity (from March 2019 to the end of December 2020) with high confidence to APT10. TrendMicro has attributed A41APT activity over 2020 and 2021 to a group they track as Earth Tengshe, noting that Earth Tengshe is related to APT10 with some differences in employed TTPs.
ESET has presented on TA410 activities, noting the hellokety.ini artifact in this context. ESET also notes the possibility of misattribution the April 2019 activities reported by Fortinet to APT10 instead of TA410.
BRONZE STARLIGHT Operations
Since around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile (Symantec, 2021; NSFOCUS, 2021), AtomSilo (Sophos, 2021), NightSky (Microsoft, 2021), LockBit 2.0 (SentinelLabs, 2022), and Pandora (TrendMicro, 2022). Some of these operations have been attributed to BRONZE STARLIGHT by the organizations disclosing them and all of them collectively by Secureworks. All of these ransomware families have been noted by Microsoft as being part of the BRONZE STARLIGHT arsenal in time intervals aligning with those of the previously mentioned operations.
C2 Infrastructure
The Cobalt Strike C2 GET and POST URIs associated with the Operation ChattyGoblin domain duckducklive[.]top contain /functionalStatus and /rest/2/meetings, respectively. Their uncommon full forms closely resemble those observed by Secureworks in AtomSilo, Night Sky, and Pandora operations they attribute to BRONZE STARLIGHT. The researchers reported that, as of June 2022, they had not seen this Cobalt Strike configuration associated with other ransomware families. The threat actors have likely adapted a public Cobalt Strike malleable C2 profile available in a Github repository of the user xx0hcd.
The C2 GET and POST URIs associated with the www.100helpchat[.]com and live100heip[.]com domains we observed contain /owa followed by character strings. The format of these strings resembles those in the URIs associated with duckducklive[.]top and also those reported in past BRONZE STARLIGHT activities. It is likely that the threat actors have adapted another open source Cobalt Strike malleable C2 profile, which is also available in a Github repository of the user xx0hcd.
The Cobalt Strike profiles associated with the duckducklive[.]top, www.100helpchat[.]com, and live100heip[.]com domains share a C2 port number (8443) and a watermark (391144938). The earliest record of duckducklive[.]top becoming active is dated 24 Feb 2023. The earliest records of live100heip[.]com and 100helpchat[.]com becoming active are dated 24 Feb 2023 (overlapping with that of duckducklive[.]top) and 28 Feb 2023, respectively.
The three domains are each hidden behind CloudFlare, who were quick in remediation after we reported the service abuse. In this case, however, the actors revealed their true-hosting locations due to an OPSEC mistake in their initial deployment of the domain’s SSL certificates on their Alibaba Cloud hosting servers at 8.218.31[.]103, 47.242.72[.]118, and 47.242.159[.]242.
While the analysis of the Cobalt Strike profiles provides links to previous BRONZE STARLIGHT activities, an assessment of the specific group attribution based on current intelligence should be treated with caution. It is noteworthy that Chinese cyber espionage threat actors are progressively refining their operational tactics in manners that obfuscate clear attribution through publicly available intelligence sources alone.
To illustrate this concept, consider the scenario where a broader array of domains imitating various brands may be interconnected, such as those publicly documented involving the BRONZE STARLIGHT, TA410, and APT10 threat actors. Examples include microsofts[.]net, microupdate[.]xyz, microsofts[.]info, microsofts[.]org, miscrosofts[.]com, microsofts[.]com, kaspresksy[.]com, tencentchat[.]net, and microsoftlab[.]top.
Conclusion
China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so. The activities this post discusses illustrate the intricate nature of the Chinese threat landscape.
Better understanding of this landscape is essential for keeping up with its dynamics and improving defense strategies. Achieving this necessitates consistent collaborative and information sharing efforts. SentinelLabs remains dedicated to this mission and continues to closely monitor related threats.
SentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.
Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.
Our analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the separate use of a Lazarus Group backdoor for compromise of their internal network.
At this time, we cannot determine the potential nature of the relationship between the two threat actors. We acknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the possibility that tasking deemed this target important enough to assign to multiple independent threat actors.
Background
North Korean threat actors have caught our attention over the past year, providing us with fruitful insight into a variety of campaigns, such as new reconnaissance tools, (multiple) new supply chain intrusions, elusive multi-platform targeting, and new sly social engineering tactics. To add to that list, let’s take a look at an intrusion into what might be considered a highly desirable strategic espionage mission – supporting North Korea’s contentious missile program.
The Target Organization
While conducting our usual hunting and tracking of suspected-North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns. A thorough investigation of the email archive revealed a larger intrusion, not fully recognized at the time by the compromised organization.
The victim organization is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian manufacturer of missiles and military spacecraft. The organization’s parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение», КТРВ). NPO Mashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.
We are highly confident that the emails related to this activity originate from the victim organization. Furthermore, there are no discernible signs of manipulation or technically verifiable inaccuracies present in these emails. It’s essential to highlight that the leaked data comprises a substantial volume of emails unrelated to our current research scope. This suggests that the leak was likely accidental or resulted from activity unrelated to the specific intrusion under scrutiny in our investigation. However, this collection provides valuable background context for our understanding of their internal network design, security gaps, and even cases of activity by other attackers.
In mid-May 2022, roughly a week prior to Russia vetoing a U.N. resolution to impose new sanctions on North Korea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organization internally flagged the intrusion. Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure. The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal systems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected.
Following an examination of the emails and an in-depth investigation into the two separate sets of suspicious activity, we have successfully established a correlation between each cluster of activity and a respective threat actor amounting to a more significant network intrusion than the victim organization realized.
North Korean Overlap
During our investigation, we identified the suspicious file in question to be a version of the OpenCarrot Windows OS backdoor, previously identified by IBM XForce as part of Lazarus group activities. As a feature-rich, configurable, and versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through the internal network hosts and directly to the external server, which supports the strong possibility of a network-wide compromise.
Additionally, we discovered the suspicious network traffic discussed in emails is the compromise of the business’ Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11). At time of discovery, the email server was beaconing outbound to infrastructure we now attribute to the ScarCruft threat actor. ScarCruft is commonly attributed to North Korea’s state-sponsored activity, targeting high value individuals and organizations near-globally. The group is also referred to as Inky Squid, APT37, or Group123, and often showcases a variety of technical capabilities for their intrusions. While we are unable to confirm the initial access method and implant running on the email server at time of discovery, we link malware loading tools and techniques involving this set of infrastructure to those seen in previously reported ScarCruft activity using the RokRAT backdoor.
This intrusion gives rare insight into sensitive DPRK cyberespionage campaigns, and an opportunity to expand our understanding of the relationship and goals between various North Korean cyber threat actors. It also highlights a potential rift in relations between Russia and North Korea, considering their growing relationship.
This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks. Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.
OpenCarrot Backdoor Activity
The OpenCarrot sample we analyzed is implemented as a Windows service DLL file, intended to execute in a persistent manner. In line with typical practices of the Lazarus group, OpenCarrot is subject to continuous, not necessarily incremental, changes. The file has a compilation timestamp of Wednesday, Dec. 01, 2021. Although the timestamp could have been manipulated by the threat actors, given the proximity to the May 2022 suspected intrusion date, it’s likely that the timestamp is authentic. Our confidence in this assessment also increases through the infrastructure analysis below.
The OpenCarrot variant we analyzed implements over 25 backdoor commands with a wide range of functionality representative of Lazarus group backdoors. In this case, supported functionality includes:
Reconnaissance: File and process attribute enumeration, scanning and ICMP-pinging hosts in IP ranges for open TCP ports and availability.
Filesystem and process manipulation: Process termination, DLL injection, and file deletion, renaming, and timestomping.
Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.
The OpenCarrot sample displays further characteristics often seen among Lazarus Group malware.
Its backdoor commands are indexed by consecutive integers, a common trait of Lazarus group malware. In addition to integer-indexed commands, the developers implement string-indexed sub-commands.
Keeping with their typicalmode of operations, the malware is intended to execute as a Windows service and exports the ServiceMain function.
OpenCarrot implements executable code in a section named .vlizer indicating the use of code virtualization for obfuscation. The .vlizer section is associated with the Oreans Code Virtualizer code protection platform, a functional subset of Themida. As previously observed in Themida-protected Lazarus group malware, some code segments of the OpenCarrot variant we analyzed are not protected.
As part of its initialization process, OpenCarrot ingests configuration data from a file whose name is composed of the service name in whose context the malware executes and the dll.mui extension. The configuration data contains encryption-protected C2 information. The use of configuration files with the dll.mui extension is a long-standing theme among Lazarus group malware, mimicking a lesser-known standard Windows file extension used to denote application resources and externalities.
OpenCarrot implements relatively long sleep time periods. To avoid remaining idle for too long whenever the user of the infected machine is active, OpenCarrot implements a mechanism to exit its sleep state earlier than instructed. If the malware is instructed to sleep for 15 seconds or more, it then monitors in 15 second intervals for the insertion of new drives, such as USBs. If such an event occurs, the malware exits its sleep state before the configured sleep time elapses. A variant of this technique has been previously observed in the Pebbledash malware.
OpenCarrot’s versatility is evident with its support of multiple methods for communicating with C2 servers. The malware dispatches commands for execution based on attacker-provided data originating not only from remote C2 servers, but also from local processes through named pipes and incoming connections to a TCP port on which OpenCarrot listens.
Infrastructure Analysis
North Korean-nexus of threat actors are known for not maintaining the OPSEC of their campaigns. A characteristic lack of segmentation allows researchers to amass unique insights across a variety of unreported activity. Infrastructure connections in particular often allow us to track the evolution of their campaigns over long periods of time.
We link the NPO Mashinostroyeniya email discussing suspicious networking communication as active C2 communications occurring through 192.169.7[.]197, and 5.134.119[.]142. The internal host, the organization’s Red Hat email server, was actively compromised and in communication with the attackers malicious infrastructure. A review of all details concludes the threat actor was likely operating on this server for an extensive period of time prior to the internal team’s discovery.
This set of malicious infrastructure was served via CrownCloud (Australia) and OhzCloud (Spain) VPS hosting providers. During the intrusion, the two domains centos-packages[.]com and redhat-packages[.]com were resolving to those C2 IP addresses. Our assessment is that this particular cluster of infrastructure became active in November 2021, and was immediately paused the same day of NPO Mashinostroyeniya’s intrusion discovery in May 2022. This finding may indicate the intrusion was high priority and closely monitored by the operators.
A relationship can be observed between this cluster of activity and a more recent ScarCruft campaign. Following the intrusion operators immediately killing their C2 server when the suspicious traffic was identified by the victim in May 2022, the centos-packages[.]com domain use was paused until it began resolving to 160.202.79[.]226 in February 2023. 160.202.79[.]226 is a QuickPacket VPS (US) hosting IP also being shared with the domain dallynk[.]com and others used by ScarCruft for malware delivery and C2 initiated through malicious documents.
Further, the domain dallynk[.]com follows the theme we’ve previously reported in which DPRK-associated threat actors impersonate Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea.
The collection of activity stemming from the dallynk[.]com domain contains malware loading tools and techniques matching those seen in previously reported ScarCruft activity using the RokRAT backdoor. Similarities in server configuration history can also link to lower-confidence BlueNoroff relationships.
While conducting this research, we first publicly identified the link between the JumpCloud intrusion and North Korean threat actors. One detail that immediately struck us was the domain theme similarities, such as centos-pkg[.]org / centos-repos[.]org (JumpCloud), and centos-packages[.]com (NPO Mash). This detail is superficial and not strong enough alone to base direct clustering, but alongside other aforementioned North Korean threat actor connections, it stokes our curiosity for the particulars of the threat actors’ infrastructure creation and management procedures.
Lastly, we advise particular care into how this infrastructure is further attributed when reviewed historically. For example, the C2 server IP address 192.169.7[.]197 was used between January and May 2022 by the DPRK linked threat actor; however, that same IP was used by the Arid Viper/Desert Falcon APT in 2020, first reported by Meta Threat Investigators. Arid Viper is associated with Palestinian interests, conducting activity throughout the Middle East. We assess the Arid Viper activity is unrelated to our findings and the overlap of infrastructure is simply an example of commonly reused dubious VPS hosting providers. This further highlights the importance of associating active timeframes with IP-based indicators.
Conclusion
With a high level of confidence, we attribute this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization.
The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a diverse range of campaigns motivated by various factors. In light of these findings, it becomes crucial to address and mitigate this threat with utmost vigilance and strategic response.