2021 Q3 APT Trend Report (Part 2)
APT attacks in the Middle East
Lyceum is an attack group that has been targeting high-profile organizations in the Middle East since at least 2018. This year, researchers uncovered an attack by the group targeting the Tunisian aviation and telecommunications sectors. They found that the attackers had become more aggressive and faster, developing two new C++-based malware implants, which the researchers named Kevin and James. Both build on techniques and communication protocols from the group’s older malware, DanBot. Following the researchers’ report on this activity and the deployment of corresponding protections against the group’s newly discovered implants, the researchers observed repeated attempts by the attackers to deploy new samples not covered in their previous reports. Some of these samples show that the attackers also used two new C2 domains, possibly to circumvent security mechanisms that block communication with known domains. This demonstrates the group’s persistence in attacking the targeted organization and shows that it has not ceased operations after being discovered, a fact also attested by another set of the group’s activities that was recently exposed publicly. You can read more about the researchers’ findings in the “Lyceum group reborn” article.
APT attacks in Southeast Asia and the Korean Peninsula
In June, researchers observed the Lazarus group using the MATA malware framework to attack defense enterprises. Historically, Lazarus has used MATA to attack various industries for cybercrime-like purposes: stealing customer databases and spreading ransomware. In this case, however, the researchers saw Lazarus use MATA for cyber espionage. The attackers delivered a trojanized version of an application known to be used by their chosen victims, a known Lazarus characteristic. Executing this application initiates a multi-stage infection chain that starts with a downloader. The downloader fetches additional malware from compromised C2 servers. The researchers obtained several MATA components, including plug-ins. Compared to previous versions, the MATA malware found in this campaign has been iterated several times, and some of its components are signed with stolen legitimate certificates. Through this study, the researchers found stronger links between the MATA framework and the Lazarus group, including that the downloader fetching the MATA malware showed a link to TangoDaiwbo, which the researchers previously attributed to the Lazarus group.
The researchers also discovered Lazarus group activity using the updated DeathNote cluster. The first case involved an attack on a South Korean think tank in June. The second was an attack on an IT asset monitoring solution provider in May. The researchers’ investigation revealed signs pointing to Lazarus building supply chain attack capabilities. In one case, the researchers found that the infection chain originated from legitimate Korean security software executing malicious payloads; in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus. The DeathNote malware cluster contains a slightly updated variant of BLINDINGCAN, a malware previously reported by the US CISA (Cybersecurity and Infrastructure Security Agency). BLINDINGCAN has also been used to deliver new variants of COPPERHEDGE, also reported in the CISA article. The researchers previously reported initial findings on COPPERHEDGE in January 2020. As part of the infection chain, Lazarus used a downloader called Racket, which it signed with a stolen certificate. As a result of taking over the attacker’s infrastructure together with a local CERT, the researchers had the opportunity to study several C2 scripts associated with the DeathNote cluster. The attacker compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully compromised victim devices.
The Kimsuky group is one of the most active APT groups out there, known primarily for its focus on cyber espionage but occasionally also for attacks aimed at financial gain. Like other APT groups, Kimsuky comprises several clusters: BabyShark, AppleSeed, FlowerPower, and GoldDragon.
Each cluster uses a different approach and has different characteristics:
- BabyShark relies heavily on scripted malware and compromised web servers for C2 operations;
- AppleSeed uses a unique backdoor called AppleSeed;
- FlowerPower uses PowerShell scripts and malicious Microsoft Office documents;
- GoldDragon is the oldest cluster and the closest to the original Kimsuky malware.
However, these clusters also show some overlap. In particular, GoldDragon and FlowerPower share strong connections in their C2 infrastructure. The other clusters have only a small number of C2 infrastructure connections in common, illustrating that BabyShark and AppleSeed follow different operational strategies.
Back in May, researchers published a report on newly discovered Andariel activity. During this campaign, numerous businesses located in South Korea were targeted with custom ransomware. The researchers found that the attackers used two vectors to compromise the targets. The first is the use of weaponized Microsoft Office documents with malicious macros. The second vector was still unknown when the researchers initially reported it, but the researchers found artifacts containing a path to the tool ezPDF Reader, developed by a South Korean software company called Unidocs. Given the lack of clear evidence that the attack exploited a vulnerability in the software, the researchers decided to audit the application’s binaries. Analysis of the software led to the discovery of a remote code execution vulnerability in ezpdfwslauncher.exe that could be exploited to compromise computers running ezpdfwslauncher.exe on a network without any user interaction. The researchers assess with confidence that the Andariel group used this same vulnerability in its attacks. Following this discovery, the researchers contacted Unidocs, the developer, and shared details of the vulnerability. The vulnerability has since been assigned CVE-2021-26605 and has been fixed.
During the quarter, researchers described activity associated with the Origami Elephant attackers (aka Team DoNot, APT-C-35, SECTOR02) from early 2020 through this year. While Origami Elephant continues to use its known Backconfig (aka Agent K1) and Simple Uploader components, researchers also discovered a lesser-known malware called VTYREI (aka BREEZESUGAR) used as a first-stage payload. Additionally, the researchers observed a unique technique for encoding the remote templates used in malicious documents, which they have not seen used by other attackers. The attackers continue to focus on South Asia, targeting government and military organizations primarily in Pakistan, Bangladesh, Nepal and Sri Lanka.
The researchers also tracked Origami Elephant activity on Android phones from late 2020 until the report’s release. The researchers found that the infrastructure was still active, communicating with the same malware previously reported, albeit with some changes in code obfuscation. The targeting is the same as last year: the victims are located in South Asia, especially India, Pakistan and Sri Lanka. The attackers modified the infection chain compared to last year’s campaign. The researchers observed that the Android Trojan is now distributed directly, rather than through a downloader stager. This is done via a link on a malicious login page or a direct message on instant messaging platforms such as WhatsApp. The samples analyzed by the researchers mimicked a variety of applications, such as private messaging, VPNs, and media services. The researchers’ report covers the current state of Origami Elephant’s Android activity and provides additional IoCs related to recent and historical activity. Scanning the internet using clues from the researchers’ previous studies, the researchers were able to spot newly deployed hosts, in some cases even before they became active.
Other interesting finds
In September, the researchers provided an overview of the FinSpy PC implant. This covers not only the Windows version, but also the Linux and macOS versions, which share the same internal structure and functionality. FinSpy is a notorious surveillance tool that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Historically, its Windows implant was a single-stage spyware installer. This version was detected and studied several times up to 2018. Since then, researchers have observed a drop in detection rates for FinSpy for Windows. While the nature of this anomaly remains unknown, researchers began to detect some suspicious installer packages backdoored with Metasploit stagers. The researchers were not able to attribute these packages until mid-2019, when they found the hosts serving these installers among FinSpy Mobile implants for Android. During the researchers’ investigation, they discovered that the backdoored installer was nothing more than a first-stage dropper that downloads and deploys further payloads before the actual FinSpy Trojan. In addition to the trojanized installer, researchers also observed infections involving the use of UEFI or MBR bootkits. While MBR infections have been known since at least 2014, the details of the UEFI bootkit were publicly disclosed for the first time in the researchers’ article. The report presents these and other previously unknown findings about the current state of the FinSpy implant.
At the end of the third quarter, researchers discovered a previously unknown payload with advanced capabilities that used two infection chains to spread to various government organizations and telecommunications companies in the Middle East. The payload uses a Windows kernel-mode rootkit to facilitate some of its activities and is capable of persistent deployment via MBR or UEFI bootkits. Interestingly, some of the components observed in this attack had previously been staged in memory on multiple occasions by the Slingshot agent, a post-exploitation framework that researchers have encountered in several cases in the past (not to be confused with the “Slingshot” APT). It is a proprietary commercial penetration testing toolkit. This is not the first time attackers have abused it: a previous report by researchers on FruityArmor activity in 2019 revealed that it was used by attack groups to target organizations across multiple industries in the Middle East, possibly using a vulnerability in Skype as an infection vector. In a recent report, the researchers conducted an in-depth analysis of the newly discovered malicious toolkit that they observed alongside Slingshot and how it was used in active clusters in the wild. The researchers also describe some of its advanced features in detail.
Summary
While some attackers’ TTPs remain consistent for short periods of time, relying heavily on social engineering as a means to gain a foothold in the target organization or compromise personal devices, others have updated their toolsets and expanded their reach.
Here are the key trends the researchers saw in the third quarter of 2021:
1. Supply chain attacks continue, including attacks by SmudgeX, DarkHalo, and Lazarus.
2. During the quarter, researchers focused on researching and defending against surveillance frameworks following malicious activity they detected. These include FinSpy and an advanced, powerful payload staged using a commercial post-exploitation framework called Slingshot. These tools contain powerful stealth features, such as persistence via bootkits. Bootkits remain active components of some high-profile APT attacks, despite the various mitigations Microsoft has added to make them harder to deploy on Windows operating systems.
3. Social engineering remains a key method for launching attacks; exploits are also used (CloudComputating, Origami Elephant, Andariel), including the exploitation of firmware vulnerabilities.
4. Geopolitics continues to drive the development of APTs, as demonstrated by the activities of various attackers including Gamaredon, CloudComputating, ExCone, Origami Elephant, ReconHellcat, SharpPanda.