Executive Summary
- On 9 August, QuoINT security researchers detected an ongoing APT28 campaign, which likely started on 5 August.
- The malware used in the attack was the Zebrocy Delphi version. All the artifacts had very low Anti-Virus (AV) detection rates on VirusTotal when they were first submitted.
- At the time of the discovery, the C2 infrastructure hosted in France was still live.
- The campaign used NATO’s upcoming training as a lure.
- The campaign targeted a specific government body in Azerbaijan; however, it is likely that the attackers also targeted NATO members or other countries involved in NATO exercises.
- The analysis revealed interesting correlations with the ReconHell/BlackWater attack, which we uncovered in August.
- As part of our responsible disclosure, we reported our findings to the French authorities so that the C2 could be taken down, and to NATO for their awareness.
Introduction
On 9 August, the QuoINT Security team disseminated a Warning to its government customers about a new APT28 (aka Sofacy, Sednit, Fancy Bear, STRONTIUM, etc.) campaign targeting government bodies of NATO members (or countries cooperating with NATO). In particular, we found a malicious file uploaded to VirusTotal which ultimately drops Zebrocy malware and communicates with a C2 in France. After our discovery, we reported the malicious C2 to French law enforcement as part of our responsible disclosure process.
Zebrocy is a malware used by APT28 (also known as Sofacy), which was reported by multiple security firms[1][2][3][4][5][6] in the last two years.
Finally, our investigation concluded that the attack started on 5 August and targeted at least one government entity located in the Middle East. However, it is highly likely that NATO members also observed the same attack.
Technical Analysis
At first look, the sample appears to be a valid JPEG image file. In fact, if the file is renamed with a .jpg extension, the Operating System shows the logo of the Supreme Headquarters Allied Powers Europe (SHAPE), NATO's Allied Command Operations (ACO) headquarters located in Belgium.
However, further analysis revealed that the sample has a Zip file concatenated to it. This technique works because JPEG files are parsed from the beginning of the file, whereas some Zip implementations parse Zip files from the end of the file (since the index, the central directory, is located there) without looking at the signature at the front.
The technique is also used by threat actors to evade AVs or other filtering systems, since they might mistake the file for a JPEG and skip it. Interestingly, in order to trigger the decompression of the file on Windows after the user clicks on it, the following conditions need to be met: a) the file must be correctly named .zip(x); b) the file needs to be opened with WinRAR. The file will show an error message claiming it is corrupted if the targeted victim uses WinZip or the default Windows utility.
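As an added example (not QuoINT's code and not taken from the sample), the Python detector below implements the defender's side of this trick: it locates the ZIP end-of-central-directory record from the tail of the file, derives how many bytes were glued in front of the archive, and lists the member names. The JPEG+ZIP polyglot it analyzes is constructed in-memory, with member names that mirror the lure.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # End Of Central Directory record
CDH_SIG = b"PK\x01\x02"     # Central directory file header
LFH_SIG = b"PK\x03\x04"     # Local file header
JPEG_SOI = b"\xff\xd8\xff"  # JPEG Start Of Image marker

def find_eocd(data: bytes) -> int:
    """Locate the EOCD by scanning backwards, as unzippers do (-1 if absent)."""
    return data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))

def analyze_polyglot(data: bytes) -> dict:
    """Report a JPEG header, a trailing ZIP, how many bytes sit in front of the
    ZIP stream, and the member names read from the central directory."""
    res = {"jpeg_header": data.startswith(JPEG_SOI), "zip_found": False,
           "prefix_len": 0, "names": []}
    eocd = find_eocd(data)
    if eocd < 0:
        return res
    # EOCD fields at +10: entries_total (H), cd_size (I), cd_offset (I)
    n_total, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    # ZIP offsets are relative to the ZIP stream, so anything glued in front
    # shows up as the gap between the recorded and the actual EOCD position.
    prefix = eocd - cd_size - cd_off
    if prefix < 0:
        return res
    pos, names = prefix + cd_off, []
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            return res                    # malformed directory: not a usable ZIP
        name_len, extra_len, cmt_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh = prefix + struct.unpack_from("<I", data, pos + 42)[0]
        if data[lfh:lfh + 4] != LFH_SIG:  # local header must exist where claimed
            return res
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + cmt_len
    res.update(zip_found=True, prefix_len=prefix, names=names)
    return res

def build_sample() -> bytes:
    """Constructed input: a minimal JPEG-shaped blob followed by a ZIP whose
    member names mirror the lure (contents are harmless placeholders)."""
    fake_jpeg = JPEG_SOI + b"\xe0" + bytes(200) + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Course 5 - 16 October 2020.exe", b"placeholder, not a real executable")
        zf.writestr("Course 5 - 16 October 2020.xls", b"placeholder")
    return fake_jpeg + buf.getvalue()
```

A file that starts with a JPEG marker and reports `zip_found` with a non-zero `prefix_len` is exactly the polyglot described above; a mail or upload filter that only trusts the leading magic bytes would miss it.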
After decompressing the appended ZIP file, the following two samples are dropped:
- Course 5 – 16 October 2020.exe (Zebrocy malware), SHA256: aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec
- Course 5 – 16 October 2020.xls (corrupted file), SHA256: b45dc885949d29cba06595305923a0ed8969774dae995f0ce5b947b5ab5fe185
Considering the lure uses a NATO image, the attackers likely picked the filenames to leverage upcoming NATO courses in October 2020. Additionally, although the Excel file (XLS) is corrupted and cannot be opened by Microsoft Excel, it contains what seems to be information about military personnel involved in the military mission “African Union Mission for Somalia”. The long list includes names, ranks, units, arrival/leave dates, and more.
Of note, QuoINT was not able to determine whether the information contained in the file is legitimate.
One hypothesis explaining the corrupted file is that it is an intentional tactic of the attacker. The rationale could be that the attacker makes the user attempt to open the XLS file first, and then open the .exe with the same filename as a second try. The .exe file has a PDF icon, so if file extensions are not shown, targeted users might be lured into opening the executable.
The sample analyzed is a Delphi executable. Since 2015, multiple researchers have covered the Zebrocy Delphi versions in depth. Interestingly, the most recent Zebrocy observations seemed to suggest that the Delphi versions were being discontinued in favor of a new one written in Go.
Behavior Analysis
Once executed, the sample copies itself to %AppData%\Roaming\Service\12345678\sqlservice.exe, appending 160 random bytes to the new file. This padding is used to evade hash-matching security controls, since the dropped copy will always have a different file hash value.
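As an added example (not QuoINT's code), the check below makes a file-hash indicator robust to this kind of padding: it parses the PE section table to find where the declared image ends, hashes only those bytes, and reports the overlay size. The fake PE it builds is constructed and deliberately minimal; on real samples the bytes would be read from disk.

```python
import hashlib
import os
import struct

def pe_declared_size(data: bytes) -> int:
    """Size the PE headers account for: the end of the last raw section.
    Anything beyond it is overlay, which is where appended padding lands."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size                              # section table
    end = sect + 40 * n_sections
    for i in range(n_sections):
        # section header: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def overlay_hash(data: bytes) -> tuple:
    """(SHA-256 of headers+sections only, number of overlay bytes)."""
    size = pe_declared_size(data)
    return hashlib.sha256(data[:size]).hexdigest(), len(data) - size

def fake_pe(body: bytes) -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, PE signature, one section
    whose raw data starts at 0x200. Not a runnable executable."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x86, 1)                   # NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0)                   # SizeOfOptionalHeader (omitted)
    sect = 0x80 + 24
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sect + 16, len(body), 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + body

def padded_copy(pe: bytes, n: int = 160) -> bytes:
    """Mimic the dropper's behavior: the same PE with n random bytes appended."""
    return pe + os.urandom(n)
```

Two padded copies of the same sample have different full-file SHA-256 values but the same overlay-stripped hash, and the reported overlay of 160 bytes is itself a useful hunting signal.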
Next, the malware creates a new scheduled task that executes the copy with the /s parameter.
The task runs regularly and tries to POST stolen data (e.g. screenshots) to hxxp://194.32.78.245/protect/get-upd-id.php.
At first glance, the data appears to be obfuscated and encrypted; another request observed during the analysis showed the same pattern.
The leading number 12345678 (the original eight digits were redacted) seems to be constant, suggesting its use as a unique ID of the infected machine. Notably, the same number is also used by the malware when creating the folder that contains sqlservice.exe.
Letting the sample talk to its actual C2 on the Internet did not change its behavior during our analysis. The malware sends POST requests about once per minute without getting a response back. Additionally, the server closes the connection after waiting for about 10 more seconds. It is possible that this unresponsive behavior is due to the C2 determining that the infected machine is not interesting.
Lastly, the network traffic generated to the C2 triggers the following Emerging Threats (ET) IDS rule:
- “ET TROJAN Zebrocy Screenshot Upload” (SID: 2030122)
Conclusion
We conclude with medium-high confidence that the campaign targeted a specific government body, at least in Azerbaijan. Although Azerbaijan is not a NATO member, it closely cooperates with the North Atlantic organization and participates in NATO exercises. Further, the same campaign very likely targeted other NATO members or countries cooperating in NATO exercises.
By analyzing the Tactics, Techniques and Procedures (TTPs), the targeting, and the theme used as a lure, we have high confidence in attributing this attack to APT28, based on the well-known APT28/Zebrocy TTPs disclosed by the security community in the last year.
MITRE ATT&CK:
IOC Details:
VT Engine Detection: