Common TTPs of attacks against industrial organizations. Implants for remote access | Kaspersky ICS CERT

In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.

Based on similarities found between these campaigns and previously researched campaigns (e.g., ExCone, DexCone), including the use of FourteenHi variants, specific TTPs and the scope of the attack, we have medium to high confidence that a threat actor called APT31, also known as Judgment Panda and Zirconium, is behind the activities described in this report.

To exfiltrate data and deliver next-stage malware, the threat actor (or actors) abuse(s) a cloud-based data storage, e.g., Dropbox or Yandex Disk, as well as a service used for temporary file sharing. They also use C2 deployed on regular virtual private servers (VPS). In addition, the threat actor(s) deploy(s) a stack of implants that collect data from air-gapped networks via infected removable drives.

For most implants, the threat actor(s) use(s) similar implementations of DLL hijacking (often associated with Shadowpad malware) and memory injection techniques, along with using RC4 encryption to hide the payload and to evade detection. In addition, libssl.dll or libcurl.dll was statically linked to implants to implement encrypted C2 communications.

In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.

The entire stack of implants used in attacks can be divided into three categories based on their roles:

  • First-stage implants for persistent remote access and initial data gathering
  • Second-stage implants for gathering data and files, including from air-gapped systems
  • Third-stage implants and tools used to upload data to C2

In this article (which is the first part of the report) we analyze common TTPs of first-stage implants used by threat actors to establish a persistent remote access channel into the infrastructure of industrial organizations.

The full report is available on the Kaspersky Threat Intelligence portal.
For more information please contact ics-cert@kaspersky.com.

Variants of FourteenHi

FourteenHi is a malware family discovered in 2021 in a campaign that was dubbed ExCone (1, 2), active since mid-March 2021 and targeting government entities. In 2022 we discovered new variants used in attacks on the infrastructure of industrial organizations.

Various samples of FourteenHi (both x64 and x86) are significantly different from each other in terms of their code structure, implementations of their loaders, and C2 types. But their core distinctive features, such as the C2 communication protocol and the list of commands, are pretty much the same. The most significant difference exists between x86 and x64 variants of FourteenHi.

Samples for x64 have persistence capabilities and a 2-step C2 communication protocol. They accept a relatively long list of commands, including:

  • upload arbitrary files,
  • download arbitrary files,
  • run arbitrary commands,
  • set communication delay,
  • start reverse shell,
  • terminate own process and remove persistence.

To protect communication with C2, they use the API of the statically linked OpenSSL library. In addition, they use RC4 to encrypt / decrypt the data they send / receive from C2.

FourteenHi x64 code for parsing a C2 response
FourteenHi x64 code for parsing commands in a C2 response

The samples for x86 have no persistence capabilities, are not linked with OpenSSL, but still use RC4 encryption. They use a 1-step communication protocol, but the list of commands is almost the same, except for the removal of persistence mechanisms. 

FourteenHi x86 simple switch case for C2 response command matching

The absence of persistence capabilities (which usually require privilege escalation) in variants for x86 and the overall lightness of compiled code make them good candidates for an initial infection stage, which may be used to collect initial information on a host or the local network, download next-stage malware and data stealers, and provide a remote shell for the threat actor. Nevertheless, the threat actor may easily add persistence to the implant by creating a task in Windows Task Scheduler, as we have observed in the wild.

The loading scheme is more or less the same for all of the variants and consists of three main components used by the threat actor to deploy an implant on a victim’s machine:

  1. Legitimate application that is vulnerable to DLL hijacking.
  2. Malicious DLL that is loaded via DLL hijacking and is used to read and decrypt the FourteenHi payload from a binary data file and inject it into some system process such as svchost.exe or msiexec.exe.
  3. A binary data file containing the FourteenHi binary code encrypted with RC4.

All known variants of FourteenHi have config data embedded in their code and encrypted with RC4. The configuration defines the campaign ID, C2 address and port. The configuration of FourteenHi x64 also defines the name and description of the Windows service it creates for persistence when executed without parameters.

MeatBall backdoor

The MeatBall backdoor is a new implant that we discovered in the process of researching attacks. It has vast remote access capabilities, including making lists of running processes, connected devices and disks, performing file operations, capturing screenshots, using remote shell, and self-updating. The implant exists in variants for x86 and x64.

The implant uses a loading scheme based on the DLL hijacking technique, but unlike many other implants, the payload is stored in the malicious DLL loader itself, not in a separate file.

When the vulnerable host application is executed without parameters, the implant calls IsNTAdmin and, if it has sufficient privileges, creates a service named “esetcss”. Otherwise it simply adds itself to the registry key “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunesetcss”
to be automatically executed at OS startup. 

Service created by the MeatBall implant

In both cases the implants are configured to be executed with the parameter “-S”, which tells the implant to read the payload from its own module (.dll) file, decrypt the payload using a one-byte XOR key, start “svchost.exe”, and inject the decrypted payload into it. Then it starts the main C2 communication loop by calling ResumeThread for “svchost.exe”.

The implant is statically linked with libssl.dll, which is used for SSL encryption of C2 communication.

Command codes Description
0x2, 0x11 Update C2 address
0x3 List running processes
0x5 List connected devices
0x6 List connected disks
0x7, 0x8 Collect datetime attributes for files in the folder specified
0x9 Terminate process
0xB Write file
0xC Create file
0xD, 0xF Upload size and content of a file
0x10 Delete file
0x13 Run file
0x14 Close C2 connection
0x15, 0x1C, 0x1D, 0x1E Terminate own process
0x16, 0x17,0x18, 0xA, 0x1F Create remote shell
0x19 Delete files in a folder recursively
0x1A, 0x1B Capture screenshot

Implant using Yandex Cloud as C2

Another interesting implant we found was one that uses the Yandex Cloud data storage as a C2 (https://cloud-api.yandex[.]net) similarly to the malware described in an earlier report. The implant uses a DLL hijacking based loading scheme, in which the malicious DLL decrypts the implant’s body stored in a separate file and injects it into a legitimate process’s memory.

The implant uses statically linked libcurl.dll for SSL-encrypted communication. First it creates a mutex named “Njg8”to prevent more than one instance of itself from being executed at any time, then it collects the following data on the host:

  • Computer name
  • User name
  • IP address
  • MAC address
  • OS version
  • Path to %System%

To upload the data collected to C2, the implant sends a request using an embedded API token to create a directory with a name that is unique to the victim host. Then it creates a file with the prefix “1770_” and the extension “.dat”, saving all information collected in that file.

The main loop of the implant periodically checks a cloud folder named “content” for the latest uploaded files with prefixes “1780_”, “1781_” and “1784_”:

  • Files with prefixes “1780_” and “1781_” contain code in the PE format, e.g., a legitimate application and a malicious DLL for next-stage DLL hijacking.
  • Files with the prefix “1784_” contain commands to be executed using cmd.exe. The output is then stored in a log file, which is immediately uploaded back to C2 and removed from the victim host.

All uploaded and downloaded data is encrypted with the RC4 algorithm.

Strings found in a sample which uses Yandex Disk
Log containing the result of command execution using cmd

Conclusion

The tendency to abuse cloud services (e.g., Dropbox, Yandex, Google, etc.) is not new, but it continues to expand, because it is hard to restrict / mitigate in cases when an organization’s business processes depend on using such services.

Threat actors keep making it more difficult to detect and analyze threats by hiding payloads in encrypted form in separate binary data files and by hiding malicious code in the memory of legitimate applications via DLL hijacking and a chain of memory injections.

Recommendations

  • Install security software with support for centralized security policy management on all servers and workstations and keep the antivirus databases and program modules of your security solutions up-to-date.
  • Check that all security software components are enabled on all systems and that a policy is in place which requires the administrator password to be entered in the event of attempts to disable protection.
  • Consider using Allowlisting and Application Control technologies to prevent unknown applications from being executed.
  • Consider using the Golden image configuration mode for Allowlisting and Application Control to prevent any software that is not allowed (including known vulnerable applications) from being executed.
  • Consider restricting internet access from the OT network by default, allowing access to specific users for limited periods of time and only when it is required to perform their duties.

Appendix I – Indicators of compromise

Note: The indicators in this section are valid at the time of publication.

The full version of indicators of compromise, including Yara rules, is available in a .ioc file on the Kaspersky Threat Intelligence portal.

Variants of FourteenHi

MD5

7332710D10B26A5970C5A1DDF7C83FBA (mpsvc.dll)
2A1CFA6D17627EAAA7A63F73038A93DA (taskhost.doc)
BB02A5D3E8807D7B13BE46AD478F7FBB (cclib.dll)
22E66E0BE712F2843D8DB22060088751 (ToastUI.exe.png)
D75C7BD965C168D693CE8294138136AE (ToastUI.exe.dat)

C2 IP/URL

sfb.odk-saturn[.]com/dialin/login
87.121.52[.]86

Backdoor.Win32.MeatBall

MD5

FFF248DB8066AE3D30274996BAEDDAB6 (oleacc.dll)

C2 IP/URL

freetranslatecenter[.]com
help.freetranslatecenter[.]com
onlinenewscentral[.]com
onlinemapservices[.]com
search.onlinemapservices[.]com
help.onlinemapservices[.]com
apps.onlinemapservices[.]com
edit.onlinemapservices[.]com
booking-onlines[.]com
81.28.13[.]74
92.38.160[.]142
92.38.188[.]135
92.38.190[.]55
103.221.222[.]133
193.109.78[.]243
193.124.112[.]206
194.87.95[.]125

Implant using Yandex Cloud as C2

MD5

A05D6D7A6A1E9669FC4C61223DA3953F (dbghelp.dll)
2F5C889A819CFE0804005F7CE5FD956E (vmService.pkg)

Appendix II – MITRE ATT&CK Mapping

The table below contains all the TTPs identified in the analysis of the activity described in this report.

Tactic Technique Number Technique Name and Description
Execution T1204.002 User Execution: Malicious File
A system is infected when the user runs the malware believing it to be a legitimate document.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Uses cmd.exe to execute multiple commands.
T1106 Native API
Uses the CreateProcessW function to execute commands in the Windows command line interpreter
T1053.005 Scheduled Task/Job: Scheduled Task
Malware is executed with a Windows task created by the threat actor.
Persistence T1547.001 Registry Run Keys / Startup Folder:
Malware achieves persistence by adding itself to the Registry as a startup program.
T1543.003 Create or Modify System Process: Windows Service
Installs itself as a service to achieve persistence.
T1053.005 Scheduled Task/Job: Scheduled Task
Malware is executed with a Windows task created by the threat actor.
Defense Evasion T140 Deobfuscate/Decode Files or Information
Uses RC4 key to decrypt the malware configuration, as well as to protect communication.
T1055.002 Process Injection: Portable Executable Injection
Malware injects itself into various legitimate processes upon execution (msiexec.exe, svchost.exe).
T1497.001 System Checks
Employs various system checks to detect and avoid virtualization and analysis environments.
T1497.003 Time Based Evasion
Employs various time-based methods to detect and avoid virtualization and analysis environments.
T1574.002 Hijack Execution Flow: DLL Side-Loading
Threat actors abuse a legitimate application binary to load malicious DLL.
Discovery T1033 System Owner/User Discovery
Threat actors use systeminfo, whoami, and net utilities to get information about the user and the infected system.
T1057 Process Discovery
Threat actors use tasklist to enumerate running processes.
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Malware uses HTTPS and raw TCP for communication with C2.
T1573.001 Encrypted Channel: Symmetric Cryptography
Malware uses RC4 and SSL TLS v3 (using libssl.dll) to encrypt communication.
Exfiltration T1041 Exfiltration Over C2 Channel
Threat actors exfiltrate data using Dropbox, Yandex Disk, Yandex email and temporary file sharing services as a C2 channel

Authors

  • Kirill Kruglov

    Senior Research Developer, Kaspersky ICS CERT

  • Vyacheslav Kopeytsev

    Senior Security Researcher, Kaspersky ICS CERT

  • Artem Snegirev

    Security Researcher, Kaspersky ICS CERT

Source: https://ics-cert.kaspersky.com/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/