“Earth Simnavaz Launches Advanced Cyberattacks on UAE and Gulf Regions”

Earth Simnavaz has been known to leverage compromised organizations to conduct supply chain attacks on other government entities. We expected that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets.

There is also a documented overlap between Earth Simnavaz and another APT group, FOX Kitten. In August, an alert from the Cybersecurity and Infrastructure Security Agency (CISA) highlighted FOX Kitten’s role in enabling ransomware attacks targeting organizations in the US and the Middle East. These threats should be taken seriously, as the potential impact on compromised entities could be significant.

Observed toolset and techniques

An initial infection was detected when a web shell was uploaded to a vulnerable web server. This web shell extracts values from HTTP request headers (“func” and “command”), as shown in Figure 2. By passing both arguments to other functions, the web shell allows the threat actor to perform various actions (Table 1):

The web shell also decrypts arguments received from the threat actor. It takes a Base64-encoded, AES-encrypted string, decrypts it using a specified key and initialization vector (IV), and returns the decrypted plaintext (Figure 3).

The response sent back to the threat actor is encrypted using a different function. This response is encrypted with AES using the given key IV. The resulting encrypted string is Base64-encoded (Figure 4). 

Exploiting CVE-2024-30088 for persistence

After the web shells were implanted on the victim machines, another file called “r.exe” was dropped and executed. This is a simple loader that takes the first argument as the input file, decodes it in one-byte-XOR operation, and executes it. The codes in this loader were reused from an open-source tool (Figure 5). The payload file was encoded to bypass traditional detection methods.

A payload file called “p.enc” comes with the loader under the same folder. The decoded payload turns out to be a privilege escalation tool. As its PDB string represents, this tool exploits CVE-2024-30088:

C:UsersreymondDesktopCVE-2024-30088-mainx64Releasepoc.pdb

This vulnerability, which was patched in June, allows threat actors to run arbitrary code in the context of SYSTEM and it works on multiple versions of Windows 10 and 11.

Our analysis showed that the codes were reused from an open-source project (Figure 6). By using RunPE-In-Memory, combined with CVE-2024-30088, the threat actor was able to carry out their malicious actions stealthily.

This privilege escalation tool is coded to execute another dropped executable named “t.exe”, a .NET-compiled installer that creates persistence by using the predefined task definition “e.xml”. The installed schedule task is for executing the script “u.ps1”. The final “u.ps1” we collected seemed to be replaced with a useless script, leading us to suspect that the threat actors intentionally altered the script and disrupted the incident investigation.

Abusing the dropped password filter policy

As mentioned earlier, the threat actor has been observed utilizing a tool similar to one identified in our previous research on the same entity. This tool exploits on-premises Exchange servers to exfiltrate credentials to email accounts under their control.

Additionally, abusing the dropped password filter policy has been detected as a method for acquiring credentials, which are then exfiltrated via email. Threat actors can manipulate password filters to intercept or retrieve credentials from domain users via domain controllers or local accounts on local machines. This exploitation occurs because the password validation process necessitates the plaintext password from the Local Security Authority (LSA).

Consequently, deploying and registering a malicious password filter can facilitate credential harvesting each time a user updates their password. This technique necessitates elevated privileges (local administrator access) and can be executed through the following steps:

1. Password Filter psgfilter.dll be dropped into C:WindowsSystem32
2. Registry key modification to register the Password Filter [DLL HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsa
   Notification Packages = scecli, psgfilter]

By using this technique, the threat actor can capture and harvest every password from compromised machines, even after they have been modified. The malicious DLL includes three exported functions (Figure 9) that facilitate the primary functionality of registering the DLL with the LSA (Figure 8):

• InitializeChangeNotify: Indicates that a password filter DLL is initialized.
• PasswordChangeNotify: Indicates that a password has been changed.
• PasswordFilter: Validates a new password based on password policy.

The malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions. Similar to the incident in our previous research, the threat actor also utilized plaintext passwords to gain access and deploy tools remotely.  The plaintext passwords were first encrypted before being exfiltrated when sent over networks.

Exfiltrating data through legitimate mail traffic

The primary function of the exfiltration tool (identified by Trend Micro as STEALHOOK) involves retrieving valid domain credentials from a specific location, which it then uses to access the Exchange Server for data exfiltration. The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers.

The backdoor exhibits significant similarities to one previously attributed to the same group in our earlier research. The main functionalities of the backdoor can be categorized as follows:

• Retrieving User Credentials (Figure 10) – Calls the GetUserPassFromData function to retrieve the username and password needed for authentication from this file: C:ProgramDataWindowsUpdateServiceUpdateDiredf 

• Retrieving Email Sending Data (Figure 11) – Calls the GetSendData function to retrieve necessary configuration data for sending an email from this file: C:ProgramDataWindowsUpdateServiceUpdateDiredf 
  • Server: The specific Exchange mail server for the targeted government entity where the data is leaked through.
  • Target: The email addresses through which the malicious actors receive the exfiltrated data.
  • Domain: The internal active directory (AD) domain name related to the targeted entity.

• Sending Email (Figure 12) – If the configuration data retrieval is successful, the program constructs a message containing the user credentials and the configuration data. The email is sent with a specified subject and body, and all files in the following directory are attached: C:ProgramDataWindowsUpdateServiceUpdateDir
  • Email Subject: “Update Service”
  • Body: “Update Service Is Running…”

Using RMM tools

The threat actor recently upgraded their toolkit by incorporating RMM tools such as ngrok in their latest attacks. Ngrok is a legitimate tool used to create secure tunnels from a local machine to the internet, allowing access to internal services through public URLs. However, cyber attackers can exploit ngrok to bypass firewalls and network security controls for malicious purposes. They may use it to establish command-and-control (C&C) communication, exfiltrate sensitive data, or deploy payloads by creating undetected tunnels between compromised machines and their servers, making it harder for security teams to detect suspicious activity.

The ngrok tool was downloaded onto the server using a PowerShell script (Figure 13), after which a WMI command was utilized to authenticate to a remote server, copy the file, and execute it remotely.

It appears that the threat actor utilized this tool in the later stages of the attack, leveraging a valid account and password for authentication. These credentials were likely obtained during earlier phases of the operation, in which accounts and passwords were stolen and exfiltrated.

Attribution

Multiple data points and indicators attribute this attack to Earth Simnavaz, with evidence showing that the group remains active, specifically targeting Middle Eastern countries and government entities. This campaign, like that in our previously reported research, involved the targeting of Exchange servers and relaying communications through them. A significant similarity has been observed at both the code and functionality levels between the Exchange backdoor used in this attack and the one seen in the earlier campaign.

Additionally, both tools share characteristics with the Karkoff backdoor, which is also linked to the same threat actors and exploits the Exchange Web Services (EWS) API for malicious activities. Earth Simnavaz’s tactics also overlap with that of FOX Kitten, another threat group which likewise has been observed using the RMM tool ngrok.

Conclusion

Iranian APT groups like Earth Simnavaz have become increasingly active, particularly in targeting the government sector in the Middle East, with a strong focus on the Gulf region. Based on the group’s toolset and activities, it’s evident that they aim to establish a persistent presence within compromised entities, using the affected infrastructure to launch further attacks on additional targets. Their primary goals appear to be espionage and the theft of sensitive governmental information.

Earth Simnavaz continues to rely on IIS-based malware such as web shells, customized .NET tools, and PowerShell scripts as core components of their attack arsenal. Recent campaigns have confirmed this technique remains actively in use.Geopolitical tensions likely play a significant role in this surge, and government sectors in the Middle East and Gulf region should take these threats seriously. Earth Simnavaz’s approach involves blending into normal network activity and customizing its malware to avoid detection.

Intelligence-driven incident response will be essential in effectively managing and mitigating these types of attacks. While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defensive measures against threats like that posed by Earth Simnavaz.