Hellhounds: Operation Lahat. Part 2

Introduction

In November 2023, the team at the Positive Technologies Expert Security Center (PT ESC) released their first research report on attacks by the hitherto-unknown group Hellhounds on Russian companies’ infrastructure: Operation Lahat. The report focused on the group’s attacks on Linux hosts that relied on a new backdoor known as Decoy Dog. Hellhounds carried on attacks on organizations located in Russia, scoring at least 48 confirmed victims by Q2 2024.

As the PT ESC CSIRT team responded to an incident at a transportation company, they detected previously unreported attacks on Windows-based infrastructure, besides already-known TTPs (Tactics, Techniques, and Procedures) and attacks on Linux hosts. The new investigation also found that Hellhounds had been successfully hitting Russian companies since at least 2021. It is a known fact that development of the malware began at least as early as 2019.

The Hellhounds group compromises organizations they select and gain a foothold on their networks, remaining undetected for years. In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted relationships. The malicious actor presumably penetrated the infrastructures by using supply chain attacks.

It would often disguise its tools as legitimate software processes including Positive Technologies products.

The report describes previously unknown parts of the group’s toolkit, their obfuscation methods, and lists indicators of compromise and malware sample detection signatures.

An extended version of the research report was first presented at the international information security cyberfestival Positive Hack Days 2.

First Stage (Decoy Dog Loader for Windows)

After successfully compromising a Linux infrastructure, an event we described in detail last year, the malicious actor made a successful attempt to compromise mission-critical hosts running Windows. Having gained access to the system, the attackers installed a service named “Microsoft Account Service” or “Microsoft Viewer Service”, which ran the PE executable AccSrvX64__STABLE__2016-11-10.exe or R_TARIF.VIEWS_X86.EXE. Below is an example of the services.

    
{
"Name": "Microsoft Account Service",
"Caption": "Microsoft Account Service",
"Description": "",
"DisplayName": "Microsoft Account Service",
"PathName": "C:[REDACTED]accounts64AccSrvX64__STABLE__2016-11-10.exe",
"ProcessId": 5092,
"Started": true,
"State": "Running",
"SystemName": "[REDACTED]",
"TimeLine": "2024-01-02T21:14:53.132165Z",
"ModuleName": "Win32_Service"
}

    
{
"Name": "Microsoft Viewer Service",
"Caption": "Microsoft Viewer Service",
"Description": "",
"DisplayName": "Microsoft Viewer Service",
"PathName": "C:[REDACTED] R_TARIF.VIEWS_X86.EXE",
"ProcessId": 5548,
"Started": true,
"State": "Running",
"SystemName": "[REDACTED]",
"TimeLine": "2024-01-03T22:04:30.5586058Z",
"ModuleName": "Win32_Service"
}

Interestingly, the malicious actor’s activity in the compromised organization’s Windows-based infrastructure began amid the New Year’s holiday season on January 2 and 3.

The executable file size is 17 KB. After the service is started successfully, the sample decrypts a list of domains inside the .rdata section and then attempts to resolve the resulting domain names.

Each encrypted domain begins with an FF byte. Encryption uses a simple algorithm based on two operations: xor and subtract. Decryption involves the number of the character in the row and the row number; row character numbers start at zero.

The domains have the following format:

    
[-][!][!][...]<domain>

The “-” option means the domain does not have to be resolved. If it could not be resolved, the loader moves on to the next domain on the list. The “!” option is only used together with the “-” to show the number of resolve attempts that were made before the domain was skipped. The number of resolve attempts is calculated as 2^n, where n is the number of consecutive “!” options. If the option is missing, only one resolve attempt is made.

Domains in the configuration are used when obtaining a part of the key for payload decryption. They also can be used for generating legitimate-looking traffic and getting around sandboxes.

A superficial dynamic analysis may suggest that domains used at this stage are C2 servers. However, a detailed analysis shows that both domains and subsequently obtained IP addresses are used for key generation only and possibly, for disguising as legitimate utilities. Besides, the malware is notable for its ability to use non-existent subdomains located in valid domains, such as mp0.ptsecurity.com. While this may create a semblance of legitimacy, the domain is certain not to be resolved.

A domain with a “-” option is used for generating traffic but not a key. A domain like that must not be resolved, or alternatively, it is resolved after the right domain. One of the domains must be resolved and have a static IP address—this is what will be used for generating a key. The malicious actor notably used this feature as a kill switch to shut down the malware in a target system.

After all domains in the configuration are decrypted and resolved, the loader proceeds to decrypting the next block.

The block has a fixed size of 256 bytes, and it is encrypted with the CLEFIA algorithm in CBC mode. It contains the path to the main backdoor. The key is generated as follows: the name of the executable file minus the final zero is uppercased, and the byte-coded IP address is appended to it. The resulting byte string is hashed with SHA-3 to produce a 256 byte output. The first 16 bytes are used as the key, and bytes 5 through 20, as the initialization vector. Example of key generation.

After decrypting the path to the backdoor, the loader reads and decrypts it in the same manner, by using the same key and initialization vector, and then passes control to its entry point. Interestingly, unlike the Linux sample, the Windows malware does not check the integrity of decrypted data.

The backdoor has the MZ signature replaced with HE, and the PE signature, overwritten as a random 4-byte sequence.

The malicious actor invested a lot of effort in disguising its activity on the hosts that it compromised. To do this, they imitated MaxPatrol SIEM and Microsoft services.

Tellingly, the Linux samples were virtually unusable unless they passed a machine-id check, that is, the malware could not be run without a valid identifier. The Windows samples do not contain a check like that, although they do check the executable name, which never matches the original filename in the metadata, a weaker check. If the IP address changes, the researchers can use PDNS (Passive DNS) services.

Second Stage (Decoy Dog for Windows)

The decrypted payload is all but identical to the Decoy Dog version for Linux examined earlier. The backdoor is based on the open-source project Pupy RAT.

All of the samples we managed to discover used the C2 server net-sensors[.]net and the DGA domain dynamic-dns[.]net. Neither of the samples had a dynamic configuration.

Configuration example:

    
{'debug': False, 'launcher': 'dnscnc', 'launcher_args': ['--domain', 'net-sensors.net', '-E', 'dynamic-dns.net'], 'delays': [(10, 5, 10), (50, 30, 50), (-1, 150, 300)] [REDACTED] 'cid': 61336226}

Below is a detailed chart showing how Decoy Dog works on Windows hosts.

In the course of our research, we detected samples targeting Windows, the oldest of these compiled on 29.11.2019, and the newest one, on January 3, 2024. Besides Decoy Dog, the malicious actor made use of the well-known Sliver framework with the C2 server 31.184.204[.]42 (ns2.maxpatrol[.]net). Similar samples are examined in detail in “Sliver Implants under a Lens: Extracting the Configuration and Other Useful Data“. The table below shows all of the Windows samples we obtained.

Most of the samples contain the domain dns.msftncsi.com in their configurations, a test server for the Windows Network Connectivity Status Indicator, NCSI.

After examining the configurations of all samples we obtained during the research, we identified SSL certificates that the backdoor used to encrypt its connections with remote hosts. The certificates contained the earliest notBefore option at the end of 2021 (12/26/2021 at 21:51:52), and the latest option, on 11/8/2023 at 13:48:36. This places the campaign start at the end of 2021. Certificates were issued for one and three years from the time the images were generated. This certificate generation algorithm is implemented in the public Pupy RAT project.

After analyzing all of the samples we found, we compared their features, the issue dates of the certificates in the configuration, and the VirusTotal upload dates. The relevant feature set appeared in between these dates—this time range is marked dull blue in the image. This data can be used to tentatively distinguish two versions of Decoy Dog. Compared with Pupy RAT, the project migrated to Python 3.8, added new transports, and received a DGA mechanism. The second version, created between April 2022 and February 2023, gets a telemetry scriptlet described in detail in the previous article, a dynamic configuration, and a Special launcher to run as a server on the local machine.

The earliest Decoy Dog loader sample, compiled at the end of 2019 (11/29/2019), deserves special attention. The sample is the original version of the loader whose code contains several debugging strings. This suggests that the development of the Decoy Dog loader began in 2019.

3snake

The malicious actor used a modified open-source 3snake utility to obtain credentials on hosts running Linux. To reduce excess functionality and evade signature detection, the command-line start option was disabled in the utility, which left just demon mode. Additionally, the utility ignores “-o” values, instead using the hardcoded path /var/log/apt/term.log.gz for outputting compromised credentials.

Unlike the original utility, the path to the file in the sample and intercepted data are encrypted with the RC4 algorithm. The utility can intercept SIGINT, SIGQUIT, SIGHUP, SIGPIPE, SIGTERM, SIGSEGV, SIGBUS, SIGILL, and SIGCHLD system-call interrupts. It also adds intercept_openldap to the already-available intercept_ssh, intercept_sudo, intercept_su, intercept_ssh_client, and intercept_passwd functions. This is how the malicious actor stole a number of credentials for further movement across the network.

Initial Access

In two incidents, the attackers managed to penetrate the victims’ infrastructure via a contractor. By compromising SSH login credentials, the malicious actor got in and installed the Decoy Dog backdoor.

We also managed to obtain content from the C2 server net-sensor[.]net and discovered that the malicious actor disguised Decoy Dog as ISO images for the iMind online meeting, video conferencing, and webinar service. Unfortunately, we could not find out under what pretext and how exactly the malicious actor made the victims run one of the ISOs. Note that in September 2023, the National Computer Incident Response and Coordination Center issued a notice about an increased frequency of computer incidents associated with exploiting a vulnerability in the iMind video conferencing service and recommended updating iMind to version 3.19.

Victims

As a result of the research into the group’s activities, we detected a number of previously unknown attacks on organizations located in Russia: the number of confirmed victims more than doubled, reaching 48. At the time of preparing part one of the research report, we were aware of 20 Hellhounds victims. An analysis of the new attacks suggests that, in addition to focusing on the public sector, the attackers have been harassing Russian IT companies, most of these being contractors for critical organizations. These companies were presumably targeted for trusted relationship attacks. The up-to-date victim breakdown by industry looks as follows: