Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing



Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing





























December 2022, the automated synchronized fluxing of dynamic DNS records across Telegram channels and Telegraph sites at scale points to a potential elevation in actor resources and capability devoted to ongoing operations. In addition, by deploying multiple consecutive stages of Hive0051’s exclusive Gamma variant malware, the actor is able to remap victims to separate sets of actor-controlled C2 fluxing clusters.

Based on X-Force observations, these Gamma variants have evolved over time from the initial VBS-based GammaLoad variant, to include multiple obfuscation stages and several scripts designed to enumerate victims and spread malware via connected USB devices. Of note, the most recent iterations of the GammaLoad PowerShell variant moved to a fileless approach and stored all malicious code dispersed in the registry. Likewise, the same has been observed for the GammaSteel PowerShell variant used to exfiltrate files upon infection.

X-Force assesses with high confidence that the evolution of rapid remapping of infrastructure to include multi-channel DNS fluxing, continuous malware development and the growing sophistication of malware and obfuscation is evidence of Hive0051’s increasingly elevated level of capability.

Key findings

  • For at least the last 12 months, Hive0051 has utilized a “multi-channel” fluxing approach to rapidly remap infrastructure to conduct operations and obfuscate activity.

  • X-Force is tracking multiple infrastructure clusters with dedicated Telegram channels, DNS apex domains, and Telegraph sites.

  • Hive0051 is able to graduate victims from one cluster to another by deploying multiple consecutive stages of Gamma variants.

  • Based on X-Force observations, Hive0051 has continuously evolved its malware development, experimenting with new techniques, adding obfuscation and several scripts designed to enumerate victims and spread malware to connected USB devices.

  • The recent PowerShell variant of the Gamma malware has switched to using a fileless approach, storing all malicious code dispersed in the Windows registry. The same has been observed for the GammaSteel PowerShell variant used to exfiltrate files and credentials upon infection.

  • It is highly likely that Hive0051 will continue to foster evolving methodologies to facilitate operations potentially indicating increasingly elevated levels of capability.

Analysis

What is multi-channel DNS fluxing? 

Standard DNS fluxing or fast-fluxing, is a technique threat actors use to rapidly rotate infrastructure by regularly changing the IP address their C2 domain points to in public DNS records. Hive0051 has adopted the novel use of multiple channels to store DNS records as opposed to a traditional DNS record configuration. In this methodology, public Telegram channels and Telegraph sites are essentially used as DNS servers and are fluxed in synchrony together with the DNS records. This enables Hive0051 to fallback to secondary channels in order to resolve the currently active C2 server, should the domain be blocked via any of the other channels. 

Infection chain

The use of fast fluxing in place of definite subdomains to facilitate operations is a relatively new technique employed by Hive0051 to obfuscate activity and avoid threat detection. During the course of routine tracking of Hive0051 activity, X-Force uncovered new HTA files delivering Hive0051’s exclusive GammaLoad malware. The machine-translated text of collected HTA filenames pointing to a wscript.exe executable, appear in multiple Slavic languages and are crafted to appear as legitimate legal or project notifications to manufacture a sense of urgency. Given past Hive0051 operations, the files were likely delivered via phishing campaigns; however, X-Force observed the added functionality featured in the uncovered VBS and PS GammaLoad variants which enables its spread via USB drives signaling the potential use of physical access via infected USB devices.

Activation of the malicious links initiates the infection chain illustrated in the following diagram, which visualizes the various stages of a GammaLoad infection observed by X-Force.

Hive0051_1.png

Fig. 1: GammaLoad multi-stage infection graph

Infection vector

GammaLoad infections can be traced back to a number of malicious .XHMTL files. These contain obfuscated and Base64 encoded data, revealing a JavaScript dropper.

Hive0051_2.png

Fig. 2: .XHMTL file containing space separated Base64 data

Hive0051_3.png

Fig. 3: JavaScript dropper 

The dropper contains a payload which is decoded and downloaded by the browser as a RAR file. It also loads a remotely hosted resource, only displayed as a single pixel, in order to track successful downloads. 

The resulting RAR archive contains a folder and an .HTA file (HTML Application), both using enticing names designed to trick victims into opening it:

Hive0051_4.png

Fig. 4: .HTA file with filename lure

Once opened, the .HTA file runs a short VBScript block to download and execute another remote .HTA file via the windows binary mshta.exe.

Hive0051_5.png

Fig. 5: .HTA downloader

GammaDrop: HTA variant

The downloaded .HTA is the VBScript-based GammaLoad installer, which has been used consistently for several months as of October 2023. It drops the embedded GammaLoad payload as a text file to:

Scroll to view full table

Note that the filename differs among samples. 

The most recent variants also search for a specific process running on the host: QHActiveDefense.exe. This process is part of the 360 Total Security anti-virus software. If it is detected, the embedded GammaLoad payload is run using the command:

Scroll to view full table

without establishing persistence in the registry. 

If the installer does not detect the anti-virus process, it additionally writes the above command into a registry key at:

Scroll to view full table

The name of the registry key also varies between samples.

Lastly, the installer attempts to open a document located at:

Scroll to view full table

This may intentionally throw an unobtrusive error.

GammaLoad: VBS variant

One of the most commonly observed variants of GammaLoad is written in VBS. It runs its main function in regular intervals of approx. 90 seconds. During a run, it will start by resolving its C2 server. GammaLoad has several techniques to accomplish this, also depending on the variant. All variants support resolving an IP via DNS. GammaLoad uses a unique mechanism, by executing a WMI query:

Scroll to view full table

This runs the ping command against a specific domain. The prefix used is often a hardcoded keyword found in VBScript, for example, “FileExists” or “Asc”. It is then concatenated with a random integer between 1 and 100 that is generated at runtime. Each sample also contains a hardcoded apex domain, which is used to build the subdomain for the DNS query. A few such example domains would be:

Scroll to view full table

Secondary mechanisms to resolve C2 IPs include querying hardcoded Telegram channels or Telegraph websites.

Hive0051_6.png

Fig. 6: Telegram channel

Hive0051_7.png

Fig. 7: GammaLoad parsing C2 IP from Telegram

Hive0051_8.png

Fig. 8: Telegraph site displaying C2 IP and Telegram channel ID

The more recent variants would not only resolve an IP address but also a corresponding Telegram channel ID. Both are written into text files and dropped to the %TEMP% directory or a folder within %APPDATA%.

Once GammaLoad retrieves an active C2 IP address, it goes on to craft multiple HTTP requests. The target URLs would often contain multiple random integers at specific locations, as well as hardcoded paths. These differ between samples, just like the custom HTTP headers added to the requests. Below is a list of different attempted header variants incorporating hardcoded values:

Scroll to view full table

Note that some of these headers are actually overwritten by the MSXML2.XMLHTTP object and cannot be manually set by the malware (such as Content-Length). This may be used to identify requests crafted by researchers, as well as non-matching hardcoded values such as Cookie. 

The User-Agent string follows a specific format. It usually contains a real user agent, followed by the C-drive serial number and the computer name environment variable. The information is likely used to register a victim with the C2 server and control further payloads.

Scroll to view full table

As a response, GammaLoad expects two types of payloads. If the response is between 5 and 20 characters long, it treats it as a new telegram ID and updates the corresponding file. Any longer response is deobfuscated, base64-decoded and executed as VBScript in memory.

GammaDrop: VBS variant

One of the GammaLoad payloads X-Force observed is a more sophisticated variant of GammaDrop. It consists of a large VBScript file, with multiple encoded and hardcoded payloads. Each of the components accomplishes a different task, by either deobfuscating others, establishing persistence, or being the next payload. 

This variant of GammaDrop creates a new scheduled task after dropping its payload. The payload is another variant of GammaLoad. Of note, GammaDrop already writes the two text files GammaLoad needs, containing a hardcoded IP address and Telegram chat ID. By deploying another variant of GammaLoad on an already infected host, the threat actor is able to sort victims and transfer them to a new C2 cluster.

USB Spreader

GammaLoad also has the capability to spread via USB drives. It does this by copying itself recursively into subfolders of connected USB drives. In order to lure victims into executing it, GammaLoad uses enticing filenames for Windows shortcut files pointing to wscript.exe with a hidden payload.

Hive0051_9.png

Fig. 9: Deobfuscated GammaLoad USB spreader

The USB drives’ subfolders are recursively infected up to a depth of 3.  

GammaLoad: Fileless PS variant

In addition to the VBScript-based variants, there is also a PowerShell version. Most of its functionality such as the USB spreading, C2 resolving and communication works very similarly. One observed advantage of the PowerShell version is the storing of all necessary code in the registry, making it almost completely fileless:

Hive0051_10.png

Fig. 10: GammaLoad code stored in the registry 

In order to run, this variant dynamically loads and stores PowerShell code under the registry path

Scroll to view full table

The following diagram illustrates how the different PowerShell execution blocks are used:

Hive0051_11.png

Fig. 11: GammaLoad PowerShell registry execution

Most of the code is executed as a PowerShell job after being loaded from the registry. Before copying to the USB drive, GammaLoad makes sure to merge all of the codebase back into a single PowerShell template, which also writes the initial registry persistence key and populates the registry again for the next victim. 

Just like the VBS variant, it chooses from a list of potentially luring filenames to create malicious shortcut files:

Hive0051_12.png

Fig. 12: GammaLoad preparing shortcut file

The PowerShell variant of GammaLoad also uses a different prefix for resolving its C2 address and is likely operated by a separate cluster of C2 servers.

C2 infrastructure

GammaLoad uses several different mechanisms to resolve its C2 server’s IP address. To avoid detection and takedown, the C2 infrastructure also makes use of a technique known as fast-fluxing. 

Every GammaLoad sample contains (or receives) a hardcoded apex domain, as well as a telegram channel ID. In some cases, there is an additional telegraph URL, which is used as well. The apex domain is set up with a wildcard DNS record, causing all subdomains to resolve. Since GammaLoad chooses random subdomains of a specific pattern, the DNS queries are always for a different subdomain. 

The C2 infrastructure consists of a large cluster of IP addresses. A GammaLoad sample’s apex domain rotates through these IP addresses, by having its DNS records changed frequently. Currently the IP addresses are updated between 1-3 times a day.

Below is a table outlining the scale of one campaign. A large quantity of actor-controlled domain names resolves to one active C2 IP address.

Hive0051_13.png

Fig. 13: Passive DNS results for GammaLoad (VBS) C2

The subdomains contain a specific keyword, which is hardcoded in each sample. For instance, a single day of activity in late September 2023 and a single C2 server, hosted more than 120 unique apex domains found in passive DNS data. Using the hardcoded prefixes X-Force was able to estimate a lower bound of infected victims within that 24-hour period – adding up to at least 247 infections. It is virtuality certain the actual number of infections is higher, as these calculations are based solely on directly observed unique keyword+apex pairs and DNS requests whose visibility is limited by the scope of available DNS telemetry. However, the number of infections may also be impacted by “intentional” infections caused by the engagement of researchers executing payloads within sandbox environments.

Over the course of X-Force monitoring, Hive0051 has demonstrated a notable increase in volume of attacks. In late October 2023, a single C2 server hosted a minimum of 1,027 active GammaLoad VBS infections spanning across 327 unique domains in a single 24-hour period.

For comparison, GammaLoad’s PowerShell variant uses a different prefix for its apex domains, consisting only of a random integer, in order to avoid generating duplicate subdomains:

Hive0051_14.png

Fig. 14: Passive DNS results for GammaLoad (PS) C2

By looking at the domain history of some of these domains, we can pivot to find further IP addresses used for C2 communication: 

Hive0051_15.png

Fig. 15: Domain history for apex domain antarcticos[.]ru

Hive0051_16.png

Fig. 16: Domain history for apex domain garibdo[.]ru

Both domains show the same pool of rotated IP addresses in their historic DNS records, with only a few exceptions. This is an indicator that both domains are used by the same campaign and GammaLoad variant. 

Of note, GammaLoad fluxes its DNS records in sync with its multi-channel infrastructure; like Telegram and Telegraph. Every time the DNS record is updated, the corresponding telegram channel’s operator deletes the last message and sends a new one containing the latest IP address. This “multi-channel-fluxing” technique ensures correct dynamic IP resolving, even if the apex domain has been found and blocked by a DNS server.

Secondary payloads

After connecting to its C2 server, GammaLoad quickly downloads and executes further payloads. These are often VBS/PS scripts with different objectives. Firstly, it is not uncommon for GammaLoad to drop another stage of GammaLoad onto an infected host. This is often a different variant, containing a new apex domain and telegram channel ID. Presumably, this is done to “graduate” infected machines into another cluster after initial infection, making it easier to sort victim machines. The new C2 apex and telegram combination often has little to no overlap with the previous one. The next stage of GammaLoad may include additional functions that support more payloads, enumeration or USB spreading. 

GammaLoad also downloads data exfiltration and reconnaissance scripts within minutes of infection. These are often PowerShell-based, per the example below:

Hive0051_17.png

Fig. 17: PowerShell reconnaissance script

The full script collects the following information:

  • Screenshot

  • Anti-virus products

  • System info

GammaSteel

X-Force also observed a PowerShell-based GammaSteel variant residing in the registry, dispersed among different keys just like GammaLoad. GammaSteel makes use of a database file “layout.xml” to store pseudo-hashes of exfiltrated files and avoid duplicate uploads. The files are selected based on hardcoded extensions and copied into a temporary directory before the upload.

Hive0051_18.png

Fig. 18: GammaSteel PowerShell variant

This particular sample also used a hardcoded IP address as a fallback C2 server, obfuscated as an integer array:

Hive0051_19.png

Fig. 19: GammaSteel script defining configuration values

Conclusion

Hive0051’s signature style is the use of relatively simple yet effective malware. Evidence of this is this group’s wide arsenal of different variants as well as the large scale of its campaigns and infrastructure, observed in passive DNS data. Hive0051 does not appear to focus on staying under the radar but rather relies on increasing obfuscation and using longer infection chains before deploying more novel or advanced variants. Over time Hive0051 has exhibited the tendency to reuse code, TTPs, and infrastructure. Nevertheless, Hive0051 has steadily introduced credible improvements and explored new techniques such as moving code to the registry, dispersing payloads, switching C2 request patterns, and adding further functionality to its toolsets. 

It is highly likely Hive0051 will continue to focus activity against entities based in and surrounding Ukraine given its established mission space and demonstrated operations tempo. The observed malware undergoes constant improvement, making it more resilient against detection and blocking. The new use of multi-channel DNS Fluxing capability to rapidly remap infrastructure to conduct activity may possibly point to an elevated threat capability. X-Force recommends entities in-region remain at heightened level of defensive security.

Recommendations

    • .HTA

    • .HTML

    • .XHTML

    • .LNK

  • Monitor for suspicious connections to Telegram and Telegraph services

  • Hunt for registry keys containing PowerShell code.

  • Search for existing signs of the indicated IoCs in your environment. 

  • Keep applications and operating systems running at the current released patch level.

  • Exercise caution with attachments and links in emails.

To learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Threat Intelligence

A red digital rendering of the globe of the Earth
A red digital rendering of the globe of the Earth

Hive0051 goes all in with a triple threat

13 min read – As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051’s use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

A blue rendering of the Earth from space at night with neon pink lines connecting various geographies
A blue rendering of the Earth from space at night with neon pink lines connecting various geographies

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read – As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Computer screen displaying a hack in progress exploiting vulnerabilities & granting access
Computer screen displaying a hack in progress exploiting vulnerabilities & granting access

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read – CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities – Cisco) details CVE-2023-20078 and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.

Subscribe today

Source: https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/

Tags: CVE, PATCH, VULNERABILITY, PERSISTENCE, DNS, PAYLOAD, BROWSER, MONITOR