Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

MASEPIE, a new backdoor replacing Headlace to facilitate follow-on actions. In addition to MASEPIE, ITG05 developed another new backdoor dubbed OCEANMAP. X-Force analysis revealed the code basis of CREDOMAP was likely used in the creation of OCEANMAP. In place of CREDOMAP, ITG05 has opted for the use of a new simplified PowerShell script named STEELHOOK.

ITG05 is a Russian state-sponsored group consisting of multiple activity clusters and shares overlap with APT28, UAC-028, Fancy Bear and Forest Blizzard. The observed tools, tactics and procedures (TTPs) featured in the campaigns strongly correlate to recent ITG05 activity. Given their sustained operations tempo and continuously evolving methodologies, it is highly likely that ITG05 will continue to carry out malicious activity against global targets to support state objectives.

Key points

  • As of late February 2024, ITG05 is running multiple phishing campaigns impersonating entities from at least Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States
  • The uncovered lures appear to feature a mixture of internal and publicly available documents, including possible actor-generated lures
  • ITG05 leveraged lures featuring multiple topics including finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, and defense industrial production
  • ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads
  • X-Force observed several new techniques such as the abuse of the “search-ms” protocol and WebDAV servers to deploy malware
  • ITG05 is evolving its malware arsenal, altering older malware such as CREDOMAP and introducing the MASEPIE backdoor

Background

In late 2023, X-Force reported ITG05’s use of authentic publicly available government and non-government lure documents in phishing campaigns across at least 13 nations worldwide. In the reported phishing campaigns, ITG05 delivered Headlace malware to victims within specific geographic boundaries. To facilitate operations, ITG05 leveraged freely available development services including mocky.io, mockbin and infinityfreeapp to stage malicious payloads.

Beginning in November 2023, X-Force uncovered ITG05’s use of multiple lure documents designed to impersonate government organizations in Ukraine, Georgia, Kazakhstan, Belarus, Argentina, and the United States. In concert with reports highlighting ITG05’s campaigns impersonating additional entities in Poland, Armenia and Azerbaijan, the X-Force uncovered lures are likely predominately derived from a mixture of public and internal documents.

However, in an update to their methodologies ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations. To engender victim engagement ITG05 presents an intentionally opaque image of the lures to entice the victim to click through the content and reveal the document. Upon clicking, the victim ultimately launches the infection chain to deliver MASEPIE malware.

Analysis

Lures

Between late November 2023 and February 2024, X-Force uncovered at least 11 unique lures associated with the delivery of the ITG05-exclusive MASEPIE malware. The documents appear to be official documents associated with at least five governments throughout Europe, North and South America, Central Asia, and the South Caucuses. The topics of the documents feature multiple themes including finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, and defense industrial production. Of note, it is possible some of the lures may be actor-created decoy documents.

Argentina

Between December 2023 and late January 2024, X-Force uncovered three unique Spanish-language lure files that likely imitate official documents directed at the Executive Branch of the Argentine Republic.

Fig 1 - Screenshot 2024-01-17 094232.png
Fig 2 - Screenshot 2024-01-17 093959.png
Fig 3 - Screenshot 2024-01-25 131700.png

Dated January 11, 2024, the first lure appears to imitate a government document of the Republic of Argentina’s National Executive Branch. The machine-translated contents reference titled “Notify Refund of Warranty Maintenance Offer” is associated with the legitimate Power Construction Corporation of China (POWERCHINA). However, a close examination of the document reveals multiple misspellings, potentially pointing to evidence that the document is actor-generated.

The second document dated December 27, 2023, features the hallmark and signature block of the Municipality of Saladas and reads as an invitation to the President of Argentina, Javier Milei for an event taking place in February 2024. The final document features the translated title “Budgetary Policy of the Jurisdiction”, which describes the role of the Ministry of Economy in crafting “strategic guidelines” to assist the President with the creation of national economic policy. In January 2024, Russia expressed regret that Argentina rejected an invitation to join the BRICS and hopes it may reconsider. It is possible that ITG05 seeks to attain access that may yield insight into the priorities of the Argentine government.

Ukraine

Within 60 days, X-Force discovered four separate Ukrainian-language documents that feature a range of topics from legislative amendments and the defense-industrial complex to joint science research initiatives and international healthcare acquisitions. Several of the lures appear to be printed documents from public-facing websites, while others seem to be internal policy documents, some of which appear as digital copies of physical documents. Of note, the documents appear to be dated between November 2023 and January 2024. The ongoing war in Ukraine virtually guarantees the continued targeting of Ukrainian mission-critical entities by ITG05.

Fig 4 - Screenshot 2024-02-19 090838.png
Fig 5 - Screenshot 2024-01-09 110526.png
Fig 6 - Screenshot 2024-01-22 185017.png
Fig 7 - Screenshot 2023-12-29 153136.png

Global Security and Investment

X-Force uncovered two English language lures leveraged by ITG05. The first appears as a policy paper originating from the Georgian NGO, Georgian Center for Security and Development, from December 2023 that details cybersecurity recommendations. The second English language document reads as a January 2024 itinerary distributed to participants in the Pacific Indian Ocean Shipping Working Group (PACIOSWG), hosted by the US Navy detailing the 2024 Meeting and Exercise Bell Buoy (XBB24).

In addition, X-Force uncovered what appears to be an internal document belonging to the Ministry of Defense of the Republic of Kazakhstan describing military unit finances. X-Force also discovered a single Belarussian document detailing project recommendations for the creation of commercial conditions to facilitate interstate enterprise under the auspices of the Eurasian Economic Union Integration initiative by 2025. Finally, X-Force uncovered a single French language document that appears to feature a 2024 operating budget proposal by a General Secretariat of the Government. It is likely the collection of sensitive information regarding budget concerns and the security posture of global entities is a high-priority target given ITG05’s established mission space.

Fig 8 - Screenshot 2024-01-23 133120.png
Fig 9 - Screenshot 2024-01-17 094140.png
Fig 10 - Screenshot 2024-02-19 101304.png
Fig 11 - Screenshot 2024-01-22 185105.png

The new infection chain

As of late November 2023, X-Force observed ITG05 using the FirstCloudIT web hosting provider to stage malicious files likely distributed by phishing emails. To avoid victim suspicion, ITG05 crafts what appear as benign subdomains which feature keywords such as ‘docs’ and ‘files’. Similar techniques were observed in previously reported campaigns delivering Headlace. X-Force observed the URLs hosted on FirstCloudIT were available on average for only one to two days.

The flowchart below outlines the stages of an infection via the search-ms protocol, custom WebDAV servers and the delivery of first and second-stage malware: MASEPIE, OCEANMAP and STEELHOOK respectively.

Fig 12- 05_Winter_campaign.drawio (1).png

Fig. 1: Example infection chain of recent ITG05 campaign

Abusing the “search-ms” protocol

Once a victim visits a weaponized site, they are presented with a blurred image of the lure document. A button prompts the user to view the document by clicking.

Fig 13 - Screenshot 2024-01-18 091437.png

Fig. 2: Screenshot of a weaponized site used in a campaign impersonating a municipality in Argentina

Upon access, the victim unknowingly executes the following JavaScript code (example from a campaign impersonating the Argentinian government):

Screenshot 2024-03-11 at 7.50.33 AM.png

A query is executed to an actor-controlled WebDAV server via a “search-ms” URL, stored in the JavaScript command. This action results in prompting the user for their permission to open the Windows File Explorer before initiating the next stages of infection.

Fig 14 - image-2024-1-23_17-33-34.png

Fig. 3: Windows Explorer pop-up

If the victim accepts, the “search-ms” functionality begins by locating the Saved Search XML file (*.search-ms) from the path specified in the “subquery” parameter:

code after fig 3.png

Saved Search File used for the Georgia campaign

From the victim’s perspective, a new File Explorer window is opened with the name “Documents”, provided in the “displayname” parameter of the viewInfo element. The .LNK file is presented to the victim from the path specified in the Saved Search file on the adversary’s server. Should the victim decide to open the malicious .LNK file, a PowerShell command embedded inside is executed:

code snippet after big code after fig 3.png

As a result, the lure PDF is opened in MSEdge, while the malicious Python script (Client.py) is executed by the remote Python interpreter (python.exe) from the actor-controlled WebDAV server.

Of note, X-Force observed that PowerShell was only used in the initial campaigns active in late 2023. The latest builds of the .LNK file use the built-in functionality of a relative path target to reference and run the remote Python executable with a hardcoded argument. The relative path and binary name used on the WebDAV server also mimics the path of the legitimate Microsoft Office executable:

Target code snippet.png

During analysis, X-Force was able to access an open directory on an actor-controlled WebDAV server used in multiple active campaigns.

Fig 15 - image-2024-1-24_14-21-29 (1).png

Fig. 4: Open directory of a WebDAV server used in multiple campaigns

Each of the *.search-ms files indicates an individual campaign linking to their respective weaponized .LNK file contained in the directories. The “User” directory contains the Python interpreter, as well as the MASEPIE payload. Assuming the last-modified timestamps are in standard UTC, these modifications would fall into the regular working hours of 08:46-17:53 Moscow time (UTC+3).

X-Force’s analysis of the infrastructure revealed that the Common Name used in the TLS certificates indicates that both the WebDAV, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers. On February 15, 2024, the U.S. Department of Justice published a press release on the disruption of an APT28 botnet hosted on compromised Ubiquiti routers. There is a realistic possibility that the takedown featured the same infrastructure leveraged by ITG05.

NTLMv2 hash exfiltration

In previous campaigns observed by X-Force, the exfiltration of NTLMv2 hashes for offline cracking or NTLM relay attacks has been a major objective. Campaigns reported by Zscaler, in April 2023, outline ITG05’s use of modified open-source scripts designed to capture NTLM hashes on an infected machine. In addition, the scripts were part of X-Force’s observed ITG05 campaigns that delivered Headlace, which facilitates follow-on payloads capable of NTLM hash extraction.

According to a Palo Alto report, ITG05 also made use of exploits such as CVE-2023-23397, which was actively exploited in email campaigns throughout 2023.

In mid-January 2024, Varonis published a report demonstrating several new vulnerabilities that may be used to leak NTLMv2 hashes. One notable technique demonstrates the abuse of the “search-ms” protocol, which is used by ITG05 as of November 2023 to deploy MASEPIE. In addition to loading payloads, this technique may attempt forced authentication when trying to load a remote resource hosted on actor-controlled infrastructure and resembles techniques used against CVE-2023-23397.

Considering ITG05’s prior campaign objectives, this suggests that ITG05 may be using the new vulnerabilities to leak NTLMv2 hashes in addition to deploying secondary payloads. X-Force also assesses that ITG05 may seek to exploit further vulnerabilities that enable the theft of NTLMv2 hashes, including Outlook vulnerabilities (CVE-2023-35636, CVE-2024-21413). The recent Microsoft Exchange vulnerability (CVE-2024-21410) would enable attackers to use exfiltrated NTLMv2 hashes in relay attacks.

Webhooks usage

Consistent with early Headlace campaigns, the latest ITG05 operations heavily rely on the use of public services such as webhooks (webhook[.]site) to closely track infections. Webhook services are legitimate development tools but are commonly abused for malicious purposes. The ongoing ITG05 campaigns include Interact.sh webhooks in various scripts to relay information back to the operators. The webhooks placed by ITG05 activate once a victim accesses a lure site, and again if they choose to click on a “VIEW DOCUMENT” button. In addition, the initial variants of MASEPIE included further hooks to notify ITG05 operators upon successful execution of malware.

MASEPIE backdoor

The first known variant of MASEPIE was reported by CERT-UA in late December 2023 and continues to evolve. Through analysis, X-Force discovered that the most recent version of MASEPIE does not include any webhooks. To avoid running PowerShell from the weaponized .LNK, ITG05 changed to regular .LNK targets with command line arguments and moved the functionality into MASEPIE. The new variants will immediately open a remote PDF document containing the lure as a decoy with the following Python command:

popen snip.png

The objective of the MASEPIE backdoor is similar to Headlace but is a separate implementation of the unique ITG05 backdoor. MASEPIE attempts to connect every 50 seconds to its hardcoded C2 server port via TCP, sending the result of the “whoami” command together with a random 16-byte key. Then, starts AES-128-CBC encrypted communication listening for one of three commands:

  • “check” which will have MASEPIE return “check-ok”
  • “send_file” which allows MASEPIE to receive a file
  • “get_file” which allows MASEPIE to exfiltrate an arbitrary file

Any other command which is not an empty string will be executed on the machine via Python’s os.popen(<command>) method and return the response.

OCEANMAP backdoor

The OCEANMAP backdoor drops a file “EdgeContext.url” into the Windows Startup directory pointing to its executable for persistence. Then, it starts by logging into the IMAP server used for C2 communication and adds a new email containing the result of the “dir” command among other identifying parameters.

Fig 16 - image-2024-1-25_12-0-45.png

Fig. 5: OCEANMAP C2 communication (IMAP)

OCEANMAP checks the inbox once every minute for any of the following commands:

  • “changesecond” which changes the C2 server and credentials of both the primary and secondary servers
  • “newtime” to change the command checking interval
  • any other command is executed via cmd exe. If it contains the string “echo” the results are returned to the inbox

To check for new commands, the malware searches for emails in the “Drafts” mailbox containing its “name_id” string in the subject. All remotely initiated configuration changes are performed by patching the binary on disk and restarting the malware.

This new malware variant is a more capable backdoor version of its predecessor CREDOMAP, first discovered by CERT-UA in 2022. X-Force’s analysis revealed that OCEANMAP has a strong overlap in both technique and .NET implementation. Several of the functions used in OCEANMAP were repurposed from the original CREDOMAP stealer and used as a base to build the new persistent backdoor. Of note, the stealing functionality has been removed completely and has likely been shifted to a smaller stealer called STEELHOOK.

Fig 17 - image-2024-1-25_8-41-57 (1).png

Fig. 6: Comparison of OCEANMAP and CREDOMAP functions

The “Login” functions used to access the inbox of the IMAP server, are identical in both samples. A comparison of the “create” function, however, reveals several updates:

Fig 18 - image-2024-1-25_8-54-37 (1).png

Fig. 7: Comparison of OCEANMAP and CREDOMAP create() function

The function above generates the emails placed into the IMAP inbox used for C2 communication to return responses. OCEANMAP supports two new parameters in the email-type beacons. The first, “name_id” is a Base64 encoded string of the formatted machine name, username and OS version. The second new parameter “newtime”, is a hardcoded string “newtime1:” followed by a long string of zeroes, for example:

Screenshot 2024-03-11 at 8.17.07 AM.png

The integer directly after newtime (1) denotes the time interval in minutes, how regularly the malware checks for new commands in the inbox.

STEELHOOK stealer

STEELHOOK is a simple PowerShell stealer, likely modified from the PowerShell webhook keylogger found in the PoshC2 framework. It likely replaces the functionality of CREDOMAP as it exfiltrates browser data from Google Chrome and Microsoft Edge via a webhook. According to Google TAG, which tracks the stealer as IRONJAW, the malware was used previously in campaigns from July through August, and September 2023. The activity was attributed to FROZENLAKE, which overlaps with ITG05.

Actions on objective

As stated in the December 2023 CERT-UA report, operations featuring this new ITG05 activity exhibited near immediate follow-on actions, including the deployment of backdoors, initiating network reconnaissance activities, and attempting lateral movement to access domain controllers within one hour of the initial attack. It should be noted that NTLMv2 hashes exfiltrated during an attack are likely to be used in NTLM relay attacks or used for the offline cracking of credentials. A successful relay attack for instance against a Microsoft Exchange server facilitated through CVE-2024-21410 could lead to elevated privileges.

Conclusion

ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities. X-Force assesses with high confidence that ITG05 will continue to leverage attacks against world governments and their political apparatus to provide Russia with advanced insight into emergent policy decisions.

Technical recommendations

X-Force recommends entities with an increased risk to maintain a defensive security posture and to:

  • Monitor for emails containing *.firstcloudit[.]com URLs
  • Stay abreast of newly published exploits likely to be used by APT actors
  • Block NTLMv2 authentication, especially for outgoing connections, and use Kerberos for authentication instead
  • Monitor for abuse of “search-ms” and “wpa” URI handlers
  • Monitor for abuse of WebDAV
    • Process: rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie <malicious_URL>
  • Monitor for .LNK files downloaded from or referencing WebDAV servers
  • Monitor network traffic for signs of webhooks/OOB communication services
    • *.webhook[.]site
    • *.oast[.]fun
    • *.oast[.]pro
    • *.oast[.]live
    • *.oast[.]site
    • *.oast[.]online
    • *.oast[.]me
  • Monitor for suspicious Python files spawning cmd exe
  • Monitor for raw TCP traffic containing the string “<SEPARATOR>” as an indicator of a MASEPIE infection
  • Monitor for suspicious IMAP traffic to unknown servers
  • Monitor for IMAP traffic containing the string “newtime1:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000” as an indicator for an OCEANMAP infection
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization

Indicators of compromise

This table includes campaigns previously reported on by InsideTheLab and CERT-UA for completeness:

Scroll to view full table

Threat Intelligence Index report promo with red, purple & blue fingerprint image

More from X-Force

A diverse group of professionals having a discussion in a modern cyber defense office with large digital screen wall
A diverse group of professionals having a discussion in a modern cyber defense office with large digital screen wall


Why federal agencies need a mission-centered cyber response

4 min read – Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Computer screen displaying a hack in progress exploiting vulnerabilities & granting access
Computer screen displaying a hack in progress exploiting vulnerabilities & granting access


CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read – CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities – Cisco) details CVE-2023-20078 and…

A white envelope and a red triangle with red exclamation point inside standing on a red circuit board
A white envelope and a red triangle with red exclamation point inside standing on a red circuit board


X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read – The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.

Subscribe today

Source: Original Post


“An interesting youtube video that may be related to the article above”