Submitted URL: http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/
Effective URL: https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage


Threat Analysis



THREAT GROUP 3390 CYBERESPIONAGE

Dell SecureWorks Counter Threat Unit™ (CTU) Investigated Activities Associated
with Threat Group-3390
Wednesday, August 5, 2015 By: Dell SecureWorks Counter Threat Unit Threat
Intelligence



SUMMARY

Dell SecureWorks Counter Threat Unit™ (CTU) researchers investigated
activities associated with Threat Group-3390[1] (TG-3390). Analysis of TG-3390's
operations, targeting, and tools led CTU researchers to assess with moderate
confidence the group is located in the People's Republic of China. The threat
actors target a wide range of organizations: CTU researchers have observed
TG-3390 actors obtaining confidential data on defense manufacturing projects,
but also targeting other industry verticals and attacking organizations involved
in international relations. The group extensively uses long-running strategic
web compromises[2] (SWCs), and relies on whitelists to deliver payloads to
select victims. In comparison to other threat groups, TG-3390 is notable for its
tendency to compromise Microsoft Exchange servers using a custom backdoor and
credential logger.

CTU researchers divided the threat intelligence about TG-3390 into two sections:
strategic and tactical. Strategic threat intelligence includes an assessment of
the ongoing threat posed by the threat group. Executives can use this assessment
to determine how to reduce risk to their organization's mission and critical
assets. Tactical threat intelligence is based on incident response
investigations and research, and is mapped to the kill chain. Computer network
defenders can use this information to reduce the time and effort associated with
responding to TG-3390.


KEY POINTS

Explanations of how CTU researchers identify attribution and gauge confidence
levels are available in Appendix A.

 * CTU researchers assess with moderate confidence that TG-3390 is based in the
   People's Republic of China.
 * CTU researchers have evidence that the threat group compromised U.S. and UK
   organizations in the following verticals: manufacturing (specifically
   aerospace (including defense contractors), automotive, technology, energy,
   and pharmaceuticals), education, and legal, as well as organizations focused
   on international relations. Based on analysis of the group's SWCs, TG-3390
   operations likely affect organizations in other countries and verticals.
 * TG-3390 operates a broad and long-running campaign of SWCs and has
   compromised approximately 100 websites as of this publication. Through an IP
   address whitelisting process, the threat group selectively targets visitors
   to these websites.
 * After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to
   its victims. The threat actors then move quickly to compromise Microsoft
   Exchange servers and to gain complete control of the target environment.
 * The threat actors are adept at identifying key data stores and selectively
   exfiltrating all of the high-value information associated with their goal.
 * CTU researchers recommend the following practices to prevent or detect
   TG-3390 intrusions:
   * Search web log files for evidence of web server scanning using the URIs
     listed in the Exploitation section and evidence of exfiltration using the
     User-Agent in the Actions on objectives section.
   * Require two-factor authentication for all remote access solutions,
     including OWA.
   * Audit ISAPI filters and search for web shells on Microsoft Exchange
     servers.



STRATEGIC THREAT INTELLIGENCE

CTU researchers assess the threat posed by a threat group by reviewing intent
and capability (see Figure 1). Threat groups pose varying threats to different
organizations, and even a very capable group may pose a low threat if it does
not have the intent to target a particular organization.


Figure 1. Threat is based on a threat group's intent and capability. (Source:
Dell SecureWorks)


INTENT

CTU researchers infer intent by aggregating observations, analyzing a threat
group's activity, and placing the information in a wider context.

Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also
known as watering hole attacks, on websites associated with the target
organization's vertical or demographic to increase the likelihood of finding
victims with relevant information. CTU researchers assess with high confidence
that TG-3390 uses information gathered from prior reconnaissance activities to
selectively compromise users who visit websites under its control. Most websites
compromised by TG-3390 actors are affiliated with five types of organizations
around the world:

 * large manufacturing companies, particularly those supplying defense
   organizations
 * energy companies
 * embassies in Washington, DC representing countries in the Middle East,
   Europe, and Asia, likely to target U.S.-based users involved in international
   relations
 * non-governmental organizations (NGOs), particularly those focused on
   international relations and defense
 * government organizations


Based on this information, CTU researchers assess that TG-3390 aims to collect
defense technology and capability intelligence, other industrial intelligence,
and political intelligence from governments and NGOs.

Attribution

To assess attribution, CTU researchers analyze observed activity, third-party
reporting, and contextual intelligence. For the following reasons, CTU
researchers assess with moderate confidence that TG-3390 has a Chinese nexus:

 * The SWC of a Uyghur cultural website suggests intent to target the Uyghur
   ethnic group, a Muslim minority group primarily found in the Xinjiang region
   of China. Threat groups outside of China are unlikely to target the Uyghur
   people.
 * TG-3390 uses the PlugX remote access tool. The menus for PlugX's server-side
   component are written exclusively in Standard Chinese (Mandarin), suggesting
   that PlugX operators are familiar with this language.
 * CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC,
   which is 12:00 to 17:00 local time in China (UTC +8). The timeframe maps to
   the second half of the workday in China.
 * The threat actors have used the Baidu search engine, which is only available
   in Chinese, to conduct reconnaissance activities.
 * CTU researchers have observed the threat group obtaining information about
   specific U.S. defense projects that would be desirable to those operating
   within a country with a manufacturing base, an interest in U.S. military
   capability, or both.


CTU researchers recognize that the evidence supporting this attribution is
circumstantial. It is possible that TG-3390 is a false-flag operation by a
threat group outside of China that is deliberately planting indications of a
Chinese origin.


CAPABILITY

To assess a threat group's capability, CTU researchers analyze its resources,
technical proficiency, and tradecraft.

Resources

TG-3390 has access to proprietary tools, some of which are used exclusively by
TG-3390 and others that are shared among a few Chinese threat groups. The
complexity and continual development of these tools indicate a mature
development process. TG-3390 can quickly leverage compromised network
infrastructure during an operation and can conduct simultaneous intrusions into
multiple environments. Analysis of interactions between TG-3390 operators and a
target environment supports this: CTU researchers found no evidence of multiple
operators working simultaneously against a single organization. This efficiency
of operation (one operator per target environment at any given time) suggests
that TG-3390 can spread its operators across the maximum number of
simultaneous operations. These characteristics suggest that the threat group is
well resourced and has access to a tools development team and a team focused on
SWCs.

Technical proficiency

TG-3390's obfuscation techniques in SWCs complicate detection of malicious web
traffic redirects. Malware used by the threat group can be configured to bypass
network-based detection; however, the threat actors rarely modify host-based
configuration settings when deploying payloads. CTU researchers have observed
the threat actors installing a credential logger and backdoor on Microsoft
Exchange servers, which requires a technical grasp of Internet Information
Services (IIS). TG-3390 uses older exploits to compromise targets, and CTU
researchers have not observed the threat actors using zero-day exploits as of
this publication. The threat actors demonstrated the ability to adapt when
reentering a network after an eviction, overcoming technical barriers
constructed by network defenders.

Tradecraft

In addition to using SWCs to target specific types of organizations, TG-3390
uses spearphishing emails to target specific victims. CTU researchers assess
with high confidence that the threat actors follow an established playbook
during an intrusion. They quickly move away from their initial access vector to
hide their entry point and then target Exchange servers as a new access vector.
As of this publication, CTU researchers have not discovered how TG-3390 keeps
track of the details associated with its compromised assets and credentials.
However, the threat actors' ability to reuse these assets and credentials,
sometimes weeks or months after the initial compromise, indicates the group is
disciplined and well organized. After gaining access to a target network in one
intrusion analyzed by CTU researchers, TG-3390 actors identified and exfiltrated
data for specific projects run by the target organization, indicating that they
successfully obtained the information they sought. Data exfiltration occurred
almost four weeks after the initial compromise and continued for two weeks (see
Figure 2).


Figure 2. Data exfiltration timeline. (Source: Dell SecureWorks)

Note: The adversary's end goal is to exfiltrate, not infiltrate. Organizations
often miss multiple opportunities to detect and disrupt the threat actors before
they can achieve their objective. Alerts for credential theft tools and
privileged account lockouts should be investigated.



TACTICAL THREAT INTELLIGENCE


KNOWN TOOLS

CTU researchers have observed TG-3390 actors using tools that are favored by
multiple threat groups:

 * PlugX — A remote access tool notable for communications that may contain HTTP
   headers starting with "X-" (e.g., "X-Session: 0"). Its presence on a
   compromised system allows a threat actor to execute a wide variety of
   commands, including uploading and downloading files, and spawning a reverse
   shell. The malware can be configured to use multiple network protocols to
   avoid network-based detection. DLL side loading is often used to maintain
   persistence on the compromised system.
 * HttpBrowser (also known as TokenControl) — A backdoor notable for HTTPS
   communications with the HttpBrowser/1.0 User-Agent (see Figure 3).
   HttpBrowser's executable code may be obfuscated through structured exception
   handling and return-oriented programming. Its presence on a compromised
   system allows a threat actor to spawn a reverse shell, upload or download
   files, and capture keystrokes. Antivirus detection for HttpBrowser is
   extremely low and is typically based upon heuristic signatures. DLL side
   loading has been used to maintain persistence on the compromised system. More
   information about HttpBrowser is available in Appendix B.
   
   
   Figure 3. HttpBrowser URI. (Source: Dell SecureWorks)

 * ChinaChopper web shell — A web-based executable script (see Figure 4) that
   allows a threat actor to execute commands on the compromised system. The
   server-side component provides a simple graphical user interface for threat
   actors interacting with web shells.
   
   
   Figure 4. ChinaChopper web shell. (Source: Dell SecureWorks)
   
   Passwords, like "admin-na-google123!@#" shown in Figure 4, are required to
   interact with the web shell. TG-3390 has used additional web shells
   containing similarly formatted passwords.

 * Hunter — A web application scanning tool written by @tojen to identify
   vulnerabilities in Apache Tomcat, Red Hat JBoss Middleware, and Adobe
   ColdFusion (see Figure 5). It can also identify open ports, collect web
   banners, and download secondary files.
   
   
   Figure 5. Hunter usage. (Source: Dell SecureWorks)

The following tools appear to be exclusive to TG-3390:

 * OwaAuth web shell — A web shell and credential stealer deployed to Microsoft
   Exchange servers. It is installed as an ISAPI filter. Captured credentials
   are DES-encrypted using the password "12345678" and are written to the
   log.txt file in the root directory. Like the ChinaChopper web shell, the
   OwaAuth web shell requires a password. However, the OwaAuth web shell
   password contains the victim organization's name. More information about the
   OwaAuth web shell is available in Appendix C.
 * ASPXTool — A modified version of the ASPXSpy web shell (see Figure 6). It is
   deployed to internally accessible servers running Internet Information
   Services (IIS).
   
   
   Figure 6. ASPXTool web shell. (Source: Dell SecureWorks)

TG-3390 actors have also used the following publicly available tools:

 * Windows Credential Editor (WCE) — obtains passwords from memory
 * gsecdump — obtains passwords from memory
 * WinRAR — compresses data for exfiltration
 * nbtscan — scans NetBIOS name servers


TACTICS, TECHNIQUES, AND PROCEDURES

Incident response engagements have given CTU researchers insight into the
tactics TG-3390 employs during intrusions.

Reconnaissance

CTU researchers have not observed TG-3390 actors performing reconnaissance prior
to compromising organizations. As discussed in the Actions on objectives
section, the threat actors appear to wait until they have established a
foothold.

Development

TG-3390 actors use command and control (C2) domains for extended periods of time
but frequently change the domains' IP addresses. The new IP addresses are
typically on the same subnet as the previous ones.

TG-3390 is capable of using a C2 infrastructure that spans multiple networks and
registrars. The most common registrar used by the adversary is HiChina Zhicheng
Technology Ltd. The threat actors have a demonstrated ability to move from one
network provider to another, using some infrastructure for extended periods of
time and other domains for only a few days. Seemingly random activity patterns
in infrastructure deployment and usage, along with the ability to use a wide
variety of geographically diverse infrastructure, help the threat actors avoid
detection.

TG-3390 SWCs may be largely geographically independent, but the group's most
frequently used C2 registrars and IP net blocks are located in the U.S. Using a
U.S.-based C2 infrastructure (see Figure 7) to compromise targets in the U.S.
helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in
network defense.


Figure 7. Geolocation of TG-3390 infrastructure observed by CTU researchers. The
dark green signifies a high count of C2 registrars and IP net blocks, while the
light green represents a smaller count. (Source: Dell SecureWorks)

The threat actors create PlugX DLL stub loaders that will run only after a
specific date. The compile dates of the samples analyzed by CTU researchers are
all later than the hard-coded August 8, 2013 date, indicating that the code
might be reused from previous tools.

The OwaAuth web shell is likely created with a builder, given that the PE
compile time of the binary does not change between instances and the
configuration fields are padded to a specific size. The adversaries modify
publicly available tools such as ASPXSpy to remove identifying characteristics
that network defenders use to identify web shells.

Weaponization

As of this publication, CTU researchers are unsure if TG-3390 relies on
weaponizers to package tools and exploits.

Delivery

TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive
attachments. The ZIP archives have names relevant to the targets and contain
both legitimate files and malware. One archive sample analyzed by CTU
researchers contained a legitimate PDF file, a benign image of interest to
targets (see Figure 8), and an HttpBrowser installer disguised as an image file.


Figure 8. Decoy image. (Source: Dell SecureWorks)

In SWCs analyzed by CTU researchers, the threat actors added the Dean Edwards
packed JavaScript code shown in Figure 9 to the end of a legitimate website's
menu page.


Figure 9. SWC code. (Source: Dell SecureWorks)

As shown in Figure 10, the unpacked JavaScript code reveals an iframe pointing
to an IP address that is hosting the exploit.


Figure 10. Unpacked JavaScript code. (Source: Dell SecureWorks)

Both the redirect code on the compromised site and the exploit code appear and
disappear, indicating that the adversaries add the code when they want to
leverage the SWC and remove the code when it is not in use to limit the
visibility of their operations. The threat actors have evolved to whitelisting
IP addresses and only delivering the exploit and payload to specific targets of
interest. CTU researchers have observed TG-3390 compromising a target
organization's externally and internally accessible assets, such as an OWA
server, and adding redirect code to point internal users to an external website
that hosts an exploit and delivers malware.
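The figures above show the packed redirect only as images, so here is an added example (not the report's code and not the actual script TG-3390 injected) of how an analyst unpacks Dean Edwards p.a.c.k.e.r output and pulls iframe targets out of the result. Because the page does not reproduce the packed script, the block also carries a minimal pack() that emits the same eval(function(p,a,c,k,e,d)...) wrapper as the public tool; it exists only to build a constructed sample whose iframe points at the documentation address 192.0.2.55. Everything in SAMPLE_SOURCE is made up for illustration.

```python
"""Unpack Dean Edwards p.a.c.k.e.r output (the eval(function(p,a,c,k,e,d)
wrapper appended to compromised pages) and pull iframe targets out of the
result. Added example; pack() below only exists to build a constructed
sample in the same format as the public packer."""
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
WORD_RE = re.compile(r"\b\w+\b", re.ASCII)
# The argument list the wrapper is applied to: (payload, radix, count, words)
PACKED_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)", re.S)
IFRAME_RE = re.compile(r"""(?:\.src\s*=\s*|<iframe\b[^>]*?\bsrc\s*=\s*)["']([^"']+)["']""", re.I)

def encode(n, radix):
    """Index -> token, mirroring the wrapper's e(c): base-36 digits for
    radix <= 36, and 'A'..'Z' for digit values 36..61 when radix is 62."""
    out = ""
    while True:
        out = ALPHABET[n % radix] + out
        n //= radix
        if n == 0:
            return out

def decode(token, radix):
    """Token -> index, or None if the token is not a valid encoded index."""
    digits = ALPHABET[:radix]
    n = 0
    for ch in token:
        i = digits.find(ch)
        if i < 0:
            return None
        n = n * radix + i
    return n

def js_unescape(s):
    """Undo the escaping used inside the wrapper's single-quoted strings."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.S)

def js_escape(s):
    return s.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n")

def unpack(packed):
    """Reverse the wrapper: every word in the payload that decodes to an
    index with a non-empty dictionary entry is replaced by that entry."""
    m = PACKED_RE.search(packed)
    if not m:
        raise ValueError("no p.a.c.k.e.r argument list found")
    payload = js_unescape(m.group(1))
    radix, count = int(m.group(2)), int(m.group(3))
    words = js_unescape(m.group(4)).split("|")
    def repl(match):
        idx = decode(match.group(0), radix)
        if idx is None or idx >= count or idx >= len(words) or not words[idx]:
            return match.group(0)
        return words[idx]
    return WORD_RE.sub(repl, payload)

def extract_iframe_sources(js):
    """URLs assigned to an iframe's src in the unpacked script."""
    return IFRAME_RE.findall(js)

# Verbatim wrapper emitted by the public packer for radix 62.
JS_HEAD = (r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
           r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
           r"if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
           r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
           r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}")

def pack(source, radix=62):
    """Minimal packer: replace every word with its base-radix index and emit
    the standard wrapper. Used here only to build the sample."""
    words, index = [], {}
    def repl(match):
        w = match.group(0)
        if w not in index:
            index[w] = len(words)
            words.append(w)
        return encode(index[w], radix)
    payload = WORD_RE.sub(repl, source)
    return (f"{JS_HEAD}('{js_escape(payload)}',{radix},{len(words)},"
            f"'{js_escape('|'.join(words))}'.split('|'),0,{{}}))")

# Constructed stand-in for an injected redirect; 192.0.2.55 is a documentation address.
SAMPLE_SOURCE = ('var f=document.createElement("iframe");'
                 'f.src="http://192.0.2.55/ads/index.html";'
                 'f.width=0;f.height=0;document.body.appendChild(f);')

if __name__ == "__main__":
    packed = pack(SAMPLE_SOURCE)
    print(packed)
    print(unpack(packed))
    print(extract_iframe_sources(unpack(packed)))
```

The iframe extractor is deliberately simple; real SWC scripts often assemble the URL from concatenated pieces or write the iframe with document.write, so read the unpacked text rather than trusting the regex alone. Packers are also nested in practice: if the output still starts with eval(function(p,a,c,k,e,d), run unpack on it again.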

Exploitation

TG-3390 actors have used Java exploits in their SWCs. In particular, the threat
actors have exploited CVE-2011-3544, a vulnerability in the Java Runtime
Environment, to deliver the HttpBrowser backdoor; and CVE-2010-0738, a
vulnerability in JBoss, to compromise internally and externally accessible
assets used to redirect users' web browsers to exploit code.

In activity analyzed by CTU researchers, TG-3390 executed the Hunter web
application scanning tool against a target server running IIS. Hunter queried
the following URIs in a specific order to determine if the associated software
configurations are insecure, and all queries contained the HttpClient
User-Agent:

 * GET /manager/html/ — Tomcat web application manager
 * GET /jmx-console/ — JBoss configuration
 * GET /CFIDE/administrator/login.cfm — ColdFusion configuration


Installation

TG-3390 uses DLL side loading, a technique that involves running a legitimate,
typically digitally signed, program that loads a malicious DLL. CTU researchers
have observed the threat actors employing legitimate Kaspersky antivirus
variants in analyzed samples. The DLL acts as a stub loader, which loads and
executes the shell code. The adversaries have used this technique to allow PlugX
and HttpBrowser to persist on a system.


Note: DLL side loading is a prevalent persistence technique that is used to
launch a multitude of backdoors. The challenge is detecting known good software
loading and running malware. As security controls have improved, DLL side
loading has evolved to load a payload stored in a different directory or from a
registry value.


In other cases, threat actors placed web shells on externally accessible
servers, sometimes behind a reverse proxy, to execute commands on the
compromised system. TG-3390 actors have deployed the OwaAuth web shell to
Exchange servers, disguising it as an ISAPI filter. The IIS w3wp.exe process
loads the malicious DLL, which CTU researchers have observed in the Program
Files\Microsoft\Exchange Server\ClientAccess\Owa\Bin directory.
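The Key Points recommend auditing ISAPI filters on Exchange servers. The Python below is an added example, not code from the report or from Secureworks: it parses every isapiFilters section of an IIS applicationHost.config and flags any filter DLL that lives under the ClientAccess\Owa\Bin directory named above, or whose file name is not on a known-good list. The XML fragment, the filter names and DLL paths in it, and the one-entry ALLOWLIST are constructed for illustration; build the real allowlist from a clean reference server of the same Exchange and IIS version.

```python
"""Audit ISAPI filters in an IIS applicationHost.config for signs of the
OwaAuth implant: a filter DLL under Exchange's ClientAccess\\Owa\\Bin
directory, or a DLL whose file name is not on a known-good list.
Added example; the XML, names, paths and allowlist are constructed."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumed known-good filter DLL file names; derive the real list from a
# clean reference server.
ALLOWLIST = {"aspnet_filter.dll"}
# Directory where CTU observed w3wp.exe loading the OwaAuth DLL.
SUSPECT_DIR = [p.lower() for p in PureWindowsPath(r"ClientAccess\Owa\Bin").parts]

# Constructed applicationHost.config fragment: one legitimate filter, one
# unknown disabled filter, and one site-level filter in the Owa\Bin directory.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="ASP.Net_4.0_32bit" path="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll" enabled="true" preCondition="bitness32,runtimeVersionv4.0" />
      <filter name="Legacy Filter" path="C:\inetpub\filters\urlrw.dll" enabled="false" />
    </isapiFilters>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <isapiFilters>
        <filter name="Owa Auth Filter" path="C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Bin\owafilter.dll" enabled="true" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>
"""

def list_isapi_filters(xml_text):
    """Return one dict per <filter> inside an <isapiFilters> element, with the
    scope ("global" or the <location path>) it was declared in. Works on a
    full applicationHost.config and on a bare section dumped by appcmd."""
    root = ET.fromstring(xml_text)
    parent = {child: node for node in root.iter() for child in node}
    filters = []
    for elem in root.iter("filter"):
        if parent.get(elem) is None or parent[elem].tag != "isapiFilters":
            continue
        scope, node = "global", parent[elem]
        while node is not None:              # walk up looking for <location>
            if node.tag == "location":
                scope = node.get("path", "")
                break
            node = parent.get(node)
        filters.append({
            "scope": scope,
            "name": elem.get("name", ""),
            "path": elem.get("path", ""),
            "enabled": elem.get("enabled", "true").lower() == "true",
        })
    return filters

def audit_isapi_filters(filters, allowlist=ALLOWLIST):
    """Return (scope, name, path, enabled, [reasons]) for each suspicious filter."""
    findings = []
    for f in filters:
        path = PureWindowsPath(f["path"])
        parts = [p.lower() for p in path.parts]
        reasons = []
        if any(parts[i:i + len(SUSPECT_DIR)] == SUSPECT_DIR for i in range(len(parts))):
            reasons.append("DLL located under ClientAccess\\Owa\\Bin")
        if path.name.lower() not in allowlist:
            reasons.append("DLL file name not on known-good list")
        if reasons:
            findings.append((f["scope"], f["name"], str(path), f["enabled"], reasons))
    return findings

if __name__ == "__main__":
    for scope, name, path, enabled, reasons in audit_isapi_filters(list_isapi_filters(SAMPLE_CONFIG)):
        print(f"[{scope}] {name!r} {path} enabled={enabled}: {'; '.join(reasons)}")
```

On a live server the same XML comes from %windir%\system32\inetsrv\appcmd list config /section:system.webServer/isapiFilters (add the site name as the first argument for site-level filters). An enabled filter under Owa\Bin is a finding to preserve for analysis rather than delete on sight: the DES-encrypted log.txt beside it records which credentials were captured, and the DLL should be compared against a clean server rather than trusted because its name looks legitimate.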

Command and control

To traverse the firewall, C2 traffic for most TG-3390 tools occurs over ports
53, 80, and 443. The PlugX malware can be configured to use HTTP, DNS, raw TCP,
or UDP to avoid network-based detection. In one sample analyzed by CTU
researchers, PlugX was configured with hard-coded user credentials to bypass a
proxy that required authentication. Newer HttpBrowser versions use SSL with
self-signed certificates to encrypt network communications.

TG-3390 actors frequently change the C2 domain's A record to point to the
loopback IP address 127.0.0.1, a variation of a technique known as "parking."
Other variations point the A record at a well-known public address, such as
Google's recursive name server 8.8.8.8 or an address belonging to Confluence,
or at other non-routable addresses. When the adversaries' operations are live,
they modify the record again to point the C2 domain to an IP address they can
access. A domain name parking example is available in Appendix D.
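To make the parking behaviour actionable, here is an added Python example (not from the report) that classifies each A record a watched domain resolves to as parked or live and raises an alert when a domain goes live or rotates to a new live address. The domain, timestamps and addresses in HISTORY are constructed, and the resolution is done from that list rather than real DNS so the block runs offline. KNOWN_PARKING holds 127.0.0.1 and the 8.8.8.8 resolver named above; extend it with whatever sinkhole or parking addresses you observe (the report mentions a Confluence address without giving it).

```python
"""Track the A record of watched C2 domains, classify each value as parked
(loopback, non-routable, or a known parking destination such as 8.8.8.8)
or live, and alert when a domain goes live or rotates to a new live
address. Added example with a constructed resolution history."""
import ipaddress

# Parking destinations the report names; add sinkhole/parking addresses you see.
KNOWN_PARKING = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("8.8.8.8")}
# Ranges that can never be a reachable C2 endpoint.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]

def classify(addr):
    """Return 'parked' or 'live' for one A/AAAA record value."""
    ip = ipaddress.ip_address(addr)
    if ip in KNOWN_PARKING or any(ip in net for net in NON_ROUTABLE):
        return "parked"
    return "live"

def same_subnet(a, b, prefix=24):
    """True when two addresses share a /prefix; the report notes new C2
    addresses are typically on the same subnet as the previous ones."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))

def parking_transitions(history):
    """history: iterable of (timestamp, domain, address) in time order.
    Returns (timestamp, domain, kind, previous, new) for every change to a
    live address: kind is 'went-live' when the previous record was parked,
    otherwise 'rotated-same-subnet' or 'rotated-new-subnet'."""
    last, alerts = {}, []
    for ts, domain, addr in history:
        state = classify(addr)
        prev = last.get(domain)
        if prev and state == "live" and prev[0] != addr:
            if prev[1] == "parked":
                kind = "went-live"
            elif same_subnet(prev[0], addr):
                kind = "rotated-same-subnet"
            else:
                kind = "rotated-new-subnet"
            alerts.append((ts, domain, kind, prev[0], addr))
        last[domain] = (addr, state)
    return alerts

# Constructed history for one watched domain (example.net is reserved;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
HISTORY = [
    ("2015-01-05T04:00Z", "update.c2.example.net", "127.0.0.1"),
    ("2015-01-20T04:00Z", "update.c2.example.net", "203.0.113.40"),
    ("2015-01-24T04:00Z", "update.c2.example.net", "203.0.113.41"),
    ("2015-02-02T04:00Z", "update.c2.example.net", "8.8.8.8"),
    ("2015-02-10T04:00Z", "update.c2.example.net", "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in parking_transitions(HISTORY):
        print(*alert)
```

Feed it the daily A-record values from passive DNS for every TG-3390 domain on your watchlist. The went-live transition is the cue to re-check egress logs for the new address, and the same-subnet rotation is why a block on the whole /24 holds up longer than a block on a single address.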

Actions on objectives

CTU researchers have discovered numerous details about TG-3390 operations,
including how the adversaries explore a network, move laterally, and exfiltrate
data. As shown in Figure 11, after compromising an initial victim's system
(patient 0), the threat actors use the Baidu search engine to search for the
victim's organization name. They then identify the Exchange server and attempt
to install the OwaAuth web shell. If the OwaAuth web shell is ineffective
because the victim uses two-factor authentication for webmail, the adversaries
identify other externally accessible servers and deploy ChinaChopper web shells.
Within six hours of entering the environment, the threat actors compromised
multiple systems and stole credentials for the entire domain.


Figure 11. Timeline, in Eastern Time, of TG-3390's initial entry into a victim's
network. (Source: Dell SecureWorks)

The threat actors use the Hunter and nbtscan tools, sometimes renamed, to
conduct network reconnaissance for vulnerable servers and online systems (see
Figure 12). TG-3390 actors favor At.exe to create scheduled tasks for executing
commands on remote systems.


Figure 12. nbtscan batch script (renamed ipcan.exe) used to profile network.
(Source: Dell SecureWorks)

Over a few days' span, the threat actors install remote access tools on
additional systems based upon the results of the network reconnaissance. They
use At.exe to schedule tasks to run self-extracting RAR archives, which install
either HttpBrowser or PlugX. CTU researchers observed the threat actors
collecting Cisco VPN profiles to use when accessing the victim's network via VPN
(see Figure 13).


Figure 13. Copying of .pcf files. (Source: Dell SecureWorks)

To facilitate lateral movement, the adversaries deploy ASPXTool web shells to
internally accessible systems running IIS.

CTU researchers have observed the threat actors encrypting data using the
password "admin-windows2014" and splitting the RAR archives into parts in the
recycler directory, with the same name as the uncompressed data (see Figure 14).


Figure 14. Batch script used to archive data. (Source: Dell SecureWorks)

The number at the end of the password corresponds to the year of the intrusion.
For example, the password "admin-windows2014" shown in Figure 14 was changed to
"admin-windows2015" for TG-3390 intrusions conducted in 2015.


Note: CTU researchers frequently observe threat actors renaming archiving tools
and storing data for exfiltration in uncommon directories. In some instances,
adversaries exceed disk space limits during the exfiltration process, requiring
the staging of archives on multiple systems. Unexplained disk quota alerts on
typically underutilized systems warrant immediate investigation.


Another batch script run by a scheduled task renames the archives on the file
server (see Figure 15).


Figure 15. Batch script used to rename exfiltrated data. (Source: Dell
SecureWorks)

CTU researchers have observed TG-3390 actors staging RAR archives, renamed with
a .zip file extension, on externally accessible web servers. The adversaries
then issue HTTP GET requests, sometimes with the User-Agent MINIXL, to
exfiltrate the archive parts from the victim's network (see Figure 16).


Figure 16. Example GET request from IIS log. (Source: Dell SecureWorks)
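The staging pattern described above (RAR parts written to a recycler directory under the name of the data they hold, then renamed with a .zip extension for retrieval from a web server) is recognisable on disk without knowing the password, because the archive signature is independent of the file name. The following Python script is an added example written for this article, not a Dell SecureWorks tool; the directory tree it scans, the file names and the part-naming pattern it looks for are constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# First six bytes shared by RAR 4.x and RAR 5 archives ("Rar!" 0x1A 0x07).
RAR_MAGIC = b"Rar!\x1a\x07"
# Part naming to look for: "name.zip.001"-style numeric suffixes or
# WinRAR's "name.part1.rar" (constructed pattern, chosen for this example).
PART_RE = re.compile(r"\.(part\d+\.rar|\d{3})$", re.IGNORECASE)
# Directory names used for staging in the intrusions described; matched case-insensitively.
RECYCLER_NAMES = {"recycler", "$recycle.bin"}


def is_rar(path):
    """True if the file content starts with the RAR signature, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False


def in_recycler(rel_path):
    return any(part.lower() in RECYCLER_NAMES for part in Path(rel_path).parts)


def scan_staging(root):
    """Walk root and return {relative_path: [reasons]} for RAR content that is
    renamed, split into parts, or parked in a recycler directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_rar(full):
                continue  # genuine ZIPs, documents, etc. are ignored
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            is_part = bool(PART_RE.search(name))
            ext = Path(name).suffix.lower()
            if is_part:
                reasons.append("multi-part archive")
            elif ext != ".rar":
                reasons.append(f"RAR content with '{ext or 'no'}' extension")
            if in_recycler(rel):
                reasons.append("staged in recycler directory")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Constructed sample tree for a dry run; not data from any intrusion."""
    root = tempfile.mkdtemp(prefix="staging_")
    rar_body = RAR_MAGIC + b"\x00" * 64   # signature plus padding, not a valid archive
    zip_body = b"PK\x03\x04" + b"\x00" * 64
    files = {
        "RECYCLER/S-1-5-21-0000/finance.zip.001": rar_body,
        "RECYCLER/S-1-5-21-0000/finance.zip.002": rar_body,
        "inetpub/wwwroot/images/update.zip": rar_body,   # RAR renamed to .zip
        "inetpub/wwwroot/images/real.zip": zip_body,     # genuine ZIP, ignored
        "backup/archive.rar": rar_body,                  # plain RAR, not flagged
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_staging(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Run against a file server or web root, the hits worth prioritising are the ones that carry two reasons at once: a multi-part RAR in a recycler directory, or a RAR with a .zip name under a web root, matches the staging and retrieval steps described above rather than an ordinary archive.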

In other intrusions, data was exfiltrated using the PlugX remote access tool.
Figure 17 shows network data transfer sizes for a month-long period beginning
with TG-3390's re-entry into a network. Approximately 300 GB of data was
exfiltrated during that span.


Figure 17. Network data transfer sizes to C2 servers after TG-3390 reentry into
a network. (Source: Dell SecureWorks)


CTU OBSERVATIONS

Figure 18 is a UTC time wheel depicting which hours the threat actors actively
operated in one target environment during a three-day intrusion observed by CTU
researchers. The concentric bands represent the days of the week, with Saturday
as the outside band and Sunday as the innermost band, and each cell represents
an hour. The darker the cell color, the higher the activity level; white
indicates no observed activity. TG-3390 was most active between 04:00 and 09:00
UTC.


Figure 18. Mapping of TG-3390's interactions with web shells during an intrusion
responded to by CTU researchers. The legend across the bottom of the figure
lists the upper bound of interactions that are represented by each color
variation on the wheel. Times are based on UTC. (Source: Dell SecureWorks)
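Both of the IIS-log observations above (archive parts retrieved with a GET request and the MINIXL User-Agent, and the hour-by-weekday activity pattern of Figure 18) can be reproduced from a server's W3C extended log. The Python below is an added example written for this article, not a Dell SecureWorks tool; the log excerpt is constructed, its client addresses are documentation ranges, and the web shell path /owa/bin/error.aspx is an assumed name for the demonstration. IIS writes W3C logs in UTC by default, so the counts line up with a UTC time wheel without conversion.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed W3C extended log excerpt (not the log behind Figure 16).
# IIS replaces spaces inside field values with "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-03-02 04:12:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2015-03-02 04:15:41 10.0.0.5 POST /owa/bin/error.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
2015-03-02 05:02:13 10.0.0.5 GET /images/finance.zip.001 - 80 - 198.51.100.23 MINIXL 200 0 0 6042
2015-03-02 05:03:58 10.0.0.5 GET /images/finance.zip.002 - 80 - 198.51.100.23 MINIXL 200 0 0 6120
2015-03-03 08:44:09 10.0.0.5 POST /owa/bin/error.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 28
2015-03-04 13:10:22 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(X11;+Linux) 200 0 0 4
"""

# User-Agent observed during TG-3390 exfiltration, plus archive names worth a second look.
SUSPICIOUS_AGENTS = {"MINIXL"}
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)(\.\d{3})?$", re.IGNORECASE)
# Assumed path of a known web shell (constructed for this example).
WEB_SHELL_PATHS = {"/owa/bin/error.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        yield rec


def find_exfil_requests(records):
    """Successful GETs for archive-like names, or by a suspicious User-Agent."""
    hits = []
    for r in records:
        ua = r["cs(User-Agent)"]
        stem = r["cs-uri-stem"]
        if r["cs-method"] != "GET" or r["sc-status"] != "200":
            continue
        if ua in SUSPICIOUS_AGENTS or ARCHIVE_RE.search(stem):
            hits.append((f"{r['date']} {r['time']}", r["c-ip"], stem, ua))
    return hits


def activity_wheel(records, paths):
    """Count web shell requests per (weekday, hour): the data behind a time wheel."""
    wheel = Counter()
    for r in records:
        if r["cs-uri-stem"].lower() not in paths:
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        wheel[(ts.strftime("%A"), ts.hour)] += 1
    return wheel


def busiest_hours(wheel):
    """Hours of day ranked by total web shell activity across all weekdays."""
    by_hour = Counter()
    for (_day, hour), n in wheel.items():
        by_hour[hour] += n
    return [h for h, _n in by_hour.most_common()]


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    for hit in find_exfil_requests(recs):
        print("possible exfiltration:", hit)
    wheel = activity_wheel(recs, WEB_SHELL_PATHS)
    for (day, hour), n in sorted(wheel.items()):
        print(f"{day:<9} {hour:02d}:00 UTC  {n} request(s)")
    print("busiest hours:", busiest_hours(wheel))
```

The archive check is deliberately broad (any successful GET of a .zip, .rar or .7z from the web root) so that renamed parts are caught even when the User-Agent changes; tune it to the site's normal downloads before alerting on it. The wheel is keyed by weekday and UTC hour, so the busiest-hour list gives the same working-hours signal that Figure 18 shows graphically.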

Response to eviction

Successfully evicting TG-3390 from an environment requires a coordinated plan to
remove all access points, including remote access tools and web shells. Within
weeks of eviction, the threat actors attempt to access their ChinaChopper web
shells from previously used IP addresses. Finding the web shells inaccessible,
the adversaries search google.co.jp for remote access solutions. CTU researchers
discovered the threat actors searching for "[company] login," which directed
them to the landing page for remote access. TG-3390 attempts to reenter the
environment by identifying accounts that do not require two-factor
authentication for remote access solutions, and then brute forcing usernames and
passwords. After reestablishing access, the adversaries download tools such as
gsecdump and WCE that are staged temporarily on websites that TG-3390 previously
compromised but never used. CTU researchers believe legitimate websites are used
to host tools because web proxies categorize the sites as benign.


Note: Numerous threat groups use legitimate remote access solutions (VPN,
Citrix, OWA, etc.) to enter or reenter a network. After executing an eviction
plan, it is paramount to reset all credentials, including those for third-party
accounts, preferably after implementing two-factor authentication.


TG-3390 actors keep track of and leverage existing ASPXTool web shells in their
operations, preferring to issue commands via an internally accessible web shell
rather than HttpBrowser or PlugX. After reentering an environment, the threat
actors focus on obtaining the Active Directory contents. Figure 19 shows a
timeline of TG-3390 attempting to regain a foothold in a network in a span of
only five hours.


Figure 19. Timeline, in Eastern Time, of TG-3390's reentry into a compromised
network. (Source: Dell SecureWorks)


Note: Relying primarily on network-based security controls will not deter most
threat groups from achieving their objective. Adversaries can overcome
blacklisted infrastructure in minutes, as TG-3390 actors did when they staged
tools on compromised web servers.


Team member or team identifier

Analysis of the OwaAuth web shell revealed a PDB string with the "SyberSpace"
username (see Figure 20).


Figure 20. OwaAuth web shell PDB string. (Source: Dell SecureWorks)

Further research revealed additional tools containing the same username (see
Figure 21).


Figure 21. PDB strings containing the 'SyberSpace' username. (Source: Dell
SecureWorks)

CTU researchers have no evidence to determine if these tools are also used by
TG-3390.


CONCLUSION

TG-3390 is known for compromising organizations via SWCs and moving quickly to
install backdoors on Exchange servers. Despite the group's proficiency, there
are still many opportunities to detect and disrupt its operation by studying its
modus operandi. The threat actors work to overcome existing security controls,
or those put in place during an engagement, to complete their mission of
exfiltrating intellectual property. Due to TG-3390's determination,
organizations should formulate a solid eviction plan before engaging with the
threat actors to prevent them from reentering the network.


THREAT INDICATORS

The indicators in Table 1 are associated with TG-3390 activity. The domains and
IP addresses may contain malicious content, so consider the risks before opening
them in a browser.

Indicator                         Type           Context
american.blackcmd.com             Domain name    TG-3390 infrastructure; Confidence: High
api.apigmail.com                  Domain name    TG-3390 infrastructure; Confidence: High
apigmail.com                      Domain name    TG-3390 infrastructure; Confidence: High
backup.darkhero.org               Domain name    TG-3390 infrastructure; Confidence: High
bel.updatawindows.com             Domain name    TG-3390 infrastructure; Confidence: High
binary.update-onlines.org         Domain name    TG-3390 infrastructure; Confidence: High
blackcmd.com                      Domain name    TG-3390 infrastructure; Confidence: High
castle.blackcmd.com               Domain name    TG-3390 infrastructure; Confidence: High
ctcb.blackcmd.com                 Domain name    TG-3390 infrastructure; Confidence: High
darkhero.org                      Domain name    TG-3390 infrastructure; Confidence: High
dav.local-test.com                Domain name    TG-3390 infrastructure; Confidence: High
test.local-test.com               Domain name    TG-3390 infrastructure; Confidence: High
dev.local-test.com                Domain name    TG-3390 infrastructure; Confidence: High
ocean.local-test.com              Domain name    TG-3390 infrastructure; Confidence: High
ga.blackcmd.com                   Domain name    TG-3390 infrastructure; Confidence: High
helpdesk.blackcmd.com             Domain name    TG-3390 infrastructure; Confidence: High
helpdesk.csc-na.com               Domain name    TG-3390 infrastructure; Confidence: High
helpdesk.hotmail-onlines.com      Domain name    TG-3390 infrastructure; Confidence: High
helpdesk.lnip.org                 Domain name    TG-3390 infrastructure; Confidence: High
hotmail-onlines.com               Domain name    TG-3390 infrastructure; Confidence: High
jobs.hotmail-onlines.com          Domain name    TG-3390 infrastructure; Confidence: High
justufogame.com                   Domain name    TG-3390 infrastructure; Confidence: High
lnip.org                          Domain name    TG-3390 infrastructure; Confidence: High
local-test.com                    Domain name    TG-3390 infrastructure; Confidence: High
login.hansoftupdate.com           Domain name    TG-3390 infrastructure; Confidence: High
long.update-onlines.org           Domain name    TG-3390 infrastructure; Confidence: High
longlong.update-onlines.org       Domain name    TG-3390 infrastructure; Confidence: High
longshadow.dyndns.org             Domain name    TG-3390 infrastructure; Confidence: High
longshadow.update-onlines.org     Domain name    TG-3390 infrastructure; Confidence: High
longykcai.update-onlines.org      Domain name    TG-3390 infrastructure; Confidence: High
lostself.update-onlines.org       Domain name    TG-3390 infrastructure; Confidence: High
mac.navydocument.com              Domain name    TG-3390 infrastructure; Confidence: High
mail.csc-na.com                   Domain name    TG-3390 infrastructure; Confidence: High
mantech.updatawindows.com         Domain name    TG-3390 infrastructure; Confidence: High
micr0soft.org                     Domain name    TG-3390 infrastructure; Confidence: High
microsoft-outlook.org             Domain name    TG-3390 infrastructure; Confidence: High
mtc.navydocument.com              Domain name    TG-3390 infrastructure; Confidence: High
navydocument.com                  Domain name    TG-3390 infrastructure; Confidence: High
mtc.update-onlines.org            Domain name    TG-3390 infrastructure; Confidence: High
news.hotmail-onlines.com          Domain name    TG-3390 infrastructure; Confidence: High
oac.3322.org                      Domain name    TG-3390 infrastructure; Confidence: High
ocean.apigmail.com                Domain name    TG-3390 infrastructure; Confidence: High
pchomeserver.com                  Domain name    TG-3390 infrastructure; Confidence: High
registre.organiccrap.com          Domain name    TG-3390 infrastructure; Confidence: High
security.pomsys.org               Domain name    TG-3390 infrastructure; Confidence: High
services.darkhero.org             Domain name    TG-3390 infrastructure; Confidence: High
sgl.updatawindows.com             Domain name    TG-3390 infrastructure; Confidence: High
shadow.update-onlines.org         Domain name    TG-3390 infrastructure; Confidence: High
sonoco.blackcmd.com               Domain name    TG-3390 infrastructure; Confidence: High
test.logmastre.com                Domain name    TG-3390 infrastructure; Confidence: High
up.gtalklite.com                  Domain name    TG-3390 infrastructure; Confidence: High
updatawindows.com                 Domain name    TG-3390 infrastructure; Confidence: High
update-onlines.org                Domain name    TG-3390 infrastructure; Confidence: High
update.deepsoftupdate.com         Domain name    TG-3390 infrastructure; Confidence: High
update.hancominc.com              Domain name    TG-3390 infrastructure; Confidence: High
update.micr0soft.org              Domain name    TG-3390 infrastructure; Confidence: High
update.pchomeserver.com           Domain name    TG-3390 infrastructure; Confidence: High
urs.blackcmd.com                  Domain name    TG-3390 infrastructure; Confidence: High
wang.darkhero.org                 Domain name    TG-3390 infrastructure; Confidence: High
webs.local-test.com               Domain name    TG-3390 infrastructure; Confidence: High
word.apigmail.com                 Domain name    TG-3390 infrastructure; Confidence: High
wordpress.blackcmd.com            Domain name    TG-3390 infrastructure; Confidence: High
working.blackcmd.com              Domain name    TG-3390 infrastructure; Confidence: High
working.darkhero.org              Domain name    TG-3390 infrastructure; Confidence: High
working.hotmail-onlines.com       Domain name    TG-3390 infrastructure; Confidence: High
www.trendmicro-update.org         Domain name    TG-3390 infrastructure; Confidence: High
www.update-onlines.org            Domain name    TG-3390 infrastructure; Confidence: High
x.apigmail.com                    Domain name    TG-3390 infrastructure; Confidence: High
ykcai.update-onlines.org          Domain name    TG-3390 infrastructure; Confidence: High
ykcailostself.dyndns-free.com     Domain name    TG-3390 infrastructure; Confidence: High
ykcainobody.dyndns.org            Domain name    TG-3390 infrastructure; Confidence: High
zj.blackcmd.com                   Domain name    TG-3390 infrastructure; Confidence: High
laxness-lab.com                   Domain name    TG-3390 infrastructure; Confidence: High
google-ana1ytics.com              Domain name    TG-3390 infrastructure; Confidence: High
www.google-ana1ytics.com          Domain name    TG-3390 infrastructure; Confidence: High
ftp.google-ana1ytics.com          Domain name    TG-3390 infrastructure; Confidence: High
hotmailcontact.net                Domain name    TG-3390 infrastructure; Confidence: High
208.115.242.36                    IP address     TG-3390 infrastructure; Confidence: High
208.115.242.37                    IP address     TG-3390 infrastructure; Confidence: High
208.115.242.38                    IP address     TG-3390 infrastructure; Confidence: High
66.63.178.142                     IP address     TG-3390 infrastructure; Confidence: High
72.11.148.220                     IP address     TG-3390 infrastructure; Confidence: High
72.11.141.133                     IP address     TG-3390 infrastructure; Confidence: High
74.63.195.236                     IP address     TG-3390 infrastructure; Confidence: High
74.63.195.237                     IP address     TG-3390 infrastructure; Confidence: High
74.63.195.238                     IP address     TG-3390 infrastructure; Confidence: High
103.24.0.142                      IP address     TG-3390 infrastructure; Confidence: High
103.24.1.54                       IP address     TG-3390 infrastructure; Confidence: High
106.187.45.162                    IP address     TG-3390 infrastructure; Confidence: High
192.151.236.138                   IP address     TG-3390 infrastructure; Confidence: High
192.161.61.19                     IP address     TG-3390 infrastructure; Confidence: High
192.161.61.20                     IP address     TG-3390 infrastructure; Confidence: High
192.161.61.22                     IP address     TG-3390 infrastructure; Confidence: High
67.215.232.179                    IP address     TG-3390 infrastructure; Confidence: High
96.44.177.195                     IP address     TG-3390 infrastructure; Confidence: High
49.143.192.221                    IP address     TG-3390 infrastructure; Confidence: Moderate
67.215.232.181                    IP address     TG-3390 infrastructure; Confidence: Moderate
67.215.232.182                    IP address     TG-3390 infrastructure; Confidence: Moderate
96.44.182.243                     IP address     TG-3390 infrastructure; Confidence: Moderate
96.44.182.245                     IP address     TG-3390 infrastructure; Confidence: Moderate
96.44.182.246                     IP address     TG-3390 infrastructure; Confidence: Moderate
49.143.205.30                     IP address     TG-3390 infrastructure; Confidence: Moderate
working_success@163.com           Email address  TG-3390 email address; Confidence: High
ykcaihyl@163.com                  Email address  TG-3390 email address; Confidence: High
yuming@yinsibaohu.aliyun.com      Email address  TG-3390 email address; Confidence: Low
1cb4b74e9d030afbb18accf6ee2bfca1  MD5 hash       HttpBrowser RAT dropper
b333b5d541a0488f4e710ae97c46d9c2  MD5 hash       HttpBrowser RAT dropper
86a05dcffe87caf7099dda44d9ec6b48  MD5 hash       HttpBrowser RAT dropper
93e40da0bd78bebe5e1b98c6324e9b5b  MD5 hash       HttpBrowser RAT dropper
f43d9c3e17e8480a36a62ef869212419  MD5 hash       HttpBrowser RAT dropper
57e85fc30502a925ffed16082718ec6c  MD5 hash       HttpBrowser RAT dropper
4251aaf38a485b08d5562c6066370f09  MD5 hash       HttpBrowser RAT dropper
bbfd1e703f55ce779b536b5646a0cdc1  MD5 hash       HttpBrowser RAT dropper
12a522cb96700c82dc964197adb57ddf  MD5 hash       HttpBrowser RAT dropper
728e5700a401498d91fb83159beec834  MD5 hash       HttpBrowser RAT dropper
2bec1860499aae1dbcc92f48b276f998  MD5 hash       HttpBrowser RAT dropper
014122d7851fa8bf4070a8fc2acd5dc5  MD5 hash       HttpBrowser RAT
0ae996b31a2c3ed3f0bc14c7a96bea38  MD5 hash       HttpBrowser RAT
1a76681986f99b216d5c0f17ccff2a12  MD5 hash       HttpBrowser RAT
380c02b1fd93eb22028862117a2f19e3  MD5 hash       HttpBrowser RAT
40a9a22da928cbb70df48d5a3106d887  MD5 hash       HttpBrowser RAT
46cf2f9b4a4c35b62a32f28ac847c575  MD5 hash       HttpBrowser RAT
5436c3469cb1d87ea404e8989b28758d  MD5 hash       HttpBrowser RAT
692cecc94ac440ec673dc69f37bc0409  MD5 hash       HttpBrowser RAT
6a39a4e9933407aef31fdc3dfa2a2a95  MD5 hash       HttpBrowser RAT
8b4ed3b392ee5da139c16b8bca38ea5e  MD5 hash       HttpBrowser RAT
8ea5d8bb6b28191e4436456c35477e39  MD5 hash       HttpBrowser RAT
9271bcfbba056c8f80c7f04d72efd62d  MD5 hash       HttpBrowser RAT
996843b55a7c5c7a36e8c6956e599610  MD5 hash       HttpBrowser RAT
a554efc889714c70e9362bdc81fadd6a  MD5 hash       HttpBrowser RAT
c9c93c2d62a084031872aab96202ee3e  MD5 hash       HttpBrowser RAT
ddbdf0efdf26e0c267ef6155edb0e6b8  MD5 hash       HttpBrowser RAT
e7df18a17d8e7c2ed541a57020444068  MD5 hash       HttpBrowser RAT
ea4dcafc224f604c096032dde33a1d6d  MD5 hash       HttpBrowser RAT
f658bb17d69912404f34532901edad0e  MD5 hash       HttpBrowser RAT
f869a1b40f6438dfdd89e73480103211  MD5 hash       HttpBrowser RAT
81ed752590752016cb1c12f3e9ab3454  MD5 hash       HttpBrowser RAT
5ef719f8aeb9bf97beb24a5c2ed19173  MD5 hash       HttpBrowser RAT
7ec91768376324be2bad4fd30b1c2051  MD5 hash       HttpBrowser RAT
20c446ad2d7d1586138b493ecddfbbc7  MD5 hash       HttpBrowser RAT
44cf0793e05ba843dd53bbc7020e0f1c  MD5 hash       HttpBrowser RAT
02826bb6636337963cc5162e6f87745e  MD5 hash       HttpBrowser RAT
1606ab7a54735af654ee6deb7427f652  MD5 hash       HttpBrowser RAT
1539b3a5921203f0e2b6c05d692ffa27  MD5 hash       HttpBrowser RAT
c66e09429ad6669321e5c69b1d78c082  MD5 hash       HttpBrowser RAT
225e10e362eeee15ec64246ac021f4d6  MD5 hash       HttpBrowser RAT
a631fc7c45cbdf80992b9d730df0ff51  MD5 hash       HttpBrowser RAT
af785b4df71da0786bcae233e55cf6c1  MD5 hash       HttpBrowser RAT
e3e0f3ad4ff3b981b513cc66b37583e8  MD5 hash       HttpBrowser RAT
5cd0e97a1f09001af5213462aa3f7eb1  MD5 hash       HttpBrowser RAT
15fd9c04d6099273a9acf8feab81acfe  MD5 hash       HttpBrowser RAT
ea8b9e0bf95fc0c71694310cb685cd3b  MD5 hash       HttpBrowser RAT
5c3ab475be110ec59257617ee1388e01  MD5 hash       HttpBrowser RAT
6aac7417ea1eb60a869597af9049b8fa  MD5 hash       HttpBrowser RAT
372f5370085a63f5b660fab635ce6cd7  MD5 hash       HttpBrowser RAT
fac4885324cb67bd421d6250fdc9533c  MD5 hash       HttpBrowser RAT
e7e555615a07040bb5dbe9ce59ac5d11  MD5 hash       HttpBrowser RAT
ff34cb1d90d76a656546293e879afe22  MD5 hash       HttpBrowser RAT
2abf7421c34c60d48e09325a206e720e  MD5 hash       HttpBrowser RAT
396b4317db07cc8a2480786160b33044  MD5 hash       HttpBrowser RAT
e404873d3fcd0268db10657b53bdab64  MD5 hash       HttpBrowser RAT
6e4189b20adb253b3c1ad7f8fdc95009  MD5 hash       HttpBrowser RAT
bff424289c38d389a8cafb16b47dfe39  MD5 hash       HttpBrowser RAT
7294c7f3860315d51f74152e8ad353df  MD5 hash       HttpBrowser RAT
40092f76fea082b05e9631d91975a401  MD5 hash       HttpBrowser RAT
e42fce74bbd637c35320cf4e95f5e055  MD5 hash       HttpBrowser RAT
d0dafc3716a0d0ce393cde30b2b14a07  MD5 hash       HttpBrowser RAT
ae66bad0c7de88ab0ab1050c4bec9095  MD5 hash       HttpBrowser RAT
c7c2be1cd3780b2ba4638cef9a5422c7  MD5 hash       HttpBrowser RAT
405949955b1cb65673c16bf7c8da2f4d  MD5 hash       HttpBrowser RAT
ff4f052dbe73a81403df5e98313000fb  MD5 hash       HttpBrowser RAT
b30fcd362c7b8ac75b7dddfe6cb448c7  MD5 hash       HttpBrowser RAT
1d24f4d20b80562de46a8ac95d0ff8c2  MD5 hash       HttpBrowser RAT
9538bbdb3a73201b40296e9d4dc80ade  MD5 hash       HttpBrowser RAT
46bb2caeda30c09a6337fd46ec98c32c  MD5 hash       HttpBrowser RAT
0c8842e48e80643d91dd290d0f786147  MD5 hash       HttpBrowser RAT
0fc975c3c4e6c546b4f2b5aaed50dd78  MD5 hash       HttpBrowser RAT
41be449f687828466ed7d87f0f30a278  MD5 hash       HttpBrowser RAT
2b95caf3307ebd36cf405b1133b30aa8  MD5 hash       HttpBrowser RAT
ccc715a4d9d0157b9776deacdb26bf78  MD5 hash       HttpBrowser RAT
37933acfa8d8e78c54413d88ca705e17  MD5 hash       HttpBrowser RAT
2813c5a1c87f7e3d33174fed8b0988a1  MD5 hash       HttpBrowser RAT
8f22834efe52ccefb17e768569eb36b9  MD5 hash       HttpBrowser RAT
6f01628a0b5de757a8dbe99020499d10  MD5 hash       HttpBrowser RAT
7f8d9f12f41156512b60ab17f8d85fe9  MD5 hash       HttpBrowser RAT
debe5ef2868b212f4251c58be1687660  MD5 hash       HttpBrowser RAT
e136d4ebab357fd19df8afe221460571  MD5 hash       HttpBrowser RAT
a86a906cfafaf1d7e3725bb0161b0cfe  MD5 hash       HttpBrowser RAT
03e1eac3512a726da30fff41dbc26039  MD5 hash       HttpBrowser RAT
baac5e5dd3ce7dae56cab6d3dac14e15  MD5 hash       HttpBrowser RAT
0f7dde31fbeb5ddbb6230c401ed41561  MD5 hash       HttpBrowser RAT
36d957f6058f954541450f5a85b28d4b  MD5 hash       HttpBrowser RAT
42d874f91145bd2ddf818735346022d8  MD5 hash       HttpBrowser RAT
3468034fc3ac65c60a1f1231e3c45107  MD5 hash       HttpBrowser RAT
4e3b51a6a18bdb770fc38650a70b1883  MD5 hash       HttpBrowser RAT
3647068230839f9cadf0fd4bd82ade84  MD5 hash       HttpBrowser RAT
550922107d18aa4caad0267997709ee5  MD5 hash       HttpBrowser RAT
d8f0a6450f9df637daade521dc90d29d  MD5 hash       HttpBrowser RAT
bf2e2283b19b0febc4bd1f47aa82a94c  MD5 hash       HttpBrowser RAT
d0eec2294a70ceff84ca8d0ed7939fb5  MD5 hash       HttpBrowser RAT
e91d2464c8767552036dd0294fc7e6fb  MD5 hash       HttpBrowser RAT
f627bc2db3cab34d97c8949931cb432d  MD5 hash       HttpBrowser RAT
b313bbe17bd5ee9c00acff3bfccdb48a  MD5 hash       PlugX RAT dropper
f7a842eb1364d1269b40a344510068e8  MD5 hash       PlugX RAT dropper
8dacca7dd24844935fcd34e6c9609416  MD5 hash       PlugX RAT dropper
7cffd679599fb8579abae8f32ce49026  MD5 hash       PlugX RAT dropper
462fd01302bc40624a44b7960d2894cd  MD5 hash       PlugX RAT dropper

Table 1. TG-3390 indicators.


APPENDIX A — IDENTIFYING ATTRIBUTION AND GAUGING CONFIDENCE


IDENTIFYING ATTRIBUTION

In most cases, CTU researchers do not have intelligence to directly attribute a
threat group, so attribution relies on circumstantial evidence and is an
assessment rather than a fact. CTU researchers draw on three distinct
intelligence bases for evidence of attribution:

 * Observed activity is gathered from CTU researchers' observation and
   investigation of a threat group's activity on a target network and across
   Dell SecureWorks data, and analysis of tactics, techniques, and procedures
   (TTPs) the threat group employs.
 * Third-party intelligence is gained from trusted relationships within the
   security industry and with other private and public sector organizations, as
   well as analysis of open source intelligence.
 * Contextual analysis compares threat group targets against intelligence
   requirements of nation states and other threat actors and compares tradecraft
   employed by a threat group to tradecraft of known threat actors.



GAUGING CONFIDENCE LEVEL

CTU researchers have adopted the grading system published by the U.S. Office of
the Director of National Intelligence to indicate confidence in their
assessments:

 * High confidence generally indicates that judgments are based on high-quality
   information, and/or that the nature of the issue makes it possible to render
   a solid judgment. A "high confidence" judgment is not a fact or a certainty,
   however, and such judgments still carry a risk of being wrong.
 * Moderate confidence generally means that the information is credibly sourced
   and plausible but not of sufficient quality or corroborated sufficiently to
   warrant a higher level of confidence.
 * Low confidence generally means that the information's credibility and/or
   plausibility is questionable, or that the information is too fragmented or
   poorly corroborated to make solid analytic inferences, or that [there are]
   significant concerns or problems with the sources.



APPENDIX B — HTTPBROWSER ANALYSIS

HttpBrowser is a remote access tool whose name originates from the hard-coded
"HttpBrowser/1.0" User-Agent. CTU researchers also identified a PDB string in
the binaries, J:\TokenControlV3\ServerDll\Release\ServerDll.pdb, which implies
that the threat actors may refer to the tool as "TokenControl." Table 2 lists
the commands available to threat actors in one of the HttpBrowser variants.

Command  Functionality
Init     Create a reverse shell
Write    Write a file to the compromised system from the C2 server
List     List the files in a directory
Upload   Upload a file from the compromised system to the C2 server

Table 2. HttpBrowser command set. (Source: Dell SecureWorks)

Other variants of the backdoor may include additional commands such as setcmd,
settime, uninstall, and down. Table 3 shows the unencrypted URL parameters,
along with sample data and a description of the data.

URL parameter  Sample data                             Description
c=             Victim->Administrator                   Hostname and username
l=             192.168.1.100                           Compromised system's IP address
o=             5,1,1,32                                Windows major and minor version, coupled with architecture (32 v. 64)
u=             {B5B70BD7-87FC-499A-B4D1-98163306F0D8}  A GUID
r=             1                                       Boolean value if the malware is running as injected code
t=             8035187                                 Number of milliseconds the computer has been running

Table 3. HttpBrowser parameters. (Source: Dell SecureWorks)
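Because this variant sends its check-in data as plain URL parameters under a fixed User-Agent, the parameter set in Table 3 makes a usable proxy-log signature. The Python below is an added example written for this article (not a Dell SecureWorks tool and not the malware's own code); the sample requests are constructed, the host names are reserved example names, and the scoring is an arbitrary one-point-per-trait scheme. Other variants may add commands or change the encoding, so the User-Agent and the parameter checks are scored separately rather than required together.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hard-coded User-Agent and the six check-in parameters from Table 3.
HTTPBROWSER_UA = "HttpBrowser/1.0"
BEACON_PARAMS = ("c", "l", "o", "u", "r", "t")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def score_httpbrowser(url, user_agent):
    """Return (score, reasons): one point per Table 3 trait the request matches."""
    reasons = []
    if user_agent == HTTPBROWSER_UA:
        reasons.append("User-Agent is HttpBrowser/1.0")
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not all(k in qs for k in BEACON_PARAMS):
        return len(reasons), reasons
    reasons.append("all six check-in parameters present")
    c, l, o, u, r, t = (qs[k][0] for k in BEACON_PARAMS)
    if "->" in c:
        reasons.append("c= is hostname->username")
    if IPV4_RE.match(l):
        reasons.append("l= is an IPv4 address")
    parts = o.split(",")
    if len(parts) == 4 and all(p.isdigit() for p in parts) and parts[3] in ("32", "64"):
        reasons.append("o= is major,minor,x,architecture")
    if GUID_RE.match(u):
        reasons.append("u= is a braced GUID")
    if r in ("0", "1"):
        reasons.append("r= is a boolean flag")
    if t.isdigit():
        reasons.append("t= is an uptime counter")
    return len(reasons), reasons


def flag_requests(requests, threshold=4):
    """Return (url, user_agent, score) for requests scoring at or above threshold."""
    flagged = []
    for url, ua in requests:
        score, _ = score_httpbrowser(url, ua)
        if score >= threshold:
            flagged.append((url, ua, score))
    return flagged


# Constructed sample traffic: one check-in shaped like Table 3, two benign requests
# (the third has the same parameter names but none of the value shapes).
SAMPLE_REQUESTS = [
    ("http://update.example.test/index.php?c=Victim->Administrator&l=192.168.1.100"
     "&o=5,1,1,32&u={B5B70BD7-87FC-499A-B4D1-98163306F0D8}&r=1&t=8035187",
     "HttpBrowser/1.0"),
    ("http://www.example.test/search?q=quarterly+report&l=en&t=10", "Mozilla/5.0"),
    ("http://www.example.test/api?c=1&l=2&o=3&u=4&r=5&t=6", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for url, ua in SAMPLE_REQUESTS:
        score, why = score_httpbrowser(url, ua)
        print(score, url[:60], why)
```

The value-shape checks matter more than the parameter names: short single-letter keys are common on legitimate sites, but a hostname->username pair, a comma-separated OS version ending in 32 or 64, a braced GUID and an uptime counter together are specific to this check-in format.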


APPENDIX C — OWAAUTH WEB SHELL ANALYSIS

OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers
and shares characteristics with the ChinaChopper web shell. Like ChinaChopper,
it parses HTTP requests for the Z1 and Z2 parameters (see Table 4). The
legitimate owaauth.dll file resides in %ProgramFiles%\Microsoft\Exchange
Server\ClientAccess\Owa\Auth\ while CTU researchers have observed the backdoor
using the same filename in the %ProgramFiles%\Microsoft\Exchange
Server\ClientAccess\Owa\bin\ directory. In addition to acting as a web shell,
the malware captures and DES-encrypts credentials before writing the username
and password to disk. The OwaAuth web shell enables a threat actor to upload and
download files, launch processes, and execute SQL queries.

Each web shell instance is configured to contain SP, Key, and Log variables. The
SP variable is a string containing the victim's username. When the malicious
ISAPI filter captures a username matching this variable, it knows to handle the
incoming HTTP request as a command to the web shell. The DES key to encrypt the
credentials in the configuration observed by CTU researchers is 12345678, and
the log file is c:\log.txt. The decrypted contents of the log file adhere to the
format in Figure 22.


Figure 22. Decrypted OwaAuth log file format. (Source: Dell SecureWorks)
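A first check for this backdoor is the file placement described above: the legitimate owaauth.dll lives under ClientAccess\Owa\Auth\, so a file of that name under ClientAccess\Owa\bin\ (or anywhere else) is out of place, and the "SyberSpace" PDB string from Figure 20 gives a second, content-based marker. The Python below is an added example written for this article, not a Dell SecureWorks tool: it builds a constructed Exchange directory layout in a temporary folder (the DLL bodies are placeholder bytes, not real binaries, and the embedded PDB path is invented) and audits it. On a live server the same function would be pointed at %ProgramFiles%, with any hit followed up by hashing the file and looking for the credential log.

```python
import os
import tempfile

# Locations from Appendix C, relative to %ProgramFiles%, compared case-insensitively.
LEGIT_DIR = r"Microsoft\Exchange Server\ClientAccess\Owa\Auth"
ROGUE_DIR = r"Microsoft\Exchange Server\ClientAccess\Owa\bin"
TARGET_NAME = "owaauth.dll"
# PDB username reported in Figure 20; a byte search is a crude but useful marker.
PDB_MARKER = b"SyberSpace"
# Credential log file named in Appendix C (c:\log.txt on the real system).
LOG_NAME = "log.txt"


def win_relpath(path, root):
    """Relative path in Windows form, so comparisons work on any host OS."""
    return os.path.relpath(path, root).replace("/", "\\")


def contains_marker(path, marker=PDB_MARKER):
    try:
        with open(path, "rb") as fh:
            return marker in fh.read()
    except OSError:
        return False


def audit_owaauth(program_files, log_root=None):
    """Return one finding per owaauth.dll found (and the credential log, if present)."""
    findings = []
    for dirpath, _dirs, files in os.walk(program_files):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel_dir = win_relpath(dirpath, program_files).lower()
            if rel_dir == LEGIT_DIR.lower():
                status = "expected"
            elif rel_dir == ROGUE_DIR.lower():
                status = "rogue"       # the placement CTU observed
            else:
                status = "unexpected"  # any other copy still needs a look
            findings.append({
                "path": win_relpath(full, program_files),
                "status": status,
                "pdb_marker": contains_marker(full),
            })
    if log_root:
        log_path = os.path.join(log_root, LOG_NAME)
        if os.path.isfile(log_path):
            findings.append({"path": log_path, "status": "credential-log", "pdb_marker": False})
    return findings


def build_sample_exchange_tree():
    """Constructed layout: a clean DLL in Auth, a marked copy in bin, and a log file."""
    root = tempfile.mkdtemp(prefix="pf_")
    layout = {
        (LEGIT_DIR, TARGET_NAME): b"MZ" + b"\x00" * 64,
        # Invented PDB path containing the marker; not the real string from Figure 20.
        (ROGUE_DIR, "OwaAuth.dll"): b"MZ" + b"\x00" * 32 + b"\\SyberSpace\\placeholder.pdb",
    }
    for (rel_dir, name), body in layout.items():
        d = os.path.join(root, *rel_dir.split("\\"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, LOG_NAME), "wb") as fh:
        fh.write(b"placeholder")   # stands in for the DES-encrypted credential log
    return root


if __name__ == "__main__":
    root = build_sample_exchange_tree()
    for finding in audit_owaauth(root, log_root=root):
        print(finding)
```

Only the "expected" copy should exist on a healthy server, and even that one is worth hashing against a known-good Exchange installation, since the backdoor reuses the legitimate file name; the PDB marker is a bonus signal, not a requirement, because a rebuilt sample may not carry it.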

Table 4 lists the OwaAuth web shell commands available to the adversary.

Command  Functionality
A        List logical drives
B        List directory (Z1 = directory name to list)
C        Read data from file (Z1 = filename to read)
D        Write content to file (Z1 = filename to write, Z2 = content to write)
E        Delete file in directory (Z1 = file)
F        Generate custom web response "->|value in Z1|<-"
G        Write hex-encoded content to file (Z1 = filename to write, Z2 = hex encoded content to write)
H        Call _Notice(Z1, Z2)
I        Move/rename file or directory (Z1 = target, Z2 = new name)
J        Create directory (Z1 = directory name)
K        Timestomp file or directory (Z1 = target, Z2 = time/date string to stomp to)
L        Download file from Internet (Z1 = URL, Z2 = filename to write to)
M        Launch process (Z1 = process name, Z2 = arguments)
N        Test connect to SQL database (Z1 = SqlConnect String)
O        SQL Get database table scheme (Z1 = \r delimited parameters to command)
P        SQL Get database table scheme with restrictions (Z1 = \r delimited parameters to command)
Q        SQL execute SQL command (Z1 = \r delimited parameters to command)

Table 4. OwaAuth web shell command set. (Source: Dell SecureWorks)


APPENDIX D — DOMAIN NAME PARKING EXAMPLE

CTU researchers have observed TG-3390 parking domains by pointing their A record
to a non-routable IP space, including the 127.0.0.[x] loopback address. Table 5
demonstrates how the threat actors change one of their C2 domains to point to
routable and non-routable IP addresses over time.

Start date  End date                        IP change        Location
7/9/13      7/31/13                         210.116.106.66   Seoul, Korea
7/31/13     10/12/13                        127.0.0.1        N/A
10/12/13    11/5/13                         122.10.10.196    Hong Kong
11/5/13     1/12/14                         198.100.107.107  California, U.S.
1/12/14     3/5/14                          127.0.0.1        N/A
3/5/14      3/31/14                         103.24.0.142     Hong Kong
3/31/14     10/27/14                        103.24.1.54      Hong Kong
10/27/14    11/9/14                         127.0.0.1        N/A
11/9/14     5/25/15                         127.0.0.3        N/A
5/25/15     Current as of this publication  127.0.0.1        N/A

Table 5. Example parking of trendmicro-update . org (Source: Dell SecureWorks)
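Table 5 shows why this parking behaviour is useful to defenders: a C2 domain that resolves to loopback is dormant, not gone, and the moment it flips back to a routable address is the moment to raise an alert. The Python below is an added example written for this article, not a Dell SecureWorks tool; it encodes the Table 5 history in code, classifies each resolution with the standard library's ipaddress module, and reports the reactivation dates and total days parked. The cut-off date used to close the open-ended last row is an assumption made for the demonstration.

```python
import ipaddress
from datetime import datetime

# Resolution history from Table 5 as (start, end, address); None marks the
# open-ended final row ("Current as of this publication").
HISTORY = [
    ("7/9/13",   "7/31/13",  "210.116.106.66"),
    ("7/31/13",  "10/12/13", "127.0.0.1"),
    ("10/12/13", "11/5/13",  "122.10.10.196"),
    ("11/5/13",  "1/12/14",  "198.100.107.107"),
    ("1/12/14",  "3/5/14",   "127.0.0.1"),
    ("3/5/14",   "3/31/14",  "103.24.0.142"),
    ("3/31/14",  "10/27/14", "103.24.1.54"),
    ("10/27/14", "11/9/14",  "127.0.0.1"),
    ("11/9/14",  "5/25/15",  "127.0.0.3"),
    ("5/25/15",  None,       "127.0.0.1"),
]

# Assumed cut-off for the open-ended row; not a date from the report.
ASSUMED_AS_OF = datetime(2015, 6, 1)


def parse_date(text):
    return datetime.strptime(text, "%m/%d/%y")


def is_parked(address):
    """Loopback, private, link-local or any other non-global space counts as parked."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or not ip.is_global


def reactivations(history):
    """Dates on which the domain moved from a parked address to a routable one."""
    events = []
    previous_parked = None
    for start, _end, address in history:
        parked = is_parked(address)
        if previous_parked and not parked:
            events.append((start, address))
        previous_parked = parked
    return events


def days_parked(history, as_of=ASSUMED_AS_OF):
    """Total days spent on non-routable addresses, closing the open row at as_of."""
    total = 0
    for start, end, address in history:
        if not is_parked(address):
            continue
        stop = parse_date(end) if end else as_of
        total += (stop - parse_date(start)).days
    return total


def current_state(history):
    """'parked' or 'active' according to the most recent row."""
    return "parked" if is_parked(history[-1][2]) else "active"


if __name__ == "__main__":
    for date, address in reactivations(HISTORY):
        print(f"{date}: domain reactivated on {address}")
    print("days parked:", days_parked(HISTORY))
    print("current state:", current_state(HISTORY))
```

Fed with passive-DNS history instead of the hand-typed table, the same two functions turn a list of known C2 domains into a watch list: a domain that is parked stays blocked, and a reactivation event is the trigger to check proxy and DNS logs for clients that resolved it the same day.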


ENDNOTES

[1] The Dell SecureWorks Counter Threat Unit™ (CTU) research team tracks
threat groups by assigning them four-digit randomized numbers (3390 in this
case), and compiles information from first-hand incident response observations
and from external sources.

[2] Threat groups use strategic web compromises (SWCs), also known as watering
hole attacks, to target a wide array of potential victims. Threat actors
compromise a website used by their target demographic (e.g., compromising a
website specializing in oil and gas industry news when targeting the energy
vertical). Visitors to the compromised website are redirected to a server under
the threat group's control, where their system is compromised with the threat
group's malware. With this tactic, a threat group increases the likelihood of
compromising systems that possess desired information.


© 2019 SecureWorks, Inc.
