ics-cert.kaspersky.com Open in urlscan Pro
185.105.225.103  Public Scan

URL: https://ics-cert.kaspersky.com/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants...
Submission: On August 14 via api from DE — Scanned from DE

Form analysis 4 forms found in the DOM

<form class="header__search-form">
  <input type="text" class="header__input">
</form>

<form class="header__search-form">
  <input type="text" class="header__input">
</form>

POST #

<form class="modal-m__form form-subscription" method="POST" action="#">
  <input type="hidden" name="Услуга" id="advisories_info">
  <span class="modal-m__title">Подписка на рассылку</span>
  <label class="modal-m__label">
    <span>E-mail</span>
    <input type="text" class="modal-m__input field__input input" id="email">
    <div class="input--info"></div>
  </label>
  <div class="arcs-modal__field-wrapper_checkbox field_checkbox checkbox modal-m__privacy form-check">
    <label for="vulnerabilities" class="checkbox__label modal-m__text"> Данные по уязвимостямо </label>
    <input type="checkbox" class="checkbox__input visually-hidden" name="vulnerabilities" checked="" id="vulnerabilities">
    <span class="checkbox__input-fake"></span>
  </div>
  <div class="arcs-modal__field-wrapper_checkbox field_checkbox checkbox modal-m__privacy">
    <label for="threats" class="checkbox__label modal-m__text"> Информация об угрозах </label>
    <input type="checkbox" class="checkbox__input visually-hidden" name="threats" checked="" id="threats">
    <span class="checkbox__input-fake"></span>
  </div>
  <div class="arcs-modal__field-wrapper_checkbox field_checkbox checkbox modal-m__privacy">
    <label for="condition" class="checkbox__label modal-m__text"> I agree to provide my contact information to Kaspersky Lab (first name, last name, email address, phone, country postal code) to be contacted by Kaspersky Lab sales representatives by
      phone for a personalized offer that could be based, in particular, on geography and company size information provided; to receive information via email about Kaspersky Lab products and services including promotional offers, product updates and
      premium assets like white papers, webcasts, videos, events etc.; to participate in surveys to vocalize opinion on various aspects of Kaspersky Lab business, in particular, about products, and technical support. I understand that I can withdraw
      this consent at any time via unsubscribe link from email or via <a href="#" class="modal-m__link">
                                         Privacy Policy                                         </a>
    </label>
    <input type="checkbox" class="checkbox__input visually-hidden" name="condition" id="condition">
    <span class="checkbox__input-fake"></span>
  </div>
  <div class="g-recaptcha" data-sitekey="6Lc4EwkUAAAAAMHZJ47EcbYQ2SNuyT-nYvVtRfqq">
    <div style="width: 304px; height: 78px;">
      <div><iframe title="reCAPTCHA"
          src="https://www.google.com/recaptcha/api2/anchor?ar=1&amp;k=6Lc4EwkUAAAAAMHZJ47EcbYQ2SNuyT-nYvVtRfqq&amp;co=aHR0cHM6Ly9pY3MtY2VydC5rYXNwZXJza3kuY29tOjQ0Mw..&amp;hl=de&amp;v=3kTz7WGoZLQTivI-amNftGZO&amp;size=normal&amp;cb=6ev2hzpdu4dw"
          width="304" height="78" role="presentation" name="a-7vrj11eliynv" frameborder="0" scrolling="no" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox"></iframe>
      </div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response"
        style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
    </div><iframe style="display: none;"></iframe>
  </div>
  <br>
  <button class="arcs-modal__form-button button-ajax" type="submit">
    <span class="button__text">Подписаться</span>
  </button>
</form>

POST https://ics-cert.kaspersky.com/wp-content/themes/new_ics_cert/ajax/cookie-usage.php

<form action="https://ics-cert.kaspersky.com/wp-content/themes/new_ics_cert/ajax/cookie-usage.php" class="notification_form js-cookie-notification" method="post">
  <input type="hidden" id="_wpnonce" name="_wpnonce" value="cbde7fa9ed"><input type="hidden" name="_wp_http_referer" value="/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/"> <input
    type="hidden" name="agree" value="true">
  <div class="notification_description">
    <p>We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking
      on&nbsp;<a class="external-link" href="https://www.kaspersky.com/web-privacy-policy" rel="nofollow">more information</a>.</p>
  </div>
  <button class="footer__download-key button_hover" style="border: none" type="submit">Accept and Close</button>
</form>

Text Content

 * Publications
 * Services
 * Advisories
 * Events
 * Statistics

English English Русский
English
English
Русский

 * Publications
 * Services
 * Advisories
 * Events
 * Statistics

English English Русский
English
English
Русский
Contents:
 * Variants of FourteenHi
 * MeatBall backdoor
 * Implant using Yandex Cloud as C2
 * Conclusion
 * Recommendations
 * Appendix I – Indicators of compromise
 * Appendix II – MITRE ATT&CK Mapping





Filter


 * Main
 * Publications
 * Reports
 * Common TTPs of attacks against industrial organizations. Implants for remote
   access
 * Common TTPs of attacks against industrial organizations. Implants for remote
   access

20 July 2023


COMMON TTPS OF ATTACKS AGAINST INDUSTRIAL ORGANIZATIONS. IMPLANTS FOR REMOTE
ACCESS

 * 
 * 
 * 
 * 

Download PDF
 * Variants of FourteenHi
 * MeatBall backdoor
 * Implant using Yandex Cloud as C2
 * Conclusion
 * Recommendations
 * Appendix I – Indicators of compromise
   * Variants of FourteenHi
     * MD5
     * C2 IP/URL
   * Backdoor.Win32.MeatBall
     * MD5
     * C2 IP/URL
   * Implant using Yandex Cloud as C2
     * MD5
   
   
 * Appendix II – MITRE ATT&CK Mapping

In 2022 we investigated a series of attacks against industrial organizations in
Eastern Europe. In the campaigns, the attackers aimed to establish a permanent
channel for data exfiltration, including data stored on air-gapped systems.

Based on similarities found between these campaigns and previously researched
campaigns (e.g., ExCone, DexCone), including the use of FourteenHi variants,
specific TTPs and the scope of the attack, we have medium to high confidence
that a threat actor called APT31, also known as Judgment Panda and Zirconium, is
behind the activities described in this report.

To exfiltrate data and deliver next-stage malware, the threat actor (or actors)
abuse(s) a cloud-based data storage, e.g., Dropbox or Yandex Disk, as well as a
service used for temporary file sharing. They also use C2 deployed on regular
virtual private servers (VPS). In addition, the threat actor(s) deploy(s) a
stack of implants that collect data from air-gapped networks via infected
removable drives.

For most implants, the threat actor(s) use(s) similar implementations of DLL
hijacking (often associated with Shadowpad malware) and memory injection
techniques, along with using RC4 encryption to hide the payload and to evade
detection. In addition, libssl.dll or libcurl.dll was statically linked to
implants to implement encrypted C2 communications.

In total we have identified over 15 implants and their variants planted by the
threat actor(s) in various combinations.

The entire stack of implants used in attacks can be divided into three
categories based on their roles:

 * First-stage implants for persistent remote access and initial data gathering
 * Second-stage implants for gathering data and files, including from air-gapped
   systems
 * Third-stage implants and tools used to upload data to C2

In this article (which is the first part of the report) we analyze common TTPs
of first-stage implants used by threat actors to establish a persistent remote
access channel into the infrastructure of industrial organizations.

The full report is available on the Kaspersky Threat Intelligence portal.
For more information please contact ics-cert@kaspersky.com.


VARIANTS OF FOURTEENHI

FourteenHi is a malware family discovered in 2021 in a campaign that was dubbed
ExCone (1, 2), active since mid-March 2021 and targeting government entities. In
2022 we discovered new variants used in attacks on the infrastructure of
industrial organizations.

Various samples of FourteenHi (both x64 and x86) are significantly different
from each other in terms of their code structure, implementations of their
loaders, and C2 types. But their core distinctive features, such as the C2
communication protocol and the list of commands, are pretty much the same. The
most significant difference exists between x86 and x64 variants of FourteenHi.

Samples for x64 have persistence capabilities and a 2-step C2 communication
protocol. They accept a relatively long list of commands, including:

 * upload arbitrary files,
 * download arbitrary files,
 * run arbitrary commands,
 * set communication delay,
 * start reverse shell,
 * terminate own process and remove persistence.

To protect communication with C2, they use the API of the statically linked
OpenSSL library. In addition, they use RC4 to encrypt / decrypt the data they
send / receive from C2.

FourteenHi x64 code for parsing a C2 response FourteenHi x64 code for parsing
commands in a C2 response

The samples for x86 have no persistence capabilities, are not linked with
OpenSSL, but still use RC4 encryption. They use a 1-step communication protocol,
but the list of commands is almost the same, except for the removal of
persistence mechanisms. 

FourteenHi x86 simple switch case for C2 response command matching

The absence of persistence capabilities (which usually require privilege
escalation) in variants for x86 and the overall lightness of compiled code make
them good candidates for an initial infection stage, which may be used to
collect initial information on a host or the local network, download next-stage
malware and data stealers, and provide a remote shell for the threat actor.
Nevertheless, the threat actor may easily add persistence to the implant by
creating a task in Windows Task Scheduler, as we have observed in the wild.

The loading scheme is more or less the same for all of the variants and consists
of three main components used by the threat actor to deploy an implant on a
victim’s machine:

 1. Legitimate application that is vulnerable to DLL hijacking.
 2. Malicious DLL that is loaded via DLL hijacking and is used to read and
    decrypt the FourteenHi payload from a binary data file and inject it into
    some system process such as svchost.exe or msiexec.exe.
 3. A binary data file containing the FourteenHi binary code encrypted with RC4.

All known variants of FourteenHi have config data embedded in their code and
encrypted with RC4. The configuration defines the campaign ID, C2 address and
port. The configuration of FourteenHi x64 also defines the name and description
of the Windows service it creates for persistence when executed without
parameters.


MEATBALL BACKDOOR

The MeatBall backdoor is a new implant that we discovered in the process of
researching attacks. It has vast remote access capabilities, including making
lists of running processes, connected devices and disks, performing file
operations, capturing screenshots, using remote shell, and self-updating. The
implant exists in variants for x86 and x64.

The implant uses a loading scheme based on the DLL hijacking technique, but
unlike many other implants, the payload is stored in the malicious DLL loader
itself, not in a separate file.

When the vulnerable host application is executed without parameters, the implant
calls IsNTAdmin and, if it has sufficient privileges, creates a service named
“esetcss”. Otherwise it simply adds itself to the registry key
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esetcss”
to be automatically executed at OS startup. 

Service created by the MeatBall implant

In both cases the implants are configured to be executed with the parameter
“-S”, which tells the implant to read the payload from its own module (.dll)
file, decrypt the payload using a one-byte XOR key, start “svchost.exe”, and
inject the decrypted payload into it. Then it starts the main C2 communication
loop by calling ResumeThread for “svchost.exe”.

The implant is statically linked with libssl.dll, which is used for SSL
encryption of C2 communication.

Command codes Description 0x2, 0x11 Update C2 address 0x3 List running processes
0x5 List connected devices 0x6 List connected disks 0x7, 0x8 Collect datetime
attributes for files in the folder specified 0x9 Terminate process 0xB Write
file 0xC Create file 0xD, 0xF Upload size and content of a file 0x10 Delete file
0x13 Run file 0x14 Close C2 connection 0x15, 0x1C, 0x1D, 0x1E Terminate own
process 0x16, 0x17,0x18, 0xA, 0x1F Create remote shell 0x19 Delete files in a
folder recursively 0x1A, 0x1B Capture screenshot


IMPLANT USING YANDEX CLOUD AS C2

Another interesting implant we found was one that uses the Yandex Cloud data
storage as a C2 (https://cloud-api.yandex[.]net) similarly to the malware
described in an earlier report. The implant uses a DLL hijacking based loading
scheme, in which the malicious DLL decrypts the implant’s body stored in a
separate file and injects it into a legitimate process’s memory.

The implant uses statically linked libcurl.dll for SSL-encrypted communication.
First it creates a mutex named “Njg8”to prevent more than one instance of itself
from being executed at any time, then it collects the following data on the
host:

 * Computer name
 * User name
 * IP address
 * MAC address
 * OS version
 * Path to %System%

To upload the data collected to C2, the implant sends a request using an
embedded API token to create a directory with a name that is unique to the
victim host. Then it creates a file with the prefix “1770_” and the extension
“.dat”, saving all information collected in that file.

The main loop of the implant periodically checks a cloud folder named “content”
for the latest uploaded files with prefixes “1780_”, “1781_” and “1784_”:

 * Files with prefixes “1780_” and “1781_” contain code in the PE format, e.g.,
   a legitimate application and a malicious DLL for next-stage DLL hijacking.
 * Files with the prefix “1784_” contain commands to be executed using cmd.exe.
   The output is then stored in a log file, which is immediately uploaded back
   to C2 and removed from the victim host.

All uploaded and downloaded data is encrypted with the RC4 algorithm.

Strings found in a sample which uses Yandex Disk Log containing the result of
command execution using cmd


CONCLUSION

The tendency to abuse cloud services (e.g., Dropbox, Yandex, Google, etc.) is
not new, but it continues to expand, because it is hard to restrict / mitigate
in cases when an organization’s business processes depend on using such
services.

Threat actors keep making it more difficult to detect and analyze threats by
hiding payloads in encrypted form in separate binary data files and by hiding
malicious code in the memory of legitimate applications via DLL hijacking and a
chain of memory injections.


RECOMMENDATIONS

 * Install security software with support for centralized security policy
   management on all servers and workstations and keep the antivirus databases
   and program modules of your security solutions up-to-date.
 * Check that all security software components are enabled on all systems and
   that a policy is in place which requires the administrator password to be
   entered in the event of attempts to disable protection.
 * Consider using Allowlisting and Application Control technologies to prevent
   unknown applications from being executed.
 * Consider using the Golden image configuration mode for Allowlisting and
   Application Control to prevent any software that is not allowed (including
   known vulnerable applications) from being executed.
 * Consider restricting internet access from the OT network by default, allowing
   access to specific users for limited periods of time and only when it is
   required to perform their duties.


APPENDIX I – INDICATORS OF COMPROMISE

Note: The indicators in this section are valid at the time of publication.

The full version of indicators of compromise, including Yara rules, is available
in a .ioc file on the Kaspersky Threat Intelligence portal.


VARIANTS OF FOURTEENHI

MD5

7332710D10B26A5970C5A1DDF7C83FBA (mpsvc.dll)
2A1CFA6D17627EAAA7A63F73038A93DA (taskhost.doc)
BB02A5D3E8807D7B13BE46AD478F7FBB (cclib.dll)
22E66E0BE712F2843D8DB22060088751 (ToastUI.exe.png)
D75C7BD965C168D693CE8294138136AE (ToastUI.exe.dat)

C2 IP/URL

sfb.odk-saturn[.]com/dialin/login
87.121.52[.]86


BACKDOOR.WIN32.MEATBALL

MD5

FFF248DB8066AE3D30274996BAEDDAB6 (oleacc.dll)

C2 IP/URL

freetranslatecenter[.]com
help.freetranslatecenter[.]com
onlinenewscentral[.]com
onlinemapservices[.]com
search.onlinemapservices[.]com
help.onlinemapservices[.]com
apps.onlinemapservices[.]com
edit.onlinemapservices[.]com
booking-onlines[.]com
81.28.13[.]74
92.38.160[.]142
92.38.188[.]135
92.38.190[.]55
103.221.222[.]133
193.109.78[.]243
193.124.112[.]206
194.87.95[.]125


IMPLANT USING YANDEX CLOUD AS C2

MD5

A05D6D7A6A1E9669FC4C61223DA3953F (dbghelp.dll)
2F5C889A819CFE0804005F7CE5FD956E (vmService.pkg)


APPENDIX II – MITRE ATT&CK MAPPING

The table below contains all the TTPs identified in the analysis of the activity
described in this report.

Tactic Technique Number Technique Name and Description Execution T1204.002 User
Execution: Malicious File
A system is infected when the user runs the malware believing it to be a
legitimate document. T1059.003 Command and Scripting Interpreter: Windows
Command Shell
Uses cmd.exe to execute multiple commands. T1106 Native API
Uses the CreateProcessW function to execute commands in the Windows command line
interpreter T1053.005 Scheduled Task/Job: Scheduled Task
Malware is executed with a Windows task created by the threat actor. Persistence
T1547.001 Registry Run Keys / Startup Folder:
Malware achieves persistence by adding itself to the Registry as a startup
program. T1543.003 Create or Modify System Process: Windows Service
Installs itself as a service to achieve persistence. T1053.005 Scheduled
Task/Job: Scheduled Task
Malware is executed with a Windows task created by the threat actor. Defense
Evasion T140 Deobfuscate/Decode Files or Information
Uses RC4 key to decrypt the malware configuration, as well as to protect
communication. T1055.002 Process Injection: Portable Executable Injection
Malware injects itself into various legitimate processes upon execution
(msiexec.exe, svchost.exe). T1497.001 System Checks
Employs various system checks to detect and avoid virtualization and analysis
environments. T1497.003 Time Based Evasion
Employs various time-based methods to detect and avoid virtualization and
analysis environments. T1574.002 Hijack Execution Flow: DLL Side-Loading
Threat actors abuse a legitimate application binary to load malicious DLL.
Discovery T1033 System Owner/User Discovery
Threat actors use systeminfo, whoami, and net utilities to get information about
the user and the infected system. T1057 Process Discovery
Threat actors use tasklist to enumerate running processes. Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Malware uses HTTPS and raw TCP for communication with C2. T1573.001 Encrypted
Channel: Symmetric Cryptography
Malware uses RC4 and SSL TLS v3 (using libssl.dll) to encrypt communication.
Exfiltration T1041 Exfiltration Over C2 Channel
Threat actors exfiltrate data using Dropbox, Yandex Disk, Yandex email and
temporary file sharing services as a C2 channel

Authors

 * Kirill Kruglov
   
   Senior Research Developer, Kaspersky ICS CERT

 * Vyacheslav Kopeytsev
   
   Senior Security Researcher, Kaspersky ICS CERT

 * Artem Snegirev
   
   Security Researcher, Kaspersky ICS CERT

APT31
DLL hijacking
FourteenHi
MeatBall
cloud services
APT
 * 
 * 
 * 
 * 

APT31
DLL hijacking
FourteenHi
MeatBall
cloud services
APT
Download PDF

See also

 * Common TTPs of attacks against industrial organizations. Implants for
   uploading data
   
   10 August 2023

 * Common TTPs of attacks against industrial organizations. Implants for
   gathering data
   
   31 July 2023

 * Why APTs are so successful – stories from IR trenches
   
   30 May 2023

Back to top

See also

 * Common TTPs of attacks against industrial organizations. Implants for
   uploading data
   
   10 August 2023

 * Common TTPs of attacks against industrial organizations. Implants for
   gathering data
   
   31 July 2023

 * Why APTs are so successful – stories from IR trenches
   
   30 May 2023

Подписка на рассылку E-mail

Данные по уязвимостямо
Информация об угрозах
I agree to provide my contact information to Kaspersky Lab (first name, last
name, email address, phone, country postal code) to be contacted by Kaspersky
Lab sales representatives by phone for a personalized offer that could be based,
in particular, on geography and company size information provided; to receive
information via email about Kaspersky Lab products and services including
promotional offers, product updates and premium assets like white papers,
webcasts, videos, events etc.; to participate in surveys to vocalize opinion on
various aspects of Kaspersky Lab business, in particular, about products, and
technical support. I understand that I can withdraw this consent at any time via
unsubscribe link from email or via Privacy Policy


Подписаться

A global project run by Kaspersky to coordinate the efforts of industrial
automation system vendors and industrial facility owners and operators.

   RSS feed

 * Publications
 * Services
 * Advisories
 * Statistics
 * Events
 * About

Download PGP/GPG key

Authorized to Use CERT™

CERT is a mark owned by
Carnegie Mellon University

© 2023 AO Kaspersky Lab

Privacy policy
If you have any questions remaining, please email us at ics-cert@kaspersky.com



We use cookies to make your experience of our websites better. By using and
further navigating this website you accept this. Detailed information about the
use of cookies on this website is available by clicking on more information.

Accept and Close

We'd like to show you notifications for the latest news and updates.


AllowCancel