A new APT group dubbed ChamelGang has emerged, targeting the fuel and energy complex and the aviation industry in Russia. It exploits known vulnerabilities such as ProxyShell in Microsoft Exchange Server and uses a mix of new and existing malware to compromise networks.
ChamelGang hides its malware and network infrastructure behind the legitimate services of established companies such as Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unusual ways, which helps it avoid detection.
One is to acquire domains that imitate their legitimate counterparts, such as newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com and mcafee-upgrade.com. The other is to install on its servers SSL certificates that likewise imitate legitimate ones, such as github.com, http://www.ibm.com, jquery.com and update.microsoft-support.net.
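The two evasion tricks just described suggest a simple triage for outbound TLS telemetry: flag hostnames that carry a brand name without sitting under that brand's real domain, and flag certificates whose names do not cover the hostname they are served for. The Python below is an added example, not code from the article or from the researchers' report; the brand-to-apex mapping and the sample sessions are constructed for illustration.

```python
BRAND_APEX = {  # assumed brand token -> apex domain the brand really controls
    "trendmicro": ("trendmicro.com",), "google": ("google.com",), "chrome": ("google.com",),
    "microsoft": ("microsoft.com",), "mcafee": ("mcafee.com",),
}

def under_apex(host: str, apex: str) -> bool:
    """True if host is the apex domain itself or a subdomain of it."""
    host, apex = host.lower().rstrip("."), apex.lower()
    return host == apex or host.endswith("." + apex)

def lookalike_brand(host: str):
    """Brand that a hostname imitates (a label like 'newtrendmicro' or 'mcafee-upgrade'
    carries the brand token, yet the host is not under the brand's real apex), else None."""
    labels = host.lower().rstrip(".").split(".")[:-1]  # ignore the TLD
    for brand, apexes in BRAND_APEX.items():
        if any(brand in lab for lab in labels) and not any(under_apex(host, a) for a in apexes):
            return brand
    return None

def cert_matches_host(host: str, names) -> bool:
    """RFC 6125-style check of a hostname against certificate CN/SAN names;
    a wildcard may stand in only for the whole leftmost label."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name.startswith("*."):
            h, n = host.split("."), name.split(".")
            if len(h) == len(n) and h[1:] == n[1:]:
                return True
        elif name == host:
            return True
    return False

def triage(connections):
    """connections: iterable of (SNI hostname, [certificate names]) -> [(host, reasons)]."""
    findings = []
    for host, names in connections:
        reasons = []
        if brand := lookalike_brand(host):
            reasons.append(f"hostname imitates {brand}")
        if not cert_matches_host(host, names):
            reasons.append(f"certificate names {names} do not cover the host")
        if reasons:
            findings.append((host, reasons))
    return findings

SAMPLE = [  # constructed sample of outbound TLS sessions, not real telemetry
    ("www.trendmicro.com", ["*.trendmicro.com", "trendmicro.com"]),
    ("newtrendmicro.com", ["newtrendmicro.com"]),
    ("centralgoogle.com", ["github.com", "www.ibm.com"]),
    ("update.microsoft-support.net", ["update.microsoft-support.net"]),
]
```

Run `triage(SAMPLE)` to see the three imitation hosts flagged while the genuine TrendMicro session passes; in practice the brand token list needs tuning, since short tokens produce false positives.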
ChamelGang, like Nobelium and REvil before it, has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target. The attackers also appear malware-agnostic in their tactics, using known malicious programs such as FRP, Cobalt Strike Beacon and Tiny Shell alongside previously unknown malware: ProxyT, BeaconLoader and the DoorMe backdoor.
The first investigation was triggered after a Russia-based energy company’s antivirus protection repeatedly reported the presence of Cobalt Strike Beacon in RAM. The attackers gained access to the energy company’s network through the supply chain, compromising a vulnerable version of a subsidiary’s web application running on the JBoss Application Server. On investigation, researchers found that the attackers had exploited a critical vulnerability, CVE-2017-12149, to execute commands remotely on the host.
The group also used the known ProxyShell vulnerabilities in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) to compromise network nodes and gain a foothold. Indeed, a number of attackers took advantage of ProxyShell throughout August, pummeling unpatched Exchange servers with attacks after a researcher at Black Hat revealed the attack surface.
Once inside the network, the attackers installed a modified version of the DoorMe v2 backdoor on two Microsoft Exchange mail servers on the victim’s network. They also used BeaconLoader, as well as Cobalt Strike Beacon, to move laterally and infect further nodes.
The same attack vector was found in 13 more compromised organizations in nine other countries: the U.S., Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In the last four of those countries the attackers targeted government servers, the researchers added.
ChamelGang’s tendency to reach its targets through the supply chain is also one that it, as well as other APTs, will likely continue, given the success attackers have had so far with this tactic. “New APT groups using this method to achieve their goals will appear on stage.”