Researchers have discovered previously undocumented threat group unknown targeting a materials research organization in Asia and called a Clasiopa.
Clasiopa has a distinct toolset, which includes custom malware (Backdoor.Atharvan).The infection vector used by Clasiopa is unknown. But the evidence suggests that the attackers gain access through brute force attacks on public facing servers.
The TTP’s observed are as follows
- The attackers checked the IP addresses of the computers they were on using: https://ifconfig.me/ip
- An attempt was made to disable Symantec Endpoint Protection by stopping the SepMasterService. The result of this query was checked, and then a second attempt was made to disable SEP using “smc -stop.”
- The attackers used multiple backdoors to build lists of file names and exfiltrate them. These lists were exfiltrated either in a Thumb.db file or a Zip archive.
- Sysmon logs were cleared using wsmprovhost.
- All eventlogs were cleared using PowerShell.
- A scheduled task named “network service” was created to list file names.
A few of the evidence suggests that the attackers used two legitimate software packages. One compromised computer was running Agile DGS and Agile FD servers
Array of tools used by the attacker
- Atharvan: Custom developed remote access Trojan (RAT).
- Lilith: The attackers used modified versions of Lilith RAT. The versions used were capable of carrying out the following tasks:
- Killing the process
- Restarting the process
- Modifying the sleep interval
- Uninstalling the RAT
- Executing a remote command or PowerShell script
- Exiting the process
- Thumbsender: Hacking tool, which, when it receives a command from a C&C server, will list file names on the computer and save them in a file called Thumb.db before sending them to a specified IP address.
- Custom proxy tool.
Motivation of Clasiopa is not known. A Hindi mutex is used in the Atharvan backdoor: “SAPTARISHI-ATHARVAN-101.” The backdoor also sends a post request to a C&C server with the arguments:
While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue.
This research was documented by researchers from Symantec
Indicators of Compromise
- 5b74b2176b8914b0c4e6215baab9e96d1e9a773803105cf50dac0427fac79c1b – Backdoor.Atharvan
- 8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b – Backdoor.Atharvan
- 95f76a95adcfdd91cb626278006c164dcc46009f61f706426b135cdcfa9598e3 – Lilith
- 940ab006769745b19de5e927d344c4a4f29cae08e716ee0b77115f5f2a2e3328 – Lilith
- 38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07 – Lilith
- c94c42177d4f9385b02684777a059660ea36ce6b070c2dba367bf8da484ee275 – Thumbsender
- f93ddb2377e02b0673aac6d540a558f9e47e611ab6e345a39fd9b1ba9f37cd22 – Custom Proxy Tool
- 3aae54592fe902be0ca1ab29afe5980be3f96888230d5842e93b3ca230f8d18d – Backdoor
- 0550e1731a6aa2546683617bd33311326e7b511a52968d24648ea231da55b7e5 – Backdoor
- 8023b2c1ad92e6c5fec308cfafae3710a5c47b1e3a732257b69c0acf37cb435b – Hacktool
- 1569074db4680a9da6687fb79d33160a72d1e20f605e661cc679eaa7ab96a2cd – Hacktool