
The China-linked threat group APT31 (also known as Zirconium) has been linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers aimed to steal valuable intellectual property from victims, including data stored on air-gapped systems.
The attackers abused DLL hijacking vulnerabilities in cloud-based data storage services such as Dropbox or Yandex, as well as a temporary file-sharing service, to deliver next-stage malware.
A total of 15 implant variants with different capabilities were used in the attack. Some of these were different versions of the FourteenHi malware, distributed as first-stage implants that let the attackers gain persistent remote access, upload and download files, and start a reverse shell.
The attackers also leveraged a new malware, dubbed MeatBall, with extensive remote access capabilities, including listing running processes, capturing screenshots, and providing a remote shell.
The x64 samples have persistence capabilities and a two-step C2 communication protocol. They accept a relatively long list of commands, including:
- upload arbitrary files,
- download arbitrary files,
- run arbitrary commands,
- set communication delay,
- start reverse shell,
- terminate own process and remove persistence.
To protect communication with the C2 server, they use the API of a statically linked OpenSSL library. In addition, they use RC4 to encrypt the data they send to the C2 and to decrypt the data they receive from it.
Another interesting implant was found using Yandex cloud storage as its C2 server. It exfiltrated computer names, usernames, IP addresses, MAC addresses, and OS versions from compromised systems.
European entities are persistently targeted by different state-sponsored threat groups and have become part of a larger attack trend. Organizations are advised to use the IoCs associated with the campaign to understand the attack pattern and to implement security measures that detect and remediate unusual activity at an early stage.
Indicators of Compromise
Variants of FourteenHi
MD5
7332710D10B26A5970C5A1DDF7C83FBA (mpsvc.dll)
2A1CFA6D17627EAAA7A63F73038A93DA (taskhost.doc)
BB02A5D3E8807D7B13BE46AD478F7FBB (cclib.dll)
22E66E0BE712F2843D8DB22060088751 (ToastUI.exe.png)
D75C7BD965C168D693CE8294138136AE (ToastUI.exe.dat)
C2 IP/URL
sfb.odk-saturn[.]com/dialin/login
87.121.52[.]86
Backdoor.Win32.MeatBall
MD5
FFF248DB8066AE3D30274996BAEDDAB6 (oleacc.dll)
C2 IP/URL
freetranslatecenter[.]com
help.freetranslatecenter[.]com
onlinenewscentral[.]com
onlinemapservices[.]com
search.onlinemapservices[.]com
help.onlinemapservices[.]com
apps.onlinemapservices[.]com
edit.onlinemapservices[.]com
booking-onlines[.]com
81.28.13[.]74
92.38.160[.]142
92.38.188[.]135
92.38.190[.]55
103.221.222[.]133
193.109.78[.]243
193.124.112[.]206
194.87.95[.]125
Implant using Yandex Cloud as C2
MD5
A05D6D7A6A1E9669FC4C61223DA3953F (dbghelp.dll)
2F5C889A819CFE0804005F7CE5FD956E (vmService.pkg)
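The report recommends using the indicators above for detection. The following is an added example of how a defender could operationalize them; it is not part of the original report and not the researchers' tooling. It matches file MD5 hashes against the hash list above and scans log lines for the C2 domains and IPs (a hostname matches a domain indicator when it equals it or is a subdomain of it). The DNS and proxy log lines are constructed for the demonstration, and the hash and network indicators are copied from the lists above.

```python
"""Offline IoC matcher for the APT31 campaign indicators listed in the report.

Added example; the indicator values are copied from the report, the log
lines are constructed for the demonstration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 indicators from the report, normalised to lowercase hex.
IOC_MD5 = {
    "7332710d10b26a5970c5a1ddf7c83fba": "FourteenHi (mpsvc.dll)",
    "2a1cfa6d17627eaaa7a63f73038a93da": "FourteenHi (taskhost.doc)",
    "bb02a5d3e8807d7b13be46ad478f7fbb": "FourteenHi (cclib.dll)",
    "22e66e0be712f2843d8db22060088751": "FourteenHi (ToastUI.exe.png)",
    "d75c7bd965c168d693ce8294138136ae": "FourteenHi (ToastUI.exe.dat)",
    "fff248db8066ae3d30274996baeddab6": "MeatBall (oleacc.dll)",
    "a05d6d7a6a1e9669fc4c61223da3953f": "Yandex-cloud C2 implant (dbghelp.dll)",
    "2f5c889a819cfe0804005f7ce5fd956e": "Yandex-cloud C2 implant (vmService.pkg)",
}

# Network indicators from the report, kept in defanged form.
IOC_NETWORK = [
    "sfb.odk-saturn[.]com", "87.121.52[.]86",
    "freetranslatecenter[.]com", "help.freetranslatecenter[.]com",
    "onlinenewscentral[.]com", "onlinemapservices[.]com",
    "search.onlinemapservices[.]com", "help.onlinemapservices[.]com",
    "apps.onlinemapservices[.]com", "edit.onlinemapservices[.]com",
    "booking-onlines[.]com",
    "81.28.13[.]74", "92.38.160[.]142", "92.38.188[.]135", "92.38.190[.]55",
    "103.221.222[.]133", "193.109.78[.]243", "193.124.112[.]206", "194.87.95[.]125",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') into a matchable host or IP."""
    return indicator.replace("[.]", ".")


# refanged -> defanged, so hits can be reported in the report's own notation
_NET = {refang(i): i for i in IOC_NETWORK}
_IPS = {k for k in _NET if k.replace(".", "").isdigit()}
_DOMAINS = set(_NET) - _IPS
_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def classify_hash(md5_hex: str):
    """Return the implant label for a known MD5 (any case), or None."""
    return IOC_MD5.get(md5_hex.lower())


def md5_file(path) -> str:
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths):
    """Return (path, label) for every file whose MD5 is a report indicator."""
    hits = []
    for p in paths:
        label = classify_hash(md5_file(p))
        if label:
            hits.append((str(p), label))
    return hits


def indicators_in(line: str):
    """Return the set of (defanged) indicators a single log line refers to."""
    found = set()
    for tok in _TOKEN.findall(line):
        tok = tok.lower().rstrip(".")
        if tok in _IPS:
            found.add(_NET[tok])
        for d in _DOMAINS:
            # exact host or any subdomain; 'notonlinemapservices.com' must not match
            if tok == d or tok.endswith("." + d):
                found.add(_NET[d])
    return found


def scan_log(lines):
    """Return (line_number, sorted indicators) for each line with a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = indicators_in(line)
        if found:
            hits.append((n, sorted(found)))
    return hits


# Constructed sample log: one DNS hit (line 1) and one proxy hit (line 3).
SAMPLE_LOG = """\
2023-08-01T10:00:01Z dns client=10.0.0.5 qname=help.onlinemapservices.com qtype=A
2023-08-01T10:00:02Z dns client=10.0.0.7 qname=updates.example.com qtype=A
2023-08-01T10:00:03Z proxy client=10.0.0.5 dst=87.121.52.86:443 method=CONNECT
2023-08-01T10:00:04Z proxy client=10.0.0.9 dst=203.0.113.10:443 method=CONNECT
"""


def demo_file_scan():
    """Hash two constructed benign files; neither should match an indicator."""
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "oleacc.dll"   # indicator file name, harmless content
        benign.write_bytes(b"not the malicious sample")
        empty = Path(d) / "empty.bin"
        empty.write_bytes(b"")
        return {"hits": scan_files([benign, empty]), "empty_md5": md5_file(empty)}


if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {', '.join(found)}")
    print(demo_file_scan())
```

The domain match is suffix-based on a dot boundary on purpose: a hit on `help.onlinemapservices[.]com` also reports the parent `onlinemapservices[.]com`, while an unrelated host that merely ends in the same characters does not match. File matching is by content hash only; a file named like one of the listed DLLs but with different content is not reported, which is what you want from a hash indicator, not a filename heuristic.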