You would think that for how sophisticated Russian hacking techniques are, they would have to be based on some secret technique that is impossible to crack.
But you’d be wrong for thinking that.
In fact, APT29 (aka Cozy Bear) and other Russian cyber espionage groups operate their campaigns by exposing the vulnerabilities that naturally exist in Active Directory. Credentials theft, reconnaissance, and lateral movement—the three integral steps in any APT campaign—can all be achieved by manipulating Active Directory.
The APT29 (GRIZZLY STEPPE) malware variants identified in the wild are POSHSPY, HAMMERTOSS and PowerDuke. This blog will include the modus operandi of all those variants linked to APT29.
In a surprisingly simple maneuver, they launched the attack with spearphishing email. The email contains a link to download a password protected zipped file. Once decompressed, these ZIP files include various methods as a deployer, specially crafted to avoid detection. It includes:
- Decoy Office Document with Macro Code/PDFs
Embedded with macro code to launch the backdoor PowerShell code – POSHSPY/PowerDuke, sometimes the document is embedded with Executable file/DLL. - LNK file embedded with the backdoor’s macro code to launch the backdoor PowerShell code – POSHSPY/PowerDuke.
- Exe / DLL/ LCK / DAT file (Executables) backdoor file POSHSPY, PowerDuke – hidden with Alternate Data Stream as PNG file.
This is how it looks:
eFax Phishing email with a password protected zip file with the “PIN Code”.
This variant of Power Duke dropper opens the decoy PDF along with the executable.
Once the decoy document is opened, it drops the backdoor file to “%APPDATA%\Roaming\”. Backdoor persistency is created via the current running user AutoRun key.
After the main backdoor is executed, it downloads POSHSPY straight from APT29’s Command and Control Server, which is a PowerShell-based malicious script that bypasses the AV.
Now that the backdoor is installed on the victim’s computer, there needs to be a line of communication to the “mothership”. This is set up using domain fronting TOR. The communication is encrypted and proxied via cloud services like google, aws, or azure. It also downloads additional modules and binaries, and the file headers of the binaries are modified in order to evade network security solutions.
The tor meek client hidden as “GoogleService.exe”.
Some variants also uses steganography in pictures from Twitter, concealing the commands inside pictures. With this technique, the C&C communication is hidden in the organization’s legitimate traffic. Some others variants utilize GitHub to receive execution commands. The malware only visits these during work hours to blend in with the legitimate traffic.
So now the communication channels are set up, but there are some more configurations that need to be enabled.
First, the backdoor deploys its binaries and configurations in Program Files inside a concealed folder like “Google”. Then, it installs its persistency spots using either WMI subscriptions or scheduled tasks and services.
Other variants overwrite the WERMGR.EXE file, which is launched every 4 hours as “Error Reporting” in all operating systems by default using Scheduled Task.
In order to deceive people trying to investigate whether the file wermgr.exe is real, they have time stamped the EXE, changed the file information, and created a malware with the exact size of the original wermgr.exe.
Next, the backdoor enables RDP with multiple logons simultaneously.
Lastly, it uses the Sticky Keys backdoor technique as a privileged backdoor (replacing sethc.exe with cmd.exe), granting privileged access to the endpoint without logon. (Some variants utilize known CVEs to escalate their local privileges, like CVE-2016-7255, which leverages vulnerability in the “Win32k” driver.)
Yes yes, I know….that was a lot of work to get everything configured. But these specifications need to be in place for the attack to be successful.
Now, let’s get to the attack!
The attackers send reconnaissance commands to the Active Directory to identify the entire network topology and privileged identities, hunting down domain users with high domain privileges.
Once they determine which computers and servers are most valuable, they utilize pass-the-hash and pass-the-ticket to execute lateral movement with stolen credentials.
Then, they exfiltrate the data from the C2 communication set up earlier or through a cloud storage service.
Pretty simple, right? That’s because they attacked Active Directory, which is the core of every Microsoft domain network around the world. Once you compromise it, you can get any computer, server, or identity you want! And this is exactly what happened during the DNC hack. The Cozy Bear attackers got inside the network with spearphishing email, accessed Active Directory, and leaked emails stored in the servers.
Sources:
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
Comments