State-Backed Harvester Group is Going After Telecommunications Providers

 

Researchers discovered a previously unidentified state-sponsored actor that appears to be conducting cyberattacks against South Asian telecommunications companies and IT corporations using a unique combination of tools. The goal of the group is considered to be data collection. It runs highly focused espionage efforts that target IT, telecom, and government organizations. Harvester is a new threat actor with no known links to other adversaries, as the attacker's damaging tools have never been encountered before in the wild.

"The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT)," Symantec researchers said. "The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor."

The attackers appear to use a backdoor alongside other tools: Metasploit, Graphon, a custom downloader, a custom screenshotter, and Cobalt Strike Beacon are some of them. Although Symantec researchers were unable to determine the initial attack vector, evidence of a malicious URL being exploited for that purpose was identified.

By blending command-and-control (C2) communication activity with actual network traffic from CloudFront and Microsoft infrastructure, the Graphon backdoor gives the attackers remote network access and conceals their presence. The custom downloader's functionality is impressive, as it can create critical system files, add a registry value for a new load-point, and start an embedded web browser at hxxps://usedust[.]com.

Although it appears to be the backdoor, the actors are using the URL only as a ruse to create confusion, but Graphon is being retrieved from this address. The custom screenshot application captures screenshots of the desktop and saves them to a password-protected ZIP archive, which Graphon then steals. Each ZIP file is kept for a week before being automatically deleted.

While there isn't enough proof to link Harvester's activities to a single nation-state, the group's use of custom backdoors, intensive efforts to conceal its harmful activity, and targeting all point to it being a state-sponsored actor, according to Symantec researchers. Given the recent upheaval in Afghanistan, the campaign's targeting of organizations in that nation is also intriguing. Harvester's activities make it evident that the goal of this campaign is espionage, which is a common incentive for nation-state-backed action, the researchers added.

Nobelium APT Group Uses Custom Backdoor to Target Windows Domains

 

Researchers from Microsoft Threat Intelligence Center (MSTIC) identified FoggyWeb, a new custom malware utilized by the Nobelium APT group to distribute further payloads and steal critical information from Active Directory Federation Services (AD FS) servers. 

FoggyWeb is a post-exploitation backdoor utilized by the APT group to remotely exfiltrate the configuration database of affected Active Directory Federation Services (AD FS) servers, as well as the decrypted token-signing and token-decryption certificates. It also enables threat actors to download and execute additional components.

The analysis published by Microsoft stated, “Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.” 

“Use of FoggyWeb has been observed in the wild as early as April 2021.” 

The hackers load FoggyWeb from the encrypted file Windows.Data.TimeZones.zh-PH.pri using the version.dll DLL. The version.dll is loaded by the AD FS service executable 'Microsoft.IdentityServer.ServiceHost.exe' via the DLL search order hijacking approach, which involves the core Common Language Runtime (CLR) DLL files. 

To decrypt the backdoor directly in memory, the loader employs a proprietary Lightweight Encryption Algorithm (LEA) function. The backdoor sets up HTTP listeners for actor-defined URIs in order to intercept GET/POST requests to the AD FS server that match the custom URI patterns. 
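
The loading chain described above leaves two file-name leads a defender can hunt for. The following is an added example, not code from Microsoft or from the original post: it walks a live volume or a triage copy and flags a version.dll sitting in the same directory as the AD FS service host, plus the encrypted payload file name. The function names and the sample folder names (svc, system, res) are assumptions made for the demo.

```python
import os
import tempfile

# File names below come from the article; directory names are constructed.
SERVICE_HOST = "microsoft.identityserver.servicehost.exe"
LOADER_DLL = "version.dll"
PAYLOAD_FILE = "windows.data.timezones.zh-ph.pri"


def hunt_foggyweb_artifacts(root):
    """Return sorted (reason, path) findings for a live volume or triage copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lowercased.
        lowered = {name.lower(): name for name in files}
        # A version.dll in the service host's own directory is what search
        # order hijacking needs; the system directory copy is not flagged.
        if SERVICE_HOST in lowered and LOADER_DLL in lowered:
            findings.append(("loader: version.dll beside AD FS service host",
                             os.path.join(dirpath, lowered[LOADER_DLL])))
        if PAYLOAD_FILE in lowered:
            findings.append(("payload: encrypted file name from the article",
                             os.path.join(dirpath, lowered[PAYLOAD_FILE])))
    return sorted(findings)


def build_constructed_tree(base):
    """Create a constructed sample tree (empty files, hypothetical folders)."""
    layout = [
        ("svc", "Microsoft.IdentityServer.ServiceHost.exe"),
        ("svc", "Version.DLL"),                       # planted copy
        ("system", "version.dll"),                    # legitimate location
        ("res", "Windows.Data.TimeZones.zh-PH.pri"),
        ("res", "Windows.Data.TimeZones.en-US.pri"),  # benign neighbour
    ]
    for folder, name in layout:
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        open(os.path.join(base, folder, name), "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for reason, path in hunt_foggyweb_artifacts(build_constructed_tree(tmp)):
            print(f"{reason}: {os.path.relpath(path, tmp)}")
```

A name match is only a lead: confirm any hit by checking the file's signature and hash against a known-good build before drawing conclusions.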

Microsoft researchers offered the following advice to companies that have been affected or are suspected of being under attack by the group: 
  • Examine your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and any other modifications made by the actor to retain their access. 
  • Remove user and app access, evaluate each's settings, and re-issue fresh, strong credentials in accordance with established industry best practices. 
  • To prevent the exfiltration of secrets via FoggyWeb, use a hardware security module (HSM), as explained in Securing AD FS servers.

The NOBELIUM APT is the threat actor behind the SolarWinds supply chain attack, which included various implant families such as the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

NOBELIUM focuses on government agencies, non-governmental organizations (NGOs), think tanks, military, information technology service providers, health technologies and research, and telecommunications providers.