Category Archives: Cyberespionage

Operation Soft Cell – Multiple telco firms hacked by nation-state actor

Operation Soft Cell – Experts at Cybereason discovered that China-linked hackers have breached numerous telco providers and taken control of their networks.

Researchers at Cybereason uncovered an ongoing, long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. The tactics, techniques, and procedures, together with the type of targets, suggest the involvement of a nation-state actor, likely the China-linked APT10 group.

Once they have compromised a telecommunications company's network, attackers can access mobile phone users’ call detail records.

“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the report published by Cybereason.

“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”


According to Amit Serper, head of security research at Cybereason, the attackers exfiltrated gigabytes of data from the target networks, but always in relatively small amounts to stay under the radar.

Experts explained that the attackers did not exfiltrate the entire archives of the telco companies; instead, they accessed the data by querying the systems from within the target network.

The attack began with the hackers planting a malicious web shell, identified as a modified version of the China Chopper web shell, on an IIS server; the web shell was used to run reconnaissance commands, steal credentials, and deploy other hacking tools.

The attackers then launched a series of reconnaissance commands to gather information about the target infrastructure (machines within the network, network architecture, users, and Active Directory enumeration).

The hackers also used a modified version of Nbtscan to determine the availability of NetBIOS name servers locally or over the network. They also used multiple Windows built-in tools (whoami, net.exe, ipconfig, netstat, portqry) as well as WMI and PowerShell commands.

The threat actors also used the Poison Ivy RAT to maintain long-term access across the compromised network, and a modified version of Mimikatz to dump credentials. WMI and PsExec were used for lateral movement, WinRAR was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.


Experts believe that hundreds of millions of mobile phone users around the world have been affected, including foreign intelligence agents, politicians, and opposition candidates targeted for espionage.

“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network.” concludes the analysis.

“This attack has widespread implications, not just for individuals, but also for organizations and countries alike.”

Pierluigi Paganini

(SecurityAffairs – telco firms, operation soft cell)

The post Operation Soft Cell – Multiple telco firms hacked by nation-state actor appeared first on Security Affairs.

NASA hacked! An unauthorized Raspberry Pi connected to its network was the entry point

NASA Office of Inspector General revealed that the Agency’s network was hacked in April 2018, intruders exfiltrated roughly 500 MB of data related to Mars missions.

According to a report published by the NASA Office of Inspector General, hackers breached the Agency’s network in April 2018 and remained undetected for nearly a year. The report says that hackers stole roughly 500 MB of data related to Mars missions from NASA’s Jet Propulsion Laboratory in Southern California.

The attackers exploited a Raspberry Pi device that had been connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization and without proper security measures.

“The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network.” reads the report. “The device should not have been permitted on the JPL network without the JPL OCIO’s review and approval.”

The report states that IT staff failed to segment the "Network Environment Shared with External Partners" from the rest of the network behind a JPL network gateway. The gateway allowed external users and partners, including foreign space agencies, contractors, and educational institutions, to remotely access a shared environment for specific missions and data.

“In this case the attacker, using an external user account, exploited weaknesses in JPL’s system of security controls to move undetected within the JPL network for approximately 10 months.” the NASA OIG said.

“Prior to detection and containment of the incident, the attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission.”

NASA’s JPL division operates planetary robotic spacecraft, including the popular Curiosity rover, and also manages various satellites that orbit planets in the solar system.

The hack also affected NASA’s Deep Space Network (DSN), managed by JPL, a worldwide network of satellite dishes used to send and receive information from NASA spacecraft on active missions.

After the discovery of the intrusion, other NASA divisions disconnected from the JPL and DSN networks to prevent further lateral movement by the attackers.

According to the investigators, the attack was carried out by an APT group. While the investigation is still ongoing, the Agency announced that it has installed additional monitoring agents on its firewalls.

“Classified as an advanced persistent threat, the attack went undetected for nearly a year. The investigation into this incident is ongoing. In response to the attack, JPL” continues the report.

As reported in the document, the entry point was an unmanaged Raspberry Pi device; for this reason, the NASA OIG also blamed JPL for failing to keep the Information Technology Security Database (ITSDB) up to date.

The ITSDB is a web-based application that JPL uses to track and manage the physical assets and applications on its network.

The database was incomplete and inaccurate: the Raspberry Pi used to penetrate the NASA network was not listed in the ITSDB.

Investigators also found problems in patch management procedures.

“We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time, sometimes longer than 180 days,” the report added.

Unfortunately, this was not the first time hackers broke into JPL: it had already happened in 2009, 2011, 2014, 2016 and 2017.


In December, the U.S. National Aeronautics and Space Administration (NASA) notified employees of a data breach that exposed social security numbers and other personal information.

According to the data breach notification, hackers breached at least one of the agency’s servers; the security breach impacted both past and present employees.

Pierluigi Paganini

(SecurityAffairs – NASA, hacking)


Russia-Linked Turla APT group Hijacked C2 of the Iranian OilRig

Russia-Linked cyberespionage group Turla uses a new toolset and hijacked command and control infrastructure operated by Iran-Linked OilRig APT.

Russia-linked Turla cyberspies used a new set of tools in new attacks and hijacked command and control infrastructure operated by Iran-Linked OilRig APT.

Recent campaigns demonstrate that Turla continues to evolve its arsenal and adopt new techniques to remain under the radar.

Turla (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting government organizations and private businesses.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In June, ESET researchers observed the Russia-linked cyberespionage group using weaponized PowerShell scripts in attacks against EU diplomats.

Experts at Symantec observed at least three distinct campaigns in the last eighteen months, each using a different set of hacking tools. In one campaign the attackers used a previously unseen backdoor tracked as Neptun (Backdoor.Whisperer); the malicious code is deployed on Microsoft Exchange servers and passively listens for commands from the attackers.

Experts noticed that in one attack, Turla hackers used infrastructure belonging to another espionage group, tracked as Crambus (aka OilRig, APT34).

In a second campaign, the group used three different backdoors: a modified version of Meterpreter, a publicly available backdoor; a custom backdoor called photobased.dll; and a custom Remote Procedure Call (RPC) backdoor. The campaign also involved two custom loaders.

The third wave of attacks was characterized by the use of another custom RPC backdoor, which borrowed code from the PowerShellRunner tool to execute PowerShell scripts and bypass detection.

“Recent Waterbug activity can be divided into three distinct campaigns, characterized by differing toolsets.” reads the analysis published by Symantec. “One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus (aka OilRig, APT34).”


Turla attackers used many other tools and malware in the latest campaigns, such as a custom dropper to deliver the Neptun backdoor, a USB data collection tool, and a hacking tool that combines four NSA tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch).

Attackers also used a set of Visual Basic and PowerShell scripts for reconnaissance, and publicly available tools such as IntelliAdmin, SScan, NBTScan, PsExec, Mimikatz, and Certutil.exe.

The three recent Turla campaigns targeted governments and international organizations worldwide. Since early 2018, the cyberspies hit at least 13 organizations across 10 different countries:

  • The Ministry of Foreign Affairs of a Latin American country
  • The Ministry of Foreign Affairs of a Middle Eastern country
  • The Ministry of Foreign Affairs of a European country
  • The Ministry of the Interior of a South Asian country
  • Two unidentified government organizations in a Middle Eastern country
  • One unidentified government organization in a Southeast Asian country
  • A government office of a South Asian country based in another country
  • An information and communications technology organization in a Middle Eastern country
  • Two information and communications technology organizations in two European countries
  • An information and communications technology organization in a South Asian country
  • A multinational organization in a Middle Eastern country
  • An educational institution in a South Asian country

“This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown.” Symantec concludes.

“Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets.”  

Pierluigi Paganini

(SecurityAffairs – Turla, hacking)


Bouncing Golf cyberespionage campaign targets Android users in Middle East

According to security researchers at Trend Micro, a cyberespionage campaign is targeting Android users in Middle Eastern countries.

Security researchers at Trend Micro have spotted a cyberespionage campaign, dubbed ‘Bouncing Golf’, that is targeting Android users in Middle Eastern countries.

The threat actors are using a piece of malware detected as GolfSpy, which implements a wide range of spying features and can take control of the victim’s device.

GolfSpy could steal the following information:

  • Device accounts
  • List of applications installed in the device
  • Device’s current running processes
  • Battery status
  • Bookmarks/Histories of the device’s default browser
  • Call logs and records
  • Clipboard contents
  • Contacts, including those in VCard format
  • Mobile operator information
  • Files stored on SDcard
  • Device location
  • List of image, audio, and video files stored on the device
  • Storage and memory information
  • Connection information
  • Sensor information
  • SMS messages
  • Pictures

Attackers distributed the malware in tainted legitimate applications that are hosted on websites advertised on social media. The tainted applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East.

“We uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.”” reads the blog post published by Trend Micro. “The malware involved, which Trend Micro detects as  AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious codes are embedded in apps that the operators repackaged from legitimate applications.”

According to the experts that have analyzed the command and control (C&C) servers used in the Bouncing Golf campaign, more than 660 Android devices have been infected with GolfSpy malware. The attackers appear to be focused on stealing military-related information.

The researchers speculate on a possible connection to the Domestic Kitten espionage activities, an extensive surveillance operation conducted by an Iranian APT actor against specific groups of individuals since 2016.

The experts found similarities in the structure of the code strings and in the format of the data targeted for theft.


The GolfSpy malware is also able to connect to a remote server to fetch and perform a broad range of commands such as searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

Once the malware is executed, it generates a unique ID and then collects targeted data and writes it to a file on the mobile device.

The malicious code allows the attackers to choose the data types to collect. Stolen data is encrypted using a simple XOR operation with a pre-configured key and then sent to the C2 via HTTP POST requests.

GolfSpy also connects to the C2 via a socket in order to receive additional commands. In this case, stolen data is also sent to the C2 in encrypted form via the socket; the experts pointed out that the encryption key is different from the one used when data is sent via HTTP.

The operators behind the Bouncing Golf campaign attempt to cover their tracks, for example, they masked the registrant contact details of the C&C domains used in the campaign. The IP addresses associated with the C&C servers used in the campaign also appear to be located in many European countries, including Russia, France, Holland, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users.” Trend Micro concludes. “The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device,”

Pierluigi Paganini

(SecurityAffairs – Bouncing Golf, hacking)


Security Affairs 2019-06-11 00:49:57

The MuddyWater cyber espionage group has used an updated multi-stage PowerShell backdoor in recent cyber attacks.

Security experts at Trend Micro report that the MuddyWater APT group (aka SeedWorm and TEMP.Zagros), has used an updated multi-stage PowerShell backdoor in recent cyber espionage campaigns.

The first MuddyWater campaign was observed in late 2017, when the group targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

The threat actors continue to evolve their TTPs. A few weeks ago, Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group and highlighted its use of new anti-detection techniques.

Now, according to Trend Micro, the APT group has updated its multi-stage POWERSTATS backdoor; the experts have already observed a new variant in spear-phishing attacks aimed at a university in Jordan and the Turkish government.

“One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.” reads the analysis published by Trend Micro.

“Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3.”

MuddyWater hackers used compromised legitimate accounts to send out spear-phishing messages containing a document embedded with a malicious macro.


The macro was used to drop a VBE file that holds a block of data containing an obfuscated PowerShell script. 

The block of data will be decoded and saved to the %PUBLIC% directory with various names and image file extensions such as .jpeg and .png. The attackers’ PowerShell code implements a custom string obfuscation and junk stubs of code to make it difficult to analyze.
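The masquerading described above (script data saved under %PUBLIC% with .jpeg or .png names) can be hunted for by comparing each file's extension with its real content. The following PowerShell script is an added example and not code from the Trend Micro analysis or the original post; it assumes Windows PowerShell 3 or later and read access to the directory being scanned.

```powershell
# Added example (not from the Trend Micro report): find files under %PUBLIC%
# whose image extension does not match the file's magic bytes, and note whether
# the content looks like a script instead of an image.

function Test-ImageMagic {
    # Returns $true when the first bytes of the file match the expected signature.
    param([string]$Path, [byte[]]$Expected)
    $buf = New-Object byte[] $Expected.Length
    $fs = [IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Close() }
    if ($n -lt $Expected.Length) { return $false }   # too short to be a valid image
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($buf[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

function Get-MasqueradedImageFile {
    param([string]$Root = $env:PUBLIC)   # %PUBLIC% is the directory named in the report
    # Signatures for the extensions the report mentions (.jpeg/.png) plus a few common ones.
    $magic = @{
        '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
        '.jpeg' = [byte[]](0xFF, 0xD8, 0xFF)
        '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
        '.gif'  = [byte[]](0x47, 0x49, 0x46, 0x38)
        '.bmp'  = [byte[]](0x42, 0x4D)
    }
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $magic.ContainsKey($_.Extension.ToLower()) } |
        ForEach-Object {
            $ext = $_.Extension.ToLower()
            if (Test-ImageMagic -Path $_.FullName -Expected $magic[$ext]) { return }  # genuine image
            # Wrong signature: peek at the first lines to see whether it is script-like.
            $head = Get-Content -LiteralPath $_.FullName -TotalCount 5 -ErrorAction SilentlyContinue
            $text = ($head -join "`n")
            $scriptLike = $text -match 'powershell|FromBase64String|Invoke-Expression|\biex\b|\$\w+\s*='
            [pscustomobject]@{
                Path       = $_.FullName
                Size       = $_.Length
                LastWrite  = $_.LastWriteTime
                ScriptLike = [bool]$scriptLike
            }
        }
}

Get-MasqueradedImageFile | Format-Table -AutoSize
```

A hit with ScriptLike set to true is worth pulling for analysis; a hit with it false may simply be a corrupt or truncated image, so the size and timestamp columns help triage.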

Once all the strings are deobfuscated, the final backdoor code is revealed. The backdoor first gathers operating system (OS) information and saves the result to a log file that is sent back to the C&C server.

“Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server.” continues the analysis. “If such a file is found, it will be downloaded and executed using the Powershell.exe process.”

The hackers can launch a second-stage attack by sending specific commands to the backdoor. The malicious code is also able to install and execute other payloads, including another backdoor analyzed by Trend Micro that supports several commands, such as taking screenshots and executing commands via the cmd.exe binary.

The backdoor is also able to execute PowerShell code via the “Invoke-Expression” cmdlet.

The hackers connect to the C2 with PHP scripts that have a hardcoded token and a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).

Trend Micro observed an evolution of the malicious code used by the MuddyWater group: in March and April the hackers were using the heavily obfuscated POWERSTATS v2, but in May they deployed the new POWERSTATS v3.

The following table reports some of the campaigns observed by Trend Micro in H1 2019 with the associated payloads and publicly available post-exploitation tools:

Discovery Date | Method for dropping malicious code | Type of files dropped | Final payload
2019-03 | Macros | Base64 encoded, BAT | POWERSTATS v2
2019-04 | Template injection | Document with macros | POWERSTATS v1 or v2
2019-05 | Macros | VBE | POWERSTATS v3

It is interesting to note that the MuddyWater attackers are not using zero-day exploits in their campaigns; nevertheless, the threat actors continue to evolve their TTPs to avoid detection.

“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes. 

Pierluigi Paganini

(SecurityAffairs – MuddyWater, hacking)


Hunting the ICEFOG APT group after years of silence

A security researcher found new evidence of activities conducted by the ICEFOG APT group, also tracked by the experts as Fucobha.

Chi-en (Ashley) Shen, a senior security researcher at FireEye, collected evidence that demonstrates that China-linked APT group ICEFOG (aka Fucobha) is still active.

The activities of the APT group were first uncovered by Kaspersky Lab in September 2013. At the time, the researchers described the crew as an emerging group of cyber-mercenaries able to carry out surgical hit-and-run operations against strategic targets. The cyber-mercenaries were hired by governments and private companies, and the group was composed of highly skilled hackers able to conduct sophisticated attacks.

The APT group is considered a persistent collector of sensitive information; the Kaspersky team detected a series of attacks against the defense supply chain (military contractors, shipbuilders, satellite operators, high-tech companies) in Japan and South Korea.

The Icefog team also targeted companies in the US energy industry. The threat actors used a custom backdoor dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.

At the time, the “hit and run” nature of the operations appeared unusual: the attackers processed victims rapidly, stealing only information of interest and showing a deep knowledge of the targets and of the information they were looking for.

The group went dark just after Kaspersky shared the findings of its investigation in September 2013.

This week, Chi-en (Ashley) Shen presented at the CONFidence cybersecurity conference held in Poland her analysis on new samples of malware associated with the ICEFOG group.

Two of them, tracked as ICEFOG-P and ICEFOG-M, have been used in targeted attacks in 2014 and 2018, respectively. Some samples for both variants have been compiled between 2014 and 2019.


Both ICEFOG-P and ICEFOG-M are more complex than the original backdoor, a circumstance that suggests the threat actors have continued to develop and use it.

ICEFOG-M is the latest variant; it is fileless malware that supports the same features as ICEFOG-P but uses HTTPS for communications.

The researcher explained that the ICEFOG-P variant is not particularly complex; it remained under the radar simply because it was rarely used.

The researcher also spotted a Mac version of the malware, tracked as MacFog, that was previously unknown in the cyber security community. MacFog was initially distributed on Chinese forums.

Unlike the operations observed between 2011 and 2013, the new malware variants were involved in multiple campaigns conducted by different groups.

Shen spotted variants of the ICEFOG malware in attacks targeting:

  • an unnamed agriculture company in Europe in 2015
  • government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)
  • the government of multiple former Soviet states in 2015 (Roaming Tiger)
  • Kazakh officials in 2016 (APPER campaign)
  • water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)
  • an unknown entity in the Philippines in 2018 (PHKIGHT campaign)
  • organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)

In the latest campaign in 2019, tracked as the SKYLINE campaign, hackers targeted Turkey and Kazakhstan; timestamps suggest the campaign may have been active since at least 2018. The attackers leveraged a shared exploit template for CVE-2017-11882 and used a fileless version of ICEFOG-M.


According to Shen, most samples were involved in cyber espionage campaigns, and the threat actors appear to be politically motivated.

Below are the conclusions of the excellent analysis conducted by Shen:

  • ICEFOG is malware shared among Roaming Tiger, APT15, Temp Group A and suspected APT9.
  • Shared malware is a pitfall for attribution, we should not do attribution only based on malware.
  • Temp Group A is aggressively using ICEFOG-P and ICEFOG-M to target Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey.
  • With the file-less ICEFOG-M, host-based detection of payloads is more difficult.
  • Continued development indicates there could be more attacks leveraging ICEFOG in future campaigns, and possibly leveraged by more attackers

Pierluigi Paganini

(SecurityAffairs – cyberespionage, hacking)


ESET analyzes Turla APT’s usage of weaponized PowerShell

Turla, the Russia-linked cyberespionage group, is weaponizing PowerShell scripts and is using them in attacks against EU diplomats.

Turla (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON), the Russia-linked APT group, is using weaponized PowerShell scripts in attacks aimed at EU diplomats.

Turla group has been active since at least 2007 targeting government organizations and private businesses.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

Turla is back: in a recent wave of attacks, the cyberspies targeted diplomatic entities in Eastern Europe.

“To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk.” reads the report published by ESET.

The PowerShell scripts used by Turla in recent attacks allow direct, in-memory loading and execution of malicious executables and libraries, avoiding detection.

Turla first used PowerShell in 2018; at the time, experts from Kaspersky Lab collected evidence that demonstrated overlaps between the activity of the Russian APT groups Turla and Sofacy.


Kaspersky Lab said the APT was experimenting with PowerShell in-memory loads to bypass security protections; at the time, the loader used by the cyberspies was based on the legitimate PoshSec-Mod software. However, experts believe that bugs in the code caused it to crash frequently.

ESET believes that these problems have since been solved, and the Turla threat actors now leverage the PowerShell scripts to load an array of malware.

“The PowerShell scripts are not simple droppers; they persist on the system as they regularly load into memory only the embedded executables.” continues the report. “We have seen Turla operators use two persistence methods:

  • A Windows Management Instrumentation (WMI) event subscription
  • Alteration of the PowerShell profile (profile.ps1 file).”

When the persistence is implemented through WMI, attackers create two WMI event filters and two WMI event consumers. The consumers are command lines launching base64-encoded PowerShell commands that load a PowerShell script stored in the Windows registry.

The second method used by the group consists of altering the PowerShell profile, a script that runs every time PowerShell starts.

In both cases the decryption of payloads stored in the registry is done using the 3DES algorithm. Once decrypted, a PowerShell reflective loader then comes into action.
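Both persistence mechanisms described above leave host artifacts a defender can enumerate: WMI filter-to-consumer bindings whose consumer launches encoded PowerShell, and modified profile scripts. The following audit script is an added example, not code from the ESET report or the original post; it assumes Windows PowerShell 5.1 (for Get-WmiObject) running in an elevated session, and the indicator strings it searches for (registry access, base64 decoding, 3DES) are taken from the behaviour the report describes.

```powershell
# Added example (not from ESET): audit WMI event-subscription persistence and
# PowerShell profile scripts for the traits described in the Turla report.

function ConvertFrom-EncodedCommand {
    # -EncodedCommand carries base64 of a UTF-16LE string; decode it for review.
    param([string]$CommandLine)
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Get-WmiPersistenceFinding {
    $ns = 'root\subscription'
    # Index filters and command-line consumers by name so bindings can be resolved.
    $filters = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Reference strings look like: __EventFilter.Name="SomeName"
        $fName = if ("$($b.Filter)"   -match 'Name="([^"]+)"') { $Matches[1] } else { '' }
        $cName = if ("$($b.Consumer)" -match 'Name="([^"]+)"') { $Matches[1] } else { '' }
        $filter   = if ($fName) { $filters[$fName] }   else { $null }
        $consumer = if ($cName) { $consumers[$cName] } else { $null }   # null unless CommandLine type
        $cmd      = if ($consumer) { [string]$consumer.CommandLineTemplate } else { '' }
        $decoded  = ConvertFrom-EncodedCommand $cmd

        # Traits from the report: an encoded PowerShell consumer whose decoded
        # command pulls a script out of the registry.
        $reasons = @()
        if ($cmd -match 'powershell') { $reasons += 'consumer launches PowerShell' }
        if ($decoded)                 { $reasons += 'uses -EncodedCommand' }
        if ($decoded -match 'HKLM:|HKCU:|Get-ItemProperty|Registry::') {
            $reasons += 'decoded command reads the registry'
        }
        [pscustomobject]@{
            Filter      = $fName
            Query       = if ($filter) { $filter.Query } else { '' }
            Consumer    = "$($b.Consumer)"
            CommandLine = $cmd
            Decoded     = $decoded
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

function Get-ProfileScriptFinding {
    # Every profile path PowerShell loads for this host, plus other users' profiles.
    $paths = @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
               $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost)
    $paths += Get-ChildItem "$env:SystemDrive\Users\*\Documents\WindowsPowerShell\*.ps1" `
                  -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
    foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $text = Get-Content -LiteralPath $p -Raw
        $reasons = @()
        if ($text -match 'FromBase64String')             { $reasons += 'base64 decoding' }
        if ($text -match 'TripleDES|3DES')               { $reasons += '3DES' }
        if ($text -match 'HKLM:|HKCU:|Get-ItemProperty') { $reasons += 'reads registry' }
        if ($text -match 'Invoke-Expression|\biex\b')    { $reasons += 'Invoke-Expression' }
        [pscustomobject]@{
            Path       = $p
            Size       = (Get-Item -LiteralPath $p).Length
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-WmiPersistenceFinding | Format-List
Get-ProfileScriptFinding  | Format-Table -AutoSize
```

On a clean host the first function normally returns nothing at all (the root\subscription namespace has no bindings by default), so any row, suspicious or not, deserves a look; legitimate profile scripts exist on many admin workstations, so the Reasons column rather than mere presence is the signal there.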

“The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework” reads the analysis.

“The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system,”

The attackers avoid injecting into processes that belong to known security products, such as the Kaspersky anti-virus software.

In some samples, Turla attackers have modified the PowerShell script in order to bypass the Antimalware Scan Interface (AMSI) implemented by Windows.

“This is an interface allowing any Windows application to integrate with the installed antimalware product. It is particularly useful for PowerShell and macros.” continues the report.

“They did not find a new bypass but re-used a technique presented at Black Hat Asia 2018 in the talk The Rise and Fall of AMSI. It consists of the in-memory patching of the beginning of the function AmsiScanBuffer in the library amsi.dll.”

In practice, the attackers modify the PowerShell script, and in particular the AmsiScanBuffer function, so that the antimalware product never receives the buffer, which prevents any scanning.

The PowerShell loader is used to launch malware; one of these malicious codes is a backdoor based on the RPC protocol.

Turla also has a lightweight PowerShell backdoor in its arsenal, tracked as PowerStallion, which uses cloud storage as its C2 server.

A few weeks ago, ESET researchers discovered a Turla backdoor tracked as LightNeuron, which was specifically developed to hijack Microsoft Exchange mail servers.

ESET confirmed that the PowerShell scripts have been used in campaigns aimed at political targets in Eastern Europe. According to the researchers, the same scripts are also used globally against other targets in Western Europe and the Middle East.

“Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware.” concludes the report.

The ESET report includes technical details and IoCs associated with the recent attacks.


Pierluigi Paganini

(SecurityAffairs – Turla, hacking)



Emissary Panda APT group hit Government Organizations in the Middle East

Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese APT group Emissary Panda has been targeting government organizations in two different countries in the Middle East.

Experts at Palo Alto Networks reported that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been targeting government organizations in two different countries in the Middle East.

The Emissary Panda APT group has been active since 2010 and has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.


The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups. 

The cyber espionage group leverages both readily available tools and custom malware in its operations; many of the tools have been available for years, but in recent attacks their code was updated.

In April 2019, the group targeted organizations in two different countries in the Middle East. The threat actors exploited the CVE-2019-0604 vulnerability to compromise SharePoint servers and install webshells on them.

Once they have compromised the network, the attackers upload a variety of tools to perform additional activities, including dumping credentials and locating and pivoting to additional systems on the network.

Experts pointed out that attackers used tools to scan the network for systems vulnerable to CVE-2017-0144, the flaw exploited by the NSA-linked EternalBlue exploit.

The campaign appears related to attacks exploiting CVE-2019-0604 reported by the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security. The report by the Saudi Cyber Security Centre suggests threat actors are primarily targeting organizations within the kingdom. The Canadian Cyber Security Centre reported similar attacks aimed at delivering the China Chopper web-shell to ensure persistence in the target networks.

“the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group.” states the report published by Palo Alto Networks.

Palo Alto Networks experts observed that between April 1 and April 16 the threat actors used webshells to upload 24 unique executables to three SharePoint servers hosted by two different government organizations. Experts noticed that the same tools were uploaded across the three webshells, suggesting the involvement of the same attacker.

The longest activity involving one of the three webshells was observed on April 16, 2019.

The list of the tools uploaded by cyberspies included legitimate applications such as cURL, post-exploitation tools like Mimikatz, tools to scan for and exploit potential vulnerabilities in the target network, and custom backdoors such as HyperBro, which was used by Emissary Panda in the past. 

One of the webshells used by the attackers is a variant of the Antak webshell; the other webshells appear related to the China Chopper webshell.

“We were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed above. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang.” continues the report.

The researchers also uncovered the use of additional sideloaded DLLs in this campaign.

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes. 

“Once the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems.”


Pierluigi Paganini

(SecurityAffairs – cyberespionage, Emissary Panda)

The post Emissary Panda APT group hit Government Organizations in the Middle East appeared first on Security Affairs.