CyberWire Daily - Leveraging COVID-19 themes for malicious purposes. [Research Saturday]
Episode Date: May 22, 2021
Guest Joe Slowik joins us from DomainTools to discuss his team's research "COVID-19 Phishing With a Side of Cobalt Strike." Multiple adversaries, from criminal groups to state-directed entities, engaged in malicious cyber activity using COVID-19 pandemic themes since March 2020. Adversaries continue to leverage the pandemic, arguably the most significant issue globally as of this writing, in various ways. Yet the most persistent avenue remains using COVID-19 themes for building malicious document files. Examples include lures associated with Cloud Atlas-linked activity and broader targeting of health authorities. Given the continued significance of the pandemic and persistent use of pandemic themes by adversaries, DomainTools researchers continuously monitor for items leveraging COVID-19 content for malicious purposes. While conducting this research, DomainTools analysts identified an interesting malicious document with what appeared to be unique staging and execution mechanisms. Research can be found here: COVID-19 Phishing With a Side of Cobalt Strike
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Just in the course of every day, keeping an eye on the security landscape,
looking for things that just seem interesting and related to items of interest.
And the main item of interest for everyone right now is still and remains the ongoing pandemic.
That's Joe Slowik. He's a senior security researcher at DomainTools. The research we're discussing today is titled COVID-19 Phishing with a Side of Cobalt Strike.
And related to that, identified in the wild a Microsoft Office spreadsheet, Excel file that had a COVID-19 theme related to vaccines.
So, oh, this is interesting.
And had some curious scripting items associated with it
or visual basic for application macros within the document.
And so interest was piqued a little bit.
And that led to an investigation that really,
as these things kind of do,
went down a little bit of a rabbit hole.
Because while this wasn't,
it's always troubling to use words like complex or sophisticated
because those are kind of weasel words.
And this isn't any of those things.
But that almost stands out on its own
for a sort of brute force simplicity
that really what we were looking at here was an Excel file
that contained an encoded object that turned out to be a Windows cabinet file
that then had some bonus materials inside of it.
And that's where things start to get really interesting.
Well, let's walk through it together here. I guess it's worth mentioning, as you do in your
research, that if you are running a current version of Excel, that you're already sort of
protected against this, yes? That's right. This was really designed to run in legacy office environments,
which can tell us a few things already,
since this is a recent document.
All items related to it show that it was created
within the last month or so.
But the most recent office versions,
let alone updates of those versions,
will prevent this from running.
So this implies that the adversary
in question is fairly confident that its intended audience is using older versions or perhaps even
pirated versions of the software. So that can start focusing our efforts on, you know, like,
this is probably not targeting the latest and greatest or the most up-to-date organizations, but rather something else.
What that something else is is certainly up for discussion, but it does look weird if nothing else.
Yeah.
Well, let's say I'm minding my own business here, and I come across this file that promises to show me a list of the various COVID-19 vaccines.
And I think that's something that I may be interested
in. I open up this document. What starts happening behind the scenes? So if you're running an older
version of Office, what will happen is you'll get the classic, would you like to open this document
in disabled protected mode? And then with some macro enablement later in order to show the actual content,
behind the scenes, this will launch a sequence of actions that uses built-in system functionality
to then construct a sequence of commands that will, as so many adversaries do,
launch some PowerShell as well as some other scripting items
in order to decode
and then execute a binary file.
But what's interesting about this binary file
is that it's actually a legitimate executable
that's used and an older one to boot,
which kind of hints back to
some legacy components being used
in this infection chain,
but leveraging a technique of trying to get malicious code to run under a code signed front or code signed basis.
So the way this works in this specific instance is the attackers took a legitimate F-Secure binary
and used the legitimate executable,
but then used a modified
dynamic link library
associated with it
and took advantage of something called
DLL path hijacking
in order to load
the malicious content from the DLL
under the signed executable.
And this is a method used by a number of attackers in order to gain greater trust and evade defenses
when trying to gain malicious code execution.
Can you explain it to us? It's fascinating here. Can you walk us through how it works?
Sure. So the way that this works is that for the majority of programs operating in a Windows environment,
that when they're associated with a dynamic link library or DLL file,
they will typically search for that library by first checking for the same folder that the executable ran in and then apply a search algorithm
of either moving up the file system
or checking certain locations
like in the system folder
for where that DLL is anticipated to be located.
Well, an attacker can take advantage of this
by running the legitimate executable in a non-standard location or a custom location, such as just a folder created in a temporary location around the desktop, and dropping a version of the DLL with the same name in the same directory to take advantage of that search sequence. And that could be used to
run the content of the DLL file under the context of the legitimate signed executable.
Wow. So the system goes and checks the signing of the executable, says all is good here,
and then basically gets tricked into running something that has the same name.
Is that basically how it works?
Basically, yes.
And like I said, this is a way of circumventing certain types of application control
by really taking advantage of a feature.
Really, you can't really call this a bug because it's intentional by design
as a way of facilitating program execution.
It's interesting, sort of as a side note in your research, you mentioned that folks have been using this file from F-Secure for quite a while now.
Is there a subtext there? Is it just convenient?
Right. And that was something that was really curious about this entire sequence of events is that we see a blending of fairly old and previously disclosed techniques down to specific versions and types of payloads like the F-Secure binary used in order to launch this incident, and then blending in newer items, like ultimately leading to a Cobalt Strike beacon payload, which we can get into a little bit later. And it is very strange
because you could look at this from a number of ways, and this maybe ties into the targeting of
legacy versions of Microsoft Office, that the intruder in this question,
having some background or understanding
about the environment that they were targeting,
knew that they didn't need the latest and greatest
in order to get into this environment.
They were operating with legacy systems
or not the most up-to-date security
as well as just basic operational tools.
And so they could recycle well-known previously disclosed events.
And there's a certain economy or efficiency that gets associated with this activity
that you don't risk burning or disclosing novel techniques and other items in this way
while still achieving mission success or effectiveness.
Right, right. That's interesting.
Well, let's walk through what happens next.
I mean, they're able to execute their file here.
Where do we go from here?
Right. So after the file is executed,
there is a sequence of events that then a decoy spreadsheet is loaded,
which provides a list of COVID-19 vaccines listed in what is presented as order of safe to least safe, which is interesting.
If you look at the content itself, we can discuss that if you'd like.
But then we have the DLL loaded into memory,
and then this loads and decodes a third file that's also included with the cabinet file that contains obfuscated commands that begins establishing persistence and contacting
a command and control domain. So really we're getting into the sort of meat of the activity here,
which with further analysis
and being able to capture
the network traffic in question
shows that we have an adversary
going to, you know,
again, a fairly tried and true method,
but one that's a bit more recent
than some of the other things
we've discussed so far
in using a Cobalt Strike beacon payload.
In this case,
using some masquerading of tunneling the actual command and control
underneath a lookup to Google Video or YouTube services
to add a further layer of obfuscation and defensive agent to matters.
Wow. And this is presumably effective?
I mean, they're successful in having this fly under the radar.
Right.
So that's another interesting thing about this is that unless you are performing SSL or TLS capture and inspection within your network environment,
the communication, it will look to anyone observing that you are initiating communication with YouTube or Google Video,
which maybe is a little odd depending on where the communication is coming from
or seeing it initiated from Excel
or from another unfamiliar process.
But still, you're probably not doing that level of logging
if you're already running very legacy versions of Office and whatnot.
And so that really serves to hide
that you ultimately have communication
going to an adversary-created and controlled domain,
Rabbit-Ely, if you,
I don't know really how to pronounce it.
If it's even a real word,
it's probably more of a made-up item.
So yeah, I mean, it just adds another way
of trying to avoid attention and response.
And so that's where this campaign gets kind of curious,
is that we have that combination of recycled legacy, fairly old tradecraft,
in some instances that look like it's recycling things that were first observed in 2014,
with fairly recent and more technically savvy items,
such as just using the DLL search order hijacking method
to execute with code signing privileges
and using this way of circumventing network traffic,
monitoring and analysis,
unless you're doing SSL inspection,
to obfuscate what the ultimate C2 location would be.
So, yeah, it's, again, a very interesting combination of techniques as part of this intrusion operation.
Yeah, it's almost like these folks are reaching into their bag full of Lego bricks,
and those old bricks work just as well as the new ones.
They all click together, right?
Right, and I think that's almost a really good observation
about network intrusion activity more generally
is that I think we've kind of built this expectation
that adversaries, especially if we're talking about state-directed adversaries,
which this might be, we don't quite know.
There's some possibilities here which we can get into.
But anyway, that such adversaries will use custom bespoke
purpose-built tooling for their campaigns,
when really what we've observed over the last couple of years,
especially, is adversaries are very happy to use whatever works.
And if that means using some scripts and tools procured via GitHub, a cracked version of Cobalt Strike, or a recycling tradecraft that was documented on a publicly accessible blog from over five years ago, that's fine. I think what we're starting to see is adversaries realizing that they don't need to invest an inordinate amount of resources and tooling if they could just identify what's good enough for the environments they think that they'll be operating within.
Now, as part of your research, you and your colleagues went looking for some more samples of this, and you did find some similar documents. We did. And looking at other documents,
both by the structure of the Excel files themselves,
as well as looking at where these documents
may have come from,
which looks like a hosting provider
or a hosting service located in Vietnam,
we found several other documents
with health-related themes
or the title or file names of the documents were in Vietnamese,
as well as the content of the spreadsheets themselves, including things like a list of cancer centers and other items.
And so expanding out from that original list of COVID-19 vaccines and seeing this further landscape, it starts looking like there's a general theme here from December
through March of targeting Vietnamese-related entities that were operating in the healthcare
space, which was very interesting when, you know, with a little bit of tried and true web searching,
we were able to identify a couple of government communications that had been uploaded to the internet or were
accessible over the internet from provincial authorities in Vietnam warning about this sort
of phishing activity in January of this year, which seems to lend some support to the idea that
this is something that, if not exclusively targeting Vietnam, at least had a focus on
Vietnamese institutions.
Well, and that leads us to the possibility that this could be the work of a threat group called Goblin Panda. What do we know about them? Right. And this was really interesting because
this is one of those cases where we see some things that seem more than just a coincidence,
whereas other items that are more difficult to try to
really make this connection. So, Goblin Panda, which, you know, since we're using the CrowdStrike
naming convention here, is an entity that is assessed or thought to be linked to Chinese
interests in some fashion, although it's never been
conclusively proven, has previously used some of the techniques that we identified
in these documents, such as the search order hijacking for DLLs, targeting of Vietnam,
as well as another sort of oddity of using older vulnerabilities, execution pathways, and office
formats as part of their activity in targeting entities like the government of Vietnam.
So while we could look at this as a series of coincidences, the fact that there was more
than one here certainly indicates that this is something worth considering, even if we
can't prove it just yet.
But it's also worth noting that these are techniques
that are generally available to a number of threat actors.
Another consideration is that Goblin Panda
is not previously linked to deployment of Cobalt Strike,
usually associated with tools like PlugX
or Chinoxie variants and similar,
and use of a Cobalt Strike beacon payload would be something new.
So again, there's items that seem to relate to this entity,
including targeting and geographic emphasis,
and then other items which are a little more indeterminate,
at least without having additional data.
Well, I mean, let's go through some of the take-homes together.
And why don't we start here by, you know,
what opportunities would folks have to protect themselves
against this along the various steps of the way?
Right. I mean, first and foremost,
we have just run up-to-date patched software.
It might seem like a silly, stupid one,
but it still comes into play
and goes into the overall concept
of reducing attack surface.
After that, we have options
such as identifying interesting process chains
or process execution chains,
such as the classic identifying scripting frameworks
being executed from Office documents.
So seeing PowerShell or WScript or similar items with a parent process of Microsoft Office is an
almost universal sign that something suspicious, if not outright malicious, is going on.
And then another interesting item, as we start getting into some of the more operationally secure or security
savvy elements of this campaign. So for example, the DLL search order hijacking. This might seem
a difficult problem, but in well-architected environments, we can do things like search for
or even outright prevent the execution of binaries in untrusted locations like user temporary directories or similar items.
Obviously, there's some pain that could be associated with that in terms of convenience,
but either detecting or outright preventing such activity can drastically reduce scope
if the environment is set up to allow for such activity to take place.
Similarly, for the network communication aspect,
I think this is something that we're increasingly seeing with a number of items.
Adversaries are aware of the limitations imposed
by the increasing adoption of encrypted communications,
whether we're talking about HTTPS or DNS over HTTPS
or similar widespread adoption of SSL/TLS encryption.
As a result, more organizations will need to ask the question, is it appropriate to
begin proxying and capturing encrypted communication for defensive purposes?
There's obviously a number of potential risks and drawbacks involved in doing so. But as we see adversaries just rely
upon legitimate encrypted communications channels to mask or hide their operations, it's something
that organizations are going to need to think about because for certain techniques, such as
what we talked about here, it becomes one of the only ways of
really detecting this sort of activity with any degree of certainty. Our thanks to Joe Slowik from DomainTools for joining us. The research
is titled COVID-19 Phishing with a Side of Cobalt Strike. We'll have a link in the show notes.
Thanks for listening.