CyberWire Daily - The persistent and patient nature of advanced threat actors. [Research Saturday]
Episode Date: February 5, 2022
Guest Danny Adamitis from Black Lotus Labs joins Dave to discuss their team's new research "New Konni Campaign Kicks the New Year Off by Targeting Russian Ministry of Foreign Affairs." Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted actions against the Russian Federation's Ministry of Foreign Affairs (MID). Based upon the totality of information available and the close correlation with prior reporting, we assess with moderate confidence these actions leveraged the Konni malware, which has previously been associated with the Democratic People's Republic of Korea, and were undertaken to establish access to the MID network for the purpose of espionage. This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks. After gaining access through stolen credentials, the actor was able to exploit trusted connections to distribute and load the malware, first by impersonating a government software program coinciding with new Covid mandates, and then through sending trojanized files from a compromised account. The research can be found here: New Konni Campaign Kicks Off The New Year By Targeting Russian Ministry Of Foreign Affairs
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So as part of our proactive hunt mission, we are constantly looking for advanced actors that we believe could be impacting our organization or some of our customers. So as part of that, we just write these proactive YARA rules that are constantly running in the background. And we received an alert that this malware sample actually hit on one of our rules from a prior campaign.
That's Danny Adamitis. He's a senior lead information security engineer at Lumen's Black Lotus Labs. The research we're discussing today is titled New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs.
Well, let's walk through it together. Can we, I guess, begin with a little overview of exactly what we're talking about here?
Sure. So our report is talking about a months-long campaign that we really want to highlight because it demonstrates the persistent and patient nature of some of these advanced threat actors. So our report actually starts in September, which is about three months prior to everything else. In this September timeframe, we observed this threat actor setting up a number of spoofed host names, which we believe they were using to actually harvest credentials for foreign diplomats. This is actually correlated with some of the reporting done by Proofpoint, where they also noted some of these same domains being used for credential harvesting campaigns. We believe that they then were able to successfully compromise at least a few accounts, and then they actually used one of them almost three months later in December to do a more targeted attack against some more government officials that were actually part of that same organization. So the other kind of really interesting thing about this is that they're abusing the inherited trust relationship that exists within one's own organization. So for those people who work in corporate America, if you receive an email from someone outside of your company, you may get this big banner at the top of the email saying that this originated from outside your organization, please proceed with caution. Or you might have some sort of alerting mechanism. You don't typically get that from emails sent within your own organization. So by doing that, it kind of allowed them to bypass some of those email-based protections that typically alert the user to exercise more caution when they're proceeding with these exploits.
Yeah, it's like that old horror movie trope, you know, the call is coming from inside the house.
Exactly.
Yeah. So this is targeting the Russian Federation's Ministry of Foreign Affairs, as you outline in your research here. Can we just sort of go through it step by step? I mean, how did they find themselves being penetrated by this threat actor?
So one of the things we want to highlight is that we actually saw this being sent to at least some officials from the Russian Ministry of Foreign Affairs. But there could be indications that, you know, since these diplomats typically interact with each other so often, there could be additional victims out there that we're just not aware of. Unfortunately, though, we're only able to report on the information that we have access to and the things that we were able to find on the internet. So that's kind of the first thing I wanted to throw out there. The second thing is that this all kind of started, again, with us kind of just looking at the email header information. And we were able to see that this malicious email was actually being sent from an IP address in Germany. And then kind of looking at that previous PDNS history of the IP address in Germany, we were able to identify some additional spoofed host names that I believe kind of had that flavor that looked like they were trying to socially engineer particular organizations. So that's how we were able to kind of determine that at least one of the impacted organizations was this Russian Ministry of Foreign Affairs, because they contained that reference to MID.ru. We were then able to kind of delineate that timeframe based off the issuance of the Let's Encrypt X.509 certificates. So as you guys may know, Let's Encrypt is a trusted CA. So when they actually issue a certificate to someone, they have to have that valid timestamp, which is kind of what gave us that initial timestamp value for when this began.
We then were able to kind of continue following them. And we saw something that looked like it was most likely coming from the same threat actor, actually in November. And this was kind of something else which we kind of previously tweeted about, but we didn't get very far with, is that we saw them impersonate a COVID mandate. So like the rest of the world, Russia is dealing with the current COVID pandemic, and one of the procedures that they were trying to do for their population is basically make all of their citizens register with a QR code. And you would need this if you wanted to go to a restaurant, a gym, a bar, someplace like that in a public space. So they were able to actually trojanize that registration software. And we believe that that would then download some additional type of payload. Unfortunately, we were not able to recover that particular payload, but we saw a very similar file being used in December for the Happy New Year's campaign.
Well, let's talk about that Happy New Year's activity that you all tracked here. What was going on there?
So this was, again, a very interesting campaign because it just played so much off of the social, and I want to say that kind of human aspect of security, which I know you love to highlight here on this show. We were able to kind of see that they were sending a New Year's campaign basically the week before New Year's. So again, this is something where, you know, in most professional cultures, you may receive an email from your boss saying, you know, happy holidays or happy Christmas or Kwanzaa or whatever it is that you celebrate in your region. This was something that is kind of expected in some parts of the world. And by doing this, they were able to kind of play off of that social norm in order to kind of exploit the human factor to then kind of click on the screensaver. They would then kind of have the screensaver load. And again, in order to kind of avoid raising suspicion, they would actually display this lovely screensaver, which we have a snapshot of on our blog, if people are curious. It shows the Red Square with kind of a very festive message saying, you know, happy new year to you. Surreptitiously in the background, it would then actually start, you know, loading this additional file. One of the really interesting aspects about this particular campaign is that the threat actor went through additional steps to avoid detection of their actual payload server. So one kind of thing that I thought was rather interesting is that if you were to go to a website, say CyberWire, you would typically get a server 200 error, which says, yes, you are allowed to go here. And that tells the browser to start downloading additional content. The threat actors actually configured their server to respond with a 401 error code, which would typically be indicative of an unauthorized message. This allowed, I think, for some sort of web crawlers, if they were to just, say, go over that particular host name, it might just deter them from actually trying to do anything else and download or index any additional content, because it would just say, oh no, I'm not allowed to view this webpage, I'm just going to move on to the next one. So that was kind of a really interesting technique. And then, of course, it was just sort of the level of obfuscation that they went through. The payload itself was, again, previously reported by some people at Malwarebytes, and it actually hasn't changed very much, but they have just done a whole lot to obfuscate it in order to try to evade detection from EDR products. And then ultimately it would result in that Konni RAT, where they were able to get some host-based information and then communicate back to that C2, where we suspect they're doing some sort of filtering to say, hey, does this host-based information match with what I think my target looks like? And if so, they would likely deploy potentially a second stage payload, but they would kind of avoid researchers from getting that additional sample.
So we think that the goal here is espionage, of gathering information on the systems that they're able to get into?
Yes. Based off everything we believe with this particular threat actor, we suspect that this was an espionage-based campaign. While there have been efforts from certain North Korean groups to try to obtain cryptocurrency in order to try to get money, we believe that this particular cluster of activity is more aligned with their information gathering operations.
Do we suspect that this could be North Korea, or where are we on attribution?
So as you all know, attribution is a very interesting and tricky subject. So what we are going to say is that we are aligning this activity cluster with what some of the other groups are calling TA406, if you are a big fan of Proofpoint, or this is kind of put under the banner of the Konni RAT malware. We believe that this sometimes seems to align with North Korean interests, but we're not really in a position to say who exactly that is at a more granular level.
What did you all track in terms of once they're in the system, things like lateral movement and persistence? Was there anything noteworthy there?
So there were two commands that we saw they were actually running from the command line. One of them was cmd /c systeminfo, and that would kind of collect information about the actual host it's running in. So this would be things like the size of the RAM, your internal domain, basically all the information that your computer has to have, and that would allow them to kind of identify who the actual user is, what domain they're on, if this is something that they believe would be of interest. And then there was a second command that was run that was called tasklist. So it would be cmd /c tasklist. This would allow them to obtain information about everything that's currently running on that particular machine. So this would allow them to look for things like potential EDR products. Are they running any sort of thing that might prevent them from being able to successfully execute? So this is something that could also help with things like that for their kind of operational security. So if you see these two commands being run in succession, that would set off a whole bunch of flags for me, and that's something I would start looking at.
In terms of their communication back and forth with the command and control servers, what can you share with us there? To what degree were they trying to be stealthy with that? Any insights there?
So it was kind of more of a blend-in-the-noise sort of aspect. So they were just communicating over port 80 HTTP. However, in order to kind of secure their communications, they were actually taking all of the information, such as the system info. They would actually then zip that up into a CAB file and then encrypt that. So that way, if you were just looking at something like packet capture or Snort, it might not be able to actually trigger on anything inside of the packet because it was encrypted, but you could potentially get the information about the fact of communication with this abnormal atwebpages.com hostname.
Is there any sense that these folks are still at this? Was this a campaign that ran its course, or is this a group we're still looking at?
This is a group that we are still looking at, and I believe that they're not going to be going away anytime soon. As we kind of highlighted, they were at this for a number of months, and I don't think that this group is going to really be deterred. I suspect that they're going to continue with operations. They may kind of switch some of their payloads. They may kind of switch some of the infrastructure that they're using. But I unfortunately don't think that this is a group that's just going to be going away anytime soon.
And what are your recommendations for organizations to best protect themselves?
So there's a number of things we can do. So one of the things we first had on was the credential harvesting. So I'm sure everyone has kind of heard this by now until they're blue in the face, but multi-factor authentication would help with some of this stuff. If you were to use an app-based application, that could help generate those one-time passcodes, which could make it a lot harder for threat actors to try to obtain access to your encrypted email to then perform this sort of email thread hijacking. Or if you work for an actual sensitive organization, or you believe that you could be a target of these sorts of attacks, we would also recommend using an actual hardware-based token. So that would be something that would kind of help with some of these email phishing problems. The other thing you could do is you can kind of look at some of the reports we've done and look at actually these command line arguments. So if you have some sort of EDR product, or if you're pumping your information into, I want to say, some sort of centralized SIEM and you have things like syslogging installed, you can say, hey, have I seen anyone else in this network run things like systeminfo or tasklist? Which is something that your typical user isn't really going to be doing, looking at what processes are running on their machine. So it would kind of at least alert them that something is happening. And then of course, there is also the opportunity with some of the domain-based monitoring, where if you're looking for things like atwebpages, which could help kind of tip you off to some of this. However, I would almost kind of minimize that one, because it's very trivial for them to set up a new domain on some other service, whether it be Hop2 or Dynamic DNS or whatever the new one is, the new flavor of the week. But by kind of monitoring these actual hosts themselves for these kind of odd command line arguments and by implementing multi-factor authentication for your email, that will really help hardening your perimeter and then help provide some alerting if someone is inside of your network, whether it be this Konni threat actor or even a different threat actor, because we've seen that there's always this kind of system enumeration from almost every threat actor. So I think that's kind of going to be your biggest bang for your buck.
Our thanks to Danny Adamitis from Black Lotus Labs for joining us.
The research is titled New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs.
We'll have a link in the show notes.
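The "systeminfo then tasklist" hunt the guest recommends for EDR or SIEM data, written out as an added example. This is not code from the episode, from Black Lotus Labs, or from the research; it runs over constructed Sysmon-style process-creation events, and the field names, the 60-second window, the keying on parent process ID, and the sample parent image path are all assumptions made for illustration.

```python
"""
Added example (not from the episode or from Black Lotus Labs): flag a host
where one parent process spawns both "cmd /c systeminfo" and "cmd /c tasklist"
in quick succession, the enumeration chain the guest describes for Konni.
Event shape, field names, and sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Match the two commands as cmd.exe would appear in a process-creation event:
# optional path, optional quoting, "/c", then the command, with trailing
# arguments allowed (e.g. "tasklist /v"). Case-insensitive because cmd.exe is.
ENUM_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+(systeminfo|tasklist)(?:\.exe)?(?:\s|$)',
    re.IGNORECASE,
)

# Constructed events in a Sysmon Event ID 1-like shape (assumed field names).
SAMPLE_EVENTS = [
    # Suspicious: a screensaver in %TEMP% spawns both commands two seconds apart.
    {"host": "WS01", "time": "2021-12-27T10:00:01", "parent_pid": 4120,
     "parent_image": r"C:\Users\ivanov\AppData\Local\Temp\HappyNewYear.scr",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c systeminfo'},
    {"host": "WS01", "time": "2021-12-27T10:00:02", "parent_pid": 4120,
     "parent_image": r"C:\Users\ivanov\AppData\Local\Temp\HappyNewYear.scr",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c dir %TEMP%'},
    {"host": "WS01", "time": "2021-12-27T10:00:03", "parent_pid": 4120,
     "parent_image": r"C:\Users\ivanov\AppData\Local\Temp\HappyNewYear.scr",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c tasklist'},
    # Benign: an admin lists processes, then two hours later runs systeminfo
    # from a different console. Different parent and outside the window.
    {"host": "WS02", "time": "2021-12-27T09:15:00", "parent_pid": 812,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c tasklist /v"},
    {"host": "WS02", "time": "2021-12-27T11:20:00", "parent_pid": 2200,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd /c systeminfo"},
]


def classify(command_line):
    """Return 'systeminfo', 'tasklist', or None for one process command line."""
    m = ENUM_RE.match(command_line.strip())
    return m.group(1).lower() if m else None


def _first_pair(hits, window):
    """Return the first (systeminfo, tasklist) pair, in either order, whose
    timestamps fall within `window`; hits must be sorted by time."""
    for i, (t1, c1, e1) in enumerate(hits):
        for t2, c2, e2 in hits[i + 1:]:
            if t2 - t1 > window:
                break
            if {c1, c2} == {"systeminfo", "tasklist"}:
                return (t1, c1, e1), (t2, c2, e2)
    return None


def detect_enumeration_chain(events, window=timedelta(seconds=60)):
    """Return one alert per (host, parent_pid) that ran both enumeration
    commands within `window`. Keying on the parent keeps two unrelated
    consoles on the same box from pairing up; key on host alone for a
    noisier, more sensitive rule."""
    seen = defaultdict(list)
    for ev in events:
        cmd = classify(ev["command_line"])
        if cmd:
            seen[(ev["host"], ev["parent_pid"])].append(
                (datetime.fromisoformat(ev["time"]), cmd, ev))
    alerts = []
    for (host, ppid), hits in seen.items():
        hits.sort(key=lambda h: h[0])
        pair = _first_pair(hits, window)
        if pair:
            (t1, c1, e1), (t2, c2, _) = pair
            alerts.append({
                "host": host,
                "parent_pid": ppid,
                "parent_image": e1["parent_image"],
                "first": t1.isoformat(),
                "second": t2.isoformat(),
                "order": (c1, c2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately narrow: it fires on the pair, not on either command alone, because administrators do run tasklist and systeminfo by hand, and it records the parent image so an analyst can see at a glance that the spawning process was a screensaver in a user's temp directory rather than a console.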
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brendan Karpf, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Karol Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.