A kill chain of eight steps and cats

Warm greetings from Alexander Badaev of the information security threat investigation department and Yana Avezova, analyst in the research group. We both work at Positive Technologies, and, as you might think, our paths in the company rarely cross. Judge for yourself: on one side there are hacker groups and the unraveling of attack chains; on the other, cyber threat analysis, statistics, dry numbers and pretty graphs. So it would seem, but not quite. When one of us collected information about 16 hacker groups attacking the Middle East and the other analyzed their tactics and techniques, the result of this tandem was a large study. In this article we will talk about how APT groups operate: where they begin an attack and how they develop it as they move towards their intended goal.

Step 1. Prepare for attack

Complex, targeted attacks begin with reconnaissance. Attackers may conduct large-scale network scans (Active Scanning) in search of suitable targets, and as a result obtain information sufficient for the initial stage of penetration. Such information includes, for example, a list of public systems susceptible to known vulnerabilities (T1595.002). In addition, attackers may collect lists of subdomains and open web directories in order to later use them to host web shells (T1595.003). For example, the Volatile Cedar group used the DirBuster and Gobuster utilities for this purpose.

The APT35 group, which in the Middle East attacked mainly Saudi Arabia and Israel, collected information about employees of target organizations (Gather Victim Identity Information), including mobile phone numbers, which could be used to send messages with links to mobile malware for spying and data theft. The group tracked the IP addresses (T1590.005) and location (T1591.001) of visitors to its phishing sites. In addition, the attackers identified valuable email addresses (T1589.002) to use as a starting point in their attacks. The Hexane group established in advance the identities of managers and of human resources and IT department employees at target organizations (T1591.004).

Reconnaissance is followed by the stage of preparing the toolset for the attack. Attackers may register fake domains (T1583.001) and create email accounts (T1585.002) or social media accounts (T1585.001) for targeted phishing. For example, the APT35 group registered accounts on LinkedIn and other social networks in order to contact victims and, through messages and voice calls, convince them to open malicious links.

Step 2. Gaining initial access

To get into the internal network, cybercriminals need a point of entry: an employee's workstation or a server, which they infect with malware and from which they begin moving further through the organization's network. Most APT groups begin attacks on corporate systems with targeted phishing (Phishing), most often by sending emails with malicious content (T1566.001, T1566.002). For example, the Desert Falcons group was found distributing its malware through pornographic phishing lures.

In addition to email, some attackers (APT35, Bahamut, Dark Caracal, OilRig) used social networks and instant messengers for phishing attacks (T1566.003).

The APT35, Bahamut and Dark Caracal groups infected victims with malware using the watering hole method: attackers compromise web resources that future victims visit, after which malicious programs are quietly downloaded from those resources onto the visitors' computers (Drive-by Compromise).

Some attackers gained access to internal infrastructure through vulnerabilities in Internet-facing resources (Exploit Public-Facing Application). For example, the APT35 and Moses Staff groups used the ProxyShell vulnerability chain in Microsoft Exchange servers (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain initial access and take control of victims' systems. The APT35 and MuddyWater groups exploited the critical Log4Shell vulnerability in the Apache Log4j library (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832).

Step 3. Gaining a foothold

After gaining initial access, attackers seek to establish a foothold in the infrastructure: they take measures that let them return to the victim's network later. To persist on a system, most APT groups in the Middle East use the task scheduler (Scheduled Task/Job). In a campaign against the UAE government described by Fortinet specialists in May 2023, the OilRig group created a scheduled task named MicrosoftEdgeUpdateService that ran every five minutes and launched malware.

Many attackers configure malicious programs to start automatically (Boot or Logon Autostart Execution). For example, the Bahamut group created LNK files in the Startup directory, and the Dark Caracal group's Bandook Trojan added a value under the HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run key.

Some APT groups persist by configuring malicious code to trigger when a certain event occurs (Event Triggered Execution). For example, the APT33, Mustang Panda and Stealth Falcon groups embedded themselves in victims' infrastructure by creating subscriptions to WMI events (T1546.003).

If enterprise server applications allow administrators to install software components, attackers can abuse this to install backdoors (Server Software Component). Groups plant web shells on compromised hosts (T1505.003) to maintain access to victims' networks. Web shells can be used not only for persistence but also for collecting information. For example, the OilRig group's ExchangeLeech web shell monitors traffic and collects the credentials of users who authenticate with insecure methods. The operator can request the list of collected logins and passwords by sending the appropriate command to the web shell through specially crafted cookies.
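The persistence mechanisms in this step (scheduled tasks with a short repeat interval, Run-key values and Startup shortcuts pointing into user-writable directories, WMI event consumers, vendor-like task names such as MicrosoftEdgeUpdateService) all leave artifacts a defender can enumerate and score. The following triage script is an added example, not code from the article or from Positive Technologies; the artifact records, the heuristic thresholds and the directory lists are constructed for illustration.

```python
"""Triage of Windows persistence artifacts: scheduled tasks, Run-key values,
Startup-folder shortcuts and WMI event consumers (Step 3 in the article).

Added example. Sample records are constructed; the heuristics are the
editor's illustration, not Positive Technologies' methodology.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Locations where properly installed software normally lives.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations an unprivileged user can write to: a typical home for dropped malware.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "c:\\programdata\\")
# Names that imitate Microsoft components (the article's MicrosoftEdgeUpdateService case).
VENDOR_LOOKALIKE = re.compile(r"microsoft|edge|windows|office|update", re.I)
# Task repetition at or below this interval is typical of a beaconing loader.
FAST_REPEAT_SECONDS = 300


@dataclass
class Artifact:
    kind: str                        # "task", "runkey", "startup_lnk" or "wmi"
    name: str                        # task name, Run value name, LNK name, consumer name
    command: str                     # command line or shortcut target
    interval_s: Optional[int] = None  # repetition interval for tasks


def executable_path(command: str) -> str:
    """Lower-cased executable path from a command line (quoted or bare first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    return command.split()[0].lower() if command else ""


def suspicious_reasons(a: Artifact) -> List[str]:
    """Return the heuristics that fire for one artifact (empty list = looks benign)."""
    exe = executable_path(a.command)
    reasons = []
    if any(marker in exe for marker in USER_WRITABLE):
        reasons.append("executable in user-writable directory")
    if a.kind == "task" and a.interval_s is not None and a.interval_s <= FAST_REPEAT_SECONDS:
        reasons.append(f"repeats every {a.interval_s}s")
    if VENDOR_LOOKALIKE.search(a.name) and not exe.startswith(TRUSTED_DIRS):
        reasons.append("vendor-like name but binary outside trusted directories")
    if a.kind == "wmi":
        # Permanent WMI command-line consumers are rare in ordinary environments.
        reasons.append("WMI event consumer runs a command line")
    return reasons


def triage(artifacts: List[Artifact]) -> Dict[str, List[str]]:
    """Map artifact name -> reasons, keeping only artifacts that raised at least one."""
    result = {}
    for a in artifacts:
        reasons = suspicious_reasons(a)
        if reasons:
            result[a.name] = reasons
    return result


# Constructed sample artifacts modelled on the behaviours described in the article.
SAMPLE_ARTIFACTS = [
    Artifact("task", "MicrosoftEdgeUpdateService",
             "C:\\Users\\Public\\Libraries\\svchost.exe", interval_s=300),
    Artifact("task", "MicrosoftEdgeUpdateTaskMachineCore",
             '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" /c',
             interval_s=3600),
    Artifact("runkey", "Bandook", "C:\\Users\\alice\\AppData\\Roaming\\ms\\wmp.exe"),
    Artifact("startup_lnk", "report.lnk", "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe"),
    Artifact("runkey", "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    Artifact("wmi", "SCM Event Log Consumer", "C:\\Windows\\System32\\cmd.exe /c C:\\ProgramData\\u.bat"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ARTIFACTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The legitimate Edge updater task is not flagged even though its name matches the vendor-lookalike pattern, because the binary sits under Program Files; the fake MicrosoftEdgeUpdateService trips three heuristics at once. In practice the artifact list would be fed from `schtasks`, the Run keys, the Startup folders and the `root\subscription` WMI namespace.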

Step 4. Looking around inside

After penetrating a corporate network, attackers examine the devices they have gained access to in order to decide how to proceed. First of all, they are interested in the operating system and architecture of the compromised host, as well as software versions, installed patches and service packs (System Information Discovery). For example, one piece of APT35 malware used a PowerShell command to determine whether the host's processor was x64, while other malware of this group obtained the operating system version, UUID and host name and sent them to the command and control server.

Attackers collect information about the network configuration and settings of the compromised system (System Network Configuration Discovery), running network diagnostic utilities or malware with similar functionality. The Mustang Panda group used ipconfig and arp, while the Hexane group used ping and tracert. The Dark Caracal group used the Bandook remote access Trojan, which includes a command for obtaining the host's public IP address.

Most groups try to identify the users of a compromised host and determine how active they are (System Owner/User Discovery). For this purpose, attackers run system utilities or malware with the corresponding functionality. The Caterpillar web shell, developed by the Volatile Cedar group, can retrieve system information, network configuration data, user lists and more.

Attackers study the processes running on compromised hosts (Process Discovery), using both system utilities and malware. For example, the APT15 and OilRig groups collected process information using the tasklist command-line utility. The Bitter group used malware that took a snapshot of running processes with the CreateToolhelp32Snapshot function of the Windows API.

Attackers look for any potentially useful information in the files and directories of compromised hosts (File and Directory Discovery). File listing is one of the functions of the applications deployed by the Bahamut group in the Operation BULL and Operation ROCK campaigns. The MuddyWater APT group used malware that checked whether the ProgramData directory contained subdirectories or files with the keywords Kasper, Panda or ESET. The Desert Falcons group has a tool that recursively scans directories on all drives and searches for specific files by path.

Step 5. Finding credentials

To reach the information they are after, attackers may need additional credentials. One common technique is extracting passwords from the memory of system processes (OS Credential Dumping). The APT15, APT33, APT35, MuddyWater and OilRig groups used publicly available tools for this: Mimikatz or LaZagne (T1003.001, T1003.004, T1003.005). The APT15 and Mustang Panda groups extracted accounts from the NTDS.dit file, the database that stores Active Directory data (T1003.003). Mustang Panda used the vssadmin system utility, designed to administer the Volume Shadow Copy Service: with it the attackers created a shadow copy of the volume on the victim's domain controller and extracted from it the NTDS.dit file, which holds the password hashes of all domain users.

Another common technique for obtaining accounts is intercepting the data a victim enters on a compromised device (Input Capture). To implement it, attackers use dedicated malware: keyloggers. They are in the arsenal of the APT15, APT35, Bahamut, Desert Falcons, Molerats and Volatile Cedar groups, for example.

Some groups retrieved credentials from dedicated storage (Credentials From Password Stores), including browsers (T1555.003). The OilRig and Stealth Falcon groups stole them from Windows Credential Manager (T1555.004).

There are other ways to collect accounts. For example, the APT33, Hexane, OilRig and Volatile Cedar groups obtained passwords by brute force (Brute Force). This succeeds in organizations with weak password policies that allow employees to set simple passwords. Unprotected or weakly protected logins and passwords are easy prey (Unsecured Credentials). This category includes passwords saved by administrators in Group Policy Preferences files (T1552.006). Although passwords are stored there in encrypted form, specialized tools exist that extract and decrypt them. For example, the APT33 group used the Get-GPPPassword utility for this.
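The Group Policy Preferences weakness above is easy to audit from the defender's side: the stored password lives in a `cpassword` attribute inside XML files under the domain's SYSVOL share (Groups.xml is the best known, but Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can carry it too). The script below is an added example, not from the article or from Positive Technologies; it only locates the attribute so the preference item can be deleted and the account's password rotated, and it deliberately does not decrypt anything. The Groups.xml content is constructed and simplified (real files carry additional clsid and uid attributes that the scan does not need).

```python
"""Audit Group Policy Preference XML for stored passwords (T1552.006, Step 5).

Added example. Walks the GPP XML files that may carry a ``cpassword``
attribute and reports each occurrence; sample XML is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List

# GPP preference files that historically carried a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}


@dataclass
class Finding:
    source: str      # file path or label of the XML document
    element: str     # tag of the element carrying the attribute (usually Properties)
    account: str     # userName / accountName / runAs, whichever is present
    has_value: bool  # True when cpassword is non-empty, i.e. a password is stored


def find_cpassword(xml_text: str, source: str) -> List[Finding]:
    """Return one Finding per element that has a cpassword attribute, empty or not."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():          # root.iter() includes the root and all descendants
        if "cpassword" not in elem.attrib:
            continue
        account = (elem.get("userName") or elem.get("accountName")
                   or elem.get("runAs") or elem.get("newName") or "?")
        findings.append(Finding(source, elem.tag, account, bool(elem.get("cpassword"))))
    return findings


def live_passwords(findings: List[Finding]) -> List[Finding]:
    """Only the findings where a password is actually stored."""
    return [f for f in findings if f.has_value]


def audit_sysvol(policies_dir: Path) -> List[Finding]:
    """Walk a copy of the SYSVOL Policies tree (hypothetical path argument) for GPP files."""
    findings = []
    for path in policies_dir.rglob("*.xml"):
        if path.name.lower() in GPP_FILES:
            findings.extend(find_cpassword(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


# Constructed, simplified Groups.xml: one item with a stored password, one without.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2015-01-10 09:12:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-CIPHERTEXT-PLACEHOLDER"
                noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User name="Helpdesk" changed="2016-03-02 11:00:00">
    <Properties action="U" userName="Helpdesk" cpassword="" noChange="0"/>
  </User>
  <Group name="Administrators">
    <Properties action="U" groupName="Administrators"/>
  </Group>
</Groups>
"""

if __name__ == "__main__":
    for f in live_passwords(find_cpassword(SAMPLE_GROUPS_XML, "Groups.xml")):
        print(f"{f.source}: <{f.element}> for account '{f.account}' stores a password")
```

Microsoft stopped Group Policy from creating new items of this kind with MS14-025, but items created earlier stay in SYSVOL and remain readable by every domain user, which is why a periodic scan like this is still worthwhile.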

Step 6. Gathering valuable information

APT groups often take screenshots of victims' screens (Screen Capture) and send them to their servers. Some recorded video from the screen (Video Capture) and audio from the victim's microphone (Audio Capture). For screenshots and video and audio recording, attackers use malware, including custom tools such as StrifeWater and CANDYKING. The Dark Caracal group used the Bandook malware, which contains modules capable of capturing video from the victim's webcam and audio from the microphone.

Attackers look for valuable information directly on employees' computers: in user and configuration files and local databases (Data From Local System). For example, the Dark Caracal group collected the entire contents of the Pictures directory from compromised Windows hosts.

Some groups archive the data they collect (Archive Collected Data). For example, the Mustang Panda group used an archiver to create password-protected archives of collected documents (T1560.001) and also encrypted files with RC4 (T1560.003) before sending them to the attackers' server. The Molerats group used a tool called DustySky, which created temporary directories for collected files and allowed them to be archived before being sent outside the corporate infrastructure. Every fourth group automated data collection.

Step 7. Communicating with the command and control server

As needed, APT groups download additional tools to maintain and expand their foothold in the victim's infrastructure (Ingress Tool Transfer). The transfer goes through the command and control channel or over alternative protocols. Groups often use common application layer protocols (Application Layer Protocol). For example, APT35 malware communicated with its command center over IRC, while the OilRig group used DNS (T1071.004), in particular the public tunnelling service requestbin.net. MuddyWater's Small Sieve malware communicated with its command center through the Telegram API over HTTPS (T1071.001). Using common application layer protocols mixes malicious activity with legitimate traffic, which can make it harder to detect.
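DNS as a command channel, as in the OilRig case above, has a recognizable footprint even though it rides a protocol every host uses: data is encoded into query names, so one registered domain receives many distinct, long, high-entropy subdomains, frequently as TXT or NULL queries. The analyser below is an added example, not from the article or from Positive Technologies. The log lines and the `tunnel.example` domain are constructed, the log format (`timestamp client qtype qname`) is an assumption, and treating the last two labels as the registered domain is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Heuristic spotting of DNS-based command-and-control (T1071.004, Step 7).

Added example. Aggregates DNS query logs per registered domain and flags
domains that receive many unique, long, high-entropy subdomains.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

MIN_UNIQUE_SUBDOMAINS = 5    # distinct subdomains seen under one registered domain
MIN_MEAN_ENTROPY = 3.0       # bits per character of the subdomain part
MIN_MEAN_SUBDOMAIN_LEN = 20  # characters, dots excluded


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """(registered_domain, subdomain_without_dots); last two labels = registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def parse_line(line: str) -> Dict[str, str]:
    """Assumed log format: '<timestamp> <client> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def analyse(lines: List[str]) -> Dict[str, dict]:
    """Per registered domain: subdomain statistics and a 'suspicious' verdict."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                      "lengths": [], "txt": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        domain, sub = split_name(rec["qname"])
        st = per_domain[domain]
        st["total"] += 1
        st["subdomains"].add(sub)
        st["entropies"].append(shannon_entropy(sub))
        st["lengths"].append(len(sub))
        if rec["qtype"] in ("TXT", "NULL"):   # record types favoured by tunnels
            st["txt"] += 1
    report = {}
    for domain, st in per_domain.items():
        mean_h = sum(st["entropies"]) / len(st["entropies"])
        mean_len = sum(st["lengths"]) / len(st["lengths"])
        report[domain] = {
            "unique_subdomains": len(st["subdomains"]),
            "mean_entropy": round(mean_h, 2),
            "mean_subdomain_len": round(mean_len, 1),
            "txt_ratio": round(st["txt"] / st["total"], 2),
            "suspicious": (len(st["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS
                           and mean_h >= MIN_MEAN_ENTROPY
                           and mean_len >= MIN_MEAN_SUBDOMAIN_LEN),
        }
    return report


# Constructed sample: ordinary browsing to example.com, tunnel-like queries to tunnel.example.
SAMPLE_QUERIES = [
    "2023-05-03T10:00:01Z 10.0.0.5 A www.example.com",
    "2023-05-03T10:00:02Z 10.0.0.5 A mail.example.com",
    "2023-05-03T10:00:03Z 10.0.0.5 A www.example.com",
    "2023-05-03T10:00:04Z 10.0.0.7 TXT 9f3a7c1e04b2d6e8a5f1.c3b7.tunnel.example",
    "2023-05-03T10:00:05Z 10.0.0.7 TXT 51e2c8d0b4a69f7e3d1c.c3b7.tunnel.example",
    "2023-05-03T10:00:06Z 10.0.0.7 TXT e7d1a3f9c05b8e2d4a6f.c3b7.tunnel.example",
    "2023-05-03T10:00:07Z 10.0.0.7 TXT 0b8f6e2a9d3c7e1f5a4b.c3b7.tunnel.example",
    "2023-05-03T10:00:08Z 10.0.0.7 TXT c4a2e8f1d7b3095e6a1d.c3b7.tunnel.example",
]

if __name__ == "__main__":
    for domain, stats in analyse(SAMPLE_QUERIES).items():
        print(domain, stats)
```

Thresholds this low would be noisy on a real resolver log because CDNs and telemetry services also generate many unique subdomains; the useful next step is to whitelist known domains and raise the unique-subdomain threshold to fit the observed baseline.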

To mask communication channels, APT groups use encryption (Encrypted Channel). Most attackers encrypted traffic with the symmetric AES and RC4 algorithms (T1573.001). The OilRig group used the plink utility to create tunnels (T1573.002).

To exchange information and files with the command and control server, groups use external legitimate web services (Web Service). For example, APT35 malware operated through a SOAP web service. The MuddyWater group distributed remote access tools through the Onehub cloud storage service. The Mustang Panda group used Dropbox to distribute the PlugX Trojan.

The OilRig group used an interesting way of controlling its malware: the victim's own Microsoft Exchange mail server served as the command center. The attackers sent emails to compromised mailboxes whose headers contained the characters "@@". By these markers the PowerExchange backdoor recognized the relevant emails and executed the instructions they contained, after which the emails were automatically deleted. Requests to the Exchange server from the internal network do not cause anomalies in network traffic, which let the attackers stay undetected for a long time. Experts note that this OilRig campaign lasted from February to September 2023.

Step 8. Concealing traces of the crime

It is important for APT groups to remain undetected in a compromised environment for as long as possible, so they resort to various methods of hiding traces of their presence. Typically, attackers pre-test their malware samples and then modify them to evade anti-virus detection. One way is to obfuscate malicious code and use special wrappers (Obfuscated Files or Information). For example, the Dark Caracal group obfuscated strings in Bandook by Base64-encoding and then encrypting them.

A common way to bypass protection is disguising malware as legitimate files or applications (Masquerading). For example, the Bahamut group used icons imitating Microsoft Office files to disguise malware. This group also tried to hide executables by changing the file extension to .scr to simulate Windows screensavers. The OilRig group used the .doc extension to disguise malware as office documents. Another example is Moses Staff's StrifeWater malware, which was named calc.exe to look like the legitimate calculator program.

Many APT groups remove signs of their activity (Indicator Removal): they clear event logs and network connection history and change timestamps. For example, the APT35 group deleted mailbox export requests from compromised Microsoft Exchange servers. After achieving their goals, most attackers completely remove their toolset from compromised devices. These actions make it considerably harder for cybersecurity professionals to investigate incidents later.

To bypass security controls, attackers can proxy the execution of malicious commands through files signed with trusted digital certificates (System Binary Proxy Execution). For example, the APT35 group used rundll32.exe to call the MiniDump function from the comsvcs.dll system library when dumping the memory of the LSASS process. Another example: the Dark Caracal group used a Microsoft Compiled HTML Help file containing a command to download and run a malicious file.
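Several behaviours from Step 5 and Step 8 (vssadmin creating a shadow copy on a domain controller, NTDS.dit read out of that shadow copy, rundll32 calling comsvcs.dll's MiniDump, a CHM file spawning a shell, calc.exe or a .scr file running from a user profile) show up in process-creation telemetry and can be caught with narrow rules. The rule set below is an added example, not code from the article or from Positive Technologies. The events are constructed Sysmon-style records reduced to three fields (image, command line, parent image), placeholders stand in for the process id and output path in the dump command, and the rules are a starting point that would need tuning against an environment's own baseline.

```python
"""Process-creation detections for the credential-theft (Step 5) and
proxy-execution / masquerading (Step 8) behaviours described in the article.

Added example. Events are constructed records with fields image, cmdline, parent.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Well-known Windows binary names that malware borrows (the StrifeWater calc.exe case).
SYSTEM_BINARY_NAMES = {"calc.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "explorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _exe_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def lsass_dump_via_comsvcs(e: Event) -> bool:
    # rundll32 invoking the MiniDump export of comsvcs.dll (APT35, Step 8).
    cmd = e["cmdline"].lower()
    return _exe_name(e["image"]) == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd


def shadow_copy_created(e: Event) -> bool:
    # vssadmin creating a volume shadow copy (Mustang Panda NTDS.dit theft, Step 5).
    return (_exe_name(e["image"]) == "vssadmin.exe"
            and re.search(r"create\s+shadow", e["cmdline"], re.I) is not None)


def ntds_read_from_shadow_copy(e: Event) -> bool:
    # NTDS.dit accessed through a shadow-copy device path rather than the live database.
    cmd = e["cmdline"].lower()
    return "ntds.dit" in cmd and "harddiskvolumeshadowcopy" in cmd


def chm_spawns_shell(e: Event) -> bool:
    # HTML Help (hh.exe) launching a shell or script host (Dark Caracal CHM lure, Step 8).
    return _exe_name(e["parent"]) == "hh.exe" and _exe_name(e["image"]) in SHELLS


def system_binary_name_outside_system_dir(e: Event) -> bool:
    # A system binary name running from outside C:\Windows.
    img = e["image"].lower()
    return _exe_name(img) in SYSTEM_BINARY_NAMES and not img.startswith("c:\\windows\\")


def screensaver_from_user_path(e: Event) -> bool:
    # .scr executables launched from a user profile (Bahamut's .scr masquerading, Step 8).
    img = e["image"].lower()
    return img.endswith(".scr") and "\\users\\" in img


RULES: Dict[str, Callable[[Event], bool]] = {
    "lsass_dump_via_comsvcs": lsass_dump_via_comsvcs,
    "shadow_copy_created": shadow_copy_created,
    "ntds_read_from_shadow_copy": ntds_read_from_shadow_copy,
    "chm_spawns_shell": chm_spawns_shell,
    "system_binary_name_outside_system_dir": system_binary_name_outside_system_dir,
    "screensaver_from_user_path": screensaver_from_user_path,
}


def evaluate(events: List[Event]) -> List[List[str]]:
    """For each event, the names of the rules that matched (empty list = nothing fired)."""
    return [[name for name, rule in RULES.items() if rule(e)] for e in events]


# Constructed sample events: six that should fire one rule each, two benign ones.
SAMPLE_EVENTS: List[Event] = [
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump [PID] [OUTFILE] full",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit [OUTFILE]",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temp\\stage.bat",
     "parent": "C:\\Windows\\hh.exe"},
    {"image": "C:\\Users\\bob\\AppData\\Local\\Temp\\calc.exe", "cmdline": "calc.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"image": "C:\\Users\\bob\\Downloads\\invoice.scr", "cmdline": "invoice.scr",
     "parent": "C:\\Windows\\explorer.exe"},
    {"image": "C:\\Windows\\System32\\calc.exe", "cmdline": "calc.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL",
     "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for e, hits in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{_exe_name(e['image'])}: {hits or 'no match'}")
```

The two benign events (the real calc.exe under System32 and a rundll32 call into shell32.dll) pass through, which is the property that matters: rules on signed system binaries must key on the argument or the path, not on the binary name alone, or they drown in legitimate activity.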


Using the example of the Middle East-focused APT groups we studied, we have traced what is in many ways the typical path of attackers to their goal: an attack on an organization whose result may be any undesirable event, including unacceptable ones (for example, a production stoppage or a man-made or even ecological catastrophe). In our opinion, the tactics and techniques presented in this article largely correlate with the typical techniques of a group operating in any other region, which our other research confirms. One could even say that the actions of these groups demonstrate an exemplary attack chain, so they can be taken as a model for teaching kill chains to novice cyber detectives. If you don't agree, write in the comments. Only, mind you, with arguments.

Until new unravelings!

Yes, we almost forgot: as you noticed, there are a lot of cats in the article, and they are here for a reason. Therefore, a question for readers: what does fluffy have to do with it? Whoever answers correctly first gets respect from us personally and cool merch as a gift!


Yana Avezova

Senior Research Analyst, Positive Technologies

Alexander Badaev

Information Security Threat Investigation Department Specialist, Positive Technologies
