In the autumn of 2018, experts of the PT Expert Security Center uncovered the activity of a criminal group engaged in espionage and the theft of confidential documents. Today we will talk about how the investigation progressed and describe the main methods and tools used by the group.
Note: The full report of the investigation is available at the link. It also lists indicators of compromise that can be used to identify signs of an attack.
Who the group attacks, and when it was discovered
The group was identified by experts of the PT Expert Security Center in 2018. The criminals used an unusual method of establishing persistence in the infrastructure, based on creating specific tasks in the Task Scheduler. That is why PT ESC experts named the group TaskMasters.
The Task Scheduler lets you run OS commands and launch software at a point in time specified in the task. Moreover, the AtNow scheduler used by this group allows tasks to be run not only locally but also on remote computers on the network, regardless of the time settings of those hosts. In addition, the utility requires no installation. These features make it easy to automate the attack.
The group attacked companies from different countries, with a significant number of victims in Russia and the CIS. Most of the attacked companies are industrial. In total, we are aware of the compromise of more than 30 organizations from various sectors, including energy, oil and gas, and government bodies.
The main goal of the group is the theft of confidential information. The attackers try to establish a long-term foothold in the corporate information system and gain access to the company's key servers, the workstations of top management, and critical business systems.
The earliest traces of the group's presence in the infrastructure date back to 2010, and at that time the criminals already had full control of some servers and workstations, which means the initial penetration occurred much earlier.
The code of the ASPXSpy2014 web shell published on GitHub, which was used during the attack, contains links to Chinese developers. However, the version we found contains a link to google.com instead.
ASPXSpy: the public version and the version used in the attack
Among the requests to the web shells, we identified IP addresses belonging to a hosting provider and a print shop in Eastern Europe. But the proxy log of one of the attacked organizations captured the moment when the attackers switched to the Chinese residential IP address 220.127.116.11, most likely because their VPN software was switched off at the time of the attack.
During the attack, the attackers used a copy of the WinRAR archiver activated with a license key that is widely circulated on Chinese-language forums.
Licensed version of WinRAR in software resources
WinRAR license key published on Chinese forums
One of the tasks used the domain Brengkolang.com, registered through a Chinese registrar. In addition, many of the utilities contain error messages and other debug output written in broken English, which may indicate that English is not the developers' native language.
How the attackers operate
The overall attack flow is quite predictable. After penetrating the local network, the attackers explore the infrastructure, exploit system vulnerabilities (for example, CVE-2017-0176), then upload a set of utilities to the compromised hosts and unpack it. With this set they search for, copy and archive the files of interest to them, and then send the archives to the control servers.
To move laterally across the network, the criminals execute system commands on remote hosts using the AtNow utility, which allows software to be launched and commands to be executed after a specified time interval. To control the hosts they use small backdoors, through which they connect to the control servers. There are also backup channels in the form of web shells uploaded to externally accessible resources, for example, to the Exchange server.
The group uses Dynamic DNS infrastructure for its domains. The attackers use a large set of utilities and tools for carrying out cyberattacks and actively apply the supply chain attack scheme.
To scan the network and compromise systems, the attackers use free software (including NBTScan, PWDump, Mimikatz). In addition to third-party tools, they use proprietary programs of their own.
The group's main software, through which they controlled infected hosts, consists of two components:
- RemShell Downloader – the loader,
- RemShell – the software with the main set of functions.
Let us consider in more detail each of the components.
The loader component is designed to deliver the main payload to the attacked system. The general scheme of the loader's operation is shown in the figure below.
RemShell loader operation scheme
The loader requests an HTML page at the address hard-coded in its body and reads the value of the Attribute attribute of an HTML tag:
HTML sample file
The value read is then decrypted, and depending on its contents the loader either goes into standby mode (the Sleep command) or saves a PE file to disk and launches it. The downloaded PE file is the payload itself – the main RemShell trojan.
RemShell, the main malware the attackers use to control infected hosts, provides the following features:
- Terminal for remote host management (cmd shell).
- Uploading files to the remote host.
- Uploading files from the remote host to the control server.
The trojan uses two control servers. The first acts as an intermediary, or proxy, which provides the address of the main control server at the malware's request. The first control server can also send a command that moves the malware to another proxy control server.
Transition from the first control server to the main one
We found several variants of this malware. In some, for example, there was no command to upload files from the host to the control server; in such cases the attackers used a proprietary utility to upload files. In others, commands were added to list the processes running on the system and to terminate a process by PID (process ID).
Configuration data, such as the address of the proxy control server, the port and the User-Agent, is encrypted with RC4 and stored as constants in the malware code.
The data exchanged between the control servers and the malware is encrypted with the RC4 algorithm and additionally encoded with Base64. The RC4 key is derived from a constant string by computing its MD5 hash. The result of executing a command received from the control server is sent as an HTTP request to a URL with the specific prefix 1111.
The malware also includes a heartbeat mechanism: at random intervals it checks in with an HTTP request containing the output of the hostname command, sent to a URL with the specific prefix 0000.
The server side for controlling the malware on infected hosts consists of console ELF binaries. The server management interface is designed as a shell and supports the commands shown in the figure below.
The server logs in detail every command sent to the remote host. These log files are stored on disk in encrypted form; the RC4 algorithm is used to encrypt them.
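As an added example (not code from the report or from the group's tools), the following Python reproduces the RC4-plus-Base64 wrapping described above so that an analyst can decode captured RemShell traffic in a lab and label requests by their 0000 / 1111 URL prefix; the key constant, the sample hostname and the assumption that the prefix is the first path segment are mine, not values from the report. The same rc4() routine applies to the RC4-encrypted server-side log files once the key is known.

```python
import base64
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder: the report does not disclose the real key string.
KEY_CONSTANT = "placeholder-key-string"

def rc4_key_from_constant(constant: str) -> bytes:
    """RemShell derives its RC4 key as the MD5 digest of a constant string."""
    return hashlib.md5(constant.encode()).digest()

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wrap(key: bytes, plaintext: bytes) -> str:
    """Implant-side wrapping: RC4, then Base64 (used here only to build sample traffic)."""
    return base64.b64encode(rc4(key, plaintext)).decode()

def unwrap(key: bytes, blob: str) -> bytes:
    """Analyst-side unwrapping: Base64-decode, then RC4."""
    return rc4(key, base64.b64decode(blob))

def classify_request(url: str) -> Optional[str]:
    """Label a request by the URL prefix RemShell uses: 0000 = heartbeat, 1111 = command result.
    Assumption: the prefix is the first path segment of the URL."""
    first = urlparse(url).path.lstrip("/").split("/", 1)[0]
    return {"0000": "heartbeat", "1111": "command-result"}.get(first)

if __name__ == "__main__":
    key = rc4_key_from_constant(KEY_CONSTANT)
    # Constructed heartbeat: the implant posts the `hostname` output under the 0000 prefix.
    sample = wrap(key, b"WS-ACC-07\r\n")
    print(classify_request("http://c2.example.invalid/0000/"), unwrap(key, sample))
```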
We were able to analyze several instances of the server side of the malware. In one of them, we found a mention of the developer AiMi, references to whom we also encountered in other TaskMasters tools.
Mention of the developer in the script's information output
Web shell 404-input-shell
The authorization window for accessing the web shell's functionality is disguised as a standard IIS 404 error page. To reach the command line and execute commands, you must enter a password. The password field is hidden and appears when you click the Back link.
Click the Back button to try another link.
For authorization, the attackers used the password 0p; / 9ol. – the same password they used to encrypt archives. The web shell code contains the MD5 hash of this password.
In total, during the investigations we discovered three modifications of this web shell. They differ in functionality: one is used only for downloading files from the server, another for uploading files to the server, and the third for executing OS commands.
Our research shows that cybercriminals can pursue more than short-term financial goals. Increasingly, they seek to gain access to data and to seize control of an organization's information flows.
Companies from various sectors of the economy can become victims of cyber espionage. To understand how to defend against such attacks, specialized tools are required. It is also important, at the investigation stage, to study in detail the tactics applied by the attackers. It is rather difficult for organizations to solve this problem on their own, as it requires not only advanced tools but also highly qualified information security specialists. Implementing the recommendations received from security professionals will raise the level of infrastructure security and make it harder to breach.