company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Phishing

APT

loading..
loading..
loading..

ColdRiver: Russia-Backed APT Tactics with Spica Malware

Explore ColdRiver's Spica malware in this detailed threat analysis. Uncover Russia-backed APT tactics, Spica code insights, and proactive defense measures

31-Jan-2024
4 min read

Related Articles

loading..

Turla

APT

Uncover the latest tactics of Russia's Turla APT. This technical report analyze...

Turla, a Russian state-sponsored Advanced Persistent Threat (APT) group, conducts sophisticated cyberespionage against government institutions, NGOs, and organizations aligned with Russian interests. This [Threat Research](https://www.secureblink.com/threat-research) provides a detailed analysis of Turla's historical context, recent operations named "Turla Wields," and a thorough technical analysis of their tools and techniques. ### Origins and Historical Context Turla, also known as Snake, Uroburos, Waterbug, and Venomous Bear, emerged in the late 1990s, targeting governments and militaries globally. Their operations align with Russia's geopolitical interests, focusing on nations bordering Russia and former Soviet states. Turla is adept at evading detection, preferring long-term intelligence gathering over disruptive attacks. ### Turla Wields: Recent Attack Trends and Targeting Recent campaigns target NGOs, particularly those supporting Ukrainian causes. Turla exploits legacy infections like Andromeda botnet, employs spear-phishing with weaponized PDFs, and constantly evolves its toolkit, including TinyTurla-NG and TurlaPower-NG. Motives range from military intelligence gathering to destabilizing opposition parties and supporting hybrid warfare. ### Technical Analysis of Turla Techniques Turla's initial infection vectors include spear-phishing, zero-day vulnerabilities, and compromised websites. They establish persistence using TinyTurla-NG, leveraging DLL loading and file masquerading. Communication with command and control servers is disguised within regular web traffic, employing redundant C2s for resilience. ### Data Exfiltration Techniques Turla employs custom tools like TurlaPower-NG to target password managers and browser history databases. Data exfiltration involves file archiving and staged uploads, obscuring their activities over time. ### "Living off the Land" Approach Turla increasingly relies on PowerShell for operations, employing obfuscation techniques and disabling command history recording to evade detection. ### Countermeasures and Defense Considerations Patching vulnerabilities, especially zero-days, is crucial. Endpoint Detection and Response (EDR) platforms with behavioral baselining and anomaly detection can spot Turla's subtle activities. Application and script whitelisting, along with security awareness training, enhance defenses. Web infrastructure hardening and intrusion detection systems are also recommended. ## Technical Analysis: Evolving Toolset Breakdown ### TinyTurla-NG and TurlaPower-NG Deep Dive #### TinyTurla-NG - Network Protocols: HTTP/HTTPS with custom headers and unusual User-Agent strings. - C2 Commands: Task scheduling logic and data encoding for exfiltration. - Persistence: Registry hiding, DLL hijacking methods, and boot-time execution. #### TurlaPower-NG - Target Files: Focus on password managers and browser history SQLite databases. - Data Extraction Logic: Parsing methods and obfuscation techniques. - Archiving: Compression and encryption methods used for file uploads. ### Obfuscation and Anti-Forensics Turla employs meaningless variable names, packed executables, and sandbox evasion techniques to hinder analysis. They ensure minimal forensic traces by cleaning temporary files and overwriting disk images. ### Historical Malware Progression Turla's tools have evolved from executable-based to PowerShell-based, leveraging trusted Windows programs for stealth and adaptability. Staged exfiltration and variable beaconing remain consistent features across toolsets. ## Victim Profiling & Targeting Patterns ### Target Industries & Organizations Turla targets a range of industries, including defense, technology, government, diplomacy, and NGOs. Specific organizations and job titles vary, with a focus on technical staff for network compromise and decision-makers for policy insight. ### Geographic Shifts & Geopolitical Correlation Turla's targeting intensifies around geopolitical events involving Russia, such as elections and conflicts. Analysis reveals patterns of intelligence gathering preceding significant actions, indicating strategic alignment with Russian interests. ## Code Snippets for Detection The following are representative indicators based on open-sourced reports on TinyTurla-NG and similar C2 mechanisms Turla often uses. Use with caution – APTs evolve, so these patterns may change in future samples: `Registry Modification (Possible Turla DLL Loading)` HKEY_CURRENT_USER\Software\Classes\CLSID\{<unusual-looking-GUID>} –Suspicious values within this key can point to persistence via COM object loading `Unusual HTTP Beaconing Traffic Patterns` # Example YARA-like Pattern – simplified - targeting WordPress C2 traffic rule turla_wp_beacon { meta: description = "Possible Turla compromise of WordPress sites for C2" author = "<Your Org Name>" date = "2024-02-27" strings: $http_header = {Content-Type: multipart/form-data;} $beacon_id = /page=[0-9]{8}/ condition: $http_header and $beacon_id and all of them } `PowerShell Obfuscation Techniques (Simplified Examples)` PowerShell # Base64 Encoding to Conceal Commands $cmd = "iex <base64 encoded command>" Invoke-Expression $cmd # Modifying Command Execution Flow $var = 'Something'; $var[3..1] -join '' # Reconstructs a hidden string # PowerShell History Evasion Set-PSReadLineOption -HistorySaveStyle SaveNothing ## Conclusion Turla's persistence and adaptability make them a formidable threat to global security. Understanding their techniques and motivations is crucial for developing effective defense strategies. By implementing rigorous countermeasures and leveraging threat intelligence, organizations can mitigate the risk posed by Turla's cyberespionage activities.

loading..   21-Feb-2024
loading..   1 min read
loading..

Infostealer

Explore the stealthy tactics of AgentTesla, distributed via deceptive CHM files ...

We have comprehensively analyzed the infostealer in this threat research delving into the intricate workings of AgentTesla, operating since 2014. The following sections provide a rigorous analysis of its tactics, evolution, and the technical nuances observed during recent encounters. ## Evolution of AgentTesla ### Initial Access via Spam Emails AgentTesla infiltrates systems primarily through spam emails carrying malicious attachments, often in the form of .doc, .xls, and .ppt files[^1^]. These attachments, housing macros, facilitate the installation of AgentTesla onto the victim's system[^1^]. #### Recent Encounter: Gzip Compressed File On October 4, 2023, a malicious Gzip compressed file within VirusTotal triggered the initiation of AgentTesla infection[^1^]. This underscores the malware's continuous evolution and adaptability in its attack vectors[^1^]. ### CHM File Exploitation AgentTesla's sophistication is evident in its use of CHM files, compressed with Gzip, acting as a lure[^1^]. Recent campaigns indicate a focus on targeting professionals in network engineering, telecommunications, or information technology[^1^]. #### PowerShell Script Execution Upon opening the crafted CHM file, a PowerShell script is downloaded from a remote server, encoded and deflated to avoid detection[^1^]. This script further reveals a loader DLL file, named Hur.dll, responsible for loading the AgentTesla malware[^1^]. #### Infection Chain The infection chain starts with a malicious spam email delivering a Gzip-compressed file that, upon execution, runs a PowerShell command, initiating the download and execution of AgentTesla[^1^]. ### PDF-Based Attacks AgentTesla exhibits versatility by utilizing PDF files for distribution[^1^]. PDF campaigns employ two methods: triggering a PowerShell command and displaying a fake message leading to the download of a PPAM file[^1^]. #### JavaScript Execution Upon execution, the PDF initiates JavaScript execution, triggering a malicious PowerShell script hosted at "htlbook.blogspot.com/atom.xml"[^1^]. ## Technical Analysis ### PowerShell Script Decryption The critical PowerShell script, "nn.txt," employs Base64 encoding and deflation to conceal a second Base64-encoded string representing a malicious DLL[^1^]. This DLL, named Hur.dll, undergoes decryption, exposing encrypted data within its resource section[^1^]. #### Decrypted AgentTesla Payload The decrypted data reveals the AgentTesla malware, invoking various APIs for malicious purposes[^1^]. This payload exhibits complex and dynamic behavior, making it a formidable challenge to detect and eradicate[^1^]. ### Campaign Variations #### CHM Campaign Insights Campaigns involving CHM files showcase AgentTesla's dynamic adaptation, with encrypted data in the resource section revealing a persistent threat[^1^]. #### PDF Campaign Nuances PDF-based campaigns leverage JavaScript execution and fake messages to entice users into AgentTesla infection[^1^]. The use of PPAM files and VBA macros further illustrates the malware's multifaceted approach[^1^]. ## Conclusion AgentTesla's resourceful tactics in data pilfering pose a significant and enduring threat to organizations and individuals alike[^1^]. Its diverse attack vectors demand a multifaceted defense strategy, emphasizing the importance of robust email filtering, cautious link and attachment handling, and reliable antivirus solutions[^1^]. ## Recommendations 1. Implement robust email filtering solutions to detect and block spam emails and malicious attachments. 2. Exercise caution when opening links and email attachments, verifying their authenticity. 3. Utilize reputable antivirus and Internet security software on all connected devices. 4. Stay informed about MITRE ATT&CK® techniques associated with AgentTesla, adapting defenses accordingly[^1^]. ## MITRE ATT&CK® Techniques ### Initial Access - Phishing (T1566.001): AgentTesla employs phishing emails with malicious attachments[^1^]. ### Execution - User Execution (T1203): Victims open malicious attachments, initiating AgentTesla execution[^1^]. - Command and Scripting Interpreter (T1059.001): PowerShell commands download and execute additional payloads[^1^]. ### Persistence - Registry Run Keys / Startup Folder (T1547.001): AgentTesla adds a run entry for persistence[^1^]. ### Defense Evasion - Masquerading (T1036.006): PowerShell scripts masquerade as text files[^1^]. ### Collection - Data from Local System (T1005): AgentTesla collects sensitive data from the victim's system[^1^]. ### Command and Control - Application Layer Protocol: Web Protocols (T1437.001): AgentTesla communicates with C&C servers using HTTP[^1^]. ### Exfiltration - Exfiltration Over C2 Channel (T1041): AgentTesla exfiltrates data over C&C channels[^1^]. ## Indicators of Compromise (IOCs) - Malicious CHM files, Gzip-compressed, SHA256 hashes: 5df434..., 00dc35..., a4de9d..., c7ebda..., 6665f9..., 0bcc3c...[^1^]. - Malicious IP: 82.115.209.180[^1^]. - Malicious Domains: htlbook.blogspot.com/atom.xml, hxxps://booking-comdetails.blogspot.com/[^1^]. - Malicious PDF file, SHA256 hash: 92533be6c7fd...[^1^]. - PPAM file, SHA256 hash: 3a8ac8048d42...[^1^]. ## Final Thoughts This meticulous analysis underscores the ever-evolving threat landscape presented by AgentTesla. Organizations and individuals must remain vigilant, implementing proactive security measures to mitigate the risks posed by this resilient malware[^1^].

loading..   17-Jan-2024
loading..   1 min read
loading..

APT

Sandman, a mysterious APT group out of unknown origin, strategically targets tel...

Sandman APT emerges as a mysterious actor targeting telecommunication providers. This [Threat Research](https://www.secureblink.com/threat-research) thoroughly delves deeper into its maliciously tactical activities, particularly concentrating on the LuaJIT toolkit and the LuaDream modular backdoor. ### Sandman's Strategic Approach Sandman, a threat actor of unknown origin, strategically targets telecommunication providers in the Middle East, Western Europe, and South Asia. Characterized by strategic lateral movements and minimal engagements, Sandman aims to achieve objectives while evading detection. ### LuaJIT Toolkit Adoption Sandman's novel modular backdoor, LuaDream, stands out for utilizing the LuaJIT platform—a rare occurrence in the threat landscape. The LuaDream implementation reflects a well-executed, actively developed project of considerable scale. ## LuaDream: A Deep Dive ### Architecture and Development Style LuaDream, a multi-protocol backdoor, excels in managing attacker-provided plugins and exfiltrating system and user information. Its architecture, consisting of 34 components, indicates a project of substantial scale. #### Code Comment Insight Intriguingly, a code comment in LuaDream's main_proto_WinHttpServer component hints at potential Chinese origin, adding a layer of complexity to Sandman's attribution. ```lua -- Code comment (translates from Chinese to “returned handle”) ``` ### Intricate Staging Process LuaDream's staging process involves seven main stages conducted thoroughly in memory, showcasing an intricate design focused on evading detection. Anti-analysis measures include thread hiding and detection of sandboxes. #### DLL Timestamp Analysis Analysis of DLL timestamps, while acknowledging potential manipulation, suggests authentic proximity to the intrusion date, indicating meticulous planning. ### Sandman's Espionage Motivations The targeted approach, advanced techniques, and victimology suggest Sandman's likely espionage motivations. Telecommunication providers, holding sensitive data, become prime targets in this landscape. ### Network Infrastructure Evolution Sandman's network infrastructure evolution from ssl.explorecell[.]com to mode.encagil[.]com reflects an intentional shift to cloud-based reverse proxy infrastructure, enhancing operational security. ```markdown - SSL.explorecell[.]com to mode.encagil[.]com - Utilization of cloud-based reverse proxy for enhanced security ``` ## Sandman vs. STORM-0866/Red Dev 40 ### Shared Infrastructure Practices Sandman shares infrastructure control and management practices with the STORM-0866/Red Dev 40 APT cluster, emphasizing cooperation and coordination among China-based threat groups. #### Domain Certificate Overlaps Analysis reveals SSL certificate overlaps between Sandman's LuaDream C2 domain and STORM-0866/Red Dev 40's dan.det-ploshadka[.]com, highlighting potential collaboration or shared resources. ```markdown - SSL certificate overlaps: ssl.explorecell[.]com and dan.det-ploshadka[.]com - Shared domain certificates indicating potential collaboration ``` ## LuaDream and KEYPLUG Collaboration ### Shared Development Practices While LuaDream and KEYPLUG are distinct, they exhibit indicators of shared development practices, including infrastructure control, design overlaps, and functionalities. This suggests a cohesive approach by their operators. #### Modular Design and Functionality Overlaps The modular design and functionality overlaps between LuaDream and KEYPLUG further emphasize shared requirements by the threat actors, showcasing the evolving nature of China-based threat landscapes. ```markdown - Modular design similarities between LuaDream and KEYPLUG - Overlapping functionalities indicating shared requirements ``` ### Lua-Based APT Landscape Evolution Historically associated with Western actors, the Lua development paradigm is now embraced by a broader set of cyberespionage threat actors. Sandman's use of LuaDream signifies a shift in development preferences for its modularity, portability, and simplicity. ## Sandman's Targeted Activities ### Victimology and Activities Sandman's targeted activities, observed primarily in the telecommunication sector, demonstrate a meticulous focus on specific workstations. The threat actor exhibits a deliberate approach, limiting actions to minimize detection risks. #### Implementation Timeline Compilation timestamps and artifacts within LuaDream hint at development efforts dating back to 2022, suggesting a persistent threat actor engaging in espionage activities over time. ```markdown - Compilation timestamps hinting at development since 2022 - Persistent threat actor engagement in espionage activities ``` ### Infiltration Techniques Sandman employs sophisticated infiltration techniques, including stealing administrative credentials and utilizing the pass-the-hash technique over the NTLM authentication protocol. Strategic patience is evident in waiting for system boot services to load malicious components. #### DLL Hijacking Technique The DLL hijacking technique, with ualapi.dll masquerading as a legitimate component, showcases Sandman's methodical approach to execute LuaDream without service restarts for evasion. ```markdown - Strategic patience in waiting for system boot services - DLL hijacking technique for discreet LuaDream execution ``` ### LuaDream Staging Process The LuaDream staging process, executed fully in memory, involves intricate steps to evade detection. The use of LuaJIT as a just-in-time compiler enhances the difficulty of detecting malicious Lua script code. ```markdown - LuaDream staging fully in memory for evasion - LuaJIT usage for obfuscation and detection evasion ``` ### Communication Protocols LuaDream and KEYPLUG, both highly modular, implement support for HTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The adoption of QUIC and WebSocket together is a rare feature, possibly reflecting shared functional requirements. ```markdown - Adoption of QUIC and WebSocket for C2 communication - Shared functional requirements in LuaDream and KEYPLUG ``` ## Conclusion In the evolving landscape of cyber threats, Sandman APT exemplifies the intricate nature of China-based threat clusters. The collaboration with STORM-0866/Red Dev 40, shared development practices, and the adoption of LuaDream underscore the complexity and cooperation within this threat landscape. ### Ongoing Monitoring While acknowledging the association of Sandman with China-based adversaries, ongoing monitoring is crucial. The distinct cluster status of Sandman is maintained, pending further conclusive information. #### Broader Lua Development Paradigm Adoption Sandman's use of LuaDream signals a broader adoption of the Lua development paradigm in cyberespionage. This paradigm, historically Western-aligned, now extends to a diverse set of threat actors for its modularity and simplicity. ```markdown - Ongoing monitoring of Sandman's distinct cluster status - Broader adoption of Lua development paradigm in cyberespionage ```

loading..   10-Jan-2024
loading..   1 min read