Summary
On December 19, 2022, the malware researcher known as StopMalvertisin tweeted about a possible APT29 attack.
The spear-phishing campaign targets SberAuto, a Russian online car trading platform associated with the state-owned banking and financial services company Sberbank.
The analyzed attack displayed TTPs commonly attributed to APT29 (aka Cozy Bear), even though it is unclear why a Russian-backed hacking group would target a domestic web service.
Technical Analysis
Initial Stage
The first stage of this attack is an ISO file (0b32bd907072d95223e5eb2dc5e3d9e0) named “Алкоголь_2023_zip.iso”, uploaded to VirusTotal from Russia on December 19, 2022 and potentially delivered as an email attachment.
The archive content closely resembles that of previous APT29 campaigns.
The only item visible in the folder is a shortcut file disguised as “Алкоголь_2023.pdf”, whose target is the following command line:
%windir%/system32/cmd.exe /c start update.exe & "%ProgramFiles(x86)%/Microsoft/Edge/Application/msedge.exe" %cd%/alcohol.pdf
When the LNK file is clicked, update.exe is executed first, followed by the lure PDF document “alcohol.pdf”, which displays the alcohol catalog of the Russian retail chain Globus Gourmet.
The files “thumbcache.dll” and “update.exe” are actually two legitimate signed Microsoft OneDrive binaries: the latter is abused through Windows DLL search order hijacking to load the malicious DLL named “version.dll”, which the threat actor modified to load an encrypted payload file.
Second stage: version.dll
The dynamic-link library “version.dll” is a 64-bit DLL that is side-loaded by the legitimate Microsoft OneDrive binary.
Its compile timestamp shows Sunday, December 18, 2022.
The binary first calls the GetComputerNameExA API function to retrieve the hostname of the infected machine and checks whether it equals corp.sberauto[.]com, the domain of the Russian online car sales service. If the hostname does not match, the program terminates.
After that, the malicious DLL iterates through the running processes with Process32Next to find the PID of explorer.exe and obtain a handle to it. It then creates a suspended RuntimeBroker.exe process with CreateProcessA and sets “explorer.exe” as its parent via the UpdateProcThreadAttribute API.
The attribute parameter value 0x20007 corresponds to PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, while the policy value 0x100000000000 corresponds to PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON: Cobalt Strike typically calls CreateProcess with a STARTUPINFOEX structure carrying this mitigation policy so that DLLs not signed by Microsoft cannot be loaded into the new process.
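As an added example (not part of the original analysis), a small Python decoder for the two raw constants above: it unpacks the PROC_THREAD_ATTRIBUTE_* encoding and the 4-bit policy groups of the mitigation DWORD64, so the names can be confirmed from a disassembly rather than recalled. The constant values are taken from the Windows SDK headers; the group table covers the first DWORD64 of the policy only.

```python
# Decoder for the constants passed to UpdateProcThreadAttribute (values from the Windows SDK headers).

# A PROC_THREAD_ATTRIBUTE_* constant packs the enum number into the low 16 bits
# and three flag bits above it (the SDK's ProcThreadAttributeValue macro).
ATTR_NUMBER, ATTR_THREAD, ATTR_INPUT, ATTR_ADDITIVE = 0xFFFF, 0x10000, 0x20000, 0x40000

# PROC_THREAD_ATTRIBUTE_NUM values relevant to process-injection tradecraft.
ATTRIBUTE_NAMES = {
    0: "PROC_THREAD_ATTRIBUTE_PARENT_PROCESS",
    2: "PROC_THREAD_ATTRIBUTE_HANDLE_LIST",
    7: "PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY",
    11: "PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL",
    14: "PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY",
}

# First DWORD64 of PROCESS_CREATION_MITIGATION_POLICY_*: from bit 8 upward each
# policy owns a 4-bit group in which value 1 = ALWAYS_ON and value 2 = ALWAYS_OFF
# (a few groups define extra variants, e.g. 3 = ..._ALLOW_STORE; not decoded here).
POLICY_GROUPS = {
    2: "FORCE_RELOCATE_IMAGES", 3: "HEAP_TERMINATE", 4: "BOTTOM_UP_ASLR",
    5: "HIGH_ENTROPY_ASLR", 6: "STRICT_HANDLE_CHECKS", 7: "WIN32K_SYSTEM_CALL_DISABLE",
    8: "EXTENSION_POINT_DISABLE", 9: "PROHIBIT_DYNAMIC_CODE", 10: "CONTROL_FLOW_GUARD",
    11: "BLOCK_NON_MICROSOFT_BINARIES", 12: "FONT_DISABLE", 13: "IMAGE_LOAD_NO_REMOTE",
    14: "IMAGE_LOAD_NO_LOW_LABEL", 15: "IMAGE_LOAD_PREFER_SYSTEM32",
}
DEP_FLAGS = {0x1: "DEP_ENABLE", 0x2: "DEP_ATL_THUNK_ENABLE", 0x4: "SEHOP_ENABLE"}


def decode_attribute(attr: int) -> dict:
    """Split a packed PROC_THREAD_ATTRIBUTE_* value into its enum name and flags."""
    number = attr & ATTR_NUMBER
    return {
        "name": ATTRIBUTE_NAMES.get(number, f"unknown attribute #{number}"),
        "thread": bool(attr & ATTR_THREAD),      # applies to a thread, not the process
        "input": bool(attr & ATTR_INPUT),        # caller supplies the value
        "additive": bool(attr & ATTR_ADDITIVE),  # value is merged, not replaced
    }


def decode_mitigation_policy(policy: int) -> list:
    """Name every policy switched on or off in a mitigation-policy DWORD64."""
    names = [f"PROCESS_CREATION_MITIGATION_POLICY_{n}" for b, n in DEP_FLAGS.items() if policy & b]
    for group, base in POLICY_GROUPS.items():
        nibble = (policy >> (4 * group)) & 0xF
        if nibble & 0x1:
            names.append(f"PROCESS_CREATION_MITIGATION_POLICY_{base}_ALWAYS_ON")
        if nibble & 0x2:
            names.append(f"PROCESS_CREATION_MITIGATION_POLICY_{base}_ALWAYS_OFF")
    return names
```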
Finally, the DLL decrypts the shellcode and writes it into “RuntimeBroker.exe” through NtAllocateVirtualMemory and NtWriteVirtualMemory, queues it as an executable APC routine and runs it via NtAlertResumeThread. All these API calls are made directly via syscalls to hinder analysis.
The presence of specific debug strings shows that the program was built with the Shhhloader framework, a “shellcode loader that takes raw shellcode as input and compiles a C++ stub that does a bunch of different things to try and bypass AV/EDR”.
Final stage: Cobalt Strike payload
The APC-injected shellcode is a Cobalt Strike backdoor, as evidenced by multiple signature matches from the THOR APT Scanner.
First, the shellcode locates the “MZ” and “PE” headers in memory.
It then resolves the following Windows API functions at runtime by walking PEB_LDR_DATA, avoiding a static import table that would aid detection:
- GetProcAddress
- GetModuleHandleW
- LoadLibraryW
- VirtualAlloc
- VirtualProtect
After allocating an RWX-protected memory region, it injects the shellcode into the “RuntimeBroker.exe” process by once again calling the same initial entry function.
To extract the C2 configuration of the Cobalt Strike beacon, SentinelOne's CobaltStrikeParser Python script comes in handy.
python parse_beacon_config.py --json version.dll
{
"BeaconType": [
"HTTPS"
],
"Port": 443,
"SleepTime": 46000,
"MaxGetSize": 1398924,
"Jitter": 32,
"MaxDNS": "Not Found",
"PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSrC60Ubq+U90iLmHldoLVFW6Bc7vLsQ12BXGcc2c8TQJbnaf8I9dm/dhdZPEoCwQKRbjD/2xlR4Vr/S7IGj1Sh8gKHfJXh96lIhR5W85/+Fdi0weqGbrx9mbu70Ir7bA0ar1vwK17RFIla7B24ffVWNTfsO4fuagDSmR6MSKK2wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"PublicKey_MD5": "ad07d632e310a66efeb503ee9089ad64",
"C2Server": "adblockext.ru,/functionalStatus/hw7s8TE4f9GtrBHb8iiFT7RyIAuN",
"UserAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36",
"HttpPostUri": "/rest/2/meetingsfR4TG1Qpai0Oa1Q5fNxdUoAAfFn1"
}
The Cobalt Strike beacon uses Base64 encoding to communicate with the C2 domain adblockext[.]ru over HTTPS.
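As an added example that is not part of the original write-up, the following Python turns the parsed beacon configuration above (re-entered here as a constructed dict, public key omitted) into proxy indicators and the expected check-in interval, then runs them over a few constructed proxy log lines; the interval arithmetic assumes Cobalt Strike's behaviour of shortening each sleep by a random 0..Jitter percent.

```python
import json

# Constructed from the values in the parser output above (public key omitted).
BEACON_CONFIG = json.loads("""{
  "BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 46000, "Jitter": 32,
  "C2Server": "adblockext.ru,/functionalStatus/hw7s8TE4f9GtrBHb8iiFT7RyIAuN",
  "UserAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36",
  "HttpPostUri": "/rest/2/meetingsfR4TG1Qpai0Oa1Q5fNxdUoAAfFn1"
}""")
UA = BEACON_CONFIG["UserAgent"]

# Constructed proxy log lines (tab separated): time, client, method, host, path, user agent.
PROXY_LOG = [
    "2022-12-19T09:00:00Z\t10.1.2.3\tGET\tadblockext.ru\t/functionalStatus/hw7s8TE4f9GtrBHb8iiFT7RyIAuN\t" + UA,
    "2022-12-19T09:00:02Z\t10.1.2.9\tGET\tupdate.microsoft.com\t/v1/check\tMicrosoft-Delivery-Optimization/10.0",
    "2022-12-19T09:00:41Z\t10.1.2.3\tPOST\tadblockext.ru\t/rest/2/meetingsfR4TG1Qpai0Oa1Q5fNxdUoAAfFn1\t" + UA,
    "2022-12-19T09:01:10Z\t10.1.2.7\tGET\tcdn.example.net\t/functionalStatus/hw7s8TE4f9GtrBHb8iiFT7RyIAuN\t" + UA,
]


def beacon_indicators(cfg: dict) -> dict:
    """Turn the parsed beacon config into values a proxy or IDS rule can key on."""
    host, get_uri = cfg["C2Server"].split(",", 1)
    scheme = cfg["BeaconType"][0].lower()
    sleep_s = cfg["SleepTime"] / 1000
    # Assumed Beacon behaviour: every sleep is shortened by a random 0..Jitter
    # percent, so the check-in interval on the wire lies in [sleep*(1-j/100), sleep].
    return {
        "host": host,
        "uris": {get_uri, cfg["HttpPostUri"]},
        "get_url": f"{scheme}://{host}:{cfg['Port']}{get_uri}",
        "post_url": f"{scheme}://{host}:{cfg['Port']}{cfg['HttpPostUri']}",
        "user_agent": cfg["UserAgent"],
        "interval_s": (round(sleep_s * (1 - cfg["Jitter"] / 100), 2), sleep_s),
    }


def match_proxy_log(lines, ind: dict) -> list:
    """Flag requests to the C2 host, plus the beacon's exact URIs with its user agent
    on any other host (profile paths usually survive a domain change)."""
    hits = []
    for line in lines:
        _ts, client, _method, host, path, ua = line.split("\t")
        if host == ind["host"]:
            hits.append((client, host, "known C2 host"))
        elif path in ind["uris"] and ua == ind["user_agent"]:
            hits.append((client, host, "beacon URI and user agent on new host"))
    return hits
```

The 41-second gap between the two hits from 10.1.2.3 falls inside the computed 31.28 to 46 s window, which is the cadence a beaconing detector should expect for this profile.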
Conclusion
The analyzed sample is interesting because a Russian state-sponsored hacking group targeting a domestic website is highly unlikely and raises suspicion. Cozy Bear has always been implicated in cyber espionage activities targeting foreign entities, including governments, organizations, and think tanks.
In conclusion, the similarities with previous APT29 campaigns (i.e., the use of ISO files containing binaries vulnerable to DLL hijacking) lead to a couple of hypotheses about what this campaign could be:
- An internal red teaming exercise, aimed at strengthening the cybersecurity posture of SberAuto employees;
- An attack orchestrated by Ukrainian groups (in particular, the IT Army of Ukraine) attempting to imitate Cozy Bear TTPs.