Trellix logo
Trellix Introduction Video
Trellix Introduction

A living security platform with a pulse that is always learning and always adapting.

Gartner Magic Quadrant for Endpoint Protection Platforms
Gartner MQ (Endpoint)

Download the Magic Quadrant report, which evaluates the 19 vendors based on ability to execute and completeness of vision.

Gartner Marketplace Guide (XDR)
Gartner® Report: Market Guide for XDR

As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."

The Threat Report - Summer 2022
Latest Report

Our Summer 2022 threat report details the evolution of Russian cybercrime, research into medical devices and access control systems, and includes analysis of email security trends.

Critical Flaws in Widely Used Building Access Control System
Critical Flaws in Widely Used Building Access Control System

At Hardwear.io 2022, Trellix researchers disclosed 8 zero-day vulnerabilities in HID Global Mercury access control panels, allowing them to remotely unlock and lock doors, modify and configure user accounts and subvert detection from management software.

Trellix CEO
Our CEO on Living Security

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

Trellix Introduction Video
Trellix Introduction

A living security platform with a pulse that is always learning and always adapting.

Stories

The latest cybersecurity trends, best practices,
security vulnerabilities, and more

Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes

Have you ever been curious about how nation-state actors operate and what their day-to-day work looks like?

This blog reveals some of these details observed based on our Advanced Threat Research team’s analysis of Operation Graphite, a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.

In summary, Trellix’s Advanced Threat Research team recently exposed what appears to be a nation-state operator using Microsoft’s OneDrive as a Command and Control (C2) server as a first interaction with its victims. When the results of the initial attack passed the test, more stages were installed ending with an Empire Agent interacting with the threat-actor's Empire server. When investigating incidents, the timestamps of actions, files are important indicators in the investigation. The timestamps of the actor’s activity were based on the forensic artifacts discovered at both victims’ sites and from the Empire’s servers the actors used in the campaign. Thanks to the partnerships between the public sector and us a private company, we were able to exchange data and information that was beneficial for the parties involved into this investigation.

As a reminder, we highlight the timeline of events below:

Figure 1. Timeline of the campaign
Figure 1. Timeline of the campaign

From our timeline, we observed the registration of one of the C2 domains in June 2021. Later, the actor is uses OneDrive to drag, and sync encrypted command files with its victims. Using a OneDrive as a C2 server is a simple but effective defensive evasion tactic.

Let us be honest, how many companies are not using it and synchronisation traffic is happening every second in the network? It is a wonderful way for an attacker to hide his C2 traffic, and it is a novel way of interacting fast with your victims. But what if you accidentally dragged the wrong folder to the server?

Блин!

This is exactly what happened... One of the files that was accidently synchronised, contained the setup process of the C2 server:

Figure 2. Setup script for C2 server
Figure 2. Setup script for C2 server

In the screenshot, where we have redacted a few parts, we observe the steps and commands taken on the server to install the Empire software and setup routing and the payloads.

The domain-name and URL (Uniform Resource Locator) paths, combined with the observed payload names in our research match exactly.

When the C2 was abandoned, the actors might have been in a hurry and did not clean up the disk. Thanks to our partnership, we were able to investigate the Empire server logs that helped identify victims, but, moreover, gave a sneak-peek into how the threat actors operated once they had access to their victim’s computers. We will share some of our findings and where needed we redacted for the sake of privacy the data.

Testing the infrastructure

Before the first victim, the actors infected a virtual machine with an Empire agent on the September 15th in 2021 to test the connectivity to the C2 and execute a few reconnaissance commands. We will take you through that day:

Figure 3. Attacker testing the waters
Figure 3. Attacker testing the waters

We observe in this first part the attacker checking if the machine is still reachable using the Empire Agent and next reconnaissance commands are sent to discover the hostname, IP-address, the user account logged in at the time of asking and finally confirming that the network connection with the C2 server is established.

Later, on the 21st of September 2021, the threat actors tested the full infection chain by infecting another virtual machine. The commands issued to the machine are the following:

Figure 4. Attacker listing network settings
Figure 4. Attacker listing network settings

The attacker is verifying for any scheduled tasks that are running on the infected machine and continues to verify the settings and ability of network connectivity. To test if the computer can reach the Internet, a ping command towards Google’s DNS (Domain Name System) (8.8.8.8) is executed.

On the 29th of September 2021, to double check the infection chain was working they infected another virtual machine. Both infection dates of the testing virtual machines match the ones we mentioned in the Timeline of the operation in our previous research.

In the image below, we show the commands executed in this new testing machine:

Figure 5. Attacker testing persistence
Figure 5. Attacker testing persistence

First, the attacker checks the architecture of the machine, which in this case is 64 bits, and uploads an DLL (Dynamic Link Library) Empire agent corresponding to the architecture of the system. Next, it moves the payload to the directory “C:\ProgramData” and establishes persistence in the system overriding the CLSID (Class Identifier) “{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}” with the path to Empire agent file. This technique is known as COM (Component Object Model) Hijacking and was discussed in the previously report of the campaign.

Start of the campaign

We started identifying victims in the logs on the 6th of October 2021, the same day the attackers launched the attack, and the Excel documents were uploaded to Virus Total. We identified several different infected systems all of them from the same organization.

Once the attacker got access to the victims’ machines, he uploaded the DLL Empire agent and executed the exact same commands we have seen in the previous testing machine to establish persistence as if he were following the APT (Advanced Persistent Threat) operators’ manual.

After executing the commands to establish persistence, the actors started executing commands to gather information about the context, the machine, and the username of the victim. First, they queried the current path the Empire agent is executing, they listed the directory “C:\Program Data” to check if the Empire agent was properly moved, through the systeminfo command they got the statistics and technical information of the infected machine, they obtained the current user and finally they listed all the software installed.

Figure 6. Reconnaissance commands on victims’ machines
Figure 6. Reconnaissance commands on victims’ machines

Continuing in the reconnaissance stage of the attack, the operators gathered more information about the users in the Administrators group, the domain information about the current user, the list of shares available in the machine, the current active processes executing in the machine. The adversaries spend quite time in the Discovery phase to gain knowledge about the system and the internal network to understand how they can escalate privileges and move laterally to fulfil their objective of information-gathering.

Figure 7. User reconnaissance commands
Figure 7. User reconnaissance commands

After the user reconnaissance and discovery phase, the adversaries elevated privileges from the current user to SYSTEM. We do not have full visibility on how the process was completed, but we assess with medium confidence they used a custom tool mimicking or abusing the ThinPrint software installer. The assessment is based on that after the upload and execution of the tools, a new Empire agent on the same machine with SYSTEM privileges does the “check-in” task into the Empire server.

Figure 8. Privilege escalation commands
Figure 8. Privilege escalation commands

From this point on, the attacker(s) are using several commands to gain more information about the system, which software is installed, add a user account for persistence and dump the LSASS (Local Security Authority Subsystem Service) memory, and identifying the antivirus vendor installed. Dumping the LSASSS, with the use of Minidump is used for getting credentials out of that dump that might assist in more lateral movement through the victims’ network. In the below picture, we highlight some of these interesting commands:

Figure 9. Examples of lateral movement
Figure 9. Examples of lateral movement

Once all is clear to the attacker, we observed the attacker harvesting for data and documents with topics of interest. Since we identified the machine(s) used by the attacker(s), the attacker verified if the upload were successful and by frequent directory listings executed on the systems, the progress of the download of this information could be observed. A lot of the information the threat actor was interested in was related to diplomatic and political oriented content. For example, documentation around the European Union meetings and other notes of diplomatic meetings.

Figure 10. Examples of lateral movement
Figure 10. Examples of lateral movement

After all the information was gathered, the actors uploaded a tool that by the command line they used to execute resembles to a VNC remote access software. After executing the file, they started testing their connection to other critical machines inside the victim infrastructure to check if they can reach and remotely control them.

Figure 11. Possible VNC tool
Figure 11. Possible VNC tool

When the actor finished operating with the tools in the victims’ systems, he started to clean some of the tools used:

Figure 12. Deleting the files
Figure 12. Deleting the files

When you are in digital forensics, your heart will start to jump up and down, since deleting files is great, but if they are not overwritten, using file-carving of deleted files gives an opportunity to recover those files.

Conclusion

This blog gave an overview of the operational details inside the campaign we unveiled the past month where a Prime Minister’s Office was compromised in Western Asia by a Russian threat actor. The threat actor was extremely interested in information on the current political landscape. With high confidence, we observed the actor gathering information about the relationships established between these victims and the European Union and other diplomatic relationships were of interest. A clear example of an intelligence operation that assisted in gaining insights into the political landscape.

As we already said in the previous blog, the actors behind this campaign are very advanced as they spent months setting up the infrastructure, creating the lure documents with the embedded exploit, and testing all the components before launching the attack. Even though the actors are very advanced, nonetheless they are still human, therefore they make mistakes as we have seen in this blog.

Following the trail of breadcrumbs left by the threat actors, we gathered valuable intel on how the operators operate on a compromised network allowing us to observe the tactics, techniques, and procedures in a complex espionage campaign.

MITRE ATT&CK

ATT&CK ID Tactics Name Observable
T1560 Collection Archive Collected Data Add-Type -Assembly
System.IO.Compression.FileSystem
[IO.Compression.ZipFile]::CreateFromDirectory([folderPath], [zipFilePath])
T1005 Collection Data from Local System dir c:\users\USERX\desktop
T1114.001 Collection Email Collection: Local Email Collection reg query HKEY_USERS\S-1-5-21-
***\software\microsoft\office\16.0\Outlook
T1003.001 Credential Access OS Credential Dumping: LSASS Memory rundll32
C:\windows\system32\comsvcs.dll,MiniDump 788
c:\temp\dmlsdif\dmlsdif5.bin full
T1003.002 Credential Access OS Credential Dumping: Security Account Manager reg save hklm\system c:\windows\temp\tmpsystl /y
reg save hklm\security c:\windows\temp\tmpsectl /y
reg save hklm\sam c:\windows\temp\tmpsmstl /y
T1562.001 Defense Evasion Impair Defenses: Disable or Modify Tools
T1562.010 Defense Evasion Impair Defenses: Downgrade Attack
T1070.004 Defense Evasion Indicator Removal on Host: File Deletion del ThinPrint.dll
del ThinPrintInst.exe
T1112 Defense Evasion Modify Registry reg add HKCU\Software\Classes\CLSID\{D9144DCD-
E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32
T1078.003 Defense Evasion, Initial Access, Persistence, Privilege Escalation Valid Accounts: Local Accounts net user /add user1 XXXXX
T1087.002 Discovery Account Discovery: Domain Account cmd /c query user net user /domain XXXX
T1087.003 Discovery Account Discovery: Email Account reg query HKEY_USERS\S-1-5-21-
***\software\microsoft\office\16.0\Outlook\Profiles
\Outlook
T1087.001 Discovery Account Discovery: Local Account net localgroup
net localgroup Administrators
T1057 Discovery Process Discovery tasklist
tasklist | findstr /i lsas
T1069 Discovery Permission Groups Discovery net localgroup Administrators
T1012 Discovery Query Registry reg query HKCU\\Software\\Classes\\CLSID\\
T1518 Discovery Software Discovery reg query HKCU\Software\
T1518.001 Discovery Software Discovery: Security Software Discovery Get-WmiObject -Namespace root/SecurityCenter2 -
Class AntiVirusProduct | format-list
T1082 Discovery System Information Discovery systeminfo
net statistics workstation
T1016 Discovery System Network Configuration Discovery ipconfig
ipconfig /all
T1016.001 Discovery System Network Configuration Discovery: Internet Connection Discovery ping 8.8.8.8
T1049 Discovery System Network Connections Discovery netstat
netstat -n
T1033 Discovery System Owner/User Discovery whoami /all
cmd /c query user
T1135 Discovery Network Share Discovery net share
T1007 Discovery System Service Discovery
T1041 Exfiltration Exfiltration Over C2 Channel download c:\users\USERX\desktop\mail.docx
T1570 Lateral Movement Lateral Tool Transfer
T1098 Persistence Account Manipulation net user /add user1 XXXXX
T1136.001 Persistence Create Account: Local Account net user /add user1 XXXXX
T1546.015 Persistence Event Triggered Execution: Component Object Model
Hijacking
CLSID: D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D

Featured Content

Get the latest

We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.

Please enter a valid email address.
Zero spam. Unsubscribe at any time.