Since the beginning of this year, a known APT group of Chinese origin has been targeting military-industrial complex companies and state institutions in Ukraine, Russia and Belarus, as well as other parts of the world such as Afghanistan. The group, tracked in the past as TA428, takes an interesting approach: it deploys up to six different backdoors on compromised targets to achieve persistence and redundancy.
The targets included industrial factories, engineering offices, research institutes and government ministries, agencies and departments, according to researchers from antivirus vendor Kaspersky Lab, who investigated the attack campaign.
“Attackers were able to break into dozens of companies and even hijack the IT infrastructure of some, taking control of the systems used to manage security solutions,” the researchers said in a report. “An analysis of information obtained during the investigation of the incidents indicates that cyber espionage was the objective of this series of attacks.”
TA428 has a history of attacking defense targets
Of the six backdoor programs used in the latest campaign, five have already been used by the Chinese cyber espionage group TA428. This group targeted defense-related organizations in Russia and Mongolia last year, and some of those attacks were documented by other security companies at the time.
However, there is a lot of code and tool sharing between Chinese APT groups, especially those allegedly associated with the Chinese government, so multiple groups may use some of the backdoor programs: PortDoor, nccTrojan, Logtu, Cotx and DNSep. “We believe that the series of attacks we have identified are most likely an extension of a known campaign that has been described in research by Cybereason, DrWeb and NTTSecurity and has been attributed with a high degree of confidence to the APT TA428 activity,” the Kaspersky researchers said.
In addition to the backdoor programs themselves, there is also an overlap of techniques and even command and control servers used by TA428 in the past, as well as circumstantial evidence.
Targeted phishing with malicious documents
The initial infection vector consists of carefully crafted spear phishing emails aimed at employees of the targeted organizations. Some of these emails contained operational details specific to each targeted organization and were not publicly available, such as the names of employees in charge of certain projects or code names of internal projects. This suggests that the attackers performed a thorough reconnaissance beforehand or obtained these sensitive details from past compromises.
The spear-phishing emails contained maliciously crafted Word documents that attempted to exploit CVE-2017-11882, a remote code execution vulnerability in Microsoft Equation Editor, which is part of Microsoft Word. This vulnerability is also listed in CISA’s Catalog of Known Exploited Vulnerabilities with an update deadline of May 3, 2022 for US government agencies.
“An analysis of the document’s metadata showed that, with a high probability, the attackers stole the document (while it was still legitimate) from another company in the military-industrial complex, after which they modified it using a militarizer, a program designed to inject malicious code into documents,” the researchers said.
If successful, the exploit deploys a new version of the PortDoor backdoor, which is used to collect information about the infected system, send it back to a C2 server and, if the attackers deem the system interesting, deploy additional malware. This backdoor was associated with TA428 in an earlier report by security firm Cybereason.
TA428’s Backdoor Collection
PortDoor is then used to deploy another malicious program with backdoor functionality called nccTrojan, which provides another way to control the infected system and exfiltrate interesting files from it. This Trojan has been associated with TA428 in previous research by NTT Security, the security arm of Japanese telecommunications giant NTT.
As part of their lateral movement activities, the hackers have also been seen deploying two backdoor programs called Cotx and DNSep on newly infected local systems. These backdoor programs have nearly identical functionality and differ only in code. Both are deployed using DLL hijacking techniques against outdated versions of McAfee SecurityCenter, the Sophos SafeStore Restore tool, and Intel Common UI. DLL hijacking refers to the practice of dropping a malicious DLL into a folder that takes priority in the library search path of a legitimate program. This means that the program will end up loading the malicious DLL if it exists with a particular name and in a particular location. The technique is intended to make detection more difficult because the malicious code is loaded by a legitimate process instead of running as a new process.
Both programs also use another detection evasion technique known as process hollowing, which involves replacing the legitimate code of an existing program in memory. Cotx injects itself into dllhost.exe, a legitimate Windows process, while DNSep injects itself into the process of powercfg.exe, a power management utility.
Another backdoor used by hackers and loaded similarly to Cotx and DNSep is called Logtu and has been linked to TA428 attacks in the past by Russian antivirus vendor Dr.Web.
Finally, Kaspersky researchers detected a previously undocumented backdoor in the latest attacks. This malware has been dubbed CotSam because it looks like Cotx, but is deployed in a very different way.
In one case, the attackers bundled the malware with versions of Microsoft Word (Microsoft Word 2007 for 32-bit systems and Microsoft Word 2010 for 64-bit systems) that were vulnerable to DLL hijacking. In another case, they exploited a DLL hijacking vulnerability in the applaunch.exe application, a technique previously used in ShadowPad supply chain attacks by Chinese APT Winnti (APT41).
Finally, in addition to these backdoor programs, the attackers also used the Ladon modular hacking framework for lateral movement, as well as the NBTscan network scanner and various manual commands. Their goal was to identify vulnerable systems on the network, collect and crack password hashes for network resources, identify users with RDP remote access, search for passwords in text files and finally gain access to the network’s domain controller.
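The DLL hijacking described for Cotx, DNSep and CotSam leaves a recognizable trace in image-load telemetry. The following is an added detection sketch, not code from the article or the Kaspersky report: it assumes Sysmon-style image-load records, and every path and DLL name in the sample data is constructed.

```python
import ntpath

# Directories a standard user cannot write to (assumption: default ACLs intact).
PROTECTED = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# applaunch.exe ships with the .NET Framework under this directory tree.
EXPECTED_PREFIX = {"applaunch.exe": "c:\\windows\\microsoft.net\\"}

# Constructed records shaped like Sysmon image-load events (Event ID 7).
# Paths and DLL names are made up; none come from the Kaspersky report.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll", "Signed": True},
    {"Image": r"C:\ProgramData\ExampleDir\AppLaunch.exe",
     "ImageLoaded": r"C:\ProgramData\ExampleDir\example_a.dll", "Signed": False},
    {"Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\Office14\example_b.dll",
     "Signed": True},
    {"Image": r"C:\Users\Public\Docs\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\Public\Docs\example_c.dll", "Signed": False},
]

def in_protected_dir(directory):
    d = directory.lower()
    return any(d == p or d.startswith(p + "\\") for p in PROTECTED)

def sideload_findings(events):
    """Return (host, dll, reasons) for image loads that fit the hijack pattern."""
    findings = []
    for ev in events:
        host_dir, host = ntpath.split(ev["Image"])
        dll_dir, dll = ntpath.split(ev["ImageLoaded"])
        reasons = []
        # Signal 1: unsigned DLL sitting beside its host where users can write.
        if (not ev["Signed"] and dll_dir.lower() == host_dir.lower()
                and not in_protected_dir(dll_dir)):
            reasons.append("unsigned DLL beside host in writable directory")
        # Signal 2: a known host binary copied out of its install location.
        prefix = EXPECTED_PREFIX.get(host.lower())
        if prefix and not ev["Image"].lower().startswith(prefix):
            reasons.append("host binary outside its expected directory")
        if reasons:
            findings.append((host, dll, reasons))
    return findings

if __name__ == "__main__":
    for host, dll, reasons in sideload_findings(EVENTS):
        print(f"{host} loaded {dll}: {'; '.join(reasons)}")
```

Both signals are heuristics: portable installs and unsigned vendor plug-ins will also match, so findings need a baseline per environment before alerting.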
Once attackers compromise a domain controller, they dump password hashes for all existing user identities and investigate relationships with other domain controllers if they exist on the same network. “By attacking a domain controller, the attackers obtained, among other things, the hash of the password for the user krbtgt (Active Directory service account), allowing them to carry out an attack known as the Golden Ticket”, the researchers said. “This allowed them to issue Kerberos (TGT) tickets independently and authenticate against any Active Directory service – all for an unlimited time.”
This attack is powerful because it allows attackers to continue to abuse an identity with Kerberos tickets even after the account has been reported as compromised and its password has been reset.
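Because a forged TGT is never issued by a domain controller, one way to hunt for Golden Ticket use is to look for service-ticket requests that have no matching TGT issuance or renewal. The following is an added detection sketch, not from the article or the Kaspersky report: the records are constructed and simplified from Security events 4768, 4769 and 4770, and the tuple layout and 10-hour window (the Active Directory default ticket lifetime) are assumptions.

```python
from datetime import datetime, timedelta

# Active Directory default "Maximum lifetime for user ticket"; adjust to policy.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed records: (timestamp, event id, account, client address).
# 4768 = TGT requested, 4770 = TGT renewed, 4769 = service ticket requested.
EVENTS = [
    ("2022-08-01T07:00:00", 4768, "bob", "10.0.0.30"),
    ("2022-08-01T08:00:00", 4768, "alice", "10.0.0.21"),
    ("2022-08-01T08:05:00", 4769, "alice", "10.0.0.21"),
    ("2022-08-01T09:00:00", 4769, "svc_backup", "10.0.0.77"),
    ("2022-08-01T16:00:00", 4770, "bob", "10.0.0.30"),
    ("2022-08-01T18:00:00", 4769, "bob", "10.0.0.30"),
    ("2022-08-01T19:30:00", 4769, "alice", "10.0.0.21"),
]

def tgs_without_tgt(events, window=MAX_TGT_LIFETIME):
    """Return service-ticket requests with no KDC-issued TGT inside the window."""
    last_tgt = {}   # (account, client) -> time the KDC last issued or renewed a TGT
    suspects = []
    for ts, event_id, account, client in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (account.lower(), client)
        if event_id in (4768, 4770):
            last_tgt[key] = when
        elif event_id == 4769:
            issued = last_tgt.get(key)
            # Either the KDC never issued a TGT to this pair, or the only one
            # it issued had already expired when the service ticket was requested.
            if issued is None or when - issued > window:
                suspects.append((ts, account, client))
    return suspects

if __name__ == "__main__":
    for ts, account, client in tgs_without_tgt(EVENTS):
        print(f"{ts} {account} from {client}: service ticket without valid TGT")
```

The correlation only holds when logs from every domain controller are collected; a gap in collection produces the same pattern as a forged ticket.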
Attackers managed to compromise dozens of organizations despite exploiting known vulnerabilities and using known detection evasion techniques and backdoor programs. This attack campaign is therefore likely to continue and possibly expand. Government and industry organizations need to ensure that they have the security hardening and detection capabilities necessary to prevent such intrusions. The Kaspersky ICS CERT report contains indicators of compromise associated with this latest campaign.
Copyright © 2022 IDG Communications, Inc.