Russian APT investigation

Matthew Rich, Cyber Security AnalystMatthew Rich, Cyber Security Analyst

Security researchers at Mandiant (global cyber security specialists) have been closely following multiple clusters of suspected Russian intrusion activity that has been targeting businesses and government entities across the world.

These clusters, known as UNC3004 and UNC2652, have been associated with the group UNC2452 who have been named Nobelium by Microsoft. Nobelium being the same group behind the SolarWinds attacks.

Tactics that have been observed include:

  • Compromise of multiple technology solutions and services since 2020
  • Use of credentials likely to be obtained from info stealer malware following an infection chain leading to workstations infected with CryptoBot malware
  • Use of accounts with specific privileges used to harvest sensitive mail data
  • Utilising non-suspicious IP addresses and new infrastructures located in countries that would raise minimal suspicion to communicate with compromised victims.
  • Use of a bespoke downloader known as CEELOADER.
  • Abusing MFA (multi-factor authentication) by sending push notifications to get the user to allow thinking its normal behaviour

The post-compromise activity included theft of data relevant to Russian interests, however it has also been common for the threat actor to harvest credentials that are used to access routes to other victims’ environments.

The following sections will detail the activity that was detected during multiple incident response efforts that are currently categorised as uncategorised clusters, which are suspected by Mandiant as being linked to a common Russian threat.

Initial compromise

Compromise of CSPs (cloud service providers)

Mandiant has identified multiple instances where the threat actor has compromised a service provider to use credentials to further compromise its customers. The credentials included a local VPN account which was used to perform reconnaissance and ultimately lead to the compromise of internal domain accounts.

Access obtained by third party malware campaign

Mandiant has also identified a campaign whereby threat actors infected a system with CRYPTBOT which was downloaded due to the user visiting low reputation websites that offer freeware or cracked versions of software. In this instance the CRYPTBOT was used to gather a session token, which was then utilised to compromise their organisation’s Microsoft 365 environment.

Abuse of repeated MFA push notifications

Mandiant has also observed the abuse of MFA push notifications by triggering multiple prompts to the users’ phone to trick the user into thinking they are only able to disable the prompts by clicking accept. This method of abuse only works once the threat actor has access to the username and password of the target.

Post compromise activity via the CSP

Establish foothold

In at least one case the threat actor compromised a Microsoft Azure AD account within the tenant of a CSP. The compromised account had sufficient privileges to use the “Admin on Behalf Of” feature, which enabled the threat actor to essentially take owner level access to azure subscriptions that were created through the reseller relationship.

The threat actor executed commands with NT AUTHORITYSYSTEM privileges within Azure VMs using the Azure Run Command feature. This feature allows the user to run PowerShell Scripts within the VMs using the Azure Portal, REST API or PowerShell without any knowledge of valid windows credentials on the VM itself

Privilege escalation

Mandiant has found evidence that the threat actor has used RDP to pivot between systems that may have limited internet access and has utilised RDP to run multiple windows commands. The threat actor was also seen obtaining data relating to the Azure AD Connect service account which is used to replicate the on-premises instance of Active Directory into Azure AD.

Furthermore, the threat actor also managed to obtain the Active Directory Federation Services signing certificate and key material which allowed the threat actor to forge a SAML token used to bypass 2FA.

The threat actors used compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within the victim’s environment. These protocols were used to perform reconnaissance, distribute Cobalt Strike Beacons around the network, as well as run native Windows commands for credential harvesting.

Lateral movement between CSP and downstream clients

Mandiant has identified that the threat actor used vSphere PowerCLI and custom PowerShell scripts configured to target the vCenter Web endpoint to export the virtual disk image of a specific network device. To authenticate to vCenter the threat actor used a stolen session cookie for a Privileged Access Management account.

The threat actor compromised authorised jump hosts that circumvented the network security restrictions of the service provider, allowing the threat actor to move laterally through RDP using stolen target credentials towards the victims’ network.

The threat actors have also been seen using Azures built in Run Command feature to execute commands on devices. The intent of these commands included reconnaissance, credential theft, and deployment of Cobalt Strike Beacons to devices via PowerShell. This beacon was then used to persistently install CEELOADER as a scheduled task that ran as SYSTEM.

Data collection

Mandiant identified multiple attempts by the threat actor to dump the Active Directory Database using the built in ntdsutil.exe command. Evidence has also been gathered that suggests the threat actor used Sysinternals ProcDump to dump the process memory of the LSASS process. In addition to this the threat actor had stolen the ADFS Signing Certificate and Key Material allowing the threat actor to authenticate as any user into federated environments that used ADFS for authentication.

The threat actors also performed data theft through several PowerShell commands which uploaded archival files ending with the .7z extension to web servers.

Mandiant has also identified binaries that were configured to upload data to the MegaCloud storage provider. The tool was stored in the %TEMP%d folder and was named mt.exe and mtt.exe. This is due to a mistake made by the threat actor as the binary fails to execute if renamed and due to this it is unclear if this method was successful.

There have also been observations that the threat actor has accessed a victim’s on-premises SharePoint server looking for sensitive data used to move laterally around the network.

Threat actor infrastructure

Residential internet access

In some of the campaigns, Mandiant has identified that the threat actor was using residential IP address ranges to authenticate to the victim’s environment. This is facilitated by residential and mobile IP proxy providers who will traffic data through actual mobile devices which allows the threat actor to mask their activity behind an IP address that may look legitimate or non-suspicious.

This technique allows for mitigation of alerts that trigger based on location or known malicious IPs allowing the traffic to look like it’s come from a country and ISP that is deemed “safe”. 

Geo-located Azure infrastructure

The threat actor used a provisioned system within Microsoft Azure that was within proximity to a legitimate Azure hosted system belonging to the CSP to access their customers’ environment. This allowed the threat actor to establish geo-proximity with the victims and lead to the recorded source IP being that of a legitimate Azure IP range.

Compromised WordPress site hosting second stage payload

As documented across multiple campaigns the threat actor was hosting second stage payloads on legitimate websites running WordPress. Of this, Mandiant has observed at least two separate malware families attributed to the threat actor located on compromised WordPress sites

TOR, VPS, and VPN providers

The threat actor has been seen to use a mixture of TOR, Virtual Private Servers, and public VPNs to access victims’ environments. In one campaign the threat actor used a VPS located in the same region as the victim to perform reconnaissance.

CyberGuard recommended actions

(1) The primary defence in a lot of cases is the implementation of a SIEM (Security Information & Event Management) solution to maximise visibility in areas such as critical server assets and Azure AD infrastructure. This would allow for detection rules to be created and monitored for malicious/suspicious activity.

(2) Implementation of EDR (Endpoint Detection & Response) upon all hosts (laptops, desktops & servers) in order to act as layered defence for your environment and used to effectively block processes and packages used to compromise the host and carry out their attack.

CyberGuard will continue to monitor the situation and will release more information should any further updates be provided. For our enterprise customers, Cyberguard currently use state-of-the-art detection rules which aid in monitoring and countering these threats at each phase of the cyber kill chain.

If you have any questions, please don’t hesitate to contact us at [email protected]

Technical information

Staging directories

  • %PROGRAMFILES%Microsoft SQL Serverms
  • %WINDIR%Temp
  • %WINDIR%Tempd

Staging names

  • d.7z
  • vcredist.ps1
  • fc.r
  • out
  • d.ps1
  • d.z
  • megatools.exe
  • mt.exe
  • mtt.exe
  • ntds.dit
  • handle64.exe
  • movefile.exe
  • diagview.dll
  • diag.ps1
  • diag.bat

Recent scheduled task names

  • Microsoft Diagnostics
  • Microsoft Azure Diagnostics
  • Google Chrome Update

Recent administrative or utility tools

  • Azure Run Command
  • Sysinternals Handle
  • Sysinternals MoveFile
  • ntdsutil
  • netstat
  • net
  • tasklist
  • RAR / 7zip
  • AADInternals
  • vSphere PowerCLI
  • Sysinternals Procdump
  • Windows Task Manager

Indicators of compromise

Hashes for known activity:

diag.ps1 (MD5: 1d3e2742e922641b7063db8cafed6531)

BEACON.SMB malware connecting to .pipechrome.5687.8051.183894933787788877a1

vcredist.ps1 (MD5: 273ce653c457c9220ce53d0dfd3c60f1)

BEACON malware connecting via HTTPS to nordicmademedia[.]com

logo.png (MD5: 3304036ac3bbf6cb2205e30226c89a1a)

Hosted on http://23.106.123[.]15/logo.png
BEACON malware connected via HTTPS to stonecrestnews.com

LocalData.dll (MD5: 3633203d9a93fecfa9d4d9c06fc7fe36)

CEELOADER malware that obtains a payload from http://theandersonco[.]com/wp_info.php

Unknown (MD5: e5aacf3103af27f9aaafa0a74b296d50)

BEACON malware connecting via HTTPS to nordicmademedia[.]com

DiagView.dll (MD5: f3962456f7fc8d10644bf051ddb7c7ef)

CEELOADER malware that obtains a payload from http://tomasubiera[.]com/wp_getcontent.php

IP addresses used for authenticating through public VPN providers

  • 20.52.144[.]179
  • 20.52.156[.]76
  • 20.52.47[.]99
  • 51.140.220[.]157
  • 51.104.51[.]92
  • 146.105.10[.]215
  • 176.67.86[.]130
  • 176.67.86[.]52

IP Addresses used for authenticating from the mobile proxy providers:

  • 216.155.158[.]133
  • 63.75.244[.]119
  • 63.162.179[.]166
  • 63.162.179[.]94
  • 63.75.245[.]144
  • 63.75.245[.]239
  • 63.75.247[.]114

IP addresses used for command and control:

  • 91.234.254[.]144
  • 23.106.123[.]15

URL addresses used for command and control:

  • nordicmademedia[.]com
  • stonecrestnews[.]com

URL addresses of compromised WordPress sites hosting CEELOADER payloads:

Note: Mandiant believes the actor hosted a malicious payload on the following domains.

  • tomasubiera[.]com
  • theandersonco[.]com

If you have any questions, please don’t hesitate to contact us at [email protected].