By Warren Mercer, Paul Rascagneres and Vitor Ventura.
Summary Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims' infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.
We found a great variety of malicious files on this server, ranging from ransomware like the DoppelPaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2)
The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.
Targets' profiles While performing our analysis, we identified at least two targets based on screenshots and memory dumps.
Target No. 1: Based on screenshot The first target we identified is an aluminium and stainless steel gratings company located in the U.S. This identification was made based on the screenshot from the HPE Data Protector management interface. The screenshot shows the domain name (which we have redacted), thus leading us to the company's name. This screenshot demonstrates that the level of access the attackers had on the victims' infrastructure.
Screenshot from HPE Data protector manager.
This screenshot contains some important information for the adversary. On one side, it shows which servers are being backed up on another shows which ones are important to the victim.
This, in conjunction with the ransomware located on the server, indicates the intent of deploying ransomware on the infrastructure, showing a manual and targeted approach more advanced than the simple execution of malware.
Target No. 2: Based on the LSASS dump
We identified a second target due to a process dump we found on the server. The dumped process is responsible for managing credentials on Windows (lsass.exe). Using a tool like Mimikatz, it's possible to retrieve credentials from the process dump.
The content of the dump showed us the hostname and Windows domain of the system and the "support" username. To perform the process dump, the attacker had high privileges on the system. This would help him to perform lateral movement. Which suggest a manual and targeted approach to this target.
The dump was uploaded on the server on Sept. 24, the same date as the login time stored in the memory dump.
The majority of the Windows binaries available on the server are DoppelPaymer samples. This malware is a ransomware, an evolution of Bitpaymer documented by Crowdstrike. We identified seven different binaries. The oldest one was uploaded on Oct. 5, with the most recent originating from Oct. 20. As previously documented, the ransomware needs to be executed with a key in argument. We identified how the key was put in argument by this actor. A WinRAR self-extracting archive (SFX) is used to extract the ransomware and execute the following command:
In our example, the key is 'QWD5MRg95gUEfGVSvUGBY84h'. The hard-coded path proves the attackers either had prior knowledge of the target's infrastructure prepared the package in the target infrastructure.
This variant uses alternate data streams to partially hide its data.
The remaining behavior and ransom note are consistent with the previous documented variant.
On the same server we also found a TinyPOS sample. This malware is installed using a batch file.
The batch file creates a scheduled task that will be executed every 6 hours and is executed has Local System.
The script deploys a scheduled task:
The PowerShell contains the TinyPOS code, which is defined as an array of bytes written with hexadecimal values. The PowerShell script creates an execution threat using the TinyPOS previously copied into memory.
TinyPOS is a point-of-sale malware which is directly developed in assembly. This sample exfiltrates data to the C2 hardcoded in the sample: jduuyerm[.]website.
The data going out is obfuscated using XOR operations with a hardcoded key of 0xcaef3d8a. The malware exfiltrates the hostname and the local IP of the infected system. It searches and parses targeted processes memory to retrieve credit card information, which is usually stored in tracks 1 and 2 of the magnetic strip of the credit card.
The adversaries uploaded tinyPOS on Sept. 26.
This sample is a simple loader. The loader code is packed and obfuscated using XOR operations. The sample will load an offset of itself and perform XOR operations until the beginning of such offset matches the pattern 0x90909090.
Once the pattern is found, the decoding starts using the number of iterations needed to find the pattern as the XOR key.
The packed code imports several functions among them are the winsock32 module functions, connect(), send() and recv(). Using these functions it contacts the hardcoded C2 sending message that starts with the byte 0x0C.
Afterward, the loader will read 1,024 bytes from the server, until all data is read. The data received has a header of 12 bytes. The message is obfuscated using a XOR operation, the key for this XOR is at the 0x4 offset of the message. Before the sample calls the received code it will check if the last byte of the obfuscated code is 0xC3. This represents the opcode RET, which allows the loader to get the execution control back from the payload it receives from the C2.
We identified additional binaries on the server. The tools are used by the attacker to perform tasks on the compromised infrastructure. We identified:
- Mimikatz: A tool to retrieve Windows credentials from the memory
- PsExec: A tool to remotely connect on Windows system. The attacker probably used it to pivot inside the infrastructure by using the credential previously retrieved.
- Procdump: A tool to dump process. The attacker probably used it to dump the LSASS.exe process to then use with Mimikatz.
Potential infection vectors
Fake tech support
The TinyPOS C2 server is jduuyerm[.]website and the IP 185.254.188[.]11.
The IP resolved the following domains:
- techsupport[.]org[.]ru from March 21, 2019 to Oct. 7, 2019
- www.techsupport[.]org[.]ru from May 19, 2019 to Oct. 1, 2019
- techsupportlap[.]icu from March 13, 2019 to April 2, 2019
- techsupportnet[.]icu from March 12, 2019 to April 1, 2019
Two domains were available during the campaigns described in the article. The attacker likely was planning to carry out fake tech support scam to attempt to compromise infrastructure. This would likely be carried out by asking employees to execute specific commands or attempting to download the malware provided by the attacker.
From the April 16, 2019 through Aug.18, 2019, the IP resolved to aefawexxr54xrtrt[.]softether[.]net. SoftEther is a powerful VPN platform that offers many features, such as a dynamic DNS service that could allow an adversary to evade detection based on ip addresses. SoftEther also prides itself on being able to "punch" through most firewalls due to only using HTTPS-based traffic. We haven't found any software that would allow the screenshots found. In theory, if the actors can open a VPN back to their own server, they could then RDP into the systems, bypassing all firewalls in between. Softether seems to be the perfect solution for this.
SoftEther says it is a VPN that "has strong resistance against firewalls than ever [SIC].Built-in NAT-traversal penetrates your network admin's troublesome firewall for overprotection. You can setup your own VPN server behind the firewall or NAT in your company, and you can reach to that VPN server in the corporate private network from your home or mobile place, without any modification of firewall settings. Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage [SIC]."
This server pulls back the curtain on an active threat actor targeting and compromising different companies. The attacker is not only limited to ransomware, even if it covers the vast majority of files available on the server. The adversary can steal credit card information via a point-of-sale malware and remotely managed compromised infrastructure. Based on the victims in this case, we can conclude that this attacker wants to target medium-sized companies in the industrial space. During this investigation, Talos notified potential victims to ensure they could remediate and ensure they were not under a current attack. This is a good example of how an attacker can be diverse during their use of infrastructure and their use of different tools, techniques and procedures (TTPs).
Ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.