Une question ? Contactez notre standard : 01 41 91 58 61 - Un incident de sécurité ? Faites-vous assister : 01 47 28 38 39

Context

During 2022, a company discovered that one of their equipments was communicating with a known command and control server. As a result, the company decided to contact CERT Intrinsec in order to get help to handle the security breach and manage the crisis. CERT Intrinsec gathered information about malicious activities that were discovered on victim’s information system, and past incidents. Our in-depth analysis led us to conclude that an advanced persistent threat dubbed APT27 (a.k.a LuckyMouse, EmissaryPanda) actually compromised the company’s internal network by exploiting a public facing application. Our analysis showed that the threat actor managed to compromise several different domains and to gain persistence on many equipments while trying to hide in plain sight. As investigations went on, we observed tactics, techniques and procedures that had already been documented in papers, but we discovered new ones as well. CERT Intrinsec wanted to share with the community fresh and actionnable threat-intelligence related to APT27. That is why this report presents a timeline of actions taken by the attackers and the tactics, techniques and procedures seen during our incident response. It provides as well a MITRE ATT&CK diagram and several recommendations to follow if you came across such incident, and to prevent them.

CERT Intrinsec presentation

CERT Intrinsec is a private French incident response team dealing between 50 to 100 major incidents per year and works to help its customers to recover from cyber-attacks and strengthen their security. Since 2017, CERT Intrinsec has responded to hundreds of security breaches involving companies and public entities. The majority of those incidents are related to cybercriminality and ransomware attacks with financial objectives, hence, Intrinsec follows those groups activities and generates comprehensive intelligence `from the field`. ANSSI (French National Security Agency) granted CERT Intrinsec PRIS (State-Certified Security Incident Response Service Providers) certification. The latter testify that CERT Intrinsec meets specific incident response requirements, using dedicated procedures, qualified people and appropriate infrastructures. Should you need our expertises, Intrinsec provides Incident response & Crisis services, Threat Intelligence services & datas, Detection services (SOC/MDR/XDR), supported by a large set of other services (pentests & audits, consulting, …) .

APT27 Presentation

APT27 (a.k.a LuckyMouse, EmissaryPanda, Iron Tiger or Mustang Panda) is a supposed nation state cyber threat actor linked to RPC governement. Since at least 2010, the group has been reported targeting numerous public organisations as well as private companies. Known APT27 sectors of interest are: Defense contractors, Aerospace, Telecommunication, Energy, Manufacturing, Technology, Education and finally governement’s data (ambassies has been reported targeted). The group is also well known for exploiting internet facing applications to get access within the victim’s networks. Known targeted application were MySQL, Microsoft SharePoint (CVE-2019-0604 RCE), Apache Zookeeper and more recently Microsoft Exchange servers. In addition, the group is also known to rely on the HyperBRO malware, a Remote Access Trojan (RAT). Capabilities description and decryption tool are available on behalf of the report.

Operation’s timeline

It is important to look at the timeline of malicious activities. The first activity discovered was the exploitation of a Microsoft Exchange server using ProxyLogon vulnerabilities chain and the domains discovery performed from this server. APT27’s operators then compromised several domains in a few months, dumping credentials and gathering technical data about victim’s information system. Finally, they started exfiltrating data in archives using different means. Gigabytes of data were exfiltrated in 17 days. Attackers tried to hide their activities using many defense evasion techniques that we present to you in this report.
The following timeline shows the different steps of the operation, especially regarding domains compromise and data exfiltration.
MITRE Timeline
The following diagram summarizes APT27 modus operandi during the attack. It emphasizes intrusion vector, data exfiltration as well as command and control activities.
Attack Path

APT27 Techniques, Tactics and procedures

 Tactic ID Technique ID Technique Name
Initial Access T1190 Exploit Public-Facing Application
Initial compromise is the adversaries actions performed to gain access of their target’s organisations. It can be performed by sending spear-phishing email or exploiting vulnerable internet facing applications to, then, move within the network. During CERT Intrinsec investigations, we found that on March, 4th of 2021, APT27 exploited ProxyLogon vulnerabilities chain affecting Microsoft Exchange server to gain initial access of the targeted organisation’s network. As a reminder, ProxyLogon related Microsoft advisory was initially published by Microsoft on March, 2th of 2021. First known information related to those CVE came back from december 2020, when DEVCORE Team discovered both CVE-2021-26855 and CVE-2021-27065. The exploitation of these two vulnerabilities leads to remote code execution with SYSTEM permissions, allowing attackers to drop webshells, for instance.
Same initial intrusion date, also involving a successful ProxyShell exploitation as entry vector has been also reported by HVS-Consulting for one of their customer in their incident response report related to APT27. Many others security vendors also reported active exploitation of Microsoft Exchange Server on that date. We can assume that the threat group was aware of the vulnerability before the Microsoft Advisory (or quickly developped an exploit) and managed to perform a massive exploitation campaign before companies had a chance to apply security fixes.

Execution

Tactic ID Technique ID Technique Name
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell
Execution T1047 Windows Management Instrumentation
Adversaries were wrapping their commands through calls to cmd.exe /Q /c command line. In addition, all results were stored int the ADMIN$ administrative share, in a file of type __[UNIX_EPOCH_DATETIME]

 

This a likely the impacket’s behaviour and hence, Intrinsec CERT assumes that adversaries used that framework during their operation.
C:\Windows\System32\cmd.exe(cmd.exe /Q /c powershell Add-MpPreference -ExclusionPath C:\Windows\temp 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)
In order to execute remote command, threat actors also relied on valid credentials collected in previous stages used wmic tool to execute commands on remote hosts.
As exemple, a command where attackers executed a script located in the recycle bin of a remote computer:
cmd.exe /Q /c wmic /node:[IP] /user:[DOMAIN]\[ACCOUNT] /password:[PASSWORD] process call create cmd /c d:\$recycle.bin\2.bat

Persistence

Tactic Technique ID Technique Name
Persistence T1569.002
Create or Modify System Process: Windows Service
Persistence T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence T1112
Modify Registry
Persistence T1078.002
Valid Accounts: Domain Accounts
Typical next step after a successful initial intrusion is to ensure persistance within the target’s network and be sure that attacker’s will not be kick-out easily.
It is commonly achieved by deploying webshells, Remote Access Trojan or Remote Administration Tool, such as AnyDesk / Teamviewer.

First payload found by CERT Intrinsec was the HyperBRO Remote Access Trojan. HyperBRO malware is a closed-sources application typical of APT27 threat group’s activities.
HyperBRO is a fully featured Remote Access Trojan (RAT) and is used by APT27 operators to (not exaustive):

 

  • Bypass UAC
  • Execute local & remote commands
  • Steal data
  • Keylogging
  • Capture keyboard
  • Edit registry
  • Manage files, process, services

HyperBRO Malware description

HyperBro is a custom in-memory RAT backdoor used by APT27 and associated groups (Emissary Panda, Iron Tiger, LuckyMouse…)
Once the HyperBro virus has infected a host, it’s used by APT27 to execute remote commands from it’s C2 server. HyperBro also includes features for taking screenshots, stealing clipboard content, modifying Windows services, editing the registry, and manipulating files (downloading and uploading, deleting, renaming).

Deployment

First, a legitimate program (linked to CyberArk software) (vfhost.exe  / msmpeng.exe) with a DLL side-loading vulnerability is used to load vftrace.dll (Initial loader / Stage 1).
Then the loader will be able to decrypt thumb.dat (Stage 2) file, “encrypted” with a 1 byte key algorithm, decompress it and finaly extract the actual HyperBro backdoor (Stage 3) (compressed with lznt1 algorithm).
The loader will then use the process hollowing technique to inject HyperBro backdoor (Stage 3)
The HyperBro backdoor configuration is embedded into its own PE. At its first execution, the configuration is copied into the config.ini file and into the config_ registry key.
hyperbro workflow

Known Paths

%ProgramData%\windefenders\
%ProgramData%\windefenders\config.ini
%ProgramData%\windefenders\msmpeng.exe
%ProgramData%\windefenders\thumb.dat
%ProgramData%\windefenders\vftrace.dll
%ProgramFiles%\Common Files\windefenders\
%ProgramFiles%\Common Files\windefenders\config.ini
%ProgramFiles%\Common Files\windefenders\msmpeng.exe
%ProgramFiles%\Common Files\windefenders\thumb.dat
%ProgramFiles%\Common Files\windefenders\vftrace.dll


SOFTWARE\WOW6432Node\Microsoft\config_
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefenders
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windefenders

HyperBRO Extractor

CERT Intrinsec made a tool to extract HyperBro configuration from Stage 2 samples.

 

This program is based on the work done on project HyperBroExtractor by HVS-Consulting 

Description

This tool is able to decrypt Stage 2 (thumb.dat), decompress and extract the actual hyperBro PE file(Stage 3), and parse the configuration it embeds.

 

HyperExtractor will try to automatically bruteforce the 1 byte key and decrypt Stage 2, then it will decompress the LZNT1 compressed Stage 3 and extract the configuration.

 

To work with as many samples as possible, this program uses patterns scanning to find configurations.
In some cases the extraction of the configuration may fail but you can try to search for utf16 strings.

 

NB: We have recently noticed that some new samples have some of their configuration fields encrypted or obfuscated and this tool will not be able to extract all of the configutation.

Usage

-i input file (Stage2 e.g: thumb.dat)
-o output file (extracted PE)
.\hyperbro_extractor.exe -i .\samples\thumb_dat.bin -o thumb_dat_extracted_pe.bin

Output Example

 /!\ — HyperBro config extractor — /!\
 [+] ==> The decryption Key is: 0xfc
 /!\ — Successfully exported PE to : thumb_dat_extracted_pe.bin — /!\
 [-] HyperBro Configuration registry key: config
 [-] Legit loader: vfhost.exe
 [-] First stage: VFTRACE.DLL
 [-] Second stage: thumb.dat
 [-] Windows service name: vfhost
 [-] C2 address: 80.92.206[.]158
 [-] C2 Path: /api/v2/ajax
 [-] Verb: POST
 [-] Named Pipe: \\.\pipe\testpipe
 [-] Mutex: 80A85553-1E05-4323-B4F9-43A4396A4507
You can download it on our github repository: https://github.com/Intrinsec/HyperBroExtractor

Discovery & Lateral Movement

Tactic ID Technique ID Technique Name
Discovery
T1087.002
Account Discovery: Domain Account
Discovery
T1087.003
Account Discovery: Email Account
Discovery
T1087.001
Account Discovery: Local Account
Discovery
T1482
Domain Trust Discovery
Discovery
T1083
File and Service Discovery
Discovery
T1146
Network Service Discovery
Discovery
T1135
Network Share Discovery
Discovery
T1018
Remote System Discovery
Discovery
T1082
System Information Discovery
Discovery
T1057
Process Discovery
Lateral Movement
T1570
Lateral Tool Transfer
Lateral Movement
T1021.006
Remote Services: SMB Windows Admin Shares
Lateral Movement
T1021.001
Remote Services: Remote Desktop Protocol
Once access gained on the Microsoft Exchange server, adversaries managed to perform an initial reconnaissance of the network and domain caracteritics, such as hosts, account, policy enumeration.

 

This operation was performed by executing a script that lists all domains in the selected forest, related domain controllers, computer’s names and versions and finally list of domain’s users and save it into a file named owa_font_[2-letters].css in the directory C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\ :

 

Below an exemple of data saved into the owa_font_[2-letters].css file:
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. Tous droits réservés.

 

All Domains in the forest:
   Domain_NAME

 

********************************************************
*                   Domain Controller                  *
********************************************************

 

CN=[REDACTED]-DC1                   DOMAIN
CN=[REDACTED]-DC1                   DOMAIN

 

********************************************************
            Domain_NAME
********************************************************

 

Hostname                      DNSHostName                                       OperatingSystem                                                       Description

 

HOST_A                          DNS_NAME                                                Windows Server                                                          [REDACTED]
….

 

   Domain Policy: Password will Expired in 90 Days

 

********************************************************
           Domain Admins & Enterprise Admins            
********************************************************
********************************************************
                       All Users                        
********************************************************
krbtgt
   Display Name:
   Password Last Set: [REDACTED]
   Password Expired: [REDACTED]
   Active: No
   Last Logon:
   Description: Compte de service du centre de distribution de clés
   Member Of:
   CN=Groupe de réplication dont le mot de passe RODC est refusé [REDACTED]
Adversaries also managed to extract all email addresses and associated users from the Exchange server.
powershell -exec bypass -command Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-Mailbox | format-table Name,WindowsEmailAddress
In order to perform internal reconnaissance, adversaries also relied on Windows built-in commands :
ipconfig /all              
net session                  
net share                  
net use                    
net use \\[IP]\ipc$ /d /y
net use \\[IP]\ipc$
net use \\[IP] /user:[DOMAIN]\[ACCOUNT] [PASSWORD]
net user                    
net user [ACCOUNT] /domain  
net user [ACCOUNT]          
net view /all                
net view /domain
net view /domain:[DOMAIN]
net view
nltest /domain_trusts        
nslookup -type=srv _ldap._tcp  
nslookup [IP]
ping -n 1 [IP]
query query user
whoami
tasklist /svc  
In addition, they used Sysinternals tools PsLoggedon.exe to identify where specific users are logged in.

 

They also used Remote Desktop protocol, to connect to computers within the targeted organisation’s network, and admin shares to move laterally.

 

The targeted organization was managing numerous domains. APT27 operators managed to compromised them successively. a few months separated compromise of first domain and the second one. However, adversaries accelerated their operation and managed to get access to remaining domains in a few weeks interval.

Credential Access

Tactic ID Technique ID Technique Name
Credential Access T1003.001 OS Credential Dumping: LSASS Memory
Credential Access T1003.003 OS Credential Dumping: NTDS
Adversaries managed to elevate their privileges to the domain administrator level within the victim’s network and systematically compromised domain controller with HyperBro malware.

In order to stealth authentication materials on compromised hosts, adversaries relied on the mimikatz tool. However, they tried to stay stealthly and used the sysinternal’s procdump tool, renamed in error.log to bypass Windows Defender detection and dump lsass process memory :
C:\Windows\Temp\error.log -accepteula -ma lsass.exe c:\windows\temp\error.dmp
Threat actors also used SysInternal’s PsLoggedon tool to search for specific account usage. We especially seen that threat actors were interested in backups related accounts usage.
cmd.exe /Q /c PsLoggedon.exe -accepteula [VEEAM_ACCOUNT] 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1
Once access gained on domain controllers, adversaries managed to extract and exfiltrate NTDS.DIT database.
ntdsutil ac i ntds ifm create full c:\\windows\\temp\\winstore\\  quit quit
Operators then create archive, named error.rar, containing NTDS database prior to exfiltrating it.
cmd.exe /Q /c rar.exe a -r -y -[PASSWORD] -df c:\windows\temp\error.rar c:\windows\temp\winstore\ 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1

Defense Evasion

Tactic ID Technique ID Technique Name
Defense Evasion
T1574.002
Hijack Execution Flow: DLL Side Loading
Defense Evasion
T1070.004
Indicator Removal on Host: File Deletion
Defense Evasion
T1036.004
Masquerading: Masquerade Task or Service
Defense Evasion
T1036.005
Masquerading: Match Legitimate Name or Location
Defense Evasion
T1562.001
Impair Defenses: Disable of Modify Tools
Defense Evasion
T1548.002
Abuse Elevation Control Mechanism: Bypass User Account Control (UAC bypass using CMSTPLUA COM interface)
To prevent detection from Microsoft Windows Defender antivirus, APT27 operators modified system’s settings to add exclusion path to the Defender’s configuration and remove it once their operations done.

 

They achieved that operation with the following command:

 

The commands below allow attackers to add and remove the C:\windows\temp directory to Windows Defender excluded folders in order to try hiding in plain sight
C:\Windows\System32\cmd.exe(cmd.exe /Q /c powershell Get-MpPreference -ExclusionPath C:\Windows\temp 1>
\\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)
C:\Windows\System32\cmd.exe(cmd.exe /Q /c powershell Add-MpPreference -ExclusionPath C:\Windows\temp 1>
\\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)
C:\Windows\System32\cmd.exe(cmd.exe /Q /c powershell Remove-MpPreference -ExclusionPath C:\Windows\temp 1>
\\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)
In order to slow down investigations, attackers deleted their tools as well as the archives built during exfiltration phase. They use the following commands to do so.
cmd.exe /Q /c del rar.exe error.log error1.rar error.dmp 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1

Command and Control

Tactic ID Technique ID Technique Name
Command and Control T1090.001 Proxy: Internal Proxy
Command and Control T1071.001 Application Layer Protocol: Web Protocols
APT27 operators mainly used HyperBro C2 feature to send commands to infected hosts, using POST request /api/v2/ajax and user-agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36.

 

CERT Intrinsec also discovered a second application used to expose the targeted organisation’s internal network to adversaries.

 

The application is a reverse SOCKS proxy written in GoLang called Chisel. It transports TCP/UDP traffic over SSH, which is encapsulated into HTTP.

 

APT27 operators executed Chisel using wmic and rename it to veeamGues.exe to hide it in plain sight. The following command runs a server listening on port 9080 allowing clients to access the SOCKS5 proxy.
cmd.exe /Q /c wmic /node:127.0.0.1 process call create cmd /c c:\Windows\Temp\veeamGues.exe server -p 9080 –socks5 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)

Data Collection

Tactic ID Technique ID Technique Name
Collection T1560.001
Archive Collected Data: Archive via Utility
Collection T1114.001
Email Collection: Local Email collection
Collection T1074.001
Data Staged : Local Data Staging
Collection T1074.002
Data Staged: Remote Data Staging
Collection T1005
Data from Local System
Collection T1038
Data from Network Shared Drive
Once APT27 operators have stolen credentials, they started the collection process by checking size and usage of directories. To do so, they used diruse command, as illustrated below.
cmd.exe /Q /c wmic /node:127.0.0.1 process call create cmd /c D:\$RECYCLE.BIN\diruse.exe /m /* D:\data >> D:\$RECYCLE.BIN\temD.txt 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)
Operators then browsed directories in order to find personal information and data related to research and development, leveraging dir command and wmic to look for files on network shares.
cmd.exe /Q /c wmic /node:[IP_ADDRESS] /user:[DOMAIN]\[USERNAME] /password:[PASSWORD] process call create cmd /c dir [DIRECTORY] > d:\$recycle.bin\1.txt 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1
cmd.exe /Q /c dir \\[IP_ADDRESS]\Z$\[DIRECTORY] 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1
Once they found relevant data, they created password-protected archives using -t to test files after archiving, -inul to disable all messages, -hp to provide a password and -v to adjust size.
wmic /node:[IP_ADDRESS] /user:[USER_ACCOUNT] /password:[PASSWORD] process call create “cmd /c c:\temp\rar.exe a c:\temp\temp.rar c:\temp\temp.dat -r -t -inul -hp[PASSWORD] -v[SIZE]
cmd.exe /Q /c del rar.exe c:\windows\temp\rar.exe a -r -y -inul -[PASSWORD] g:\$recycle.bin\error.rar [DRIVE]:\[FOLDER]\*.ppt* 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1
rar.exe a -r -y -hp[PASSWORD] -df error1.rar error.dmp error.log
Besides, APT27 operators collected data about mailboxes on the Exchange server, using Get-Mailbox powershell command, as shown below :
cmd.exe /Q /c powershell -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-Mailbox 1> \\127.0.0.1\ADMIN$\__[UNIX_EPOCH_DATETIME] 2>&1)

Exfiltration

Tactic ID Technique ID Technique Name
Exfiltration T1071.001 Application Layer Protocol: Web Protocols
Attackers used different methods to exfiltrate data.

 

First, archives containing stolen data were moved to the Exchange server,  in the Exchange folder C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\, an easy way to exfiltrate data as this server had direct access to the Internet. These RAR archives  were renamed with a .png file extension to hide in plain sight and try to avoid detection. Attackers then deleted them. By investigating files and Exchange server, CERT Intrinsec managed to carve some archives from disk images and retrieve passwords used to create the latter. It was then possible to know which data were exfiltrated by attackers.

 

You can see below archives’ names created by the attackers prior to exfiltrating.
.\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\error1.png
.\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\error2.png
.\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\error3.png
[…]
.\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\error.part025.rar
.\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\error.part026.rar
Attackers used HyperBro command and control server as well to exfiltrate WinRAR archives.
Most of the exfiltration was carried out in 26 days and involve gigabytes of data, from 4 different domains.

APT27 Intrusion Set

The following diagram sums up APT27 techniques, tactics and procedures.
APT27 Intrusion Set

Lessons Learned

To prevent those types of attacks, CERT Intrinsec recommends monitoring network and endpoints activities. Indeed, supervising network equipments allows to track down malicious activities performed by advanced persistent threat, including command and control communications and exfiltration. Depending on your situations : XDR / MDR approaches combined with SOC and proper threat intelligence.

Ensuring a proper log retention and storage is a good way to improve detection of malicious behaviour.

Handling network, Active Directory hardening especially regarding trusts, and least privilege principle is very important to slow down attackers in the event of an intrusion.

When compromising servers, particularly domain controllers, operators are used to execute commands to collect credentials or to dump NTDS database. Very useful information sources are available on systems and need to be monitored to spot attackers’ actions. These sources are Sysmon, that allows to log various events helping detection, and Microsoft Protection Logs where many evidences were found during the investigation. CERT Intrinsec published an article about this artefact and a parser to extract useful informations from it. You can read this article here.

As explained previously, adversaries can take advantage of a vulnerable exposed server to enter the corporate’s network. That shows the importance of keeping public-facing equipments up-to-date and managing vulnerabilities (support at least by an external asset security monitoring approach to ensure a second line of defense in complexe / fast evolving environment).

External Resources