{"id":223295,"date":"2022-10-18T12:59:46","date_gmt":"2022-10-18T10:59:46","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=223295"},"modified":"2022-10-18T12:59:46","modified_gmt":"2022-10-18T10:59:46","slug":"apt27-analysis","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/apt27-analysis\/","title":{"rendered":"APT27 \u2013 One Year To Exfiltrate Them All: Intrusion In-Depth Analysis"},"content":{"rendered":"

[et_pb_section fb_built= \u00bb1\u2033 _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb][et_pb_row _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb][et_pb_column type= \u00bb4_4\u2033 _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

Context<\/h2>\n

[\/et_pb_text]<\/p>\n

\n
During 2022, a company discovered that one of their equipment was communicating with a known command and control server. As a result, the company decided to contact CERT Intrinsec in order to get help to handle the security breach and manage the crisis. CERT Intrinsec gathered information about malicious activities that were discovered on victim's information system, and past incidents. Our in-depth analysis led us to conclude that an advanced persistent threat dubbed APT27 (aka LuckyMouse, EmissaryPanda) actually compromised the company's internal network by exploiting a public facing application. Our analysis showed that the threat actor managed to compromise several different domains and to gain persistence on many equipments while trying to hide in plain sight. As investigations went on, we observed tactics, techniques and procedures that had already been documented in papers, but we discovered new ones as well. CERT Intrinsec wanted to share with the community fresh and actionable threat-intelligence related to APT27. That is why this report presents a timeline of actions taken by the attackers and the tactics, techniques and procedures seen during our incident response. It provides as well a MITER ATT&CK diagram and several recommendations to follow if you came across such incident, and to prevent them.
<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

CERT Intrinsic presentation<\/h2>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

APT27 Presentation<\/h2>\n

[\/et_pb_text]<\/p>\n

\n
CERT Intrinsec is a private French incident response team dealing between 50 to 100 major incidents per year and works to help its customers to recover from cyber-attacks and strengthen their security. Since 2017, CERT Intrinsec has responded to hundreds of security breaches involving companies and public entities. The majority of those incidents are related to cybercrime and ransomware attacks with financial objectives, hence, Intrinsec follows those groups activities and generates comprehensive intelligence <\/span>`from the field`<\/span>. ANSSI (French National Security Agency) granted CERT Intrinsec PRIS<\/a> (State-Certified Security Incident Response Service Providers) certification. The latter testify that CERT Intrinsec meets specific incident response requirements, using dedicated procedures, qualified people and appropriate infrastructures. Should you need our expertise, Intrinsec provides Incident response & Crisis services, Threat Intelligence services & data, Detection services (SOC\/MDR\/XDR), supported by a large set of other services (pentests & audits, consulting, etc.). .
<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb text_orientation= \u00bbjustified \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
APT27 (aka LuckyMouse, EmissaryPanda, Iron Tiger or Mustang Panda) is a supposed nation state cyber threat actor linked to RPC government. Since at least 2010, the group has been reported targeting numerous public organizations as well as private companies. Known APT27 sectors of interest are: Defense contractors, Aerospace, Telecommunication, Energy, Manufacturing, Technology, Education and finally government's data (ambassies has been reported targeted). The group is also well known for exploiting internet facing applications to get access within the victim's networks. Known targeted application were MySQL, Microsoft SharePoint (CVE-2019-0604 RCE), Apache Zookeeper and more recently Microsoft Exchange servers. In addition, the group is also known to rely on the HyperBRO malware, a Remote Access Trojan (RAT). Capabilities description and decryption tool are available on behalf of the report.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

\n

Operation's timeline<\/span><\/h1>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb text_orientation= \u00bbjustified \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
It is important to look at the timeline of malicious activities. The first activity discovered was the exploitation of a Microsoft Exchange server using ProxyLogon vulnerabilities chain and the domains discovery performed from this server. APT27's operators then compromised several domains in a few months, dumping credentials and gathering technical data about victim's information system. Finally, they started exfiltrating data in archives using different means. Gigabytes of data were exfiltrated in 17 days. Attackers tried to hide their activities using many defense evasion techniques that we present to you in this report.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
The following timeline shows the different steps of the operation, especially regarding domains compromised and data exfiltration.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_image src="https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/11\/timeline_2.png" alt="MITER Timeline" title_text="MITER Timeline" align="center" _builder_version="4.18.0" _module_preset="default" global_colors_info="{}"][\/et_pb_image][et_pb_text _builder_version="4.20.4" _module_preset="default" hover_enabled="0" global_colors_info="{}" text_font_size="13px" sticky_enabled="0"]<\/p>\n

\n
The following diagram summarizes APT27 modus operandi during the attack. It emphasizes intrusion vector, data exfiltration as well as command and control activities.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_image src="https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/10\/attack_path_white_background.png" alt="Attack Path" title_text="attack path" align="center" _builder_version="4.18.0" _module_preset="default" global_colors_info="{}"][\/et_pb_image][et_pb_text _builder_version="4.18.0" _module_preset="default" global_colors_info="{}"]<\/p>\n

APT27 Techniques, Tactics and procedures<\/h2>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n\n\n\n\n
\u00a0Tactic ID<\/td>\nTechnical ID<\/td>\nTechnique Name<\/td>\n<\/tr>\n
Initial Access<\/td>\nT1190<\/td>\nPublic-Facing Application Exploit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb text_orientation= \u00bbjustified \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
Initial compromise is the adversaries actions performed to gain access of their target's organizations. It can be performed by sending spear-phishing email or exploiting vulnerable internet facing applications to, then, move within the network. During CERT Intrinsec investigations, we found that on March, 4th of 2021, APT27 exploited ProxyLogon vulnerabilities chain affecting Microsoft Exchange server to gain initial access of the targeted organization's network. As a reminder, ProxyLogon related Microsoft advisory was initially published by Microsoft on March, 2th of 2021. First known information related to those CVE came back from December 2020, when DEVCORE Team discovered both <\/span>CVE-2021-26855<\/a><\/span> and <\/span>CVE-2021-27065<\/a><\/span>. The exploitation of these two vulnerabilities leads to remote code execution with SYSTEM permissions, allowing attackers to drop webshells, for instance.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb text_orientation= \u00bbjustified \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
Same initial intrusion date, also involving a successful ProxyShell exploitation as entry vector has been also reported by HVS-Consulting<\/a> for one of their customer in their incident response report related to APT27<\/span>. Many other security vendors also reported active exploitation of Microsoft Exchange Server on that date. We can assume that the threat group was aware of the vulnerability before the Microsoft Advisory (or quickly developed an exploit) and managed to perform a massive exploitation campaign before companies had a chance to apply security fixes.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

Execution<\/h2>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n\n\n\n\n\n\n
Tactic ID<\/td>\nTechnical ID<\/td>\nTechnique Name<\/td>\n<\/tr>\n
Execution<\/td>\nT1059.001<\/td>\nCommand and Scripting Interpreter: PowerShell<\/td>\n<\/tr>\n
Execution<\/td>\nT1059.003<\/td>\nCommand and Scripting Interpreter: Windows Command Shell<\/td>\n<\/tr>\n
Execution<\/td>\nT1047<\/td>\nWindows Management Instrumentation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb text_font= \u00bb|||||||| \u00bb text_orientation= \u00bbjustified \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
Adversaries were wrapping their commands through calls to <\/span>cmd.exe \/Q \/c<\/span><\/span> command line. In addition, all results were stored in the <\/span>ADMIN$<\/span><\/span>\u00a0administrative share, in a file of type <\/span>__[UNIX_EPOCH_DATETIME]<\/span><\/span><\/div>\n

 <\/p>\n

This a likely the impacket's behavior and hence, Intrinsec CERT assumes that adversaries used that framework during their operation.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb text_font= \u00bbCourier Prime|||||||| \u00bb text_text_color= \u00bb#FFFFFF \u00bb background_color= \u00bb#000000\u2033 background_layout= \u00bbdark \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

\n
C:\\Windows\\System32\\<\/span>cmd.exe<\/span>(<\/span>cmd.exe<\/span> \/Q \/c powershell <\/span>Add-MpPreference<\/span> -ExclusionPath C:\\Windows\\temp 1> \\\\<\/span>127.0<\/span>.<\/span>0.1<\/span>\\ADMIN$\\<\/span>__[UNIX_EPOCH_DATETIME<\/span>]<\/span> 2>&1)<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
In order to execute remote command, threat actors also relied on valid credentials collected in previous stages used <\/span>wmic<\/span><\/span>\u00a0tool to execute commands on remote hosts.<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

\n
As example, a command where attackers executed a script located in the recycle bin of a remote computer:<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb text_font= \u00bbCourier Prime|||||||| \u00bb text_text_color= \u00bb#FFFFFF \u00bb background_color= \u00bb#000000\u2033 global_colors_info= \u00bb{} \u00bb]<\/p>\n

\n
cmd.exe<\/span> \/Q \/c wmic<\/span> \/node:[<\/span><\/span>IP<\/span>]<\/span> \/user:[<\/span><\/span>DOMAIN<\/span>]<\/span>\\[<\/span><\/span>ACCOUNT<\/span>]<\/span> \/password:[<\/span><\/span>PASSWORD] <\/span>process<\/span> call create cmd \/cd:\\<\/span>$recycle.bin<\/span>\\<\/span>2.<\/span>bat<\/span><\/div>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.18.0\u2033 _module_preset= \u00bbdefault \u00bb global_colors_info= \u00bb{} \u00bb]<\/p>\n

Persistence<\/h2>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n\n\n\n\n\n\n\n
Tactic<\/td>\nTechnical ID<\/td>\nTechnique Name<\/td>\n<\/tr>\n
Persistence<\/td>\nT1569.002<\/td>\n\n
\n
Create or Modify System Process: Windows Service <\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n
Persistence<\/td>\nT1547.001<\/td>\n\n
\n
Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n
Persistence<\/td>\nT1112<\/td>\n\n
\n
Modify Registry<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n
Persistence<\/td>\nT1078.002<\/td>\n\n
\n
Valid Accounts: Domain Accounts<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

[\/et_pb_text][et_pb_text _builder_version= \u00bb4.20.4\u2033 _module_preset= \u00bbdefault \u00bb text_orientation= \u00bbjustified \u00bb hover_enabled= \u00bb0\u2033 global_colors_info= \u00bb{} \u00bb text_font_size= \u00bb13px \u00bb sticky_enabled= \u00bb0\u2033]<\/p>\n

Typical next step after a successful initial intrusion is to ensure persistence within the target's network and be sure that attacker's will not be kicked-out easily.<\/span><\/div>\n
It is commonly achieved by deploying webshells, Remote Access Trojan or Remote Administration Tool, such as AnyDesk \/ Teamviewer.<\/span><\/div>\n

First payload found by CERT Intrinsec was the HyperBRO Remote Access Trojan. HyperBRO malware is a closed-sources application typical of APT27 threat group's activities.<\/span><\/div>\n
<\/span><\/div>\n
HyperBRO is a fully featured Remote Access Trojan (RAT) and is used by APT27 operators to (not exhaustive):<\/span><\/div>\n

 <\/p>\n