Cybersecurity researchers from ESET have identified a new APT group targeting various countries Ministry of Foreign Affairs and Telecommunication companies since atleast 2017.
Researcher stated “For initial infection vectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment. “
“Once on a system, its operators make use of open-source tools for scanning the environment and lateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived from the Quarian backdoor; and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed. ” Stated in the ESET’s Statement.
While the APT targets servers with internet-exposed ports, it also tries to exploit unpatched vulnerabilities or poorly configured file upload functionality.
On the first instance, researchers observed the APT groups exploit F5 BIG-IP vulnerability(CVE-2020-5902) to drop the Linux backdoor. on another instance, Microsoft Exchange server where also exploited via the PowerShell dropper which installed China Chopper(Web shell).
On the Third instance, researchers also observed a Plesk server which was poorly configured on file upload feature was used to execute another Webshell similar to China Chopper.
Indicator’s of Compromise:
| SHA-1 | Filename | ESET Detection Name | Description |
|---|---|---|---|
| 3C0DB3A5194E1568E8E2164149F30763B7F3043D | logout.aspx | ASP/Webshell.H | BackdoorDiplomacy webshell – variant N2 |
| 32EF3F67E06C43C18E34FB56E6E62A6534D1D694 | current.aspx | ASP/Webshell.O | BackdoorDiplomacy webshell – variant S1 |
| 8C4D2ED23958919FE10334CCFBE8D78CD0D991A8 | errorEE.aspx | ASP/Webshell.J | BackdoorDiplomacy webshell – variant N1 |
| C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604 | App_Web_xcg2dubs.dll | MSIL/Webshell.C | BackdoorDiplomacy webshell – variant N3 |
| CDD583BB6333644472733617B6DCEE2681238A11 | N/A | Linux/Agent.KD | Linux Turian backdoor |
| FA6C20F00F3C57643F312E84CC7E46A0C7BABE75 | N/A | Linux/Agent.KD | Linux Turian backdoor |
| 5F87FBFE30CA5D6347F4462D02685B6E1E90E464 | ScnCfg.exe | Win32/Agent.TGO | Windows Turian backdoor |
| B6936BD6F36A48DD1460EEB4AB8473C7626142AC | VMSvc.exe | Win32/Agent.QKK | Windows Turian backdoor |
| B16393DFFB130304AD627E6872403C67DD4C0AF3 | svchost.exe | Win32/Agent.TZI | Windows Turian backdoor |
| 9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF | nvsvc.exe | Win32/Agent.UJH | Windows Turian backdoor |
| 564F1C32F2A2501C3C7B51A13A08969CDC3B0390 | AppleVersions.dll | Win64/Agent.HA | Windows Turian backdoor |
| 6E1BB476EE964FFF26A86E4966D7B82E7BACBF47 | MozillaUpdate.exe | Win32/Agent.UJH | Windows Turian backdoor |
| FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7 | nvsvc.exe | Win32/Agent.QAY | Windows Turian backdoor |
| 2183AE45ADEF97500A26DBBF69D910B82BFE721A | nvsvcv.exe | Win32/Agent.UFX | Windows Turian backdoor |
| 849B970652678748CEBF3C4D90F435AE1680601F | efsw.exe | Win32/Agent.UFX | Windows Turian backdoor |
| C176F36A7FC273C9C98EA74A34B8BAB0F490E19E | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor |
| 626EFB29B0C58461D831858825765C05E1098786 | iexplore32.exe | Win32/Agent.UFX | Windows Turian backdoor |
| 40E73BF21E31EE99B910809B3B4715AF017DB061 | explorer32.exe | Win32/Agent.QAY | Windows Turian backdoor |
| 255F54DE241A3D12DEBAD2DF47BAC5601895E458 | Duser.dll | Win32/Agent.URH | Windows Turian backdoor |
| A99CF07FBA62A63A44C6D5EF6B780411CF1B1073 | Duser.dll | Win64/Agent.HA | Windows Turian backdoor |
| 934B3934FDB4CD55DC4EA1577F9A394E9D74D660 | Duser.dll | Win32/Agent.TQI | Windows Turian backdoor |
| EF4DF176916CE5882F88059011072755E1ECC482 | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor |
Network
C&Cs
| AS | Hoster | IP address | Domain |
|---|---|---|---|
| AS20473 | AS-CHOOPA | 199.247.9[.]67 | bill.microsoftbuys[.]com |
| AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | dnsupdate.dns2[.]us |
| 43.251.105[.]222 | |||
| AS40065 | Cnservers LLC | 162.209.167[.]154 | |
| AS132839 | POWER LINE DATACENTER | 43.225.126[.]179 | http://www.intelupdate.dns1[.]us |
| AS46573 | LAYER-HOST | 23.247.47[.]252 | http://www.intelupdate.dns1[.]us |
| AS132839 | POWER LINE DATACENTER | 43.251.105[.]222 | winupdate.ns02[.]us |
| AS40065 | Cnservers LLC | 162.209.167[.]189 | |
| AS25820 | IT7NET | 23.83.224[.]178 | winupdate.ns02[.]us |
| 23.106.140[.]207 | |||
| AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | |
| AS20473 | AS-CHOOPA | 45.76.120[.]84 | icta.worldmessg[.]com |
| AS20473 | AS-CHOOPA | 78.141.243[.]45 | |
| 78.141.196[.]159 | Infoafrica[.]top | ||
| 45.77.215[.]53 | szsz.pmdskm[.]top | ||
| 207.148.8[.]82 | pmdskm[.]top | ||
| AS132839 | POWER LINE DATACENTER | 43.251.105[.]139 | http://www.freedns02.dns2[.]us |
| 43.251.105[.]139 | web.vpnkerio[.]com | ||
| AS20473 | AS-CHOOPA | 45.77.215[.]53 | |
| AS135377 | UCloud (HK) Holdings Group Limited | 152.32.180[.]34 | |
| AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | officeupdates.cleansite[.]us |
| AS25820 | IT7NET | 23.106.140[.]207 | dynsystem.imbbs[.]in |
| officeupdate.ns01[.]us | |||
| systeminfo.oicp[.]net | |||
| AS40676 | Psychz Networks | 23.228.203[.]130 | systeminfo.myftp[.]name |
| systeminfo.cleansite[.]info | |||
| updateip.onmypc[.]net | |||
| buffetfactory.oicp[.]io |
DDNS providers
| Provider | Domain |
|---|---|
| expdns[.]net | update.officenews365[.]com |
| ezdnscenter[.]com | bill.microsoftbuys[.]com |
| changeip[.]org | dnsupdate.dns2[.]us |
| dnsupdate.dns1[.]us | |
| http://www.intelupdate.dns1[.]us | |
| winupdate.ns02[.]us | |
| http://www.freedns02.dns2[.]us | |
| officeupdates.cleansite[.]us | |
| officeupdate.ns01[.]us | |
| systeminfo.cleansite[.]info | |
| updateip.onmypc[.]net | |
| hichina[.]com | Infoafrica[.]top |
| domaincontrol[.]com | web.vpnkerio[.]com |
| exhera[.]com | dynsystem.imbbs[.]in |
| systeminfo.oicp[.]net |
-–For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1