
Russian Energy And Aviation Businesses Are Being Targeted By New APT Group.

Positive Technologies Expert Security Center (PT ESC) researchers have discovered a new APT group, dubbed “ChamelGang”, that has targeted Russia’s fuel, energy and aviation industries by exploiting known vulnerabilities such as ProxyShell in Microsoft Exchange Server and deploying both new and existing malware to attack networks.

Experts also identified that the threat actors are targeting organisations in nine other countries, including the United States, India, Nepal, Taiwan, Turkey, Vietnam, Afghanistan, Lithuania and Japan, with a major focus on government servers in India, Afghanistan, Lithuania and Nepal.

ChamelGang got its name from the word “chameleon”, which describes how the group hid its malware and network infrastructure behind look-alike domains impersonating Microsoft, TrendMicro, McAfee, IBM and Google services.
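As an added defensive example (not from the PT ESC report), the following Python script flags DNS queries whose registrable domain embeds or is a near-typo of one of the impersonated brand names. The log lines are constructed; the brand list comes from the report (plus Kaspersky, which appears in its indicator list), and the set of legitimately owned domains is an assumption.

```python
import re

# Brands the report says ChamelGang impersonated (assumed legitimate domains).
BRANDS = ["microsoft", "trendmicro", "mcafee", "ibm", "google", "kaspersky"]
LEGIT = {"microsoft.com", "trendmicro.com", "mcafee.com", "ibm.com",
         "google.com", "kaspersky.com"}
TWO_LABEL_SUFFIXES = {"us.com", "co.uk", "com.cn"}  # minimal public-suffix handling

def registrable_domain(host: str) -> str:
    """cn.mcafee-service.us.com -> mcafee-service.us.com (URL scheme/path stripped)."""
    host = re.sub(r"^https?://", "", host.lower()).split("/")[0].rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host: str):
    """Return the impersonated brand for a look-alike host, or None if clean."""
    rd = registrable_domain(host)
    if rd in LEGIT:
        return None                      # genuinely owned by the brand
    sld = rd.split(".")[0]               # e.g. "mcafee-service", "kaspernsky"
    for brand in BRANDS:
        if brand in sld:                 # brand embedded in a domain it does not own
            return brand                 # (short brands like "ibm" may false-positive)
        if len(brand) >= 6 and levenshtein(sld, brand) <= (2 if len(brand) >= 8 else 1):
            return brand                 # typosquat: kaspernsky, microsofed
    return None

# Constructed DNS query log: "<timestamp> <source> query <type> <qname>"
SAMPLE_DNS_LOG = """\
2021-03-12T08:14:02Z host1 query A update.kaspernsky.com
2021-03-12T08:14:05Z host1 query A www.microsoft.com
2021-03-12T08:15:11Z host2 query A cn.mcafee-service.us.com
2021-03-12T08:16:40Z host2 query A api.microsofed.com
2021-03-12T08:17:03Z host3 query A upgrade.newtrendmicro.com
2021-03-12T08:17:09Z host3 query A collector.centralgoogle.com
2021-03-12T08:18:00Z host4 query A update.softupdate-online.top
"""

def scan_dns_log(text: str):
    """Return (source, qname, brand) for every query to a brand look-alike."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and (brand := lookalike_brand(parts[4])):
            hits.append((parts[1], parts[4], brand))
    return hits
```

Brand-agnostic infrastructure such as softupdate-online.top is deliberately not flagged by this heuristic; it needs a reputation or newly-registered-domain check instead.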

Denis Kuvshinov, Head of Threat Analysis at Positive Technologies, reported that “in Russia, the fuel and energy complex and the aviation industry are among the three most regularly attacked. The majority of such attacks result in financial harm: in 84 percent of all incidents last year, the attacks were designed to steal data, causing significant financial and reputational harm.”

[Figure: Main logic of the malware (Source: PTsecurity)]

In addition, many industrial organisations are unable to detect a targeted cyberattack on their own because they believe their defences are strong and that such intrusions are unlikely. In practice, though, attackers can and do breach an industrial enterprise’s corporate network.

Positive Technologies experts analysed two attacks conducted by the APT group, in March and August respectively. The March attack was identified after antivirus software installed on the systems of a Russian energy company repeatedly reported the presence of the Cobalt Strike Beacon in RAM.

In the first case, ChamelGang was able to achieve its goal and exfiltrate data from the compromised network using this strategy. The attackers also left a passive backdoor, DoorMe, in the form of an IIS server module.

Researchers reported that “We believe the supply chain strategy will continue to be popular. New APT organisations will arise on stage using this strategy to achieve their objectives.”

Indicators Of Compromise


File indicators


Network indicators


Source: PTsecurity
