Positive Technologies Expert Security Center (PT ESC) researchers have discovered a new APT group dubbed “ChameGang” that has targeted Russia’s fuel ,energy and the aviation industry by exploiting known vulnerabilities such as Microsoft Exchange Server’s ProxyShell and deploying both new and existing malware to attack networks.
Experts also identified that the threat actors are targeting organisations in nine other countries such as the United States, India, Nepal, Taiwan,Turkey,Vietnam,Afghanistan,Lithuania, Japan with major focus on Targeting Government Servers in India, Afghanistan,Lithuania and Nepal.
ChamelGang got its name from the word “chameleon,” which was used to describe how the organisation hid its malware and network infrastructure behind Microsoft, TrendMicro, McAfee, IBM, and Google services.
Denis Kuvshinov ,Head of Threat Analysis at Positive Techologies reported that “Targeting the fuel and energy complex and the aviation industry in Russia this is one of the three most regularly attacked. The majority of such attacks result in financial in 84 percent of all incidents last year, the attacks were designed to steal data causing significant financial and reputational harm.
In addition, many industrial organisations are unable to detect a targeted cyberattack on their own because they feel their defences are strong and that such disruptions are unlikely. In actuality, though, attackers can breach an industrial enterprise’s corporate network.
Positive Technologies experts analysed that two attacks were conducted by APT in march and august respectively. Experts discovered the March attack after discovering that antivirus software installed on the systems of a Russian energy company repeatedly reported the presence of the Cobalt Strike Beacon in RAM.
The ChamelGang organisation was able to achieve its goal and take data from the infiltrated network using this strategy in the first example.The attackers also left a passive backdoor DoorMe in the form of an IIS server module.”
Researchers reported that “We believe the supply chain strategy will continue to be popular. New APT organisations will arise on stage using this strategy to achieve their objectives.”
Indicators Of Compromise
File indicators
| File | SHA-256 | MD5 | SHA-1 |
| – | 6793e9299cab4cd07d4ddf35e03b32a05b0e965b3691d258ec2568402cf8d28f | 206e15f750f7fee32b110f5c79cf068b | 2e0d998775653135966ea7e3bdf1b7e90b5c6b0b |
| – | e8ee5b0d6b683407aa9cb091bf92273af0e287d4e7daa94ca93cd230e94df37a | 4e49adfed966f5d54cd1b89e1acb18ef | 683a38d352b4f5689b5395c955ba5f2cc77a2209 |
| – | d4e3747658e1a9e6587da411dc944597af95dd49b07126b8b090c7677ee30674 | 5d09c85b349d457471b18b598bb63e5d | ab6a56ba3eb8f33e7373ffa3404c79f502873f98 |
| .vim | 16b54dc11dbe2948467a10d68728811b03c12b12f7b29e53d0985fa07e29f9b7 | cab9ecc235a0fe544e01dd6b30463f11 | f65731c9a218d8a40c1804eaf22fdacd1dc83622 |
| avp.exe | ba867705eb986d1975abcf2f2b90ee2c7fdd09255076823cdd85c0feeea15a1b | 371a13ca89bf3b01346a8f7631a9be75 | 01536e40e3c5c1d5d742dd5f58b9b468ad788aa3 |
| curlt.exe | f1afce3be297fa6185903274b3b44cd263b4c1ea89e8282334bc5771c53af1c5 | 8550e586e7ae73863de0c5a6c11c5dc1 | ce22e857eb05aae7fe0df52a9e0fb89fe9ef869a |
| dlang.dat | 8e0e5ec7ed16e5fb1e8980a3ec6e3c5982fd8fa4cfc31428a6638950bbe5607a | 1a7f1012ea071e1b9955e502fab3023c | e4a097b79a5a1f2a74af7599a6fb305c78d98f39 |
| dlang.dat | b9a231496682cd6bed978fb1b2b15986211e5c38a13cbb246de3dcf1d8db41f4 | 6a3c69384237078b6ab03ab7c38970ca | 0bf324fa87bab837e1c91d8022ad82dc33291a8e |
| dlang.dat | d831a87c6abd1bbb5a9ac9e1aac06a3d9b81b6e474bdc0c78e1908e26a6166b3 | 90cc1835823d5f86cd1947b03e6111a9 | 49e6775288bea7fdaff4b16bfd0f1608b0eb149e |
| iis64.dll, iisfcgix64.dll, modrpflt.dll, httpsrfm64.dll | 538d423e3a8a884aac2d80b248d194388d3520cc508990da14c0a1384e7eddbd | 23f06ae1f9c78d2dc8f8d8b3cb3c5978 | e21802dbd68416a324b84f62b56bb8af0bfa7035 |
| modrpflt.dll | 73e9f7b9d22159f485b1c733981261ddc26fe7fcd104babfcc60369b354ccbe7 | 905aa9b9055592b585edb89eda236984 | 66ea9d5ef286c21dd96289c3943dcb376c3fc271 |
| modrpflt.dll | 27b64e64b6787ad0682eac8aa42f9cd423518a92c4f6ce98596339363eeeebcc | 41cfb3db9837377e7f3a4a18d5b444e1 | c7b1b348b8671b9440219843fc868f49beb7edef |
| MpCmdRun.log.1 | be147fe9110e32b4c4558900f63888756941bf0d0519dc25c075509457748c25 | 8dee79145aac1e5ffcd801ef07390fde | 8b2e5dcb9df689190f4e4662ad34badf5ad68a30 |
| nfsd | 21d41a206cd12784473bec587a0b014b7cfd29c8da958531c773547402a16908 | ea7d091e2d565f452b4735bc9ee966e6 | d13e1462977dd8437797029bedcf6154c91abc43 |
| o.r | 9dd08351c1094e29f279e66731bea55f546e534fdff8688b16b44b86f67df6cb | 4cb26fd5ca9bc238803e0971914039e2 | 26142e92c5a5a80d7a92d4372e46fc5bd8a1f8b9 |
| oci.dll | 60758fd51c29c09b989be480107f36e7c5552e99a283588ad31c0f87a9353f69 | cf0cc54e91b59ccafdc36a8f4b04f9c6 | e2050319a08e9bd51eedc45e5660ac289b2052d9 |
| oci.dll | 8f349ea483b4986b90384bcdde30666669303ede91f9261f40213bac9e44f286 | cd4750c84f1a89f0db6c3d68a6530ad6 | 45e86bcd4cd48a55b8cbecd9b07dd1d61ea1d777 |
| oci.dll | 9f0fc02c4cc5d77f28f3828a361afc93459c888acb1a186e874a60ead3c68ba6 | 6164f85c6273ea1bf7e2f051ceaacf31 | 8d9445f4d0057118a48f3c2503b4117194a4a255 |
| oci.dll | 3b3d097873899e1a1d99c2ba5aedfc68b67f30acfeefc74e30eb02647729602f | 57eb643949a9a0fcd20dfe59af02c8d2 | f8773ec1ec5bb3a241364ea5ac04b2b69fcdf2c5 |
| ocilib.dll | e18546ad747fa063285f24264f9dc3d452c9eb94dc7f1e87b5a8b0677bbf78d7 | 9c519480c8dd187222e32711a59c4d3c | 3dccb69365d07ec77cdf510186034d66c140eb35 |
| old.awk | 21d41a206cd12784473bec587a0b014b7cfd29c8da958531c773547402a16908 | ea7d091e2d565f452b4735bc9ee966e6 | d13e1462977dd8437797029bedcf6154c91abc43 |
| p.exe, proxyT.exe | f1afce3be297fa6185903274b3b44cd263b4c1ea89e8282334bc5771c53af1c5 | 8550e586e7ae73863de0c5a6c11c5dc1 | ce22e857eb05aae7fe0df52a9e0fb89fe9ef869a |
| protsdown.dll | be34984240e19e64eebcf7f31be9d1dee3defdefb7c9c5de77693527cfb89333 | 02da966d81c83867dbba69fba2954366 | d50d21a249dbcb76c7cd0fdd18abaa9562f4b1d2 |
| RunCheckConfig.class | c6b0ea8e61dffe61737911cceafdf281c9e656e87365e9119184e4f42bd42c11 | d3888adb6b71cb60e18c37ea16dbd502 | fc40752cbafebd2a381f8e3b6a7d0396a7c49c17 |
| siiHost.exe | 5c61d82b42c91c387d5ea6e245056b7a8aa213fcafe08c3a72e1866554931290 | c18d3128042528e4a1ea9e34a9300bad | 18ac5d1bc6beb80e5c00cdc414dc2106661c1763 |
| siihost.exe | eb4a359c73c31e262e17a6bc2ccefa20429c3f5e2f6e9c521b9ad0ff96fd6ce0 | 8b8dc2f6fcb503092d57ec1857ddbddc | 2d5ebf4d8b7aff9f3c074aa0909cc3625ebade7a |
| ssconf | e3af2ef75033f3ececfd102ca116476397bac6244a8baafb1adebbe8d79c292e | e4f785396fc10f0c200e0743cf75666c | be7f2ab2e4893b242b612b3b3ee3aaf1d3aa2eda |
| sshost.exe | ba867705eb986d1975abcf2f2b90ee2c7fdd09255076823cdd85c0feeea15a1b | 371a13ca89bf3b01346a8f7631a9be75 | 01536e40e3c5c1d5d742dd5f58b9b468ad788aa3 |
| tcs.jsp | dbf16553507202fbd1aed5057df92d11b88563585ae9bcc517f584826fe4819d | d19e9d9c648faeb92fd69b5bbf2e0c6e | a130b48ecc23009b8ea5146ef43f8fa2e5e5a479 |
| tunnel.jsp | 8491a786a3a00549f35302160c70e6b8cca6e9792be82e0092e7444850ebdfe9 | 6dace1bf8d7d3b8b1d21a5a32217406d | 8da1597cb34547dc23387e6b6f49fda2179317c5 |
| wl | 23403a06e470420b8f02d3c352f08446146920412d02444771b42c561d69ba83 | 81ab2303c56b563c106ec0f454b5da83 | 11baf308948fcd058a7b1b9a2dfb6a18f9dba635 |
| wl.dll | 132688d482129c3935577e73de15f4cc5f382bd511c249d19adbb78b9f1d16c3 | 42f1215a4d6261c2d5ee28eecb60bc1c | 0f452c0ce26b848a6340665416cc25690828969b |
| wlbsctrl.dll | 373974f2e7933ec8b6eb7afbc98d2d4e0cfc348321864aaf1bbaf66d4d9ef83b | 5fb9ea9b063548193bbebc3f8f2b193c | c2d30cf0a337b945122673e3d75c94ffac14fefe |
| wlbsctrl.dll |
Network indicators
| softupdate-online.top |
| internet.softupdate-online.top |
| update.softupdate-online.top |
| download.softupdate-online.top |
| online.softupdate-online.top |
| downloads.softupdate-online.top |
| mcafee-service.us.com |
| cn.mcafee-service.us.com |
| en.mcafee-service.us.com |
| http://www.mcafee-service.us.com |
| mcafee-upgrade.com |
| tw.mcafee-upgrade.com |
| http://www.mcafee-upgrade.com |
| ssl.mcafee-upgrade.com |
| test.mcafee-upgrade.com |
| us.mcafee-upgrade.com |
| microsoft-support.net |
| http://www.microsoft-support.net |
| os.microsoft-support.net |
| docs.microsoft-support.net |
| tstartel.org |
| app.tstartel.org |
| mail.tstartel.org |
| http://www.tstartel.org |
| webmail.tstartel.org |
| newtrendmicro.com |
| auth.newtrendmicro.com |
| upgrade.newtrendmicro.com |
| contents.newtrendmicro.com |
| content.newtrendmicro.com |
| http://www.newtrendmicro.com |
| market.newtrendmicro.com |
| centralgoogle.com |
| app.centralgoogle.com |
| derbox.centralgoogle.com |
| content.centralgoogle.com |
| collector.centralgoogle.com |
| ibmlotus.net |
| appupdate.ibmlotus.net |
| http://www.ibmlotus.net |
| mail.ibmlotus.net |
| helpdisk.ibmlotus.net |
| upgrade.ibmlotus.net |
| search.ibmlotus.net |
| microsofed.com |
| api.microsofed.com |
| cdn-chrome.com |
| login.cdn-chrome.com |
| funding-exchange.org |
| snn1.mhysl.org |
| snn2.mhysl.org |
| snn3.mhysl.org |
| static.mhysl.org |
| kaspernsky.com |
| update.kaspernsky.com |
| 103.151.228.119 |
| 103.80.134.159 |
| 115.144.122.8 |
| 172.104.109.12 |
| 42.99.116.14 |
| 45.91.24.73 |
| 91.204.227.130 |
Source: PTsecurity
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin