
Experts Discover A Backdoor On A US Federal Agency’s Network

Czech security firm Avast said in a report published last week, “This attack could have provided total visibility of the network and complete control of a system, and thus could have been used as the first step in a multi-stage attack to penetrate this or other networks more deeply.”

A federal government commission associated with international rights in the United States was reportedly targeted by a backdoor that compromised its internal network in what the researchers called a “classic APT-type operation.”

The federal entity’s name was not revealed, but reports from Ars Technica and The Record linked it to the United States Commission on International Religious Freedom (USCIRF). Avast said it was making its findings public after failing to notify the agency directly and through other channels established by the US government.

The first file creates a fake oci.dll and uses WinDivert, a legitimate packet capturing utility, to listen in on all internet traffic. It gives the attacker the ability to download and execute any malicious code on the infected system. The main purpose of this downloader may be to bypass firewalls and network monitoring by using privileged local rights.

The second file, which is also installed as a fake oci.dll and replaces the first at a later stage of the attack, is a decryptor very similar to the one described by Trend Labs from Operation Red Signature. The following text analyses both of these files, describes the internet protocol used, and shows the execution of any code on an infected machine.

Exported functions of NTLib are:

  • NTAccept
  • NTAcceptPWD
  • NTSend
  • NTReceive
  • NTIsClosed
  • NTClose
  • NTGetSrcAddr
  • NTGetDscAddr
  • NTGetPwdPacket

The exported functions’ names are self-explanatory. The only interesting function is NTAcceptPWD, which takes an activation secret as an argument and sniffs all incoming TCP communication for communication containing that activation secret.

This means that the malware does not open any ports on its own; instead, it communicates through ports opened by the system or other applications. Because the malicious communication is not reinjected into the Windows network stack, the application listening on that port does not receive it and is unaware that some traffic to its port is being intercepted.

The attack was carried out in two stages, with each stage deploying two malicious binaries that allowed the unidentified adversary to intercept internet traffic and execute code of their choosing, allowing the operators to take complete control of the infected systems. The malware accomplishes this by abusing WinDivert, a legitimate Windows packet capturing utility.
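The two host-level artefacts the write-up describes, a fake oci.dll and a WinDivert packet-capture driver, are the obvious things to inventory on a fleet. The following hunt script is an added example, not code from Avast's report; the Oracle-directory pattern and the Authenticode check are assumptions to tune for your own estate, not indicators taken from the report.

```powershell
# Added hunt script (not from the Avast report). Two heuristics grounded in the write-up:
#  1. a WinDivert kernel driver registered on a host that has no business running one
#  2. an oci.dll mapped into a process from an unexpected directory or without a valid signature
# The directory pattern and signature requirement below are assumptions, not IoCs from the report.

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Any registered system driver whose image path mentions WinDivert.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WinDivert' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'WinDivert driver'
            Detail = "$($_.Name) state=$($_.State) path=$($_.PathName)"
        })
    }

# 2. Every running process that currently has an oci.dll loaded.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # protected or cross-bitness processes deny access
    $mods | Where-Object { $_.ModuleName -ieq 'oci.dll' } | ForEach-Object {
        $path = $_.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        # Assumption: a genuine Oracle client DLL lives under an Oracle home; anything else is suspicious.
        $unexpectedDir = $path -notmatch '\\oracle\\'
        if ($unexpectedDir -or $sig.Status -ne 'Valid') {
            $findings.Add([pscustomobject]@{
                Check  = 'oci.dll load'
                Detail = "pid=$($proc.Id) $($proc.ProcessName) path=$path sig=$($sig.Status)"
            })
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No WinDivert driver or suspicious oci.dll found.' }
```

Run it elevated so that module lists of service processes are readable; a WinDivert driver on a workstation that runs no packet-capture tooling deserves follow-up even if no oci.dll hit accompanies it.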

The decryptor resembles malware documented by Trend Micro researchers in 2018, who delved into an information theft-driven supply chain attack dubbed “Operation Red Signature” aimed at South Korean organisations. Because of the overlaps, the Avast Threat Intelligence Team suspects that the attackers had access to the latter’s source code.

Finally, the researchers concluded that “It is reasonable to speculate that some form of data gathering and exfiltration of network traffic occurred. However, beyond what we’ve seen, we have no way of knowing for certain the size and scope of this attack.”
