Russia-linked APT29 uses Google Drive, and Dropbox to Evade – Detection & Response

0

Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.

The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014, along with the APT28 cyber espionage group that was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The attackers used online storage services to exfiltrate data and drop their malicious payloads. The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.

Source: unit42.paloaltonetworks.com

“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” reads the analysis published by Palo Alto Network. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”

The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

EnvyScout is a tool that is used to further infect the target with the other implants. Threat actors used it to deobfuscate the contents of the second state of malware, which is in the form of a malicious ISO file. This technique is known as HTML Smuggling.

A threat hunting activity based on the analysis of the creation time of the phishing message, producer and PDF version metadata in the sample analyzed by Palo Alto Networks, allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.

“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents.” continues the report.

The file Agenda.html employed in the attack was used to deobfuscate a payload, and also for writing a malicious ISO file to the victim’s hard drive. The payload file is an ISO file named Agenda.iso.

Also Read: Latest Cyber Security News – Hacker News !

Once the ISO has been downloaded, the user has to click it to start the infection chain and execute the malicious code on the target system. The user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to launch the infection process.

“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.” concludes the report.

Indicators of Compromise

Lure File Samples-PDFs:

CE9802B22A37AE26C02B1F2C3225955A7667495FCE5B106113434AB5A87AE28A
F9B10323B120D8B12E72F74261E9E51A4780AC65F09967D7F4A4F4A8EABC6F4C
A0BDD8A82103F045935C83CB2186524FF3FC2D1324907D9BD644EA5CEFACBAAF

ISO File Samples:

347715F967DA5DEBFB01D3BA2EDE6922801C24988C8E6EA2541E370DED313C8B
DE06CF27884440F51614A41623A4B84E0CB3082D6564EE352F6A4D8CF9D92EC5

EnvyScout Samples-HTML Files:

0ED71B0F4F83590CCA66C0C9E9524A0C01D7A44CF06467C3AE588C1FE5B13118
CBE92ABB2E275770FDFF2E9187DEE07CCE1961B13C0EDA94237ACEEB06EEFBBD

Malicious DLLs:

A018F4D5245FD775A17DC8437AD55C2F74FB6152DD4FDF16709A60DF2A063FFF
9230457E7B1AB614F0306E4AAAF08F1F79C11F897F635230AA4149CCFD090A3D
FBA3A311A4C0A283753B5A0CDCADD3FE19F5A1174F03CB966F14D04BBF3D73EE

Compressed Payload Files-Underscore Files:

09F0EA9B239385EB22F794DCECAEC1273BE87F3F118A2DA067551778971CA677
56CFFE5E224ACBE5A7E19446238E5BB9110D9200B6B1EA8B552984D802B71547

Decompressed in-memory payload:

295452A87C0FBB48EB87BE9DE061AB4E938194A3FE909D4BCB9BD6FF40B8B2F0
BC9AD574C42BC7B123BAAAFB3325CE2185E92E46979B2FAADDD4BC80DDFAC88A

Infrastructure linked to samples:

porodicno[.]ba/wp-content/Agenda.html
wethe6and9[.]ca/wp-content/Agenda.html
dropbox[.]com/s/raw/dhueerinrg9k97k/agenda.html

Cobalt Strike C2s:

crossfity[.]com
techspaceinfo[.]com

Cobalt Strike IPs:

185.47.128[.]39
31.31.74[.]79

Registry Keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgendaE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate

Email Senders:

matysovi@seznam[.]cz

Emails:

761ED73512CB4392B98C84A34D3439240A73E389F09C2B4A8F0CCE6A212F529C
4C1ED0F6470D0BBE1CA4447981430E8CEB1157D818656BE9C8A992C56C10B541

Detection & Response:

Splunk:

source="WinEventLog:*" AND (((Image="*\\Acrobat.exe") AND Image="*\\agenda.exe") OR ((FileName="*\\Users\*\\AppData\\Roaming\\*") AND (FileName="*agenda.exe" OR FileName="*vcruntime14.dll" OR FileName="*vctool140.dll")))

Qradar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ((("Image" ilike '%\Acrobat.exe') and "Image" ilike '%\agenda.exe') or (("Filename" ilike '%\Users\%\AppData\Roaming\%') and ("Filename" ilike '%agenda.exe' or "Filename" ilike '%vcruntime14.dll' or "Filename" ilike '%vctool140.dll')))

Elastic Query:

((process.executable:*\\Acrobat.exe AND process.executable:*\\agenda.exe) OR (file.path:*\\Users\*\\AppData\\Roaming\\* AND file.path:(*agenda.exe OR *vcruntime14.dll OR *vctool140.dll)))

CarbonBlack:

((process_name:*\\Acrobat.exe AND process_name:*\\agenda.exe) OR ((process_original_filename:*\\Users\*\\AppData\\Roaming\\* OR process_name:*\\Users\*\\AppData\\Roaming\\*) AND (process_original_filename:(*agenda.exe OR *vcruntime14.dll OR *vctool140.dll) OR process_name:(*agenda.exe OR *vcruntime14.dll OR *vctool140.dll))))

GrayLog:

((Image.keyword:*\\Acrobat.exe AND Image.keyword:*\\agenda.exe) OR (FileName.keyword:*\\Users\*\\AppData\\Roaming\\* AND FileName.keyword:(*agenda.exe *vcruntime14.dll *vctool140.dll)))

Logpoint:

((Image IN "*\\Acrobat.exe" Image="*\\agenda.exe") OR (FileName IN "*\\Users\*\\AppData\\Roaming\\*" FileName IN ["*agenda.exe", "*vcruntime14.dll", "*vctool140.dll"]))

Microsoft Defender:

DeviceProcessEvents | where (((FolderPath endswith @"\Acrobat.exe") and FolderPath endswith @"\agenda.exe") or ((FolderPath matches regex @".*\\Users\.*\\AppData\\Roaming\\\.*") and (FolderPath endswith "agenda.exe" or FolderPath endswith "vcruntime14.dll" or FolderPath endswith "vctool140.dll")))

Microsoft Sentinel:

SecurityEvent |  where EventID == 1 | where (((NewProcessName endswith @'\Acrobat.exe') and NewProcessName endswith @'\agenda.exe') or ((TargetFilename matches regex '(?i).*\Users\.*\AppData\Roaming\\.*') and (TargetFilename endswith 'agenda.exe' or TargetFilename endswith 'vcruntime14.dll' or TargetFilename endswith 'vctool140.dll')))

Sumologic:

(_sourceCategory=*windows* AND ((((Image = "*\Acrobat.exe") AND Image="*\agenda.exe") OR ((("\Users\" AND "\AppData\Roaming\\")) AND ("agenda.exe" OR "vcruntime14.dll" OR "vctool140.dll")))))

RSA Netwitness:

(((Image contains '\Acrobat\.exe') && (Image contains 'agenda.exe')) || ((FileName regex '.*\\Users\.*\\AppData\\Roaming\\\.*') && (FileName contains 'agenda\.exe', 'vcruntime14\.dll', 'vctool140\.dll')))

Google Chronicle:

((target.process.file.full_path = /.*\\Acrobat\.exe$/ and target.process.file.full_path = /.*\\agenda\.exe$/) or (target.file.full_path = /.*\\Users\\.*\\AppData\\Roaming.*/ and (target.file.full_path = /.*agenda\.exe$/ or target.file.full_path = /.*vcruntime14\.dll$/ or target.file.full_path = /.*vctool140\.dll$/)))

Source/Credits: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/

hs://securityaffairs.co/wordpress/133409/apt/apt29-google-drive-dropbox.html

Previous articleUEFI Persistence via WPBBIN – Detection & Response
Next articleNew Luna ransomware targets Windows, Linux and ESXi systems
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here