The persistent and patient nature of advanced threat actors.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Danny Adamitis: So, as part of our proactive hunt mission, we are constantly looking for events for actors that we believe could be impacting our organizations for some of our customers. So, as part of that, we just create these proactive YARA rules that are constantly running in the background, and we received an alert that this malware sample actually hit on one of our rules from a prior campaign.
Dave Bittner: That's Danny Adamitis. He's a senior lead information security engineer at Lumen's Black Lotus Labs. The research we're discussing today is titled, "New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs."
Dave Bittner: Well, let's walk through it together. Can we, I guess, begin with a little overview of exactly what we're talking about here?
Danny Adamitis: Sure. So our report is talking about a months-long campaign that we really want to highlight because it demonstrates the persistent and patient nature of some of these advanced threat actors. So our report actually started in September, which is about three months prior to everything else. In this September timeframe, we've observed this threat actors setting up a number of spoofed hostnames, which we believe they were using to actually harvest credentials for foreign diplomats. This is actually correlated with some of the reporting done by Proofpoint, where they also noted some of these same domains being used for credential-harvesting campaigns. We believe that they then were able to successfully compromise at least a few accounts, and then they actually used one of them almost three months later in December to do a more targeted attack against some more government officials that were actually, you know, part of that same organization.
Danny Adamitis: So the other kind of really interesting thing about this is that they're abusing the inherited trust relationship that exists within an organization. So for those people who work in corporate America, if you receive an email from someone outside of your company, you may get this big banner at the top of the email saying that this originated from outside your organization, please proceed with caution, or you might have some sort of alerting mechanism. You don't typically get that from emails sent within your own organization, so by doing that, it kind of allowed them to bypass some of those email-based protections that typically alert the user to exercise more caution when they're proceeding with these exploits.
Dave Bittner: Yeah, it's like that old horror movie trope – you know, the call is coming from inside the house.
Danny Adamitis: Exactly.
Dave Bittner: Yeah. So, this is targeting the Russian Federation's Ministry of Foreign Affairs, as you outlined in your research here. Can we just sort of go through it step-by-step? I mean, how did they find themselves being penetrated by this threat actor?
Danny Adamitis: So, one of the things we want to highlight is that we actually saw this being sent to at least some officials from the Russian Ministry of Foreign Affairs. But there could be indications that, you know, since these diplomats typically interact with each other so often, there could be additional victims out there that we're just not aware of. Unfortunately, though, we're only able to report on the information that we have access to and the things that we were able to find on the internet. So it's kind of the first thing I wanted to throw out there.
Danny Adamitis: The second thing is that this all kind of started, again, with us kind of just looking at the email header information, and we were able to see that this malicious email was actually being sent from an IP address in Germany. And then kind of, you know, looking at that previous PDNS history of that IP address in Germany, we were able to identify some additional spoofed hostnames that I believe kind of had that flavored – that looked like they were trying to socially engineer particular organizations. So that's how we were able to kind of determine that at least one of the impacted organizations was this Russian Ministry of Foreign Affairs, because they contained that reference to the mid.ru, who we were then able to kind of delineate that time frame based of the issuance of the Let's Encrypt X.509 certificates.
Danny Adamitis: So, as you guys may know, Let's Encrypt is a trusted CA, so when they actually issue a certificate to someone, they have to have that valid timestamp, which is kind of what gave us that initial timestamp value for when this began. We then were able to kind of continue following them, and we saw something that looked like it was most likely coming from the same threat actor actually in November. And this was kind of something else which we kind of previously tweeted about, but we didn't get very far with, is that we saw them impersonate a COVID mandate. So, like the rest of the world, Russia is dealing with the current COVID pandemic, and one of the procedures that they were trying to do for their population is basically make all of their citizens register with a QR code, and you would need this if you wanted to go to a restaurant, a gym, a bar, someplace like that in the public space. So they were able to actually Trojanize that registration software, and we believe that that would then download some additional type of payload. Unfortunately, we were not able to recover that particular payload, but we saw a very similar file being used in December for the Happy New Year's campaign.
Dave Bittner: Well, let's talk about that Happy New Year's activity that you all tracked here. What was going on there?
Danny Adamitis: So this was, again, a very interesting campaign because it just played so much off of the social and I want to say that kind of human aspect of security, which I know you love to highlight here on this show. We were able to kind of see that they were sending a New Year's campaign basically the week before New Year's. So again, this is something where, you know, in most professional cultures, you may receive an email from your boss saying, you know, Happy Holidays or Happy Christmas or Kwanzaa or whatever it is that you celebrate in your region. This was something that is kind of expected in some parts of the world. And by doing this, they were able to kind of play off of that social norm in order to kind of exploit the human factor to then kind of click on the screensaver.
Danny Adamitis: They would then kind of have the screensaver load and again, in order to avoid raising suspicion, they would actually display this lovely screensaver, which we have a snapshot of on our blog if people are curious. They show the Red Square with kind of a very festive message saying, you know, "Happy New Year to you." Surreptitiously, in the background, it would then actually start loading this additional file.
Danny Adamitis: One of the really interesting aspects about this particular campaign is that the threat actor went through additional steps to avoid detection of their actual payload server. So one kind of thing that I thought was rather interesting is that if you were to go to a website – say, CyberWire – you would typically get a server 200 error, which says, yes, you are allowed to go here, and that tells the browser to start downloading additional content. The threat actors actually configured their server to respond with a 401 error code, which would typically be indicative of an unauthorized message. This kind of allowed, I think, for some sort of web crawlers, if they were to just say go over that particular hostname, it might just kind of deter them from actually trying to do anything else and download or index any additional content, because they would just say, oh no, I'm not allowed to view this web page, I'm just going to move on to the next one. So that was kind of a really interesting technique. And then, of course, it was just sort of the level of obfuscation that they went through.
Danny Adamitis: The payload itself was, again, previously reported by some people at Malwarebytes, and it actually hasn't changed very much. But they have just done a whole lot to obfuscate the code in order to try to evade detection from EDR products. And then ultimately, it would result in that Konni RAT, where they were able to get some host-based information and then communicate back to that C2, where we suspect they're doing some sort of filtering to say, hey, does this host-based information match with what I think my target looks like? And if so, they would likely deploy potentially a second-stage payload, but they would kind of avoid researchers from getting the additional sample.
Dave Bittner: So, we think that the goal here is espionage, of gathering information on on the systems that they're able to get into?
Danny Adamitis: Yes. Based off everything we believe with this particular threat actor, we suspect that this was an espionage-based campaign. While there have been efforts from certain North Korean groups to try to obtain cryptocurrency in order to try to get money, we believe that this particular cluster of activity is more aligned with their information-gathering operations.
Dave Bittner: Do we suspect that this could be North Korea, or where are we on attribution?
Danny Adamitis: So, as you all know, attribution is a very interesting and tricky subject. So what we are going to say is that we are aligning this activity cluster with what some of the other groups are calling it –TA406, if you are a big fan of Proofpoint, or this is kind of put under the banner of the Konni RAT malware. We believe that this sometimes seems to align with North Korean interests, but we're not really in a position to say who exactly that is, you know, at a more granular level.
Dave Bittner: What did you all track in terms of, once they're in the system, you know, things like lateral movement and persistence? Was there anything noteworthy there?
Danny Adamitis: So, there were two commands that we saw that they were actually running from the command line. One of them was command /c systeminfo, and that would kind of collect information about the actual host that's running it. So this would be things like the size of the RAM, your internal domain, basically all the information that, you know, your computer has to have, and that would allow them to kind of identify who the actual user is, what domain they're on, if this is something that they believe would be of interest.
Danny Adamitis: And then there was a second command that was run that was called tasklist. So it would be command /c tasklist. This would allow them to obtain information about everything that's currently running on that particular machine. So this would allow them to look for things like potential EDR products. Are they running, you know, any sort of thing that might prevent them from being able to successfully execute? So this is something that could also help with things like that for their operational security. So if you see these two commands being run in succession, that would set off a whole bunch of flags for me, and that's something I would start looking at.
Dave Bittner: In terms of their communication, you know, back and forth with the command-and-control servers, what can you share with us there? I mean, were they – to what degree were they trying to be stealthy with that? Any insights there?
Danny Adamitis: So it was kind of more of a blend in the noise sort of aspect. So they were just communicating over port 80 HTTP. However, in order to kind of secure their communications, they were actually taking all of the information, such as the system info, they would actually then zip that up into a .cab file and then encrypt that. So that way, if you were just looking at something like a packet capture or Snort, it might not be able to actually trigger on anything inside of the packet because it was encrypted. But you could potentially get the information about the fact of communication with this abnormal "atwebpages[.]com" hostname.
Dave Bittner: Is there any sense that these folks are still at this? Was this a campaign that ran its course, or is this a group we're still looking at?
Danny Adamitis: This is a group that we are so looking at, and I believe that they're not going to be going away anytime soon. As we kind of highlighted, they were at this for a number of months, and I don't think that this group is going to really be deterred. I suspect that they're going to continue with operations. They may kind of switch some of their payloads, they may kind of switch some of the infrastructure that they're using, but I unfortunately don't think that this is a group that's just going to be going away anytime soon.
Dave Bittner: And what are your recommendations for organizations to best protect themselves?
Danny Adamitis: So, there's a number of things you can do. So, one of the things we first found was the credential harvesting. So I'm sure everyone is kind of heard this by now until they're blue in their face, but multifactor authentication would help with some of this stuff. If you were to use an app-based application that could help generate those one-time PINs which could make it a lot harder for threat actors to try to obtain access to your encrypted email to then perform this sort of email thread hijacking. Or if you work for an actual sensitive organization or you believe that you could be a target of these sorts of attacks, we would also recommend using an actual hardware-based token. So that would be something that would kind of help with some of these email phishing problems.
Danny Adamitis: The other things you could do is you can kind of look at some of the reports we've done and look at actually these command line arguments. So if you have some sort of EDR product or if you're pumping your information into, I want to say, some sort of centralized SIEM and you have things like syslog installed, you can say, hey, have I seen anyone else in this network run things like systeminfo or tasklist, which is something that, you know, your typical user isn't really going to be looking at what processes are running in their machine, so it would kind of at least alert them that something is happening.
Danny Adamitis: And then of course, there is also the opportunity with some of the domain-based monitoring where if you're looking for things like "atwebpages," which could help kind of tip you off to some of this. However, I would almost kind of minimize that one because it's very trivial for them to set up a new domain on some other service, whether it be Hopto or dynamic DNS or whatever the new one is, the new flavor of the week. But by kind of monitoring these actual hosts themselves for these kind of odd command line arguments and by implementing, you know, multifactor authentication for your email, that will really help harden your perimeter and then help provide some alerting if someone is inside your network, whether it be this Konni threat actor or even a different threat actor, because we've seen that there's always this kind of system enumeration from almost every threat actor. So I think that's kind of going to be your biggest bang for your buck.
Dave Bittner: Our thanks to Danny Adamitis from Black Lotus Labs for joining us. The research is titled, "New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.