
This Sparrow doesn't migrate.
Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Martin Zugec: As Russia is focusing more and more on Europe and the Ukraine, of course, we are seeing a little bit of conflict between the Russian and Chinese APTs. We pay a lot of attention to countries that are areas of interest for these two powers.
Dave Bittner: That's Martin Zugec, Technical Solutions Director at Bitdefender. The research we're discussing today is titled "FamousSparrow APT Targets Azerbaijani Oil and Gas Industry." [ Music ] Well, take us through the research. What initially caught your attention here, and what did you discover?
Martin Zugec: What initially got our attention was, actually, old news because we found some of the malware, Deed RAT, for example, Mofu, Terndoor, that are associated with the FamousSparrow group. What we found out early on is that these malware samples are slightly modified compared to what is publicly known. That is always a sign that part of the portfolio from the APT keeps developing and keeps changing. We are always interested in following anytime we find a new version of the known malware. It is something that we pay a lot of attention to. We started following the whole case, the whole incident, and we discovered there is actually quite a lot of new stuff, and that's how this research came together. It started with us finding a modified version of known malware, and then we started discovering the whole operation behind it.
Dave Bittner: Well, reading through the research, I mean, there were three waves of activity. What changed each time? Can you take us through what you all saw?
Martin Zugec: Yes, so exactly. There were three waves of activity, and all of them came through the same door. All of them came to Exchange Server, so "Proxyhell" -- ProxyShell, ProxyNotShell, we call it internally "Proxyhell." It's kind of all-encompassing. It's really nothing new because we've been talking about it since 2022. More and more threat actors are focused on vulnerability exploits, and every single year this is becoming more obvious. This was one of those cases where you have one of these services that is commonly targeted. You don't patch it, and it's only a question of time who and how many threat actors will get inside through the same door. What we saw here was three separate waves of attack, every time focusing on ProxyNotShell exploitation of Microsoft Exchange, but every time using a slightly different version of the malware where they were trying to establish persistence in this environment. We've also seen that the victim in this case discovered this ongoing operation. They tried to clean it up, but unfortunately, they never closed the entry door that the attackers used, so they came back with a different set of malware.
Dave Bittner: Who was the victim in this case? The research mentions the Azerbaijani oil and gas industry, folks. Is that the degree to which we can identify them?
Martin Zugec: Yes, it is.
Dave Bittner: Fair enough. What do we suppose the attackers were after here? Is this an espionage kind of thing? Are they looking to gain control? Any insights there?
Martin Zugec: In this case, it was almost certainly an espionage operation. The reason why we decided to name the country and industry is that Azerbaijan is becoming critically important for Europe and the European Union. We documented -- we didn't go too much into geopolitical implications here, but Azerbaijan has been expanding its role as a strategic energy partner for Europe, including Germany, Austria. I believe they signed the contracts, like, in the last 12 months or so. This is definitely an important energy partner for Europe, and that's what we believe. Again, it's pretty much always, I would say, an educated guess because in cyberespionage you never have all the information. You need to make a lot of assumptions based on what you see. Again, in this case, what we can see is that this was, in our opinion, an espionage operation, specifically because of how Azerbaijan is becoming more important for Europe.
Dave Bittner: I see. The research mentions the use of DLL sideloading and particular techniques with that. Can you explain to us what that means and why the threat actors may have selected this technique?
Martin Zugec: For me, if we put aside, like, all geopolitical implications, the DLL sideloading was the most interesting part of this research. Now, before we get to what is new about this one, if you don't mind, let me just briefly talk about DLL sideloading in general.
Dave Bittner: Please.
Martin Zugec: DLL sideloading is a defense evasion technique where the threat actors are actually relying on the behavior of the Windows operating system. What they are going to find is that they will use a legitimate process, and when you run that process, it's going to load the libraries where the functions are available in the program. They can either replace the library with a malicious library that has the same name. That is the most common method, and pretty much what you are going to do is that if you are defending and you are monitoring, you are going to see, let's say, Outlook.exe, a legitimate process signed by Microsoft in this case. On execution, it is going to load a library that is malicious. That is DLL sideloading. Now, a couple of years ago, and the last few years are kind of blending together, so I cannot say when, but we started noticing DLL sideloading appearing more and more. We actually did, like, a detailed explainer when we first encountered it, because there was not enough information for what we were seeing. The most important takeaway is the following, in my opinion. When we saw DLL sideloading being used as an effective technique, in a very short time, the same technique was adopted by various different APT groups and then by financially motivated cyber criminals. There was a very short time between this is a new technique -- or the technique itself is known for a long time, but this is kind of a new technique that is becoming more popular -- until the moment when this became like a commodity technique across, especially, the Chinese APT ecosystem. There are a lot of theories behind it. One thing that we are seeing with all these advanced APT groups is there must be -- for the lack of better words -- I'm going to call it "academies" for teaching offensive researchers. What we are seeing very often is one group comes up with a new approach, and very quickly, all the groups from the same ecosystem are going to adopt that technique.
Why it matters is that anytime we discover a new advanced version, for example, of the DLL sideloading, even if we found it in a specific country, in this case, Azerbaijan, it's really critical to pay attention because you are going to see the same technique used by other APT groups in the next few months, essentially. That is why even though the research is specifically focused on the oil and gas industry in Azerbaijan, this specific technique is really critical because, again, we believe this will be adopted by multiple groups with different workloads in the next few months.
Dave Bittner: [ Music ] We'll be right back. [ Music ] Well --
Martin Zugec: So that is kind of a high level, a little bit of history and why this matters, now I can tell you what was new and different about the DLL sideloading in this case, maybe?
Dave Bittner: Yeah, please.
Martin Zugec: Typically, as I mentioned, the way -- how DLL sideloading works is you have a legitimate process, legitimate executable. When you execute it, it's going to locate the library that has been replaced. It's going to load that library and execute malicious code inside. We have a lot of detection technology that is already looking at this, looking at unusual locations and this behavior. What was advanced in this case is that the malicious code itself is not initialized when the library is loaded. Instead, there were multiple sub-steps, and when they all worked together, only then, the malicious code is executed. When the host executable is going to be executed in this case, it's going to load the malicious DLL, and it's going to trigger one of the functions. The function, in this malicious library, is just going to patch one of the APIs in memory to create a hook. It is not going to execute anything malicious, and then it's going to stop working. Going back to that legitimate process that loaded this library and executed one of the functions, it will continue with execution until it comes to the moment in execution when it's going to call another function from the same library. It is the second function that is going to pretty much execute the load from the API and restore the payload and execute it. What this means is that typically the detection that we are seeing in these malicious libraries, they are typically looking, hey, am I running in the sandbox? Is this a virtual environment? There is a lot of logic like this. In this case, this is not needed because this advanced DLL sideloading is completely hidden from security sandboxes. If the sandbox is going to execute it, it is most probably, in most cases, just going to say, hey, all of this is completely clean. I haven't seen anything suspicious.
Dave Bittner: That's because it's happening in multiple stages?
Martin Zugec: Yes, and you need to execute those stages in specific order. For example, if you will have a look at this library and try to analyze what are exported functions, which functions are available to you, and then you will try to execute those functions one by one, there is not going to be any malicious behavior. You need to execute those functions, kind of, in the same session and in a specific order, and only then it becomes malicious. For any kind of analysis, this is actually going to be really hard to observe. I remember when we were working on this research, I immediately went, okay, let me have a look at the VirusTotal. This was, like, completely undetected by all the engines.
Dave Bittner: Now, the research mentions deployment of a couple of backdoor families. You've got Deed RAT and Terndoor. What part do they play in all this?
Martin Zugec: Yes, so there were a couple of different backdoors that they've used, and pretty much all of this was for the threat actors after initial access. Again, it's the same door every single time. They were just trying to use some of these backdoors that are well-known to us. The only thing that was interesting for us is that there were slight modifications between them. Some bits have been changed. So again, for us, this is kind of the proof that the toolkit itself continues being actively developed and modified.
Dave Bittner: What are the opportunities for detection here? If I'm a defender, what should I be looking for?
Martin Zugec: We shared, as we always do, the complete list of IOCs; it is publicly available, which we are doing every single time. My recommendation, the reason why we share this, is also giving opportunities for other security companies to test out this new technique of DLL sideloading and making sure that their technology is able to recognize and detect when this is happening. Typically, with DLL sideloading attacks, it is a combination of a legitimate executable with a malicious DLL. We documented which executable was used in this case, but as I mentioned before, DLL sideloading is not a vulnerability of a specific executable. It is legitimate behavior of the Windows operating system that the threat actor is abusing. So again, like, we are pretty sure that we are not only going to see the same technique used by different groups, but we are also going to see different executables that are vulnerable to the same execution flow.
Dave Bittner: You mentioned that the victim organization had discovered some things and had efforts to remove the malware, but ultimately, they were not successful. Why did they come up short?
Martin Zugec: So that is something that I have very strong opinions about. [ Laughter ] We have been documenting for many years how the threat actors, again, are very actively looking for Internet-facing services and abusing them. We are still seeing organizations are very slow in patching, and they still don't understand how the time to exploit is shortening dramatically. There are a lot of reports and numbers related to how quickly these new vulnerabilities are weaponized. Typically, last year, we've been talking, when there is a new vulnerability and a POC is available, you have less than 24 hours before weaponization is industrialized, is what I would call it. Again, this is another example of an attack that we've seen many, many, many times over the last few weeks. We did have interesting research in 2024 or 2025 where one of these exposed Internet-facing services was compromised as well. The customer hadn't patched this for a month, which, like, a few years ago, leaving something unpatched for a month was not considered such a big deal, but, for example, what we've seen with this victim from -- again, from different research, was that within a month after the vulnerability was announced, so pretty much, like, 24 hours after the vulnerability was discovered, we started seeing attacks. One month later, we have seen 70 different threat actors occupying the same machine in the DMZ. Again, whether you are looking at ransomware groups, initial-access brokers, APTs, for all of them, any Internet-facing service, any vulnerability that leads to remote code execution is immediately, like, a huge target that they will start focusing on.
Dave Bittner: What are, ultimately, the takeaways here based on the information you all have gathered and shared? What do you hope people come away with?
Martin Zugec: One of the key takeaways here should be it is important to pay attention to research, even if it is not in your geo. As I mentioned before, we actually spent quite a lot of time discussing how to address something like this because it is oil and gas. It's in Azerbaijan, and at the same time, we believe everyone should pay attention to this research because it is talking about a technique that is going to be used everywhere very soon. So again, like, one of the takeaways should be to understand how APT groups are working together, how they are sharing the knowledge, and this is different for different countries, I would say. They have a different approach to this, but again, for example, with Chinese APTs, what we are seeing is anytime one of the groups comes up with a new or improved technique, all of them are going to adopt it quickly. [ Music ]
Dave Bittner: Our thanks to Martin Zugec from Bitdefender for joining us. The research is titled "FamousSparrow APT Targets Azerbaijani Oil and Gas Industry." We'll have a link in the show notes. That's "Research Saturday" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to CyberWire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tré Hester. Our Executive Producer is Jennifer Eiben. Peter Kilpe is our Publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
