From Linux to Windows: how does Hellhounds bypass the defenses of Russian companies?

Tomcat

The group had attacked at least 48 organizations by the second quarter of 2024.

In November 2023, experts from the Positive Technologies Cybersecurity Expert Center (PT Expert Security Center) published their first study of attacks on Russian companies by a previously unknown hacker group, Hellhounds. The study, titled "Operation Lahat," focused on the group's attacks on Linux-based systems using a new backdoor called Decoy Dog. Ongoing investigation by Positive Technologies has since shown that by the second quarter of 2024 the number of confirmed Hellhounds victims had more than doubled, reaching at least 48 Russian organizations.

While responding to a recent incident at a transportation company, the Positive Technologies CSIRT team identified successful Hellhounds attacks not only on Linux infrastructure but also on Windows systems, which had not previously been reported. The new in-depth study also found that the group has been successfully attacking the infrastructure of Russian organizations since at least 2021, and that the malware it uses has been in development since at least 2019.

Hellhounds relies on a wide range of initial access vectors, including vulnerable web applications and entry through the systems of third-party contractors that have a trusted relationship with the targeted organization. The attackers are also believed to have gained access through supply chain attacks.

During their attacks, the hackers often disguised their malicious tools as legitimate software processes, including products of Positive Technologies itself. This allowed them to remain undetected in compromised systems for long periods.

In the detailed new report, Positive Technologies researchers describe previously unknown Hellhounds tools, reveal the masking techniques the attackers use, and provide indicators of compromise and signatures for detecting the malware samples involved. The extended version of the study was first presented at the Positive Hack Days 2 international cyber festival on information security.

After compromising Linux systems, as Positive Technologies detailed in last year's report, Hellhounds went on to compromise critical hosts running Windows. Once they had access, the attackers installed malicious services named Microsoft Account Service or Microsoft Viewer Service, which ran PE executables acting as loaders for the Decoy Dog backdoor.

[Figure: Detailed scheme of Decoy Dog operation on hosts running Windows.]

To decrypt the backdoor's main payload, the loader used an algorithm keyed on domain names and IP addresses: it decrypted a list of domains embedded in its own code, attempted to resolve them, and then used one of the successfully resolved IP addresses to derive the key that decrypts the path to the main backdoor. The domains could be non-existent subdomains of real domains, so the lookups blended in with legitimate traffic. A consequence worth noting for analysts is that the DNS answer is part of the key: a sandbox that fakes resolution with a fixed address, or a sinkholed domain, produces the wrong key, and the payload cannot be recovered from the loader alone.
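The following is an added illustration of that resolution-keyed scheme, not code from the Positive Technologies report or from the Decoy Dog sample. The real loader's cipher, key derivation, domain list and sanity check are not given in the text, so everything here is a hypothetical stand-in: the key is SHA-256 of the resolved IP, a repeating-XOR keystream takes the place of the real cipher, and a constructed resolver table replaces live DNS so the example runs offline.

```python
"""Added illustration of a DNS-resolution-keyed loader (hypothetical scheme,
constructed data; not the Decoy Dog loader's own code)."""
import hashlib
import socket
from typing import Callable, Optional, Tuple

STATIC_KEY = b"loader-static-key"   # hypothetical: protects only the embedded domain list


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_ip(ip: str) -> bytes:
    """Hypothetical key derivation: the DNS answer itself becomes the key material."""
    return hashlib.sha256(ip.encode()).digest()


def looks_like_path(plaintext: bytes) -> bool:
    """Hypothetical plausibility check so a wrong key is not handed to the next stage."""
    return plaintext.startswith(b"C:\\") and all(32 <= b < 127 for b in plaintext)


def decrypt_payload_path(domain_blob: bytes, path_blob: bytes,
                         resolve: Callable[[str], str]) -> Optional[Tuple[str, str]]:
    """Mirror of the loader logic described in the report summary:
    1. decrypt the embedded domain list,
    2. try to resolve each domain (unresolvable decoys are skipped),
    3. derive a key from a resolved IP and decrypt the path to the main backdoor."""
    domains = xor_stream(domain_blob, STATIC_KEY).decode().split(",")
    for domain in domains:
        try:
            ip = resolve(domain)
        except OSError:            # NXDOMAIN or no network: try the next candidate
            continue
        path = xor_stream(path_blob, key_from_ip(ip))
        if looks_like_path(path):
            return ip, path.decode()
    return None                    # no resolvable domain produced a usable key


# ---- constructed sample data (documentation ranges, not real indicators) -----
EXPECTED_IP = "203.0.113.7"                      # the answer the attacker's zone gives
TRUE_PATH = r"C:\ProgramData\MSViewer\mvs.dll"   # hypothetical payload location
DOMAIN_LIST = ["cdn-static.example.com",         # decoy: non-existent subdomain of a real name
               "update.example.net"]            # the one the attacker actually controls
DOMAIN_BLOB = xor_stream(",".join(DOMAIN_LIST).encode(), STATIC_KEY)
PATH_BLOB = xor_stream(TRUE_PATH.encode(), key_from_ip(EXPECTED_IP))


def attacker_dns(domain: str) -> str:
    """Constructed resolver: answers as the attacker-controlled zone would."""
    table = {"update.example.net": EXPECTED_IP}
    if domain not in table:
        raise socket.gaierror(-2, "Name or service not known")
    return table[domain]


def sinkhole_dns(domain: str) -> str:
    """Constructed resolver modelling a sinkhole or a sandbox that answers every query."""
    return "127.0.0.1"


def live_dns(domain: str) -> str:
    """Real resolution for use outside the lab (gethostbyname raises socket.gaierror on NXDOMAIN)."""
    return socket.gethostbyname(domain)


if __name__ == "__main__":
    print(decrypt_payload_path(DOMAIN_BLOB, PATH_BLOB, attacker_dns))
    print(decrypt_payload_path(DOMAIN_BLOB, PATH_BLOB, sinkhole_dns))
```

With the attacker's resolver the decoy name fails, the second name resolves, and the path decrypts; with the sinkhole resolver every name "resolves", but to the wrong address, so the derived key is wrong and nothing usable comes out. That is the property that makes such a loader awkward to detonate in an analysis environment that answers all DNS queries with a default IP.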

After decryption, the loader handed control to the main payload, the Decoy Dog backdoor, which is based on the open-source Pupy RAT framework but adds a number of new features, including support for dynamic configuration and a fallback mechanism using DGA-generated domains.

To steal credentials on compromised Linux systems, the attackers used a modified version of the open-source 3snake utility. Compared with the original, the terminal (interactive) mode was removed, interception of OpenLDAP credentials was added, and the intercepted credentials were encrypted with the RC4 algorithm. RC4 is symmetric, so the key has to be present in the sample; recovering it during analysis lets responders read exactly which credentials were captured.
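The block below is an added example of reading such an RC4-protected capture once the key has been recovered. It is not the modified 3snake's code: the record layout (one tab-separated line of key=value fields per captured credential, the whole file as one continuous RC4 stream), the key and the sample credentials are all constructed for illustration. The RC4 routine itself is the standard algorithm, checked against its published test vectors.

```python
"""Added example: decrypting an RC4-encrypted credential capture (constructed
record layout, key and data; not the modified 3snake's own code)."""
from typing import Dict, List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                           # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                              # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_records(plaintext: bytes) -> List[Dict[str, str]]:
    """Hypothetical layout: one line per credential, tab-separated key=value fields.
    Values may themselves contain '=' (an LDAP DN, for instance), so split once."""
    records = []
    for line in plaintext.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split("\t") if "=" in item)
        records.append(fields)
    return records


def decrypt_capture(blob: bytes, key: bytes) -> List[Dict[str, str]]:
    """Decrypt a whole capture file (one continuous RC4 stream) and parse it."""
    return parse_records(rc4(key, blob))


# ---- constructed sample capture (not real data) ------------------------------
SAMPLE_KEY = b"hypothetical-key"        # the real sample's key is not in the report text
SAMPLE_LINES = [
    "proc=sshd\tpid=2113\tuser=svc_backup\tpass=Summer2024!",
    "proc=slapd\tpid=987\tdn=cn=admin,dc=corp,dc=local\tpass=ldap-bind-secret",
]
SAMPLE_CAPTURE = rc4(SAMPLE_KEY, "\n".join(SAMPLE_LINES).encode())

if __name__ == "__main__":
    for record in decrypt_capture(SAMPLE_CAPTURE, SAMPLE_KEY):
        print(record)
```

In a real sample the key is usually found near the RC4 key-scheduling loop (the 256-entry table initialisation is easy to spot in a disassembler), and the same `rc4()` call then decrypts whatever the implant wrote to disk or sent out.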

In two of the cases studied by Positive Technologies, the initial access vector was a compromised contractor that had SSH access to the victim's infrastructure. To disguise the Decoy Dog executables and get them run on victims' machines, the attackers used ISO images posing as the iMind video conferencing service.

According to the study, the victims of Hellhounds are mainly Russian IT companies, many of which are contractors to mission-critical organizations. The attackers are believed to target these companies specifically in order to reach the final victims through trusted relationships. The group also continues to attack organizations in other industries, including the public sector.

Although all the tools Hellhounds uses are based on open-source software, the attackers have modified them substantially, which has allowed them to bypass security controls and remain undetected in the compromised systems of critical Russian organizations for years.