ESET THREAT REPORT Q2 2020 | 2 ESET Researchers Reveal the Modus Operandi of the Elusive Invisimole Group, Including Newly Discovered Ties with the Gamaredon Group

ESET THREAT REPORT Q2 2020 | 2 ESET Researchers Reveal the Modus Operandi of the Elusive Invisimole Group, Including Newly Discovered Ties with the Gamaredon Group

THREAT REPORT Q2 2020 WeLiveSecurity.com @ESETresearch ESET GitHub Contents Foreword Welcome to the Q2 2020 issue of the ESET Threat Report! 3 FEATURED STORY With half a year passed from the outbreak of COVID-19, the world is now trying to come 5 NEWS FROM THE LAB to terms with the new normal. But even with the initial panic settled, and many countries easing up on their lockdown restrictions, cyberattacks exploiting the pandemic showed no 8 APT GROUP ACTIVITY sign of slowing down in Q2 2020. Our specialists saw a continued influx of COVID-19 lures in web and email attacks, with fraudsters trying to make the most out of the crisis. ESET telemetry also showed a spike 14 STATISTICS & TRENDS in phishing emails targeting online shoppers by impersonating one of the world’s leading package delivery services — a tenfold increase compared to Q1. The rise in attacks target- 15 Top 10 malware detections ing Remote Desktop Protocol (RDP) — the security of which still often remains neglected — continued in Q2, with persistent attempts to establish RDP connections more than doubling 16 Downloaders since the beginning of the year. 17 Banking malware One of the most rapidly developing areas in Q2 was the ransomware scene, with some operators abandoning the — still quite new — trend of doxing and random data leaking, 18 Ransomware and moving to auctioning the stolen data on dedicated underground sites, and even forming “cartels” to attract more buyers. 20 Cryptominers Ransomware also made an appearance on the Android platform, targeting Canada under the 21 Spyware & backdoors guise of a COVID-19 tracing app. ESET researchers quickly put a halt to this campaign and provided a decryptor for victims. Among many other findings, our researchers: uncovered 22 Exploits Operation In(ter)ception, which targeted high-profile aerospace and military companies; revealed the modus operandi of the elusive InvisiMole group; and dissected Ramsay, 23 Mac threats a cyberespionage toolkit targeting air-gapped networks. 24 Android threats Besides offering recaps of these findings, this report also brings exclusive, previously unpublished ESET research updates, with a special focus on APT group operations — see 25 Web threats the News From the Lab and APT Group Activity sections! 27 Email threats Throughout the first half of 2020, ESET has also actively contributed to the MITRE ATT&CK knowledge base in its newly released, revamped version with sub-techniques. The latest 29 IoT security ATT&CK update includes four new ESET contributions. And finally, after a break, this quarter has seen new conference plans take shape — 30 ESET RESEARCH CONTRIBUTIONS although with packed venues replaced by virtual streams — and we are excited to invite you to ESET’s talks and workshops at BlackHat USA, BlackHat Asia, VB2020 and others. Happy reading, stay safe — and stay healthy! Roman Kovác, Chief Research Officer ESET THREAT REPORT Q2 2020 | 2 ESET researchers reveal the modus operandi of the elusive InvisiMole group, including newly discovered ties with the Gamaredon group. The InvisiMole Group is a threat actor InvisiMole’s toolset operating since at least 2013, whose malware was first reported by ESET [1] ESET telemetry suggests that the in 2018 in connection with targeted attackers were actively developing cyberespionage operations in Ukraine their malware throughout the campaign, and Russia. redesigning and recompiling its compo- nents, as well as introducing new ones. We previously documented the group’s two feature-rich backdoors, RC2CL and For example, we found several versions RC2FM, that provide extensive espionage of InvisiMole’s loader and RC2FM back- capabilities such as recording from the door, with one of the samples apparently victims’ webcam and microphone, tracking freshly compiled before being deployed the victims’ geolocation, and collecting and detected by ESET. FEATURED recently accessed documents. We also observed that, later in the However, little was known about the rest operation, the attackers abandoned the of the group’s tactics, techniques and use of the PE format for their files, in procedures (TTPs). an attempt to avoid detection. As for the newly introduced components, we discov- In late 2019, InvisiMole resurfaced ered a previously unreported TCP down- with an updated toolset, targeting a loader and a DNS downloader, the latter few high-profile organizations in the using DNS tunneling to communicate with STORY the C&C server. military sector and diplomatic missions, both in Eastern Europe. Overall, the campaign is characterized ESET researchers investigated these by long execution chains with multiple attacks in cooperation with the affected layers of per-victim encryption, making organizations and were able to uncover it difficult to reconstruct the attack. the extensive, sophisticated toolset In these execution chains, the attack- used for delivery, lateral movement and ers used several interesting living off — execution of InvisiMole’s backdoors the land techniques — they abused legiti- the missing pieces of the puzzle in our mate applications (also called living off previous research. the land binaries or LOLBins [3]) to exe- The investigation also led us to reveal cute their own code, set up persistence, Digging up InvisiMole’s previously unknown cooperation between perform lateral movement and other the InvisiMole Group and Gamaredon [2], a operations, aiming to bypass application hidden arsenal highly active threat group also operating whitelisting and fly under the radar. since at least 2013, and mainly targeting Furthermore, we found that InvisiMole Zuzana Hromcová and Anton Cherepanov Ukrainian institutions. delivers vulnerable executables to ESET THREAT REPORT Q2 2020 | 3 compromised computers and exploits them for covert code Execution guardrails execution and long-term persistence. InvisiMole uses a Windows feature called Data Protection browsers, is abused by InvisiMole to protect its payload The attackers brought a vulnerable speedfan.sys driver API (DPAPI) to place execution guardrails and encrypt the from security researchers. Even if they find InvisiMole’s onto a compromised computer, exploiting it in order to payloads individually per-victim, specifically: components in telemetry or on malware sharing platforms, inject InvisiMole into a legitimate process from kernel they can’t decrypt them outside the victim’s computer. mode. This technique was used previously, for example, • the CryptProtectData API for data encryption by the Slingshot APT [4] and has been referred to as • the CryptUnprotectData API for data decryption However, thanks to direct cooperation with the affected Bring Your Own Vulnerable Driver [5] (BYOVD) by fellow organizations, we were able to recover the payloads and This symmetric encryption scheme uses a key derived researchers. reconstruct four of InvisiMole’s execution chains. from the user’s login secrets, so the decryption must Besides the driver, the attackers delivered a vulnerable be performed on the same computer where the data was Acknowledgements to fellow ESET researchers Matthieu Faou, Windows component from Windows XP and exploited its in- encrypted. Ladislav Janko and Michal Poslušný for their work on this investigation. put validation vulnerability, or a vulnerable third-party The DPAPI feature, intended for local storage of creden- software package and exploited its stack overflow vulner- tials such as Wi-Fi passwords or login passwords in web WeLiveSecurity blogpost [6] | White paper [7] ability — a technique we named Bring Your Own Vulnerable Software (BYOVS). Stage Stage Stage Stage For lateral movement, we observed that the InvisiMole Group steals documents or software installers from the Control Panel misuse chain compromised organization, and replaces them in the orig- LNK JS inal locations with their own trojanized versions, or uses Startup folder LNK file JS script Control shellcode EternalBlue and BlueKeep exploits to spread to vulnerable Panel loader hosts within the network. Stage Stage TCP SMInit downloader Cooperation between InvisiMole and exploit chain Gamaredon Scheduled task Total Video shellcode During our investigation, we discovered that InvisiMole is Player loader delivered to the compromised systems by a .NET downloader Stage Stage Stage Stage Stage Stage detected by ESET products as MSIL/Pterodo, the work of Speedfan RCCL the Gamaredon group. Gamaredon malware is usually dis- exploit chain backdoor tributed through spearphishing emails and used to move laterally as far as possible within the target’s network, Service srvanyng winapiexec shellcode driver kernel mode shellcode loader exploit inject loader while fingerprinting the machines. Stage Stage Stage Stage Stage Our research now shows Gamaredon is used to pave the way DNS downloader for a far stealthier payload — according to our telemetry, Wdigest a small number of Gamaredon’s targets are “upgraded” exploit chain to the advanced InvisiMole malware, likely those deemed Scheduled task setupSNK wdigest shellcode user mode shellcode particularly significant by the attackers. loader inject loader ??? InvisiMole’s execution chains; padlocks indicate use of per-machine encryption ESET THREAT REPORT Q2 2020 | 4 IoT Serious flaws found in multiple smart home hubs ESET researchers found numerous serious security vulnerabilities in three different home hubs — Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and eLAN-RF-003. These devices are used to monitor and control smart homes and other

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    36 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us