From an information security perspective, 2020 was a complicated year. Not only did the pandemic reshape the threat landscape, but double-extortion ransomware attacks became the new normal. To top the year off, December brought the discovery of massive supply-chain campaigns whose real extent is not yet clear.
Another thing of note from last year is the weaponization of cloud services by state-sponsored groups. Abusing the cloud for criminal purposes such as phishing and malware delivery (the Ryuk ransomware is probably the most noteworthy example) is by now an established trend. Some recent campaigns show that cloud abuse is becoming increasingly common in cyber-espionage operations too, where legitimate services are used to deliver the malicious payload within a multi-stage kill chain, adding a further layer of evasion.
MuddyWater and GitHub
MuddyWater (also known as Seedworm and TEMP.Zagros) is an Iranian threat group that primarily targets the Middle East, but also Europe and North America. Its victims are mainly in the telecommunications, government (IT services) and oil sectors.
Its latest campaign deploys an extremely complex kill chain. The initial delivery is a Word file with an embedded macro; when the macro runs, it launches PowerShell, which downloads and executes a PowerShell script from GitHub. That script in turn downloads a PNG file from the image hosting service Imgur and, through steganography, uses the pixel values of the image to decode a Cobalt Strike script that connects to the command and control server to receive further instructions.
Cobalt Strike is a commercial penetration testing framework that, among other things, lets an operator run commands on a compromised endpoint; it is frequently weaponized by threat actors, as in this case. The attackers lean on that legitimate-tool image even further: the decoded payload embeds the EICAR test string, so that analysis tools and SOC analysts who come across it may dismiss the activity as an antivirus or red-team test.
This campaign has an uncommon degree of complexity, with multiple stages that each provide a different level of evasion: the abuse of well-known cloud services (GitHub and Imgur), steganography, and the weaponization of a security tool.
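To make the two tricks above concrete, here is an added example (not code from the original article, and not the campaign's actual tooling) that round-trips a stand-in "stage two" script through a real PNG file and then shows why an embedded EICAR string is not evidence of a test. The bit layout (one payload byte per pixel, split across the low nibbles of the red and green channels, with an assumed 4-byte length prefix) is modelled on the public Invoke-PSImage technique and is an assumption about how such loaders work in general, not a claim about this sample; the cover image, the payload text and all function names are constructed for the example.

```python
import struct
import zlib

# The EICAR test string is public. It is assembled from two halves here only so
# that this file on disk is not itself a contiguous EICAR match.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, body):
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


def encode_png(pixels, width, height):
    """Write 8-bit RGB pixels (list of (r, g, b) tuples) as a PNG with unfiltered scanlines."""
    rows = []
    for y in range(height):
        row = pixels[y * width:(y + 1) * width]
        rows.append(b"\x00" + bytes(c for px in row for c in px))  # filter type 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit, colour type 2 = RGB
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))


def decode_png(data):
    """Minimal PNG reader for the subset encode_png emits (8-bit RGB, filter 0 only)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = 1 + 3 * width
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("filtered scanline; a full decoder is needed")
        pixels.extend(tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width))
    return pixels, width, height


def embed(pixels, payload):
    """Hide payload in the low nibble of R and G of consecutive pixels.
    Assumed layout (Invoke-PSImage style) with a 4-byte big-endian length prefix."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(blob):
        r, g, b = out[i]
        out[i] = ((r & 0xF0) | (byte >> 4), (g & 0xF0) | (byte & 0x0F), b)
    return out


def extract(pixels):
    """Reassemble the hidden bytes from the pixel values (what the stager does in memory)."""
    raw = bytes(((r & 0x0F) << 4) | (g & 0x0F) for r, g, _ in pixels)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n]


def contains_eicar(data):
    return EICAR in data


def is_genuine_eicar_file(data):
    """True only for the standard test file: the 68-byte string, optionally followed by
    whitespace, total length at most 128 bytes. An EICAR string buried inside a larger
    blob is not a test file and must not short-circuit analysis."""
    return len(data) <= 128 and data.rstrip(b" \t\r\n") == EICAR


def cover_image(width=16, height=8, seed=12345):
    """Deterministic pseudo-random cover pixels (constructed; stands in for a real photo)."""
    pixels, x = [], seed
    for _ in range(width * height):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        pixels.append(((x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF))
    return pixels


# Stand-in for the decoded stager: harmless text that carries the EICAR string,
# the way the article describes the real payload doing.
STAGE2 = b"Write-Host 'stage two'\n# " + EICAR


def roundtrip(payload=STAGE2, width=16, height=8):
    """Embed payload, write a real PNG, read it back and recover the payload."""
    png = encode_png(embed(cover_image(width, height), payload), width, height)
    pixels, _, _ = decode_png(png)
    return extract(pixels)


if __name__ == "__main__":
    recovered = roundtrip()
    print(recovered.decode())
    print("contains EICAR:", contains_eicar(recovered),
          "| genuine test file:", is_genuine_eicar_file(recovered))
```

The PNG survives the round trip because the payload lives in the least significant bits of the colour values: the picture still looks like a picture, and a hosting service such as Imgur has no reason to reject it. The triage check at the end is the caveat a SOC wants: the EICAR string only means "test" when it is the whole file, so a decoder or sandbox should keep going when it finds the string inside a script.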
A Cocktail of Cloud Services for Molerats
Security researchers from Cybereason have recently revealed the details of an active espionage campaign carried out by Molerats (also known as the Gaza Cybergang), a politically motivated threat group with victims primarily in the Middle East, Europe and the United States. The campaign, aimed at Arabic-speaking targets, used two previously unidentified backdoors called SharpStage and DropBook (the second name may sound familiar), and abused multiple cloud services both for malware delivery (Dropbox and Google Drive) and for command and control (Dropbox again, plus Facebook, hence the name DropBook).
The attack chain starts with phishing documents, delivered through social engineering, themed on current Middle Eastern affairs. Once opened, the lure documents download the two backdoors from either Dropbox or Google Drive:
- SharpStage is a .NET backdoor. Among its malicious features, it implements a Dropbox client used to exfiltrate the stolen data.
- DropBook is a Python backdoor that executes commands received via Facebook and can also download and execute additional payloads from Dropbox.
Unsurprisingly, as the researchers observe, the abuse of cloud services serves both to avoid detection and to make the malicious infrastructure resilient to takedown:
"Both backdoors operate in a stealthy manner, implementing the legitimate cloud storage service Dropbox to exfiltrate the stolen information from their targets, thus evading detection or takedowns by using legitimate web service. In addition, […] DropBook, […], exploits the social media platform Facebook, where the backdoor operators create fake accounts to control the backdoor while hiding in plain sight. DropBook differs from the other espionage tools in the arsenal since it relies solely on fake Facebook accounts for C2 to receive instructions from its operators. While the exploitation of social media for C2 communication is not new, it is not often observed in the wild."
Sometimes They Come Back
The last example is Bandook, a 13-year-old backdoor trojan (a commercially available remote access tool dating from 2007) that has recently resurfaced in a new espionage campaign against various targets worldwide, adapting to the same trend of abusing the cloud inside a complex multi-stage kill chain.
Here too the attack chain is quite sophisticated; simplified, it runs as follows:
- The malware reaches the targets' computers as a malicious Microsoft Word document inside a .zip file. The documents pose as material about cloud-based services such as Office 365, OneDrive and Azure, and their content is shown only if the victim clicks "Enable Content".
- Once the document is opened, a malicious macro is fetched through an external template (invisible to the victim) and loads the second-stage payload: a PowerShell script that, after several steps, downloads a .zip file containing three files from one of several cloud services (Dropbox, Bitbucket or an S3 bucket).
- The downloaded files (disguised as images) are combined on the victim's machine to build the final Bandook loader, which uses process hollowing: it starts a new Internet Explorer process and injects the malicious payload into it, so that the malware runs under the name of a legitimate binary.
All three of these cyber-espionage campaigns share a common trait: a complex kill chain that deploys multiple evasion mechanisms, including the abuse of legitimate cloud services to distribute the malicious payload.
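The first two steps of that chain leave a fingerprint that can be checked before the document is ever opened: a .docx that carries no macro of its own but declares an attached template at an http(s) URL. The following is an added example (not code from the original article or from the Bandook research) that unpacks a .zip attachment, finds the Office documents inside, reads each one's `word/_rels/settings.xml.rels` and reports remote attached templates and any local VBA project. The sample documents, the placeholder URL on example.com and all function names are constructed for the example; the relationship type and namespace URIs are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OFFICE_EXT = (".docx", ".docm", ".dotx", ".dotm")


def remote_templates(docx_bytes):
    """Return the http(s) attachedTemplate targets declared in an Office document.

    Word also records a locally stored template with TargetMode="External", but as a
    file:/// URL, so the scheme check is what separates a lure from a normal document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and urlsplit(target).scheme in ("http", "https")):
                hits.append(target)
    return hits


def has_vba_project(docx_bytes):
    """True if the document itself ships a macro project (the lure in this chain does not)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return "word/vbaProject.bin" in z.namelist()


def triage_zip(outer_zip_bytes):
    """Walk a .zip attachment and report every Office document inside it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(outer_zip_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith(OFFICE_EXT):
                doc = z.read(name)
                report[name] = {
                    "remote_templates": remote_templates(doc),
                    "macro_in_document": has_vba_project(doc),
                }
    return report


def build_docx(template_url):
    """Constructed minimal .docx: just enough of the package for the relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr(
            "word/_rels/settings.xml.rels",
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
            f"</Relationships>",
        )
    return buf.getvalue()


def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real campaign artifacts. A normal document points at a
# local Normal.dotm; the lure points at a template on a web server.
BENIGN = build_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
LURE = build_docx("https://example.com/templates/Azure-Certificate.dotm")
SAMPLE_ZIP = build_zip({"Certificate.docx": LURE, "readme.txt": b"see attached"})


def demo():
    return triage_zip(SAMPLE_ZIP)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

A document with a remote template and no local macro is exactly the combination a macro-only scanner misses, because the VBA arrives later from the template URL. In practice the reported URL is the artifact to pivot on: the host tells you which cloud service is being abused for this stage.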
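The common trait across the three campaigns also suggests a common detection: none of the processes that fetched or talked to GitHub, Imgur, Dropbox, Google Drive, Facebook, Bitbucket or S3 in these chains (an Office application, PowerShell, a Python interpreter) is a process that normally speaks to those services. The following is an added example, not from the original article, of that heuristic run over a constructed EDR-style export (timestamp, host, image name, destination). The domain lists and the per-service "expected client" sets are illustrative starting points to be tuned per environment, and the log lines, host names and function names are constructed for the example.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts host process dest")

# Service families abused in the campaigns above (illustrative domain lists).
SERVICE_DOMAINS = {
    "github": ("github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"),
    "imgur": ("imgur.com", "i.imgur.com"),
    "dropbox": ("dropbox.com", "api.dropboxapi.com", "content.dropboxapi.com",
                "dl.dropboxusercontent.com"),
    "gdrive": ("drive.google.com", "docs.google.com"),
    "facebook": ("facebook.com", "graph.facebook.com"),
    "bitbucket": ("bitbucket.org",),
}

# Processes that legitimately reach each family; anything else is suspect. Tune per site.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
EXPECTED_CLIENTS = {
    "github": BROWSERS | {"git.exe", "code.exe"},
    "imgur": BROWSERS,
    "dropbox": BROWSERS | {"dropbox.exe"},
    "gdrive": BROWSERS | {"googledrivesync.exe"},
    "facebook": BROWSERS,
    "bitbucket": BROWSERS | {"git.exe"},
    "s3": BROWSERS,
}


def service_of(host):
    """Map a destination host to a service family, or None if it is not one we track."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # S3 hostnames: bucket.s3.amazonaws.com, s3.<region>.amazonaws.com, s3-<region>.amazonaws.com
    if host.endswith(".amazonaws.com") and any(l == "s3" or l.startswith("s3-") for l in labels):
        return "s3"
    for family, domains in SERVICE_DOMAINS.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return family
    return None


def parse(line):
    """Constructed export format: ISO timestamp, host, image name, destination host."""
    ts, host, process, dest = line.split()
    return Event(ts, host, process.lower(), dest)


def detect(lines):
    """Flag every connection to a tracked service from a process not expected to use it."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        family = service_of(ev.dest)
        if family and ev.process not in EXPECTED_CLIENTS.get(family, BROWSERS):
            alerts.append((ev.host, ev.process, family, ev.dest))
    return alerts


def chained_hosts(alerts, min_families=2):
    """Hosts whose flagged processes touched several service families: the multi-stage
    pattern (e.g. GitHub for the script, then Imgur for the image) rather than a one-off."""
    families = defaultdict(set)
    for host, _, family, _ in alerts:
        families[host].add(family)
    return {h: f for h, f in families.items() if len(f) >= min_families}


# Constructed sample log: three endpoints mimicking the chains described in the article,
# plus ordinary browser and sync-client traffic that must not alert.
SAMPLE_LOG = """\
2020-12-10T09:14:02Z WS-17 winword.exe example-bucket.s3.amazonaws.com
2020-12-10T09:14:05Z WS-17 powershell.exe raw.githubusercontent.com
2020-12-10T09:14:09Z WS-17 powershell.exe i.imgur.com
2020-12-10T09:20:41Z WS-22 python.exe graph.facebook.com
2020-12-10T09:20:44Z WS-22 python.exe content.dropboxapi.com
2020-12-10T09:21:00Z WS-09 chrome.exe www.facebook.com
2020-12-10T09:21:30Z WS-09 dropbox.exe api.dropboxapi.com
2020-12-10T09:22:10Z WS-31 git.exe bitbucket.org
2020-12-10T09:23:55Z WS-31 msedge.exe docs.google.com
"""


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print("ALERT", *alert)
    print("chained:", chained_hosts(found))
```

The domain traffic itself is unremarkable, which is the whole point of the technique; the signal is the pairing of process and destination, and it gets stronger when one host hits several of these services in sequence. Expect to add internal tooling (CI runners, backup agents that write to S3) to the expected-client sets before this is quiet enough to page on.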