US Homeland Security Warns on Critical Vertical Attacks

The National Cybersecurity and Communications Integration Center (NCCIC) at the US Department of Homeland Security has issued a warning on an emerging sophisticated campaign targeting critical verticals, including public health, critical manufacturing and IT.

The campaign has been active since at least May 2016, NCCIC said, using multiple malware implants. The threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates—and could instigate a medium-priority incident affecting public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.

“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments,” the organization noted in a bulletin that also includes NCCIC mitigations and recommendations. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”

The bad actors generally use malware implants to acquire legitimate credentials, and then leverage those credentials to pivot throughout the local environment. A secondary technique involves using backdoors left behind on key relay and staging machines.

NCCIC said that PLUGX/SOGU and REDLEAVES are the most interesting malware samples being employed. PLUGX is a sophisticated remote access tool (RAT) that has been operating since approximately 2012. Once the PLUGX RAT is installed on a victim system, the actor has complete C2 capabilities over it, including the ability to take screenshots and download files from the compromised system. The PLUGX operator may also add, remove or update PLUGX plugins during runtime to adjust C2 capabilities based on the operator's requirements. Advanced capabilities include key-logging, system enumeration, port-mapping and the ability to initiate a system shutdown, adjust shutdown-related privileges for a given process and lock the user's workstation.

REDLEAVES, meanwhile, is a remote administration trojan that consists of three parts: an executable, a loader and the implant shellcode. Its capabilities include system enumeration, command execution and creating a remote shell back to the C2.

“A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed,” NCCIC said. “Possible impacts include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm to an organization’s reputation.”