Operation TaskMasters: How We Exposed the Cyber ​​Group Attacking Organizations in Russia and the CIS



    Image: Unsplash

    In autumn 2018, PT Expert Security Center experts revealed the activity of a criminal group whose activities were aimed at stealing confidential documents and espionage. Today we will talk about the progress of the investigation, as well as describe the main methods and tools that the group used.

    Note : The link provides a full investigation report . It also provides indicators of compromise that can be used to identify signs of an attack.

    Who the group is attacking, and when it was discovered


    The grouping was identified by experts of PT Expert Security Center in 2018. The criminals used an unusual method of securing in the infrastructure, based on the creation of specific tasks (tasks) in the task scheduler - that's why PT ESC called the TaskMasters group.

    Task Scheduler allows you to execute OS commands and run software at a specific point in time specified in the task. Moreover, the AtNow scheduler used by this grouping allows you to perform tasks not only locally, but also on remote computers on the network, and to do this regardless of the time settings of these nodes. In addition, this utility does not require installation. These features simplify attack automation.

    Hackers hacked companies from different countries, with a significant number of victims in Russia and the CIS. Most of the attacked companies can be attributed to the industry. In total, we are aware of the compromise of more than 30 organizations in various industries, including the energy and oil and gas sectors and government bodies.

    The main goal of the group is to steal confidential information. Attackers try to gain a foothold in the corporate information system for a long time and gain access to key company servers, top management workstations, and critical business systems.

    The earliest traces of the presence of the group in the infrastructure date back to 2010, and at that time the criminals already completely controlled some servers and workstations, which means that the penetration occurred much earlier.

    Asian footprint


    In the code on GitHub of the ASPXSpy2014 web shell, which was used during the attack, there are links to Chinese developers. However, the version we found contains a link to google.ru instead.



    ASPXSpy: a public and attacked version.

    In requests for web shells, IP addresses belonging to the hosting provider and printing house in Eastern Europe were identified. But in the events of the proxy server log of one of the attacked organizations, the moment the attackers switched to the resident Chinese IP address 115.171.23.103 was reflected, which most likely happened due to disconnection of the software VPN at the time of the attack.

    During the attack, the attackers used a copy of the WinRAR archiver, which was activated with a key that is widely distributed in forums whose users communicate in Chinese.



    Licensed version of WinRAR in software resources.



    Licensed key from WinRAR published in Chinese forums

    . One of the tasks was using the Brengkolang.com domain registered through a Chinese registrar. Also, many utilities contain error messages and other debugging information written in English with errors, which may indicate that it is not native to developers.

    How attackers act


    The overall attack vector is fairly predictable. After penetrating the local network, attackers examine the infrastructure, exploit system vulnerabilities (for example, CVE-2017-0176 ), then download to compromised nodes and unpack a set of utilities. Using this set, they search, copy, and archive the files of interest to them, and then send them to the management servers.

    To navigate the network, criminals execute system commands on remote nodes using the AtNow utility, which allows you to run software and execute commands after a specified time interval has passed. To manage the nodes using small backdoors, through which they connect to the management servers. At the same time, there are backup channels in the form of web shells uploaded to external resources, for example, to the Exchange server.



    Attack Scheme The

    group uses the Dynamic DNS infrastructure for its domains. Attackers use a large set of utilities and tools to conduct cyber attacks and actively use the supply chain attack scheme.

    To scan the network and compromise systems, attackers use free software (including NBTScan, PWDump, Mimikatz). In addition to third-party tools, self-developed programs are also used.

    The main software of the TaskMasters group, with which they controlled infected nodes, consists of two components:

    • RemShell Downloader - loader,
    • RemShell - software with a basic set of functions.

    Let us consider in more detail each of the components.

    RemShell Downloader


    This component of malware is designed to deliver the main payload to the attacked system. The general scheme of the boot loader is shown in the figure below.



    The RemShell

    loader working scheme The loader accesses the HTML page at the address specified in its code and reads the value of the Attribute attribute of the HTML tag:



    Example HTML file

    Then the read value is decrypted, and depending on what it contains, the loader either goes to standby mode (Sleep command), or saves the PE file to disk and launches it. The downloaded PE file is just the payload - the main RemShell trojan.

    Trojan RemShell


    RemShell, the main malware used by attackers to control infected nodes, provides attackers with the following options:

    1. Terminal for remote host control (cmd shell).
    2. Uploading files to a remote host.
    3. Download files from a remote host to the management server.

    The trojan uses two management servers. The first acts as an intermediary or proxy, which, at the request of malware, provides the address of the main management server. Also, a command can be received from the first management server to transfer malware to another management proxy server.



    Switching from the first managing server to the main

    We found various variations of this malware. In some, for example, there was no command to download files from the node to the management server - in such cases, the attackers used a proprietary utility to upload files. In others, commands were added that allow you to get a list of processes running in the system and complete the process by PID (process identifier).
    Configuration data, such as the address of the controlling proxy server, port, user-agent, is encrypted using RC4 and set by constants in the malware code.

    The data sent between the management servers and malware is encrypted using the RC4 algorithm and additionally encoded with Base64. The key for RC4 is generated using a constant string by calculating the MD5 hash. The result of executing commands received from the management server is sent as an HTTP request to the URL with a specific prefix 1111.

    The malware also includes the Heartbeat mechanism, which at random intervals “taps” with an HTTP request containing the result of the hostname command, at the given URL with a specific prefix of 0000.



    Heartbeat

    Management servers


    The server part for managing malware on infected nodes is represented by console ELF files. The server management interface is made in the form of a shell and supports the commands presented in the figure below.



    The server logs in detail all the commands sent to the remote host. These log files are stored on disk in encrypted form. To encrypt log files, the RC4 algorithm is used.

    We were able to analyze several instances of the server side of the malware. In one case, we found a mention of the AiMi developer, which we found references to in other tools of the TaskMasters grouping.



    Mentioning developers in the information displayed by the script

    Web Shell 404-input-shell


    The authorization window for accessing the functionality of the web shell is disguised as the standard error page 404 of the IIS web server. To access the command line and execute commands, you must enter a password. The password field is hidden and displayed if you click the Back link.



    Click the Back button to try another link.

    For authorization, the attackers used the password 0p; / 9ol. - they used the same password to encrypt archives. The web shell code contains the MD5 hash of this password.



    In total, as part of the investigations, we discovered three modifications of this web shell. They differ in functionality: one of them is used only for downloading files from the server, the other for uploading files to the server, the third for executing OS commands.

    Conclusion


    Our study shows that cybercriminals can pursue not only momentary financial goals. Increasingly, they seek to gain access to data and capture control of information flows of organizations.

    The victims of cyber espionage can be companies in various sectors of the economy. In order to understand how to defend against such attacks, it is necessary to use specialized tools. Also at the investigation stage, it is important to study in detail the tactics used by the attackers. It is quite difficult for organizations to solve this problem on their own, because this requires not only advanced tools, but also highly qualified information security specialists. Implementation of recommendations received from security professionals will increase the level of security of the infrastructure and complicate its hacking.

    Also popular now: