Cyber-Criminal espionage Operation insists on Italian Manufacturing

ZLab researchers spotted a new malicious espionage activity targeting Italian companies operating worldwide in the manufacturing sector.

Introduction

During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

The group behind this activity is the same we identified in the past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019), YAKKA (01/2020). This actor was first spotted by PaloAlto’s UNIT42 in 2018 during wide scale operations against technology, retail, manufacturing, and local government industries in the US, Europe and Asia. They also stated the hypothesis of possible overlaps with the Gorgon  APT group, but no clear evidence confirmed that.

However, in order to keep track of all of our report, we synthesized all the monitored campaigns, with their TTPs and final payload:

Table 1: Synthetic table of the campaigns

As we can see from the table, the Aggah campaigns varied in the time, but it maintained some common points. All campaigns used as the initial stage an office document (PowerPoint or Excel) armed with macro and some of them used injection methods. 

All attack operations used a “Signed Binary Proxy Execution” technique abusing Mshta, a legit Microsoft tool, and used at least an executable file for the infection. In addition, the use of PowerShell stage or the abuse of legit web service has been reported in some campaigns. 

Furthermore the CMSTP bypass exploit is a new feature present only in the 2020, because the first malwares identified to exploit this vulnerability all date back to mid/end 2019, making think the fact that the Threat Actor likes to test the latest disclosed exploits in order to make its campaigns always at the forefront. Regarding persistence mechanisms, we note that initially scheduled tasks were used, but in the latest infections the registry run keys were used. All threats use at least one obfuscation method to make the analysis harder. 

Looking at the evolution of the final payloads, we can say that this evolution is certainly due to a chronological factor, since Revenge rat had become obsolete, but the evolution is also due to the technological factor and its means: revenge rat has the classic functionality of spyware, while AZORult is considered an info stealer. As a last payload, Agent Tesla was used which collects all the functionality of the previous payloads as it is considered an info stealer and spyware.

Technical Analysis

The infection chain starts with a malicious Microsoft Powerpoint weaponized with a malicious macro.

Table 2. Sample information

The content of the macro is quite easy to read and the content is short and easy to read:

Figure 1: Content of the malicious macro

The VBA macro is responsible to download and execute malicious code retrieved from pastebin.  j[.mp is an url shortening service, the following request redirect and download a pastebin content:

Figure 2: Shortener resolution

The MSHTA Drop Chain

Like the previous campaigns, this threat actor uses a Signed Binary Proxy Execution (ID: T1218) technique abusing “mshta.exe” (T1170) a signed and legit Microsoft tool. Adversaries can use mshta.exe to proxy execution of malicious .hta files, Javascript or VBScript.

Figure 3: Piece of code of the Bnv7ruYp paste

As shown in the above figure, the code is simply URI encoded by replacing each instance of certain characters by one, two or three escape sequences representing the UTF-8 encoding of the character. 

Code Snippet 1

This stage acts as a dropper, in fact, it downloads and executes some pastebin contents through mshta.exe. 

Figure 4: Evidence of the NIBBI author

This lasta campaign has been dubbed with the name of the Pastebin user spreading the malicious pastes. This time the name is “NIBBI”. The first component is 5CzmZ5NS:

Figure 5: Piece of the code of 5CzmZ5NS paste

The second one is sJEBiiMw:

Figure 6: Piece of the code of the sJEBiiMw paste

The third one, YL0je2fU:

Figure 7: Piece of the code of the YL0je2fU paste

and the fourth component, UyFaSxgj:

Figure 8: Piece of the code of the UyFaSxgj paste

This obfuscation technique is typical of this particular actor and he largely leveraged it in many malicious operations. Moreover, the usage of a legit website such as pastebin (T1102) gives a significant amount of cover such as advantages of being very often whitelisted. Using such a service permits to reduce the C2 exposure. In the past, other groups also used similar techniques to decouple attack infrastructure information from their implant configuration, groups such as APT41, FIN6 or FIN7.

Once decoded the first component (5CzmZ5NS), it unveils some logic, as shown in Code Snippet 2. First of all, the script set a registry key, as a windows persistence mechanism (T1060) in which it place the execution of the following command: “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX“

Code Snippet 2

The code contains some “funny” comments related to the twitter community of security researchers which constantly monitor the actor operations. Then, the final payload is identified by Rk4engdU paste.

Figure 9: Piece of the rnS6CUz paste

Decoding this hex stream we get the following powershell code:

Code Snippet 3 

The Powershell Loader

The Code Snippet 3 is a Powershell script in which the function “UNpaC0k3333300001147555” is declared, having the purpose to manipulate the two payloads in the right way. Both of them are .NET binaries. The de-obfuscated code is stored in the deblindB variable and then executed.

As suggested by the name deblindB, invoke the execution of the static method “Bypass” of the “Amsi” class.

Figure 10: Amsi Bypass exploit evidence

Instead, the payload embedded inside the variable $MNB is another type of injection tool, but this one is not executed by the script, probably because both the binaries perform the same action and only one is sufficient.

At this point, we deepen the “sJEBiiMw” component obtaining:

Code Snippet 4

This script downloads and executes another script from pastebin: ygwLUS9C. It is a base64 encoded script with some basic string replacing. We also noticed this executable uses the CMSTP bypass technique (T1191), already seen in our previous report.

Figure 11: CMSTP Bypass evidence

However, in this case, there is a new element differently the previous version: through the CMSTP bypass, a VBS script is written in the “\%TEMP%\” folder, which executes many disruptive commands:

Figure 12: Evidence of the VBS script loaded and executed

The VBS script, as also mentioned inside the first row as comment, has the objective to set to zero the level of security of the infected machine. The script is the following:

Code Snippet 5

As seen in the code a powershell command is hidden inside the variable named $cici, which is immediately converted from the decimal to the relative ascii value. 

Code snippet 6

In Code Snippet 6 we found a powershell code instructed to insert in the Microsoft Windows Anti-Malware exclusions the following processes: msbuild, calc, powershell, wscript, mshta and cmd.

Another script in this intricated chain is YL0je2fU:

Code Snippet 7

Even in this case there is a powershell script embedded in it using the same variable name “$cici”, but with the following body:

Code Snippet 8

The script performs a constant check in the clipboard of the victim machine, looking for bitcoin addresses and some of them are also hardcoded. The last stage is UyFaSxgj:

Code Snippet 9

This component spawn through powershell a script a binary file from a pastebin, eyGv9x4B, but, unfortunately, at the time of analysis, the paste has been removed.

This example could suggest to us the power of the malicious infrastructure built from the attacker, where  components could be removed or replaced with another one in every moment.

The Payload

As previously stated, the final payload is AgentTesla. It remains one of the most adopted commodity malware instructed to steal a large number of sensitive information about the victim. During the past years, we constantly studied the evolution of this threat and we enumerated all the sensitive data grasped by it. 

However, also in this case, we obtained the final payload and the configuration of the SMTP client where sends the stolen information:

Figure 13: Configuration of the AgentTesla SMTP client

The domain “atn-com.pw” has been created ad-hoc in order to manage the infection campaign. Studying the uptime of the domain we were able to reconstruct the infection campaign of the threat actor.

Figure 14: Information about the C2 uptime stats

As shown above, the domain has been registered on the last days of january and it has been active since the middle of April. After a short period of inactivity, it compared another time the 2nd of May since these days.

Conclusion

The actor hiding behind this campaign can undoubtedly be considered a persistent cyber-threat to many organizations operating in production sectors in Europe and, in the last months, also in Italy. Its intricate infection chain developed and tested during the years gave him the flexibility needed to bypass many layers of traditional security defences, manipulating the delivery infrastructure from time to time.

During the time, the actor’s delivery infrastructure was leveraged to install different kinds of malware: most of the time remote access trojans and info and credential stealing software. Such malware types are capable of enabling cyber-espionage and IP theft operations, potentially to re-sell stolen information on dark markets.

No doubt, we will keep going to track this threat.

Additional details, including IoCs and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – Italian manufacturing, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On