APT

New APT ChamelGang Targets energy and aviation companies in Russia

ChamelGang APT is a new cyberespionage group that focuses on fuel and energy organizations and aviation industry in Russia

ChamelGang is a new APT group that was first spotted in March by researchers at security firm Positive Technologies; it targets Russian companies in the energy and aviation industries.

In March, the cyberespionage group was observed leveraging ProxyShell against targets in 10 countries and used a variety of malware in its campaign.

Now the group is targeting organizations in Russia by exploiting known vulnerabilities, such as the Microsoft Exchange ProxyShell issues, and it also uses a new set of malware to exfiltrate sensitive information from target networks.

The name ChamelGang comes from the word “chameleon”, chosen because the group disguises its malware and network infrastructure as legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.

The threat actors used domains mimicking legitimate ones (newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, mcafee-upgrade.com) and installed SSL certificates on their servers that imitated those of legitimate sites (github.com, www.ibm.com, jquery.com, update.microsoft-support.net).

Experts pointed out that the ChamelGang group also carried out supply chain attacks in order to reach its actual victims.

The analysis of the techniques used by the threat actors revealed that the ChamelGang group used both known malicious software (i.e. FRP, Cobalt Strike Beacon, and Tiny Shell) and previously undetected malware tracked as ProxyT, BeaconLoader and the DoorMe backdoor.

Positive Technologies experts investigated two attacks conducted by the APT group, which took place in March and August respectively.

The March attack was spotted after the experts noticed that the antivirus software installed on the systems of a Russia-based energy company repeatedly reported the presence of the Cobalt Strike Beacon in RAM.

“At the end of March 2021, the attackers compromised a subsidiary organization to gain access to the energy company’s network, using a vulnerable version of a web application on the JBoss Application Server platform. The investigation revealed that the attackers, having exploited vulnerability CVE-2017-12149, were able to remotely execute commands on the host.” reads the analysis published by the experts. “When analyzing the server logs, vuln6581362514513155613jboss records were found on the compromised host, indicating that the public exploit jboss-_CVE-2017-12149 had been used.”

Once they had gained access to the target network through a supply chain attack, the attackers deployed post-exploitation tools to maintain persistence and exfiltrate information. Experts reported the use of Tiny Shell and the Cobalt Strike Beacon.

The attackers staged the collected data on web servers within the compromised network and then downloaded it using the Wget utility.

The August attack was aimed at a Russian organization in the aviation industry.

“We notified the affected company on time—four days after the server was compromised—and, in cooperation with its employees, promptly eliminated the threat. In total, the attackers remained in the victim’s network for eight days, and two weeks passed from the moment of notification to the completion of the incident response and investigation.” continues the report. “According to our data, the APT group did not expect that its backdoors would be detected so quickly, so it did not have time to develop the attack further.”

Experts reported that the threat actors exploited the ProxyShell flaws in this second attack and installed the DoorMe v2 backdoor on two Microsoft Exchange mail servers on the victim’s network.

The attackers then used BeaconLoader, together with the Cobalt Strike Beacon, for lateral movement.

Positive Technologies researchers determined that the hackers had compromised another 13 organizations in the US, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In most of these attacks, the threat actors compromised Microsoft Exchange Servers by exploiting the ProxyLogon and ProxyShell flaws.

“Trusted relationship attacks are rare today due to the complexity of their execution. Using this method in the first case, the ChamelGang group was able to achieve its goal and steal data from the compromised network. Also, the group tried to disguise its activity as legitimate, using OS features and plausible phishing domains. In addition, the attackers left a passive backdoor DoorMe in the form of a module for the IIS server.” concludes the report. “We predict that the trend using the supply chain method will continue. New APT groups using this method to achieve their goals will appear on stage.”


Pierluigi Paganini
