Activity Summary - Week Ending on 24 August 2023:

  • Red Sky Alliance identified 1,592 connections from new IPs checking in with our Sinkholes
  • MS – 48 Hits
  • 64 ‘new’ Botnets hits
  • Preparing for a Ransomware Attack
  • DLL Hijacking
  • Poland Attacks
  • UK
  • John Clifton Davies

 

Red Sky Alliance Compromised (C2) IPs

| IP | Contacts |
| --- | --- |
| 172.172.123.62 | 2 |
| 95.25.207.56 | 1 |
| 91.226.129.183 | 1 |
| 89.151.186.254 | 1 |
| 85.174.196.166 | 1 |

172.172.123.62 was reported 49 times. Confidence of Abuse is 100%. ISP: Microsoft Limited; Usage Type: Data Center/Web Hosting/Transit; Domain Name: microsoft.com; Country: USA; City: Boydton, Virginia
https://www.abuseipdb.com/check/172.172.123.62


On 23 August 2023, Red Sky Alliance identified 1,592 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 Malware Variants and number of contacts. Sality and Corkow have consistently remained the top variants. Wekby follows.

Red Sky Alliance Malware Activity

| Malware Variant | Times Seen |
| --- | --- |
| sality | 1466 |
| corkow | 110 |
| wekby | 6 |
| tidserv | 5 |
| shiz | 3 |


For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker


On 23 August 2023, analysts identified 64 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

| First Seen | Botnet Attribution | Infected Host’s IPv4 Address |
| --- | --- | --- |
| 2023-08-22T19:10:55 | HTTP proxy\|port: 999 | 45.175.236.0 |
| 2023-08-18T07:00:43 | HTTP proxy\|port: 999 | 45.181.123.145 |
| 2023-08-18T07:00:24 | HTTP proxy\|port: 999 | 45.181.123.146 |
| 2023-08-18T07:00:23 | HTTP proxy\|port: 999 | 45.181.123.147 |
| 2023-08-18T07:00:27 | HTTP proxy\|port: 999 | 45.181.123.148 |


Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Preparing for a Ransomware Attack - It’s 2023 and although ransomware has existed for decades, organizations still struggle with this evolving threat.  In fact, based on data from our latest Fortinet 2023 Global Ransomware Report, two-thirds of organizations were targeted by ransomware and half of those fell victim to an attack. So it’s not a question of “if” organizations might experience an incident, it’s “when.”   How will teams perform to get their organizations back to normal as quickly and with as little adverse impact as possible?

The challenge is more pronounced than ever. For instance, in the 2022 Verizon Data Breach Investigations Report, ransomware’s involvement in successful breaches doubled to 25% compared to the year prior.  The Fortinet FortiGuard Labs threat research team closely monitors the growth in ransomware attacks.  In the second half of 2022, the volume of ransomware attacks grew by 16% compared to the previous six-month period. While this is unsettling, it isn’t surprising: Ransomware-as-a-Service (RaaS) offers even novice cybercriminals the opportunity to easily launch sophisticated attacks for a quick payout when those attacks are successful.

There are many actions organizations can take, from implementing the right security tools to ensuring all employees have basic cyber-hygiene knowledge, to guard against this growing threat. However, given the risk involved, organizations must have a sense of urgency and take action across technology, people, and processes. As a result, security leaders, those in the C-suite, and boards of directors must collectively prioritize ransomware risk mitigation and prevention.

Link to full report: preparing-for-a-ransomware-attack.pdf

DLL Hijacking - Thriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.  Sentinel Labs observed malware and infrastructure likely related to China-aligned activities targeting this sector.  The malware and infrastructure we analyze are related to indicators observed in Operation ChattyGoblin and are likely part of the same activity cluster.  Operation ChattyGoblin is ESET’s name for a series of attacks by China-nexus actors targeting Southeast Asian gambling companies with trojanized Comm100 and LiveHelp100 chat applications.[1]  The targeting, the malware used, and the C2 infrastructure specifics point to past activities that third parties have linked to the China-aligned BRONZE STARLIGHT group (also known as DEV-0401 or SLIME34).  This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as a means for distraction or misattribution. TeamT5 has also reported on BRONZE STARLIGHT’s politically-motivated involvement in targeting the Southeast Asian gambling industry.

Despite the indicators observed, accurate clustering remains challenging.  The Chinese APT ecosystem is plagued by extensive sharing of malware and infrastructure management processes between groups, making high confidence clustering difficult based on current visibility. The Sentinel analysis led to historical artifacts that represent points of convergence between BRONZE STARLIGHT and other China-based actors, which showcases the complexity of a Chinese threat ecosystem composed of closely affiliated groups.

Background - ESET reported that a ChattyGoblin-related attack in March 2023 targeted the support agents of a gambling company in the Philippines.  In the attack, a trojanized LiveHelp100 application downloaded a .NET malware loader named agentupdate_plugins.exe. The final payload was a Cobalt Strike beacon using the duckducklive[.]top domain for C2 purposes.  The hash of this malware loader was not disclosed.  Analysts subsequently identified malware loaders that we assess are closely related to those observed as part of Operation ChattyGoblin and are likely part of the same activity cluster – a .NET executable also named agentupdate_plugins.exe and its variant AdventureQuest.exe.

This association is based on naming conventions, code, and functional overlaps with the sample described in ESET’s report.  Although one cannot conclusively determine whether the agentupdate_plugins.exe analyzed here is the same as that reported by ESET, one of its VirusTotal submissions is dated March 2023 and originates from the Philippines.  This aligns with the geolocation of the target and the timeline of the ChattyGoblin-related attack involving agentupdate_plugins.exe.

The Malware Loaders - agentupdate_plugins.exe and  AdventureQuest.exe  deploy .NET executables based on the SharpUnhooker tool, which download second-stage data from Alibaba buckets hosted at agenfile.oss-ap-southeast-1.aliyuncs[.]com and codewavehub.oss-ap-southeast-1.aliyuncs[.]com.  The second-stage data is stored in password-protected zip archives. 

The zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.  The executables are components of the software products Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan.  The malicious DLLs masquerade as their legitimate counterparts:   They export functions with the same names, such that specific functions, when invoked by the legitimate executables, decrypt and execute code embedded in the data files.  The data files we could retrieve implement Cobalt Strike beacons.

| Zip archive | Archive content | Final payload |
| --- | --- | --- |
| adobe_helper.zip (agentupdate_plugins.exe) | Adobe CEF Helper.exe, libcef.dll, agent.data (not available) | / |
| cefhelper.zip (AdventureQuest.exe) | identity_helper.exe, msedge_elf.dll, agent.data | Cobalt Strike C2: www.100helpchat[.]com |
| Agent_bak.zip (AdventureQuest.exe) | mfeann.exe, LockDown.dll, agent.data | Cobalt Strike C2: live100heip[.]com |

The 100helpchat[.]com and live100heip[.]com C2 domains follow the naming convention of the LiveHelp100 trojanized application used in operation ChattyGoblin, possibly to make malicious network activity look like legitimate LiveHelp100 activity.

agentupdate_plugins.exe and AdventureQuest.exe implement geofencing based on the ifconfig.co IP-based geolocation service.  The loaders are meant to stop their execution if they are run on a machine located in the United States, Germany, France, Russia, India, Canada, or the United Kingdom.  This may indicate that the threat actors have no interest in intrusions in these countries for this campaign.  Due to errors in implementation, the geofencing fails to work as intended.

Stolen Ivacy VPN Certificate - The .exe is signed using a certificate issued to the Ivacy VPN vendor PMG PTE LTD:

  • Thumbprint: 62E990CC0A26D58E1A150617357010EE53186707
  • Serial number: 0E3E037C57A5447295669A3DB1A28B8A

Ivacy has been present on the market since 2007 and attracts users with low-price offerings.

It is likely that at some point the PMG PTE LTD signing key was stolen, a familiar technique of known Chinese threat actors to enable malware signing.  VPN providers are critical targets, since they enable threat actors to potentially gain access to sensitive user data and communications.  At the time of writing, analysts have not observed any public statements by PMG PTE LTD clarifying the circumstances that led to the use of their signing keys for signing malware.  The DigiCert Certificate Authority has revoked the compromised certificate after a public discussion on the issue.

HUI Loader - The malicious DLLs libcef.dll, msedge_elf.dll, and LockDown.dll distributed by agentupdate_plugins.exe and AdventureQuest.exe are HUI Loader variants.  HUI Loader is a custom malware loader shared between several China-nexus groups.  The loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file. HUI Loader variants may differ in implemented payload staging and execution techniques as well as additional functionalities, such as establishing persistence and disabling security features.

libcef.dll, msedge_elf.dll, and LockDown.dll closely resemble HUI Loader variants observed in a string of cyberespionage and ransomware operations that third parties have linked to APT10, TA410, and BRONZE STARLIGHT.

| Threat actor | Description |
| --- | --- |
| BRONZE STARLIGHT (aliases: DEV-0401, SLIME34) | A China-based ransomware operator active since 2021. The group is known for deploying a variety of ransomware families, such as LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora, and shares tooling with APT10. BRONZE STARLIGHT’s main goal is suspected to be espionage rather than financial gain, using ransomware as a means for distraction or misattribution. |
| APT10 (aliases: BRONZE RIVERSIDE, MenuPass) | A China-nexus cyberespionage group active since at least 2009. The group focuses on targeting entities considered strategically important by the Chinese state. |
| TA410 | A China-nexus cyberespionage group loosely linked to APT10, tracked as a distinct entity. The group is mostly known for targeting the US utilities sector and Middle Eastern governments. |


APT10 and TA410 Operations

The cef_string_map_key function of libcef.dll downloaded by agentupdate_plugins.exe references the C:\Users\hellokety.ini file.

Figure: The cef_string_map_key function

HUI Loader variants with this exact artifact have been reported as part of several cyberespionage operations:

enSilo (now Fortinet) has disclosed cyberespionage activities in Southeast Asia observed in April 2019 and attributed them with medium confidence to APT10.

Researchers from Macnica, Secureworks, and Kaspersky have presented on A41APT campaign activity conducted throughout 2021. A41APT is a long-running cyberespionage campaign targeting Japanese companies and their overseas branches. Kaspersky has attributed earlier A41APT activity (from March 2019 to the end of December 2020) with high confidence to APT10. TrendMicro has attributed A41APT activity over 2020 and 2021 to a group they track as Earth Tengshe, noting that Earth Tengshe is related to APT10 with some differences in employed TTPs.

ESET has presented on TA410 activities, noting the hellokety.ini artifact in this context. ESET also notes the possibility that the April 2019 activities reported by Fortinet were misattributed to APT10 instead of TA410.

Figure: HUI Loader variants (hellokety.ini) used in APT10 and TA410 operations

BRONZE STARLIGHT Operations - Since around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile (Symantec, 2021; NSFOCUS, 2021), AtomSilo (Sophos, 2021), NightSky (Microsoft, 2021), LockBit 2.0 (SentinelLabs, 2022), and Pandora (TrendMicro, 2022). Some of these operations have been attributed to BRONZE STARLIGHT by the organizations disclosing them and all of them collectively by Secureworks. All of these ransomware families have been noted by Microsoft as being part of the BRONZE STARLIGHT arsenal in time intervals aligning with those of the previously mentioned operations.

C2 Infrastructure - The Cobalt Strike C2 GET and POST URIs associated with the Operation ChattyGoblin domain duckducklive[.]top contain /functionalStatus and /rest/2/meetings, respectively. Their uncommon full forms closely resemble those observed by Secureworks in AtomSilo, Night Sky, and Pandora operations they attribute to BRONZE STARLIGHT. The researchers reported that, as of June 2022, they had not seen this Cobalt Strike configuration associated with other ransomware families. The threat actors have likely adapted a public Cobalt Strike malleable C2 profile available in a Github repository of the user xx0hcd.

| Cobalt Strike C2 POST URI | Relation |
| --- | --- |
| /rest/2/meetingsmCRW64qPFqLKw7X56lR41fx | Operation ChattyGoblin |
| /rest/2/meetingsVDcrCtBuGm8dime2C5zQ3EHbRE156AkpMu6W | AtomSilo |
| /rest/2/meetingsQpmhJveuV1ljApIzpTAL | Night Sky |
| /rest/2/meetingsKdEs85OkdgIPwcqbjS7uzVZKBIZNHeO4r5sKe | Pandora |

The C2 GET and POST URIs associated with the www.100helpchat[.]com and live100heip[.]com domains we observed contain /owa followed by character strings. The format of these strings resembles those in the URIs associated with duckducklive[.]top and also those reported in past BRONZE STARLIGHT activities. It is likely that the threat actors have adapted another open source Cobalt Strike malleable C2 profile, which is also available in a Github repository of the user xx0hcd.

| Domain | Cobalt Strike C2 GET URI | Cobalt Strike C2 POST URI |
| --- | --- | --- |
| live100heip[.]com | /owa/Z7bziD-BDtV9U1aLS9AhW4jyN1NEOelTEi | /owa/LAC9kgQyM1HD3NSIwi–mx9sHB3vcmjJJm |
| www.100helpchat[.]com | /owa/aLgnP5aHtit33SA2p2MenNuBmYy | /owa/XF0O-PjSCEslnDo51T0K4TOY |

The Cobalt Strike profiles associated with the duckducklive[.]top, www.100helpchat[.]com, and live100heip[.]com domains share a C2 port number (8443) and a watermark (391144938). The earliest record of duckducklive[.]top becoming active is dated 24 Feb 2023. The earliest records of live100heip[.]com and 100helpchat[.]com becoming active are dated 24 Feb 2023 (overlapping with that of duckducklive[.]top) and 28 Feb 2023, respectively.
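To turn the URI shapes, C2 port and domains described above into a detection, here is an added example (not code from the report or from SentinelLabs) that scans constructed proxy log lines; the log format, the sample lines and the example.com hosts are assumptions, while the domains, port and URI prefixes are the ones the report names.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed proxy log lines (not taken from the report). Fields:
# timestamp, method, destination host, destination port, URI path.
SAMPLE_LOG = """\
2023-08-22T10:01:05 GET www.100helpchat.com 8443 /owa/aLgnP5aHtit33SA2p2MenNuBmYy
2023-08-22T10:01:07 POST live100heip.com 8443 /owa/LAC9kgQyM1HD3NSIwi-mx9sHB3vcmjJJm
2023-08-22T10:02:11 GET duckducklive.top 8443 /functionalStatus
2023-08-22T10:02:12 POST duckducklive.top 8443 /rest/2/meetingsmCRW64qPFqLKw7X56lR41fx
2023-08-22T10:03:00 GET mail.example.com 443 /owa/auth/logon.aspx
2023-08-22T10:03:30 POST api.example.com 443 /rest/2/meetings
2023-08-22T10:04:00 GET cdn.example.com 8443 /owa/Qx9LkYt4Wm2pZaBnC7vRdE1sHu
"""

# C2 domains and port named in the report (written undefanged for matching).
KNOWN_C2_DOMAINS = {"www.100helpchat.com", "live100heip.com", "duckducklive.top"}
C2_PORT = 8443

# URI shapes from the report: the malleable-profile paths glue a long random
# token directly onto the prefix, which real OWA or REST paths do not do.
URI_PATTERNS = {
    "cs_meetings": re.compile(r"^/rest/2/meetings[A-Za-z0-9]{16,}$"),
    "cs_owa": re.compile(r"^/owa/[A-Za-z0-9_-]{20,}$"),
    "cs_functionalstatus": re.compile(r"^/functionalStatus$"),
}


class Hit(NamedTuple):
    timestamp: str
    host: str
    uri: str
    reasons: Tuple[str, ...]


def parse_line(line: str):
    """Split one assumed-format log line into typed fields."""
    ts, method, host, port, uri = line.split()
    return ts, method, host.lower(), int(port), uri


def classify(host: str, port: int, uri: str) -> List[str]:
    """Return the reasons a request resembles the reported Cobalt Strike C2."""
    reasons = []
    if host in KNOWN_C2_DOMAINS:
        reasons.append("known_c2_domain")
    uri_hits = [name for name, pat in URI_PATTERNS.items() if pat.match(uri)]
    reasons.extend(uri_hits)
    # Port 8443 alone is common; count it only as corroboration of a URI match.
    if uri_hits and port == C2_PORT:
        reasons.append("c2_port_8443")
    return reasons


def scan_log(text: str) -> List[Hit]:
    """Run the classifier over every non-empty log line and collect hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _method, host, port, uri = parse_line(line)
        reasons = classify(host, port, uri)
        if reasons:
            hits.append(Hit(ts, host, uri, tuple(reasons)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.host} {hit.uri} -> {', '.join(hit.reasons)}")
```

The last sample line shows the point of the URI rules: an unknown host on 8443 with a bare random token after /owa/ is still flagged, while the legitimate OWA and REST requests on 443 are not.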

The three domains are each hidden behind CloudFlare, who were quick in remediation after we reported the service abuse. In this case, however, the actors revealed their true hosting locations due to an OPSEC mistake in their initial deployment of the domains’ SSL certificates on their Alibaba Cloud hosting servers at 8.218.31[.]103, 47.242.72[.]118, and 47.242.159[.]242.

Figure: Certificate use on Alibaba IPs

While the analysis of the Cobalt Strike profiles provides links to previous BRONZE STARLIGHT activities, an assessment of the specific group attribution based on current intelligence should be treated with caution. It is noteworthy that Chinese cyber espionage threat actors are progressively refining their operational tactics in manners that obfuscate clear attribution through publicly available intelligence sources alone.

To illustrate this concept, consider the scenario where a broader array of domains imitating various brands may be interconnected, such as those publicly documented involving the BRONZE STARLIGHT, TA410, and APT10 threat actors.
Examples include:  microsofts[.]net, microupdate[.]xyz, microsofts[.]info, microsofts[.]org, miscrosofts[.]com, microsofts[.]com, kaspresksy[.]com, tencentchat[.]net, and microsoftlab[.]top.

Conclusion - China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so. The activities this post discusses illustrate the intricate nature of the Chinese threat landscape.  Better understanding of this landscape is essential for keeping up with its dynamics and improving defense strategies. Achieving this necessitates consistent collaborative and information sharing efforts. SentinelLabs remains dedicated to this mission and continues to closely monitor related threats.

Indicators of Compromise:


Second-Stage Data URLs

| URL | Downloaded by |
| --- | --- |
| https[://]agenfile.oss-ap-southeast-1[.]aliyuncs.com/agent_source/temp1/cefhelper.zip | AdventureQuest.exe |
| https[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp2/agent_bak.zip | AdventureQuest.exe |
| https[://]agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp3/adobe_helper.zip | agentupdate_plugins.exe |
| https[://]codewavehub.oss-ap-southeast-1.aliyuncs[.]com/org/com/file/CodeVerse.zip | AdventureQuest.exe |

C2 Domains

| Domain | Description |
| --- | --- |
| www.100helpchat[.]com | Cobalt Strike |
| live100heip[.]com | Cobalt Strike |

C2 IP Addresses

| IP | Description |
| --- | --- |
| 8.218.31[.]103 | Cobalt Strike |
| 47.242.72[.]118 | Cobalt Strike |

GLOBAL TRENDS:

Poland – Last week, the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości) under the supervision of the Regional Prosecutor's Office in Katowice (Prokuratura Regionalna w Katowicach) took action against LolekHosted.net, a bulletproof hosting service used by criminals to launch cyber-attacks across the world.  Five of its administrators were arrested, and all of its servers seized, rendering LolekHosted.net no longer available.  This latest success in the fight against cybercrime follows a complex investigation supported by Europol and the US Federal Bureau of Investigation (FBI).[2]

Criminal hideouts for lease - Bulletproof hosting is a service in which an online infrastructure is offered, and operators will generally turn a blind eye to what customers use their rented domains for.  However, being willing to ignore the transgressions of clients does not mean that law enforcement will take the same stance.

The complex investigation into LolekHosted.net revealed how the service facilitated the distribution of information-stealing malware, as well as the launching of DDoS (distributed denial of service) attacks, fictitious online shops, botnet server management and the distribution of spam messages worldwide.  The suspects marketed privacy as a key feature of this service, using slogans such as “You can host anything here!” and “no-log policy”. Payments were to be made in cryptocurrencies.

European coordination - Europol’s European Cybercrime Centre (EC3) provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through operational analysis, crypto tracing, and forensic analysis.  The Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters facilitated the information exchange. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

UK - John Clifton Davies was convicted in 2015 of swindling businesses throughout the UK that were struggling financially and seeking to restructure their debt.  For roughly six years, Davies ran a series of firms that pretended to offer insolvency services.  Instead, he simply siphoned what little remaining money these companies had, spending the stolen funds on lavish cars, home furnishings, vacations and luxury watches.   In a three-part series published in 2020, KrebsOnSecurity exposed how Davies, wanted by authorities in the UK — had fled the country, taken on the surname Bernard, remarried, and moved to his new (and fourth) wife’s hometown in Ukraine.[3]

After eluding justice in the UK, Davies reinvented himself as The Private Office of John Bernard, pretending to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking private equity investment opportunities.  In case after case, Bernard would promise to invest millions in hi-tech startups, only to insist that companies pay tens of thousands of dollars’ worth of due diligence fees up front. However, the due diligence company he insisted on using, another Swiss firm called The Inside Knowledge, also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.  Bernard found a constant stream of new marks by offering extraordinarily generous finders fees to investment brokers who could introduce him to companies seeking an infusion of cash. Inside Knowledge and The Private Office both closed up shop not long after being exposed here in 2020.

In April 2023, Krebs wrote about Codes2You, a recent Davies venture which purports to be a “full cycle software development company” based in the UK.  The company’s website no longer lists any of Davies’ known associates, but the site does still reference software and cloud services tied to those associates, including MySolve, a “multi-feature platform for insolvency practitioners.”   Earlier this month, an investment broker who found out his client had paid more than $50,000 in due diligence fees related to a supposed multi-million dollar investment offer from a Swiss concern called Equity-Invest[.]ch.

The investment broker, who spoke on condition that neither he nor his client be named, said Equity-Invest began getting cold feet after his client plunked down the due diligence fees.  “Things started to go sideways when the investor purportedly booked a trip to the US to meet the team but canceled last minute because ‘his pregnant wife got in a car accident,'” the broker explained.  “After that, he was radio silent until the contract expired.”   The broker said he grew suspicious when he learned that the Equity-Invest domain name was less than six months old.  The broker’s suspicions were confirmed after he discovered the due diligence company that Equity-Invest insisted on using,  Diligere[.]co.uk, included an email address on its homepage for another entity called Ardelis Solutions.   A corporate entity in the UK called Ardelis Solutions was key to showing the connection to Davies’ former scam investment and due diligence firms in the Codes2You investigation published earlier this year by Krebs.

Although Diligere’s website claims the due diligence firm has “13 years of experiance” [sic], its domain name was only registered in April 2023.  What’s more, virtually all of the vapid corporate-speak published on Diligere’s homepage is identical to text on the now-defunct InsideKnowledge[.]ch, the fake due diligence firm secretly owned for many years by The Private Office of John Bernard (John Clifton Davies).  “Our steadfast conviction and energy for results is what makes us stand out,” both sites state.  “We care for our clients’ and their businesses; we share their ambitions and align our goals to complement their objectives.  Our clients know we’re in this together. We work in close partnership with our clients to deliver palpable results regardless of geography, complexity or controversy.”


[1] https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/

[2] https://www.europol.europa.eu/media-press/newsroom/news/5-arrested-in-poland-for-running-bulletproof-hosting-service-for-cybercrime-gangs

[3] https://krebsonsecurity.com/2023/08/diligere-equity-invest-are-new-firms-of-u-k-con-man/#more-64560
