On
December
2022,
we
identified
a
suspicious
executable
(detected
by
Trend
Micro
as
Trojan.MSIL.REDCAP.AD)
that
was
dropped
and
executed
on
multiple
machines.
Our
investigation
led
us
to
link
this
attack
to
advanced
persistent
threat
(APT)
group
APT34,
and
the
main
goal
is
to
steal
users’
credentials.
Even
in
case
of
a
password
reset
or
change,
the
malware
is
capable
of
sending
the
new
credentials
to
the
threat
actors.
Moreover,
after
analyzing
the
backdoor
variant
deployed,
we
found
the
malware
capable
of
new
exfilteration
techniques —
the
abuse
of
compromised
mailbox
accounts
to
send
stolen
data
from
the
internal
mail
boxes
to
external
mail
accounts
controlled
by
the
attackers.
While
not
new
as
a
technique,
this
is
the
first
instance
that
APT34
used
this
for
their
campaign
deployment.
Following
this
analysis,
it
is
highly
likely
that
this
campaign’s
routine
is
only
a
small
part
of
a
bigger
chain
of
deployments.
Users
and
organizations
are
strongly
advised
to
reinforce
their
current
security
measures
and
to
be
vigilant
of
the
possible
vectors
abused
for
compromise.
Routine
In
this
section,
we
describe
the
attack
infection
flow
and
its
respective
stages,
as
well
as
share
details
on
how
the
group
uses
emails
to
steal
and
exfiltrate
critical
information.
First
Stage:
Initial
Droppers
We
found
the
initial
stage
.Net
dropper
malware
called
MrPerfectInstaller
(detected
by
Trend
Micro
as
Trojan.MSIL.REDCAP.AD)
responsible
for
dropping
four
different
files,
with
each
component
stored
in
a
Base64
buffer
inside
the
main
dropper.
It
drops
the
following:
-
%System%psgfilter.dll:
The
password
filter
dynamic
link
library
(DLL)
used
to
provide
a
way
to
implement
the
password
policy
and
change
notification -
%ProgramData%WindowsSoftwareDevicesDevicesSrv.exe:
The
main
.Net
responsible
for
exfiltrating
and
leaking
specific
files
dropped
into
the
root
path
of
this
backdoor
execution.
This
backdoor
requires
the
.Net
library
implementing
Microsoft
Exchange
webservices
to
authenticate
with
the
victim
mail
server
and
exfiltrate
through
it. -
%ProgramData%WindowsSoftwareDevicesMicrosoft.Exchange.WebServices.dll:
The
library
to
support
the
second
component’s
capability. -
%ProgramData%WindowsSoftwareDevicesDevicesSrv.exe.config:
An
app
configuration
file
for
runtimes
of
the
.Net
execution
environment.
This
allows
the
option
of
falling
back
to
.Net
2.0.
The
dropper
also
adds
the
following
registry
key
to
assist
in
implementing
the
password
filter
dropped
earlier:
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsa
Notification
Packages
=
scecli,
psgfilter
The
main
.Net
binary
implements
two
arguments
for
its
operation:
the
first
argument
for
installing
the
second
stage,
and
the
second
argument
for
uninstalling
it
and
unregistering
the
password
filter
dropped.
Second
Stage:
Abusing
The
Dropped
Password
Filter
Policy
Microsoft
introduced
Password
Filters
for
system
administrators
to
enforce
password
policies
and
change
notifications.
These
filters
are
used
to
validate
new
passwords,
confirm
that
these
are
aligned
with
the
password
policy
in
place,
and
ensure
that
no
passwords
in
use
can
be
considered
compliant
with
the
domain
policy
but
are
considered
weak.
These
password
filters
can
be
abused
by
a
threat
actor
as
a
method
to
intercept
or
retrieve
credentials
from
domain
users
(domain
controller)
or
local
accounts
(local
computer).
This
is
because
for
password
filters
to
perform,
password
validation
requires
the
password
of
the
user
in
plaintext
from
the
Local
Security
Authority
(LSA).
Therefore,
installing
and
registering
an
arbitrary
password
filter
could
be
used
to
harvest
credentials
every
time
a
user
changes
his
password.
This
technique
requires
elevated
access
(local
administrator)
and
can
be
implemented
with
the
following
steps:
-
Password
Filter
psgfilter.dll
be
dropped
into
C:WindowsSystem32 -
Registry
key
modification
to
register
the
Password
Filter
[DLL
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsa
Notification
Packages
=
scecli,
psgfilter]
Using
this
technique,
the
malicious
actor
can
capture
and
harvest
every
password
from
the
compromised
machines
even
after
the
modification.
The
DLL
has
three
export
functions
to
implement
the
main
functionality
of
support
for
registering
the
DLL
into
the
LSA,
as
follows:
-
InitializeChangeNotify:
Indicates
that
a
password
filter
DLL
is
initialized. -
PasswordChangeNotify:
Indicates
that
a
password
has
been
changed. -
PasswordFilter:
Validates
a
new
password
based
on
password
policy.
When
implementing
the
password
filter
export
functions,
the
malicious
actor
took
great
care
working
with
the
plaintext
passwords.
When
sent
over
networks,
the
plaintext
passwords
were
first
encrypted
before
being
exfiltrated.
Data
Exfiltration
Through
Legitimate
Mail
Traffic
The
main
backdoor
function
(detected
by
Trend
Micro
as
Backdoor.MSIL.REDCAP.A)
receives
the
valid
domain
credentials
as
an
agrument
and
uses
it
to
log
on
to
the
Exchange
Server
and
use
it
for
data
exfilteration
purposes.
The
main
function
of
this
stage
is
to
take
the
stolen
password
from
the
argument
and
send
it
to
the
attackers
as
an
attachment
in
an
email.
We
also
observed
that
the
threat
actors
relay
these
emails
via
government
Exchange
Servers
using
vaild
accounts
with
stolen
passwords.
First,
the
.Net
backdoor
parses
a
config
file
dropped
in
the
main
root
path
where
it
is
executing
from
and
checks
for
a
file
callled
ngb
inside
<%ProgramData%WindowsSoftwareDevicesDevicesTemp>
to
extract
three
parameters:
-
Server:
The
specific
Exchange
mail
server
for
the
targeted
government
entity
where
the
data
is
leaked
through. -
Target:
The
email
addresses
where
the
malicious
actors
receive
the
exfiltrated
data
in. -
Domain:
The
internal
active
directory
(AD)
domain
name
related
to
the
targeted
government
entity
in
the
Middle
East.
However,
the
malware
also
supports
for
the
modification
of
old
passwords
to
new
ones,
which
are
sent
through
the
registered
DLL
password
filter.
The
malware
proceeds
to
initialize
an
ExchangeService
object
in
the
first
step
and
supplies
the
stolen
credentials
as
WebCredentials
to
interface
with
the
victim
mail
server
in
the
second
step.
Using
these
Exchange
Web
Service
(EWS)
bindings,
the
malicious
actor
can
send
mails
to
external
recipients
on
behalf
of
any
stolen
user
and
initialize
a
new
instance
of
the
WebCredentials
class
with
the
username
and
password
for
the
account
to
authenticate.
The
malware
then
iterates
through
the
files
found
under
the
target
path.
For
each
file
found,
it
adds
its
path
to
a
list,
which
will
be
exfilterated
later
in
the
last
step.
The
final
stage
is
to
iterate
over
the
collected
list
of
file
paths.
For
each
path,
it
prepares
an
EmailMessage
object
with
the
subject
“Exchange
Default
Message”,
and
a
mail
body
content
of
“Exchange
Server
is
testing
services.”
The
iteration
attaches
the
whole
file
to
this
EmailMessage
object
and
sends
it
using
the
previous
initalized
EWS
form
(Steps
1
and
2
in
Figure
10),
which
already
authenticated
the
user
account.
APT34
Targeting
and
Arsenal
Evolution
APT34
has
been
documented
to
target
organizations
worldwide,
particularly
companies
from
the
financial,
government,
energy,
chemical,
and
telecommunications
industries
in
the
Middle
East
since
at
least
2014.
Documented
as
a
group
primarily
involved
for
cyberespionage,
APT34
has
been
previously
recorded targeting
government
offices
and
show
no
signs
of
stopping
with
their
intrusions.
Our
continuous
monitoring
of
the
group
proves
it
continues
to
create
new
and
updated
tools
to
minimize
the
detection
of
their
arsenal:
Shifting
to
new
data
exfilteration
techniques
—
from
the
heavy
use
of
DNS-based
command
and
control
(C&C)
communication
to
combining
it
with
the
legitimate
simple
mail
transfer
protocol
(SMTP)
mail
traffic
—
to
bypass
any
security
policies
enforced
on
the
network
perimeters.
From
three
previously
documented
attacks,
we
observed
that
while
the
group
uses
simple
malware
families,
these
deployments
show
the
group’s
flexibility
to
write
new
malware
based
on
researched
customer
environments
and
levels
of
access.
This
level
of
skill
can
make
attribution
for
security
researchers
and
reverse
engineers
more
difficult
in
terms
of
tracking
and
monitoring
because
patterns,
behaviors,
and
tools
can
be
completely
different
for
every
compromise.
For
instance,
in
the
two
separate
attacks
using
Karkoff
(detected
by
Trend
Micro
as
Backdoor.MSIL.OILYFACE.A)
in
2020
and
Saitama
(detected
by
Trend
Micro
as
Backdoor.MSIL.AMATIAS.THEAABB)
in
2022,
the
group
used
macros
inside
Excel
files
as
part
of
the
first
stage
to
send
phishing
emails
since
the
group
did
not
have
access
to
the
enterprise
yet.
Contrary
to
this
newest
compromise,
however,
the
first
stage
was
rewritten
completely
in
DotNet
and
executed
by
the
actor
directly.
Moreover,
Karkoff
malware
has
a
full
backdoor
module
using
a
government
exchange
server
as
a
communication
channel
via
send/received
commands
over
an
exchanged
server,
and
used
a
hardcoded
account
to
authenticate
the
said
communication.
Compared
to
the
new
malware,
the
latest
compromise
seems
to
be
rewritten
to
use
the
same
technique
but
only
to
exfiltrate
data
over
the
mail
channel.
Aside
from
using
hardcoded
accounts
as
exchange
accounts,
APT34
can
add
a
new
module
that
can
monitor
changes
in
passwords
and
use
the
new
accounts
to
send
mails,
exfiltrating
data
via
Microsoft
Exchange
servers.
Based
on
a
2019
report
on
APT34,
the
top
countries
targeted
by
the
group
are:
-
The
United
Arab
Emirates -
China -
Jordan -
Saudi
Arabia
While
not
at
the
top
of
the
group’s
list,
other
countries
in
the
Middle
East
considered
as
targets
are
Qatar,
Oman,
Kuwait,
Bahrain,
Lebanon,
and
Egypt.
Attribution
Analysis
There
are
several
data
points
and
indicators
that
suggest
APT34
carried
out
this
attack,
and
that
this
group
is
still
active
in
targeting
countries
in
the
Middle
East
with
a
special
focus
on
compromising
government
entities.
1.
The
first
stage
dropper
The
first
stage
dropper
between
the
Saitama
backdoor
and
this
new
operation’s
first
stage
.Net
dropper
have
a
few
similarities.
Despite
the
dated
Saitama
operation’s
first
stage
dropper,
a
VBA
macro
that
drops
the
actual
.Net
backdoor
Saitama
malware,
the
new
attack
implemented
in
the
group’s
latest
deployment
is
a
.Net
dropper
that
drops
the
actual
malware.
Both
deployments’
final
stages
leverage
EWS’
Managed
API
(Microsoft.Exchange.WenServices.dll).
2.
Leveraging
exchange
servers
for
communications
(Uni-
and
bidirectional)
Both
this
campaign
and
the
Karkoff
campaign
made
use
of
targeted
exchange
servers
and
relayed
communications
through
it.
In
the
previous
campaign,
this
was
reportedly
done
with
the
deployment
of
the
Karkoff
implant.
The
old
Karkoff
sample
attributed
to
APT34
share
a
common
functionality
for
abusing
the
EWS
API.
3.
The
victim
targeted
APT34
has
been
documented
for
targeting
countries
in
the
Middle
East.
In
a
previous
campaign
analyzed
by
Yoroi
Labs,
the
Karkoff
sample
(SHA256:
1f47770cc42ac8805060004f203a5f537b7473a36ff41eabb746900b2fa24cc8)
attributed
to
APT34
has
the
mail
server
domain
hardcoded
inside
the
sample.
Alongside
the
target
mail
recipient
the
attackers
receive
information
from
is
the
same
hardcoded
mail
server
domain
found
in
the
latest
backdoor,
including
the
targeted
Exchange
Server
for
a
government
ministry.
Both
samples
included
some
hardcoded
credentials
as
well.
However,
the
newer
backdoor
includes
support
for
stealing
the
new
passwords
of
previously
compromised
users
who
changed
their
passwords,
ensuring
their
legitimate
accounts
stay
compromised.
Conclusions
At
first
glance,
security
teams
can
mistakenly
tag
the
sample
as
safe
or
as
a
benign
activity
given
the
validity
of
the
domains
and
mail
credentials.
It
will
take
more
experienced
analysts
to
see
that
the
domains
abused
is
part
of
a
bigger
active
directory
domain
“forest”,
which
share
a
trust
relationship
with
each
other
to
allow
different
government
ministries
or
agencies
to
communicate.
Considering
we
found
a
compromised
account
from
one
entity
inside
a
sample
sourced
from
a
different
agency
indicates
APT34
now
has
a
deep
foothold
in
the
government
domain
forest.
Following
the
stages
executed,
APT34’s
repeated
use
of
the
Saitama
backdoor
technique
in
the
first
stage
indicates
a
confidence
that
even
the
dated
malware’s
technique
will
continue
to
work
and
initiate
compromise.
The
next
stages
for
exfiltrating
data,
however,
are
considerably
new
and
are
considered
exploratory
for
the
group.
Despite
the
routine’s
simplicity,
the
novelty
of
the
second
and
last
stages
also
indicate
that
this
entire
routine
can
just
be
a
small
part
of
a
bigger
campaign
targeting
governments.
We
continue
tracking
and
monitoring
the
abuse
of
this
threat
to
determine
the
depth
and
breadth
of
this
compromise.
Indicators
of
Compromise
(IOCs)
SHA256 |
File name |
Detection |
---|---|---|
5ed7ebc339af6ca6a5d1b9b45db6b3ae00232d9ccd80d5fcadf7680320bd4e6b | DevicesSrv.exe | Backdoor.MSIL.REDCAP.A |
827366355c6429a7fe12d111e240c5bcec3ed61e717fb84ea8b771672dd1f88e | psgfilter.dll | Trojan.Win64.REDCAP.AF |
Emails
abused
-
Jaqueline[.]Herrera@proton[.]me -
Ciara[.]Stoneburner@proton[.]me -
marsha[.]fischer556@gmail[.]com -
Kathryn[.]Firkins@proton[.]me -
Susan[.]potts454@proton[.]me -
Earl[.]butler945@gmail[.]com