Image: Malik Shibly (unsplash)
Government entities in the Middle East and Africa have been the target of sustained cyber-espionage attacks that use rare and previously unseen credential-theft and Exchange email-exfiltration techniques.
Lior Rochberger, senior threat researcher at Palo Alto Networks, wrote in a technical deep dive published last week that the main goal of the attacks was to obtain top secret and sensitive information, specifically relating to politics, military activity, and ministries of foreign affairs.
The company's Cortex Threat Research team is tracking the activity under the temporary name CL-STA-0043 (CL stands for cluster and STA for state-backed motivation) and describes it as a distinct advanced persistent threat.
The infection chain begins with the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to break into the target networks.
Palo Alto Networks said it observed failed attempts to execute the China Chopper web shell in one of the attacks, which prompted the adversary to change tactics and switch to an in-memory Visual Basic Script implant delivered from the Exchange Server.
A successful intrusion is followed by reconnaissance to map the network and single out the servers that hold valuable data: domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.
CL-STA-0043 has also been seen using native Windows tools for privilege escalation, which allows it to create administrator accounts and run other programs with elevated privileges.
A second privilege-escalation technique abuses the Windows accessibility features, specifically the "sticky keys" utility (sethc.exe), which allows the system to be backdoored by bypassing the login requirement.
Rochberger explained that the attacker typically replaces the sethc.exe binary, or the registry pointers/references to that binary, with cmd.exe, which gives the attacker an elevated command prompt shell from which to run arbitrary commands and other tools.
In April, CrowdStrike documented a similar tactic that abused the Utility Manager (utilman.exe) to establish persistent backdoor access to a victim's system.
Besides using Mimikatz for credential theft, the threat actor's playbook also stands out for its use of other unusual methods to steal passwords, move laterally, and exfiltrate sensitive data. These include:
- Abusing Windows network providers to execute a malicious DLL that harvests plaintext passwords and sends them to a remote server.
- Using an open-source penetration-testing toolkit called Yasso to move laterally across the network.
- Using the Exchange Management Shell and PowerShell snap-ins to harvest emails of interest.
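Both the sticky-keys backdoor described above and the network-provider credential harvesting in the first bullet leave traces in the registry and on disk that a responder can check directly. The script below is an added example, not code from Unit 42 or from the article, that audits a Windows host for both. The registry locations are the standard ones Windows uses (the Image File Execution Options "Debugger" value is the usual way the "registry pointer" for sethc.exe is redirected to cmd.exe; network providers are listed in the NetworkProvider\Order key and each points at its DLL via ProviderPath). The list of accessibility binaries, the function names, and the "O=Microsoft Corporation" signer heuristic are the author's choices, and the script assumes it runs in an elevated PowerShell session on the host being inspected.

```powershell
# Added example, not Unit 42's or the article's code: audit a Windows host for
# accessibility-feature backdoors (sethc.exe / utilman.exe style) and rogue
# network-provider DLLs. Assumes an elevated PowerShell session on the host.

# Binaries Windows launches from the logon screen; any of them can be hijacked
# the same way as sethc.exe. The list is the author's choice, not exhaustive.
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-MicrosoftSigned {
    # True only for a file with a valid Authenticode or catalog signature whose
    # signer subject names Microsoft (heuristic chosen for this example).
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Get-AccessibilityBackdoorFindings {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash
    foreach ($bin in $AccessibilityBinaries) {
        # Check 1: registry redirect. A "Debugger" value under the binary's IFEO
        # key makes Windows run that program (typically cmd.exe) in its place,
        # including from the logon screen, where it runs as SYSTEM.
        $key = Join-Path $IfeoRoot $bin
        if (Test-Path $key) {
            $debugger = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                [pscustomobject]@{ Technique = 'IFEO Debugger redirect'; Target = $bin; Detail = $debugger }
            }
        }
        # Check 2: binary replaced on disk. A swapped sethc.exe is byte-identical
        # to cmd.exe; a patched one no longer carries a valid Microsoft signature.
        $path = Join-Path $system32 $bin
        if (-not (Test-Path $path)) { continue }
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($hash -eq $cmdHash) {
            [pscustomobject]@{ Technique = 'Binary swapped for cmd.exe'; Target = $path; Detail = $hash }
        } elseif (-not (Test-MicrosoftSigned $path)) {
            [pscustomobject]@{ Technique = 'Unsigned accessibility binary'; Target = $path; Detail = $hash }
        }
    }
}

function Get-NetworkProviderFindings {
    # Network providers are DLLs that Windows hands the user's plaintext logon
    # credentials to (via NPLogonNotify) at every logon. Adding a DLL to the
    # provider order is therefore a quiet way to harvest passwords; flag every
    # provider whose DLL is missing or not Microsoft-signed for triage.
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order = (Get-ItemProperty -Path $orderKey -ErrorAction SilentlyContinue).ProviderOrder
    if (-not $order) { return }
    foreach ($name in ($order -split ',')) {
        $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        if (-not (Test-Path $npKey)) { continue }
        $dll = (Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue).ProviderPath
        if (-not $dll) { continue }
        # ProviderPath normally uses %SystemRoot%, so expand it before checking.
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $dllPath)) {
            [pscustomobject]@{ Technique = 'Network provider DLL missing'; Target = $name; Detail = $dllPath }
        } elseif (-not (Test-MicrosoftSigned $dllPath)) {
            [pscustomobject]@{ Technique = 'Non-Microsoft network provider'; Target = $name; Detail = $dllPath }
        }
    }
}

$findings = @(Get-AccessibilityBackdoorFindings) + @(Get-NetworkProviderFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No accessibility-feature or network-provider hijack indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Two caveats when reading the output. A network provider that is not Microsoft-signed is not automatically malicious: VPN and remote-access clients legitimately register providers, so each hit needs to be matched against known-good software on that host. And a clean result only covers the two mechanisms the report describes; an attacker who already has SYSTEM can also patch sethc.exe in place or use a different accessibility binary, so the hash and signature checks matter as much as the IFEO lookup.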
Rochberger concluded that the level of sophistication, the adaptability, and the victimology of this activity group indicate a highly capable APT, suspected to be a nation-state threat actor.