# SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought **[securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought](https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought)** [1. Blog](https://securityscorecard.com/blog) Ryan Sherstobitoff Posted on June 18th, 2021 [SecurityScorecard’s Investigations & Analysis team conducted an investigation into the details surrounding the USAID.gov attack. As has been](https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium) previously reported, the attack has been potentially attributed to the organization commonly known as Cozy Bear, but our investigation found that the campaign is likely much larger, and began much earlier than has been reported. ## Key findings Some of the attack components were created as early as February 2021, potentially suggesting this campaign had multiple waves dating back to the beginning of this year. SecurityScorecard’s analysis suggests that there are multiple campaigns connected to the USAID.gov attack that focus on European governments. We suspect that the attackers are located in the Central Europe and Pacific time zones based on the time zones of the timestamps from the ISO files containing malicious implants. _Timeline of APT29 Activity against US AID_ ## Background ----- O ay, 0, [c oso t e eased a b og post stat g t at](https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/) obe u /Co y ea, t e sa e uss a ac e s o ca ed out t e So a ds attack, was attacking government agencies, think tanks, consultants, and non-governmental organizations. The company said the breach began with a takeover of an email marketing account utilized by the U.S. Agency for International Development (USAID). ## Analysis The SecurityScorecard Investigations & Analysis team conducted an investigation to understand the extent of the campaign and its association with APT29, also known as CozyBear. In an effort to understand actor(s) capabilities and intent, the team analyzed a number of different samples and artifacts which were part of this campaign. We uncovered a longer-running espionage campaign focused on European Governments dating back to earlier this year. The USAID-themed campaign was just the latest in a series of operations involving very similar techniques, tactics, and procedures (TTPs). SecurityScorecard’s Investigations & Analysis team analyzed the reported implant and associated artifacts with the US AID campaign. Our goal was to find any linkage to previous operations conducted by the same adversary. The primary implant is a file known as a DLL (Dynamic Link Library) which contains an encrypted Cobalt Strike beacon. Cobalt Strike is a penetration testing product that is favored among threat actors because it’s well-written, stable, and customizable for ransomware, keylogging, and other payloads. Its use in criminal activities has increased significantly since March 2020 when the product source code was cracked and [distributed on the dark web. Cobalt Strike is an implant used commonly by Russian advanced persistent threat (APT) actors, and other](https://securityscorecard.com/blog/what-is-an-advanced-persistent-threat) cybercrime groups. The DLL file operates as a loader for the beacon and has a number of interesting functionalities. From SecurityScorecard’s analysis of some of the delivery malware (ISO and MacOS DMG files), the attack occurred on May 25, 2021. However, according to file metadata and other information, the attackers began preparing for the attack on April 22, 2021. We collected a total of 6 disk image files with the volume_id of ICA_DECLASS dating back to April 22, 2021. _File Metadata from Disk Image file (ICA-declass.iso)_ Investigating further, we found three DMG (Disk iMaGe) files created on April 22, 2021, and one created on April 25, 2021, which were likely used to create the two ICA-declass.iso files found in the wild. This data indicates that the attack preparation stages began in late April with several targeted image files containing the same implant, LNK, and decoy document. Malware delivered by threat actors often utilizes what is called a decoy document, which is presented to the user as a benign document while the execution of the malicious code occurs in the background. ----- _File Metadata from Disk Image file found earlier in April (ICA-declass.iso)_ The decoy document is based on a report written by the U.S Intelligence community in March 2021. ### Primary delivery From our analysis, the .ISO files containing the implant, LNK, and PDF files were delivered from the following URL. hxxps://usaid.theyardservice.com/d/[victim email address] We found evidence of appended victim email addresses, which indicates possible victims (i.e. victimology) and better information on specifically who the threat actor was interested in. ### Possible false flags In many APT attacks, threat actors will implement false flags (a method used in intelligence trade-craft to misdirect and confuse the true origin of the threat actors) that will lead investigators to then misattribute the attack. In this case, we observed Korean language characters within the PDB value for the primary implant. The PDB path indicates the folder path on the disk where the code was compiled. However, we did not find any evidence that would indicate the origin of this attack had any association with Korean-speaking threat actors. C:\Users\dev\Desktop\나타나게 하다\Dll6\x64\Release\Dll6.pdb ### ISO time zones Using the ExifTool, we extracted the following timestamps from the ISO and DMG files: RootDirectoryCreateDate - the timestamp when the root directory was created VolumeCreateDate - the timestamp when the volume was created VolumeModifyDate - the timestamp when the volume was modified Since these timestamps contain the time zone, they can give us indicators about the attacker’s location. We suspect these timestamps are accurate because they match the timeframe of the campaigns as reported by Microsoft. Additionally, it seems unlikely the attackers would have changed only the time zone values in the ISO files, especially given the locations indicated by the time zones. If the attackers were to make changes to these timestamps, they would have: removed the timestamps entirely, changed the timestamps to completely different values, as they did with the implant DLL files contained in the ISOs, which were changed to April 27, 2019, for both April and May waves, or changed only the time zones to match the Korean one, given that they tried to place a false flag leading investigators to think it might be a North Korean APT using the program debug path (PDB) string. ----- index hash name timestamp timezone 1 2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 ICA-declass.iso 2021:05:25 14:39:25+01:00 2 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 ICA-declass.iso 2021:04:22 12:17:12+01:00 3 324c9201b71c9e62dc7120a0e010617039ea6a25df0d1fee9eaa1fbd3e87bff1 ICA-declass 2021:04:22 12:17:12+01:00 4 54923793beb5d51261effaf636e3b95c64f38daeca8594fb72ad278844ce2eac ICA-declass 2021:04:22 12:17:12+01:00 5 b36823cea4ef39b9a30efb57d6db1c1dc15f2e65d16af217b554506cb7ee7bbe ICA-declass 2021:04:22 12:17:12+01:00 6 d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 ICA-declass 2021:05:25 14:39:25+01:00 7 6e2069758228e8d69f8c0a82a88ca7433a0a71076c9b1cb0d4646ba8236edf23 invitation.iso 2021:02:17 06:10:38-08:00 8 f006af714379fdd63923536d908f916f4c55480f3d07adadd53d5807e0c285ee Reply slip.iso 2021:03:15 11:33:55-07:00 9 749bf48a22ca161d86b6e36e71a6817b478a99d935cd721e8bf3dba716224c84 NV.img 2021:05:12 17:01:30-07:00 10 89016b87e97a07b4e0263a18827defdeaa3e150b1523534bbdebe7305beabb64 AktualizC!ciu.img 2021:03:22 10:06:58-07:00 _Table 1: Time zones for the image files containing the DLL implant_ Central European Time Central European Time Central European Time Central European Time Central European Time Central European Time Pacific Standard Time Pacific Daylight Time Pacific Daylight Time Pacific Daylight Time This means that the location of the systems on which the ISO files were created is somewhere in the Central European time zone (UTC+01:00) for the ICA_DECLASS campaign (samples 1-6) and somewhere in the Pacific time zone (UTC-08:00 during Standard Time and UTC-07:00 during Daylight time) for the non-ICA_DECLASS campaigns (samples 7-10). This might suggest: a group split in two different locations, changing the clock settings to reflect the target’s local two different groups The hypothesis for this being two different groups is supported by the fact that both campaigns coexisted during a period of time in which the ICA_DECLASS campaign didn’t change much between its April and May waves (the decoy document and the shortcut are identical, the DLL file is identical except some anti-analysis techniques added to the packer), while the non-ICA_DECLASS campaigns varied significantly the malware delivery mechanism for the February, March and May waves using various components such as the NV HTML dropper, the BoomBox malware, and the NativeCacheSvc loader. ### Anti-analysis In the US AID attack, the implant from April makes use of techniques to complicate analysis. The implant from May is identical but without the anti-analysis techniques. ----- e a t a a ys s co po ates et ods to e su e t does ot e ecute a tua o sa dbo ed e o e t s s o as e as e malware” because it attempts to avoid detection by being aware of the environment in which it has landed. Modern anti-virus solutions and platforms create so-called “detonation environments” for email attachments and file downloads in a virtual or sandboxed workstation instance in order to observe any malicious behavior by the malware in order to keep it from infecting or compromising actual company assets and environments. **Processor make** One specific evasive malware technique is obtaining information about the CPU processor make and model through querying the cpuid. If the cpuid matches any of those in the list shown in the screenshot, the implant will exit without exhibiting its next attack phase behaviors. The implant incorporates a predefined list of cpuid values that are associated with popular virtualized and sandboxed environments. **Virtualbox guest addition utilities** The implant will also exit if any of the following files exist on the target machine as shown in the screenshot below. **Adapter organizational unique identifier (OUI)** The implant will check the adapter OUI for a set of specific values and will exit if the OUI matches. ----- a ys s o t e a a e e ea s t e o o g p ede ed st o OU a ues, a y o c cause t e p a t to e t e ecut o 08:00:27 PCS Systemtechnik GmbH 08:00:20 Oracle Corporation 00:1c:42 Parallels, Inc. 00:05:69 VMware, Inc. 00:00:29 IMC NETWORKS CORP. 00:01:14 KANDA TSUSHIN KOGYO CO., LTD. 00:50:56 VMware, Inc. **Checking registry keys** Furthermore, the implant will exit if the following registry keys exist on the target system as they are associated with virtual server environments and sandboxed environments. The implant will try to open each registry key using the API RegOpenKeyExA to determine if a registry key exists in the system. If the registry key exists the malware decides to discontinue further execution of the payload until such time as it has reached a “real” laptop or workstation. ### Second-stage payload If all the checks mentioned in the section above pass, the implant is ready to deploy second-stage payloads and will de-obfuscate the next stage malware payload in a newly allocated memory address on the laptop or workstation and jump to it. **Memory allocation** The memory will be created with the protection flag “PAGE_READWRITE” Therefore the 261,670 bytes allocated only allows read and write access. After the code was written to an active memory location, the implant will change the flag to “PAGE_EXECUTE_READ”, which changes the memory address to be executable. **De-obfuscation** The implant de-obfuscates data stored in the “.data” section and stores it in the newly allocated memory for execution. The de-obfuscation is simply swapping two consecutive bytes’ order After this change, the code calls the start of the allocated address: Since the allocated address contains the packed DLL prepended by a few NOP instructions, it interprets the first few bytes of the DLL MS-DOS header as code instructions and executes them. These few code instructions compute an address located somewhere in the middle of the allocated memory, which contains the only un-encrypted part of the code. It starts executing from there in order to decrypt the rest of the DLL by XOR-ing each byte with a single byte key and execute it. **Cobalt Strike beacon** The de-obfuscated code is a customized Cobalt Strike beacon with the following configuration: ----- payload type windows-beacon_https-reverse_https port 443 sleeptime 45000 maxgetsize 1403644 jitter 37 publickey 30819f300d06092a864886f70d010101050003818d003081890281810086bae1427b24ba6af5627f9fcc0266babc4ecc server, get-uri 'dataplane.theyardservice.com,/jquery-3.3.1.min.woff2,cdn.theyardservice.com,/jquery-3.3.1.min.woff2,static.theyard spawnTo (NULL ...) spawnto_x86 '%windir%\\syswow64\\dllhost.exe' spawnto_x64 '%windir%\\sysnative\\dllhost.exe' cryptoScheme 0 get-verb 'GET' post-verb 'POST' HttpPostChunk 0 license-id 1359593325 bStageCleanup 1 bCFGCaution 0 useragent 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko' post-uri '/jquery-3.3.2.min.woff2' Malleable_C2_Instructions '\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x05ò\x00\x00\x00\x02\x00\x00\x00T\x00\x00\x00\x02\x00\x00\x0f[\x00\x http_get_header b'_cfuid=', b'Cookie' http_post_header b'_cfuid' HostHeader (NULL ...) UsesCookies 1 proxy_type 2 IE settings killdate 0 textSectionEnd 177872 ----- ObfuscateSectionsInfo '\x00À\x02\x00r¸\x03\x00\x00À\x03\x00\x88\x85\x04\x00\x00\x90\x04\x004°\x04\x00\x00À\x04\x00^Ï\x04' process-inject-start-rwx PAGE_READWRITE process-inject-use-rwx PAGE_EXECUTE_READ process-inject-min_alloc 0 process-inject-transformx86 process-inject-transformx64 '\x00\x00\x00\x1e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ '\x00\x00\x00 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 process-inject-stub '\x0câõTDäy5\x16µ¯ég¾\x92U' process-inject-execute '\x06\x00B\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x03\x04' process-inject-allocationmethod 1 ## Cobalt Strike watermark The U.S. Government and open source reporting potentially attributed the attack to APT 29 (aka Cozy Bear). The SecurityScorecard Investigations & Analysis team has observed multiple artifacts indicating multiple possible sources, including false flags and intentional overlaps with other cybercrime groups. Through our analysis of this attack, we observed in the Cobalt Strike beacon configuration file found within Document.DLL a value associated with license-id. This value is 1359593325; this particular value has been identified as a digital watermark in open source reporting as [associated with actors involved with Trickbot and ransomware as well as Nim. It is possible that this is another potential false flag intended to](https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c) misattribute, or the usage of the same leaked or pirated kit of Cobalt Strike used by multiple attackers. ## Attacker infrastructure In our analysis using NetFlow data we were able to obtain visibility into how the attacker utilized various infrastructures. The adversary accessed infrastructure via proxies/VPNs from the United States, Brazil, Vietnam, Bulgaria, Bangladesh, Netherlands, and Mozambique. ----- _SSH connections to 83.171.237[.]173_ ## Victimology Through the analysis of the implant some possible clues exist about the victimology of this campaign. The analysis of the implant indicates that a connection is made from the malware-infected device to usaid.gov on TCP port 443 as part of the execution process. _TCP Connection made to USAID.gov_ Using insights with NetFlow data we were able to determine that connections were made from numerous countries from May 25 to May 28. This has revealed the extent of this campaign, in relation to the usaid.gov intrusion and the targeted countries that we were able to observe. Some of the connections made to usaid.gov are legitimate connections while others are from infected systems. ----- _Connections made to USAID.gov during the campaign_ Victims in click-through campaigns from targeted spear phishing emails are directed to download the ISO or DMG file. https://r20.rs6.net/tn.jsp?f=001R6x5duwxLa513iT3wolVtyZj3Ojypr9nwPwZKB3X68SGRFzUVNUR4MdENUXj_c4poo1hx_rFF79P1NsazEFONIrA9G0ypkCwKTRfL95fp3xUyuceYYrPAtcDp20R1wmwXZ197ks1FH22V3BIcZYlAfIHdUZQ3M&c=6nYGyV77i2Z48gKmOkG81MeQ_ZZV6tFO7EIWrx0Ptyld2S0ieISXPQ==&ch=thDJXBA5D5ATg95nuLlO [[email protected]](https://securityscorecard.com/cdn-cgi/l/email-protection) _Link tied to downloading MacOS DMG image with implant_ https://r20.rs6.net/tn.jsp?f=001R6x5duwxLa513iT3wolVtyZj3Ojypr9nwPwZKB3X68SGRFzUVNUR4MdENUXj_c4poo1hx_rFF79P1NsazEFONIrA9G0ypkCwKTRfL95fp3xUyuceYYrPAtcDp20R1wmw-XZ197ks1FH22V3BIcZYlAfIHdUZQ3M&c=3kzVSpJEUGcXfsBoW4ytkDpjQ5l[BL4puvzumdVoEf0b3lDcRJGgvA==&ch=FGxQis-Nw2yGirWi8qjdrsv_upu7Nv9idIt4bOJx8RKMhJ6tZx8d7w==&[email protected]](https://securityscorecard.com/cdn-cgi/l/email-protection) _Link tied to downloading ISO image with implant_ https://r20.rs6.net/tn.jsp?f=001R6x5duwxLa513iT3wolVtyZj3Ojypr9nwPwZKB3X68SGRFzUVNUR4MdENUXj_c4poo1hx_rFF79P1NsazEFONIrA9G0ypkCwKTRfL95fp3xUyuceYYrPAtcDp20R1wmw-XZ197ks1FH22V3BIcZYlAfIHdUZQ3M&c=3kzVSpJEUGcXfsBoW4ytkDpjQ5l[BL4puvzumdVoEf0b3lDcRJGgvA==&ch=FGxQis-Nw2yGirWi8qjdrsv_upu7Nv9idIt4bOJx8RKMhJ6tZx8d7w==&[email protected]](https://securityscorecard.com/cdn-cgi/l/email-protection) _Link tied to downloading ISO image with implant_ ## Campaign analysis While this report focuses primarily on the USAID breach and the campaign surrounding that, additional IOCs have surfaced in the public, indicating that the campaign is much larger than originally thought. Based on the indicators of compromise available, our analysis indicates that there are multiple campaigns that focus on European governments. Many of the methods are similar to that of the USAID attack (using ISO files with malicious content). The data that we have collected indicates multiple campaigns by the same adversary dating back to early 2021. ### Invitation campaign - February to March 2021 Some of the components were created as early as February 2021, potentially suggesting this campaign had multiple waves dating back to the beginning of this year. While the method of utilizing a malicious ISO file has remained unchanged, additional information has provided valuable new insights. ----- _Invitation Document.iso_ **139.99.167.177 (Cobalt Strike)** The following IP address is a Cobalt Strike command and control endpoint discovered to be associated with Invitation Document.iso. The URL for this command and control server is hxxps://139.99.167.177/jquery-3.3.1.min.js. We observed connections being made to the Cobalt Strike server during the period of the campaign from the United States, Brazil, India, France, Sweden, Turkey, Ukraine, and many other countries. _Victimology Map_ **Invitation.html** The following file was sent as a malicious attachment in a spear phishing email. Just as we observed with the USAID attack, the victim is being redirected to a site to download the invitation.iso file. [https://humanitarian-forum.web... email belonging to the Auswärtiges Amt, the German Federal Foreign Affairs Office](https://humanitarian-forum.web.app/mail) In this campaign the attackers were found to be using FireBase in order to track who clicked on the links in the spear phishing emails. ----- ### Embassy of Hellenic Republic Campaign - March 2021 Another campaign that we observed occurred in March 2021, using the Embassy of Hellenic Republic (i.e. Greece) as a lure. This campaign also utilizes an ISO file with a decoy document and a malicious .DLL file. _Reply_Slip.ISO_ ----- _Decoy document used in campaign, with multiple typos and misspellings_ _Malicious HTML to load ISO file_ ----- _Malicious HTML_ ### Ministry of Foreign Affairs Italy Campaign - May 2021 Another campaign that was observed was using the Ministry of Foreign Affairs in Italy as a lure. This campaign also utilizes the BOOM loader as described below in the Belgium campaign analysis. _Attachment.img_ ----- _Decoy Document_ ### Belgium Government Campaign - May 2021 Another campaign that was discovered to be operating using decoy documents used content from the Government of Belgium. The following decoy document was contained within a file named NV.img. ----- _NV.PDF decoy document_ ----- _NV.img metadata_ _NV.img contents_ A basic data gathering implant known as BOOM was involved in this campaign, compiled May 12, 2021. This file is also designed to load a DLL file into Explorer.exe, a native Windows executable. The BOOM.exe contained the following PDB path contained within the metadata. C:\Users\dev10vs\Desktop\Prog\Obj\BOOM\BOOM\BOOM\obj\Release\BOOM.pdb Based on the .NET GUID value there are four variants of the BOOM malware. The BOOM executable is a .NET executable. _.NET properties for BOOM.exe_ The implant has the capability of capturing host information such as IP address, domain name, operating system, etc. ----- _Get host information_ Based on code analysis of the BOOM.exe there is a function to also get Active Directory information from a target system. _Get ADINFO function_ The implant had the capability of uploading and downloading files on Dropbox. ----- _URL Definitions_ _Download Function_ _Upload File function_ Besides the data gathering functionality, this implant will also load a DLL file (NativeCacheSvc.dll) into Explorer.exe. ----- [The associated spear phishing email accompanying the malicious files was sent on May 12, 2021.](https://securityscorecard.com/blog/cybersecurity-threats-to-protect-against-in-2021) ----- The following is an analysis associated with the URL contained within the attachment NV.html. We observed a number of connections being made to the IP address hosting a malicious file img_lk.png during the month of May. The domain enpport.com, used to deliver the malicious HTML, resolved to the IP address 54.38.137.218. This URL is contained within an attachment for an email sent to victims in a targeted spear phishing campaign. Attachment in spear phishing email _Connections made to hxxp://54.38.137.218/img_lk.png_ ### What can organizations do to detect the activity? All organizations are susceptible to cyber attacks. For any that suspect they have been affected (and even those who don't) continuous monitoring is critical to have in place to alert on suspicious IPs. We also cannot overstate the importance of human error and not falling prey to phishing emails. No firewall product will stop an organization from getting breached if employees click on compromised links. Cybersecurity training and basic literacy are essential to an organization’s safety. Additionally, not having exposed services is the top barrier to most adversaries. Keep in mind that ransomware groups scan the internet for vulnerable services and run automated code to hack the boxes. APTs however are dedicating teams to researching and understanding very specific targets and exploiting an organization’s weaknesses -- be they social or digital. Constant vigilance is key to understanding if your organization has been compromised and how to prevent it in the future. ## Conclusion ----- at bega as a a a ys s o a attac o US as e pa ded ou u de sta d g o t e scope o ta gets to c ude se e a u opea government offices as well as non-government organizations. The piece that links all of these entities is their role in shaping international policy. A combination of evasive malware, spear phishing, and vulnerability exploits in the targets of the attack provides ample evidence that this is the work of an APT and not the usual organized crime behavior looking to make money through ransomware and malware. If this pattern of attack were to be extrapolated beyond the current TTPs, one can presume that data exfiltration, extortion, disinformation, and disruption of the targeted organizations is to be expected in the near future. In order to mitigate and lessen the impact of these attacks, SecurityScorecard has dedicated the attention of its Investigations & Analysis team to researching and understanding the mechanics of the attacks in order to share that information with the larger community of threat intelligence researchers, government agencies, information security professionals and associated media organizations. It is through the sharing of information that our collective awareness and ability to defend against these and other attacks is fortified. In the delivery of our security ratings platform and threat intelligence research, we have built a powerful engine of analysis and insights into the daily changes to the security posture of over 5 million companies and organizations. [Return to Blog](https://securityscorecard.com/blog) -----