SecurityScorecard’s Investigations & Analysis team conducted an investigation into the details surrounding the USAID.gov attack. As has been previously reported, the attack has been potentially attributed to the organization commonly known as Cozy Bear, but our investigation found that the campaign is likely much larger, and began much earlier than has been reported.
- Some of the attack components were created as early as February 2021, potentially suggesting this campaign had multiple waves dating back to the beginning of this year.
- SecurityScorecard’s analysis suggests that there are multiple campaigns connected to the USAID.gov attack that focus on European governments.
- We suspect that the attackers are located in the Central Europe and Pacific time zones based on the time zones of the timestamps from the ISO files containing malicious implants.
Timeline of APT29 Activity against US AID
On May 27, 2021, Microsoft released a blog post stating that Nobelium/CozyBear, the same Russian hackers who carried out the SolarWinds attack, was attacking government agencies, think tanks, consultants, and non-governmental organizations. The company said the breach began with a takeover of an email marketing account utilized by the U.S. Agency for International Development (USAID).
The SecurityScorecard Investigations & Analysis team conducted an investigation to understand the extent of the campaign and its association with APT29, also known as CozyBear. In an effort to understand actor(s) capabilities and intent, the team analyzed a number of different samples and artifacts which were part of this campaign. We uncovered a longer-running espionage campaign focused on European Governments dating back to earlier this year. The USAID-themed campaign was just the latest in a series of operations involving very similar techniques, tactics, and procedures (TTPs).
SecurityScorecard’s Investigations & Analysis team analyzed the reported implant and associated artifacts with the US AID campaign. Our goal was to find any linkage to previous operations conducted by the same adversary.
The primary implant is a file known as a DLL (Dynamic Link Library) which contains an encrypted Cobalt Strike beacon. Cobalt Strike is a penetration testing product that is favored among threat actors because it’s well-written, stable, and customizable for ransomware, keylogging, and other payloads. Its use in criminal activities has increased significantly since March 2020 when the product source code was cracked and distributed on the dark web. Cobalt Strike is an implant used commonly by Russian advanced persistent threat (APT) actors, and other cybercrime groups. The DLL file operates as a loader for the beacon and has a number of interesting functionalities.
From SecurityScorecard’s analysis of some of the delivery malware (ISO and MacOS DMG files), the attack occurred on May 25, 2021. However, according to file metadata and other information, the attackers began preparing for the attack on April 22, 2021. We collected a total of 6 disk image files with the volume_id of ICA_DECLASS dating back to April 22, 2021.
File Metadata from Disk Image file (ICA-declass.iso)
Investigating further, we found three DMG (Disk iMaGe) files created on April 22, 2021, and one created on April 25, 2021, which were likely used to create the two ICA-declass.iso files found in the wild. This data indicates that the attack preparation stages began in late April with several targeted image files containing the same implant, LNK, and decoy document. Malware delivered by threat actors often utilizes what is called a decoy document, which is presented to the user as a benign document while the execution of the malicious code occurs in the background.
File Metadata from Disk Image file found earlier in April (ICA-declass.iso)
The decoy document is based on a report written by the U.S Intelligence community in March 2021.
From our analysis, the .ISO files containing the implant, LNK, and PDF files were delivered from the following URL.
- hxxps://usaid.theyardservice.com/d/[victim email address]
We found evidence of appended victim email addresses, which indicates possible victims (i.e. victimology) and better information on specifically who the threat actor was interested in.
Possible false flags
In many APT attacks, threat actors will implement false flags (a method used in intelligence trade-craft to misdirect and confuse the true origin of the threat actors) that will lead investigators to then misattribute the attack. In this case, we observed Korean language characters within the PDB value for the primary implant. The PDB path indicates the folder path on the disk where the code was compiled. However, we did not find any evidence that would indicate the origin of this attack had any association with Korean-speaking threat actors.
- C:\Users\dev\Desktop\나타나게 하다\Dll6\x64\Release\Dll6.pdb
ISO time zones
Using the ExifTool, we extracted the following timestamps from the ISO and DMG files:
- RootDirectoryCreateDate - the timestamp when the root directory was created
- VolumeCreateDate - the timestamp when the volume was created
- VolumeModifyDate - the timestamp when the volume was modified
Since these timestamps contain the time zone, they can give us indicators about the attacker’s location.
We suspect these timestamps are accurate because they match the timeframe of the campaigns as reported by Microsoft. Additionally, it seems unlikely the attackers would have changed only the time zone values in the ISO files, especially given the locations indicated by the time zones.
If the attackers were to make changes to these timestamps, they would have:
- removed the timestamps entirely,
- changed the timestamps to completely different values, as they did with the implant DLL files contained in the ISOs, which were changed to April 27, 2019, for both April and May waves, or
- changed only the time zones to match the Korean one, given that they tried to place a false flag leading investigators to think it might be a North Korean APT using the program debug path (PDB) string.
Central European Time
Central European Time
Central European Time
Central European Time
Central European Time
Central European Time
Pacific Standard Time
Pacific Daylight Time
Pacific Daylight Time
Pacific Daylight Time
Table 1: Time zones for the image files containing the DLL implant
This means that the location of the systems on which the ISO files were created is somewhere in the Central European time zone (UTC+01:00) for the ICA_DECLASS campaign (samples 1-6) and somewhere in the Pacific time zone (UTC-08:00 during Standard Time and UTC-07:00 during Daylight time) for the non-ICA_DECLASS campaigns (samples 7-10).
This might suggest:
- a group split in two different locations,
- changing the clock settings to reflect the target’s local
- two different groups
The hypothesis for this being two different groups is supported by the fact that both campaigns coexisted during a period of time in which the ICA_DECLASS campaign didn’t change much between its April and May waves (the decoy document and the shortcut are identical, the DLL file is identical except some anti-analysis techniques added to the packer), while the non-ICA_DECLASS campaigns varied significantly the malware delivery mechanism for the February, March and May waves using various components such as the NV HTML dropper, the BoomBox malware, and the NativeCacheSvc loader.
In the US AID attack, the implant from April makes use of techniques to complicate analysis. The implant from May is identical but without the anti-analysis techniques.
The anti-analysis incorporates methods to ensure it does not execute in a virtual or sandboxed environment. This is known as “evasive malware” because it attempts to avoid detection by being aware of the environment in which it has landed. Modern anti-virus solutions and platforms create so-called “detonation environments” for email attachments and file downloads in a virtual or sandboxed workstation instance in order to observe any malicious behavior by the malware in order to keep it from infecting or compromising actual company assets and environments.
One specific evasive malware technique is obtaining information about the CPU processor make and model through querying the cpuid. If the cpuid matches any of those in the list shown in the screenshot, the implant will exit without exhibiting its next attack phase behaviors. The implant incorporates a predefined list of cpuid values that are associated with popular virtualized and sandboxed environments.
Virtualbox guest addition utilities
The implant will also exit if any of the following files exist on the target machine as shown in the screenshot below.
Adapter organizational unique identifier (OUI)
The implant will check the adapter OUI for a set of specific values and will exit if the OUI matches.
Analysis of the malware reveals the following predefined list of OUI values, any of which will cause the implant to exit execution:
- 08:00:27 PCS Systemtechnik GmbH
- 08:00:20 Oracle Corporation
- 00:1c:42 Parallels, Inc.
- 00:05:69 VMware, Inc.
- 00:00:29 IMC NETWORKS CORP.
- 00:01:14 KANDA TSUSHIN KOGYO CO., LTD.
- 00:50:56 VMware, Inc.
Checking registry keys
Furthermore, the implant will exit if the following registry keys exist on the target system as they are associated with virtual server environments and sandboxed environments.
The implant will try to open each registry key using the API RegOpenKeyExA to determine if a registry key exists in the system. If the registry key exists the malware decides to discontinue further execution of the payload until such time as it has reached a “real” laptop or workstation.
If all the checks mentioned in the section above pass, the implant is ready to deploy second-stage payloads and will de-obfuscate the next stage malware payload in a newly allocated memory address on the laptop or workstation and jump to it.
The memory will be created with the protection flag “PAGE_READWRITE”
Therefore the 261,670 bytes allocated only allows read and write access. After the code was written to an active memory location, the implant will change the flag to “PAGE_EXECUTE_READ”, which changes the memory address to be executable.
The implant de-obfuscates data stored in the “.data” section and stores it in the newly allocated memory for execution. The de-obfuscation is simply swapping two consecutive bytes’ order
After this change, the code calls the start of the allocated address:
Since the allocated address contains the packed DLL prepended by a few NOP instructions, it interprets the first few bytes of the DLL MS-DOS header as code instructions and executes them. These few code instructions compute an address located somewhere in the middle of the allocated memory, which contains the only un-encrypted part of the code. It starts executing from there in order to decrypt the rest of the DLL by XOR-ing each byte with a single byte key and execute it.
Cobalt Strike beacon
The de-obfuscated code is a customized Cobalt Strike beacon with the following configuration:
'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko'
2 IE settings
Cobalt Strike watermark
The U.S. Government and open source reporting potentially attributed the attack to APT 29 (aka Cozy Bear). The SecurityScorecard Investigations & Analysis team has observed multiple artifacts indicating multiple possible sources, including false flags and intentional overlaps with other cybercrime groups.
Through our analysis of this attack, we observed in the Cobalt Strike beacon configuration file found within Document.DLL a value associated with license-id. This value is 1359593325; this particular value has been identified as a digital watermark in open source reporting as associated with actors involved with Trickbot and ransomware as well as Nim. It is possible that this is another potential false flag intended to misattribute, or the usage of the same leaked or pirated kit of Cobalt Strike used by multiple attackers.
In our analysis using NetFlow data we were able to obtain visibility into how the attacker utilized various infrastructures. The adversary accessed infrastructure via proxies/VPNs from the United States, Brazil, Vietnam, Bulgaria, Bangladesh, Netherlands, and Mozambique.
SSH connections to 83.171.237[.]173
Through the analysis of the implant some possible clues exist about the victimology of this campaign. The analysis of the implant indicates that a connection is made from the malware-infected device to usaid.gov on TCP port 443 as part of the execution process.
TCP Connection made to USAID.gov
Using insights with NetFlow data we were able to determine that connections were made from numerous countries from May 25 to May 28. This has revealed the extent of this campaign, in relation to the usaid.gov intrusion and the targeted countries that we were able to observe. Some of the connections made to usaid.gov are legitimate connections while others are from infected systems.
Connections made to USAID.gov during the campaign
Victims in click-through campaigns from targeted spear phishing emails are directed to download the ISO or DMG file.
Link tied to downloading MacOS DMG image with implant
Link tied to downloading ISO image with implant
Link tied to downloading ISO image with implant
While this report focuses primarily on the USAID breach and the campaign surrounding that, additional IOCs have surfaced in the public, indicating that the campaign is much larger than originally thought. Based on the indicators of compromise available, our analysis indicates that there are multiple campaigns that focus on European governments. Many of the methods are similar to that of the USAID attack (using ISO files with malicious content).
The data that we have collected indicates multiple campaigns by the same adversary dating back to early 2021.
Invitation campaign - February to March 2021
Some of the components were created as early as February 2021, potentially suggesting this campaign had multiple waves dating back to the beginning of this year. While the method of utilizing a malicious ISO file has remained unchanged, additional information has provided valuable new insights.
22.214.171.124 (Cobalt Strike)
The following IP address is a Cobalt Strike command and control endpoint discovered to be associated with Invitation Document.iso. The URL for this command and control server is hxxps://126.96.36.199/jquery-3.3.1.min.js. We observed connections being made to the Cobalt Strike server during the period of the campaign from the United States, Brazil, India, France, Sweden, Turkey, Ukraine, and many other countries.
The following file was sent as a malicious attachment in a spear phishing email. Just as we observed with the USAID attack, the victim is being redirected to a site to download the invitation.iso file.
https://humanitarian-forum.web... email belonging to the Auswärtiges Amt, the German Federal Foreign Affairs Office
In this campaign the attackers were found to be using FireBase in order to track who clicked on the links in the spear phishing emails.
Embassy of Hellenic Republic Campaign - March 2021
Another campaign that we observed occurred in March 2021, using the Embassy of Hellenic Republic (i.e. Greece) as a lure. This campaign also utilizes an ISO file with a decoy document and a malicious .DLL file.
Decoy document used in campaign, with multiple typos and misspellings
Malicious HTML to load ISO file
Ministry of Foreign Affairs Italy Campaign - May 2021
Another campaign that was observed was using the Ministry of Foreign Affairs in Italy as a lure. This campaign also utilizes the BOOM loader as described below in the Belgium campaign analysis.
Belgium Government Campaign - May 2021
Another campaign that was discovered to be operating using decoy documents used content from the Government of Belgium. The following decoy document was contained within a file named NV.img.
NV.PDF decoy document
A basic data gathering implant known as BOOM was involved in this campaign, compiled May 12, 2021. This file is also designed to load a DLL file into Explorer.exe, a native Windows executable. The BOOM.exe contained the following PDB path contained within the metadata.
Based on the .NET GUID value there are four variants of the BOOM malware.
The BOOM executable is a .NET executable.
.NET properties for BOOM.exe
The implant has the capability of capturing host information such as IP address, domain name, operating system, etc.
Get host information
Based on code analysis of the BOOM.exe there is a function to also get Active Directory information from a target system.
Get ADINFO function
The implant had the capability of uploading and downloading files on Dropbox.
Upload File function
Besides the data gathering functionality, this implant will also load a DLL file (NativeCacheSvc.dll) into Explorer.exe.
The associated spear phishing email accompanying the malicious files was sent on May 12, 2021.
The following is an analysis associated with the URL contained within the attachment NV.html. We observed a number of connections being made to the IP address hosting a malicious file img_lk.png during the month of May. The domain enpport.com, used to deliver the malicious HTML, resolved to the IP address 188.8.131.52. This URL is contained within an attachment for an email sent to victims in a targeted spear phishing campaign.
Attachment in spear phishing email
Connections made to hxxp://184.108.40.206/img_lk.png
What can organizations do to detect the activity?
All organizations are susceptible to cyber attacks. For any that suspect they have been affected (and even those who don't) continuous monitoring is critical to have in place to alert on suspicious IPs.
We also cannot overstate the importance of human error and not falling prey to phishing emails. No firewall product will stop an organization from getting breached if employees click on compromised links. Cybersecurity training and basic literacy are essential to an organization’s safety.
Additionally, not having exposed services is the top barrier to most adversaries. Keep in mind that ransomware groups scan the internet for vulnerable services and run automated code to hack the boxes. APTs however are dedicating teams to researching and understanding very specific targets and exploiting an organization’s weaknesses -- be they social or digital. Constant vigilance is key to understanding if your organization has been compromised and how to prevent it in the future.
What began as an analysis of an attack on US AID has expanded our understanding of the scope of targets to include several European government offices as well as non-government organizations. The piece that links all of these entities is their role in shaping international policy. A combination of evasive malware, spear phishing, and vulnerability exploits in the targets of the attack provides ample evidence that this is the work of an APT and not the usual organized crime behavior looking to make money through ransomware and malware. If this pattern of attack were to be extrapolated beyond the current TTPs, one can presume that data exfiltration, extortion, disinformation, and disruption of the targeted organizations is to be expected in the near future.
In order to mitigate and lessen the impact of these attacks, SecurityScorecard has dedicated the attention of its Investigations & Analysis team to researching and understanding the mechanics of the attacks in order to share that information with the larger community of threat intelligence researchers, government agencies, information security professionals and associated media organizations. It is through the sharing of information that our collective awareness and ability to defend against these and other attacks is fortified. In the delivery of our security ratings platform and threat intelligence research, we have built a powerful engine of analysis and insights into the daily changes to the security posture of over 5 million companies and organizations.