A previously unknown attack group named Clasiopa was observed targeting a materials research organization in Asia, wielding a distinct toolset that includes a custom backdoor (Atharvan). The intrusion combines discovery, defense-evasion and exfiltration tradecraft: suspected brute-force access to public-facing servers, attempts to disable endpoint protection, clearing of event logs, collection and exfiltration of file lists, and C2 communications over HTTP POST requests with a spoofed Host header. #Clasiopa #Atharvan
Keypoints
- The group, dubbed Clasiopa by Symantec, targets a materials research organization in Asia and uses a distinctive toolset including a custom RAT named Atharvan.
- The infection vector is not identified, but brute-force access on public-facing servers is suspected.
- Attackers checked device IPs with ifconfig.me/ip and attempted to disable security tooling (SEP) via SepMasterService and smc -stop, aided by administrative credentials.
- Backdoors were used to enumerate and exfiltrate file lists, via Thumb.db or Zip archives.
- Sysmon logs and all event logs were cleared using wsmprovhost and PowerShell, respectively, indicating defense evasion.
- A scheduled task named “network service” was created to list file names, suggesting ongoing data discovery.
- Legitimate software (Agile DGS/Agile FD, and HCL Domino) appeared on compromised hosts; backdoors were sometimes renamed to mimic benign processes.
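The log-clearing and scheduled-task activity in the keypoints above leaves Windows event records that can be hunted for. The following is an added example written for this page, not Symantec's tooling or anything from the Clasiopa report: it tags event records that match the reported behaviour (an event log cleared, a task named "network service" created, a process spawned by the WinRM host wsmprovhost.exe that runs a log-clearing command). The event IDs 104, 1102, 4688 and 4698 are standard Windows event log IDs, not from the report; the sample records and host name are constructed, and the EventData field names mirror the Windows XML names but will need mapping to your SIEM's schema.

```python
"""Hunt for Clasiopa-style defense-evasion and persistence artifacts in
exported Windows event records.

Added example for this page, not Symantec code. Event IDs relied on
(Windows event log, not the Clasiopa report):
  104  Microsoft-Windows-Eventlog, System channel: an event log was cleared
  1102 Microsoft-Windows-Eventlog, Security channel: the audit log was cleared
  4688 Security: a new process was created
  4698 Security: a scheduled task was created
All records below are constructed for the demo.
"""
from typing import Dict, List, Tuple

Event = Dict[str, object]

LOG_CLEARED_IDS = {104, 1102}
PROCESS_CREATED_ID = 4688
TASK_CREATED_ID = 4698
SUSPECT_TASK_NAMES = {"network service"}      # task name reported by Symantec
REMOTE_SHELL_PARENTS = {"wsmprovhost.exe"}    # WinRM host process: remote PowerShell
LOG_CLEAR_MARKERS = ("clear-eventlog", "wevtutil")


def _leaf(path: str) -> str:
    """Last path component, lower-cased: r'\network service' -> 'network service'."""
    return path.rsplit("\\", 1)[-1].strip().lower()


def classify(ev: Event) -> List[str]:
    """Return the detection tags that apply to one event (empty list if benign)."""
    eid = int(ev["EventID"])
    data = ev.get("EventData", {})
    tags: List[str] = []
    if eid in LOG_CLEARED_IDS:
        # 104 names the cleared channel; 1102 is always the Security log
        tags.append("log_cleared:" + str(data.get("Channel", "Security")))
    elif eid == TASK_CREATED_ID and _leaf(str(data.get("TaskName", ""))) in SUSPECT_TASK_NAMES:
        tags.append("suspect_task:" + _leaf(str(data["TaskName"])))
    elif eid == PROCESS_CREATED_ID:
        parent = _leaf(str(data.get("ParentProcessName", "")))
        cmd = str(data.get("CommandLine", "")).lower()
        if parent in REMOTE_SHELL_PARENTS:
            tags.append("winrm_spawned_process")
            if any(marker in cmd for marker in LOG_CLEAR_MARKERS):
                tags.append("remote_log_clear_command")
    return tags


def hunt(events: List[Event]) -> List[Tuple[str, int, List[str]]]:
    """Return (computer, event id, tags) for every event that triggers a tag."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append((str(ev["Computer"]), int(ev["EventID"]), tags))
    return findings


# Constructed sample records (host name, user and command lines are made up).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4624, "Computer": "RES-WS01", "EventData": {"LogonType": "10"}},
    {"EventID": 4688, "Computer": "RES-WS01", "EventData": {
        "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -NoP -c "Clear-EventLog -LogName Security"'}},
    {"EventID": 104, "Computer": "RES-WS01", "EventData": {
        "Channel": "Microsoft-Windows-Sysmon/Operational", "SubjectUserName": "admin"}},
    {"EventID": 1102, "Computer": "RES-WS01", "EventData": {"SubjectUserName": "admin"}},
    {"EventID": 4698, "Computer": "RES-WS01", "EventData": {"TaskName": r"\network service"}},
    {"EventID": 4698, "Computer": "RES-WS01", "EventData": {
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"}},
]

if __name__ == "__main__":
    for computer, eid, tags in hunt(SAMPLE_EVENTS):
        print(computer, eid, ", ".join(tags))
```

Event 4688 only carries the command line if "Include command line in process creation events" is enabled by policy, and 4698 requires the "Audit Other Object Access Events" subcategory; without those the 4688 and 4698 rules are silent, so the Sysmon equivalents (event 1 with ParentImage, and 104 in the System log for Sysmon's own channel being cleared) are the fallback.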
MITRE Techniques
- [T1110] Brute Force – Brute force attacks on public facing servers to gain initial access. ‘The infection vector used by Clasiopa is unknown, although there is some evidence to suggest that the attackers gain access through brute force attacks on public facing servers.’
- [T1016.001] Internet Connection Discovery (sub-technique of System Network Configuration Discovery) – Discovery of the impacted system's public IP address via ifconfig.me/ip. ‘The attackers checked the IP addresses of the computers they were on using: https://ifconfig.me/ip’
- [T1562.001] Impair Defenses – Disable or modify security tools. ‘An attempt was made to disable Symantec Endpoint Protection (SEP) … second attempt was made to disable SEP using “smc -stop”.’
- [T1041] Exfiltration Over C2 Channel – Exfiltration of file lists via Thumb.db or a Zip archive to a C2 channel. ‘The attackers used multiple backdoors to build lists of file names and exfiltrate them. These lists were exfiltrated either in a Thumb.db file or a Zip archive.’
- [T1070.001] Clear Windows Event Logs – Clearing logs to evade detection. ‘Sysmon logs were cleared using wsmprovhost’ and ‘All eventlogs were cleared using PowerShell.’
- [T1053.005] Scheduled Task – Create a scheduled task to enumerate files. ‘A scheduled task named “network service” was created to list file names.’
- [T1059.001] PowerShell – Use of PowerShell for command execution and defense evasion. ‘All eventlogs were cleared using PowerShell.’
- [T1083] File and Directory Discovery – Enumerate files to exfiltrate via Thumbsender. ‘Thumbsender: Hacking tool which, when it receives a command from a C&C server will list file names on the computer and save them in a file called Thumb.db before sending them to a specified IP address.’
- [T1090] Proxy – Use of a custom proxy tool to route or obfuscate traffic. ‘Custom proxy tool.’
- [T1071.001] Web Protocols – C2 communications over HTTP POST with a spoofed host header. ‘The C&C communications are formatted as HTTP POST requests … Host header: “update.microsoft.com”’
- [T1027] Obfuscated Files and Information – A per-byte transform hides command data; the published encrypt and decrypt routines are identical because (2 - byte) mod 256 is its own inverse. ‘def encrypt(plaintext): return bytes([((2 - byte) & 0xff) for byte in plaintext])’ and ‘def decrypt(ciphertext): return bytes([((2 - byte) & 0xff) for byte in ciphertext])’
- [T1036] Masquerading – Rename or disguise malicious files as legitimate ones (e.g., atharvan.exe renamed to agile_update.exe). ‘one of the backdoors used was renamed from atharvan.exe to agile_update.exe.’
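The two C2 details above (the per-byte transform under T1027 and the HTTP POST carrier with a spoofed Host header under T1071.001) are enough to decode a captured beacon body and to flag the spoof. The block below is an added example for this page, not Atharvan or Symantec code. It assumes nothing beyond the transform and the Host header quoted above; the URI path, the C2 address (a TEST-NET-3 address), the addresses that update.microsoft.com is taken to resolve to, and the command text inside the body are all constructed, because the report does not document the command format.

```python
"""Atharvan C2 transport helpers.

The transform Symantec published maps each byte to (2 - b) mod 256, so
encrypt and decrypt are the same function and it is its own inverse.
The carrier is an HTTP POST whose Host header reads update.microsoft.com
regardless of the real destination.

Added example for this page, not Atharvan or Symantec code. URI, IPs and
the command text are made up; only the transform and Host header come
from the report.
"""
from typing import Dict, Set, Tuple

SPOOFED_HOST = "update.microsoft.com"


def atharvan_transform(data: bytes) -> bytes:
    """(2 - b) & 0xff per byte; applying it twice returns the input."""
    return bytes((2 - b) & 0xFF for b in data)


def is_involution() -> bool:
    """Check over all 256 byte values that transform(transform(x)) == x."""
    every = bytes(range(256))
    return atharvan_transform(atharvan_transform(every)) == every


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def decode_c2_post(raw: bytes, dst_ip: str, real_ips: Set[str]) -> Dict[str, object]:
    """Parse a captured POST, flag a spoofed Host header and decode the body.

    real_ips: the addresses the Host header's domain genuinely resolves to,
    taken from passive DNS or your resolver logs. A Host header naming
    update.microsoft.com on a connection to any other address is the spoof.
    """
    request_line, headers, body = parse_http_request(raw)
    host = headers.get("host", "")
    return {
        "method": request_line.split(" ", 1)[0],
        "host": host,
        "host_spoofed": host == SPOOFED_HOST and dst_ip not in real_ips,
        "plaintext": atharvan_transform(body),
    }


# Constructed capture: a beacon to a made-up C2 address carrying a made-up command.
C2_IP = "203.0.113.7"                    # TEST-NET-3, not a real indicator
RESOLVED_UPDATE_MS = {"198.51.100.10"}   # stand-in for the domain's real addresses
PAYLOAD = b"list C:\\Users\\"            # hypothetical command text
BODY = atharvan_transform(PAYLOAD)
SAMPLE_POST = (
    b"POST /update HTTP/1.1\r\n"         # path is made up
    b"Host: update.microsoft.com\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(BODY)
    + BODY
)

if __name__ == "__main__":
    print("involution:", is_involution())
    print(decode_c2_post(SAMPLE_POST, C2_IP, RESOLVED_UPDATE_MS))
```

Because the transform is a fixed involution with no key, any captured body can be recovered offline; the useful detection signal is not the body but the Host header and destination pair, which is why decode_c2_post reports the mismatch alongside the decoded bytes.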
Indicators of Compromise
- [Domain] update.microsoft.com – spoofed HTTP Host header on C2 POST requests; this is a legitimate Microsoft domain, so do not block it, hunt instead for requests carrying this Host header to destinations that are not Microsoft's
- [File] atharvan.exe – backdoor executable
- [File] Thumb.db – exfiltration artifact holding the collected file list (distinct from the Windows thumbnail cache Thumbs.db)
- [File] agile_update.exe – renamed backdoor executable
- [Folder] dgs – folder into which the attackers dropped malicious files
- [Mutex] SAPTARISHI-ATHARVAN-101 – mutex created to ensure single copy
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research