Deep Dive into a Corporate Espionage Operation

Bitdefender’s deep-dive analyzes a corporate espionage operation targeting a small U.S. technology company, detailing how initial access was gained through an unpatched internet-facing vulnerability and how attackers staged months of data exfiltration. The operation leveraged hybrid techniques—web shells, credential dumping, and encrypted/archived data exfiltration across hundreds of IPs (many linked to China)—to siphon sensitive information. #Karakurt #WebShell #China #Mimikatz #ManageEngineADSelfServicePlus

Keypoints

  • The initial infection vector was an internet-facing instance of the ZOHO ManageEngine ADSelfService Plus web server, exploited through a known but unpatched vulnerability, CVE-2021-40539.
  • A web-shell phase followed, with Tunna, ReGeorg, and China Chopper deployed; Exchange Server became the attackers’ base of operations for persistence.
  • Threat actors conducted extensive credential access using Mimikatz DCSync, Windows Vault Password Decryptor, NTDSDumpEx, SAM hive exports, and WDigest-enabled plaintext credentials.
  • Data collection targeted SSH keys, VPN certificates, and Git credentials; Git repositories were downloaded with git2.exe, and the staged archives were created with WinRAR, password-encrypted, and renamed from .rar to .jpg.
  • Exfiltration used HTTP GET requests with parallel transfers, leveraging over 650 IPs (primarily from China) and a publicly accessible exfiltration folder.
  • Hybrid attack characteristics are highlighted, with automated opportunistic scanning followed by human triage; small/medium targets can be high-value data sources for espionage and supply-chain breaches.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “The initial infection vector was an internet-facing instance of ZOHO ManageEngine ADSelfService Plus web server exploited via a known unpatched vulnerability CVE-2021-40539. ‘This is one of the top 15 routinely exploited vulnerabilities (source: CISA)’”
  • [T1505.003] Web Shell – “A web shell is a malicious shell-like interface … that is used to access a web server remotely. For this operation, a combination of different web shells was used – Tunna, ReGeorg, and China Chopper Webshell.”
  • [T1016] System Network Configuration Discovery – “continued with system discovery, identifying and locating other machines and file shares on the network.”
  • [T1059.003] Windows Command Shell – “cmd /c cd /d "C:\inetpub\wwwroot\aspnet_client\css"&reg add HKLM…WDIGEST…”
  • [T1003] Credential Dumping – “To capture more credentials, threat actors enabled the Digest Authentication protocol (WDigest) in the registry.”
  • [T1560] Archive Collected Data – “WinRAR was used to compress files and pull archives … data and headers were encrypted … password CIA@NSA@FBI … all files were renamed from .rar to .jpg”
  • [T1071.001] Web Protocols – “exfiltration was launched using normal HTTP GET requests … HTTP Range Header”
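The T1560 entry (and the exfiltration keypoint above) states that the staged WinRAR archives had encrypted headers and were renamed from .rar to .jpg. The following is an added detection example, not code from the Bitdefender report: it compares each file's extension with its leading bytes, flags image-named files that carry a RAR4 or RAR5 signature, and reports whether the archive's header block is itself encrypted. All sample bytes are constructed.

```python
import os
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x signature
IMAGE_EXTS = {".jpg", ".jpeg"}
MHD_PASSWORD = 0x0080                  # RAR4 main-header flag: headers encrypted

def _vint(buf, pos):
    """Read a RAR5 variable-length integer: 7 data bits per byte, high bit = more follows."""
    value, shift = 0, 0
    while pos < len(buf):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value, pos

def rar_headers_encrypted(head):
    """True when the archive also hides its file list (WinRAR 'encrypt file names'):
    RAR4 main header (CRC(2) TYPE(1)=0x73 FLAGS(2)) has bit 0x0080 set; RAR5 first header
    after CRC32(4) size(vint) has type 4, the archive encryption header."""
    if head.startswith(RAR5_MAGIC):
        _size, pos = _vint(head, len(RAR5_MAGIC) + 4)
        return _vint(head, pos)[0] == 4
    if head.startswith(RAR4_MAGIC) and len(head) >= 12 and head[9] == 0x73:
        return bool(struct.unpack_from("<H", head, 10)[0] & MHD_PASSWORD)
    return False

def triage(name, head):
    """Verdict for one file (name + first 32 bytes), or None when extension and content agree."""
    if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
        return None
    kind = "rar5" if head.startswith(RAR5_MAGIC) else "rar4" if head.startswith(RAR4_MAGIC) else None
    if kind is None:
        return None
    return kind + (" encrypted-headers" if rar_headers_encrypted(head) else "")

SAMPLES = {  # constructed header bytes for an offline run, not real payloads
    "backup.jpg": RAR4_MAGIC + struct.pack("<HBHH", 0, 0x73, MHD_PASSWORD, 13) + b"\x00" * 6,
    "photo2.jpg": RAR5_MAGIC + b"\x00" * 4 + b"\x0b\x04" + b"\x00" * 9,  # size 11, type 4
    "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # a genuine JPEG header
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, head in sorted(SAMPLES.items()):
        print(f"{triage(name, head) or 'ok':24s} {name}")
```

Reading only the first 32 bytes of each file keeps the check cheap enough to run across a whole web root or file share; the two constructed `.jpg` samples are reported as RAR archives with encrypted headers while the real JPEG and the text file pass.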

Indicators of Compromise

  • [IP] IPs used to access the web shells – 113[.]25[.]2[.]136, 139[.]162[.]2[.]70, and 29 more IPs (many traced to China)
  • [URL] URLs – https://app.jetboatpilot[.]com/utils/optimize/ver.ico, http://node-sdk-sample-760723cc-b7e7-43ef-9f5b-9eca39acdefe.s3.us-west-1.amazonaws[.]com/git2.exe
  • [File Path/Name] File paths used by the malware – C:\inetpub\wwwroot\aspnet_client\css\rr.aspx, C:\inetpub\wwwroot\aspnet_client\css\ex.aspx
  • [SHA256] SHA-256 hashes – 742a27fb2a87e2c660fea0bb8184b53e, 84b5e2ac1846d268f1cf9581b63bf953

Read more: https://businessinsights.bitdefender.com/deep-dive-into-a-corporate-espionage-operation