Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity

Symantec details Cicada (a China-linked APT) widening its espionage activity, targeting governments and NGOs across multiple regions using Exchange server exploits, a custom loader, the Sodamaster backdoor, a custom Mimikatz loader, and legitimate tools such as VLC and WinVNC. The operation appears long-running, with activity spanning months and a focus on credential access and data exfiltration. #Cicada #Sodamaster #Mimikatz #VLC #WinVNC #MicrosoftExchange #NGOs #Japan #Espionage

Keypoints

  • Initial access likely via a known, unpatched Microsoft Exchange vulnerability, since the earliest activity on victim networks is seen on Exchange Servers.
  • Deployment of a custom loader and the Sodamaster backdoor (fileless, includes sandbox evasion and credential-related functions).
  • Credential dumping using a custom Mimikatz loader that drops mimilib.dll for plain-text credentials and persistence across reboots.
  • Use of the legitimate VLC Media Player to launch a custom loader via the VLC Exports function, and of WinVNC for remote control of victim machines.
  • Additional tools include RAR archiving (likely for exfiltration), system/network discovery, WMIExec, and NBTScan for internal reconnaissance.
  • Victims are predominantly government-related institutions and NGOs across the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy, with a single victim in Japan; campaigns lasted up to nine months.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploiting a known, unpatched vulnerability in Microsoft Exchange to gain access. ‘initial activity on victim networks is seen on Microsoft Exchange Servers, suggesting the possibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.’
  • [T1218] Signed Binary Proxy Execution – Using a legitimate application to execute code: VLC Media Player to launch a custom loader via the VLC Exports function. ‘the attackers are seen dumping credentials…’
  • [T1021.005] Remote Services – Remote control of victim machines using WinVNC. ‘WinVNC tool for remote control of victim machines.’
  • [T1003] Credential Dumping – Dumping credentials via a Mimikatz-based loader, including dropping mimilib.dll. ‘dump credentials, including by using a custom Mimikatz loader.’
  • [T1547] Boot or Logon Autostart Execution – Providing persistence across reboots via the loader. ‘provides persistence across reboots.’
  • [T1057] Process Discovery – Enumerating running processes on targeted systems. ‘searching for running processes’
  • [T1012] Query Registry – Checking for a registry key or delaying execution to evade detection. ‘by checking for a registry key or delaying execution.’
  • [T1016] System Network Configuration Discovery – Determining what systems or services are connected to an infected machine. ‘System/Network discovery – a way for attackers to determine what systems or services are connected to an infected machine.’
  • [T1046] Network Service Discovery – Discovering services on the network to map the environment. ‘System/Network discovery …’
  • [T1560] Archive Collected Data – Using RAR to compress/encrypt/archive files, likely for exfiltration. ‘RAR archiving tool – can be used to compress, encrypt, or archive files, likely for exfiltration.’
  • [T1573] Encrypted Channel – Obfuscating/encrypting traffic to C2 to evade detection. ‘obfuscating and encrypting traffic that it sends back to its command-and-control (C&C) server.’
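The keypoints and the technique list above describe tooling that leaves recognisable traces in host telemetry. The following is an added example (not code from Symantec or the report) that runs a few detection rules over Sysmon-like process and image-load events; the field names, the VLC install path, the matching rules and all sample events are assumptions constructed for this example.

```python
import re

# Tool names come from the report; the VLC install path, the field names and the
# matching rules are assumptions made for this example, not Symantec's detections.
VLC_DIR = r"c:\program files\videolan\vlc"
TOOL_NAMES = {
    "nbtscan.exe": ("T1046", "NBTScan internal reconnaissance"),
    "winvnc.exe": ("T1021.005", "WinVNC remote control"),
}

def _leaf(path):
    """Lower-cased file name of a Windows or POSIX path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev):
    """Return [(technique, reason), ...] for one Sysmon-like event; [] if nothing matches."""
    image = _leaf(ev.get("image", ""))
    loaded = ev.get("image_loaded", "").lower()
    cmd = ev.get("command_line", "").lower()
    hits = []
    # 1. vlc.exe loading a module from outside its install directory: a loader launched
    #    through VLC's exports shows up as exactly this kind of image load.
    if image == "vlc.exe" and loaded and not loaded.startswith(VLC_DIR):
        hits.append(("T1218", f"vlc.exe loaded non-VLC module {loaded}"))
    # 2. mimilib.dll anywhere: the custom Mimikatz loader drops it for credentials/persistence.
    if _leaf(loaded) == "mimilib.dll" or "mimilib.dll" in cmd:
        hits.append(("T1003", "mimilib.dll observed"))
    # 3. rar with a password switch (-p / -hp): encrypted archive staging before exfiltration.
    if image in {"rar.exe", "winrar.exe"} and re.search(r"(^|\s)-h?p\S+", cmd):
        hits.append(("T1560", "password-protected RAR archive created"))
    # 4. Known reconnaissance / remote-control tools matched by image name.
    if image in TOOL_NAMES:
        hits.append(TOOL_NAMES[image])
    return hits

def scan(events):
    """Run classify() over a list of events; returns (event index, technique, reason) triples."""
    return [(i, t, r) for i, ev in enumerate(events) for t, r in classify(ev)]

# Constructed sample telemetry: two benign events and four matching the report's tooling.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image_loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},            # benign
    {"image": r"C:\Users\Public\vlc.exe", "image_loaded": r"C:\Users\Public\libvlc.dll"},
    {"image": r"C:\Windows\System32\lsass.exe", "image_loaded": r"C:\Windows\System32\mimilib.dll"},
    {"image": r"C:\ProgramData\rar.exe",
     "command_line": r"rar.exe a -hpSecret C:\ProgramData\out.rar C:\Users\finance\Documents"},
    {"image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},      # benign
    {"image": r"C:\Temp\nbtscan.exe", "command_line": "nbtscan.exe 10.0.0.0/24"},
]
```

`scan(SAMPLE_EVENTS)` flags events 1, 2, 3 and 5 and leaves the two benign ones alone; in practice the rules would be fed from a SIEM query rather than an in-memory list.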

Indicators of Compromise

  • [Hash (SHA-256)] File hash – 01b610e8ffcb8fd85f2d682b8a364cad2033c8104014df83988bc3ddfac8e6ec, 056c0628be2435f2b2031b3287726eac38c94d1e7f7aa986969baa09468043b1, and other hashes
  • [IP Address] – 88.198.101.58, 168.100.8.38, and other IOCs (listed in the report)

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks