Common TTPs of attacks against industrial organizations. Implants for remote access | Kaspersky ICS CERT

In 2022, Kaspersky ICS CERT investigated a series of attacks against industrial organizations in Eastern Europe aiming to establish a persistent data-exfiltration channel, including from air-gapped systems. Attribution points to APT31 (Judgment Panda / Zirconium), using FourteenHi variants and a multi-stage implant stack that relies on cloud storage and VPS-based C2 to steal data and maintain access. #APT31 #FourteenHi

Key points

  • Attacks in 2022 targeted industrial organizations in Eastern Europe to create a permanent exfiltration channel, even from air-gapped systems.
  • Threat attribution with medium-high confidence to APT31 (Judgment Panda / Zirconium).
  • Exfiltration and C2 leverage cloud storage (Dropbox, Yandex Disk) and temporary file-sharing services, plus VPS-based C2 infrastructure.
  • Implant stack divided into first-stage (remote access), second-stage (data gathering including from air-gapped systems), and third-stage (data upload to C2).
  • FourteenHi variants (x64 with persistence and 2-step C2; x86 with no persistence) use DLL hijacking, memory injections, RC4, and libssl.dll for encrypted C2.
  • MeatBall is a new backdoor with broad remote-access capabilities, uses DLL hijacking, self-updating, and a structured command set; C2 is encrypted via RC4/SSL.
  • Another implant uses Yandex Cloud as C2, collecting host data and uploading it over RC4-encrypted channels; a mutex prevents multiple instances from running.
  • Recommendations emphasize security policy enforcement, allowlisting, and Golden image/OT network restrictions to reduce risk.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The loading scheme uses a legitimate application vulnerable to DLL hijacking to load the malicious DLL. ‘Legitimate application that is vulnerable to DLL hijacking.’
  • [T1543.003] Create or Modify System Process: Windows Service – The implant creates a Windows service for persistence. ‘creates a service named “esetcss”.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The implant is configured to run at startup via registry keys. ‘to be automatically executed at OS startup.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Malware is executed with a Windows task created by the threat actor. ‘Windows task created by the threat actor.’
  • [T1055.002] Process Injection: Portable Executable Injection – Malware injects into svchost.exe or msiexec.exe. ‘inject it into some system process such as svchost.exe or msiexec.exe.’
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Performs checks to detect virtualization and analysis environments. ‘System checks to detect and avoid virtualization and analysis environments.’
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Employs time-based evasion to hinder analysis. ‘Time Based Evasion.’
  • [T1033] System Owner/User Discovery – Uses systeminfo, whoami, net utilities to gather user/system info. ‘systeminfo, whoami, and net utilities to get information about the user and the infected system.’
  • [T1057] Process Discovery – Uses tasklist to enumerate running processes. ‘tasklist to enumerate running processes.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over HTTPS/web protocols. ‘HTTPS and raw TCP for communication with C2.’
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Uses RC4 and SSL/TLS for encryption. ‘RC4 and SSL/TLS (using libssl.dll) to encrypt communication.’
  • [T1041] Exfiltration: Exfiltration Over C2 Channel – Exfiltration via cloud storage and file-sharing services as C2 channel. ‘exfiltrate data using Dropbox, Yandex Disk, Yandex email and temporary file sharing services as a C2 channel.’
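As an added illustration (not code from the Kaspersky report), the following triage pass maps the behaviours listed above to their ATT&CK IDs over a handful of constructed, simplified event records: the service name ‘esetcss’, side-loaded DLLs living beside a legitimate EXE outside system directories, remote threads into svchost.exe/msiexec.exe, and scheduled tasks launching binaries from user-writable paths. The record shapes and sample paths are assumptions, not real telemetry.

```python
import ntpath  # Windows path handling regardless of the host OS

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INJECTION_TARGETS = {"svchost.exe", "msiexec.exe"}   # targets named in the report
KNOWN_SERVICE = "esetcss"                             # service name quoted in the report


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Return (technique_id, reason) pairs for records matching the reported TTPs."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "service_install":                       # e.g. System log event 7045
            if ev["name"].lower() == KNOWN_SERVICE:
                findings.append(("T1543.003", f"service {ev['name']} -> {ev['image']}"))
            elif not _in_system_dir(ev["image"]):
                findings.append(("T1543.003", f"service from non-system path {ev['image']}"))
        elif kind == "image_load":                          # e.g. Sysmon event 7
            # DLL sitting next to the EXE that loads it, outside system directories
            exe_dir = ntpath.dirname(ev["process"].lower())
            dll_dir = ntpath.dirname(ev["image"].lower())
            if exe_dir == dll_dir and not _in_system_dir(ev["image"]):
                findings.append(("T1574.002", f"{ev['process']} side-loaded {ev['image']}"))
        elif kind == "remote_thread":                       # e.g. Sysmon event 8
            target = ntpath.basename(ev["target"].lower())
            if target in INJECTION_TARGETS and not _in_system_dir(ev["source"]):
                findings.append(("T1055.002", f"{ev['source']} -> {target}"))
        elif kind == "task_create":                         # e.g. Security event 4698
            if not _in_system_dir(ev["command"]):
                findings.append(("T1053.005", f"task {ev['name']} runs {ev['command']}"))
    return findings


# Constructed sample records (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "service_install", "name": "esetcss", "image": "C:\\ProgramData\\ESET\\svc.exe"},
    {"kind": "service_install", "name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"kind": "image_load", "process": "C:\\Users\\Public\\app.exe", "image": "C:\\Users\\Public\\dbghelp.dll"},
    {"kind": "image_load", "process": "C:\\Windows\\System32\\notepad.exe", "image": "C:\\Windows\\System32\\dbghelp.dll"},
    {"kind": "remote_thread", "source": "C:\\Users\\Public\\app.exe", "target": "C:\\Windows\\System32\\svchost.exe"},
    {"kind": "task_create", "name": "Updater", "command": "C:\\Users\\Public\\vmService.exe"},
]

if __name__ == "__main__":
    for tid, reason in triage(SAMPLE_EVENTS):
        print(tid, reason)
```

The benign records (Spooler from System32, notepad.exe loading the System32 copy of dbghelp.dll) produce no findings, which is the path-based distinction the side-loading description above relies on.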

Indicators of Compromise

  • [MD5] FourteenHi variants – 7332710D10B26A5970C5A1DDF7C83FBA, 2A1CFA6D17627EAAA7A63F73038A93DA, BB02A5D3E8807D7B13BE46AD478F7FBB, 22E66E0BE712F2843D8DB22060088751, D75C7BD965C168D693CE8294138136AE
  • [C2 IP/URL] – sfb.odk-saturn[.]com/dialin/login, 87.121.52[.]86
  • [Backdoor.Win32.MeatBall] MD5 – FFF248DB8066AE3D30274996BAEDDAB6
  • [C2 IP/URL] – freetranslatecenter[.]com, help.freetranslatecenter[.]com, onlinenemapservices[.]com
  • [MD5] Yandex Cloud implant – dbghelp.dll (A05D6D7A6A1E9669FC4C61223DA3953F), vmService.pkg (2F5C889A819CFE0804005F7CE5FD956E)
  • [Mutex] Njg8 – used to prevent multiple instances of the Yandex Cloud C2 implant

Read more: https://ics-cert.kaspersky.com/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/