Keypoints
- Initial access is via an uploaded IIS web shell that executes PowerShell and supports file upload/download over an encrypted command channel.
- Threat actors use a loader (r.exe) that decodes a payload (p.enc) and runs it in memory via RunPE-In-Memory to exploit CVE-2024-30088 for privilege escalation.
- Post-exploitation includes registering a malicious password filter DLL (psgfilter.dll) to capture plaintext passwords during password changes.
- Credential harvesting and exfiltration are performed by a backdoor (identified as STEALHOOK) which reads credentials/config from C:\ProgramData\WindowsUpdateService\UpdateDir and sends them as email attachments via Exchange servers.
- Ngrok and other RMM techniques are used to create tunnels for command-and-control and remote execution, often deployed via PowerShell and WMI.
- Persistence is achieved through a scheduled task defined in e.xml that runs a .NET installer (t.exe) which executes scripts such as u.ps1.
- Attack chain mixes custom .NET tools, PowerShell scripts, IIS-based web shells, in-memory execution, and known public exploit code to evade detection.
MITRE Techniques
- [T1003] Credential Dumping – The actors harvest credentials by abusing a dropped password filter policy: (‘exploiting password filter policies to harvest credentials during password changes.’)
- [T1068] Exploitation for Privilege Escalation – They exploited CVE-2024-30088 to run code as SYSTEM using an encoded payload and in-memory execution: (‘exploiting CVE-2024-30088 for privilege escalation’)
- [T1219] Remote Access Tools – Used ngrok to establish tunnels for C2 and persistence and to bypass network controls: (‘using ngrok for establishing command-and-control communication and maintaining persistence.’)
- [T1041] Exfiltration Over C2 Channel (Email) – Stolen credentials and files were exfiltrated via Exchange by sending emails with attachments to attacker-controlled addresses: (‘Exfiltrating sensitive data through email using compromised Exchange servers.’)
- [T1100] Web Shell – Deployed IIS web shells to execute commands, run PowerShell, and upload/download files on vulnerable servers: (‘Deploying web shells on vulnerable servers to maintain access and execute commands.’)
Indicators of Compromise
- [SHA-256] Malware/file hashes – db79c39bc06e55a52741a9170d8007fa93ac712df506632d624a651345d33f91, a24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7, and other hashes from the report.
- [File names] Deployed/malicious files – Update.dll (STEALHOOK), passwin.dll (password filter), p.enc (exploit payload), r.exe (loader), t.exe (installer), n.exe (renamed ngrok), PsExec64.exe.
- [Registry/PDB] Configuration and build artifacts – PDB path indicating CVE-2024-30088 exploit: C:\Users\reymond\Desktop\CVE-2024-30088-main\x64\Release\poc.pdb; registry modification to Notification Packages = scecli, psgfilter.
Earth Simnavaz’s technical attack chain begins with an IIS web shell that extracts encrypted commands from HTTP headers, decrypts Base64/AES payloads, and supports execution of PowerShell commands plus file upload/download. The web shell is used to stage tools (e.g., ngrok renamed to n.exe) and a one-byte-XOR encoded loader (r.exe) that decodes and runs an encoded payload (p.enc) in memory using RunPE-In-Memory. That decoded payload is a privilege-escalation exploit for CVE-2024-30088 which executes code at SYSTEM level and launches a .NET installer (t.exe) that creates persistence via a scheduled task defined in e.xml to execute u.ps1.
After gaining elevated privileges, the operators register a malicious password filter DLL (psgfilter.dll) in C:\Windows\System32 and modify the LSA Notification Packages registry key (e.g., Notification Packages = scecli, psgfilter) so the DLL receives plaintext passwords on change events via its InitializeChangeNotify, PasswordChangeNotify, and PasswordFilter exports. Stolen credentials are harvested by the backdoor (STEALHOOK) which reads credential/config files from C:\ProgramData\WindowsUpdateService\UpdateDir (e.g., ‘edf’ file), constructs emails with subject “Update Service”, attaches files from the UpdateDir, and sends them through on-premises Exchange servers to attacker-controlled addresses. Ngrok and WMI/PowerShell orchestration are used to tunnel access, move laterally, and maintain remote control while using in-memory execution and encoded payloads to evade detection.
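As an added defensive example (not code from the report or from Trend Micro), the following PowerShell audits the LSA Notification Packages value described above against a known-good baseline, reports the hash and Authenticode status of each registered filter DLL, and checks for the STEALHOOK staging directory. It assumes it runs as an administrator on the host being checked and that scecli is the only legitimately registered package; extend the baseline for your environment.

```powershell
# Added example: audit LSA "Notification Packages" for unexpected password-filter DLLs.
# Assumptions: administrator context; 'scecli' is the only expected package.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli')   # extend with packages your environment legitimately registers

# REG_MULTI_SZ comes back as a string array, one package name per element.
$packages = Get-ItemPropertyValue -Path $LsaKey -Name 'Notification Packages'

foreach ($pkg in $packages) {
    $name = $pkg.Trim()
    if (-not $name) { continue }

    # Package names are listed without extension; LSA loads <name>.dll from System32.
    $dll = Join-Path $env:SystemRoot "System32\$name.dll"

    $info = [ordered]@{
        Package    = $name
        Unexpected = ($Baseline -notcontains $name)
        Path       = $dll
        Exists     = (Test-Path -LiteralPath $dll)
        SHA256     = $null
        SigStatus  = $null
        Signer     = $null
    }
    if ($info.Exists) {
        $info.SHA256    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $sig            = Get-AuthenticodeSignature -LiteralPath $dll
        $info.SigStatus = $sig.Status          # 'Valid' for Microsoft-signed scecli.dll
        $info.Signer    = $sig.SignerCertificate.Subject
    }
    [pscustomobject]$info
}

# Secondary check from the same report: the directory STEALHOOK reads staged files from.
$staging = 'C:\ProgramData\WindowsUpdateService\UpdateDir'
if (Test-Path -LiteralPath $staging) {
    Write-Warning "STEALHOOK staging directory present: $staging"
    Get-ChildItem -LiteralPath $staging -Force |
        Select-Object FullName, Length, LastWriteTime
}
```

Any row with Unexpected = True, a missing or invalid signature, or a DLL that does not exist on disk warrants triage; compare the SHA256 column against the hashes in the Indicators of Compromise section.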
Read more: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html