Pawn Storm Uses Brute Force and Stealth Against High-Value Targets

Trend Micro details how Pawn Storm combines large-scale brute-force credential attempts with stealthy NTLMv2 hash-relay techniques—including exploitation of CVE-2023-23397 in Outlook and PowerShell-based Net-NTLMv2 capture—to gain access to high-value targets. The actor uses multiple anonymization layers (VPNs, Tor, compromised EdgeOS routers), Mockbin redirectors, and free hosting services to collect and exfiltrate credentials and stolen files. #PawnStorm #CVE-2023-23397

Keypoints

  • Pawn Storm continues large-scale brute-force attacks against mail servers and corporate VPNs to obtain credentials.
  • The group exploited Outlook vulnerability CVE-2023-23397 to force NTLM authentication to attacker-controlled SMB servers and capture Net-NTLMv2 hashes.
  • Attackers used anonymization layers (commercial VPNs, Tor, compromised EdgeOS routers) and shared infrastructure to hide activity.
  • PowerShell payloads and local HTTP listeners were used to trigger WebDAV/HTTP-based NTLMv2 authentication and exfiltrate authentication blobs.
  • Mockbin-hosted scripts and free web hosting (e.g., infinityfreeapp[.]com) were used as redirectors to PHP scripts that facilitate credential capture or deployment of phishing pages.
  • A lightweight information stealer uploaded collected documents to free.keep.sh and created tinyurl shortlinks for retrieval, using predictable alias generation.
  • Indicators include implanted EdgeOS routers running Waitress/Werkzeug, open SMB on port 445, SOCKS5 proxies, and specific SHA256 payload hashes.

MITRE Techniques

  • [T1110] Brute Force – Pawn Storm employs brute-force credential attacks against mail servers and VPNs (“brute-force its way into mail servers and the corporate virtual private network (VPN) services”).
  • [T1566.001] Spearphishing Attachment – Malicious .msg calendar invites were sent to trigger Outlook’s vulnerable API (“malicious calendar invite represented by .msg … trigger the vulnerable API endpoint PlayReminderSound”).
  • [T1550.002] Use Alternate Authentication Material (Pass the Hash) – The attacker captures and relays Net-NTLMv2 hashes for authentication/relay (“the attacker can use for authentication against other systems that support NTLM authentication. This attack is known as a hash relay attack”).
  • [T1203] Exploitation for Client Execution – CVE-2023-23397 is exploited via Outlook reminders to force SMB connections and NTLM negotiation (“the attack involves an email message … with a UNC path to a remote attacker-controlled SMB … to trigger the vulnerable API”).
  • [T1090] Proxy – Use of commercial VPNs, Tor, and compromised EdgeOS routers to anonymize scanning, IMAP access, and email sending (“more anonymizing shells were put in place (including Tor and commercial VPN networks)”).
  • [T1098] Account Manipulation – Mailbox folder permission changes were used to enhance persistence and enable internal misuse of compromised accounts (“modification of folder permissions within the victim’s mailbox, leading to enhanced persistence”).
  • [T1567] Exfiltration Over Web Service – Stolen documents uploaded via HTTP PUT to free.keep.sh and shortened using tinyurl (“uploads the files in succession with an HTTP PUT request to a free file-sharing service, free.keep.sh”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – A PowerShell script was used to spawn listeners and trigger NTLMv2 authentication via WebDAV (“a PowerShell script that helps steal Net-NTLMv2 hashes … leaves two background processes sending requests to localhost at port 8080”).

Indicators of Compromise

  • [File hash] observed payloads – 52951f2d92e3d547bad86e33c1b0a8622ac391c614efa3c5d167d8a825937179 (PowerShell Net-NTLMv2 capture), 4f3992b9dbd1c2a64588a5bc23f1b37a12a4355688d6e1a06408ea2449c59368 (information stealer).
  • [Domain/Service] redirectors and hosting – mockbin.org, free.keep.sh, and infinityfreeapp[.]com (used for script hosting, redirects, and file storage).
  • [URL shortener] credential retrieval workflow – tinyurl.com (used to create public shortlinks for exfiltrated files).
  • [IP address] compromised router example – 202.175.177[.]238 (EdgeOS router with Werkzeug implant and proxying activity).
  • [VPN services] anonymization infrastructure – Cactus VPN, Mullvad, Whoer, IPVanish (used as exit nodes for IMAP/email and phishing activity).
  • [File path/startup] persistence artifact – %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\search.url (used by the information stealer to autorun).

Pawn Storm performs multi-stage technical operations that begin with large-scale credential probing and anonymized reconnaissance, move into exploitation and credential capture, and finish with local capture and web-based exfiltration. The actor scans and brute-forces Outlook/IMAP and VPN endpoints (often from data center servers, then via commercial VPNs or Tor) to obtain or validate credentials. They send spear-phishing emails containing malicious .msg calendar reminders that reference a UNC path to an attacker-controlled SMB server; when Outlook attempts to access the UNC resource, the victim machine performs NTLM authentication and transmits a Net-NTLMv2 blob that can be relayed or stored for offline cracking (this is the CVE-2023-23397 exploitation chain).

For on-host capture, Pawn Storm has deployed PowerShell payloads that spawn background processes which repeatedly send requests to localhost ports (example: port 8080) and create local HTTP listeners; these listener/client exchanges craft NEGOTIATE/CHALLENGE/AUTHENTICATE NTLM messages, forward the AUTHENTICATE blob to services like mockbin.org, and thereby capture the AUTHENTICATE_MESSAGE needed to assemble a Net-NTLMv2 hash string. Variants also trigger NTLMv2 via WebDAV (HTTP-based) to collect authentication blobs. EdgeOS routers with implanted Waitress/Werkzeug, an SMB server on port 445, open SOCKS5 proxies, and SSH on nonstandard ports have been used as anonymizing forwarders and proxy hosts for these operations.

After capture, the actor uses simple exfiltration pipelines: files harvested by a small information stealer are uploaded via HTTP PUT to free.keep.sh, then tinyurl.com API calls create short aliases for retrieval, and Mockbin-hosted scripts redirect victims to PHP pages on free hosting (e.g., infinityfreeapp[.]com) to support credential harvesting. Defenders should focus on detecting anomalous IMAP/SMB/HTTP authentication attempts, unusual UNC/callbacks to external SMB servers, local processes opening HTTP listeners on loopback ports, the specific PowerShell payload behaviors, and reuse of VPN/Tor exit nodes or compromised EdgeOS devices as pivot/proxy infrastructure.
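The detection guidance above, as an added example that is not part of the Trend Micro report: a small Python triage routine that applies three of the described behaviours (Outlook initiating SMB to an external host, PowerShell talking to loopback port 8080, a .url file dropped in the Startup folder) to constructed Sysmon-style events. The event field names, the sample IP addresses and the file paths are assumptions made for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed events loosely modelled on Sysmon EventID 3 (NetworkConnect) and
# EventID 11 (FileCreate). None of these values come from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.10", "dst_port": 445},   # TEST-NET-3 stands in for an external SMB host
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "10.0.0.5", "dst_port": 445},       # normal internal file server, should not alert
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "127.0.0.1", "dst_port": 8080},     # loopback listener/client pattern from the report
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.url"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},  # benign file write, should not alert
]

# Address space treated as "internal" for the Outlook-to-SMB rule; everything else is
# external. Adjust to the organisation's own ranges in a real deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address falls outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the described tradecraft."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["id"] == 3:
            # CVE-2023-23397 pattern: Outlook itself opens SMB to a host outside the network.
            if image.endswith("outlook.exe") and ev["dst_port"] == 445 and is_external(ev["dst_ip"]):
                alerts.append(("outlook_external_smb", ev["dst_ip"]))
            # PowerShell payload pattern: repeated requests to a local HTTP listener on 8080.
            elif image.endswith("powershell.exe") and ev["dst_ip"] == "127.0.0.1" and ev["dst_port"] == 8080:
                alerts.append(("powershell_loopback_http", ev["dst_ip"]))
        elif ev["id"] == 11:
            # Information-stealer persistence: a .url shortcut written into the Startup folder.
            target = ev.get("target", "")
            if "\\start menu\\programs\\startup\\" in target.lower() and target.lower().endswith(".url"):
                alerts.append(("startup_url_persistence", target))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The internal-network list and the fixed port 8080 are tuning points; the report describes 8080 as an example, so production rules should key on PowerShell binding or contacting any loopback HTTP port.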

Read more: https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html