The CL-STA-0046 activity cluster, potentially linked to the Gelsemium APT group, targeted a Southeast Asian government over six months in 2022–2023 with a rare blend of backdoors and proxy tools. The cluster relied on OwlProxy and SessionManager to establish footholds and pivot within the network; corroborating indicators and a timeline are provided for defenders. #Gelsemium #CL-STA-0046 #SessionManager #OwlProxy #EarthWorm #CobaltStrike
Key Points
- The activity cluster CL-STA-0046 targets a Southeast Asian government and is attributed to Gelsemium APT with moderate confidence based on tool usage patterns.
- Core backdoors used: SessionManager and OwlProxy, complemented by web shells (reGeorg, China Chopper, AspxSpy).
- Initial access occurred via web shells on a compromised web server, followed by lateral movement and tool deployment.
- Tools observed include Cobalt Strike, EarthWorm, SpoolFool, and the JuicyPotato/BadPotato/SweetPotato suite for privilege escalation.
- Network discovery and credential-related activities included ipconfig, whoami, netscan, and nbtscan, with attempts to escalate privileges using SpoolFool.
- The campaign provides insights into Gelsemium’s TTPs and arms defenders with an IOC timeline and mitigations.
MITRE Techniques
- [T1100] Web Shell – The attackers gained access by installing web shells on a compromised web server. Quote: “The threat actor behind CL-STA-0046 gained access to the environment after installing several web shells on a compromised web server.”
- [T1021.002] SMB/Windows Admin Shares – Lateral movement via SMB after initial access. Quote: “The attackers conducted additional activities using the web shells. They moved laterally via SMB and downloaded additional tools.”
- [T1082] System Information Discovery – Basic host discovery using commands like ipconfig and whoami. Quote: “Initially, the attackers performed basic reconnaissance commands such as ipconfig and whoami.”
- [T1046] Network Service Scanning – Information gathering with netscan and nbtscan. Quote: “Later, they used netscan and nbtscan to gather further information about the victim.”
- [T1059.003] Windows Command Shell – Command execution using a shell-like tool (demo.exe). Quote: “the attackers started to deliver tools to the compromised server. The attackers used a ‘shell-like’ tool named demo.exe to run additional commands.”
- [T1105] Ingress Tool Transfer – Downloading multiple tools to establish footholds. Quote: “The attackers downloaded several different tools.”
- [T1090] Proxy – Use of the compromised web server as a proxy to reach other systems on the network (SessionManager and OwlProxy both provide proxy capabilities). Quote: “This threat also allows attackers to use the web server as a proxy to communicate with additional systems on the network.”
- [T1071.001] Web Protocols – Cobalt Strike beacon communicating with C2 (HTTP/Web protocols). Quote: “The attackers attempted to execute Artifactd.exe, as shown in Figure 2 above, which is a Cobalt Strike beacon configured to communicate with the command and control (C2) 27.124.26[.]83.”
- [T1572] Protocol Tunneling – EarthWorm used to tunnel C2 traffic to external servers. Quote: “EarthWorm is a publicly available SOCKS tunneler… Using EarthWorm, the attackers sent and received data to and from their C2 server.”
- [T1068] Exploitation for Privilege Escalation – SpoolFool PoC used for privilege escalation (CVE-2022-21999). Quote: “The attackers used this tool to attempt to create a local administrator user (username admin with the default password Passw0rd!).”
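As an added defender-side example (not code from the report or its authors), the Python below correlates the chain the technique list describes over constructed process-creation events: a web server process spawning a shell, the reconnaissance commands named above, and a `net user ... /add` like the one the SpoolFool PoC issues. The event format, host names, timestamps and the list of web server image names are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (hypothetical sample data,
# not telemetry from the report): time|host|parent image|image|command line.
SAMPLE_EVENTS = [
    "2023-01-10T08:01:02Z|WEB01|w3wp.exe|cmd.exe|cmd.exe /c ipconfig /all",
    "2023-01-10T08:01:09Z|WEB01|w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "2023-01-10T08:15:44Z|WEB01|cmd.exe|nbtscan.exe|nbtscan.exe 10.10.0.0/24",
    "2023-01-11T09:20:00Z|WEB01|demo.exe|cmd.exe|cmd.exe /c net user admin Passw0rd! /add",
    "2023-01-11T09:20:03Z|WEB01|demo.exe|cmd.exe|cmd.exe /c net localgroup administrators admin /add",
    "2023-01-11T10:00:00Z|WS07|explorer.exe|cmd.exe|cmd.exe /c ipconfig",
]

WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe"}  # assumed list
SHELLS = {"cmd.exe", "powershell.exe"}
RECON_TOOLS = {"ipconfig", "whoami", "netscan", "nbtscan"}  # commands named in the report
NET_USER_ADD = re.compile(r"\bnet(?:1)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)

def classify(event):
    """Return (host, set of stage tags) for one event."""
    _ts, host, parent, image, cmdline = event.split("|", 4)
    parent, image = parent.lower(), image.lower()
    words = [w.removesuffix(".exe") for w in cmdline.lower().split()]
    tags = set()
    if parent in WEB_SERVER_IMAGES and image in SHELLS:
        tags.add("web_shell_spawn")      # web server process launching a shell
    if any(w in RECON_TOOLS for w in words):
        tags.add("recon")                # ipconfig / whoami / netscan / nbtscan
    m = NET_USER_ADD.search(cmdline)
    if m and parent != "explorer.exe":   # skip interactive admin sessions (heuristic)
        tags.add("local_account_created:" + m.group(1))
    return host, tags

def correlate(events):
    """Aggregate stage tags per host; alert when web-shell spawn and recon co-occur,
    raising severity when a local account was also created (as SpoolFool's PoC does)."""
    per_host = defaultdict(set)
    for ev in events:
        host, tags = classify(ev)
        per_host[host] |= tags
    alerts = {}
    for host, tags in per_host.items():
        stages = {t.split(":")[0] for t in tags}
        if {"web_shell_spawn", "recon"} <= stages:
            alerts[host] = "high" if "local_account_created" in stages else "medium"
    return dict(per_host), alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS)[1])  # {'WEB01': 'high'}
```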
Indicators of Compromise
- [Hash] Web Shells – 24eb9c77448dda2d7cfecc60c804a378e89cbd450fbf7f4db875eb131cd4510a, 4dcdce3fd7f0ab80bc34b924ecaa640165ee49aa1a22179b3f580b2f74705dd9, and 6 more hashes
- [Hash] The Potato Suite – c7bd78b9a68198b8787d28ba5094827eb99a0798719bcb140f3afb695925566c, fd0b9f09770685ed6f40ecabcd31bc467fa22801164b52fdc638334009b7c06f, and 4 more hashes
- [Hash] Demo.exe – 527063cb9da5eec2e4b290019eaac5edd47ff3807fec74efa0f1b7ddf5a1b271
- [Hash] OwlProxy – 2f3abc59739b248ee26a575700eef93b18bd2029eb9f8123598ffdd81fa54d8b
- [Hash] SessionManager – b9a9e43e3d10cf6b5548b8be78e01dc0a034955b149a20e212a79a2cf7bee956
- [Hash] Cobalt Strike – ff7485d30279f78aba29326d9150b8c302294351e716ece77f4a3b890008e5fe
- [Hash] SpoolFool – c0a7a797f39b509fd2d895b5731e79b57b350b85b20be5a51c0a1bda19321bd0
- [Hash] EarthWorm – c254dc53b3cf9c7d81d92f4e060a5c44a4f51a228049fd1e2d90fafa9c0a44ee
- [IP] Infrastructure – 27.124.26[.]83, 27.124.26[.]86