StellarParticle is the name CrowdStrike uses for the campaign it attributes to COZY BEAR (APT29) and associates with the SolarWinds incident; the activity continued against multiple organizations after that incident. The operation employed novel techniques such as browser cookie theft (used to bypass MFA) and O365 service principal hijacking, and used malware families such as TrailBlazer and GoldMax that evaded detection for extended periods. #StellarParticle #TrailBlazer
Keypoints
- StellarParticle is linked to COZY BEAR (APT29) and the SolarWinds incident, continuing against multiple organizations with new tools and techniques.
- The campaign includes novel techniques such as browser cookie theft and O365 service principal hijacking to access cloud resources.
- Two sophisticated malware families were observed: a Linux variant of GoldMax and a new implant named TrailBlazer.
- Credential hopping and cross-tenant O365 access enable stealthy lateral movement and cloud access, including MFA bypass through stolen browser cookies.
- Abuses of O365 delegated administration and service principals allow broad access to customer tenants and data.
- Windows User Access Logging (UAL) and other artifacts aid long-term attribution and timeline building across engagements.
MITRE Techniques
- [T1021] Remote Services – ‘Gain access to the victim’s network by logging into a public-facing system via Secure Shell (SSH) using a local account acquired during previous credential theft activities… Use port forwarding capabilities built into SSH on the public-facing system to establish a Remote Desktop Protocol (RDP) session to an internal server (Server 1) using a domain service account. From Server 1, establish another RDP session to a different internal server (Server 2) using a domain administrator’s account.’
- [T1555.003] Credentials in Web Browsers – ‘Even though the victims required MFA… the threat actor managed to bypass MFA through the theft of Chrome browser cookies… copied their Chrome profile directories as well as DPAPI data.’
- [T1047] Windows Management Instrumentation – ‘TrailBlazer persists on a compromised host using WMI event subscriptions— a technique also used by SeaDuke.’
- [T1071.001] Web Protocols – ‘Masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests.’
- [T1053.005] Cron – ‘Crontab entry for a non-root user… @reboot line so the GoldMax binary would execute again upon system reboot.’
- [T1003.006] NTDS/DSReplication (DCSync) – ‘Get-ADReplAccount targeting two of the victim’s domains… outputs including hashes and credentials.’
- [T1036] Masquerading – ‘TA Masquerading of System Names’: host names (including the name of the system used for VPN access) and file names chosen to blend in with the victim’s environment.
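The T1003.006 entry above describes DCSync-style replication requests (Get-ADReplAccount) against the victim's domains. One way to hunt for that in Windows Security logs, shown here as an added example that is not CrowdStrike's tooling and not part of the original post: flag event 4662 records in which a principal other than a domain controller's machine account requests the DS-Replication-Get-Changes-All control access right. The code assumes the events have already been parsed into dicts with the field names used below and that the caller knows the NetBIOS names of its domain controllers; the sample records are constructed for this illustration.

```python
import re

# Control-access-right GUIDs that appear in the Properties field of a 4662
# event when a caller requests directory replication. DCSync needs the
# Get-Changes and Get-Changes-All pair to pull password hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I
)


def replication_rights(properties: str) -> set:
    """Names of the replication rights referenced in a 4662 Properties string."""
    found = set()
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.add(name)
    return found


def is_dcsync_candidate(event: dict, dc_names: set) -> bool:
    """True when a principal that is not a DC machine account asks for Get-Changes-All.

    dc_names holds the NetBIOS names of legitimate domain controllers; their
    machine accounts (e.g. DC01$) request these rights as part of normal replication.
    """
    if event.get("EventID") != 4662:
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$") and subject[:-1].upper() in {n.upper() for n in dc_names}:
        return False
    return "DS-Replication-Get-Changes-All" in replication_rights(event.get("Properties", ""))


def find_dcsync(events, dc_names):
    """Return 'DOMAIN\\user' for every event that looks like a DCSync request."""
    hits = []
    for e in events:
        if is_dcsync_candidate(e, dc_names):
            hits.append(f"{e.get('SubjectDomainName', '')}\\{e['SubjectUserName']}")
    return hits


# Constructed sample records (not real telemetry), shaped like parsed 4662 fields.
DOMAIN_DNS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object class
SAMPLE_EVENTS = [
    {   # DC01 replicating with another DC: expected behaviour
        "EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
        "ObjectType": DOMAIN_DNS,
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a service account asking for all changes on the domain object: DCSync candidate
        "EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
        "ObjectType": DOMAIN_DNS,
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # ordinary read of a user object: no replication right involved
        "EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
        "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {"EventID": 4624, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    print(find_dcsync(SAMPLE_EVENTS, {"DC01", "DC02"}))
```

Event 4662 is only written when the domain object's SACL audits directory service access, so confirm that audit setting before relying on this. Accounts such as Azure AD Connect's MSOL_* synchronization account and some backup products legitimately hold these rights; add them to the allowlist individually rather than excluding whole classes of accounts.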
Indicators of Compromise
- [URL] TrailBlazer C2 – http://satkas.waw[.]pl/rainloop/forecast
- [SHA256] TrailBlazer SHA256 – 1326932d63485e299ba8e03bfcd23057f7897c3ae0d26ed1235c4fb108adb105
- [Hostname] GoldMax C2 – vm-srv-1.gel.ulaval[.]ca
- [SHA256] GoldMax SHA256 – 2a3b660e19b56dad92ba45dd164d300e9bd9c3b17736004878f45ee23a0177ac
- [IP] TA Infrastructure – 156.96.46[.]116, 188.34.185[.]85, 212.103.61[.]74, 192.154.224[.]126, 23.29.115[.]180, 104.237.218[.]74, 23.82.128[.]144
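To use the indicators above against proxy logs they have to be refanged and compared in normalized form (lower-cased host, query string dropped, CONNECT targets handled). The following is an added example, not part of the original post and not CrowdStrike's code: it compiles the page's network IOCs into host, IP and URL lookups and scans a constructed, space-separated proxy log of the form `<timestamp> <client> <method> <target> <status>`. The log format and the sample lines are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The network indicators listed above, copied as written (some are defanged
# with "[.]"); each entry is (kind, label, value).
IOCS = [
    ("url", "TrailBlazer C2", "http://satkas.waw[.]pl/rainloop/forecast"),
    ("host", "GoldMax C2", "vm-srv-1.gel.ulaval[.]ca"),
] + [("ip", "TA infrastructure", ip) for ip in (
    "156.96.46.116", "188.34.185.85", "212.103.61.74", "192.154.224.126",
    "23.29.115.180", "104.237.218.74", "23.82.128.144")]


def refang(value: str) -> str:
    """Undo common defanging so an indicator compares against live log data."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def normalize_url(url: str) -> str:
    """scheme://host/path with the query string and any port dropped."""
    p = urlsplit(url.lower())
    return f"{p.scheme}://{p.hostname}{p.path or '/'}"


def compile_iocs(iocs):
    """Build exact-match lookups; a URL IOC also contributes its domain."""
    urls, hosts, ips = {}, {}, {}
    for kind, label, value in iocs:
        value = refang(value)
        if kind == "url":
            urls[normalize_url(value)] = label
            hosts[urlsplit(value).hostname] = label  # any other path on the C2 domain is still a hit
        elif kind == "host":
            hosts[value] = label
        elif kind == "ip":
            ips[str(ipaddress.ip_address(value))] = label
    return {"urls": urls, "hosts": hosts, "ips": ips}


def extract_target(request: str):
    """(host, normalized URL or None) from a proxy request target."""
    if "://" in request:
        return urlsplit(request.lower()).hostname, normalize_url(request)
    return request.rsplit(":", 1)[0].lower(), None  # CONNECT host:port form


def match_line(line: str, compiled) -> set:
    """Return the set of (kind, label) hits for one proxy log line."""
    fields = line.split()
    if len(fields) < 5:
        return set()
    host, url = extract_target(fields[3])
    hits = set()
    if url in compiled["urls"]:
        hits.add(("url", compiled["urls"][url]))
    if host in compiled["hosts"]:
        hits.add(("host", compiled["hosts"][host]))
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = None
    if ip in compiled["ips"]:
        hits.add(("ip", compiled["ips"][ip]))
    return hits


def scan(lines, iocs=IOCS):
    """All (line, hits) pairs with at least one indicator match."""
    compiled = compile_iocs(iocs)
    results = []
    for line in lines:
        hits = match_line(line, compiled)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log (not real traffic): timestamp, client IP, method, target, status.
SAMPLE_LOG = [
    "2021-05-03T10:14:55Z 10.1.2.3 GET http://satkas.waw.pl/rainloop/forecast 200",
    "2021-05-03T10:15:01Z 10.1.2.9 GET https://www.google.com/ 200",
    "2021-05-03T10:16:10Z 10.1.2.3 GET http://vm-srv-1.gel.ulaval.ca/ 200",
    "2021-05-03T10:17:30Z 10.1.2.7 CONNECT 188.34.185.85:443 200",
    "2021-05-03T10:18:02Z 10.1.2.3 GET http://SATKAS.waw.pl:80/rainloop/forecast?id=1 200",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(sorted(hits), line)
```

Because TrailBlazer disguises its C2 traffic as Google Notifications requests (T1071.001 above), a destination-based match like this is the practical handle; the request body and headers will look benign.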
Read more: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/