CrowdStrike researchers detect DecisiveArchitect activity cluster targeting global telecom entities

CrowdStrike researchers have encountered, on multiple occasions dating back to 2019, an adversary targeting global entities, particularly telecommunications companies, to obtain targeted personal user information. Data such as call detail records (CDRs) or information relating to specific phone numbers are believed to have been accessed during the breaches. CrowdStrike Intelligence is currently tracking these intrusions under the DecisiveArchitect activity cluster, also publicly known as Red Menshen.

“DecisiveArchitect exhibits a high degree of operational security as part of their tactics to make it more difficult for defenders to identify and investigate their activity through the use of various defense evasion techniques,” Jamie Harries, a CrowdStrike executive, wrote in a company blog post. “While other publicly available research highlights how the implant operates, this blog focuses on methods to hunt for this implant, or implants that may operate in a similar manner, while also highlighting techniques of interest across Solaris systems,” he added.

“Similar to the activity cluster reported as LightBasin, this adversary primarily focuses on Linux and Solaris systems using a custom-built implant tracked by CrowdStrike Intelligence as JustForFun (also publicly known as BPFDoor),” according to Harries. “While this adversary does interact with Windows systems, mostly during the early stages of an intrusion, CrowdStrike has not yet identified any custom implants geared toward Windows systems. Instead, the adversary relies on publicly available tools, such as ‘ldapdomaindump,’ or the post-exploitation framework ‘Impacket,’ to target Windows systems from previously compromised Linux systems,” he added.

CrowdStrike Intelligence said that it has not attributed these intrusions to a specific country nexus. While CrowdStrike has primarily observed the adversary targeting telecommunications companies, it has also observed isolated incidents against other organizations, such as logistics entities.

DecisiveArchitect utilizes a custom implant tracked by CrowdStrike as JustForFun, which is typically persisted using SysVinit scripts, the post said. When executed, the implant overwrites the process command line within the process environment by randomly selecting a new command line from one of ten hard-coded options. “When DecisiveArchitect interacts with the implants to establish an interactive shell on a system, the bash process spawned by the implant process displays the following command line instead. This makes it appear as if the Postfix queue manager is executing as a way to hide itself from analysts and system administrators,” it added.

Harries said that on Solaris systems, although the executable itself has no mechanism for similar command-line spoofing, DecisiveArchitect achieves the same effect through the LD_PRELOAD environment variable. When executed, the process shows only the legitimate command line, while the actual JustForFun implant is the preloaded file, the post added.

Last month, CrowdStrike observed further variations in DecisiveArchitect’s tactics, techniques and procedures (TTPs), with the adversary using the LD_PRELOAD environment variable across Linux systems as well, loading the JustForFun implant, /lib64/libcaac.so.1, within the legitimate process /sbin/agetty. The post said this highlights a deviation from the standard list of spoofed command lines, likely as part of a further effort to remain undetected, and emphasizes the importance of behavioral-based hunting and detection methods.
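A host-side check for the two evasions described above (an overwritten command line, and a shared object preloaded into a legitimate binary such as /sbin/agetty), written here as an added example rather than CrowdStrike’s own hunting tooling. It compares what a process claims to be in /proc/<pid>/cmdline with what the kernel actually loaded (/proc/<pid>/exe and /proc/<pid>/environ); the sample records, the /tmp/example-implant path and the Postfix-style command line are constructed for illustration, with only /sbin/agetty and /lib64/libcaac.so.1 taken from the report.

```python
from pathlib import Path
from typing import NamedTuple

class Proc(NamedTuple):
    pid: int
    cmdline: str          # /proc/<pid>/cmdline with NULs joined by spaces (what ps prints)
    exe: str              # target of the /proc/<pid>/exe symlink (what the kernel loaded)
    environ: dict = {}    # parsed /proc/<pid>/environ

def argv0_name(cmdline):
    """Program name claimed by argv[0] ('-bash' and 'sshd:' forms normalised)."""
    return Path(cmdline.split()[0].lstrip("-").rstrip(":")).name if cmdline.split() else ""

def cmdline_mismatch(p):
    """argv[0] names one program but the kernel loaded another (e.g. a fake Postfix queue manager)."""
    claimed, actual = argv0_name(p.cmdline), Path(p.exe).name
    return bool(claimed and actual) and claimed != actual and not actual.startswith(claimed)

def preloaded_libs(p):
    """Shared objects injected through LD_PRELOAD (':' or space separated)."""
    return p.environ.get("LD_PRELOAD", "").replace(":", " ").split()

def hunt(procs):
    """Return (pid, finding) leads for triage; a lead is a reason to look, not a verdict."""
    leads = []
    for p in procs:
        if cmdline_mismatch(p):
            leads.append((p.pid, f"cmdline claims {argv0_name(p.cmdline)!r} but exe is {p.exe}"))
        for lib in preloaded_libs(p):
            leads.append((p.pid, f"LD_PRELOAD={lib} inside {p.exe}"))
    return leads

def read_proc(pid):
    """Build a Proc from a live Linux /proc entry (Python 3.9+); None if unreadable or gone."""
    try:
        cmdline, environ, exe = (Path(f"/proc/{pid}/{n}") for n in ("cmdline", "environ", "exe"))
        env = dict(kv.split("=", 1) for kv in environ.read_text(errors="replace").split("\0") if "=" in kv)
        return Proc(pid, cmdline.read_text(errors="replace").replace("\0", " ").strip(), str(exe.readlink()), env)
    except OSError:
        return None

def hunt_live():
    """Run the checks over every process on this host (Linux only)."""
    return hunt([p for p in (read_proc(int(d.name)) for d in Path("/proc").iterdir() if d.name.isdigit()) if p])

SAMPLE = [  # constructed records: overwritten cmdline, LD_PRELOAD into agetty, benign daemon
    Proc(101, "qmgr -l -t fifo -u", "/tmp/example-implant"),
    Proc(102, "/sbin/agetty --noclear tty1 linux", "/sbin/agetty", {"LD_PRELOAD": "/lib64/libcaac.so.1"}),
    Proc(103, "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
]
```

hunt_live() runs the same checks over /proc on a Linux host; every lead needs triage, since legitimate software also sets LD_PRELOAD or rewrites its own argv.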

According to Harries, the spoofed command line appears in commands such as ps that may be used to investigate suspicious activity on the host. As a result, the spoofed command line makes it less likely that the process will be treated as suspicious. “The way in which DecisiveArchitect achieves persistence across Linux systems involves the usage of SysVinit scripts (i.e., rc.d/init.d scripts). Instead of simply creating a new script that references the JustForFun implants, DecisiveArchitect uses a more operational security-conscious approach by modifying existing SysVinit scripts to reference a small script file, which then finally references the JustForFun implant,” he added. 

With this method of nested persistence, if an analyst simply reviews a set of SysVinit scripts by themselves, identifying the malicious line associated with the JustForFun implant would likely prove difficult without subsequently reviewing all of the files referenced within the scripts, Harries said. “Additionally, as part of DecisiveArchitect’s continued commitment to operational security, the adversary modifies different legitimate SysVinit scripts across systems, and uses different file names/paths for the implant and associated persistence-related scripts, making it difficult to search across other systems for indicators identified through analysis of a single system,” he added.
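An added example (not CrowdStrike’s tooling) that automates the review Harries describes: it walks each SysVinit script, follows every existing file the script references, and reports only the chains in which a script reaches an executable through an intermediate helper script, which is the nested pattern an analyst would otherwise miss by reading the init scripts alone. The init.d layout, file names and ELF stub it builds are a constructed fixture.

```python
import os, re, tempfile

PATH_RE = re.compile(r"(?<![\w.-])(/[\w.-]+(?:/[\w.-]+)+)")   # absolute paths with 2+ components

def referenced_paths(text):
    """Absolute paths a script body names, ignoring anything after a '#' comment marker."""
    return [p for line in text.splitlines() for p in PATH_RE.findall(line.split("#", 1)[0])]

def is_text(path):
    """Shell scripts are NUL-free in their first 512 bytes; an ELF binary is not."""
    with open(path, "rb") as f:
        return b"\0" not in f.read(512)

def follow(path, chain=(), max_depth=6):
    """Yield every chain of files reachable from `path` by following the paths it references."""
    chain = chain + (path,)
    yield chain
    if len(chain) >= max_depth or not is_text(path):
        return
    with open(path, errors="replace") as f:
        refs = referenced_paths(f.read())
    for ref in dict.fromkeys(refs):                      # de-duplicate, keep order
        if ref not in chain and os.path.isfile(ref):
            yield from follow(ref, chain, max_depth)

def nested_chains(initd_dir):
    """Chains where an init script reaches a binary only via an intermediate script (review these)."""
    hits = []
    for name in sorted(os.listdir(initd_dir)):
        script = os.path.join(initd_dir, name)
        if os.path.isfile(script):
            hits += [c for c in follow(script) if len(c) >= 3 and not is_text(c[-1])]
    return hits

def build_sample():
    """Constructed fixture: init.d/network -> net.sh helper -> ELF payload, plus a direct daemon."""
    root = tempfile.mkdtemp()
    initd = os.path.join(root, "init.d")
    os.makedirs(initd)
    network, helper = os.path.join(initd, "network"), os.path.join(root, "net.sh")
    payload, daemon = os.path.join(root, "svc.bin"), os.path.join(root, "daemon")
    elf = b"\x7fELF" + b"\0" * 12                          # minimal ELF-like header
    files = {payload: elf, daemon: elf, helper: f"#!/bin/sh\n{payload} &\n".encode(),
             network: f"#!/bin/sh\n# chkconfig: 2345 10 90\n{daemon} start\n{helper}\n".encode()}
    for path, body in files.items():
        with open(path, "wb") as f:
            f.write(body)
    return initd, (network, helper, payload)
```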

Harries also provided hunting techniques for identifying DecisiveArchitect activity based on activity observed across multiple intrusions. “CrowdStrike expects that DecisiveArchitect will continue development of their implant across both Linux and Solaris platforms, while also improving their techniques regarding operational security of their intrusions to further hinder the ability of a defender to identify or investigate their activity, which might include identifying ways to combat these hunting techniques,” he added.

Last month, IBM Security X-Force identified a February 2022 phishing email campaign by Hive0117, a likely financially motivated cybercriminal group, designed to deliver the fileless malware variant dubbed DarkWatchman. Although the campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails were addressed to users in Lithuania, Estonia and Russia in the telecommunications, electronics and industrial sectors.
