Kaspersky reports on first-stage implants used for persistent remote access across industrial infrastructure

The Kaspersky ICS CERT team announced that it had investigated a series of attacks against industrial organizations in Eastern Europe in 2022. In these campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including of data stored on air-gapped systems. The team identified over 15 implants and their variants, planted by the threat actor(s) in various combinations, and categorized them into three stages: first-stage implants for persistent remote access and initial data gathering, second-stage implants for data gathering, and third-stage implants and tools used to upload data to C2.

“Based on similarities found between these campaigns and previously researched campaigns (e.g., ExCone, DexCone), including the use of FourteenHi variants, specific TTPs, and the scope of the attack, we have medium to high confidence that a threat actor called APT31, also known as Judgment Panda and Zirconium, is behind the activities described in this report,” the researchers wrote in a Thursday report that analyzes common TTPs (Tactics, Techniques, and Procedures) of first-stage implants used by threat actors to establish a persistent remote access channel into the infrastructure of industrial organizations.

They added that to exfiltrate data and deliver next-stage malware, the threat actor (or actors) abuse(s) cloud-based data storage, e.g., Dropbox or Yandex Disk, as well as a service used for temporary file sharing. “They also use C2 deployed on regular virtual private servers (VPS). In addition, the threat actor(s) deploy(s) a stack of implants that collect data from air-gapped networks via infected removable drives.” 

The researchers disclosed that for most implants, the threat actor(s) use(s) similar implementations of DLL hijacking (often associated with Shadowpad malware) and memory injection techniques, along with using RC4 encryption to hide the payload and evade detection. “In addition, libssl[dot]dll or libcurl[dot]dll was statically linked to implants to implement encrypted C2 communications.”

The Kaspersky report detailed FourteenHi, a malware family discovered in 2021 in a campaign that was dubbed ExCone, active since mid-March 2021 and targeting government entities. “In 2022 we discovered new variants used in attacks on the infrastructure of industrial organizations. Various samples of FourteenHi (both x64 and x86) are significantly different from each other in terms of their code structure, implementations of their loaders, and C2 types. But their core distinctive features, such as the C2 communication protocol and the list of commands, are pretty much the same. The most significant difference exists between x86 and x64 variants of FourteenHi,” the researchers outlined.

Samples for x64 have persistence capabilities and a two-step C2 communication protocol. They accept a relatively long list of commands, including uploading arbitrary files, downloading arbitrary files, running arbitrary commands, setting communication delay, starting the reverse shell, terminating their own process, and removing persistence.

They also reported that all known variants of FourteenHi have config data embedded in their code and encrypted with RC4. “The configuration defines the campaign ID, C2 address, and port. The configuration of FourteenHi x64 also defines the name and description of the Windows service it creates for persistence when executed without parameters.”

The MeatBall backdoor is another new implant that the researchers discovered in the process of researching attacks. “It has vast remote access capabilities, including making lists of running processes, connected devices, and disks, performing file operations, capturing screenshots, using remote shell, and self-updating. The implant exists in variants for x86 and x64. The implant uses a loading scheme based on the DLL hijacking technique, but unlike many other implants, the payload is stored in the malicious DLL loader itself, not in a separate file,” they added.

“When the vulnerable host application is executed without parameters, the implant calls IsNTAdmin and, if it has sufficient privileges, creates a service named ‘esetcss,’” the researchers detailed. “Otherwise it simply adds itself to the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esetcss’ to be automatically executed at OS startup. In both cases, the implants are configured to be executed with the parameter ‘-S,’ which tells the implant to read the payload from its own module ([dot]dll) file, decrypt the payload using a one-byte XOR key, start ‘svchost[dot]exe’ and inject the decrypted payload into it. Then it starts the main C2 communication loop by calling ResumeThread for ‘svchost[dot]exe,’” they added.

The researchers also found an implant that uses the Yandex Cloud data storage as a C2. “The implant uses a DLL hijacking-based loading scheme, in which the malicious DLL decrypts the implant’s body stored in a separate file and injects it into a legitimate process’s memory,” they added.

The implant uses a statically linked libcurl[dot]dll for SSL-encrypted communication. First, it creates a mutex named ‘Njg8’ to prevent more than one instance of itself from running at any time; then it collects host data: computer name, user name, IP address, MAC address, OS version, and the path to %System%.

“To upload the data collected to C2, the implant sends a request using an embedded API token to create a directory with a name that is unique to the victim host. Then it creates a file with the prefix ‘1770_’ and the extension ‘[dot]dat,’ saving all information collected in that file,” the researchers said. “The main loop of the implant periodically checks a cloud folder named ‘content’ for the latest uploaded files with prefixes ‘1780_,’ ‘1781_,’ and ‘1784_.’ All uploaded and downloaded data is encrypted with the RC4 algorithm.”
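As an added example (not code from the Kaspersky report or this article), the host- and cloud-side indicators quoted above for MeatBall (the ‘esetcss’ service and Run key, the ‘-S’ relaunch and svchost[dot]exe injection) and for the Yandex-cloud implant (the ‘Njg8’ mutex and the ‘1770_’ / ‘178x_’ file prefixes) turned into detection checks run over constructed telemetry records. The record field names and the svchost-parent heuristic are assumptions made here, not something the report states.

```python
import re
# Indicators quoted in the report summary above: MeatBall's persistence names, the
# Yandex-cloud implant's mutex and its file-name prefixes.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esetcss"
SERVICE_NAME = "esetcss"
MUTEX_NAME = "Njg8"
UPLOAD_RE = re.compile(r"(^|/)1770_[^/]*\.dat$")          # victim-data file the implant creates
DOWNLOAD_RE = re.compile(r"(^|/)content/178[014]_[^/]*$")  # files it polls for in 'content'

def check_event(event: dict) -> list[str]:
    """Indicator names matched by one flat telemetry record (field names are assumed)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key_esetcss")
    if kind == "service_install" and event.get("service", "").lower() == SERVICE_NAME:
        hits.append("service_esetcss")
    if kind == "mutex_create" and event.get("mutex") == MUTEX_NAME:
        hits.append("mutex_njg8")
    if kind == "process_create":
        image = event.get("image", "").lower()
        parent = event.get("parent", "").lower()
        # MeatBall re-launches its hijacked host application with the single parameter "-S".
        if event.get("cmdline", "").split()[-1:] == ["-S"] and image.endswith(".exe"):
            hits.append("host_app_dash_S")
        # Heuristic (assumption): svchost.exe is normally a child of services.exe; the
        # implant starts its own copy to inject into, so an unusual parent deserves a look.
        if image.endswith("svchost.exe") and not parent.endswith("services.exe"):
            hits.append("svchost_unusual_parent")
    if kind == "cloud_file":
        path = event.get("path", "")
        if UPLOAD_RE.search(path):
            hits.append("cloud_upload_1770_dat")
        if DOWNLOAD_RE.search(path):
            hits.append("cloud_poll_178x")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each matching record to its indicator hits."""
    return {i: h for i, e in enumerate(events) if (h := check_event(e))}

# Constructed sample telemetry (not data from the report); record 2 is benign and must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "value": r"C:\Tools\hostapp.exe -S"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Tools\hostapp.exe", "cmdline": "svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "mutex_create", "mutex": "Njg8"},
    {"type": "cloud_file", "path": "DESKTOP-A1B2C3/1770_host.dat"},
    {"type": "cloud_file", "path": "content/1781_task"},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 0, 1, 3, 4 and 5 and leaves the legitimately parented svchost[dot]exe record alone.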

In conclusion, the researchers said that the tendency to abuse cloud services is not new, but it continues to expand because it is hard to restrict/mitigate in cases when an organization’s business processes depend on using such services. “Threat actors keep making it more difficult to detect and analyze threats by hiding payloads in encrypted form in separate binary data files and by hiding malicious code in the memory of legitimate applications via DLL hijacking and a chain of memory injections,” they added.

Earlier this month, the Cybersecurity Assessment Netherlands 2023 (CSAN 2023) report highlighted the importance of operational technology (OT) security despite facing challenges. It warns of state actors using cyberattacks for geopolitical goals, extortion as a lucrative business model, and new technologies like AI posing new threats. The report emphasizes the need for broader risk management and integration of digital risks into national security risks.
