Pawn Storm


In this entry, we share Pawn Storm’s recent activities, focusing on their use of simple methods that are not normally associated with APT groups.

Defenders who find a simple remote access Trojan (RAT) in their network will not immediately suspect an advanced persistent threat (APT) actor. Similarly, brute force attacks on Internet-facing services (such as email, Microsoft Autodiscover, SMB, LDAP, and SQL) are so common that they look like negligible background noise. But in 2020, this infamous APT actor used exactly these uncomplicated attack methods, perhaps so that its attacks would get lost in the noise.

In 2020, Pawn Storm spread a simple Google Drive RAT and an IMAP RAT to attack its usual targets, such as ministries of foreign affairs, embassies, the defense industry and military departments. The RATs were also sent to a wider range of target networks, including various industries around the world. The group also carried out extensive brute force attacks to steal credentials, such as those of corporate email accounts. We attribute these to Pawn Storm based on our online reconnaissance of the actor and on the sloppy way the actor abused the compromised email accounts, both in the malware and when sending spear phishing emails. Pawn Storm even hard-coded military and government-related email addresses in its IMAP RAT malware to communicate with the victim’s computer. Recently, the Norwegian authorities announced that Pawn Storm had compromised the Norwegian Parliament through brute force attacks.

The incremental improvements in subsequent versions of the malware hint at a learning curve for the malware authors, which is more typical of less experienced actors than of advanced ones. Initially, the RAT was so simple that it did not even account for international keyboards. This meant that an attacker had difficulty enumerating a victim’s hard drive when files and folders contained international characters. The error was quickly corrected, but it shows that this particular operator is relatively inexperienced. Later versions of the RAT malware started to use encryption, although encryption could have been added from the beginning. The only secondary payload we observed was a simple keylogger, which stored the stolen information locally on the victim’s machine.

Based on the samples alone, it is difficult to attribute this malware to Pawn Storm. In general, cyber defenders would not attribute this malware to an APT actor at all. However, based on our long-term monitoring of the group’s activities, we have a reliable attribution for these samples.

Review of recent activities

Compromised accounts of users in the Middle East

Trend Micro has been closely and continuously monitoring the activities of Pawn Storm. We published our latest research paper on the group in March 2020. In that paper, we shared that Pawn Storm heavily abused stolen accounts (mainly in the Middle East) to send spear phishing emails. The abuse of compromised email accounts in the Middle East continued in 2020. For example, in early December 2020, the group used a VPN service to connect to a compromised cloud server, and then used that cloud server to connect to a commercial email service provider. The group then logged into a compromised email account of a chicken farm in Oman and sent credential phishing spam emails to high-profile targets around the world. This shows that Pawn Storm carefully obscures its tracks on multiple levels.

The abuse of various compromised email accounts in the Middle East began in May 2019 and continues to this day. Since August 2020, the group no longer uses these email addresses only to send spear phishing emails, but also as a channel for the IMAP RAT to communicate with compromised systems.

Brute force attack

We believe that Pawn Storm compromises many email accounts through brute force attacks on Internet-facing services such as email, LDAP, Microsoft Autodiscover, SMB and SQL. For example, in May 2020, Pawn Storm scanned IP addresses around the world on TCP ports 445 and 1433, including those of the European defense industry, presumably to find vulnerable SMB and SQL servers or to brute force credentials. In August 2020, Pawn Storm also sent UDP probes from one of its dedicated IP addresses to LDAP servers around the world.

In 2020, Pawn Storm usually attempted to cover up these brute force attempts by routing the attack traffic through Tor and VPN servers. However, this is not always enough to hide the activity. In a Microsoft article on the brute forcing of Office 365 credentials through Tor, Microsoft attributed the activity to Strontium, which is another name for Pawn Storm. We wrote about the same attacks in early 2020. These brute force attacks started in 2019, and we can firmly attribute them to Pawn Storm because we were able to cross-correlate extensive detections on Microsoft Autodiscover servers worldwide with high-confidence indicators from the group’s more traditional attack methods (spear phishing and credential phishing).
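The two brute force patterns described above (many accounts with few attempts each, or one account hammered repeatedly) leave a distinctive footprint in authentication logs of an Internet-facing service such as Autodiscover. The following detection logic is an added example written for this entry; it is not Trend Micro’s tooling or anything from the actor. The log line format, the IP addresses, the accounts, the thresholds and the anonymizer list are all constructed assumptions.

```python
"""Password-spray / brute-force detection over constructed Autodiscover-style
authentication log lines (added example; format and sample data are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> <source IP> <target account> <path> <HTTP status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) "
    r"(?P<path>/autodiscover/\S+) (?P<status>\d{3})$"
)

# Constructed sample log. 198.51.100.7 sprays one attempt across many accounts
# and finally succeeds; 203.0.113.9 hammers a single account; 192.0.2.5 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2020-05-03T10:00:01Z 198.51.100.7 alice@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:00:02Z 198.51.100.7 bob@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:00:03Z 198.51.100.7 carol@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:00:04Z 198.51.100.7 dave@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:00:05Z 198.51.100.7 erin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:00:06Z 198.51.100.7 frank@example.org /autodiscover/autodiscover.xml 200
2020-05-03T10:01:00Z 203.0.113.9 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:01:01Z 203.0.113.9 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:01:02Z 203.0.113.9 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:01:03Z 203.0.113.9 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:01:04Z 203.0.113.9 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:01:05Z 203.0.113.9 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:02:00Z 192.0.2.5 alice@example.org /autodiscover/autodiscover.xml 401
2020-05-03T10:02:10Z 192.0.2.5 alice@example.org /autodiscover/autodiscover.xml 200
"""

# Constructed stand-in for a Tor-exit / VPN-provider feed (assumption, not a real list).
ANONYMIZER_IPS = {"198.51.100.7"}


def parse(log):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["failed"] = ev["status"] == "401"
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=10), spray_accounts=5, brute_attempts=5):
    """Return {source_ip: finding} for sources whose failed attempts inside a
    sliding time window hit either the spray or the brute-force threshold."""
    failed_by_src = defaultdict(list)
    for ev in events:
        if ev["failed"]:
            failed_by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in failed_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e["user"]] += 1
            kinds = []
            if len(per_user) >= spray_accounts:
                kinds.append("password_spray")      # few tries, many accounts
            if max(per_user.values()) >= brute_attempts:
                kinds.append("brute_force")         # many tries, one account
            if not kinds:
                continue
            # A success from the same source after the failures is the first thing to triage.
            success = any(not e["failed"] and e["src"] == src and e["ts"] >= start["ts"]
                          for e in events)
            findings[src] = {
                "kinds": kinds,
                "failed": len(in_win),
                "accounts": len(per_user),
                "success_after_failures": success,
                "anonymizer": src in ANONYMIZER_IPS,
            }
            break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, f in detect(parse(SAMPLE_LOG)).items():
        print(src, f)
```

The per-source window is what separates the spray from the legitimate mistyped password: the single failure from 192.0.2.5 never reaches either threshold, while the success from 198.51.100.7 after five different accounts is flagged together with its presence on the (constructed) anonymizer list, which is the kind of Tor/VPN cross-correlation mentioned above.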

To illustrate the simplicity of the malware in Pawn Storm’s recent spear phishing attack, we describe the following example:

Technical analysis of Google Drive RAT


Figure 1. Spear phishing email from Pawn Storm, collected in August 2020.

Starting in August 2020, Pawn Storm has sent several spear phishing emails with malicious RAR attachments. In the earliest samples we received, there were two almost identical RAR files, each containing a file called info.exe. Both versions of info.exe are self-extracting archives (SFX). Each extracts and executes two files, crypto.exe and gdrive.exe:

info.exe – c4a61b581890f575ba0586cf6d7d7d3e0c7603ca40915833d6746326685282b7 drops

  • crypto.exe – 661d4a0d877bac9b813769a85c01bce274a77b29ccbd4b71e5b92df3c425b93b
  • gdrive.exe – cbd9cb7b69f864ce8bae983ececb7cf8627f9c17fdaba74bd39baa5cdf605f79

info.exe – 3fd45b9b33ff5b6363ba0013178572723b0a912deb8235a951aa3f0aa3142509 drops

  • crypto.exe – 661d4a0d877bac9b813769a85c01bce274a77b29ccbd4b71e5b92df3c425b93b
  • gdrive.exe – 2060f1e108f5feb5790320c38931e3dc6c7224edf925bf6f1840351578bbf9cc

Decoy file

The file crypto.exe is a decoy that runs as soon as info.exe is executed. The application only displays a message box where the user can type a password for decryption. Examining the disassembly of this file shows that it displays a second message box only after a password has been entered in the main window.


Figure 2-3. The message boxes displayed by crypto.exe

After this application is closed, the SFX archive executes the file gdrive.exe. The two versions of gdrive.exe are almost identical, except that the version with hash 2060f1e108f5feb5790320c38931e3dc6c7224edf925bf6f1840351578bbf9cc base64-encodes the victim’s ID (comp_id).


Figure 4. gdrive.exe code snippet showing comp_id


Figure 5. gdrive.exe code snippet showing comp_id and base64 encoding

Initial run

The first thing the malware does is copy itself to the Startup directory to maintain persistence. It does this through cmd.exe using the following command:

  • move /Y "{malware_location}" "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdrive.exe"

Every time the malware uses cmd.exe to run a command, the standard output (STDOUT) of the executed command is piped and written to the Google Drive account using the following file name format:

  • {utcnow}_report_{victim’s ID}


Figure 6. Code snippet showing the execution of the command

The client secret and token used to read and write the attacker’s Google Drive account are hard-coded in the malware itself.



Figure 7-8. Code snippet showing client secret and token

Because this information is sent through Google Drive, the attacker can check whether the computer executing the malware is the intended target.

Receiving commands and data exfiltration

The bot checks the files in Google Drive every 20 minutes. If there is a file whose name matches the expected format (cmd_{victim’s ID}), it downloads the file and runs its content as a batch file.


Figure 9. Code snippet showing waiting command

Similarly, the STDOUT of the command is written back to Google Drive. Using Google Drive as a command and control (C&C) server in this way, the malware effectively acts as a reverse shell for the attacker.

The command file the bot receives from Google Drive is also deleted as soon as it has been downloaded.


Figure 10. Code snippet showing readFile

Using the “reverse shell” method described above, an attacker can use the following command to exfiltrate data/documents:

  • powershell -command "[Convert]::ToBase64String([IO.File]::ReadAllBytes('(unknown)'))"
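The persistence command, the Drive file name conventions and the PowerShell exfiltration command above all leave artifacts a defender can match on: in endpoint process-creation telemetry, and in the file listing of a Google Drive account reached through cloud audit logs or an API export. The following detection logic is an added example written for this entry, not Trend Micro’s tooling or the malware’s own code. The event dictionaries, the command lines, the Drive file names and the victim IDs are constructed; the exact timestamp layout of {utcnow} is not given above and is an assumption here.

```python
"""Detection of the Google Drive RAT's persistence, exfiltration and C&C naming
(added example; event format, sample data and the {utcnow} layout are assumptions)."""
import base64
import binascii
import re
from collections import defaultdict

# Copy of the dropper into the per-user Startup folder via "move /Y ...".
MOVE_RE = re.compile(r"\bmove\s+/y\b", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\"']+\.exe",
    re.IGNORECASE,
)
# Reading a whole file and base64-encoding it so it fits in a STDOUT report.
EXFIL_RE = re.compile(
    r"\[Convert\]\s*::\s*ToBase64String\s*\(\s*\[IO\.File\]\s*::\s*ReadAllBytes",
    re.IGNORECASE,
)
# Drive file names: cmd_{victim ID} and {utcnow}_report_{victim ID}; the
# timestamp layout below is an assumption.
CMD_RE = re.compile(r"^cmd_(?P<id>[A-Za-z0-9+/=_-]+)$")
REPORT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})_report_(?P<id>[A-Za-z0-9+/=_-]+)$")

# Constructed process-creation events (pid, parent image, command line).
SAMPLE_EVENTS = [
    {"pid": 1, "parent": "C:\\Users\\victim\\AppData\\Local\\Temp\\gdrive.exe",
     "cmdline": "cmd.exe /c move /Y \"C:\\Users\\victim\\AppData\\Local\\Temp\\gdrive.exe\" "
                "\"C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gdrive.exe\""},
    {"pid": 2, "parent": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gdrive.exe",
     "cmdline": "cmd.exe /c powershell -command \"[Convert]::ToBase64String("
                "[IO.File]::ReadAllBytes('C:\\Users\\victim\\Documents\\budget.docx'))\""},
    {"pid": 3, "parent": "C:\\Windows\\explorer.exe",   # benign move outside Startup
     "cmdline": "cmd.exe /c move /Y \"C:\\tmp\\notes.txt\" \"C:\\Users\\victim\\Documents\\notes.txt\""},
    {"pid": 4, "parent": "C:\\Windows\\explorer.exe",   # benign PowerShell
     "cmdline": "powershell -command Get-Date"},
]

# Constructed Drive listing: two victims (base64 IDs) plus an unrelated document.
SAMPLE_DRIVE_LISTING = [
    "2020-08-12T09:15:02_report_VGVzdFBDLTAx",
    "2020-08-12T09:35:04_report_VGVzdFBDLTAx",
    "cmd_VGVzdFBDLTAx",
    "quarterly_report_2020.xlsx",
    "cmd_ZGVza3RvcC0wNw==",
]


def classify_event(ev):
    """Return the behaviour tags an event matches (empty list means nothing of interest)."""
    tags = []
    cl = ev["cmdline"]
    if MOVE_RE.search(cl) and STARTUP_RE.search(cl):
        tags.append("startup_folder_persistence")
    if EXFIL_RE.search(cl):
        tags.append("base64_file_read")
    return tags


def scan_events(events):
    """Map pid -> tags for every event that matched at least one behaviour."""
    hits = {}
    for ev in events:
        tags = classify_event(ev)
        if tags:
            hits[ev["pid"]] = tags
    return hits


def decode_victim_id(vid):
    """Later gdrive.exe builds base64-encode comp_id; decode when it is printable text."""
    try:
        text = base64.b64decode(vid, validate=True).decode("ascii")
        if text.isprintable():
            return text
    except (binascii.Error, UnicodeDecodeError):
        pass
    return vid


def drive_channels(names):
    """Group Drive file names into per-victim-ID command/report channel counts."""
    chans = defaultdict(lambda: {"cmd": 0, "reports": 0})
    for name in names:
        m = CMD_RE.match(name)
        if m:
            chans[m["id"]]["cmd"] += 1
            continue
        m = REPORT_RE.match(name)
        if m:
            chans[m["id"]]["reports"] += 1
    return dict(chans)


if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))
    for vid, counts in drive_channels(SAMPLE_DRIVE_LISTING).items():
        print(decode_victim_id(vid), counts)
```

The two regexes for the command lines deliberately require both halves of each behaviour (a `move /Y` that lands in the Startup folder; a `ReadAllBytes` wrapped in `ToBase64String`), so the benign move and the ordinary PowerShell call in the sample are not flagged. On the Drive side, a victim ID that has both a cmd_ file and report files is a live channel, and decoding the ID recovers the host name the bot used.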


Figure 11. Code snippet showing data leakage

The secondary payload with the file name Google Drivemonitor.exe (0b94e123f6586967819fa247cdd58779b1120ef93fa1ea1de70dffc898054a09) is a keylogger. The collected keystrokes are stored in the same directory as the executed malware.


Figure 12. Code snippet showing key log

This secondary payload has no functionality of its own to upload the collected keystrokes back to the attacker. However, because the main malware acts as a “reverse shell”, the attacker can retrieve the collected keystrokes at a later time.

Later, the threat actors improved the malware, for example by adding encryption, and eventually also started to use an IMAP RAT.