At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. Our Cybersecurity Analysis team is a leader in discovering Zero Day Vulnerabilities and providing superior Risk Mitigation recommendations. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share details on a current security threat our teams from MSS and Cybersecurity Analysis have recently been handling. So, read on to learn about what you need to look out for. We also encourage you to contact us for further discussions.
APT34 HACKING TOOLS LEAK
As reported by ZDNET, source code of several hacking tools used by the cyber espionage threat group, APT34, as well as compromised victim data was leaked on Telegram by an individual using the pseudonym “Lab Dookhtegan”.
APT34, also referred to as HelixKitten and OilRig, has been responsible for many attacks, the most recent of which involved dumping confidential data on a Telegram channel. The data released not only contained tools, but also information such as names, addresses, photos and phone numbers along with other sensitive data on some of its victims.
Lab Dookhtegan found that the data comes mainly from countries in the Middle East, Africa, East Asia and Europe and belongs to both government agencies and private companies. Lab Dookhtegan has also leaked details about past APT34 operations, including listings of IP addresses and domains where the group previously hosted its web shells, and other operational intel. Some of the leaked hacking tools are listed below:
- Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks dubbed BondUpdater)
- PoisonFrog (older version of BondUpdater)
- HyperShell (web shell that Palo Alto Networks dubbed TwoFace)
- HighShell (another web shell)
- Fox Panel (phishing kit)
- Webmask (DNS tunnelling and main tool behind the DNSpionage attacks)
Besides hacking tools, Lab Dookhtegan has also published data from some of the compromised backend command-and-control (C&C) servers, mostly username and password combinations collected via phishing pages.
Overview of the Leak
The first leak was dubbed “Poison Frog” and contains two parts:
- A server-side module: a command-and-control (C2) server written in Node.js
- An agent: a PowerShell payload
The agent consists of two large base64-encoded chunks that are decoded and loaded by PowerShell. It fetches a configuration file from “myleftheart[.]com”, creates several files and folders under “C:\Users\Public\Public” and drops the other two payloads. It then creates two scheduled tasks, one running with administrator rights and the other with normal user privileges. These tasks run every 10 minutes and drop two PowerShell scripts, “dUpdater.ps1” and “hUpdater.ps”.
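The host artifacts described above (the drop folder, the two updater scripts and the pair of scheduled tasks repeating every 10 minutes) give a defender something concrete to hunt for. The following PowerShell is an added example written for this post, not code from the original article or from the leaked tooling. It assumes the paths and file names quoted above are accurate, that the 10-minute repetition appears in the task definition as the ISO 8601 duration "PT10M", and that it is run in an elevated session so that all tasks are visible.

```powershell
# Hunt for Poison Frog host artifacts on a Windows endpoint.
# Added example (not from the original post). Run from an elevated PowerShell
# session; Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

$dropPath  = 'C:\Users\Public\Public'
$dropFiles = @('dUpdater.ps1', 'hUpdater.ps')   # file names as quoted in the post
$interval  = 'PT10M'                             # assumption: 10-minute repetition as ISO 8601

$findings = @()

# 1. File-system artifacts: the drop folder and the two updater scripts
if (Test-Path -LiteralPath $dropPath) {
    $findings += [pscustomobject]@{ Type = 'Path'; Detail = $dropPath }
    foreach ($f in $dropFiles) {
        $full = Join-Path $dropPath $f
        if (Test-Path -LiteralPath $full) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $full }
        }
    }
}

# 2. Scheduled tasks whose action references the drop folder or script names,
#    or that launch PowerShell on a 10-minute repetition
foreach ($task in Get-ScheduledTask) {
    $actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $hitsName = $dropFiles | Where-Object { $actions -match [regex]::Escape($_) }
    $hitsPath = $actions -match [regex]::Escape($dropPath)
    $tenMin   = $task.Triggers | Where-Object { $_.Repetition.Interval -eq $interval }
    $isPs     = $actions -match 'powershell'

    if ($hitsName -or $hitsPath -or ($tenMin -and $isPs)) {
        $findings += [pscustomobject]@{
            Type     = 'Task'
            Detail   = "$($task.TaskPath)$($task.TaskName)"
            RunLevel = $task.Principal.RunLevel   # 'Highest' = the elevated task, 'Limited' = the user-level one
            User     = $task.Principal.UserId
            Action   = $actions
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Poison Frog artifacts found.' }
```

The task check reports the run level of each matching task, which lets an analyst confirm the administrator/normal-user pairing the post describes rather than relying on file names alone; a renamed dropper that keeps the same trigger cadence still surfaces through the PowerShell-plus-PT10M condition.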
A major part of this leak is a rather large collection of ASP web shells, dubbed “HighShell” and “HyperShell”, along with other variants of these. HyperShell alone consists of more than 30,000 lines of code.
Some copycat activity derived from these leaked tools has already been observed, but widespread use is unlikely because the tools are not very sophisticated. Instead, criminal groups who reuse them would more likely do so as a smoke-screen or a false flag to mask their operations as APT34's.
Recommendations and Remediation
If you are concerned that your organization may have been compromised, Help AG recommends the following actions in the first instance:
- Review perimeter network access logs for dates, times and sources of attempted access from the list of IP indicators in this blog.
- Review remote access logs for dates, times and sources of authentication attempts, both successful and failed, from the IP indicators in this blog. This includes Virtual Desktop infrastructure that is accessible remotely (e.g. Citrix) and VPN Authentication logs.
- If you believe you have or have had a malicious web shell present in your environment, review your organization’s web application protection and web server logs to identify the dates, times and sources of external access to the web shell URL.
- If you discover events matching these indicators (a positive match), this could be evidence of compromise. You can reach out to Help AG for assistance. Existing Help AG clients can contact their respective Help AG escalation contact or Account Manager. Existing Help AG MSS clients should contact the Help AG CSOC directly (available 24 hours a day, 7 days a week). Anyone else who has concerns regarding detections or requires assistance with response actions can contact us here.
- Whether you initiate an internal investigation or not, we recommend blacklisting the Indicators of Compromise (IoCs) listed below on your security appliances to help detect and prevent malicious activity.
- Exercise caution when receiving or accessing unsolicited, unexpected, or suspicious files/emails/URLs.
- Maintain a strict password policy across the organization to prevent or minimize the possibility of prolonged exploitation.
- Use multi-factor authentication for all user logins to accounts, services, tools, etc.
- Review privileges regularly and remove admin privileges for domain users who do not need these for their daily activities.
- Disable the execution of scripts on users’ endpoint devices, or restrict execution to a virtual environment.
Indicators of Compromise
Help AG recommends reviewing historic data for the presence of these IoCs and blacklisting the above-mentioned IoCs.
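The log-review steps in the recommendations above (perimeter logs, remote-access and VPN authentication logs, and web server logs for access to a web shell URL) all reduce to the same check: does a line contain an IP address or path from the indicator list? The PowerShell function below is an added example written for this post, not code from the original article. The indicator addresses and log lines in it are constructed for illustration (documentation-range addresses, a hypothetical web shell path and made-up IIS and VPN records); the function itself is what you would point at the real IoC list and your own log exports.

```powershell
# Match historic log lines against IP indicators and optional web shell paths.
# Added example (not from the original post); indicators and log lines below are constructed.

function Find-IocHits {
    param(
        [Parameter(Mandatory)] [string[]] $IndicatorIps,
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $WebShellPaths = @()        # optional: web shell URLs identified during response
    )
    # Hash set for O(1) lookups when the indicator list is long
    $ipSet   = [System.Collections.Generic.HashSet[string]]::new([string[]]$IndicatorIps)
    $ipRegex = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

    foreach ($line in $LogLines) {
        # Every IPv4 literal in the line (client IP, source IP, X-Forwarded-For, ...) is checked
        $matchedIps = [regex]::Matches($line, $ipRegex) |
            ForEach-Object Value |
            Where-Object { $ipSet.Contains($_) } |
            Select-Object -Unique
        $matchedPaths = $WebShellPaths | Where-Object { $_ -and $line.Contains($_) }

        if ($matchedIps -or $matchedPaths) {
            [pscustomobject]@{
                Indicator = (@($matchedIps) + @($matchedPaths) | Where-Object { $_ }) -join ','
                Line      = $line
            }
        }
    }
}

# Constructed indicators: RFC 5737 documentation addresses, NOT real IoCs from the leak
$iocIps     = @('198.51.100.23', '203.0.113.77')
$shellPaths = @('/images/clock.aspx')          # hypothetical web shell path

# Constructed sample: two IIS W3C lines and one VPN authentication line
$sample = @(
    '2019-04-20 08:15:02 10.0.0.5 POST /images/clock.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 0 0 312',
    '2019-04-20 08:15:09 10.0.0.5 GET /index.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 25',
    'Apr 20 09:01:44 vpn01 sslvpn: user=jdoe src=203.0.113.77 result=FAILED reason=bad_password'
)

# Expect two hits: the web shell POST from 198.51.100.23 and the failed VPN login from 203.0.113.77
Find-IocHits -IndicatorIps $iocIps -LogLines $sample -WebShellPaths $shellPaths | Format-List

# Against real data, e.g.:
# Find-IocHits -IndicatorIps (Get-Content .\iocs.txt) -LogLines (Get-Content .\u_ex190420.log)
```

Matching every IPv4 literal in the line rather than one fixed column keeps the function usable across IIS, firewall, Citrix and VPN formats without a parser per source; the trade-off is that a server's own address appearing in the indicator list would also match, so review hits rather than acting on them automatically. Because the post recommends checking both successful and failed authentications, the function deliberately does not filter on the result field.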
Help AG has already responded to multiple requests for assistance and would be glad to help you with your concerns. Our CSOC team is committed to proactive monitoring and is ready to respond to any detection of this threat using intelligence from our database and from external feeds.
As always, at Help AG, we’re here to help you protect against this and any other cyber threats so please reach out to us for all your cyber security needs.