
Top Middle East Cyber Threats - APT34 Special Edition

By Help AG MSS & Cybersecurity Analysis Team   |  Posted Tuesday, 23rd April 2019

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. Our Cybersecurity Analysis team is a leader in discovering Zero Day Vulnerabilities and providing superior Risk Mitigation recommendations. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, we share details on a current security threat our teams from MSS and Cybersecurity Analysis have recently been handling. So, read on to learn about what you need to look out for. We also encourage you to contact us for further discussions.

APT34 HACKING TOOLS LEAK

As reported by ZDNET, source code of several hacking tools used by the cyber espionage threat group, APT34, as well as compromised victim data was leaked on Telegram by an individual using the pseudonym “Lab Dookhtegan”.

APT34, also referred to as Helix Kitten and OilRig, has been responsible for many attacks, the most recent of which involved dumping confidential data on a Telegram channel. The data released not only contained tools, but also information such as names, addresses, photos and phone numbers, along with other sensitive data on some of its victims.

Lab Dookhtegan found that the data is mainly from countries in the Middle East, Africa, East Asia and Europe and belongs to both government agencies and private companies. Lab Dookhtegan has also leaked details about past APT34 operations, including listings of IP addresses and domains where the group previously hosted their web shells, and other operational intel. Some of the leaked hacking tools are listed below:

  • Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks dubbed BondUpdater)
  • PoisonFrog (older version of BondUpdater)
  • HyperShell (web shell that Palo Alto Networks dubbed TwoFace)
  • HighShell (another web shell)
  • Fox Panel (phishing kit)
  • Webmask (DNS tunnelling and main tool behind the DNSpionage attacks)

Besides hacking tools, Lab Dookhtegan has also published data from some of the compromised victims’ backend command-and-control (C&C) servers, mostly comprising username and password combinations collected via phishing pages.

Overview of the Leak

The first leak was dubbed “Poison Frog” and contains two parts:

  • A server-side module: a C2 written in Node.js
  • An agent: a PowerShell payload

The agent consists of two large base64 chunks which are decoded and loaded by PowerShell. It fetches a configuration file from “myleftheart[.]com”, creates several files and folders under “C:\Users\Public\Public” and drops the other two payloads. The process involves creating two scheduled tasks: one running with administrator rights and the other with normal user privileges. These tasks run every 10 minutes and drop two PowerShell scripts, “dUpdater.ps1” and “hUpdater.ps1”.

A major part of this leak is a rather large number of ASP web shells, dubbed “HighShell” and “HyperShell”, and other variants of these. HyperShell alone consists of more than 30,000 lines of code.

Some copycat activity derived from these leaked tools could be observed. But it is unlikely for there to be widespread use as the tools are not very sophisticated. Instead, it is likely that criminal groups who reuse these tools would do so as a smoke-screen or as a false flag to mask their operations as APT34.

Recommendations and Remediation

  • If you are concerned that your organization may have been compromised, Help AG recommends the following actions in the first instance:
    • Review perimeter network access logs for the dates, times and sources of attempted access from the IP indicators listed in this blog.
    • Review remote access logs for the dates, times and sources of authentication attempts, both successful and failed, from the IP indicators listed in this blog. This includes remotely accessible Virtual Desktop Infrastructure (e.g. Citrix) and VPN authentication logs.
    • If you believe you have, or have had, a malicious web shell present in your environment, review your organization’s web application protection and web server logs to identify the dates, times and sources of external access to the web shell URL.
  • If you discover events matching these indicators (a positive match), it could be evidence of compromise. You can reach out to Help AG for assistance. Existing Help AG clients can contact their respective Help AG escalation contact or Account Manager. Existing Help AG MSS clients should contact the Help AG CSOC directly (available 24 hours a day, 7 days a week). Anyone else who has concerns regarding detections or requires assistance with response actions can contact us here.
  • Whether or not you initiate an internal investigation, we recommend blacklisting the Indicators of Compromise (IoCs) listed below on your security appliances to help detect and prevent malicious activity.
  • Exercise caution when receiving or accessing unsolicited, unexpected or suspicious files, emails or URLs.
  • Maintaining a strict password policy in an organization is mandatory to prevent or minimize the possibility of prolonged exploitation.
  • Multi-factor authentication must be used for all user-login based activities for accounts, services, tools, etc.
  • Review privileges regularly and remove admin privileges from domain users who do not need them for their daily activities.
  • Disable the execution of scripts on users’ endpoint devices, or restrict execution to a virtual environment.

 

Indicators of Compromise

IP Addresses:


Help AG recommends reviewing historical data for the presence of these IoCs and blacklisting them on your security appliances.

SHA256 Hash:


File Names:

C:\Users\Public\Public\atag[0-9]{4}[A-Z]{2}

C:\Users\Public\Public\dUpdater.ps1

C:\Users\Public\Public\hUpdated.ps1

C:\Users\Public\Public\UpdateTask.vbs

Domain:

myleftheart[.]com
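To show how the log and endpoint review recommended above can be applied to the file-name and domain IoCs in this section, here is an added example (not code from Help AG or from the leak) that matches an endpoint file inventory and DNS resolver lines against those indicators. The inventory entries, the DNS line format and the `query=` field are constructed for the example; the IoC values themselves come from this post.

```python
import re
from typing import Iterable

# Indicators copied from the "File Names" and "Domain" sections above, written
# as regexes (backslashes escaped) so the atag[0-9]{4}[A-Z]{2} pattern can sit
# beside the literal paths.
FILE_NAME_IOCS = [
    r"C:\\Users\\Public\\Public\\atag[0-9]{4}[A-Z]{2}",
    r"C:\\Users\\Public\\Public\\dUpdater\.ps1",
    r"C:\\Users\\Public\\Public\\hUpdated\.ps1",
    r"C:\\Users\\Public\\Public\\UpdateTask\.vbs",
]
DOMAIN_IOCS = ["myleftheart[.]com"]

# Constructed sample data (not from any real host): file paths as an endpoint
# inventory might list them, and DNS resolver lines in a made-up format.
SAMPLE_PATHS = [
    r"C:\Users\Public\Public\atag1234AB",
    r"C:\Users\Public\Public\dupdater.ps1",   # NTFS is case-insensitive
    r"C:\Users\Public\Public\atag12AB",       # too few digits: no match
    r"C:\Users\Public\Documents\notes.txt",
]
SAMPLE_DNS_LINES = [
    "2019-04-20T10:01:02Z client=10.0.0.5 query=myleftheart.com type=A",
    "2019-04-20T10:01:03Z client=10.0.0.5 query=www.myleftheart.com type=A",
    "2019-04-20T10:01:04Z client=10.0.0.6 query=notmyleftheart.com type=A",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com into a plain hostname."""
    return domain.replace("[.]", ".")


def match_file_paths(paths: Iterable[str]) -> list[str]:
    """Return every path that fully matches a file-name IoC (case-insensitive)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in FILE_NAME_IOCS]
    return [p for p in paths if any(rx.fullmatch(p.strip()) for rx in compiled)]


def match_dns_lines(lines: Iterable[str]) -> list[str]:
    """Return queried names equal to an IoC domain or a subdomain of one.
    A plain substring check would also flag notmyleftheart.com, so the test
    is done on label boundaries."""
    domains = [refang(d).lower() for d in DOMAIN_IOCS]
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(name)
    return hits
```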

Help AG has already responded to multiple requests for assistance and would be glad to help you with your concerns. Our CSOC Team is committed to pro-active monitoring and is ready to respond to any detection of this threat using intelligence from our database and from external feeds.

As always, at Help AG, we’re here to help you protect against this and any other cyber threats so please reach out to us for all your cyber security needs.
