Top Middle East Cyber Threats- APT34 Special Edition
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. Our Cybersecurity Analysis team is a leader in discovering Zero Day Vulnerabilities and providing superior Risk Mitigation recommendations. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, we share details on a current security threat our teams from MSS and Cybersecurity Analysis have recently been handling. So, read on to learn about what you need to look out for. We also encourage you to contact us for further discussions.
APT34 HACKING TOOLS LEAK
As reported by ZDNET, source code of several hacking tools used by the cyber espionage threat group, APT34, as well as compromised victim data was leaked on Telegram by an individual using the pseudonym “Lab Dookhtegan”.
APT34, also referred to as HelixKitten and OilRig, has been responsible for many attacks, the most recent of which involved dumping confidential data on a Telegram channel. The data released not only contained tools, but also information such as names, addresses, photos and phone numbers along with other sensitive data on some of its victims.
Lab Dookhtegan found that the data is mainly from countries in the Middle East, Africa, East Asia and Europe and belongs to both government agencies and private companies. Lab Dookhtegan has also leaked details about past APT34 operations, which includes listing of IP addresses and domains where the group previously hosted their web shells and other operational intel. Mentioned below are some of the hacking tools:
- Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks dubbed BondUpdater)
- PoisonFrog (older version of BondUpdater)
- HyperShell (web shell that Palo Alto Networks dubbed TwoFace)
- HighShell (another web shell)
- Fox Panel (phishing kit)
- Webmask (DNS tunnelling and main tool behind the DNSpionage attacks)
Besides hacking tools, Lab Dookhtegan has also published data from some of the compromised victims’ backend command-and-control (C&C) servers, mostly comprising of username and passwords combinations collected via phishing pages.
Overview of the Leak
The first leak was dubbed “Poison Frog” and contains two parts:
- A server-side module which is a c2 made in node.js
- An agent which is a payload in the PowerShell.
The agent consists of two big base64 chunks which are loaded with the PowerShell. It fetches a configuration file from “myleftheart[.]com”, creates several files/folders in the file path “C:\Users\Public\Public” and drops the other two payloads. The process involves creating two scheduled tasks- one having administrator rights and the other with normal user privileges. These tasks are set to run and drop two PowerShell scripts; “dUpdater.ps1” and “hUpdater.ps” every 10 minutes.
A major part of this leak is a rather large amount of ASP Webshell, dubbed “HighShell” and “HyperShell”, and other variants of these. HyperShell consists of more than 30,000 lines of code.
Some copycat activity derived from these leaked tools could be observed. But it is unlikely for there to be widespread use as the tools are not very sophisticated. Instead, it is likely that criminal groups who reuse these tools would do so as a smoke-screen or as a false flag to mask their operations as APT34.
Recommendations and Remediation
- If you are concerned that your organization may have been compromised, Help AG recommends the following actions in the first instance:
- Review perimeter network access logs for dates, times and sources of attempted access from the list of IP indicators in this blog.
- Review remote access logs for dates, times and sources of authentication attempts, both successful and failed, from the IP indicators in this blog. This includes Virtual Desktop infrastructure that is accessible remotely (e.g. Citrix) and VPN Authentication logs.
- If you believe you have or have had a malicious web shell present in your environment, review your organization’s web application protection and web server logs to identify the dates, times and sources of external access to the web shell URL.
- If you discover events with indicators (a positive match) it could be evidence of compromise. You can reach out to Help AG for assistance. Existing Help AG Clients can contact their respective Help AG escalation contact or Account Manager. Existing Help AG MSS Clients should contact the Help AG CSOC directly (available 24 hours a day, 7 days a week). For anyone else who has concerns regarding detections or require assistance with response actions, please contact us here.
- Whether you initiate an internal investigation or not, we recommended blacklisting the below mentioned Indicators of Compromise (IoCs) on your security appliances to help detect and prevent malicious activity.
- Exercise caution when receiving or accessing unsolicited, unexpected, or suspicious files/emails/URLs.
- Maintaining a strict password policy in an organization is mandatory to prevent/minimize the possibility of prolonged exploitation.
- Multi-factor authentication must be used for all user-login based activities for accounts, services, tools, etc.
- Review privileges regularly and remove admin privileges for domain users who do not need these for their daily activities.
- Disable the execution of scripts on users’ endpoint devices or restrict execution to virtual environment.
Indicators of Compromise
IP Addresses:
185.161.210.83
185.56.91.61
46.165.246.196
185.236.76.80
185.236.77.17
185.181.8.252
185.191.228.103
70.36.107.34
109.236.85.129
185.15.247.140
185.181.8.158
178.32.127.230
146.112.61.108
23.106.215.76
185.20.187.8
95.168.176.172
173.234.153.194
173.234.153.201
172.241.140.238
23.19.226.69
185.161.211.86
185.174.100.56
194.9.177.15
185.140.249.63
81.17.56.249
213.227.140.32
46.105.251.42
185.140.249.157
198.143.182.22
213.202.217.9
158.69.57.62
168.187.92.92
38.132.124.153
176.9.164.215
88.99.246.174
190.2.142.59
103.102.44.181
217.182.217.122
46.4.69.52
185.227.108.35
172.81.134.226
103.102.45.14
95.168.176.173
142.234.200.99
194.9.179.23
194.9.178.10
185.174.102.14
185.236.76.35
185.236.77.75
185.161.209.157
185.236.76.59
185.236.78.217
23.227.201.6
185.236.78.63
Help AG recommends reviewing historic data for the presence of these IoCs and blacklisting the above mentioned IoCs.
SHA256 Hash:
27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768
2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
07e791d18ea8f2f7ede2962522626b43f28cb242873a7bd55fff4feb91299741
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
File Names:
C:\Users\Public\Public\atag[0-9]{4}[A-Z]{2}
C:\Users\Public\Public\dUpdater.ps1
C:\Users\Public\Public\hUpdated.ps1
C:\Users\Public\Public\UpdateTask.vbs
Domain:
myleftheart[.]com
Help AG has already responded to multiple requests for assistance and would be glad to help you with your concerns. Our CSOC Team is committed to pro-active monitoring and is ready to respond to any detection of this threat using intelligence from our database and from external feeds.
As always, at Help AG, we’re here to help you protect against this and any other cyber threats so please reach out to us for all your cyber security needs.
References:
