
Okay, hey guys. Yeah, two first names, a first name and a last name, pretty weird, but it happens all the time. So, good afternoon everybody. Today we're going to talk about "When Diplomats Send BEACON", which is basically a retrospective of APT29 phishing campaigns. Since I have about 150 slides, you could just skip the first five slides... that was a joke. So, I'm one of the many people at Mandiant in the UK and Ireland team and I've worked in IR for the last seven years; in the last few years I've been mostly concerned with Russian and Chinese APTs.

For today, we're going to provide a really quick overview of APT29 and any updates in the last year. Afterwards, we're going to provide an overview of the phishing campaigns of APT29 in, for example, January of last year, and then we're going to dive into the details: we're going to discuss the phishing campaigns in the form of initial access, what happens afterwards, how they maintain access, how they move laterally, how they escalate privileges and so on. Then a short case study of a real case at a European foreign ministry: what actually happens if such a phishing campaign is successful. And at the end, of course, an outlook on the future: what's next and how can we actually defend against them. But let's start with a quick overview of APT29, and what
a threat group is in Mandiant's terms. So Mandiant tracks different threat groups and we tend to group them into, let's say, three to four bigger buckets. The first group is the APT group, the advanced persistent threat groups, and then there are two more groups. But why are we grouping them in the first place? Because we try to attribute attacks to specific threat actors in order to then use this information for future engagements, for example. So we check threat groups, for example, by IOCs, as we've heard before, malware families, TTPs and so on, and those artifacts make up a threat group. Depending on how much information we have on a threat group, it might be categorized as an UNC group, an uncategorized group, which is basically just a threat group where we don't really have enough information to group them as an APT or a FIN. A FIN group is basically a group which is financially motivated, so the main goal is to gain financial rewards, while an APT is mostly oriented towards espionage and so on.

But today we talk about APT29. APT29 has been tracked by Mandiant since 2014 and we are very sure that they are a Russian nation-state sponsored espionage group, sponsored by the Russian Foreign Intelligence Service, or SVR, so it's not really news. But in 2022 there were two major updates to this group, because just because we're tracking an UNC group doesn't mean that this UNC group stays an UNC group forever. Depending on the information, an UNC group might merge into different groups: two UNC groups might merge into one UNC group, or maybe an UNC group might emerge into a single original APT group. Usually it takes several months or years for an UNC group to be fully promoted to an APT, so it's way more likely that an UNC group gets merged into an existing APT. And exactly this happened in 2022 for APT29, twice, with two groups. The first was UNC2652, which is mostly targeting diplomatic entities or organizations which are closely tied to embassies and so on, with phishing emails containing malware attachments and so on. This group was merged in February 2022 into a different UNC group, UNC2452, and this particular group is for example known for the SolarWinds supply chain compromise in December 2022, which then later on in April got merged into APT29. So we can see that APT29 is not really just a very small, specific group; it's a very sophisticated, broad group which has different types of attacks on, let's say, different scales as well.

If you now take a look at the victims and the locations of victims for APT29, you see that the victims are mostly spread across the Western world, which is basically Europe and North America. If we take a look at the target industries, they are spread across several sectors, education, financial, government, healthcare and so on, with a big, big focus on governments. Since APT29 is rather sophisticated, there might be different ways of intruding into victims. For example, in the beginning, in 2014 and 2015, they used mostly stolen credentials, phishing emails and so on, and then later on, in 2018, they began to password spray, or in 2022 where, for example, there was the supply chain compromise with SolarWinds and so on. If we now map those initial infection vectors onto our previously explained UNC groups, we can suddenly match, for example, UNC2452 with the supply chain attack and UNC2652 with email phishing into those initial infection vectors. This basically means that APT29 is very likely made up of three different teams for different tasks. So, for example, UNC2652's main task is to gain initial access via phishing emails, while UNC2452 might be more complex and sophisticated with supply chain compromises and so on. As soon as this access has been established, the access might be handed over to a different group whose main focus might be espionage or exfiltration of credentials and so on. Pretty good, but now let's get back to the original topic, phishing.

So, a quick overview of 2022 and what types of phishing we've identified. APT29 is very, very active when it comes to
phishing, especially when it comes to phishing government entities. On this screen we can see just Q1 2022, because I couldn't fit the remaining three quarters onto the screen. For example, here on January 18th there is an email subject which states "note", a note verbale, which is a very common term amongst international organizations and governments; it's just a term used to communicate different updates, for example "Note verbale: non-working days of the Embassy of the Republic of Poland". It is basically just an out-of-office message. But why is this interesting? Because with those phishing campaigns we've seen that the sender is usually a government entity, or they try to spoof a government entity. That means we've seen compromised government entities spamming other government entities in order to gain access there, so you can't rely on SPF checks because those emails are all valid. The main goal of those phishing emails is of course to gain initial access, and for that they use different lures: for example, they use existing access to inboxes to reuse previous conversations, for example previous email conversations, they use documents which they have exfiltrated from inboxes or from different networks and so on, and of course they scrape this sender information from public information available on the internet. For example, if you look up the embassy of Austria in the UK, you can see the contact details of the PA to the Ambassador, the Ambassador themselves, or maybe even a distribution list for the entire embassy, and with this information it's really easy to target specific countries or specific persons.

So what are the components of such a typical APT29 phishing campaign? First, of course, we have a phishing email with some form of payload. This payload is usually a ROOTSAW HTML attachment, which we're going to cover later on. Then, usually afterwards, you have some archive in the form of IMG, ISO, VHD, VHDX and so on, and then a shortcut inside it which
finally downloads the next stage. Good, then let's cover all of those in detail. Let's start with the phishing emails. For example, this is all public information, by the way; there's nothing confidential, it's public information. In this particular case we can see that the sender was a compromised state agency in Europe, it was sent in February 2022 and it was luring the victim with the subject "Note verbale: non-working days of the Embassy of Portugal", with a typo in the subject. It's not the first time that we've seen APT29 having typos, because apparently there's no QA in their campaigns, who knows. But basically it is really straightforward: the body is just "please regard the note verbale attached, kind regards", then a name, "I am the assistant to the Ambassador of the Embassy of Portugal", and all the information about this person is really available. The signature is also valid because they very likely exfiltrated this signature from a previous breach somewhere else, and the main payload is basically an HTML file which I'm going to cover in two slides.

Another example, just a few days later. In this case we have a compromised victim; the compromised victim in that case was the domain moh.gov.ps, or whatever .gov address, and if you don't know what the TLD .ps is, it's Palestine. In this particular case the Ministry of Health of Palestine was compromised and was used in order to lure other governments into getting infected. In this particular case they pretended to be the Embassy of the Republic of Poland again, with a PA to the Ambassador. In many of those cases we've actually seen the victim and the attacker communicating with each other, for example: "hey, I can't download the attachment, can you please try it again, can we start again?" So the attacker actually sent different versions of the payload, you can see v2 and so on, until they actually got a foothold in there. Good, so this was the initial phishing email, let's say. So what is the
payload? The payload is, as I mentioned before, something we call ROOTSAW. ROOTSAW is basically just an HTML document with a bunch of JavaScript in there which performs something called HTML smuggling, which is basically just smuggling an additional file inside the HTML file. That means this HTML file is not hosted somewhere on the internet and so on; it is an attachment, and if you double-click it the browser will open it by default and instantly download the next payload, which is NV.img. We've seen different campaigns where ROOTSAW was either delivered as an attachment or was hosted externally on a website and in the email was a link to download it.

This was from a phishing campaign, I think in early 2022, where the attachment was a PDF which is perfectly from the Ministry of Foreign Affairs and Trade of Hungary: the stamp is real, the signatures are real, only this small little link is not real, and this link later on led to a hosted ROOTSAW sample on the internet. The question is why did they suddenly move from an attached ROOTSAW sample to a linked ROOTSAW sample? One idea might be that they can now just bypass any inbox filtering: for example, if you would say okay, we're blocking .htm and .html attachments, ROOTSAW couldn't be downloaded, but if they now suddenly go to hosted ones
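The talk describes ROOTSAW as a small HTML file whose JavaScript decodes an embedded blob and hands it to the browser as a download (HTML smuggling). The following is an added example, not code from the talk or from Mandiant: a scanner that looks for that combination of browser APIs and a large base64 literal in HTML attachments, and a wrapper that walks the attachments of an .eml so it can be run over an inbox export. The sample HTML, the e-mail addresses and the "QUFB" filler are constructed for the demo; the indicator list and thresholds are the author's own choices, not a published rule.

```python
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Browser APIs and attributes that HTML smuggling needs: decode an embedded
# literal, wrap it in a Blob, and push it to the user as a file download.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "container_name": re.compile(r"\.(?:iso|img|vhdx?|zip)\b", re.I),
}
BASE64_MIN_LEN = 1000   # a literal this long inside a script is unusual for a genuine note
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BASE64_MIN_LEN)


def scan_html_attachment(html: str) -> dict:
    """Score one HTML document; returns the indicators seen and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blob_len = max((len(m.group(0)) for m in BASE64_RUN.finditer(html)), default=0)
    if blob_len:
        hits.append("large_base64_literal")
    # Either the page builds a Blob and hands it to the browser as a download,
    # or it carries a large embedded literal next to several of the APIs above.
    delivers = "blob" in hits and ("object_url" in hits or "ms_save_blob" in hits)
    suspicious = (delivers and "download_attr" in hits) or (blob_len > 0 and len(hits) >= 3)
    return {"suspicious": suspicious, "indicators": sorted(hits), "largest_base64_literal": blob_len}


def scan_eml(raw_eml: str) -> list:
    """Scan every .htm/.html attachment in an RFC 822 message (inbox sweep use case)."""
    results = []
    for part in message_from_string(raw_eml).walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            results.append({"filename": name, **scan_html_attachment(body)})
    return results


# --- constructed samples (not real campaign files) ---------------------------
FILLER = "QUFB" * 400   # base64 of "AAA..." repeated: an inert stand-in for a smuggled file
SUSPICIOUS_SAMPLE = (
    "<html><body><p>Loading the note verbale, please wait...</p>\n<script>\n"
    "var data = '" + FILLER + "';\n"
    "var bin = atob(data);\n"
    "var blob = new Blob([bin], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob);\n"
    "a.download = 'NV.img';\n"
    "a.click();\n</script></body></html>"
)
BENIGN_SAMPLE = (
    "<html><body><h1>Non-working days of the Embassy</h1>\n"
    "<img src='/static/seal.png' alt='seal'>\n"
    "<script>document.getElementById('y').textContent = new Date().getFullYear();</script>\n"
    "<span id='y'></span></body></html>"
)


def build_sample_eml(attachment_html: str, filename: str) -> str:
    """Wrap an HTML document as a base64 attachment in a constructed message."""
    msg = MIMEMultipart()
    msg["From"] = "pa.ambassador@embassy.example"          # constructed addresses
    msg["To"] = "protocol@ministry.example"
    msg["Subject"] = "Note verbale: non-working days of the Embassy"
    msg.attach(MIMEText("Please regard the note verbale attached. Kind regards.", "plain"))
    part = MIMEBase("text", "html")
    part.set_payload(attachment_html.encode("utf-8"))
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    for r in scan_eml(build_sample_eml(SUSPICIOUS_SAMPLE, "NV.html")):
        print(r)
```

The verdict deliberately needs more than one indicator, because `atob` or a `download` attribute alone is common in legitimate web pages; the Blob-to-download chain plus a large embedded literal is the part that has no good reason to be inside an e-mail attachment. Because the talk notes that later campaigns linked to a hosted ROOTSAW instead of attaching it, the same scanner is only half of the picture; URL rewriting or proxy-side inspection has to cover the hosted case.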
we miss them, and they just bypass the inbox, which is quite neat to be honest. ROOTSAW itself is quite boring: it's just a few lines of JavaScript, not really any HTML, so yeah, not too interesting, it's just basically HTML smuggling. Good, but what is actually the spicy content? The spicy content in here is the next one, so ROOTSAW usually drops an archive. An archive would be, for example, .iso, .img, .vhd, .vhdx and so on, and the cool thing about that is that Windows supports them natively. So if I download this, I can just double-click it and suddenly I have mounted a new drive; it's like if you put in, let's say, a thumb drive and so on. The cool thing about using ISO images or ISO archives and so on is that I can put in as many files as I want, I can even have a folder structure and so on, and they can hide folders. So in this particular screenshot you should only be able to see the document called "covid", because the folder "bin", which contains EXEs and DLLs and so on, is hidden, so you can't see it unless you have, of course, the Explorer option to view hidden files and folders and extensions enabled. Another cool thing is that I don't have any ADS streams, so no Mark of the Web, no Zone.Identifier. That means, usually if you download a file from the internet and you double-click it, you get "do you really want to execute it, yes or no?"; that's not the case with archives. But apparently this has already been changed with the latest November update, or it's going to change, because Microsoft suddenly got wind of it: not only APT29 is abusing this feature, other spamming campaigns are using the same feature. So what is hidden in this bin folder? Usually there are some hidden payloads, which are for example BEATDROP or Salt Shaker, which I'm going to cover on some later slides. But let's talk about this "covid" file: we can already see here the type is shortcut,
and before that, if we get back to the archives: if we inspect the archives we have some, let's say, cool opportunities for threat hunting, because those archives contain additional information which we can then use to threat hunt, for example on our inboxes, on our disks and so on. For example, we see here the field Application ID, which contains the application ID or string of the application which was used to create this archive, and the cool thing about this information is that it is static amongst all campaigns. So if I know that UNC2652 or APT29 is using this particular version of ImgBurn, version 2.5.0.0, in an iteration and so on, I can just scan the entire environment for ISO image files with this particular ID, and the chance that those might be related to APT29 phishing campaigns is relatively high. So, cool threat hunting opportunities. Furthermore, I might get an idea of when this archive was actually created: was this archive created just the day before the email was sent out, or is it also some old stuff, for example.

But now let's cover our shortcut files. So we've seen them using shortcuts. What is a shortcut? For example, if you right-click on any file on your system and then select "send to desktop", then a shortcut is created on
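The Application ID and creation timestamp the talk hunts on both live in the ISO 9660 primary volume descriptor (sector 16 of the image). The following is an added example, not code from the talk or from Mandiant: it parses those fields straight from the raw bytes, matches the Application ID against a watchlist, and checks whether the image was built within a window before the e-mail that carried it. The watchlist regex (an "IMGBURN V2.5.0.0" string, after the version the speaker mentions) and the sample images are constructed assumptions; the exact string a given tool writes has to come from your own samples.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR          # the primary volume descriptor lives in sector 16

# Application Identifier strings to hunt for. The talk names ImgBurn 2.5.0.0 as the
# tool seen across campaigns; the exact string format used here is an assumption.
WATCHLIST = [re.compile(r"IMGBURN\s+V2\.5\.0\.0", re.I)]


def parse_dec_datetime(raw: bytes):
    """ISO 9660 dec-datetime: 16 ASCII digits YYYYMMDDHHMMSScc plus a signed GMT offset in 15-minute steps."""
    digits = raw[:16].decode("ascii", "replace")
    if not digits[:14].isdigit() or digits[:4] == "0000":
        return None                                  # all zeros means "not specified"
    offset = struct.unpack("b", raw[16:17])[0]
    naive = datetime.strptime(digits[:14], "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone(timedelta(minutes=15 * offset)))


def parse_pvd(image: bytes):
    """Return the identifier and date fields of the primary volume descriptor, or None if not ISO 9660."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None

    def text(start, length):
        return pvd[start:start + length].decode("ascii", "replace").strip()

    return {
        "volume_id": text(40, 32),
        "publisher_id": text(318, 128),
        "data_preparer_id": text(446, 128),
        "application_id": text(574, 128),
        "created": parse_dec_datetime(pvd[813:830]),
        "modified": parse_dec_datetime(pvd[830:847]),
    }


def hunt_iso(image: bytes, email_seen_at=None, window_hours=48) -> dict:
    """Flag images whose builder string is on the watchlist or that were built just before the e-mail."""
    info = parse_pvd(image)
    if info is None:
        return {"is_iso9660": False}
    if isinstance(email_seen_at, str):
        email_seen_at = datetime.fromisoformat(email_seen_at)
    fresh = None
    if email_seen_at is not None and info["created"] is not None:
        age = email_seen_at - info["created"]
        fresh = timedelta(0) <= age <= timedelta(hours=window_hours)
    return {
        "is_iso9660": True,
        "application_id": info["application_id"],
        "created": info["created"],
        "watchlist_hit": any(rx.search(info["application_id"]) for rx in WATCHLIST),
        "built_just_before_email": fresh,
    }


def build_sample_iso(application_id: str, created: str) -> bytes:
    """Constructed minimal image: 17 sectors with only a PVD (enough for the scan, not mountable)."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[40:72] = b"NV".ljust(32)
    pvd[574:702] = application_id.encode("ascii").ljust(128)
    pvd[813:830] = created.encode("ascii").ljust(16, b"0") + b"\x00"   # offset byte 0 = GMT
    return bytes(PVD_OFFSET) + bytes(pvd)


if __name__ == "__main__":
    sample = build_sample_iso("IMGBURN V2.5.0.0 - CONSTRUCTED SAMPLE", "2022021709300000")
    print(hunt_iso(sample, email_seen_at="2022-02-18T08:00:00+00:00"))
```

Run over an attachment store or a file share, the two signals complement each other: the Application ID ties an image to a tool the actor is known to use, and a creation time a few hours before the e-mail separates purpose-built lures from the old installer images that the same sweep will also turn up.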
the desktop. The cool thing about shortcut files is that they can basically execute anything. So I can define in the shortcut: please execute PowerShell with the command line ABCD and so on, and as soon as I double-click the shortcut file, PowerShell will execute it. But it gets even nicer, because I can define different arguments in the shortcut file. One argument is, for example, the icon location. For example, if you have a document on your desktop you have this little Word symbol on it, and shortcuts also have icons, and depending on what application you're executing, for example rundll32 or Word, the shortcut will automatically use the icon of the application I execute unless I define a different icon. So I can execute PowerShell or some binary, but the icon is a PDF, a text document and so on. Another cool thing is that the .lnk file extension is hidden by default, so the victim just sees "covid" or whatever with a PDF icon, double-clicks it, and in the background I execute rundll32 with a command line pointing at a DLL and an argument, for example. So it's really neat, to be honest. And of course, similar to the archives, here we have some threat hunting opportunities, for example in the properties, in fields such as the MAC address, which is the MAC address of the system which created the LNK file; the same with the MAC vendor, in this case the vendor for the system where this LNK was created was likely a virtual system; and my favorite is the machine ID, which is basically just the workstation name, and this information is also static amongst all campaigns of APT29, or for example also other Russian groups. So if I just take this information, the MAC and the rest of these, and then hunt across my entire environment and look for shortcuts or LNK files with the string "desktop" and so on, then it's very, very likely that these LNK files are malicious. Perfect, great, good. Now let's get to the
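The machine ID and MAC address the talk hunts on come from the TrackerDataBlock of the shortcut (documented in MS-SHLLINK): it stores the NetBIOS name of the creating host and two object-ID GUIDs that are version-1 UUIDs, so their node field is the MAC of the creating machine's NIC and their time field is when the ID was assigned. The following is an added example, not code from the talk or from Mandiant: it locates that block by its signature, decodes those fields, looks the OUI up in a small excerpt of real vendor assignments to spot virtual machines, and compares against a watchlist. The watchlist values, the sample shortcut and the `build_sample_lnk` helper are constructed; a real sweep would feed it every .lnk found on disk or extracted from archives.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIG = struct.pack("<II", 0x60, 0xA0000003)   # BlockSize, BlockSignature of TrackerDataBlock
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # version-1 UUID time base

# Small OUI excerpt (real assignments) used to recognise virtual NICs.
OUI_VENDORS = {"00:0C:29": "VMware", "00:50:56": "VMware",
               "00:15:5D": "Microsoft Hyper-V", "08:00:27": "VirtualBox"}
VIRTUAL_VENDORS = set(OUI_VENDORS.values())

# Hunting watchlist: placeholders to be replaced with values from your own samples.
WATCHLIST_MACHINE_IDS = {"desktop-abc123"}
WATCHLIST_MACS = {"00:0C:29:AA:BB:CC"}


def uuid_v1_node_and_time(u: uuid.UUID):
    """MAC address and timestamp embedded in a version-1 UUID (None for other versions)."""
    if u.version != 1:
        return None, None
    mac = ":".join(f"{b:02X}" for b in u.node.to_bytes(6, "big"))
    return mac, UUID_EPOCH + timedelta(microseconds=u.time // 10)


def parse_tracker_block(lnk: bytes):
    """Find and decode the TrackerDataBlock: Length, Version, MachineID[16], Droid[32], DroidBirth[32]."""
    i = lnk.find(TRACKER_SIG)
    if i < 0 or len(lnk) < i + 0x60:
        return None
    body = lnk[i + 8:i + 0x60]
    length, version = struct.unpack_from("<II", body, 0)
    if length != 0x58 or version != 0:
        return None
    machine_id = body[8:24].split(b"\0", 1)[0].decode("ascii", "replace")
    droid_file = uuid.UUID(bytes_le=body[40:56])         # object ID of the file on the creating host
    mac, created = uuid_v1_node_and_time(droid_file)
    return {"machine_id": machine_id, "mac": mac, "droid_file_time": created,
            "vendor": OUI_VENDORS.get(mac[:8]) if mac else None,
            "same_birth_volume": body[24:40] == body[56:72]}


def hunt_lnk(lnk: bytes) -> dict:
    info = parse_tracker_block(lnk)
    if info is None:
        return {"has_tracker": False}
    reasons = []
    if info["machine_id"].lower() in WATCHLIST_MACHINE_IDS:
        reasons.append("machine_id on watchlist")
    if info["mac"] in WATCHLIST_MACS:
        reasons.append("mac on watchlist")
    if info["vendor"] in VIRTUAL_VENDORS:
        reasons.append(f"created on a {info['vendor']} virtual machine")
    return {"has_tracker": True, **info, "suspicious": bool(reasons), "reasons": reasons}


# --- constructed sample builder ---------------------------------------------
def make_v1_uuid(created: datetime, node: int, clock_seq: int = 0x1234) -> uuid.UUID:
    d = created - UUID_EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10   # 100 ns units
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, ((ticks >> 48) & 0x0FFF) | 0x1000,
              0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields)


def build_sample_lnk(machine_id: str, mac: str, created) -> bytes:
    """Only a header stub plus a TrackerDataBlock: enough for the scan, not a complete shortcut."""
    if isinstance(created, str):
        created = datetime.fromisoformat(created)
    file_droid = make_v1_uuid(created, int(mac.replace(":", ""), 16))
    volume_droid = uuid.UUID(int=0x1234)
    block = (TRACKER_SIG + struct.pack("<II", 0x58, 0) + machine_id.encode().ljust(16, b"\0")
             + volume_droid.bytes_le + file_droid.bytes_le + volume_droid.bytes_le + file_droid.bytes_le)
    header = struct.pack("<I", 0x4C) + bytes(0x48)
    return header + block + b"\0\0\0\0"


if __name__ == "__main__":
    print(hunt_lnk(build_sample_lnk("desktop-abc123", "00:0C:29:AA:BB:CC", "2022-01-10T12:00:00+00:00")))
```

The UUID timestamp is a third pivot the talk does not mention: it records when the creating system first assigned the object ID, which, like the ISO creation date, can be compared with the e-mail date.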
actual spicy stuff, the malware. So this LNK now executes something which is cool, and one of those things which usually got executed was a downloader written in C which we named BEATDROP. By the way, all this malware which I'm going to mention from now on was first discovered with APT29 and it's not, let's say, open source and so on. So BEATDROP is a downloader written in C that utilizes legitimate services as C2 channel; there's some encryption going on. Basically, as soon as BEATDROP executes, it collects information about the victim, sends this information to the C2, and then, depending on whether there's a payload for my victim, the payload is going to be downloaded. So it's a bit sophisticated, and then usually as follow-up payload we've seen them deploying and executing BEACON. I just mentioned before that they use popular legitimate services as C2: for example, the initial version used Trello, which is kind of a task platform, a legitimate service, and they simply abused it to host payloads and to store victim information there. Then later versions of BEATDROP suddenly switched to Dropbox, and then furthermore suddenly switched to Slack. What is the issue here? The issue is that they are basically not using any custom C2 domains or IPs; they're using legitimate services such as Trello, Dropbox and Slack. So depending on your environment, if you use Trello in your environment, this is just going to hide in your traffic. Same for Dropbox and Slack: for example, even if you identify okay, there's some BEATDROP in our environment and it's using Slack, we can't just simply block Slack because Slack is our main communication channel. So it might be really tricky.

Good, so this basically happened in February last year, and then suddenly in May we see something else being executed: suddenly we don't have any BEATDROP anymore but something which we named Salt Shaker, which is basically very, very similar to BEATDROP but written in C#, .NET, and suddenly we have Google Drive as the new legitimate service, again with some upload of victim data, download of encrypted payloads, executing payloads and so on. In addition to that, which is a difference to BEATDROP, Salt Shaker suddenly comes with persistence capabilities. BEATDROP itself was just a downloader which downloads stuff and executes stuff, that's it, no persistence, and suddenly Salt Shaker has some persistence in here. In this particular case, which is unfortunately not on the slide, we've seen Salt Shaker versions disguising as a Java update and so on, so it's quite easy, to be honest. So we have BEATDROP, now Salt Shaker, I mean already two custom downloaders, which is quite interesting. But then in October 2022 something new came onto the floor which we named Fancy Feet. By the way, if you wonder how and why we name them: it's basically the person who identified it who can name the malware, and depending on who the person is you get cool names or rather lame names, but usually it's basically like password generators for kids which just add two words, that's how we create them. Anyway, let's get back to the slide. So we identified Fancy Feet in October 2022, and Fancy Feet is very, very, very similar to BEATDROP, with some code differences and with another new legitimate service as C2 channel, which in that case is Notion. Notion is just a note-taking application which is widely used, and of course again with persistence capabilities via Run keys. And to this day we still see Fancy Feet being used by the threat actors, by APT29. Another question is, okay, how recently have we seen them? Very recently, for example this Monday. So this is also public information: we see here on VirusTotal a file called "forward meeting request ambassador of the Czech
Republic.eml", so it's an email. Basically somebody uploaded on Tuesday, during Tuesday this week, a forwarded email with that subject to VirusTotal, and everybody who knows VirusTotal: if you have the right access you can just download the files, inspect them and so on. So what was in this email file? Since it's a forward, this is basically the original email, and we can see here that apparently the assistant to the Ambassador of the Embassy of the Czech Republic is trying to invite somebody to some random event, and here's a link to register. Another person, who is apparently the assistant to the Greek Embassy in Russia, so you have two different countries talking in Russian: "hey, good afternoon, please see the letter we received". Somehow this email ended up on VirusTotal, weird, but that's how things happen. So what is behind this link? Basically behind this link we see this page, which is also still live, so if you want to visit it and have a look at it, feel free to. This is basically the Ambassador's schedule for February 2023, which is just a ROOTSAW download. So basically, I think with two or three seconds delay, ROOTSAW is going to be downloaded, which then contains two files: we have a DLL and a meetinginfo.exe, and this time we don't have any HTML, ISO, LNK; we just have a simple DLL and an EXE file. Basically the goal is to execute meetinginfo in order to, of course, view the schedule of the Ambassador, but in reality meetinginfo is a digitally signed and valid application, a crash reporting utility, which then loads via DLL search order hijacking the file BugSplatRc64.dll. The issue with that DLL is that it is malicious and in reality contains Fancy Feet, which is quite interesting.

Furthermore, are there any more campaigns? If we take some information from that DLL, have a look at this DLL, and then maybe create some YARA rules and then perform some retro hunting on VirusTotal, we find something like this, which is even more up to date: for example, that file was created on Sunday the 5th and was initially uploaded by two uploaders, one in Poland and one in the US. So there might be some other campaign going on and they might target Poland, who knows, but this is public and we can see that they are constantly targeting different embassies with different themes, different malware families, because they constantly change, and so on. Quite interesting, and again here no
HTML, ISO, LNK, and we have not identified the corresponding email to this payload yet, but it's very likely that there's some email phishing going on where this Salt Shaker is the final payload. Good, so let's say the phishing was successful. What happens next? How do they maintain access, escalate privileges, move laterally and so on? One way of persistence would be, for example, another new malware which we named BOOMMIC. BOOMMIC is another downloader that we can see which persists via Run keys, and there are different types of BOOMMIC. BOOMMIC itself tries to mimic a Java updater. This Java updater loads, via DLL search order hijacking, a version.dll which is hidden in the AppData\Local\Java folder and which is a variant of the original version.dll, with the difference that there's another import in here, because now we're suddenly importing a JavaFX font DLL, which is then finally our final BOOMMIC payload, which basically just downloads files from a hardcoded C2 and executes them in memory, which then later on is BEACON.

Good, so if we take a quick look at the common reconnaissance and lateral movement, it's quite straightforward, to be honest: the usual reconnaissance of the machine, of the domain, of the network with a lot of net commands, a lot of nltest commands and so on. They also try to hunt for passwords, which is quite neat, for example to hunt in SYSVOL for passwords, and something called credential roaming, which is a very legacy feature. For example, credential roaming allows certificates to roam across different systems for a particular user, and this has been active since Server 2003; nobody uses it, nobody knows about it, and it's still active nowadays. There's a really cool Mandiant blog post about it if you want to have a look, also from a red team perspective. Of course they use, for example, BEACON in the form of SMB beacons and HTTPS beacons to move laterally and maintain positions in their victims.

Another cool way they try to escalate privileges is certificates. I'm not sure if you are aware of Active Directory Certificate Services and so on, so just to give you a quick overview: you can create certificates in a Windows domain, and those certificates are based on certificate templates. The template just defines what properties a certificate is going to have and what properties the requester needs to have. The main issue is that there are tons of vulnerabilities in there, and for example there's a really good blog post which was published two years ago by SpecterOps called "Certified Pre-Owned"; it's a really light read of 180 pages, so if you want to, go for it. They also released a tool called Certify, but the one we've seen used was from a different company; basically it's a simple clicky tool which allows me to create certificates. The vulnerability here which can be exploited is, for example: if I create a certificate, I can define a so-called subject alternative name, which is usually used with domain names and so on, but I can also use it in Windows domains. For example, I can say I want to request a certificate for myself from the CA with a subject alternative name of a domain admin, and it works. I can define anything, any system, any user and so on. So basically
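The template weakness the talk describes (a requester who may supply their own subject alternative name on a template that is valid for authentication) can be audited from the template objects themselves. The following is an added example, not code from the talk, from Mandiant or from SpecterOps: given template attributes as exported from the configuration partition (for instance with `Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration NC>" -Filter * -Properties *` or `certutil -v -template`), it checks the conditions that together make SAN impersonation possible and says what to change. The four sample templates are constructed; the flag bits and EKU OIDs are the real schema values. Enrollment rights live in each template's security descriptor (the Certificate-Enrollment extended right), and the example assumes you have already resolved them into the `enroll_principals` list.

```python
# Bits of msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag that matter for this check.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester sets Subject and SAN in the CSR
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval" required

# EKUs that let a certificate authenticate a principal to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
# Groups every domain account is (or can trivially be) a member of.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def audit_template(t: dict) -> dict:
    """Evaluate one template record; all five conditions together mean SAN impersonation works."""
    name_flag = t.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = t.get("msPKI-Enrollment-Flag", 0)
    ekus = set(t.get("pKIExtendedKeyUsage") or [])
    enrollers = set(t.get("enroll_principals") or []) & LOW_PRIV_PRINCIPALS
    auth_ekus = sorted(AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS)

    conditions = {
        "requester supplies subject/SAN": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorised signatures required": t.get("msPKI-RA-Signature", 0) == 0,
        "usable for authentication": not ekus or bool(auth_ekus),   # no EKU at all also counts
        "enrollable by low-privileged principals": bool(enrollers),
    }
    risk = all(conditions.values())
    fixes = []
    if risk:
        fixes = [
            "clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (build the subject from AD) or set manager approval",
            "restrict Enroll rights to the groups that actually need the template",
            "drop authentication EKUs if the template is not meant for logon",
        ]
    return {"template": t["name"], "san_impersonation_risk": risk,
            "conditions_met": [k for k, v in conditions.items() if v],
            "auth_ekus": auth_ekus, "low_priv_enrollers": sorted(enrollers), "fixes": fixes}


def audit_templates(templates) -> list:
    return [audit_template(t) for t in templates]


# --- constructed sample records (shape of the LDAP attributes, values invented) --
SAMPLE_TEMPLATES = [
    {"name": "VulnUserTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users", "Domain Admins"]},
    # subject built from AD (UPN/e-mail required), so the requester cannot pick a SAN
    {"name": "CorpUser", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "enroll_principals": ["Domain Users"]},
    # requester supplies the subject, but only Server Authentication and admins-only enrollment
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll_principals": ["Domain Admins"]},
    # same as the first, but every request is parked for a certificate manager
    {"name": "VulnButApproved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for result in audit_templates(SAMPLE_TEMPLATES):
        print(result["template"], result["san_impersonation_risk"], result["conditions_met"])
```

Only templates meeting all five conditions are flagged, which is why `WebServer` (requester-supplied subject, but no authentication EKU and admin-only enrollment) and `VulnButApproved` (manager approval) pass; each of those single controls is enough to break the chain the talk describes, and the `fixes` list names the cheapest one to apply.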
with this certificate I'm a domain admin and it works, and I've seen them using that in early 2022 in a European government. And this brings us to our case study: what actually happens if such a campaign was successful? This was a European government, and they were constantly targeted with those phishing campaigns, basically every second day, which also led to the point that the victims were already quite, yeah, educated, let's say. But if you keep on poking, if you keep them poking, things just happen. For example, if we take a look at those two timestamps: on January 18th at 20:34 the first important factor was the BEATDROP downloader, and then later on BOOMMIC, which is persistence, then some Kerberos activity, and then suddenly some internal reconnaissance, and then the first malicious certificate of interest was created. This is basically the same vulnerability which you have just seen before with the certificate services. So basically between those two points, between the initial breach, the infection, and the export of the maliciously created certificates, basically certificates they created for domain admins, DAs, we have 105 minutes. So about 100 minutes between the initial compromise of one system until the export of the malicious certificates for privileged users. In that particular case they had two or three DAs and one highly privileged user which is not a DA, and they exfiltrated them, and this is basically how they completed the mission, because the mission of UNC2652, or now APT29, is basically just to gain initial access, and they did that in 105 minutes. Now it's up to the next team, whatever the next team's mission is. Is it espionage? In this particular case, 100% espionage, because the backdoors are in there and now they can just come back. The cool thing about the certificates is, even if they rotate the credentials of those affected users, you can still use the certificate, and we all know that certificates usually don't expire after half a year or a year, or ten years, so those are valid, and they stay valid. Another thing about certificates is that it's actually not that easy to identify whether a certificate was used to authenticate or a normal password was used, so to then post-mortem threat hunt whether a certificate was used is quite, quite tricky nowadays. But Microsoft is also aware of this whole certificate services vulnerability, templates and so on, and they are now slowly starting to put, let's say, measures in place: for example additional event logging, I think in newer versions, and they also flag certificates which were created with vulnerable templates, but they're not enforcing it yet, because of course if Microsoft enforced
that rule, that vulnerable certificates are not valid anymore, everything would break instantly. So yeah, good. So how do we detect and defend against it? There's no silver bullet, but I would say we can harden and detect or hunt for it. Hardening would be, for example: I could harden the endpoint by simply disabling or just overriding the default file handlers for IMG files, ISO files, VHD files and so on, because to be honest most normal users don't need to mount an image file, so you can just either disable it or, for example, assign a text editor as the default file handler. Furthermore, I can disable email attachment file types: for example, who needs to receive an .html file or an IMG file or an ISO file, or who, for example, needs to open an image file which is 10 megabytes, which is unlikely to be a legitimate note verbale and so on. I could be very strict on email header verification, which only works if they spoof the header; if they've already compromised the sender, all of that is going to be intact. And of course the classic, user awareness: I constantly need to educate my users so that they actually know what is malicious and what is not malicious.

On detection and hunting opportunities: we've published a ton of YARA rules for ROOTSAW, BEATDROP, BOOMMIC, Salt Shaker, Fancy Feet and so on, which we then, for example, could run against entire environments, sweep all systems and servers, or for example sweep my inboxes or my attachments and so on. And of course, as I mentioned before, the attributes in the LNK, ISO and IMG files, I can also use those to hunt and sweep across my entire environment.

Which basically brings me to my last slides: what's next? As we've seen before, APT29 is not going away; they are currently targeting, this week, at least two government entities, and they're going to continue doing that. The victims and the victims' locations are also unlikely to change; we have even seen more frequent targeting in 2022 of European governments and so on. Furthermore, it's very likely that they're going to shift away from Fancy Feet; maybe they deploy a different downloader, because they've seen that their victims always identify "hey, notion.com might be bad" or they're using specific rules, for example, to hunt for those. And of course, since it's APT29, there might be some surprise factor in the future: maybe they shift away from phishing, maybe there's some new supply chain compromise in the future, who knows. And this brings me to the end of the presentation. Thanks for listening, thanks for tuning in.