• CheckPoint.com
• 
• 
• 
• 
• 
• 

Introduction

Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.

By investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack’s inner workings. We also came across an online avatar of a Russian speaking hacker, who seems to be in charge of the tools developed and used in this attack.

In this article, we will discuss the infection chain, those targeted, the tools used and a possible attribution to one of the hackers behind the attack.

The Infection Chain

The infection flow starts with an XLSM document with malicious macros, which is sent to potential victims via e-mail under the subject “Military Financing Program”:

Email subject: military financing program

File name: “Military Financing.xlsm”

SHA-256:
\nefe51c2453821310c7a34dca30540
\n21d0f6d453b7133c381d75e3140901efd12

Fig 1: Decoy document

The well-crafted document bears the logo of the U.S Department of State, and is marked as Top Secret. Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack.

Fig 2: The infection chain

Once the macros are enabled, two files are extracted from hex encoded cells within the XLSM document:

\n
1. A legitimate AutoHotkeyU32.exe program.
\n
2. AutoHotkeyU32.ahk→an AHK script which sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute.
\n

\n
• Three different AHK scripts are awaiting on the server for the next stage:\n
  \n
  1. hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.
  \n
  2. hinfo.ahk: Sends the victim’s username and computer information to the C&C server.
  \n
  3. htv.ahk: Downloads a malicious version of TeamViewer, executes it and sends the login credentials to the C&C server.
  \n
  \n
\n

The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more “functionality” to TeamViewer by hooking windows APIs called by the program.

Modified functionality includes:

\n
• Hiding the interface of TeamViewer, so that the user would not know it is running.
\n
• Saving the current TeamViewer session credentials to a text file.
\n
• Allowing the transfer and execution of additional EXE or DLL files.
\n

Fig 3: MoveFileW function hook: adds payload “execute” and “inject” functionality.

The following is a demonstration of how it actually works:

Fig 4: Remote payload execution demo

Victims

As described in the infection flow, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC.

The directory which those screenshots were uploaded to was left exposed, and could have been viewed by browsing to the specific URL:

Fig 5: Open directory with victims’ screenshots

However, those screenshot files were deleted periodically from the server, and eventually the “open directory” view was disabled.

Until that time, we were able to ascertain some of the victims of these attacks, as most of the screenshots included identifying information.

From the targets we have observed in our own telemetry, as well as the information we have gathered from the server, we were able to compose a partial list of countries, where officials were targeted:

\n
• Nepal
\n
• Guyana
\n
• Kenya
\n
• Italy
\n
• Liberia
\n
• Bermuda
\n
• Lebanon
\n

It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world.

Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.

Previous Campaigns

While all campaigns observed from this threat actor utilized a trojanized version of TeamViewer, the features of the malicious DLL have changed, and the first stage of the infection has evolved over time.

Delivery

The initial infection vector used by the threat actor also changed over time, during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey, which displayed a decoy image to the user.

For example, the self-extracting archive “Положение о прокуратуре города(приказом прокурора края)_25.12.2018.DOC.exe” (translated into “Regulations on the city prosecutor’s office (by order of the regional prosecutor)_25.12.2018.DOC.exe”) displays the following image:

\n

Fig 6: SFX archive decoy image

This image shows officials from Kazakhstan, and was taken from the website of Kazakhstan’s Ministry of Foreign Affairs. The original name of the executable and the decoy content it displays seem to suggest that it was targeting Russian speaking victims.

There were also other instances in which related campaigns were after Russian speakers, one of the weaponized Excel documents had instructions on how to enable content for the macros to run in fluent Russian:

Fig 7: Russian decoy document

SHA-256: 67d70754c13f4ae3832a5d655ff8ec2c0fb3caa3e50ac9e61ffb1557ef35d6ee

Afterwards, it would display finance-related Russian content:

Fig 8: Russian decoy document – after macros are enabled

Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers, the recurring financial and political themes that they use highlight the attacker’s interest in the financial world once more.

The Payload

Throughout the campaigns multiple changes to the functionality of the malicious TeamViewer DLL, were introduced. Below are the feature highlights of each version:

First Variant (?-2018)

\n
• Remote control via TeamViewer
\n
• Send & execute file.
\n
• Sends basic system information.
\n
• Ability to self-delete.
\n
• Usage of config.bin configuration file
\n

Second Variant (2018)

\n
• Introduced a new C&C command system.
\n
• Partial list of the commands, can be viewed using the internal help command (which also provides multiple artifacts in Russian):
\n

Fig 9: Help commands found in malicious DLL

\n
• Chrome history of banks, online shops and crypto markets – The DLL can be requested to return a list of all online services from a predefined list. (See Appendix)
\n
• Configuration file was replaced by embedded configuration.
\n

Third Variant – as observed in the current campaign (2019)

\n
• Removed the command system.
\n
• Added DLL execution feature.
\n
• Relies on external AutoHotKey scripts for information gathering and TeamViewer credential exfiltration.
\n

Attribution

Although in such campaigns it is usually unclear who is behind the attack, in this case we were able to locate a user who appears to be behind the aforementioned activity active in several online forums, or is at least the creator of the tools used in the attack.

By following the trail from the previous campaigns we were able to find a `CyberForum[.]ru` user that goes by the name “EvaPiks”.

In multiple instances, the user would suggest, or be advised by other users to use, some of the techniques we witnessed throughout the campaigns.

The following are translated snippets from some of the threads in the forum:

Fig 10: EvaPiks – suggested macro code

The macro code suggested by EvaPiks in the above thread was actually used in the latest attack, and some of the variable names such as “hextext” were not even changed.

In the following screenshot, we see EvaPiks suggesting a Delphi code snippet that “works great”:

Fig 11: EvaPiks – suggested PHP code

Fig 12: Panel URL found in DLL code

In addition to the similar Delphi usage, the URL mentioned in the forum `(newpanel_gate/gate.php)` was used in one of the attacks.

Back in 2017, EvaPiks was the one seeking advice on the forum, with questions about API function call interception:

Fig 13: EvaPiks – seeking Delphi hooking advise on the forums

Fig 14: Hooks found in DLL code

The same hooking technique of `CreateMutexA` and `SetWindowTextW` functions was utilized in the sample we have observed as well.

An additional screenshot from the forum reveals how EvaPiks is experimenting with new features, some of which were integrated into the malicious DLLs:

Fig 15: EvaPiks – development PC screenshot from the forums

Besides `CyberForum[.]ru`, we also found out that this avatar was active on an illegal Russian carding forum, strengthening the notion that their forum activity is not for “educational purposes” only:

Fig 16: EvaPiks – complaining about a fellow user on a carding forum

The Attack Infrastructure

At one point or another, all the samples observed utilized the same web hosting company: HostKey, except some of the samples from the first variant. [see appendix B for a list of URLs]

Additionally, we observed the following login panels, on the C&C servers utilized by the malicious DLLs:

Fig 17: “Cyber Industries” login panel hosted on 193.109.69[.]5

Fig 18: login panel hosted on 146.0.72[.]180

Summary

On the one hand, from the findings we have described, this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience.

On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the outreach of their malicious activity.

The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able find such a payload and know what other functionalities it introduces besides the ones provided in the DLL, the real intentions of the latest attack remain unclear.

However, the activity history of the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated.

———————————————————————————————————————————————————————————————————————-

Check Point’s SandBlast

The malware used in this attack was caught using Check Point’s Threat Emulation and Threat Extraction.

Threat Emulation is an innovative zero-day threat sandboxing capability, used by SandBlast Network to deliver the best possible catch rate for threats, and is virtually immune to attackers’ evasion techniques. As part of the Check Point SandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware and targeted attacks. The Threat Extraction capability removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow.

IOCs

DLLs

`013e87b874477fcad54ada4fa0a274a2
\n799AB035023B655506C0D565996579B5
\ne1167cb7f3735d4edec5f7219cea64ef
\n6cc0218d2b93a243721b088f177d8e8f
\naad0d93a570e6230f843dcdf20041e1e
\n1e741ebc08af09edc69f017e170b9852
\nc6ae889f3bee42cc19a728ba66fa3d99
\n1675cdec4c0ff49993a1fcbdfad85e56
\n72de32fa52cc2fab2b0584c26657820f
\n44038b936667f6ce2333af80086f877f`

Documents

`4acf624ad87609d476180ecc4c96c355
\n4dbe9dbfb53438d9ce410535355cd973`

C&Cs

`1c-ru[.]net/check/license
\nintersys32[.]com/3307/
\n146.0.72[.]180/3307/
\n146.0.72[.]180/newcpanel_gate/gate.php
\n185.70.186[.]145/gate.php
\n185.70.186[.]145/index.php
\n193.109.69[.]5/3307/gate.php
\n193.109.69[.]5/9125/gate.php`

Appendix A: Yara Rule

`rule \"TeamViwer_backdoor\"\n{\n\nmeta:\ndate = \"2019-04-14\"\ndescription = \"Detects malicious TeamViewer DLLs\"\n\nstrings:\n\n// PostMessageW hook function\n$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}\n\ncondition:\nuint16(0) == 0x5a4d and $x1\n}`\n

Appendix B: Online services of interest

Banks

`bankofamerica.com,pacwestbancorp.com,alipay.com,cbbank.com,firstrepublic.com,chase.com
\ncitibank.com,bankamerica.com,wellsfargo.com,citicorp.com,pncbank.com,us.hsbc.com,bnymellon.com
\nusbank.com,suntrust.com,statestreet.com,capitalone.com,bbt.com,tdbank.com,rbs.com,regions.com
\n53.com,ingdirect.com,keybank.com,ntrs.com,www4.bmo.com,usa.bnpparibas.com,mufg.jp,aibgroup.com
\ncomerica.com,zionsbank.com,mibank.com,bbvabancomerusa.com,huntington.com,bank.etrade.com,synovus.com
\nbancopopular.com,navyfcu.org,schwab.com,rbcbankusa.com,colonialbank.com,hudsoncitysavingsbank.com,db.com
\npeoples.com,ncsecu.org,associatedbank.com,bankofoklahoma.com,mynycb.com,firsthorizon.com,firstcitizens.com
\nastoriafederal.com,firstbankpr.com,commercebank.com,cnb.com,websterbank.com,fbopcorporation.com
\nfrostbank.com,guarantygroup.com,amtrust.com,nypbt.com,wbpr.com,fult.com,penfed.org,tcfbank.com,lehman.com
\nbancorpsouthonline.com,valleynationalbank.com,thesouthgroup.com,whitneybank.com,susquehanna.net,citizensonline.com
\nucbh.com,raymondjames.com,firstbanks.com,wilmingtontrust.com,bankunited.com,thirdfederal.com,wintrustfinancial.com
\nsterlingsavingsbank.com,boh.com,arvest.com,eastwestbank.com,efirstbank.com,theprivatebank.com,flagstar.com
\nbecu.org,umb.com,firstmerit.com,corusbank.com,svb.com,prosperitybanktx.com,washingtonfederal.com
\nucbi.com,metlife.com,ibc.com,cathaybank.com,trustmark.com,centralbancompany.com,umpquabank.com
\npcbancorp.com,schoolsfirstfcu.org,mbfinancial.com,natpennbank.com,fnbcorporation.com,fnfg.com,golden1.com
\nhancockbank.com,firstcitizensonline.com,ubsi-wv.com,firstmidwest.com,oldnational.com,ottobremer.org
\nfirstinterstatebank.com,northwestsavingsbank.com,easternbank.com,suncoastfcu.org,santander.com
\neverbank.com,bostonprivate.com,firstfedca.com,english.leumi.co.il,aacreditunion.org,rabobank.com
\nparknationalbank.com,provbank.com,alliantcreditunion.org,capitolbancorp.com,newalliancebank.com
\njohnsonbank.com,doralbank.com,fcfbank.com,pinnaclebancorp.net,providentnj.com,oceanbank.com
\nssfcu.org,capfed.com,iberiabank.com,sdccu.com,americafirst.com,hncbank.com,bfcfinancial.com
\namcore.com,nbtbank.com,centralpacificbank.com,banksterling.com,bannerbank.com,firstmerchants.com,communitybankna.com
\nhsbc.com,rbs.co.uk,bankofinternet.com,ally.com,bankofindia.co.in,boi.com.sg,unionbankofindia.co.in,bankofindia.uk.com
\nunionbankonline.co.in,hdfcbank.com,axisbank.com,icicibank.com,paypal.com,pnm.com,wmtransfer.com,skrill.com,neteller.com
\npayeer.com,westernunion.com,payoneer.com,capitalone.com,moneygram.com,payza.com`

Crypto Markets

`blockchain.info,cryptonator.com,bitpay.com,bitcoinpay.com,binance.com,bitfinex.com,okex.com
\nhuobi.pro,bitflyer.jp,bitstamp.net,kraken.com,zb.com,upbit.com,bithumb.com,bittrex.com,bitflyer.jp
\netherdelta.com,hitbtc.com,poloniex.com,coinone.co.kr,wex.nz,gate.io,exmo.com,exmo.me,yobit.net
\nkorbit.co.kr,kucoin.com,livecoin.net,cex.io,c-cex.com,localbitcoins.net,localbitcoins.com,luno.com
\nallcoin.com,anxpro.com,big.one,mercatox.com,therocktrading.com,okcoin.com,bleutrade.com,exchange.btcc.com
\nbitkonan.com,coinbase.com,bitgo.com,greenaddress.it,strongcoin.com,xapo.com
\nelectrum.org,etherscan.io,myetherwallet.com,bitcoin.com`

Online Shops

`ebay,amazon,wish.com,aliexpress,flipkart.com,rakuten.com,walmart.com
\ntarget.com,bestbuy.com,banggood.com,tinydeal.com,dx.com,zalando,jd.com
\njd.id,gearbest.com,lightinthebox.com,miniinthebox.co`

TOP ATTACKS AND BREACHES

• Delhi-based hack-for-hire group BellTroX has allegedly targeted thousands of high-profile individuals and hundreds of organizations worldwide in a seven-year-long campaign. The group used phishing kits to steal sensitive data from the victims and conduct commercial espionage on behalf of their clients.

Tags: #Apt

• The Japanese gaming giant Nintendo reveals hackers have breached 300,000 accounts and may have gained access to personal information, including date of birth and email addresses. The accounts were abused to purchase features and virtual coins in popular games via the connected PayPal accounts.
• Hackers are targeting executives of a German task force supplying face masks and medical equipment against COVID-19. The hackers launched a spear-phishing campaign to steal Microsoft login credentials, targeting over 100 senior executives in 40 organizations.
• Threadstone Advisors, a US-based advisory firm, has been hit by the Maze ransomware. The attackers also stole data from the company’s compromised servers, and threaten to publish it unless the ransom demands are met.
  • Check Point SandBlast and Anti-Bot blades provide protection against this threat (Ransomware.Win32.Maze)

Tags: #Doubleextortion

• The City of Florence, Alabama has been hit by a ransomware attack, forcing them to pay $300,000 in ransom to get their data decrypted. The hackers have reportedly waited for over a month after breaching the city’s system before deploying the DoppelPaymer ransomware.
  • Check Point SandBlast and Anti-Bot blades provide protection against this threat (Ransomware.Win32.DoppelPaymer)

• The city of Knoxville, Tennessee, has been forced to shut down its computer network and some of its services after an undisclosed ransomware attacked their systems.
• A1 Telekom, the leading mobile network operator in Austria, has revealed that they had fought a network intrusion for six months, after hackers breached their systems and planted multiple backdoors in November 2019. It is suspected that the intruders were members of the China-linked APT Gallium.

VULNERABILITIES AND PATCHES

• SMBleed, a new vulnerability affecting the SMB protocol, may allow attackers to leak kernel memory remotely and execute arbitrary code. To exploit the flaw, an attacker can send a specially crafted packet to a targeted SMBv3 server. The latest Windows update provides a patch for this vulnerability.
  • Check Point IPS blade provides protection against this threat (Microsoft Windows SMBv3 Client/Server Information Disclosure (CVE-2020-1206))

• SGAxe and CrossTalk, two new attacks against modern Intel processors, have been discovered. The SGAxe attack may allow attackers to extract sensitive data from SGX enclaves, and the CrossTalk attack may lead to leakage of information across CPU cores. Intel released a microcode update to the relevant software vendors.

THREAT INTELLIGENCE REPORTS

• Check Point researchers have addressed the possible security and privacy risks users of the COVID-19 contact-tracing applications face, from GPS tracking and data collection to fake applications and unauthorized data theft.
  • Check Point SandBlast Mobile provides protection against this threat

• Check Point Research team has found a commercial software tool called CloudEye offered by an Italian company, which serves as a malware dropper. While their operations is allegedly legitimate, the company seems to be making $500,000 a month from sales to cybercriminals.
  • Check Point SandBlast provides protection against this threat (Dropper.Win.CloudEyE.*)

• Microsoft warns Kubernetes users of a hacking campaign that targets Kubeflow, a machine learning toolkit, aiming at delivering a cryptocurrency miner on internet-facing instances. Threat actors behind this campaign initially scan the Internet for exposed Kubeflow admin panels and use them to move laterally and reach into the Kubernetes cluster to run an XMRig miner.
• Russia-linked Gamaredon APT is reportedly using a VBA macro tool targeting Microsoft Outlook that creates custom emails with malicious documents and uses the targets’ email accounts to send spear-phishing emails to their contacts.
  • Check Point Anti-Bot blade provides protection against this threat (Botnet.Win32.Gamaredon; Trojan.Win32.Gamaredon)

• Researchers have uncovered a malware, dubbed Stealthworker, targeting Windows and Linux servers running popular web services and platforms such as Magento, WordPress, Joomla and Drupal. The hackers use the infected hosts to launch brute force attacks against other systems.
  • Check Point Anti-Bot blade provides protection against this threat (Trojan.Win32.Stealthworker)