Detecting compromises by highly skilled attackers is no easy task, requiring advanced network traffic monitoring, behavioral analysis of endpoint logs, and even dedicated threat hunting teams that manually search for signs of compromise by imitating attackers. This is highlighted in a new McAfee report about a long-term compromise discovered on a customer network that started out as a simple malware infection investigation.
McAfee researchers have dubbed the attack campaign Operation Harvest because its goal was the long-term exfiltration of sensitive information that could be used for military strategic purposes and intellectual property that could be used for manufacturing. The group behind the attack was using Winnti, a custom backdoor program that's believed to be shared by multiple Chinese APT groups.
Based on an analysis of the techniques used in the attack, the McAfee researchers found significant overlap with APT27 aka Emissary Panda, which is known for having targeted organisations in the aerospace, government, defense, technology, energy, and manufacturing sectors, and with APT41, also known as Barium and sometimes Winnti after the malware. APT41 is believed to execute cyberespionage campaigns on behalf of the Chinese government but has also been seen performing financially motivated attacks.
Both groups have been operating for many years and are highly skilled at lateral movement, privilege escalation, and persistence. In this particular attack, the hackers broke into the network by compromising one of the victim's web servers.
Map, expand, and exfiltrate
Once they gained this initial foothold, they deployed tools on the server that allowed them to map the network and begin expanding to other systems. Tools the McAfee researchers found included PsExec, which executes files on other systems over the network; ProcDump, which can be used to extract sensitive information from the memory of running processes; and Mimikatz, which dumps authentication credentials from Windows. All of these are free or open-source tools that system administrators and penetration testers also use.
Two other open-source tools used by the group and found during the investigation are BadPotato and RottenPotato. These use privilege escalation techniques to execute code with SYSTEM privileges.
For privilege escalation the attackers also deployed a backdoor program called PlugX that uses a technique called DLL sideloading. This abuses the DLL search order of applications that look in their own directory first: if an application loads a DLL with a particular name from the folder it runs from, all attackers have to do is place a malicious DLL with that name next to it and then execute the legitimate application. The benefit of this technique is that the malicious code is loaded into the memory of an otherwise legitimate process.
"The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation)," the researchers said. "We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process."
The PlugX malware also hides its communication with the command-and-control server inside DNS traffic, by leveraging DNS TXT records. This can be easily missed by network defense tools if they don't also scan for anomalies in DNS requests.
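As an added illustration, not code from the McAfee report, the following Python sketch applies the kind of DNS anomaly check the paragraph calls for to a few constructed resolver log lines: a client issuing a burst of TXT lookups whose leftmost label is long and high-entropy (an encoded payload rather than a hostname) is flagged. The three-column log format, the sample lines and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (client, query type, query name); not data from the report.
SAMPLE_DNS_LOG = """\
10.0.0.12 TXT _dmarc.example.com
10.0.0.12 A www.example.com
10.0.0.45 TXT 3f9a1c7e2b8d4a6f0e1c9b7a5d3f2e1.update-cdn.test
10.0.0.45 TXT 9b2e4d6f8a1c3e5b7d9f0a2c4e6b8d0.update-cdn.test
10.0.0.45 TXT a7c1e3b5d9f2a4c6e8b0d1f3a5c7e9b.update-cdn.test
10.0.0.45 TXT c4e8b2d6f0a3c5e7b9d1f2a4c6e8b0d.update-cdn.test
10.0.0.45 TXT 1e3c5a7b9d0f2e4c6a8b1d3f5a7c9e0.update-cdn.test
10.0.0.45 TXT 5d7f9b1c3e5a7c9e1b3d5f7a9c1e3b5.update-cdn.test
10.0.0.7 MX example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text: str):
    """Yield (client, qtype, qname) tuples from the assumed three-column log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).upper(), m.group(3).lower()

def flag_txt_tunnelling(log_text: str, min_queries: int = 5,
                        min_label_len: int = 20, min_entropy: float = 3.0) -> dict:
    """Return {client: [suspicious TXT qnames]} for clients issuing at least min_queries
    TXT lookups whose leftmost label is long and high-entropy (a data channel, not a lookup)."""
    suspicious = defaultdict(list)
    for client, qtype, qname in parse_dns_log(log_text):
        if qtype != "TXT":
            continue
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            suspicious[client].append(qname)
    return {c: q for c, q in suspicious.items() if len(q) >= min_queries}
```

Legitimate TXT traffic such as DMARC or SPF lookups has short, low-entropy labels and stays below the thresholds, so only the beaconing client is reported.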
On some systems, the SYSTEM privileges acquired through the Potato tools were used to create a new system service called "SysmainUpdate," which mimics the legitimate SysMain service associated with Superfetch.
"The model uses the persistence technique utilising svchost.exe with service.dll to install a rogue service," the researchers said. "It appears that the dll employs several mechanisms to fingerprint the targeted system and avoid analysis in the sandbox, making analysis more difficult. The DLL embeds several obfuscated strings decoded when running. Once the fingerprinting has been done, the malware will install the malicious service using the API RegisterServiceHandlerA then SetServiceStatus, and finally CreateEventA."
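An added example, not from the McAfee report: a Python triage routine over constructed service-installation records, modelled on the fields of System log Event ID 7045 joined with the service's registry ServiceDll value, that flags names resembling built-in services (here "SysmainUpdate" against SysMain) and svchost-hosted services whose ServiceDll lives outside System32. The baseline service list, the record layout and the sample records are assumptions.

```python
# Built-in service names a rogue service might imitate; a real deployment takes this
# baseline from a clean reference host. This subset is an assumption for the example.
KNOWN_SERVICES = {"sysmain", "windefend", "wuauserv", "wscsvc", "bits", "winmgmt"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Constructed records modelled on Event ID 7045 ("A service was installed in the system")
# plus the service's Parameters\ServiceDll registry value. Not data from the report.
SAMPLE_EVENTS = [
    {"service_name": "SysMain", "service_dll": r"C:\Windows\System32\sysmain.dll",
     "image_path": r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted"},
    {"service_name": "SysmainUpdate", "service_dll": r"C:\ProgramData\Update\service.dll",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"service_name": "VendorBackup", "service_dll": None,
     "image_path": r"C:\Program Files\Vendor\backup.exe"},
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character variations of a known name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(service_name: str):
    """Return the legitimate name this one resembles (prefix or near-match), or None."""
    name = service_name.lower()
    if name in KNOWN_SERVICES:
        return None
    for legit in KNOWN_SERVICES:
        if name.startswith(legit) or levenshtein(name, legit) <= 2:
            return legit
    return None

def triage_service_install(event: dict) -> list:
    """Reasons a newly installed service deserves analyst attention (empty = nothing odd)."""
    reasons = []
    legit = lookalike_of(event["service_name"])
    if legit:
        reasons.append(f"name resembles built-in service '{legit}'")
    if "svchost.exe" in event["image_path"].lower():
        dll = event.get("service_dll")
        if not dll or not dll.lower().startswith(SYSTEM32_PREFIX):
            reasons.append("svchost-hosted service loads ServiceDll outside System32")
    return reasons

def flag_rogue_services(events: list) -> dict:
    return {e["service_name"]: r for e in events if (r := triage_service_install(e))}
```

The genuine SysMain entry and the third-party service pass both checks, so only the imitation service surfaces, with two independent reasons.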
Ties to past attacks
This technique has also been described in a 2017 report by Trend Micro about malicious activity attributed to the Winnti group. The McAfee researchers also believe the payload deployed in the campaign they investigated belongs to the Winnti malware family.
The hackers also used the Windows Management Instrumentation (WMI) interface from PowerShell to execute commands on systems, set up scheduled tasks, and logged in with valid accounts acquired through their use of Mimikatz.
The PsExec variant used by the attackers was not the original tool that's part of the Windows Sysinternals suite for system administrators, but an open-source reimplementation in Python that seems to have been copied from GitHub.
The data was collected from network shares and compromised systems using batch scripts and then compressed with RAR. The attackers either exfiltrated these archives directly through their backdoors or placed them on the compromised web server, where they could be downloaded from outside the network. The User-Agent string of the tool used to download these archives had a unique fingerprint that also matches information in a 2015 report from Dell SecureWorks, suggesting these attackers have been operating for many years across different campaigns.
In fact, while investigating this incident, the McAfee researchers uncovered a second targeted attack against another organisation from the same country that used a very similar modus operandi and techniques. This suggests the attacks were part of a larger campaign in which the attackers managed to maintain access to victims' networks for multiple years.
Defending against APT attacks
The range of advanced techniques used in this Winnti-related campaign highlights the difficulty of uncovering compromises by skilled APT groups. Catching such attacks early requires a multi-layered approach with significant investments in various types of monitoring and detection technologies.
Unfortunately, the number of organisations that can afford to make such investments or to set up skilled internal threat hunting teams is small compared to the number of APT victims. And with the rise of cyber mercenary groups, and with cybercriminal groups also adopting APT techniques in recent years, any organisation, regardless of size or industry, can become the target of APT-level attacks.