#1238558: Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It

Description: Over the last few years, QuoScient’s Intelligence Operations Team (QuoINT) has tracked activities attributed to the Cobalt group, and observed their notable evolution and continuously improving Tactics, Techniques, and Procedures (TTPs).

Since September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a specific timeframe but exhibit enough differences to attribute them to separate threat actors. This blog post provides an overview of a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02. The success of GC operations relies heavily on a specific MaaS sold in underground forums, which provides customers with the malware and the infrastructure they need for targeted attacks. The service owner delivers the MaaS through the following toolkits: the Venom and Taurus building kits for crafting the documents used to deliver the attack, and the more_eggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.

Between November 2017 and July 2018, we attributed to GC02 five spear phishing waves which indiscriminately targeted companies and organizations in at least India and the United States. As a result of using the same MaaS provider, GC02 and Cobalt group’s TTPs and infrastructure strongly overlapped in May 2018, making it hard at first glance to differentiate the two threat actors.

Between August and October 2018, we attributed to GC01 nine spear phishing waves targeting multiple companies and organizations operating in the financial industry. Throughout the campaign, we observed the installation of multiple Remote Access Tool (RAT) variations as the result of a successfully compromised victim machine.

By highlighting the multi-layer infrastructure adopted by Cobalt and Golden Chickens, as well as the multi-client business model of the MaaS behind it, we emphasize the difficulty of performing reliable attribution for cyberattacks, and the high uncertainty that analysts are confronted with during the process. Note that other researchers have reported the same Indicators of Compromise (IoCs) and C2 infrastructure covered in this blog post. We hope that our attribution will clarify the current threat landscape and make the covered threat actor profiles more accurate.

The following blog post is a preview of the Intelligence Assessment we will disseminate to our clients, partners, and vetted requesters.
Introduction

Cyber attribution is becoming increasingly challenging as threat actors frequently use false flag techniques and shared infrastructure to increase the resiliency of their operations against takedowns and law enforcement investigations. Especially for e-Crime actors, it is common practice to rent the same bulletproof infrastructure or botnet used by other e-Crime groups, which increases the likelihood of overlapping C2 servers. In recent years, we have noted a tendency of threat actors to outsource even more parts of the kill chain to third parties by using or offering MaaS solutions. Figure 1 shows an example of such a network where multiple stakeholders are involved.
Figure 1 — Example of attribution complexity

A threat actor can buy malware from multiple developers, rent the C2 infrastructure from various providers, and deliver the attack vector to victims through yet another provider. This compartmentalized business relationship guarantees the threat actor an elevated level of privacy and deniability, since the involved stakeholders rarely know the full scale of the operation. On the other hand, providers offering MaaS solutions simplify the entire process through one-stop-shop offerings, where a single entity sells and rents both the malware and the infrastructure needed for an attack.

When profiling e-Crime threat actors, we always work with the hypothesis that the malware and C2 infrastructure we are analyzing do not belong to the threat actor per se, but rather to the MaaS provider they use. When we confirm the use of a MaaS, the attribution process focuses on how and when threat actors used it, and whom they targeted. By using such an approach, we were able to differentiate past spear phishing campaigns mistakenly attributed to the Cobalt group and characterize two distinct threat actors — GC01 and GC02 — and the MaaS used by them to carry out their attacks.
Golden Chickens’ MaaS

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”). The following section explains the operational model of the Provider, and the toolkits used to deliver the requested service to paying customers.
Operational workflow

A typical business case between a threat actor and the Provider is shown in Figure 2 and detailed below.
Figure 2 – The Provider operational workflow

1. Threat actors buy the service offered and then give the Provider Operator the final payload to be executed on the infected machine. Since we have observed the same threat actor using the Provider to different extents, we assess that the Provider Operator’s offering is modular.

2. The Provider Operator builds the malicious document (maldoc) and the backdoor, and prepares the server infrastructure needed for the execution of the attack. Next, the backdoor is stored on a webserver and its full URL is embedded into the maldoc. Lastly, the C2 panel that the backdoor will beacon to is set up.

3. The Provider returns the maldoc to the threat actor. Although not confirmed, the Provider Operator also likely delivers the access details for the backdoor’s C2 web panel.

4. The threat actor disseminates (directly or through the use of a botnet) the maldoc via spear phishing.

5. Once the maldoc is executed on a victim’s machine, it will retrieve and execute the backdoor from the hardcoded web location.

6. The backdoor beacons to the hardcoded C2 on a regular basis and executes the commands it receives.

7. Finally, the threat actor (or the Provider) will review the system details of the infected machine reported by the backdoor, and eventually deploy the final payload.
Building Kits Used

The Provider relies on the use of specific malicious artifacts advertised in the underground since 2017. Those artifacts are generated by three building kits and offered to paying customers with the supporting C2 infrastructure.

VenomKit. VenomKit is a tool that threat actors can use to craft malicious Rich Text Format (RTF) documents that exploit multiple vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2018-8174. Successful exploitation leads to batch and scriptlet files being dropped and executed in order to download the second-stage payload from a Web resource. The AV detection rate for RTF documents generated by VenomKit is moderate to high because they exploit known vulnerabilities.

Taurus Builder Kit. The Taurus Builder Kit generates Microsoft Word documents weaponized with malicious Visual Basic for Applications (VBA) macro code. Unlike the malicious RTFs created by VenomKit, the weaponized Word documents require user interaction in order to enable the contained malicious code. On the other hand, documents generated by this kit are more resilient to AV detection due to the use of multiple layers of obfuscation in the VBA code.

Once the VBA code is enabled by the user, documents created by the Taurus Builder Kit download and execute additional malware by using multiple legitimate Windows tools in order to bypass AppLocker.

More_Eggs Backdoor. More_eggs is a JavaScript (JS) backdoor capable of beaconing to a fixed C2 server and executing additional payloads downloaded from an external Web resource. The backdoor is delivered encrypted inside another JavaScript file, with changing function names, variable names, and encryption keys. Overall, this technique allows the Provider Operator to guarantee its clients a low AV detection rate. The more_eggs building kit allows customization of multiple variables, such as the C2 server, the beaconing and sleeping time, and part of the cryptographic key used for ciphering the C2 communications. Figure 3 shows an example more_eggs configuration that includes the version number (BV), the C2 address (Gate), and part of the ciphering key used to encrypt C2 communications (Rkey).
Figure 3 – Excerpt of more_eggs backdoor configured variables

Read the rest in this link

Conclusion

In general, the continued adoption of MaaS by threat actors plays two roles in the cyber threat landscape: (a) it enables less sophisticated actors to execute attack campaigns against high-value targets, which might otherwise be out of reach due to potentially multi-layer perimeter defenses; and (b) it creates a cluster of technical indicators from the same infrastructure that complicates attribution efforts. During our analysis, we identified three threat actors utilizing one particular MaaS which has operated for almost two years, proving its success and profitability. This scenario of multiple actors using the same MaaS further corroborates why the attribution of campaigns incorporating MaaS components is so difficult: the technical indicators of the different actors presumably overlap.
First Aid: GC01

Email Subjects:

Payment Details REF # 18110486098

Re: Payment Ref 34981***** receive problem

Re: Bank query / S-170526–005399

Amendment/Cancellation

Fund Transfer 08-October-2018

Confirmations on October 16, 2018

confirmation-16003907

Email Attachments (non-malicious PDF with Google redirector)


Google Redirector links

hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Fsafesecurefiles[.]com%2Fdoc041791[.]pdf

hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Falotile[.]biz%2FDocument092018[.]doc

hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ffundsxe[.]com%2FDocument09202018[.]doc

hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ffundswp[.]com%2FDocument082018[.]doc

hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ftransef[.]biz%2FDoc102018[.]doc

hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Ffundsxe[.]com%2FDocument0922018[.]doc

Landing Page


Maldocs

GC02

Email Subjects:

Contract April

Description of my complaint about your service

Email Attachments (non-malicious PDF with Google redirector)


Google Redirector links

hxxps://appengine.google.com/_ah/logout?continue=hxxps://cloud.pallets32[.]com/Doc00581691.pdf

hxxps://appengine.google.com/_ah/logout?continue=hxxps://cloudpallets32[.]com/Doc00581951.pdf

hxxps://appengine.google.com/_ah/logout?continue=hxxps://mail.halcyonih[.]com/uploads/doc004718538.pdf
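Both GC01 and GC02 lure recipients through the App Engine logout endpoint, whose `continue` parameter bounces the victim to the real landing page. The following is an added example (not code from the QuoINT post) that a defender can run over defanged redirector entries like the ones listed above to recover the landing host for blocking; the `GOOGLE_HOSTS` allowlist and the sample URLs are assumptions constructed from the page's pattern, with one benign Google-internal entry and one direct link added for contrast.

```python
from typing import List, Optional
from urllib.parse import urlsplit, parse_qs

# Hosts the logout redirector may legitimately send a user to (assumption for
# this example; extend to whatever your environment treats as first-party Google).
GOOGLE_HOSTS = ("google.com",)

def refang(url: str) -> str:
    """Undo the defanged IoC notation (hxxp, [.]) so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def redirect_target(url: str) -> Optional[str]:
    """If url is an appengine.google.com /_ah/logout redirector, return the
    destination carried in its 'continue' parameter; otherwise None.
    parse_qs percent-decodes for us, so both the encoded form (GC01 entries)
    and the plain form (GC02 entries) resolve to a full URL."""
    parts = urlsplit(refang(url))
    if parts.hostname != "appengine.google.com" or parts.path != "/_ah/logout":
        return None
    values = parse_qs(parts.query).get("continue")
    return refang(values[0]) if values else None

def is_google_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)

def abused_landing_host(url: str) -> Optional[str]:
    """Return the external landing host when the redirector is used to bounce a
    victim off Google infrastructure, else None (not a redirector, or benign)."""
    target = redirect_target(url)
    if target is None:
        return None
    host = (urlsplit(target).hostname or "").lower()
    return None if not host or is_google_host(host) else host

def landing_hosts(urls: List[str]) -> List[str]:
    """Sorted, de-duplicated abused landing hosts, ready for a blocklist."""
    return sorted({h for h in (abused_landing_host(u) for u in urls) if h})

# Constructed sample: two entries echo the page's GC01/GC02 redirector pattern,
# one has a benign Google-internal continue target, one is a direct link.
SAMPLE_URLS = [
    "hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Fsafesecurefiles[.]com%2Fdoc041791[.]pdf",
    "hxxps://appengine.google.com/_ah/logout?continue=hxxps://mail.halcyonih[.]com/uploads/doc004718538.pdf",
    "hxxps://appengine[.]google[.]com/_ah/logout?continue=https%3A%2F%2Faccounts[.]google[.]com%2F",
    "hxxps://safesecurefiles[.]com/doc041791[.]pdf",
]

if __name__ == "__main__":
    for host in landing_hosts(SAMPLE_URLS):
        print("block:", host)
```

Because the first hop is a genuine Google host, URL reputation on the link itself says nothing; the `continue` destination is what a mail gateway or proxy rule should evaluate.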

Landing Page


Maldocs

GC MaaS C2 infrastructure

More info: https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Date added Nov. 29, 2018, 11:17 p.m.
Source Medium
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • APTs - Russia - New Reports in
  • (Probably Russia) - More_Eggs Malware - JavaScript backdoor used by the Cobalt group
  • Russia - Cobint Banking Malware (Used by Cobalt Group)
  • Russia - FIN7 Group/ Anunak / Carbanak Cyber Gang (Same as Cobalt Hacking Group?)
  • Russian - Cobalt hacker group / TEMP.Metastrike (also linked to Buhtrap) / Gold Kingswood
  • Russian - Cobalt Strike (Used by Cobalt Hacker Group)
  • Russia - SpicyOmelette Banking Malware - used by Cobalt Hacking Group