This report covers Operation Wocao, a malware campaign likely carried out by a nation-state actor with potential links to APT20. The initial point of entry appears to be public-facing infrastructure attacked through common vectors. The campaign's main purpose is the extraction of customer data and intellectual property.
The bad actor appears to enter the network by installing web shells on public-facing infrastructure, with a preference for vulnerable JBoss servers. Often the servers have already been compromised by other web shells from different threat actors. If the threat actor detects an existing web shell, they’ll use it to perform reconnaissance and lateral movement on the victim’s network. Any previously installed malware can then serve as a backup method to maintain access in the event of connection loss.
Once the malware has established persistence, the threat actor shifts focus to lateral movement within the environment. Some of the tactics are common and rudimentary, such as dumping credentials from memory or logging the victim’s keystrokes.
Operation Wocao targets high-value individuals within the organization, such as personnel likely to hold domain admin or enterprise admin credentials. Presumably, the bad actor identifies system administrators through online research on sites such as LinkedIn. Once they have obtained the highest level of privileges possible, they use the stolen credentials to connect to the organization’s VPN, which avoids suspicion.
The threat actor uses both custom malware and well-established tools to achieve its goal of data exfiltration. A sample dossier of the malicious artifacts involved is listed below.
File Handling Webshell: Used to upload files as needed
Execution Webshell: Functions as a file handling webshell but can also execute commands on UNIX/Linux and Windows hosts
Socket Tunnel: Allows for backdoor connections between infected and prospective hosts
Recon Script: Identifies potential files to be exfiltrated and gathers data on possible lateral movement paths. This script is written in Visual Basic Script (.vbs) and has the following functions:
The XServer malware is deployed from a PowerShell command or script, with the file being Zlib compressed and Base64 encoded after the deployment is completed. The listening port is hard-coded; ports 25667 and 47000 are used in the samples currently available. The malware is coded to receive a single command packet that determines whether it acts as a backdoor or as a “proxy gateway”. With proxy functionality enabled, it runs as a SOCKS5 proxy and can chain through multiple infected hosts. Command and control sessions are TLS encrypted using a root certificate.
The most common working directory for the malware is C:\Windows\Temp.
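As an added defender-side example (not code from the Avertium report or from the XServer samples), the Python below unpacks a Base64-encoded, Zlib-compressed stage the way a PowerShell loader would and flags a script-block log entry that combines that decode-and-decompress pattern with a listener on the report's ports or the C:\Windows\Temp working directory. The regexes, the sample script line and the stand-in payload are constructed assumptions, not indicators from the report.

```python
import base64
import re
import zlib

# Ports and working directory the report names for the XServer samples.
XSERVER_PORTS = {25667, 47000}
XSERVER_WORKDIR = r"c:\windows\temp"

# Staging pattern: a Base64 string decoded and Zlib/Deflate-decompressed
# in memory, followed by a listening socket (regexes are assumptions).
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "decompress": re.compile(r"DeflateStream|GZipStream|Decompress", re.I),
    "listener": re.compile(r"TcpListener|Listen\(", re.I),
}

def unpack_payload(b64_blob: str) -> bytes:
    """Base64-decode, then decompress either a zlib-framed stream
    (2-byte header) or raw Deflate, which PowerShell's DeflateStream emits."""
    raw = base64.b64decode(b64_blob)
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return zlib.decompress(raw, -zlib.MAX_WBITS)

def find_indicators(script_text: str) -> dict:
    """Report which staging indicators, hard-coded XServer ports and the
    working directory appear in one PowerShell script-block log entry."""
    hits = {k: bool(rx.search(script_text)) for k, rx in INDICATORS.items()}
    nums = {int(p) for p in re.findall(r"\b(\d{4,5})\b", script_text)}
    hits["xserver_port"] = sorted(nums & XSERVER_PORTS)
    hits["temp_workdir"] = XSERVER_WORKDIR in script_text.lower()
    return hits

def is_suspicious(hits: dict) -> bool:
    """Decode+decompress together with a listener or a known port is alert-worthy."""
    staged = hits["base64_decode"] and hits["decompress"]
    return staged and (hits["listener"] or bool(hits["xserver_port"]))

# Constructed sample: a stand-in payload, Zlib-compressed and Base64-encoded
# as the report describes, inside a loader line that also sets the workdir.
INNER = b"# stand-in payload (constructed)\n"
SAMPLE_B64 = base64.b64encode(zlib.compress(INNER)).decode()
RAW_DEFLATE_B64 = base64.b64encode(zlib.compress(INNER)[2:-4]).decode()
SAMPLE_SCRIPT = (
    "$s=[IO.Compression.DeflateStream]::new([IO.MemoryStream]"
    f"([Convert]::FromBase64String('{SAMPLE_B64}')),"
    "[IO.Compression.CompressionMode]::Decompress);"
    "Set-Location C:\\Windows\\Temp;$l=[Net.Sockets.TcpListener]47000"
)
```

Feed `find_indicators` the ScriptBlockText field of PowerShell event 4104 entries and hand any Base64 blob it finds to `unpack_payload` for inspection of the inner stage.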
LogRhythm Users:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it should be addressed.