This report covers a malware campaign called Operation Wocao, which was likely carried out by a nation-state actor with potential links to APT20. The initial point of entry appears to be public-facing infrastructure attacked through common vectors. The main purpose of the campaign is the extraction of customer data and intellectual property.
Tactics, Techniques, and Procedures
The bad actor appears to enter the network by installing webshells on public-facing infrastructure, with an affinity for attacking vulnerable JBoss servers. Often the servers have already been compromised by webshells from other threat actors. If the threat actor detects an existing webshell, they will use it to perform reconnaissance and lateral movement on the victim's network. Any previously installed malware can also serve as a backup method to maintain access in the event of connection loss.
Once the attacker's malware has established persistence, the threat actor shifts focus to lateral movement within the environment. Some of the tactics are very common and rudimentary, such as dumping credentials from memory or logging the victim's keystrokes.
Operation Wocao targets high value individuals in the organization such as personnel who likely have domain admin or enterprise admin credentials. Presumably the bad actor conducts online research through sites such as LinkedIn to identify system administrators. When they have achieved the highest level of privileges possible, they use stolen credentials to connect to the organization’s VPN to avoid suspicion.
The threat actor uses both custom malware and well-established tools to achieve the goal of data exfiltration. A sample dossier of the malicious artifacts involved is listed below.
- File Handling Webshell: Used to upload files as needed
- Execution Webshell: Serves as a file handling webshell but is also able to execute commands on UNIX/Linux and Windows hosts
- Socket Tunnel: Allows backdoor connections between infected and prospective hosts
- Recon Script: Identifies potential files to be exfiltrated and gathers data on possible lateral movement paths. This script is written in Visual Basic Script (.vbs).
- XServer:
  - A custom-made backdoor that is deployed using PowerShell and assists with the lateral movement process
  - Can initiate and maintain proxy connections between hosts
  - Written in the C# (C Sharp) programming language
- Host Agent:
  - Behaves in the same way as XServer, but with a multi-hop proxy function
  - Can be written as a Python script or a full C# program
- Directory Listing:
  - Can list any and all files in the provided directory path
- Process Launcher:
  - Custom-built process launcher used to create child processes under a specified parent process using the CreateProcessA function in Windows
- Keylogger:
  - Custom-built malware to capture keystrokes and clipboard data for password gathering
Highlighted Malware – XServer:
The XServer malware is deployed from a PowerShell command or script, with the file being zlib compressed and Base64 encoded after the deployment is completed. The connections are hard-coded to listen on a specified port, with 25667 and 47000 observed in the samples currently available. The malware is coded to receive a single command packet that determines whether it acts as a backdoor or as a "proxy gateway". When proxy functionality is turned on, it runs as a SOCKS5 proxy and can chain through multiple infected hosts. All command and control sessions are TLS encrypted using a root certificate.
The most common working directory for the malware is: C:\Windows\Temp.
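The report notes that the XServer stage arrives through PowerShell as a zlib-compressed, Base64-encoded blob. The following added example (not code from the report or from the malware) shows how a defender can sweep PowerShell script block log text for Base64 runs that decode to a zlib stream; the log lines and the inner payload are constructed for the example.

```python
"""Flag log lines carrying a Base64 blob that decodes to zlib-compressed
data, the packaging described for the XServer deployment.
Hypothetical detection helper; sample lines below are constructed."""
import base64
import re
import zlib

# Base64 runs long enough to be a payload rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_zlib(data: bytes) -> bool:
    """Two-byte zlib header check: CMF == 0x78 and (CMF*256 + FLG) % 31 == 0."""
    return len(data) >= 2 and data[0] == 0x78 and ((data[0] << 8) | data[1]) % 31 == 0


def find_zlib_blobs(line: str) -> list[bytes]:
    """Return the decompressed content of every Base64+zlib blob in one line."""
    found = []
    for match in B64_RUN.finditer(line):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error subclasses ValueError
            continue
        if not looks_like_zlib(raw):
            continue
        try:
            found.append(zlib.decompress(raw))
        except zlib.error:          # header matched by chance, not a real stream
            continue
    return found


def scan_script_block_log(lines: list[str]) -> list[tuple[int, bytes]]:
    """Return (1-based line number, decompressed bytes) for every hit."""
    return [(n, blob) for n, line in enumerate(lines, 1) for blob in find_zlib_blobs(line)]


# Constructed sample: one line wraps a zlib-compressed placeholder script,
# one carries plain Base64 that is not zlib, one is ordinary text.
INNER_SCRIPT = (b"# constructed placeholder script body, not XServer\n"
                b"Start-Sleep -Seconds 1\nWrite-Output 'placeholder'\n")
PACKED = base64.b64encode(zlib.compress(INNER_SCRIPT)).decode()
SAMPLE_LOG = [
    "4104 ScriptBlockText: Write-Host 'hello'",
    "4104 ScriptBlockText: $d=[Convert]::FromBase64String('" + PACKED + "')",
    "4104 ScriptBlockText: $s='" + base64.b64encode(b"A" * 60).decode() + "'",
]

if __name__ == "__main__":
    for n, blob in scan_script_block_log(SAMPLE_LOG):
        print(f"line {n}: zlib payload, {len(blob)} bytes decompressed")
```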
Impact:
- Loss of sensitive data and the compromise of multiple accounts on the network
- Network abuse on the corporate VPN, indicated by sluggishness caused by large file transfers
- A successful compromise may result in the loss of confidence of consumers and of current and/or potential business partners
Recommendations:
- Consider implementing proactive blocks on any perimeter security appliances using the GitHub link below
- Monitor the processes running in your environment using tools like Windows Sysinternals, Nagios, or Zabbix where available
- Use the rule "AIE: C2: Abnormal Process Activity" to perform process monitoring (it may require tuning to avoid overly broad log captures)
- Consider monitoring user accounts for suspicious activity and auditing account privileges regularly to ensure that the least privilege rule is enforced in your environment
- Set up alerts for large data transfers over the corporate VPN, e.g. 25 GB in a 24-hour period
  - Consider implementing this for the regular network as well
- Monitor for connections over ports 25667 and 47000 in the internal network
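Two of the recommendations above (the 25 GB per 24-hour VPN threshold and watching for internal connections to ports 25667 and 47000) can be expressed as simple checks over session and flow telemetry. This is an added example, not Avertium's tooling; the record layouts and the sample data are constructed for illustration.

```python
"""Two checks from the recommendations: (1) users moving more than 25 GB
over the VPN within any sliding 24-hour window, (2) internal flows to the
hard-coded XServer listener ports.  Record formats are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

XSERVER_PORTS = {25667, 47000}      # listener ports named in the report
VPN_LIMIT_BYTES = 25 * 1024 ** 3    # 25 GB
WINDOW = timedelta(hours=24)


def vpn_transfer_alerts(records, limit=VPN_LIMIT_BYTES, window=WINDOW):
    """records: (user, iso_timestamp, bytes). Return each user whose total in
    any sliding window exceeds the limit (reported once per user)."""
    by_user = defaultdict(list)
    for user, ts, nbytes in records:
        by_user[user].append((datetime.fromisoformat(ts), nbytes))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        total, start = 0, 0
        for end, (t, nbytes) in enumerate(events):
            total += nbytes
            while t - events[start][0] > window:   # drop events older than 24 h
                total -= events[start][1]
                start += 1
            if total > limit:
                alerts.append(user)
                break
    return alerts


def internal_port_alerts(flows, ports=XSERVER_PORTS):
    """flows: (src_ip, dst_ip, dst_port). Return flows hitting watched ports."""
    return [f for f in flows if f[2] in ports]


# Constructed sample data.
VPN_RECORDS = [
    ("alice", "2020-01-06T08:00:00", 10 * 1024 ** 3),
    ("alice", "2020-01-06T20:00:00", 16 * 1024 ** 3),  # 26 GB within 12 h
    ("bob",   "2020-01-06T08:00:00", 20 * 1024 ** 3),
    ("bob",   "2020-01-08T09:00:00", 20 * 1024 ** 3),  # 40 GB, but 49 h apart
]
FLOWS = [
    ("10.0.1.5", "10.0.1.9", 445),
    ("10.0.1.5", "10.0.2.7", 25667),
    ("10.0.3.2", "10.0.2.7", 47000),
]

if __name__ == "__main__":
    print("VPN volume alerts:", vpn_transfer_alerts(VPN_RECORDS))
    print("XServer port hits:", internal_port_alerts(FLOWS))
```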
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.