InfoSec Insider

Defense Takeaways from Three Adversary Playbooks

An analysis of threat techniques used by Silence Group, Goblin Panda and Zegost, which can help construct effective defenses.

In these days of advanced threats, the perimeter defense strategy – though still useful and necessary – is incomplete. IT security teams need as much information about existing threats as possible, so they know what to look for and how to position proactive countermeasures. Creating and using adversary playbooks that dive deep into current threats helps in this endeavor.

Rather than focusing on the perimeter mindset of keeping the bad actors out, this new strategy focuses on preventing threat actors from achieving their goals. With this in mind, let’s look at three such playbooks.

A cybercriminal organization that targets banks, Silence Group has been actively focused on stealing information used in the payment-card industry since 2016. The group’s aim is to make as much money as possible by compromising targets via spear-phishing, which then leads to the exfiltration of financial data and allows attackers to “jackpot” ATMs to withdraw money.

The Silence Group repurposes publicly available tools, combined with “living off the land” techniques [i.e., using trusted off-the-shelf and preinstalled system tools to carry out their work]. This strategy has two benefits: Using locally available tools helps them better evade detection, as authorized devices with pre-existing privilege help them establish a deeper and stronger foothold in targeted systems. In addition, the group writes its own sets of modular, custom tools.

The standard threat begins with a spear-phishing email containing malicious attachments. These may be in the form of a weaponized Microsoft Word document or a Microsoft Compiled HTML Help (CHM) file sent to banks to entice their employees to click on the attachments.

Next, a hidden VBS file is executed within the context of a browser window inside the help files, where it then de-obfuscates itself and executes a PowerShell command. This new PowerShell command calls out to another server to retrieve a binary file, which it then decrypts into a third-stage downloader. This last downloader then acquires the actual Silence Group payload that consists of several different modules, depending on which phase of the overall attack the group is currently in. These modules include a proxy, a monitoring agent, an ATM module and the actual main Silence module itself.
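The chain described above leaves a recognizable process ancestry: a script interpreter running underneath a document viewer. The following is an added example, not code from the original article or from Fortinet; it walks parent-child links in process-creation telemetry and flags script hosts descended from `hh.exe` (the CHM viewer) or `winword.exe`. The record layout, the sample events and the choice of watched process names are assumptions, and PIDs are assumed unique within the window analysed.

```python
from ntpath import basename  # applies Windows path rules on any OS

DOC_HOSTS = {"hh.exe", "winword.exe"}  # CHM viewer and Word
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Constructed sample records, not from a real host: (pid, parent pid, image path)
EVENTS = [
    (400, 1, r"C:\Windows\explorer.exe"),
    (812, 400, r"C:\Windows\hh.exe"),
    (900, 812, r"C:\Windows\System32\cmd.exe"),
    (944, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (1200, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (1300, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (1301, 1300, r"C:\Windows\splwow64.exe"),
]


def find_document_spawned_scripts(events, max_depth=8):
    """Return (pid, ancestry) for script hosts descended from a document viewer."""
    procs = {pid: (ppid, basename(image).lower()) for pid, ppid, image in events}
    alerts = []
    for pid, (ppid, name) in procs.items():
        if name not in SCRIPT_HOSTS:
            continue
        chain, cur = [name], ppid
        for _ in range(max_depth):  # bounded walk, so a pid cycle cannot loop forever
            if cur not in procs:
                break
            cur_ppid, cur_name = procs[cur]
            chain.append(cur_name)
            if cur_name in DOC_HOSTS:
                alerts.append((pid, " <- ".join(chain)))
                break
            cur = cur_ppid
    return alerts


if __name__ == "__main__":
    for pid, chain in find_document_spawned_scripts(EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

Walking the full ancestry rather than only the direct parent matters here, because an intermediate `cmd.exe` or script host between the viewer and PowerShell would otherwise hide the link.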

The ATM module is used in combination with human “mules” who use codes provided to their mobile devices to jackpot ATM devices – and then they physically transport cash to a drop-off site.

Focused on interests in Southeast Asia, Goblin Panda has been active since 2014. Due to non-standardized naming conventions within the industry, Goblin Panda is also known as APT 27, Hellsing, Cycledek, and perhaps 1937CN. Its targets and campaigns have been quite specific in nature. Favorite methodologies of Goblin Panda include the use of remote access trojans, including the infamous PlugX/Korplug, NewCore, and Sisfader RAT tools.

The distribution of infected samples through weaponized Microsoft Office documents is a strategy often used by attackers such as Goblin Panda. Recent examples include documents containing malicious macros, or that exploit known vulnerabilities—most recently CVE-2012-0158 and CVE-2017-11882.

Typically, Goblin Panda activity begins with a spear-phishing attack via a maliciously crafted Microsoft Office document. When the document is opened by the victim, a variety of files are dropped into different locations on the victim’s PC. Dropped files include legitimate software vendor files, an encrypted binary blob containing the payload, and DLL files containing a decryptor and loader for the payload.

The attack also uses a DLL hijacking technique to evade traditional antivirus detections during the installation of the malware. This involves hijacking a variety of legitimate DLL files from different vendors using a trojanized version of a malicious DLL file. Finally, it also checks to determine if it is running in a VM environment. Once it is finished with those tasks, it sends various parameters to a C2 server. If those parameters are deemed okay, it then downloads a payload. In most recent cases, that payload has been the NewCore RAT malicious DLL file.
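The drop-then-hijack pattern above can be hunted by correlating two telemetry sources: files written by an Office process, and image loads in which a signed executable pulls in an unsigned DLL sitting beside it. The following is an added example, not code from the original article; the tuple layouts, the sample records and the "signed" flags are assumptions standing in for whatever an EDR or Sysmon pipeline provides, and it assumes the hijacked DLL sits in the same directory as the executable that loads it.

```python
from ntpath import basename, dirname  # applies Windows path rules on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
VENDOR_DIR = r"C:\Users\a\AppData\Roaming\Vendor"  # constructed path

# Constructed file-creation records: (writing process, created file)
FILE_CREATES = [
    (r"C:\Program Files\Office\WINWORD.EXE", VENDOR_DIR + r"\updater.exe"),
    (r"C:\Program Files\Office\WINWORD.EXE", VENDOR_DIR + r"\helper.dll"),
    (r"C:\Program Files\Office\WINWORD.EXE", VENDOR_DIR + r"\data.bin"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Tool\tool.dll"),
]

# Constructed image-load records: (process, process signed?, loaded DLL, DLL signed?)
IMAGE_LOADS = [
    (VENDOR_DIR + r"\updater.exe", True, VENDOR_DIR + r"\helper.dll", False),
    (VENDOR_DIR + r"\updater.exe", True, r"C:\Windows\System32\kernel32.dll", True),
    (r"C:\Program Files\Tool\tool.exe", True, r"C:\Program Files\Tool\tool.dll", True),
    (r"C:\Users\a\Downloads\portable\app.exe", True,
     r"C:\Users\a\Downloads\portable\plugin.dll", False),
]


def office_dropped(creates):
    """Lower-cased paths of every file written by an Office process."""
    return {path.lower() for writer, path in creates
            if basename(writer).lower() in OFFICE}


def sideload_candidates(creates, loads):
    """Signed EXE loading an unsigned DLL from its own directory, with DLL origin."""
    dropped = office_dropped(creates)
    hits = []
    for image, image_signed, dll, dll_signed in loads:
        beside_exe = dirname(image).lower() == dirname(dll).lower()
        if image_signed and not dll_signed and beside_exe:
            origin = "office-dropped" if dll.lower() in dropped else "unknown-origin"
            hits.append((basename(image), basename(dll), origin))
    return hits


if __name__ == "__main__":
    for hit in sideload_candidates(FILE_CREATES, IMAGE_LOADS):
        print("CANDIDATE", hit)
```

An `office-dropped` hit is the higher-confidence signal; `unknown-origin` hits are worth triage but will include legitimate portable applications that ship unsigned plugins.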

An infostealer originating in China that has been active since 2011, Zegost is also known as Zusy or Kris. Zegost has recently undergone a variety of upgrades, including the ability to use specific PowerShell actions to download its infostealer payload the moment a victim’s mouse moves over a specific piece of text.

It has also added the ability to clear its own event logs to provide long-term evasion capabilities, granting it more time to move laterally across the victim’s network. A previous update went so far as to enable it to use COM programming, an uncommon feature in malware.

Zegost’s main objective is to amass information about the victim’s device and exfiltrate it. Zegost will hunt for OS versions, analyze the speed and quantity of processors in the victim’s machine, check for an internet connection and look for the RDP port number.

Zegost is uniquely configured among infostealers to remain under the radar, making it far more of a long-term threat compared to its contemporaries. The malware accomplishes this by evading runtime conflicts; it creates a mutex, which it checks to ensure only a single version of itself is running.

Zegost is currently deployed as the foundation of a spear-phishing campaign against a Chinese governmental entity. The motives for this campaign are currently unclear. While Zegost hosting infrastructure is based mainly in China, third-level domains for the infostealer have been observed outside of the country.

Threat actors are a determined and innovative lot, creating schemes within schemes to get what they want. Attackers only have to be right once, however, while IT security teams are charged with covering all possible attack vectors. That’s why adversary playbooks can be tremendously helpful for defensive learning.

In addition, they can play a critical role for law enforcement in identifying trends and strategies and fingerprinting common practices used by specific cybercriminal organizations. Deep analysis of threat techniques can be used to construct effective defenses. As more vendors share what they have learned with the larger industry, and create trusted partnerships even between competitors, as is the case with the Cyber Threat Alliance, everyone benefits as a whole.

Derek Manky is chief of Security Insights & Global Threat Alliances at Fortinet – Office of CISO
