APT28 Investigation
- Pavan Raja

- Apr 8, 2025
- 24 min read
Summary:
The provided text appears to be an internal technical report from FireEye, Inc., detailing the analysis of a specific malware variant known as CHOPSTICK. This malware is discussed in detail along with its various versions and functionalities. Below, I will break down some key points and provide additional context based on the information given:
### Malware Overview: CHOPSTICK

- **Versions**: The document mentions two main versions of CHOPSTICK, v1 and v2. These versions differ primarily in their internal module names, IDs, and functionalities.
- **CHOPSTICK v1**: Kernel ID is 0x0001; modules include AgentKernel, modKey, modFS, and modProcRet.
- **CHOPSTICK v2**: Kernel ID is 0x0002; it carries a different set of modules: a version 2 kernel, keystroke logging, screen capture, filesystem access, remote command shell access, and loading of additional DLLs.
### Module Identification

- **Module IDs**: The document suggests that the first byte of a module ID identifies the type of module (e.g., keystroke logging, file system access), while the second byte indicates the kernel version. Functionality is therefore consistent across versions while the identifiers stay distinct.
- **Commands and Capabilities**: Commands addressed to a module by its module ID are understood by the corresponding module in each version, indicating a relatively stable command set despite changes to the internal structure.
### Credential Harvester (OLDBAIT)

- **Installation Path**: OLDBAIT installs itself in a modified directory path on the user's computer and collects credentials from applications including the Internet Explorer and Mozilla Firefox browsers and the Eudora, The Bat!, and Becky! email clients.
- **Data Exfiltration**: Credentials can be sent out via email (SMTP) or over HTTP, as illustrated by the example HTTP traffic in the report.
### Network Traffic Analysis

- **Email Metadata**: Email headers such as MIME-Version and Content-Type suggest that the email was crafted programmatically or by a mail client supporting these features.
- **HTTP Traffic**: HTTP headers such as Accept-Language, Host, User-Agent, and MIME-Version are noted in the context of potential data exfiltration through web requests.
### Technical Report Context

- **FireEye Analysis**: The document is authored by FireEye, a source of cybersecurity insights and malware analysis. It provides detailed technical information usable in forensic investigations or threat intelligence to understand and counter similar threats.
- **Proprietary Nature**: The end of the report carries a legal disclaimer emphasizing the confidential nature of the information and the need to respect intellectual property rights when handling it.
### Conclusion

The document provides a detailed technical analysis of the CHOPSTICK malware, including its versions, functionality, and specific behaviors during network traffic generation (emails, HTTP requests). This type of report is crucial for understanding the capabilities and operational details of cyber threats, which is essential for developing effective defense strategies against them.
Details:
This report, titled "APT28: A Window into Russia’s Cyber Espionage Operations?", provides an analysis of APT28's cyber espionage activities targeting various entities in the Caucasus and Eastern Europe. Key findings include APT28's interest in the region, particularly Georgia, where they targeted the Georgian Ministry of Internal Affairs (MIA), Ministry of Defense, a journalist covering the area, and other organizations. The report also highlights APT28’s broader activities against governments and militaries in Eastern European countries as well as NATO and other European security organizations.
This document discusses the activities and characteristics of the Russian hacking group, known as APT28. The research indicates that this group has targeted various entities worldwide using sophisticated malware to gain access and steal data. Key findings include skilled developers with a modular implant structure indicating a formal development environment. Additionally, the timing of malware compilation aligns with working hours in Moscow and St. Petersburg, suggesting specific targeting related to Russian interests.
The document also includes appendices that detail methods for distinguishing APT28 from other threat groups and provide a timeline of the group's lures. It concludes by highlighting the capabilities demonstrated by APT28 and emphasizing its potential as a nation-state influenced cyber warfare tool.
The article discusses FireEye's assessment of a threat group originating from Russia, which has been active since at least 2007. This group is known for developing malware specific to Eastern European targets and does not appear to engage in large-scale theft of intellectual property or financial information for economic gain. Unlike some Chinese-based threat actors they track, this Russian group does not alter the language settings of malware samples to mimic a Russian origin. The lack of significant evidence linking Russia directly to cyber attacks has contributed to its phantom status in cyberspace.
The provided text discusses a cyber espionage group known as APT28, which is believed to target political and military insiders to collect intelligence on defense and geopolitical issues. The evidence suggests that this group operates under the guidance of a government sponsor, specifically Russia's government in Moscow. APT28 has been identified by various sources such as Markoff (1), Knowlton (2), and fireeye.com (3-4) as having demonstrated interest in collecting information on Eastern European governments and security organizations, which could benefit the Russian government. The group targets individuals associated with Georgia's Ministry of Internal Affairs and Ministry of Defense, likely seeking intelligence about its security dynamics. APT28 has shown interest in influencing public opinion and gauging its ability to influence policymaker intentions by targeting officials from European security organizations like NATO and OSCE during periods of increased tension in Europe. The malware compile times suggest that the APT28 developers are skilled professionals, indicating highly focused operations against their targets.
Over the last seven years, APT28 has developed and updated its malware using flexible platforms that indicate long-term usage. The coding practices in their malware show a high level of skill and complexity, making it difficult for reverse engineering efforts. They tailor implants to specific victim environments, stealing data through compromised mail servers. Many of their malware samples include obfuscated strings, runtime checks, and unused machine instructions to hinder analysis. APT28's activities suggest that the group consists of Russian speakers working during business hours in major cities in Russia. Most of their PE resources were compiled on weekdays between 8AM-6PM in Moscow/St. Petersburg time zone, with a majority from mid-2007 to September 2014.
The article "APT28: A Window into Russia’s Cyber Espionage Operations?" explores the targeting strategies and interests of APT28, a cyber espionage group believed to be affiliated with the Russian government. The analysis reveals three main themes in APT28's operations that suggest specific areas of interest for an Eastern European government, likely the Russian one:
1) **Interest in the Caucasus region**: APT28 frequently targets domains and individuals related to the Caucasus area, particularly Georgia, indicating a focus on this region. This suggests Russia’s interest in monitoring activities within Eastern Europe, especially concerning its neighboring countries.
2) **Targeting of Eastern European governments and militaries**: The group's operations often involve breaching accounts of officials from various Eastern European governments and specific security organizations. This demonstrates APT28’s efforts to gain access to sensitive information that is relevant to the political landscape and military structures in these countries.
3) **Use of mimicry tactics with registered domains**: APT28 uses tactics such as creating emails and registering domains that closely resemble legitimate entities like news, politics, or other websites. This mimicking strategy helps in gaining trust from potential targets, making them more likely to engage with the suspicious content within the email, thereby providing access for espionage purposes.
The article also highlights APT28's use of spearphishing emails as a common tactic to target victims within Eastern European governments and militaries. The lures crafted by the threat group are tailored to specific topics relevant to their targets, increasing the chances that recipients will engage with the suspicious content. This approach is part of Russia’s strategy to gather intelligence on political and military organizations in the region, likely reflecting Russian interests in maintaining influence over its Eastern European neighbors through cyber espionage activities.
The article discusses APT28, a Russian cyber espionage group that has been active since 2011 and primarily targets organizations in Georgia, Armenia, and Azerbaijan within the Caucasus region. APT28 uses lures designed to target Georgian government agencies or citizens, such as the Ministry of Internal Affairs (MIA) and the Ministry of Defense (MOD). The group's efforts are likely aimed at gathering information about Georgia’s security posture and diplomatic relations with the West. Additionally, APT28 has attempted to compromise a journalist working on issues in the Caucasus and a controversial Chechen news site. Specific attempts include exploiting vulnerabilities in systems to gain access through compromised credentials and using backdoors to send emails from MIA mail servers with Georgian domain names ending in "@mia.ge.gov."
The passage describes an action by APT28, which is believed to be Russian cyber espionage group, targeting the MIA (Ministry of Internal Affairs) in Georgia. They used a tactic where they sent out emails referencing driver's licenses and other topics related to internal security, border patrols, etc., with the aim to gather information from MIA's network.
APT28 created a decoy document that impersonated an IT-related training material for the Georgian military. This document contained references to the Windows domain "MIA Users\Ortachala…" and was authored by Beka Nozadze, who is identified as a system administrator in Tbilisi. The metadata of this document falsely stated it was created by MIA ("Beka Nozadze").
The decoy document, disguised as an educational tool for the military, contained malware that aimed to download onto victims' systems without their knowledge or consent, thus compromising the security and potentially gathering intelligence from the MIA network. This action highlights APT28’s efforts to gather information through a less-monitored route, potentially evading detection by the MIA network security measures.
APT28, also known as Fancy Bear or Pawn Storm, is a cyber espionage group believed to be linked to the Russian government. It conducted operations aimed at breaching the networks of the Ministry of Defense (MIA) in Georgia and targeting journalists covering issues related to the Caucasus region. These actions were part of an effort to maintain influence over public opinion, identify dissidents, spread disinformation, and potentially facilitate further cyber attacks on specific targets. APT28's activities not only targeted Georgian military capabilities but also included attempts to monitor public opinion through journalists in the region. This indicates a strategy consistent with Russian threat perceptions, contributing to geopolitical tensions between Russia and Georgia, as well as impacting international security dynamics.
This text is about a situation where, during June 2014, Georgia and other countries like Ukraine and Moldova were linked with the EU through an association agreement. Some people in charge wanted to create a department called "Caucasian Issues Department" to talk about security issues, but Russia didn't agree, so it didn't happen.
The text also describes Russian actors who try to steal information from other countries by posing online as legitimate organizations. These actors operate in two languages (Russian and English) and register fake websites that resemble real ones but are used to harvest information. This activity is cyber espionage, and it appears to be aimed at the Caucasus region.
This text discusses activities of the Russian APT28 group, which has been observed targeting journalists and dissidents in the Caucasus region, mimicking a US-based magazine and posing as a Chechen news website to collect intelligence or spread disinformation. The Kavkaz Center is identified as a key domain used by APT28, being operated from Russia and aimed at presenting an alternative view on the ongoing conflict between Russia and Chechen separatists. APT28's actions have drawn criticism from various governments and human rights organizations due to their surveillance tactics against journalists critical of the Kremlin.
This is a summary of several related news and information sources about Russia's alleged involvement in promoting terrorism through websites and cyber espionage targeting Eastern European governments and militaries. The sources highlight specific events such as the promotion of terror by a Chechen website, which was later urged to be banned by Russian Foreign Minister Sergey Lavrov. Additionally, there are mentions of cyber attacks conducted by Russia's APT28 group (also known as Sofacy), targeting Eastern European governments and organizations with the aim of gaining influence in the region. These attacks involved malware deployment and use of decoys related to the Malaysia Airlines flight MH17 incident. The sources provide details about these activities, suggesting a pattern of Russian cyber espionage operations aimed at influencing political and military dynamics in Eastern Europe.
On August 11, 2014, a webpage on malware prevention site "malware.prevenity.com" discussed APT28, a suspected Russian cyber espionage group known for targeting Eastern European governments and organizations. The group had registered domains mimicking legitimate Eastern European news sites and government entities such as standartnews.com, novinite.com, gov.hu, gov.pl, and poczta.mon.gov.pl. APT28 aimed to compromise individuals involved in or interested in Baltic military and security matters. The group's domain registrations indicated their interest in obtaining sensitive intelligence on regional military capabilities and relationships. APT28's actions were particularly noted in relation to Moscow's perspective, with Russia interpreting the military exercises as a hostile act, reflecting a pro-Kremlin stance.
In June 2014, a military event called "Saber Strike and Baltic Host" took place in Latvia, Lithuania, and Estonia. This event was part of a larger U.S. Army training program to improve cooperation with regional allies and partners. The exercises focused on enhancing interoperability between different countries' forces.
During this time, Russia's military actions were being closely monitored by other nations, particularly as they involved cyber-attacks targeting NATO and other European security organizations. These attacks showed interest in obtaining insider information about these organizations for influencing Russian political and military decisions. APT28 (also known as Sofacy Group) was identified as responsible for these targeted cyber-attacks, mimicking domain names of NATO and related organizations to gather sensitive data.
APT28, also known as Fancy Bear or Pawn Storm, has been identified by cybersecurity researchers as part of Russia's strategic stability efforts. This group has been active in targeting various organizations and individuals within Europe, including security agencies and defense attachés working in European countries. They have used tactics such as registering domains to mimic legitimate NATO and security websites like the Organization for Security and Cooperation in Europe (OSCE). APT28 has also targeted attendees of European defense exhibitions, with a specific interest in those involved in planning events related to the Defense, Security, Energy, Utilities, Finance, and Pharmaceutical sectors. They have employed phishing lures containing decoy documents, such as lists of British officers and U.S. and Canadian military attachés in London, as well as an apparent non-public listing of contact information for defense attachés under the "Ankara Military Attaché Corps (AMAC)" umbrella, which is a professional organization of defense attachés in Turkey.
APT28, also known as Fancy Bear or Pawn Storm, is a cyber espionage group that has been active since at least 2012. The group primarily targets organizations and professionals involved in defense events held in Europe such as the Farnborough Airshow, EuroNaval, EUROSATORY, and Counter Terror Expo. By registering domains to mimic those of these legitimate entities or organizations, APT28 gains access to information about new defense technologies and the victim organizations' operations, communications, and future plans.
APT28 has a broad range of targets outside of the typical espionage themes, such as international organizations like the European Commission, UN Office for the Coordination of Humanitarian Affairs, APEC, NATO, OSCE, World Bank, and others including defense attachés in East Asia and diplomatic forums. These targets indicate areas of interest that many governments may find parallel to their own strategic interests without conflicting with Russian state interests.
APT28's tactics include registering domains that mimic those of legitimate entities for the purpose of phishing emails and luring documents related to military trade shows, conferences, and exhibitions. Through these activities, APT28 aims to gather intelligence on new defense technologies and potentially disrupt or influence the operations of its targets.
The article discusses the activities of APT28, which is believed to be linked to Russian intelligence. It has been observed that APT28 systematically updates its malware since 2007, suggesting involvement by skilled Russian developers aiming for long-term use and versatility in operations. APT28's toolkit includes tools like SOURFACE (Sofacy within the cyber security community) which is a downloader that obtains a second-stage backdoor from a C2 server. This malware has been used in various attacks, such as phishing emails targeting defense contractors and governments worldwide.
APT28's CORESHELL is an updated version of the SOURFACE downloader. The majority of their work was done in a Russian language build environment during Russian business hours. This suggests that the Russian government might be sponsoring APT28. Its more commonly used tools include the SOURFACE downloader, its second-stage backdoor EVILTOSS, and a modular family of implants known as CHOPSTICK.
Some specific malware variants from APT28 include:

- The SOURFACE downloader, used to obtain second-stage access via an exploit in spearphishing emails carrying malicious documents.
- The EVILTOSS backdoor, delivering reconnaissance, monitoring, credential theft, and shellcode execution through the SOURFACE ecosystem.
- CHOPSTICK, a modular implant with tailored functionality and flexibility, which forms part of the second stage of the malware deployment.
APT28 has implemented several obfuscation techniques to hinder reverse engineering, such as unused machine instructions that create noise in static analysis during disassembly. This helps avoid easy detection by security measures. The malware also includes runtime checks to determine whether it is being analyzed; if so, it does not trigger its payloads, adding another layer of complexity to its operation.

APT28's toolset consists of several malware families, including SOURFACE/CORESHELL and the EVILTOSS backdoor, which have been active since at least 2007. These families use various methods such as obfuscation and custom stream ciphers to encode their strings at compile time and decode them at runtime. They share a similar design in their high-level cipher operations but differ in the internal arithmetic operations among family members. The SOURFACE downloader, named netids.dll, serves as a first stage for retrieving a second-stage payload from a Command and Control (C2) server, via IP addresses until 2013, when domains started being used. This malware ecosystem indicates systematic development over time. A malware family consists of multiple malware samples sharing significant code, while a malware ecosystem refers to a group of related families working together for a common objective, such as deploying droppers and backdoors in an installation process.

The article discusses the modifications and evolution of the SOURFACE malware, which is associated with an APT (Advanced Persistent Threat) group operating in Russia. Initially named "Init1" at its creation in April 2013, the malware underwent significant changes, including a rename to "coreshell.dll," suggesting collaboration between the two or modifications post-initialization. The malware's communication with a command and control (C2) server changed over time, starting from an encoded URL format that included hostname, volume serial number, and OS version data.

The developers made other modifications such as changing exported function names and file sizes, which are reflected in a table listing the MD5 hash of each binary, its size, compile date, export name, and notes on its evolution. As time progressed, the malware continued to evolve, with new versions being deployed around August 2013, May 2014, and February 2014. The modifications focused on enhancing functionality and evading detection, as indicated by similar MD5 hashes but different compile dates and notes suggesting updates in functionality or obfuscation techniques.

The document discusses the development of a software backdoor named SOURFACE and its variants, which share some code similarities with another known backdoor, EVILTOSS. According to the report, in April 2013, based on compile time, the group began making significant alterations to the SOURFACE downloader. One variant required Windows Vista or later due to added assembly-level obfuscation that slows down analysis. An antivirus report from 2004 mentioned a possible early variant of EVILTOSS sharing code similarities with SOURFACE and EVILTOSS. This backdoor, when installed, provided access to the file system and registry, enumerated network resources, created processes, logged keystrokes, stored credentials, and executed shellcode. It encrypted uploaded data using an RSA public key and communicated via SMTP, sending data to nato_smtp@mail<.>ru and receiving tasks from nato_pop@mail<.>ru.
Although the exact attribution of this sample to APT28 has not been conclusively determined, the similarities suggest a possible link between the EVILTOSS variants and APT28, indicating that they may have been active since an early stage.
A malware family called CHOPSTICK, likely associated with APT28 (a Russian cyber espionage group), has been identified by FireEye researchers through its modular development framework and the use of a backdoor in emails named "detaluri.dat." This malware is designed to steal data, such as keystroke logs, Microsoft Office documents, and PGP files, which are then sent via email from a Georgian MIA mail server. The CHOPSTICK variants also utilize two methods for communication: with a C2 (Command and Control) server using HTTP protocols and through emails sent via a specified mail server. Evidence suggests that APT28 has been involved in such activities since at least 2007, indicating an organized information gathering effort.
This summary discusses the development efforts of a group associated with APT28, which is suspected to be linked to the Russian government's cyber espionage operations. The malware developed by this group consistently includes Russian language settings and has been compiled during normal business hours in the Russia time zone (UTC + 4), including major cities like Moscow and St. Petersburg. Researchers have noted that APT28 malware samples, which are both in Russian and English, often include PE resources with non-default language settings tailored to the developer's build environment. These PE resources contain locale identifiers that specify primary language and sublanguage codes, indicating the country/region of origin. The researchers identified 103 malware samples linked to APT28 that contained such PE resources.
The table provides information on locale and language identifiers associated with APT28 malware samples, indicating which languages and countries/regions they are set for. These identifiers include a neutral or system default locale and specific locales such as Russian (ru) and English (en) for Russia (RU), United States (US), and United Kingdom (GB). The data shows that the majority of the APT28 malware samples, at least some of which were compiled between late 2007 and late 2013, have Russian language settings. This consistency suggests that the developers of APT28 malware are capable of operating in both Russian and English environments. Furthermore, the compile times for these samples largely align with working hours in Moscow and St. Petersburg (Moscow Time Zone, UTC+04:00), with over 96% being compiled during weekdays from roughly 8AM to 2PM UTC.
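The two build-environment indicators used above, PE resource language identifiers and compile timestamps, can be checked mechanically. The following Python is an added example, not code from the post or from FireEye: it reads the COFF TimeDateStamp straight out of the PE header, splits a 16-bit Windows LANGID into its primary language and sublanguage fields, and scores a sample set against a Mon-Fri working-hours window in the UTC+4 offset the report applies to Moscow and St. Petersburg. The `make_fake_pe` helper builds a constructed header-only image so the example runs offline; the locale table covers only the identifiers the report tabulates.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows LANGID layout: bits 0-9 hold the primary language, bits 10-15 the
# sublanguage; this is the "primary language and sublanguage" split the report
# reads out of PE resource entries.
LOCALES = {  # (primary, sublanguage) -> locale, for the identifiers the report tabulates
    (0x00, 0x00): "neutral / system default",
    (0x09, 0x01): "en-US",
    (0x09, 0x02): "en-GB",
    (0x19, 0x01): "ru-RU",
}

def split_langid(langid: int):
    """Return (primary language, sublanguage) from a 16-bit LANGID."""
    return langid & 0x3FF, (langid >> 10) & 0x3F

def describe_langid(langid: int) -> str:
    return LOCALES.get(split_langid(langid), f"unmapped LANGID {langid:#06x}")

def pe_timestamp(image: bytes) -> datetime:
    """COFF TimeDateStamp of a PE image as an aware UTC datetime.
    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header, nothing more."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", image, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

MSK = timezone(timedelta(hours=4))  # the UTC+4 offset the report applies to Moscow/St. Petersburg

def in_business_hours(when: datetime, start=8, end=18, tz=MSK) -> bool:
    """True if the timestamp falls Mon-Fri within [start, end) hours in the given zone."""
    local = when.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end

def business_hour_ratio(stamps, **window) -> float:
    """Fraction of timestamps inside the working-hours window (0.0 for an empty set)."""
    if not stamps:
        return 0.0
    return sum(in_business_hours(s, **window) for s in stamps) / len(stamps)

def make_fake_pe(stamp: int) -> bytes:
    """Constructed header-only image (not loadable) carrying the given TimeDateStamp."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff

def triage(samples):
    """samples: iterable of (pe_bytes, resource LANGID) pairs -> summary dict."""
    stamps = [pe_timestamp(img) for img, _ in samples]
    locales = {}
    for _, langid in samples:
        name = describe_langid(langid)
        locales[name] = locales.get(name, 0) + 1
    return {"business_hour_ratio": business_hour_ratio(stamps), "locales": locales}

if __name__ == "__main__":
    # Constructed sample set: two Wednesday stamps and one Saturday stamp, April 2013.
    demo = [
        (make_fake_pe(1365579000), 0x0419),  # 2013-04-10 07:30 UTC, Wed -> 11:30 MSK
        (make_fake_pe(1365562800), 0x0409),  # 2013-04-10 03:00 UTC, Wed -> 07:00 MSK
        (make_fake_pe(1365838200), 0x0000),  # 2013-04-13 07:30 UTC, Sat
    ]
    print(triage(demo))
```

On a real corpus the timestamp is only evidence, not proof: the COFF stamp is attacker-controlled and can be zeroed or forged, so the ratio is meaningful over many samples rather than for any single binary, which is also how the report uses it.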
This document discusses the APT28 malware, a type of computer attack most likely sponsored by the Russian government. It has been observed to evolve and maintain tools for long-term use, targeting specific victims' environments to hinder reverse engineering efforts. Key characteristics include backdoors using the HTTP protocol and local copying techniques, as well as a focus on Georgia, the Caucasus region in Eastern Europe, and security-related organizations such as NATO, OSCE, and defense attachés. The malware consistently uses Russian language indicators throughout its development process.
This text is discussing APT28, a cyber espionage group, and their malware characteristics over six years. The APT28 group appears to be skilled in both Russian and English languages as they lured journalists writing about the Caucasus region. The malware samples compiled by this group consistently showed compile times from 2007 to 2014, aligning with the standard workday in the UTC + 4 time zone which includes major cities like Moscow and St. Petersburg in Russia.
FireEye researchers suggest that APT28 might be a window into Russia's cyber espionage operations based on these findings. They also mention how threat groups leave behind forensic details when they conduct their activities, making it difficult to attribute disparate intrusion activities to the same group at first glance due to similarities in methodologies and tools used.
The article then goes into more technical detail about distinguishing between different threat groups using various indicators such as email patterns, file names, MD5 hashes, timestamps, custom functions, encryption algorithms, and command and control addresses or domain names embedded within malware. This process involves collecting enough forensic details to confirm that the same actor or group of actors was involved in multiple intrusion events.
The text discusses cyber threat groups and their activities. It mentions that a threat actor could be a private citizen hired by multiple threat groups, which might include proprietary databases with millions of nodes and linkages between them. These threats often compromise the same target within the same timeframe but are distinguishable based on evidence left behind from incidents.
The text provides a timeline of operations by APT28 (also known as Cozy Bear), a suspected Russian cyber espionage group, focusing on the different lures and associated malware used in its activities:

- 2010: Iran's work with an international organization was used as a lure for SOURFACE malware.
- 2011: Various documents were distributed, including one named "military cooperation.doc" linked to OLDBAIT malware and an IT document for the Ministry of Internal Affairs in Georgia delivering SOURFACE. A USB disk security warning was also disseminated.
- 2012: Lures related to food security in Africa ("Food and nutrition crisis reaches peak but good forecast for 2013"), concerns over terror attacks, Portugal's forest fires (echoing a crisis report), and FBI monitoring of social media platforms delivered SOURFACE or CHOPSTICK malware.
- 2013: The Asia Pacific Economic Cooperation Summit saw lures targeting reporters with SOURFACE or CORESHELL malware, alongside a South Africa MFA document.

These activities suggest that APT28, a likely Russian state actor involved in cyber espionage, used various tactics and tools to target specific individuals and organizations for intelligence gathering purposes.
The document appears to be a collection of internal documents from various sources and years, each containing specific information or data related to different topics such as news about Syria's chemical weapons, Georgian drivers' licenses, possible aviation group documents in Mandarin, and cease-fire negotiations between Netherlands and Malaysia concerning an apparent Ukraine airline attack.
The document also mentions a malware called CORESHELL which is identified with the source name SOURFACE/CORESHELL. This malware uses a custom stream cipher algorithm for encryption, compiled as 'coreshell.dll', using either six or eight-byte keys depending on the version. It communicates over HTTP and sends POST requests to a server with encrypted data in their bodies, often encoded in Base64. The user agent string used by CORESHELL is "MSIE 8.0", which remains consistent across different versions of the malware.
The document concludes with an analysis focusing on these newer versions of CORESHELL and how they use stream ciphers for encryption with keys varying from six to eight bytes, indicating some evolution in its coding and encoding techniques compared to older versions.
The beacon itself is an HTTP POST whose body is Base64 encoded. Once the Base64 is stripped, the body is the encrypted CORESHELL beacon: a command byte, the victim hostname, the malware and OS version fields and a few other metadata fields, each preceded by a little-endian length.
The stream-cipher key for the example beacon is 30 ac e5 21 e4 a6 (six bytes, so an older build). Decrypting with it yields the plaintext, which shows the command byte (0 for a command request, 1 for a process listing), the hostname string "zxdfmF6f5ah", the version fields "0403" and "05", and the header length fields as little-endian values.
Commands flow the other way, as HTTP responses to these POST requests. A response that carries a command begins with the NULL-terminated UNICODE string "OK"; the Base64-encoded command immediately follows it.
The section ends with an example showing how such a command appears inside an HTTP response from the server.
The same material describes the structure of a CORESHELL C2 command message (this is CORESHELL's protocol, not CHOPSTICK's, which is covered separately below). Key points:
1. **Message Structure**:
The decoded command starts with a single constant byte set to 1, followed by a two-byte field of unknown purpose (AA AA in the example), and then an eight-byte encryption key.
The encrypted command data follows and is decrypted with that key.
2. **Decryption Example**:
Decrypting the example encrypted command "10 41 70 41 10 42 33..." with the key "01 01 01 01 01 01 01 01" yields:
```
00000000  04 CC C2 04 00 42 42 42 42 43 43 43 43 44 44 44  .....BBBBCCCCDDD
00000010  44 45 45 45 45 46 46 46 46                       DEEEEFFFF
```
3. **Command Message Format**:
The first byte of the decrypted command selects the command type (04 in the example, i.e. shellcode); the remaining bytes are the command data.
Command types:
**01**: Save the command data as %LOCALAPPDATA%\svchost.exe and execute it with CreateProcess.
**02**: Save the command data as %LOCALAPPDATA%\conhost.dll and run it with `rundll32.exe "%s",#1`.
**03**: Save the command data as %LOCALAPPDATA%\conhost.dll and load it with LoadLibrary.
**04**: Treat the command data as shellcode and execute it in a new thread via CreateThread.
4. **Malware Overview**:
CHOPSTICK is a backdoor built on a modular, object-oriented framework written in C++.
It supports several communication channels, including SMTP and HTTP, for talking to its operators.
On first run it performs a number of setup and collection actions before going on the network.
In short, a CORESHELL C2 message carries a fixed header, an eight-byte key and a typed command whose first byte decides how the payload is dropped and executed; the rest of the section turns to CHOPSTICK.
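As an added illustration of the command framing above (example code written for this page, not FireEye's code and not the malware's), the following Python takes an HTTP response apart down to the command type and its drop/execute method. The page does not give the custom stream cipher, so `xor_standin` is an assumed placeholder that only makes the round trip run; the HTTP response and the command bytes are constructed from the report's decrypted example.

```python
import base64
from dataclasses import dataclass

# NULL-terminated UNICODE (UTF-16LE) "OK" that precedes the Base64 command
OK_MARKER = "OK".encode("utf-16-le") + b"\x00\x00"

# Command types from the report: (drop path, execution method)
COMMAND_TYPES = {
    0x01: ("%LOCALAPPDATA%\\svchost.exe", "CreateProcess"),
    0x02: ("%LOCALAPPDATA%\\conhost.dll", 'rundll32.exe "%s",#1'),
    0x03: ("%LOCALAPPDATA%\\conhost.dll", "LoadLibrary"),
    0x04: (None, "CreateThread (shellcode executed in memory)"),
}


@dataclass
class Envelope:
    constant: int      # always 1 according to the report
    unknown: bytes     # the AA AA field, purpose unknown
    key: bytes         # 8-byte key that protects the command data
    ciphertext: bytes


def extract_command_b64(http_response: bytes) -> bytes:
    """Skip the HTTP headers, locate the UNICODE 'OK' marker and return the Base64 after it."""
    header_end = http_response.find(b"\r\n\r\n")
    body = http_response[header_end + 4:] if header_end >= 0 else http_response
    idx = body.find(OK_MARKER)
    if idx < 0:
        raise ValueError("response carries no UNICODE OK marker, so no command")
    return body[idx + len(OK_MARKER):].strip()


def parse_envelope(raw: bytes) -> Envelope:
    """Split the decoded command into constant / unknown / key / ciphertext."""
    if len(raw) < 1 + 2 + 8:
        raise ValueError("command shorter than its fixed header")
    if raw[0] != 1:
        raise ValueError(f"unexpected leading constant {raw[0]:#04x}")
    return Envelope(raw[0], raw[1:3], raw[3:11], raw[11:])


def xor_standin(key: bytes, data: bytes) -> bytes:
    """Stand-in for the custom stream cipher. ASSUMPTION: this is NOT the real algorithm,
    which the report does not reproduce; it only makes the demo reversible."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify_command(plaintext: bytes) -> dict:
    """First byte selects the command type; the rest is the payload to drop or run."""
    if not plaintext:
        raise ValueError("empty command")
    ctype = plaintext[0]
    if ctype not in COMMAND_TYPES:
        raise ValueError(f"unknown command type {ctype:#04x}")
    drop_path, method = COMMAND_TYPES[ctype]
    return {"type": ctype, "drop_path": drop_path, "exec": method, "payload": plaintext[1:]}


def handle_response(http_response: bytes, decrypt=xor_standin) -> dict:
    """Full pipeline: OK marker -> Base64 -> envelope -> decrypt -> typed command."""
    env = parse_envelope(base64.b64decode(extract_command_b64(http_response)))
    info = classify_command(decrypt(env.key, env.ciphertext))
    info["key"] = env.key
    return info


# Constructed sample: the decrypted bytes from the report's example
# (04 CC C2 04 00 'BBBB' 'CCCC' 'DDDD' 'EEEE' 'FFFF') wrapped in the envelope
# with an all-0x01 key and "encrypted" with the stand-in cipher.
SAMPLE_KEY = b"\x01" * 8
SAMPLE_PLAINTEXT = bytes.fromhex("04ccc20400") + b"BBBBCCCCDDDDEEEEFFFF"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    + OK_MARKER
    + base64.b64encode(b"\x01\xaa\xaa" + SAMPLE_KEY + xor_standin(SAMPLE_KEY, SAMPLE_PLAINTEXT))
)

if __name__ == "__main__":
    print(handle_response(SAMPLE_RESPONSE))
```

Note that the ASCII "OK" in the status line never matches the marker, because the marker is UTF-16LE with a two-byte terminator; a detection that looks for the six-byte sequence `4F 00 4B 00 00 00` at the start of a response body is therefore more specific than a plain "OK" string match.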
CHOPSTICK targets Windows systems and relies on specific registry keys and encryption to operate covertly. It stores its configuration under the registry key HKU\S-1-5-19, the SID of the LOCAL SERVICE account. The stored data is encrypted with RC4, using a key built from a 50-byte static key concatenated with a four-byte salt generated at runtime. The static key appears to be a run of opcodes taken from the malware's own code.
CHOPSTICK collects extensive information about the infected host: detailed Windows version and architecture, the state of the Windows Firewall, UAC settings on Windows Vista and later, and Internet Explorer configuration. It also checks for specific security products (Agnitum Client Security, Kaspersky, Symantec, McAfee, Avira, ESET, Dr. Web Enterprise Security and Malwarebytes Anti-Malware) and applications (Mozilla Firefox, Internet Explorer, Microsoft Outlook, Opera, the Cisco AnyConnect VPN client, Google Chrome, among others).
After collecting this host information, CHOPSTICK creates a hidden temporary file, observed as %ALLUSERSPROFILE%\edg6EF885E2.tmp, and a Windows mailslot named "check_mes_v5555". The mailslot is the implant's internal collection channel: the monitoring thread, and potentially other operator binaries that know the name, write records to it, and CHOPSTICK encrypts what it reads from the mailslot into the temporary file for later upload.
The monitoring thread records user activity on the host: desktop screenshots in JPEG format, the window that currently has focus, keystrokes, and scraped window contents (text, context menus and so on). Activity is sampled every 500 milliseconds and logged in an HTML-like format; the thread writes these log records to the "check_mes_v5555" mailslot as plain text.
About 60 seconds after it starts, CHOPSTICK begins communicating with a C2 server over HTTP. It first sends an HTTP GET request to one of its C2 servers, then uploads the contents of edg6EF885E2.tmp in HTTP POST requests without waiting for a server response, and deletes the file once the upload is done. Figure 13 in the report shows such a POST carrying a segment of edg6EF885E2.tmp.
The details above reflect the samples available at the time of the analysis and may change with later builds. The same RC4 construction, a static key plus a random salt, is what protects the log data as it leaves the host.
FireEye attributes CHOPSTICK to APT28, a threat actor that employs advanced persistent threat tradecraft. Part of that tradecraft is a layered encoding of the backdoor's C2 traffic, with Base64 on the outside, so that the requests resemble ordinary web-form traffic and the meaningful fields are not visible to casual inspection.
CHOPSTICK uses a URL-safe Base64 variant in which '+' and '/' are replaced by '-' and '_'. Each HTTP request carries several Base64-encoded URL parameters, but only one, 'ai=', carries real information; the others appear to be randomly generated on every request.
The 'ai=' parameter identifies a specific backdoor instance to the C2 server. Decoded, it starts with a run of random alphabetic characters, followed by a one-byte XOR key that decodes the 11 bytes after it. The first seven of those bytes are static and hard-coded in the malware; the last four are unique to each instance.
The POST request's body is Base64 encoded as well, with random prefix characters designed to hinder automatic decoding. Like the 'ai=' parameter, the decoded body contains an 11-byte sequence beginning with the static seven-byte part followed by the four instance-specific bytes, and then the RC4-encrypted contents of the user activity log file (edg6EF885E2.tmp).
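The following added Python example (not part of the report and not the malware's code) implements the decoding described above for the 'ai=' parameter and the POST body, together with the RC4 static-key-plus-salt construction that the report describes for both the registry configuration and the uploaded log. The seven static identifier bytes, the 50-byte static key, the salt, the decoy parameter names and all sample traffic are constructed values; the layout of the body after the identifier (ciphertext directly after the 11 bytes, identifier not XOR-encoded) is an assumption, since the page does not state it.

```python
import base64
import urllib.parse

# Constructed stand-ins: the real values are hard-coded in the sample and are not on this page
STATIC_ID = bytes.fromhex("7a9f0c41b3d2e5")     # the 7 static bytes of the 11-byte identifier
RC4_STATIC_KEY = bytes(range(0x10, 0x42))        # a 50-byte static key


def b64decode_lenient(s: str) -> bytes:
    """Accept CHOPSTICK's URL-safe alphabet ('-' for '+', '_' for '/') as well as
    standard Base64, and tolerate stripped padding."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def b64encode_urlsafe(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def xor1(key: int, data: bytes) -> bytes:
    return bytes(b ^ key for b in data)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_ai(prefix: str, xor_key: int, instance: bytes) -> str:
    """Build an ai= value: random alphabetic prefix, one-byte XOR key, 11 XORed identifier bytes."""
    assert len(instance) == 4 and prefix.isalpha()
    return b64encode_urlsafe(prefix.encode() + bytes([xor_key]) + xor1(xor_key, STATIC_ID + instance))


def decode_ai(value: str) -> dict:
    """The prefix length is random but the tail is fixed (1 key byte + 11 data bytes),
    so anchor on the end of the blob instead of guessing where the prefix stops."""
    raw = b64decode_lenient(value)
    if len(raw) < 12:
        raise ValueError("ai= value too short for key + 11-byte identifier")
    xor_key, ident = raw[-12], xor1(raw[-12], raw[-11:])
    if ident[:7] != STATIC_ID:
        raise ValueError("static part of identifier does not match")
    return {"xor_key": xor_key, "instance": ident[7:], "prefix": raw[:-12].decode("ascii", "replace")}


def ai_from_request_line(path_and_query: str) -> dict:
    """Only ai= carries data; the other Base64 parameters are random filler and are ignored."""
    query = urllib.parse.urlsplit(path_and_query).query
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    if "ai" not in params:
        raise ValueError("request has no ai= parameter")
    return decode_ai(params["ai"])


def encode_body(prefix: str, instance: bytes, salt: bytes, log_data: bytes) -> str:
    """POST body: random prefix, 11-byte identifier, then the RC4-encrypted log.
    ASSUMPTION: the identifier is not XOR-encoded here and the ciphertext follows it directly."""
    return b64encode_urlsafe(prefix.encode() + STATIC_ID + instance + rc4(RC4_STATIC_KEY + salt, log_data))


def decode_body(body: str, salt: bytes) -> dict:
    """The known static bytes locate the identifier past the random prefix."""
    raw = b64decode_lenient(body)
    idx = raw.find(STATIC_ID)
    if idx < 0:
        raise ValueError("identifier not found in POST body")
    return {"instance": raw[idx + 7:idx + 11], "log": rc4(RC4_STATIC_KEY + salt, raw[idx + 11:])}


# Constructed sample traffic for one infected host
SAMPLE_INSTANCE = bytes.fromhex("deadbeef")
SAMPLE_SALT = bytes.fromhex("01020304")          # the runtime salt; assumed known to the decoder
SAMPLE_LOG = b"<span>focus: notepad.exe</span><span>keys: hello</span>"
SAMPLE_REQUEST = "/?" + "&".join([
    "kx=" + b64encode_urlsafe(b"random filler one"),
    "ai=" + encode_ai("QzPfm", 0x5A, SAMPLE_INSTANCE),
    "rq=" + b64encode_urlsafe(b"random filler two"),
])
SAMPLE_BODY = encode_body("hGt", SAMPLE_INSTANCE, SAMPLE_SALT, SAMPLE_LOG)

if __name__ == "__main__":
    print(ai_from_request_line(SAMPLE_REQUEST))
    print(decode_body(SAMPLE_BODY, SAMPLE_SALT))
```

Because the XOR key travels inside the parameter, anyone with the seven static bytes can recover the instance ID from a single request, which is what makes the 'ai=' value usable as a per-host indicator in proxy logs; the RC4 layer on the body, by contrast, cannot be opened without the static key and the salt, so a wrong salt yields garbage rather than an error.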
After uploading edg6EF885E2.tmp, CHOPSTICK issues HTTP GET requests to its C2 servers to retrieve further commands. It can also load or memory-map external modules that export functions such as SendRawPacket, GetRawPacket, InitializeExp and De.
The analysis shows that detection of a campaign does not end it: APT28 kept operating despite the exposure. The encoding layers, Base64 plus simple XOR and RC4 with per-instance values, are common among advanced persistent threats and make signature-based detection of the traffic harder, which is why defenders should key on the structural features of the protocol rather than on static strings.
The per-instance XOR key in the 'ai=' parameter is a small example of that: each request carries the key needed to decode it, so the scheme is obfuscation rather than cryptographic protection, but it defeats naive decoders and string matching. CHOPSTICK's tactics underscore the importance of staying vigilant and continuously updating detection and response measures as the tooling evolves.
CHOPSTICK backdoors are compiled modularly, so their functionality depends on which modules are included, and the module set is reported to the C2 server in the POST messages. To decode such a message, the random characters are removed from the Base64 string, the result is decoded and decrypted, and the original message emerges. The first two words of the decoded text are checksums; the bytes after them include the salt value that is appended to the RC4 key for decryption.
Two main versions of CHOPSTICK, v1 and v2, are described. Both contain the hard-coded strings "V4MGNxZWlvcmhjOG9yZQ" and "=<<\xee".
In the message format, the list of modules starts at offset 0x20. The report's module table for both versions, with the differences between v1 and v2:

| Version | Kernel ID | Modules |
|---|---|---|
| CHOPSTICK v1 | 0x0001 | AgentKernel, modKey, modFS, modProcRet |
| CHOPSTICK v2 | 0x0002 | kernel (version 2), keystroke logging and screen capture, filesystem access, remote command shell, loading of additional DLLs |

The differences are mainly in the internal module names and IDs, with v2 carrying an updated kernel and some additional modules. The CHOPSTICK version of a sample is identified from these module details.
Module identification follows a pattern. Modules with a given capability keep the same first byte in their module ID across builds: keystroke logging, file system access and command shell each have a consistent identifier in the first byte. The inference is that the first byte identifies the module type while the second byte indicates the kernel version. The kernel addresses commands to modules by module ID, and the set of commands each module understands appears to stay relatively stable across builds and versions. Tables 14 and 15 in the report list the commands understood by modFS (file system access) and modProcRet (command shell).
The report also covers OLDBAIT, a credential harvester. It installs into a modified directory path on the victim's system and collects credentials from Internet Explorer, Mozilla Firefox, Eudora, The Bat! and Becky! (the last two are email clients). Harvested credentials are sent out by email (SMTP) or over HTTP; Figure 15 shows an example of the HTTP traffic.
The last part of the material covers OLDBAIT's exfiltration traffic and its loader design. Key points:
1. **Network Headers**: Two exfiltration paths are illustrated. The HTTP path shows request headers such as Accept-Language, Content-Type, Host and User-Agent, i.e. a request shaped like a web-form submission. The email path shows SMTP/MIME headers such as MIME-Version and Content-Type, with the harvested data carried in the message body or as an attachment.
2. **Email Details**: The example email goes from lisa.cuddy@wind0ws.kz to dr.house@wind0ws.kz and carries a subject, date and the header fields specific to Microsoft Outlook Express 6.00.2900.2670 (MIME-Version, Content-Type, X-Priority and so on). Since OLDBAIT generates the message itself, these headers are most likely set programmatically so that the mail blends in with traffic from an ordinary mail client.
3. **Malware Discussion**: OLDBAIT resolves its imports in a similar way to SOURFACE and EVILTOSS but stores them differently: SOURFACE and EVILTOSS keep the resolved API addresses in global variables, whereas OLDBAIT allocates memory for its import table at runtime and accesses it through pointers passed between functions.
4. **References**: The material cites fireeye.com, the site of FireEye, Inc., the firm that published the analysis.
5. **Legal Disclaimer**: The document closes with FireEye's legal notice stating that the content is proprietary and protected by copyright.
Taken together, this material gives a view of the malware analysis and network protocols behind the APT28 operations that FireEye's publication describes as Russia's cyber espionage operations.
