Hackers are using this new malware which hides between blocks of junk code
A Russian-government back hacking group linked to the SolarWinds supply chain attack has developed new malware which has been used to conduct attacks against businesses and governments in North America and Europe in a campaign designed to secretly compromise networks, steal information, and lay down foundations for future attacks.
The attacks also involve the compromise of multiple cloud and managed service providers as part of a campaign designed to enable the hackers to gain access to clients downstream from the vendors in supply chain attacks.
The wide-ranging campaign has been detailed by cybersecurity researchers at Mandiant who’ve linked it to two hacking groups they refer to as UNC3004 and UNC2652.
Mandiant associates these groups with UNC2452 – also known as Nobelium in reports by Microsoft – a hacking operation that works on behalf of the Russian Foreign Intelligence Service and behind the cyber attack against SolarWinds.
However, while each of these hacking operations works out of Russia and appear to share similar goals, researchers can’t say for certain that they’re all part of one unit.
“While it is plausible that they are the same group, currently, Mandiant does not have enough evidence to make this determination with high confidence,” said the report.
The newly detailed campaigns include the use of a custom-developed malware downloader which researchers have called Ceeloader.
Written in the C programming language, the malware decrypts shellcode payloads to be executed in the memory of the victim Windows machine, enabling the distribution of further malware. Ceeloader hides from detection with the use of large blocks of junk code which makes the malicious code undetectable to anti-virus software.
“An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” the report said.
SEE: A winning strategy for cybersecurity (ZDNet special report)
It isn’t clear how Ceeloader is distributed, but it provides a stealthy gateway for further malicious activity.
Other tactics which the attackers use include the abuse of the legitimate penetration testing tool Cobalt Strike to place a backdoor on the compromised system which can be used to execute commands and transfer files, as well as providing a keylogger that can be used to steal usernames and passwords.
In addition to the deployment of malware, the attackers have compromised targets via cloud services.
Like other Russia-linked hacking campaigns, these attacks also target remote desktop protocol (RDP) log-in credentials.
But no matter how the network was compromised, the organisations under attack appear to align with those targeted in previous campaigns attributed to the Russian state.
“We have seen this threat actor ultimately target government entities, consulting organisations, and NGOs in North America and Europe who directly have data of interest to the Russian government. In some cases, they first compromised technology solutions, services, and reseller companies in North America and Europe that have access to targets that are of ultimate interest to them,” Douglas Bienstock, manager of consulting at Mandiant told ZDNet.
For the attackers, targeting cloud service providers via the new and existing methods of compromise detailed by the report remains one of the key methods of compromising a wide range of organisations. By compromising the supplier, they have the potential to gain access to systems of customers.
Incidents like the SolarWinds supply chain attack attributed to the Russian state, plus cybercriminal activities like the Kaseya supply chain compromise and ransomware attack have demonstrated what a powerful tool this can be for hostile cyber campaigns – which is why cloud providers and their services remain a prominent target.
“By compromising the environment of a single cloud service provider, the threat actor may be able to access the networks of multiple organisations they are interested in that are customers of that provider. In this way, the threat actor can focus their efforts on a small number of organisations and then reap large rewards,” said Bienstock.
Mandiant researchers say they’re aware of a few dozen organisations who’ve been impacted by campaigns in 2021 and in cases where they’ve been compromised by any attackers, steps have been taken to notify them.
It’s expected that the Russia-linked hackers – and other offensive cyber operations – will continue to target organisations, supply chains, and cloud providers around the world. Mandiant has previously released advice on hardening networks against attacks, which includes enforcing multi-factor authentication across all users.
MORE ON CYBERSECURITY