DIB organizations provide military weapons system studies, innovation, design, manufacturing, distribution, and maintenance, as well as all necessary components and parts.
Details About the Malware
The Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint report containing details from the incident response activity that took place between November 2021 and January 2022.
“The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples”, according to BleepingComputer.
In a separate report, CISA provides technical analysis for CovalentStealer noting that the malware relies on code from two publicly available utilities, ClientUploader and the PowerShell script Export-MFT, to upload compressed files and to extract the Master File Table (MFT) of a local storage volume.
CovalentStealer also contains resources for encrypting and decrypting the uploaded data and its configuration files, and for securing communications.
Another CISA report contains details about the HyperBro RAT, a trojan that can upload files to and download files from the infected system, log keystrokes, execute commands on the infected device, and bypass User Account Control to run with full admin privileges.
The Timeline of the Attack
The breach happened in mid-January 2021, with the hackers gaining access to the Exchange Server of the targeted company. Four hours later they used an admin account to access the Exchange Web Services (EWS) API, gaining visibility to client application messages.
In February 2021 the attackers accessed the network once more using the same admin account, this time through a VPN, and used the Windows Command Shell to carry out reconnaissance activities.
The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line archiver WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory.
In March 2021 the ProxyLogon vulnerabilities were used to install 17 China Chopper webshells on the Exchange Server, and in April 2022 the hackers began lateral movement on the network, using Impacket to tamper with network protocols.
Impacket allowed them to compromise an account with higher privileges, gaining remote access to the Exchange server from multiple external IP addresses through Outlook Web Access (OWA).
Between July and October 2022 cybercriminals uploaded data to a Microsoft OneDrive location using a custom-built CovalentStealer implanted deep in the infected network.
How to Detect a Data Breach
The joint report from CISA, FBI, and NSA also contains a set of recommendations to help organizations detect “persistent, long-term access in compromised enterprise environments”:
monitor logs to identify connections from unusual VPSs and VPNs
monitor for suspicious account use such as inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts
monitor for the installation of unauthorized software
monitor for suspicious and known malicious command-line use
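To turn these recommendations into concrete checks, here is an added example (not code from the advisory or from Heimdal) that runs three detections drawn from the timeline above over constructed sample events: a privileged account reaching OWA from several external addresses, a RAR command line splitting its output into volumes, and file writes into the Exchange CU2\he\debug directory. The account names, host names, full paths, internal address ranges and the event format are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample events modelled on the advisory timeline (not real logs).
SAMPLE_EVENTS = [
    {"kind": "owa_logon", "user": "exadmin", "src": "198.51.100.7"},
    {"kind": "owa_logon", "user": "exadmin", "src": "203.0.113.45"},
    {"kind": "owa_logon", "user": "exadmin", "src": "192.0.2.88"},
    {"kind": "owa_logon", "user": "jdoe", "src": "10.20.30.40"},
    {"kind": "process", "user": "exadmin", "host": "EXCH01",
     "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a -v3m C:\ExchangeSetup\CU2\he\debug\c.rar D:\Shares\Contracts'},
    {"kind": "file_write", "user": "exadmin", "host": "EXCH01",
     "path": r"C:\ExchangeSetup\CU2\he\debug\c.part01.rar"},
    {"kind": "process", "user": "jdoe", "host": "WS12",
     "cmd": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

ADMIN_ACCOUNTS = {"exadmin"}  # assumption: the organisation's known privileged accounts
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption
# Directory named in the advisory as the staging location for the split archives.
STAGING_DIR = re.compile(r"\\CU2\\he\\debug\\", re.IGNORECASE)
# RAR invoked with a -v<size> volume switch, i.e. output split into fixed-size chunks.
ARCHIVER_SPLIT = re.compile(r"\b(rar|winrar)\.exe\b.*\s-v\d+[kmg]?\b", re.IGNORECASE)

def is_external(addr: str) -> bool:
    a = ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)

def detect(events, min_external_ips=2):
    """Return (rule, user, evidence) findings for the three detections."""
    findings = []
    owa_sources = {}  # admin user -> set of external source IPs seen on OWA
    for ev in events:
        if ev["kind"] == "owa_logon" and ev["user"] in ADMIN_ACCOUNTS and is_external(ev["src"]):
            owa_sources.setdefault(ev["user"], set()).add(ev["src"])
        elif ev["kind"] == "process" and ARCHIVER_SPLIT.search(ev["cmd"]):
            findings.append(("archiver_volume_split", ev["user"], ev["cmd"]))
        elif ev["kind"] == "file_write" and STAGING_DIR.search(ev["path"]):
            findings.append(("exchange_debug_dir_write", ev["user"], ev["path"]))
    for user, ips in owa_sources.items():
        if len(ips) >= min_external_ips:
            findings.append(("admin_owa_multi_external_ip", user, ",".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for rule, user, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}\t{user}\t{evidence}")
```

On the sample events the normal user's activity produces no findings, while the admin account triggers all three rules.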
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.