A series of campaigns, with links to the threat actor behind the SolarWinds supply-chain intrusion, have been targeting cloud service providers with a new malware loader variant called CeeLoader.
Researchers with Mandiant in a Monday analysis said they identified two distinct clusters of activity, UNC3004 and UNC2652, which they associate with UNC2452 (also known as Nobelium or APT29), the group behind the SolarWinds supply-chain hack. However, while researchers said it was “plausible” that these are the same group, they said they don't have enough evidence to make this determination with high confidence. The activity clusters utilized a variety of tactics and tools, including CeeLoader, in attacks that aimed to steal data "relevant to Russian interests" from businesses and government entities globally.
"The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts," said Luke Jenkins, Sarah Hawley, Parnian Najafi and Doug Bienstock, researchers with Mandiant.
CeeLoader, which is written in the C programming language and supports shellcode payloads that are executed in memory, was observed being installed by the Cobalt Strike Beacon malware as a Scheduled Task, which once downloaded ran on login as SYSTEM on victims' specific systems. The loader, which was first identified in the third quarter of 2021, is a variant of a malware family tracked by Microsoft as VaporRage.
While the two share some similarities in their functionalities, which are to obtain second-stage encrypted payloads, CeeLoader contains a number of changes that make analysis more difficult, said Jenkins. The loader's code is obfuscated between large blocks of junk code with meaningless calls to the Windows API.
CeeLoader uses AES-256 to encrypt payloads, whereas VaporRage uses a basic XOR algorithm," said Jenkins. "Both payloads execute shellcode that is loaded directly into memory and in both cases, the malware has been seen to load Beacon. Both samples also appear to be executed by rundll32, a windows binary for loading DLLs from disk. Additionally, in both samples, a specific export is usually called to execute the sample, this is usually a technique by the threat actor to bypass automated sandboxes.
CeeLoader was uncovered in attacks targeting Microsoft Entra ID accounts for various cloud services providers. Microsoft in October warned that UNC2452 was targeting these types of solution providers and resellers, which assist end users in deploying, customizing and managing cloud services and other technologies. The compromise of these types of companies would allow attackers to move laterally across impacted cloud environments in order to then gain access to downstream government and think tank customers, enabling further attacks, said Microsoft.
The methods of initial access varied between attacks. In one attack, the threat actor compromised a local VPN account to perform reconnaissance and gain access to the cloud service provider's (CSP) environment. In another campaign, threat actors gained access to the organizations’ Microsoft 365 account with a stolen session token.
“Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with Cryptbot, an info-stealer malware, shortly before the stolen session token was generated,” said researchers. "Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or cracked, software."
Once they had accessed the victim environments, the threat group compromised accounts with Microsoft Entra ID roles, specifically targeting a feature called Admin of Behalf of (AOBO). This feature gives specific CSP tenant users access to Azure subscriptions in the customer’s tenants - meaning they have complete control over all resources within the Azure subscription. Once the threat actor obtained these privileges they executed commands with NT AUTHORITY\SYSTEM privileges within Azure VMs, utilizing the Azure Run Command feature. This feature allows users to run PowerShell scripts within an Azure VM without the need for Windows credentials that are valid on the VM itself, said researchers.
From there, the threat actor used RDP to pivot between systems, performed reconnaissance, distributed the Beacon malware around the network (ultimately used to install CeeLoader), ran native Windows commands for credential harvesting and attempted to dump the Microsoft Entra ID database (ntds.dit) using the built-in ntdsutil.exe command.
Researchers also observed attackers leveraging various tactics to make the intrusion more difficult to defend against. In one incident, they used different compromised accounts for separate malicious functions, such as lateral movement, reconnaissance, and more. Researchers believe that this technique was used to decrease the likelihood that detecting one activity could expose the entire scope of the intrusion.
“Mandiant found evidence that the actor compromised multiple accounts and used one for the sole purpose of reconnaissance, while the others were reserved for lateral movement within the organization,” said researchers. “Mandiant previously observed this threat actor using strict operational security to use specific accounts and systems in victim environments for activities that are often higher risk, such as data theft and large-scale reconnaissance.”
As part of the threat actor’s infrastructure, researchers also found the actor hosting second-stage payloads as encrypted blobs on compromised, legitimate websites running WordPress. Attackers also utilized residential IP proxy services and geo located infrastructure when communicating with compromised victims, which researchers said "can make it very difficult for investigators to differentiate between normal user activity and the threat actor's activity.”
“These tactics showcase the complexity of the attacker's operations and is rarely seen executed by other threat actors,” said researchers.
UNC2452, which has previously been associated with several malware families, including Sunburst, Teardrop, and the FoggyWeb backdoor, continues to infect companies worldwide. On Monday, CERT-France released details on a number of spear-phishing campaigns by the threat actor directed against French entities since February 2021. Mandiant researchers said the intrusion activity demonstrates a “well-resourced threat actor set operating with a high level of concern for operational security.” The group’s abuse of the third-parties (in this case, CSPs) also gives it access to a wider scope of victims in individual attacks, said researchers.
“Though Mandiant cannot currently attribute this activity with higher confidence, the operational security associated with this intrusion and exploitation of a third party is consistent with the tactics employed by the actors behind the SolarWinds compromise and highlights the effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations,” said researchers.