Exposed: The PowerExchange Backdoor Vulnerability in Microsoft Exchange Servers

We have discovered that the PowerExchange backdoor, a custom-made PowerShell backdoor targeting Microsoft Exchange servers, was deployed against an unidentified UAE government entity.
Published on May 30, 2023
Updated on May 30, 2023

Category: Adversary Intelligence

Industry: Government

Motivation: Access

Region: Middle East

Source: Underground

Executive Summary

THREAT

  • A custom-made PowerShell backdoor was deployed on an unidentified UAE government entity.
  • Following this, multiple other implants and payloads were deployed, one of which had credential-harvesting capabilities.

IMPACT

  • Access to government assets and related entities.
  • Access to government accounts.


Analysis and Attribution

Technical Summary - Attack Overview

 

  • A campaign involving a custom-made PowerShell backdoor has been rediscovered. It targeted Microsoft Exchange servers belonging to an unidentified UAE government entity.
  • The PowerExchange backdoor was delivered by means of a phishing email containing an executable that served as a loader for the PowerShell backdoor.
  • The backdoor achieved persistence through a scheduled task named MicrosoftEdgeUpdateService, which runs the payload every five minutes in a new process.
  • The access provided by the backdoor was used to deploy further payloads, including modules from the open-source project Invoke-TheHash, in order to move laterally across the target domain.
  • Two C# webshells were also deployed as DLLs. One of them, named ExchangeLeech, had credential-harvesting capabilities in addition to command execution. Refer to the YARA Rules section for threat hunting.

Technical Summary - PowerExchange Backdoor

  • The backdoor comes in the form of a custom-made PowerShell script.
  • What makes it crafty is that it uses the Microsoft Exchange Web Services (EWS) API to connect to the target’s Exchange servers and receives commands from the threat actor through mailboxes on the server.
  • To signal that it is running, the backdoor connects to the target Exchange server and sends the computer name, encoded in base64, to a mailbox. The credentials used for the connection are hardcoded in the script.
  • To send data, the backdoor creates an email with the subject “Update Microsoft Edge” and the body “Microsoft Edge Update”, with the data carried in a .txt attachment.
  • Commands are sent to the backdoor as attachments containing base64 content; they allow the threat actor to execute commands, download files, or upload files.
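As an added illustration for defenders (not code from this report or from the actor's tooling), the following Python triage routine flags mailbox items that match the beacon pattern described above: the fixed subject and body plus a .txt attachment holding base64 data, which is decoded and checked against a simple hostname heuristic. The MailItem record layout, the hostname regex and the sample items are this example's own constructed assumptions, not EWS property names or real data.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators taken from the report: fixed subject/body, payload in a .txt attachment,
# and a check-in consisting of the computer name encoded in base64.
BEACON_SUBJECT = "Update Microsoft Edge"
BEACON_BODY = "Microsoft Edge Update"
# Heuristic (assumption): a NetBIOS-style computer name, 1-15 letters/digits/hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")

@dataclass
class MailItem:
    """Minimal mailbox record; field names are this example's own, not EWS properties."""
    sender: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes

def decode_b64(data: bytes) -> Optional[bytes]:
    # Strict decoding: anything outside the base64 alphabet is rejected.
    try:
        return base64.b64decode(data.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def triage_item(item: MailItem) -> Optional[dict]:
    """Return a finding when the item matches the beacon pattern, else None."""
    if item.subject != BEACON_SUBJECT or item.body.strip() != BEACON_BODY:
        return None
    txt = [(n, c) for n, c in item.attachments.items() if n.lower().endswith(".txt")]
    if not txt:
        return None  # same lure text but no .txt payload: not the pattern described
    decoded = []
    for name, content in txt:
        raw = decode_b64(content)
        text = raw.decode("ascii", "replace") if raw is not None else None
        decoded.append({"name": name, "decoded": text,
                        "looks_like_hostname": bool(text and HOSTNAME_RE.match(text))})
    return {"sender": item.sender, "attachments": decoded}

# Constructed sample items (not real data): one beacon, one benign look-alike, one unrelated.
SAMPLE_ITEMS = [
    MailItem("svc-edge@corp.example", BEACON_SUBJECT, BEACON_BODY,
             {"update.txt": base64.b64encode(b"EXCH01")}),
    MailItem("it@corp.example", BEACON_SUBJECT, "Please patch Edge by Friday",
             {"notes.txt": b"plain text"}),
    MailItem("hr@corp.example", "Payroll", "see attached", {"pay.pdf": b"%PDF"}),
]
```

Run triage_item over items pulled from the mailboxes the hardcoded credentials can reach; a decoded attachment that looks like a hostname is the check-in, while other base64 .txt payloads are candidate command or exfiltration traffic.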

Attribution

Based on research published by multiple sources on the xHunt campaign from July 2018, which targeted Kuwaiti government entities and shipping companies, we attribute this campaign, the PowerExchange backdoor, and the related tools to APT34, an Iranian threat actor.

The tools used in the xHunt campaign, notably the TriFive backdoor, share many similarities with the PowerExchange backdoor. Both are PowerShell scripts, both use scheduled tasks to achieve persistence, and both use the same C2 channel: the target’s Exchange servers, accessed through the EWS API. APT34 is known to use phishing to gain initial access and has targeted entities in the UAE before.

MITRE TTPs

The MITRE TTPs associated with this campaign are as follows:

Initial Access (TA0001)
  • Phishing: Spearphishing Attachment (T1566.001)

Execution (TA0002)
  • User Execution: Malicious File (T1204.002)
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Command and Scripting Interpreter: PowerShell (T1059.001)

Defense Evasion (TA0005)
  • Masquerading: Masquerade Task or Service (T1036.004)
  • Masquerading: Match Legitimate Name or Location (T1036.005)

Discovery (TA0007)
  • Network Share Discovery (T1135)

Lateral Movement (TA0008)
  • Lateral Tool Transfer (T1570)

Exfiltration (TA0010)
  • Exfiltration Over C2 Channel (T1041)

Command and Control (TA0011)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Data Encoding: Standard Encoding (T1132.001)

YARA Rules

The following YARA rules cover the C# webshell DLLs associated with the ExchangeLeech backdoor mentioned above.


import "pe"

rule System_Web_Transport_dll
{
    meta:
        description = "Webshell DLL installed as IIS module with named pipe tunneling"
        author = "Digital14 Incident Response Team"
        score = 100
    strings:
        $opcode1 = { 0C 72 [4] 0D 07 6F [4] 09 (1? | 1? ??) (1? | 1? ??) 6F [4] 6F [4] 1? ?? 07 6F [4] 09 (1? | 1? ??) (1? | 1? ??) 6F [4] 6F [4] 1? ?? } // CIL opcode pattern of the EndRequest handler
        $opcode2 = { 72 [4] 0A 72 [4] 0B 72 [4] 07 72 [4] 03 28 [4] 28 [4] 07 06 73 [4] 0C 08 20 [4] 6F [4] 08 } // CIL opcode pattern of the Client routine
        $PATH = "C:\\Users\\sheep\\"        // DLL compilation folder left in the binary
        $splsvc = "splsvc" fullword wide     // named pipe name defined by the webshell
    condition:
        // pe.DLL is a characteristics flag, so it must be tested against pe.characteristics
        (pe.characteristics & pe.DLL) and (($PATH and $splsvc) or any of ($opcode1, $opcode2)) and filesize < 12KB
}

rule System_Web_ServiceAuthentication_dll
{
    meta:
        description = "DLL installed as IIS module acting as credential harvester for users logging in to OWA"
        author = "Digital14 Incident Response Team"
        score = 100
    strings:
        $opcode1 = { 07 6F [4] 72 [4] 6F [4] 39 [4] 07 6F [4] 72 [4] 6F [4] 39 [4] 07 6F [4] 72 [4] 6F [4] 6F [4] ?? } // CIL opcode pattern of the BeginRequest handler
        $opcode2 = { 72 [4] 6F [4] 39 [4] 08 6F [4] 72 [4] 6F [4] 72 [4] 6F [4] 3A [4] 07 6F [4] 72 [4] 6F [4] ?? } // CIL opcode pattern of the EndRequest handler
        $PATH1 = "c$\\windows\\temp\\D226B187 44C3 454B AD66" fullword wide // output file for harvested user credentials (via the c$ admin share)
        $PATH2 = "C:\\Users\\sheep\\"       // DLL compilation folder left in the binary
    condition:
        (pe.characteristics & pe.DLL) and (($PATH1 and $PATH2) or any of ($opcode1, $opcode2)) and filesize < 15KB
}


