Introduction
NSFOCUS Security Labs recently identified a new Advanced Persistent Threat (APT) actor, which it named AtlasCross. The group opens its intrusions with carefully crafted phishing documents. Analysis of the campaign uncovered two previously unseen Trojans, DangerAds and AtlasAgent, together with a set of distinctive attack techniques and tactics. The observed phishing attack was narrowly targeted, indicating an intent to penetrate a specific domain rather than to spread broadly.
Decoy Strategy
AtlasCross used a decoy document titled "Blood Drive September 2023.docm", themed around a United States Red Cross blood drive. When opened, the document prompts the user to enable editing, which allows the embedded macro to run. If the user complies, the hidden content, a promotional flyer for the Red Cross blood drive, is displayed while the macro executes in the background. The lure suggests a targeted attack against individuals associated with the Red Cross.
Deep Dive: Attack Process
1. Decoy Document Phase
The initial phase of the attack is orchestrated through a malicious macro embedded within the decoy document. Here’s a detailed breakdown:
- Payload Release: The macro reads the document's "Hyperlink Base" property, decodes it and writes the result to a randomly named folder under %APPDATA%\Microsoft\Word\ as "KB4495667.zip". It then extracts the file "KB4495667.pkg" from that archive into the same directory.
- Scheduled Task: The macro registers a scheduled task named "Microsoft Office Updates" that runs daily for three days after it is created. The task's action is the Windows .NET component InstallUtil.exe, invoked with the /? parameter against "KB4495667.pkg". InstallUtil.exe loads the assembly named on its command line even when it is only asked for help output, so the malicious program runs under a signed Microsoft binary; this bypasses protections aimed at the payload file itself and keeps its execution inconspicuous.
- Information Upload: The macro also contacts http://data.vectorse.com/target and sends an ID built from local host information, presumably so the attackers can count their victims. The domain data.vectorse.com is a subdomain of Vector Structural Engineering, a U.S.-based engineering company, and is assessed to be under AtlasCross's control.
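The Payload Release step above hides the second stage in a document property rather than in the macro body, which is where most triage tooling looks. The following added example (written for this page, not NSFOCUS's or the attacker's code) builds a constructed stand-in for such a .docm in memory and checks whether its "Hyperlink Base" property is an oversized value that decodes to a ZIP archive. The write-up does not state how the property was encoded; base64 is an assumption here, as are the file names and the 1024-byte length threshold.

```python
import base64
import binascii
import io
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP


def build_inner_zip(files):
    """Pack {name: bytes} into an in-memory ZIP (stands in for KB4495667.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def encode_payload(zip_bytes):
    """Assumed encoding of the smuggled archive: plain base64 text."""
    return base64.b64encode(zip_bytes).decode("ascii")


def build_sample_docm(hyperlink_base, with_vba=True):
    """Constructed minimal OOXML package whose docProps/app.xml carries the
    given HyperlinkBase value. Not a real document from the campaign."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/'
        'officeDocument/2006/extended-properties">'
        "<Application>Microsoft Office Word</Application>"
        f"<HyperlinkBase>{hyperlink_base}</HyperlinkBase>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE compound-file header bytes only; enough to mark a macro project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


def inspect_hyperlink_base(docm_bytes):
    """Report whether the document's HyperlinkBase property smuggles a ZIP."""
    report = {"has_vba": False, "hyperlink_base_len": 0,
              "decodes_to_zip": False, "inner_names": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        names = z.namelist()
        report["has_vba"] = "word/vbaProject.bin" in names
        app_xml = z.read("docProps/app.xml") if "docProps/app.xml" in names else None
    value = None
    if app_xml is not None:
        # Match on the local name so the default namespace does not matter
        for el in ET.fromstring(app_xml).iter():
            if el.tag.rsplit("}", 1)[-1] == "HyperlinkBase":
                value = el.text or ""
                break
    if value is not None:
        report["hyperlink_base_len"] = len(value)
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error:
            decoded = b""  # a normal URL or path is not valid base64
        if decoded.startswith(ZIP_MAGIC):
            report["decodes_to_zip"] = True
            try:
                with zipfile.ZipFile(io.BytesIO(decoded)) as inner:
                    report["inner_names"] = inner.namelist()
            except zipfile.BadZipFile:
                pass
    # A legitimate Hyperlink Base is a short URL or UNC path; a macro-enabled
    # file carrying kilobytes of data (or an embedded archive) there is not.
    report["suspicious"] = report["has_vba"] and (
        report["decodes_to_zip"] or report["hyperlink_base_len"] > 1024)
    return report


if __name__ == "__main__":
    inner = build_inner_zip({"KB4495667.pkg": b"MZ" + b"\x90" * 32})
    print(inspect_hyperlink_base(build_sample_docm(encode_payload(inner))))
```

The check deliberately keys on the combination of a VBA project and an abnormal property rather than on the file name KB4495667.zip, which the attacker can change at will; the property itself is readable with any ZIP library, so the same logic fits a mail-gateway or sandbox pre-filter.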
2. Loader Phase
The main malware in this phase is DangerAds, which serves as the loader for the subsequent Trojan. Here’s an in-depth look:
- Release and Naming: The program KB4495667.pkg dropped by the macro is the primary malware of this stage. NSFOCUS Security Labs named it DangerAds after strings found inside the binary.
- Functionality: DangerAds is a loader Trojan. It inspects the host environment and, if the checks pass, executes an embedded shellcode within its own process; that shellcode loads the final, third-stage payload.
- Targeted Execution: DangerAds only runs its malicious code when it finds specific strings in the username or local domain name of the victim host; on any other host, including an analysis sandbox, the loader stays dormant. Tying execution to a particular environment in this way indicates a targeted, in-domain penetration strategy following a successful intrusion into the target network.
3. Trojan Horse Phase
The culmination of the attack process is the deployment of the AtlasAgent Trojan. Here are the specifics:
- Payload Loading: The DangerAds loader Trojan eventually loads either an x86 or x64 version of a DLL program in memory. This is the final payload of the attack process. NSFOCUS Security Labs named this program AtlasAgent based on its PDB information.
- Functionality: The primary functions of AtlasAgent include obtaining host information, executing shellcode, and downloading & executing further payloads.
- Technical Aspects: AtlasAgent employs a number of techniques to evade detection and ensure it runs: multiple injection methods, reflective loading, API obfuscation, and anti-virtualization checks. For instance, it can inject shellcode into existing or newly created threads of other processes by calling the lower-level native functions directly rather than the documented user-layer APIs, so hooks that security products place on those user-layer APIs never see the injection.
Expanded Technical and Tactical Analysis
Resource Development:
- Public Network Hosts Control: AtlasCross controlled multiple public network hosts, compromising them through vulnerabilities and turning them into servers for this attack. This gave the attacker a distributed set of servers and reduced the risk of the whole operation being shut down if one server was identified and taken down.
- Domain Hijacking: The attackers controlled the domain data.vectorse.com, a subdomain of Vector Structural Engineering; the write-up does not state how that control was obtained. Using a legitimate company's domain makes the malicious traffic harder for victims and network defenders to recognise, since requests to a reputable-looking host attract less scrutiny.
Persistence:
- Scheduled Tasks: One of the primary methods AtlasCross used for persistence was the creation of scheduled tasks. By setting up tasks that run at regular intervals, the attacker ensured that their malware would be re-executed, even if some components were detected and removed. This method also has the advantage of being less suspicious than other persistence mechanisms, as many legitimate software programs use scheduled tasks for updates and other routine activities.
- Leveraging Windows Components: Using InstallUtil.exe, a legitimate, signed Windows .NET component, as the scheduled task's action is a classic "living off the land" technique. Because the process that runs is a built-in Microsoft binary, security solutions that key on unknown or unsigned executables have nothing to flag; the malicious payload appears only as an argument on its command line.
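Both the Scheduled Tasks step in the Decoy Document Phase and the two persistence bullets above describe behaviour that is visible in ordinary endpoint telemetry: an Office process spawning a task-registration tool, a scheduled task whose action is InstallUtil.exe, and InstallUtil.exe being handed a file that is not a normal .NET assembly. The following added example (written for this page, not NSFOCUS's or the attacker's code) runs those three checks over constructed, Sysmon-style process-creation and Security-log-style task-creation records. The write-up does not say whether the macro registered the task through schtasks.exe or through the Task Scheduler COM interface, so the task-creation rule is there to catch the task regardless of how it was created; user name, folder name and all paths are assumptions.

```python
import json
import ntpath
import re

INSTALLUTIL = "installutil.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CHILD_TOOLS = {"schtasks.exe", INSTALLUTIL, "cmd.exe", "powershell.exe", "wscript.exe"}
WORD_APPDATA = "\\appdata\\roaming\\microsoft\\word\\"
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted argument or bare word

# Constructed telemetry (not from the report), one JSON object per line.
_NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"
_PKG = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\x7q2\\KB4495667.pkg"
_SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": f'schtasks /create /sc daily /tn "Microsoft Office Updates" /tr "{_NET} /? {_PKG}"'},
    {"event": "task_create", "task_name": "\\Microsoft Office Updates",
     "action": f"{_NET} /? {_PKG}", "author": "CORP\\alice"},
    {"event": "process_create",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",  # Task Scheduler host
     "image": _NET, "cmdline": f"{_NET} /? {_PKG}"},
    {"event": "process_create",  # benign: developer installing a real service
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": _NET, "cmdline": f"{_NET} C:\\build\\MyService.exe"},
    {"event": "task_create",  # benign: Office's own update task
     "task_name": "\\Microsoft\\Office\\Office Automatic Updates 2.0",
     "action": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe /update user",
     "author": "NT AUTHORITY\\SYSTEM"},
]
SAMPLE_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS]


def _tokens(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def _base(path):
    return ntpath.basename(path).lower()


def installutil_abuse(cmdline):
    """True when InstallUtil.exe is asked to 'help' (/?) or 'uninstall' (/u) a
    file that is not named like a .NET assembly, or any file under the Word
    AppData folder. Either way InstallUtil loads and runs the target."""
    toks = _tokens(cmdline)
    if not toks or _base(toks[0]) != INSTALLUTIL:
        return False
    flags = {t.lower() for t in toks[1:] if t.startswith(("/", "-"))}
    targets = [t.lower() for t in toks[1:] if not t.startswith(("/", "-"))]
    if not targets:
        return False
    target = targets[-1]
    not_assembly_name = not target.endswith((".exe", ".dll"))
    return (not_assembly_name and bool(flags & {"/?", "/u"})) or WORD_APPDATA in target


def schtasks_action(cmdline):
    """Return the /tr (task run) value of a schtasks /create command line."""
    toks = _tokens(cmdline)
    for i, t in enumerate(toks[:-1]):
        if t.lower() == "/tr":
            return toks[i + 1]
    return ""


def evaluate(event):
    hits = []
    kind = event.get("event")
    if kind == "process_create":
        parent, image = _base(event.get("parent_image", "")), _base(event.get("image", ""))
        cmd = event.get("cmdline", "")
        if parent in OFFICE_APPS and image in CHILD_TOOLS:
            hits.append("office_spawned_task_or_lolbin")
        if image == "schtasks.exe" and installutil_abuse(schtasks_action(cmd)):
            hits.append("schtasks_registers_installutil_action")
        if image == INSTALLUTIL and installutil_abuse(cmd):
            hits.append("installutil_loads_non_assembly")
    elif kind == "task_create":
        name = event.get("task_name", "").lower()
        if installutil_abuse(event.get("action", "")):
            hits.append("scheduled_task_runs_installutil")
        # Office's real update tasks live under \Microsoft\Office\; a task that
        # borrows the wording but sits at the root of the task tree does not.
        if "office" in name and "update" in name and "\\microsoft\\office\\" not in name:
            hits.append("office_update_task_outside_office_path")
    return hits


def scan(lines):
    findings = []
    for i, line in enumerate(lines):
        hits = evaluate(json.loads(line))
        if hits:
            findings.append({"line": i, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The InstallUtil rule is the durable one: the task name and the .pkg extension are attacker choices, but a signed .NET utility being told to load a file from a user-writable Office directory, under a "help" switch, is not something legitimate software does.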
Defensive Evasion:
- Process Injection: AtlasCross employed process injection techniques to run malicious code within the context of legitimate processes. This makes detection harder, as security solutions might trust these processes and not inspect their activities as closely.
- Reflective Loading: The final-stage DLL is mapped and executed directly from memory rather than being written to disk and loaded by the Windows loader. The payload therefore leaves no file artifact and does not appear in the process's normal loaded-module list, which makes detection and forensic analysis more difficult.
- API Obfuscation: Rather than naming the Windows functions it needs in its import table, the malware resolves them at runtime (typically from hashed or encoded names), so the static import list and string set that analysts and scanners rely on reveal little about what it does.
- Anti-Virtualization: AtlasCross’s tools were designed to detect if they were running within a virtualized environment, such as a sandbox used for malware analysis. If such an environment was detected, the tools would alter their behavior or terminate, making automated analysis more difficult.
Command and Control (CnC):
- Backup Mechanism: Recognizing the importance of maintaining communication with their malware, AtlasCross implemented a backup CnC mechanism. If the primary communication channels were detected and shut down, the malware would switch to alternate channels, ensuring that the attacker retained control.
- Encrypted Communication: To prevent eavesdropping and analysis, all communications between the malware and the CnC servers were encrypted. This not only protected the data being exfiltrated but also made it harder for defenders to understand the malware’s operations and objectives.
Conclusion
AtlasCross, as identified by NSFOCUS Security Labs, is a skilled and cautious threat group. It incorporates a wide range of techniques into its toolset and chooses the most conservative strategies to minimise its exposure. Given the sophistication on display, further attacks against high-value targets by this group can be expected.