APT Groups on the March

It has been a busy week for advanced persistent threat (APT) groups, if the cyber threat news cycle is anything to go by. APT27, APT29, and Lazarus Group have all made headlines on various platforms within a few days of one another. While this should not be read as a ramping up of activity precipitating a massive offensive, the developments highlight new capabilities and tactics used by each group that warrant further investigation.

Starting with Lazarus Group, the North Korean APT group also tracked as Hidden Cobra: the group was last in the news when security researchers linked it to VHD ransomware campaigns.


New research published by Malwarebytes shows how the group is leveraging both Windows Update Client and GitHub to distribute and install the malware in a recently detected attack campaign.

The latest campaign was discovered on January 18, 2022, when it was found that Lazarus had conducted spear phishing attacks weaponized with malicious documents that use the group's well-known job opportunities theme. The malicious documents masqueraded as job postings for US aerospace giant Lockheed Martin.

Both malicious documents include instructions to enable macros so that the threat actors can begin to run malicious code designed to perform several code injections and achieve startup persistence on the victim's machine.

The report published by Malwarebytes goes into depth regarding the technical aspects of the malware that is beyond the scope of this article but certainly makes for interesting reading.

What is in the scope of this article is how both Windows and GitHub were leveraged in the attack campaign. To leverage Windows Update Client, after the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file, wuaueng.dll, in a hidden Windows/System32 folder.

In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) with a command that loads the attackers' malicious DLL.
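As an added illustration (not code from the article or from Malwarebytes' report), the following Python pass runs two checks over constructed, Sysmon-style endpoint events: a LNK file created in a user's Startup folder, and wuauclt.exe launched by an unexpected parent or with a command line naming a DLL. The field names, sample paths and the set of trusted parent processes are assumptions.

```python
import ntpath

# Constructed Sysmon-style events for this illustration (not real telemetry).
# ProcessCreate rows carry Image/ParentImage/CommandLine; FileCreate rows carry
# Image/TargetFilename. Switches in the malicious command line are elided on purpose.
SAMPLE_EVENTS = [
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wuauclt.exe /detectnow"},
    {"Type": "FileCreate",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wuauclt.exe [switches elided] C:\Windows\System32\wuaueng.dll"},
]

# Assumption: the update service host is the only expected launcher of wuauclt.exe.
TRUSTED_PARENTS = {"svchost.exe", "services.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def check_event(ev):
    """Return the reasons an event matches the Startup-LNK / wuauclt.exe chain."""
    reasons = []
    if ev["Type"] == "ProcessCreate":
        if ntpath.basename(ev["Image"]).lower() != "wuauclt.exe":
            return reasons
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if parent not in TRUSTED_PARENTS:
            reasons.append(f"wuauclt.exe started by {parent}")
        if ".dll" in ev["CommandLine"].lower():
            reasons.append("wuauclt.exe command line names a DLL")
    elif ev["Type"] == "FileCreate":
        target = ev["TargetFilename"].lower()
        if target.endswith(".lnk") and STARTUP_MARKER in target:
            dropper = ntpath.basename(ev["Image"])
            reasons.append(f"LNK dropped in Startup folder by {dropper}")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event that trips at least one check."""
    return [(i, check_event(ev)) for i, ev in enumerate(events) if check_event(ev)]


if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

Because the DLL in this campaign sat under the System32 tree, a path allow-list alone would miss it; the parent-process and Startup-folder checks are what carry the detection.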

Regarding GitHub, the popular service used by developers as a code repository, Lazarus effectively used the service as the campaign's command and control (C2) server. Researchers noted,

“Rarely do we see malware using GitHub as C2 and this is the first time we’ve observed Lazarus leveraging it. Using Github as a C2 has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections.”

In attributing the attack campaign to Lazarus, researchers pointed out several factors that strongly suggest Lazarus' involvement. The first is the use of the job opportunities template as a phishing lure, typically posing as major players in the defense and aerospace industries, a tried and tested method used in previous Lazarus campaigns.

Other notable signs of Lazarus' involvement include the metadata of the documents used in this campaign, which links them to several other documents used by this threat actor in the past. Further, several other attacks, including this one, make use of the Frame1_Layout for macro execution, another hallmark of Lazarus.

APT29 puts all Skill Points into Stealth

APT29, also tracked as DarkHalo and best known for the SolarWinds supply chain attack, has been busy stealthily compromising networks since the SolarWinds incident.

This is according to BleepingComputer and CrowdStrike. Security researchers discovered an attack campaign dropping a new variant of the GoldMax Linux backdoor and a previously unknown malware family that cybersecurity company CrowdStrike now tracks as TrailBlazer.

One of the key defining tactics used in the campaign, as in previous APT29 attack campaigns, is the abuse of stolen authentication cookies to bypass multi-factor authentication (MFA). In the recently discovered campaigns, APT29 threat actors used credential hopping techniques to compromise Office 365 applications on internal servers after first compromising a public-facing system.

CrowdStrike says that this technique is incredibly hard to spot, particularly in environments with little visibility into identity usage, since the attackers could use more than one domain administrator account. Bypassing MFA to access cloud resources by stealing browser cookies has been in use since before 2020.

CrowdStrike says that APT29 kept a low profile after decrypting the authentication cookies, likely offline, by using the Cookie Editor extension for Chrome to replay them. The extension was then quickly deleted in a bid to remain undetected.

As for the malware used in the attacks, CrowdStrike believes that the newer version of GoldMax is used for persistence on infected machines over extended periods of time. Regarding TrailBlazer, the new malware discovered by CrowdStrike researchers, it hides in a legitimate file and was configured for persistence using Windows Management Instrumentation (WMI) event subscriptions.

This is a relatively new technique, first seen used in the wild in 2019. TrailBlazer keeps its communications relatively hidden by masking traffic to its command and control servers as legitimate Google Notifications HTTP requests.
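As an added example (not code from the article or from CrowdStrike's report), the following Python check reviews WMI event subscriptions recorded in constructed, Sysmon-style events (IDs 19 to 21) and flags any filter bound to a command-line or script consumer, the pattern behind the WMI persistence described above. The field names, the "Updater" subscription and its paths are assumptions; the SCM Event Log pair is the benign subscription Windows ships with.

```python
# Constructed records modelled on Sysmon's WMI events (ID 19 filter created,
# 20 consumer created, 21 filter-to-consumer binding). Field names, the
# "Updater" subscription and its paths are constructed for this illustration.
SAMPLE_WMI_EVENTS = [
    {"EventID": 19, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer",
     "Type": "NTEventLogEventConsumer", "Destination": "Application log"},
    {"EventID": 21, "Filter": "SCM Event Log Filter",
     "Consumer": "SCM Event Log Consumer"},
    {"EventID": 19, "Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Name": "UpdaterConsumer", "Type": "CommandLineEventConsumer",
     "Destination": r"C:\ProgramData\Updater\svc.exe -run"},
    {"EventID": 21, "Filter": "Updater", "Consumer": "UpdaterConsumer"},
]

# Consumer classes that execute a command or script supplied by whoever created them.
RISKY_CONSUMER_TYPES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Assumption: uptime-based filters are the usual boot-time trigger for persistence.
BOOT_TRIGGER_HINTS = ("systemuptime", "win32_perfformatteddata_perfos_system")


def index_events(events):
    """Split the event stream into filters, consumers (by name) and bindings."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    bindings = [e for e in events if e["EventID"] == 21]
    return filters, consumers, bindings


def suspicious_bindings(events):
    """Return (filter, consumer, reason) for bindings that warrant review."""
    filters, consumers, bindings = index_events(events)
    findings = []
    for b in bindings:
        flt, con = filters.get(b["Filter"]), consumers.get(b["Consumer"])
        if flt is None or con is None:
            findings.append((b["Filter"], b["Consumer"], "binding to unknown filter or consumer"))
            continue
        if con["Type"] not in RISKY_CONSUMER_TYPES:
            continue
        reason = f"{con['Type']} runs {con['Destination']}"
        if any(h in flt["Query"].lower() for h in BOOT_TRIGGER_HINTS):
            reason += " on a boot/uptime trigger"
        findings.append((flt["Name"], con["Name"], reason))
    return findings
```

On a live host the same filter, consumer and binding triple can be enumerated with Get-CimInstance -Namespace root\subscription against the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes.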

CrowdStrike notes that the implant has modular functionality and "a very low prevalence", and that it shares similarities with other malware families used by the same threat actor, such as GoldMax and Sunburst, both of which were used in the SolarWinds supply-chain attack.

APT27 Seen Backdooring Business Networks

On January 26, 2022, the German Federal Office for the Protection of the Constitution (BfV) warned that the Chinese-backed threat group APT27 is currently targeting German businesses. APT27 has been deploying a remote access trojan named HyperBro to create backdoors into business networks and maintain persistence on compromised networks.

HyperBro maintains persistence by being executed in memory. Further, the malware supports cyberespionage activities by granting attackers remote administration capabilities. Officials stated,

“The Federal Office for the Protection of the Constitution (BfV) has information about an ongoing cyber-espionage campaign by the cyberattack group APT27 using the malware variant HYPERBRO against German commercial companies…It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack).”

The BfV also noted that APT27 has been exploiting flaws in Zoho ADSelfService Plus software, an enterprise password management solution for Active Directory and cloud apps, since March 2021.

This aligns with previous reports of Zoho ManageEngine installations being the target of multiple campaigns in 2021, coordinated by nation-state hackers using tactics and tooling similar to those employed by APT27.

APT groups, particularly those sponsored by nation-states, will continue to be a massive headache for security professionals. Being both well-funded and highly skilled, they often discover new exploits to abuse during campaigns.

Often these exploits are then reused by financially motivated threat actors in a monkey-see-monkey-do scenario.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
