CTI Roundup: New DoJ Cyber Unit Pursues State-Sponsored Threats

In this week’s roundup, CTI provides an update on the National Security Cyber Section (NatSec Cyber) — a new litigating section within the U.S. Department of Justice’s National Security Division. Next, CTI explores how cybercriminals are leveraging expired Amazon Web Services (AWS) S3 buckets to distribute malicious code. CTI also looks at the RedClouds cyberespionage campaign, which features custom RDStealer malware designed to steal data from drives shared through remote desktop connections.

1. DOJ launches cyber unit to prosecute nation-state threat actors

The DoJ recently launched a new litigating section to increase its capacity to target and disrupt malicious cyberattacks that threaten national security. NatSec Cyber also enables the National Security Division (NSD) to prosecute nation-state threat actors with greater speed and efficiency.

The announcement came during a DoJ press release, which characterized the cyber unit’s development as a direct response to the core findings contained in Deputy Attorney General Lisa O. Monaco’s Comprehensive Cyber Review, released in July 2022.

From a SecurityWeek article covering the topic:

In tackling growing threats by nation-state attackers, the NatSec Cyber will also bolster intragovernmental collaboration between the Criminal Division’s Computer Crimes and Intellectual Property Section (CCIPS) and the FBI’s Cyber Division.

Disruption, accountability, and deterrence

As the DoJ explains in its cyber review, threats in cyberspace are evolving with unmatched speed. To disrupt attacks and hold threat actors responsible, the department must move with greater agility. The launch of NatSec Cyber is the latest action taken by the U.S. federal government to enhance and expand its efforts against evolving cyber threats.

Other supporting units and initiatives include:

• Creating the National Cryptocurrency Enforcement Team (NCET) within the Department’s Criminal Division, which focuses on combating illicit uses of cryptocurrency.
• Launching the Civil Cyber-Fraud Initiative (CCFI) by the Department’s Civil Division. The CCFI uses the department’s authorities under the False Claims Act to pursue civil actions against government grantees and contractors — including those under contract with the Department of Justice — who fail to meet cybersecurity obligations.
• Developing a new Cyber Fellowship within the Department, to foster a new generation of prosecutors and attorneys equipped to handle emerging cybercrime and cyber-based national security threats.
• Rolling out additional cybersecurity measures to improve the department’s email security. These measures included mandatory encryption training for department personnel and additional technical measures to protect against phishing and related techniques.

The driving force behind the establishment of this latest federal cyber unit is spelled out plainly in the DoJ’s press release:

The National Security Cyber Section will increase the Justice Department’s capacity to disrupt and respond to malicious cyber activity, while promoting Department-wide and intragovernmental partnerships in tackling increasingly sophisticated and aggressive cyber threats by hostile nation-state adversaries. The Section will bolster collaboration between key partners, notably the Criminal Division’s Computer Crimes and Intellectual Property Section (CCIPS) and the FBI’s Cyber Division and will serve as a valuable resource for prosecutors in the 94 U.S. Attorneys’ Offices and 56 FBI Field Offices across the country.

Responding to highly technical cyber threats often requires significant time and resources,” said Assistant Attorney General Olsen. “NatSec Cyber will serve as an incubator, able to invest in the time-intensive and complex investigative work for early-stage cases.

NatSec Cyber’s formation comes on the heels of recent, widely publicized successes in “identifying, addressing and eliminating national security cyber threats, including the charging of an alleged cybercriminal with ransomware attacks against U.S. critical infrastructure and [the] disruption [of] the Russian government’s premier cyberespionage malware tool,” as cited in the DoJ press release.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It’s encouraging to see the federal government taking concrete steps towards establishing a comprehensive national cybersecurity architecture. It appears that the FBI and DoJ understand the need for legal authority to cover the uncharacteristically brash law enforcement actions they’ve taken in recent months against some of the entities referenced above — and on foreign soil, nonetheless.”

“That kind of ‘Wild West sheriff” behavior can only continue for so long before some congressional oversight committee stops it. It seems like the DoJ has taken the logical, proactive step of making things legal by establishing NatSec Cyber.”

2. Cybercriminals use expired AWS S3 buckets to distribute malicious code

According to Checkmarx, cybercriminals are leveraging expired AWS S3 buckets to distribute malicious code and injecting it into legitimate packages in the npm repository — without having to alter any code.

Checkmarx began investigating the situation in response to an advisory published late last month by GitHub regarding several releases of an npm package called bignum, which had been weaponized by threat actors and was serving malicious binaries designed to steal sensitive user information such as user IDs, passwords, and local hostnames from victims’ devices.

From Checkmarx:

The latest version of “bignum”, 0.13.1, was published more than 3 years ago and had never been compromised. However, several prior versions were. Versions 0.12.2-0.13.0 relied upon binaries hosted on an S3 bucket. These binaries would get pulled from the bucket upon installation to support the functioning of the package. About 6 months ago, this bucket was deleted (the versions relying on it were mostly out of use).

This opened the bucket to a takeover…

S3 Buckets: a refresher

S3 buckets are AWS resources that enable users to store and retrieve massive amounts of data including files, documents, videos, and other types of digital content. Users access S3 buckets with unique URLs, making them useful for a range of purposes from website hosting and data backup to data distribution and application and content archiving and storage.

During the early stage of Checkmarx’s investigation, the bignum npm package was found to make use of “node-gyp” in order to download a .node binary file during the installation phase. The binary file in question was initially hosted on an AWS S3 bucket. If the bucket was inaccessible, it would prompt the package to search for the binary locally.

From Checkmarx:

However, an unidentified attacker noticed the sudden abandonment of a once-active AWS bucket. Recognizing an opportunity, the attacker seized the abandoned bucket. Consequently, whenever bignum was downloaded or re-installed, the users unknowingly downloaded the malicious binary file, placed by the attacker.

How was this possible? While each AWS S3 bucket must possess a globally unique name, the name becomes available again upon the bucket’s deletion. If a package happens to point to a bucket as its source, that pointer continues to exist — even after that bucket’s deletion. It is this oversight that enabled the attacker to reroute the pointer towards the commandeered bucket.

The counterfeit binary and its functions

The nature of the malicious binary — which is a C/C++ compiled binary called for by JavaScript applications — allowed Node.js modules to reach lower-level code and ultimately expand the attack surface.

The counterfeit .node binary functioned much like the legitimate one, with a few extra features thrown in. For example, along with performing the perfectly benign functions of the authentic binary, the fraudulent binary went a step further by stealing credentials and sending them to the same hijacked AWS S3 bucket referenced above. Data was exfiltrated via an HTTP GET request.

Expanding upon the binary’s method of communication, following the accomplishment of its data-harvesting functions, it would create a TCP socket intended for IPv4 communication and covertly exfiltrate the collected data in the form of a user-agent associated with a GET request.

A pattern emerges

By all accounts, this was the first time such an attack had been observed and documented. Checkmarx’s researchers conducted a “quick search across the open-source ecosystem,” with unexpected results.

From Checkmarx:

We found numerous packages and repositories using abandoned S3 buckets that are susceptible to this exploitation. The impact of this novel attack vector can vary significantly. However, the danger it poses can be huge if an attacker manages to exploit it as soon as this kind of change occurs. Another risk is posed to organizations or developers using frozen versions or artifactories as they will continue to access the same, now hijacked, bucket.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The discovery of a new open-source software supply-chain attack surface relating to subdomain takeovers is significant.”

“While much has been made of the threats facing the open-source software community of late, such a discovery should serve as a wake-up call to both developers and the organizations they work for — and act as a reminder that cybercriminals will continue to innovate new ways to weaponize widely-used and trusted software and its sources.”

From Checkmarx:

An abandoned hosting bucket or an obsolete subdomain is not just a forgotten artifact; in the wrong hands, it can become a potent weapon for data theft and intrusion.

3. New exfiltration malware targets RDP workloads

Bitdefender has discovered a new cyberespionage campaign that’s being tracked as RedClouds. It leverages a custom RDStealer malware to lift data from drives shared through remote desktop connections. The malicious campaign, which has not yet been attributed to a specific threat actor, has been targeting systems in East Asia since 2022.

RDStealer is a server-side implant that monitors incoming remote desktop protocol (RDP) connections with client drive mapping enabled. These connecting clients are then infected with the Logutil backdoor — another custom malware — before having sensitive data exfiltrated.

Both the RDStealer and Logutil malware samples analyzed by Bitdefender are written in the programming language of Go. This language is growing in popularity due to its strong cross-platform support, which makes it easier for threat actors to create malicious code that can run on multiple different operating systems. While analyzing domains connected to these attacks, researchers observed multiple references to Linux, but also to ESXi, indicating that the Logutil backdoor is a multiplatform tool.

Anatomy of the attack

After analyzing passive DNS information, VirusTotal samples, and artifacts, Bitdefender determined that the threat actor has been active since at least 2020. The threat actor originally relied on more readily available tools like AsyncRAT and Cobalt Strike before pivoting to custom-developed malware in late 2021/early 2022.

The main purpose of the attack appears to be credential theft and data exfiltration. The threat actors used folders that less commonly contain malware, and therefore are often excluded from scanning by security tools:

• %WinDir%\System32\
• %WinDir%\System32\wbem\
• %WinDir%\security\database\
• %PROGRAM_FILES%\f-secure\psb\diagnostics
• %PROGRAM_FILES_x86%\dell\commandupdate\
• %PROGRAM_FILES%\dell\md storage software\md configuration utility\

The %PROGRAM_FILES% and %PROGRAM_FILES_x86% locations are most likely chosen by the threat actor to mimic the legitimate software. Malware was also found in %WinDir%\security\database, which is a folder that serves as a storage space for security databases in Windows.

Microsoft has provided guidance on excluding specific files within this location from being scanned by endpoint security tools. It’s possible that the threat actor saw this guidance and thought that some security solutions would choose to exclude the entire folder, instead of just specific files within.

What is RDStealer?

RDStealer specializes in data gathering through tactics like capturing clipboard data content and keylogging. The malware can also monitor incoming RDP connections and compromise a remote machine if client drive mapping (CDM) is enabled.

CDM is a virtual channel that is implemented as part of the RDP protocol. It allows for the transfer of data between the RDP client and the RDP server. It is specifically responsible for displaying the local drives of the client machine within the remote desktop session.

The feature allows users to access and transfer files between the local machine and the remote server/desktop they are connected to via RDP. This is commonly used by administrators to transfer files. CDM is also frequently used by regular end users for virtual desktops and application virtualization.

Specific details regarding the initial infection vector are currently lacking, making it difficult to confirm if the compromised system was leveraged for administrative access or regular user interactions.

On compromised machines, RDStealer was located at: %PROGRAM_FILES%\dell\md storage software\md configuration utility\modular disk service daemon[.]exe.

After launching, the main function begins to collect clipboard data and keystrokes from the host. The data is periodically saved into the log file, C:\users\public\log.log, in the form of encrypted strings. It then creates an infinite loop that will call the diskMounted function. This function iperiodically confirms the availability of the tsclient connection and one of the C, D, E, F, G, or H drives. These are automatically created when CDM is enabled.

When one of these shares is confirmed detected, the following functions are triggered:

• C2 communication – notifyMaster: This function notifies command and control (C2) that a client is connected. The function makes a GET request to another server that was designated as a proxy to communicate with the C2 infrastructure controlled by the threat actor.
• Data exfiltration – DiskEnum: This function begins exfiltrating data from the connected RDP client. The function looks for any valuable information on the connected RDP client for data exfiltration.

The first target is a few specific folders which indicate that the threat actor is seeking credentials and saved connections to other systems. This same trend is seen in the next step, where a client is scanned for files with specific file extensions in the following locations: %AppData%, %LocalAppData%, Desktop, Documents, Downloads, %ProgramFiles% and %ProgramFiles(x86)%.

Any located files are stored in a zip archive on the RDP host. After exfiltrating data from the remote C drive, RDStealer begins to look at drive letters D, E, F, G, and H, but with a slightly different approach. For these drives, it will start scanning all folders with just a few exceptions. Since this recursive scan can take some time, there is a mechanism that will limit the execution to be done only once a week. The file users\public\Videos\vcache.dat is modified when data exfiltration is completed, and the last modified date is compared with the current time to determine if it’s time for another sweep of the system.

• Downstream compromise – WritePersist: This function deploys the Logutil backdoor to the connected RDP client. It obtains a list of users from tsclient\c\users.
• Logutil: The Logutil backdoor implements the capabilities that are necessary for maintaining a foothold in the network. This includes things like file download/upload and command execution.

What makes this backdoor interesting is the extent to which it leverages DLL sideloading techniques coupled with its use of WMI as a trigger for activation. While there were some traditional DLL sideloading techniques observed, a more interesting variant was seen abusing Winmgmt, leading to the execution of the malicious binary, bithostw[.]dll. To achieve this, the threat actors used a malicious loader on the wbem folder that mimicked the legitimate ncobjapi library.

The implant can be triggered by either WMI service or through the WMI host process. Logutil can communicate with the C2 infrastructure directly, or through another proxy server on the same network. A full list of commands it can retrieve from the C2 server can be found in Bitdefender’s research here.

Attribution

Despite Bitdefender’s various methods, they have been unable to attribute these attacks to a specific threat actor. They do, however, believe the threat actor’s interests align with China and that it has the sophistication of a state-sponsored APT.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign uses Microsoft Windows folders that are potentially excluded from scanning by some security software. The threat actors purposely use these folders to store the backdoor payloads, knowing that they may be able to persist undetected in the network for longer.”

“Bitdefender’s research also revealed that this threat actor pivoted from using readily available tooling to creating and leveraging custom malware, such as RDStealer and Logutil. This highlights the increased sophistication of this threat actor over the past few years.”

---

Do you have insight these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.