CTI Roundup: Microsoft Warns About Mercury and DEV-1084 Attacks on Hybrid Environments

Up first in this week’s roundup CTI provides an overview of a worrying Microsoft report on its discovery of a destructive operation featuring attacks on assets belonging to both on-premises and cloud environments.

CTI wraps things up with a summary of Russian threat actor Nobelium’s latest cyberespionage campaign, informed by an advisory from Poland’s Military Counterintelligence Service.

1. Mercury and DEV-1084: destructive attack on hybrid environment

Microsoft Threat Intelligence has discovered destructive operations that attacked both on-premises and cloud environments.

The attacks are enabled by Mercury — an Iran-backed nation-state threat actor — that likely worked in partnership with actor DEV-1084 to carry out post exploitation destructive actions and pivot from on-premises to the cloud during the attack.

The attack attempts to masquerade the activity as a traditional ransomware campaign, with the ultimate goal being destruction and disruption.

• Mercury: Mercury, also known as MuddyWater, is a nation-state threat actor with ties to the Iranian government. More specifically, Mercury has been linked to Iran’s Ministry of Intelligence and Security (MOIS). Previous attacks by Mercury have targeted strictly on-premises environments in the government and private organizations across various sectors including telecommunications, local government, defense, oil, and natural gas. Its previous victims have largely been located in the Middle East, Asia, Africa, Europe, and North America. Mercury further came into the spotlight last year when it jumped on the bandwagon to leverage Log4j 2 exploits.
• DEV-1084: DEV-1084 is another Iranian threat actor tracked by Microsoft that is believed to have worked in partnership with Mercury in its latest campaign. DEV-1084 has publicly adopted the DarkBit persona earlier this year as part of a ransomware and extortion attack aimed at Technion. This attack targeted Israel with command-line options and optimized encryption routines.

The links between these two threat groups originate from infrastructure, IP addresses, and tooling overlaps. It’s unclear right now the exact relationship between these two threat actors and if they operate independently or if DEV-1084 is a sub-group of Mercury that only surfaces when Mercury operators are instructed to carry out these types of destructive attacks.

Hybrid environment attack

Microsoft believes Mercury gains initial access via remote exploitation of an unpatched internet-facing device. Mercury then appears to hand off access to DEV-1084.

It appears the threat actors made several attempts at its initial intrusion, eventually succeeding by leveraging exposed vulnerable applications.

After obtaining access, the threat actors proceeded to deploy various tools and techniques to establish persistence. This included:

• Installing web shells
• Adding of local user accounts before elevating privileges to local admin
• Installing legitimate remote access tools including RPort, Ligolo, and eHorus
• Installing a customized PowerShell script backdoor
• Stealing credentials

The threat actors then performed reconnaissance activities leveraging native Windows tools and commands like netstat and nltest.

With the help of stolen credentials, the threat actors were able to perform lateral movement actions within the environment. These actions include remote scheduled tasks to launch a customized PowerShell backdoor, WMI to launch commands, and remote services to run encoded PowerShell commands. The new infected devices were hit with the same persistence mechanisms as bulleted above.

Microsoft notes that the threat actors sometimes waited weeks (and in some cases, months) before moving to the next step of the attack chain.

On-premises impact

The threat actors interfered with security tools via Group Policy Objects (GPO) and leveraged the highly privileged credentials for access to domain controllers. This enabled them to prepare for large-scale encryption.

GPO was used to register a scheduled task to launch the ransomware which was previously loaded in the NETLOGON shares of several domain controllers. The ransomware payload encrypts files found on the system and appends the DARKBIT extension.

From on-premises to cloud

The threat actors interfered with security tools via Group Policy Objects (GPO) and leveraged the highly privileged credentials for access to domain controllers. This enabled them to prepare for large-scale encryption. GPO was used to register a scheduled task to launch the ransomware which was previously loaded in the NETLOGON shares of several domain controllers. The ransomware payload encrypts files found on the system and appends the DARKBIT extension.

Cloud impact

The threat actors were able to perform mass Azure resource deletion, abuse the Exchange Web Server API, and perform email impersonation.

• Azure resource deletion: The threat actors claimed the Global Administrator permission via PIM – Azure Privileged Identity Management – and elevated that access to get permissions to management groups and Azure subscriptions. This compromised administrator account along with the Azure AD Connector account were used for destruction of the Azure environment. Destruction included the deletion of server farms, virtual machines, storage accounts, and virtual networks in just a few hours.
• Exchange Web Server API abuse: The threat actors obtained full access to mailboxes through Exchange Web Services by providing a legitimate OAuth application with the appropriate permissions and administrator consent. These privileges allowed the threat actor to update the OAuth application with certificates to carry out malicious activities. The threat actors then used this application’s permissions to perform GetItem operations and to perform thousands of search activities — potentially to dump mailbox data or to search for sensitive data in the mailboxes.
• Email impersonation: The compromised administrator account was used to grant SMTP “send on behalf” permissions to the Azure AD Connector account. This action was performed on a high-ranking employee’s mailbox via the Set-Mailbox PowerShell cmdlet. Emails were then crafted and sent to both internal and external parties.

Credential Extraction

Compromised credentials were used to access the Azure AD Connect device two weeks prior to the ransomware deployment. At this time the threat actors initiated an SSH tunnel to a device controlled by the threat actor.

Not long before the ransomware deployment, a known attacker IP address authenticated into the Azure AD Connector cloud account. This sign-in did not involve the guessing or modification of the credential password, indicating the threat actor likely possessed the password for this account.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Hybrid campaigns which target both on-premises and cloud environments during a single attack are not something we see every day. Sure, there may be malware with multiple variants capable of targeting both on-prem and cloud environments, but the actual act of pivoting from on-prem to cloud in one attack is far less commonly observed among the threat actors we currently track.”

“Along the same vein, Mercury’s shift from solely targeting on-prem environments to engaging in attacks on both on-prem and cloud environments marks a potential evolution in the methodology embraced by the actors which populate the threat landscape, highlighting the increase in cloud exploitation. This campaign leverages TTPs that are not necessarily new or novel. For example, credential theft, privilege escalation, installing web shells, and implementing malicious group policies are all things we’ve seen in campaigns before.”

“What sets this campaign apart has to do with the impactful way in which this campaign combines these TTPs to gain access to two different types of network environments. Although this attack seems to be carried out by two threat actors working together, both activity clusters appear to be linked to the overarching Iran-based threat actor, MuddyWater. This is unsurprising, as Iranian state-backed threat actors are notorious for contracting out certain parts of operations.”

2. Russian hackers linked to widespread attacks targeting NATO and EU

According to an advisory from Poland’s Military Counterintelligence Service, its Computer Emergency Response Team has linked Russia’s state-sponsored APT29 hacking group — or Nobelium — to a recent spate of widespread attacks targeting both NATO and European Union (EU) countries as part of a large cyberespionage campaign.

Campaign details

While CERT.PL’s advisory makes a point of noting that the campaign is still ongoing, it appears that the primary goal of Nobelium’s operation is the large-scale harvesting of sensitive information — the type which both aligns with and furthers the aims of the Russian government. The targets include diplomatic entities belonging to NATO and foreign ministries in EU countries, as well as African nations.

With regards to victimology and targeting patterns, this is by no means new territory for Nobelium. However, CERT.PL reports that, despite the infrastructure and TTPs overlapping in part (or in full) with previous Nobelium activity, the unique software deployed during this campaign sets this operation apart, as it has apparently not been previously “described publicly.”

The advisory asserts that new tools were deployed both at the same time and independently of each other; the idea being that Nobelium is methodically replacing utilities whose effectiveness is on the wane and thus allowing the actor to maintain its usual high operational tempo (OPTEMPO).

Attack details

As described in CERT.PL’s advisory, the course of the attacks comprising this campaign all began with spear phishing, wherein emails impersonating European embassies were sent to specific personnel occupying diplomatic posts.

• The messages contained either an invitation to a meeting or a request to collaborate on the production of documents.
• A link was included in each message; either in the body of the email or contained within an attached PDF document.
• The link was designed to appear as though it would enable the recipient to access the impersonated ambassador’s calendar, enable the recipient to view meeting details, or bring the victim to a downloadable file.

In reality, the link directed recipients to a compromised website containing a malicious script, a piece of code publicly referred to as ENVYSCOUT — a dropper that has been leveraged by Nobelium since at least 2021.

From CERT.PL:

It utilises the HTML Smuggling technique – whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim’s device. This makes the malicious file more difficult to detect on the server side where it is stored. The web page also displayed an information intended to reassure the victim that they had downloaded the correct attachment.

According to the advisory, the adversary deployed three different versions of ENVYSCOUT – progressively adding new mechanisms to evade detection and make analysis more difficult as the campaign progressed.

Changes in file formats

CERT.PL notes that past campaigns attributed to Nobelium commonly made use of .ZIP or .ISO files to deliver malware. In this campaign, the adversary added the use of .IMG files to its normal repertoire.

As .ISO and .IMG disk images are automatically mounted in the file system when opened, their contents are displayed within Windows Explorer. Furthermore, these file types do not exhibit the mark-of-the-web (MOTW), meaning Windows will not warn the user that the files originated from the internet.

The adversary deployed a range of techniques to entice victims to launch the malware.

From CERT.PL:

One of them was a Windows shortcut (LNK) file pretending to be a document but actually running a hidden DLL library with the actor’s tools. The DLL Sideloading technique was also observed, using a signed executable file to load and execute code contained in a hidden DLL library by placing it in the same directory, under a name chosen according to the entries in the import table. At a later stage of the campaign, the name of the executable file contained many spaces to make the exe extension difficult to spot.

Tools leveraged

Aside from ENVYSCOUT, Nobelium utilized a variety of tools at different stages of the campaign. They are included in the following list from CERT.PL, with links to detailed technical analysis of each:

• SNOWYAMBER : a tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.
• HALFRIG: used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.
• QUARTERRIG: a tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.

From CERT.PL:

The SNOWYAMBER and QUARTERRIG tools were used as so-called downloaders. Both tools sent the IP address as well as the computer and username to the actor. They were used to assess whether the victim was of interest to the actor and whether it was a malware analysis environment. If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL. HALFRIG, on the other hand, works as a so-called loader – it contains the COBALT STRIKE payload and runs it automatically.

While this campaign is somewhat unique in that it marks the emergence of new malware (which was subjected to various upgrades and alterations throughout the campaign’s progression), CERT.PL describes several of the operation’s elements as repeatable, and specifically lists the following attack attributes:

1. The way the infrastructure is built. The actor behind the espionage campaign prefers to use vulnerable websites belonging to random entities.
2. Email theme. All acquired emails used in the campaigns used the theme of correspondence between diplomatic entities.
3. The use of a tool publicly referred to as ENVYSCOUT. This script has been used by the actor since at least 20219. Modifications to the tool’s code were observed during the campaign, but they did not significantly affect its functionality.
4. A link to the ENVYSCOUT tool was provided to the victim in the form of a link embedded in the body of the email or in the body of an attached PDF file.
5. Use of ISO and IMG disc images.
6. Use of a technique called “DLL Sideloading” that uses a non-malicious, digitally signed executable file to start-up the actor’s tools.
7. Use of commercial tools COBALT STRIKE and BRUTE RATEL.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It is worth noting that the guidance around this particular security flaw has been in existence since April of 2021. While including the words “zero-day” in a blog post’s headline is sure to grab attention, there is disagreement among cybersecurity professionals as to whether this particular flaw is truly an example of a zero-day vulnerability.”

---

For further reading, catch up on our recent cyber threat intelligence roundups.