CTI Roundup: TA4557, OAuth Cryptomining, and the China-based KEYPLUG backdoor

In this week’s roundup, CTI explores how the threat actor TA4557 is actively targeting recruiters with direct emails and malware. Next, CTI investigates how threat actors are abusing OAuth applications to deploy virtual machines for cryptocurrency mining, establish persistence, and launch spam campaigns. Finally, CTI wraps up with an overview of the tactical and targeting overlaps between the Sandman APT and the China-based threat cluster Red Dev 40.

1. TA4557 targets recruiters via email

A threat actor known as TA4557 is targeting recruiters with direct emails that result in the delivery of malware.

According to Proofpoint, the initial emails are benign and aim to establish trust with the victim by expressing interest in a currently open position at the company. The attack chain commences once the recruiter replies to the email.

TA4557’s campaign strategy

In recent TA4557 campaigns, the threat actor is using a new method of emailing recruiters directly along with a previous technique of applying to jobs posted on public job boards.

In the attack chain that uses the new direct email approach, the victim must reply to the initial benign email for the attack to start. Once they reply, the threat actor responds with a URL that links the victim to an actor-controlled website that poses as a candidate resume.

In other cases, the actor replies with a PDF or Word document with instructions to visit that same site hosting the fake resume. More recent campaigns ask the email recipient to refer to the domain name of their email address to access their portfolio, allowing the email to evade detection.

If the victim visits the site as directed, they will see a page that mimics a candidate’s resume or a generic job site for that candidate. The website itself has filtering in place to determine what the next stage of the attack chain should be.

If the filtering checks are not met, the victim is directed to a page containing a resume in plain text, however, if they do pass the filtering checks, they are directed to the candidate website. This candidate website leverages CAPTCHA and, if completed, will begin to download a zip file that contains an LNK.

About TA4557

Proofpoint has been tracking TA4557 since 2018. The actor appears to be financially motivated and is known to distribute the More_Eggs backdoor that profiles an endpoint and sends additional payloads.

As Proofpoint explains, the threat actor is noticeably different from other priority threat actors that the organization is tracking. This is due to their unique malware and tool usage, use of job candidate-themed lures, campaign targeting, sophisticated evasive measures, distinct attack chains, and actor-controlled infrastructure.

Some previous TA4557 activity overlaps with the notorious FIN6 group. Further, TA4557’s malware is also used by Cobalt Group and Evilnum.

While some overlap with other groups exist, TA4557 is still believed to be its own distinct activity cluster.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This activity specifically targets recruiters. Because the first email in the attack is benign, it is not likely to be caught by email security solutions. As such, it is critical to conduct phishing training and awareness, but even more important to have tailored phishing training for individuals in roles that may be faced with more specific types of phishing lures.

2. Threat actors use OAuth apps to automate BEC and cryptomining attacks

Threat actors are now abusing OAuth applications as an automation tool to deploy virtual machines for cryptocurrency mining, establish persistence after BEC, and launch spam campaigns using the organization’s resources and domain name.

Microsoft has observed threat actors launching phishing and password-spraying attacks against accounts that did not have strong authentication in place but had permissions to create and/or modify OAuth applications.

What is OAuth?

OAuth is an open standard for token-based authentication and authorization. It enables applications to access data and resources based on the permissions set by a user. This makes OAuth an attractive target for threat actors who may look to compromise user accounts with the appropriate access and use the account to create, modify, and grant high privileges to OAuth applications. These can be used to hide further malicious activity.

Microsoft has been tracking the misuse of OAuth applications, noting that this enables a threat actor to main their access to applications even if they lose access to the account that was initially compromised.

OAuth applications to deploy VMs for cryptomining

Microsoft specifically observed a threat actor named Storm-1283 using a compromised account to create an OAuth application.

In this case, the threat actor used it to deploy virtual machines for cryptomining. The actor used the compromised account to sign in via VPN and created a new single tenant OAuth application in Microsoft Entra ID. Because this account had an ownership role of an Azure subscription the threat actor was able to grant the “contributor” role permission for the application.

The actor then leveraged existing OAuth applications that the compromised user had access to by adding an additional set of credentials to those applications. Organizations targeted by this activity incurred compute fees between $10,000 and $1.5M.

OAuth applications for BEC and phishing

In a different attack, Microsoft observed a threat actor compromising user accounts and creating OAuth applications for persistence and to launch email phishing campaigns.

An adversary-in-the-middle (AiTM) phishing kit was used to send a large campaign of phishing emails with different subject lines and URLs to victims across multiple organizations. When the victim clicked on the URL within the email, they were redirected to a Microsoft sign in page that was proxied via the actor’s proxy server. This enabled them to steal the token from the user’s session cookie and then later use this token to perform session cookie replay activity.

• Persistence following BEC: A few observed instances had additional activity following the session cookie replay activity. In some cases, the threat actor would use the compromised account for BEC reconnaissance, opening email attachments in OWA that had financial keywords of interest like payment or invoice. The threat actor would then create an OAuth application and operate under the compromised account session to add new credentials to this application.
• Email phishing activity: Microsoft observed some cases in which the threat actor did not perform BEC reconnaissance but instead created multitenant OAuth applications after the stolen session cookie replay actions. These applications were used for persistence, to add new credentials and to access Microsoft Graph API to either send phishing emails or simply read emails. Microsoft observed about 17,000 multitenant OAuth applications created by the threat actor across different tenants. The threat actor was also observed creating inbox rules within the compromised account’s inbox. Altogether the malicious applications sent more than 927,000 phishing emails.

OAuth applications for spamming activity

Large-scale spamming activity was also observed, carried out by a threat actor called Storm-1286. This threat actor carried out password spraying attacks against accounts that primarily did not have MFA enabled. The compromised accounts were then used to create 1-3 new OAuth applications using Azure PowerShell or a Swagger Codegen-based client. The threat actor waited months in some cases after creating the applications to begin the spam activity.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This campaign only took place over the duration of a few months (July to November), yet it was able to distribute almost one million phishing emails.

Even though Microsoft has since taken down all the malicious OAuth applications that were part of this campaign, it’s important to understand how the activity occurred and what we can do to better defend our organizations from this activity. Microsoft provided several mitigation steps to protect against this activity including enforcing MFA, enabling conditional access policies, routinely auditing apps and consented permissions, and more. Microsoft has also provided various hunting queries.

3. Sandman APT’s connection to China-based KEYPLUG backdoor

Researchers have discovered tactical and targeting overlaps between the Sandman APT and Red Dev 40, a China-based threat cluster that’s known for using the KEYPLUG backdoor.

The joint assessment between SentinelOne, PwC, and Microsoft is based on the fact that the threat actor’s Lua-based malware, LuaDream, and KEYPLUG were both determined to exist in the same victim networks.

The connection between Sandman and Red Dev 40

Red Dev 40 is a threat cluster that primarily targets telecommunication providers and government entities in the Middle East and South Asia, which is similar to that of Sandman. Sandman and Red Dev 40 have numerous links including victimology overlaps, cohabitation, and shared C2 infrastructure and management practices.

• KEYPLUG, a modular backdoor, is a staple tool in Red Dev 40’s arsenal but has been observed used by other threat actors as well. KEYPLUG is believed to be shared among various China-based groups.

Red Dev 40 is distinguished from other groups using KEYPLUG based on specific malware characteristics like unique encryption keys for C2 communication. They are also known for their higher sense of operational security, including their reliance on cloud-based reverse proxy infrastructure to hide the true hosting location of their C2 servers.

• LuaDream is a modular backdoor that is based on LuaJIT. Researchers have observed Sandman’s LuaDream malware and KEYPLUG implants in the same victim environments, some on the same endpoints.

In one case, KEYPLUG was deployed a full three months prior to LuaDream, and both were active at the same time for roughly two weeks. A look at the implementation and C2 infrastructure of these malware revealed shared development and infrastructure.

LuaDream and KEYPLUG

The KEYPLUG malware strain is implemented in C++, while the majority of the LuaDream components are implemented in Lua.

Researchers analyzed samples of both malware strains and confirmed that while they do not appear to be from the same source, they do have indicators of shared development practices and other overlaps.

Their research indicates that the two malware strains share functional requirements by the operators, which is not uncommon for malware of Chinese origin.

• C2: Both malware strains are highly modular and multi-protocol in design. They both support the HTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The order in which the malware evaluates the configured protocol is the same: HTTP, TCP, WebSocket, and QUIC in that order.

KEYPLUG implements additional support for UDP that LuaDream does not. However, because LuaDream is believed to still be under development, there is the possibility that future variants of LuaDream will support UDP.

• Execution/C2 data management: The overall execution flow of LuaDream and KEYPLUG are very similar. They both start by collecting and exfiltrating system and user information and share overlaps in what data is collected. They then create threads that will send and receive C2 data, establish a connection to the C2 server, process backdoor commands, and manage plugins.

Both malware also store overlapping information about the global buffers including starting memory addresses, sizes, and points to Windows CRITICAL_SECTION structures. They are both designed to read from and write to these buffers. Both will also generate one-time values based on the system uptime that is returned by the GetTickCount function. This value is calculated in the same way and is used for sleep time intervals or protocol specific keys.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The threat landscape surrounding China-based threat actors is incredibly complex, especially given how often these actors share custom tooling.

This willingness to share tooling makes it less surprising that we’re seeing actors like Sandman have overlaps in infrastructure and TTPs with a China-based threat cluster.

Further, Lua-based malware has only been seen a handful of times (most recently in Cisco zero-day exploitations), so the increased adoption of Lua is certainly something to keep an eye on.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.