In early 2018, the Russian APT group Turla likely hijacked the command-and-control infrastructure of Iranian cyberespionage group OilRig, in order to deliver a custom backdoor to its intended victim, according to researchers.
The unusual attack took place during one of three Turla campaigns over the last 18 months that experts from Symantec chronicled in a blog post late last week. Collectively, the three campaigns targeted 13 organizations in the government, education and IT/communications sectors, across five global regions.
Also known as Waterbug (as well as Snake and Venomous Bear), Turla was aided in its operations by a combination of newly discovered custom malware, modified open-sourced hacking tools, and legitimate administration tools.
Victims included Ministries of Foreign Affairs in Latin America, the Middle East, Europe and South Asia; unnamed government organizations in the Middle East and Southeast Asia; IT/comm tech organizations in the Middle East, two European countries and a South Asia country; a multinational organization in the Middle East; and an educational institution in Southern Asia.
An investigation into one of the three campaigns revealed the use of "Neptun," a previously unknown backdoor that is installed on Microsoft Exchange servers. Symantec said Neptun was designed to remain under the radar by passively listening for malicious commands. Upon receiving its orders, it can download additional tools, upload stolen files and execute shell commands.
According to Symantec, Turla infected an unspecified Middle Eastern victim organization with Neptun and used the backdoor in September 2018 to drop a heavily modified variant of the post-exploitation password-stealing tool Mimikatz. But much earlier that same year, in January, someone had dropped a very similar Mimikatz tool on the same infected network from infrastructure belonging to the Iran-linked OilRig group, also known as APT34 and Crambus.
Symantec's running theory is that after Waterbug discovered that OilRig had previously compromised this Middle Eastern organization at least as far back as November 2017, the Russian actor decided to leverage the Iranian infrastructure, using it as an initial access point to deliver their customized version of Mimikatz.
"While it is possible that the two groups may have been collaborating, Symantec has found no further evidence to support this," the blog post stated. "In all likelihood, Waterbug's use of Crambus infrastructure appears to have been a hostile takeover."
The researchers said it's unlikely Turla was attempting a false flag operation, because in other instances they blatantly used their own infrastructure. However, "if a false flag operation wasn’t planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators."
The other two campaigns mentioned in Symantec's report were more global in nature and shared certain unique PowerShell commands.
The first used two versions of a custom loader, javavs.exe and javaws.exe, to load the custom backdoor PhotoBased.dll. This backdoor can download and upload files, perform shell commands, and modify the registry for the Windows Media Player to store its command-and-control configuration Symantec explains in its post.
"The attackers also install another backdoor that runs a command shell via the named pipe cmd_pipe," the post said. "Both backdoors allow the attackers to execute various commands that provide full control of the victim’s system."
The javaws.exe loader also runs a third loader, tasklistw.exe, whose job is to decode and execute various malicious executables that ultimately download the Meterpreter Metasploit payload.
The third campaign involved a different backdoor called securlsa.chk, which receives commands via the RPC protocol and is capable of executing commands through cmd.exe, directing the command output into a temporary file and then reading it, and reading and writing arbitrary files.
"This RPC backdoor also included source code derived from the tool PowerShellRunner, which allows a user to run PowerShell scripts without executing powershell.exe," Symantec reported. "Therefore, the user may bypass detection aimed at identifying malicious PowerShell usage."
Other tools observed in one or more of the three campaigns included a custom dropper for installing Neptun as a service, a custom hacking tool that combines for NSA-linked exploit tools (including EternalBlue), a USB data collection tool, Visual Basic scripts for performing system reconnaissance, PowerShell scripts that steal credentials from Windows Credential Manager, and more.