Symantec reports “sophisticated espionage group” target multiple telecomms.
Cybersecurity vendor, Symantec has reported Greenbug espionage group is actively targeting telecommunications companies in South Asia, with activity seen as recently as April 2020.
According to a recent blog by Symantec’s Critical Attack Discovery and Intelligence Team, Greenbug is using “off-the-shelf and living-off-the-land tools” in an “information-gathering campaign targeting multiple telecoms organisations.
“There are indications that at least one of the companies was first targeted as early as April 2019,” states the Team. “Email appears to be the initial infection vector used by the group. Greenbug is using a mixture of off-the-shelf tools and living-off-the-land techniques in these attacks.”
According to the blog it appears the group is interested in gaining access to database servers – where Symantec sees it stealing credentials then testing connectivity to these servers using the stolen credentials.
“Greenbug is believed to likely be based out of Iran, and there has been speculation in the past that it has connections to the destructive Shamoon group, which has carried out disk-wiping attacks against organisations in Saudi Arabia,” the blog states.
Research by Symantec in 2017 found evidence Greenbug was on an organisation’s network prior to a wiping attack that involved W32.Disttrack.B (Shamoon’s malware).
“This link was never definitively established, but cooperation between the two groups is considered a possibility,” Symantec states. “Much of the activity we saw in this attack campaign is in line with activity we have seen from Greenbug in the past, including the use of email as an initial infection vector, the use of publicly available hack tools like Mimikatz and Plink, and the apparent focus on collecting credentials and maintaining a persistent, low-profile presence on victim networks.”
Across multiple victim machines, a file named proposal_pakistan110.chm:error.html was executed via an internet browser.
“We also see the same file being opened by archiver tools,” Symantec wrote. “While we were unable to retrieve the file for analysis, the same technique has been leveraged by Greenbug in the past, as early as 2016.”
In these earlier attacks, emails were sent to targets containing a link to a likely compromised site, which hosted an archive file, said Symantec.
“This archive contains a malicious CHM file (compiled HTML Help file), which includes an ADS (alternative data steam) to hide its payload, which is installed when executed. This file usually also contains a decoy PDF file containing an error message that says the file could not be opened correctly.”
Symantec has also seen similarly named files used in other organizations in the past to drop Trojan.Ismdoor, Greenbug’s custom malware.
“Around the same time as we saw this file, a file called GRUNTStager.hta was also executed. Symantec believes the attackers used the publically available Covenant post-exploitation framework in order to gain an initial foothold in their target organisations.”
Covenant is a publicly available hack tool that is described as a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform.”
“Described as being used “red teams,” but is also open to being abused by malicious actors,” Symantec wrote. “Greenbug was present on the systems of one organization from October 2019 to April 2020. It appeared to be interested in gaining access to the organization’s database server. The attackers were observed executing various PowerShell commands on the victim system.”
The first activity was seen on October 11, 2019, when a malicious PowerShell command was executed to install a CobaltStrike Beacon module to download the next stage payload.
Tags: espionageGreenbugnetwork attackShamoonSouth AsiaSymantec