Dead Drop Resolvers - Espionage Inspired C&C Communication

-

 

A “dead drop” is a well-known espionage tactic of passing items or information between two parties using secret locations. The two parties never meet and any sign of communication is concealed. This tactic is commonly used by intelligence officers to interact with their assets in the field to avoid any suspicious meetings or either caught talking to each other. For decades, intelligence agencies have used dead drops. Two infamous double agents from the CIA and FBI - Aldrich Ames and Robert Hanssen respectively - both used dead drops to supply information to their handlers from the Soviet Union. Cyber adversaries have also come to adapt this technique into their espionage campaigns. However, instead of a human source, state-backed computer network operations (CNOs) have leveraged legitimate services for covert communications or so-called “dead drop resolvers”. 

In October 2019, ESET Research disclosed a report on Operation Ghost Dukes which detailed the activities of an APT group known as TheDukes (also called APT29 or CozyBear). This particular group reportedly operates on behalf of the Russian foreign intelligence service (also known as the SVR). It was made infamous for compromising the Democratic National Committee (DNC) in 2016 during the run-up to the US election. Operation Ghost Dukes likely began in 2013 and targeted government entities for years whilst attracting very little attention. One key reason why TheDukes were able to go undetected for this length of time was partly due the use of online services as dead drop resolvers including Twitter, Imgur, and Reddit. These acted as primary command and control (C&C) channels for the first stage of their malware.


Figure 1 - C&C Dead Drop Resolvers used by TheDukes. 


In September 2020, the Microsoft Threat Intelligence Center (MSTIC) reported that a Chinese state-sponsored threat actor known as GADOLINIUM used GitHub Commits to issue new commands to victim computers. These acted as dead drop resolvers to conceal any communications to attacker infrastructure by using GitHub pages as the intermediary. This tactic had been employed by the GADOLINIUM group since 2018 to target organisations worldwide, with a focus on the maritime and health industries. 



Figure 2 - GitHub repository controlled by GADOLINIUM used as a Dead Drop Resolver


It is also worth noting that in February 2021, Akamai researchers wrote a blog on a crypomining botnet leveraging Bitcoin blockchain transactions in order to conceal its back up C&C server addresses. This specific dead drop resolver is interesting as it effectively can defeat takedown attempts. The blog does describe a singular method of causing disruption, however, as a disruptor can send funds to the wallets the group uses to generate invalid C&C server addresses.



Figure 3 - Bitcoin transactions used to generate C&C server addresses


In August 2020, Kaspersky GReAT disclosed information on a mercenary APT group dubbed DeathStalker (previously called the Deceptikons and associated with the EvilNum group). The group heavily relied on dead drop resolvers to provide a way to store data at a fixed URL through public posts, comments, user profiles, content descriptions, etc. Messages left by the attackers follow the following patterns: “My keyboard doesn’t work… [string].” and “Yo bro I sing [Base64 encoded string] yeah”.



Figure 4 - Strings containing C&C addresses left as YouTube comments


Analysis


Defenders attempting traffic analysis would only see connections to these legitimate sites and it would not flag any suspicious alerts. This tradecraft has often been favoured by state-sponsored adversaries for intelligence gathering and long term persistence. Although this TTP of dead drop resolvers has been leveraged by the cyber arm of the Russian SVR since at least 2013 - and the idea by spies decades earlier - it is still an effective tool to bypass basic traffic analysis. It is always worth remembering that many APT groups are either directly associated with intelligence and security agencies or do contract work for them. As shown with cryptomining campaigns and the DeathStalker group, these TTPs can often transfer to the cybercriminal underground. 


Dead drops resolvers are free for threat actors to create and provide simple yet effective cover. It can also hinder defenders from disrupting the attacker’s campaign as takedown requests can be a difficult and time-consuming process. The online services like YouTube and Twitter also cannot be blocked at the company level. However, this tactic comes at a price. Once an analyst has uncovered the attacker’s dead drops, it can lead to unraveling other parts of the campaign as it can also be difficult for the attackers to remove their infrastructure and evidence of their attacks.


References:

https://www.wired.com/story/what-is-dead-drop/

https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

https://github.com/eset/malware-ioc/blob/master/dukes/README.adoc 

https://attack.mitre.org/techniques/T1102/001/

https://blogs.akamai.com/sitr/2021/02/bitcoins-blockchains-and-botnets.html

https://securelist.com/deathstalker-mercenary-triumvirate/98177/ 

https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html 

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more