Tracking Adversaries: Ghostwriter APT Infrastructure

Introduction to Infrastructure Pivoting

Pivoting on infrastructure is a handy skill for cyber threat intelligence (CTI) analysts to learn. It can help to reveal the bigger picture when it comes to malware, phishing, or network exploitation campaigns. Infrastructure pivoting essentially is the act of looking for more systems an adversary has created. The main benefit of this pursuit is the identification of additional targets or victims, more tools or malware samples, and ultimately new insights about the adversary’s capabilities.

If done correctly, being able to pivot on adversary infrastructure will be very useful during incident response (IR) engagements. For example, it may lead to being able to attribute the intrusion to a known adversary. This will help others during an IR engagement understand the level of threat posed to the victim organisation.

Receiving Threat Data

To be able to pivot on adversary infrastructure, threat data is needed such as the intelligence shared by threat reports put out by various researchers from public and private sector organisations. This scenario, however, involves relying on the analysis skills of other researchers to explain what the infrastructure is and when they observed it in use.

This blog will examine threat data provided by public sector organisations such as the Computer Emergency Response Team of Ukraine (CERT-UA) as well as cybersecurity vendors such as Deep Instinct, Cyble, and Fortinet. These organisations have shared indicators of compromise (IOCs) uncovered following analysis of adversary intrusion activities or upload to online malware sandboxes, such as VirusTotal, among others.

Introduction to the Ghostwriter Campaign

On 3 June 2024, Fortinet shared a report on malicious XLS macro documents leading to Cobalt Strike Beacons. Analysis of the XLS documents showed that they appeared to be targeting the Ukrainian military and were linked to a known Belarusian state-sponsored APT group tracked as Ghostwriter (aka UNC1151, UAC-0057, TA445). On 4 June 2024, Cyble also shared a report on a similar campaign.

In both reports, if the XLS was opened and the macros were executed by the target, a malicious DLL file was downloaded from an adversary-created domain. In Fortinet’s report, two similar “.shop” domains were mentioned. In Cyble’s report another “.shop” domain was also called out.

Overlapping IOCs

The first pivot on Ghostwriter APT infrastructure that will be demonstrated involves finding indicators of compromise (IOCs) such as domains and IP addresses that appear in multiple threat reports.

The fastest way to surface these overlaps is through continuous collection of reported IOCs into a Threat Intelligence Platform (TIP). Tagging each IOC with the source it came from reveals the IOCs that appear in multiple threat reports. Eventually, one domain or IP address will be reported by multiple entities and the connection will make itself apparent.

In Figure 1 (see below) the domain “goudieelectric[.]shop” appeared in both Cyble’s blog and Fortinet’s blog. Analysis of all three domains found that they share the same generic top-level domain (gTLD), registrar, and name servers, and that each has a robots.txt file configured. These common infrastructure characteristics indicate that all three domains were created by the same adversary.

Figure 1. Three similar domains appearing in two threat reports.

Domain Registration & Hosting Overlaps

When more IOCs are reported in other threat reports it is possible to link them to other known domains, because adversaries tend to reuse the same registrars, name servers, and gTLDs.

In Figure 2 (see below), Deep Instinct reported two more domains that could also be linked to the previous three domains through the mutual use of the PublicDomainRegistry registrar, Cloudflare name servers, and the robots.txt file.

Figure 2. Five similar domains that appear across three threat reports.

Further, CERT-UA reported three more domains (see Figure 3 below) that could be linked to the infrastructure cluster through this same method as well. This pattern of behaviour is a strong indicator that these domains were created by the same adversary.

Figure 3. Eight similar domains that appear across four threat reports.

Finding Unreported Domains

Since the domains from the above threat reports were collected and linked together through overlapping attributes, it is now possible to use these attributes to find more domains that had gone unreported.

Using a VirusTotal domain attribute query, additional domains can be found by using the following registration pattern:

  • Name Servers: CLOUDFLARE
  • Registrar: PublicDomainRegistry
  • TLD: *.shop

This revealed 24 domains that matched this pattern and were likely created by Ghostwriter, a state-sponsored APT group:

  • backstagemerch[.]shop
  • bryndonovan[.]shop
  • chaptercheats[.]shop
  • clairedeco[.]shop
  • connecticutchildrens[.]shop
  • disneyfoodblog[.]shop
  • eartheclipse[.]shop
  • empoweringparents[.]shop
  • foampartyhats[.]shop
  • goudieelectric[.]shop
  • ikitas[.]shop
  • jackbenimblekids[.]shop
  • kingarthurbaking[.]shop
  • lansdownecentre[.]shop
  • lauramcinerney[.]shop
  • medicalnewstoday[.]shop
  • moonlightmixes[.]shop
  • penandthepad[.]shop
  • physio-pedia[.]shop
  • semanticscholar[.]shop
  • simonandschuster[.]shop
  • thevegan8[.]shop
  • twisterplussize[.]shop
  • utahsadventurefamily[.]shop

Note: VirusTotal domain searches are only available to VirusTotal Enterprise users. There are other providers which allow you to search for domain registration patterns such as DomainTools, Validin, and Zetalytics. There are also some free OSINT sites such as nslookup.io and viewdns.info that can be useful in certain scenarios.
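The two pivots described above (finding IOCs that overlap across reports, then using the shared registration attributes of that cluster to hunt for unreported domains) can be automated once the IOCs are collected. The following is an added example, not code from the post or from any of the vendors named in it. The report-to-domain mapping and the WHOIS-style records are constructed for illustration: only goudieelectric[.]shop and the Cloudflare / PublicDomainRegistry / .shop fingerprint come from the post, and every other domain name and name server hostname is a placeholder. The registrar check is a substring match because the registrar string in WHOIS output varies in form; the robots.txt flag is applied as an extra filter since the post lists it as a shared characteristic.

```python
"""Cross-report IOC overlap and registration-fingerprint pivot (added example).

REPORTS and RECORDS are constructed: goudieelectric[.]shop and the fingerprint
come from the post; everything else is an illustrative placeholder.
"""
import re
from collections import defaultdict

# Common defanging styles seen in threat reports: [.]  (.)  {.}  [dot]
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Normalise a defanged indicator such as 'goudieelectric[.]shop' to a real domain."""
    return _DEFANG.sub(".", ioc.strip().lower())


def defang(domain: str) -> str:
    """Defang a domain again for safe display in a write-up."""
    return domain.replace(".", "[.]")


def overlapping_iocs(reports: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {domain: [sources...]} for every domain named by more than one source.

    This is the overlap a TIP surfaces when each IOC is tagged with its source.
    """
    sources: dict[str, set[str]] = defaultdict(set)
    for source, iocs in reports.items():
        for ioc in iocs:
            sources[refang(ioc)].add(source)
    return {d: sorted(s) for d, s in sorted(sources.items()) if len(s) > 1}


def matches_fingerprint(record: dict) -> bool:
    """True when a registration record carries every attribute the cluster shares."""
    domain = refang(record["domain"])
    name_servers = [ns.lower().rstrip(".") for ns in record.get("name_servers", [])]
    return (
        domain.endswith(".shop")                                    # gTLD
        and "publicdomainregistry" in record.get("registrar", "").lower()  # registrar
        and bool(name_servers)
        and all(ns.endswith("cloudflare.com") for ns in name_servers)       # name servers
        and bool(record.get("has_robots_txt", False))               # robots.txt present
    )


def find_unreported(records: list[dict], reports: dict[str, list[str]]) -> list[str]:
    """Domains matching the fingerprint that no collected report has named yet."""
    known = {refang(i) for iocs in reports.values() for i in iocs}
    hits = {refang(r["domain"]) for r in records if matches_fingerprint(r)}
    return sorted(hits - known)


# Constructed report contents: only goudieelectric[.]shop is from the post.
REPORTS = {
    "Fortinet": ["goudieelectric[.]shop", "alpha-example[.]shop"],
    "Cyble": ["goudieelectric[.]shop"],
    "Deep Instinct": ["bravo-example[.]shop"],
}

# Constructed WHOIS-style records; name server hostnames are placeholders.
_PDR = "PDR Ltd. d/b/a PublicDomainRegistry.com"
_CF = ["ada.ns.cloudflare.com", "kip.ns.cloudflare.com"]
RECORDS = [
    {"domain": "goudieelectric.shop", "registrar": _PDR, "name_servers": _CF, "has_robots_txt": True},
    {"domain": "charlie-example.shop", "registrar": _PDR, "name_servers": _CF, "has_robots_txt": True},
    {"domain": "delta-example.shop", "registrar": _PDR, "name_servers": ["ns1.example-dns.net"], "has_robots_txt": True},
    {"domain": "echo-example.com", "registrar": _PDR, "name_servers": _CF, "has_robots_txt": True},
    {"domain": "alpha-example.shop", "registrar": _PDR, "name_servers": _CF, "has_robots_txt": True},
    {"domain": "foxtrot-example.shop", "registrar": "Example Registrar LLC", "name_servers": _CF, "has_robots_txt": False},
]

if __name__ == "__main__":
    for domain, sources in overlapping_iocs(REPORTS).items():
        print(f"{defang(domain)} reported by {', '.join(sources)}")
    for domain in find_unreported(RECORDS, REPORTS):
        print(f"unreported match: {defang(domain)}")
```

In practice the records would come from a registration-data provider such as those named in the note above; the filter logic stays the same, and the set difference against already-collected IOCs is what turns a pattern search into a list of new leads.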

Finding Related Malware Samples

Using the list of similar domains that were uncovered through the registration pattern search, it is then possible to find additional malware samples communicating with them.

This can be achieved by looking up each domain in VirusTotal and checking the Relations tab, which lists the files observed communicating with it, as shown in Figure 4 below.

Figure 4. Additional malware samples uncovered via the VirusTotal relations tab

Using a VirusTotal graph can help to reveal every communicating file with every domain discovered through the registration pattern search, as shown in Figure 5 below.

Figure 5. All communicating files with every additional domain identified.

URL to the VirusTotal Graph: https://www.virustotal.com/graph/embed/gd2c04407d9ba4b75b2ce73d6155d166d3ef75eaf29894ff5ac287c90400072bc?theme=dark

URL to the VirusTotal Collection: https://www.virustotal.com/gui/collection/2aa6b36a717be8bc49f7925434ca40f3ecb9f628414b491da3e985677508ca08/iocs
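The relationship shown in Figures 4 and 5 (domain to communicating files) is also exposed by the VirusTotal API v3 at /api/v3/domains/{domain}/communicating_files, authenticated with an x-apikey header. The following is an added example, not code from the post, showing how to parse that relationship for several domains and pick out samples that talk to more than one domain in the cluster, which is the strongest link a graph like Figure 5 reveals. The JSON below is constructed in the shape of a v3 relationship response; every hash in it is a placeholder, not a real sample, and the second domain name is invented. The live fetch assumes an API key entitled to read that relationship.

```python
"""Domain -> communicating-file pivot over VirusTotal API v3 (added example).

SAMPLE_PAGES is constructed: hashes are placeholders, and only
goudieelectric.shop is a domain from the post.
"""
import json
import urllib.request
from collections import defaultdict

VT_API = "https://www.virustotal.com/api/v3"


def communicating_files_request(domain: str, api_key: str, limit: int = 40) -> urllib.request.Request:
    """Prepare the v3 relationship request; the caller decides when to send it."""
    url = f"{VT_API}/domains/{domain}/communicating_files?limit={limit}"
    return urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})


def fetch_communicating_files(domain: str, api_key: str) -> dict:
    """Live lookup (not exercised offline); returns one page of the relationship."""
    with urllib.request.urlopen(communicating_files_request(domain, api_key)) as resp:
        return json.load(resp)


def next_page_url(response: dict):
    """v3 relationship pages carry links.next when more results exist."""
    return response.get("links", {}).get("next")


def parse_communicating_files(response: dict) -> list[dict]:
    """Extract sha256, file type and malicious-vendor count from a response page."""
    files = []
    for obj in response.get("data", []):
        if obj.get("type") != "file":
            continue
        attrs = obj.get("attributes", {})
        stats = attrs.get("last_analysis_stats", {})
        files.append({
            "sha256": obj["id"],
            "type": attrs.get("type_description", "unknown"),
            "malicious": stats.get("malicious", 0),
        })
    return files


def build_graph(pages: dict[str, dict]) -> dict[str, set[str]]:
    """Map each file hash to the set of cluster domains it communicates with."""
    graph: dict[str, set[str]] = defaultdict(set)
    for domain, response in pages.items():
        for f in parse_communicating_files(response):
            graph[f["sha256"]].add(domain)
    return dict(graph)


def shared_samples(graph: dict[str, set[str]]) -> dict[str, list[str]]:
    """Files tied to more than one domain: the edges that bind the cluster together."""
    return {h: sorted(d) for h, d in graph.items() if len(d) > 1}


# Constructed responses in the v3 relationship shape; hashes are placeholders.
_HASH_A = "a1" * 32
_HASH_B = "b2" * 32
SAMPLE_PAGES = {
    "goudieelectric.shop": {
        "data": [
            {"type": "file", "id": _HASH_A,
             "attributes": {"type_description": "Win32 DLL", "last_analysis_stats": {"malicious": 31, "undetected": 39}}},
            {"type": "file", "id": _HASH_B,
             "attributes": {"type_description": "MS Excel Spreadsheet", "last_analysis_stats": {"malicious": 27, "undetected": 35}}},
        ],
        "links": {"self": f"{VT_API}/domains/goudieelectric.shop/communicating_files?limit=40"},
    },
    "sample-two.shop": {
        "data": [
            {"type": "file", "id": _HASH_B,
             "attributes": {"type_description": "MS Excel Spreadsheet", "last_analysis_stats": {"malicious": 27, "undetected": 35}}},
        ],
        "links": {"self": f"{VT_API}/domains/sample-two.shop/communicating_files?limit=40"},
    },
}

if __name__ == "__main__":
    for sha256, domains in shared_samples(build_graph(SAMPLE_PAGES)).items():
        print(f"{sha256} contacts {', '.join(domains)}")
```

Paginating with next_page_url and feeding every cluster domain into build_graph reproduces the full picture of Figure 5; the shared_samples output is the short list worth prioritising for analysis, since a single sample bound to several domains confirms the registration-pattern link independently.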

Lessons Learned

In conclusion, it is important for CTI analysts to inspect more closely the attributes of the IOCs they come across. It is not uncommon for state-sponsored APT groups to make such mistakes when creating their infrastructure to launch attacks from. By exploiting this fact, CTI analysts can learn much more about the adversary’s targets, capabilities, and the behaviours of the humans themselves behind such campaigns.

The importance of this type of work was demonstrated in December 2023 when the US Treasury sanctioned members of the Russian APT group known as Callisto (aka Star Blizzard, BlueCharlie, COLDRIVER, GOSSAMER BEAR). The real-world identity of Andrey Korinets was revealed after he was sanctioned for fraudulently creating and registering malicious domain infrastructure for Russian federal security service (FSB) spear phishing campaigns.
