Note: This article was initially written by the QuoINT Team as part of QuoScient GmbH. Since the foundation of QuoIntelligence in March 2020, this article was transferred to this website on 21 April 2020.
Over the last few years, QuoINT has tracked activities attributed to the Cobalt group, and observed their notable evolution and continuously improving Tactics, Techniques, and Procedures (TTPs).
Since September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a specific timeframe but exhibit enough differenced to attribute them to separate threat actors. This blog post provides an overview on a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02. The success of GC operations heavily relies on a specific MaaS sold in underground forums, which provides customers with the malwares and the infrastructure they need for targeted attacks. The service owner provides the MaaS through the use of the following toolkits: Venom and Taurus building kits for crafting documents used to deliver the attack, and the more_eggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.
Between November 2017 and July 2018, we attributed to GC02 five spear phishing waves which indiscriminately targeted companies and organizations in at least India and the United States. As a result of using the same MaaS provider, GC02 and Cobalt group’s TTPs and infrastructure strongly overlapped in May 2018, making it hard at first glance to differentiate the two threat actors.
Between August and October 2018, we attributed to GC01 nine spear phishing waves targeting multiple companies and organizations operating in the financial industry. Throughout the campaign, we observed the installation of multiple Remote Access Tool (RAT) variations as the result of a successfully compromised victim machine.
By highlighting the multi-layer infrastructure adopted by Cobalt and Golden Chickens, as well as the multi-client business model of the MaaS behind it, we emphasize the difficulty of performing reliable attribution for cyberattacks, and the high uncertainty that analysts are confronted with during the process. To note, other researchers reported the same Indicators of Compromise (IoC) and C2 infrastructure covered in this blog post. We hope that our attribution will clarify the current threat landscape and make the covered threat actor profiles more accurate.
The following blog post is a preview of the Intelligence Assessment we will disseminate to our clients, partners, and vetted requesters.
Cyber attribution is becoming increasingly challenging as threat actors frequently use false flag techniques and shared infrastructure to increase the resiliency of their operations against takedowns and law enforcement investigations. Especially for e-Crime actors, it is a common practice to rent the same bulletproof infrastructure or botnet used by other e-Crime groups, resulting in the increased likelihood for an overlap of C2 servers. In the last years, we have noted a tendency of threat actors outsourcing even more parts of the kill-chain to third parties by using/offering MaaS solutions. Figure 1 shows an example of such a network where multiple stakeholders are involved.
A threat actor can buy several malware from multiple developers, rent the C2 infrastructure from various providers, and deliver the attack vector to victims from yet another provider. This compartmentalized business relationship guarantees the threat actor an elevated level of privacy and deniability since the involved stakeholders rarely know the full scale of the operation. On the other hand, those providers offering MaaS solutions simplify the entire process through One Stop Shop solutions, where one single entity sells and rents both the malware and the infrastructure needed for an attack.
When profiling e-Crime threat actors, we always deal with the hypothesis that the malware and C2 infrastructure we are analyzing do not belong to the threat actor per se, but rather to the used MaaS provider. When we confirm the use of a MaaS, the attribution process focuses on how and when threat actors used it, and who they targeted. By using such an approach, we were able to differentiate past spear phishing campaigns mistakenly attributed to the Cobalt group and characterize two distinct threat actors — GC01 and GC02 — and the MaaS used by them to carry out their attacks.
Golden Chickens’ MaaS
From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”). The following section explains the operational model of the Provider, and the toolkits used to deliver the requested service to paying customers.
A typical business case between a threat actor and the Provider is shown in Figure 2 and detailed below.
1. Threat actors buy the service offered and then give the Provider Operator the final payload to be executed on the infected machine. Since we have observed the same threat actor using the Provider to different extents, we assess that the Provider Operator’s offering is modular.
2. The Provider Operator builds the malicious document (maldoc), the backdoor, and prepares the server infrastructure needed for the execution of the attack. Next, the backdoor is stored on a webserver and the full URL path of it is embedded into the maldoc. Lastly, the C2 panel that the backdoor will beacon to is set up.
3. The Provider returns the maldoc to the threat actor. Although not confirmed, the Provider Operator also likely delivers the access details for the backdoor’s C2 web panel.
4. The threat actor disseminates (directly or through the use of a botnet) the maldoc via spear phishing.
5. Once the maldoc is executed on a victim’s machine, it will retrieve and execute the backdoor from the hardcoded web location.
6. The backdoor beacons to the hardcoded C2 on a regular basis and executes the commands it receives.
7. Finally, the threat actor (or the Provider) will review the system details of the infected machine reported by the backdoor, and eventually deploy the final payload.
Building Kits Used
The Provider relies on the use of specific malicious artifacts advertised in the underground since 2017. Those artifacts are generated by three building kits and offered to paying customers with the supporting C2 infrastructure.
VenomKit. VenomKit is a tool that threat actors can use to craft malicious Rich Text File (RTF) documents that exploit multiple vulnerabilities, including CVE-2017–11882, CVE-2018–0802, and CVE-2018–8174. Successful exploitation leads to batch and scriptlet files being dropped and executed in order to download the second stage payload from a Web resource. The AV detection rate for RTF documents generated by VenomKit is moderate to high due to the exploitation of known vulnerabilities.
Taurus Builder Kit. The Taurus Builder Kit generates Microsoft Word documents weaponized with malicious Visual Basic for Application (VBA) macro code. Unlike the malicious RTFs created by VenomKit, the weaponized Word documents require user interaction in order to enable the contained malicious code. On the other hand, documents generated by this kit are more resilient to AV detection due to the use of multiple layers of obfuscation in the VBA code.
Once the VBA code is enabled by the user, documents created by Taurus Builder Kit will download and execute additional malware by using multiple legit Windows tools in order to bypass AppLocker.
Threat actors can ask for the customization of the backdoor by requesting the addition of specific variables or entire functionalities. For instance, more_eggs samples attributed to GC02 contained the extra variable Researchers, differently from the ones attributed to GC01 or Cobalt Group.
Although not confirmed, it is reasonable to assume that multiple more_eggs used by different threat actors cannot share the same Gate value due to the derived complication that would imply for the backend to understand which C2 communications belong to which threat actor using the infrastructure. However, the same C2 server can host multiple gates by using different web pages; hence, multiple threat actors might use distinct gates hosted on the same domain name. Additionally, the Rkey variable can be considered as something that is randomly generated every time a new sample is created for a customer (i.e. the relationship between the threat actor and RKey used is likely 1:1). Due to this consideration, we used the Rkey variable while clustering attacks together and attributing them to specific threat actor.
The Provider Operator demonstrates notable efforts in keeping the more_eggs backdoor updated by fixing bugs and adding new features: in the last year alone, we observed six different versions in use, from 2.0 to the most recent version 5.4. Notably, more_eggs backdoors are also capable of automatically updating themselves to the latest version, and even updating the configured Gate variable.
Threat Activity Analysis
The following section highlights the operations and TTPs of three distinct threat actors that have used the Provider in the last year: the Cobalt Group, GC01 and GC02.
Figure 4 represents the multiple spear phishing campaigns we have attributed to either Cobalt or the GC family during the last year. While all GC campaigns used the Provider, only those attributed to Cobalt in May, June, and on 2 August used the Provider. QuoINT determines the level of confidence based on both the reliability of the information processed, and the extent of the analytic techniques adopted during the analysis.
Our analysis distinguished three different threat actors based on the following factors:
- Targeting. Which types of companies the threat actors targeted.
- Use of the MaaS. How the Provider was used, to what extent, and the configuration requested.
- Final Payload. What final payload the MaaS delivered.
- Time of attack. When the threat actor used the Provider
In May 2018, Cobalt executed three different spear phishing campaigns in between two GC02 campaigns. The attacks leveraged the same Provider since they used maldocs generated by either VenomKit or Taurus Building Kit, more_eggs, and the Provider’s C2 infrastructure. However, as also highlighted by researchers, the attacks presented key differences based on (a) the targeting; (b) the attack vector, and; ( c) the more_eggs configuration.
Figure 4 also shows that the Cobalt group ceased to use the Provider after the campaign on 2 August, and then started to consistently use different malware and infrastructure.
Tactics, Techniques, and Procedures
Figure 5 details the TTPs we observed during all the attacks that leveraged the Provider.
1. Delivery. Each campaign began with a spear phishing email, but each presented differences depending on the threat actor behind the attack:
- GC threat actors used either compromised or spoofed email addresses. Furthermore, GC01 targeted companies and organizations operating in the financial industry mainly in Europe, Africa, and Asia. Differently, GC02 indiscriminately targeted companies and organizations in at least India and the United States.
- Cobalt also used compromised addresses but only in three attacks. The other 12 spear phishing emails were sent from domain names previously registered by them, imitating a specific organization. Registration of look-alike domains is a common technique used by Cobalt Group. Lastly, all Cobalt campaigns targeted financial institutions and organizations mainly in Europe, Asia and Middle East.
2. Exploitation I (Optional). Both threat actor groups used a non-malicious PDF, luring the user to click on the contained link in order to download the maldoc. The attackers used a technique known as Google Redirector which consists of appending the malicious URL at the end of a Google logout URL. By doing this, the user will first visit the legit Google logout page and then automatically be redirected to the final URL, triggering the download of the malicious document.
- GC01 always used this technique. GC02 used this technique in all but one campaign (10 July), which is one reason why we assessed such attribution with low confidence.
- Cobalt only used this technique two times, during the campaigns of 7 and 29 June.
It is not clear to us if the Provider Operator offers the non-malicious PDF (with Google Redirector technique) directly or recommends the use of a third-party kit. To note, we are aware of attacks in the wild using this technique, but without relying on the Provider altogether.
3. Exploitation II — Getting the Maldoc. The user downloads either a macro-weaponized Word document created by Taurus Builder Kit, or a malicious RTF created by VenomKit. Successful execution of the maldocs initiates the download of additional batch scripts and then the ultimate download of the more_eggs backdoor.
- GC01 and GC02 used newer more_eggs versions: 3.0, 4.2, 4.4, 5.2 and 5.4. GC02 used the variable Researchers assigned with the value “We are not cobalt gang, stop associating us with such skids!“.
- Cobalt Group only used more_eggs versions 2.0, having a specific command named via_x. This command is used to execute additional executables via cmd.exe. For those campaigns that were not using the non-malicious PDF attack vector, the victims got the downloader through either browsing a link included in the email body, or directly through the email attachment.
4. C2 I — Getting the Backdoor. The maldoc retrieves more_eggs from a remote location and executes it. Next, the backdoor starts beaconing to the C2 defined in the Gate variable.
5. C2 II — Getting the Final Payload. Once the threat actor (or the Provider Operator) determines that the infected system is of interest, the final payload is eventually pushed and executed. To note, we were not always able to get the final payload because the more_eggs C2 normally has a short lifetime. However, we were able to observe the following different payloads being distributed by the different threat actors:
- Campaigns attributed to GC01 resulted in the download of three different RATs: Netwire, Remcos, and Revenge.
- Campaigns attributed to Cobalt Group resulted in the download of either the CobInt backdoor, or the Cobalt Strike beacon. So far, CobInt is a backdoor that was only observed in Cobalt Group campaigns, while Cobalt Strike is a notorious attack framework used to execute Red Team exercises. We consider the use of CobInt and Cobalt Strike as a final payload a strong indicator while attributing attacks to the Cobalt Group.
In general, the continued adoption of threat actors leveraging MaaS plays two roles in the cyber threat landscape: (a) it enables less sophisticated actors to execute attack campaigns against high value targets, which may otherwise be out of scope due to the potentially multi-layer perimeter defenses, and; (b) it creates a cluster of technical indicators from the same infrastructure that complicates attribution efforts. During our analysis, we identified three threat actors utilizing one particular MaaS which has operated for almost two years, proving its success and profitability. As a result, this scenario of multiple actors using the same MaaS further corroborates why attribution of campaigns incorporating aspects of MaaS becomes more complex to distinguish due to the presumable overlap in technical indicators.
QuoINT continues to track the activity of these threat actors to help our customers both identify and thwart potential attacks against their environments.
Our Intelligence Assessment will also cover the following points:
- More information about the Provider, its Operator, and the services advertised:
- Assessment on current and prospected capabilities of the Provider
- In depth analysis of each spear phishing campaign covered
- Full IoC list per Kit, TA, and campaign
- Recommended Course of Actions
- MITRE ATT&CK mapping
You can request it here.
 To note, we only included in the timeline those campaigns attributed to Cobalt group that used the Provider or occurred near or in the same month of GC’s activities. Hence, we excluded Cobalt’s activities occurring in January, February, and March 2018. Additionally, this reporting only includes intelligence obtained until October 2018.
Indicators of Compromise
Payment Details REF # 18110486098
Payment Details REF # 18110486098
Re: Payment Ref 34981***** receive problem
Re: Bank query / S-170526–005399
Fund Transfer 08-October-2018
Confirmations on October 16, 2018
Email Attachments (Not-Malicious PDF with Google Redirector)
Google Redirector links
Description of my complaint about your service
Email Attachments (Not-Malicious PDF with Google Redirector)
Google Redirector links
GC Maas C2 infrastructure