28 C
Mumbai
Thursday, March 28, 2024
HomeCyber AttacksClasiopa hackers use new malware in targeted attacks

Clasiopa hackers use new malware in targeted attacks

Date:

Related stories

Remote Access Trojan (RAT): Their Types, Mitigation & Removal

Remote Access Trojan (RAT): Their Types, Mitigation & Removal Post...

Chinese Hackers Exploited Barracuda’s ESG Appliances

Chinese Hackers Exploited Barracuda's ESG Appliances Barracuda has revealed that...

China-Linked Budworm Targeting Middle Eastern Telco & Asian Government Agencies

China-Linked Budworm Targeting Middle Eastern Telco & Asian Government...

Most Important Cyber Security Tips 2023

Most Important Cyber Security Tips 2023 Important Cyber Security Security...

Every Business Owner 10 Essential Cybersecurity Facts Must Know

Every Business Owner 10 Essential Cybersecurity Facts Must Know In...

Clasiopa hackers use new malware in targeted attacks

On Feb. 22, Symantec revealed evidence of a previously undocumented threat actor it’s calling “Clasiopa.” Clasiopa has been observed deploying a unique malware backdoor called “Atharvan” in its campaign against a materials manufacturer based in Asia.

Security researchers have observed a hacking group targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan.

Clasiopa attack details

Although there is no strong data to indicate a particular initial infection vector, Symantec researchers found hints suggesting that Clasiopa uses brute force to gain access to public facing servers.

Symantec reports that the attackers perform various actions post-compromise, including:

  • checking the IP address of the breached system
  • disabling endpoint protection products by stopping their services
  • deploying malware that can scan for specific files and exfiltrate them as ZIP archives
  • clearing Sysmon logs and eventlogs to wipe the traces of the malicious activity
  • creating a scheduled task (“network service”) to list file names

Symantec’s investigation revealed that along with its backdoor, Clasiopa also used legitimate software such as Agile DGS and Agile FD, signed with old certificates.

The hackers relied on two backdoors for their attack: the custom Atharvan and the open source Lilith RAT. The latter can be used to execute commands, run PowerShell scripts, and to manipulate processes on the breached system.

Clasiopa also used a custom proxy tool and “Thumbsender,” a utility that lists files on the host and saves them locally in a database that can be exfiltrated at a later time to a specified IP address.

Atharvan capabilities

Atharvan is the most interesting of the tools used by Clasiopa because it is a custom backdoor not seen in any other attacks in the wild.

Upon execution, it creates a mutex to prevent multiple processes of itself running and then contacts a hardcoded command and control (C2) address in an unusual location, the  Amazon Web Services infrastructure in Seoul, South Korea.

Below is a sample of the backdoor’s communication with the C2 server, formatted as HTTP POST requests to an allegedly legitimate host, Microsoft’s update server.

Sample of the malware’s HTTP POST requests (Symantec)

In terms of its capabilities, Atharvan download files on the compromised computer, run executables, execute commands and send back their output.

Commands supported by Atharvan
Commands supported by Atharvan (Symantec)

The researchers note that Atharvan’s communications with the C2 are protected using a simple algorithm to XOR each byte of the plaintext with the value “2” to produce the ciphertext. This does not achieve a strong encryption result but can still help the malware evade some network traffic monitoring tools.

Simple encryption scheme used for C2 communications
Simple encryption scheme used for C2 communications (Symantec)

The hint pointing to a threat actor in India is a mutex in Hindi that the researchers discovered in the custom backdoor: “SAPTARISHI-ATHARVAN-101,” Atharvan referring to a legendary priest in Vedic mythology, the son of Brahmā, the Creator. Another hint is a password the attacker used for a ZIP archive, which was “iloveindea1998^_^.”

Both clues, however, could very well be a false flags planted for erroneous attribution.

Atharvan backdoor is largely undetected at the moment. There is only one sample available on the VirusTotal scanning platform and it is marked as a threat by just two antivirus engines.

AtharvanRAT detection rate

Clasiopa’s goals remain unclear at the moment but cyberespionage appears to be the motivation behind the attacks. The researchers say that the threat actor has been targeting victims in Asia.

Symantec’s report provides a set of hashes for the malware discovered in malicious campaigns attributed to Clasiopa.

Who Is Clasiopa?

The clues to learning about Clasiopa may lie in its unique malware, Atharvan — “a classic backdoor,” as O’Brien says. “It allows the attackers to maintain an open communication channel with the infected computer, install additional tools, and send back information to the attackers.”

Function aside, its name may be its most notable feature. The name derives from “SAPTARISHI ATHARVAN-101,” a mutual exclusion object (“mutex”) the malware creates after infecting a target machine, to ensure multiple copies of itself aren’t running at once. “Saptarishi,” in ancient Indian astronomy, is the word for the arrangement of stars in the Big Dipper. Atharvan is the name of a mythic Hindu sage.

And there was another breadcrumb indicating Indian origin. One of the passwords Clasiopa used for a zip archive was iloveindea1998^_^.

However, these clues are actually so obvious that they invite suspicion. “While these details could suggest that the group is based in India,” the researchers hypothesized, “it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue.”

Many other details about the group remain undisclosed or unknown. This may be in part due to the stealth tactics utilized in the campaign, some subtle and some overt. For now, threat analysts should stay tuned: To learn anything more about Clasiopa, we may need to wait until it strikes again.

Found this article interesting then share with your friends.

For cyber security related free consultation click here

Technogeek Online
Technogeek Onlinehttps://technogeek.online
Technogeek Online mission is to be a digital for technical decision-makers to gain knowledge about transformative technology. We deliver essential information on cyber technologies and strategies to guide you as you lead your organizations. We are inviting you to become a member of our community.

Subscribe

- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here