Clasiopa hackers use new malware in targeted attacks
On Feb. 22, Symantec revealed evidence of a previously undocumented threat actor it’s calling “Clasiopa.” Clasiopa has been observed deploying a unique malware backdoor called “Atharvan” in its campaign against a materials manufacturer based in Asia.
Security researchers have observed a hacking group targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan.
Clasiopa attack details
Although there is no strong data to indicate a particular initial infection vector, Symantec researchers found hints suggesting that Clasiopa uses brute force to gain access to public-facing servers.
Symantec reports that the attackers perform various actions post-compromise, including:
- checking the IP address of the breached system
- disabling endpoint protection products by stopping their services
- deploying malware that can scan for specific files and exfiltrate them as ZIP archives
- clearing Sysmon logs and Windows event logs to wipe the traces of the malicious activity
- creating a scheduled task (“network service”) to list file names
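The post-compromise steps listed above (stopping security services, clearing Sysmon and event logs, creating a scheduled task named "network service") are all visible in host telemetry. The following is an added example, not part of this article or of Symantec's report, of a small detector that flags those behaviours when run over Sysmon-style process-creation records and Windows log-cleared events. The record layout, the service name, and the scheduled task's command are constructed for illustration; the task name "network service" and the other behaviours come from the list above.

```python
# Added example (not from the article or Symantec): flag the post-compromise
# behaviours attributed to Clasiopa in constructed host telemetry.
import re

# Constructed records in a simplified Sysmon / Windows event shape.
# EventID 1 = Sysmon process creation; 1102 = Security audit log cleared;
# 104 = an event log file was cleared (logged in the System channel).
SAMPLE_EVENTS = [
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop ExampleEndpointProtection"},          # constructed service name
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Microsoft-Windows-Sysmon/Operational"},
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "network service" '
                    '/tr "cmd /c dir /s C:\\ > list.txt" /sc daily'},  # constructed action
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},                      # benign control record
    {"EventID": 1102, "Channel": "Security", "Image": "", "CommandLine": ""},
    {"EventID": 104, "Channel": "System", "Image": "", "CommandLine": ""},
]

# Command-line rules applied to process-creation records only.
COMMAND_RULES = [
    ("service_stop",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\b", re.I)),
    ("eventlog_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("suspicious_schtask",
     re.compile(r'\bschtasks(\.exe)?\s+/create\b.*?/tn\s+"?network service"?', re.I)),
]

# Event IDs that directly record a cleared log, regardless of the tool used.
LOG_CLEARED_IDS = {1102, 104}


def match_event(event: dict) -> list:
    """Return the names of every rule the record triggers (empty list if none)."""
    hits = []
    if event["EventID"] in LOG_CLEARED_IDS:
        hits.append("log_cleared")
    if event["EventID"] == 1:
        cmdline = event.get("CommandLine", "")
        hits.extend(name for name, rx in COMMAND_RULES if rx.search(cmdline))
    return hits


def scan(events: list) -> list:
    """Scan a sequence of records; return (record, hits) for every record that fires."""
    alerts = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            alerts.append((ev, hits))
    return alerts


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        label = ev["CommandLine"] or f"EventID {ev['EventID']} in {ev['Channel']}"
        print(f"{', '.join(hits):<20} <- {label}")
```

The `service_stop` rule is deliberately generic here; in production it should be narrowed to the names of the endpoint protection services actually deployed, and correlated with a log-cleared event or the "network service" task within a short window, since the combination is far more specific to this activity than any single rule.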
Symantec’s investigation revealed that along with its backdoor, Clasiopa also used legitimate software such as Agile DGS and Agile FD, signed with old certificates.
The hackers relied on two backdoors for their attack: the custom Atharvan and the open-source Lilith RAT. The latter can be used to execute commands, run PowerShell scripts, and manipulate processes on the breached system.
Clasiopa also used a custom proxy tool and “Thumbsender,” a utility that lists files on the host and saves them locally in a database that can be exfiltrated at a later time to a specified IP address.
Atharvan is the most interesting of the tools used by Clasiopa because it is a custom backdoor not seen in any other attacks in the wild.
Upon execution, it creates a mutex to prevent multiple processes of itself running and then contacts a hardcoded command and control (C2) address in an unusual location, the Amazon Web Services infrastructure in Seoul, South Korea.
Below is a sample of the backdoor's communication with the C2 server, formatted as HTTP POST requests that appear to be directed at a legitimate host, Microsoft's update server.
In terms of its capabilities, Atharvan can download files to the compromised computer, run executables, execute commands, and send back their output.
The researchers note that Atharvan's communications with the C2 are obfuscated using a simple algorithm: each byte of the plaintext is XORed with the value "2" to produce the ciphertext. This provides no real confidentiality, but it can still help the malware evade some network traffic monitoring tools that look for plaintext patterns.
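Because a single-byte XOR is its own inverse and has only 255 possible keys, a defender inspecting captured C2 bodies can recover the plaintext without knowing the key in advance. The following is an added example, not code from the article or from Symantec, that decodes a constructed Atharvan-style POST body with the key value 2 stated above and also brute-forces the key by scoring each candidate for printable ASCII. The sample payload and the scoring threshold are assumptions made for illustration.

```python
# Added example (not from the article or Symantec): recover single-byte-XOR
# obfuscated C2 traffic of the kind described for Atharvan (key 0x02).

XOR_KEY = 0x02  # value reported for Atharvan in the article


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def recover_single_byte_xor(data: bytes, threshold: float = 0.95):
    """Try every non-zero one-byte key and return (key, plaintext) for the
    candidate with the highest printable ratio, or None if nothing looks
    like text. Key 0 is skipped because it would mean no encoding at all."""
    best_ratio, best_key, best_plain = -1.0, None, b""
    for key in range(1, 256):
        candidate = xor_bytes(data, key)
        ratio = printable_ratio(candidate)
        if ratio > best_ratio:
            best_ratio, best_key, best_plain = ratio, key, candidate
    if best_ratio >= threshold:
        return best_key, best_plain
    return None


def looks_like_xor_c2(body: bytes) -> bool:
    """Monitoring-side check: a body that is not readable as-is but becomes
    readable under some one-byte XOR key is worth an alert."""
    if printable_ratio(body) >= 0.95:
        return False  # already plaintext; other rules handle it
    return recover_single_byte_xor(body) is not None


# Constructed sample: a command and its output as a POST body might carry them.
SAMPLE_PLAINTEXT = b"cmd=whoami\r\nout=corp\\svc_backup\r\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("known-key decode:", xor_bytes(SAMPLE_CIPHERTEXT, XOR_KEY))
    print("brute-forced:", recover_single_byte_xor(SAMPLE_CIPHERTEXT))
    print("flag as XOR C2:", looks_like_xor_c2(SAMPLE_CIPHERTEXT))
```

The printable-ratio score is crude but sufficient for this scheme; for binary file transfers over the same channel the brute force will not find a readable candidate, so a production rule should pair it with the hardcoded C2 address and the spoofed Host header the report describes.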
The hint pointing to a threat actor in India is a mutex in Hindi that the researchers discovered in the custom backdoor: “SAPTARISHI-ATHARVAN-101,” Atharvan referring to a legendary priest in Vedic mythology, the son of Brahmā, the Creator. Another hint is a password the attacker used for a ZIP archive, which was “iloveindea1998^_^.”
Both clues, however, could very well be false flags planted to mislead attribution.
The Atharvan backdoor is largely undetected at the moment. There is only one sample available on the VirusTotal scanning platform, and it is marked as a threat by just two antivirus engines.
Clasiopa's goals remain unclear at the moment, but cyberespionage appears to be the motivation behind the attacks. The researchers say that the threat actor has been targeting victims in Asia.
Symantec’s report provides a set of hashes for the malware discovered in malicious campaigns attributed to Clasiopa.
Who Is Clasiopa?
The clues to learning about Clasiopa may lie in its unique malware, Atharvan — “a classic backdoor,” as O’Brien says. “It allows the attackers to maintain an open communication channel with the infected computer, install additional tools, and send back information to the attackers.”
Function aside, its name may be its most notable feature. The name derives from “SAPTARISHI ATHARVAN-101,” a mutual exclusion object (“mutex”) the malware creates after infecting a target machine, to ensure multiple copies of itself aren’t running at once. “Saptarishi,” in ancient Indian astronomy, is the word for the arrangement of stars in the Big Dipper. Atharvan is the name of a mythic Hindu sage.
And there was another breadcrumb indicating Indian origin. One of the passwords Clasiopa used for a ZIP archive was iloveindea1998^_^.
However, these clues are actually so obvious that they invite suspicion. “While these details could suggest that the group is based in India,” the researchers hypothesized, “it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue.”
Many other details about the group remain undisclosed or unknown. This may be in part due to the stealth tactics used in the campaign, some subtle and some overt. For now, threat analysts should stay tuned: to learn anything more about Clasiopa, we may need to wait until it strikes again.