Karkoff 2020: a new APT34 espionage operation involves Lebanon Government

03/02/2020

Introduction

In November 2018, researchers from Cisco Talos tracked and detailed a “DNSEspionage” campaign against targets in Lebanon and UAE. At the time of the report, the threat actor carried out a cyber espionage campaign by redirecting DNS traffic from domains owned by the Lebanon government to target entities in the country.

In April 2019, Cisco Talos discovered evidence of the link between APT34 (codename Helix Kitten or OilRig) and the “DNSEspionage” operation. Talos analysts discovered several overlaps in the infrastructure employed by attackers and identified common TTPs. They tracked this new implant “Karkoff”.

Experts from Cybaze/ Yoroi Zlab, as part of ordinary Threat Intelligence activities, spotted a new sample which they believe to be an update of the Karkoff implant. It could prove that APT34 is still active and threat actors used it in a new campaign that appears to be active at the time of writing. The APT group made some changes in its technique, tactics, and procedures, but the target is the same, the Lebanon Government.

In this campaign, the APT group may have compromised a Microsoft Exchange Server belonging to a Lebanon government entity, in fact, we found some evidence in the communication logic.

This new implant has some similarities with the samples of Karkoff involved in past campaigns, including:

similar Macro structure
.NET modular implant with similar logic
exploit Microsoft Exchange Server as communication channel

Moreover, the new Karkoff implant implements a new reconnaissance logic in order to drop the final payload only to specific targets, gathering system information, the domain name, hostname and running Operating System.

Update

A few hours before this report has been publicly disclosed, malware researchers at the Italian cyber security firm Telsy also published their analysis.

Both reports are related to the same sample, but let me suggest reading both analyses to have a clear vision of the threat actors and all the technical details related to the implant. The report published by Telsy is available here: LINK.

Technical Analysis

Hash	926e29f9242feb3e11c532616f7c90c5d7acab115d38ebf748cabaaa6a2a3667
Threat	APT34 Karkoff macro loader
Brief Description	Malicious Excel macro
Ssdeep	24576:zLNkxqHOPi1K5sLMKd2rVIehO/KBhjPyVuVX/+2PPbK:wl4E

Table 1. Sample information

The Malware is an Excel Document with a malicious macro embedded. The following image (Fig:1) shows the highlights of the extracted code.

Fig.1. Malicious Macro: drop and execute monitor.exe

The macro extracts a custom base64 code from the body of the file and, after a decoding routine, it downloads an executable file into the following path “C:\Users\public\.Monitor\monitor.exe”. Persistence is assured by scheduling a new task named SystemExchangeService.

Fig.2.Persistence with SystemExchangeService

The extracted payload is summed up as follows: :

Fig.3.Static details of monitor.exe

The payload were not obfuscated at all. This made a simple and quick analysis.

As shown in the above figure, the creation date is on 29 February, this is an indicator of the recent build of this implant. Moreover, a small file size (1.13MB) allows malicious content to be downloaded and executed quickly.

Fig.4. details of compromised mail exchange server parameters

As the first step, as shown in Fig 4, the sample tries to connect to its own command and control server, which happens to be an Exchange mail server belonging to the Lebanon government. Once it connects, the C2 answers back with the list of available commands as attachments in a replied e-mail. Fig 5 shows the GetList function from where we might appreciate the eMail body decoding process. From the body, a custom encoded string is decoded and later it is interpreted as a command.

Fig.5. detail of GetList function responsible for getting the list of available commands as mail attachments

Following our analysis, we noticed the malware tries to connect back and forth to its C2 to get authorization and to share detailed information about the infected system. It used “UserAgent” of the exchange client. Fig 6 shows details on what is hijacked from the victim’s side.

Fig.6. details of Information stolen on the victim’s machine

Another evidence is the domain registration of the second command control: it has been registered on January, 27, probably indicating the date of the beginning of the new attack.

Fig.7. details of domain registration godoycrus[.com

Conclusions

APT34 is still active, and this campaign against the Lebanon government demonstrates it. The new version of the Karkoff malware is the demonstration that the Iran-linked APT34 cyberespionage group continues to improve its arsenal. The sample involved in this campaign implements new reconnaissance capabilities, it implements a covert and effective C2 communication channel through the use of the Microsoft Exchange Protocol.

The Group likely exploited or brute-forced a Lebanon related mail account with another tool of its arsenal, the JASON tool. The Jason tool was leaked at the end of 2019, it could be used by attackers to carry out bruteforce attacks on exchange servers.

Indicators of Compromise

Hashes
- 59cbc7e788425120c2dde50f037afbf3b1d2108c0b7e27540e924cad2463fe5b
- 26995a1cd99a5c70fd7bfa925cb0bbbdbd419bedc2d664dffd3b7c57ad07de66
- 1b2c5354eb567132a341c1b15ad5cc71c3f5ba8e2788b67c0fbc0e7993beb1d2
- ebae23be2e24139245cc32ceda4b05c77ba393442482109cc69a6cecc6ad1393
- 678d59bcd469e4cf236c7af7517c54ab9ad643523383875bd875131d7130941f
C2
- godoycrus[.com
Persistence
- Set Task scheduler

Yara Rules

rule Karkoff_Attack_2020_Excel_macro {
	meta:
  	description = "Yara Rule for new APT34 Karkoff campaign excel malicious macro"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-03-02"
  	tlp = "white"
  	category = "informational"

	strings:
	
	   $a1 = "EncodedData0"
	   $a2 = "NewTask9"
	   $a3 = "EAAMYEKwUAAEsEWQUAAMYEnQUAAMYEqAUAAJwSrgU"
	   $a4 = "TVqQAAMAAAAEAAAA"
    condition:
	all of them

}


rule Karkoff_Campaign_2020 {
	meta:
		description = "Yara Rule for new APT34 Karkoff campaign"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2020-03-02"
		tlp = "white"
		category = "informational"

	strings:
	
	   $a1 = "SystemExchangeService" ascii wide
	   $a2 = "getWindowsVersion" ascii wide
	   $a3 = "GetCommands" ascii wide
	   $s1 = {0A 7A 1E 02 7B 9C 12 00 04 2A}

    condition:
	uint16(0) == 0x5A4D and all of them

}

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_gat_gtag_UA_209986505_1	1 minute	Set by Google to distinguish users.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.