
A malicious campaign attributed to the threat activity cluster tracked as “CL-STA-1020” has been observed targeting government agencies in Southeast Asia, using a previously undocumented Windows backdoor dubbed HazyBeacon.
According to a security researcher from Unit 42, “This backdoor leverages a novel C2 technique in which the backdoor establishes C2 communication via AWS Lambda URLs.” Additionally, the motive behind this campaign appears to be intelligence gathering, targeting government data related to trade disputes.
_____________________________
A. Nature of Attack
Execution & Defense Evasion
The threat actor used DLL sideloading to run HazyBeacon on the targeted machine. A malicious DLL carrying the name of a legitimate .NET component, mscorsvc.dll, was placed in the same directory as mscorsvw.exe, a legitimate Windows executable belonging to the Microsoft .NET Framework. When mscorsvw.exe was launched, it resolved the DLL by name from its own directory and loaded the attacker's file instead of the genuine component; the malicious DLL then connected to an AWS Lambda URL that the actor used as a C2 server. Because the loading process is a signed Microsoft binary, the backdoor runs under a trusted-looking parent process.
Persistence
The threat actor created a Windows service that launches mscorsvw.exe, ensuring the malicious DLL is sideloaded again after every reboot of the compromised system.
Command and Control
Once the malicious DLL (mscorsvc.dll) has established a connection to the C2 server, it receives commands and downloads additional payloads to the compromised system. Because AWS Lambda URLs are legitimate AWS endpoints served over HTTPS, this traffic blends in with ordinary cloud usage and is unlikely to be caught by domain-reputation blocking alone; hunting should focus on which processes are talking to such endpoints.
Discovery and Collection
Based on the observed activity, the first payload executed (igfx.exe) is a file collector. It gathers files matching specific extensions within a given time range and packs them into a single ZIP archive named after the machine. The attackers then used 7z.exe to split the archive into 200 MB parts, a common staging step before exfiltration through services that cap upload sizes.
Additionally, the threat actor performed file discovery to search for documents related to the ongoing trade dispute.
Exfiltration
In this campaign, the threat actor was observed exfiltrating the collected archive parts through legitimate cloud storage services such as Google Drive and Dropbox.
_____________________________
B. Indicators of Compromise (IoCs)
SHA-256 hashes:
279e60e77207444c7ec7421e811048267971b0db42f4b4d3e975c7d0af7f511e
304c615f4a8c2c2b36478b693db767d41be998032252c8159cc22c18a65ab498
3255798db8936b5b3ae9fed6292413ce20da48131b27394c844ecec186a1e92f
4931df8650521cfd686782919bda0f376475f9fc5f1fee9d7cf3a4e0d9c73e30
d20b536c88ecd326f79d7a9180f41a2e47a40fcf2cc6a2b02d68a081c89eaeaa
d961aca6c2899cc1495c0e64a29b85aa226f40cf9d42dadc291c4f601d6e27c3
f0c9481513156b0cdd216d6dfb53772839438a2215d9c5b895445f418b64b886
_____________________________
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Proactively monitor logs and network traffic on identified systems and devices for suspicious or malicious activity, in particular mscorsvw.exe or mscorsvc.dll running from outside the .NET Framework directories and outbound connections to AWS Lambda URLs from unexpected processes.
- The indicators of compromise in section B are provided to support threat hunting and blocking.
- For additional information, kindly refer to the official Unit 42 report: https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/
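As an added example to support the hunting recommended above (this is not CERT-PH's or Unit 42's code), the following Python script checks constructed, Sysmon-like event records for the tradecraft in section A and the hashes in section B: mscorsvw.exe loading mscorsvc.dll from outside the genuine .NET Framework directories, a service pointing at a relocated mscorsvw.exe, connections to AWS Lambda URL hostnames, 7-Zip volume splitting, and IoC hash matches. The event schema and field names, the sample paths, the service name and the Lambda URL hostname are all assumptions made for illustration.

```python
"""Hunt for HazyBeacon tradecraft in Sysmon-like telemetry (added example).

Not CERT-PH's or Unit 42's code. Event dicts and field names are assumed;
map them to your own EDR/SIEM schema before use.
"""
import re
from pathlib import PureWindowsPath

# Genuine home of mscorsvw.exe / mscorsvc.dll (.NET Framework native image
# service). The same file names anywhere else indicate sideloading.
LEGIT_DOTNET_DIRS = (r"c:\windows\microsoft.net\framework",
                     r"c:\windows\microsoft.net\framework64")
SIDELOAD_HOST, SIDELOADED_DLL = "mscorsvw.exe", "mscorsvc.dll"
# AWS Lambda function URLs are served from <url-id>.lambda-url.<region>.on.aws
LAMBDA_URL_RE = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.I)
# SHA-256 IoCs from section B of this advisory.
IOC_SHA256 = frozenset({
    "279e60e77207444c7ec7421e811048267971b0db42f4b4d3e975c7d0af7f511e",
    "304c615f4a8c2c2b36478b693db767d41be998032252c8159cc22c18a65ab498",
    "3255798db8936b5b3ae9fed6292413ce20da48131b27394c844ecec186a1e92f",
    "4931df8650521cfd686782919bda0f376475f9fc5f1fee9d7cf3a4e0d9c73e30",
    "d20b536c88ecd326f79d7a9180f41a2e47a40fcf2cc6a2b02d68a081c89eaeaa",
    "d961aca6c2899cc1495c0e64a29b85aa226f40cf9d42dadc291c4f601d6e27c3",
    "f0c9481513156b0cdd216d6dfb53772839438a2215d9c5b895445f418b64b886",
})

def _basename(path):
    return PureWindowsPath(path).name.lower()

def _in_legit_dotnet_dir(path):
    """True if the file sits under a genuine .NET Framework directory."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in LEGIT_DOTNET_DIRS)

def _service_binary(image_path):
    """Extract the executable from a service ImagePath like '"C:\\x\\a.exe" -k'."""
    m = re.match(r'\s*"?(.*?\.exe)', image_path, re.I)
    return m.group(1) if m else image_path.strip('" ')

def hunt(events):
    """Return (severity, rule, detail) findings for an iterable of event dicts."""
    findings = []
    for ev in events:
        kind, image = ev.get("event"), ev.get("image", "")
        if ev.get("sha256", "").lower() in IOC_SHA256:
            findings.append(("high", "ioc_hash_match", f"{ev.get('path') or image} sha256={ev['sha256']}"))
        if kind == "image_load":
            if (_basename(image) == SIDELOAD_HOST and _basename(ev["loaded"]) == SIDELOADED_DLL
                    and not (_in_legit_dotnet_dir(image) and _in_legit_dotnet_dir(ev["loaded"]))):
                findings.append(("high", "dll_sideload", f"{image} loaded {ev['loaded']}"))
        elif kind == "service_install":
            exe = _service_binary(ev["image_path"])
            if _basename(exe) == SIDELOAD_HOST and not _in_legit_dotnet_dir(exe):
                findings.append(("high", "persistence_service", f"service {ev['name']} -> {exe}"))
        elif kind == "network_connect":
            host = ev.get("dest_host", "")
            if LAMBDA_URL_RE.match(host):  # legitimate workloads use these too: triage by process
                findings.append(("medium", "lambda_url_destination", f"{image} -> {host}:{ev.get('dest_port')}"))
            if _basename(image) == SIDELOAD_HOST:
                # Assumption: the native image service has no reason to reach the internet.
                findings.append(("medium", "network_from_mscorsvw", f"{image} -> {host}"))
        elif kind == "process_create":
            cmd = ev.get("command_line", "")
            # 7-Zip's volume switch (e.g. -v200m) matches the 200 MB split staging.
            if _basename(image) == "7z.exe" and re.search(r"\s-v\d+[bkmg]?\b", cmd, re.I):
                findings.append(("low", "archive_split_staging", cmd))
    return findings

# Constructed telemetry: one benign load, then the chain from section A.
# Paths, service name and Lambda URL hostname are made up for illustration.
SAMPLE_EVENTS = [
    {"event": "image_load",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"event": "image_load", "image": r"C:\ProgramData\Updates\mscorsvw.exe",
     "loaded": r"C:\ProgramData\Updates\mscorsvc.dll"},
    {"event": "service_install", "name": "UpdateSvc",
     "image_path": r'"C:\ProgramData\Updates\mscorsvw.exe"'},
    {"event": "network_connect", "image": r"C:\ProgramData\Updates\mscorsvw.exe",
     "dest_host": "abcdefghij0123456789.lambda-url.ap-southeast-1.on.aws", "dest_port": 443},
    {"event": "process_create", "image": r"C:\ProgramData\Updates\7z.exe",
     "command_line": r"7z.exe a -v200m HOST01.zip.7z HOST01.zip"},
    # The hash is one of the advisory IoCs; the file name carries no meaning.
    {"event": "file_create", "path": r"C:\ProgramData\Updates\dropped.bin",
     "sha256": "279e60e77207444c7ec7421e811048267971b0db42f4b4d3e975c7d0af7f511e"},
]

if __name__ == "__main__":
    for sev, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:24} {detail}")
```

The path-based sideload rule is the most durable of the five: hashes change between samples, but mscorsvw.exe loading mscorsvc.dll from anywhere other than the .NET Framework directories has no legitimate explanation. The Lambda URL rule, by contrast, will fire on genuine AWS workloads, so treat it as a triage signal and pivot on the originating process.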