Researchers at FireEye-owned Mandiant have conducted a detailed analysis of a stealthy backdoor used by the Russia-linked cyberespionage group APT29 to maintain access to targeted systems.
Dubbed “POSHSPY,” the malware is believed to be a secondary backdoor used by the cyberspies in case they lose access to their primary backdoors. Mandiant first spotted POSHSPY in 2015 during an incident response engagement, and identified it on the networks of several organizations over the past two years.
Similar to other pieces of malware used by APT29, POSHSPY leverages PowerShell and the Windows Management Instrumentation (WMI) administrative framework.
WMI can be used to obtain system information, start and stop processes, and configure conditional triggers. In the case of POSHSPY, WMI is used to run a PowerShell command that decrypts and executes the backdoor code directly from a WMI property, thus ensuring that no artifacts are left on the hard drive.
The WMI component of POSHSPY executes the PowerShell component on every Monday, Tuesday, Thursday, Friday and Saturday at 11:33 AM local time.
Experts pointed out that the use of legitimate Windows tools and the other techniques employed in these attacks increase the backdoor’s chances of evading detection.
“POSHSPY’s use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory,” explained Matthew Dunwoody, incident response consultant at Mandiant.
“The backdoor’s infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert,” Dunwoody added.
The malware allows attackers to download and execute additional PowerShell code and executable files. The threat communicates with command and control (C&C) servers located at URLs generated using a domain generation algorithm (DGA) that relies on lists of domain names, TLDs, subdomains, URIs, file names and file extensions. C&C communications are encrypted using AES and RSA public key cryptography.
FireEye has not shared any information on which countries or what types of organizations have been targeted in attacks involving the POSHSPY backdoor.
The APT29 group has put some effort into making its operations more difficult to detect. Earlier this month, FireEye detailed the threat actor’s use of a technique called “domain fronting” to disguise the malicious traffic generated by its tools.
APT29 is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.