Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



ChamelGang Hackers Target Energy, Aviation, and Government Sectors

New “ChamelGang” APT group group has not been associated with any existing threat actor

New “ChamelGang” APT group group has not been associated with any existing threat actor

A new advanced threat group has been detected targeting energy and aviation firms in Russia, and institutions including governments in nine other countries. The group has not been associated with any existing APT, nor is its country of origin known. It has been named ChamelGang after its practice of blending into the background like a chameleon. 

ChamelGang was first detected following repeated anti-virus alerts on the presence of Cobalt Strike Beacon in RAM at a Russian Energy organization. This breach was investigated and analyzed by Positive Technologies (PT). Using what it learned, PT discovered and analyzed a second attack by the same threat group against an organization in the Russian aviation sector.

PT subsequently found attacks against institutions in nine other countries, including the United States, India, Nepal, Taiwan, and Japan, where in five countries, researchers discovered compromised government servers. These other attacks have not been analyzed in PT’s report on ChamelGang, but all of the victims have been notified by their national CERTs. Since the gang uses the ProxyShell vulnerabilities in its attack chain, PT thinks it possible that vulnerable servers in the UK will be targeted in the future.

The attack against the Russian energy organization made use of a trusted relationship compromise. Such attacks differ from supply chain attacks: the former makes use of the legitimate communication channels in a trusted relationship, while the latter compromises goods (hardware or software) supplied from one company to another. In this case, ChamelGang exploited a JBoss Application Server vulnerability (CVE-2017-12149, patched by RedHat more than four years ago) in a subsidiary organization.

It took only two weeks for the gang to cross to the primary target. They acquired the dictionary password of the local administrator on one of the servers, and used RDP to penetrate the network. They remained on the network for three months, gaining control of most of it, before being detected.

In the second attack analyzed by PT, the gang used the ProxyShell chain of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). In this case, however, they were resident for just eight days before being expelled, and had little time to do serious damage.

Advertisement. Scroll to continue reading.

“Targeting the fuel and energy complex and aviation industry in Russia isn’t unique – this sector is one of the three most frequently attacked,” comments Denis Kuvshinov, head of threat analysis at PT. “Most often such attacks lead to financial or data loss – in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.”

A distinctive feature of the ChamelGang attacks is the use of three previously unknown malwares: ProxyT, BeaconLoader, and the DoorMe backdoor. The gang also employed the better-known Cobalt Strike Beacon, FRP and Tiny Shell.

PT found the DoorMe backdoor to be one of the most interesting new artefacts. “This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed,” explains Denis Goydenko, head of information security threat response at PT. “Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set. At the time of the incident investigation, DoorMe was not detected by antivirus tools, and although the technique of installing this backdoor is known, we haven’t seen its use in recent times.”

In the first compromise, the DoorMe variant could receive six commands: return current directory, username, and hostname; run an arbitrary command by cmd.exe/c; run a command by creating a new process; write a file (to different methods; and copy the timestamps from one file to another.

In the second compromise, DoorMe had been expanded and the method of obfuscation changed. The number of commands it can receive had been expanded to 11, with the addition of, return the current working directory of the application (two methods); get information on the content of a selected directory; get a list of processes; and terminate and delete a specified process.

Of the other two new malwares, ProxyT is designed to check whether there is a connection to a remote URL. BeaconLoader is uploaded using DLL Hijacking. It receives the addresses of the functions and libraries necessary for its operation, and then it checks the name of the parent process and the privilege type. 

A second version of BeaconLoader was also discovered, this time uploaded using the IKEEXT service. This version was similar but not identical to the first version. In both cases, Cobalt Strike Beacon was the ultimate payload.

The common factor in the ChamelGang compromises seems to be the existence of vulnerable versions of Microsoft Exchange Server and use of the ProxyShell and ProxyLogon vulnerabilities. Rapid patching is the most obvious preventative measure – but it is worth noting that on August 31, 2021, Trustwave found that 21.17% of Exchange Servers were still susceptible to the ProxyShell and ProxyLogon vulnerabilities, while 5.92% were vulnerable to ProxyLogon. Until these servers are patched, they will continue to be attacked by both ChamelGang and other threat actors.

Related: CISA Warns Organizations of ProxyShell Attacks on Exchange Servers

Related: Hackers Deploying Backdoors on Exchange Servers via ProxyShell Vulnerabilities

Related: Sanctioned Russian IT Firm Was Partner with Microsoft, IBM

Related: At Least 30k Internet-Exposed Exchange Servers Vulnerable to ProxyShell Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...