New “ChamelGang” APT group has not been associated with any existing threat actor
A new advanced threat group has been detected targeting energy and aviation firms in Russia, and institutions including governments in nine other countries. The group has not been associated with any existing APT, nor is its country of origin known. It has been named ChamelGang after its practice of blending into the background like a chameleon.
ChamelGang was first detected following repeated anti-virus alerts on the presence of Cobalt Strike Beacon in RAM at a Russian Energy organization. This breach was investigated and analyzed by Positive Technologies (PT). Using what it learned, PT discovered and analyzed a second attack by the same threat group against an organization in the Russian aviation sector.
PT subsequently found attacks against institutions in nine other countries, including the United States, India, Nepal, Taiwan and Japan; in five of those countries the researchers discovered compromised government servers. These other attacks are not analyzed in PT’s report on ChamelGang, but all of the victims have been notified by their national CERTs. Since the gang uses the ProxyShell vulnerabilities in its attack chain, PT thinks it possible that vulnerable servers in the UK will be targeted in the future.
The attack against the Russian energy organization made use of a trusted relationship compromise. Such attacks differ from supply chain attacks: the former abuses the legitimate communication channels of a trusted relationship (here, between a subsidiary and its parent), while the latter compromises goods (hardware or software) supplied from one company to another. In this case, ChamelGang exploited a JBoss Application Server vulnerability (CVE-2017-12149, a deserialization flaw in the JBoss HTTP Invoker that Red Hat patched more than four years ago) in a subsidiary organization.
It took the gang only two weeks to pivot from the subsidiary to the primary target. They obtained the local administrator password on one of the servers (a weak password found in a common password dictionary) and used RDP to move into the network. They remained there for three months, gaining control of most of the network, before being detected.
In the second attack analyzed by PT, the gang used the ProxyShell chain of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). In this case, however, they were resident for just eight days before being expelled, and had little time to do serious damage.
“Targeting the fuel and energy complex and aviation industry in Russia isn’t unique – this sector is one of the three most frequently attacked,” comments Denis Kuvshinov, head of threat analysis at PT. “Most often such attacks lead to financial or data loss – in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.”
A distinctive feature of the ChamelGang attacks is the use of three previously unknown malware families: ProxyT, BeaconLoader and the DoorMe backdoor. The gang also employed better-known tools: Cobalt Strike Beacon, the FRP reverse proxy and Tiny SHell.
PT found the DoorMe backdoor to be one of the most interesting new artefacts. “This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed,” explains Denis Goydenko, head of information security threat response at PT. “Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set. At the time of the incident investigation, DoorMe was not detected by antivirus tools, and although the technique of installing this backdoor is known, we haven’t seen its use in recent times.”
In the first compromise, the DoorMe variant could receive six commands: return the current directory, username and hostname; run an arbitrary command via cmd.exe /c; run a command by creating a new process; write a file (two methods); and copy the timestamps from one file to another.
In the second compromise, DoorMe had been extended and its obfuscation method changed. The number of commands it can receive grew to 11, adding: return the current working directory of the application (two methods); list the contents of a selected directory; list running processes; and terminate and delete a specified process.
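Because DoorMe is a native IIS module registered as a filter, it has to appear in the server's `applicationHost.config` under `<globalModules>`, so a quick triage step on an Exchange or other IIS host is to diff that list against a known-good baseline. The script below is an added example, not code from PT's report: it parses the `<globalModules>` section, flags any module whose name is not in the baseline or whose image does not live in the `inetsrv` directory, and reports why. `BASELINE` is a subset of the modules IIS installs by default; the sample configuration is constructed, and the `ExampleFilterModule` entry and the relocated `DirectoryListingModule` image are invented.

```python
"""Audit native IIS modules in applicationHost.config against a baseline (added example)."""
import ntpath
import xml.etree.ElementTree as ET

# Subset of the native modules a default IIS install registers, by name -> image file.
BASELINE = {
    "HttpLoggingModule": "loghttp.dll",
    "UriCacheModule": "uihelper.dll",
    "FileCacheModule": "cachfile.dll",
    "TokenCacheModule": "cachtokn.dll",
    "HttpCacheModule": "cachhttp.dll",
    "StaticFileModule": "static.dll",
    "DefaultDocumentModule": "defdoc.dll",
    "DirectoryListingModule": "dirlist.dll",
    "AnonymousAuthenticationModule": "authanon.dll",
    "WindowsAuthenticationModule": "authsspi.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "CustomErrorModule": "custerr.dll",
    "ProtocolSupportModule": "protsup.dll",
    "IsapiModule": "isapi.dll",
    "ConfigurationValidationModule": "validcfg.dll",
}

# Directories from which legitimate native modules are expected to load.
TRUSTED_DIRS = ("c:\\windows\\system32\\inetsrv\\", "c:\\windows\\syswow64\\inetsrv\\")

# Constructed applicationHost.config fragment; the last two entries are the
# invented anomalies (a rogue name, and a baseline name pointing at a foreign path).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="DirectoryListingModule" image="C:\inetpub\temp\dirlist.dll" />
      <add name="ExampleFilterModule" image="C:\Windows\Temp\examplefilter.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand(image):
    """Expand the environment variables IIS uses in image paths and normalise case."""
    return (image.replace("%windir%", r"C:\Windows")
                 .replace("%SystemRoot%", r"C:\Windows")
                 .lower())


def audit_modules(config_xml, baseline=BASELINE):
    """Return a finding per global module that deviates from the baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            name = mod.get("name", "")
            image = expand(mod.get("image", ""))
            reasons = []
            if name not in baseline:
                reasons.append("name not in baseline")
            elif ntpath.basename(image) != baseline[name]:
                reasons.append("image file differs from baseline")
            if not image.startswith(TRUSTED_DIRS):
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append({"name": name, "image": mod.get("image"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_modules(SAMPLE_CONFIG):
        print(f"{f['name']}: {f['image']} ({'; '.join(f['reasons'])})")
```

On a live host, feed it `%windir%\System32\inetsrv\config\applicationHost.config`, or cross-check with `appcmd list modules` / `Get-WebGlobalModule`, and then verify each flagged image with `Get-AuthenticodeSignature`. On an Exchange server the baseline must also include the native modules Exchange registers from its own installation directory; the value is in the diff against a known-good host, not in this particular list.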
Of the other two new malware families, ProxyT checks whether a remote URL is reachable. BeaconLoader is loaded via DLL hijacking: it resolves the addresses of the library functions it needs at runtime, then checks the name of its parent process and the privilege level it is running with before proceeding.
A second version of BeaconLoader was also discovered, this one loaded through the IKEEXT (IKE and AuthIP IPsec Keying Modules) service, a known DLL hijacking vector. It was similar but not identical to the first version. In both cases, Cobalt Strike Beacon was the final payload.
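Both BeaconLoader variants get into memory by making a legitimate process load a DLL it did not ship with, which is exactly what Sysmon Event ID 7 (ImageLoad) records. The script below is an added example, not code from PT's report: it classifies ImageLoad records with three rules that cover the page's two cases, a Windows binary loading an unsigned DLL, any process loading a DLL from a user-writable directory, and an `svchost.exe`-hosted service (IKEEXT among them) loading a DLL from outside the system directories. The records are constructed, the field names follow Sysmon's schema, and the paths and file names in them are invented.

```python
"""Flag suspicious DLL loads in Sysmon Event ID 7 (ImageLoad) records (added example)."""
import ntpath

# Directories an attacker can normally write to without elevated rights.
WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                  "c:\\inetpub\\", "c:\\perflogs\\")
# Directories from which a service host is expected to load system DLLs.
SYSTEM_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\winsxs\\")
WINDOWS_ROOT = "c:\\windows\\"

# Constructed ImageLoad records (a subset of the Sysmon Event ID 7 fields).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ikeext.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Invented hijack: the IKEEXT service host picks up an unsigned DLL from a
    # directory on PATH instead of from System32.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Python27\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Invented side-load: a third-party binary loading from a user-writable path.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def classify(ev):
    """Return the list of rule names an ImageLoad record triggers (empty if none)."""
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    signed = (ev.get("Signed", "false").lower() == "true"
              and ev.get("SignatureStatus", "") == "Valid")
    rules = []
    if image.startswith(WINDOWS_ROOT) and not signed:
        rules.append("system-binary-loaded-unsigned-dll")
    if loaded.startswith(WRITABLE_ROOTS):
        rules.append("dll-from-user-writable-path")
    if ntpath.basename(image) == "svchost.exe" and not loaded.startswith(SYSTEM_DLL_ROOTS):
        rules.append("service-host-dll-outside-system-dirs")
    return rules


def detect(events):
    """Return (index, rules) for every record that triggers at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        rules = classify(ev)
        if rules:
            flagged.append((i, rules))
    return flagged


if __name__ == "__main__":
    for i, rules in detect(EVENTS):
        ev = EVENTS[i]
        print(f"{ev['Image']} loaded {ev['ImageLoaded']}: {', '.join(rules)}")
```

The signature check relies on Sysmon's `Signed`/`SignatureStatus` fields, so the configuration must actually log ImageLoad events for the processes of interest; the default Sysmon configuration does not. Expect some noise from unsigned third-party software, which is why the rules are combined per record rather than alerted on individually.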
The common factor in the ChamelGang compromises seems to be vulnerable versions of Microsoft Exchange Server and the use of the ProxyShell and ProxyLogon vulnerabilities. Rapid patching is the most obvious preventative measure, but it is worth noting that on August 31, 2021, Trustwave found that 21.17% of Exchange servers were still vulnerable to ProxyShell and 5.92% to ProxyLogon. Until these servers are patched, they will continue to be attacked by ChamelGang and other threat actors.