Catching the White Stork in Flight
- Arista’s Awake Labs team responded to a cybersecurity incident with a campaign that has been active since at least October 2020, which we are labeling Operation White Stork.
- This campaign utilized multiple techniques and tools including Cobalt Strike Beacon, the MetaSploit Framework, Mimikatz, SharpSploit and exfiltration using rclone.
- Awake’s analysis showed that the attackers remotely authenticated to the customer’s VPN and externally facing remote desktop gateway using previously compromised credentials, coming in through Tor exit nodes.
- Lateral movement was achieved primarily using Windows Remote Desktop (RDP) and PsExec.
- This investigation demonstrates the importance of monitoring for exfiltration and lateral movement as well as hardening external access points for members of staff and contractors, particularly when many people are working remotely.
Operation White Stork
In this post we break down several aspects of this operation, including:
- Industries and Geography
- Tactics and Techniques
- Investigation and Technical Analysis
- Indicators of Compromise (IOCs)
- Detecting the Techniques
Industries and Geographies
Awake’s analysis of this event shows that the actor appears to have specifically targeted an organization in the industrial gas sector.
The locations of the attack were isolated to the United States. However, the attackers downloaded an attacker toolset with a Russian name (sborka5.zip – ‘sborka’ translates from Russian to ‘assembly’ in English) from the Russian site wdfiles[.]ru and exfiltrated data to a server hosted in Lithuania.
Tactics and Techniques
The investigation identified several tactics and techniques across the MITRE ATT&CK Framework used by the threat actor. These are detailed below.
|Initial Access (TA0001)||T1133 – External Remote Services|
T1078 – Valid Accounts
|Execution (TA0002)||T1059.001 – PowerShell|
T1569.002 – Service Execution
|Credential Access (TA0006)||T1110 – Brute Force|
T1003.001 – OS Credential Dumping: LSASS Memory
|Discovery (TA0007)||T1087.002 – Account Discovery: Domain Account|
T1482 – Domain Trust Discovery
T1083 – File and Directory Discovery
T1046 – Network Service Scanning
T1135 – Network Share Discovery
|Lateral Movement (TA0008)||T1570 – Lateral Tool Transfer|
T1021.001 – Remote Desktop Protocol
T1021.002 – SMB / Windows Admin Shares
|Collection (TA0009)||T1560.001 – Archive via Utility|
T1119 – Automated Collection
T1039 – Data from Network Shared Drive
T1074.001 – Local Data Staging
T1074.002 Remote Data Staging
|Exfiltration (TA0010)||T1048 – Exfiltration Over Alternative Protocol|
Incident Timeline and Technical Analysis
The incident was first detected around 160 days after the initial activity when Mimikatz was detected on an endpoint.
Figure 1: Incident Timeline Summary
In total, the activity from the threat actor continued for more than 170 days before containment. Figure 1 provides a summary of each major stage of the incident, while additional technical details are described below.
The Awake Labs team’s forensic investigation revealed a timeline that begins with repeated failed attempts to connect to several key endpoints within the customer environment. These connections, using SMB, occurred from a source IP address within the VPN range. During this time two Windows Service creation events were observed which indicated malicious PowerShell code had been executed on one of the hosts, injecting a Meterpreter payload into memory.
Figure 2 shows the content of the Image Path field for the service named ‘gaZtYZWmtJFOorGy’ while Figure 3 shows the decoded, decompressed code:
Figure 3: Decoded and decompressed base64 section taken from Figure 2
This second base64 encoded string was decoded and found to contain additional code containing the following command:
This file was no longer present when the incident response team tried to retrieve it.
Additional analysis of the code showed thread injection into C:\Windows\System32\ntvdm.exe.
The code in the Image Path of the second Windows Service event referenced previously was very similar, and had the Service name: ‘vrzvySWAmvRsgZCh’.
The attacker then logged into the same system via RDP, using an administrative account, with the source IP again coming from the VPN pool. Minutes after this connection, a zip archive named sborka5.zip was downloaded from hxxps[://]wdfiles[.]ru. This archive contained many tools, such as those typically used for reconnaissance activity and lateral movement (Mimikatz, AdFind, NetScan, PsExec) as well as exploit tools such as those related to Eternal Blue. Interestingly, ‘sborka’ in Russian translates to ‘assembly’ in English. Not all of these tools were used by the attackers, but it was noteworthy to see them all hosted together in one place.
Following this, the execution of Mimikatz was logged and the file sek.log was created. This file was recovered and found to be a dump of credentials, created using Mimikatz.
Shortly after this, a different administrative account was used to log in to the same system via RDP, once again originating from an IP address in the VPN range. The attacker then used RDP to move laterally, and once again a zip archive named ‘sborka5.zip’ was downloaded from the same domain as earlier. This was followed by the execution of adfind.bat (see Figure 4) and netscanner64.exe, from within that toolset.
Figure 4: Screenshot of the contents of adfind.bat
As you can see, such information can give the threat actor a lot of information about the domain infrastructure. Each of the output files referenced in Figure 4, other than ad.7z, were found on the system during the incident response process.
The actor then leveraged an administrative user account to move laterally to a domain controller via RDP and execute adfind.bat and netscan64.exe and then disconnected their session.
The threat actor then appeared to lay low for more than a month before leveraging the previous compromised credentials to connect directly to a domain controller via RDP. Once again the access originated from an IP address within the VPN range. During this session, the file lsass.dmp was created in the user’s AppData\Local\Temp\8\ directory. Loading this file into WinDBG confirmed it was a dump of the lsass.exe process:
Figure 5: WinDBG analysis of the lsass.dmp file indicated this was a dump of the lsass.exe process
There was then no other evidence of attacker activity for almost two months until logon activity towards several key servers and workstations was observed in the analysed logs. These logons once again originated from IP addresses within the VPN range. The file c:\programdata\rundll32.dll was created on several systems. These instances were launched using the rundll32.exe utility with the command line:
The attackers then used PsExec to push and execute this DLL on remote systems. This was found to be a Cobalt Strike binary. Analysis showed it attempting to connect to the following URLs:
This domain resolved to IP address: 23[.]81[.]246[.]123, which, as you will see later, was involved in a clear beaconing pattern.
The attacker continued using RDP to connect to key servers via the VPN and push and execute the Cobalt Strike DLL on multiple systems.
At one point the actor launched the Windows Password Recovery tool and procdump.exe from the c:\perflogs directory. Shortly after this, the Cobalt Strike instance that had been running on one system spawned an instance of cmd.exe and attempted to map a shared drive with the command:
About a week later, analysis showed lateral movement via RDP between systems, and the threat actor used an administrative account to launch another PowerShell script to pull down a second stage payload:
Following this, the file csharp-streamer.exe was executed from the same user’s \AppData\Local\Temp\6\ directory. This was found to be a version of SharpSploit (a post exploitation library written in C#).
Following this activity, another malicious PowerShell command (shown below) was executed using a different administrative user account. Note, the IP address in this command was found to be related to Cobalt Strike activity observed elsewhere during the incident.
|The above PowerShell commands were pulled from the ConsoleHost_history.txt file from the users’ \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine directories – a useful file to pull as part of any investigation. This file is of additional interest if the last modification time of the file lines up with malicious activity. In our case it did, and these were the only commands in the files.|
The file winspool.drv was created in the same user’s AppData\Roaming\WinRAR\Version\ directory. This file was found to be the remote access tool RMS RAT.
Shortly after this, the same user logged into a remote desktop server via an externally facing gateway, accessible via a web interface, and the file Desktop.exe was executed. This file was found to be the remote access tool RMS RAT – the compressed parent of the RMS RAT instance referenced previously.
Following this, the file c:\perflogs\procdump64.exe was created on the system, and shortly after, ADRecon was launched by the same user via the PowerShell script C:\PerfLogs\obfs.ps1. Minutes later, there were two instances of PowerShell commands launching what appeared to be Cobalt Strike Beacon, one example is shown in Figure 6:
Figure 6: Obfuscated code found in PowerShell event logs
Figure 7: Decompressing and decoding the base64 encoded string in Figure 6
The remainder of the code contains shellcode that will be reflectively injected into process memory on the system as shown in Figure 8:
Figure 8: Encoded shellcode that will be reflectively loaded into process memory
This was decoded and analysed and found to be reaching out to pull down hxxp[://]89[.]238[.]185[.]28/Rr5c – a file that was no longer live when the team attempted to retrieve it. The identified user agent was Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER) (which can also be indicative of Metasploit). The process created and injected code into C:\Windows\system32\ntvdm.exe.
Shortly after this, attacker tools such as Advanced_IP_Scanner_2.5.3850.exe and Mimikatz were executed from the c:\support directory by the same user.
Approximately 30 minutes later, a different account was used to access another remote desktop server from the externally facing gateway and launch a PowerShell script that had exactly the same functionality as those in Figures 7 and 8. Following this, the same user moved laterally to a domain controller via RDP and created another lsass.dmp file.
Additional Windows Service creation events were also observed on one of the domain controllers which were indicative of Cobalt Strike:
Figure 9: Base64 encoded PowerShell command being launched as a service
The Service name was 9dcbd6f.
Decoding this and analysing the shellcode, the Awake Labs team saw thread injection into C:\Windows\system32\ntvdm.exe. This time, rather than attempting to call back to a domain, the following named pipe was created: \\.\pipe\win_service_ohm5iYaaNoo7po7koaTi
Thanks to an excellent write up from CrowdStrike, we can see that this activity indicated the jump psexec_psh Cobalt Strike Beacon command had been used to establish an instance of Beacon remotely on this system.
In addition, the following Windows Service creation events indicated that Cobalt Strike Beacon had been pushed remotely to the same, plus one other, domain controller seconds later:
|Service name||Image path|
These files were not recovered, but thanks to the same CrowdStrike article, we can see that this activity was indicative that the jump psexec Cobalt Strike Beacon command had been used to establish a Beacon remotely on this system.
In the same period, the attackers used RDP to access critical devices and move laterally, once again via the VPN. SharpSploit was run on another system, this time using a critical management account with administrative privileges. On the same day, the user executed C:\PerfLogs\x64.exe. When analysed, this was found to launch an instance of sethc.exe (Windows ‘Sticky Keys’ accessibility feature) in a suspended state, inject code into it, then exit, leaving sethc.exe running as an orphaned process. In addition, we could see that the process connected to datatransferdc[.]com over IPv6
A few days later, the Cobalt Strike Beacon processes (rundll32.dll) running on several systems started beaconing out to 23[.]81[.]246[.]123:443, approximately every 31 minutes.
On one of these systems, a legitimate version of sethc.exe spawned the process dfrgui.exe (Microsoft Disk Defragmentation process), which made several outbound network connections over the next few days:
|Domain name||IP address|
Several hours later, the same dfrgui.exe process launched an instance of PowerShell that attempted to pull down another payload from the known malicious IP address shown below:
The process made several additional network connections:
|Domain name||IP address|
The final connection listed (89[.]238[.]185[.]28) was to port 50050, indicating this IP address is likely running Cobalt Strike Teamserver listening on its default port.
During this two day period of activity, the same process made connections to several internal IP addresses over port 3389, indicating further attempts to use RDP in an attempt to move laterally. For instance, on one of the systems that was connected to in this manner, the team observed several instances of the following commands:
- Disable the firewall:
2. Download a malicious second stage payload from 89[.]238[.]185[.]28:
Shortly after this, rclone was invoked via Powershell to begin exfiltrating data on a file share to an SFTP server based in Lithuania:
The contents of the rclone configuration file are shown in Figure 10 below:
The contents of filter-file.txt are shown in Figure 11 below:
Figure 11: Filter file used to tell rclone which files to upload
A review of the firewall logs showed several gigabytes of data uploaded to the IP address 91[.]103[.]255[.]177 at this time.
The dfrgui.exe process continued to make internal network connections over port 3389, as well as outbound connections to 80[.]153[.]159[.]29 over port 3390, and 45[.]130[.]138[.]81 towards port 50050 indicating this was also likely related to Cobalt Strike.
At this point the Awake Labs team began taking actions to contain the incident and shut off the exfiltration while in process.
After the containment started, the firewall logs showed there were several attempts made to authenticate to the VPN from multiple users; which eventually proved successful. These connections all came from the same source: Tor exit node IP address 185[.]220[.]100[.]252 (AS205100 F3 Netze e.V. out of Germany.)
During this session, the actor successfully logged on to another server and created several files associated with Mimikatz and Tor, such as c:\users\<user>\downloads\mimidrv.zip and c:\users\<user>\desktop\tor.zip.
Shortly after this, the firewall logs showed the same user authenticated to the VPN from a known Tor exit node: 91[.]218[.]203[.]59. During this VPN session, several systems were logged into via RDP.
During these sessions, the user installed and ran Tor by creating and launching:
Which in turn launched:
Another lsass.dmp file was created in another compromised administrator account’s \appdata\local\temp\ directory. The file 12212.7z was created at the same time on the same user’s Desktop; neither file was recovered.
Containment and remediation measures were then put fully into place with ongoing monitoring. Since the containment was enacted, we are yet to see evidence of the threat actor’s return.
Conclusions and Recommendations
In this instance a threat actor was able to access the network through the VPN, move laterally via Windows Remote Desktop protocol and PsExec, download a toolset from a Russian file sharing site – which contained a vast array of attacker tools – install some backdoors, and from there were able to reach their target and begin to exfiltrate data.
Company staff are working remotely now more than ever. As a result, external access points are relied upon more and more for staff to carry out their work duties in the same efficient manner as if they were in the office. Awake Labs sees breaches where initial access is achieved through external access points (such as VPN or Remote Desktop Gateway) frequently. It is vital that measures are put in place to harden remote endpoints and exposed external infrastructure. Awake recommends the following items are enforced at a minimum:
- Multi-Factor Authentication (MFA) for external access to any company resources (VPN, internal services, etc.).
- A strong password policy, whereby passwords should meet a required minimum length; should contain a combination of upper and lower case letters, numbers and special characters; and should be changed regularly.
- Regular user education on security and the risks of poor hygiene.
- Remain up to date on vulnerability patching and mitigation for externally facing services.
- Asset tracking and management of remote devices. Ensure any devices being used for work purposes are identifiable and have company standard security tools installed, are actively monitored and up to date (anti-virus, EDR, etc.).
Once an external user has authenticated to a VPN, it is important to make sure they can only access systems they need to access for business purposes. It is also important to only allow access between network segments that is required for business purposes. Ultimately, implementing a Zero Trust model is recommended.
Host based IOCs
Contents of sborka5.zip archive file (note some of these are not IOCs per se, but have been kept in for completeness):
|File path||sha256 hash||Contents|
|AdFind/adfind.bat||014db7075dc15953ade603627b5f990c79ae35c098129a99876705dc3dc20dd3||See Figure 3|
cmd /c net user petr 2k3X8X57 /add
cmd /c net localgroup administrators petr /add
mimikatz # privilege::debug
mimikatz # inject::process lsass.exe sekurlsa.dll
mimikatz # @getLogonPasswords
mimikatz privilege::debug sekurlsa::logonPasswords exit > c.txt
Other host based IOCs:
|gaZtYZWmtJFOorGy||Service name||Service name for injecting meterpreter shellcode – note this is changeable but provided for reference|
|vrzvySWAmvRsgZCh||Service name||Service name for injecting meterpreter shellcode – note this is changeable but provided for reference|
|%comspec%||Service image path||Indication that a service is launching a command prompt. Seeing a service Image Path start with this is suspicious|
|sborka5.zip||Filename||Archive containing attacker tools and files|
|ad_users.txt||Filename||Output from adfind.exe|
|ad_computers.txt||Filename||Output from adfind.exe|
|ad_ous.txt||Filename||Output from adfind.exe|
|ad_subnets.txt||Filename||Output from adfind.exe|
|ad_group.txt||Filename||Output from adfind.exe|
|ad_trustdmp.txt||Filename||Output from adfind.exe|
|ad.7z||Filename||Archive containing adfind output files|
|lsass.dmp||Filename||Dump of lsass.exe process|
|AppData\Local\Temp\<num>\||File path||Staging directory|
|c:\programdata\rundll32.dll||File path||Cobalt Strike|
|82900aea8a8617f0d49e1c036d1bc23cc768e71b746a0ee5d2bf5cbf43841768||Sha256 hash||Cobalt Strike (rundll32.dll)|
|rundll32.exe C:\ProgramData\rundll32.dll vvsection||Command line argument||Command line argument to launch Cobalt Strike DLL|
|C:\perflogs\||File path||Staging directory used by attackers|
|procdump.exe||Filename||Tool for dumping process memory|
|WPR.exe||Filename||Windows Password Recovery tool|
|net use \\<ipaddress>\c$||Command line argument||Command used by attacker to map shared drives|
|csharp-streamer.exe||Filename||Version of SharpSploit post exploitation tool kit|
|ad5c06b52b468711f4f1ce1bf6957506b805b07e52c9be331035536672505160||Sha256 hash||Version of SharpSploit post exploitation tool kit|
|cd43f4c2f4590e1993991b5f7c890919cd0bb6b378c222c21a7ce956759c8a94||Sha256 hash||RMS RAT|
|6184e4c8915a3924a9a12e26c42cffef35a1d1380a8c0a236ef65df71b20c217||Sha256 hash||RMS RAT|
|C:\PerfLogs\obfs.ps1||File path||PowerShell script used to launch ADRecon|
|C:\support\||File path||Staging directory|
|Service name with 7, apparently random alphanumeric characters||Service name||Indicative of Cobalt Strike, example: 2a419f7|
|\\127.0.0.1\ADMIN$\<7 alphanumeric chars>.exe||Service Image Path|
Indicative of Cobalt Strike, example:
|C:\PerfLogs\x64.exe||File path||Cobalt Strike|
|53031ae7cdd8627c57f341934290e96b757b38beab29ce847fc09140e29349ab||Sha256 hash||Cobalt Strike|
|rclone.exe||Filename||Used to exfiltrate data|
|fc03b8c51889be55b73a02efe02f59eb2836e63f5f032aa00dd611ff07e76d0c||sha256 hash||Sha256 hash of rclone.exe|
|filter-file.txt||Filename||Filter file used by rclone|
|C:\Windows\System32\AppLocker\start.bat||File path||Batch script used to start Tor|
|C:\Windows\System32\AppLocker\torrc||File path||Tor configuration file|
|12212.7z||Filename||Archive file – unrecovered|
|loader.exe||Filename||Component of Windows Password Recovery service|
|loader64.exe||Filename||Component of Windows Password Recovery service|
|hxxps[://]wdfiles[.]ru||Domain||Staged attacker tools|
|hxxp[://]194[.]61[.]53[.]10:80/a213||URL||Second stage payload|
|194[.]61[.]53[.]10||IPv4||IP address hosting second stage payload|
|89[.]238[.]185[.]28||IPv4||IP address associated with second stage payload|
|hxxp[://]89[.]238[.]185[.]28/a||URL||Second stage payload|
|hxxp[://]89[.]238[.]185[.]28:4151/a||URL||Second stage payload|
|hxxp[://]89[.]238[.]185[.]28/Rr5c||URL||Second stage payload|
|Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)||User agent||Indicative of Metasploit|
|45[.]146[.]164[.]193||IPv4||IP reached out to by Meterpreter to pull down second stage payload and inject it into memory|
|hxxp[://]45[.]146[.]164[.]193:8712/awq||URL||Second stage payload|
|\\.\pipe\win_service_ohm5iYaaNoo7po7koaTi||Named pipe||Cobalt Strike|
|telemetry[.]distrib000[.]com||Domain||Connected to by malicious instance of dfrgui.exe|
|stats[.]0293432094823904832048234[.]work||Domain||Connected to by malicious instance of dfrgui.exe|
|ping[.]12093130987381731037123[.]work||Domain||Connected to by malicious instance of dfrgui.exe|
|dash[.]92834298473247204972349234[.]work||Domain||Connected to by malicious instance of dfrgui.exe|
|dns[.]09123312093812039813[.]work||Domain||Connected to by malicious instance of dfrgui.exe|
|datatransferdc[.]com||Domain||Connected to by malicious instance of dfrgui.exe|
|2606[:]4700[:]3037[:][:]ac43[:]8ca0||IPv6||IPv6 address used by malware to connect to datatransferdc[.]com|
|172[.]67[.]193[.]215||IPv4||Connected to by malicious instance of dfrgui.exe|
|172[.]67[.]223[.]63||IPv4||Connected to by malicious instance of dfrgui.exe|
|104[.]21[.]21[.]133||IPv4||Connected to by malicious instance of dfrgui.exe|
|172[.]67[.]158[.]54||IPv4||Connected to by malicious instance of dfrgui.exe|
|104[.]21[.]79[.]23||IPv4||Connected to by malicious instance of dfrgui.exe|
|104[.]21[.]76[.]117||IPv4||Connected to by malicious instance of dfrgui.exe|
|104[.]21[.]62[.]240||IPv4||Connected to by malicious instance of dfrgui.exe|
|172[.]67[.]140[.]160||IPv4||Connected to by malicious instance of dfrgui.exe|
|172[.]67[.]198[.]213||IPv4||Connected to by malicious instance of dfrgui.exe|
|172[.]67[.]168[.]181||IPv4||Connected to by malicious instance of dfrgui.exe|
|52[.]178[.]182[.]73||IPv4||Connected to by malicious instance of dfrgui.exe|
|51[.]144[.]113[.]175||IPv4||Connected to by malicious instance of dfrgui.exe|
|50050||Port||Default Cobalt Strike TeamServer port|
|91[.]103[.]255[.]177||IPv4||SFTP server used for exfiltration|
|80[.]153[.]159[.]29||IPv4||Connected to by malicious instance of dfrgui.exe (resolves to p50999f1d[.]dip0[.]t-ipconnect[.]de)|
|45[.]130[.]138[.]81||IPv4||Connected to by malicious instance of dfrgui.exe – connection made using default Cobalt Strike TeamServer port|
Detecting the Techniques
|Carbon Black Cloud|
|Awake Security Platform|
By Kieran Evans and Jason Bevis
If you liked what you just read, subscribe to hear about our threat research and security analysis.
Threat Hunting and Incident Response Specialist
Dig Deeper with These Resources
Awake Security 2 Minute Explainer Video
What if security could think? What if it could sense danger, calculate risk, and react quickly based…
The Internet’s New Arms Dealers: Malicious Domain Registrars
This report dives into the results of a multi-month investigation that uncovered a massive global surveillance campaign…