Malware researchers at Mandiant, a FireEye subsidiary, have uncovered an attack pattern deployed by the Russian cyberespionage group APT29. This group is also known as Cozy Bear, CozyDuke and The Dukes. The attackers were found to be using a piece of spyware dubbed POSHSPY to maintain access to targeted devices.
Mandiant are credited with discovering the POSHSPY tool. They first detected the malware during an incident response engagement in 2015 and have been monitoring the program's activity ever since. Over the past two years, the researchers have found POSHSPY on the networks of several organizations.
APT29 often use PowerShell and the Windows Management Instrumentation (WMI) administrative framework in their attack patterns. POSHSPY is one of the malware families that rely on these tools.
Malware can use WMI for a range of purposes, including stealing data, configuring conditional triggers, and starting and stopping processes. In POSHSPY's case, the framework executes a PowerShell command that decrypts and runs the backdoor code directly from a WMI property. By running the code this way, the spyware ensures that no artifacts are left on the hard drive.
POSHSPY runs the PowerShell command on a schedule: Monday, Tuesday, Thursday, Friday and Saturday at 11:33 AM local time.
Employing legitimate Windows components in an attack gives the backdoor a better chance of evading detection.
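WMI persistence of the kind described above is implemented through permanent event subscriptions: an `__EventFilter` (the trigger, such as a clock-based query), an `__EventConsumer` subclass holding the payload, and a `__FilterToConsumerBinding` joining them. The following PowerShell, an added example that is neither the article's nor Mandiant's code, enumerates those bindings on a Windows host and flags consumers that launch hidden or encoded PowerShell or are driven by a `Win32_LocalTime` timer; the indicator strings are an assumption of this example, not published POSHSPY signatures, and the script assumes local administrator rights.

```powershell
function Get-WmiSubscriptionFindings {
    [CmdletBinding()]
    param([string]$Namespace = 'root/subscription')

    # Assumed indicators: substrings that commonly appear when a consumer
    # launches an encoded or hidden PowerShell payload, plus the class used
    # for clock-driven triggers (a scheduled start time is a timer filter).
    $payloadHints = 'powershell', '-enc', '-e ', 'frombase64string',
                    'invoke-expression', 'iex', 'hidden', 'bypass'
    $timerHint = 'win32_localtime'

    # Index filters and consumers by Name, the key of both classes, so the
    # reference properties on each binding can be resolved to full objects.
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        $f = $filters[$b.Filter.Name]
        $c = $consumers[$b.Consumer.Name]
        # Each consumer subclass stores its payload in a different property.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }
        $lower = "$payload".ToLowerInvariant()
        $hits  = @($payloadHints | Where-Object { $lower.Contains($_) })
        if ("$($f.Query)".ToLowerInvariant().Contains($timerHint)) {
            $hits += 'timer-driven filter'
        }
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Consumer      = $c.Name
            Payload       = $payload
            Suspicious    = ($hits.Count -gt 0)
            Reasons       = ($hits -join ', ')
        }
    }
}

# Usage: list only the bindings that tripped an indicator.
Get-WmiSubscriptionFindings | Where-Object Suspicious | Format-List
```

Legitimate software (backup agents, management tooling) also registers subscriptions, so review each flagged binding's filter query and consumer payload rather than treating a hit as proof of compromise.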
Matthew Dunwoody, incident response consultant at Mandiant, explained how the pattern works: “POSHSPY’s use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory.”
“The backdoor’s infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert,” concluded Dunwoody.
The attackers use POSHSPY to download additional PowerShell code and executable files, sending commands to the malware from command and control (C&C) servers. The servers' URLs are generated by a domain generation algorithm (DGA) that draws on lists of domain names, subdomains, URIs, TLDs, file names and file extensions. Communications with the C&C servers are encrypted using AES and RSA public keys.
APT29 are constantly refining their tradecraft. In March, FireEye researchers reported another technique the group had adopted: domain fronting, used to disguise the traffic their tools generate.
Recently, APT29 were linked to the attacks surrounding the presidential election in the U.S., as well as to a campaign targeting high-profile organizations in Norway. FireEye have yet to report which countries are targeted by the POSHSPY attacks.