APT group ChamelGang attacks fuel and energy complex and aviation industry

APT group ChamelGang
Written by Emma Davis

Positive Technologies specialists have identified a new, previously unknown APT group ChamelGang, the first attacks of which were recorded in March 2021.The main targets of hackers so far are the companies of the fuel and energy complex and the aviation industry, and the cybercriminals are interested in stealing data from compromised networks.

The group got its name ChamelGang (from the English chameleon) for using plausible phishing domains and operating system features to disguise malware and network infrastructure. For example, cybercriminals register phishing domains that imitate legitimate services from large international companies (Microsoft, TrendMicro, McAfee, IBM, and Google), including support, content delivery, and update services.

So, in the course of studying the activity of the group, experts discovered the domains newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, mcafee-upgrade.com. The hackers also placed SSL certificates on their servers, which imitated legitimate ones (github.com, www.ibm.com, jquery.com, update.microsoft-support.net).

The researchers write that ChamelGang mainly uses the current type of attack – trusted relationship. For example, in one case, in order to gain access to a target enterprise’s network, hackers compromised a subsidiary by using a vulnerable version of a web application on the open source JBoss Application Server platform. Having exploited the CVE-2017-12149 vulnerability, closed by Red Hat more than four years ago, hackers were able to remotely execute commands on the node.

Two weeks later (which, according to experts, very quickly), the group was able to compromise the parent company: the attackers learned the dictionary password of the local administrator on one of the servers in the isolated segment and entered its network via RDP. The attackers stayed undetected on the corporate network for three months; by studying it, they gained control over most of it, including critical servers and nodes in different segments. As the investigation showed, the group was interested in the data, which they managed to steal.

In the second case, in order to penetrate the target’s infrastructure, the attackers used a chain of related ProxyShell vulnerabilities discovered in Microsoft Exchange this summer (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

Hackers gained access to the company’s mail servers using a backdoor, which at the time of the attack was not detected by most anti-virus solutions. As in the first case, the group was aimed at stealing data, however, rapid detection of the attack made it possible to prevent theft of information: the attackers were present in the infrastructure of the attacked organization for only eight days and did not have time to inflict significant damage.

A distinctive feature of the ChamelGang attacks is the use of the new, previously unknown malware ProxyT, BeaconLoader and the DoorMe backdoor. The latter is a passive backdoor, which makes it much more difficult to detect. In addition, the group uses well-known malware in its toolkit, in particular FRP, Cobalt Strike Beacon, Tiny shell.

Among the malware samples we found, the most interesting is the DoorMe backdoor. Basically, it is a native IIS module that registers itself as a filter through which HTTP requests and responses are processed. Its principle of operation is not common: the backdoor processes only those requests in which the correct cookie parameter is set. At the time of the investigation of the incident, DoorMe was not detected by anti-virus protection, and although the technique for installing this backdoor is known, recently we have seen its use for the first time. The backdoor gives attackers quite ample opportunities in captured systems: it is able to execute commands via cmd.exe and create a new process, write files in two ways, and copy time stamps. A total of six different teams have been implemented.says Denis Goidenko, Head of Information Security Threat Response Department at Positive Technologies.

Positive Technologies experts have not yet linked ChamelGang to any particular country. In addition to targeting the fuel and energy complex and the aviation industry in Russia, the group also targeted institutions in ten countries, including India, Nepal, the United States, Taiwan, Japan and Germany. At the same time, in some countries, experts found compromised government servers. All affected companies have already received national CERT notifications.

Let me remind you that we also talked about the fact that Hackers Attack Russian Defense Contractor Through MHTML Bug.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.