![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2023\/06\/Fig-3.1.jpg\")
<\/a><\/figure>\n<\/div>\n\n\nFigure 3.1 Attack process used by the RedBeard in activities targeting Borusan Holding<\/p>\n\n\n\n
In this activity, the RedBeard first intruded and controlled a network device belonging to Borusan Holding (the corresponding IP address is 5.252.4.51), and deployed a Trojan horse control terminal in the device to implement phishing attacks against this company.<\/p>\n\n\n\n
It has not been confirmed how the RedBeard invaded the network device.<\/p>\n\n\n\n
The RedBeard deployed Apache HTTP server version 2.4.41 on the invaded network device and forged the Google Drive download page as shown below:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 3.2 Forged site by the RedBeard for watering hole attacks<\/p>\n\n\n\n
Looking at the source code of the webpage, we can find that the watering hole site was modified and generated from the corresponding Google Drive page in the Turkish language.<\/p>\n\n\n\n
After clicking the Download button on the page, a phishing file named borusan.xlsm will be downloaded from https[:]\/\/borusan.drive-myaccount.com\/?download=.<\/p>\n\n\n\n
The following content will be displayed when opening the phishing document:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 3.3 Phishing document used by the RedBeard in activity targeting Borusan Holding<\/p>\n\n\n\n
The phishing document contained the trademark of Borusan Holding and blurred it, and deceive the victim to do as Turkish prompt information to run the macro code in the document.<\/p>\n\n\n\n
After the code in the phishing document is run, basic information and screenshots of the victim’s host will be collected and sent to the 5.252.4.51 network device controlled by the RedBeard.<\/p>\n\n\n\n
The above attack method is in line with the commonly used asset detection and information collection logic of threat actors in the post-penetration stage. It can be inferred that the direct target of the RedBeard is staff in Borusan Holding company. Using the staff device, the threat actor probed the target assets and got prepared for subsequent malicious behaviors.<\/p>\n\n\n\n
In this attack activity, a unique feature is that the RedBeard ultimately chose phishing documents to implement information collection operations, which may be to bypass firewalls and traffic detection devices.<\/p>\n\n\n\n
Judging from the status of the above watering hole sites this attack lasted more than 5 months.<\/p>\n\n\n\n
3.2 Attack against Turkcell<\/h2>\n\n\n\n
During the period from March to April 2023, the RedBeard used similar tactics to carry out attacks against Turkcell, a communication operator in Turkey.<\/p>\n\n\n\n
The attack process of this activity is shown in the figure below:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 3.4 Attack process used by the RedBeard in activity targeting Turkcell<\/p>\n\n\n\n
In this activity, the RedBeard posted a phishing document:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 3.5 Phishing document used by the RedBeard in activity targeting Turkcell<\/p>\n\n\n\n
This phishing document inherits RedBeard’s thinking of social engineering, and is composed of vague document pictures and deceptive information in Turkish language. Analyzing the blurry image reveals that the icon is the same as the Turkcell’s icons.<\/p>\n\n\n\n
The function of this phishing document is not the same as the document for Borusan company. The malicious macro in this document will download and decrypt a piece of data located at http:\/\/167.71.11[.]62\/res.txt, extract the Trojan horse program from it and run it.<\/p>\n\n\n\n
The Trojan horse program is a new Golang backdoor through which RedBeard can control the victim’s host to execute attack commands or download and run other Trojan horse files.<\/p>\n\n\n\n
NSFOCUS Security Labs has named the Trojan horse program GoBeard.<\/p>\n\n\n\n
3.3 Spear phishing targeting banks and Internet companies<\/h2>\n\n\n\n
From February to April 2023, the RedBeard also launched a phishing attack against companies located in Istanbul using a general bait document of social engineering.<\/p>\n\n\n\n
The bait content for such attacks is shown in the following figure:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 3.6 Phishing documents used by the RedBeard in spear phishing against companies in Istanbul<\/p>\n\n\n\n
This document is disguised as a document of the Ministry of Justice transmitted by the National Electronic Notification System (UETS) of Turkey, and the target is required to view its contents.<\/p>\n\n\n\n
The table content in this document is empty, with the aim of tricking the victim to enable Office’s document editing function, thereby triggering malicious macro code within it.<\/p>\n\n\n\n
The RedBeard used this template to send phishing documents to multiple companies, and the company name at the header of the document was adjusted according to the target company. The currently known affected companies are shown in the table below: <\/p>\n\n\n\n
Table 3.1 Known victim companies in RedBeard spear phishing attack<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nSince the above-affected companies are not directly related, it is speculated that the attack activity is a non-directional spear phishing mainly targeting companies or groups set up in Istanbul and Turkey.<\/p>\n\n\n\n
After running the above phishing documents, the GoBeard Trojan horse was also downloaded and run to control the victim host.<\/p>\n\n\n\n
IV. Attack Tools<\/h1>\n\n\n\n4.1 GoBread Trojan horse<\/h2>\n\n\n\n
The RedBeard used a new type of Trojan horse in attacks against Turkcell and spear fishing attacks against multiple Istanbul companies. NSFOCUS Security Labs named the Trojan horse GoBeard according to the information in the file.<\/p>\n\n\n\n
The GoBeard Trojan horse is a malicious program written in Golang. The author compiles it with the Golang version 1.20.1 and uses UPX to shell the program. The main functions of this Trojan horse are to execute specified commands, download files from URI, inject specified ShellCodes, etc.
GoBeard uses TCP to communicate with CnC, and uses Base64 encoding for AES encryption of communication content, increasing the difficulty of being detected.<\/p>\n\n\n\n
4.1.1 Network analysis<\/h3>\n\n\n\n
The Trojan horse uses TCP protocol to communicate:<\/p>\n\n\n\n
After the program starts, the decrypted string gets “TCP”, which is passed in with the hard coded CnC IP named net_ Dial’s function, loop until the connection is successful:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.1 GoBeard and CnC connection<\/p>\n\n\n\n
After successfully connecting, use the network function implemented by the author and wait for CnC to send instructions:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.2 Waiting for CnC instruction<\/p>\n\n\n\n
This function first performs Base64 decoding on the received data, then decrypts the data using AES and parses the instructions to execute the function:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.3 Operations on data in receiving functions<\/p>\n\n\n\n
4.1.2 Detailed analysis<\/h3>\n\n\n\n4.1.2.1 Encryption method<\/h4>\n\n\n\n
The GoBeard Trojan horse encrypts key strings and APIs, and decrypts them when used.<\/p>\n\n\n\n
GoBeard uses the same encryption method for key strings and network communication data, using AES-256-CTR encryption and transcoding to base64 encoding.<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.4 AES encryption in GoBeard<\/p>\n\n\n\n
The key used for AES encryption is 42EA995F878C0EC96135EEAAA0CA4CDFEAF3F031F5C0AC917A36582ECC74083D, with Vi of 094A2DB87CA55321D3FBE7B7A8DB7421. <\/p>\n\n\n\n
4.1.2.2 Execution process<\/h4>\n\n\n\n
GoBeard first decrypts the string and then connects to CnC (if the connection is not successful, it loops for the connection). After the connection is successful, it waits for the CnC command to be received. After the command is parsed, it compares the functional commands to execute subsequent functions. If the command program that does not exist in the Trojan horse is sent, it sends “COMMAND NOT FOUND” to CnC:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.5 GoBeard execution process<\/p>\n\n\n\n
4.1.2.3 Major functions<\/h4>\n\n\n\n
The main functions of GoBeard include executing specified commands, injecting specified shellcode, and downloading files from URLs.<\/p>\n\n\n\n
The Trojan horse executes the specified command. It encrypts the key string and API, and decrypts them when used, increasing the difficulty of being detected.<\/p>\n\n\n\n
By sending a packet, It is proved that the program is running on the target system, and the packet contains the encrypted string ‘Hello C&C’:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.6 Send online packets<\/p>\n\n\n\n
After successfully executing the specified command, the command for execution is sent to CnC while an error message is sent when failed:<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nFigure 4.7 Send specified command<\/p>\n\n\n\n
Table 4.1 GoBeard Command Function Comparison Table<\/p>\n\n\n
<\/a><\/figure>\n<\/div>\n\n\nGoBeard’s shell code execution capability enables it to load mainstream Trojan horses such as CobaltStrike stager to help attackers execute tasks in the post-penetration phase.<\/p>\n\n\n\n
4.2 Stager loader<\/h2>\n\n\n\n
The RedBeard used a special shell code loader during its attack in December 2022, mainly to load the stager shell code payload generated by running the CobaltStrike penetration framework.<\/p>\n\n\n\n
The loader program used the common dynamic loading Windows API technology of shellcode, and encrypts each string used by the program using different XOR keys.<\/p>\n\n\n