On April 18, 2019 a hacker\/hacker organization sold a toolkit of the APT34 group, under the false name of Lab Dookhtegan, on a Telegram channel. The organization also posted screenshots of the tool’s backend panels, where victim data had been collected. Early in the middle of March 2019, this hacker\/hacker organization had released and sold this toolkit on the Internet. Interestingly, the CEO of a security company in Kuwait took to Twitter to stress in particular the authenticity of this post.<\/p>\n
Tools included in the leaked toolkit are listed as follows:<\/p>\n NSFOCUS Security Labs and NSFOCUS M01N Security Research Team made an analysis of this toolkit together and found that tools included in the leaked toolkit differed from the previously released attacks tools of the APT34 group. In this report, we have made a detailed analysis of the leaked tools from the perspectives of tactics, techniques and procedures (TTPs).<\/p>\n In addition to countries in the Middle East, APT34 has also hit China Mainland, Â China Taiwan, Turkey, Albania, and other countries and regions. China Mainland and China Taiwan both received a large proportion of attacks.<\/p>\n Through analysis, we have found 12 malicious WebShell files used to target China Energy Conservation and Environmental Protection Group, China Railway Construction Corporation, and Western Securities Co., Ltd. among other Chinese companies, as well as six such files used to be against companies in Hong Kong, Macao, and Taiwan.<\/p>\n The released toolkit also contains a lot of passwords which are packaged and released in different archives according to information sources.<\/p>\n From the above figure, we can see that the archive names contain airport names and oil company names. More than 12,000 weak passwords were disclosed this time.<\/p>\n The APT34 group, named by FireEye, uses tools and attack approaches that bear a high resemblance to the OilRig organization, an organization active in the Middle East followed up by Palo Alto Networks. The APT34 group started to carry out malicious activities as early as in 2014, targeting governments and the financial, energy, chemical, and telecom sectors. This group, though often seen in the Middle East, also hits China, as indicated in files leaked this time.<\/p>\n On November 4, 2017, FireEye discovered that this group exploited the vulnerability (CVE-2017-11882) to launch attacks by leveraging tools similar to those leaked this time.<\/p>\n During the functional analysis of APT34’s leaked sample, we have ascertained the attack tactics and techniques used by this hacking group, via a reverse deduction based on attack procedures. Overall, four phases of the kill chain are involved: privilege escalation, collection, exfiltration, and command and control.<\/p>\n Privilege Escalation<\/strong><\/p>\n This leaked sample uses multiple WebShell backdoor programs like HighShell, HyperShell, and MinionProject, each of which is a .NET program. Some of these programs encrypt the communications in order to evade defense measures. By reference to the tool use record documents included in the leaked files and the list of websites compromised by APT34, we can see that this hacking group mainly uses these WebShell programs, placed in \/owa\/auth\/, to target the Outlook email system of the Exchange server. This sample’s attack targets are found all around the world, including 14 enterprises in the energy and securities sectors in the Chinese mainland. By the time this report is released, some of those WebShell backdoor programs are still active.<\/p>\n The following figure shows WebShell backdoors targeting companies in China:<\/p>\n The following table lists URLs of active WebShells:<\/p>\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2019\/11\/1109-1.jpg\")
<\/a><\/p>\n\n
<\/a>1.1 Distribution of Attack Targets by Industry<\/strong><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a>1.2 About APT34<\/strong><\/h3>\n
<\/a>2 TTPs<\/strong><\/h2>\n
<\/a><\/p>\n<\/a><\/p>\n