I. Summary

Recently, NSFOCUS Security Labs observed some phishing attacks targeting Turkish companies, including the Turkish industrial group Borusan Holding, communication operator Turkcell, bank Vakıf Katılım, and online lottery service company Nesine. The attacker placed different types of phishing documents and new Trojan programs in this group of activities to steal file data of the target companies and plan for long-term control of these companies’ devices.

The attacker claimed to be The RedBeard in the malicious code. So in this report, RedBeard will be referred to as the attacker.

II. About RedBeard

Through correlation analysis, NSFOCUS Security Labs determined that the RedBeard in this incident was a new threat actor group or individual, mainly targeting various companies in Turkey. It is speculated that its profit comes from selling they steal.

The RedBeard uses simple and effective attacks, but also has some innovation in the choice of attack tools and attack ideas. It prefers to launch internal watering hole attacks using the target compromised website as a springboard.

The RedBeard’s known tool library includes a macro document for collecting victim information, a CoblatStrike penetration framework, a stager loader, and a new Trojan horse GoBeard.

Currently, the RedBeard has not disclosed any information related to its geographical location.

III. Attack Activities

3.1 Attack Targeting Borusan Holding

The earliest traceable activity of the RedBeard began in November 2022, mainly targeting a company called Borusan Holding.

The general attack process of the RedBeard in this activity is shown as below:

Figure 3.1 Attack process used by the RedBeard in activities targeting Borusan Holding

In this activity, the RedBeard first intruded and controlled a network device belonging to Borusan Holding (the corresponding IP address is 5.252.4.51), and deployed a Trojan horse control terminal in the device to implement phishing attacks against this company.

It has not been confirmed how the RedBeard invaded the network device.

The RedBeard deployed Apache HTTP server version 2.4.41 on the invaded network device and forged the Google Drive download page as shown below:

Figure 3.2 Forged site by the RedBeard for watering hole attacks

Looking at the source code of the webpage, we can find that the watering hole site was modified and generated from the corresponding Google Drive page in the Turkish language.

After clicking the Download button on the page, a phishing file named borusan.xlsm will be downloaded from https[:]//borusan.drive-myaccount.com/?download=.

The following content will be displayed when opening the phishing document:

Figure 3.3 Phishing document used by the RedBeard in activity targeting Borusan Holding

The phishing document contained the trademark of Borusan Holding and blurred it, and deceive the victim to do as Turkish prompt information to run the macro code in the document.

After the code in the phishing document is run, basic information and screenshots of the victim’s host will be collected and sent to the 5.252.4.51 network device controlled by the RedBeard.

The above attack method is in line with the commonly used asset detection and information collection logic of threat actors in the post-penetration stage. It can be inferred that the direct target of the RedBeard is staff in Borusan Holding company. Using the staff device, the threat actor probed the target assets and got prepared for subsequent malicious behaviors.

In this attack activity, a unique feature is that the RedBeard ultimately chose phishing documents to implement information collection operations, which may be to bypass firewalls and traffic detection devices.

Judging from the status of the above watering hole sites this attack lasted more than 5 months.

3.2 Attack against Turkcell

During the period from March to April 2023, the RedBeard used similar tactics to carry out attacks against Turkcell, a communication operator in Turkey.

The attack process of this activity is shown in the figure below:

Figure 3.4 Attack process used by the RedBeard in activity targeting Turkcell

In this activity, the RedBeard posted a phishing document:

Figure 3.5 Phishing document used by the RedBeard in activity targeting Turkcell

This phishing document inherits RedBeard’s thinking of social engineering, and is composed of vague document pictures and deceptive information in Turkish language. Analyzing the blurry image reveals that the icon is the same as the Turkcell’s icons.

The function of this phishing document is not the same as the document for Borusan company. The malicious macro in this document will download and decrypt a piece of data located at http://167.71.11[.]62/res.txt, extract the Trojan horse program from it and run it.

The Trojan horse program is a new Golang backdoor through which RedBeard can control the victim’s host to execute attack commands or download and run other Trojan horse files.

NSFOCUS Security Labs has named the Trojan horse program GoBeard.

3.3 Spear phishing targeting banks and Internet companies

From February to April 2023, the RedBeard also launched a phishing attack against companies located in Istanbul using a general bait document of social engineering.

The bait content for such attacks is shown in the following figure:

Figure 3.6 Phishing documents used by the RedBeard in spear phishing against companies in Istanbul

This document is disguised as a document of the Ministry of Justice transmitted by the National Electronic Notification System (UETS) of Turkey, and the target is required to view its contents.

The table content in this document is empty, with the aim of tricking the victim to enable Office’s document editing function, thereby triggering malicious macro code within it.

The RedBeard used this template to send phishing documents to multiple companies, and the company name at the header of the document was adjusted according to the target company. The currently known affected companies are shown in the table below:

Table 3.1 Known victim companies in RedBeard spear phishing attack

Since the above-affected companies are not directly related, it is speculated that the attack activity is a non-directional spear phishing mainly targeting companies or groups set up in Istanbul and Turkey.

After running the above phishing documents, the GoBeard Trojan horse was also downloaded and run to control the victim host.

IV. Attack Tools

4.1 GoBread Trojan horse

The RedBeard used a new type of Trojan horse in attacks against Turkcell and spear fishing attacks against multiple Istanbul companies. NSFOCUS Security Labs named the Trojan horse GoBeard according to the information in the file.

The GoBeard Trojan horse is a malicious program written in Golang. The author compiles it with the Golang version 1.20.1 and uses UPX to shell the program. The main functions of this Trojan horse are to execute specified commands, download files from URI, inject specified ShellCodes, etc.
GoBeard uses TCP to communicate with CnC, and uses Base64 encoding for AES encryption of communication content, increasing the difficulty of being detected.

4.1.1 Network analysis

The Trojan horse uses TCP protocol to communicate:

After the program starts, the decrypted string gets “TCP”, which is passed in with the hard coded CnC IP named net_ Dial’s function, loop until the connection is successful:

Figure 4.1 GoBeard and CnC connection

After successfully connecting, use the network function implemented by the author and wait for CnC to send instructions:

Figure 4.2 Waiting for CnC instruction

This function first performs Base64 decoding on the received data, then decrypts the data using AES and parses the instructions to execute the function:

Figure 4.3 Operations on data in receiving functions

4.1.2 Detailed analysis

4.1.2.1 Encryption method

The GoBeard Trojan horse encrypts key strings and APIs, and decrypts them when used.

GoBeard uses the same encryption method for key strings and network communication data, using AES-256-CTR encryption and transcoding to base64 encoding.

Figure 4.4 AES encryption in GoBeard

The key used for AES encryption is 42EA995F878C0EC96135EEAAA0CA4CDFEAF3F031F5C0AC917A36582ECC74083D, with Vi of 094A2DB87CA55321D3FBE7B7A8DB7421.

4.1.2.2 Execution process

GoBeard first decrypts the string and then connects to CnC (if the connection is not successful, it loops for the connection). After the connection is successful, it waits for the CnC command to be received. After the command is parsed, it compares the functional commands to execute subsequent functions. If the command program that does not exist in the Trojan horse is sent, it sends “COMMAND NOT FOUND” to CnC:

Figure 4.5 GoBeard execution process

4.1.2.3 Major functions

The main functions of GoBeard include executing specified commands, injecting specified shellcode, and downloading files from URLs.

The Trojan horse executes the specified command. It encrypts the key string and API, and decrypts them when used, increasing the difficulty of being detected.

By sending a packet, It is proved that the program is running on the target system, and the packet contains the encrypted string ‘Hello C&C’:

Figure 4.6 Send online packets

After successfully executing the specified command, the command for execution is sent to CnC while an error message is sent when failed:

Figure 4.7 Send specified command

Table 4.1 GoBeard Command Function Comparison Table

GoBeard’s shell code execution capability enables it to load mainstream Trojan horses such as CobaltStrike stager to help attackers execute tasks in the post-penetration phase.

4.2 Stager loader

The RedBeard used a special shell code loader during its attack in December 2022, mainly to load the stager shell code payload generated by running the CobaltStrike penetration framework.

The loader program used the common dynamic loading Windows API technology of shellcode, and encrypts each string used by the program using different XOR keys.

Figure 4.8 String encryption strategy in the Stager Loader used by the RedBeard

This program runs the stager payload within it by injecting itself. It has been found that the CnC of the stager carried in the sample is 167.71.11.62, which is consistent with the CnC address used in the RedBeard’s attack against Turkcell.

Figure 4.9 The stager information carried in the stager loader used by the RedBeard

V. Conclusion

NSFOCUS Security Labs observed that phishing attacks against Turkey have continuously been increasing since 2022. The RedBeard attack disclosed this time is a representative of such events.

The attack tactics of the RedBeard are simple and effective. The events that have occurred show that the tactic of watering hole sites in the white list that RedBeard relies on is the key to its successful lateral movement.

In response to such attack ideas, how to avoid the abuse of vulnerable devices and how to defend against secondary infiltration behavior carried out through internal devices should become the focus of attention for companies when building a defense system.

VI. IoCs

Phishing documents:

461a297aad0cc43ae86dcb3347615b224778e86fb57ad3eb781cc0A863438326

7fefbddf11970fea1dec8c2618f8c3819544c79309bf595207f6f601d1861ef5

E61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e

7986f166a864c4b19bac2ccacdd91cecf46b95f073ecc78ed521e8b4fa307053

E4aa4ba8503fac18dcbed4285d3186d5b4fc80f5584b5eacde2bf3026f068f49

Stager loader Trojan horse:

1f7c495e77ffcc0b160ff675bc9b8c774fe3fbc2acb416ecae60dcae2fcb7ca3

GoBeard Trojan horses:

063edf9cb113941Eb73b3db4a34ac0c9f82a756ded9b0dc974dc9a85b466c169

1e27243ac8e2edff7d5be32a012530add1bae71ad5452064dfcd35e69d95f313

GoBeard CnC:

146.190.207.64:8080

167.71.11.62:8080

Site used for watering hole attack

5.252.4.51