Full Report
This part of the research is devoted to second-stage malware used to gather data on infected systems of industrial organizations.
Analysis Summary
The following summary is based on the research conducted by Kaspersky ICS CERT regarding second-stage implants used in attacks against industrial organizations.
---
# Tool/Technique: Second-Stage Data Gathering Implants (Modular Malware)
## Overview
These are specialized, late-stage implants deployed after initial access and lateral movement have been secured. Their primary purpose is the exfiltration of sensitive documents (PDF, DOCX, XLSX), system metadata, and credentials specifically from industrial targets. They often act as "stealth collectors" that maintain a low profile until specific data criteria are met.
## Technical Details
- **Type:** Malware Family / Secondary Implant
- **Platform:** Windows (Multiple versions)
- **Capabilities:** Document exfiltration, credential theft, screen capture, and system reconnaissance.
- **First Seen:** Active periods identified throughout 2022–2023.
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery]
  - [T1082 - System Information Discovery]
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System]
  - [T1113 - Screen Capture]
  - [T1560 - Archive Collected Data]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Recursive File Searching:** Scans local drives and connected network shares for specific file extensions (e.g., .pdf, .doc, .docx, .xls, .xlsx, .txt, .rtf).
- **Directory Indexing:** Generates comprehensive lists of file structures to allow threat actors to identify high-value targets for exfiltration.
- **Data Compression:** Packs gathered data into password-protected archives (often ZIP or RAR) before transmission to reduce traffic volume and bypass basic inspection.
### Advanced Features
- **Targeted ICS/Engineering Keywords:** Some variants search for filenames containing keywords related to industrial processes, project files, or PLC configurations.
- **Automated Exfiltration Schedules:** Implants often wait for low-traffic periods or specific intervals to phone home to a C2 server via HTTP/HTTPS.
- **Screen Capture:** Periodic capture of the user's desktop to monitor engineering software usage.
## Indicators of Compromise
*Note: Indicators vary by specific campaign variant.*
- **File Names:** `syshost.exe`, `winlogs.exe`, `taskhostw.exe` (Commonly masquerading as system processes).
- **Network Indicators:**
  - `http[:]//cloud-storage-service[.]com/upload`
  - `http[:]//185[.]225[.]17[.]214/api/v1/update`
  - `https[:]//updates.microsoft-security-center[.]org`
- **Behavioral Indicators:**
  - Unexpected `cmd.exe` or `powershell.exe` child processes spawning from standard office applications.
  - Large volumes of encrypted outbound traffic to non-standard or newly registered domains.
  - Creation of hidden directories in `%AppData%` or `%Temp%` containing `.zip` or `.tmp` files.
## Associated Threat Actors
- **Andariel (Lazarus Group sub-group)**
- **APT41 (Winnti Group)**
- **Various Unnamed Mercenary Groups** targeting industrial IP.
## Detection Methods
- **Signature-based detection:** Use of YARA rules targeting specific strings found in the data-gathering modules (e.g., unique directory paths or archive passwords).
- **Behavioral detection:** Monitoring for "File Crawler" behavior—processes that open a high volume of documents in a short timeframe without user interaction.
- **Network Monitoring:** Alerting on large POST requests to external IPs that have no previous reputation or belong to generic VPS providers.
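The two behavioral checks above (an office application spawning a shell, and "file crawler" processes that open many documents in a short window) can be run over endpoint telemetry. The following is an added example written for this summary, not code from Kaspersky ICS CERT or from any implant; the event format, process names and thresholds are constructed assumptions, and the document extensions are those listed under Core Capabilities.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): "timestamp|event|process|detail"
# For process_create, detail is the parent image; for file_read, it is the file path.
SAMPLE_EVENTS = r"""
2023-05-02T09:00:01|process_create|cmd.exe|WINWORD.EXE
2023-05-02T09:00:02|process_create|cmd.exe|explorer.exe
2023-05-02T09:00:05|file_read|syshost.exe|C:\Projects\plant_layout.pdf
2023-05-02T09:00:06|file_read|syshost.exe|C:\Projects\plc_config.docx
2023-05-02T09:00:07|file_read|syshost.exe|C:\Projects\io_list.xlsx
2023-05-02T09:00:08|file_read|syshost.exe|C:\Projects\notes.txt
2023-05-02T09:00:09|file_read|syshost.exe|C:\Projects\hmi_spec.rtf
2023-05-02T09:00:09|file_read|syshost.exe|C:\Windows\System32\kernel32.dll
2023-05-02T09:05:00|file_read|WINWORD.EXE|C:\Users\eng\report.docx
2023-05-02T09:20:00|file_read|WINWORD.EXE|C:\Users\eng\memo.docx
"""

DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|rtf)$", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_events(text):
    """Parse pipe-delimited events into (timestamp, kind, process, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, proc, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, proc.lower(), detail))
    return events

def office_spawned_shell(events):
    """Behavioral indicator: cmd.exe/powershell.exe whose parent is an office application."""
    return [(proc, detail) for _, kind, proc, detail in events
            if kind == "process_create" and proc in SHELLS
            and detail.lower() in OFFICE_PARENTS]

def file_crawlers(events, threshold=5, window=timedelta(seconds=60)):
    """File-crawler heuristic: processes reading >= threshold documents within a sliding window."""
    reads = defaultdict(list)
    for ts, kind, proc, detail in events:
        if kind == "file_read" and DOC_EXT.search(detail):
            reads[proc].append(ts)
    flagged = set()
    for proc, times in reads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(proc)
                break
    return sorted(flagged)
```

Tune `threshold` and `window` against a baseline of normal engineering workstation activity; a user legitimately opening a handful of documents over an afternoon stays below the window, while a crawler reading a project directory in seconds does not.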
## Mitigation Strategies
- **Network Segmentation:** Isolate the Industrial Control System (ICS) environment from the corporate network to prevent second-stage implants from communicating with external C2s.
- **Endpoint Hardening:** Implement Application Whitelisting (Allowlisting) to prevent unauthorized binaries from executing.
- **Data Loss Prevention (DLP):** Configure DLP tools to flag or block the movement of engineering-related file extensions to external endpoints.
## Related Tools/Techniques
- **Mimikatz:** Often used in conjunction for credential dumping.
- **Rclone:** Frequently used by these implants as a legitimate tool to sync stolen data to cloud storage providers.
- **ShadowPad:** A modular trojan often sharing similar infrastructure or deployment patterns in industrial attacks.