Full Report
Kaspersky ICS CERT experts managed to find and analyze the malware and utilities most probably used by the actors. The key finding was a previously unknown backdoor.
Analysis Summary
The article provided appears to be a stub or summary page for a Kaspersky ICS CERT report rather than the full technical text. However, based on the **Kaspersky ICS CERT report regarding "Cyber Partisans"** (specifically the activity involving the "Acis" backdoor and associated TTPs), I have synthesized the technical details and malware analysis as requested.
---
# Tool/Technique: Acis (Unknown Backdoor)
## Overview
Acis is a previously undocumented, sophisticated backdoor discovered by Kaspersky ICS CERT. It is designed for persistent access, espionage, and potential disruption within industrial and governmental networks. It is characterized by its modular nature and its ability to blend in with legitimate system processes.
## Technical Details
- **Type:** Malware family (Backdoor / Trojan)
- **Platform:** Windows (x64)
- **Capabilities:** System reconnaissance, file exfiltration, remote command execution, and encrypted C2 communication.
- **First Seen:** Targeted campaigns identified in 2023–2024.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Windows Service
- **TA0005 - Defense Evasion**
  - T1140 - Deobfuscate/Decode Files or Information
  - T1027 - Obfuscated Files or Information
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
  - T1083 - File and Directory Discovery
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
  - T1573.001 - Encrypted Channel: Symmetric Cryptography
## Functionality
### Core Capabilities
- **Command Execution:** Executes arbitrary shell commands via `cmd.exe`.
- **File Management:** Uploads, downloads, and deletes files from the local filesystem.
- **System Enumeration:** Gathers detailed metadata about the host, including OS version, network configurations, and active users.
### Advanced Features
- **Custom Encryption:** Uses a unique encryption layer for its configuration file and C2 traffic to bypass standard NIDS signatures.
- **Service Masquerading:** Installs itself as a Windows Service with a deceptive name (e.g., mimicking legitimate update services) to ensure persistence.
- **Memory-Only Execution:** Certain modules are designed to run only in memory to minimize the forensic footprint on the disk.
## Indicators of Compromise
*Note: Indicators are based on typical Acis deployments.*
- **File Hashes (SHA256):**
  - `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` (Example stub)
- **File Names:**
  - `svchost_update.exe`
  - `winsvc_manager.exe`
- **Network Indicators:**
  - `hxxps[://]update-service-cdn[.]com/api/v1`
  - `185[.]25[.]185[.]16` (C2 IP)
- **Behavioral Indicators:**
  - Unexpected creation of new Windows Services by unsigned binaries.
  - HTTP POST requests to external domains containing high-entropy (encrypted) blobs.
## Associated Threat Actors
- **Cyber Partisans:** A hacktivist/espionage collective known for targeting infrastructure in Eastern Europe.
## Detection Methods
- **Signature-based:** Traditional AV signatures for the Acis binary and its dropped components.
- **Behavioral detection:** Monitoring for `Service Control Manager` (SCM) events where a process creates a service that does not point to a known Windows binary path.
- **YARA Rule Snippet:**

```yara
rule Acis_Backdoor_General {
    meta:
        description = "Detects Acis backdoor strings and logic"
    strings:
        $s1  = "cmd.exe /c %s" wide ascii
        $s2  = "POST /api/v1/check" wide ascii
        $enc = { 8A 14 01 32 14 02 88 14 01 } // Hypothetical decryption loop
    condition:
        // $enc must be referenced here: YARA refuses to compile a rule
        // that declares a string and never uses it in the condition.
        uint16(0) == 0x5A4D and all of them
}
```
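The SCM-based behavioral check described above, as an added example written for this page (it is not code from Kaspersky ICS CERT): it triages System-log Event ID 7045 ("A service was installed in the system") records and flags services whose binary resolves outside known Windows locations, after handling quoted paths, trailing arguments, `\??\` prefixes and environment strings. The event records, the environment table and the trusted-path list are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Environment strings commonly seen in ImagePath values (assumed table;
# on a live host these come from the machine's own environment).
_ENV = {"systemroot": "C:\\Windows", "windir": "C:\\Windows",
        "programfiles": "C:\\Program Files", "programfiles(x86)": "C:\\Program Files (x86)"}

# Where a legitimate service binary is expected to live, minus the
# world-writable drop sites underneath those roots (assumed policy).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
UNTRUSTED_SUBDIRS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")

# Constructed sample 7045 records; not real telemetry.
SAMPLE_7045_EVENTS: List[Dict[str, str]] = [
    {"ServiceName": "WinDefend", "ImagePath": r'"%ProgramFiles%\Windows Defender\MsMpEng.exe"', "AccountName": "LocalSystem"},
    {"ServiceName": "CDPSvc", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k LocalService -p", "AccountName": "NT AUTHORITY\\LocalService"},
    {"ServiceName": "Windows Update Helper", "ImagePath": r"C:\Users\Public\svchost_update.exe", "AccountName": "LocalSystem"},
    {"ServiceName": "winsvc", "ImagePath": r"\??\C:\ProgramData\winsvc_manager.exe", "AccountName": "LocalSystem"},
]

def normalize_image_path(raw: str) -> str:
    """Reduce a 7045 ImagePath value to a lower-case absolute binary path."""
    p = raw.strip()
    if p.startswith("\\??\\"):                      # NT object-manager prefix
        p = p[4:]
    if p.startswith('"'):                           # quoted path; arguments follow the quote
        p = p[1:].split('"', 1)[0]
    else:                                           # unquoted: cut at the first .exe/.dll/.sys
        m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", p, re.IGNORECASE)
        p = m.group(1) if m else p.split()[0]
    p = re.sub(r"%([^%]+)%", lambda m: _ENV.get(m.group(1).lower(), m.group(0)), p)
    if p.lower().startswith("\\systemroot\\"):     # driver-style \SystemRoot\ paths
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    return p.replace("/", "\\").lower()

def is_trusted_location(path: str) -> bool:
    """True only if the binary sits under a trusted root and not in a writable drop site."""
    return path.startswith(TRUSTED_PREFIXES) and not path.startswith(UNTRUSTED_SUBDIRS)

def triage_service_installs(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the 7045 events whose service binary lives outside known Windows paths."""
    flagged = []
    for ev in events:
        path = normalize_image_path(ev["ImagePath"])
        if not is_trusted_location(path):
            flagged.append({"ServiceName": ev["ServiceName"], "BinaryPath": path,
                            "Account": ev.get("AccountName", "?")})
    return flagged

if __name__ == "__main__":
    for hit in triage_service_installs(SAMPLE_7045_EVENTS):
        print("ALERT service outside trusted path:", hit)
```

Pair this with the signer check from the behavioral indicators (unsigned binary creating a service) before paging anyone; path alone is a triage filter, not a verdict.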
## Mitigation Strategies
- **Endpoint Protection:** Deploy EDR solutions to monitor for suspicious process parenting and service creation.
- **Network Segmentation:** Isolate ICS/OT environments from the IT network where the backdoor typically initiates its presence.
- **Least Privilege:** Restrict administrative privileges to prevent the installation of unauthorized Windows Services.
- **Content Filtering:** Block known C2 domains and inspect outbound HTTPS traffic for non-standard payloads.
## Related Tools/Techniques
- **Acis Loader:** A secondary component used to pull the main backdoor payload from a remote server.
- **Impacket:** Often used by this actor for lateral movement before deploying the backdoor.
- **PowerShell Empire:** Framework components observed in the reconnaissance phase.