
New APT ChamelGang Targets energy and aviation companies in Russia


ChamelGang APT is a new cyberespionage group that focuses on fuel and energy organizations and the aviation industry in Russia.

ChamelGang is a new APT group that was first spotted in March by researchers at security firm Positive Technologies; it targets Russian companies in the energy and aviation industries.

In March, the cyberespionage group was observed leveraging ProxyShell against targets in 10 countries and used a variety of malware in its campaign.

Now the group is targeting organizations in Russia by exploiting known vulnerabilities such as the Microsoft Exchange ProxyShell issues; it also used a new set of malware to exfiltrate sensitive information from target networks.

The name ChamelGang comes from the word “chameleon”, chosen because the group disguised its malware and network infrastructure as legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.

The threat actors used domains mimicking legitimate ones (newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, mcafee-upgrade.com) and installed SSL certificates on their servers that imitated legitimate ones (github.com, www.ibm.com, jquery.com, update.microsoft-support.net).

Experts pointed out that the ChamelGang group also carried out supply chain attacks in order to reach its actual victims.

The analysis of the techniques used by the threat actors revealed that the ChamelGang group used both known malicious software (i.e. FRP, Cobalt Strike Beacon, and Tiny Shell) and previously undetected malware tracked as ProxyT, BeaconLoader and the DoorMe backdoor.

Positive Technologies experts investigated two attacks conducted by the APT group, which took place in March and August respectively.

The March attack was spotted after the experts noticed that the antivirus software installed on the systems of a Russia-based energy company repeatedly reported the presence of the Cobalt Strike Beacon in RAM.

“At the end of March 2021, the attackers compromised a subsidiary organization to gain access to the energy company’s network, using a vulnerable version of a web application on the JBoss Application Server platform. The investigation revealed that the attackers, having exploited vulnerability CVE-2017-12149, were able to remotely execute commands on the host.” reads the analysis published by the experts. “When analyzing the server logs, vuln6581362514513155613jboss records were found on the compromised host, indicating that the public exploit jboss-_CVE-2017-12149 had been used.”
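The report gives defenders two concrete log-level indicators: the lookalike domains listed above, and the `vuln…jboss` record that the public CVE-2017-12149 exploit left in the JBoss server logs. The following Python script, added here as an example and not part of the original article or the Positive Technologies report, sweeps log lines for both. The log lines are constructed for the example; the indicator values are the ones quoted on this page, and the `vuln\d+jboss` pattern is an assumption generalizing from the single quoted record.

```python
"""Sweep constructed DNS/proxy and JBoss server log lines for the ChamelGang
indicators quoted in the article: five lookalike domains and the
'vuln...jboss' record left behind by the public CVE-2017-12149 exploit."""
import re
from typing import Optional

# Lookalike domains as quoted from the Positive Technologies report.
LOOKALIKE_DOMAINS = {
    "newtrendmicro.com",
    "centralgoogle.com",
    "microsoft-support.net",
    "cdn-chrome.com",
    "mcafee-upgrade.com",
}

# The article quotes one record, "vuln6581362514513155613jboss". Matching the
# digit run loosely is an assumption; the 'vuln' + digits + 'jboss' shape is
# what is treated as constant here.
JBOSS_EXPLOIT_MARKER = re.compile(r"\bvuln\d+jboss\b", re.IGNORECASE)

# Loose hostname extraction: dotted labels ending in an alphabetic TLD, so
# bare IPv4 addresses are not picked up.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def lookalike_match(host: str) -> Optional[str]:
    """Return the lookalike domain that `host` equals or is a subdomain of,
    or None. Comparison is case-insensitive and ignores a trailing dot."""
    host = host.lower().rstrip(".")
    for domain in LOOKALIKE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_line(line: str) -> Optional[dict]:
    """Classify one log line; None when it carries no known indicator."""
    if JBOSS_EXPLOIT_MARKER.search(line):
        return {"kind": "jboss-exploit-marker", "line": line}
    for host in HOST_RE.findall(line):
        domain = lookalike_match(host)
        if domain:
            return {
                "kind": "lookalike-domain",
                "indicator": domain,
                "host": host.lower(),
                "line": line,
            }
    return None


def scan_logs(lines) -> list:
    """Return every hit across an iterable of log lines, in order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log lines (not real telemetry). Lines 2 and 5 reference
# the genuine microsoft.com and ibm.com and must not produce hits.
SAMPLE_LOGS = [
    "2021-03-28T10:14:02Z proxy allow src=10.0.0.5 GET https://cdn.newtrendmicro.com/update.bin",
    "2021-03-28T10:15:40Z dns query A update.microsoft.com from 10.0.0.5",
    "2021-03-28T10:16:11Z dns query A microsoft-support.net from 10.0.0.7",
    "2021-03-25T02:01:33Z server.log WARN request trace vuln6581362514513155613jboss",
    "2021-03-28T10:20:00Z proxy allow src=10.0.0.9 GET https://www.ibm.com/",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["kind"], hit.get("host", ""), "<-", hit["line"])
```

The subdomain check matters: `cdn.newtrendmicro.com` is a hit, while `support.microsoft.com` is not, because the lookalike is `microsoft-support.net` rather than anything under `microsoft.com`. On a real estate the same functions can be fed DNS resolver logs, proxy logs and JBoss `server.log` lines directly.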

Once they had gained access to the target network through the supply chain attack, the attackers deployed post-exploitation tools to maintain persistence and exfiltrate information. Experts reported the use of Tiny Shell and the Cobalt Strike Beacon.

The attackers staged the collected data on web servers inside the compromised network and then downloaded it using the Wget utility.

The August attack was aimed at a Russian organization from the industry.

“We notified the affected company on time—four days after the server was compromised—and, in cooperation with its employees, promptly eliminated the threat. In total, the attackers remained in the victim’s network for eight days, and two weeks passed from the moment of notification to the completion of the incident response and investigation.” continues the report. “According to our data, the APT group did not expect that its backdoors would be detected so quickly, so it did not have time to develop the attack further.”

Experts reported that the threat actors used ProxyShell flaws in this second attack and installed the backdoor DoorMe v2 on two mail servers (Microsoft Exchange Server) on the victim’s network. 

ChamelGang backdoor

Then the attackers used BeaconLoader for lateral movement and the Cobalt Strike Beacon.

Positive Technologies researchers determined that the hackers had compromised another 13 organizations in the US, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In most of these attacks, the threat actors compromised Microsoft Exchange Servers by exploiting the ProxyLogon and ProxyShell flaws.

“Trusted relationship attacks are rare today due to the complexity of their execution. Using this method in the first case, the ChamelGang group was able to achieve its goal and steal data from the compromised network. Also, the group tried to disguise its activity as legitimate, using OS features and plausible phishing domains. In addition, the attackers left a passive backdoor DoorMe in the form of a module for the IIS server.” concludes the report. “We predict that the trend using the supply chain method will continue. New APT groups using this method to achieve their goals will appear on stage.”

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, ChamelGang)
