Overview
QiAnXin Threat Intelligence Center observed an unknown threat actor group towards the end of 2022. They were impersonating some common software download pages and buying Google search ranking to deploy these fake websites ahead of official websites. Their aim was to induce victims into downloading installation packages that had unofficial but valid signatures, repackaged using Inno Setup.
Due to the complexity of their attack chain and the need for manual operations by the attackers, the final payload remained elusive. This made it difficult to attribute the attacks until mid-2023 when we noticed the delivery of TeamViewer's DLL Sideloading component via SFTP to compromised endpoints in East Asia and North America. This activity led us to believe that this group was related to the attacks against security researchers disclosed by Zscaler ThreatLab in 2021 [1].
The phishing activity timeline for this group in the past year is as follows:
Attack Chain
The attack chain for Operation HideBear's recent phishing activity is as follows:
The focus of the entire execution chain is on SSH reverse tunnels. Since OpenSSH is a legitimate white file, it's relatively easy to bypass EDR endpoint detections. In the end, the attackers used sftp-server.exe to deliver the TeamViewer hijacking component to the victim's machine. After analyzing the sample obfuscated with Themida, we discovered it was the MINEBRIDGE RAT. Furthermore, we found the use of AnyDesk and an attempt to propagate laterally using PsExec. During the decryption of keys, the attackers utilized the [System.Security.Cryptography.ProtectedData]::Unprotect function, indicating that data decryption can only be performed within the victim machine's user context.
In this phishing campaign, four legitimate signatures were used. Some of these signatures were still valid as of the completion of the report. Further analysis found that the group had also employed the Amadey commercial Trojan, although its purpose remained unknown.
| - | - |
|---|---|
| Thumbprint | Signature |
| FC2BDF5BD23470669F63B9A5BAE6305160DCBC67 | GUTON LLC |
| A05536924F1BA8F99BA6B1AA3C97B809E32A477E | NTB CONSULTING SERVICES INC. |
| A1C753F5271F24B8067AC864BB4192C37265840C | OOO RIMMA |
| 9A865A28A85CABC3F79C88BE54AF3B20962BC35C | KATEN LLC |
We have also discovered the latest variant of MINEBRIDGE RAT. The sample appears to have undergone obfuscation via LLVM, removing some older C&C instructions. Upon execution, it retrieves a DLL from the C&C server and loads it into memory. The primary function of this DLL is to create a pipeline for executing PowerShell commands delivered by the C&C server, and the executed PowerShell scripts are consistent with the scripts used for downloading the SSH component as mentioned above.
Attribution and Impact
The registration times of the front domains accessed in the Inno Setup installation packages suggest that the group has been active since 2021. However, during this time, there were very few reports in the OSINT community about MINEBRIDGE. In this vacuum, the attackers' activities seemed to be challenging to trace. We discovered several built-in domains in MINEBRIDGE, including one with a CN ending. Some of these domains have expired. Historical resolution records indicate that they once used Cloudflare CDN nodes to conceal their real IP between 2021 and 2022.
| - | - |
|---|---|
| Start Time for CDN Node Resolution | End Time for CDN Node Resolution |
| 2021-10-01 | 2022-09-01 |
| 2021-09-04 | 2022-09-03 |
| 2021-10-01 | 2022-04-24 |
Based on the data rolled back by QiAnXin's big data, we found that during the period when malicious domains resolved to Cloudflare CDN nodes, there was communication with the domains from corporate dedicated lines and home broadband in mainland China. The enterprises involved were in sectors like cryptocurrency, electronic components, technology, investment, and healthcare.
Operation HideBear's infrastructure distribution is as follows:
This implies that MINEBRIDGE's activities are not solely economically motivated, but there is also an objective of stealing electronic information technology and medical technology. Mandiant first disclosed [2] MINEBRIDGE in 2020, mentioning that it might be a subset of TA505 or an entirely new group. Subsequent reports from other vendors have attributed it to TA505. From the information we currently have, it seems more likely that MINEBRIDGE is operated by a new threat group. This threat group has been disclosed by Microsoft Threat Intelligence Center as Storm-0978 (RomCom) [3]. The phishing techniques used in Operation HideBear are similar to those used by Storm-0978. Both activities involve the forgery of the Advanced IP Scanner installer package. More importantly, we found that the Operation HideBear campaign and Storm-0978 (RomCom) used an identical framework to create the fake websites. Hence, we have medium to high confidence that Storm-0978 (RomCom), TA505, and MINEBRIDGE have deep connections.
Summary
Currently, all products of QiAnXin Threat Intelligence Center, including QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, support accurate detection of such attacks.
IOC
For detailed indicators of compromise (IOCs) related to this threat actor, please contact QiAnXin Threat Intelligence Center at ti.qianxin.com.
Reference Links
[1].https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures
[2].https://www.mandiant.com/resources/blog/stomp-2-dis-brilliance-in-the-visual-basics
[3].https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/