Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks

Pierluigi Paganini June 08, 2019

Cisco Talos experts uncovered a new wave of attacks tracked as Frankenstein campaign, attackers used tools built by combining four open-source techniques.

Security experts at Cisco Talos uncovered a series of highly targeted attacks, tracked as Frankenstein campaign, hackers used tools built by combining four different open-source techniques.

Attackers behind the Frankenstein campaign carried out several malware-based attacks between January and April 2019. Talos researchers discovered a low volume of documents in various malware repositories.

“Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the Frankenstein campaign.” reads the analysis published by Cisco Talos. “We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.”

Researchers at Talos team believe the attackers are moderately sophisticated but highly resourceful.

The attackers used multiple anti-detection techniques such as checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the malicious code was running in a virtualized environment.

Other anti-detection techniques such as only responding to GET requests that contained predefined fields, and using encryption to protect data in transit.

Talos experts identified two weaponized Word documents used in the Frankenstein campaign that were likely sent to the victims via emails. The first document named “MinutesofMeeting-2May19.docx“, displays the national flag of Jordan, once opened it will fetch a remote template and trigger the CVE-2017-11882 exploit to execute code on the target machine.

“Once the victim opens the document, it fetches a remove template from the actor-controlled website, hxxp://droobox[.]online:80/luncher.doc. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim’s machine. After the exploit, the file would run a command script to set up persistence as a scheduled task named “WinUpdate”.” continues the analysis. 

“/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR” That scheduled task would run a series of base64-encoded PowerShell commands that acted as a stager.”

frankenstein campaign

The second sample prompts the victim to enable macros and run a Visual Basic script. 

One of the documents detected by the experts appears as a document created by the security firm Kaspersky, in other two cases attackers used documents specifically designed to target Middle Eastern entities.

Experts also described a

In the second scenario observed by Talos, threat actors used a weaponized document. When the macro is enabled, it executes a Visual Basic Application (VBA) script implementing two anti-analysis features. 

The script first queries Windows Management Instrumentation (WMI) to check if specific applications are running: VMWare, Vbox, Process Explorer, Process Hacker, ProcMon, Visual Basic, Fiddler, and WireShark. Then the script checks if specific tasks are running: VMWare, Vbox, VxStream, AutoIT, VMtools, TCPView, WireShark, Process Explorer, Visual Basic, and Fiddler. 

If the script finds one of the above apps or tasks it halts its execution, otherwise it calls WMI and determines the number of cores allocated to the system and exits if the number of cores is less than two. 

Once the evasion checks were complete, the attackers used MSbuild to execute an actor-created file named “LOCALAPPDATA\Intel\instal.xml”. According to Talos, threat actors chose MSBuild because it is a signed Microsoft binary, this feature allows to bypass application whitelisting controls on the host when being used to execute arbitrary code. 

Attackers used a PowerShell Empire agent to gather information on the local system, including Username, Domain name, Machine name, Public IP address, administrative privileges, currently running processes, operating system version, and the security system’s SHA256 HMAC. 

Then the data is sent back to the C&C server via an encrypted channel.

“A campaign that leverages custom tools is more easily attributed to the tools’ developers. One example of this was the code overlap in the VPNFilter malware that allowed us to associate the activity with the BlackEnergy malware.” Talos concludes. “By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Frankenstein campaign, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment