Skip to content

This is a simulation of attack by Fancy Bear group (APT28) targeting high-ranking government officials Western Asia and Eastern Europe

Notifications You must be signed in to change notification settings

S3N4T0R-0X0/APT28-Adversary-Simulation

Repository files navigation

Fancy Bear APT28 Adversary Simulation

This is a simulation of attack by Fancy Bear group (APT28) targeting high-ranking government officials Western Asia and Eastern Europe the attack campaign was active from October to November 2021, The attack chain starts with the execution of an Excel downloader sent to the victim via email which exploits an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory, I relied on trellix tofigure out the details to make this simulation: https://www.trellix.com/blogs/research/prime-ministers-office-compromised/

photo_2024-04-06_23-42-01

This attack included several stages including exploitation of the CVE-2021-40444 vulnerability through which remote access execution can be accessed through word file this is done by injecting the DLL into Word file through this exploit, Also use OneDrive c2 Server to get command and control and this is to data exfiltration with hide malicious activities among the legitimate traffic to OneDrive.

1.Create dll downloads files through base64, This is to download two files the first is (dfsvc.dll) the second is (Stager.dll).

2.Exploiting the zero-day vulnerability to inject the DLL file into Word File and create an execution for DLL by opening Word File.

3.Word File is running and the actual payload is downloaded through DLLDownloader.dll and we have two files Stager.dll and dfsvc.dll.

4.The Stager decrypts the actual payload and runs it which in turn is responsible for command and control.

5.Data exfiltration over OneDrive API C2 Channe, This integrates OneDrive API functionality to facilitate communication between the compromised system and the attacker-controlled server thereby potentially hiding the traffic within legitimate OneDrive communication.

6.Get Command and Control through payload uses the OneDrive API to upload data including command output to OneDrive, the payload calculates the CRC32 checksum of the MachineGuid and includes it in the communication with the server for identification purposes.

Screenshot from 2024-04-08 01-28-29

The first stage (delivery technique)

First the attackers created DLL executable (DLLDownloader.dll) this DLL it can download two payloads by command line to make payload base64 base64 dfsvc.dll -w 0 and base64 Stager.dll -w 0 the first is (dfsvc.dll) the second is (Stager.dll), This DLL will be used in the next stage by injecting it into a Word file via the Zero-day vulnerability.

Screenshot from 2024-04-16 21-38-27

The Second stage (implanting technique)

second the attackers exploited the Zero-day vulnerability (CVE-2021-40444) https://github.com/lockedbyte/CVE-2021-40444/ this vulnerability works by injecting a DLL file into Microsoft Word When the file is opened it executes the DLL payload, which is responsible for downloading two other payload (dfsvc.dll) and (Stager.dll).

Screenshot from 2024-04-13 01-09-30

When a victim opens the malicious Office document using Microsoft Office, the application parses the document's content, including the embedded objects. The flaw in the MSHTML component is triggered during this parsing process, allowing the attacker's malicious code to be executed within the context of the Office application.

The third stage (execution technique)

Now i have a Word file when i open it performs an execution for the DLL Downloader and thus downloads the two files (dfsvc.dll) and (Stager.dll) this is through the vulnerability CVE-2021-40444.

Screenshot from 2024-04-16 17-21-17

After that the stager decrypts the payload using the Decrypt-Payload function (you need to implement the decryption algorithm) and then executes the payload using the Execute-Payload function, In this simulation i made the build perform an execution directly without the need for the stager script, and it can be modified to suit the stager making an execution for the actual payload.

Screenshot from 2024-04-16 17-59-42

The fourth stage (Data Exfiltration) over OneDrive API C2 Channe

The attackers used the OneDrive C2 (Command and Control) API as a means to establish a communication channel between their payload and the attacker's server, By using OneDrive as a C2 server, attackers can hide their malicious activities among the legitimate traffic to OneDrive, making it harder for security teams to detect the threat. First, we need to create a Microsoft Azure account and activate its permissions, as shown in the following figure.

We will use the Application (client) ID for the inputs needed by the C2 server

photo_2024-04-14_16-24-06

After that, we will go to the Certificates & secrets menu to generate the Secret ID for the Microsoft Azure account, and this is what we will use in OneDrive C2.

photo_2024-04-14_16-24-14

To make simulation of this attack at the present time i did not use the PowerShell Empire to avoid detection and i make customization of the OneDrive C2 server, This script integrates OneDrive API functionality to facilitate communication between the compromised system and the attacker-controlled server, thereby potentially hiding the traffic within legitimate OneDrive communication and i used AES Encryption to secure the connection just like the PowerShell Empire server that the attackers used in the actual attack, The customization OneDrive C2 Server inspired by PowerShell Empire.

photo_2024-04-14_02-55-02

The fifth stage (payload with OneDrive API requests)

This payload establishes covert communication via socket to a remote server, disguising traffic within OneDrive API requests. It identifies machines using CRC32 checksums of their MachineGuids. Commands are executed locally, with outputs sent back to the server or uploaded to OneDrive. Its dynamic configuration enables flexible and stealthy remote control and data exfiltration.

Screenshot from 2024-04-14 16-59-47

1.Covert communication: The payload initiates a socket connection to a specified IP address and port.

2.Identification mechanism: It retrieves the MachineGuid from the Windows registry and calculates its CRC32 checksum.

171351508026027259

3.Command execution: The payload enters a loop to receive commands from the remote server or OneDrive.

4.Data exfiltration: After execution it captures output and sends it back to the server or uploads it to OneDrive.

5.Stealthy communication: Utilizing OneDrive API it blends network traffic with legitimate OneDrive traffic.

6.Dynamic configuration: Behavior is configured by specifying IP address, port and optionally an access token for OneDrive.

Screenshot from 2024-04-14 22-43-29

Final result: payload connect to OneDrive C2 server

the final step in this process involves the execution of the final payload. After being decrypted and loaded into the current process, the final payload is designed to beacon out to both OneDrive API-based C2 server.

received_1514138585843943.mp4

About

This is a simulation of attack by Fancy Bear group (APT28) targeting high-ranking government officials Western Asia and Eastern Europe

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published