Government servers and Russian energy and aviation industries seem to be the primary targets of a new advanced persistent threat (APT) group that has attacked organizations in 10 countries, using the supply chain to move laterally.
The ChamelGang, discovered by researchers at Positive Technologies, has been exploiting ProxyShell flaws to infect Microsoft Exchange. They use relationship attacks—hacking third-party organizations whose employees can legitimately access a victim’s resource—to steal data, the researchers said.
The PT Expert Security Center cited one case in which the cybercriminals lurked in the corporate network of an energy company, then seized control over much of it. “After studying the company’s network for about two months and gaining control over most of it (including critical servers and hosts in different network segments), attackers installed a malicious module on one of the IIS servers (in this case, the Exchange server), which turned out to be a DoorMe backdoor and worked in the context of the web server process w3wp.exe,” the researchers said. “We assume that this was done to reserve the management channel of the compromised infrastructure. The technique has become more popular among attackers.”
The APT group is using new malware strains, including ProxyT, BeaconLoader and DoorMe. DoorMe is a passive backdoor that doesn’t interact with an attacker’s server, making detecting ChamelGang difficult. In fact, when Positive researchers were investigating, antivirus tools did not detect DoorMe.
The new group’s name is derived from its chameleon-like attributes—the group disguises “malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM and Google,” the researchers said, adding that the gang uses two methods.
“They acquired domains that imitate legitimate ones (newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, mcafee-upgrade.com) and, in addition, the APT group placed SSL certificates that also imitated legitimate ones (github.com, www.ibm.com, jquery.com, update.microsoft-support.net) on its servers,” they wrote. “To achieve their goal, the attackers used a trending penetration method—supply chain. The group compromised a subsidiary and penetrated the target company’s network through it.”
ChamelGang “used the software supply chain to their advantage in order to compromise multiple organizations at once,” said Hank Schless, senior manager, solutions, at Lookout. “They also managed to install a backdoor known as DoorMe in a few instances, which was key to both SolarWinds and the Colonial Pipeline attacks. The group also appears to “take advantage of unpatched Microsoft Exchange servers, which have been problematic in the past.”
In an August 16 incident, the PT ESC team ran across “another successful attack (server compromise), identified a new victim and notified the affected organization,” they said. In that attack, the bad actors hit a Russian company in aviation production, penetrating using a chain of ProxyShell vulnerabilities.
“The recent activity attributed to ChamelGang serves as a reminder that supply chain threats will almost certainly continue to impact companies for the remainder of 2021 and into 2022,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “Little is known about ChamelGang. However, a combination of off-the-shelf and custom-made malware—in addition to several sophisticated methods of gaining access to targeted networks—demonstrates a highly capable threat group.”
Positive’s research and findings “really shows how flexible and adaptable APT threats are,” said John Bambenek, senior threat hunter at Netenrich. “Here we see the use of old exploits, new exploits, living off the land, using off-the-shelf tools and developing their own malware.”
“One of the things that stands out to me as an overlooked but easy security win exposed by this report is taking a look at DNS resolver logs to look for aberrant DNS queries that indicate command-and-control or information exfiltration,” said Bambenek. “Attackers have to use DNS just like we do, and looking for patterns and brand impersonation is key for early detection of these threats.”
Morgan noted that several cybercriminal gangs also exploit the three Microsoft Exchange vulnerabilities known as ProxyShell. “ProxyShell is reportedly assisting ransomware actors by significantly decreasing the time required to enable persistence on a target network,” he said. “As a result, its use will almost certainly continue during live attacks.”
He believes “ChamelGang is likely associated with a nation-state; however, further context on their origins or motivations remains unclear.”