Russian Actors Weaponize Legitimate Services in Multi-Malware Attack

Written by

A novel cyber campaign by Russian speaking actors abused legitimate internet services, such as GitHub and FileZilla, to deploy multiple malware variants, Recorded Future has reported.

The adaptive tactics and advanced capabilities used present significant challenges in tracking and defending against this type of threat, the researchers said.

The threat actor, likely located in the Commonwealth of Independent States (CIS), strategically targeted a spectrum of operating systems (OS) and computer architectures in the credential harvesting campaign, including Windows and macOS, highlighting their adaptability to evolving technological landscapes.

This includes the deployment of Atomic macOS Stealer (AMOS), the current version of which is capable of infecting both Intel-based and ARM-based Macs.

Alexander Leslie, threat intelligence analyst at Recorded Future, told Infosecurity that this campaign is the most prominent example of a threat actor abusing legitimate services for targeting credentials across multiple platforms and architecture.

“It’s [leverage legitimate services] done out of convenience – it’s very adaptable and that’s what’s really concerning,” he said.

Users Lured into Downloading Malware

During an investigation of the AMOS stealer, Recorded Future’s Insikt Group discovered 12 websites that impersonated legitimate macOS applications, such as CleanShotX, 1Password and Bartender.

These domains all redirected users to a GitHub profile belonging to a user named “papinyurii33,” prompting them to download macOS installation media resulting in an AMOS infostealer infection.

The malicious papinyurii33 account was created on January 16, 2024, and its last observed contribution was on March 7.

Image credit: Wirestock Creators / Shutterstock.com
Image credit: Wirestock Creators / Shutterstock.com

All versions of AMOS hosted on the account performed HTTP POST requests to the endpoint /psp. However, in the file paths for other known endpoints for AMOS, /sendlog and /joinsystem, the user HTTP POST variable supplied in the command and control (C2) communications was the username associated with the threat actor's AMOS subscription.

The GitHub account was also observed hosting other files beyond AMOS under the “2132” repository, including a dropper for the Windows-based Lumma and Vidar stealers as well as an Octo Android banking trojan.

Another repository, “22” has not had malware submitted to it since early February 2024.

Legitimate Services Used to Execute Malicious Files

The researchers observed how the threat actor executed various DocCloud files to deploy a range of infostealers on victim devices.

The DocCloud.exe accessed a FileZilla file transfer protocol (FTP) server at IP address 193.149.189[.]199 using hardcoded credentials.

After a connection was established, a child process of DocCloud.exe accessed and RC4 decrypted a .ENC file and combined the decrypted data with shellcode stored within a Python script. The constructed payload was then run as an argument to pythonw.exe.

Multiple executions were observed using this process, resulting in Lumma and Vidar infostealers being dropped.

In a separate process, a version of DocCloud.zip uploaded to GitHub by papinyurii33 on March 7, 2024, accessed FileZilla file server at IP address 188.120.227[.]9 and used new hardcoded credentials. Multiple files in this zip archive displayed the DLL file extension but were cleartext Python scripts.

Insikt then observed a “distinct change” in the execution and communication patterns over the course of February and into early March 2024.

In these cases, the processes reaching out to the FTP server remained static, including the filename accessed on the server, as well as the shellcode present in the bundled Python scripts.

In earlier iterations, the malware retrieved the .ENC file and then proceeded to conduct multiple DNS lookups for domains previously associated with Lumma Stealer.

In more recent executions, the same .ENC file was retrieved, but the malware proceeded to check user profiles for Steam Community and Telegram accounts, where it obtained the respective C2 server and continued to complete POST requests to these follow-on C2 servers.

The researchers believe this indicates that instructions for the next-stage infection were altered within the .ENC file on the FTP server between executions, although the dropper remains unchanged.

Insikt also identified four additional IP addresses that are likely related to the threat actor’s network infrastructure. These addresses revealed C2 infrastructure for the trojan DARKCOMET RAT and an additional FileZilla FTP server responsible for deploying DARKCOMET RAT.

The connectivity of the infrastructure stemming from the GitHub-hosted “DocCloud” files suggests are more organized campaign targeting victim devices, the researchers noted.

Concerning Evolution in Threat Actor Tactics

Leslie said this campaign is unique, partly because of the number of different malware families being deployed, and also the threat actor’s reliance on legitimate internet services and shared C2 infrastructure.

Therefore, while use of multiple tools and malware families makes the campaign highly sophisticated, the attackers employed relatively unsophisticated methods for C2 and exfiltration.

“It's very agile, you can spin up GitHub profiles quickly, you can spin up temporary FileZilla servers quickly, you can find a burner Telegram account quickly,” he explained.

This makes it difficult for traditional defensive measures to detect and respond fast enough.

Leslie added: “You’re not looking for malware C2 or infrastructure, you’re not doing network traffic analysis on victims. This actor is just stealing files and uploading them to FileZilla and then calling it a day.”

The Insikt analysis also highlighted parallels between the tactics used in this campaigns and other recent reports, suggesting similar approaches are becoming more common.

This includes the discovery of a website delivering AMOS malware, coupled with Rhadamanthys, via purportedly legitimate software. However, the malware is not directly hosted on the fake application website and instead redirects the user to various file-sharing services, including Dropbox and Bitbucket.

The researchers expect to see an increased volume of campaigns that resemble the one highlighted in their report.

Mitigation Advice for Organizations

The report urged organizations to enforce an enterprise-wide code review process for all code obtained from external repositories before integrating it into production environments.

They should also consider implementing a comprehensive application control strategy, including blocking third-party and unapproved applications to prevent the spread of malware.

Additionally, employees must be educated on this technique. Leslie noted: “Your employees should never be downloading cracked and unverified software on any operating system.”

Leslie added that there is a wider question of how internet services, such as GitHub and FileZilla, prevent such abuse of their platforms.

“If we’re going to be dealing with this persistent issue of legitimate internet service abuse, it gets into the question of that service’s own governance and its terms of service and monitoring those services themselves,” he said.

What’s hot on Infosecurity Magazine?