BLUELIGHT

The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT.

The malware is distributed through a phishing attack... The phishing emails originated from the account of the former director of South Korea’s National Intelligence Service (NIS), who APT37 previously compromised.

MITRE ATT&CK techniques... ScarCruft used malicious JavaScript for a watering-hole attack.

MITRE ATT&CK techniques... ScarCruft exploits CVE-2020-1380 to compromise victims.

The Python loader includes a script and shellcode, launching a multi-step XOR-decryption, process creation, etc., eventually resulting in the execution of the Dolphin payload in a newly created memory process.

The content repeatedly describes adversaries using Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.

The Python loader includes a script and shellcode, launching a multi-step XOR-decryption, process creation, etc., eventually resulting in the execution of the Dolphin payload in a newly created memory process.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

"...used custom malware to steal login and cookie data from common browsers..."; "...extracts the web session cookie and sends it to the C2 server..."; "...stole Chrome browser cookies by copying the Chrome profile directories..."

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

"AppleSeed has compressed collected data before exfiltration."; "APT28 used a publicly available tool to gather and compress multiple documents..."; "Aria-body has used ZIP to compress data..."; "Cadelspy...compress stolen data into a .cab file."; "Daserf hides collected data in password-protected .rar archives."; "FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."; "Lazarus Group has compressed exfiltrated data with RAR...archive specified directories in .zip format"; "XCSSET will compress entire ~/Desktop folders..."

Several entries describe broader use of HTTP/HTTPS and related web mechanisms for C2, including "Crutch has conducted C2 communications with a Dropbox account using the HTTP API," "BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API," and "Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS."

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.