APT Groups Target U.S. Government Agencies with CovalentStealer

The report highlights

• The attackers combined a new custom malware called CovalentStealer, the open-source Impacket collection of Python classes, HyperBro RAT, and over a dozen China Chopper webshell samples.
• To gain initial access through the victim’s network, the attackers attempted to exploit ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server.

The attack timeline

• In mid-January 2021, hackers gained access to the organization’s Exchange Server and started mailbox searches. They used a compromised administrator account belonging to a former employee to access the Exchange Web Services (EWS) API.
• At the beginning of February 2021, hackers accessed the network again using the same admin credentials through a VPN connection and engaged in reconnaissance activity using a command shell.
• In early March, they exploited the ProxyLogon vulnerabilities to install approximately 17 China Chopper web shells on the Microsoft Exchange Server.
• In April 2021, the attackers started establishing persistence on the network and moved laterally with the Impacket framework to obtain a service account with higher privileges, which enabled remote access, using two VPN and virtual private server providers, M247 and SurfShark, from multiple external IP addresses.
• Between late July and early October 2022, the hackers used the custom-built CovalentStealer to upload additional sensitive files to a Microsoft OneDrive location.

Summation