A new APT group, dubbed ChamelGang, has been observed targeting the fuel, energy, and aviation industries in Russia. Active since March, the group was found exploiting the known ProxyShell vulnerabilities in Microsoft Exchange Server.

What happened?

Positive Technologies found that ChamelGang had already hit targets in ten countries, using ProxyShell together with a mix of custom and publicly available malware.
  • To stay under the radar, the group disguises its infrastructure as belonging to legitimate services of established firms such as Microsoft, TrendMicro, McAfee, IBM, and Google, using several methods.
  • One method is registering domains that resemble the legitimate ones, such as newtrendmicro[.]com, mcafee-upgrade[.]com, microsoft-support[.]net, centralgoogle[.]com, and cdn-chrome[.]com.
  • Another is presenting fake SSL certificates bearing the names github[.]com, ibm[.]com, jquery[.]com, and update[.]microsoft-support[.]net.
  • The group also used previously unseen malware (ProxyT, BeaconLoader, and DoorMe) alongside known tools such as FRP, Cobalt Strike Beacon, and Tiny Shell.
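The look-alike domains above are the kind of indicator a defender can hunt for in DNS or proxy logs. The script below is an added example (not code from the Positive Technologies report or from Cyware): it reduces each queried host to its registrable domain, checks it against an allow-list of domains the brands actually own, and flags any other domain whose name embeds one of the impersonated brands. The brand strings and the flagged domains come from the article's IOC list; the allow-list, the log format, the client IPs and the timestamps are constructed for illustration.

```python
"""Flag brand look-alike domains in DNS query logs.

Added example, not code from the Positive Technologies report or from Cyware.
Brand strings and the look-alike domains come from the article's IOC list; the
allow-list, log format, client IPs and timestamps are constructed.
"""
import re
from typing import List, Optional, Tuple

# Brands the article says ChamelGang imitated in its domains and certificates.
IMPERSONATED_BRANDS = (
    "trendmicro", "mcafee", "microsoft", "google", "chrome", "github", "ibm", "jquery",
)

# Constructed allow-list of registrable domains the brands actually control.
# In production, replace this with your own vetted inventory.
LEGIT_APEX = {
    "trendmicro.com", "mcafee.com", "microsoft.com", "google.com", "googleapis.com",
    "github.com", "githubusercontent.com", "ibm.com", "jquery.com",
}

# Minimal public-suffix handling: the last two labels form the registrable
# domain, except for a few two-level suffixes. A real deployment should use
# the Public Suffix List instead of this shortcut.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Classify a host as ("legit", None), ("lookalike", brand) or ("unknown", None)."""
    apex = registrable_domain(host)
    if apex in LEGIT_APEX:
        return "legit", None
    # Drop the TLD and all separators so 'mc-afee' style variants still match.
    flat = re.sub(r"[^a-z0-9]", "", apex.rsplit(".", 1)[0])
    for brand in IMPERSONATED_BRANDS:
        if brand in flat:
            return "lookalike", brand
    return "unknown", None


# Constructed log format: "<timestamp> <client-ip> <queried-name>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

# Constructed sample log; the look-alike names are the ones the article lists.
SAMPLE_DNS_LOG = [
    "2021-09-01T10:00:01Z 10.0.0.5 update.microsoft-support.net",
    "2021-09-01T10:00:02Z 10.0.0.5 www.microsoft.com",
    "2021-09-01T10:00:03Z 10.0.0.7 newtrendmicro.com",
    "2021-09-01T10:00:04Z 10.0.0.9 cdn-chrome.com",
    "2021-09-01T10:00:05Z 10.0.0.9 centralgoogle.com",
    "2021-09-01T10:00:06Z 10.0.0.9 mcafee-upgrade.com",
    "2021-09-01T10:00:07Z 10.0.0.3 code.jquery.com",
    "2021-09-01T10:00:08Z 10.0.0.3 example.org",
]


def scan_dns_log(lines: List[str]) -> List[dict]:
    """Return one record per query whose name looks like an impersonated brand."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        verdict, brand = classify(m["qname"])
        if verdict == "lookalike":
            hits.append({
                "ts": m["ts"], "client": m["client"], "qname": m["qname"],
                "apex": registrable_domain(m["qname"]), "brand": brand,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} imitates {hit['brand']}")
```

Two caveats apply when running this against real traffic. Substring matching on a short brand such as "ibm" will hit unrelated names, so treat the output as a hunting lead and confirm with registration date, hosting and certificate details rather than blocking on the match alone. And the fake certificates in the article carry the real names github[.]com, ibm[.]com and jquery[.]com, so a name check alone cannot catch them; for those, compare the certificate chain or fingerprint seen on the wire with the one the genuine site serves.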

Describing the two attack campaigns

Researchers observed two attacks, one in March and the other in August.
  • The first investigation began after a Russian energy firm's antivirus reported a Cobalt Strike Beacon running in memory.
  • The attackers gained access to the firm's network through a supply chain attack: they exploited a vulnerable version of a subsidiary's JBoss Application Server (CVE-2017-12149).
  • Once inside, the group moved laterally, deploying tools along the way: Tiny Shell (a UNIX backdoor), Cobalt Strike Beacon, and Wget.
  • The second attack targeted a Russian aviation production company, which was alerted four days after the compromise and then attempted to remove the threat.
  • The group exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to get into the network and then deployed DoorMe v2 on two Exchange mail servers.

Conclusion

The attackers behind ChamelGang used a variety of malware, but they got in through known bugs in the targeted systems, and both intrusions could have been prevented. Keeping systems up to date and applying security patches as soon as they are released is essential, and organizations must not skip or delay it.
Cyware Publisher