
Clasiopa Group Uses Distinct Toolset to Target Asian Research Organizations

A hacking cluster, dubbed Clasiopa, has been observed targeting Asian companies in the materials research sector with a unique toolset. The toolset includes a custom RAT called Atharvan, modified variants of the publicly available Lilith RAT, a hacking tool named Thumbsender, and a custom proxy tool.

How the campaign works

  • According to Symantec researchers, Clasiopa possibly gained initial access by brute-forcing public-facing servers.
  • Post-compromise, the adversary checks the IP address of the breached system, disables Symantec Endpoint Protection by stopping its service, and creates a scheduled task that lists file names.
  • Multiple backdoors are used to build lists of file names and exfiltrate them as ZIP archives. To remove traces of the activity, Sysmon (System Monitor) logs are cleared using wsmprovhost and Windows event logs are cleared using PowerShell.
  • The attackers also used legitimate software packages, namely HCL Domino and Agile DGS (both signed with old certificates) and Agile FD servers, which used old, vulnerable libraries.
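The post-compromise actions above (stopping the endpoint protection service, a scheduled task that lists files, event-log clearing from PowerShell, Sysmon-log clearing under wsmprovhost) are all visible in process-creation telemetry. The following is an added example written for this page, not code from Symantec or Cyware: it runs simple behavioural rules over constructed Sysmon-style process records and queues hosts that trigger more than one rule. The service name `SepMasterService`, the exact `schtasks` and `wevtutil` command lines, and the assumption that the Sysmon channel is cleared by a child process of `wsmprovhost.exe` (the WinRM provider host) are assumptions; the report does not give the exact commands.

```python
"""Added example (not Symantec's or Cyware's code): flag the post-compromise actions
described in the campaign summary in process-creation records. Service and log-channel
names, the schtasks command line and the wsmprovhost parent/child relationship are
assumptions; the report does not give the exact commands."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation record (Sysmon event ID 1 style), reduced to the fields the rules need."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def image_is(path: str, *names: str) -> bool:
    """True when the image path ends in one of the given executable names (case-insensitive)."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base in names


def cmd_has(event: ProcEvent, pattern: str) -> bool:
    return re.search(pattern, event.cmdline, re.IGNORECASE) is not None


# One predicate per behaviour; a single event may match several rules.
RULES = {
    # Symantec Endpoint Protection stopped via service control ("SepMasterService" is an assumed name).
    "sep_service_stop": lambda e: (
        image_is(e.image, "sc.exe", "net.exe", "net1.exe")
        and cmd_has(e, r"\bstop\b.*(sepmasterservice|symantec)")
    ),
    # Scheduled task whose action is a recursive directory listing written to disk.
    "scheduled_file_listing": lambda e: (
        image_is(e.image, "schtasks.exe")
        and cmd_has(e, r"/create\b")
        and cmd_has(e, r"\bdir\b.*\s/s\b|get-childitem.*-recurse")
    ),
    # Windows event logs cleared from PowerShell: Clear-EventLog, or wevtutil cl spawned by PowerShell.
    "powershell_eventlog_clear": lambda e: (
        (image_is(e.image, "powershell.exe", "pwsh.exe") and cmd_has(e, r"clear-eventlog"))
        or (
            image_is(e.parent_image, "powershell.exe", "pwsh.exe")
            and image_is(e.image, "wevtutil.exe")
            and cmd_has(e, r"\bcl\b")
        )
    ),
    # Sysmon operational channel cleared by a child of wsmprovhost.exe (WinRM provider host); assumed mechanism.
    "sysmon_clear_via_winrm": lambda e: (
        image_is(e.parent_image, "wsmprovhost.exe")
        and cmd_has(e, r"(clear-eventlog|\bcl\b).*microsoft-windows-sysmon")
    ),
}


def match_rules(event: ProcEvent) -> set:
    return {name for name, pred in RULES.items() if pred(event)}


def triage(events, min_rules: int = 2) -> dict:
    """Return hosts that triggered at least min_rules distinct rules, mapped to sorted rule names.
    Requiring more than one behaviour per host keeps a lone 'net stop' by an admin out of the queue."""
    hits = defaultdict(set)
    for e in events:
        hits[e.host].update(match_rules(e))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}


SYS32 = r"C:\Windows\System32"
# Constructed records for illustration; none of these come from the report.
SAMPLE_EVENTS = [
    ProcEvent("WS-RESEARCH-07", SYS32 + r"\cmd.exe", SYS32 + r"\net.exe", "net stop SepMasterService"),
    ProcEvent("WS-RESEARCH-07", SYS32 + r"\cmd.exe", SYS32 + r"\schtasks.exe",
              r'schtasks /create /tn Update /sc daily /st 02:00 /tr "cmd /c dir C:\ /s /b > C:\ProgramData\list.txt"'),
    ProcEvent("WS-RESEARCH-07", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", SYS32 + r"\wevtutil.exe",
              "wevtutil.exe cl Security"),
    ProcEvent("WS-RESEARCH-07", SYS32 + r"\wsmprovhost.exe", SYS32 + r"\wevtutil.exe",
              "wevtutil cl Microsoft-Windows-Sysmon/Operational"),
    ProcEvent("WS-RESEARCH-12", SYS32 + r"\cmd.exe", SYS32 + r"\net.exe", "net stop SepMasterService"),
    ProcEvent("WS-ADMIN-01", SYS32 + r"\cmd.exe", SYS32 + r"\net.exe", "net stop Spooler"),
    ProcEvent("WS-ADMIN-01", r"C:\Windows\explorer.exe", SYS32 + r"\schtasks.exe", "schtasks /query /fo LIST"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

With the constructed input only WS-RESEARCH-07 reaches the default threshold; WS-RESEARCH-12 (a single service stop) is visible with `min_rules=1`, and the administrator host matches nothing. In production the rules would be tuned against the environment's own admin tooling, and the log-clearing rules are worth alerting on alone.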

Clasiopa’s toolset: Atharvan, Lilith, and Thumbsender

  • Atharvan creates a mutex on execution so that only one copy runs at a time. It communicates with a hardcoded C2 address hosted on Amazon AWS in Seoul, South Korea.
  • Notably, the malware can be configured to contact the C2 on a schedule, including only on specific days of the week or month.
  • It can download files to the compromised computer, run executables, execute commands, and send back command output or error messages. The malware is also capable of evading some network traffic monitoring tools.
  • Lilith is capable of executing commands, running PowerShell scripts, manipulating processes on the breached system, and uninstalling itself.
  • Thumbsender is a utility that lists files on the host when it receives a command from a C2 server. It saves them locally in a database that can be exfiltrated later to a specific IP address.
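Atharvan's option to contact its C2 only on particular days of the week or month matters for detection: beacon analytics that look at a few hours or days of flow data never see enough contacts to call it periodic. The following added example, written for this page and not taken from Symantec or Cyware, classifies outbound contacts to a single destination as short-interval beaconing, weekday- or day-of-month-scheduled contact, or irregular, and shows how the verdict depends on the lookback window. Atharvan's actual schedule format is not described in the report; the timestamps are constructed.

```python
"""Added example (not Symantec's or Cyware's code): classify outbound contacts to one
destination as short-interval periodic beaconing, calendar-scheduled contact (same weekday
or same day of the month), or irregular. Atharvan's real schedule format is not known from
the report; all timestamps below are constructed."""
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
DAY = 86400  # seconds


def classify_contacts(timestamps, lookback_days, min_contacts=3):
    """Look only at contacts within lookback_days of the most recent one, as a SIEM search would."""
    ts = sorted(timestamps)
    window = [t for t in ts if t >= ts[-1] - timedelta(days=lookback_days)]
    if len(window) < min_contacts:
        return "insufficient"
    gaps = [(b - a).total_seconds() for a, b in zip(window, window[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:  # duplicate timestamps only; nothing to measure
        return "irregular"
    jitter = max(abs(g - mean) for g in gaps) / mean
    # Classic beacon: sub-day interval with little jitter.
    if mean < DAY and jitter < 0.1:
        return f"periodic:{mean / 60:.0f}min"
    # Weekly schedule: every contact on the same weekday and gaps a whole number of weeks.
    weekdays = {t.weekday() for t in window}
    if len(weekdays) == 1 and all(round(g / DAY) % 7 == 0 for g in gaps):
        return f"calendar:weekday={WEEKDAYS[weekdays.pop()]}"
    # Monthly schedule: every contact on the same day of the month, gaps of at least four weeks.
    days = {t.day for t in window}
    if len(days) == 1 and all(g >= 27 * DAY for g in gaps):
        return f"calendar:day-of-month={days.pop()}"
    return "irregular"


# Constructed contact times for four hypothetical destinations.
WEEKLY = [datetime(2023, 2, 7, 3, 15) + timedelta(weeks=k) for k in range(8)]  # Tuesdays 03:15
MONTHLY = [datetime(2022, 11, 3, 22, 0), datetime(2022, 12, 3, 22, 0), datetime(2023, 1, 3, 22, 0),
           datetime(2023, 2, 3, 22, 0), datetime(2023, 3, 3, 22, 0)]  # the 3rd of each month
HOURLY = [datetime(2023, 3, 28) + timedelta(minutes=m) for m in (0, 61, 119, 180, 242, 300, 359, 420)]
ONE_OFF = [datetime(2023, 3, 1, 9), datetime(2023, 3, 2, 17), datetime(2023, 3, 10, 11)]

if __name__ == "__main__":
    for name, series in (("weekly", WEEKLY), ("monthly", MONTHLY), ("hourly", HOURLY), ("one-off", ONE_OFF)):
        for lookback in (1, 7, 45, 180):
            print(f"{name:8s} lookback={lookback:3d}d -> {classify_contacts(series, lookback)}")
```

The hourly series is caught with a one-day window, but the weekly series is "insufficient" at seven days and the monthly series at 45 days; both only surface once the window is long enough to hold several contacts. For a destination hosted on a large cloud provider this is a low-volume, long-tail pattern, so the lookback and the allow-listing of cloud ranges need to be chosen with it in mind.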

Conclusion

Clasiopa is a relatively new group that has assembled a distinct toolset for its operations, which suggests its members have considerable technical skill. Although researchers were unable to identify the primary motive behind the attacks, it is most likely cyberespionage.
Cyware Publisher