APT Groups Target U.S. Government Agencies with CovalentStealer

Recently, CISA, the FBI, and the NSA released a joint advisory detailing attacks on a U.S. defense organization that used new custom malware.

The report highlights

Multiple APT groups have been found targeting the enterprise network of a U.S. organization in the Defense Industrial Base (DIB) sector to steal sensitive data.
  • The attackers combined a new custom malware called CovalentStealer, the open-source Impacket collection of Python classes, HyperBro RAT, and over a dozen China Chopper webshell samples.
  • To gain initial access to the victim’s network, the attackers attempted to exploit the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server.

The attack timeline

The initial access vector for the attack is unknown; however, it seems the activity began in November 2021 and went on till mid-October this year.
  • In mid-January 2021, hackers gained access to the organization’s Exchange Server and started mailbox searches. They used a compromised administrator account belonging to a former employee to access the Exchange Web Services (EWS) API.
  • At the beginning of February 2021, hackers accessed the network again using the same admin credentials through a VPN connection and engaged in reconnaissance activity using a command shell.
  • In early March, they exploited the ProxyLogon vulnerabilities to install approximately 17 China Chopper web shells on the Microsoft Exchange Server.
  • In April 2021, the attackers began establishing persistence on the network and used the Impacket framework to move laterally and obtain a service account with higher privileges. That account enabled remote access through two VPN and virtual private server providers, M247 and SurfShark, from multiple external IP addresses.
  • Between late July and early October 2022, the hackers used the custom-built CovalentStealer to upload additional sensitive files to a Microsoft OneDrive location.
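Two of the behaviours in the timeline above, EWS use by a former employee's account and web shells dropped on the Exchange server, leave traces in Exchange IIS logs. The detector below is an added example, not code from the Cyware article or the CISA advisory; the log layout, the account names, the drop directories and the known-page allowlist are assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed W3C-style IIS log lines, simplified to six fields for the demo:
# date time cs-method cs-uri-stem cs-username c-ip
SAMPLE_LOG = """\
2021-01-15 03:12:44 POST /ews/exchange.asmx CORP\\jdoe 203.0.113.7
2021-01-15 03:13:01 GET /owa/ CORP\\asmith 198.51.100.22
2021-03-04 22:41:09 POST /owa/auth/help.aspx - 203.0.113.9
2021-03-04 22:41:12 POST /owa/auth/logon.aspx - 203.0.113.9
2021-03-05 01:02:33 GET /ecp/default.flt CORP\\svc_backup 10.0.0.5
"""

# Assumption: accounts HR/IAM has marked as terminated but not yet disabled.
FORMER_EMPLOYEE_ACCOUNTS = {"CORP\\jdoe"}

# Assumption: directories where a POST to an .aspx page that is not a known
# Exchange page deserves an analyst's attention (web shell drop locations).
WEBSHELL_DIRS = ("/owa/auth/", "/aspnet_client/")
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    detail: str


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches either detection rule."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        date, time, method, uri, user, src = m.groups()
        ts = f"{date} {time}"
        uri_l = uri.lower()
        # Rule 1: EWS API traffic authenticated as a deprovisioned account.
        if uri_l.startswith("/ews/") and user in FORMER_EMPLOYEE_ACCOUNTS:
            findings.append(Finding("ews-former-employee", ts, f"{user} from {src}"))
        # Rule 2: POST to an unexpected .aspx page under a web shell drop directory.
        if (method == "POST" and uri_l.endswith(".aspx")
                and uri_l.startswith(WEBSHELL_DIRS) and uri_l not in KNOWN_ASPX):
            findings.append(Finding("unexpected-aspx-post", ts, f"{uri} from {src}"))
    return findings
```

On the constructed sample, rule 1 fires on the EWS request by CORP\jdoe and rule 2 on the POST to /owa/auth/help.aspx, while the known logon.aspx page is not flagged.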

Summation

The combined use of CovalentStealer, HyperBro, and China Chopper by different hacking groups points toward a higher level of threat in the near future. Users and administrators are advised to follow best practices and leverage the IOCs shared by the federal agencies to strengthen the security posture of their organization.
Cyware Publisher