Xintra Assassin Kitty Lab (APT29)


Introduction
This report details a sophisticated cyberattack against Assassin Kitty Company, where an advanced persistent threat (APT) actor, linked to APT29, exploited an unpatched vulnerability (CVE-2021-34473, ProxyShell) to gain initial access. The attacker infiltrated the network via an Exchange server (MAIL01), escalated privileges, deployed webshells, and conducted credential dumping, lateral movement, and data exfiltration.
Key findings include the use of Golden SAML and OAuth abuse for cloud compromise, evasion techniques such as Defender disabling and timestomping, and exfiltration via cloud storage tools like MEGA and OneDrive. The attacker maintained persistence through backdoors, scheduled tasks, and registry modifications, ultimately extracting sensitive data.
N-Day Exploitation
The threat actor exploited an unpatched vulnerability to gain a foothold on the Assassin Kitty company network.
US-CERT provided an APT29-related IP address: 4.198.67.125.
The proxy logs are a good starting point, since the proxy is the point of connection with the Internet. Filtering on the attacker's source IP confirms that 2023-04-02 02:36:07 is the first time the attacker IP connected to the company network.
Almost 30 seconds later the attacker injected an arbitrary encoded command and obtained initial access.
After decoding the command, the log message shows that the exploited CVE is CVE-2021-34473 (ProxyShell). The attack worked because the Exchange server was not patched against this vulnerability.
The logs confirm that the server with IP address 10.0.0.5 is the compromised one, which is MAIL01.
The MSExchange Management log records what the attacker did after gaining initial access.
To escalate privileges, the attacker assigned a new management role, Mailbox Import Export, to the user henry.
The flow was: create a new mailbox export request, upload the .aspx file, and then remove the mailbox export request.
The attacker also created a new, secret mailbox account with the first name Eaves.
At this point, the attacker takes advantage of an unpatched vulnerability, gets initial access, and ramps up his privileges. He uploads several webshells for later use and creates a new mailbox account to use down the line. Everything is set, and the threat actor is ready for the next step.
Webshells
One of the webshells, named download.aspx, was uploaded to the MAIL01 server at 2023-04-11 06:00 to the location C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\.
A total of 10 webshells were uploaded to the MAIL01 server, and some of them were later deleted from disk.
We can also notice that the user agent device info contains Spider, which confirms malicious activity.
The webshell kzNpYqWU6R.aspx contains a file named cupiditate-deserunt.docx embedded in it.
From the logs we can clearly see that the attacker interacted with the directory C:\Windows\Temp through the webshell download.aspx, and also used C:\Windows\Temp\Tools as a staging folder.
Further, the threat actor exfiltrated the archive Upload.zip through the webshell download.aspx.
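As an added example (not part of the original write-up), this Python flags the two webshell indicators discussed above in constructed IIS-style log lines from MAIL01: requests to .aspx files under /owa/auth/ that are not in a known OWA set, and a user agent containing Spider. The log layout and the short KNOWN_OWA_AUTH allowlist are assumptions, not Microsoft's real file list.

```python
import re

KNOWN_OWA_AUTH = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}  # assumed allowlist
SUSPICIOUS_UA_TOKENS = ("spider",)  # the write-up treats a Spider UA as confirmed malicious

# Constructed lines: "date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)"
SAMPLE_IIS = """\
2023-04-11 05:58:12 10.0.0.40 GET /owa/auth/logon.aspx 200 Mozilla/5.0
2023-04-11 06:00:03 4.198.67.125 POST /owa/auth/download.aspx 200 Spider
2023-04-11 06:01:17 4.198.67.125 POST /owa/auth/kzNpYqWU6R.aspx 200 Mozilla/5.0
2023-04-11 06:02:40 10.0.0.41 GET /owa/auth/logoff.aspx 302 Mozilla/5.0
"""

IIS_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+) (.*)$")
UNKNOWN_ASPX = "unknown .aspx under /owa/auth/"
BAD_UA = "suspicious user agent"


def find_webshell_hits(text):
    """Return (timestamp, client_ip, uri, reasons) for each request that trips a check."""
    hits = []
    for line in text.splitlines():
        m = IIS_RE.match(line)
        if not m:
            continue  # skip malformed or header lines
        ts, ip, _method, uri, _status, ua = m.groups()
        reasons = []
        lower = uri.lower()
        if lower.startswith("/owa/auth/") and lower.endswith(".aspx"):
            if lower.rsplit("/", 1)[-1] not in KNOWN_OWA_AUTH:
                reasons.append(UNKNOWN_ASPX)
        if any(tok in ua.lower() for tok in SUSPICIOUS_UA_TOKENS):
            reasons.append(BAD_UA)
        if reasons:
            hits.append((ts, ip, uri, tuple(reasons)))
    return hits


def unique_webshells(text):
    """Distinct unknown .aspx names seen in the log, to compare with the on-disk inventory."""
    return sorted({h[2].rsplit("/", 1)[-1] for h in find_webshell_hits(text)
                   if UNKNOWN_ASPX in h[3]})
```

Comparing unique_webshells() against the files actually present in owa\auth\ is how the deleted-from-disk webshells mentioned above still surface.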
Credential Dumping
After gaining a foothold on DC01, the threat actor used the vssadmin.exe process to extract ntds.dit to the c:\extract folder at 2023-04-09 03:29:08.
On the same day, 9 April 2023, the attacker also dumped the lsass.exe process.
A day earlier, while still on the MAIL01 server, the threat actor performed an LSASS dump to obtain credentials; these credentials were most likely used to move to DC01 and extract ntds.dit. At exactly 2023-04-08 01:36:04 the lsass.exe process was dumped on the MAIL01 server.
To obtain more and higher access, the threat actor dumped credentials from the Exchange server, the domain controller and the workstation PC01.
Malware & Persistence
Now the attacker needs to maintain access by creating new accounts, installing backdoors, and so on.
A new account named pcmanage was created on the PC01 workstation.
Two backdoors, named WindowsUpdateAssistant.exe and werfault.exe, were detected by Windows Defender on PC02.
On PC01, Notepad.lnk was quarantined by Windows Defender.
Further, the attacker created a scheduled task on ADFSSERVER using the compromised account Winston, then leveraged the same account to create another scheduled task on the workstation PC02, which is used to run WindowsUpdateAssistant.exe at logon. A day later that scheduled task was deleted.
In the following days the attacker leveraged the user henry to create a Notepad.lnk shortcut pointing to C:\Windows\SystemApps\notepad.exe; the file was deleted afterwards at 2023-04-11 08:29:33.
On the other hand, the attacker installed a service named PowerShellUpdater.exe on DC01 with the display name PowerShell updater, and also created a scheduled task called PowerShellUpdate on the ADFSserver.
Malware beaconing can also be extracted from the WMI logs on the MAIL01 server, where the link http://20.92.20.220:80/a is used.
The attacker also modified the registry key HKCU@S-1-5-21-3057726683-376574677-2430473855-1104\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\faultChecker to run the executable werfault.exe on DC01.
Lateral Movement
After compromising PC02, the attacker used the user winston to access shared files in \\DC01\KittyShare, starting from 2023-04-09.
The attacker used the user account henry to move laterally from DC01 to PC01 by running Psexec.exe from C:\Windows\Temp\Tools\PsExec64.exe.
Further, the attacker used wmiexec.py from Impacket to move from MAIL01 to DC01, where the involved user is henry.
Golden SAML
In order to move to the cloud infrastructure, the attacker abused the ADFSserver and performed a pass-the-ticket attack.
We can detect this using event code 4624 with logon type 9 (runas), where the user account winston logs on as aadcsvc$.
Turning to the PowerShell transcript for the user account Winston on the ADFSserver, we can see that the attacker used AADInternals to forge SAML tokens after the Golden SAML attack took place.
After extracting the certificate, it was stored in C:\Windows\Temp\out.txt.
Two users are assumed to be compromised.
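As an added example (not part of the original write-up), this Python implements the 4624 / logon type 9 check described above over constructed Security log records: a successful NewCredentials (runas) logon in which the calling user obtains the credentials of a different, service-style account, as winston did with aadcsvc$ on ADFSserver. The flat field names are an assumed mapping of the event XML, and the service-account heuristic is an assumption.

```python
# Constructed Security log records (times are made up; the lab gives no exact time here)
EVENTS = [
    {"EventID": 4624, "LogonType": 2, "SubjectUserName": "winston",
     "TargetUserName": "winston", "Computer": "ADFSserver", "Time": "2023-04-10 01:02:03"},
    {"EventID": 4624, "LogonType": 9, "SubjectUserName": "winston",
     "TargetUserName": "aadcsvc$", "Computer": "ADFSserver", "Time": "2023-04-10 01:05:44"},
    {"EventID": 4624, "LogonType": 9, "SubjectUserName": "svc_backup",
     "TargetUserName": "svc_backup", "Computer": "DC01", "Time": "2023-04-10 01:06:00"},
    {"EventID": 4625, "LogonType": 9, "SubjectUserName": "winston",
     "TargetUserName": "aadcsvc$", "Computer": "ADFSserver", "Time": "2023-04-10 01:07:10"},
]

NEW_CREDENTIALS = 9  # logon type used by runas /netonly and similar credential cloning


def is_service_like(name):
    """Assumed heuristic: machine/service accounts end in '$' or use a service-style prefix."""
    n = name.lower()
    return n.endswith("$") or n.startswith(("svc", "aadc", "msol"))


def find_runas_to_service(events):
    """Successful type-9 logons where the caller becomes a different, service-like account."""
    out = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != NEW_CREDENTIALS:
            continue  # failures (4625) and other logon types are out of scope here
        subj, tgt = e["SubjectUserName"], e["TargetUserName"]
        if subj.lower() != tgt.lower() and is_service_like(tgt):
            out.append((e["Time"], e["Computer"], subj, tgt))
    return out
```

A hit for an AD FS or Azure AD Connect service account is the cue to pull that user's PowerShell transcripts, which is where the AADInternals usage above was found.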
OAuth Abuse
OAuth was abused: winston@assasinkity.com is the email that consented to the application, with a bunch of permissions granted.
For the OAuth abuse, the attacker added a service principal and injected a redirect URL.
Email Compromise
Using the Azure CLI on the ADFSserver, the attacker was able to list key vaults.
An email with the subject "introductions" was sent by winston to sombra.
Defense Evasion
The attacker disabled Defender for the first time on 2023-04-08 03:48:13.
On the MAIL01 server the attacker used AppExtension.exe to timestomp files. 6XgVzNz5bd6.aspx was timestomped on 2023-04-12 06:42:00.
The threat actor used SDelete to delete 3 files on MAIL01.
6XgVzNz5bd6.aspx was interacted with through the proxy on 8 April 2023, so the file was already in place before its timestamps were altered.
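As an added example (not part of the original write-up), this Python applies two standard timestomping heuristics to constructed MFT attribute summaries of the kind that expose a file like 6XgVzNz5bd6.aspx: $STANDARD_INFORMATION timestamps earlier than the $FILE_NAME creation time (which user-mode tools normally cannot rewrite), and $SI timestamps with an exactly-zero sub-second part, typical of tools that write whole seconds. The records, including the $FN value for the webshell, are constructed; real values come from the parsed MFT.

```python
from datetime import datetime

# Sample uses microsecond precision; a real MFT stores 100 ns ticks, trim to 6 digits first.
FMT = "%Y-%m-%d %H:%M:%S.%f"

SI_BEFORE_FN = "$SI earlier than $FN creation"
ZERO_FRACTION = "zero sub-second $SI timestamps"

# Constructed MFT summaries: name, $SI created/modified, $FN created
RECORDS = [
    {"name": "logon.aspx", "si_created": "2021-09-28 11:14:02.357123",
     "si_modified": "2021-09-28 11:14:02.357123", "fn_created": "2021-09-28 11:14:02.357123"},
    {"name": "6XgVzNz5bd6.aspx", "si_created": "2021-09-28 11:14:02.000000",
     "si_modified": "2021-09-28 11:14:02.000000", "fn_created": "2023-04-08 02:10:45.118290"},
    # a file copied in from a FAT volume can legitimately carry whole-second times
    {"name": "notes.txt", "si_created": "2023-04-01 09:00:00.000000",
     "si_modified": "2023-04-01 09:00:00.000000", "fn_created": "2023-04-01 09:00:00.000000"},
]


def _ts(s):
    return datetime.strptime(s, FMT)


def timestomp_indicators(rec):
    """Return the indicators raised by one record (empty list means nothing odd)."""
    reasons = []
    si_c, si_m, fn_c = _ts(rec["si_created"]), _ts(rec["si_modified"]), _ts(rec["fn_created"])
    if si_c < fn_c or si_m < fn_c:
        reasons.append(SI_BEFORE_FN)  # strong signal: $FN survives most stomping tools
    if si_c.microsecond == 0 and si_m.microsecond == 0:
        reasons.append(ZERO_FRACTION)  # weaker signal on its own, corroborate with $FN
    return reasons


def scan(records):
    """Map file name -> indicators for every record that raises at least one."""
    result = {}
    for r in records:
        reasons = timestomp_indicators(r)
        if reasons:
            result[r["name"]] = reasons
    return result
```

notes.txt trips only the zero-fraction check, which is why that heuristic is treated as corroboration rather than proof; the webshell trips both.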
Registry Timestomping
The attacker timestomped the registry key Machine\Software\Microsoft\Windows\CurrentVersion\Run using adbapi.exe.
Exfiltration
The threat actor downloaded the file upload.zip using the webshell download.aspx, and also installed MEGAsyncSetup64.exe on PC02 for cloud exfiltration.
The MEGAsync logs also show which MEGA account was used for the exfiltration, and we can identify the upload queue for exfiltration to the MEGA cloud storage.
On the other hand, the attacker used a personal OneDrive on DC01 for exfiltration.
Further, we can identify the email used for the personal OneDrive cloud exfiltration by leveraging the Microsoft-Windows-LiveId log provider and event ID 6117 on DC01.
