The reach of Russian state-sponsored advanced persistent threat (APT) groups extends across many countries, and multiple Russian threat groups have targeted critical agencies around the globe. Surprisingly, security researchers from Positive Technologies have uncovered a new APT group targeting the fuel, energy, and aviation industries in Russia itself. Tracked as ChamelGang, the group has also targeted critical agencies in other countries, including the U.S., India, Nepal, Taiwan, and Japan.
ChamelGang Phishing Attacks
ChamelGang was found using phishing domains and built-in operating system features to disguise its malicious activity. The attackers registered a number of phishing domains impersonating popular brands, including Microsoft, TrendMicro, McAfee, IBM, and Google. Among the domains the researchers identified were newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, and mcafee-upgrade.com.
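All of the domains listed above share one trait: a well-known brand name embedded in a registrable domain that the brand does not own. The following Python snippet, added here as an illustration and not code from Positive Technologies or the report, flags that pattern in DNS query logs. The brand list, the legitimate-domain allow-list, the log line format and the sample log lines are all constructed assumptions for this example.

```python
import re

# Brand tokens drawn from the domains named in the article.
BRANDS = ("microsoft", "trendmicro", "mcafee", "ibm", "google", "chrome")

# Illustrative allow-list of domains the brands legitimately use (an assumption
# for this example; a real deployment would maintain and source its own list).
LEGIT = {
    "microsoft.com", "trendmicro.com", "mcafee.com", "ibm.com",
    "google.com", "chrome.com",
}


def registrable_domain(host):
    """Return the last two labels of a hostname.

    This is a naive eTLD+1 and assumes no multi-label public suffixes
    such as co.uk; use a public-suffix library for production data.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_impersonation(host):
    """Return the impersonated brand token when the registrable domain
    contains a brand name but is not one of that brand's own domains,
    otherwise None. Short tokens such as 'ibm' can produce false
    positives on unrelated words, so treat hits as leads, not verdicts."""
    reg = registrable_domain(host)
    if reg in LEGIT:
        return None
    base = reg.split(".")[0]
    for brand in BRANDS:
        if brand in base:
            return brand
    return None


# Constructed sample DNS resolver log lines (not taken from the report).
SAMPLE_DNS_LOG = """\
2021-09-30T10:01:02Z client=10.0.0.15 query=newtrendmicro.com
2021-09-30T10:01:05Z client=10.0.0.15 query=www.microsoft.com
2021-09-30T10:02:11Z client=10.0.0.22 query=microsoft-support.net
2021-09-30T10:02:40Z client=10.0.0.22 query=cdn-chrome.com
2021-09-30T10:03:01Z client=10.0.0.31 query=mail.google.com
2021-09-30T10:03:19Z client=10.0.0.31 query=centralgoogle.com
2021-09-30T10:04:00Z client=10.0.0.40 query=mcafee-upgrade.com
"""

# Assumed log format: "client=<ip> query=<hostname>" somewhere on each line.
LINE_RE = re.compile(r"client=(\S+)\s+query=(\S+)")


def flag_lookalikes(log_text):
    """Return (client, host, brand) for every query to a brand-lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, host = m.groups()
        brand = brand_impersonation(host)
        if brand:
            hits.append((client, host, brand))
    return hits


if __name__ == "__main__":
    for client, host, brand in flag_lookalikes(SAMPLE_DNS_LOG):
        print(f"{client} queried {host} (impersonates {brand})")
```

Run against the constructed log, the five lookalike queries are reported and the two genuine brand hosts are not. The allow-list check happens before the substring match on purpose: the point is to surface domains that borrow a brand name without belonging to the brand, which is exactly what the domains named above do.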
Exploiting Vulnerabilities
Researchers analyzed two recent cyberattacks by ChamelGang. In one attack, ChamelGang exploited CVE-2017-12149 to compromise a web application running on the open-source JBoss Application Server. The attackers were able to execute commands on the node remotely and obtained the local administrator's dictionary password on one of the servers. They remained unnoticed in the corporate network for three months and compromised critical servers and nodes in different network segments.
In another incident, ChamelGang exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange. The attackers reportedly gained access to the corporate mail servers using a backdoor that most antivirus tools had not detected at the time of the attack.
Using New Malware Variants
In most attacks, ChamelGang relied on new malware such as ProxyT, BeaconLoader, and the DoorMe backdoor to hide its identity and complicate detection. However, the group also used better-known tools such as FRP, Cobalt Strike Beacon, and Tiny SHell.
Commenting on the new malware campaign, Denis Kuvshinov, Head of Threat Analysis at Positive Technologies, said, “Targeting the fuel and energy complex and aviation industry in Russia isn’t unique — this sector is one of the three most frequently attacked. However, the consequences are serious. Most often, such attacks lead to financial or data loss — in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage. Also, industrial companies often can’t detect a targeted cyberattack on their own. But in practice, attackers can penetrate the corporate network of an industrial enterprise more than 90% of the time, and almost every such invasion leads to complete loss of control over the infrastructure. More than half of these attacks lead to the theft of data on company partners and employees, mail correspondence, and internal documentation.”