In the next edition of our ice cream activity cluster blog series, we’re shining the spotlight on another historic actor that undertook a significant remodeling of their tactics, techniques and procedures (TTPs) when they expanded their target scope to include Windows machines.
Before diving into this activity cluster, be sure to read the series introduction here.
And continue with the rest of the series by clicking the links below:
When we have sufficient evidence to suggest that the same threat actors are behind different activities, but we observe a significant shift to either the TTPs, capabilities, attacker infrastructure, or target victims, we build upon the established flavor (in this case, Strawberry) with a topping, such as sprinkles. This is to represent that although the same actors are likely behind the activity, the way in which we track or cluster the new activity is different.
We still believe that this activity is Strawberry, but it has superficially and significantly evolved enough to warrant: Strawberry Sprinkles.
Evolution of Strawberry to Strawberry Sprinkles
The TTPs and overall capabilities demonstrated by Strawberry Sprinkles in the Alert Logic dataset is drastically different from those documented as Strawberry.
What remained consistent is the type of flavor infrastructure observed, as well as the final action on objective they deployed before Alert Logic Threat Security Experts (TSX) were able to notify customers of the compromise and work together to contain and remediate infected hosts.
The evolution in TTPs appears to have followed success with the Confluence Object-Graph Navigation Language (OGNL) vulnerability (CVE-2021-26084).
As the vulnerability exists in OGNL, the open-source expression language for Java, the Confluence application which uses OGNL, can run on both Linux and Windows Machines. Strawberry was a Linux focused actor and so had developed TTPs for moving along the kill chain on Linux machines.
They now had access to confluence servers running an underlying Windows operating system, meaning that they could not progress with their existing TTPs, leaving them unable to monetize the access gained via the exploit.
As discussed in the original Strawberry blog, Alert Logic’s threat hunters and customer base had early warning of the confluence exploit, due to the foresight of our threat intelligence team who invested in network-based signatures designed to catch future derivatives, or novel, OGNL exploits.
Strawberry Sprinkles appeared to develop Windows TTPs quickly and were able to progress onto the next attack phases, while compromised customers were quickly made aware of the unauthorized access. The infrastructure used remained consistent with that observed in Strawberry’s Linux campaign, favoring Korean AWS IP addresses which they could spin up at a moment’s notice, and hosting files used for installation as Pastes on Pastebin[.]com.
Catching Strawberry Sprinkle’s exploits and installation attempts were fairly easy too. They used base64 encoded commands to pull installation files/scripts in an attempt to obfuscate their intentions. In reality, this narrowed our search down, as we could query the packets captured by the OGNL signature for any base64 encoding and simply import the data into a decryption tool to work out where to look next.
In some instances, encoding server requests with something like base64 is legitimate, but for the most part, it is suspicious. While encryption can be an easy way to obfuscate malicious commands from a tool that focuses on prevention, it stands out like a sore thumb for human analysts as a great candidate for investigation. This highlights the strength of employing a defence in depth approach that includes both prevention and detection.
.ps1 and .txt files hosted on Pastebin were pulled down in the initial remote code execution exploit. The names of each changed frequently as they had many versions of these files spread across the Pastebin site so admins could not locate and remove them all.
The scripts and files enabled Strawberry Sprinkles to set up persistence via scheduled tasks, but not before attempting to kill off the access and persistence mechanisms set up by any competing threat actors.
Killing off the Competition
The competition killing scripts observed from Strawberry Sprinkles were a combination of targeted commands, seemingly going after TTPs used by actors known to them (likely seen as rivals) as well as employing larger, generic copy and pastes to eliminate as much other competition as possible.
The next actions offer an explanation for killing off competing threat actors, as Strawberry Sprinkles looked to setup a cryto-miner which would hijack the resources of the Confluence server, redirecting the energy and compute power towards facilitating mining transactions.
Any conflicting miners, or other intensive processes, will subtract from the output of their miner. This move maximizes the monetization of the compromised resources.
Strawberry Sprinkles uses the same action on objective seen in Strawberry by pulling an XMRIG crypto-miner and accompanying config files, setting it up and logging into the miner pool before writing an output to confirm “Miner Running.” It is unclear whether mining was the final objective or simply a method to monetize access while they worked out their next objective. An example could be lateral movement to other machines to achieve data exfiltration or deploy ransomware.
Although we did not observe these actions during the windows of compromise, it is worth acknowledging the potential for other actions on objectives had Strawberry Sprinkles had prolonged access.
Known Exploits Used
- CVE-2021-26084 [exp]
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- schtasks /delete /tn * /F
- Schtasks [inst persistence] with Downloadstrings
- Scheduled Task/Job: Scheduled Task – T1053.005
- Killscript (via schtasks, wmic, get-process)
- Exposed Windows Confluence servers
- AWS – South Korean region [recon, deliv, exp]
- pastebin[.]com [inst]
- South Korean IPs (not attribution)
- Google LLC [inst]
Actions on Objectives
- Crypto mining (XMRIG)
Next in the series: