During our daily threat hunting activities in our 4000+ customer base, we have gained an intimate understanding of the adversaries behind the threats. This unique insight has been organized by our hunters and security researchers to create threat activity clusters. By clustering these adversaries, we know how to better mitigate the threat they present.
Activity clusters separate adversaries into distinct threat group “flavors.” Once understood, the threat posed become manageable, and we believe they should have a suitably unintimidating identifier. So, what could be less intimidating than ice cream?
To learn more about Project Ice Cream, read the series’ introductory blog here.
Introducing Strawberry with Sprinkles
This historic actor undertook a significant remodeling of their tactics, techniques and procedures (TTPs) when they expanded their target scope to include Windows machines. A similar evolution was observed when Mint developed into Mint with Sprinkles. Introducing the Strawberry with Sprinkles threat activity cluster.
When we have sufficient evidence to suggest that the same threat actors are behind different activities, but we observe a significant shift to either the TTPs, capabilities, attacker infrastructure, or target victims, we build upon the established flavor (in this case, Strawberry) with a topping, such as sprinkles. This is to represent that although the same actors are likely behind the activity, the way in which we track or cluster the new activity is different.
We believe that this activity is Strawberry, but has superficially and significantly evolved enough to warrant: Strawberry with Sprinkles.
Strawberry Evolving to Strawberry with Sprinkles
The TTPs and overall capabilities demonstrated by Strawberry with Sprinkles in the Alert Logic dataset is drastically different from those documented as Strawberry.
What remained consistent is the type of flavor infrastructure observed, as well as the final action on objective they deployed before Alert Logic Threat Security Experts (TSX) were able to notify customers of the compromise and work together to contain and remediate infected hosts.
The evolution in TTPs appears to have followed success with the Confluence Object-Graph Navigation Language (OGNL) vulnerability (CVE-2021-26084).
As the vulnerability exists in OGNL, the open-source expression language for Java, the Confluence application which uses OGNL, can run on both Linux and Windows Machines. Strawberry was a Linux focused actor and so had developed TTPs for moving along the kill chain on Linux machines.
They now had access to confluence servers running an underlying Windows operating system, meaning that they could not progress with their existing TTPs, leaving them unable to monetize the access gained via the exploit.
As discussed in the original Strawberry blog, Alert Logic’s threat hunters and customer base had early warning of the confluence exploit, due to the foresight of our threat intelligence team who invested in network-based signatures designed to catch future derivatives, or novel, OGNL exploits.
Strawberry with Sprinkles appeared to develop Windows TTPs quickly and were able to progress onto the next attack phases, while compromised customers were quickly made aware of the unauthorized access. The infrastructure used remained consistent with that observed in Strawberry’s Linux campaign, favoring Korean AWS IP addresses which they could spin up at a moment’s notice, and hosting files used for installation as Pastes on Pastebin[.]com.
Catching Strawberry with Sprinkle’s exploits and installation attempts were fairly easy too. They used base64 encoded commands to pull installation files/scripts in an attempt to obfuscate their intentions. In reality, this narrowed our search down, as we could query the packets captured by the OGNL signature for any base64 encoding and simply import the data into a decryption tool to work out where to look next.
In some instances, encoding server requests with something like base64 is legitimate, but for the most part, it is suspicious. While encryption can be an easy way to obfuscate malicious commands from a tool that focuses on prevention, it stands out like a sore thumb for human analysts as a great candidate for investigation. This highlights the strength of employing a defense in depth approach that includes both prevention and detection.
.ps1 and .txt files hosted on Pastebin were pulled down in the initial remote code execution exploit. The names of each changed frequently as they had many versions of these files spread across the Pastebin site so admins could not locate and remove them all.
The scripts and files enabled Strawberry with Sprinkles to set up persistence via scheduled tasks, but not before attempting to kill off the access and persistence mechanisms set up by any competing threat actors.
Killing off the Competition
The competition killing scripts observed from Strawberry with Sprinkles were a combination of targeted commands, seemingly going after TTPs used by actors known to them (likely seen as rivals) as well as employing larger, generic copy and pastes to eliminate as much other competition as possible.
The next actions offer an explanation for killing off competing threat actors, as Strawberry with Sprinkles looked to setup a cryto-miner which would hijack the resources of the Confluence server, redirecting the energy and compute power towards facilitating mining transactions.
Any conflicting miners, or other intensive processes, will subtract from the output of their miner. This move maximizes the monetization of the compromised resources.
Strawberry with Sprinkles uses the same action on objective seen in Strawberry by pulling an XMRIG crypto-miner and accompanying config files, setting it up and logging into the miner pool before writing an output to confirm “Miner Running.” It is unclear whether mining was the final objective or simply a method to monetize access while they worked out their next objective. An example could be lateral movement to other machines to achieve data exfiltration or deploy ransomware.
Although we did not observe these actions during the windows of compromise, it is worth acknowledging the potential for other actions on objectives had Strawberry with prinkles had prolonged access.
Known Exploits Used
- CVE-2021-26084 [exp]
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- schtasks /delete /tn * /F
- Schtasks [inst persistence] with Downloadstrings
- Scheduled Task/Job: Scheduled Task – T1053.005
- Killscript (via schtasks, wmic, get-process)
- Exposed Windows Confluence servers
- AWS – South Korean region [recon, deliv, exp]
- pastebin[.]com [inst]
- South Korean IPs (not attribution)
- Google LLC [inst]
Actions on Objectives
- Crypto mining (XMRIG)
Find out how Alert Logic can support your organization in tackling existing and emerging threats used by actors like Strawberry with Sprinkles by scheduling a personalized MDR demo.
Explore Alert Logic’s Project Ice Cream threat activity clusters blog series: