Rewterz Threat Alert – APT Group Palmerworm Wages Cyber Espionage Campaign

Severity

High

Analysis Summary

Palmerworm, an advanced persistent threat group that’s been active since 2013, is waging a cyber espionage campaign targeting organizations in the U.S. and Asia. Palmerworm hackers are using new customized malware as well as “living off the land” techniques – manipulating tools and commands already built into an operating system for malicious purposes. The APT group, which is also known as BlackTech, has waged long-term espionage campaigns that target a variety of industries. In its earlier campaign, which started in August 2019, the hackers have targeted news media, electronics and finance companies in Taiwan, an engineering company based in Japan and a construction company in China as well as U.S. organizations.

While we cannot see what Palmerworm is exfiltrating from these victims, the group is considered an espionage group, and its likely motivation is considered to be stealing information from targeted companies. Although it’s not clear how the threat actor gained initial access in this campaign, they have previously used spear-phishing emails. The APT group is using previously unseen malware families lebelled Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit and Backdoor.Nomri. The malware, however, might be new versions of earlier malware variants used by the gang. Palmerworm also uses a custom loader, called Trojan Horse, and a network reconnaissance tool known as Hacktool. The APT group uses the dual-use tools Putty, PsExec, SNScan and WinRaR, which other hacking groups also frequently weaponize. These tools provide attackers with a good degree of access to victim systems. Palmerworm also uses stolen code-signing certificates for its payloads as an obfuscation technique.

Impact

• Information Theft
• Unauthorized Access

Indicators of Compromise

Domain Name

• asiainfo[.]hpcloudnews[.]com
• loop[.]microsoftmse[.]com

MD5

• 0263cd7a6b920e83cebd8f4469d48038
• c2452dea557e3d6fc8ac61b8126f8ea2
• 773adf87ee49f9bf32851d33662dea79
• 2f8b90170a52ee8dd305641a30e25604
• 50e358d44420ad65c05d24f6b1fa5346
• 2962a89c61c01b48849f8f5ad6b9e7e4

SHA-256

• 9e3ecda0f8e23116e1e8f2853cf07837dd5bc0e2e4a70d927b37cfe4f6e69431
• 28ca0c218e14041b9f32a0b9a17d6ee5804e4ff52e9ef228a1f0f8b00ba24c11
• a7f3b8afb963528b4821b6151d259cf05ae970bc4400b805f7713bd8a0902a42
• 6d40c289a154142cdd5298e345bcea30b13f26b9eddfe2d9634e71e1fb935fbe
• eed2ab9f2c09e47c7689204ad7f91e5aef3cb25a41ea524004a48bb7dc59f969
• 35bd3c96abbf9e4da9f7a4433d72f90bfe230e3e897a7aaf6f3d54e9ff66a05a

SHA1

• e7ee07f06806085621700fd68b1e926d066c2782
• ca3e90e188ba377718f214ecd00f8b774fa6c986
• 918cd28648d4ef9213c7d7a93c19f096d8ccb21f
• c08dab41fc5006020b370bb0c123f0023af6bf5b
• c413d109c15d0e736c2b71cfff24ca8b7368c53d
• d586a55723c12cce3687db31a59af69b2373198e

Source IP

• 45[.]77[.]181[.]203
• 103[.]40[.]112[.]228
• 172[.]104[.]92[.]110

Remediation

• Block the threat indicators at their respective controls.
• Do not download attachments found in untrusted emails.
• Keep all systems and software updated to latest patched versions.