The Greenbug espionage group is actively targeting telecommunications companies in South Asia, with activity seen as recently as April 2020. Some indications suggest that at least one of the companies was first targeted as early as April 2019. Email appears to be the initial infection vector used by the group. Greenbug is using a mixture of off-the-shelf tools and living-off-the-land techniques in these attacks. The group appears to be interested in gaining access to database servers: we see it stealing credentials and then testing connectivity to these servers using the stolen credentials. Analysis revealed that, across multiple victim machines, a file named proposal_pakistan110.chm:error.html was executed via an internet browser. We also see the same file being opened by archiver tools. The name follows the NTFS file:stream notation, meaning that error.html is an alternate data stream attached to proposal_pakistan110.chm rather than a separate file. While we were unable to retrieve the file for analysis, the same technique has been leveraged by Greenbug in the past, as early as 2016. In these earlier attacks, emails were sent to targets containing a link to a likely compromised site, which hosted an archive file. The archive contains a malicious CHM file (compiled HTML Help file) that uses an ADS (alternate data stream) to hide its payload; the payload is installed when the CHM is executed. The CHM usually also contains a decoy PDF file displaying an error message that says the file could not be opened correctly.
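A practical way to hunt for this technique in file or process telemetry is to parse the file:stream notation out of observed paths and flag CHM files that carry a stream, or that are opened by a browser or archiver. The following is an added example, not code from the Symantec report or from Greenbug's tooling; the event format, the browser and archiver image names, and the sample events are constructed assumptions for illustration.

```python
"""Flag CHM help files that carry an NTFS alternate data stream (ADS), or that
are opened by a web browser or archiver, in simple process/file telemetry.

Added example for illustration. The event tuple format, the BROWSERS and
ARCHIVERS name lists and SAMPLE_EVENTS are assumptions, not data from the
report. The file:stream[:$DATA] notation itself is the real NTFS convention.
"""
import ntpath
from typing import List, Optional, Tuple

# Assumed image names worth watching as openers of CHM files (not from the report).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
ARCHIVERS = {"7z.exe", "7zfm.exe", "winrar.exe", "winzip64.exe"}

# Constructed sample events: (host, image that opened the file, path as logged).
SAMPLE_EVENTS = [
    ("ws-17", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Users\a\Downloads\proposal_pakistan110.chm:error.html"),
    ("ws-22", r"C:\Program Files\7-Zip\7zFM.exe",
     r"C:\Users\b\Downloads\proposal_pakistan110.chm"),
    # Benign: the built-in HTML Help viewer opening a system help file, no stream.
    ("ws-03", r"C:\Windows\hh.exe", r"C:\Windows\Help\mui\0409\ntcmds.chm"),
    # Benign: an ADS on a text file, with the explicit :$DATA type suffix.
    ("ws-09", r"C:\Windows\System32\notepad.exe",
     r"C:\Users\c\notes.txt:Zone.Identifier:$DATA"),
    ("ws-11", r"C:\Windows\explorer.exe", r"C:\Temp\report.pdf"),
]


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Split 'dir\\file.ext:stream[:$DATA]' into ('dir\\file.ext', 'stream').

    ntpath.split() removes the drive spec ('C:') before locating the last path
    component, so the only colon that can remain in the basename is a stream
    separator. The default unnamed stream ('file::$DATA') is reported as None.
    """
    head, base = ntpath.split(path)
    if ":" not in base:
        return path, None
    name, stream = base.split(":", 1)
    if stream.endswith(":$DATA"):          # strip the explicit stream type
        stream = stream[: -len(":$DATA")]
    return ntpath.join(head, name), (stream or None)


def assess(image: str, path: str) -> List[str]:
    """Return the reasons an open/execute event is suspicious (empty if none)."""
    base_path, stream = split_ads(path)
    ext = ntpath.splitext(base_path)[1].lower()
    opener = ntpath.basename(image).lower()
    reasons: List[str] = []
    if ext == ".chm":
        if stream is not None:
            reasons.append(f"CHM with alternate data stream '{stream}'")
        if opener in BROWSERS:
            reasons.append("CHM executed via web browser")
        if opener in ARCHIVERS:
            reasons.append("CHM opened from archiver tool")
    return reasons


def scan(events) -> List[Tuple[str, str, List[str]]]:
    """Run assess() over (host, image, path) events; keep only the hits."""
    hits = []
    for host, image, path in events:
        reasons = assess(image, path)
        if reasons:
            hits.append((host, split_ads(path)[0], reasons))
    return hits


if __name__ == "__main__":
    for host, base_path, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {base_path}")
        for r in reasons:
            print(f"    - {r}")
```

The stream-name parsing is the part most often done wrong: a naive `":" in path` check matches every drive letter, and a check on the last colon is defeated by the optional `:$DATA` type suffix. Splitting the basename off first, as above, avoids both problems, and the benign Zone.Identifier event shows that an ADS on its own is not the signal; it is the combination with a CHM that matters here.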
Greenbug’s activity in this campaign makes it clear that its main focus with these victims is to steal credentials and to maintain a low profile on the victim’s network so the attackers can remain on it for a substantial period of time. This is typical of the activity we have seen in Greenbug victims in the past, with maintaining persistence on a victim network appearing to be one of the group’s primary goals. Greenbug has also been observed targeting telecoms companies in this same region in previous attack campaigns. The setting up of tunnels shows how important keeping a low profile is for this group. Its focus on stealing credentials, and on establishing connections with database servers, shows that it is aiming to achieve a high level of access to a victim’s network. That level of access, if leveraged by actors using disruptive malware or ransomware, could shut down an organization’s entire network very quickly.
Active since at least June 2016, Greenbug most likely uses email to compromise targeted organizations. Symantec believes the group has exclusive access to the malware Trojan.Ismdoor. The group uses additional tools to compromise other computers on the network and to steal user names and passwords from operating systems, email accounts, and web browsers. The group mainly targets Middle Eastern entities for espionage. Greenbug is believed to be based in Iran, and there has been speculation in the past that it has connections to the destructive Shamoon group, which has carried out disk-wiping attacks against organizations in Saudi Arabia.