Rewterz Threat Alert – Stealthy Gelsemium APT Group Launches Attack Against Southeast Asian Government – Active IOCs

Severity

High

Analysis Summary

A sophisticated and covert Advanced Persistent Threat (APT) known as “Gelsemium” was detected in a series of attacks targeting a government entity in Southeast Asia. These attacks persisted over a duration of six months, spanning from 2022 to 2023. Gelsemium group has been operational in cyberespionage attacks since as long as 2014, with its main targeted sectors being government, electronic manufacturers and education.

The group is considered “quiet” as it has been successful in evading detection for many years, showing the advanced technology and knowledge they possess. A recent report shows how the latest Gelsemium campaign utilized rarely-used backdoors from other threat actors.

Gelsemium achieves initial access to targeted systems by installing web shells after exploiting vulnerabilities in servers that face the internet. Most of these web shells are publicly available, like ‘reGeorg,’ ‘China Chopper’ and ‘AspxSpy’, and are used frequently by various threat actors. This makes linking the attack to an actor difficult.

These web shells are used to move laterally on the network after doing some basic network reconnaissance. Afterwards, additional payloads are fetched that also help further in lateral movement, privilege escalation and data collection. The tools used are Cobalt Strike, OwlProxy, SessionManager, EarthWorm and SpoolFool.

EarthWorm, CobaltStrike and SpooFool are widely used legitimate tools, so they aren’t specific to Gelsemium. Whereas, OwlProxy is a custom-made, unique HTTP proxy and a backdoor tool that Gelsemium has reportedly used in a past attack.

In their latest campaign, Gelsemium used an executable file that saved an embedded DLL into the compromised system’s disk. It also created a service that runs the DLL, which is a variant of OwlProxy. It creates an HTTP service used to monitor incoming requests for particular URL patterns hiding commands.

The reason why the threat group started using EarthWorm was because the targeted system prevented OwlProxy from running. The sample that was used in the most recent attack monitored incoming HTTP requests to search for a specific Cookie field carrying the commands for execution. These commands help in uploading files between the C2 server and the breached system, starting applications, carrying out commands, and proxying connections to any additional systems.

Due to the presence of proxy functionality, it becomes clear that the intention of the threat actors is to use the breached server as a gateway to communicate with other systems that are present on the network.

“The findings of this investigation highlight the urgent need for enhanced security measures, vigilant monitoring and proactive threat intelligence sharing among government entities and affected industries in Southeast Asia. By adopting a multilayered defense approach and staying informed about emerging threats, organizations can better protect themselves against the persistent and evolving tactics employed by threat actors such as Gelsemium”, they conclude.

Impact

• Cyber Espionage
• Data Theft

Indicators of Compromise

IP

27.124.26.86

MD5

• 056b431e7d1837728d5262fd4c5fe291
• 7b21a76c955b0eec20b1e181d9189b64
• cf56cb65c4e5b4d7794147daeed0bf66
• 19afd572720b56cada666600945a4b75
• 3cbea05bf7a1affb821e379b1966d89c
• ab9091f25a5ad44bef898588764f1990
• 4bafbdca775375283a90f47952e182d9
• b8458d393443ca9b59f4d32a5d31e4f7
• 29274ca90e6dcf5ae4762739fcbadf01
• 12b5f256f015a67753dc2c70c1c8e80a
• acdae8914ed98213f10518fe657f87bb
• 31eb70dc11af05ec4d5cda652396970c
• 1b167409f594ce3cac5dc0bb516743e8

SHA-256

• 4dcdce3fd7f0ab80bc34b924ecaa640165ee49aa1a22179b3f580b2f74705dd9
• 17392669a04f17fda068d18ae5850d135f3912d08b4e2eee81fce915849887b3
• 3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6
• 181feef51991b162bdff5d49bb7fd368d9ec2b535475b88bc197d70d73eef886
• fd0b9f09770685ed6f40ecabcd31bc467fa22801164b52fdc638334009b7c06f
• 77e82c3d5fea369f6598339dcd97b73f670ff0ad373bf7fc3a2d8586f58d9d32
• f0761ad307781bdf8da94765abd1a2041ac12a52c7fdde85f00b2b2cab6d6ce8
• 29cc79a451f73bac43dbe9455d2184770beae69f4e6bc2d824abd2cfbedf53f1
• 3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2
• 527063cb9da5eec2e4b290019eaac5edd47ff3807fec74efa0f1b7ddf5a1b271
• b9a9e43e3d10cf6b5548b8be78e01dc0a034955b149a20e212a79a2cf7bee956
• c0a7a797f39b509fd2d895b5731e79b57b350b85b20be5a51c0a1bda19321bd0
• c254dc53b3cf9c7d81d92f4e060a5c44a4f51a228049fd1e2d90fafa9c0a44ee

SHA-1

• e095249f9fe185a40f70be528e1cccab436d7946
• 8b8bc1708bc9bd19edd3a2424752401ef5f9b40e
• c3f5d5d52890fe72bd2fc4c08aaf538da73016d7
• 7f7bd5ab5a608e68f7e14af926fc6505990effcc
• 95f90554fb2ef20a64be9f6e81ff35c353392093
• c822f6100333e84bd0ec87675ca79d65cb01a01e
• 663a254350fbc379d8d7f69c50ead3117ee8b634
• 613efd1d13d461c7f0833c8c9410e0ccf414e7d9
• e007edd4688c5f94a714fee036590a11684d6a3a
• 183a2bb4baa18461e47a21c2b4b62ef44187c374
• 8f18618ca9084506d26b84330629c844a226f2ff
• 2aee1f5306e38d080d16a96b6c23895ffc6ee2fc
• e222758869452afcd795a798cdf6cffa4ad4a642

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Deploy reliable endpoint protection solutions that include antivirus, anti-malware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Enhance web application security by implementing web application firewalls (WAFs) to defend against web shell attacks and other web-based threats.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
• Implement network segmentation to limit lateral movement within your network. Isolate sensitive systems from less critical ones.
• Enforce the principle of least privilege (PoLP) to restrict user and system access rights. Only grant necessary permissions to users and systems.
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
• Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the threat actors.