This is an analysis of a threat actor that goes by many names including Pawn Storm, APT28, and Fancy Bear. The bad actor seems to be a group based in Russia with alleged strong links to the Russian military particularly the GRU (Russian military intelligence).
Pawn Storm is known for using a variety of compromise methods, but gathering user credentials appears to be the method used most often. Well-known, reputable email addresses are collected through obfuscated routing to avoid being traced. These emails are then used in phishing campaigns.
Once inside networks Pawn Storm uses classic lateral movement techniques including, credential dumping, pass the hash techniques, bootkits, rootkits, and access token manipulation to achieve its goal. These targets the Windows Operating System and modern hardware platforms. For example, the threat actor designed a rootkit trojan, called LoJax, that targets the Unified Extensible Firmware Interface (UEFI) firmware. LoJax's main purpose is to maintain the persistence of remote access software. LoJax can load an embedded driver that modifies NTFS partitions on infected systems. The trojan can also use the Windows Registry by modifying a specific key for longer-term persistence.
Changes: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
From a phishing perspective, Pawn Storm uses shared/commercial VPNs to connect to server infrastructure. The server setup usually involves a dedicated server which is used to facilitate communications with the desired target. When setting up the VPN, Pawn Storm uses the OpenVPN option when connecting to their spam servers and likes to maintain careful network paths to avoid DNS leaks. It utilizes DNS SPF (Sender Policy Framework) to avoid spam filtering. They do this by having certain domain names show up in the EHLO command when the spam messages are being sent. This means when any message is received, a DNS request goes out from the target’s email server to the domain name provided in the EHLO command. The goal of their phishing campaigns is to gain credentials which they can use to get initial access to the target’s network.
From an enumeration perspective, Pawn Storm is quite loud when they scan for vulnerable systems. The ports they like to target are Ports 445/TCP (SMB) and 1433/TCP (Microsoft SQL Server) originating from the same server IP. These scans reach far and wide looking for vulnerable systems that can be cataloged for later exploitation.
A successful attack could result in a myriad of actions including the following:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.