The PRODAFT Threat Intelligence Team has published a report (pdf) that gives an unusually clear look at the size and structure of organized cybercrime.
It uncovered a global cybercrime campaign that uses modern management methods, sophisticated tools—including its own malware testing sandbox—and has strong ties with the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.
The research team managed to do a full investigation of one of the SilverFish group’s Command and Control (C2) servers, after detecting an online domain (databasegalore[.]com) from previously published Identifiers of Compromise (IOCs).
It was possible for researchers to create a unique fingerprint of one of the online servers by using multiple metrics, such as installed software. After 12 hours of global scans of the IP4 range, they identified more than 200 other hosts with a very similar setup.
According to the report this "enabled the PTI Team to access the management infrastructure" of the group and learn significant information about how the group worked, who it had attacked, and how.
What the researchers found was a highly sophisticated group of cybercriminals targeting large corporations and public institutions worldwide, with a focus on the EU and the US. They named this organization the SilverFish group.
By linking together the C2 servers they found, and comparing them to known IOCs, the researchers were able to connect the SilverFish group to the infamous SolarWinds attacks.
A large subset of the servers the researchers identified were also used by the infamous EvilCorp group, which modified the TrickBot infrastructure for the purpose of a large-scale cyber espionage campaign.
Links to SolarWinds
The report describes a "significant overlap" between the 4,700 victims identified during the investigation and organizations affected by the SolarWinds attacks. A significant part of the large infrastructure was found to have strong connections with the SolarWinds IOCs shared by three different security companies. The conclusion being that these servers most likely took part in the SolarWinds campaign.
Links to Trickbot
By looking at the group's tactics, techniques, and procedures (TTP), combined with the technical complexity of the SilverFish group’s attacks, PRODAFT was able to detect similar findings in the c2 server, command statistics, infection dates, targeted sectors and countries, tools used during the attacks, executed commands, and other information that was very similar to those used by TrickBot.
So, is this group related with TrickBot? Not likely, but the research shows that the SilverFish group is using a similar version of the TrickBot infrastructure and codebase. It also found evidence of WastedLocker malware and other TTPs that matched with both EvilCorp and SolarWinds.
Links to EvilCorp
EvilCorp is the name of a vast, international cybercrime network. The alleged leaders of this network are very high on the FBI’s wanted list. In 2019, US authorities filed charges against EvilCorp's alleged leaders, Maksim Yakubets and Igor Turashev, accusing them of using malware to steal millions of dollars from groups, including schools and religious organizations, in over 40 countries. EvilCorp is held responsible for the development and distribution of the Dridex and WastedLocker malware.
Malwarebytes’ Threat Intel Team commented:
Prodaft also mentions ties with the WastedLocker ransomware thought to be operated by EvilCorp, likely from the Traffic Distribution System analysis. One of the hostnames in particular is related to the SocGholish social engineering toolkit and is used to fingerprint victims before distribution of the final payload.
According to PRODAFT, the main dashboard of the SilverFish C2 control panel features a section named "Active Teams". SilverFish uses a team-based workflow model and a triage system similar to modern project management applications. Each user can write comments about each victim. Based on these (mainly Russian) comments, the researchers gained a better understanding of the motivation of the group and the prioritization of the victims—operations were prioritized based on these comments.
A hierarchy was also found to be present in the comments on the C2 server, enabling management of different targets, assignment of these targets to different groups and triage of incoming victims.
The main areas of focus for the SilverFish group appear to be the US and Europe, with each region serviced by different teams. They also seem to primarily target critical infrastructure. Successfully compromised victims were found in nearly all critical infrastructures (as defined in the NIST Cyber Security Framework).
The SilverFish group predominantly targets critical entities like energy, defense, and government or Fortune 500 enterprises. Second, the researchers found comments in the C2 servers that indicate ignoring victims like universities, small companies, and other systems which they consider worthless.
Approximately half of the victims were found to be corporations which have a market value of more than $100 million USD, as per their public financial statements.
In contrast to traditional attacks that use a domain name purchased via means of anonymous payments, SilverFish is using hacked domains for redirecting traffic to their C2 control panel.
To avoid disrupting the legitimate traffic of the hacked website, the SilverFish group creates new subdomains, which makes it almost impossible for a website owner to understand that their domain is being exploited in an attack. The frequency in which they change domains would imply that the SilverFish group has more than 1,000 already compromised websites, which are rotated almost every other day.
A significant number of these compromised websites were using WordPress. The report notes that while it is possible to buy login credentials from underground markets, "the amount of compromised websites with the same software shows us that the SilverFish group might also be leveraging 0-day or N-day exploits." WordPress is, by far, the world's most commonly used web Content Management System, and out-of-date installations and vulnerable plugins provide no shortage of targets.
Executed Cobalt Strike beacons use domain fronting for communicating to the C2 server. Domain fronting obscures the eventual destination of HTTP traffic by relaying it from the server listed in the publicly-readable SNI portion of a request, to a different server listed in the private (encrypted) Host header.
The main goals of the SilverFish group are likely to be covert reconnaissance and data exfiltration. According to PRODAFT, the commands and scripts the SilverFish group use "strongly indicates sophistication and an advanced post-exploitation skillset".
The most astounding find the researchers uncovered was that the SilverFish group has designed an unprecedented malware detection sandbox, formed by actual enterprise victims, which enables the adversaries to test their malicious payloads on live systems with different enterprise AV and EDR solutions (enterprise systems can be hard for criminals to acquire).
Malwarebytes Threat Intel Team commented:
Machines are profiled and used as a testing ground, a sort of live antivirus testing platform featuring many different EDR products.
The SilverFish attackers were using this system to periodically test their malicious payloads on more than 6,000 victim devices, scripts, and implants. According to the report, the SilverFish group members appear to be tracking the detection rate of their payloads in real time.
Level of sophistication
PRODAFT says "we believe this case to be an important cornerstone in terms of understanding capabilities of organized threat actors", and it is hard to disagree.
Although ransomware groups can be well organised, they are mostly engaged in noisy smash-and-grab raids. The SilverFish group is something different. According to PRODAFT it is an "organization that operates in an organized and disciplined manner in a hierarchical environment, one that is even highly compartmentalized," that takes a "structured approach to covert cyber-espionage."
The Prodaft researchers refrain from attribution, but there are some strong pointers which can be found in their extensive report.
- Russian comments and use of Russian slang words on the C2 servers.
- Indications that the group is sparing countries that were part of the former USSR and still have strong ties with Russia.
- The group is active during European work hours, with most of its activity recorded between 08:00 and 20:00 (UTC).
- The attention to critical infrastructure, and major companies in the US and Europe.
Attribution is hard and sometimes the conclusion you come to is the one the threat-actors want you to reach. But if it walks like a duck and quacks like a duck....