For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware.
As of October 2023, IBM X-Force has also observed a significant increase in Hive0051’s activity featuring the new multi-channel approach of rapidly rotating C2 infrastructure facilitating at least 1,027 active infections featuring more than 327 unique malicious domains observed in a single 24-hour period. While Hive0051 has leveraged DNS fluxing to avoid detection since at least as early as December 2022, the automated synchronized fluxing of dynamic DNS records across Telegram channels and Telegraph sites at scale points to a potential elevation in actor resources and capability devoted to ongoing operations. In addition, by deploying multiple consecutive stages of Hive0051’s exclusive Gamma variant malware, the actor is able to remap victims to separate sets of actor-controlled C2 fluxing clusters.
Based on X-Force observations, these Gamma variants have evolved over time from the initial VBS-based GammaLoad variant, to include multiple obfuscation stages and several scripts designed to enumerate victims and spread malware via connected USB devices. Of note, the most recent iterations of the GammaLoad PowerShell variant moved to a fileless approach and stored all malicious code dispersed in the registry. Likewise, the same has been observed for the GammaSteel PowerShell variant used to exfiltrate files upon infection.
X-Force assesses with high confidence that the evolution of rapid remapping of infrastructure to include multi-channel DNS fluxing, continuous malware development and the growing sophistication of malware and obfuscation is evidence of Hive0051’s increasingly elevated level of capability.
Key findings
-
For at least the last 12 months, Hive0051 has utilized a “multi-channel” fluxing approach to rapidly remap infrastructure to conduct operations and obfuscate activity.
-
X-Force is tracking multiple infrastructure clusters with dedicated Telegram channels, DNS apex domains, and Telegraph sites.
-
Hive0051 is able to graduate victims from one cluster to another by deploying multiple consecutive stages of Gamma variants.
-
Based on X-Force observations, Hive0051 has continuously evolved its malware development, experimenting with new techniques, adding obfuscation and several scripts designed to enumerate victims and spread malware to connected USB devices.
-
The recent PowerShell variant of the Gamma malware has switched to using a fileless approach, storing all malicious code dispersed in the Windows registry. The same has been observed for the GammaSteel PowerShell variant used to exfiltrate files and credentials upon infection.
-
It is highly likely that Hive0051 will continue to foster evolving methodologies to facilitate operations potentially indicating increasingly elevated levels of capability.
Analysis
What is multi-channel DNS fluxing?
Standard DNS fluxing or fast-fluxing, is a technique threat actors use to rapidly rotate infrastructure by regularly changing the IP address their C2 domain points to in public DNS records. Hive0051 has adopted the novel use of multiple channels to store DNS records as opposed to a traditional DNS record configuration. In this methodology, public Telegram channels and Telegraph sites are essentially used as DNS servers and are fluxed in synchrony together with the DNS records. This enables Hive0051 to fallback to secondary channels in order to resolve the currently active C2 server, should the domain be blocked via any of the other channels.
Infection chain
The use of fast fluxing in place of definite subdomains to facilitate operations is a relatively new technique employed by Hive0051 to obfuscate activity and avoid threat detection. During the course of routine tracking of Hive0051 activity, X-Force uncovered new HTA files delivering Hive0051’s exclusive GammaLoad malware. The machine-translated text of collected HTA filenames pointing to a wscript.exe executable, appear in multiple Slavic languages and are crafted to appear as legitimate legal or project notifications to manufacture a sense of urgency. Given past Hive0051 operations, the files were likely delivered via phishing campaigns; however, X-Force observed the added functionality featured in the uncovered VBS and PS GammaLoad variants which enables its spread via USB drives signaling the potential use of physical access via infected USB devices.
Activation of the malicious links initiates the infection chain illustrated in the following diagram, which visualizes the various stages of a GammaLoad infection observed by X-Force.
Fig. 1: GammaLoad multi-stage infection graph
Infection vector
GammaLoad infections can be traced back to a number of malicious .XHMTL files. These contain obfuscated and Base64 encoded data, revealing a JavaScript dropper.
Fig. 2: .XHMTL file containing space separated Base64 data
Fig. 3: JavaScript dropper
The dropper contains a payload which is decoded and downloaded by the browser as a RAR file. It also loads a remotely hosted resource, only displayed as a single pixel, in order to track successful downloads.
The resulting RAR archive contains a folder and an .HTA file (HTML Application), both using enticing names designed to trick victims into opening it:
Fig. 4: .HTA file with filename lure
Once opened, the .HTA file runs a short VBScript block to download and execute another remote .HTA file via the windows binary mshta.exe.
Fig. 5: .HTA downloader
GammaDrop: HTA variant
The downloaded .HTA is the VBScript-based GammaLoad installer, which has been used consistently for several months as of October 2023. It drops the embedded GammaLoad payload as a text file to:
Scroll to view full table
Note that the filename differs among samples.
The most recent variants also search for a specific process running on the host: QHActiveDefense.exe. This process is part of the 360 Total Security anti-virus software. If it is detected, the embedded GammaLoad payload is run using the command:
Scroll to view full table
without establishing persistence in the registry.
If the installer does not detect the anti-virus process, it additionally writes the above command into a registry key at:
Scroll to view full table
The name of the registry key also varies between samples.
Lastly, the installer attempts to open a document located at:
Scroll to view full table
This may intentionally throw an unobtrusive error.
GammaLoad: VBS variant
One of the most commonly observed variants of GammaLoad is written in VBS. It runs its main function in regular intervals of approx. 90 seconds. During a run, it will start by resolving its C2 server. GammaLoad has several techniques to accomplish this, also depending on the variant. All variants support resolving an IP via DNS. GammaLoad uses a unique mechanism, by executing a WMI query:
Scroll to view full table
This runs the ping command against a specific domain. The prefix used is often a hardcoded keyword found in VBScript, for example, “FileExists” or “Asc”. It is then concatenated with a random integer between 1 and 100 that is generated at runtime. Each sample also contains a hardcoded apex domain, which is used to build the subdomain for the DNS query. A few such example domains would be:
Scroll to view full table
Secondary mechanisms to resolve C2 IPs include querying hardcoded Telegram channels or Telegraph websites.
Fig. 6: Telegram channel
Fig. 7: GammaLoad parsing C2 IP from Telegram
Fig. 8: Telegraph site displaying C2 IP and Telegram channel ID
The more recent variants would not only resolve an IP address but also a corresponding Telegram channel ID. Both are written into text files and dropped to the %TEMP% directory or a folder within %APPDATA%.
Once GammaLoad retrieves an active C2 IP address, it goes on to craft multiple HTTP requests. The target URLs would often contain multiple random integers at specific locations, as well as hardcoded paths. These differ between samples, just like the custom HTTP headers added to the requests. Below is a list of different attempted header variants incorporating hardcoded values:
Scroll to view full table
Note that some of these headers are actually overwritten by the MSXML2.XMLHTTP object and cannot be manually set by the malware (such as Content-Length). This may be used to identify requests crafted by researchers, as well as non-matching hardcoded values such as Cookie.
The User-Agent string follows a specific format. It usually contains a real user agent, followed by the C-drive serial number and the computer name environment variable. The information is likely used to register a victim with the C2 server and control further payloads.
Scroll to view full table
As a response, GammaLoad expects two types of payloads. If the response is between 5 and 20 characters long, it treats it as a new telegram ID and updates the corresponding file. Any longer response is deobfuscated, base64-decoded and executed as VBScript in memory.
GammaDrop: VBS variant
One of the GammaLoad payloads X-Force observed is a more sophisticated variant of GammaDrop. It consists of a large VBScript file, with multiple encoded and hardcoded payloads. Each of the components accomplishes a different task, by either deobfuscating others, establishing persistence, or being the next payload.
This variant of GammaDrop creates a new scheduled task after dropping its payload. The payload is another variant of GammaLoad. Of note, GammaDrop already writes the two text files GammaLoad needs, containing a hardcoded IP address and Telegram chat ID. By deploying another variant of GammaLoad on an already infected host, the threat actor is able to sort victims and transfer them to a new C2 cluster.
USB Spreader
GammaLoad also has the capability to spread via USB drives. It does this by copying itself recursively into subfolders of connected USB drives. In order to lure victims into executing it, GammaLoad uses enticing filenames for Windows shortcut files pointing to wscript.exe with a hidden payload.
Fig. 9: Deobfuscated GammaLoad USB spreader
The USB drives’ subfolders are recursively infected up to a depth of 3.
GammaLoad: Fileless PS variant
In addition to the VBScript-based variants, there is also a PowerShell version. Most of its functionality such as the USB spreading, C2 resolving and communication works very similarly. One observed advantage of the PowerShell version is the storing of all necessary code in the registry, making it almost completely fileless:
Fig. 10: GammaLoad code stored in the registry
In order to run, this variant dynamically loads and stores PowerShell code under the registry path
Scroll to view full table
The following diagram illustrates how the different PowerShell execution blocks are used:
Fig. 11: GammaLoad PowerShell registry execution
Most of the code is executed as a PowerShell job after being loaded from the registry. Before copying to the USB drive, GammaLoad makes sure to merge all of the codebase back into a single PowerShell template, which also writes the initial registry persistence key and populates the registry again for the next victim.
Just like the VBS variant, it chooses from a list of potentially luring filenames to create malicious shortcut files:
Fig. 12: GammaLoad preparing shortcut file
The PowerShell variant of GammaLoad also uses a different prefix for resolving its C2 address and is likely operated by a separate cluster of C2 servers.
C2 infrastructure
GammaLoad uses several different mechanisms to resolve its C2 server’s IP address. To avoid detection and takedown, the C2 infrastructure also makes use of a technique known as fast-fluxing.
Every GammaLoad sample contains (or receives) a hardcoded apex domain, as well as a telegram channel ID. In some cases, there is an additional telegraph URL, which is used as well. The apex domain is set up with a wildcard DNS record, causing all subdomains to resolve. Since GammaLoad chooses random subdomains of a specific pattern, the DNS queries are always for a different subdomain.
The C2 infrastructure consists of a large cluster of IP addresses. A GammaLoad sample’s apex domain rotates through these IP addresses, by having its DNS records changed frequently. Currently the IP addresses are updated between 1-3 times a day.
Below is a table outlining the scale of one campaign. A large quantity of actor-controlled domain names resolves to one active C2 IP address.
Fig. 13: Passive DNS results for GammaLoad (VBS) C2
The subdomains contain a specific keyword, which is hardcoded in each sample. For instance, a single day of activity in late September 2023 and a single C2 server, hosted more than 120 unique apex domains found in passive DNS data. Using the hardcoded prefixes X-Force was able to estimate a lower bound of infected victims within that 24-hour period – adding up to at least 247 infections. It is virtuality certain the actual number of infections is higher, as these calculations are based solely on directly observed unique keyword+apex pairs and DNS requests whose visibility is limited by the scope of available DNS telemetry. However, the number of infections may also be impacted by “intentional” infections caused by the engagement of researchers executing payloads within sandbox environments.
Over the course of X-Force monitoring, Hive0051 has demonstrated a notable increase in volume of attacks. In late October 2023, a single C2 server hosted a minimum of 1,027 active GammaLoad VBS infections spanning across 327 unique domains in a single 24-hour period.
For comparison, GammaLoad’s PowerShell variant uses a different prefix for its apex domains, consisting only of a random integer, in order to avoid generating duplicate subdomains:
Fig. 14: Passive DNS results for GammaLoad (PS) C2
By looking at the domain history of some of these domains, we can pivot to find further IP addresses used for C2 communication:
Fig. 15: Domain history for apex domain antarcticos[.]ru
Fig. 16: Domain history for apex domain garibdo[.]ru
Both domains show the same pool of rotated IP addresses in their historic DNS records, with only a few exceptions. This is an indicator that both domains are used by the same campaign and GammaLoad variant.
Of note, GammaLoad fluxes its DNS records in sync with its multi-channel infrastructure; like Telegram and Telegraph. Every time the DNS record is updated, the corresponding telegram channel’s operator deletes the last message and sends a new one containing the latest IP address. This “multi-channel-fluxing” technique ensures correct dynamic IP resolving, even if the apex domain has been found and blocked by a DNS server.
Secondary payloads
After connecting to its C2 server, GammaLoad quickly downloads and executes further payloads. These are often VBS/PS scripts with different objectives. Firstly, it is not uncommon for GammaLoad to drop another stage of GammaLoad onto an infected host. This is often a different variant, containing a new apex domain and telegram channel ID. Presumably, this is done to “graduate” infected machines into another cluster after initial infection, making it easier to sort victim machines. The new C2 apex and telegram combination often has little to no overlap with the previous one. The next stage of GammaLoad may include additional functions that support more payloads, enumeration or USB spreading.
GammaLoad also downloads data exfiltration and reconnaissance scripts within minutes of infection. These are often PowerShell-based, per the example below:
Fig. 17: PowerShell reconnaissance script
The full script collects the following information:
-
Screenshot
-
Anti-virus products
-
System info
GammaSteel
X-Force also observed a PowerShell-based GammaSteel variant residing in the registry, dispersed among different keys just like GammaLoad. GammaSteel makes use of a database file “layout.xml” to store pseudo-hashes of exfiltrated files and avoid duplicate uploads. The files are selected based on hardcoded extensions and copied into a temporary directory before the upload.
Fig. 18: GammaSteel PowerShell variant
This particular sample also used a hardcoded IP address as a fallback C2 server, obfuscated as an integer array:
Fig. 19: GammaSteel script defining configuration values
Conclusion
Hive0051’s signature style is the use of relatively simple yet effective malware. Evidence of this is this group’s wide arsenal of different variants as well as the large scale of its campaigns and infrastructure, observed in passive DNS data. Hive0051 does not appear to focus on staying under the radar but rather relies on increasing obfuscation and using longer infection chains before deploying more novel or advanced variants. Over time Hive0051 has exhibited the tendency to reuse code, TTPs, and infrastructure. Nevertheless, Hive0051 has steadily introduced credible improvements and explored new techniques such as moving code to the registry, dispersing payloads, switching C2 request patterns, and adding further functionality to its toolsets.
It is highly likely Hive0051 will continue to focus activity against entities based in and surrounding Ukraine given its established mission space and demonstrated operations tempo. The observed malware undergoes constant improvement, making it more resilient against detection and blocking. The new use of multi-channel DNS Fluxing capability to rapidly remap infrastructure to conduct activity may possibly point to an elevated threat capability. X-Force recommends entities in-region remain at heightened level of defensive security.
Recommendations
-
Monitor for suspicious connections to Telegram and Telegraph services
-
Hunt for registry keys containing PowerShell code.
-
Search for existing signs of the indicated IoCs in your environment.
-
Keep applications and operating systems running at the current released patch level.
-
Exercise caution with attachments and links in emails.
To learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler.
If you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
X-Force Threat Intelligence, IBM
Senior Strategic Cyber Threat Analyst, IBM
Cyber Threat Researcher - IBM X-Force