IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former members of ITG23 (Conti/Trickbot group). Following law enforcement efforts known as Operation Endgame, Hive0137 was found delivering a new backdoor known as WarmCookie.

After continuously following Hive0137 phishing operations, X-Force believes it is likely that the emails used in current Hive0137 campaigns are being created using Large Language Models (LLMs), which has greatly improved their authenticity and resilience against signature-based detection. Interestingly, this capability was also demonstrated in an Italian campaign delivering Dave-crypted X-Worm attributed to a different distributor, which featured similar techniques to Hive0137. In addition, potential Hive0137 tooling discovered by X-Force appears to have been created using Generative AI, signifying the group’s willingness to adopt new technologies for malicious purposes.

Key Findings:

• Hive0137 is a highly active email spammer distributing malware used for initial access in ransomware attacks
• Crypters used for Hive0137 payloads suggest a close relationship with former members of ITG23 (Conti/Trickbot group)
• Following Operation Endgame, X-Force observed a new Hive0137 payload known as WarmCookie
• X-Force believes Hive0137 likely leverages LLMs to assist in script development, as well as create authentic and unique phishing emails
• Suspected LLM-based phishing was also observed in Italian campaigns delivering Dave-crypted X-Worm

Hive0137 background

Hive0137 is an email distributor tracked by X-Force since October 2023. The group is capable of executing unusually complex infection chains first reported by X-Force in February. Analysis revealed Hive0137 delivering emails containing malicious PDF attachments or URLs leading to DarkGate, NetSupport and a new loader dubbed “T34-Loader.” Hive0137 campaigns overlap with Proofpoint’s TA571 cluster, which also noted the complexity of their email campaigns. In a December 2023 campaign, Hive0137 made use of Snow crypter to inject the new T34-Loader. Of note, the Snow crypter was developed by former members of the Trickbot/Conti syndicate (aka ITG23), suggesting a relationship between threat actors for developing or using T34-Loader and ITG23. X-Force further suspects payloads delivered by Hive0137 may be used for initial access leading to ransomware attacks.

Previous campaigns

Throughout early 2024, X-Force recorded several Hive0137 campaigns using new payloads and crypters. Hive0137 emails are composed primarily in English and use a variety of themes including reimbursement requests, invoices, project budget reviews, report analyses and meeting presentations.

Beginning in mid-February 2024, X-Force observed Hive0137 experimenting with new attachment types, demonstrating at least a temporary shift away from previously preferred methods including PDFs delivering malicious URLs. The campaigns leveraged Excel attachments containing a malicious URL in the form of a UNC file path e.g. \\147.182.156[.]154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs, which when clicked, downloads the next stage; typically a VBS or JavaScript file. Then, the file will download and execute a final DarkGate payload.

Of particular interest, the change of techniques was observed in parallel Hive0118 (aka TA577) campaigns. Hive0118 is an email distributor that frequently provides initial access for ransomware attacks conducted by threat actors with ties to the Trickbot/Conti syndicate (ITG23). This group uses thread hijacking/stolen emails and targets entities globally in widespread campaigns. In the observed case the group distributed Dave-crypted PikaBot samples. In previous campaigns, Hive0118 delivered malware including DarkGate, Qakbot and IcedID using various ITG23-related crypters such as Forest, Snow and Quicksand.

In late March 2024, Hive0137 also distributed Dave-crypted Pikabot payloads. These were delivered through malicious HTML files leveraging the “search-ms” protocol to stage payloads from remote SMB shares. The delivery of Pikabot reinforces X-Force’s assessment that Hive0137 campaigns are used for initial access leading to ransomware attacks. The Pikabot loader, which has been active since early 2023, shares several similarities with Qakbot and has been delivered frequently by Hive0118, particularly in late 2023 following Qakbot’s disruption. Like Qakbot, Pikabot infections have typically led to BlackBasta ransomware.

Post-Endgame activity

At the end of May, Operation Endgame, a global law enforcement takedown operation took action against several malware botnets including Pikabot. Following this, Hive0137 once again changed its payload to NetSupport, leveraging Microsoft Project (.mpp) files with embedded macros designed to download the final payload from a remote server. The NetSupport payload was delivered in the form of an MSIX file. Later NetSupport campaigns by Hive0137 used a new technique in HTML files to copy malicious PowerShell code into the user’s clipboard and prompt the user to unknowingly execute it.

In mid-June, a Hive0137 email campaign used the same HTML clipboard technique in combination with a double Base64 encoding for obfuscation. In this campaign, the payload was a new Forest-crypted backdoor called WarmCookie, first reported on by Elastic Security Labs in June 2024. Previous WarmCookie infection chains from late April 2024 relied on JavaScript and PowerShell stages to download and execute the backdoor.

Fig. 1: Hive0137 campaign distributing Forest-crypted WarmCookie.

Similar to other persistent malware botnets such as Qakbot or Pikabot, WarmCookie supports several C2 commands to enumerate the infected machine, take screenshots, download and upload files and run arbitrary commands.

Of note, X-Force observed a larger campaign at the beginning of July 2024 targeting exclusively Italian-speaking victims. After analyzing the emails, we concluded that these were distributed by a different spammer than Hive0137, but still employ similar techniques to generate unique subjects and email bodies.

Fig. 2: Paypal-themed campaign targeting Italian-speaking victims.

The emails delivered ZIP archives containing .URL files linked to payloads on remote SMB servers. The final payloads were identified as Dave-crypted X-Worm. Dave-crypter is among the ITG23 crypters used by both Hive0118 and Hive0137. However, it is unusual to be paired with a commodity RAT such as X-Worm.

X-Force’s observation of Hive0137 exploring new payloads using the same crypters may suggest an experimental phase following the fallout of Operation Endgame. It is possible the groups are working towards the goal of identifying suitable successors to Pikabot and other previously used malware backdoors to facilitate their future operations.

Phishing – An AI use case

Cat-and-mouse game

For initial access brokers (IAB) specializing in malware delivery through phishing, the threat landscape has seen several new interesting techniques appear over the years. One of the most effective techniques, made famous by Emotet and still used by Hive0118, is known as thread hijacking. The effectiveness of thread hijacking is largely due to its authenticity. By hijacking a stolen email thread with a malicious email, victims can easily be fooled into believing it was part of the original stolen conversation. However, as email security solutions began to catch up, threat actors were forced to continue to evolve in an ever-lasting cat-and-mouse game. Modern phishing detection uses threat intelligence not just to identify known malicious hashes, but also email subjects, attachment filenames and email bodies among others. As a result, threat actors have started to adapt, by introducing random scrambling of these properties, trying to ensure that every email in their campaign has a unique attachment hash, filename, subject and body.

For example, both Hive0137 and Hive0118 use filename patterns to accomplish this. Hive0137 relies on an alphanumeric random string, whereas Hive0118 uses wordlist-based scrambling in the examples below.

Fig. 3: Hive0137 HTML campaign delivering NetSupport.

Fig. 4: Hive0118 PDF campaign leading to Adversary-in-the-Middle (AitM) phishing.

Similar techniques are used for email subjects. In the first few phases of thread-hijack campaigns, the stolen email subjects would generally be preceded with “Re: ” or “FWD:” or similar strings. Hive0118 then started to remove these, and in their latest campaigns have tried to scramble the original subject by removing and adding single characters within the subject attempting to evade signature detection.

X-Force observed Hive0137 favoring a separate approach. Unlike most other distributors, instead of relying on scrambling techniques by adding random ID numbers to email subjects, the group is believed to be employing LLMs to generate or paraphrase phishing emails. With the widening availability of AI technology, it is logical an actor may use the capability to generate thousands of unique and natural-sounding phishing emails. Each recently observed Hive0137 campaign usually had at least one specific phishing theme such as paycheck notifications, payment details or project updates. This may indicate that all emails within a campaign were likely generated by very few parent phishing emails used as prompts to create paraphrased versions to distribute.

X-Force observations indicate that Hive0137’s use of likely LLM-generated paraphrasing can be traced back until October 2023. In several campaigns, they used a mixture of both paraphrasing and random number scrambling techniques. The following examples show different subjects used in Hive0137 campaigns.

09 May 2024 (PDF and XLSX campaign): The early May 2024 campaign used previously known subject-scrambling techniques of adding random numbers.

14 May 2024 (HTML campaign): The mid-May 2024 campaign used traditional scrambling in addition to a technique where subjects are repeatedly paraphrased.

28 May 2024 (HTML campaign): This campaign used subjects from the 14 May campaign as well as the ones below.

26 June 2024 (PDF campaign):

Hive0137 appears to have applied the same methodology to the body of their phishing emails. In most campaigns, the message bodies follow a set topic and format which is then paraphrased. Below are two sets of three examples from the June 26 campaign, grouped by their parent prompt:

Parent prompt 1:

Parent prompt 2:

After analyzing the email bodies and subjects, X-Force asserts a high likelihood of these being generated by a LLM, for the following reasons:

1. The email structure is very consistent, indicating that these were generated in an automated process.
2. The paraphrasing goes above simple single-word substitution with synonyms. There are multiple occurrences of restructured sentences, which would require a large database of phrases and specific logic to piece together without any errors.
3. The content does not appear very creative, making it less likely to have been written by a human.
4. The emails also display a lack of creativity when it comes to choosing synonyms for frequently used words. Research indicates that LLMs may use certain words excessively. After analyzing thousands of emails, X-Force found a clear bias towards certain words regardless of paraphrasing, which is unlikely to result from human-written text.
5. X-Force reproduced similar emails by prompting an LLM to paraphrase an example email.

Multilingual variants in July

On 30 June and 01 July 2024, X-Force observed a large phishing campaign targeting Italy with PayPal-themes leading to the delivery of Dave-crypted X-Worm. We believe that it was sent by a different email distributor, but it still bears several similarities with previous Hive0137 campaigns. It is the first occasion X-Force has observed the use of suspected LLM-generated emails in another language. For comparison, below are sample paraphrased excerpts from the campaign:

Of note, the subjects remain in English:

As a result, X-Force expects Hive0137 and other related email distributors to continue expanding their phishing email generation techniques to more languages in the future.

LLM-aided scripting

PDF-based phishing emails used by Hive0137 often leverage Adclick (doubleclick), a popular online marketing platform. URLs supplied in phishing emails redirect the victim to malicious downloads of various types. On 20 June 2024, X-Force re-analyzed a previously collected Adclick URL, and found that it now redirected to a different host:

The URL led to the download of payment_june_2024-7a613.mpp (86ea22f95841f79ff10391858c1f38f8a694adf625a5d7cc49e47903c55dc8a8), a Python file with multiple Russian language comments. Files using the .mpp extension are typically associated with the Microsoft Project File format containing the project timeline, budget and other relevant data. X-Force recently observed Hive0137 using MPP files to distribute NetSupport RAT and it is unusual for the downloaded .MPP file contained Python code.

The downloaded Python script functions as a tool to inject malicious JavaScript into compromised WordPress sites. The site hosting the JavaScript can be retrieved from a text file hosted within a GitHub repository:

This text file contained the URL:

Upon examination of the GitHub repository, multiple text files consisting of several URLs linking to awards2tools[.]shop were discovered and likely used by the actor for conducting operations.

Extensive Russian comments inside the Python file and the coding style led X-Force to believe that it was likely created using a LLM, with a Russian prompt. To verify the capabilities of an LLM to generate a script similar to the one discovered, researchers attempted to reproduce the script using a LLM The following prompt yielded AI-generated code with similar comment strings to payment_june_2024-7a613.mpp.

Fig. 6: the actor obtained a Python script.

Fig. 7: X-Force AI generated research script used for comparison.

The Python file contains Russian language strings throughout the code. The table below outlines a machine translation of the strings.

The similarities observed between the actor-obtained Python file and AI-generated research code show another possibility of how Hive0137 employs AI to assist in cyber operations. It is likely a momentary misconfiguration of the actor’s infrastructure that led to the download of the Python file.

Conclusion

Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI. They have quickly moved onto the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates. Hive0137’s combination of intent, capabilities and relationships with other groups presents a direct threat to organizations all over the world. As threat actors pick up the pace and increasingly adopt AI technologies for malicious purposes, it is important that organizations are aware of the most recent threats and their capabilities to maintain a strong security posture.

Recommendations:

We encourage organizations to review the following security recommendations:

• Regularly update and patch applications
• Ensure anti-virus software and associated files are up to date
• Train users to exercise extreme caution with email links and attachments and refrain from opening unusual file types
• Consider blocking script execution such as PowerShell/VBS/HTA/JS/BAT or change the default application to Notepad
• Implement multi-factor authentication and monitor for leaked enterprise credentials

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.