TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Threat actors are utilizing corrupted documents and the recovery functionality of Word documents to hide malicious content.
On December 5th, researchers from Any.Run released a technical report on a novel phishing attack that exploits corrupted Word documents to bypass security systems. The campaign has reportedly been active since August 2024 and takes advantage of Microsoft (MS) Word’s built-in recovery feature, allowing the malicious files to remain undetected by most antivirus software.
The phishing campaign uses intentionally corrupted Word documents in emails that pretend to be from payroll and human resources departments. These emails often contain attachments related to employee benefits and bonuses. The filenames contain a base64-encoded string. When the recipient opens the attachment, MS Word detects that the file is corrupted and displays a message stating that it "found unreadable content" in the file. Word then prompts the user to recover the file. Despite being corrupted, the files are designed in a way that they can be easily recovered, and when opened, they display a message asking the user to scan a QR code in order to retrieve the document. The QR code leads the user to a phishing site that masquerades as a Microsoft login page in an attempt to steal the user's credentials. According to Any.Run, when the corrupted file was submitted to VirusTotal, no antivirus solutions flagged it as malicious. This is because most antivirus software and automated tools lack the recovery functionality found in applications like Word, which prevents them from accurately identifying the nature of the corrupted file.
The report also delves into the structure of Word documents, which, since the mid-2000s, have been organized as ZIP archives containing the various parts of the document. The "Local File Header" (LFH), "End of Central Directory Record" (EOCD) and "Central Directory File Header" (CDFH) are key components in this structure. Attackers can manipulate these parts of the archive to corrupt the document while keeping it recoverable by Word. Through hypothesis testing, the researchers found that Word is more resilient to file corruption than other software, such as ZIP archivers. Word was able to recover files even when the CDFH and EOCD were damaged, whereas ZIP software failed in similar scenarios.
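To make the structural point concrete, the following added example (written for this briefing, not code from Any.Run or eSentire) builds a small DOCX-like ZIP in memory, corrupts it the way the report describes (central directory and EOCD destroyed, Local File Headers left intact), and shows why a plain ZIP parser rejects the file while a sequential walk over the Local File Headers still recovers every part. The triage function flags exactly that combination, and also checks for the base64-looking token the campaign places in attachment names; the 16-character threshold, the sample archive contents and the filenames are constructed assumptions.

```python
import io
import re
import struct
import zipfile
import zlib

# ZIP record signatures: Local File Header, Central Directory File Header,
# End Of Central Directory record.
LFH_SIG = b"PK\x03\x04"
CDFH_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Heuristic for the base64-looking token the report says appears in attachment
# names. The 16-character minimum is an assumption, not a value from the report.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX-like archive (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>scan the QR code to view</w:document>")
    return buf.getvalue()


def corrupt_central_directory(data: bytes) -> bytes:
    """Simulate the corruption the report describes: destroy the CDFH and EOCD
    while leaving every Local File Header and its compressed payload intact.
    The central directory offset is read from the EOCD record (bytes 16..20)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no EOCD record found; not a complete ZIP archive")
    cd_start = struct.unpack("<I", data[eocd + 16:eocd + 20])[0]
    return data[:cd_start] + b"\x00" * (len(data) - cd_start)


def parses_as_zip(data: bytes) -> bool:
    """What a plain ZIP parser sees: it locates entries via the EOCD/central
    directory, so a file corrupted this way is rejected outright."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def recover_lfh_entries(data: bytes) -> dict:
    """Walk Local File Headers sequentially, ignoring the central directory,
    which is roughly what a recovery routine must do. Returns name -> bytes
    (None for entries whose sizes live only in a trailing data descriptor)."""
    entries = {}
    pos = 0
    while (pos := data.find(LFH_SIG, pos)) >= 0 and pos + 30 <= len(data):
        (_sig, _ver, flags, method, _time, _date, _crc, csize, _usize,
         nlen, elen) = struct.unpack("<4sHHHHHIIIHH", data[pos:pos + 30])
        name_start = pos + 30
        data_start = name_start + nlen + elen
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        if flags & 0x0008:           # sizes follow the payload in a data descriptor
            entries[name] = None
            pos = data_start
            continue
        blob = data[data_start:data_start + csize]
        if method == 0:              # stored
            entries[name] = blob
        elif method == 8:            # deflate (raw stream, hence wbits=-15)
            entries[name] = zlib.decompress(blob, -15)
        else:
            entries[name] = None
        pos = data_start + csize
    return entries


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag archives that a ZIP parser rejects but that still carry readable
    Local File Headers (i.e. Word could recover them), plus the filename signal.
    Signature counts are a heuristic: the byte patterns can also occur inside
    compressed data."""
    sigs = {"lfh": data.count(LFH_SIG), "cdfh": data.count(CDFH_SIG), "eocd": data.count(EOCD_SIG)}
    valid = parses_as_zip(data)
    recovered = {} if valid else recover_lfh_entries(data)
    readable = [n for n, c in recovered.items() if c is not None]
    return {
        "valid_zip": valid,
        "signatures": sigs,
        "recoverable_parts": sorted(readable),
        "b64_in_name": bool(B64_TOKEN.search(filename)),
        # Core rule: document parts are present, but the directory that a normal
        # ZIP tool relies on is gone or unusable.
        "suspicious": (not valid) and sigs["lfh"] > 0 and bool(readable),
    }


if __name__ == "__main__":
    good = build_sample_docx()
    bad = corrupt_central_directory(good)
    print(triage_attachment("Annual_Benefits_2024.docx", good))
    print(triage_attachment("Bonus_QWxsIGVtcGxveWVlcyBib251cw==.docx", bad))
```

The useful signal for a mail gateway or sandbox is the mismatch between the two views of the same bytes: a ZIP library reports "not a zip file", yet a header walk recovers complete OOXML parts. That mismatch, rather than any signature inside the document, is what distinguishes a deliberately corrupted lure from an accidentally truncated file.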
As companies work to reduce their attack surface, threat actors are devising ingenious methods, such as the use of corrupted Word documents, to deliver phishing payloads to targeted victims. eSentire has observed activity that matches the description provided by Any.Run. Observations from such incidents indicate that the end goal of these attacks is to deceive users into opening suspicious documents with embedded QR codes that, when scanned, redirect victims to fraudulent websites or fake login pages for credential theft. Since these documents do not contain traditional malicious code but instead present QR codes or phishing links, they further evade signature-based detection. This shift from embedded malware to socially engineered phishing tactics complicates detection efforts.
In the past, attackers have exploited common file formats, such as Microsoft Office documents, to deliver malware or phishing attacks, often using techniques like embedding malicious macros, which have been linked to trojans like Dridex and Emotet. Additionally, attackers leverage polyglot files, which combine multiple file types to evade detection, such as embedding a Word document within a PDF or mixing JavaScript with images. QR codes have also become an emerging vector for phishing (quishing), often delivered via email. While many email security systems now scan QR codes, attackers continue to enhance their methods, adding layers of obfuscation to bypass detection. QR code phishing is especially concerning because it requires the end user to scan the code with a mobile device. In most cases, the malicious actions then occur on an unmonitored device, increasing the difficulty of investigations.
While this recent campaign bypasses email spam filters, several steps can be taken to mitigate this threat. It is essential to implement a multi-layered security approach, incorporating real-time scanning of all file types and increased vigilance around QR code links. End-user training remains a critical line of defense, as educating users to recognize suspicious attachments, unexpected requests, and the risks of interacting with unverified QR codes can significantly reduce the likelihood of compromise. Finally, implementing strict email filtering policies that flag or quarantine potentially malicious file formats and links could further reduce the attack surface.
In response to these observations, eSentire’s Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.
Bottom Line: A Russian state-sponsored APT group has been identified targeting other APTs. This is done to gain access to both victim organizations and sophisticated tools, while increasing the difficulty for defenders to attribute malicious activity to a specific group.
On December 4th, Lumen’s Black Lotus Labs and Microsoft released reports outlining the Russian state-sponsored APT group Secret Blizzard’s (aka Turla, Venomous Bear, Waterbug, Snake, Turla Team, and Turla APT Group) attack on the infrastructure of the Pakistan state-sponsored threat actor group Storm-0156 (this group overlaps with Side-Copy, Transparent Tribe, and APT36).
The Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). Secret Blizzard targets various sectors, primarily focusing on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies globally. The group aims to establish long-term access to systems for intelligence gathering. They utilize extensive resources, including multiple backdoors featuring peer-to-peer functionality and several Command-and-Control (C2) communication channels. Storm-0156 is a Pakistan state-sponsored APT group known to target government agencies, mainly in Afghanistan, as well as government agencies and critical infrastructure in India. The threat actor has been observed to use a mix of open-source tools and custom remote access trojans in their campaigns.
Microsoft and Lumen identified that by early November 2022, Secret Blizzard had infiltrated the Storm-0156 C2 infrastructure, and by mid-2023, they had expanded their control to include several C2 servers linked to the Storm-0156 actor. This enabled Secret Blizzard to gain insights into Storm-0156's tools, access credentials for both C2 servers and targeted networks, and exfiltrate data from earlier operations of Storm-0156. The reports did not identify the means of initial access to Storm-0156's network. Upon the successful compromise of the C2, the threat actor leveraged the access obtained by Storm-0156 to deploy their own malware, TwoDash (Tiny Turla backdoor; a .NET backdoor) and Statuezy (a clipboard monitoring tool), into several networks linked to Afghan government entities. By mid-2024, the group used malware families previously utilized by the Storm-0156 group in attacks against Indian government agencies, such as Wainscot (a Golang-based backdoor) and CrimsonRAT (a .NET-based backdoor).
Storm-0156's C2 compromise impacted Afghan government entities, such as the Ministry of Foreign Affairs, the General Directorate of Intelligence (GDI), and Afghan foreign consulates, as the Secret Blizzard group deployed backdoors on their devices. The group avoided targeting Indian organizations, with only one instance observed where Secret Blizzard used a Storm-0156 backdoor to deploy the TwoDash backdoor on a target desktop in India.
Secret Blizzard has previously also compromised other APT groups and leveraged the tools of these groups to conduct their malicious activities. In 2017, Secret Blizzard accessed tools and infrastructure associated with the Iranian state-sponsored threat actor Hazel Sandstorm (also known as OilRig, APT-34, and Crambus), as reported by Symantec and US and UK intelligence agencies. In 2022, the group reused Andromeda malware to deploy the KopiLuwak and QuietCanary backdoors, as reported by Mandiant. Additionally, a report by Kaspersky revealed that in 2022, Secret Blizzard attempted to deploy QuietCanary using the backdoor of the Kazakhstan-based threat actor Storm-0473 (also called Tomiris).
Secret Blizzard’s strategy of compromising other APT groups’ networks enables them to leverage the campaigns of these groups without deploying their own infrastructure, thereby reducing the operational costs of their cyberattacks. This approach also provides access to the tools and resources of the compromised APTs. The overlap in infrastructure, tools, and tactics often causes misattribution, complicating the defenders’ ability to accurately identify the perpetrators. The implication of this activity is that an organization compromised by a single APT may be at risk of having data stolen by multiple threat actor groups. This bears a resemblance to supply chain campaigns, in which a single organization is targeted, leading to compromises across their client base.
The case of Secret Blizzard compromising Storm-0156's infrastructure highlights that the group's differing approach in Afghanistan and India may be influenced by political factors within the Russian leadership and distinct regional responsibilities within the FSB. These campaigns targeting other APTs allow Russian APTs to assess the capabilities of rival groups, including the sophistication of their C2 infrastructure, malware tools, the impact on victim organizations, and their ability to execute stealthy cyberattacks while remaining undetected for extended periods. While Secret Blizzard was able to leverage Storm-0156's network to access information related to the victim organizations, it is possible that the intelligence gathering requirements between threat actor groups differed, limiting the overall value of infections for Secret Blizzard.
eSentire's Threat Intelligence Team recommends that organizations implement robust endpoint and network security solutions to identify suspicious activity from an APT group. Organizations must perform in-depth investigations and remediation actions upon identifying an attack by an APT group. These highly sophisticated actors establish multiple persistence mechanisms to ensure persistent access to victim devices. In rare cases like those reported by Black Lotus Labs and Microsoft, that access may be abused by separate threat actor groups.
eSentire MDR for Network detects KopiLuwak, TwoDash, and CrimsonRAT. The eSentire Threat Intelligence team is performing indicator-based threat hunting across the client base. eSentire is actively tracking this topic for additional details and detection opportunities.
Bottom Line: This week, multiple security companies and intelligence agencies have discussed the threat of Chinese state-sponsored threat actors targeting critical infrastructure, including telecommunication companies. Five Eyes intelligence agencies have provided a list of best practices for defending against these attacks.
Chinese state-sponsored APT groups remain in the headlines this week with two recent reports on ongoing campaigns. On December 6th, Microsoft’s Redmond Security Research Group shared information on Storm-0227, a threat actor that is confirmed to have targeted critical infrastructure organizations and U.S. government agencies as recently as December 5th. On December 3rd, Five Eyes intelligence agencies (CISA, NSA, FBI, ASD, ACSC, NCSC-NZ) released a joint publication warning of ongoing attacks by People’s Republic of China (PRC) affiliated threat actors against organizations in the telecommunications industry.
Storm-0227 is a PRC affiliated threat group that has been active since at least January 2024. They primarily target U.S. organizations in the “defense industrial base, aviation, telecommunications, financial and legal services industries, plus government and non-governmental agencies”. Information on the group’s ongoing campaign is minimal, but Storm-0227 is reported to target vulnerabilities in Internet-facing applications, as well as employing spear-phishing emails with malicious attachments and links, for initial access into victim organizations. This activity resulted in the deployment of malware and theft of cloud credentials leading to the exfiltration of emails and other sensitive files.
According to the recent report from Five Eyes intelligence agencies, “People’s Republic of China (PRC)-affiliated threat actors compromised networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign.” In response to this campaign against telecommunication organizations, a list of recommendations and security best practices for both Network Defenders and Network Engineers has been released. In total, the report includes 39 technical recommendations, a subset of which are shown below.
Network Defenders:
Network Engineers:
Multiple PRC affiliated APT groups have recently been identified targeting international telecommunication organizations, leading to the compromise of at least eight companies including Verizon, AT&T, and Lumen. T-Mobile has confirmed recent attacks against the company but has not attributed the activity to a specific group. PRC sponsored APT groups that are now confirmed to target telecommunication organizations include Storm-0227, Salt Typhoon, Volt Typhoon, Liminal Panda, Mulberry Typhoon, and Flax Typhoon. While these groups all employ different Tactics, Techniques, and Procedures (TTPs), the goal of this activity remains the same. These campaigns are carried out for espionage purposes, with threat actors exfiltrating phone records, which may provide valuable intelligence on specific high-profile individuals, such as politicians.
The decision by Five Eyes intelligence agencies to publish an advisory of best practices for defending against this activity highlights the criticality of the threat. According to the U.S. deputy national security adviser, Anne Neuberger, in at least some cases, PRC affiliated actors continue to maintain access to compromised telecommunication companies. Organizations are strongly recommended to review the full advisory and implement all applicable recommendations.
eSentire maintains a variety of detections for known Chinese APT TTPs. The eSentire Threat Intelligence team is actively monitoring this topic for additional details and detection opportunities.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.