Security experts from Microsoft have observed a cyber threat actor dubbed GADOLINIUM that uses new attack techniques via cloud services and open source tools.
The Microsoft Threat Intelligence Center (MSTIC) has been carefully monitoring GADOLINIUM over the past several years. The group has been known to target maritime and healthcare industries over the past decade.
According to a recent blog post, the Microsoft security team explained how GADOLINIUM uses cloud services and open source tools “to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection.”
“These attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by Microsoft Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel.”
The MSTIC team also observed the group has been expanding its targets against the Asia Pacific region and also higher education and regional government organizations.
Microsoft observed GADOLINIUM experimenting with cloud services back in 2016 by establishing a Technet profile. The actors embedded a very small text link with an encoded command for malware to read.
In 2018, the threat actors expanded into using GitHub to host commands. For instance, Microsoft described how actors controlled a forked repository in GitHub and also updated markdown text used to execute new commands targeting victim computers.
Microsoft was then able to work with GitHub to take down GADOLINIUM accounts and operations on the GitHub platform.
Open source tools
Similar to recent nation-state actor behaviors, GADOLINIUM further evolved their techniques to weaponize open source tools over the past couple of years (2019-2020).
“MSTIC assesses this move is an attempt to make discovery and attribution more difficult. The other added benefit to using open-source types of kits is that the development and new feature creation is done and created by someone else at no cost,” Microsoft explained.
To guard against open source vulnerabilities, GitHub launched GitHub Security Lab late last year with objective to secure open source software.
Command and Control
The GADOLINIUM actors have also evolved their command and control (C2) techniques since last year.
Throughout 2019, the actors used Outlook Tasks as C2 mechanism.
“It uses a GADOLINIUM-controlled OAuth access token with login.microsoftonline.com and uses it to call the Outlook Task API to check for tasks,” Microsoft explained.
“The attacker uses attachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the malware adds the output from executing these commands as a further attachment to the Outlook task.”
Furthermore, GADOLINIUM also used PowerShell scripts to execute file commands or SMB commands to potentially exfiltrate data. The actors also used a tool called LazyCat to launch privilege escalation or dump credentials to allow lateral movement.
In 2020, Microsoft detected COVID-19 pandemic themed spear-phishing emails were sent by GADOLINIUM with malicious file attachments.
One of the file attachments, a malicious doc1.dotm, had two payloads. One of the payloads was a PowerShell script disguised as a .png file used to download and upload fake .png files that used the Microsoft Graph API.
To add, Microsoft found that the GADOLINIUM PowerShell is just a modified version of the opensource PowershellEmpire toolkit.
GADOLINIUM PowerShell leverages a C2 module and its own Microsoft OneDrive account to “execute commands and retrieve results between attacker and victim systems.”
Web shell attacks
Finally, Microsoft said the GADOLINIUM campaigns further install web shells on victim web sites used for C2 or traffic redirection.
Earlier this year, Microsoft Security experts revealed threat actors increased web shell attacks in their campaigns.
Microsoft’s investigation revealed actors such as ZINC, KRYPTON, and GALLIUM, exploit known vulnerabilities to implant web shells on internet-facing web servers.