Security researchers have observed a hacking group targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan.
The threat actor is being tracked as Clasiopa by Symantec, a Broadcom company, whose analysts found a clue pointing to an Indian threat actor. However, attribution remains unclear because there is little evidence to support any theory.
Clasiopa attack details
Although there is no strong data to indicate a particular initial infection vector, Symantec researchers found hints suggesting that Clasiopa uses brute force to gain access to public facing servers.
Symantec reports that the attackers perform various actions post-compromise, including:
- checking the IP address of the breached system
- disabling endpoint protection products by stopping their services
- deploying malware that can scan for specific files and exfiltrate them as ZIP archives
- clearing Sysmon logs and eventlogs to wipe the traces of the malicious activity
- creating a scheduled task (“network service”) to list file names
Symantec’s investigation revealed that along with its backdoor, Clasiopa also used legitimate software such as Agile DGS and Agile FD, signed with old certificates.
The hackers relied on two backdoors for their attack: the custom Atharvan and the open source Lilith RAT. The latter can be used to execute commands, run PowerShell scripts, and to manipulate processes on the breached system.
Clasiopa also used a custom proxy tool and “Thumbsender,” a utility that lists files on the host and saves them locally in a database that can be exfiltrated at a later time to a specified IP address.
Atharvan is the most interesting of the tools used by Clasiopa because it is a custom backdoor not seen in any other attacks in the wild.
Upon execution, it creates a mutex to prevent multiple processes of itself running and then contacts a hardcoded command and control (C2) address in an unusual location, the Amazon Web Services infrastructure in Seoul, South Korea.
Below is a sample of the backdoor’s communication with the C2 server, formatted as HTTP POST requests to an allegedly legitimate host, Microsoft’s update server.
Sample of the malware’s HTTP POST requests (Symantec)
Another unusual feature is that it can be configured for scheduled communication with the C2 and can even be set to attempt connections during specific days of the week or the month.
In terms of its capabilities, Atharvan download files on the compromised computer, run executables, execute commands and send back their output.
Commands supported by Atharvan (Symantec)
The researchers note that Atharvan’s communications with the C2 are protected using a simple algorithm to XOR each byte of the plaintext with the value “2” to produce the ciphertext. This does not achieve a strong encryption result but can still help the malware evade some network traffic monitoring tools.
Simple encryption scheme used for C2 communications (Symantec)
The hint pointing to a threat actor in India is a mutex in Hindi that the researchers discovered in the custom backdoor: “SAPTARISHI-ATHARVAN-101,” Atharvan referring to a legendary priest in Vedic mythology, the son of Brahmā, the Creator. Another hint is a password the attacker used for a ZIP archive, which was “iloveindea1998^_^.”
Both clues, however, could very well be a false flags planted for erroneous attribution.
Atharvan backdoor is largely undetected at the moment. There is only one sample available on the VirusTotal scanning platform and it is marked as a threat by just two antivirus engines.
Clasiopa’s goals remain unclear at the moment but cyberespionage appears to be the motivation behind the attacks. The researchers say that the threat actor has been targeting victims in Asia.
Symantec’s report provides a set of hashes for the malware discovered in malicious campaigns attributed to Clasiopa.
The indicators of compromise include hashes for the the two backdoors (Atharvan and Lilith) as well as the tools the threat actor used in attacks.