TTP Tuesday: GTsST - Sandworm
Russian GRU attack against Centreon discovered by the ANSSI
For this week's release, we're introducing a new chain theme based on GTsST and specifically Sandworm. In 2021, the ANSSI (Agence nationale de la sécurité des systèmes d'information) published an advisory warning that hackers with links to Sandworm, a group within Russia's GTsST, had breached several French organizations. The agency describes those victims as "mostly" IT firms and particularly web hosting companies. ANSSI states the intrusion campaign dates back to late 2017 and continued until 2020.
Little is known about the intentions the attackers had with the access they had obtained. Sandworm is known to be destructive and malicious in their actions. As an example, GTsST is linked to the attack against Ukraine that left hundreds of thousands of residents without electricity during the winter.
According to Joe Slowik, a researcher for security firm DomainTools who has tracked Sandworm's activities for years:
"Even though there's no known endgame linked to this campaign documented by the French authorities, the fact that it's taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention."
There were three types of payloads present on the compromised machines used by the attackers.
Setuid Privilege Escalation
A suid payload that executed shell commands. This was a custom payload written in c and compiled directly on the machine. This payload was used to execute their malware as root and also to set root persistence.
After exploiting Centreon and achieving initial access, they installed a custom malware categorized as exaramel. This type of malware was written in Go-Lang and acted as a very simple command and control agent. The agent installs itself and ensures no other instance of it is running. Then it will check if persistence has already been applied. If not, it will check the system environment and install.
Once the exaramel malware launches, it checks whether the System service environment is Systemd, SystemV, or Upstart. If it's one of those three, it will install a service called syslogd.service in order to hide and establish persistence. If it does not identify the service environment as one of the three, it'll run a cronjob that executes every minute.
The impact is currently unknown as the intentions of Sandworm group is still not clear. However, what we do know is that they remained undetected for 3 years (2017-2020). This was a well thought out attack that hit many IT corporations across France.
Thanks for reading! We’ll be back next week with another TTP Tuesday release.
Check it out on the Prelude chains website.
Watch a demonstration:
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Join our community
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg