During our daily threat hunting activities in our customer base, we have gained an intimate understanding of the adversaries behind the threats. This unique insight has been organized by our hunters and security researchers to create threat activity clusters. By clustering these adversaries, we know how to better mitigate the threat they present.
Activity clusters separate adversaries into distinct threat group “flavors.” Once understood, the threat posed become manageable, and we believe they should have a suitably unintimidating identifier. So, what could be less intimidating than ice cream?
To learn more about Project Ice Cream, read the series’ introductory blog here.
Introducing Pistachio
First observed in our dataset in 2019, this threat activity cluster has been well documented in the security community with APT41, Lead, Wicked Panda, and Vanadinite demonstrating significant overlap in activity, making it likely that each represents activity involving the same threat group. We are grateful for the contributions of these and other threat researchers who have helped inform the security community’s understanding of this actor.
This prominent APT has a footprint across numerous organizations, and the information shared has aided Alert Logic in detecting malicious actions within our customer base.
During our constant threat hunts, we have gleaned information that may complement the existing understanding of this group, due to our unique insight into 40PB of customer threat data ingested monthly.
APTs are difficult to detect and even harder to track, as they recycle and modify indicators and TTPs to evade detection and increase their success rate. Therefore, the activity we have observed is better understood as this flavor has a tendency to perform documented actions, rather than there being a definitive pattern. This is a distinct difference from previous threat flavors documented in this series.
A sophisticated threat deserves a sophisticated flavor, so the Alert Logic identifier for this activity cluster is Pistachio.
Exploit
Alert Logic threat hunters identified Pistachio during our emerging threat process when active exploits of CVE-2019-19781 and CVE-2021-26084 first surfaced in January 2020 and September 2021, respectively.
This flavor would target exposed confluence servers and Citrix ADC systems, usually preferring to compromise Windows-based systems used by organizations in the healthcare, telecom, technology, and video game industries. The confluence and Citrix ADC exploits allowed for full remote code execution, effectively granting the group complete control of the vulnerable server.
Installation and C2
In the instances where Pistachio was observed among Alert Logic customers, the flavor gained initial access and then abused certutil.exe as part of a “living off the land” attack, using the native command line program intended for certificate services to download a batch script (x.bat) from a host controlled by the group.
The batch script runs commands via PowerShell to download further programs, including a dynamic link library (DLL), which is then installed as a Windows service.
The malicious service DLL is unpackaged to launch Cobalt Strike to establish command and control (C2) of the compromised machine. The flavor also uses the known hacker tool, Metasploit, usually to advance further into the network. The C2 profiles observed were intended to look like benign internet traffic and were unlikely to be caught or blacklisted when viewed in isolation.
Using the native programs (certutil and PowerShell) helps to bypass preventive controls (such as EDR) as the attacker masquerades as a legitimate program.
It is worth noting that the certutil abuse and subsequent file download(s) was caught in routine threat-hunting activities, not as part of a focused emerging threat hunt. Searching for signs of compromise like this helped provide early warning of the Citrix and Confluence emerging threat.
While those exploits were brand new at the time, threat actors cannot rely entirely on novel tactics throughout the kill chain. This demonstrates the necessity to hunt across the kill chain and the complementary relationship of pairing advanced detection capabilities with preventive tools.
Flavor Infrastructure
Flavor infrastructure is where we have seen the greatest variance. Pistachio frequently moves onto new attacker infrastructure to carry out actions across the kill chain. Monitoring attacker IPs has proven to be inefficient long term, as they are usually only active during small windows.
Pistachio appears to have the ability and resources to take over new hosts and use these in their campaigns. This includes using routers, or an organization’s compromised hosts to take control of more infrastructure, both internally and externally. This is in stark contrast to previous actors we observed, such as Strawberry, which simply spin up new hosts within the same AWS hosted VPC.
Pistachio, under its many other names, has been determined by other threat researchers as likely a Chinese state-sponsored group based on targeted intrusions tending to align with Chinese Communist Party objectives. Alert Logic has no data to support this attribution, but it has assisted our understanding of the activity cluster.
The geo-locational data of the IP addresses recorded in our dataset and open-source intelligence contain a vast variety of countries with a significant lack of Chinese addresses. The geo-locational data, coupled with the frequent renewal of attacker infrastructure, has led Alert Logic threat hunters to theorize there may be a concerted effort to use fewer Chinese IP addresses in order to mask attribution.
Actions on Objectives – and a thank you to OSint
We have not observed any specific AOs in the Alert Logic customer base, thanks to the work of our threat hunters and the intelligence provided by the wider security community, which has enabled us to act quickly when compromise was observed.
Known Exploits Used
- CVE-2021-26084 [exp]
- CVE-2019-19781 [exp]
TTPs
- certutil
- Bat files
- Downloadstrings
- powershell
- Dll’s
- Masquerading: Masquerade Task or Service — T1036.004
- Create or Modify System Process: Windows Service — T1543.003
- System Services: Service Execution — T1569.002
Targets
- Confluence servers
- Citrix ADC
- Windows
- Health care
- Telecom organizations
- Technology companies
- Video game studios
Flavor Infrastructure
- 213[.]152[.]165[.]29 [inst]
- 103[.]30[.]41[.]91
- 4245c6e0b025d5e34b8aec767bf1d2aa085b7554 (SSL certificate)
Actions on Objectives
Pistachio actions on objectives are not available in the historic Alert Logic dataset.
Find out how Alert Logic can support your organization in tackling existing and emerging threats used by actors like Pistachio by scheduling a personalized MDR demo.
Additional Resources
Explore Alert Logic’s Project Ice Cream threat activity clusters blog series: