Threat Research

Bellingcat Malware Investigation

Introduction

Bellingcat, known for its investigative journalism, recently became the target of a sophisticated cyber attack. This analysis covers an email campaign that aimed to compromise Bellingcat's systems. Here are the key details:

  1. Attack Vector:
    • The attackers used an email campaign to deliver a malicious zip file to Bellingcat.
    • The zip file contained a series of components that facilitated the attack.
  2. Infection Chain:
    • Malicious Zip Archive: The attackers sent an email carrying a link to a seemingly innocuous zip file.
    • Fake PDF Shortcut (.lnk): Inside the zip file was a Windows shortcut (.lnk file) disguised as a PDF.
    • PowerShell Reverse Shell: When the user opened the fake PDF shortcut, it executed a PowerShell script. This script established a reverse shell, giving the attacker control over the victim's system.
    • Data Exfiltration: The reverse shell enabled the exfiltration of sensitive data from Bellingcat's network.

Statistics and Insights

While the exact statistics related to this specific attack are not publicly available, we can draw insights from similar incidents and general trends:

  1. Targeted Attacks on Journalists:
    • Journalists and media organizations are often targeted by state-sponsored actors, hacktivists, or cybercriminals.
    • These attacks aim to compromise the integrity of news reporting, suppress dissent, or gain access to sensitive information.
  2. Sophistication Level:
    • The multi-stage attack involving a malicious zip archive, disguised shortcut, and PowerShell script indicates a high level of sophistication.
    • Attackers invest time and effort to evade detection and achieve their objectives.
  3. Attribution Challenges:
    • Attribution in cyber attacks is notoriously difficult. While some attacks can be linked to specific threat actors, others remain anonymous.
    • Bellingcat itself specializes in open-source intelligence (OSINT) investigations, which often involve attributing cyber attacks to specific entities.

Technical Analysis

Stage 1: Malicious Zip Archive

SHA256: 506A64C619580BC91A51BDE3A3C3F5ACED3ED1106413AC11A721C56817B04573

In its public tweet about the incident, Bellingcat gave a comprehensive account of the infection chain associated with the malicious message it received.

Bellingcat also named the domain the email originated from, usaid[.]pm, which additionally hosted the malicious content. The domain was no longer active by the time subsequent investigations checked it. Because the sample has had limited exposure in online sandboxes, and we lacked an enterprise-level VirusTotal license with which to pivot on it, it remains relatively unexplored in public sources.

Stage 2: .lnk Masquerading as a PDF

SHA256: 86F504DEA07FD952253904C468D83D9014A290E1FF5F2D103059638E07D14B09

The attackers use a .lnk file, a Windows shortcut that points at another file or carries a command line to execute. Here the shortcut is named to look like a PDF (2023_Annual_Report.pdf.lnk), inviting the victim to open what appears to be a USAID annual report. Windows Explorer does not display the .lnk extension of shortcuts by default (the lnkfile type is registered with NeverShowExt), so the file appears as 2023_Annual_Report.pdf, with only the shortcut-arrow overlay on its icon to distinguish it from a real document.


  1. The .lnk file's target starts a hidden command-prompt (cmd.exe) session in the background and, inside it:
    • runs the findstr command against the .lnk file itself;
    • findstr performs a regex search (/R) for the string "CiRFcnJvckFjdGlvbl", emitting every line that contains it;
    • the matching lines are redirected to a file with a .jpg extension in the user's temporary directory.
  2. The .lnk file then launches a hidden PowerShell session that:
    • reads the content of the .jpg file;
    • treats that content as a Base64 string and decodes it;
    • converts the decoded bytes to a UTF-8 string;
    • executes the resulting string as PowerShell.

This intricate sequence of steps allows the malicious actors to execute their payload while maintaining deception by disguising the initial .lnk file as a harmless PDF.
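The following Python script is added here as an analyst's aid; it is not part of the original analysis or of the attacker's tooling. It replays the findstr-and-decode step offline so the payload can be recovered without ever executing it. The .lnk bytes it parses are a constructed stand-in (a shortcut header followed by two appended Base64 lines, which is the layout the findstr trick depends on), the PowerShell text and PDF inside it are constructed samples, and the two search strings are the ones quoted in this article. Decoding the search strings also shows why they were chosen: CiRFcnJvckFjdGlvbl is the Base64 encoding of a line beginning "$ErrorActionPreference", and JVBERi0xLjcNJeLjz9 is the Base64 encoding of a PDF header "%PDF-1.7".

```python
import base64
import re

# Search strings the .lnk passes to findstr /R (quoted in the analysis above).
SCRIPT_MARKER = "CiRFcnJvckFjdGlvbl"  # base64 of "\n$ErrorActionP...": first line of the PowerShell stage
PDF_MARKER = "JVBERi0xLjcNJeLjz9"     # base64 of "%PDF-1.7\r%...": header of the embedded decoy PDF


def marker_explains(marker: str, plaintext: bytes) -> bool:
    """True if `marker` is a prefix of base64(plaintext): shows what a findstr search string selects."""
    return base64.b64encode(plaintext).decode().startswith(marker)


def findstr_lines(data: bytes, pattern: str) -> bytes:
    """Emulate `findstr /R <pattern> <file>`: emit every line the regex matches.

    findstr works line by line, so the attacker's trick only works because each
    Base64 blob is stored as a single line appended to the shortcut.
    """
    hits = [ln.rstrip(b"\r") for ln in data.split(b"\n") if re.search(pattern.encode(), ln)]
    return b"\n".join(hits)


def decode_stage(data: bytes, pattern: str) -> bytes:
    """Replay [Convert]::FromBase64String on the findstr output, minus the Invoke-Expression.

    Whitespace is dropped and padding restored so a blob that was split or trimmed
    during extraction still decodes; validate=True rejects a match that is not pure
    Base64 (e.g. a binary line that happened to contain the marker).
    """
    blob = re.sub(rb"\s+", b"", findstr_lines(data, pattern))
    blob += b"=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True)


def extract_powershell(lnk: bytes) -> str:
    """Return the PowerShell stage as UTF-8 text (what the chain would feed to IEX)."""
    return decode_stage(lnk, SCRIPT_MARKER).decode("utf-8")


def extract_decoy_pdf(lnk: bytes) -> bytes:
    """Return the decoy PDF bytes the chain writes out for the victim."""
    return decode_stage(lnk, PDF_MARKER)


# --- Constructed sample (not the real 2023_Annual_Report.pdf.lnk) -------------------
# A real shortcut carries the cmd.exe/powershell.exe target in its structures; the sample
# keeps only the ShellLink header (size + CLSID) plus the two appended Base64 lines.
SAMPLE_SCRIPT = (
    "\n$ErrorActionPreference = 'SilentlyContinue'\n"
    "# constructed stand-in for the reverse shell; the real stage beacons to pdf-online[.]top\n"
    "Write-Output 'decoded, not executed'\n"
)
SAMPLE_PDF = b"%PDF-1.7\r%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
LNK_HEADER = b"L\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def build_sample_lnk() -> bytes:
    return (
        LNK_HEADER + b"\x9b\x00\x08\x00\x20\x00\x00\x00" + b"\n"
        + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")) + b"\n"
        + base64.b64encode(SAMPLE_PDF) + b"\n"
    )


if __name__ == "__main__":
    lnk = build_sample_lnk()
    print(extract_powershell(lnk))
    print(extract_decoy_pdf(lnk)[:8])
```

Run against a real shortcut with `extract_powershell(open(path, "rb").read())`; if `decode_stage` raises `binascii.Error`, the matching line was not a clean Base64 blob and the sample uses a different layout than the one described here.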

Stage 3: Reverse Shell

SHA256 (dumped to ps1 file): 615F7677613534FCD5E6548B4FEE48FBFC85AF0C5ECDAD5B2046495869D1A668

In the previous stage we saw that the .lnk file's target includes the command findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk. Its output is redirected to a .jpg file, which PowerShell then Base64-decodes and executes. That output is the payload, so an analyst can recover exactly what PowerShell would run by executing the same findstr command against the .lnk file and decoding the result, without running any of it.


Base64-decoding the content ourselves leaves us with a reverse shell. Analysis by the team indicates that it is derived from an open-source penetration-testing tool called "HTTP-Shell"; while the shell is based on that project, it is not a direct copy-paste implementation.


Inspecting the shell reveals several obviously malicious functions and configuration details the threat actors hard-coded into the script, alongside the decoy the chain drops to complete the deception.

  1. Decoy PDF Creation:
    • A further findstr command searches the .lnk file itself for the string "JVBERi0xLjcNJeLjz9", the Base64 encoding of a PDF header ("%PDF-1.7").
    • The matching line is decoded from Base64 and written out as a decoy PDF (the file "Important.pdf" listed in the IOCs below).
    • The decoy acts as a diversion, leading the victim to believe they opened a legitimate PDF document.
    • In this case the decoy contains interview instructions from USAID, ostensibly meant for media contacts.
  2. C2 (Command and Control) Domain:
    • The threat actors hard-code the domain "pdf-online[.]top" as the C2 for the shell.
    • This domain is the central point of communication and control between the victim's compromised system and the attackers.
  3. C2 Endpoints:
    • The following endpoints are used in requests to the C2:
      • api/v1/Client/Info
      • api/v1/Client/Token
      • api/v1/Client/Debug
    • These endpoints carry the communication and data exchange between the victim's machine and the C2 server.
  4. Data Exchange and Encoding:
    • The malware sends information about the victim's computer to the C2.
    • Data uploaded to or downloaded from the victim's device is encoded to obscure its content in transit.

The combination of these actions allows the threat actors to maintain control over the compromised system while employing various deceptive tactics to avoid detection.
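As an added hunting example, not part of the original article or of the Cluster25 research, the Python below turns the indicators from this analysis into two checks a defender can run over their own telemetry: a proxy-log pass that tiers each request (known C2 domain, known delivery domain, or only the HTTP-Shell endpoint path, which catches the same shell on infrastructure not yet in the IOC list), and a command-line pass that flags the findstr self-extraction and the decode-then-invoke PowerShell pattern. The log format, the client addresses and the command lines other than the quoted findstr invocation are constructed for the example; the domains are the ones listed in the IOCs, refanged so they match.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Network indicators from the IOC list at the end of this article, refanged for matching.
C2_DOMAINS = {"pdf-online.top", "api-gate.xyz"}
DELIVERY_DOMAINS = {"usaid.pm", "nasta.network", "zdg.re", "news4you.top"}
# The three endpoints the HTTP-Shell variant calls on its C2.
C2_PATHS = {"/api/v1/Client/Info", "/api/v1/Client/Token", "/api/v1/Client/Debug"}

# Constructed proxy log, one request per line: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1706600000.101 10.0.0.14 GET http://pdf-online.top/api/v1/Client/Info 200
1706600001.550 10.0.0.14 POST http://pdf-online.top/api/v1/Client/Token 200
1706600002.020 10.0.0.22 GET https://www.example.com/index.html 200
1706600003.333 10.0.0.14 POST http://198.51.100.7/api/v1/Client/Debug 200
1706600004.400 10.0.0.31 GET http://usaid.pm/USAID_Partners_Report_2023.zip 200
1706600005.000 10.0.0.22 GET https://www.example.com/api/v2/Client/Info 404
"""
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(url: str) -> Optional[str]:
    """Tier one URL: a known domain outranks a path-only match, which is weaker but survives infrastructure changes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_DOMAINS:
        return "c2-domain"
    if host in DELIVERY_DOMAINS:
        return "delivery-domain"
    if parts.path in C2_PATHS:
        return "c2-path"
    return None


def hunt_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return every request that matches an indicator, with the client that made it."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # a line in another format is skipped, not treated as clean
        reason = classify_request(m["url"])
        if reason:
            hits.append({"src": m["src"], "url": m["url"], "reason": reason})
    return hits


# Endpoint side: command lines as an EDR or Sysmon Event ID 1 would record them.
# The findstr invocation is the one quoted in the analysis; the output file name and the
# PowerShell one-liner are constructed stand-ins for the rest of the .lnk target.
SAMPLE_CMDLINES = [
    r'cmd.exe /c findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk > %TEMP%\report.jpg',
    r'powershell.exe -w hidden -c "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-Content $env:TEMP\report.jpg))))"',
    r'findstr /S /I "TODO" C:\src\*.py',
    r'powershell.exe -Command Get-Process',
]
# findstr reading a .lnk and redirecting its output: the self-extraction step of the chain.
FINDSTR_SELF_EXTRACT = re.compile(r"\bfindstr\b[^>]*\.lnk\b[^>]*>", re.I)
# PowerShell that both decodes Base64 and invokes the result, in either order.
PS_DECODE_AND_RUN = re.compile(
    r"FromBase64String.*(\bIEX\b|Invoke-Expression)|(\bIEX\b|Invoke-Expression).*FromBase64String", re.I
)


def suspicious_cmdline(cmd: str) -> Optional[str]:
    """Return a reason string for a command line matching the chain, or None for benign use."""
    if FINDSTR_SELF_EXTRACT.search(cmd):
        return "findstr extracting from a .lnk and redirecting to a file"
    if PS_DECODE_AND_RUN.search(cmd):
        return "powershell decoding base64 and invoking it"
    return None


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    for cmd in SAMPLE_CMDLINES:
        print(suspicious_cmdline(cmd), "<-", cmd[:60])
```

The path-only tier deliberately fires on the third victim request, which goes to an address that is in no IOC list; that is the case where the domain rotated but the shell did not. Tune `C2_PATHS` to your environment before alerting on it, since a legitimate internal API with the same route would also match.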

Conclusion

The Bellingcat Malware Investigation sheds light on the ongoing battle between cyber attackers and defenders. As journalists and organizations continue to face threats, robust security practices, user awareness, and timely incident response remain crucial.

IOCs

Type    Value                                                             Comment
sha256  506a64c619580bc91a51bde3a3c3f5aced3ed1106413ac11a721c56817b04573  zip file downloaded from usaid[.]pm, called "USAID_Partners_Report_2023.zip"
sha256  86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09  LNK file masquerading as a PDF, called "2023_Annual_Report.pdf.lnk"
sha256  615f7677613534fcd5e6548b4fee48fbfc85af0c5ecdad5b2046495869d1a668  Reverse shell written in PowerShell
sha256  84f026998c5a547c8cc3ba8d86d3425097c501ae85a207c121288f6c1cf72710  Decoy PDF called "Important.pdf"
link    https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition  Article containing research on an expanded view of the campaign
sha256  e058bc966a436982aef3b2cbc78a380be324e80fd0789716d0c069dd441d9a48  [Cluster25] ZIP file dropping malicious LNK
sha256  c3faaa3a6b0831f1d3974fcee80588812ca7afeb53cc173e0b83bcb6787fa13e  [Cluster25] ZIP file dropping malicious LNK
sha256  9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585  [Cluster25] ZIP file dropping malicious LNK
sha256  61edbae96a0e64d68f457fdc0fc4f4a66df61436a383b8e4ea2a30d9c9c2adde  [Cluster25] ZIP file dropping malicious LNK
sha256  36c7b7eb073a72ca37bab88b242cdadfc3cd5da7b4f714004bc63cdcee331970  [Cluster25] ZIP file dropping malicious LNK
sha256  f080eec275f07aec6b7a617e215d034e67e011184e1de5b2e71e441a6dd8027f  [Cluster25] Malicious LNK file masquerading as a PDF, leading to an HTTP reverse shell
sha256  114935488cc5f5d1664dbc4c305d97a7d356b0f6d823e282978792045f1c7ddb  [Cluster25] Malicious LNK file masquerading as a PDF, leading to an HTTP reverse shell
sha256  5fa3d13366348e7c999cca9a06e4d2f5ec7f518aca3b36f0366ecedba5f2b057  [Cluster25] Malicious LNK file masquerading as a PDF, leading to an HTTP reverse shell
sha256  a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921  [Cluster25] Malicious LNK file masquerading as a PDF, leading to an HTTP reverse shell
sha256  975c708b22b084d4b0d503b4c8129d1ffee057a0636b1beed59c448dd76bbad1  [Cluster25] Malicious LNK file masquerading as a PDF, leading to an HTTP reverse shell
domain  usaid[.]pm                                                        Domain seen in the URL in the malicious email; serves the malicious zip file
domain  pdf-online[.]top                                                  C2 domain contacted by the reverse shell
domain  nasta[.]network                                                   [Cluster25] Domain serving the malicious zip file, delivered via email
domain  zdg[.]re                                                          [Cluster25] Domain serving the malicious zip file, delivered via email
domain  news4you[.]top                                                    [Cluster25] Domain serving the malicious zip file, delivered via email
domain  api-gate[.]xyz                                                    [Cluster25] C2 domain for the HTTP reverse shell
ip-dst  80.78.26.183                                                      [Cluster25] IP address used in the Bellingcat campaign infrastructure; previously hosted a Sliver C2 beacon

About the Author: Rudra Pratap

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.