Bellingcat, known for its investigative journalism, recently became the target of a sophisticated cyber attack. The analysis revolves around an email campaign that aimed to compromise Bellingcat’s systems. Here are the key details:
While the exact statistics related to this specific attack are not publicly available, we can draw insights from similar incidents and general trends:
SHA256: 506A64C619580BC91A51BDE3A3C3F5ACED3ED1106413AC11A721C56817B04573
In the tweet referenced earlier, Bellingcat provided a comprehensive account of the infection chain associated with the malicious message they received.
We’ve recently been subjected to a phishing attack via email. The email was made to appear as if it came from USAID and encouraged readers to click a link which downloads a malicious file. We’ve reported it to @USAID. pic.twitter.com/SAsCjbZUe6
— Bellingcat (@bellingcat) December 22, 2023
Additionally, they highlighted the specific domain from which the email originated, which also served as the host for the malicious content. Notably, this domain, usaid[.]pm, is no longer active, as confirmed by subsequent investigations. However, due to limited exposure in online sandboxes and the absence of an enterprise-level VirusTotal license, the sample remains relatively unexplored.
SHA256: 86F504DEA07FD952253904C468D83D9014A290E1FF5F2D103059638E07D14B09
The malicious actors employ a .lnk file, a Windows shortcut that points to another file or runs a specified command line. In this case, they disguise the .lnk file as a PDF document, enticing victims to click on it under the false pretense that they are about to open a USAID annual report. Notably, the .lnk extension may remain hidden depending on the victim's computer settings, so the file can appear to be named simply "2023_Annual_Report.pdf", further enhancing the deception.
This intricate sequence of steps allows the malicious actors to execute their payload while maintaining deception by disguising the initial .lnk file as a harmless PDF.
SHA256 (dumped to ps1 file): 615F7677613534FCD5E6548B4FEE48FBFC85AF0C5ECDAD5B2046495869D1A668
In the previous stage, we observed that the target of the .lnk file included the command findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk. The shortcut's command line writes the matching output to a .jpg file, base64-decodes its content, and then executes the result using PowerShell. The content PowerShell executes can therefore be extracted for analysis simply by running the same findstr command against the .lnk file.
Upon base64 decoding the content ourselves, we are left with a reverse shell. Notably, analysis conducted by the team indicates that the reverse shell corresponds to an open-source penetration testing tool called "HTTP-Shell." It's worth noting that while the shell is based on the project, it is not a direct copy-paste implementation.
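As an added illustration of the two points above (a shortcut disguised with a double extension, and a base64 payload that findstr can pull out of the .lnk file), here is a small Python triage script. It is not code from the article or from the Bellingcat analysis. The LNK header constants come from the MS-SHLLINK specification; the sample file, its placeholder script and the assumed layout with the base64 blob appended after the shortcut structures are constructed for the example, and the decoded text is only inspected, never run.

```python
import base64
import re

# Shell Link (.lnk) header constants from the MS-SHLLINK specification:
# HeaderSize 0x4C followed by LinkCLSID {00021401-0000-0000-C000-000000000046},
# both stored little-endian.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Constructed placeholder standing in for the real embedded script. It only
# needs to start with "$ErrorActionPreference" so that its base64 form
# contains the marker the attacker's findstr regex searched for.
SAMPLE_SCRIPT = (
    "$ErrorActionPreference = 'SilentlyContinue'\n"
    "Write-Host 'constructed placeholder, not the real payload'\n"
)

# Marker from the article: the base64 encoding of the bytes "\n$ErrorActionP"
# minus its last partial group.
MARKER = b"CiRFcnJvckFjdGlvbl"


def build_sample_lnk(script: str) -> bytes:
    """Construct a minimal LNK-like file: a 76-byte header, filler, then a
    base64 blob after the shortcut structures (an assumed layout)."""
    header = LNK_MAGIC + LNK_CLSID + b"\x00" * 56
    blob = base64.b64encode(("\n" + script).encode("utf-8"))
    return header + b"\x00" * 64 + blob + b"\r\n"


SAMPLE_LNK = build_sample_lnk(SAMPLE_SCRIPT)

LURE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
SUSPICIOUS_TOKENS = (
    "$ErrorActionPreference",
    "Invoke-Expression",
    "Net.WebClient",
    "DownloadString",
    "FromBase64String",
    "-WindowStyle Hidden",
)


def is_lnk(data: bytes) -> bool:
    """True when the bytes carry the Shell Link header, whatever the file name."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def has_double_extension(filename: str) -> bool:
    """Flag names like 2023_Annual_Report.pdf.lnk, where a lure extension
    precedes the real .lnk extension that Explorer may hide."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in LURE_EXTENSIONS


def extract_b64_payloads(data: bytes) -> list:
    """Find long base64 runs and decode those that yield UTF-8 text.
    Nothing is executed; this is the analyst's equivalent of the findstr step."""
    payloads = []
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
            payloads.append(decoded.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return payloads


def triage(filename: str, data: bytes) -> dict:
    """Combine the header check, name check and payload extraction into one report."""
    report = {
        "is_lnk": is_lnk(data),
        "double_extension": has_double_extension(filename),
        "payloads": [],
        "indicators": [],
    }
    if report["is_lnk"]:
        for payload in extract_b64_payloads(data):
            report["payloads"].append(payload)
            report["indicators"].extend(
                tok for tok in SUSPICIOUS_TOKENS if tok.lower() in payload.lower()
            )
    return report


if __name__ == "__main__":
    result = triage("2023_Annual_Report.pdf.lnk", SAMPLE_LNK)
    print("LNK header:", result["is_lnk"], "| double extension:", result["double_extension"])
    print("indicators:", result["indicators"])
    for payload in result["payloads"]:
        print("--- decoded payload ---\n" + payload)
```

The header check matters more than the name check: a file called "report.pdf" that starts with the Shell Link header is still a shortcut, and a mail gateway or endpoint rule keyed on the header will catch it even when the double extension is absent.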
Inspecting the shell reveals several obviously malicious functionalities and configuration details that the threat actors hard-coded into the script.
The combination of these actions allows the threat actors to maintain control over the compromised system while employing various deceptive tactics to avoid detection.
The Bellingcat Malware Investigation sheds light on the ongoing battle between cyber attackers and defenders. As journalists and organizations continue to face threats, robust security practices, user awareness, and timely incident response remain crucial.
| Type | Value | Comment |
|---|---|---|
| sha256 | 506a64c619580bc91a51bde3a3c3f5aced3ed1106413ac11a721c56817b04573 | ZIP file downloaded from usaid[.]pm, called "USAID_Partners_Report_2023.zip" |
| sha256 | 86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09 | LNK file masquerading as a PDF, called "2023_Annual_Report.pdf.lnk" |
| sha256 | 615f7677613534fcd5e6548b4fee48fbfc85af0c5ecdad5b2046495869d1a668 | Reverse shell written in PowerShell |
| sha256 | 84f026998c5a547c8cc3ba8d86d3425097c501ae85a207c121288f6c1cf72710 | Decoy PDF called "Important.pdf" |
| link | https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition | Article containing research on an expanded view of the campaign |
| sha256 | e058bc966a436982aef3b2cbc78a380be324e80fd0789716d0c069dd441d9a48 | [Cluster25] ZIP file dropping malicious LNK |
| sha256 | c3faaa3a6b0831f1d3974fcee80588812ca7afeb53cc173e0b83bcb6787fa13e | [Cluster25] ZIP file dropping malicious LNK |
| sha256 | 9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585 | [Cluster25] ZIP file dropping malicious LNK |
| sha256 | 61edbae96a0e64d68f457fdc0fc4f4a66df61436a383b8e4ea2a30d9c9c2adde | [Cluster25] ZIP file dropping malicious LNK |
| sha256 | 36c7b7eb073a72ca37bab88b242cdadfc3cd5da7b4f714004bc63cdcee331970 | [Cluster25] ZIP file dropping malicious LNK |
| sha256 | f080eec275f07aec6b7a617e215d034e67e011184e1de5b2e71e441a6dd8027f | [Cluster25] Malicious LNK file masquerading as a PDF which leads to an HTTP reverse shell |
| sha256 | 114935488cc5f5d1664dbc4c305d97a7d356b0f6d823e282978792045f1c7ddb | [Cluster25] Malicious LNK file masquerading as a PDF which leads to an HTTP reverse shell |
| sha256 | 5fa3d13366348e7c999cca9a06e4d2f5ec7f518aca3b36f0366ecedba5f2b057 | [Cluster25] Malicious LNK file masquerading as a PDF which leads to an HTTP reverse shell |
| sha256 | a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921 | [Cluster25] Malicious LNK file masquerading as a PDF which leads to an HTTP reverse shell |
| sha256 | 975c708b22b084d4b0d503b4c8129d1ffee057a0636b1beed59c448dd76bbad1 | [Cluster25] Malicious LNK file masquerading as a PDF which leads to an HTTP reverse shell |
| domain | usaid.pm | Domain seen in the URL in the malicious email; drops the malicious ZIP file |
| domain | pdf-online.top | C2 domain contacted by the reverse shell |
| domain | nasta.network | [Cluster25] Domain which drops the malicious ZIP file, delivered via email |
| domain | zdg.re | [Cluster25] Domain which drops the malicious ZIP file, delivered via email |
| domain | news4you.top | [Cluster25] Domain which drops the malicious ZIP file, delivered via email |
| domain | api-gate.xyz | [Cluster25] C2 domain for the HTTP reverse shell |
| ip-dst | 80.78.26.183 | [Cluster25] IP address used in Bellingcat campaign infrastructure that previously hosted a Sliver C2 beacon |
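To make the table usable for detection, here is an added Python example that is not part of the original article. It refangs the indicators, repairs hashes that a copy-and-paste has split with spaces, and matches the domains and IP address against constructed DNS, proxy and firewall log lines in a made-up key=value format; the log lines and that format are assumptions, while the indicator values are the ones listed in the table.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators copied from the IoC table (domains refanged, hashes lowercased).
IOC_DOMAINS = {
    "usaid.pm", "pdf-online.top", "nasta.network",
    "zdg.re", "news4you.top", "api-gate.xyz",
}
IOC_IPS = {"80.78.26.183"}
IOC_SHA256 = {
    "506a64c619580bc91a51bde3a3c3f5aced3ed1106413ac11a721c56817b04573",
    "86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09",
    "615f7677613534fcd5e6548b4fee48fbfc85af0c5ecdad5b2046495869d1a668",
    "84f026998c5a547c8cc3ba8d86d3425097c501ae85a207c121288f6c1cf72710",
}


def refang(indicator: str) -> str:
    """usaid[.]pm -> usaid.pm, so defanged values can be matched against logs."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def defang(indicator: str) -> str:
    """The reverse, for quoting a hit safely in a report or ticket."""
    return indicator.replace(".", "[.]")


def normalize_hash(digest: str) -> str:
    """Strip whitespace and lowercase; this also repairs hashes split by spaces."""
    return re.sub(r"\s+", "", digest).lower()


def domain_matches(fqdn: str) -> Optional[str]:
    """Return the IoC domain that fqdn equals or is a subdomain of.
    Matching whole labels from the right avoids substring false positives
    such as api-gate.xyz.example.com."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Assumed log format: "... src=<host> query=<name>" or "... src=<host> dst=<host:port>".
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+(?:query|dst)=(?P<target>\S+)")

# Constructed log lines covering DNS, proxy and firewall telemetry.
SAMPLE_LOGS = [
    "2023-12-22T10:01:03Z dns src=10.0.0.15 query=www.usaid.pm type=A",
    "2023-12-22T10:01:09Z proxy src=10.0.0.15 dst=pdf-online.top:443 method=POST",
    "2023-12-22T10:02:41Z dns src=10.0.0.22 query=usaid.gov type=A",
    "2023-12-22T10:03:00Z fw src=10.0.0.15 dst=80.78.26.183:443 action=allow",
    "2023-12-22T10:04:10Z dns src=10.0.0.30 query=api-gate.xyz.example.com type=A",
]


def scan_logs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source host, matched indicator, kind) for every line that hits an IoC."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("target").rsplit(":", 1)[0]  # drop a :port suffix
        if target in IOC_IPS:
            hits.append((m.group("src"), target, "ip"))
            continue
        matched = domain_matches(target)
        if matched:
            hits.append((m.group("src"), matched, "domain"))
    return hits


def hash_lookup(data: bytes) -> Optional[str]:
    """sha256 a file's bytes and return the digest if it is a known IoC."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in IOC_SHA256 else None


if __name__ == "__main__":
    for src, indicator, kind in scan_logs(SAMPLE_LOGS):
        print(f"{src} contacted {kind} IoC {defang(indicator)}")
```

Running it on the sample lines reports a single host, 10.0.0.15, touching the lure domain, the C2 domain and the Cluster25 IP in sequence, which is the pattern a SOC would pivot on; the usaid.gov lookup and the lookalike subdomain of example.com are correctly left alone.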
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.