Proofpoint Inc.

10/27/2021 | News release | Distributed by Public on 10/27/2021 03:09

New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns

Key Findings

  • Proofpoint identified a new cybercriminal threat actor, TA2722.
  • This group impersonates Philippine health, labor, and customs organizations as well as other entities based in the Philippines.
  • TA2722 typically targets Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy entities, among others. Geographic targeting includes North America, Europe, and Southeast Asia.
  • TA2722 distributes Remcos and NanoCore remote access trojans (RATs).

Overview

Proofpoint identified a new and highly active cybercriminal threat actor, TA2722, colloquially referred to by Proofpoint threat researchers as the Balikbayan Foxes. Throughout 2021, a series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration (POEA), and the Bureau of Customs. Other related campaigns masqueraded as the Manila embassy for the Kingdom of Saudi Arabia (KSA) and DHL Philippines. The messages were intended for a variety of industries in North America, Europe, and Southeast Asia, with the top sectors including Shipping, Logistics, Manufacturing, Business Services, Pharmaceutical, Energy, and Finance.

Proofpoint assesses this actor is targeting organizations directly or indirectly engaged with the Philippine government based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities. For example, the shipping, transportation, and logistics companies would frequently engage with customs officials at ports of call. Additionally, the manufacturing and energy companies support and maintain large supply chain operations, likely requiring correspondence with both labor and customs organizations.

All the campaigns distributed either Remcos or NanoCore remote access trojans (RATs). Remcos and NanoCore are typically used for information gathering, data theft operations, monitoring and control of compromised computers. While the malware's associated infrastructure changed over time, the sender emails were reused for a long period of time.

In 2020, Philippine government entities issued multiplealerts warning users of the activity related to lures using themes such as COVID-19 infection information in the Philippines and the POEA labor information.

Campaign Details

Proofpoint researchers identified a series of campaigns distributing Remcos and NanoCore RATs masquerading as the Kingdom of Saudi Arabia (KSA) embassy in Manila and the Philippine Overseas Employment Administration (POEA) in mid-2021. Upon further investigation, Proofpoint identified additional, separate campaigns distributing the same malware masquerading as the Philippine Department of Health and Bureau of Customs.

Proofpoint separated campaigns into two distinct threat activity clusters. In all cases, message lures were in English. They contained multiple threat distribution mechanisms including:

  • OneDrive URLs linking to RAR files with embedded UUE files
  • PDF email attachment with an embedded OneDrive link or other malicious URL leading to compressed executables (.iso files) that download and run malware
  • Compressed MS Excel documents containing macros which, if enabled, download malware

Remcos is a commodity remote access tool available for purchase online. NanoCore is also commodity malware and written in .NET by "Aeonhack". The code is obfuscated with Eazfuscator.NET 3.3. NanoCore RAT is sold on various hack forums. NanoCore includes many features and plugins. Both Remcos and NanoCore RAT are distributed by numerous cybercrime threat actors with many different delivery techniques and lures.

Threat Cluster Shahzad73

Proofpoint named the first identified cluster Shahzad73 based on the command and control (C2) domains used by the threat actor:

shahzad73[.]ddns[.]net

shahzad73[.]casacam[.]net

Although Proofpoint began regularly tracking this activity cluster in April 2021, historic data suggests the activity dates as far back as August 2020. The threat actor generally leverages themes purporting to be labor-related messages, including spoofing the Philippine Overseas Employment Administration (POEA) and the Saudi Arabian consulate in Manila. Other, less frequent threats observed in Shahzad73 campaigns were associated with billing/invoice lures. The messages impacted hundreds of customers globally including entities in the Transportation, Energy, Construction, Manufacturing, Finance, and Business Services industries.

Messages purported to be, for example:

From: POEA <_info140_poea.gov.ph>

Subject: "POEA ADVISORY ON DELISTED AGENCIES."

Figure 1: Email sample purporting to be from Philippine Overseas Employment Administration (POEA).

Additional samples include:

From: "ksa.Consulate manila " <_consulate_ksa_emb40_gmail.com>

Subject: "Memorandum from the Saudi Embassy"

Figure 2: Email sample purporting to be from the Kingdom of Saudi Arabia (KSA) consulate.

Saudi Arabia is reportedly one of the most popular destinations for the country's overseas workers, with over one million Filipinos working there. In May 2021, the Philippines temporarily suspended sending workers to the Kingdom after receiving reports Filipino workers were being charged for COVID-19 testing and quarantine. Proofpoint identified a campaign spoofing the KSA embassy in Manila targeting transportation entities, among others, around the same time.

Most of these messages contain either UUE or RAR attachments ultimately leading to the installation of Remcos remote access trojan (RAT) or NanoCore RAT. Each campaign featured a dynamic DNS C2 domain containing the keyword shahzad73.

Example attachment file names:

memorandum from the saudi embassy.pdf.uue.rar

Memorandum from the Saudi Embassy.pdf.uue

POEA Memo-Circular No 019-22.pdf.uue

POEA Memo-Circular No 002-06.pdf.exe

poea memo on delisted agencies ! reminder.uue.rar

poea advisory on delisted agencies.pdf.uue

swiftusd33,980_soa005673452425.uue.rar

The observed Remcos samples included the following example configuration:

C2: shahzad73[.]casacam[.]net:2404

C2: shahzad73[.]ddns[.]net:2404

license: 9C98D5D48F9EA32282C07700F23815A0

version: 2.7.2 Pro

Observed NanoCore RAT samples included the following example configuration:

GCThreshold: 10485760

KeyboardLogging: True

WanTimeout: 8000

Version: 1.2.2.0

Mutex: Global\{a58bb08a-85df-4191-824c-1b90cbce1024}

RestartDelay: 5000

BackupDnsServer: 8.8.4.4

PrimaryDnsServer: 8.8.8.8

ConnectionPort: 9036

MaxPacketSize: 10485760

BufferSize: 65535

ClearZoneIdentifier: True

DefaultGroup: ENDING-JUNE

LanTimeout: 2500

BackupConnectionHost: shahzad73[.]ddns[.]net

BuildTime: 2021-07-26 13:34:18 UTC

UseCustomDnsServer: True

MutexTimeout: 5000

KeepAliveTimeout: 30000

PrimaryConnectionHost: shahzad73[.]casacam[.]net

TimeoutInterval: 5000

PreventSystemSleep: True

ConnectDelay: 4000

Threat Cluster CPRS

Proofpoint named the second identified threat cluster CPRS based on the actor regularly spoofing the Philippines Bureau of Customs - Client Profile Registration System (CPRS) in ongoing campaigns. The identified Remcos RAT campaigns impacted nearly 150 customers globally, with a focus on Shipping and Logistics, Manufacturing, Industry, and Energy sectors.

Proofpoint began tracking this activity cluster in December 2019. The actor appeared to conduct multiple campaigns per month through October 2020. Activity restarted again in September 2021. Historic data suggests the activity dates as far back as 2018. The threat actor generally leverages themes purporting to be entities related to the Philippine government, most frequently the Bureau of Customs CPRS. Other emails masqueraded as the country's Department of Health distributing COVID-19 information. Other, less frequently observed threats in related campaigns were associated invoice, shipping, or Finance/Treasury themes.

Messages purported to be, for example:

From: cprs@customs[.]gov[.]ph

Subject: "E-Mail Alert for Status: PROVISIONAL GOODS DECLARATION REFERENCE NO.C-1075027-21"


Figure 3: Email purporting to be a Bureau of Customs declaration.

Other message samples include:

From: [email protected]

Subject: "Covid-19 Data Cases Report in Your Location-The Department of Health (DOH)"

Figure 4: Message purporting to be COVID-19 information from the Philippine Department of Health.

Example attachment file names:

covid-19 pcr test report checklist.pdf

covid-19 data cases report.pdf

notice to submit.pdf

The emails contain either a OneDrive URL or a PDF attachment with a OneDrive URL leading to the download of a compressed executable (e.g. Covid-19 Data Report Checklist_pdf.iso) which, if executed, leads to Remcos RAT.

The most recent Remcos configuration is as follows:

C2: cato[.]fingusti[.]club

License: 4E7867F67DE525ADF9F3A74DBEB02869

Version: 2.7.2 Pro

Mutex: nan

use_tls: nan

2020 campaigns included the following Remcos configuration:

C2: remcos[.]got-game[.]org:2265:pass

license: D77341DCD207EB897C3383385A6676C2

version: 2.5.0 Pro

On 27 September 2021, the threat actor appeared to change tactics. Proofpoint researchers observed corporate credential capture attempts targeting many of the same companies as previously observed Remcos activity. The phishing emails masqueraded as the Philippines Bureau of Customs CPRS and contained actor-hosted URLs linking to a credential harvesting page.

Figure 5: Credential capture landing page.

Despite an expansion of TTPs to include credential harvesting campaigns, Proofpoint assesses with high confidence credential capture activities are likely temporary and the threat actor maintains ongoing high levels of malware distribution activity.

Threat Cluster Overlap

Proofpoint assesses with high confidence the two observed threat clusters are associated with the same threat actor, TA2722. Of note, both clusters targeted a frequently overlapping set of customers, and shared the same sender IP address. Based on observed infrastructure, the two clusters share similar hosting providers, netblocks, and registrars. There are also dozens of unrelated domains that appear to distribute RATs hosted on the same infrastructure.

Threat Cluster

C2 IP

Last Seen

First Seen

ASN

Host Org

Netblock

Country

Registrar

CPRS

185.140.53[.]189

9/22/21

9/22/21

AS208476 - PRIVACYFIRST

Danilenko, Artyom

185.140.53[.]0/24

SE

RIPE

CPRS

79.134.225[.]107

9/20/21

9/7/21

AS6775 - FINK-TELECOM-SERVICES

Andreas Fink trading as Fink Telecom Services GmbH

79.134.224[.]0/19

CH

RIPE

CPRS

79.134.225[.]92

8/11/21

1/22/21

AS6775 - FINK-TELECOM-SERVICES

Andreas Fink trading as Fink Telecom Services GmbH

79.134.224[.]0/19

CH

RIPE

CPRS

185.244.30[.]70

1/9/21

1/6/21

AS208476 - PRIVACYFIRST

Danilenko, Artyom

185.244.30[.]0/24

NL

RIPE

CPRS

185.140.53[.]225

12/27/20

12/14/20

AS208476 - PRIVACYFIRST

Danilenko, Artyom

185.140.53[.]0/24

SE

RIPE

Shahzad73

185.140.53[.]8

9/23/21

8/9/21

AS208476 - PRIVACYFIRST

Danilenko, Artyom

185.140.53[.]0/24

SE

RIPE

Shahzad73

185.19.85[.]139

7/29/21

5/11/21

AS48971 - DATAWIRE-AS

DATAWIRE AG

185.19.84[.]0/22

CH

RIPE

Shahzad73

79.134.225[.]9

5/10/21

4/7/21

AS6775 - FINK-TELECOM-SERVICES

Andreas Fink trading as Fink Telecom Services GmbH

79.134.224[.]0/19

CH

RIPE

Shahzad73

91.212.153[.]84

4/4/21

2/2/21

AS24961 - MYLOC-AS

myLoc managed IT AG

91.212.153[.]0/24

DE

RIPE

Additionally, Proofpoint identified a common registration email associated with multiple command and control IPs and domains that overlapped with the observed activity:

anthony.marshall.1986@gmail[.]com

This email was previously associated with Adwind RAT campaigns reported in 2017.

Conclusion

Proofpoint assesses with high confidence TA2722 is a highly active threat actor leveraging Philippine government themes and targeting a variety of organizations in Southeast Asia, Europe, and North America. It is likely this threat actor is attempting to gain remote access to target computers, which could be used for information gathering or to install follow-on malware or engage in business email compromise (BEC) activity.

Example indicators of compromise:

Indicator

Description

de5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c

Remcos SHA256

098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525

NanoCore SHA256

shahzad73[.]casacam[.]net

Remcos/NanoCore C2

shahzad73[.]ddns[.]net

Remcos/NanoCore C2

cato[.]fingusti[.]club

Remcos C2

remcos[.]got-game[.]org

Remcos C2

info1@poea[.]gov[.]ph

Sender Email

cprs@customs[.]gov[.]ph

Sender Email

consulate_ksa_emb@gmail[.]com

Sender Email

de5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c

Remcos SHA256

66.248.240[.]80

Sender IP