On March 19, 2024 a CISA fact sheet was issued on a current malicious campaign being undertaken by a Chinese state-sponsored threat actor dubbed VoltTyphoon that is placing backdoors in US Critical Infrastructure facilities. This followed closely behind a February 7, 2024 Joint CISA/FBI/NSA Advisory on the activities of the threat actor.
Researchers at CTIN have discovered current digital forensics evidence that may provide material support to these advisories. This evidence is provided below in an effort to provide detailed cyber observables for cyber defense teams in their efforts to harden servers and hosts against such attacks.
In a nutshell, a Backdoor Trojan called by some antivirus firms ‘Beaugrit’ which has been active since 2017, has been identified beaconing out to a command and control server through a MooseFS distributed network. Its purpose is to deploy espionage-type malware from a dropper malicious infrastructure network located in China and the US. The artifacts from the cyber observable threat hunt (COTH) shows evidence of Chinese origin. The following article outlines some of the key artifacts found by the COTH team.
MooseFS – Distributed Architecture Used
Inbound traffic to a virtual private server (VPS) of an unnamed customer was from the IP address 14.14.14.14 on port 9421. Port 9421 is typically used by the MooseFS distributed file system for client communication with master servers. Investigation into historical passive DNS (pDNS) records showed the the detection of Beaugrit (Comodo, TrendMicro). Beaugrit is primarily used by attackers to gain unauthorized access to systems, which can then be exploited for various malicious activities, including data theft, system manipulation, and further malware distribution. The presence of Beaugrit on a system can lead to significant security breaches, data loss, and potential damage to the system’s integrity. An image of CTIN’s Graph analysis available on VirusTotal is given below.
These OSINT data can be accessed directly at: https://www.virustotal.com/graph/embed/g8bef3f03792a45b4a62fb1a56df3b806cc49967032cd41a1af160bcdc7c9ca98?theme=light
This suggests that the traffic might be part of a malicious attempt to exploit the MooseFS infrastructure, potentially using the backdoor capabilities of Beaugrit to gain unauthorized access and control using the distributed file system and infected hosts. And, given the evidence presented below, it appears that this backdoor which has been lying dormant for several years, has not been invoked to carry out a new campaign. This new campaign is current as of 72 hours ago, based on newly uploaded files to VirusTotal.
MooseFS, short for Moose File System, is an open-source, POSIX-compliant distributed file system. It’s designed to be fault-tolerant, highly available, and high-performing. Here are some key features of MooseFS:
- Fault-Tolerant: MooseFS is designed to be resilient to failures. It keeps metadata of the file system in two or more copies on physically redundant servers. User data is redundantly spread across the storage servers in the system.
- Highly Available: MooseFS ensures that your data is always accessible. It achieves this by spreading data over several physical locations (servers), which are visible to the user as one resource.
- High Performance: MooseFS is designed to support high-performance I/O operations. User data can be read/written simultaneously on many storage nodes, thereby avoiding single central server or single network connection bottlenecks.
- Scalable: The storage can be extended up to 16 exabytes (~16000 petabytes), which allows us to store more than 2 billion files.
- POSIX Compliant: MooseFS is POSIX compliant and acts like any other Unix-like file system supporting hierarchical structure, files and folders, file attributes, special files, symbolic and hard links, security attributes and ACLs.
- Data Tiering: MooseFS supports different storage policies for different files/directories in Storage Classes mechanism.
Mid-October 2023 Campaign
The COTH team then discovered that on October 9th and 12th, 2023 the adversaries used the following domains to distribute malware through large-scale phishing campaigns:
- us-psjkf[.]com
- us-pskyh[.]com
- us-pslgp[.]com
On those dates these domains were resolving to this IPv4: 47.91.170.222. The themes from phishing activity associated with this IP were financial (HSBC, Shopify), consumer products (Amazon) and a Russian retail chain ‘Magnit’, and automotive (Toyota). Using these domains the COTH team was able to reveal a May 10, 2024 campaign that implanted the malware as seen on the adjacent screenshot.
May 17, 2024 Campaign Surfacing Knigsfot Trojan
Central to this most recent campaign is a file named: x7_c[.]caj. The SHA256 File Hash is: e95b634fa6ffbd85b165dac9fe5a48b4f8900147bf79f4a8fe7dadc9fb60a1a5. The image below gives a Graph representation of the malware, resolving IPs and domains, and communicating files. It has been named by more than seven of the key global antivirus research firms as ‘Knigsfot’ as shown at VirusTotal: [https://www.virustotal.com/gui/file/e95b634fa6ffbd85b165dac9fe5a48b4f8900147bf79f4a8fe7dadc9fb60a1a5].
The reader can get access to this OSINT data at: https://www.virustotal.com/graph/g8563258fe2f24447a1b8a479b783da2165ba16779ecf4fb693b95b40075b7a72. The virus has been identified as a Trojan Downloader. Florian Roth and his team at Nextron have developed a Sigma Rule for the virus which is available on the ‘Detection’ tab at the VirusTotal URL given above. Importantly, the file makes an HTTP GET request to: hxxp://t.ukad.com/kingsoft.cab as shown on the ‘Behavior’ tab of the same analysis.
Conclusion
The artifacts discovered in this blog article may or may not be associated with the Volt Typhoon campaign. They do, however, have similarity to the characteristics of a campaign intended to establish and maintain an undetected backdoor that beacons out to a command and control server: reconnaissance and initial access. If defenders identify any of the cyber observables published in this article you should search diligently for signs of lateral movement.
The CISA Fact Sheet cited at the beginning of the article provides a set of best practices for owner/operators of critical infrastructure that may be targeted by Volt Typhoon and other state-sponsored Chinese cyber threat actors. These are duplicated here for the reader’s convenience:
- Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
- Implement phishing-resistant MFA.
- Ensure logging is turned on for application, access, and security logs and store logs in a central system.
- Plan “end of life” for technology beyond manufacturer’s supported lifecycle.
Sound Advise. Let’s keep them left of boom.