Threat Activity Cluster #5: Pistachio

This blog was originally published by Alert Logic here.

Written by Josh Davies and Gareth Protheroe, Alert Logic.

The ice cream blog series continues by documenting another activity cluster first observed in our dataset in 2019. This threat cluster has been well documented in the security community with, APT41, Lead, Wicked Panda, and Vanadinite demonstrating significant overlap in activity, making it likely that each reports activity involving the same threat group. We are grateful for the contributions of these and other threat researchers who have helped inform the security community’s understanding of this actor.

To catch up on the rest of the series, click the links below:

• Intro: Threat Activity Clusters
• Cluster 1: Mint
• Cluster 2: Mint Sprinkles
• Cluster 3: Strawberry
• Cluster 4: Strawberry Sprinkles

This prominent APT has a footprint across numerous organizations. During our constant threat hunts, we have gleaned information that may complement the existing understanding of this group, due to our unique insight into 40PB of customer threat data ingested monthly. This blog will share our perspective of this advanced persistent threat.

APTs are difficult to detect and even harder to track, as they recycle and modify indicators and TTPs to evade detection and increase their success rate. Therefore, the activity we have observed is better understood as this flavor having a tendency to perform documented actions, rather than there being a definitive pattern. This is a distinct difference from previous threat flavors documented in this series.

A sophisticated threat deserves a sophisticated flavor, so our identifier for this activity cluster is Pistachio.

Exploit

Alert Logic threat hunters identified Pistachio during our emerging threat process when active exploits of CVE-2019-19781 and CVE-2021-26084 first surfaced in January 2020 and September 2021, respectively.

This flavor would target exposed confluence servers and Citrix ADC systems, usually preferring to compromise windows-based systems used by organizations in the healthcare, telecom, technology, and video game industries. The confluence and Citrix ADC exploits allowed for full remote code execution, effectively granting the group complete control of the vulnerable server.

Installation and C2

In the instances where Pistachio was observed among customers, the flavor gained initial access and then abused certutil.exe as part of a “living off the land” attack, using the native command line program intended for certificate services to download a batch script (x.bat) from a host controlled by the group.

The batch script runs commands via PowerShell to download further programs, including a dynamic link library (DLL), which is then installed as a windows service.

The malicious service DLL is unpackaged to launch Cobalt Strike to establish command and control (C2) of the compromised machine. The flavor also uses the known hacker tool, Metasploit, usually to advance further into the network. The C2 profiles observed were intended to look like benign internet traffic and were unlikely to be caught or blacklisted when viewed in isolation.

Utilizing the native programs (certutil and PowerShell) helps to bypass preventative controls (such as EDR) as the attacker masquerades as a legitimate program.

It is worth noting that the certutil abuse and subsequent file download(s) was caught in routine threat hunting activities, not as part of a focused emerging threat, threat hunt. Searching for signs of compromise like this helped provide early warning of the Citrix and Confluence emerging threat.

While those exploits were brand new at the time, threat actors cannot rely entirely on novel tactics throughout the kill chain. This demonstrates the necessity to hunt across the kill chain and the complementary relationship of pairing advanced detection capabilities with preventative tools.

Flavor Infrastructure

Flavor infrastructure is where we have seen the greatest variance. Pistachio frequently moves onto new attacker infrastructure to carry out actions across the kill chain. Monitoring attacker IPs has proven to be inefficient long term, as they are usually only active during small windows.

Pistachio appears to have the ability and resources to take over new hosts and use these in their campaigns. This includes using routers, or an organization’s compromised hosts to take control of more infrastructure, both internally and externally. This is a stark contrast to previous actors we have observed, such as Strawberry, who simply spin up new hosts within the same AWS hosted VPC.

Pistachio, under its many other names, has been determined by other threat researchers as likely a Chinese state sponsored group based on targeted intrusions tending to align with Chinese Communist Party Objectives. Our team has no data to support this attribution, but it has assisted our understanding of the activity cluster.

The geo-locational data of the IP addresses recorded in our dataset and opensource intelligence contain a vast variety of countries with a significant lack of Chinese addresses. The geo-locational data, coupled with the frequent renewal of attacker infrastructure, has led our threat hunters to theorize that there may be a concerted effort to use fewer Chinese IP addresses in order to mask attribution.

About the Authors

Josh Davies is a Product Manager at Alert Logic by HelpSystems. Formerly a Security Analyst and Solutions Architect, Josh has extensive experience working with mid-market and enterprise organisations; conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.

Gareth Protheroe is a Sans certified (GCTI) senior security analyst at Alert Logic by HelpSystems. Gareth has a background in chemical science and currently spearheads Alert Logic’s threat hunting activities conducted by the SOC and threat intelligence teams.