{"id":91604,"date":"2020-09-24T12:00:38","date_gmt":"2020-09-24T19:00:38","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=91604"},"modified":"2023-05-15T23:06:09","modified_gmt":"2023-05-16T06:06:09","slug":"gadolinium-detecting-empires-cloud","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/09\/24\/gadolinium-detecting-empires-cloud\/","title":{"rendered":"Microsoft Security\u2014detecting empires in the cloud"},"content":{"rendered":"
Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet.<\/p>\n
Recently, the Microsoft Threat Intelligence Center (MSTIC) observed an evolution in the techniques of an actor we call GADOLINIUM, which is using cloud services and open source tools to enhance the weaponization of its malware payload, attempt to gain command and control all the way to the server, and evade detection. These attacks were delivered via spear-phishing emails with malicious attachments; they were detected and blocked by Microsoft Defender, formerly Microsoft Threat Protection (MTP), and can also be detected using Azure Sentinel.<\/p>\n
As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure. This action helped transparently protect our customers without requiring additional work on their end.<\/p>\n
GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.<\/p>\n
Recently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations. As GADOLINIUM has evolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.<\/p>\n
Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate its activity and make it more difficult for analysts to track. Because cloud services frequently offer free trial or one-time payment (PayGo) accounts, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly, then taken down before detection or abandoned at little cost.<\/p>\n
The following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by this specific actor\u2019s activity the insight and information that will help them better protect against these attacks.<\/p>\n
GADOLINIUM has for years been experimenting with using cloud services to deliver its attacks and to increase both operational speed and scale. The image in Figure 1 is from a GADOLINIUM-controlled Microsoft TechNet profile established in 2016. This early use of a TechNet profile\u2019s contact widget involved embedding a very small text link that contained an encoded command for the malware to read.<\/p>\n
Figure 1: GADOLINIUM-controlled TechNet profile with embedded malware link.<\/em><\/p>\n
In 2018 GADOLINIUM returned to using cloud services, but this time it chose to use GitHub to host commands. The image in Figure 2 shows the GitHub commit history on a forked repository that GADOLINIUM controlled. In this repository, the actors updated markdown text to issue new commands to victim computers. MSTIC has worked with our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the GitHub platform.<\/p>\n
Figure 2: GitHub repository controlled by GADOLINIUM.<\/em><\/p>\n
GADOLINIUM\u2019s evolving techniques<\/strong><\/p>\n
Weaponization Delivery & Exploitation (2019)<\/strong><\/p>\n
Figure 3: VBA setting config and calling the “Run” function of the payload<\/em><\/p>\n
Command and Control (2019)<\/strong><\/p>\n
Interestingly, the malware contained compiled code that doesn\u2019t appear to be used in the attacks we saw. In addition to the Outlook Tasks API method described above, this extra code contains two other ways of using Office 365 as C2: via either the Outlook Contacts API (get and add contacts) or the OneDrive API (list a directory, get and add a file).<\/p>\n
Actions on Objective (2019)<\/strong><\/p>\n
LazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping capabilities to enable lateral movement across a victim network. Microsoft Defender for Endpoint detects the privilege escalation technique used.<\/p>\n
LazyCat performs credential dumping through use of the\u00a0MiniDumpWriteDump<\/em> Windows API call, which is also detected by Microsoft Defender for Endpoint.<\/p>\n
Delivery (2020)<\/strong><\/p>\n
Command and Control (2020)<\/strong><\/p>\n
The .png is actually PowerShell, which downloads and uploads fake .png files using the Microsoft Graph API to https:\/\/graph.microsoft.com\/v1.0\/drive\/root:\/onlinework\/contact\/$($ID)_1.png:\/content<\/em><\/a>\u00a0where $ID is the ID of the malware.
The GADOLINIUM PowerShell is a modified version of the open-source\u00a0PowershellEmpire toolkit<\/a>.<\/p>\n
Actions on Objectives (2020)<\/strong><\/p>\n
Command and Control\u2014Server compromise<\/strong><\/p>\n
Figure 6: Microsoft Defender for Endpoint alerts of suspicious web shell attacks.<\/em><\/p>\n
Web shell alerts from Microsoft Defender for Endpoint can be explored in Azure Sentinel and enriched with additional information that can give key insights into the attack. MSTIC\u2019s Azure Sentinel team recently published a blog outlining how such insights can be derived by analyzing events from the W3CIISLog<\/a>.<\/p>\n
Microsoft\u2019s proactive steps to defend customers<\/strong><\/p>\n
As part of Microsoft\u2019s broader work to foster a secure and trustworthy app ecosystem, we research and develop detection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior are quickly suspended to ensure our customers are protected.<\/p>\n
GADOLINIUM will no doubt evolve its tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them. For security practitioners looking to expand their own hunting on GADOLINIUM, we are sharing the indicators of compromise (IOCs) below that are associated with this activity.<\/p>\n
Hashes from malicious document attachments<\/strong><\/p>\n
faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
Actor-owned email addresses<\/strong><\/p>\n
Chris.sukkar@hotmail.com
Azure Active Directory App IDs associated with malicious apps<\/strong><\/p>\n
ae213805-a6a2-476c-9c82-c37dfc0b6a6c
To learn more about Microsoft Security solutions visit our website.<\/a>\u00a0Bookmark the\u00a0Security blog<\/a>\u00a0to keep up with our expert coverage on security matters.
Also, follow us at\u00a0@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":" Microsoft threat analysts have detected another evolution in GADOLINIUM\u2019s tooling that the security community should understand when establishing defenses.<\/p>\n","protected":false},"author":96,"featured_media":91621,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3667,3685],"products":[3726],"threat-intelligence":[],"tags":[3742],"coauthors":[2366,2367,2368],"class_list":["post-91604","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-cloud-security","topic-siem-and-xdr","products-microsoft-sentinel","tag-azure"],"yoast_head":"\n2018: Developing attacks in the cloud<\/h3>\n
2019-2020: Hiding in plain sight using open source<\/h3>\n
\n<\/strong>Two of the most recent attack chains, in 2019 and 2020, were delivered by GADOLINIUM using similar tactics and techniques. Below is a summary view of how these attack techniques have evolved, followed by a detailed analysis of each step that security practitioners can use to better understand the threat and what defenses to implement to counter the attacks.<\/p>\n
\n<\/strong>In the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain to techniques based on open-source kits. GADOLINIUM is not alone in this move. MSTIC has noticed a slow trend of several nation-state activity groups migrating to open-source tools in recent years. MSTIC assesses that this move is an attempt to make discovery and attribution more difficult. Another benefit of using open-source kits is that development and new feature creation are done by someone else at no cost. However, using open-source tools isn\u2019t always a silver bullet for obfuscation and blending into the noise.<\/p>\n
\n<\/strong>In 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious file was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with an Excel spreadsheet and a file called\u00a0mm.accdb.core<\/em>\u00a0which was subsequently executed. The file\u00a0mm.accdb.core<\/em>\u00a0is a VBA dropper, based on the\u00a0CactusTorch VBA module<\/a>, which loads a .NET DLL payload, sets configuration information, and then runs the payload. Defender for Office 365 detects and blocks malicious Microsoft Access database attachments in email. A redacted example of the configuration is displayed below.<\/p>\n
\n<\/strong>Having gained access to a victim machine, the payload then uses attachments to Outlook Tasks as a mechanism for command and control (C2). It uses a GADOLINIUM-controlled OAuth access token obtained via login.microsoftonline.com to call the Outlook Task API and check for tasks. The attacker uses attachments to Outlook tasks as a means of sending commands or .NET payloads to execute; at the victim end, the malware adds the output from executing these commands as a further attachment to the Outlook task.<\/p>\n
\n<\/strong>GADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands (read\/write\/list etc.) to enable C2 or perform SMB commands (upload\/download\/delete etc.) to potentially exfiltrate data.<\/p>\n
\n<\/strong>In mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The filenames of these attachments were chosen to appeal to the target\u2019s interest in the COVID-19 pandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt),<\/em>\u00a0when run, would drop a file,\u00a0doc1.dotm<\/em>. As in the 2019 example, Microsoft Defender for Office detects and blocks emails with these malicious PowerPoint and Word attachments.<\/p>\n
\n<\/strong>The malicious doc1.dotm had two payloads that run in succession.<\/p>\n\n
\n<\/strong>The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a\u00a0command and control module<\/a> that uses the attacker\u2019s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems. The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker\u2019s own Microsoft OneDrive storage. From an endpoint or network monitoring perspective, the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur. Later in this blog post, we will provide additional information about how Microsoft proactively prevents attackers from using our cloud infrastructure in these ways.<\/p>\n
\n<\/strong>GADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or traffic redirection. Microsoft Defender for Endpoint detects web shells by analyzing web server telemetry such as process creation and file modifications. Microsoft blogged earlier in the year on the use<\/a> of web shells by multiple groups and how we detect such activities.<\/p>\n
\n<\/strong>In addition to detecting many of the individual components of these attacks through Microsoft\u2019s security products and services such as Microsoft Defender for Endpoint and Microsoft Defender for Office, as described above, we also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a cloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire scenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that we determined to be part of GADOLINIUM\u2019s PowerShell Empire infrastructure (Application IDs listed in the IOC section below). Such action is particularly beneficial to customers, as suspending these applications protects all customers transparently without any action being required at their end.<\/p>\nList of related GADOLINIUM indicators<\/h3>\n
\nf61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a<\/p>\n
\nPhillipAdamsthird@hotmail.com
\nsdfwfde234sdws@outlook.com
\njenny1235667@outlook.com
\nfghfert32423dsa@outlook.com
\nsroggeveen@outlook.com
\nRobertFetter.fdmed@hotmail.com
\nHeather.mayx@outlook.com<\/p>\n
\nafd7a273-982b-4873-984a-063d0d3ca23d
\n58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb
\n8ba5106c-692d-4a86-ad3f-fc76f01b890d
\nbe561020-ba37-47b2-99ab-29dd1a4312c4
\n574b7f3b-36da-41ee-86b9-c076f999b1de
\n941ec5a5-d5bf-419e-aa93-c5afd0b01eff
\nd9404c7d-796d-4500-877e-d1b49f02c9df
\n67e2bb25-1f61-47b6-9ae3-c6104e587882
\n9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0
\n289d71ad-54ee-44a4-8d9a-9294f19b0069
\na5ea2576-4191-4e9a-bfed-760fff616fbf
\n802172dc-8014-42a9-b765-133c07039f9f
\nfb33785b-f3f7-4b2b-b5c1-f688d3de1bde
\nc196c17d-1e3c-4049-a989-c62f7afaf7f3
\n79128217-d61e-41f9-a165-e06e1d672069
\nf4a41d96-2045-4d75-a0ec-9970b0150b52
\n88d43534-4128-4969-b5c4-ceefd9b31d02<\/p>\n