| CBROVER | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | China |
| Targeted Countries | United States |
| Date of Initial Activity | 2022 |
| Associated Groups | Mustang Panda |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
CBROVER is a sophisticated malware variant that has been observed as part of a multi-stage infection chain used by advanced persistent threat (APT) actors, particularly in high-stakes cyberattacks targeting government entities and organizations across the Asia-Pacific region. It operates as a versatile tool for espionage, data exfiltration, and persistence, contributing to larger malicious campaigns like those executed by the Earth Preta threat group. In this article, we delve into the core functionalities of CBROVER, its infection mechanisms, and the impact it has on compromised systems.
CBROVER is designed to be deployed through spear-phishing attacks, a tactic frequently used by cybercriminals to gain initial access to a network. In these campaigns, CBROVER typically arrives as a secondary payload after the initial downloader, such as PULLBAIT, is executed. The malware can be introduced through malicious attachments, like URL files that lead to the downloading of the payload. Once inside the target system, CBROVER establishes a foothold and facilitates further infection stages, often loading additional malicious tools such as PLUGX, which serve to maintain persistence and further compromise the system.
Targets
Information, Credentials
How they operate
The attack cycle of CBROVER begins with initial access, primarily through spear-phishing campaigns. The malware is commonly embedded in attachments such as malicious macros or links in documents. When users interact with the attachments, the malware is executed, often via a command and scripting interpreter (T1059). In some cases, CBROVER leverages exploitation for initial access (T1203), taking advantage of vulnerabilities in the victim’s software or operating system to bypass security measures and gain unauthorized access. Once executed, CBROVER typically downloads additional components from a command-and-control (C2) server, expanding its functionality and preparing for further exploitation.
Following successful execution, CBROVER establishes persistence on the compromised system. It achieves this by modifying critical system settings, such as adding itself to the startup folder or creating new registry run keys (T1547). These modifications ensure that CBROVER continues to operate even after the system is rebooted. The malware may also set up scheduled tasks (T1053), allowing it to execute at predetermined times or intervals. By embedding itself deeply into the system, CBROVER evades simple detection and removal, creating an obstacle for system administrators attempting to mitigate the infection.
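The persistence artifacts described above (Run keys, the Startup folder, scheduled tasks) are all visible in endpoint telemetry. The following detection logic is an added example, not part of this profile or of any vendor tooling: it scans constructed Sysmon-style events (registry value set, file create, process create) and flags autostart entries that point at, or are created from, user-writable paths. Field names and the `key=value|key=value` layout are assumptions for the sample data.

```python
import re

# Heuristics: autostart entries written from, or pointing into, user-writable paths.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# Constructed sample events (flattened Sysmon-like fields); not real telemetry.
SAMPLE_EVENTS = [
    # Benign Run key written by explorer, pointing into Program Files.
    "EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent|Details=C:\\Program Files\\Vendor\\agent.exe",
    # Run key pointing at a binary dropped under AppData (T1547.001).
    "EventID=13|Image=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc|Details=C:\\Users\\u\\AppData\\Roaming\\svc.exe",
    # Shortcut dropped into the per-user Startup folder (T1547.001).
    "EventID=11|Image=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|TargetFilename=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk",
    # Scheduled task created by a process living in Temp (T1053).
    "EventID=1|Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|CommandLine=schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\svc.exe",
    # Unrelated process start; should not be flagged.
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
]


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def find_persistence(lines):
    """Return (technique, detail) tuples for suspicious autostart artifacts."""
    findings = []
    for ev in map(parse_event, lines):
        eid = ev.get("EventID")
        if eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            target = ev.get("Details", "")
            if USER_WRITABLE.search(target) or USER_WRITABLE.search(ev.get("Image", "")):
                findings.append(("T1547.001 Run key", f"{ev['TargetObject']} -> {target}"))
        elif eid == "11" and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            findings.append(("T1547.001 Startup folder", ev["TargetFilename"]))
        elif eid == "1" and ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            cmd = ev.get("CommandLine", "")
            if "/create" in cmd.lower() and (
                USER_WRITABLE.search(cmd) or USER_WRITABLE.search(ev.get("ParentImage", ""))
            ):
                findings.append(("T1053 Scheduled task", cmd))
    return findings


if __name__ == "__main__":
    for technique, detail in find_persistence(SAMPLE_EVENTS):
        print(f"[{technique}] {detail}")
```

The same three regexes apply unchanged to real Sysmon Event ID 1/11/13 fields once the parser is swapped for the actual log format.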
CBROVER seeks to escalate its privileges
Once persistent on the system, CBROVER seeks to escalate its privileges, often through exploitation for privilege escalation (T1203). By exploiting security flaws or misconfigurations in the operating system, CBROVER can gain higher-level access, which is critical for carrying out its objectives. The malware then engages in lateral movement, scanning the network for other vulnerable machines. Techniques like remote desktop protocol (RDP) (T1076) and remote file copy (T1105) are used to spread CBROVER to other machines on the network, allowing it to widen its reach and compromise more systems.
CBROVER also gathers valuable intelligence from the compromised system using techniques such as system information discovery (T1082) and network share discovery (T1135). By harvesting system details and network shares, it identifies potential targets for data exfiltration or further attacks. Credential dumping (T1003) is another key function of the malware, allowing it to collect sensitive login credentials, which can be leveraged for additional lateral movement or even escalate attacks to higher-value targets within the network.
One of the defining characteristics of CBROVER is its ability to avoid detection by traditional security measures. The malware employs obfuscation techniques (T1027), including encryption and packing of its payloads, to bypass signature-based detection systems. Additionally, CBROVER may manipulate system timestamps using timestomping (T1070.006) to make forensic analysis more challenging for investigators. Its low-and-slow approach enables it to remain dormant for long periods while continuing to gather data or execute tasks at specified intervals.
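Timestomping (T1070.006) usually rewrites only the $STANDARD_INFORMATION timestamps that file explorers show, while the kernel-maintained $FILE_NAME timestamps in the MFT are left alone. The following triage logic is an added example, not part of this profile: it runs two common forensic heuristics over constructed MFT-derived records, a $SI-created-before-$FN-created comparison and a zero sub-second check, and reports the files that trip them. The record layout is an assumption for the sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftRecord:
    """Subset of MFT timestamps: $STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*)."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def ts(value: str) -> datetime:
    """Parse an ISO-8601 string as a UTC timestamp."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed records; not from any real system.
SAMPLE_RECORDS = [
    # Benign: $SI and $FN agree and carry natural sub-second precision.
    MftRecord(r"C:\Windows\System32\kernel32.dll", ts("2021-03-02T10:15:42.128437"),
              ts("2021-03-02T10:15:42.128437"), ts("2021-03-02T10:15:42.128437"), ts("2021-03-02T10:15:42.128437")),
    # Stomped: $SI backdated to whole seconds in 2019 while $FN still records the 2022 drop.
    MftRecord(r"C:\Users\u\AppData\Roaming\svc.exe", ts("2019-06-01T08:00:00"),
              ts("2019-06-01T08:00:00"), ts("2022-11-14T03:22:17.551902"), ts("2022-11-14T03:22:17.551902")),
    # Copied file: $SI modified is preserved from the source, but $SI created matches $FN, so it stays quiet.
    MftRecord(r"C:\Users\u\Documents\report.docx", ts("2022-11-20T09:01:03.334120"),
              ts("2022-09-05T16:40:12.771500"), ts("2022-11-20T09:01:03.334120"), ts("2022-11-20T09:01:03.334120")),
]


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the heuristic reasons a record looks timestomped (empty list if none)."""
    reasons = []
    # Moves and renames also refresh $FN, so this check alone needs review alongside the next one.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created predates $FN created")
    # NTFS stores 100 ns ticks; user-supplied times are typically whole seconds.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second component")
    return reasons


def find_timestomped(records) -> dict:
    """Map path -> reasons for every record with at least one indicator."""
    return {r.path: reasons for r in records if (reasons := timestomp_indicators(r))}


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(reasons))
```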
Data Exfiltration Mode
Once CBROVER has gathered enough intelligence, it engages in data exfiltration. The malware uses exfiltration over command and control channels (T1041), typically sending data back to its C2 server using encrypted communications. This allows attackers to siphon sensitive information, such as login credentials, intellectual property, or personal data, without drawing attention to the operation. In some cases, CBROVER is also configured to destroy data (T1485) or inhibit system recovery (T1490), either to disrupt operations or cover its tracks before system restoration is attempted.
In conclusion, CBROVER operates as a highly adaptable and resilient threat, capable of infiltrating networks, evading detection, and exfiltrating critical information. Its modular design allows it to evolve and adjust to various system environments, making it a formidable threat to both individuals and organizations. Understanding its technical operations is crucial for developing effective countermeasures and mitigating the risks posed by such advanced malware strains. Detecting early indicators of compromise and applying layered defenses are key to reducing the impact of CBROVER attacks.
MITRE Tactics and Techniques
1. Initial Access
Spearphishing Attachment (T1566.001): CBROVER is often delivered through spear-phishing emails with malicious attachments, such as documents or URLs. These attachments serve as the initial access vector for the malware.
Exploitation for Initial Access (T1203): CBROVER may exploit vulnerabilities in software or systems to gain initial access, such as through exploits in email clients or web applications.
2. Execution
User Execution (T1204): After the spear-phishing email attachment is opened by the victim, CBROVER executes through user interaction, such as launching a malicious document or file.
Command and Scripting Interpreter (T1059): CBROVER may use scripts or command-line tools to execute commands on the infected system.
3. Persistence
Registry Run Keys / Startup Folder (T1547.001): CBROVER can establish persistence by modifying registry keys or adding itself to startup folders to ensure it runs automatically on system boot.
Scheduled Task (T1053): CBROVER may use scheduled tasks or cron jobs to maintain persistence on the system, allowing it to continue executing even after a system reboot.
4. Privilege Escalation
Exploitation for Privilege Escalation (T1203): CBROVER can exploit vulnerabilities in the operating system or software to escalate its privileges, gaining higher-level access to the compromised system.
5. Defense Evasion
Obfuscated Files or Information (T1027): To avoid detection by antivirus software and other security tools, CBROVER may use obfuscation techniques, such as encoding or encrypting its payload to hide its presence.
Timestomp (T1070.006): CBROVER might use timestomping techniques to alter file timestamps, making it harder for security teams to trace the malware’s actions and identify when it was first introduced.
6. Credential Access
Credential Dumping (T1003): CBROVER may attempt to dump credentials stored on the system, such as password hashes or account information, to facilitate lateral movement within the network.
7. Discovery
System Information Discovery (T1082): Once installed, CBROVER gathers information about the infected system, including operating system details, hardware configurations, and installed software.
Network Share Discovery (T1135): CBROVER may scan the network to discover shared resources and identify potential targets for further exploitation or data exfiltration.
8. Lateral Movement
Remote Desktop Protocol (RDP) (T1076): CBROVER could leverage RDP to move laterally within the network, allowing the attacker to access other systems and expand the infection.
Remote File Copy (T1105): CBROVER may copy itself to other machines in the network, establishing persistence on additional systems.
9. Collection
Data from Information Repositories (T1213): CBROVER can gather sensitive data stored in documents, databases, or other information repositories.
Screen Capture (T1113): It can take screenshots of the infected system to capture valuable information or monitor user activity.
10. Exfiltration
Exfiltration Over Command and Control Channel (T1041): CBROVER exfiltrates data over the same communication channel it uses for command and control, often through FTP or other network protocols.
Exfiltration Over Other Network Medium (T1048): In some cases, CBROVER may exfiltrate data via other network methods, including cloud storage or alternative network protocols.
11. Impact
Data Destruction (T1485): In some campaigns, CBROVER could be used in conjunction with other tools to destroy or corrupt data on compromised systems, impacting operations or preventing recovery.
Inhibit System Recovery (T1490): CBROVER may disable or block recovery mechanisms to hinder the restoration of systems from backups, complicating the cleanup process.