| StealthVector | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | China |
| Targeted Countries | India |
| Date of initial activity | 2020 |
| Associated Groups | APT41 |
| Motivation | Espionage |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
StealthVector is a sophisticated and highly effective piece of malware identified as part of a larger cyberespionage campaign attributed to the Earth Baku APT group, also known as APT41. This malware, written in C/C++, functions as a shellcode loader, enabling attackers to infiltrate and compromise targeted systems with considerable stealth. Once deployed, StealthVector executes malicious payloads within a compromised environment, playing a crucial role in Earth Baku’s ongoing espionage activities. What sets StealthVector apart from many other malicious tools is its remarkable adaptability: its features can be configured without modifying its core code. This flexibility enhances its utility in various cyberattack scenarios, making it a versatile tool in the hands of skilled cybercriminals.
One of the standout features of StealthVector is its ability to evade detection by using advanced anti-forensic techniques. Among these, the malware’s capability to disable Event Tracing for Windows (ETW) is particularly noteworthy. ETW is a built-in security feature designed to log and monitor system activity, helping security tools identify suspicious behavior. By disabling this logging mechanism, StealthVector ensures that its operations remain undetected by traditional security measures, allowing it to infiltrate systems without raising alarms. Furthermore, StealthVector employs the ChaCha20 encryption algorithm to secure its configuration, adding an extra layer of protection against reverse engineering and making it more difficult for defenders to uncover its inner workings.
Targets
Information
Manufacturing
Transportation and Warehousing
How they operate
At its core, StealthVector is written in C/C++ and is deployed to load and execute payloads in a targeted environment. The malware is highly modular, with a configuration that allows its behavior to be easily tailored for different attacks. Upon infection, StealthVector first checks for a variety of conditions to ensure it is operating in an environment suitable for its payload execution. For instance, it can disable Event Tracing for Windows (ETW), a security feature used by Windows to log system activity. By doing so, StealthVector prevents the detection of its actions by security tools and logging mechanisms that rely on ETW. This capability makes it difficult for defenders to track the malware’s movement within the system and identify it during routine monitoring.
StealthVector’s configuration is another key feature that enhances its stealthiness. The malware’s encrypted configuration uses the ChaCha20 encryption algorithm, a robust cryptographic method designed to make reverse engineering more challenging. The configuration file contains critical information such as payload locations, execution settings, and other parameters that control the loader’s behavior. By using ChaCha20 with a fixed custom initial counter, StealthVector ensures that the malware’s configuration remains obfuscated, complicating any attempts to analyze its inner workings without first decrypting the configuration. This encryption mechanism provides attackers with an additional layer of security, ensuring that the loader can evade detection for longer periods.
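An analyst recovering a configuration like this needs a ChaCha20 routine whose initial block counter can be set freely, because the loader does not use the standard starting value. The following is an added example, not code from the original report or from the malware: a minimal RFC 8439 ChaCha20 in pure Python with a configurable initial counter, checked against the RFC block test vector, then applied to a constructed sample blob. The key, nonce, counter value and configuration content are all constructed for illustration and are not the real sample's values.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    # One ChaCha quarter round on state words a, b, c, d (RFC 8439 section 2.1)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    # State layout: 4 constants, 8 key words, 1 counter word, 3 nonce words
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8L", key)) + [counter & MASK32] + list(struct.unpack("<3L", nonce))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, initial_counter=1):
    # Stream-cipher XOR; the same call encrypts and decrypts. The loader's
    # deviation from the standard is the non-default initial_counter.
    out = bytearray()
    for off in range(0, len(data), 64):
        keystream = chacha20_block(key, initial_counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


# RFC 8439 section 2.3.2 block test vector (key 00..1f, counter 1)
RFC_KEY = bytes(range(32))
RFC_NONCE = bytes.fromhex("000000090000004a00000000")
RFC_BLOCK1_PREFIX = bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")

# Constructed sample: a hypothetical config encrypted with a custom counter
SAMPLE_KEY = bytes.fromhex("a3" * 16 + "5c" * 16)          # constructed
SAMPLE_NONCE = b"\x00\x00\x00\x00cfgnonce"                  # constructed, 12 bytes
CUSTOM_COUNTER = 0x0BADC0DE                                 # constructed, not the real value
SAMPLE_CONFIG = b'{"payload":"C:\\\\ProgramData\\\\stage2.bin","disable_etw":1}'
SAMPLE_BLOB = chacha20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_CONFIG, CUSTOM_COUNTER)


def recover_config(blob, key, nonce, counter):
    # Decrypting with the standard counter (0 or 1) yields garbage; only the
    # counter hard-coded in the loader reproduces the keystream.
    return chacha20_xor(key, nonce, blob, counter)
```

Verifying the implementation against the RFC vector first is what makes a garbage result attributable to the wrong counter rather than to a bug in the cipher code.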
Once deployed, StealthVector’s payloads are executed in a way that maximizes their chances of remaining undetected. It can employ techniques such as process hollowing, where the malware injects itself into the memory space of a legitimate process. This technique allows StealthVector to run its payload without leaving traces of its execution in the file system, further minimizing the chances of detection. In some samples, StealthVector uses AES-256-ECB encryption to decrypt its payload before execution, while older versions have been observed using XOR encryption. The use of strong encryption algorithms ensures that only the intended payload can be decrypted and executed, making it more difficult for security researchers to identify the threat quickly.
In addition to its core functionality, StealthVector is often used in conjunction with other malware tools, such as ScrambleCross, a backdoor that facilitates communication between the compromised system and the attacker’s command-and-control (C&C) server. ScrambleCross enables the attacker to issue commands, manipulate the system, and potentially exfiltrate data. The loader’s ability to handle multiple payloads and its integration with advanced tools like ScrambleCross make it a versatile asset for cyberespionage campaigns. Its design also allows for the easy modification of configurations, making it adaptable to different target environments and use cases.
In summary, StealthVector represents a highly advanced and adaptable tool for cybercriminals, enabling them to infiltrate, maintain persistence, and exfiltrate sensitive information from targeted systems with minimal detection. The malware’s use of encryption, evasion techniques, and its modular architecture make it a formidable threat in the hands of skilled threat actors. As cyberespionage campaigns become more sophisticated, understanding the inner workings of malware like StealthVector is crucial for improving defensive measures and mitigating the risks posed by advanced persistent threats.
MITRE Tactics and Techniques
Initial Access (T1071: Application Layer Protocol)
StealthVector may exploit legitimate communication protocols to establish an initial foothold on a target system. This could involve using techniques like malicious web shells or SQL injection, as seen in Earth Baku’s campaigns.
Execution (T1203: Exploitation for Client Execution)
StealthVector is delivered and executed via various methods, including exploitation of vulnerabilities such as those in Microsoft Exchange Server (CVE-2021-26855). This allows it to run malicious code on the target system without user interaction.
Persistence (T1053: Scheduled Task/Job)
To maintain persistence, StealthVector may schedule tasks to execute at regular intervals, ensuring it remains active on the compromised system even after system reboots.
Privilege Escalation (T1548: Abuse Elevation Control Mechanism)
StealthVector may attempt to escalate privileges to gain higher levels of access within the system, allowing attackers to move laterally within the network or execute further payloads with elevated rights.
Defense Evasion (T1070: Indicator Removal from Tools)
One of the key tactics employed by StealthVector is its ability to disable Event Tracing for Windows (ETW). This helps evade detection by security tools, as ETW is responsible for logging system events, including malicious activity.
Credential Access (T1081: Credentials in Files)
Though not directly focused on credential theft, StealthVector may assist in the extraction of credentials by facilitating the installation and operation of additional tools like ScrambleCross, which could collect and exfiltrate credentials.
Command and Control (T1071: Application Layer Protocol)
StealthVector likely communicates with its command and control (C&C) server over standard application layer protocols to receive commands or further instructions. This enables attackers to maintain control over compromised systems.
Exfiltration (T1041: Exfiltration Over Command and Control Channel)
As part of a larger cyberespionage operation, StealthVector may be used to facilitate the exfiltration of data, with the malware aiding in the communication between the compromised system and the C&C server.