GTsST Sandworm Team
Locate misconfigured or privileged SUID binaries capable of executing shell commands, then leverage them to spawn an agent of our choice and persist it at startup using whichever service manager the running environment provides.

TTP Tuesday: GTsST: Sandworm Team

Privilege escalation and service level persistence

Theme Overview

For this week's release, we're introducing a new chain theme based on GTsST and specifically Sandworm. In February 2021, ANSSI (Agence nationale de la sécurité des systèmes d'information, the French national cybersecurity agency) published an advisory warning that attackers with links to Sandworm, a group within Russia's GTsST (the GRU's Main Centre for Special Technologies), had breached several French organizations. The agency describes the victims as "mostly" IT firms, web hosting companies in particular. ANSSI states the intrusion campaign dates back to late 2017 and continued until 2020.

Intentions

Little is known about the attackers' intentions for the access they obtained. Sandworm's operations are typically destructive: as an example, GTsST is linked to the December 2015 attack on Ukraine's power grid that left roughly 230,000 residents without electricity in winter.

"Even though there's no known endgame linked to this campaign documented by the French authorities, the fact that it's taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention," said Joe Slowik, a researcher at the security firm DomainTools who has tracked Sandworm's activities for years.

Attacker Payloads

Three types of payload were present on the compromised machines.

Setuid Privilege Escalation

A setuid-root binary that executed shell commands. This was a custom payload written in C and compiled directly on the compromised host. The attackers used it to run their malware as root and to set up root-level persistence. The mechanism is simple: a setuid-root executable that calls setuid(0) and then hands its argument to /bin/sh gives the operator root on demand without re-exploiting anything, which is why a freshly compiled SUID file that no package owns is such a strong indicator.
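Here is an added example (a POSIX shell script, not Prelude's chain code) of the enumeration step a hunter or an operator runs against the kind of payload described above: it lists every setuid file under a root, flags the ones no package manager claims, and does a cheap first-pass check for an embedded shell path. The function names, the --run switch and the "unowned" label are this example's own conventions; dpkg -S and rpm -qf are the real package-ownership queries on Debian and RHEL families.

```shell
#!/bin/sh
# Added example (not Prelude's chain code): enumerate setuid binaries,
# flag the ones no package manager claims, and check for embedded shell
# paths. A setuid payload compiled on the host, like the one in the ANSSI
# report, is by definition unowned by any package.

# list_suid ROOT: every regular file under ROOT with the setuid bit.
# -perm -4000 means "all of these bits set"; -xdev stays on one filesystem.
list_suid() {
  find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# owner_pkg PATH: print the package that owns PATH, or "unowned".
owner_pkg() {
  f="$1"
  if command -v dpkg >/dev/null 2>&1; then
    if out=$(dpkg -S "$f" 2>/dev/null); then
      printf '%s\n' "$out" | head -n 1 | cut -d: -f1
      return 0
    fi
  fi
  if command -v rpm >/dev/null 2>&1; then
    if out=$(rpm -qf "$f" 2>/dev/null); then
      printf '%s\n' "$out" | head -n 1
      return 0
    fi
  fi
  echo unowned
}

# unowned_suid ROOT: setuid files that no package claims.
unowned_suid() {
  list_suid "$1" | while IFS= read -r f; do
    if [ "$(owner_pkg "$f")" = unowned ]; then
      printf '%s\n' "$f"
    fi
  done
}

# shell_strings PATH: succeed if the file embeds a shell path. This is a
# heuristic first filter for "capable of executing shell commands": a
# payload can reach a shell without the literal string, so a miss proves
# nothing, but a hit on an unowned setuid file deserves a look.
shell_strings() {
  grep -aq -e '/bin/sh' -e '/bin/bash' -e '/bin/dash' "$1"
}

# report ROOT: print each unowned setuid file with its shell-string verdict.
report() {
  unowned_suid "${1:-/}" | while IFS= read -r f; do
    if shell_strings "$f"; then
      printf 'UNOWNED SUID, embeds shell path: %s\n' "$f"
    else
      printf 'UNOWNED SUID: %s\n' "$f"
    fi
  done
}

# Usage: sh suid_hunt.sh --run [ROOT]   (ROOT defaults to /)
if [ "${1:-}" = "--run" ]; then
  report "${2:-/}"
fi
```

Run it as root so find can descend into every directory, and expect the stock setuid set (su, sudo, passwd, mount and friends) to come back owned; anything under /tmp, /dev/shm, a web root or a home directory with the setuid bit is worth pulling for analysis. Mounting user-writable filesystems with nosuid removes the bit's effect entirely and is the cheapest hardening against this class of payload.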

Exaramel Malware

After exploiting Centreon to gain initial access, the attackers installed a custom backdoor classified as Exaramel. It is written in Go and acts as a very simple command and control agent. On launch it installs itself and ensures no other instance is running. It then checks whether persistence has already been applied; if not, it inspects the system environment and installs itself accordingly.

Exaramel Persistence

Once Exaramel launches, it checks whether the service manager is systemd, SystemV, or Upstart. If it finds one of those three, it installs a service named syslogd (syslogd.service under systemd), a name chosen to blend in with the legitimate syslog daemon, so that the agent is started again at boot. If it cannot identify the service manager as one of the three, it falls back to a cron job that runs every minute.
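The following added example (POSIX shell; it is neither the Exaramel sample nor Prelude's chain code) reproduces the service-manager check described above and turns it into a hunt: it detects the init system the way systemd's own sd_booted() does (the /run/systemd/system directory), checks for Upstart's initctl and for a SystemV /etc/init.d, looks for a service artifact named syslogd, and pulls every-minute entries out of crontab files. The ROOT argument lets it run against a mounted disk image. Only the systemd unit name syslogd.service comes from the report; the Upstart and SystemV file names are assumptions that follow each init system's naming convention, as are the function names and the --run switch.

```shell
#!/bin/sh
# Added example: reproduce Exaramel's init-system check and hunt for the
# persistence artifacts the page describes. Not Prelude's chain code.
# ROOT ("" = live system) lets every check run over a mounted image.

# detect_init ROOT -> systemd | upstart | sysv | none
# Order matters: systemd hosts still ship /etc/init.d, so test it first.
detect_init() {
  root="${1:-}"
  if [ -d "$root/run/systemd/system" ]; then      # same test as sd_booted()
    echo systemd
  elif [ -x "$root/sbin/initctl" ] && [ -d "$root/etc/init" ]; then
    echo upstart
  elif [ -d "$root/etc/init.d" ]; then
    echo sysv
  else
    echo none                                      # Exaramel falls back to cron
  fi
}

# persistence_path INIT -> path a "syslogd" service would occupy.
# Only the systemd unit name is documented; the other two are assumptions
# following each init system's naming convention.
persistence_path() {
  case "$1" in
    systemd) echo /etc/systemd/system/syslogd.service ;;
    upstart) echo /etc/init/syslogd.conf ;;
    sysv)    echo /etc/init.d/syslogd ;;
    *)       echo "" ;;
  esac
}

# every_minute_crons: filter crontab text on stdin down to entries whose
# five time fields fire every minute ("* * * * *" or "*/1 * * * *").
# Comment lines and anything else fall through; grep's no-match status is
# swallowed so callers can run under set -e.
every_minute_crons() {
  grep -E '^[[:space:]]*\*(/1)?([[:space:]]+\*){4}[[:space:]]' || true
}

# hunt ROOT: run the checks and print findings.
hunt() {
  root="${1:-}"
  init=$(detect_init "$root")
  echo "service manager: $init"
  p=$(persistence_path "$init")
  if [ -n "$p" ] && [ -e "$root$p" ]; then
    echo "FOUND service artifact: $root$p"
  fi
  # System crontab, drop-in directory, and both common per-user spools.
  for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
           "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
    [ -f "$f" ] || continue
    every_minute_crons < "$f" | sed "s|^|FOUND every-minute cron in $f: |"
  done
}

# Usage: sh exaramel_hunt.sh --run [ROOT]   (ROOT defaults to the live host)
if [ "${1:-}" = "--run" ]; then
  hunt "${2:-}"
fi
```

A unit literally named syslogd.service is unusual on modern distributions: rsyslog ships rsyslog.service with syslog.service as an alias, and syslog-ng ships syslog-ng.service, so a hit from this script should be followed by checking whether the unit and the binary it starts belong to any package. The every-minute cron filter deliberately treats "*/1" the same as "*", since both schedules fire every minute.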

Impact

The impact is still unknown because the Sandworm group's intentions remain unclear. What we do know is that the intrusion went undetected for roughly three years (late 2017 to 2020). This was a well-planned operation that hit several IT companies across France.

Thanks for reading! We’ll be back next week with more examples of GTsST's destruction!

Check it out on the Prelude chains website.

Watch a demonstration: GTsST Sandworm.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VV_X_7
Sam: wasupwithuman

Source: https://feed.prelude.org

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Enumerate exploitable SUID binaries
Compile malicious binary using vulnerable SUID
Spawn elevated Pneuma and relocate agent binary
Enumerate underlying system manager
Systemd service persistence
Upstart service persistence
SystemV service persistence
Cron job persistence