Microsoft issues fresh warning about nation-state actor Gadolinium

Microsoft has warned organisations about the use of cloud services and open source tools by a nation-state hacker group named Gadolinium to target a variety of organisations primarily in the healthcare and maritime sectors.

The software giant said in a blog post that Gadolinium, which has been targeting and compromising organisations worldwide for nearly a decade, is now using cloud services and open source tools to enhance the weaponisation of its malware payloads and to establish command and control all the way to the server.

In the cyber security industry, Gadolinium is known as a state-supported Chinese hacker group that also goes by names such as Leviathan and APT40. According to Microsoft, the group uses custom-crafted malware families to target organisations and, over the past year, has begun using open-source toolkits to obfuscate its activities.

In order to increase the scale and speed of its attacks, Gadolinium has been using cloud services as well as GitHub to issue new commands to victim computers. Since April this year, Gadolinium has also been sending COVID-19-themed phishing emails to targeted organisations, attaching malicious PowerPoint files that install several payloads once downloaded on a computer.

In April, Microsoft discovered and suspended as many as eighteen Azure Active Directory applications that were being used by the hacker group as part of its malicious PowerShell Empire infrastructure. While Microsoft said the move will protect end users, the hackers are expected to quickly set up new cloud applications and use new open-source tools to carry out malicious activities.

"The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems," Microsoft said.

"The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.

"From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur," it added. The company has shared indicators of compromise (IOCs) associated with Gadolinium's activities to enable security workers to defend against the group's attacks. These are listed below:

Hashes from malicious document attachments

faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a

Actor-owned email addresses

Chris.sukkar@hotmail.com
PhillipAdamsthird@hotmail.com
sdfwfde234sdws@outlook.com
jenny1235667@outlook.com
fghfert32423dsa@outlook.com
sroggeveen@outlook.com
RobertFetter.fdmed@hotmail.com
Heather.mayx@outlook.com

Azure Active Directory App IDs associated with malicious apps

ae213805-a6a2-476c-9c82-c37dfc0b6a6c
afd7a273-982b-4873-984a-063d0d3ca23d
58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb
8ba5106c-692d-4a86-ad3f-fc76f01b890d
be561020-ba37-47b2-99ab-29dd1a4312c4
574b7f3b-36da-41ee-86b9-c076f999b1de
941ec5a5-d5bf-419e-aa93-c5afd0b01eff
d9404c7d-796d-4500-877e-d1b49f02c9df
67e2bb25-1f61-47b6-9ae3-c6104e587882
9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0
289d71ad-54ee-44a4-8d9a-9294f19b0069
a5ea2576-4191-4e9a-bfed-760fff616fbf
802172dc-8014-42a9-b765-133c07039f9f
fb33785b-f3f7-4b2b-b5c1-f688d3de1bde
c196c17d-1e3c-4049-a989-c62f7afaf7f3
79128217-d61e-41f9-a165-e06e1d672069
f4a41d96-2045-4d75-a0ec-9970b0150b52
88d43534-4128-4969-b5c4-ceefd9b31d02
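The Microsoft quote above notes that the Graph API and OneDrive traffic looks like a trusted application using trusted cloud APIs, so the practical check for a SOC is to match the published application IDs, sender addresses and attachment hashes against its own telemetry. The following matcher is an added example and is not code from the article or from Microsoft: the indicator values are copied from the lists above, the sign-in field names (appId, userPrincipalName, ipAddress) follow the Microsoft Graph signIn resource, and the log records, sender addresses and file hashes it is run against are constructed for illustration.

```python
"""Match exported Azure AD sign-in records, mail sender addresses and attachment
hashes against the GADOLINIUM indicators listed in the article above."""
import json
from dataclasses import dataclass

# Indicators copied from the article. All comparisons are case-insensitive.
MALICIOUS_DOC_HASHES = {
    "faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675",
    "f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a",
}
ACTOR_EMAILS = {
    "chris.sukkar@hotmail.com", "phillipadamsthird@hotmail.com",
    "sdfwfde234sdws@outlook.com", "jenny1235667@outlook.com",
    "fghfert32423dsa@outlook.com", "sroggeveen@outlook.com",
    "robertfetter.fdmed@hotmail.com", "heather.mayx@outlook.com",
}
MALICIOUS_APP_IDS = {
    "ae213805-a6a2-476c-9c82-c37dfc0b6a6c", "afd7a273-982b-4873-984a-063d0d3ca23d",
    "58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb", "8ba5106c-692d-4a86-ad3f-fc76f01b890d",
    "be561020-ba37-47b2-99ab-29dd1a4312c4", "574b7f3b-36da-41ee-86b9-c076f999b1de",
    "941ec5a5-d5bf-419e-aa93-c5afd0b01eff", "d9404c7d-796d-4500-877e-d1b49f02c9df",
    "67e2bb25-1f61-47b6-9ae3-c6104e587882", "9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0",
    "289d71ad-54ee-44a4-8d9a-9294f19b0069", "a5ea2576-4191-4e9a-bfed-760fff616fbf",
    "802172dc-8014-42a9-b765-133c07039f9f", "fb33785b-f3f7-4b2b-b5c1-f688d3de1bde",
    "c196c17d-1e3c-4049-a989-c62f7afaf7f3", "79128217-d61e-41f9-a165-e06e1d672069",
    "f4a41d96-2045-4d75-a0ec-9970b0150b52", "88d43534-4128-4969-b5c4-ceefd9b31d02",
}


@dataclass(frozen=True)
class Hit:
    indicator_type: str  # "app_id", "hash" or "email"
    indicator: str       # the matched indicator, normalised to lower case
    context: str         # where it was seen, for the analyst


def match_signins(records):
    """records: dicts shaped like Azure AD sign-in entries (Graph signIn fields
    appId, userPrincipalName, ipAddress). Returns one Hit per sign-in made
    through a listed application ID."""
    hits = []
    for rec in records:
        app_id = str(rec.get("appId", "")).lower()
        if app_id in MALICIOUS_APP_IDS:
            ctx = f"{rec.get('userPrincipalName', '?')} from {rec.get('ipAddress', '?')}"
            hits.append(Hit("app_id", app_id, ctx))
    return hits


def match_attachments(attachments):
    """attachments: (filename, sha256_hex) pairs, e.g. from a mail gateway export."""
    return [Hit("hash", digest.lower(), name)
            for name, digest in attachments
            if digest.lower() in MALICIOUS_DOC_HASHES]


def match_senders(senders):
    """senders: (message_id, from_address) pairs."""
    return [Hit("email", addr.lower(), msg_id)
            for msg_id, addr in senders
            if addr.lower() in ACTOR_EMAILS]


# Constructed sample telemetry (not from the article). The benign app ID and the
# user, address and hash values are placeholders.
SAMPLE_SIGNINS_JSONL = """\
{"appId": "AE213805-A6A2-476C-9C82-C37DFC0B6A6C", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10"}
{"appId": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.7"}
{"appId": "58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb", "userPrincipalName": "carol@example.test", "ipAddress": "203.0.113.10"}
"""
SAMPLE_ATTACHMENTS = [
    ("update.pptx", "FAEBFF04D7CA9CCA92975E06C4A0E9CE1455860147D8432FF9FC24622B7CF675"),
    ("agenda.pptx", "0000000000000000000000000000000000000000000000000000000000000000"),
]
SAMPLE_SENDERS = [("msg-1", "Chris.Sukkar@Hotmail.com"), ("msg-2", "hr@example.test")]


def load_sample_signins():
    return [json.loads(line) for line in SAMPLE_SIGNINS_JSONL.splitlines() if line.strip()]


def scan_samples():
    """Run all three matchers over the constructed samples."""
    return (match_signins(load_sample_signins())
            + match_attachments(SAMPLE_ATTACHMENTS)
            + match_senders(SAMPLE_SENDERS))


if __name__ == "__main__":
    for hit in scan_samples():
        print(f"{hit.indicator_type}: {hit.indicator} ({hit.context})")
```

Feeding real exports into `match_signins` is a matter of replacing the constructed JSON lines with records from the sign-in log; because the indicators are normalised to lower case, the check is unaffected by the mixed casing that different export tools produce.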
