Threat Research: Clasiopa Threat Actor 

In recent years, cyberattacks targeting research organizations have been on the rise. These attacks are often carried out by sophisticated threat actors, seeking to gain access to valuable intellectual property, research findings, and other sensitive information. One such group that has recently been observed is Clasiopa, a previously unknown threat actor that has been targeting a materials research organization in Asia. 

What sets Clasiopa apart from other threat actors is their use of a distinct toolset, which includes a custom piece of malware known as Backdoor.Atharvan. This malware allows Clasiopa to gain unauthorized access to the targeted organization’s systems, providing them with the ability to steal sensitive information or disrupt operations. 

Despite extensive investigation, there are few clues as to the origins of Clasiopa. It is unclear whether the group is state-sponsored or operates independently, and their motives remain unclear. However, their attacks demonstrate a high level of sophistication and suggest that they are a formidable adversary in the world of cyber threats. 

In this article, we will delve deeper into Clasiopa’s toolset and tactics, as well as the potential implications of their attacks on the materials research organization. We will also explore possible motives and origins of this enigmatic threat actor, shedding light on the evolving landscape of cyber threats targeting research organizations. 

Clasiopa Tactics, Techniques, and Procedures (TTPs): 

Clasiopa is a sophisticated threat actor that utilizes various TTPs to carry out their attacks. One of the primary methods of infection used by Clasiopa is currently unknown, although there is evidence to suggest that the attackers gain access through brute force attacks on public-facing servers. 

Apart from the distinct toolset used by Clasiopa, there are several other attack hallmarks observed. One of the techniques used by the attackers is checking the IP addresses of the computers they are on using the website https://ifconfig.me/ip. This allows them to identify the network they are using, and potentially identify other vulnerable systems to target. 

Another technique employed by Clasiopa is attempting to disable Symantec Endpoint Protection (SEP) by stopping the SepMasterService. The attackers use the “smc -stop” command to disable SEP, and they check the result of the query before attempting it. It is worth noting that any attempts to disable SEP will only work if the attacker has administrative credentials and the SEP administrator has disabled anti-tamper protection. 

Clasiopa uses multiple backdoors to build lists of file names and exfiltrate them, which are then saved either in a Thumb.db file or a ZIP (file format) archive. The attackers clear Sysmon logs using “wsmprovhost” and all event logs using PowerShell to cover their tracks. They also create a scheduled task named “network service” to list file names. 

There is evidence to suggest that Clasiopa uses two legitimate software packages in their attacks. One compromised computer was running Agile Digital Government Society (DGS) and Agile File Distribution (FD) servers, which are software developed by Jiangsu and used for document security and protection in transit. The attackers dropped malicious files into a folder named “dgs,” and one of the backdoors used was renamed from atharvan.exe to agile_update.exe. It is unclear if these software packages are being injected into or installed by the attackers. 

Another software package that Clasiopa appears to have used is HCL Domino (formerly IBM Domino), which was running on a compromised machine in close proximity to the execution of backdoors. However, it is unclear whether this was a coincidence or not. Both the Domino and Agile software packages seem to be using old certificates and vulnerable libraries. These findings suggest that Clasiopa is a well-resourced and technically proficient threat actor that poses a significant risk to organizations in the materials research industry. 

Clasiopa, the newly discovered threat actor targeting materials research organizations, has been observed utilizing a distinct toolset to carry out their attacks. These tools are highly specialized and designed to evade detection, making it difficult for researchers to identify the source of the attack. Below is a detailed description of the tools that Clasiopa has been observed using: 

Tools: 

Atharvan:  

Atharvan is a custom-developed Remote Access Trojan (RAT) that is unique to Clasiopa. The malware is used to establish a backdoor into a victim’s system, providing the attackers with full access to the compromised machine. Atharvan is designed to evade detection by using sophisticated anti-analysis techniques, such as code obfuscation and encryption. Once installed on a target system, Atharvan can perform a range of tasks, such as downloading and executing files, monitoring user activity, and exfiltrating sensitive data. Atharvan is a custom-developed Remote Access Trojan (RAT) used by Clasiopa to establish a backdoor into a victim’s system. Atharvan is named after a Hindu priest who was believed to have supernatural powers, and it creates a mutex named “SAPTARISHI-ATHARVAN-101” to ensure that only one copy of the malware is running on the compromised system. 

Once Atharvan is running on a victim’s system, it contacts a hardcoded Command-and-Control (C&C) server using HTTP POST requests. The C&C server is hardcoded to a specific location, which is not a common location for C&C infrastructure. In one of the samples analyzed, the hardcoded C&C addresses seen were for Amazon AWS South Korea (Seoul) region.  

The C&C communications are formatted as Hypertext Transfer Protocol (HTTP) POST requests, where the Host header is hardcoded as “update.microsoft.com.” The request body includes several parameters, including the “id” parameter, which is a hardcoded string “Atharvan,” and the “code” parameter, which represents the request’s purpose. The code parameter can be one of the following: 

• 101: Fetches commands 
• 102: Sends command outputs or error messages 

• 103: Fetches file body to write when processing command 0x12 

The communication schedule is another unusual feature of Atharvan. When configuring a communication schedule, the command parameters specify the times and days for the communication attempts. The days are interpreted as no restrictions, a bitmask specifying days of the month, or a bitmask specifying days of the week. Several different times can be specified, with the hour and minute of the day encoded. 

The malware uses its own simplistic HTTP parser to extract the body from the server response, and the extracted body is decrypted using a custom encryption algorithm. When fetching commands, the decrypted body is expected to contain a sequence of strings separated by the “\x1A” character. The first byte of each string specifies the command to execute, and the remaining bytes are interpreted as command parameters. 

Atharvan is a highly specialized malware tool that Clasiopa uses to establish a backdoor into a victim’s system. The malware uses a unique communication schedule and a custom encryption algorithm to evade detection, making it difficult for security researchers to identify and neutralize the threat. It is clear that Clasiopa is a well-resourced and technically proficient threat actor that poses a significant risk to organizations in the materials research industry. 

Lilith:  

Clasiopa has also been observed using modified versions of the publicly available Lilith RAT. Lilith is a powerful remote administration tool that can be used to control a compromised machine from a remote location. The modified versions of Lilith used by Clasiopa can carry out a range of tasks, including killing or restarting processes, modifying sleep intervals, uninstalling the RAT, executing remote commands or PowerShell scripts, and exiting the process. The modified versions of Lilith used by Clasiopa are highly versatile and can carry out a range of tasks, including: 

• Killing or restarting processes: The attackers can use Lilith to stop or restart processes running on the compromised system. This feature is useful for evading detection or interfering with normal system operations. 
• Modifying sleep intervals: Lilith can modify the sleep interval, which is the amount of time that the RAT waits between sending commands to the compromised system. By adjusting this interval, the attackers can control how often the compromised system communicates with the C&C server. 
• Uninstalling the RAT: The attackers can use Lilith to uninstall the RAT from the compromised system, thereby removing their access to the system. 
• Executing remote commands or PowerShell scripts: Lilith can be used to execute remote commands or PowerShell scripts on the compromised system. This feature allows the attackers to perform a range of actions, such as downloading and executing additional malware or stealing sensitive data. 

• Exiting the process: Lilith can be used to exit the process running on the compromised system. This feature is useful for evading detection or for terminating the RAT if the attackers no longer need access to the compromised system. 

Lilith is a powerful and versatile tool that provides Clasiopa with full control over a compromised system. The modified versions used by Clasiopa allow them to evade detection and maintain persistent access to the compromised systems, posing a significant threat to organizations in the materials research industry. 

Thumbsender:  

Thumbsender is a hacking tool that is used to gather information about a compromised machine. When the tool receives a command from a C&C server, it lists file names on the computer and saves them in a file called “Thumb.db” before sending them to a specified IP address. This tool is particularly useful for the attackers, as it allows them to gather information about the contents of a compromised system and determine which files are of value. 

Thumbsender is a lightweight and straightforward tool that does not have any advanced features like those found in Atharvan or Lilith. However, it is still a valuable tool for the attackers as it allows them to gather information about the compromised system. By listing the file names on the computer, the attackers can determine which files are of value and exfiltrate them. 

One of the unique features of Thumbsender is its ability to create a Thumb.db file to store the list of file names. This file is created in a location that is not usually monitored by security software, making it difficult to detect. Once the file has been created, Thumbsender sends it to a specified IP address. This IP address is usually a C&C server controlled by the attackers, allowing them to access the information remotely. 

Thumbsender is just one of the many tools used by Clasiopa to carry out their attacks. Although it is a relatively simple tool, it is still a valuable asset for the attackers, allowing them to gather important information about the compromised system. The use of Thumbsender highlights the need for organizations to implement comprehensive security measures to protect against such attacks. 

Custom Proxy Tool:  

Clasiopa has also developed a custom proxy tool that is used to obscure their activity on the victim’s system. The tool is designed to bypass firewalls and other security measures that may be in place, allowing the attackers to communicate with their C&C servers undetected. This tool is particularly useful for the attackers as it allows them to maintain a persistent presence on the victim’s system and evade detection for longer periods. 

The custom proxy tool is designed to be highly stealthy and difficult to detect. It operates by creating a proxy connection between the victim’s system and the attacker’s C&C server. This connection is designed to look like legitimate traffic, making it difficult for security software to identify the connection as malicious. 

One of the key features of the custom proxy tool is its ability to bypass firewalls and other security measures that may be in place. The tool is designed to be highly adaptable and can adjust its behavior based on security measures. This allows the attackers to maintain their access to the victim’s system, even if security measures are upgraded or changed. 

The use of a custom proxy tool highlights the sophistication of Clasiopa’s attack capabilities. By developing their own tools, the attackers can create highly specialized software that is tailored to their specific needs. This allows them to carry out attacks that are highly targeted and difficult to detect. 

The custom proxy tool developed by Clasiopa is a valuable asset for the attackers, allowing them to maintain a persistent presence on the victim’s system and evade detection for longer periods. The tool is designed to be highly adaptable and can bypass firewalls and other security measures that may be in place.  

Attribution: 

While the details of Clasiopa’s TTPs are becoming more apparent, the group’s origins and motivations remain unknown. The use of a Hindi mutex in the Atharvan backdoor, “SAPTARISHI-ATHARVAN-101,” suggests that the group may have ties to India, as Atharvan is a legendary Vedic sage of Hinduism. However, this could also be a deliberate attempt to mislead researchers, and false flags have been used in the past to misattribute attacks. 

Another piece of evidence that may suggest a link to India is the password used by the attackers for a ZIP archive, “iloveindea1998^_^.” While this could be seen as an overly obvious clue, it could also indicate a connection to India. However, it is important to note that this information should be considered with caution, as attackers often use false flags to misdirect investigators. 

The post request sent by Atharvan to the C&C server includes the arguments “d=%s&code=%d&cid=%s&time=%dtharvan.” While this does not provide any definitive evidence of Clasiopa’s location, it is possible that this information could be used in conjunction with other data to help identify the group’s location. 

Clasiopa Conclusion: Preventative Measures and Rapid Incident Response 

Clasiopa is a sophisticated attack group that poses a significant threat to organizations in the materials research industry. The group is characterized by a distinct toolset that includes a custom developed remote access Trojan (RAT) called Atharvan, modified versions of the publicly available Lilith RAT, a custom proxy tool, and a hacking tool called Thumbsender. These tools allow Clasiopa to maintain persistent access to compromised systems, evade detection, and gather valuable information about their targets.  

While there are some indications that Clasiopa may be based in India, the evidence is not conclusive. It is also possible that the group is deliberately attempting to mislead researchers. As such, more research and analysis will be needed to determine the group’s origins and motivations with any certainty. Organizations in the materials research industry should implement comprehensive security measures to protect against such attacks, including regular software updates, employee education, and the use of advanced threat detection tools. Additionally, it is critical that organizations remain vigilant and prepared to respond quickly and effectively in the event of an attack. Only through a combination of preventative measures and rapid incident response can organizations hope to protect themselves against the evolving threat landscape.