Malware Campaign Deploys Godzilla Webshells To Flatten Healthcare, Defense And Energy Systems

This weekend, cyber-security firm Palo Alto Networks released a detailed analysis of an ongoing hacking campaign targeting technology, defense, healthcare, energy, and education industries. The attack targets Zoho's ManageEngine ADSelfService Plus password management system and uses vulnerability CVE-2021-40539 to gain remote code execution on the affected servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning of the then-ongoing attacks way back on September 16. Ever since then, Palo Alto Networks has been monitoring the attacks and has found that "at least nine global entities" have been compromised out of some 370 vulnerable systems.

Once the attackers gained access, they would drop in the Godzilla webshell, and sometimes, the NGLite backdoor. Using the functions provided by those tools, the attackers traversed the networks to find domain controllers, where they would install what Palo Alto calls "KdcSponge," a new credential-stealing tool. According to Palo Alto Networks, the goal of the attackers seemed to be primarily to open a hole and maintain access to these networks, although privileged data was also stolen.

Godzilla is a webshell like many others, allowing remote access to the compromised machine via HTTP requests. The primary unique feature of this particular shell is that it uses AES encryption for all of its network traffic. That, along with various other aspects of its design, lend it an extremely low detection rate across the range of security products on the market.

Meanwhile, NGLite is a backdoor trojan that will only accept commands through its command and control (C2) channel. That's not unusual in and of itself, but NGLite's C2 channel is: it uses the New Kind of Network (NKN) decentralized blockchain to communicate between the compromised system and the threat actors. Because of the decentralized nature of NKN, it's very difficult to block or detect access to NGLite after infection.

Finally, KdcSponge is a new tool apparently created by the threat actors behind these attacks, and it hooks into Windows' Local Security Authority Subsystem Service (LSASS) to snake credentials. It uses undocumented API functions in the Kerberos module to do so. Once the credentials have been stolen, it writes them in simple encrypted format to a file called "system.dat" where they can be retrieved by one of the other tools.

Palo Alto Networks is unwilling to credit the attacks to any particular agency or group, but notes that the methodology for these attacks exactly matches that of "Threat Group 3390", also known as Emissary Panda, APT27, Iron Tiger, Bronze Union, and other names. TG-3390 is a threat group sponsored by the Chinese government. If you think you've been impacted in these attacks, Palo Alto has an e-mail address for you to contact at the bottom of its blog post.