Avast Threat Intelligence Team stated that it tried to notify the agency about the intrusion but didn’t receive any favorable response, which is why it decided to disclose its findings.
Czech security firm Avast reported that a backdoor was identified in a US federal agency’s network, the United States Commission on International Religious Freedom (USCIRF).
Reportedly, the attackers targeted the agency in an APT-inspired operation and installed a backdoor to compromise its internal network.
Avast Threat Intelligence Team stated that it tried to notify the agency about the intrusion but didn’t receive any favorable response, which is why it decided to disclose its findings. Though Avast didn’t reveal the agency’s name in its report, its representative later disclosed the name.
“We contacted the agency and spoke to its executive director in May. We also reached out to the incident response wing of the federal government over the proper channels, providing all the information we had collected over this case, including a malware sample. CISA was one of the agencies we talked to in order to help us reach the victim, ,” Avast’s representative stated.
The attack allowed attackers to intercept and exfiltrate all local network traffic on the compromised systems. The attackers gained total network visibility and obtained full control of the system, which they used as the initial step in their multi-stage attack to penetrate the agency’s networks deeply.
According to Avast, the attack was conducted in two stages. The attacker(s) deployed two malicious binaries to enable internet traffic interception, execute the code of their choice, and gain control of the infected system by abusing Windows’ WinDivert packet capturing utility.
Flowchart shared by Avast:
Avast revealed that at the moment, it has information about a few “parts of the attacking puzzle,” and many critical aspects are yet to be discovered. Such as the nature of the initial access vector attackers used to breach the agency’s network, post-exploitation actions sequence, and the breach’s overall impact on the agency.
“It is reasonable to presume that some form of data gathering and exfiltration of network traffic happened, but that is informed speculation. That said, we have no way to know for sure the size and scope of this attack beyond what we’ve seen,” researchers noted.
How does the Backdoor Works?
The backdoor replaces a standard Windows file named oci.dll with two malicious files. One is used in the first stage and the other during the later stage. The first file implements WinDivert, through which the attackers download and execute malicious code on the compromised system, bypass firewalls, and monitor the network.
Researchers identified that during the second stage, the attackers replaced the oci.dll downloader with a code that decrypted a malicious file named SecurityHealthServer.dll, which is then loaded into its memory.
This decryptor is pretty similar to another executable rcview40u.dll identified by Trend Micro in 2018 during the Operation Red Signature supply chain attack targeted against South Korean organizations.
Avast researchers suspect that the attackers who targeted USCIRF had access to the source code of the executable.