As soon as behind the captive portal, the web page initiates the Home windows Take a look at Connectivity Standing Indicator, a professional service that determines whether or not a tool has Web entry by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect. That web site, in flip, redirects the browser to msn[.]com. As Thursday’s submit defined:
As soon as the system opens the browser window to this deal with, the system is redirected to a separate actor-controlled area that doubtless shows a certificates validation error which prompts the goal to obtain and execute ApolloShadow. Following execution, ApolloShadow checks for the privilege degree of the ProcessToken and if the gadget just isn’t working on default administrative settings, then the malware shows the consumer entry management (UAC) pop-up window to immediate the consumer to put in certificates with the file title CertificateDB.exe, which masquerades as a Kaspersky installer to put in root certificates and permit the actor to achieve elevated privileges within the system.
The next diagram illustrates the an infection chain:
ApolloShadow invokes the GetTokenInformationType API to test if it has ample system rights to put in the foundation certificates. If not, the malware makes use of a classy course of that spoofs a web page at hxxp://timestamp.digicert[.]com/registered, which in flip sends the system a second-stage payload within the type of a VBScript.
As soon as decoded, ApolloShadow relaunches itself and presents the consumer with a Person Entry Management window in search of to raise its system entry. (Microsoft supplied many extra technical particulars concerning the approach in Thursday’s submit.)
If ApolloShadow already has ample system rights, the malware configures all networks the host connects to as non-public.
“This induces a number of adjustments together with permitting the host gadget to turn out to be discoverable and stress-free firewall guidelines to allow file sharing,” Microsoft defined. “Whereas we didn’t see any direct makes an attempt for lateral motion, the principle purpose for these modifications is prone to scale back the problem of lateral motion on the community.” (The Microsoft submit additionally supplied technical particulars about this method.)
Microsoft mentioned the flexibility to trigger contaminated gadgets to belief malicious websites permits the menace actor to take care of persistence, doubtless to be used in intelligence assortment.
The corporate is advising all prospects working in Moscow, notably delicate organizations, to tunnel their visitors by way of encrypted tunnels that hook up with a trusted ISP.
