EconomyTech

WINDSHIFT Attacks Target Middle Eastern Governments

DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles (here and here) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.

The WINDSHIFT activity observed by Unit 42 falls between January and May of 2018.

Middle Eastern Government Agency Attack Timeline

The first attack occurred in early January of 2018 with an inbound WINDTAIL sample (the backdoor family used by WINDSHIFT) originating from the remote IP address 109.235.51[.]110 to a single internal IP address within the government agency. At the time this event occurred, the IP address 109.235.51[.]110 was associated with the domain flux2key[.]com, a known WINDSHIFT domain. Upon further analysis, Unit 42 determined the sample’s corresponding C2 server IP address was 109.235.51[.]153. At the time this event occurred, that IP was associated with the domain string2me[.]com, which is a known WINDSHIFT domain. While Unit 42 does not have any insight into the attempted infection methodology in this case, the actor’s TTPs would suggest that spearphishing was almost certainly involved.

After the initial infection attempt, several additional WINDTAIL samples from the same external IP address, 109.235.51[.]110, were directed at the same internal IP address from January through May of 2018 (see Figure 2 for additional details). All related WINDTAIL samples were Mac OSX app bundles in zip archives, which is consistent with WINDSHIFT TTPs.

Conclusion

By analyzing this attack in detail, Unit 42 was able to gain valuable insight into the real-world TTPs of a known threat actor group. Of particular importance are the following findings:

  • Unit 42 assesses with high confidence that both the IP address 185.25.50[.]189 and the domain domforworld[.]com are associated with WINDSHIFT activity. Additionally, the IP addresses 109.235.51[.]110 and 109.235.51[.]153, corresponding to the previously validated WINDSHIFT domains flux2key[.]com and string2me[.]com, respectively, were also observed in use during this campaign.

  • The attacker-owned IP address 109.235.50[.]191 was subsequently identified in a Norman Security report from as being associated with Hangover threat actor activity, and both IP addresses 109.235.51[.]110 and 109.235.50[.]191 shared the name “XENEUROPE” within their organizational registrant WHOIS information. This organizational name is tied to a number of IP addresses of Hangover-associated infrastructure as per the Norman report. Collectively, this evidence serves to strengthen the implication from other security researchers that Operation Hangover and WINDSHIFT activity are possibly related.

  • Based on Unit 42’s observations of multiple inbound WINDTAIL samples directed at the same internal IP address, Unit 42 assesses with moderate confidence that the attackers were not able to establish persistence within the targeted environment. Evidence of this can be seen in the table of observed samples shown above, as filenames and hashes for inbound WINDTAIL samples changed several times. While Unit 42 cannot definitively determine the attempted delivery vector of these samples, WINDTAIL TTPs would indicate that it was likely standard spearphishing chicanery.

  • One of two of the Mac OSX developer certificates tied to the WINDTAIL samples shown in DarkMatter’s original presentation, Caren Van (4F9G49SUXB), was also tied to the WINDTAIL samples within this blog. Additionally, a newly identified certificate, warren portman (95RKE2AA8F), was found to be directly affiliated with WINDSHIFT malware as shown in the table above.
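The timeline above and the findings just listed both come down to matching traffic against a small set of network indicators and then pivoting on what matches: the same external address delivering repeated samples to one internal host, Mac app bundles arriving in zip archives, and a shared WHOIS organisation name linking otherwise separate IPs. The script below is an added example, not Unit 42 code, that runs those checks over a handful of constructed firewall log lines. It uses only the IP addresses and domains published in the write-up (kept defanged, and re-fanged at match time); the key=value log layout, the sample log lines, the file names and the WHOIS records are assumptions made for the example, except for the XENEUROPE association, which the write-up states.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Network indicators from the write-up, kept defanged exactly as published.
WINDSHIFT_IPS = {"109.235.51[.]110", "109.235.51[.]153", "185.25.50[.]189", "109.235.50[.]191"}
WINDSHIFT_DOMAINS = {"flux2key[.]com", "string2me[.]com", "domforworld[.]com"}


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('1.2.3[.]4') into its matchable form."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(i) for i in WINDSHIFT_IPS}
IOC_DOMAINS = {refang(d) for d in WINDSHIFT_DOMAINS}

# 'TIMESTAMP key=value key=value ...' is an assumed log layout for this example.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into a dict; the leading timestamp is stored under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def host_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    if ev.get("src") in IOC_IPS:
        reasons.append("src-ip-ioc")
    if ev.get("dst") in IOC_IPS:
        reasons.append("dst-ip-ioc")
    if host_matches(ev.get("host", "")):
        reasons.append("host-ioc")
    # WINDTAIL arrived as Mac app bundles inside zip archives; weak signal on its own.
    if ev.get("file", "").lower().endswith(".app.zip"):
        reasons.append("app-bundle-zip")
    return reasons


def scan_logs(lines: List[str]) -> List[Dict]:
    """Return every parsed event that triggered at least one rule, with its reasons."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def is_internal(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def targeted_internal_hosts(hits: List[Dict]) -> Counter:
    """Count how often each internal address appears in a hit, on either side of the flow."""
    counts: Counter = Counter()
    for h in hits:
        for side in ("src", "dst"):
            if is_internal(h.get(side, "")):
                counts[h[side]] += 1
    return counts


def pivot_whois_org(records: Dict[str, str], org: str) -> set:
    """Return every IP whose WHOIS organisation name equals org (case-insensitive)."""
    want = org.casefold()
    return {ip for ip, name in records.items() if name.casefold() == want}


# Constructed log lines: 10.20.30.x is the agency's internal range, file names are made up.
SAMPLE_LOGS = [
    "2018-01-09T08:12:33Z src=109.235.51.110 dst=10.20.30.40 host=flux2key.com file=invite.app.zip",
    "2018-01-09T08:13:01Z src=10.20.30.40 dst=109.235.51.153 host=string2me.com file=-",
    "2018-01-09T09:00:00Z src=10.20.30.41 dst=93.184.216.34 host=example.com file=report.pdf",
    "2018-03-15T11:42:10Z src=10.20.30.40 dst=203.0.113.7 host=cdn.domforworld.com file=update.app.zip",
]

# Constructed WHOIS organisation names; only the XENEUROPE entries reflect the write-up.
SAMPLE_WHOIS = {
    "109.235.51.110": "XENEUROPE",
    "109.235.50.191": "XENEUROPE",
    "93.184.216.34": "Example-Org",
}

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(h["ts"], h["src"], "->", h["dst"], h["reasons"])
    print("internal hosts seen in hits:", dict(targeted_internal_hosts(found)))
    print("IPs sharing WHOIS org XENEUROPE:", sorted(pivot_whois_org(SAMPLE_WHOIS, "XENEUROPE")))
```

On the constructed input the first, second and fourth lines are flagged, and the internal host 10.20.30.40 appears in all three hits, which is the repeated-targeting pattern the write-up describes. The `app-bundle-zip` rule is deliberately kept separate from the indicator rules: in a Mac-heavy environment it will fire on legitimate downloads, so it is useful as enrichment on an IoC hit rather than as an alert on its own.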

Palo Alto Networks customers are protected from this threat.
