For the last few months, OnNet has witnessed a growth of new cyber gangs with some that broke off the major known groups and using some of the TTPs noticed from those groups. Though OnNet is still collecting and attributing to these so “new” operational actors behind the heists, a new wave of attacking Education Centers, Travel/Accommodation companies, Insurance organizations and hospitals has increased. One of major actors behind most of these intrusions are from a faction that broke out of SilentCads late 2019 to form a Finacial Threat group tracked by OnNet as The Consultants. Late 2019, after a money heist from a Crediting firm, OnNet team running counter cyber against this group, witnessed several uploads of scanned customer cheques to a Command Control server overseas during a penetration and active heist by The Consultants. This was also witnessed on accomodation and travel company in Nairobi that lost a lot of funds this January, 2020.
The Consultant have evolved to use of dwagent from www.dwservice.net which allows them to deploy an agent written as a service in C/C++ winapi as seen below.
void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
void WINAPI ServiceCtrlHandler(DWORD Opcode);
typedef bool (*FUPDATER)();
typedef void (*CallbackType)(const wchar_t*);
typedef bool (*FCALLBACKLOG)(CallbackType);
void trim(wstring& str, wchar_t c) {
string::size_type pos = str.find_last_not_of(c);
if (pos != string::npos) {
str.erase(pos + 1);
pos = str.find_first_not_of(c);
if (pos != string::npos) str.erase(0, pos);
} else str.erase(str.begin(), str.end());
}Dwagent as service has other utils like screencapture which is used by The Consultants teams to deploy capability to either view screen and capture screenshots during a cyber intrusion of a targeted organization.
The Remote Access Tool also has several python scripts for resources needed by the agent and for sustaining audit trail of each connection by dwservice. The logs generated by dwagent always disclose an incredible detailed information about the actor behind the screen during the intrusion..
The Terminal capability on a targeted system is run via a python toolkit as shown.
SHELL_INTERVALL_TIMEOUT = 45; #Seconds
class Shell():
def __init__(self, agent_main):
self._agent_main=agent_main
self._list = {}
self._list_semaphore = threading.Condition()
def destroy(self,bforce):
if not bforce:
self._list_semaphore.acquire()
try:
if len(self._list)>0:
return False
finally:
self._list_semaphore.release()
return TrueThis actor changes the name of the installation folder to hide the service directory of this Remote Access Toolkit, but this service spawns a process called dwagent.exe that connects to 85.10.192.135.
This actor has almost the same type of keylogger Silentcards uses, but with a few changes. During development of the code the actors named the python scripts, either voda.py or koko.py on their laptops/PCs. The keylogger is currently tracked as KoKologger by OnNet CTI team.
https://www.virustotal.com/gui/file/86b3d95efad0a74c324e3cc17156e511e5323a8a50a97df1d123a5f848d39902/detectionMD5 928f59d3701e9572c36530a526698372
SHA-1 193b25d17060ea878e0ef3a30419d561245621ebSHA-25686b3d95efad0a74c324e3cc17156e511e5323a8a50a97df1d123a5f848d39902
http://gryfeededy.livejournal.com
http://zolotaya-sonka.livejournal.com
http://pinaeva-lena.livejournal.com
https://islamnews.ru/V-Kirovskoj-oblasti-planiruetsja-razvitija-aviacionnogo-turizma