Concise Cyber

PassiveNeuron: Sophisticated APT Campaign Targets Servers with Custom Implants and Cobalt Strike

Cybersecurity researchers have detailed a sophisticated cyberespionage campaign identified as PassiveNeuron, which targeted servers belonging to high-profile organizations. The operation leveraged custom-built Advanced Persistent Threat (APT) implants alongside the Cobalt Strike framework to infiltrate and persist within victim networks.

The targets of the PassiveNeuron campaign included entities in the telecommunications, finance, and government sectors, with a specific geographical focus observed in the Middle East. The attackers gained initial access by exploiting vulnerabilities in public-facing servers, including Microsoft Exchange.

Attack Framework and Technical Execution

Following a successful breach, the operators deployed the Cobalt Strike framework to facilitate post-exploitation activities such as lateral movement and internal network reconnaissance. A key component of the campaign was a custom modular backdoor named LightBeacon. This implant was engineered for stealth, communicating with its command-and-control (C2) infrastructure over HTTP/S.

LightBeacon’s functionality included the ability to execute shell commands, manage file transfers, and load additional malicious modules. The threat actors also utilized another custom tool, a downloader called DownEx, to fetch subsequent payloads. The campaign’s operators demonstrated a high degree of operational security by taking steps to clean up artifacts and traces of their activity to avoid detection.
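As an added defender-side illustration (this is not code from the Securelist report or from this newsletter), the script below looks for the traffic shape that HTTP/S implants such as LightBeacon and Cobalt Strike beacons tend to produce: one internal host contacting one external host at near-constant intervals. The proxy log format, hostnames, addresses and timestamps are all constructed for the demonstration, and the coefficient-of-variation threshold and minimum sample count are assumptions a team would tune against its own baseline.

```python
"""Beaconing detection over constructed proxy log lines.

Added example, not from the PassiveNeuron report. Flags (src, dst) pairs whose
request gaps are numerous and near-constant, a pattern typical of periodic
check-ins by HTTP/S backdoors. Every value in SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <method> <status>"
# 10.0.0.5 checks in with updates.example-cdn.test roughly every 60 s (beacon-like),
# while its intranet traffic is bursty and irregular (normal user behaviour).
SAMPLE_LOG = """\
2024-06-01T10:00:00 10.0.0.5 updates.example-cdn.test GET 200
2024-06-01T10:00:05 10.0.0.5 intranet.corp.test GET 200
2024-06-01T10:00:07 10.0.0.5 intranet.corp.test GET 200
2024-06-01T10:00:40 10.0.0.5 intranet.corp.test POST 302
2024-06-01T10:01:02 10.0.0.5 updates.example-cdn.test GET 200
2024-06-01T10:01:58 10.0.0.5 updates.example-cdn.test GET 200
2024-06-01T10:03:01 10.0.0.5 updates.example-cdn.test GET 200
2024-06-01T10:03:59 10.0.0.5 updates.example-cdn.test GET 200
2024-06-01T10:04:10 10.0.0.5 intranet.corp.test GET 200
2024-06-01T10:04:12 10.0.0.5 intranet.corp.test GET 200
2024-06-01T10:05:00 10.0.0.5 updates.example-cdn.test GET 200
2024-06-01T10:06:30 10.0.0.9 mail.corp.test GET 200
2024-06-01T10:12:00 10.0.0.5 intranet.corp.test GET 200
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # malformed timestamp: ignore rather than abort the whole run
        yield ts, parts[1], parts[2]


def intervals_per_pair(text):
    """Group requests by (src, dst) and return the gaps in seconds between consecutive requests."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    gaps = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(text, min_intervals=4, max_cv=0.2):
    """Return pairs whose gaps are numerous and near-constant.

    The coefficient of variation (stdev / mean) is low for periodic check-ins,
    even with modest jitter, and high for human-driven browsing. Both thresholds
    are assumed starting points, not values from the report.
    """
    hits = {}
    for pair, gaps in intervals_per_pair(text).items():
        if len(gaps) < min_intervals:
            continue  # too few samples to say anything about periodicity
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"requests": len(gaps) + 1, "mean_gap_s": avg, "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats}")
```

On the constructed sample only the 10.0.0.5 to updates.example-cdn.test pair is reported (six requests, a 60 s mean gap, CV about 0.04); the intranet traffic has gaps ranging from 2 s to several minutes and is skipped, as is the single mail request. In practice the same statistics are computed per day over real proxy or NetFlow data and the hits are triaged against known-good update and telemetry endpoints, since legitimate software also polls on a schedule.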

Malware Arsenal and TTP Overlaps

The PassiveNeuron toolset is distinguished by its custom malware. The LightBeacon implant served as the primary tool for maintaining long-term access and control over compromised systems. Its modular architecture allowed the attackers to deploy specific functionalities as needed for their objectives. The use of the DownEx downloader illustrates a staged infection process designed to minimize the initial compromise footprint.

Analysis of the tactics, techniques, and procedures (TTPs) associated with PassiveNeuron shows overlaps with the activity of the threat actor known as Gallium (also tracked as Softcell). This connection is based on similarities in infrastructure and malware characteristics observed across campaigns attributed to the group.

Source: https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/