19 June 2023

Nation-state actor targets govts in the Middle East and Africa using rare techniques


Governmental entities in the Middle East and Africa have been targeted in a cyber-espionage campaign by a likely state-backed threat actor that employs previously undocumented and rarely seen credential theft and Exchange email exfiltration techniques.

The attacks, spotted by Palo Alto Networks' Cortex Threat Research team, have been linked to a threat cluster the team is currently tracking under the temporary name CL-STA-0043, which it describes as “a highly capable APT threat actor.”

The goal of the campaign was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.

While analyzing the attacks, the researchers discovered new evasive techniques and tools, such as an in-memory VBScript implant used to run a webshell clandestinely, as well as a novel Exchange email exfiltration method and a rare credential theft technique seen in the wild for the first time.

The infection chain starts with the threat actor exploiting vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to breach target networks. The researchers say they observed failed attempts to deploy the China Chopper webshell, followed by an attempt to deploy an in-memory VBScript implant from the Exchange server.

Upon gaining access to the target network, the threat actor performed reconnaissance activity to identify critical assets such as admin accounts, domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.

The attackers then used publicly available Windows privilege escalation tools (the Potato suite, which abuses token impersonation privileges held by service accounts) to create administrative accounts and to run various tools that require elevated privileges.

CL-STA-0043 leveraged a variety of credential theft tools and techniques, including Mimikatz, dumping the SAM hive, forcing WDigest to store credentials in plaintext, and dumping the NTDS.dit file from Active Directory using ntdsutil.exe. The most notable aspect, however, was the use of a proof-of-concept (PoC) technique first reported in August 2022 that had never previously been observed in real-world attacks: registering a malicious network provider DLL, which Windows loads into the logon process and hands the plaintext credentials of every interactive logon.

“Using this method, the attackers executed a PowerShell script that registered a new network provider, named ‘ntos’, set to execute a malicious DLL, ntos.dll, dropped by the attacker in the C:\Windows\system32 folder,” Palo Alto explained in a technical write-up.
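Both of the credential theft techniques named above leave a registry footprint that defenders can audit. The following PowerShell script is an added example written for this page, not code from Palo Alto's write-up or from the threat actor: it enumerates the network providers registered on the host, flags any that are not in an assumed baseline of Windows-native providers (the baseline list is my own and should be tuned per build; third-party VPN or file-system clients and WSL's P9NP may legitimately appear), checks the Authenticode signature of each provider DLL, and reports whether WDigest has been switched to plaintext caching. A provider such as "ntos" pointing at an unsigned DLL in System32 would surface here.

```powershell
# Added audit script (hypothetical, not from the original report).
# 1. Network providers: every name in ProviderOrder is a DLL that LSASS-adjacent
#    logon code loads and passes plaintext credentials to (NPLogonNotify).
# 2. WDigest: UseLogonCredential = 1 makes LSASS keep plaintext credentials in memory.

# Assumed baseline of Windows-native providers; adjust for your environment.
$Baseline = @('LanmanWorkstation', 'RDPNP', 'webclient')

$OrderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$Order     = (Get-ItemProperty -Path $OrderKey -Name ProviderOrder).ProviderOrder
$Providers = $Order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$Findings = foreach ($Name in $Providers) {
    # Each provider lives under its own service key with a NetworkProvider subkey.
    $NpKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\NetworkProvider"
    $Props   = Get-ItemProperty -Path $NpKey -ErrorAction SilentlyContinue
    $RawPath = $Props.ProviderPath
    $Path    = if ($RawPath) { [Environment]::ExpandEnvironmentVariables($RawPath) } else { $null }

    $SigStatus = 'NoFile'
    $Signer    = $null
    if ($Path -and (Test-Path -Path $Path)) {
        # Catalog-signed OS DLLs report Valid on supported Windows versions; treat
        # NotSigned on a baseline provider as worth a second look, not a verdict.
        $Sig       = Get-AuthenticodeSignature -FilePath $Path
        $SigStatus = $Sig.Status
        $Signer    = $Sig.SignerCertificate.Subject
    }

    $InBaseline = $Baseline -contains $Name
    [pscustomobject]@{
        Provider   = $Name
        InBaseline = $InBaseline
        DllPath    = $Path
        Signature  = $SigStatus
        Signer     = $Signer
        # Unknown provider name OR a DLL that is missing, unsigned, or badly signed.
        Suspicious = (-not $InBaseline) -or ($SigStatus -ne 'Valid')
    }
}

$Findings | Format-Table -AutoSize
$Findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Network provider '{0}' -> '{1}' (signature: {2})" -f $_.Provider, $_.DllPath, $_.Signature)
}

# WDigest plaintext caching check.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$WDigest    = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
if ($WDigest -and $WDigest.UseLogonCredential -eq 1) {
    Write-Warning 'WDigest UseLogonCredential is 1: LSASS is caching plaintext credentials.'
} else {
    Write-Output 'WDigest UseLogonCredential is absent or 0 (default on Windows 8.1/2012 R2 and later).'
}
```

Run it in an elevated PowerShell session on the host being investigated; the registry keys involved are readable by administrators only. Because the network provider key is read at logon, a provider added by an attacker stays silent until the next interactive or RDP logon, so a clean process listing does not rule the technique out; the registry audit does.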

The group was also observed using an open-source penetration testing toolset named Yasso to perform an NTLM spray attack, and abusing the Exchange Management Shell and PowerShell snap-ins (PSSnapins) to steal emails of interest. A variation of the latter method was previously seen in attacks linked to a Chinese cyber-espionage group known as Hafnium or Silk Typhoon.

“While the research is still ongoing, and the full identity of the threat actor/s is still being studied, we believe that the level of sophistication, determination and espionage motives bear the hallmarks of a true advanced persistent threat, potentially operating on behalf of nation-state interests. In the same vein, this sheds light on how threat actors seek to obtain non-public and confidential information about geopolitical related topics and high-ranking public service individuals,” the researchers concluded.
