SoreFang Downloader
SoreFang is a newly observed trojan designed by APT29 to act as a first-stage implant and downloader for their other tools. It targets a number of previously unknown vulnerabilities in SangFor network devices.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
SoreFang is a newly observed backdoor and downloader believed to have been created by the APT29 advanced persistent threat group for use as a first-stage in their campaigns.
COVID-19 Vaccine Campaigns
Beginning in early 2020, APT29 started conducting campaigns using SoreFang, among other tools, against COVID-19 vaccine research and development organisations.
Delivery
As with other APT29-developed tools, SoreFang is delivered after a period of extensive network reconnaissance against targets to ascertain if they have exposed or vulnerable services, specifically those related to SangFor VPN systems. The group then deploys a number of previously unseen exploits against these services to gain access.
APT29 will also use sophisticated spear-phishing attacks to obtain credentials for internet-facing login pages.
Activities
Once delivered, SoreFang will attempt to replace the firmware on all SangFor VPN servers on the network; as VPN clients connect to these servers SoreFang is installed in place of the original firmware.
SoreFang then checks for the presence of a number of files on affected clients, collecting system and file enumeration information if they are not present. This information is then encrypted and sent to a command and control server where it is used to determine the type of payload to be delivered.
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
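The lockout, authorised-location and monitoring points above can be checked mechanically against authentication logs. The following is an added example, not code from NHS Digital or the NCSC advisory: it replays a handful of constructed log lines (the hosts, account names and addresses are invented placeholders) through a simple lockout policy, and flags two things a monitoring team would want to see, an administrative login from outside the authorised network and any activity that still succeeds while the account should have been locked out. The threshold, window and lockout duration are hypothetical values chosen for the illustration.

```python
"""Lockout-policy and authorised-source check over constructed auth log lines."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy parameters (hypothetical values for the example).
FAIL_THRESHOLD = 5                       # failures within FAIL_WINDOW trigger a lockout
FAIL_WINDOW = timedelta(minutes=10)
LOCKOUT_DURATION = timedelta(minutes=30)
ADMIN_ACCOUNTS = {"admin"}
# Networks from which administrative logins are authorised (constructed range).
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines; not taken from any real device or incident.
SAMPLE_LOGS = [
    "2020-07-20T09:00:01Z auth FAIL user=admin src=198.51.100.7",
    "2020-07-20T09:00:05Z auth FAIL user=admin src=198.51.100.7",
    "2020-07-20T09:00:09Z auth FAIL user=admin src=198.51.100.7",
    "2020-07-20T09:00:12Z auth FAIL user=admin src=198.51.100.7",
    "2020-07-20T09:00:15Z auth FAIL user=admin src=198.51.100.7",
    "2020-07-20T09:00:18Z auth OK   user=admin src=198.51.100.7",
    "2020-07-20T09:10:00Z auth FAIL user=jsmith src=203.0.113.4",
    "2020-07-20T09:40:00Z auth OK   user=jsmith src=203.0.113.4",
]


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, _, result, user_kv, src_kv = line.split()
    timestamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return timestamp, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def evaluate(lines):
    """Replay log lines in order and return findings as (timestamp, user, src, kind)."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked_until = {}                     # user -> time at which the lockout expires

    for line in lines:
        ts, result, user, src = parse_line(line)
        is_locked = user in locked_until and ts < locked_until[user]

        # Rule 1: a successful administrative login from a non-authorised network.
        if result == "OK" and user in ADMIN_ACCOUNTS:
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in ADMIN_ALLOWED_NETS):
                findings.append((ts, user, src, "admin_success_from_unauthorised_source"))

        # Rule 2: any activity while the account should be locked out means the
        # lockout is not being enforced at the service; a success is the worst case.
        if is_locked:
            kind = "attempt_during_lockout" if result == "FAIL" else "success_during_lockout"
            findings.append((ts, user, src, kind))

        if result == "FAIL":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()        # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD and not is_locked:
                locked_until[user] = ts + LOCKOUT_DURATION
                findings.append((ts, user, src, "lockout_triggered"))
                window.clear()
        else:
            recent_failures[user].clear()  # a success resets the failure counter

    return findings


if __name__ == "__main__":
    for ts, user, src, kind in evaluate(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {user:<8} {src:<15} {kind}")
```

Running the block against the sample lines produces three findings: the lockout is triggered on the fifth failure against `admin`, and the login three seconds later is then reported twice, once because it succeeded while the account should have been locked and once because it came from outside the authorised administrative network. The single failure for `jsmith` never reaches the threshold and produces nothing.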
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
NCSC link
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
Last edited: 23 July 2020 10:19 am