- APT -

Last update 09.10.2017 12:41:24


PROMETHIUM and NEODYMIUM APTs used same Zero-Day to Target Turkish citizens
16.12.2016 securityaffairs

Microsoft discovered two distinct APT groups, PROMETHIUM and NEODYMIUM, that exploited the same Flash Player zero-day flaw against the same targets.
Security researchers have discovered two distinct APT groups, PROMETHIUM and NEODYMIUM, that exploited the same Flash Player zero-day vulnerability (CVE-2016-4117) in cyber espionage campaigns on Turkish citizens living in Turkey and various other European countries. Both groups exploited the flaw before its public disclosure and against the same type of targets.

We have already read about the activities of the PROMETHIUM APT group in a report published by Kaspersky Lab that named it StrongPity. In October, Kaspersky published a report on cyber espionage activities conducted by the StrongPity APT, which mostly targeted Italians and Belgians with watering hole attacks.

The experts noticed many similarities in the operations of both groups, a circumstance that suggests a possible link between them. The APT groups used different infrastructure and malware, but there are some similarities that indicate a possible connection at a higher organizational level.

The flaw was patched by Adobe on May 12; it also appears in a report published by the firm Recorded Future on the most common vulnerabilities used by threat actors in exploit kits.

The PROMETHIUM APT has been active since at least 2012. The hackers used instant messaging applications as the attack vector and shared malicious links that pointed to documents exploiting the CVE-2016-4117 vulnerability. Microsoft observed that the attackers used a specific strain of malware dubbed Truvasys that was designed to compromise target devices with Turkish locale settings.

“The attack itself began with certain individuals receiving links in instant messenger clients. These links led to malicious documents that invoked exploit code and eventually executed a piece of malware called Truvasys on unsuspecting victims’ computers” states the Microsoft Security Intelligence Report.

The PROMETHIUM APT also used another malware dubbed Myntor in targeted attacks.

NEODYMIUM also exploited the CVE-2016-4117 flaw in targeted attacks in May via spear-phishing messages. This second APT leveraged a backdoor, dubbed Wingbird, that shows many similarities with the FinFisher surveillance software.

“NEODYMIUM used a backdoor detected by Windows Defender as Wingbird, whose characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks” continues the Report.


The vast majority of the NEODYMIUM victims were located in Turkey (80%), but several infections were also detected in the U.S., Germany and the U.K.

Let me suggest reading the Microsoft Security Intelligence Report to have more details on PROMETHIUM and NEODYMIUM, including indicators of compromise (IoC).

APT 28 group is ramping up information warfare against Germany

11.12.2016 securityaffairs APT

According to German intelligence, the APT 28 group, also known as Fancy Bear, is ramping up information warfare against Germany and the rest of the West.
US intelligence agencies blame the Russian government for ramping up infowar against the US and the West. According to the US Government, Russian-state hackers hacked the Democratic National Committee (DNC) and other political organizations worldwide.

Hackers conducted campaigns to interfere with the internal affairs of foreign states; the latest victim is Germany, according to Germany’s chief of domestic intelligence, who warned of this threat last week.

On December 8, Germany’s Bundesamt für Verfassungsschutz (BfV) issued a press release warning of a rise in Russian propaganda and hacking campaigns.

“We see aggressive and increased cyber spying and cyber operations that could potentially endanger German government officials, members of parliament and employees of democratic parties,” reads a statement issued by Hans-Georg Maassen, head of the BfV agency.

The goal of the Russian hackers is to spread uncertainty and strengthen extremist groups and parties, with the intent to “weaken or destabilise the Federal Republic of Germany.”

Both the heads of the German foreign intelligence agency (BND), Bruno Kahl, and the domestic intelligence agency (BfV), Hans-Georg Maassen, have warned about increasing Russian cyber operations in the country.

APT 28 against Germany
Foto: Johannes Simon/ ddp

Social media are becoming a new battlefield: the BfV observed a spike in propaganda activities as part of PSYOPs and noted an increased number of “spear phishing attacks against German political parties and parliamentary groups.” German intelligence confirmed that the hackers are using the same strains of malware that were used to break into the systems of the US Democratic National Committee.
“Spear-phishing against political parties and parliamentary groups have increased dramatically. They are attributed to the APT 28 campaign, which was also responsible for the DNC hack. APT 28 successfully exfiltrated data from the German Bundestag in 2015.”

In March, security experts at Trend Micro, who have long followed the operations of the Russian-linked Pawn Storm cyber spies (aka APT 28, Sednit, Sofacy, Fancy Bear and Tsar Team), discovered that the Russian spies targeted the political party of Chancellor Angela Merkel, the Christian Democratic Union.

Some experts speculate that the recent attack against the Deutsche Telekom routers is also linked to Russia.

The German Parliament, the Bundestag, was targeted by hackers that also hit a number of German politicians, including the Chancellor Angela Merkel.

“Such cyber-attacks, or hybrid conflicts as they are known in Russian doctrine, are now part of daily life and we must learn to cope with them.” commented the Chancellor Angela Merkel.

“There are findings that cyber-attacks take place which have no other meaning than to create political uncertainty. There is a kind of pressure on public discourse and on democracy, which is unacceptable.” Kahl told the Süddeutsche Zeitung, “Attribution to a state actor is technically difficult, but there is some evidence that it is at least tolerated or desired by the state.”

German intelligence has observed a rise in Russian online propaganda in Germany since the start of the Ukraine crisis.

“Since the start of the Ukraine crisis, we have seen a significant increase in Russian propaganda and disinformation campaigns in Germany.” reads a statement issued by the BfV.

German intelligence has explicitly blamed APT28 as the threat actor behind the hacking campaign used for disinformation activities; the group appears to specialize in false flag operations. Something similar occurred when Russian hackers broke into the French TV5 network pretending to be an ISIS-linked group.

“This approach represents a previously unseen methodology in campaigns that are controlled by Russia.”

According to Maassen, APT 28 activity is responsible for an unprecedented disinformation campaign.

“Propaganda, disinformation, cyber-attacks, cyber espionage and cyber sabotage are part of hybrid threats against western democracies.” said Maassen, warning of a significant increase in political cyber espionage.

“Stolen information could be used in the election campaign to discredit German politicians.”

The Kremlin, for its part, denies any involvement, warns the US, and has asked Washington for clarifications about US cyber threats.

Chinese hackers behind the CNACOM campaign hit Taiwan website

6.12.2016 securityaffairs APT

Security firm Zscaler has been monitoring a cyber espionage campaign dubbed ‘CNACOM’ that was targeting government organizations in Taiwan.
Security researchers from the firm Zscaler have been monitoring a cyber espionage campaign dubbed ‘CNACOM’ that was targeting government organizations in Taiwan. According to the researchers, the hackers behind the CNACOM campaign are linked to China and exploited an IE vulnerability, tracked as CVE-2016-0189, patched by Microsoft in early 2016.

The CVE-2016-0189 had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

In order to trigger the vulnerability, victims have to visit a compromised website or open a spear-phishing email containing a malicious link.

The threat actors used watering hole attacks to spread malware; among the sites compromised by the hackers is that of a major public service organization in Taiwan.

Experts from the startup Theori reverse engineered the MS16-053 update that fixed the CVE-2016-0189 flaw and published a PoC exploit for the vulnerability.

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters, who included it in the Neutrino EK, as confirmed by FireEye.

Since researchers released the full proof of concept for the CVE-2016-0189 flaw, experts at Zscaler ThreatLabZ have been closely tracking its proliferation.

The exploit code for the flaw was first spotted as part of the Sundown exploit kit (EK); later it was included in the Magnitude and KaiXin EKs.

“This blog details CNACOM, a web-based campaign that appears to be related to a well-known nation-state actor more commonly associated with spear-phishing attacks.” reads the analysis published by Zscaler. “On November 7, we spotted a malicious injection on the registration page of a major Taiwanese public service website. An iframe was injected into the footer of the page, which then loaded a unique landing page containing the CVE-2016-0189 exploit code.”

cnacom campaign

The hackers behind the CNACOM campaign used the same PoC code, but they also leveraged another Internet Explorer privilege escalation flaw, tracked as CVE-2015-0016.

The experts highlighted that the CNACOM campaign specifically targeted Taiwanese government entities. The exploit code collects information from the device, including its IP address. If the victim uses IE and the IP address belongs to the Taiwanese government, the exploit delivers a strain of the Ixeshe malware.

The Ixeshe malware has been around since at least 2009. In August 2013, security experts at FireEye observed a series of cyber attacks conducted by the Chinese APT group known as APT12 targeting the US media. The experts linked the threat actors to the campaign that targeted the New York Times in 2012.

The variant of Ixeshe malware used in the CNACOM campaign is different from older ones.

“Unlike many historical IXESHE samples, it appears that this variant doesn’t utilize campaign codes embedded in the malware itself. This may be due to a more centralized tracking system that only relies on the malware reporting a machine ID.” continues the analysis.

Government agencies and private firms in Taiwan are often victims of cyber espionage likely launched by Chinese hackers; a few weeks ago the Tropic Trooper APT hit Taiwanese government organizations and companies in the energy sector.

Tropic Trooper APT targets Taiwanese Government and companies in the energy sector
23.11.2016 securityaffairs APT

The Tropic Trooper APT continues to target Asia, this time Taiwanese government organizations and companies in the energy sector.
The Tropic Trooper APT has been active since at least 2012; it was first spotted last year by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

Now researchers from Palo Alto Networks report that the group targeted the secretary general of Taiwan’s Executive Yuan and a fossil fuel provider with a strain of malware called Yahoyah. The attackers leverage an exploit for the CVE-2012-0158 vulnerability; the same flaw was exploited by many other APT groups, including Lotus Blossom, NetTraveller, and The Four Element Sword APT.

Palo Alto Networks discovered that the group used Poison Ivy in its campaigns, a circumstance that had already emerged in the Trend Micro analysis.

“The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT.” states the report published by Palo Alto Networks. “This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.”

The hackers launched a spear-phishing campaign to trick victims into opening specially crafted decoy documents. The Excel file sent to the Executive Yuan purports to come from a staff member at the Democratic Progressive Party; the document is related to political issues.

Tropic Trooper APT targets Taiwanese Government

After infecting the target machine, the malware displays to the victim a clean document that contains the content of interest.

“All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People’s Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or progressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by progressive supporters.” continues the report.

If you are interested in more information on the Tropic Trooper APT, including IoCs for its malware, take a look at the report.

Pawn Storm APT conducted spear-phishing attacks before zero-days were fixed
18.11.2016 securityaffairs APT

The Pawn Storm APT group exploited some zero-day vulnerabilities in targeted attacks across the world before they were patched.
The Pawn Storm APT group, also known as APT28 and Fancy Bear, exploited some zero-day flaws in targeted attacks before they were patched.

The threat actors launched spear-phishing attacks between the discovery of the zero-days and the release of the security patches. This is what happened between October and early November, when the Pawn Storm APT targeted governments and embassies around the world.

The zero-days exploited by Pawn Storm are Adobe’s Flash CVE-2016-7855 flaw, which was fixed on October 26, and the privilege escalation CVE-2016-7255 flaw in the Windows OS, which was fixed on November 8, 2016.

After CVE-2016-7855 was fixed, Pawn Storm started using it in several spear-phishing campaigns against high-profile targets from October 28 until early November.

In November the Pawn Storm APT launched spear-phishing campaigns against various governments using emails with the subject line “European Parliament statement on nuclear threats.” The attackers forged the email address of a press officer working for the media relations office of the European Union.

When the victim clicks on the link in the spear-phishing e-mail, it is redirected to a domain hosting Pawn Storm’s exploit kit.

“The exploit kit will first fingerprint its targets with invasive JavaScript, which uploads OS details, time zone, installed browser plugins, and language settings to the exploit server. The exploit server may then send back an exploit or simply redirect to a benign server.” reads the analysis published by Trend Micro.


The researchers also detected other spear-phishing attacks. From October 28 until early November 2016, attackers leveraged a fake invitation for a real “Cyber Threat Intelligence and Incident Response conference in November” organized by Defense IQ.

The spear-phishing e-mail contained an RTF (Rich Text Format) document called “Programm Details.doc.”

The document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server.

“Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe’s and Microsoft’s patches on October 26 and November 8, 2016.” continues the analysis. “This shows that Pawn Storm ramped up their spear-phishing attacks shortly after its zero-days were discovered. Not all organizations may have been able to immediately patch Adobe’s Flash, and the Windows vulnerability wasn’t patched until November 8, 2016.”

The analysis also includes the IoC for the above attacks.

FruityArmor APT exploited Windows Zero-Day flaws in attacks in the wild

21.10.2016 securityaffairs APT

Experts from Kaspersky have discovered a new APT dubbed FruityArmor APT using a zero-day vulnerability patched this month by Microsoft.
A new APT group, dubbed FruityArmor, targeted activists, researchers, and individuals related to government organizations.
According to experts at Kaspersky Lab, the FruityArmor APT conducted targeted attacks leveraging a Windows zero-day vulnerability, tracked as CVE-2016-3393, recently patched by Microsoft.

The security bulletins issued by Microsoft in October patched four zero-day flaws, including CVE-2016-3393, a remote code execution vulnerability.

FruityArmor APT zero-day

The experts have observed victims in different countries, including Iran, Algeria, Thailand, Yemen, Saudi Arabia and Sweden.

According to Kaspersky Lab, the hackers behind FruityArmor exploited several zero-day vulnerabilities and used an attack platform built around the Microsoft PowerShell framework.

“FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.” reads a blog post published on Thursday by Kaspersky.

Another peculiarity of the group is the use of the Windows Management Instrumentation (WMI) for persistence.

The malicious code used by the APT is hard to detect; the experts from Kaspersky highlighted that its payloads run directly in memory.

According to the experts, the FruityArmor APT group exploits the zero-day flaw for privilege escalation, which, combined with browser exploits, allows the attackers to escape the browser sandbox.

“To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine.” reads the blog post.

“In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module, which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C.”

For further details, take a look at the Kaspersky analysis.

Shadow Brokers launched a crowdfunding campaign to raise 10,000 bitcoins

18.10.2016 securityaffairs APT

The group calling itself The Shadow Brokers who hacked the NSA-linked Equation Group announced the launch of a crowdfunding campaign for the stolen arsenal.
This summer the hacker group Shadow Brokers hacked the NSA-linked group known as the Equation Group and leaked 300 Mb of hacking tools, exploits, and implants.

The Shadow Brokers launched an all-pay auction for the full archive containing the entire arsenal of the Equation Group. In early October, The Shadow Brokers complained that no one had offered money for their precious archive.

Shadow Brokers hacked Equation Group

The auction received offers for less than two bitcoins, so the hacker group decided to launch a crowdfunding campaign.

The Shadow Brokers team had collected bids for a total of 1.76 bitcoins (roughly $1,100), but the dreaded team was expecting to earn as much as $1 million.

But we probably misunderstood the hackers’ intent, because their crowdfunding campaign aims to raise 10,000 bitcoins (roughly $6.4 million).

“TheShadowBrokers is being bored with auction so no more auction. Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same file, password is crowdfunding. Sharing risk. Sharing reward. Everyone winning.” reads the announcement published by the group.

But unfortunately, the crowdfunding campaign is not obtaining the expected results.

Who is behind the Shadow Brokers crew?

Some experts speculate it is a group of Russian state-sponsored hackers; others believe it is a group of hackers that simply found the arsenal, which had been mistakenly left unattended by an employee or a contractor on a remote server.

The ShadowBrokers hackers then discovered the server and raided it.

“NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.” reported Reuters.

“That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.”

On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
13.10.2016 Kaspersky APT
The StrongPity APT is a technically capable group operating under the radar for several years. The group has quietly deployed zero-days in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.

Encryption Tools
Clearly this APT is interested in encrypted data and communications. The tools targeted by this group enable practices for securing secrecy and integrity of data. For example, WinRAR packs and encrypts files with strong suites like AES-256, and TrueCrypt encrypts full hard drives all in one swoop. Both WinRAR and TrueCrypt help provide strong and reliable encryption. WinRAR enables a person to encrypt a file with AES-256 in CBC mode with a strong PBKDF2 HMAC-SHA256 based key. And, TrueCrypt provides an effective open-source full disk encryption solution for Windows, Apple, Linux, and Android systems. Used together with free file sharing services, these two tools provide a sort of one-off, poor man’s end-to-end encryption at no cost.

Other software applications help to support encrypted sessions and communications. Well known applications supporting end-to-end encryption are used by hundreds of millions of folks, sometimes unknowingly, every day. IM clients like Microsoft’s Skype implement 256-bit AES encrypted communications, while Putty, Winscp and Windows Remote Desktop help provide private communications and sessions with fully encrypted communications as well. Most of these communications across the wire are currently unbreakable when intercepted, at least, when the applications are configured properly.

Summer 2016 Watering Hole Resources and Trickery – WinRAR and TrueCrypt
This actor set up a particularly clever site to deliver trojanized WinRAR installers in the summer of 2016, appears to have compromised another, and this activity reminds us somewhat of the early 2014 Crouching Yeti activity. Much of the Crouching Yeti intrusions were enabled by trojanizing legitimate ICS-related IT software installers like SCADA environment vpn client installers and industrial camera software driver installers. Then, they would compromise the legitimate company software distribution sites and replace the legitimate installers with the Crouching Yeti trojanized versions. The tactics effectively compromised ICS and SCADA related facilities and networks around the world. Simply put, even when visiting a legitimate company distribution site, IT staff was downloading and installing ICS-focused malware. StrongPity’s efforts did much the same.

In the case of StrongPity, the attackers were not focused on ICS or SCADA. They set up a domain name (ralrab[.]com) mimicking the legitimate WinRAR distribution site (rarlab[.]com), and then placed links on a legitimate “certified distributor” site in Europe to redirect to their poisoned installers hosted on ralrab[.]com. In Belgium, the attackers placed a “recommended” link to their ralrab[.]com site in the middle of the localized WinRAR distribution page on winrar[.]be. The big blue recommended button (here in French) linked to the malicious installer, while all the other links on the page directed to legitimate software:

Winrar[.]be site with “recommended link” leading to malicious ralrab[.]com

The winrar[.]be site evaluated what “recommended” package a visitor may need based on browser localization and processor capability, and accordingly offered up appropriate trojanized versions. Installer resources named for French and Dutch versions, along with 32-bit versus 64-bit compiled executables, were provided over the summer:


Directory listing, poisoned StrongPity installers, at ralrab[.]com

The first available visitor redirects from winrar[.]be to ralrab[.]com appeared on May 28th, 2016, from the Dutch-speaking version of the winrar.be site. And around the same time, another “certified distributor”, winrar[.]it, served trojanized installers as well. The major difference here is that we didn’t record redirections to ralrab[.]com; it appears the site directly served StrongPity trojanized installers:

The site started serving these executables a couple of days earlier, on 5/24, and a large majority of Italian visitors were affected.

Download page, winrar[.]it

Quite simply, the download links on this site directed visitors to trojanized WinRAR installers hosted from the winrar.it site itself. It’s interesting to note that both of the sites are “distributors”, where the sites are owned and managed not by rarlabs, but by local owners in individual countries.

StrongPity also directed specific visitors from popular, localized software sharing sites directly to their trojanized installers. This activity continued into late September 2016. In particular, the group redirected visitors from the software aggregation and sharing site tamindir[.]com to their attacker-controlled site at true-crypt[.]com. The StrongPity controlled TrueCrypt site is a complete rip of the legitimate site, now hosted by Sourceforge. Here is the Tamindir TrueCrypt page, which looks harmless enough.

TrueCrypt page, tamindir software sharing site

Unlike the newer poisoned WinRAR installers, StrongPity hosted several Much like the poisoned WinRAR installers, multiple filenames have been used to keep up with visitor interests. Visitors may have been directed to the site by other means and downloaded directly from the ripped and persuasive site.

true-crypt[.]com malicious StrongPity distribution site

At the very bottom of the page, there are a couple of links to the poisoned installers:

Referrers include these localized software aggregates and sharers:

It’s interesting that KSN recorded the appearance of the file on two unique systems in December 2015, a third in January 2016, all in Turkey, and then nothing until May 2016. Then, deployment of the installers continued mostly within Turkey in July and September 2016.

Summer 2016 Watering Hole Victim Geolocations – WinRAR and TrueCrypt
Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred. Accordingly, the country with the overwhelming number of detections was Italy, followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morocco, France, and Tunisia.

winrar[.]it StrongPity component geolocation distribution

In a similar time-span, the over sixty visitors redirected from winrar.be to ralrab.com for malicious file download were overwhelmingly located in one country. The top countries directed to StrongPity malware from the winrar.be site from May 25th through the first few days of June are Belgium, Algeria, Morocco, Netherlands, Canada, Cote D’Ivoire, and Tunisia.

winrar[.]be StrongPity component geolocation distribution

StrongPity previously set up TrueCrypt themed watering holes in late 2015. But their offensive activity surged in late summer 2016. The group set up a site directly pulled from the contents of the legitimate TrueCrypt website. From mid July to early September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com with unsurprisingly almost all of the focus on systems in Turkey, with victims in the Netherlands as well.

tamindir[.]com to true-crypt[.]com poisoned TrueCrypt installer redirects

StrongPity Malware
The StrongPity droppers were often signed with unusual digital certificates, dropping multiple components that not only provide complete control of the victim system, but effectively steal disk contents, and can download components for further collection of various communications and contacts. Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.

When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.

In the case of the winrar[.]be/ralrab[.]com watering hole malware, each one of the six droppers that we observed created a similar set of dropped components on disk. And, in these cases, the attackers did not re-use their fake digital certificates. In addition to installing the legitimate version of WinRAR, the dropper installed the following StrongPity components:

Of these files, two are configurable and encrypted with the same keyless cipher, “wrlck.cab” and “prst.cab”. While one maintains several callback c2 for the backdoor to fetch more instructions and upload installed software and file paths, the other maintains something a bit more unusual. “prst.cab” maintains an encrypted list of programs that maintain encrypted connections. This simple encoding takes the most significant nibble for each character, swaps the nibbles of that byte, and xors the result against the original value. Its code looks something like this:

for (i = 0; i < len; i++) {
    x = s[i];                 /* original byte of the buffer */
    j = (x & 0xF0) >> 4;      /* high nibble moved down into the low nibble */
    y = x ^ j;                /* xor against the original; the high nibble is left unchanged */
    s[i] = y;
}
Using that cipher in the ralrab[.]com malware, the package is configured to seek out several crypto-enabled software applications, highlighting the group’s interest in users of more encryption-supported software suites.

putty.exe (a windows SSH client)
filezilla.exe (supports ftps uploads)
winscp.exe (a windows secure copy application, providing encrypted and secure file transfer)
mstsc.exe (Windows Remote Desktop client, providing an encrypted connection to remote systems)
mRemoteNG.exe (a remote connections manager supporting SSH, RDP, and other encrypted protocols)
Also included in StrongPity components are keyloggers and additional data stealers.
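The encoding above is easy to reproduce, and a decoder is worth having when sifting dropped .cab files for the target list. The following Python is an added example written from the description and the snippet on this page; it is not StrongPity code and not taken from Kaspersky’s report. The NUL-separated list layout, the function names and the sample blob are constructed for illustration, and the blob is built by encoding the five program names listed above rather than copied from a real prst.cab.

```python
# Added example (not StrongPity code and not from Kaspersky's report): a
# decoder for the nibble/XOR encoding described above, written from the
# description and the snippet on the page. The NUL-separated list layout and
# the sample blob are constructed for illustration; nothing here is taken
# from a real prst.cab.


def nibble_xor(data):
    """Apply the encoding: xor each byte with its own high nibble shifted down.

    The high nibble of every byte is left untouched, so the transform is its
    own inverse: calling it twice returns the original bytes. That is why the
    report calls it 'keyless'; there is no key material to recover.
    """
    return bytes(b ^ (b >> 4) for b in data)


def decode_program_list(blob):
    """Decode a (constructed) NUL-separated list of target program names."""
    plain = nibble_xor(blob)
    return [p.decode("ascii") for p in plain.split(b"\x00") if p]


def looks_like_decoded_list(blob):
    """Triage heuristic: does the decoded blob consist of printable,
    NUL-separated names ending in '.exe'? Handy when several dropped files
    use the same encoding and only one of them holds the target list."""
    try:
        names = decode_program_list(blob)
    except UnicodeDecodeError:
        return False
    return bool(names) and all(n.isprintable() and n.lower().endswith(".exe") for n in names)


# Constructed sample: the five names from the report, as they would sit in the
# file after encoding. 'putty.exe' becomes b'wrss~,c\x7fc', which is enough to
# defeat a plain strings(1) pass but nothing more.
TARGETS = ["putty.exe", "filezilla.exe", "winscp.exe", "mstsc.exe", "mRemoteNG.exe"]
SAMPLE_BLOB = nibble_xor(b"\x00".join(t.encode("ascii") for t in TARGETS) + b"\x00")

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    for name in decode_program_list(SAMPLE_BLOB):
        print(name)
```

Run it and the first line printed is the encoded blob; the high nibble of every byte survives, so the data stays within ASCII and merely looks like mistyped names. Because the transform is an involution the one function serves as encoder and decoder, and the heuristic checker is a cheap way to find which of several dropped files carries the program list.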

Widely available, strong cryptography software tools help provide secure and private communications and are now easily obtained and usable. In the summer of 2016, multiple encryption-enabled software applications were targeted with watering holes, social engineering tactics, and spyware by the StrongPity APT. While watering holes and poisoned installers are tactics that have been used effectively by other APT groups, we have never seen the same focus on cryptography-enabled software. When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. We have seen other APT groups, such as Crouching Yeti and Darkhotel, distribute poisoned installers and poisoned executable code, then redistribute them through similar tactics and over p2p networks. Hopefully, simpler verification systems than the current batch of PGP and SSL applications will arise and be adopted in larger numbers. Until then, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.

StrongPity APT – Waterhole attacks against Italian and Belgian users
12.10.2016 securityaffairs APT

Kaspersky published a report on cyber espionage activities conducted by StrongPity APT that most targeted Italians and Belgians with watering holes attacks.
Experts from Kaspersky Lab have published a detailed report on the cyber espionage activities of the StrongPity APT. The group is sophisticated: its operations rely on watering hole attacks and malware to target users of software designed for encrypting data and communications.

The StrongPity APT targeted users in Europe, the Middle East, and Northern Africa.

StrongPity set up the website ralrab.com to mimic the legitimate rarlab.com site and used it as a landing domain to deliver poisoned installers of popular software. The group compromised the sites of certified distributors in Europe to redirect users to ralrab.com, which hosted the trojanized version of the legitimate application.

The StrongPity group also set up a rogue TrueCrypt website at true-crypt.com and redirected users to it from the software download site Tamindir. Kaspersky reported that StrongPity started setting up TrueCrypt-themed watering hole attacks in late 2015, but the company’s experts noticed a peak in the number of attacks this summer. The majority of the victims of this attack were located in Turkey, with some in the Netherlands.

Italian visitors of the legitimate distributor website winrar.it were redirected to trojanized WinRAR installers hosted from the winrar.it website itself.

“Over the course of a little over a week, malware delivered from winrar.it appeared on over 600 systems throughout Europe and Northern Africa/Middle East. Likely, many more infections actually occurred. Accordingly, the country with the overwhelming number of detections was in Italy followed by Belgium and Algeria. The top countries with StrongPity malware from the winrar.it site from May 25th through the first few days of June are Italy, Belgium, Algeria, Cote D’Ivoire, Morocco, France, and Tunisia.” states the report.

winrar[.]it StrongPity component geolocation distribution

In the arsenal of the StrongPity APT there are multiple components that allow attackers to gain complete control of the target system and effectively exfiltrate data from the machine. According to Kaspersky, the droppers used by the group were often signed with unusual digital certificates.

“Because we are talking about StrongPity watering holes, let’s take a quick look at what is being delivered by the group from these sites.” continues the report, which counts more than 1,000 systems infected with StrongPity malware.

“When we count all systems from 2016 infected with any one of the StrongPity components or a dropper, we see a more expansive picture. This data includes over 1,000 systems infected with a StrongPity component. The top five countries include Italy, Turkey, Belgium, Algeria, and France.”

The group used a component that looks for encryption-supported software suites, including the SSH and telnet client PuTTY, the FTP tool FileZilla, the remote connections manager mRemoteNG, Microsoft’s mstsc remote desktop client, and the SFTP and FTP client WinSCP.

“When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers,” states the report.


According to Kurt Baumgartner, principal security researcher at Kaspersky Lab, the TTPs observed for the StrongPity APT are similar to those of the Russian threat actor known as Energetic Bear (also tracked as Crouching Yeti and Dragonfly).

In 2014, Kaspersky published an interesting analysis of the Crouching Yeti group, which used a large network of hacked websites (219 domains) as command and control infrastructure. The vast majority of these websites were legitimate and were used to serve malware and to instruct bot agents worldwide to collect information on target systems. Most of the 2,800 companies identified as victims of the attack were in the industrial/machinery market, and the most targeted countries were the United States, Spain, Japan, and Germany.

”They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.” states the report published by Kaspersky Lab.

Energetic Bear APT campaign (figure from the Kaspersky report)

The attackers used the following attack scheme to infect victims:

Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
Trojanized software installers
Watering hole attacks using a variety of re-used exploits

France’s TV5Monde was almost destroyed by the Russian APT28 group
11.10.2016 securityaffairs APT

The TV5Monde director-general has told the BBC that his TV network was almost destroyed by a targeted cyber attack conducted by the Russian APT28 group.
In April 2015, TV5Monde was hit by a severe cyber attack that took its broadcasts off the air. The attackers also hijacked the TV5Monde website and the social media accounts of the French broadcaster.

TV5Monde is controlled by the French Government. A group calling itself the Cyber Caliphate claimed responsibility for shutting down broadcasting across its 12 channels for several hours.

New revelations about the attack have now been disclosed by Yves Bigot, the director-general of TV5Monde. Mr. Bigot told the BBC that the cyber attack came close to destroying the network of the French TV, and that further investigation suggested the involvement of a different threat actor: Russian hackers.

“It’s the worst thing that can happen to you in television,” Mr. Bigot told the BBC.

“We were a couple of hours from having the whole station gone for good.”

“We were saved from total destruction by the fact we had launched the channel that day and the technicians were there,”

“One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the internet and it stopped the attack.”

“We owe a lot to the engineer who unplugged that particular machine. He is a hero here,”

The hackers had compromised the network of the French TV on 23 January 2015, at least 10 weeks before launching the final attack with custom malware designed to target the encoder systems used to transmit programmes.

The hackers first carried out reconnaissance of the TV5Monde network to understand how it broadcast its transmissions, then used the malware to destroy the internet-connected hardware that controlled the TV station’s operations.

“The attack was far more sophisticated and targeted than reported at the time. The perpetrators had first penetrated the network on 23 January.” reported the BBC.

The investigators have discovered multiple entry points used by the attackers, such as supplier networks and remote controlled cameras used in studios.

The involvement of a Russian threat actor, the APT28 group, was also suggested by the security firm FireEye.

According to security experts at FireEye, the Russian APT28 group (also known as Pawn Storm, Tsar Team, Fancy Bear and Sednit) may have used the name of ISIS as a diversionary strategy; the experts noticed a number of similarities between the TTPs used by the Russian group and those of the actor who breached the TV5Monde network.

“There are a number of data points here in common,” said Jen Weedon, manager of threat intelligence at FireEye. “The ‘Cyber Caliphate website,’ where they posted the data on the TV5Monde hack was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past.”

Weedon confirmed that at the time of the TV5Monde attack, other journalists were targeted by the APT28 group and the attacks were coordinated by the same hacking infrastructure used by the team.

Experts at FireEye published a detailed report on APT28 in October 2014, speculating that the group is composed of state-sponsored hackers running a long-running cyber espionage campaign against US defense contractors, European security organizations and Eastern European government entities.

Mr. Bigot confirmed that the French cyber-agency told him that hackers had used the ISIS brand to cover their tracks.


The TV5Monde director was later told that evidence had been found that the attack was conducted by the Russian APT28 group.

Mr. Bigot explained that he has absolutely no idea why TV5Monde was chosen as the target.

“There are two things that the investigation won’t probably be able to achieve,” he added. “The first one is why us – why TV5Monde?” “And the second one is: Who gave the order and the money to that Russian group of hackers to actually do it?”

According to the BBC, which cited intelligence analysts in the UK, the US and France, the cyber attack against the French TV was a highly targeted operation conducted by Russian hackers, most likely in an attempt “to test forms of cyber-weaponry as part of an increasingly aggressive posture”.

Regardless of who the culprit is, there is one certainty: the cyber attack cost the TV station €5m ($5.6m) and left it with an increased recurring bill of €3m ($3.4m) for the additional security countermeasures it had to implement.

ShadowBrokers complain nobody wants the Equation Group’s full dump
3.10.2016 securityaffairs APT

The ShadowBrokers, the group behind the Equation Group leak, are upset that still nobody is bidding on the full dump of the NSA arsenal.
Once again we are here to report on the NSA-linked Equation Group and its hacking arsenal, leaked online by a group of hackers calling itself TheShadowBrokers. The group claimed to have hacked the NSA’s Equation Group, then tried to sell the hacking tools and exploits in an online auction.

According to Reuters, sources close to the investigation revealed that the NSA had known about the data breach for three years but kept it secret.

The sources provided further details of the alleged incident at the US intelligence agency: the NSA itself wasn’t directly hacked by the ShadowBrokers group, and the NSA hacking tools and exploits were not stolen by the whistleblower Edward Snowden.

According to the sources, an employee or a contractor mistakenly left the NSA hacking tools unattended on a remote server about three years ago during a cyber operation. The NSA was aware of the incident but did not inform the affected vendors of the risks related to the exposure of the exploits.

Now TheShadowBrokers complain that no one seems to be bidding on their precious archive. Early on Saturday morning, an alleged member of the group expressed frustration at the lack of interest in ponying up bitcoins to release the full NSA data dump.


At the time of this writing, the ShadowBrokers team has collected bids for a total of 1.76 bitcoins (roughly $1,100), but the dreaded team was expecting to earn as much as $1 million.

“Peoples is having interest in free files. https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html But people is no interest in #EQGRP_Auction. https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK TheShadowBrokers is thinking this is information communication problem. You people be thinking as TheShadowBrokers. How you sell secrets? Making most money? Quickly? Least amount effort? Maintaining anonymity? You be making suggestion #EQGRP_Auction.” the ShadowBrokers’s member wrote in a post published on Medium.

Who is behind the attack?
There is still no evidence that TheShadowBrokers is a nation-state actor, nor that it is currently working with the Kremlin.

Back to the story, I’m not surprised that the remaining part of the hacking arsenal was not requested by any actor in the wild. The NSA avoided disclosing the alleged mistake in order to track and hack back the thieves.

The NSA TAO team was able to scan the Internet for evidence of the use of the powerful tools. Another element to consider is that most of the exploits in the arsenal are probably no longer effective, because the data were stolen years ago.

Hong Kong Government Hacked by APT3 Group before elections
4.9.2016 securityaffairs APT

Two Hong Kong government departments were targeted by Chinese hackers belonging to the APT3 group just before the legislative elections.
Security experts from FireEye have discovered a new cyber espionage campaign launched by the Chinese APT3 group against the Hong Kong Government ahead of the legislative elections held today, September 4.

The hackers targeted two Hong Kong government departments to steal information related to the upcoming elections.
APT3 used spear-phishing emails to lure victims to websites that delivered malicious code to their PCs. According to FireEye, the phishing emails claimed to contain information about a report on the election results and included a link to the malicious website.


APT3 was first spotted by FireEye in 2014, when the group was using exploits for recently disclosed Windows vulnerabilities. The experts at FireEye speculated that APT3 is the same actor behind “Operation Clandestine Fox”, uncovered by the company in April 2014, in which the hackers exploited an Internet Explorer zero-day vulnerability in a series of targeted attacks.

In a blog post, FireEye detailed attacks run by APT3 that exploited a Windows OLE bug together with a Windows privilege escalation vulnerability (CVE-2014-4113).

Cyber espionage campaigns conducted to gather information about government and political activities in Southeast Asia are not a novelty; the Beijing government is one of the most active in this sense.

“Typically when we see government attacks on other governments, it’s about intelligence gathering and trying to gain access to information they can’t get via other means,” Bryce Boland, FireEye CTO for the Asia-Pac, told Agence France-Presse.

China has long put political pressure on the local Hong Kong government to discredit political opponents and candidates who campaign for the territory’s independence.

Remote Butler attack: APT groups’ dream come true

8.8.2016 helpnetsecurity APT

Microsoft security researchers have come up with an extension of the “Evil Maid” attack that allows attackers to bypass local Windows authentication to defeat full disk encryption: “Remote Butler”.

Evil Maid and Remote Butler attacks, illustrated (triangles are Domain Controllers)


Demonstrated at Black Hat USA 2016 by researchers Tal Be’ery and Chaim Hoch, the Remote Butler attack has one crucial improvement over Evil Maid: it can be carried out by attackers who do not have physical access to the target Windows computer, provided the machine has at some point been joined to a domain (an enterprise network) and authenticated to it via a domain controller.

Evil Maid attacks got the name from the fact that even a hotel maid (or someone posing as one) could execute the attack while the computer is left unattended in a hotel room.

The most recent of those was demonstrated by researcher Ian Haken at Black Hat Europe 2015, when he managed to access the target user’s data even though the computer’s disk was encrypted with BitLocker, Windows’ full disk encryption feature.

The vulnerability that allowed this attack was patched by Microsoft in February 2016, and the good news is that this patch also prevents attackers from carrying out a “Remote Butler” attack.

But it’s unlikely that everybody has applied the patch.

“While being a clever attack, the physical access requirement for [Haken’s Evil Maid attack] seems to be prohibitive and would prevent it from being used on most APT campaigns. As a result, defenders might not correctly prioritize the importance of patching it,” Be’ery and Hoch explained, urging those admins who haven’t already applied the patch to do so as soon as possible.

Or, if that’s not possible, to implement network and system hardening and defense-in-depth policies to minimize the risk of the attack being executed.

More technical details about the attack, as well as mitigation options, are given in the researchers’ whitepaper.

PLATINUM APT targeted organizations in South and Southeast Asia

28.4.2016 APT

Microsoft issued a detailed report on the activity of a hacking crew dubbed the Platinum APT group, which abused the Windows hotpatching feature in its attacks.
The crew, discovered by Microsoft and dubbed Platinum, conducted cyber espionage against organizations in South and Southeast Asia.

According to Microsoft, the Platinum has been active since at least 2009, it was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.


The hackers don’t appear to be financially motivated; this, together with the type of targeted entities, suggests the Platinum APT is either a group of state-sponsored hackers or a group that intends to resell the stolen information to a government.

The experts at the Microsoft Windows Defender Advanced Threat Hunting team have discovered that the Platinum APT group has been exploiting a feature called hotpatching to hide its operations.

Hotpatching allows updates to be applied to a running Windows system without rebooting or restarting the patched process. The same mechanism can be abused to inject malicious code into processes without being detected by security solutions.

The feature was introduced with Windows Server 2003 and removed with the release of Windows 8.

According to the experts at Microsoft, this is the first time the Hotpatching feature is exploited by hackers in the wild.

The Platinum APT group exploited the Hotpatching feature to inject a backdoor into the svchost process.

“Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.” Microsoft wrote in a blog post. “What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”

Experts at Microsoft who investigated the activity of the Platinum APT group discovered that it has conducted many other campaigns in recent years. The group has always spent significant effort developing custom-built malware with advanced detection-evasion mechanisms.

The APT group used several zero-day exploits to remain hidden, and researchers also speculated that the group has considerable financial resources.

“The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.” states a detailed analysis published by Microsoft on the Platinum APT group.

“Any of these traits by themselves could be the work of a single resourceful attacker or a small group of like-minded individuals, but the presence of all of them is a clear indication of a well resourced, focused, and disciplined group of attackers vying for information from government related entities.”

APT groups don’t go under the radar after a successful attack!

16.2.2016 APT

What happened to some of the APT groups behind clamorous cyber attacks? Why don’t they go dark anymore after being outed, a behavior completely different from the past?
I’m sure everyone remembers the Sony attack that occurred in 2014, when the US Government blamed the North Korean Government for the attack, carried out by a hacking group dubbed GOP (Guardians of Peace). In the past, the APT groups behind major attacks went underground for some time until the dust settled, but now more and more hacking crews remain active after a big score, using information gathered from the successful attack to target more victims.

Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, expressed his opinion on the Sony hack.

“They didn’t disappear when the dust settled,” he said.
Last week, during the summit in Tenerife, Guerrero-Saade and Jaime Blasco provided some news about the Sony hackers:

“It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack,”
Why don’t threat groups remain under the radar after a big score?

Kurt Baumgartner, principal security researcher at Kaspersky Lab argues that in the past APT groups “would immediately shut down their infrastructure when they were reported on”, “You just didn’t see the return of an actor sometimes for years at a time.”

Baumgartner used the example of Darkhotel, a Korean-speaking attack group mostly known for hacking WiFi networks at luxury hotels in order to target high-level executives. Even though Darkhotel is not attacking hotels anymore, it is not hidden either: in July it was discovered that Darkhotel was using a zero-day Adobe Flash exploit (disclosed in the Hacking Team data breach).

“Within 48 hours, they took the Flash exploit down … They left a loosely configured server”.

Darkhotel doesn’t look worried about exposure: “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active.”

Several groups are assumed to behave similarly. The Equation Group, for example, which many experts have linked to the NSA, is believed to have changed its communication methods to avoid detection.

“I would assume they are active but just changed their” communications, explained Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”


This pattern is found over and over among hacking groups, and it looks like notoriety doesn’t stop these groups anymore.

BlackEnergy infected also Ukrainian Mining and Railway Systems
13.2.2016 APT

Experts at Trend Micro discovered strains of BlackEnergy malware involved in the recent attacks against Ukrainian Mining and Railway Systems.
BlackEnergy was in the headlines when the security industry examined the power outage that occurred in Ukraine in December 2015.

BlackEnergy is a malware family that has been enhanced to target SCADA systems; the latest variant includes the KillDisk component, developed to wipe disks and make systems inoperable.

The Ukrainian government accused Russia of being involved in the attack that caused the power outages, but further analysis revealed that the BlackEnergy malware was not directly responsible for the outages.

Now Trend Micro has announced that it spotted BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator.

The experts noticed that the systems at the mining company were also infected with multiple variants of KillDisk; these samples implement the same features observed in the KillDisk component that infected the power utilities in Ukraine.

The security researchers believe that the threat actor behind them is the same one that targeted the Ukrainian power companies.

The researchers noticed many similarities in the samples, naming conventions, control infrastructure, and the timing of the attacks.

Trend Micro spotted several samples similar to the BlackEnergy variant that infected the Ukrainian power utility; the malware used the same command and control (C&C) servers.

“Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system. The file tsk.exe (SHA1: f3e41eb94c4d72a98cd743bbb02d248f510ad925) was flagged as KillDisk and used in the electric utility attack as well as against the rail company. This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network.” states a blog post published by Trend Micro.

BlackEnergy configuration example (Figure 1 in the Trend Micro post)

The experts elaborated several theories about the attack; one of the most plausible is an offensive by a politically motivated, persistent attacker that intends to hit Ukrainian critical infrastructure to destabilize the country.

“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Kyle Wilhoit of Trend Micro said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”

Whichever is the case, cyber attacks against critical infrastructures represent a serious threat against any government.

APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks
8.2.2016 Zdroj: Kaspersky APT

In late 2014, Kaspersky Lab researchers made a worrying prediction: financially-motivated cyber-criminals would adopt sophisticated tactics and techniques from APT groups for use in bank robberies.

Just a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries.

Since then, we have seen an increase in these covert, APT-style attacks that combine the use of reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence to steal money from financial institutions (particularly ATMs and money transfer systems).

Today at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights.

In 2015, Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups.

Due to the active nature of law enforcement investigations and non-disclosure agreements with victim organizations, Kaspersky Lab cannot provide extensive details of the attacks. Kaspersky Lab is releasing crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks (see below).

The story of Metel – ATM balance rollbacks

In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.

During our incident response, we discovered the solution to this puzzle: Metel, a modular malware program also known as Corkow.

The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems.

Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATMs via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATMs.

Encrypted configuration for Metel malware plugins

Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations.

In all, we discovered Metel in more than 30 financial institutions, but Kaspersky Lab’s incident responders were able to clean the networks before any major damage could be done. It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware.

The Metel criminal group is still active. At the moment, we don’t have any information about any victims outside Russia.

GCMAN – penetration testing tools gone bad

A second group, which we call GCMAN because the malware is based on code compiled with the GCC compiler, emerged recently, using techniques similar to the Metel group’s to infect banking institutions and attempt to transfer money to e-currency services.

The initial infection is delivered by spear-phishing the targeted financial institutions with e-mails carrying a malicious RAR archive. When the archive is opened, an executable runs instead of the expected Microsoft Word document, resulting in infection.

Once inside the network, the GCMAN group uses legitimate remote-administration and penetration-testing tools such as PuTTY, VNC and Meterpreter for lateral movement. Our investigation revealed an attack in which the group then planted a cron script on the bank’s server that sent financial transactions at a rate of $200 per minute. A time-based scheduler invoked the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank.
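A scheduler-driven drip like this is easy to miss on a per-transaction basis (each transfer is small and well-formed) but stands out as a time series: the same source, the same destination, the same amount, at an interval with almost no jitter. The detection below is an added example for this page, not code from Kaspersky or the investigation; the transfer record layout, thresholds and the constructed sample are assumptions.

```python
"""Flag outgoing transfers that arrive like a metronome: identical amount,
near-constant interval, many repetitions from one source to one destination.

Example code, not Kaspersky's. Record layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_transfers():
    """Constructed sample: (timestamp, source account, destination, amount)."""
    base = datetime(2015, 7, 12, 2, 0, 0)
    # the drip: ten transfers of 200 to one wallet, exactly one minute apart
    rows = [(base + timedelta(seconds=60 * i), "CORP-ACCT-17",
             "ECURRENCY-WALLET-1", 200.0) for i in range(10)]
    # ordinary daytime payments: irregular timing, varying amounts
    rows += [
        (datetime(2015, 7, 12, 9, 15, 0), "CORP-ACCT-17", "SUPPLIER-A", 1250.0),
        (datetime(2015, 7, 12, 9, 42, 0), "CORP-ACCT-17", "SUPPLIER-A", 980.5),
        (datetime(2015, 7, 12, 11, 5, 0), "CORP-ACCT-17", "SUPPLIER-A", 1250.0),
        (datetime(2015, 7, 12, 10, 0, 0), "CORP-ACCT-03", "PAYROLL", 15000.0),
    ]
    return rows


def find_metronome_transfers(rows, min_count=5, max_jitter_seconds=2.0):
    """Return {(source, destination): summary} for machine-regular transfer streams.

    min_count: repetitions needed before a pair is considered (assumed value).
    max_jitter_seconds: allowed standard deviation of the inter-transfer gap.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, amount in rows:
        by_pair[(src, dst)].append((ts, amount))

    flagged = {}
    for pair, events in by_pair.items():
        if len(events) < min_count:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        amounts = {amount for _, amount in events}
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        # one fixed amount and a (nearly) fixed period is the scheduler signature
        if len(amounts) == 1 and pstdev(gaps) <= max_jitter_seconds:
            period = mean(gaps)
            amount = amounts.pop()
            flagged[pair] = {
                "count": len(events),
                "interval_seconds": period,
                "amount": amount,
                "rate_per_minute": amount * 60.0 / period,
                "first": times[0],
                "last": times[-1],
            }
    return flagged


if __name__ == "__main__":
    for pair, summary in find_metronome_transfers(constructed_transfers()).items():
        print(pair, summary)
```

On the host side the same incident is caught earlier by auditing scheduled jobs: a new entry running every minute (`* * * * *`) in a user crontab or under /etc/cron.d on a server that posts payments is exactly the artefact described above, and a file-integrity or configuration-management alert on those locations would have fired when the script was planted.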

Decompiled code of GCMAN malware that is responsible for connecting to CnC

In a stroke of luck, the financial institutions discovered the suspicious activity on their network in time to neutralize the threat and cancel the transactions.

One interesting observation is that the real attack happened approximately 18 months before it was discovered. The group used an MS SQL injection in commercial software running on one of the bank’s public web services, and about a year and a half later they came back to cash out. During that time they probed 70 internal hosts and compromised 56 accounts, operating from 139 attack sources (Tor and compromised home routers).

We discovered that about two months before the incident someone was trying different passwords for an admin account on a banking server. They were persistent, but made only three attempts a week, and then only on Saturdays, in an effort to stay under the radar.
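Three failed logins a week will never trip a per-day lockout or a "N failures in an hour" rule; what exposes this kind of guessing is aggregating failures per account over weeks and looking at how they are distributed across weekdays. The code below contrasts the two approaches on a constructed sshd-style log. It is an added example for this page, not Kaspersky's tooling; the log format, host names, addresses and thresholds are assumptions.

```python
"""Low-and-slow password guessing: a daily threshold misses it, a multi-week
per-account aggregation with weekday profiling catches it.

Example code, not Kaspersky's. Log format and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd-style line, ISO timestamp first (assumed format for this example)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)")


def constructed_log():
    """Constructed sample: 3 failures for 'admin' every Saturday for 8 weeks,
    plus one ordinary user mistyping a password twice on a Tuesday."""
    lines = []
    first_saturday = datetime(2015, 5, 2, 3, 0, 0)   # 2015-05-02 is a Saturday
    for week in range(8):
        for attempt in range(3):
            ts = first_saturday + timedelta(weeks=week, minutes=17 * attempt)
            lines.append(f"{ts.isoformat()} bank-srv1 sshd[1201]: Failed password "
                         f"for admin from 198.51.100.23 port 51022 ssh2")
    lines += [
        "2015-05-12T09:01:10 bank-srv1 sshd[1402]: Failed password for ivanov from 10.0.8.15 port 40110 ssh2",
        "2015-05-12T09:01:25 bank-srv1 sshd[1402]: Failed password for ivanov from 10.0.8.15 port 40110 ssh2",
        "2015-05-12T09:01:40 bank-srv1 sshd[1402]: Accepted password for ivanov from 10.0.8.15 port 40110 ssh2",
    ]
    return lines


def parse_failures(lines):
    """Return (timestamp, user, source ip) for every failed-password line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return out


def daily_threshold_alerts(failures, per_day=5):
    """The conventional rule: at least per_day failures for one account in one day."""
    per_account_day = Counter((user, ts.date()) for ts, user, _ in failures)
    return sorted({user for (user, _), n in per_account_day.items() if n >= per_day})


def low_and_slow_alerts(failures, window_days=60, min_total=15, min_days=5):
    """Aggregate per account over a long window; alert when the total is high
    even though no single day is, and report the weekday the attempts cluster on."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        newest = events[-1][0]
        recent = [(ts, ip) for ts, ip in events
                  if newest - ts <= timedelta(days=window_days)]
        days = {ts.date() for ts, _ in recent}
        if len(recent) >= min_total and len(days) >= min_days:
            weekday_counts = Counter(ts.strftime("%A") for ts, _ in recent)
            top_day, top_n = weekday_counts.most_common(1)[0]
            alerts[user] = {
                "failures": len(recent),
                "distinct_days": len(days),
                "sources": sorted({ip for _, ip in recent}),
                "dominant_weekday": top_day,
                "weekday_share": top_n / len(recent),
            }
    return alerts


if __name__ == "__main__":
    fails = parse_failures(constructed_log())
    print("daily rule:", daily_threshold_alerts(fails))
    print("long window:", low_and_slow_alerts(fails))
```

The daily rule returns nothing for this log; the long-window aggregation reports 24 failures for `admin` spread over 8 distinct days, all on Saturdays, from a single source. The weekday share is what turns a vague "some failures" into a pattern worth a ticket: legitimate users do not mistype their password only on weekends.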

Kaspersky Lab’s research team responded to three financial institutions in Russia that were infected with the GCMAN malware. It is likely that this threat is far more widespread and we urge banks to sweep their networks for signs of this cyber-criminal group.

Carbanak 2.0: new targets beyond banks

After our exposure of the Carbanak group exactly a year ago, the group disappeared for about five months, leading us to believe that the operation had been disbanded. However, in September last year our friends at CSIS published a blog post detailing a new Carbanak variant affecting one of their customers.

In December 2015, we confirmed that the group was still active. Kaspersky Lab discovered signs of Carbanak in two institutions – a telecommunications company and a financial institution.

Executable files found in SHIM during Carbanak incident response

One interesting characteristic of Carbanak 2.0 is a different victim profile. The group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them, using the same APT-style tools and techniques.

In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs. It’s unclear how they wanted to make use of this information in future.

Kaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN threat actors with the following detection names:

Kaspersky Lab urges all organizations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems/computers/networks and report the intrusion to law enforcement.

All this information has been made available to customers of our APT intelligence reporting service and they received the indicators of compromise and context information as soon as they became available.