- CyberSpy -

Last update 09.10.2017 12:36:27


Chinese Hackers Use 'Datper' Trojan in Recent Campaign
21.10.2018 securityweek
CyberSpy  Virus

A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

Also referred to as Redbaldknight and Bronze Butler, Tick has been launching various cyber-attacks against entities in South Korea and Japan over the past couple of years. The campaign Talos analyzed also used compromised websites located in the two countries as command and control (C&C) servers.

Although Tick has been using custom tools in each campaign, the researchers observed a series of recurring patterns in the use of infrastructure, such as overlaps in hijacked C&C domains or the use of the same IP.

Based on these infrastructure patterns, the experts discovered similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks.

Datper, the malware used in the campaign Talos analyzed, can execute shell commands on the victim machine, while also obtaining hostnames and drive information. The used infection vector, however, is unknown, Talos says.

The analyzed Datper variant used the compromised website of a legitimate Korean laundry service to host their C&C. Located at whitepia[.]co.kr, the site does not use SSL encryption or certificates, which rendered it vulnerable to attacks.

The security researchers observed other compromised websites as well being used as C&C servers as part of the attack. This led to the hypothesis that the malware could be delivered via web-based assaults, such as drive-by downloads or watering hole attacks.

Talos also discovered hosts that were being used as C&C servers although they were not connected to compromised websites. This would suggest that the hackers initially deployed the C&C infrastructure on legitimately obtained (and potentially purchased) hosts.

“The actor behind this campaign deployed and managed their C&C infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C&C infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries,” Talos says.

Once on the infected machine, Datper would create a mutex object and retrieve several pieces of information from the victim machine, including system information and keyboard layout. Next, the malware attempts to issue an HTTP GET request to the C&C server (which was unavailable during investigation).

Some of the compromised websites were also used as C&C domains for the xxmm backdoor, also known as Murim or Wrim, which was previously associated with the threat actor, and which allows attackers to install additional malicious tools onto the infected machines. The two samples also use similar GET request URI paths.

A Datper variant compiled in March 2018 was observed using a legitimate website as C&C, resolving to the same IP used for the C&C infrastructure of the Emdivi malware family. This Trojan opens a backdoor on the compromised machines and was previously attributed to the threat actor behind the campaign "Blue termite."

“Talos’ investigation into attacks conducted by this actor indicates commonalities between the Datper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities are in the C&C infrastructure of attacks utilizing these malware families. Some C&C domains used in these attacks resolve to hijacked, legitimate South Korean and Japanese hosts and may have been purchased by the attacker,” Talos concludes.

MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval Industry
20.10.2018 securityweek
CyberSpy  Virus

Yoroi security firm uncovered a targeted attack against one of the most important companies in the Italian Naval Industry leveraging MartyMcFly Malware.
Today I’d like to share an interesting analysis of a targeted attack found and dissected by Yoroi (technical details are available here). The victim is one of the most important players in the field of security and defensive, military-grade naval systems in Italy. Everything started from a well-crafted email, sent to the right office, asking for prices of naval engine spare parts. The mail was clear and well written, and the spare parts it listed matched real engine parts. The analyzed email presented two attachments to the victim:
A company profile, presenting the company that was asking for spare parts
A Microsoft XLSX file in which (apparently) the list of the needed spare parts was available
The attacker asked for a quotation for the entire spare-parts list in the spreadsheet, so the victim needed to open the included Microsoft spreadsheet in order to enumerate the “fake customer” needs. Opening the Excel file infects the machine.

Let’s go deep into that file and see what is happening there. At first sight, the Office document held encrypted content in OleObj.1 and OleObj.2. Those objects are real encrypted OLE objects: the encrypted payload sits in the “EncryptedPackage” stream, and information on how to decrypt it is available in the “EncryptionInfo” XML descriptor. In this case, however, EncryptionInfo held the encryption algorithm and additional information about the payload, but no key was provided. That raised a disruptive question: how is Microsoft Excel able to decrypt such content if no password is requested from the end user? Put differently, if the victim opens the document without knowing the “secret key”, how can he/she get infected? And why would the attacker use an encrypted payload if the victim cannot open it?

Stage1: Encrypted Content
Using an encrypted payload is quite a common way to evade antivirus, since the encrypted payload changes depending on the key used. But what is the key?
Well, Microsoft Excel has a common way to open documents called “Read Only”. In “Read Only” mode the file can be opened even if it is encrypted: Excel asks the user for a decryption key only if the user wants to save, print or modify the content. For that case, Microsoft programmers used a special, static key to decrypt “Read Only” documents. That key has the following value: “VelvetSweatshop” (a nice old article on that). Let’s use this “key” to try to decrypt the content! The following image shows a brand new stage, where a valid extracted xlsx file wraps more objects; we define it as Stage2.

Stage2: OleOBj inclusion (click to expand it)
A quick analysis of Stage2 exposes a new object inclusion (as shown in the picture “Stage2: OleOBJ inclusion”). That object was crafted on 2018-10-09 but was seen only on 2018-10-12. At this stage the extracted object is clear text, and no encrypted content was found at all. The following image shows the object extracted from Stage2.

Stage2: extracted Payload

It’s not hard to see what the payload does (CVE-2017-11882), but running it on a dynamic engine gives you better chances to prove it. The payload exploits CVE-2017-11882 by spawning the Equation Editor, then dropping and executing an external PE file. We might define the Equation Editor dropping and executing as Stage3. The following image shows the connection to a dropping website performed by the Equation Editor (click to magnify it).

Stage3: Equation Editor Spawned and connecting to Dropping URL
Evidence of what was dissected is shown in the following image (Introducing Stage4), where the Equation Editor network trace is provided. We are introducing a new stage: Stage4. GEqy87.exe (Stage4) is a common Windows PE. It’s placed inside an unconventional folder (js/jquery/file/… ) on a compromised, thematic website. This placement usually has a double aim: (a) bypassing old-school or unconfigured IDS and (b) hiding malicious software inside a well-known and trusted folder structure in order to persist across website upgrades.

Introducing Stage4. PE file dropped and executed
Stage4 is pretty interesting per se. It’s a nice piece of software written in Borland Delphi 7. According to VirusTotal the software was “seen in the wild” in 2010 but submitted only on 2018-10-12! This is pretty interesting, isn’t it? Maybe a hash collision over multiple years? Maybe a buggy variable on VirusTotal? Or maybe not, and something more sophisticated and complex is happening out there.

Stage4: According to Virus Total
Looking into GEqy87, it is quite clear that the sample was hiding an additional Windows PE. On one hand, it builds up the new PE directly in memory by running decryption loops (not reversed here). On the other hand, it transfers execution (EIP) to a pre-allocated memory section in order to reach the newly available code section.

Stage5: Windows PE hidden into GEqy87.exe
Stage5 deploys many evasion tricks, such as GetLastInputInfo, SleepX and GetLocalTime, to trick debuggers and sandboxes. It makes an explicit date check against 0x7E1 (2017). If the current year is less than or equal to 0x7E1 it ends up skipping the real behavior, while if the current year is, for example, 2018, it runs its behavior by calling “0xEAX” (a typical control-flow redirection to crafted memory).
For more technical details, please have a look here. What looks very interesting, at least from my personal point of view, is the following evidence:
Assuming there were no hash collisions over the years
Assuming VirusTotal’s “First Seen in The Wild” is right (and not bugged)
We might think that “we are facing a new threat targeting (as of today) the naval industry, planned in 2010 and run in 2018”.
The name MartyMcFly comes pretty naturally here, given the “interesting date-back from VirusTotal”. I am not confident about that date, but I can only assume VirusTotal is right.

For IoCs please see the analysis here.

Further details on the MartyMcFly malware are reported in the original analysis published by Marco Ramilli on his blog.

Yoroi also launched its new blog, where several interesting analyses can be found, including the one on the MartyMcFly malware.

'GreyEnergy' Cyberspies Target Ukraine, Poland
19.10.2018 securityweek 
APT CyberSpy  ICS

Over the past three years, ESET security researchers have been tracking a cyber-espionage group linked to the infamous BlackEnergy hackers.

BlackEnergy has been around since at least 2007, but rose to prominence in December 2015 when it caused a major blackout. The newly documented group, which ESET refers to as GreyEnergy, emerged around the same time.

Another group that emerged around the same time is TeleBots, which is said to have orchestrated the massive NotPetya outbreak last year. Recently, the security researchers managed to link the group to Industroyer, which is considered the most powerful modern malware targeting industrial control systems (ICS).

According to an ESET report published on Wednesday (PDF), the BlackEnergy threat actor evolved into two separate groups, namely TeleBots and GreyEnergy. The former is focused on launching cybersabotage attacks on Ukraine, through computer network attack (CNA) operations.

Over the past three years, GreyEnergy was observed being involved in attacks targeting entities in Ukraine and Poland, but mainly focused on cyber-espionage and reconnaissance. The group's operations have been aimed at energy sector, transportation, and other high-value targets.

The GreyEnergy malware features a modular architecture, meaning that its capabilities are dependent on the modules the operator chooses to deploy. These modules, however, include backdoor, file extraction, screenshot capturing, keylogging, password and credential stealing, and other functionality.

“We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” Anton Cherepanov, a senior security researcher at ESET, reveals.

None of the malware’s modules, ESET says, is capable of affecting ICS, but its operators did use, on at least one occasion, a disk-wiping component to disrupt operating processes. One of the GreyEnergy samples was using a valid digital certificate likely stolen from Taiwanese company Advantech.

The actor is targeting organizations either through compromised self-hosted web services or via spear-phishing emails with malicious attachments.

The attackers would also deploy additional backdoors to the compromised web servers that are accessible from the Internet. The hackers favor PHP backdoors and use several layers of obfuscation and encryption to hide the malicious code.

The attachments of spear-phishing emails would first drop a lightweight first-stage backdoor dubbed GreyEnergy mini (and also known as FELIXROOT) to map the network and collect admin credentials using tools such as Nmap and Mimikatz.

The collected credentials are then used to deploy the main GreyEnergy malware, which requires administrator privileges. The backdoor is deployed on servers with high uptime and workstations used to control ICS environments. Additional software (proxies deployed on internal servers) is used to communicate with the command and control (C&C) server as stealthily as possible.

Written in C and compiled using Visual Studio, the GreyEnergy malware is usually deployed in two modes: in-memory-only mode, when no persistence is required, and using Service DLL persistence, to survive system reboots. The functionality of the malware is the same in both cases.

The GreyEnergy modules researchers have observed to date are meant to inject a PE binary into a remote process; collect information about the system and event logs; perform file system operations; grab screenshots; harvest key strokes; collect saved passwords from various applications; use Mimikatz to steal Windows credentials; use Plink to create SSH tunnels; and use 3proxy to create proxies.

The malware leverages Tor relay software when active, with the C&C infrastructure setup similar to that of BlackEnergy, TeleBots, and Industroyer. Furthermore, GreyEnergy and BlackEnergy have a similar design and a similar set of modules and features, although they are implemented differently.

Furthermore, ESET researchers discovered a worm that appears to be the predecessor of NotPetya, and which they call Moonraker Petya. The malware, which contains code that makes the computer unbootable, was deployed against a small number of organizations and has limited spreading capabilities.

Moonraker Petya shows a cooperation between TeleBots and GreyEnergy, or at least reveals they are sharing some ideas and code. The main difference between the two is that TeleBots focuses solely on Ukraine, while GreyEnergy operates outside the country’s borders as well.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit. The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi,” ESET concludes.

MuddyWater Threat Actor Expands Targets List
11.10.2018 securityweek

The MuddyWater cyber-espionage campaign was observed using spear-phishing emails to target entities in more countries, Kaspersky Lab reports.

The MuddyWater threat actor was first detailed last year, focusing mainly on governmental targets in Iraq and Saudi Arabia. Attribution appears difficult and numerous new attacks were linked to the group this year.

Recently, the group was observed targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan. Other victims were detected in Mali, Austria, Russia, Iran, and Bahrain, and the initially discovered attacks on Iraq and Saudi Arabia continued as well.

The attacks used new spear-phishing documents and relied on social engineering to trick users into enabling malicious macros. Password-protected to hinder analysis, the macros in the malicious documents execute obfuscated VBA code when enabled.

Base64-encoded, the macro payload drops three files in the “ProgramData” folder and also adds a registry entry in the current user’s RUN key (HKCU) to ensure execution when the user next logs in. Sometimes, the macro spawns the malicious payload/process instantly and doesn’t wait for the next user login.

The attacks leverage legitimate executables from Microsoft, all of which are whitelisted, thus ensuring the payload’s execution. The macro drops either INF, SCT, and text files or VBS and text files.

In the first scenario, INF is launched via the advpack.dll “LaunchINFSection” function to register the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library). Next, JavaScript or VBscript code in the SCT leverages WMI (winmgmt) to spawn a PowerShell one-liner that consumes the text file.

In the second scenario, the VBS file decodes itself and calls mshta.exe. One line of VBScript code passed to mshta spawns a PowerShell one-liner to consume the text file.

The one-liner PowerShell code reads the encoded text file dropped in ProgramData and decodes it to obfuscated code.

The code disables the Macro Warnings and Protected View in Office, to ensure future attacks can be performed without user interaction. It also checks the running processes against a hardcoded list and reboots the machine if it finds any match.

For communication with the command and control (C&C) server, the code randomly selects a URL from a list. If communication fails, it attempts to connect to another randomly selected URL from that list, then sleeps from one to 30 seconds and loops again.

Once a machine has been infected, the code attempts to obtain the victim’s public IP and sends the information along with OS version, internal IP, machine name, domain name, and username to the C&C, which allows the attackers to filter victims.

Based on commands received from the C&C, the code can take screenshots, retrieve another stage of the PowerShell code that is executed via Excel, Outlook, or Explorer.exe, download files from the C&C and save them to “ProgramData,” destroy the disk drives C, D, E, F and then reboot the system, or simply reboot or shut down the victim’s machine.
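The two execution chains described above (INF via advpack.dll, SCT via scrobj.dll and a WMI-spawned PowerShell one-liner, or VBS via mshta.exe into PowerShell, plus the ProgramData drop and the HKCU Run value) can be turned into endpoint detection logic. The following is an added example, not code from Kaspersky's report: the rule names, the tab-delimited record format and the Sysmon-style sample records are this example's own constructions.

```python
"""Detection logic for the MuddyWater execution chains described above.

Each rule flags one step the article lists; a chain verdict needs every step
of a documented chain to have fired. Sample records are constructed,
Sysmon-style (event 1 = process create, 13 = registry value set) and
tab-delimited; this format is an assumption of the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    event_id: int
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry path, populated for event 13


def parse_line(line: str) -> Event:
    """Parse '<event_id>\\tKey=Value\\tKey=Value...' into an Event."""
    parts = line.rstrip("\n").split("\t")
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return Event(event_id=int(parts[0]),
                 image=fields.get("Image", ""),
                 parent_image=fields.get("ParentImage", ""),
                 command_line=fields.get("CommandLine", ""),
                 target_object=fields.get("TargetObject", ""))


def _image_is(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name)


RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
PROGRAMDATA_TXT = re.compile(r"programdata\\[^\s'\"]+\.txt", re.I)

# One predicate per step of the chains the article describes.
RULES = {
    "inf_launched_via_advpack": lambda e: e.event_id == 1
        and "advpack.dll" in e.command_line.lower()
        and "launchinfsection" in e.command_line.lower(),
    "scriptlet_registered_via_scrobj": lambda e: e.event_id == 1
        and "scrobj.dll" in e.command_line.lower()
        and ".sct" in e.command_line.lower(),
    "mshta_spawned_powershell": lambda e: e.event_id == 1
        and _image_is(e.image, "powershell.exe")
        and _image_is(e.parent_image, "mshta.exe"),
    "wmi_spawned_powershell": lambda e: e.event_id == 1
        and _image_is(e.image, "powershell.exe")
        and _image_is(e.parent_image, "wmiprvse.exe"),
    "powershell_reads_programdata_txt": lambda e: e.event_id == 1
        and _image_is(e.image, "powershell.exe")
        and PROGRAMDATA_TXT.search(e.command_line) is not None,
    "hkcu_run_value_set": lambda e: e.event_id == 13
        and RUN_KEY.search(e.target_object) is not None,
}

# The two documented chains: INF -> SCT -> WMI -> PowerShell, and VBS -> mshta -> PowerShell.
CHAINS = {
    "inf_sct_wmi_chain": {"inf_launched_via_advpack", "scriptlet_registered_via_scrobj",
                          "wmi_spawned_powershell"},
    "vbs_mshta_chain": {"mshta_spawned_powershell", "powershell_reads_programdata_txt"},
}


def analyse(log: str) -> Dict[str, List[str]]:
    """Return rule hits in log order and the chains those hits complete."""
    hits: List[str] = []
    for line in log.splitlines():
        if line.strip():
            event = parse_line(line)
            hits.extend(name for name, rule in RULES.items() if rule(event))
    fired = set(hits)
    return {"hits": hits, "chains": [c for c, steps in CHAINS.items() if steps <= fired]}


# Constructed sample telemetry for the first chain, with one benign record at the end.
SAMPLE_INF_CHAIN = (
    "1\tImage=C:\\Windows\\System32\\rundll32.exe\tParentImage=C:\\Office\\WINWORD.EXE"
    "\tCommandLine=rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\sample.inf,DefaultInstall\n"
    "1\tImage=C:\\Windows\\System32\\regsvr32.exe\tParentImage=C:\\Windows\\System32\\rundll32.exe"
    "\tCommandLine=regsvr32.exe /s /i:C:\\ProgramData\\sample.sct scrobj.dll\n"
    "1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "\tCommandLine=powershell.exe -w hidden -c \"$t=[IO.File]::ReadAllText('C:\\ProgramData\\sample.txt')\"\n"
    "13\tTargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\n"
    "1\tImage=C:\\Windows\\System32\\svchost.exe\tParentImage=C:\\Windows\\System32\\services.exe"
    "\tCommandLine=svchost.exe -k netsvcs\n"
)

# Constructed sample telemetry for the second chain.
SAMPLE_MSHTA_CHAIN = (
    "1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=powershell.exe -nop -w hidden -c \"gc C:\\ProgramData\\sample.txt\"\n"
)
```

Feeding `SAMPLE_INF_CHAIN` to `analyse()` completes `inf_sct_wmi_chain` while the benign svchost record fires nothing; `SAMPLE_MSHTA_CHAIN` completes `vbs_mshta_chain`.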

Most of the group’s victims are in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan, but Russia, Iran, Bahrain, Austria and Mali were also impacted. The attacks, Kaspersky notes, are geopolitically motivated, targeting sensitive personnel and organizations.

“The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services,” Kaspersky concludes.

Cyberspy Group 'Gallmaker' Targets Military, Government Organizations
11.10.2018 securityweek

A previously undocumented cyber espionage group has been targeting entities in the government, military and defense sectors since at least 2017, according to a report published on Wednesday by Symantec.

The threat actor, tracked by the security firm as Gallmaker, has launched attacks on several overseas embassies of an unnamed Eastern European country, and military and defense organizations in the Middle East.

Symantec researchers noted that Gallmaker attacks appear highly targeted, with all known victims being related to the government, military or defense sectors.

The group has been active since at least December 2017 and its most recent attacks were observed in June 2018 – a spike in Gallmaker activity was seen in April. Gallmaker has focused on cyber espionage and experts believe it's likely sponsored by a nation state.

Asked by SecurityWeek about links to other threat actors and the possible location of the hackers, Symantec noted that it tracks Gallmaker as a new cyber espionage group and said it had no information to share on who may be behind the attacks or where the attackers are located.

The security firm pointed out that Gallmaker is interesting because it does not use any actual malware in its operations and instead relies on publicly available tools – this is known in the industry as "living off the land."

Gallmaker attacks start with a specially crafted Office document most likely delivered via phishing emails. The documents are designed to exploit the Dynamic Data Exchange (DDE) protocol to execute commands in the memory of the targeted device.

"By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect," Symantec's Attack Investigations Team wrote in a blog post.

Microsoft disabled DDE last year after malicious actors started exploiting it in their attacks. However, Symantec said Gallmaker victims failed to install the Microsoft update that disabled the problematic feature.
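Because the documents carry their payload as a DDE field rather than as macros or malware on disk, a mail gateway or triage script can look for the field itself. The following scanner is an added example, not Symantec's code: it reassembles each Word field instruction from the document's fldChar/instrText runs and fldSimple attributes and reports any that begin a DDE field; the two documents it scans are constructed in memory, and the placeholder path and arguments in the sample field are made up.

```python
"""Scanner for DDE/DDEAUTO fields in .docx files, the technique described above.

Added example (not Symantec's or Gallmaker's code). Field instructions are
rebuilt from fldChar begin/end markers so that an instruction split across
several instrText runs, a common obfuscation, is still seen whole.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Iterator, List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def _w(tag: str) -> str:
    return "{%s}%s" % (W_NS, tag)


def field_instructions(xml_bytes: bytes) -> Iterator[str]:
    """Yield the full instruction string of every field in a WordprocessingML part.

    A nested field is folded into its enclosing field, which is what detection wants.
    """
    root = ET.fromstring(xml_bytes)
    for simple in root.iter(_w("fldSimple")):
        yield simple.get(_w("instr"), "")
    depth, parts = 0, []
    for el in root.iter():
        if el.tag == _w("fldChar"):
            kind = el.get(_w("fldCharType"))
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(parts)
                    parts = []
        elif el.tag == _w("instrText") and depth > 0:
            parts.append(el.text or "")


def scan_docx(data: bytes) -> List[str]:
    """Return the DDE field instructions found in a .docx given as bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Fields can also live in headers, footers and footnotes, not only document.xml.
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(zf.read(name)):
                    if DDE_FIELD.search(instr):
                        found.append(" ".join(instr.split()))
    return found


def build_docx(document_xml: str) -> bytes:
    """Wrap a document.xml string in a minimal OOXML package (constructed sample input)."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed benign document: plain text plus an ordinary PAGE field.
BENIGN_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r>'
              '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
              '</w:body></w:document>')

# Constructed malicious-style document: the DDEAUTO instruction is split over three runs
# and points at a placeholder path, not a real payload.
DDE_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText>DDE</w:instrText></w:r>'
           '<w:r><w:instrText>AUTO "C:\\\\placeholder\\\\app.exe" </w:instrText></w:r>'
           '<w:r><w:instrText>"placeholder-args"</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>Loading...</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
```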

Once they gain access to a machine, the attackers use various tools to achieve their objectives. The list includes the reverse_tcp reverse shell from Metasploit, the WindowsRoamingToolsTask PowerShell scheduler, the WinZip console, and an open source library named Rex PowerShell, which helps create PowerShell scripts for Metasploit exploits.

Researchers also noticed that the attackers have deleted some of their tools from compromised machines once they were done, likely in an effort to hide their activities.

Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company
1.10.2018 securityaffairs

Estonia sues Gemalto for 152 million euros following the security flaws in the citizen ID cards issued by the company that caused their recall in 2017.
Estonian authorities sue the security firm Gemalto for 152 million euros following the security flaws in the citizen ID cards issued by the company that caused their recall in 2017.

“Estonian police are seeking to recover 152 million euros ($178 mln) in a lawsuit filed on Thursday against digital security firm Gemalto, following a recall last year when security flaws were found in citizen ID cards produced by the firm,” Reuters reported.

“The vulnerabilities to hacker attacks found in government- issued ID cards supplied by the Franco-Dutch company marked an embarrassing setback for Estonia, which has billed itself as the world’s most digitalised “e-government”.”

In November 2017, Estonia announced that it would suspend the security digital certificates of up to 760,000 state-issued electronic ID cards that use the buggy chips, to mitigate the risk of identity theft.

The decision came after IT security researchers discovered a vulnerability in the chips used in the cards, manufactured by the Gemalto-owned company Trub AG, that opens the door to malware-based attacks.


At the time, Estonia had issued 1.3 million electronic ID cards offering citizens online access to a huge number of services through the “e-government” state portal. The Estonian electronic ID cards have been manufactured by the Swiss company Trub AG and its successor Gemalto AG since 2001.

According to Estonia’s Police and Border Guard Board (PPA), Gemalto failed to keep the private keys protected inside the card’s chip, leaving the government IDs vulnerable to cyber attack.

“It turned out that our partner had violated this principle for years, and we see this as a very serious breach of contract,” said PPA’s deputy director-general Krista Aas.

Estonia, which had used Gemalto and its predecessor for the supply of ID cards since 2002, replaced them with the company Idemia.

“The PPA also said it planned to file separate claims for other breaches of the contract. Estonia had used Gemalto and its predecessor for its ID cards since 2002, but replaced the manufacturer with Idemia after it found serious security flaws last year,” Reuters continues.

Gemalto hasn’t yet commented on the news.

Russian Cyberspies Use UEFI Rootkit in Attacks
27.9.2018 securityweek
APT  CyberSpy

Russian cyber-espionage group Fancy Bear is the first threat actor to have used a Unified Extensible Firmware Interface (UEFI) rootkit in a malicious campaign, ESET’s security researchers claim.

Several years ago, Italy-based surveillance software maker Hacking Team was said to have used a UEFI rootkit to ensure the persistence of its software on targeted systems, but no UEFI rootkit had “ever been detected in the wild,” the security firm claims.

A recently discovered Fancy Bear campaign, however, changes that: the actor was able to successfully deploy a malicious UEFI module on a victim’s system. Not only does this prove that UEFI rootkits are a real threat, but also shows that Fancy Bear may be even more dangerous than thought, ESET says.

Active for the past decade and a half, the actor, which is also referred to as APT28, Strontium, Sofacy and Sednit, is believed to have orchestrated a variety of high profile attacks, such as the DNC hack before the US 2016 elections.

Earlier this year, after the group’s Zebrocy malware was found on systems infected with Turla’s Mosquito backdoor, security researchers concluded that the threat actor’s activities overlap with other state-sponsored operations.

“Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement,” ESET reveals in a report published today.

In May, Fancy Bear was revealed to have abused LoJack (a Trojanized version of the tool, which ESET calls LoJax) in their attacks. Deeper analysis of the campaign revealed not only that the actor attempted to mimic the tool’s persistence method, but also that additional tools were used for accessing and modifying UEFI/BIOS settings.

These include a kernel driver and three tools to (1) dump information about low level system settings, (2) save an image of the system firmware, and (3) add a malicious UEFI module to the image. The third tool would then write the modified firmware image back to the SPI flash memory, thus effectively installing the UEFI rootkit on the system.

“If the platform allows write operations to the SPI flash memory, it will just go ahead and write to it. If not, it actually implements an exploit against a known vulnerability,” ESET reveals.

The UEFI rootkit was designed to drop malware onto the Windows operating system partition and make sure that it is executed at startup.

The observed LoJax samples used command and control (C&C) servers previously associated with Fancy Bear’s SedUploader first-stage backdoor, which, combined with the presence of other Sednit tools on LoJax-infected machines (SedUploader, XAgent backdoor, and Xtunnel network proxy tool), suggested that this threat actor was behind the attacks.

Sednit’s UEFI rootkit, ESET discovered, is not properly signed, meaning that Secure Boot would be able to block it. The security researchers also note that the attack can write the modified firmware image only if SPI flash memory protections are vulnerable or misconfigured.

“The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats and such targets should always be on the lookout for signs of compromise. Also, one thing that this research taught us is that it is always important to dig as deep as you can go!” ESET concludes.

Swiss, Russian FMs to Meet Next Week on Spy Row
20.9.2018 securityweek

Switzerland's foreign minister said Monday that he will meet his Russian counterpart next week after details emerged of alleged attempts by two Russian spies to hack sensitive Swiss targets.

Swiss officials have said that Russian agents, arrested in the Netherlands earlier this year, launched separate cyber attacks on the Spiez laboratory in Bern and the Lausanne office of the World Anti-Doping Agency (WADA).

The lab, which does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), was investigating the poisoning of Russian double agent Sergei Skripal in Britain.

WADA for its part has been a thorn in Moscow's side for several years over drug cheating in Russian sport.

Switzerland's foreign minister Ignazio Cassis told public radio broadcaster SRF that he will meet his Russian counterpart Sergei Lavrov next week to discuss what he called the "escalation" of Russian espionage on Swiss soil.

Foreign ministry spokesman Pierre-Alain Eltschinger told AFP that the meeting will take place in New York, on the sidelines of the United Nations General Assembly.

"Activities by intelligence agencies happen daily, not just by Russia but by other states," Cassis said.

"But there is now a certain escalation with Russia," he added.

"We've had various bilateral contacts at different levels this year to clearly state that we will not tolerate such activities in Switzerland."

Cassis also said that Switzerland had in recent weeks denied accreditation to "certain Russian diplomats".

Lavrov has condemned reports that Moscow's spies targeted the Spiez lab, saying he could not believe the arrests would not have been picked up at the time by the media.

NSO mobile Pegasus Spyware used in operations in 45 countries
19.9.2018 securityaffairs

A new report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.
A new investigation by Citizen Lab revealed that the powerful Pegasus mobile spyware was used against targets across 45 countries around the world over the last two years.

Pegasus is surveillance malware developed by the Israeli surveillance vendor NSO Group that can infect both iPhones and Android devices; it is sold exclusively to governments and law enforcement agencies.

Earlier in August, Citizen Lab shared evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab also uncovered attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

Country         Targets      Source                  Year
Panama          Up to 150    Univision               2012-2014
UAE             1            Citizen Lab             2016
Mexico          22           Citizen Lab             2016
Saudi Arabia    2            Amnesty, Citizen Lab    2018
A report published by Amnesty International confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

Now a new report published by Citizen Lab shows that the number of Pegasus infections is greater than initially thought.

Between August 2016 and August 2018, the researchers scanned the web for servers associated with Pegasus spyware and uncovered 36 distinct Pegasus systems in 45 countries by using a novel technique dubbed Athena.

The experts found 1,091 IP addresses that matched their fingerprint and 1,014 domain names that pointed to them.


At least ten of the NSO operators identified appear to be actively engaged in cross-border surveillance, and at least six countries with significant Pegasus operations (Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates) have been accused in the past of spying on civil society.

“We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.” reads the report published by Citizen Lab.

“Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.”

Pegasus infections were observed in Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.


The experts determined the location of the infections using country-level geolocation of DNS servers, but they warn of possible inaccuracies because targets could have used VPNs or satellite connections.

An NSO Group spokesperson released a statement in response to the report, highlighting that the company has never broken any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” reads the statement from NSO Group spokesperson Shalev Hulio.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group also denied selling in many of the countries listed in the report.

Russian Spies Arrested on Suspicion of Plans to Hack Swiss Laboratory
15.9.2018 securityweek CyberSpy

Dutch 'Expelled Two Russian Spies Over Novichok Lab Plot'

Dutch intelligence services arrested two alleged Russian spies on suspicion of planning to hack a Swiss laboratory investigating the poisoning of double agent Sergei Skripal, reports and officials said Friday.

The two agents, believed to be working for Russia's GRU military intelligence service, targeted the Spiez laboratory near Bern, the Dutch newspaper NRC and the Swiss daily Tages-Anzeiger said.

They were arrested earlier this year and then expelled by the Netherlands, the papers said.

But Russian Foreign Minister Sergei Lavrov condemned the reports, saying he could not believe the arrests would not have been picked up at the time by the media.

The two were detained "early this year" by Dutch military intelligence (MIVD) working together with several other countries, and then expelled from the Netherlands, the newspapers reported.

"The duo, according to sources within the investigation, carried equipment which they wanted to use to break into the computer network" of the Spiez laboratory.

At the time, Spiez was analysing data related to poison gas attacks in Syria, as well as the March 4 attack using the nerve agent Novichok on Russian double agent Sergei Skripal and his daughter in Salisbury, they reported.

The laboratory does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), the global chemical arms watchdog.

Exact details of the alleged agents' arrest are unknown.

But on March 26, Dutch Prime Minister Mark Rutte announced that his cabinet had decided to expel "two Russian intelligence workers from the Russian embassy" as a result of the Skripal attack, without giving further details.

Swiss intelligence officials Friday confirmed they were aware of the incident.

- 'In the crosshairs' -

"The case of the Russian spies discovered in The Hague and then expelled from The Hague is known to Swiss authorities," Isabelle Graber, spokeswoman for the Swiss intelligence services (SRC), told AFP.

The Swiss spy agency "actively participated in this operation in collaboration with its Dutch and British partners in prevention of illegal actions against critical Swiss infrastructure," she said.

The Spiez laboratory confirmed it had been targeted by hackers earlier this year, but had no comment on the specific claims about the Russians arrested by the Netherlands.

"We had indications in the past few months that we were in the crosshairs of some hacking attempts and took precautions and weren't compromised," Andreas Bucher, a spokesman for the Spiez lab, told AFP.

Bucher cited a case in June where hackers took documents from the lab's website and "distributed a very malicious malware virus" to affiliated agencies.

The same malware was used to attack the Winter Olympics in South Korea, he added.

Dutch intelligence services declined to comment when contacted by AFP, saying "we don't give information about operations".

Russia's SVR foreign intelligence service information head Sergei Ivanov also told the RIA Novosti state news agency that "the SVR does not comment on this information".

However, in April Lavrov accused the OPCW of "manipulating" the results of the Skripal probe by omitting findings from the Spiez laboratory.

According to the results from Spiez, the samples sent by the OPCW contained a nerve agent called "BZ" which was manufactured by the West, Lavrov said, citing "confidential information".

Commenting on the latest reports, Lavrov said "I cannot believe that such an event involving three European countries escaped the attention of the media," seemingly implying that it did not happen.

Two men who were accused by Britain of being GRU agents involved in the murder attempt on Skripal insisted in an interview that they were merely tourists who had come to visit Salisbury cathedral.

But the two men in the interview, named by British security services as Alexander Petrov and Ruslan Boshirov, "were not the two agents intercepted" by the Netherlands, the papers said.

China-linked Hackers Use Signed Network Filtering Driver in Recent Attacks
10.9.2018 securityweek CyberSpy

A cyber-espionage group believed to be operating out of China has been using a digitally signed network filtering driver as part of recent attacks, Kaspersky Lab reports.

Tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, the actor has been active since at least 2010, hitting hundreds of organizations worldwide (U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others).

Over the past several months, the actor has been abusing the digitally signed 32- and 64-bit network filtering driver NDISProxy to inject a previously unknown Trojan into the memory of the lsass.exe system process.

The most interesting aspect of the incidents, however, was that the driver was signed with a digital certificate belonging to Shenzhen, Guangdong-based information security software developer LeagSoft. The company was notified of the certificate abuse.

The campaign is highly targeted at Central Asian government entities, and Kaspersky is confident that LuckyMouse is behind it.

As part of the campaign, the actor used a dropper that was presumably distributed through already-compromised networks rather than through spear-phishing emails. The executable files can install either the 32-bit or the 64-bit driver, depending on the target, and log every step of the installation process.

The installer creates an autorun Windows service that runs NDISProxy, which gives the malware persistence, and it also stores the encrypted in-memory Trojan in the system registry. The network filtering driver decrypts the Trojan and injects it into memory; it also filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to embed the command and control (C&C) communication in it.

The final payload in the attack is a C++ Trojan that works as an HTTPS server and which waits passively for communications from the C&C.

These three modules (installer, driver, and Trojan) allow the attackers to move laterally across the infected infrastructure without being noticed. However, because an infected host that only has a LAN IP cannot reach the C&C directly, the Earthworm SOCKS tunneler is used to connect the LAN of the infected host to the external C&C server.

“They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) which they use to spread malware with administrative passwords, compromised with keyloggers,” Kaspersky reveals.

The injected Trojan is a full-featured RAT that can execute common tasks on the compromised machine, including running commands and downloading/uploading files. The malware is used for data harvesting, lateral movement, and the creation of SOCKS tunnels to the C&C.

The use of the publicly available Earthworm tunneler is common among Chinese-speaking actors, and one of the commands used by the attackers creates a tunnel to a previously known LuckyMouse server. Paired with the choice of victims in this campaign, this suggests that LuckyMouse is behind the attacks, Kaspersky says.

“We have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly available tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in this report). We have also observed how different actors adopt code from GitHub repositories on a regular basis. All this combines to make attribution more difficult,” Kaspersky concludes.

Hackers can easily access 3D printers exposed online for sabotage and espionage
5.9.2018 securityaffairs CyberSpy

Security researchers at the SANS Internet Storm Center discovered that thousands of 3D printers are exposed online without proper protection.
The news is worrisome: thousands of 3D printers are exposed online to remote cyber attacks. According to the experts at the SANS Internet Storm Center, who scanned the internet for vulnerable 3D printers, a Shodan query found more than 3,700 OctoPrint interfaces exposed online, most of them (1,600) in the United States.

OctoPrint is a free and open source web interface for 3D printers that can be used to remotely monitor and control the devices.


Users can control print jobs through the interface, so unauthorized access could be used for malicious activities, including sabotage and cyber espionage.

“So, what can go wrong with this kind of interface? It’s just another unauthenticated access to an online device. Sure but the printer owners could face very bad situations.” reads the analysis published by the experts.

“The interface allows downloading the 3D objects loaded in the printer. Those objects are in G-code format[2]. To make it simple, G-code is a language in which people tell computerized machine tools how to make something. G-code files are simple text files and are not encrypted:”

Experts warn that G-code files can be downloaded and manipulated by attackers for sabotage, and that they can also leak trade secrets.

“Indeed, many companies' R&D departments are using 3D printers to develop and test some pieces of their future product.” the experts continue.


“Worse, what if the attacker downloads a G-code file, alters it and re-uploads it. By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used.” the experts conclude.

“Think about 3D-printer guns[4] but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

Experts also highlighted that 3D printers could be used to start a fire, given the high temperatures reached during printing. Attackers can likewise abuse the monitoring feature, which relies on an embedded webcam that can be accessed remotely.

The OctoPrint development team recommends enabling the Access Control feature so that not just anyone can remotely gain full control over the printer, and urges the implementation of additional measures to secure 3D printers if remote access is required.

“If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint,” states the OctoPrint documentation.
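The layered setup the OctoPrint documentation describes (Access Control plus a VPN, or at least HTTP basic auth on a layer above OctoPrint), as an added reverse-proxy example that is not part of the SANS post or of OctoPrint's own documentation. It assumes OctoPrint itself is bound to 127.0.0.1:5000, that the webcam stream is served locally on 127.0.0.1:8080, that VPN clients arrive from the placeholder subnet 10.8.0.0/24, and that the hostname, certificate paths and htpasswd file are placeholders to be replaced.

```nginx
# Added example: nginx in front of OctoPrint. OctoPrint's own Access Control
# stays enabled; this proxy adds network and authentication layers on top.
# Assumptions (placeholders): hostname, TLS paths, VPN subnet, htpasswd file.

# Send any plain-HTTP request to HTTPS so credentials never travel in clear.
server {
    listen 80;
    server_name printer.example.internal;      # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name printer.example.internal;      # placeholder hostname

    ssl_certificate     /etc/nginx/tls/octoprint.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/octoprint.key;   # placeholder path

    # Layer 1: network restriction. Only VPN clients can reach the login page;
    # a Shodan-style scan from the public internet gets a 403, not an interface.
    allow 10.8.0.0/24;                         # placeholder VPN client subnet
    deny  all;

    # Layer 2: HTTP basic auth above OctoPrint, as the documentation suggests
    # for the case where a VPN is not possible. Users file created with
    # `htpasswd -B /etc/nginx/octoprint.htpasswd <user>`.
    auth_basic           "OctoPrint";
    auth_basic_user_file /etc/nginx/octoprint.htpasswd;

    # The web UI, REST API and G-code upload/download all live under /.
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_http_version 1.1;

        # OctoPrint's UI keeps a websocket open; forward the upgrade headers.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # OctoPrint reads X-Scheme to generate https:// links behind a proxy.
        proxy_set_header X-Scheme          $scheme;
    }

    # The webcam stream mentioned in the article sits behind the same two
    # layers, so the monitoring feature is not reachable anonymously either.
    location /webcam/ {
        proxy_pass http://127.0.0.1:8080/;     # assumed local mjpg stream
        proxy_set_header Host $host;
    }
}
```

OctoPrint's Access Control is still enabled separately in its own settings; the proxy does not replace it, it only ensures that an unauthenticated OctoPrint instance is never what the internet sees.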

Lawsuit Lays Bare Israel-made Hack Tools in Mideast, Mexico
4.9.2018 securityweek  CyberSpy

PARIS (AP) — One day late last year, Qatari newspaper editor Abdullah Al-Athbah came home, removed the SIM card from his iPhone 7 and smashed it to pieces with a hammer.

A source had just handed Al-Athbah a cache of emails suggesting that his phone had been targeted by hacking software made by Israel's NSO Group. He told The Associated Press he considered the phone compromised.

"I feared that someone could get back into it," he said in an interview Friday. "I needed to protect my sources."

Al-Athbah, who edits Qatar's Al-Arab newspaper, now has a new phone, a new SIM card and a new approach to email attachments and links. He says he never opens anything, "even from the most trusted circles in my life."

Al-Athbah's discovery touched off a process that has led, months later, to parallel lawsuits filed in Israel and Cyprus — and provided a behind-the-scenes look at how government-grade spyware is used to eavesdrop on everyone from Mexican reporters to Arab royalty.

The NSO Group did not immediately return messages seeking comment.

The first lawsuit, filed in a Tel Aviv court on Thursday, carries a claim from five Mexican journalists and activists who allege they were spied on using NSO Group software. The second, filed in Cyprus, adds Al-Athbah to the list of plaintiffs.

Both draw heavily on the leaked material handed to the editor several months ago. Portions of the material — which appears to have been carefully picked and exhaustively annotated by an unknown party — appear to show officials in the United Arab Emirates discussing whether to hack into the phones of senior figures in Saudi Arabia and Qatar, including members of the Qatari royal family.

Al-Athbah declined to identify his source and the AP was not immediately able to verify the authenticity of the material, some of which has already been entered into evidence in the Israeli case, according to Mazen Masri, a member of Al-Athbah's legal team. But The New York Times, which first reported on the lawsuits earlier Friday, indicated that it had verified some of the cache, including a reference to an intercepted telephone conversation involving senior Arab journalist Abdulaziz Alkhamis. The Times said Alkhamis confirmed having had the conversation and said he was unaware that he was under surveillance.

The parallel lawsuits underline the growing notoriety of the NSO Group, which is owned by U.S. private equity firm Francisco Partners.

One of the Mexican plaintiffs, childhood anti-obesity campaigner Alejandro Calvillo, drew global attention last year when he was revealed to have been targeted using the Israeli company's spyware. The NSO Group's programs have since been implicated in a massive espionage scandal in Panama. A month ago, respected human rights organization Amnesty International accused the company of having crafted the digital tools used to target one of its staffers.

The five Mexican plaintiffs, who were advised by the Mexico City-based digital activism group widely known by its acronym R3D, are seeking 2.5 million Israeli shekels ($693,000) in compensation and an injunction to prevent the NSO Group from helping anyone spy on them.

Al-Athbah said he wanted the case to go even further and spawn restrictions on the trade in hacking tools.

"I hope selling such technology should be stopped very soon," he said.

BusyGasper spyware remained undetected for two years while spying Russians
31.8.2018 securityaffairs  Android  CyberSpy

Security experts from Kaspersky Lab have uncovered a new strain of Android malware, dubbed BusyGasper, that remained hidden for two years.
The BusyGasper Android spyware has been active since May 2016 and implements features that are unusual for this type of malware. Experts describe it as a unique spy implant with stand-out features such as device sensor listeners. BusyGasper can spy on all device sensors, enable GPS/network tracking, and run multiple initial commands if an incoming SMS contains a specific string.

The malware has an incredibly wide-ranging protocol: it supports about 100 commands and is able to bypass the Doze battery saver.

BusyGasper can exfiltrate data from several messaging applications, including WhatsApp, Viber and Facebook, and implements keylogging capabilities.

“Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat.” reads the report published by Kaspersky.

“The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz.”

According to the researchers, the malware is installed manually through physical access to the target devices. Kaspersky has identified fewer than 10 victims to date, all of them located in Russia.

The malware also supports the IRC protocol, which is very uncommon for Android malware.

The malicious code can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.

The analysis of the malware revealed the attackers used the malware to gather victims’ personal data, including messages from IM applications and SMS banking messages.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor.” continues Kaspersky.

“At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware”

The first module installed on the targeted device can be controlled over the IRC protocol and allows the attackers to deploy additional components. The module appears to have root privileges, but the malware researchers found no evidence of the use of an exploit.

The module supports a wide range of commands, including start/stop IRC, manage IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell, send commands to the second module, download and copy a component to the system path, and write a specified message to the log.

The second module writes a log of the command execution history to a file named “lock,” which is later uploaded to the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“Log files can be uploaded to the FTP server and sent to the attacker’s email inbox. It’s even possible to send log messages via SMS to the attacker’s number.” continues Kaspersky.

“As the screenshot above shows, the malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter. A full list of all possible commands with descriptions can be found in Appendix II below.”

Experts also discovered a hidden menu that could be used for manual operator control; it can be activated if the operator calls the hardcoded number “9909” from the infected device.

Kaspersky included in the report the IoCs.

IT threat evolution Q2 2018
8.8.2018 Kaspersky CyberSpy

Targeted attacks and malware campaigns
Operation Parliament
In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the MENA (Middle East and North Africa) region, especially Palestine. The attacks, which started early in 2017, target parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others.

The attackers have taken great care to stay under the radar, imitating another attack group in the region. The targeting of victims is unlike that of previous campaigns in the Middle East, by Gaza Cybergang or Desert Falcons, and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 (Command-and-Control) servers. The attacks seem to have slowed down since the start of 2018, probably after the attackers achieved their objectives.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute any scripts or commands and receive the result via HTTP requests.

This campaign is a further symptom of escalating tensions in the Middle East.

Energetic Bear
Crouching Yeti (aka Energetic Bear) is an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing e-mails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC).

In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017.

Our findings are as follows.

With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
The diversity of victims may indicate the diversity of the attackers’ interests.
It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.
You can read the full report here.

The use of mobile platforms for cyber-espionage has been growing in recent years – not surprising, given the widespread use of mobile devices by businesses and consumers alike. ZooPark is one such operation. The attackers have been focusing on targets in the Middle East since at least June 2015, using several generations of malware to target Android devices, which we have labelled versions one to four.

Each version marks a progression – from very basic first and second versions, to the commercial spyware fork in the third version and then to the complex spyware that is the fourth version. The last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

This suggests that the latest version may have been bought from a vendor of specialist surveillance tools. This wouldn’t be surprising, since the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East. At this point, we cannot confirm attribution to any known threat actor. If you would like to learn more about our intelligence reports, or request more information on a specific report, contact us at intelreports@kaspersky.com.

We have seen two main distribution vectors for ZooPark – Telegram channels and watering-holes. The second of these has been the preferred method: we found several news websites that have been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in the campaign include ‘Kurdistan referendum’, ‘TelegramGroups’ and ‘Alnaharegypt news’, among others.

The target profile has evolved in the last few years of the campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.

Some of the samples we have analyzed provide clues about the intended targets. For example, one sample mimics a voting application for the independence referendum in Kurdistan. Other possible high-profile targets include the United Nations Relief and Works Agency (UNRWA) for Palestine refugees in the Near East in Amman, Jordan.

The king is dead, long live the king!
On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents.

This turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability.

The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode.

Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document).

To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In May, researchers from Cisco Talos published the results of their investigation into VPNFilter, malware used to infect different brands of routers – mainly in Ukraine, although affecting routers in 54 countries in total. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

Further research by Cisco Talos showed that the malware is able to infect more than just targeted devices. It is also spread into networks supported by the device, thereby extending the scope of the attack. Researchers also identified a new stage-three module capable of injecting malicious code into web traffic.

The C2 mechanism has several stages. First, the malware tries to visit a number of gallery pages hosted on ‘photobucket[.]com’ and fetches the image from the page. If this fails, the malware tries to fetch an image from the hard-coded domain ‘toknowall[.]com’ (this C2 domain is currently sink-holed by the FBI). If this fails also, the malware goes into passive backdoor mode, in which it processes network traffic on the infected device, waiting for the attacker’s commands. Researchers in the Global Research and Analysis Team (GReAT) at Kaspersky Lab analyzed the EXIF processing mechanism.

One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

In March 2018, we detected an ongoing campaign targeting a national data center in Central Asia. The choice of target of the campaign, which has been active since autumn 2017, is especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks.

We attribute this campaign to the Chinese-speaking threat actor LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain, update.iaacstudio[.]com, was previously used by this group and because they have previously targeted government organizations, including those in Central Asia.

The initial infection vector used in the attack against the data centre is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

The attackers used the HyperBro Trojan as their last-stage, in-memory remote administration tool (RAT), and their anti-detection launcher and decompressor make extensive use of the Metasploit ‘shikata_ga_nai’ encoder as well as LZNT1 compression.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address that belongs to a Ukrainian ISP network, held by a MikroTik router using version 6.34.4 (March 2016) of the firmware with SMBv1 on board. We suspect that this router was hacked as part of the campaign in order to process the malware’s HTTP requests.

The initial module drops three files that are typical for Chinese-speaking threat actors – a legitimate Symantec pcAnywhere file (‘intgstat.exe’) for DLL side-loading, a DLL launcher (‘pcalocalresloader.dll’) and the last-stage decompressor (‘thumb.db’). As a result of all these steps, the last-stage Trojan is injected into the process memory of ‘svchost.exe’.

The launcher module, obfuscated with the notorious Metasploit ‘shikata_ga_nai’ encoder, is the same for all the droppers. The resulting de-obfuscated code performs typical side-loading: it patches the pcAnywhere image in memory at its entry-point. The patched code jumps back to the second ‘shikata_ga_nai’ iteration of the decryptor, but this time as part of the white-listed application.

The Metasploit encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps ‘thumb.db’ into the memory of the same process (i.e. pcAnywhere). The first instructions in the mapped ‘thumb.db’ are for a new iteration of ‘shikata_ga_nai’. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with ‘RtlCompressBuffer()’ using LZNT1 and maps it into memory.

Olympic Destroyer
In our first report on Olympic Destroyer, the cyberattack on the PyeongChang Winter Olympics, we highlighted a specific spear-phishing attack as the initial infection vector. The threat actor sent weaponized documents, disguised as Olympic-related content, to relevant persons and organizations.

We have continued to track this APT group’s activities and recently noticed that they have started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we have analysed, indicate that the attackers behind Olympic Destroyer are now targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine.

The group continues to use a non-executable infection vector and highly obfuscated scripts to evade detection.

The earlier Olympic Destroyer attacks – designed to destroy and paralyse infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. It’s possible that the new activities are part of another reconnaissance stage that will be followed by a wave of destructive attacks with new motives. This is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware is being used by several groups with different interests. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state threat actors. However, it’s also possible that the financial targets might be another false flag operation by a threat actor that has already shown that they excel at this during their last campaign.

It would be possible to draw certain conclusions about who is behind this campaign, based on the motives and selection of targets. However, it would be easy to make a mistake with only the fragments of the picture that are visible to researchers. The appearance of Olympic Destroyer at the start of this year, with its sophisticated deception efforts, changed the attribution game forever. In our view, it is no longer possible to draw conclusions based on a few attribution vectors discovered during a regular investigation. The response to threats such as Olympic Destroyer should be based on co-operation between the private sector and governments across national borders. Unfortunately, the current geo-political situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

Malware stories
Leaking ads
When we download popular apps with good ratings from official app stores, we assume they are safe. This is partially true, because usually these apps have been developed with security in mind and have been reviewed by the app store’s security team. Recently, we looked at 13 million APKs and discovered that around a quarter of them transmit unencrypted data over the internet. This was unexpected, because most apps were using HTTPS to communicate with their servers. But among the HTTPS requests, there were unencrypted requests to third-party servers. Some of these apps were very popular – in some cases they could boast hundreds of millions of downloads. On further inspection, it became clear that the apps were exposing customer data because of third-party SDKs – with advertising SDKs usually to blame. They collect data so that they can show relevant ads, but often fail to protect that data when sending it to their servers.

In most cases the apps were exposing IMEI, IMSI, Android ID, device information (e.g. manufacturer, model, screen resolution, system version and app name). Some apps were also exposing personal information, mostly the customer’s name, age, gender, phone number, e-mail address and even their income.

Information transmitted over HTTP is sent in plain text, allowing almost anyone to read it. Moreover, there are likely to be several ‘transit points’ en route from the app to the third-party server – devices that receive and store information for a certain period of time. Any network equipment, including your home router, could be vulnerable. If hacked, it will give the attackers access to your data. Some of the device information gathered (specifically IMEI and IMSI numbers) is enough to monitor your further actions. The more complete the information, the more of an open book you are to outsiders — from advertisers to fake friends offering malicious files for download. However, data leakage is only part of the problem. It’s also possible for unencrypted information to be substituted. For example, in response to an HTTP request from an app, the server might return a video ad, which cybercriminals can intercept and replace with a malicious version. Or they might simply change the link inside an ad so that it downloads malware.
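The leak pattern described above (device and user identifiers travelling in plaintext HTTP requests to third-party ad and analytics hosts) can be checked for in captured traffic. The following is an added example for this page, not Kaspersky’s research tooling: it parses raw HTTP/1.1 requests, flags identifiers sent in the clear by parameter name, and also catches a 15-digit Luhn-valid number (the IMEI format) that travels under a non-obvious key. The requests, hostnames and IMEI value are constructed for the example; the parameter list is an assumed starting point to extend.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that ad/analytics SDKs commonly use for identifiers.
# Assumption: a starting list for an audit, not a complete one.
SENSITIVE_KEYS = {
    "imei": "IMEI", "imsi": "IMSI", "android_id": "Android ID", "androidid": "Android ID",
    "email": "e-mail address", "phone": "phone number", "msisdn": "phone number",
    "age": "age", "gender": "gender", "income": "income",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DIGITS15_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")

# Constructed sample capture (hosts use the reserved .invalid TLD; the IMEI is a
# commonly cited test value, not a real device).
SAMPLE_REQUESTS = [
    # (1) ad beacon leaking identifiers in the query string
    "GET /v1/ad?imei=490154203237518&model=SM-G950&email=jane%40example.com HTTP/1.1\r\n"
    "Host: ads.sdk-vendor.invalid\r\nUser-Agent: okhttp/3.10\r\n\r\n",
    # (2) analytics POST carrying the IMEI under a non-obvious key
    "POST /collect HTTP/1.1\r\nHost: stats.sdk-vendor.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "d=490154203237518&ev=app_open",
    # (3) harmless request: no identifiers
    "GET /config.json HTTP/1.1\r\nHost: cdn.app-vendor.invalid\r\n\r\n",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check; the 15th digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_request(raw: str):
    """Split a plaintext HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def find_identifiers(raw: str) -> dict:
    """Return {label: value} for identifiers sent in the clear in one request."""
    _method, target, headers, body = parse_request(raw)
    findings = {}
    params = parse_qsl(urlsplit(target).query)
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body)
    for key, value in params:
        label = SENSITIVE_KEYS.get(key.lower())
        if label:
            findings[label] = value
    # Identifiers hidden under arbitrary keys: any Luhn-valid 15-digit run.
    for m in DIGITS15_RE.finditer(raw):
        if luhn_ok(m.group()):
            findings.setdefault("IMEI", m.group())
    for m in EMAIL_RE.finditer(raw):
        findings.setdefault("e-mail address", m.group())
    return findings


def audit(requests):
    """List (host, target, findings) for every request that leaks identifiers."""
    report = []
    for raw in requests:
        _method, target, headers, _body = parse_request(raw)
        findings = find_identifiers(raw)
        if findings:
            report.append((headers.get("host", "?"), target, findings))
    return report


if __name__ == "__main__":
    for host, target, findings in audit(SAMPLE_REQUESTS):
        print(f"{host}{target}: {findings}")
```

Run over a real capture, the input would be the plaintext requests reassembled from port-80 streams; anything reported is data an on-path observer (a hotspot, a compromised home router) sees verbatim, which is the exposure the paragraph describes.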

You can find the research here, including our advice to developers and consumers.

SynAck targeted ransomware uses the Doppelganging technique
In April 2018, we saw a version of the SynAck ransomware Trojan that employs the Process Doppelganging technique. This technique, first presented in December 2017 at the BlackHat conference, has been used by several threat actors to try and bypass modern security solutions. It involves using NTFS transactions to launch a malicious process from the transacted file so that it looks like a legitimate process.

Malware developers often use custom packers to try and protect their code. In most cases, they can be effortlessly unpacked to reveal the original Trojan executable so that it can then be analyzed. However, the authors of SynAck obfuscated their code prior to compilation, further complicating the analysis process.

SynAck checks the directory where its executable is started from. If an attempt is made to launch it from an ‘incorrect’ directory, the Trojan simply exits. This is designed to counter automatic sandbox analysis.

The Trojan also checks to see if it is being launched on a PC with the keyboard set to a Cyrillic script. If it is, it sleeps for 300 seconds and then exits, to prevent encryption of files belonging to victims from countries where Cyrillic is used.

Like other ransomware, SynAck uses a combination of symmetric and asymmetric encryption algorithms. You can find the details here.

The attacks are highly targeted, with a limited number of attacks observed against targets in the US, Kuwait, Germany and Iran. The ransom demands can be as high as $3,000.

Roaming Mantis
In May we published our analysis of a mobile banking Trojan, Roaming Mantis. We called it this because of its propagation via smartphones roaming between different Wi-Fi networks, although the malware is also known as ‘Moqhao’ and ‘XLoader’. This malicious Android app is spread using DNS hijacking through compromised routers. The victims are redirected to malicious IP addresses used to install malicious apps – called ‘facebook.apk’ and ‘chrome.apk’. The attackers count on the fact that victims are unlikely to be suspicious as long as the browser displays the legitimate URL.

The malware is designed to steal user information, including credentials for two-factor authentication, and give the attackers full control over compromised Android devices. The malware seems to be financially motivated and the low OPSEC suggests that this is the work of cybercriminals.

Our telemetry indicates that the malware was detected more than 6,000 times between February 9 and April 9, although the reports came from just 150 unique victims – some of whom saw the same malware appear again and again on their network. Our research revealed that there were thousands of daily connections to the attackers’ C2 infrastructure.

The malware contains Android application IDs for popular mobile banking and game applications in South Korea. It seems the malicious app was initially targeted at victims in South Korea and this is where the malware was most prevalent. We also saw infections in China, India and Bangladesh.

It’s unclear how the attackers were able to hijack the router settings. If you are concerned about DNS settings on your router, you should check the user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support. We would also strongly recommend that you change the default login and password for the admin web interface of the router, don’t install firmware from third-party sources and update the router firmware regularly to prevent similar attacks.

Some clues left behind by the attackers – for example, comments in the HTML source, malware strings and a hardcoded legitimate website – point to Simplified Chinese. So we believe the cybercriminals are familiar with both Simplified Chinese and Korean.

Following our report, we continued to track this campaign. Less than a month later, Roaming Mantis had rapidly expanded its activities to include countries in Europe, the Middle East and beyond, supporting 27 languages in total.

The attackers also extended their activities beyond Android devices. On iOS, Roaming Mantis uses a phishing site to steal the victim’s credentials. When the victim connects to the landing page from an iOS device, they are redirected to a fake ‘http://security.apple.com/’ webpage where the attackers steal the user ID, password, card number, card expiry date and CVV.

On PCs, Roaming Mantis runs the CoinHive mining script to generate crypto-currency for the attackers – drastically increasing the victim’s CPU usage.

The evasion techniques used by Roaming Mantis have also become more sophisticated. They include a new method of retrieving the C2 by using the e-mail POP protocol, server-side dynamic auto-generation of APK file/filenames and the inclusion of an additional command to potentially assist in identifying research environments.

The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

If it’s smart, it’s potentially vulnerable
Our many years of experience in researching cyberthreats suggests that if a device is connected to the internet, eventually someone will try to hack it. This includes children’s CCTV cameras, baby monitors, household appliances and even children’s toys.

This also applies to routers – the gateway into a home network. In May, we described four vulnerabilities and hardcoded accounts in the firmware of the D-Link DIR-620 router – this runs on various D-Link routers supplied to customers by one of the biggest ISPs in Russia.

The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data – for example, configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system. The issues were originally identified in firmware version 1.0.37, although some of the discovered vulnerabilities were also identified in other versions of the firmware.

You can read the details on the vulnerabilities here.

In May, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities.

Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server itself, without relying solely on the system. As a result, the others are vulnerable to Man-in-the-Middle (MitM) attacks—intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

GPS trackers have been used successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application. For this, they need to be upgraded with new ‘user communication interfaces’ and ‘trained’ to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, potentially endangering both users and pets.

Some of our researchers recently looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data.

Not only was it possible to work out if the wearer is sitting or walking, but also to figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to determine the moments when a computer password was entered with 96 per cent accuracy, and when a PIN code was entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information.

In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

An MitM extension for Chrome
Many browser extensions make our lives easier, hiding obtrusive advertising, translating text, helping us to choose the goods we want in online stores, etc. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. Then there are extensions whose main aim is to steal money. In the course of our work, we analyse a large number of extensions from different sources. Recently, a particular browser extension caught our eye because it communicated with a suspicious domain.

This extension, named ‘Desbloquear Conteúdo’ (which means ‘Unblock Content’ in Portuguese) targeted customers of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil.

The aim of this malicious extension is to harvest logins and passwords and then steal money from the victims’ bank accounts. Such extensions are quite rare, but they need to be taken seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

By the time we published our report on this malicious extension, it had already been removed from the Chrome Web Store.

The World Cup of fraud
Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events. The FIFA World Cup is no different. Long before anyone kicked a football in Russia, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes.

This included notifications of fake lottery wins, informing recipients that they had won cash in a lottery supposedly held by FIFA or official partners and sponsors.

They typically contain attached documents congratulating the ‘winner’ and asking for personal details such as name, address, e-mail address, telephone number, etc. Sometimes such messages also contain malicious programs, such as banking Trojans.

Sometimes recipients are invited to take part in a ticket giveaway, or they are offered the chance to win a trip to a match. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update e-mail databases used to distribute more spam.

One of the most popular ways to steal banking and other credentials is to create counterfeit imitations of official partner websites. Partner organizations often arrange ticket giveaways for clients, and attackers exploit this to lure their victims onto fake promotion sites. Such pages look very convincing: they are well-designed, with a working interface, and are hard to distinguish from the real thing. Some fraudsters buy SSL certificates to add further credibility to their fake sites. Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, offering prize giveaways in Visa’s name. To take part, people need to follow a link that points to a phishing site where they are asked to enter their bank card details, including the CVV/CVC code.

Cybercriminals also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid being locked out. The link in the message takes the victim to a fake account and all the data they enter is harvested by the scammers.

In the run up to the tournament, we also registered a lot of spam advertising soccer-related merchandise, though sometimes the scammers try to sell other things too – for example, pharmaceutical products.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We’ve provided some tips on how to avoid phishing scams – advice that holds good for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

More than a fifth of Wi-Fi hotspots use unreliable networks. This means that criminals simply need to be located near an access point to intercept the traffic and get their hands on people’s data. Around three quarters of all access points use WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that holds good wherever you may be – not just at the World Cup.

Iran-Linked Actor Targets U.S. Electric Utility Firms
3.8.2018 securityweek CyberSpy

Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.

Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.

Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to the DYMALLOY and ALLANITE threat actors, the group embeds a link to a resource that prompts an SMB connection in order to harvest Windows credentials.
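The credential-harvesting step above only works if a workstation is allowed to open an SMB connection to an address outside the organization, so outbound SMB to the internet is both the thing to block at the perimeter and the thing to alert on in flow logs. The following detector is an added example for this page, not Dragos’s tooling: it reads firewall flow records, keeps TCP flows to ports 445/139 that go from an inside address to an outside one, and summarizes them per source/destination pair. The flow format, addresses and times are constructed for the example (the outside addresses come from the documentation ranges, which is why the code takes an explicit list of internal networks instead of relying on ipaddress’s is_private).

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {445, 139}

# Ranges treated as "inside". RFC 1918 here; substitute your own allocation.
# ipaddress.is_private is deliberately not used: it also covers documentation
# ranges such as 203.0.113.0/24, which this sample uses as "the internet".
DEFAULT_INTERNAL = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto action".
SAMPLE_FLOWS = """\
2018-07-30T09:12:01Z 10.20.5.17 51234 203.0.113.45 445 tcp ACCEPT
2018-07-30T09:12:01Z 10.20.5.17 51235 10.20.1.5 445 tcp ACCEPT
2018-07-30T09:12:03Z 10.20.5.44 49822 198.51.100.9 443 tcp ACCEPT
2018-07-30T09:12:07Z 10.20.5.17 51240 203.0.113.45 445 tcp ACCEPT
2018-07-30T09:12:09Z 10.20.5.61 52001 203.0.113.45 139 tcp ACCEPT
2018-07-30T09:13:00Z 10.20.5.90 50011 192.0.2.77 445 tcp REJECT
"""


def parse_flow(line: str) -> dict:
    ts, src, sport, dst, dport, proto, action = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(), "action": action.upper()}


def is_internal(ip: str, internal_nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def find_external_smb(flow_lines, internal_nets=None):
    """Return {(src, dst): summary} for SMB flows from inside hosts to outside addresses."""
    internal_nets = DEFAULT_INTERNAL if internal_nets is None else internal_nets
    alerts = defaultdict(lambda: {"count": 0, "ports": set(), "actions": set(),
                                  "first": None, "last": None})
    for line in flow_lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in SMB_PORTS:
            continue
        # Inside-to-inside SMB is normal file sharing; inside-to-outside is not.
        if not is_internal(f["src"], internal_nets) or is_internal(f["dst"], internal_nets):
            continue
        a = alerts[(f["src"], f["dst"])]
        a["count"] += 1
        a["ports"].add(f["dport"])
        a["actions"].add(f["action"])
        a["first"] = a["first"] or f["ts"]
        a["last"] = f["ts"]
    return dict(alerts)


if __name__ == "__main__":
    for (src, dst), a in find_external_smb(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src} -> {dst} ports={sorted(a['ports'])} n={a['count']} "
              f"{sorted(a['actions'])} {a['first']}..{a['last']}")
```

In the constructed sample the REJECT record is what a working egress filter produces; the ACCEPT records to 203.0.113.45 are the ones to investigate, because a successful outbound SMB session to an attacker host is exactly the point at which the workstation offers its NTLM credentials.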

Next, the actor deploys scripts to install a malicious service that connects to RASPITE-controlled infrastructure and provides remote access to the victim machine.

Although it focuses on ICS-operating entities, RASPITE has yet to demonstrate an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as the widespread blackouts that hit Ukraine.

In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.

“Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.

Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks
28.7.2018 securityweek CyberSpy

A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.

The attacks, observed between May and June 2018, were attributed to the OilRig group, which is also known as APT34 and Helix Kitten. Active since around 2015, the actor was seen using two new backdoors (RGDoor and OopsIE) earlier this year, as well as a new data exfiltration technique.

Aimed at a technology services provider and a government entity in the Middle East, the new attacks were “made to appear to have originated from other entities in the same country” and employed the QUADAGENT backdoor, Palo Alto Networks reveals.

Both the backdoor and other attack artifacts have been previously associated with the OilRig group.

The samples were nearly identical to each other, but featured different command and control (C&C) servers and randomized obfuscation (performed with the open-source toolkit called Invoke-Obfuscation).

Between May and June, the actor launched three attacks, each involving a spear phishing email appearing to originate from a government agency based in the Middle East. The account was likely compromised via credential theft.

The first two attack waves (aimed at a technology services provider) targeted email addresses that weren’t easily discoverable via search engines. The emails contained an attached exe file (converted from .bat) that was designed to install the QUADAGENT backdoor and execute it.

The dropper would run silently, download the backdoor, create a scheduled task for persistence, and then execute the payload. The malware used rdppath[.]com as the C&C and would attempt to connect to it via HTTPS, then HTTP, then via DNS tunneling.
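The DNS-tunneling fallback mentioned above is the channel that survives when HTTPS and HTTP egress are filtered, and it leaves a distinctive trace in resolver logs: many unique, long, high-entropy names under one base domain, often with TXT or other non-A query types. The following scorer is an added example for this page, not Palo Alto Networks’ detection logic: it groups queries by base domain and flags groups whose subdomain portion looks like encoded data. The log format, domain names (c2.example is a placeholder, not the C&C from the article), client addresses and thresholds are all constructed or assumed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "timestamp client qtype qname".
# The 32-character labels under c2.example stand in for encoded tunnel data.
SAMPLE_DNS_LOG = """\
2018-06-12T10:00:01Z 10.1.1.23 A www.example-corp.com
2018-06-12T10:00:02Z 10.1.1.23 A cdn.example-corp.com
2018-06-12T10:00:03Z 10.1.1.23 AAAA mail.example-corp.com
2018-06-12T10:00:04Z 10.1.1.23 TXT 0123456789abcdeffedcba9876543210.c2.example
2018-06-12T10:00:05Z 10.1.1.23 TXT fedcba98765432100123456789abcdef.c2.example
2018-06-12T10:00:06Z 10.1.1.23 TXT 02468ace13579bdf02468ace13579bdf.c2.example
2018-06-12T10:00:07Z 10.1.1.23 TXT 13579bdf02468ace13579bdf02468ace.c2.example
2018-06-12T10:00:08Z 10.1.1.23 TXT 00112233445566778899aabbccddeeff.c2.example
2018-06-12T10:00:09Z 10.1.1.23 TXT ffeeddccbbaa99887766554433221100.c2.example
2018-06-12T10:00:10Z 10.1.1.40 A www.example-corp.com
"""

# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_UNIQUE_NAMES = 5     # distinct query names under one base domain
MIN_MEAN_LENGTH = 20     # average length of the part below the base domain
MIN_MEAN_ENTROPY = 3.0   # bits per character; hex/base32 payloads score near 4


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def base_domain(qname: str) -> str:
    """Naive registered-domain guess: the last two labels. Production code should
    consult the public suffix list (co.uk and similar break this rule)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_lines) -> dict:
    """Group queries by base domain and score each group for tunneling traits."""
    names, qtypes, clients = defaultdict(set), defaultdict(Counter), defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        qname = qname.lower()
        base = base_domain(qname)
        names[base].add(qname)
        qtypes[base][qtype] += 1
        clients[base].add(client)

    report = {}
    for base, qnames in names.items():
        # The "payload" is everything below the base domain (empty for the apex).
        payloads = [q[: -len(base) - 1] if q.endswith("." + base) else "" for q in qnames]
        mean_len = sum(len(p) for p in payloads) / len(payloads)
        mean_ent = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        report[base] = {
            "unique_names": len(qnames),
            "mean_length": mean_len,
            "mean_entropy": mean_ent,
            "qtypes": dict(qtypes[base]),
            "clients": sorted(clients[base]),
            "suspicious": (len(qnames) >= MIN_UNIQUE_NAMES
                           and mean_len >= MIN_MEAN_LENGTH
                           and mean_ent >= MIN_MEAN_ENTROPY),
        }
    return report


if __name__ == "__main__":
    for base, r in analyze(SAMPLE_DNS_LOG.splitlines()).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{base:20} names={r['unique_names']:3} len={r['mean_length']:5.1f} "
              f"H={r['mean_entropy']:.2f} {r['qtypes']} {flag}")
```

The three conditions are deliberately combined: a CDN produces many unique names but short, low-entropy ones, and a single long random label can be a legitimate DKIM or certificate-validation lookup, so only the combination of volume, length and entropy under one domain is worth paging someone for.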

The third wave (against the government entity) also used a simple PE file attachment, but compiled using the Microsoft .NET Framework instead of being converted. The victim was served a fake error box when executing the malware, in an attempt to reduce suspicion. Once dropped and executed, the backdoor would connect to the C&C at cpuproc[.]com.

A third sample collected by Palo Alto Networks did not use a PE attachment but relied on a Word document containing a malicious macro for delivery. The document displayed a decoy image and asked the user to enable content, but did not use additional decoy content after execution.

The use of Word documents as a delivery mechanism has been associated with the threat actor before, and the delivery of QUADAGENT in this manner was previously documented by ClearSky Cyber Security. The sample ClearSky analyzed appears identical to the one used in the attacks against the technology services provider, Palo Alto Networks says.

“While [OilRig’s] delivery techniques are fairly simple, the various tools we have attributed as part of their arsenal reveal sophistication. In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls,” the security firm concludes.

Iran-Linked 'Leafminer' Espionage Campaign Targets Middle East
28.7.2018 securityweek CyberSpy

A group of cyberspies believed to be operating out of Iran has targeted government and other types of organizations in the Middle East since at least early 2017, Symantec revealed on Wednesday.

According to the security firm, which tracks the threat actor as Leafminer, this is a previously undocumented campaign. Symantec has detected malware and tools associated with this group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries, but researchers uncovered a list – written in Iran’s Farsi language – of more than 800 targets whose systems were apparently scanned by the attackers. This list shows that the targeted countries also include the United Arab Emirates, Qatar, Bahrain, Egypt and Afghanistan.

A significant percentage of targets were in the financial, government and energy sectors, but several other industries were targeted as well.

Leafminer targets

Leafminer has used both custom-built malware and publicly available tools in its campaign. Its attack techniques include the use of compromised web servers as watering holes, scanning and exploitation of vulnerable network services, and dictionary attacks aimed at authentication services.

One of the servers used by Leafminer stored 112 files, including malware, tools and log files generated as a result of scans and post-compromise activities.

Some of the tools in Leafminer’s arsenal were linked to other groups with apparent ties to Iran. The hackers have also leveraged widely available tools and exploits, such as the Inception Framework leaked by Shadow Brokers, which includes the infamous EternalBlue exploit.

Leafminer has also developed its own malware, including Trojan.Imecab and Backdoor.Sorgu. Sorgu provides the attackers remote access to compromised machines, while Imecab provides persistent access with a hardcoded password.

Another custom tool used by the threat actor is a modified version of the popular Mimikatz post-exploitation tool. The attackers attempt to avoid detection using a technique dubbed Process Doppelgänging, which researchers disclosed late last year. Symantec has also seen attempts to find systems vulnerable to Heartbleed attacks.

Leafminer also appears to be inspired by the Russia-linked Dragonfly group. A technique used by Dragonfly in watering hole attacks has also been spotted in the Leafminer campaign, researchers said.

Symantec pointed out that the group is “eager to learn from and capitalize on tools and techniques used by more advanced threat actors” and that it has been “tracking developments in the world of cyber security.”

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” Symantec said.

Leafminer cyber espionage group targets Middle East
28.7.2018 securityaffairs CyberSpy

Hackers belonging to an Iran-linked APT group tracked as ‘Leafminer’ have targeted government and various organizations in the Middle East.
An Iran-linked APT group tracked as ‘Leafminer’ has targeted government and businesses in the Middle East.

According to the experts from Symantec, the Leafminer group has been active at least since early 2017.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017.” reads the analysis published by Symantec.

The experts detected malicious code and hacking tools associated with the cyber espionage group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries.

The extent of the group’s campaigns could be wider: the researchers uncovered a list, written in Iran’s Farsi language, of 809 targets whose systems were scanned by the attackers.

The list groups the organizations of interest by geography and industry, and it includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Most of the targets were in the financial, government and energy sectors.

Leafminer targets

The hackers used publicly available tools and custom malware in their attacks.

“On a broad level, it has followed the recent trend among targeted attack groups for “living off the land”—using a mixture of publicly available tools alongside its own custom malware.” continues the report.

“More specifically, it mimicked Dragonfly’s use of a watering hole to harvest network credentials. It also capitalized on the Shadow Brokers release of Inception Framework tools, making use of the leaked Fuzzbunch framework by developing its own exploit payloads for it.”

Researchers discovered that hackers used three main techniques for initial intrusion of target networks:

Compromised web servers used for watering hole attacks
Scans/exploits for vulnerabilities of network services
Dictionary attacks against logins of network services

While analyzing the attacks conducted by the group, the experts discovered a download URL for a malware payload used to compromise the victims. The URL pointed to a compromised web server on the domain e-qht[.]az that had been used to distribute Leafminer malware, payloads, and tools within the group and make them available for download from victim machines.

“As of early June 2018, the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers. In addition to malware and tools, the served files also included uploads of log files seemingly originating from vulnerability scans and post-compromise tools.” continues the report.

“The web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to the (deleted) domain magiccoder.ir. Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army.”

Symantec discovered two custom malware families used by the Leafminer group, tracked as Trojan.Imecab and Backdoor.Sorgu: the former provides persistent access with a hardcoded password, the latter implements classic backdoor features.

The group also leveraged a modified version of the popular Mimikatz post-exploitation tool. To avoid detection, the group used a technique dubbed Process Doppelgänging, discovered in December 2017 by researchers from the security firm enSilo.

The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” concludes Symantec.

Cyber espionage campaign targets Samsung service centers in Italy
19.7.2018 securityaffairs CyberSpy

Security researchers from the Italian security firm TG Soft have uncovered an ongoing malware campaign targeting Samsung service centers in Italy.
“TG Soft’s Research Centre (C.R.A.M.) has analyzed the campaign of spear-phishing on 2 April 2018 targeting the service centers of Samsung Italy.” reads the analysis published by TG Soft.

“The campaign analyzed is targeting only the service centers of Samsung Italy, it’s a multi-stage attack and we have monitored it until July 2018”
The campaign has similarities with the attack campaigns targeting similar electronics service centers in Russia that were discovered by Fortinet in June. The attackers’ motivation is still unclear; experts explained that the malicious code is not particularly sophisticated.

The attackers used spear-phishing emails sent to Samsung Italy service center workers. The messages carry weaponized Excel documents as attachments.

The documents trigger the CVE-2017-11882 Office Equation Editor vulnerability to infect users.
According to a technical report published by the experts, this attack and the one against Russian service centers offering maintenance and support for various electronic goods started in the same period, in March.

While Russian service centers were hit by the Imminent Monitor RAT, the attacks on Samsung Italy service centers also involved other RATs, such as NetWire and njRAT.

The quality of the spear-phishing messages was high in both campaigns; they appear to have been written by native speakers of Italian and Russian, respectively.

The attachment used in this campaign is an Excel document titled “QRS non autorizzati.xlsx,” while the phishing messages are signed with the name of the Samsung IT Service Manager, a real employee of Samsung Italia, and include the employee’s email address and phone numbers.

Samsung service centers

At the time, the experts were not able to attribute the attack to a specific threat actor. Electronics service centers do not appear particularly interesting to attackers, because the volume of data they manage is small.

The attackers probably want to compromise the remote management tools used by these services in order to gain control over the computers of customers who request support from the electronics service centers.

“Command and control servers use services like noip.me or ddns.net, which in combination with a VPN, allow hiding the IP address of the server where the exfiltrated data is sent.” concludes the report.
“During the analysis in some cases, the C2 servers were not online and the RAT failed to contact them, and then returned active after a few tens of hours with a new IP address.
The actors behind this attack remain unknown …”

The Italian version of the report, which also includes the IoCs, is available here.

'Blackgear' Cyberspies Resurface With New Tools, Techniques
19.7.2018 securityweek CyberSpy

The hackers behind a cyberespionage campaign known as Blackgear are back with improved malware that abuses social media websites, including Facebook, for command and control (C&C) communications.

The threat group, also known as Topgear and Comnie, has been around since at least 2008, mainly targeting entities in Taiwan, South Korea and Japan. Its targets include organizations in the telecommunications, defense, government, aerospace, and high-tech sectors. Some limited evidence suggests that the attacks may be conducted by Chinese state-sponsored actors.

Previous Blackgear attacks involved malware tracked as Elirks and Protux, which the hackers created themselves. The latest attacks, analyzed by Trend Micro, relied on a new version of the Protux backdoor and a downloader named Marade.

One interesting technique leveraged by the threat group involves using blogs and social media websites for C&C communications, which helps it easily change C&C servers and improve its chances of evading detection. In the past, the actor posted encrypted C&C configurations on websites such as github.com, tumblr.com and blogspot.com. The more recent attacks also abuse Facebook to store and retrieve C&C data.

Blackgear malware abuses Facebook for C&C communications

The more recent attacks start with an email delivering a fake installer or decoy document, which drops the Marade downloader. The downloader is placed in a file whose size exceeds 50 MB in an effort to bypass traditional sandbox products.

Marade checks the infected system for an antivirus solution and retrieves C&C data from a blog or social media post. If the compromised machine is of interest, the Protux backdoor is downloaded.

Protux allows the attackers to list all the files, processes, services and registry entries on the compromised host, along with taking screenshots and creating a shell that provides access to the system.

“Blackgear has been targeting various industries since its emergence a decade ago. Its apparent staying power stems from the furtive ways with which its attacks can evade traditional security solutions,” Trend Micro researchers explained. “For instance, Blackgear employs two stages of infection for each of its attacks. The potential victim may not be able to notice the intrusions as the first stage involves only profiling and reconnaissance. And once infection with a backdoor occurs, typical red flags may not be raised as it abuses microblogging and social media services to retrieve information needed for C&C communication.”

Researchers have also stumbled upon a tool that provides the user interface from which the hackers control the Protux and Marade malware.

“Based on the controller’s behavior, we can posit that both Marade and Protux were authored by the same threat actors,” experts noted.

Cyber-Espionage Campaigns Target Tibetan Community in India
28.6.2018 securityweek CyberSpy

Two cyberespionage campaigns targeting the Tibetan community based in India appear to be the work of Chinese threat actors, a new Recorded Future report reveals.

Referred to as RedAlpha, the campaigns have been ongoing for the past two years, focused on cyber-espionage. As part of these attacks, which share light reconnaissance and selective targeting, various malicious tools were used, including new malware families.

The newly uncovered campaigns took place in 2017 (involving a custom dropper and the NetHelp infostealer implant) and 2018 (when a custom validator and the njRAT commodity malware were used). The latter campaign is still ongoing.

While the second campaign leveraged a scaled-down infrastructure, likely to reduce the impact of discovery, both attacks used payloads configured with several command and control (C&C) servers, but the malware employed the doc.internetdocss[.]com C&C domain in both cases.

The security researchers also observed the attackers using a malicious Microsoft Word document that exploited CVE-2017-0199. They connected the attacks to previous activity through the use of FF-RAT and of infrastructure shared with the NetTraveler, Icefog, and DeputyDog APTs, as well as the MILE TEA campaign.

Over the years, the Tibetan and Uyghur communities have been targeted by many threat actors, including Chinese attackers such as the original Winnti group, LuckyCat, and NetTraveler, but also MiniDuke.

As part of the RedAlpha campaigns, the actor used a “careful combination of victim reconnaissance and fingerprinting, followed by selective targeting with multi-stage malware,” Recorded Future reports.

The first campaign started in June 2017 using two stages of largely custom malware for both 32- and 64-bit Windows systems: a straightforward dropper that would fetch a payload and establish persistence, and the NetHelp infostealer to collect system information, compress files and directories, and exfiltrate them. The attackers relied on a dual C&C infrastructure.

The email address used to register a C&C site was used to register a domain that resolves to a Hong Kong IP that was previously associated with a phishing campaign against Tibetans in 2016 and 2017. Thus, the researchers believe the same actor has been behind all three attacks.

A report on the phishing campaign suggested that a “low-level contractor” exhibiting “sloppy” tradecraft and utilizing inexpensive infrastructure was behind it. Thus, the 2017 campaign suggests “an increased level of sophistication for the attacker,” Recorded Future says.

The 2018 campaign started in January and continued until at least late April, showing a departure from the custom first-stage dropper and the adoption of a validator-style implant instead (which also checked PCs for security software). Based on the information gathered on the victim systems, the attackers would then selectively deploy njRAT onto specific machines.

This shift is part of a trend observed in the APT research community: both criminal and nation-state sponsored groups are increasingly relying on commodity malware and penetration testing tools, which not only allows them to blend in, but also means lower cost of retooling upon discovery.

Analyzing IPs and domains associated with these campaigns, the security researchers also discovered that Tibetans weren’t the only targets and say that the same group might have hit multiple targets since 2015.

The campaigns also appear connected to the FF-RAT malware that has been around since at least 2012, and which has been associated with Chinese APT activity exclusively. In 2015, the FBI said the malware was used to target the U.S. Office of Personnel Management (OPM).

“We assess FF-RAT was likely used by the same threat actors behind RedAlpha, possibly as early as 2016,” Recorded Future says.

“We do not currently possess enough evidence to categorically prove that the RedAlpha campaigns were conducted by a new threat actor. We have outlined some tentative connections, through infrastructure registrations to existing Chinese APTs, but a firm attribution requires further detail on the individuals and organizations behind the malicious activity,” the security firm concludes.