- APT -

Last update 09.10.2017 12:41:24


Iran-linked APT OilRig targets IIS Web Servers with new RGDoor Backdoor
28.1.2018 securityweek APT

The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when it targeted mainly organizations in the financial and government sectors in the United States and Middle Eastern countries.

The hackers used the RGDoor backdoor to target Middle Eastern government organizations and financial and educational institutions.

According to the researchers, RGDoor is a secondary backdoor that allows the hackers to regain access to a compromised Web server when the primary TwoFace webshell is discovered and removed.

OilRig hackers have been using the TwoFace webshell since at least June 2016, the backdoor

“Unlike TwoFace, the actors did not develop RGDoor in C# to be interacted with at specific URLs hosted by the targeted IIS web server. Instead, the developer created RGDoor using C++, which results in a compiled dynamic link library (DLL).” states the analysis from Palo Alto Networks.

“The DLL has an exported function named “RegisterModule”, which is important as it led us to believe that this DLL was used as a custom native-code HTTP module that the threat actor would load into IIS.”

The attackers exploited the IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities; in this way they could carry out custom actions on requests.

The “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto explains.


Malware researchers from Palo Alto Networks discovered that the code calls the RegisterModule function with arguments that cause the module to ignore inbound HTTP GET requests and act on all HTTP POST requests.

When the IIS server receives an inbound HTTP POST request, the backdoor parses the request, looking for a specific string in the HTTP “Cookie” field.

That field is used to issue cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands.

“RGDoor then constructs its own HTTP response by first setting the “Content-Type” field within the HTTP header to “text/plain”.” continues the analysis.

The choice of the Cookie field makes inbound requests related to the RGDoor backdoor hard to analyze, because IIS does not log the values of this field by default.
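Two checks a defender can run against an IIS applicationHost.config follow the points above: which native-code modules are registered (the place a DLL loaded via IIS Manager or appcmd appears) and whether the W3C log includes the Cookie field. This is an added example, not code from the Palo Alto analysis; the config content is constructed, and the IIS_DIR path and module names are assumptions.

```python
"""Audit an IIS applicationHost.config for native-code modules and Cookie logging.

Added example, not part of the Palo Alto analysis. Native (C++) modules are
registered under system.webServer/globalModules, which is where a DLL loaded
through IIS Manager or appcmd shows up; one whose image lives outside the IIS
directory deserves a review. The second check reports whether the W3C log
format includes the Cookie field, which IIS leaves out by default.
"""
import re
import xml.etree.ElementTree as ET

IIS_DIR = r"%windir%\system32\inetsrv"

# Constructed sample config: two stock IIS modules and one registered from an
# unusual path. Real configs carry many more entries.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <logFile logFormat="W3C"
          logExtFileFlags="Date, Time, ClientIP, Method, UriStem, UriQuery, HttpStatus, UserAgent" />
      </siteDefaults>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpHelperModule" image="C:\inetpub\temp\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def _child(elem, tag):
    """Direct child lookup; ElementPath treats '.' as an operator, so dotted
    section names such as system.webServer cannot go through find()."""
    if elem is None:
        return None
    for node in elem:
        if node.tag == tag:
            return node
    return None


def _norm(path):
    """Lower-case, unify separators and the two spellings of the Windows dir."""
    path = re.sub(r"[\\/]+", r"\\", path.strip()).lower()
    return path.replace("%systemroot%", "%windir%")


def native_modules(config_xml):
    """All (name, image) pairs declared under globalModules."""
    root = ET.fromstring(config_xml)
    gm = _child(_child(root, "system.webServer"), "globalModules")
    if gm is None:
        return []
    return [(a.get("name", ""), a.get("image", "")) for a in gm if a.tag == "add"]


def suspicious_modules(config_xml):
    """Native modules whose DLL is not under IIS_DIR. Third-party modules can
    legitimately live elsewhere, so treat hits as review items, not verdicts."""
    base = _norm(IIS_DIR) + "\\"
    return [(n, img) for n, img in native_modules(config_xml)
            if not _norm(img).startswith(base)]


def cookie_logging_enabled(config_xml):
    """True if siteDefaults/logFile logExtFileFlags includes Cookie."""
    root = ET.fromstring(config_xml)
    log_file = _child(_child(_child(_child(root, "system.applicationHost"),
                                     "sites"), "siteDefaults"), "logFile")
    if log_file is None:
        return False
    flags = {f.strip().lower() for f in log_file.get("logExtFileFlags", "").split(",")}
    return "cookie" in flags


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review native module {name}: {image}")
    print("Cookie field logged:", cookie_logging_enabled(SAMPLE_CONFIG))
```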

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the server, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated.” concluded Palo Alto Networks.

Technical details, including IoCs, are reported in the analysis published by Palo Alto Networks.

A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions
25.1.2018 securityaffairs APT

Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions.
Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

In the last campaigns against financial firms, the cyber spies launched watering hole attacks and leveraged a variant of the Lazarus-linked RATANKBA Trojan.

“The malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent campaign targeting financial institutions using watering hole attacks. The variant used during these attacks (TROJ_RATANKBA.A) delivered multiple payloads that include hacking tools and software targeting banking systems.” reads the analysis published by Trend Micro.

“We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL–A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified.“

The researchers identified and hacked into some servers used by the cyber spies for temporarily storing stolen data; the analysis of the backend revealed that around 55% of the victims were located in India and neighboring countries.

The majority of the victims were not using enterprise versions of Microsoft software; less than 5% of the victims were Microsoft Windows Enterprise users.

The IP addresses of the victims do not belong to a large bank or financial institution; according to Trend Micro, the victims are likely employees of three web software development companies in India and one in South Korea.

The RATANKBA Trojan is delivered via weaponized Office documents (containing topics related to cryptocurrencies and software development), CHM files, and script downloaders.

Experts noticed that the attackers do not implement real-time communication with the malware. Once a target machine is compromised, the attackers use a Remote Controller tool to send jobs to the system; the queue of jobs is then processed by RATANKBA.

“During our analysis, we collected a copy of the RATANKBA malware’s Lazarus Remote Controller tool. The remote controller provides a user interface that allows attackers to send jobs to any compromised endpoint. The controller gives the attackers the ability to manipulate the victims’ host by queueing tasks on the main server. RATANKBA retrieves and executes the tasks, and retrieves the collected information.” continues the analysis.

The controller tool used by the Lazarus APT implements a graphical user interface that allows hackers to push code to the server and download victim profiles from it.


Trend Micro also provided a profile of the members of the Lazarus APT group: the hackers appear to be native Korean speakers, and at least one of them is believed to also understand Chinese.

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities.” concluded Trend Micro.

Dark Caracal APT – Lebanese intelligence is spying on targets for years
19.1.2018 securityaffairs APT

A new long-running player has emerged in the cyber arena: the Dark Caracal APT, a hacking crew associated with the Lebanese General Directorate of General Security that has already conducted many stealthy hacking campaigns.
Cyber spies belonging to the Lebanese General Directorate of General Security are behind a number of stealthy hacking campaigns that, over the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.

This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to decrease and new players are becoming even more dangerous.

The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The APT group was tracked as Dark Caracal by the researchers, its campaigns leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.
“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.” states the report.
The attack chain implemented by Dark Caracal relies primarily on social engineering: the hackers sent messages to the victims via a Facebook group and WhatsApp. At a high level, the hackers designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.


The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. Dark Caracal malware is also able to use device cameras and the microphone to spy on the victims.

Unfortunately, the APT group also used another powerful piece of surveillance software in its campaigns: the dreaded FinFisher, a spyware product that is often marketed to law enforcement and government agencies.

Researchers from Lookout and the EFF discovered a number of test devices that appeared to be located in the Beirut building of the Lebanese General Directorate of General Security, suggesting that the Dark Caracal APT is linked to the government.
“Devices for testing and operating the campaign were traced back to a building belonging to the Lebanese General Directorate of General Security (GDGS), one of Lebanon’s intelligence agencies. Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal. ” continues the report.

Dark Caracal also has Windows malware in its arsenal; the malicious code was able to collect screenshots and files from infected PCs.


Lookout and the EFF launched their investigation in July 2017; the researchers were able to identify the command and control infrastructure and determined that the Dark Caracal hackers were running six unique campaigns. Some of the hacking campaigns had been ongoing for years, targeting a large number of victims in many countries, including China, the United States, India, and Russia.

“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”

Further details are provided in the technical report, which includes more than 90 indicators of compromise (IOC).

Russia-Linked Attacks on Political Organizations Continue
19.1.2018 securityweek APT

The cyber-espionage group known as Fancy Bear was highly active in the second half of 2017, hitting political organizations worldwide, Trend Micro said this week.

Also known as APT28, Pawn Storm, Sofacy, Group 74, Sednit, Tsar Team, and Strontium, the group is said to have ties with the Russian government. Since 2015, the group has been associated with attacks on political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

During the second half of 2017, such attacks continued, without revealing much technical innovation over time. However, the attacks are well prepared, persistent, and often hard to defend against, the security researchers say.

“Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn’t need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released,” Trend Micro points out.

During the second half of 2017, the group was observed targeting organizations with credential phishing and spear phishing attacks. In August and September, the hackers used tabnabbing against Yahoo! users, a method that involves changing a browser tab to point to a phishing site after distracting the target.

In attacks observed in October and November 2017, the group used credential phishing emails to target specific organizations. One incident employed an email claiming to inform the target of an expired password, while the other claimed a new file was present on the company’s OneDrive system.

During the past six months, Pawn Storm also targeted several International Olympic Wintersport Federations, including the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation, and the International Luge Federation.

The attacks appear to be related to several Russian Olympic players being banned for life in fall 2017. A recent incident involving the leak of emails exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics also appears to be related to the state-sponsored actor.

Some of the group’s political targets included chmail.ir webmail users, who received credential phishing emails on May 18, 2017, one day before the presidential elections in Iran. Similar incidents were observed targeting political organizations globally, Trend Micro says.

In June 2017, the actor set up phishing sites mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. In attacks observed during fall 2017, the group was abusing Google’s Blogspot service to target Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Individuals interested in the CyCon U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point were also targeted by Pawn Storm last year.

Moving forward, the group is expected to continue targeting political organizations, while also likely focusing on influencing public opinion via social media, given that social media algorithms are “susceptible to abuse by various actors with bad intentions.”

“Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy,” Trend Micro notes.

Other actors too might start campaigns attempting to influence politics and issues of interest domestically and abroad, the researchers say. Pawn Storm, however, is expected to continue to be highly active, especially with the Olympics and several significant global elections taking place in 2018.

North Korea Group 123 involved in at least 6 different hacking campaigns in 2017
19.1.2018 securityaffairs APT

North Korean hackers belonging to the North Korea Group 123 have conducted at least six different massive malware campaigns during 2017.
North Korean hackers have conducted at least six different massive malware campaigns during 2017, most of them against targets in South Korea. Security researchers from Cisco’s Talos group, who have monitored the situation for 12 months, have identified a North Korean threat actor tracked by the experts as Group 123 that conducted numerous malware attacks against entities in the South.

In three different phishing campaigns tracked as “Golden Time”, “Evil New Year” and “North Korean Human Rights”, South Korean victims were specifically infected with the Remote Access Trojan ROKRAT.

“On January 2nd of 2018, the “Evil New Year 2018” was started. This campaign copies the approach of the 2017 “Evil New Year” campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.” reads the analysis published by Talos.

“Based on our analysis, the “Golden Time”, both “Evil New Year” and the “North Korean Human Rights” campaigns specifically targeted South Korean users.”

The ROKRAT RAT was used to target Korean targets using the popular Korean Microsoft Word alternative Hangul Word Processor (HWP). In the past, we saw other attacks against people using the HWP application.


The three campaigns leveraged a payload in the Hancom Hangul Office Suite; North Korean hackers exploited vulnerabilities such as the CVE-2013-0808 EPS viewer bug to deliver the RAT.

The attackers also used specially crafted files to trigger the arbitrary code execution vulnerability CVE-2017-0199. Group 123 also launched the FreeMilk campaign against financial institutions outside South Korea.

The hackers in this campaign used phishing messages with a weaponized Microsoft Office document that was able to trigger the vulnerability CVE-2017-0199.

“Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki.” continues the analysis. “PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.”

The last campaign analyzed by the Talos group was tracked as “Are You Happy”; it is a sabotage campaign that targeted victims using a module from ROKRAT designed to wipe the first sectors of the victim’s hard drive.

According to Talos, this actor was very active in 2017 and will likely continue its campaigns in the coming months, especially against targets in the South.

“The actor has the following demonstrated capabilities:

To include exploits (for Hangul and Microsoft Office) in its workflows.
To modify its campaigns by splitting the payload into multiple stages
To use compromised web servers or legitimate cloud based platforms.
To use HTTPS communications to make it harder to perform traffic analysis.
To compromise third parties to forge realistic spear phishing campaigns (i.e. Yonsei university in the “Golden Time” campaign).
To constantly evolve, the new fileless capability included in 2018 is a proof.” concluded Talos.

The report includes the IoCs for each campaign.

Turla APT group’s espionage campaigns now employ Adobe Flash Installer and ingenious social engineering
10.1.2018 securityaffairs APT

Turla APT group’s espionage campaigns now employ an Adobe Flash installer and an ingenious social engineering technique: the backdoor is downloaded from what appear to be legitimate Adobe URLs and IP addresses.
Security researchers from ESET, who have analyzed recent cyber espionage campaigns conducted by the dreaded Turla APT group, reported that the hackers leverage malware downloaded from what appear to be legitimate Adobe URLs and IP addresses.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using

In the most recent attacks, the group is packaging its macOS backdoor with a real Adobe Flash installer and downloading the malware onto victim systems from what the endpoint sees as a remote IP belonging to Akamai, the Content Delivery Network that is also used by Adobe for its supply chain. Legitimate Flash installers, in fact, are also distributed through the Akamai network.

“In recent months, we have observed a strange, new behavior, leading to compromise by one of Turla’s backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com.” reads the report published by ESET.

“From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash installer.“

Researchers noted that Turla installers had been exfiltrating information to get.adobe.com URLs since at least July 2016; data were sent back to legitimate URLs at Adobe.com. The download attempts observed by ESET were made through HTTP and not via HTTPS; the researchers state with confidence that Adobe was not compromised.

The social engineering technique adopted by the Turla group to trick victims into believing they are downloading legitimate software from an Adobe server is very ingenious.

Data collected by the experts revealed that most of the victims belong to the former USSR; targeted entities include embassies and consulates located in Eastern Europe.

At the time of the report, it was still unclear how the Turla APT group distributed the backdoor through Adobe.com.

Experts speculate that this is possible by compromising a machine on the victim’s network to perform a local man-in-the-middle attack. In this attack scenario, the threat actors redirect traffic from a target system through the compromised server and modify it on the fly. Another possibility is to leverage a compromised local gateway that could allow the attackers to intercept and modify traffic for the whole organization.

Other attack scenarios see Turla executing a man-in-the-middle attack at the ISP level, or a BGP hijack.

“We quickly discarded the hypothesis of a rogue DNS server, since the IP address corresponds to the servers used by Adobe to distribute Flash.” continues the report. “Thus, these are the hypotheses that remain: ➊ a Man-in-the-Middle (MitM) attack from an already-compromised machine in the local network, ➋ a compromised gateway or proxy of the organization, ➌ a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers.”


Researchers believe the most likely scenario sees attackers controlling the router for the traffic hijacking.

Such an attack is possible in any case because the files are downloaded via HTTP; for this reason, it is important to avoid installing any update or software that was downloaded over an unsecured connection.

Administrators must also check that downloaded Flash Player installers are properly signed with a valid Adobe certificate.

Further information, including the IoCs, is included in the report published by ESET.

Force 47 – The Vietnamese brigade tasked with fighting “wrongful views” spreading online
2.1.2017 securityaffairs APT

Force 47 is a brigade composed of 10,000 cyber warriors to fight online dissent in Vietnam, a new threat to freedom of speech in the country.
Like many other governments, Vietnam is deploying a cyber army of 10000 cyber experts to fight online dissent in the country.

The news was revealed by a top Vietnamese general last week; the official said that the brigade dubbed ‘Force 47’ has been tasked with fighting “wrongful views” spreading online.

More than half of the population (around 93 million people) has access to the Internet.

According to the web watchdog Freedom House, the Internet in Vietnam is “not free”; the organization ranked the country second only to China in Asia.

Human Rights Watch deputy Asia director Phil Robertson believes that the brigade Force 47 is a “shocking new dimension to Vietnam’s crackdown on dissent”.

“This is just the latest plank in a campaign to curb internet freedoms at all costs,” Shawn Crispin, Committee to Protect Journalists’ Southeast Asia representative, told AFP Friday.

“While they can’t unplug Facebook, Instagram and the likes outright, they can apply more and more pressure on those platforms and it looks like these cyber troops are their latest attempt to do that.”

The activist Nguyen Chi Tuyen (aka Anh Chi) said the new brigade is an important step forward in online repression.

“The main purpose for Force 47 is to try and control news and public opinion on the internet… they want to protect the party, not protect the country,” explained Tuyen.

The Vietnamese Government is applying strict online monitoring, and it continues to ask tech giants like Facebook and YouTube to remove any “toxic content” from their platforms.

The Vietnamese Government believes that hostile groups and foreign governments could use social media and the Internet to destabilize the country and threaten the “prestige of the party’s leaders and the state”.

According to Amnesty International, many dissidents have already been identified and arrested in the country, at least 15 people this year.

Madeline Earp, a senior research analyst with Freedom House, explained that the Force 47 unit is likely to include commentators tasked with spreading pro-government content online and countering critics.

“Vietnam very much follows China’s example when suppressing internet freedom, particularly when it comes to blocking websites and arresting dissidents,” she told AFP.

Vietnam has built up considerable cyber capabilities across the years; according to the incident response firm Volexity, the Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape.

Happy IR in the New Year!
1.1.2018 Kaspersky  APT
At the end of last year Mr. Jake Williams (aka @MalwareJake) asked a very important question on Twitter about the lack of visibility when detecting APT intrusions. The results show us that endpoint analysis is the most important part of any research connected with APTs. Also, for sure, endpoint forensics is critical during any Incident Response (IR), because in many cases the initial intrusion happened too far back in time, so there are no relevant logs and no backups to identify the first victim and the way the attackers were moving from one computer to another. At least once a year we have such issues during IR activities with our customers. In these cases we use a very simple script that is uploaded to every Windows computer in the corporate network to collect logs, NTFS data, entries from the Windows registry and strings from the binary files, to find out how exactly the attackers were moving through the network. It’s holiday season and it is our pleasure to share this script with you. We hope it will help to save a lot of time during IR and any malware/APT investigations, providing the much needed visibility into potentially infected endpoint PCs.

Let’s start with collecting file system information from the computer using the wonderful forensics tool FLS (administrative privileges required) from the open source package Sleuthkit. The only thing that the official Windows build lacks is Windows XP/2003 support. If you are planning to run the tool on Windows XP/2003 machines then you may need to recompile FLS from sources using MinGW or download our pre-compiled version (see the end of this blog post). We also do not want to write the results to the computers’ hard drives, to avoid wiping their unallocated space. So the tool is going to utilize a big shared folder (approx. 300 MB of free space per corporate computer) that should be prepared in advance and should be accessible from all computers in the network that will execute the script:

::Map the prepared share and create a per-computer report folder on it
set data_share="\\corp_share\data_share"
net use y: %data_share%
mkdir y:\%COMPUTERNAME%_report
set dp=y:\%COMPUTERNAME%_report
echo %date% %time% %COMPUTERNAME% > %dp%\report.log
::Full recursive listing of the system drive, with full paths and timestamps
fls.exe -lpr \\.\c: >> %dp%\fls.log

It will take several (dozens of) minutes to create the full list of filesystem entries for the computer’s system drive. After that we are ready to extract the inode numbers of the Windows registry files that are interesting to us. We will use the ICAT tool from the same Sleuthkit package and the RegLookup utility to grab the modification timestamps of every Windows registry key. At the end we want to collect all the strings from the registry files (using either the tool by Mr. Mark Russinovich or the POSIX strings utility, http://pubs.opengroup.org/onlinepubs/9699919799/utilities/strings.html, our choice) to search for any data from the unallocated space and deleted keys:

::Get Windows reg files (inode is the second space-separated field of the fls line, up to the colon)
findstr /i "windows\/system32\/config\/system " %dp%\fls.log | findstr /vi "profile" | findstr /vi log | cut -f2 -d" " | cut -f1 -d":" > %dp%\system.reg.inode
for /f "tokens=1" %%a in (%dp%\system.reg.inode) do icat \\.\c: %%a > %dp%\system.reg
findstr /i "windows\/system32\/config\/software " %dp%\fls.log | findstr /vi "profile" | findstr /vi log | cut -f2 -d" " | cut -f1 -d":" > %dp%\software.reg.inode
for /f "tokens=1" %%a in (%dp%\software.reg.inode) do icat \\.\c: %%a > %dp%\software.reg
::Convert reg files
reglookup.exe %dp%\system.reg > %dp%\system.reg.log
reglookup.exe %dp%\software.reg > %dp%\software.reg.log
::Get strings from reg files (-e l: UTF-16LE, -e b: UTF-16BE)
strings -afel %dp%\system.reg > %dp%\system.str.log
strings -afeb %dp%\system.reg >> %dp%\system.str.log
strings -afel %dp%\software.reg > %dp%\software.str.log
strings -afeb %dp%\software.reg >> %dp%\software.str.log

Once finished, we are ready to do the same with the Windows system and security event log files. To parse the log files we will use the open source tools evtxexport and evtexport by Mr. Joachim Metz:

::Get Logs (Vista and later: .evtx)
findstr /i "windows\/system32\/winevt\/logs\/system.evtx" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\system.evtx.inode
for /f "tokens=1" %%a in (%dp%\system.evtx.inode) do icat \\.\c: %%a > %dp%\system.evtx
findstr /i "windows\/system32\/winevt\/logs\/security.evtx" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\security.evtx.inode
for /f "tokens=1" %%a in (%dp%\security.evtx.inode) do icat \\.\c: %%a > %dp%\security.evtx
strings -afeb %dp%\system.evtx > %dp%\system.evtx.str.log
strings -afel %dp%\system.evtx >> %dp%\system.evtx.str.log
strings -afeb %dp%\security.evtx > %dp%\security.evtx.str.log
strings -afel %dp%\security.evtx >> %dp%\security.evtx.str.log
::Conv evtx
evtxexport.exe %dp%\system.evtx > %dp%\system.evtx.res.log
::get evt logs (XP/2003: .Evt)
findstr /i "windows\/system32\/config\/SysEvent.Evt" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\SysEvent.Evt.inode
for /f "tokens=1" %%a in (%dp%\SysEvent.Evt.inode) do icat \\.\c: %%a > %dp%\SysEvent.Evt
findstr /i "windows\/system32\/config\/SecEvent.Evt" %dp%\fls.log | cut -f2 -d" " | cut -f1 -d":" > %dp%\SecEvent.Evt.inode
for /f "tokens=1" %%a in (%dp%\SecEvent.Evt.inode) do icat \\.\c: %%a > %dp%\SecEvent.Evt
::get strings from evt
strings -afeb %dp%\SysEvent.Evt > %dp%\SysEvent.Evt.str.log
strings -afel %dp%\SysEvent.Evt >> %dp%\SysEvent.Evt.str.log
strings -afeb %dp%\SecEvent.Evt > %dp%\SecEvent.Evt.str.log
strings -afel %dp%\SecEvent.Evt >> %dp%\SecEvent.Evt.str.log
::Conv evt
evtexport.exe %dp%\SysEvent.Evt > %dp%\SysEvent.Evt.res.log

That is it. All logs are now collected in the share folder, where we can search them for anything interesting. In the recent Carbanak cases we were looking for mentions of the malicious PowerShell scripts, so let's add the following line to our version of the script:

findstr /i "powershell" %dp%\*.log >> %dp%\report.log

This gives us a complete picture of how the attackers moved from one computer to another, with exact timestamps and artifacts from NTFS, the registry and the event logs, which is critical for fast and effective IR even where endpoint visibility is lacking. GLHF and HAPPY IR in NEW YEAR!
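The batch script resolves each log's MFT entry by grepping the fls listing and feeding the address to icat. The Python below is an added example, not part of the original script, that performs the same lookup more robustly: it parses a constructed `fls -r -p` listing (all paths and MFT addresses are made up), prefers an allocated entry over a deleted copy of the same path, and skips the legacy .Evt logs that do not exist on Vista and later instead of running icat against nothing.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt of `fls -r -p \\.\c:` output (made-up paths and MFT
# addresses, not taken from the original post). Deleted entries carry a '*'.
SAMPLE_FLS = """\
d/d 11-144-4:\tWindows
d/d 2001-144-6:\tWindows/System32
r/r 34567-128-3:\tWindows/System32/winevt/Logs/System.evtx
r/r * 34570-128-1:\tWindows/System32/winevt/Logs/System.evtx
r/r 34568-128-3:\tWindows/System32/winevt/Logs/Security.evtx
r/r 9876-128-1:\tWindows/System32/config/SYSTEM
r/r 9877-128-1:\tWindows/System32/config/SOFTWARE
"""

# type, optional '* ' deleted marker, MFT address "entry-type-id", separator, path
FLS_LINE = re.compile(
    r"^(?P<ftype>\S+)\s+(?P<deleted>\*\s+)?(?P<addr>\d+(?:-\d+-\d+)?):\s+"
    r"(?P<path>.*?)(?:\s+\(realloc\))?$"
)


class FlsEntry(NamedTuple):
    ftype: str      # e.g. "r/r" (regular file) or "d/d" (directory)
    deleted: bool   # True when fls marked the entry with '*'
    addr: str       # MFT address in the form icat expects, e.g. "34567-128-3"
    path: str       # path relative to the volume root, forward slashes


def parse_fls(text: str) -> List[FlsEntry]:
    """Turn an fls listing into structured entries; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            entries.append(FlsEntry(m["ftype"], bool(m["deleted"]), m["addr"], m["path"]))
    return entries


def find_entry(entries: List[FlsEntry], wanted: str) -> Optional[FlsEntry]:
    """Case-insensitive exact path match; an allocated entry wins over a deleted one."""
    target = wanted.replace("\\", "/").lower()
    hits = [e for e in entries if e.path.lower() == target]
    if not hits:
        return None
    hits.sort(key=lambda e: e.deleted)   # False sorts first -> allocated copy preferred
    return hits[0]


def icat_command(entry: FlsEntry, out: str, device: str = r"\\.\c:") -> str:
    """The icat invocation the batch script builds for one MFT address."""
    return f"icat {device} {entry.addr} > {out}"


# Logs the batch script pulls; the .Evt pair only exists on XP/2003-era hosts
TARGETS = [
    "Windows/System32/winevt/Logs/System.evtx",
    "Windows/System32/winevt/Logs/Security.evtx",
    "Windows/System32/config/SysEvent.Evt",
    "Windows/System32/config/SecEvent.Evt",
]


def plan_extraction(entries: List[FlsEntry], targets: List[str], outdir: str) -> List[str]:
    """One icat command per log that actually exists on the volume."""
    cmds = []
    for t in targets:
        e = find_entry(entries, t)
        if e is None:
            continue                      # e.g. legacy .Evt logs absent on Vista+
        cmds.append(icat_command(e, out=f"{outdir}\\{t.rsplit('/', 1)[-1]}"))
    return cmds


if __name__ == "__main__":
    for cmd in plan_extraction(parse_fls(SAMPLE_FLS), TARGETS, r"\\share\host"):
        print(cmd)
```

The batch pipeline's `for /f` loop runs icat once per matching fls line, so a deleted copy of System.evtx listed after the live one would silently overwrite the output with stale data; `find_entry` keeps the allocated entry, and a deleted copy can still be carved deliberately by looking at the `deleted` flag.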


SHA256 (HappyNewYear.zip) = c166d1e150db24ea27014e1d4a9eeb79f9e317ded9918a623fee8e66a010f9fa

Financially motivated attacks reveal the interests of the Lazarus APT Group
25.12.2017 securityaffairs APT

Researchers at security firm Proofpoint collected evidence of the Lazarus APT group's significant interest in cryptocurrencies; the group's arsenal of tools, implants, and exploits is extensive and under constant development.
Researchers at security firm Proofpoint collected evidence of the Lazarus APT group's significant interest in cryptocurrencies. The North Korea-linked hackers launched several multistage attacks that use cryptocurrency-related lures to infect victims with malware.

The malicious code aims to steal credentials for cryptocurrency wallets and exchanges, but there is much more.

“Proofpoint researchers have uncovered a number of multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group.” reads the analysis published by Proofpoint. “Victims of interest are then infected with additional malware including Gh0st RAT to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing Bitcoin and other cryptocurrencies.”

The Lazarus APT group has increasingly focused on financially motivated attacks in an attempt to exploit the interest generated by skyrocketing cryptocurrency prices.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber-espionage campaigns and sabotage operations aimed at destroying data and disrupting systems. Security researchers found that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber-espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul and the Sony Pictures hack.

Lazarus is believed to be the first nation-state attacker to target point-of-sale systems with a framework built to steal payment card data.

The timing is perfect: the hackers are intensifying their operations around the Christmas shopping season.

The arsenal of the Lazarus APT group includes sophisticated custom-made malware, DDoS botnets, and wiper malware.

The research paper published by the experts details a new implant dubbed PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant.

Experts also documented a new and emerging threat dubbed RatankbaPOS that targets point-of-sale systems.


“The Lazarus Group is a sophisticated, state-sponsored APT group with a long history of successful destructive, disruptive, and costly attacks on worldwide targets. State-sponsored groups are generally focused on espionage and disruption. However, our findings on their recent activities relate to the financially motivated arm of Lazarus, the operations of which are peculiar to the North Korean group.” said Patrick Wheeler, director of threat intelligence, Proofpoint.

“These actions, including the targeting of cryptocurrency exchange credentials and point-of-sale infrastructure, are significant for a number of reasons:

This appears to be the first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain.

Cryptocurrencies are nothing new to threat actors, state-sponsored or otherwise. However, in this case we were able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft.

This group now appears to be targeting individuals rather than just organisations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetisation for a state-sponsored threat actor’s toolkit. Bringing the tools and resources of a state-sponsored attack group to bear against individuals and infrastructure used by large numbers of private citizens raises the stakes considerably when assessing potential impact.

We were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption groups that have recently grabbed headlines, providing better insight into their operations and the worldwide threat represented by Lazarus.”

Russian Fancy Bear APT Group improves its weapons in ongoing campaigns
24.12.2017 securityaffairs APT

Fancy Bear APT group refactored its backdoor and improved its encryption to make it stealthier and harder to stop.
The operations conducted by the Russian Fancy Bear APT group (aka Sednit, APT28, Sofacy, Pawn Storm and Strontium) are becoming more sophisticated and harder to detect.
According to a new report published by experts from security firm ESET, the APT group recently refurbished one of its most popular backdoors, Xagent, significantly improving it with new functionality that makes it stealthier and harder to stop.
The malware authors redesigned the architecture of the malware, so previously discovered infection patterns have become harder to recognize.
The X-Agent backdoor (aka Sofacy) has been associated with several espionage campaigns attributed to Fancy Bear. Over the years, experts have observed several strains of X-Agent specifically designed to compromise Windows, Linux, iOS and Android, and in early 2017 researchers at Bitdefender spotted the first version of X-Agent developed to compromise macOS systems.

The latest version of the X-Agent backdoor, the fourth one, implements new techniques for obfuscating strings and all run-time type information. Cyberspies upgraded some of the code used for C&C purposes and added a new domain generation algorithm (DGA) feature in the WinHttp channel for quickly creating fallback C&C domains.

ESET observed a significant improvement in the encryption algorithm and DGA implementation that makes domain takeover more difficult.

Fancy Bear also implemented internal improvements, including new commands that can be used for hiding malware configuration data and other data on an infected system.

The attack chain remained largely unchanged, the APT group Fancy Bear still relies heavily on “very cleverly crafted phishing emails.”

“The attack usually starts with an email containing either a malicious link or malicious attachment. We have seen a shift in the methods they use ‘in the course of the year’, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016.” reads the report published by ESET. “The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we saw other methods being used by this group, such as macros or the use of Microsoft Word Dynamic Data Exchange.”


The group stopped using the Sedkit exploit kit and has increasingly used a platform called DealersChoice, a Flash exploit framework also used by the group against Montenegro.

DealersChoice generates documents with embedded Adobe Flash Player exploits tailored to the target's configuration.

Fancy Bear’s operations are still focused on government departments and embassies all over the world.

The thin line between BlackEnergy, DragonFly and TeamSpy attacks
19.12.2017 securityaffairs APT

Experts from McAfee Labs collected evidence that links DragonFly malware to other hacking campaigns, like BlackEnergy and TeamSpy attacks.
On September 6, Symantec published a detailed analysis of the Dragonfly 2.0 campaign that targeted dozens of energy companies this year. The threat actor is the same one behind the Dragonfly campaign observed in 2014.

Further analysis conducted by McAfee Labs led the experts to believe that Operation Dragonfly is linked to earlier attacks.

The investigation conducted by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries.

The experts noticed that the tactics, techniques, and procedures (spear phishing, watering holes, and exploitation of supply-chain technologies) were the same as those used in previous campaigns.

“By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.” reads the analysis published by McAfee Labs.

Once they had compromised the target network, the attackers used the Remote Desktop Protocol to hop among internal or external systems, connecting either to a control server or to a compromised internal server to conduct operations.

Researchers observed threat actors using several backdoors and utilities, in one case a Trojan used in 2017 attacks was also used in a July 2013 attack.

Experts correlated the malware by analyzing the hashes: both samples contained the same TeamViewer component that was spotted by the Hungarian security company CrySyS Lab in its report on the TeamSpy malware.

The TeamSpy hackers hit a wide variety of high-level targets, including the Russia-based embassy of an undisclosed country belonging to both NATO and the European Union, multiple research and educational organizations in France and Belgium, an electronics company in Iran and an industrial manufacturer in Russia.

CrySyS researchers mentioned the same hash used in the recent attacks and correlated it to a sample compiled on 2011:09:07 – 09:27:58+01:00.

“Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?” continues McAfee Labs.

The experts discovered that the 2017 sample contained code blocks associated with BlackEnergy malware.

BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017. (Source McAfee)

“Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.” continues the analysis.

“The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.”
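The comparison McAfee describes, an identical self-deleting code block in a 2015 BlackEnergy sample and a 2017 Dragonfly sample, is the kind of code-reuse check an analyst would script before making a correlation claim. The Python below is an added example, not McAfee's tooling and not run on the real samples: two constructed byte blobs share one made-up stub, and the code finds the longest identical byte run between them and scores overall similarity on shared byte 8-grams.

```python
from difflib import SequenceMatcher
from typing import Set, Tuple

# Constructed stand-ins for two binaries, NOT the real BlackEnergy/Dragonfly
# samples: the same made-up "self-delete stub" embedded in otherwise different bytes.
SHARED_STUB = b"\x55\x8b\xec" + b"<constructed self-delete stub>" + b"\xc9\xc3"
SAMPLE_2015 = b"\x90" * 40 + SHARED_STUB + b"BLACKENERGY-2015-PADDING" + b"\xcc" * 20
SAMPLE_2017 = b"DRAGONFLY-2017-PADDING" + b"\x00" * 30 + SHARED_STUB + b"\xcc\xcc"


def longest_shared_run(a: bytes, b: bytes) -> Tuple[int, int, int]:
    """Offset in a, offset in b and length of the longest identical byte run."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return m.a, m.b, m.size


def ngrams(data: bytes, n: int = 8) -> Set[bytes]:
    """Set of all overlapping n-byte windows in the blob."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_jaccard(a: bytes, b: bytes, n: int = 8) -> float:
    """Share of byte n-grams common to both blobs (0.0 = nothing, 1.0 = identical sets)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def code_reuse_report(a: bytes, b: bytes, min_run: int = 16) -> dict:
    """Summarise whether the two blobs share a block long enough to suggest code reuse."""
    off_a, off_b, size = longest_shared_run(a, b)
    return {
        "longest_run": size,
        "offset_a": off_a,
        "offset_b": off_b,
        "shared_bytes": a[off_a:off_a + size],
        "jaccard_8gram": round(ngram_jaccard(a, b), 3),
        "reuse_suspected": size >= min_run,
    }


if __name__ == "__main__":
    for k, v in code_reuse_report(SAMPLE_2015, SAMPLE_2017).items():
        print(f"{k}: {v!r}")
```

A single long identical run at different offsets is the strong signal here; the n-gram score is fuzzier and is inflated by padding (long runs of 0x90 or 0x00 collapse to one n-gram each), which is why both numbers are reported rather than one.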


The experts pointed out an evolution of the code in the backdoors developed by the threat actors and the reuse of code in their campaigns.

The malicious code is fairly sophisticated in hiding the details of the attacks, and the use of false flags makes attribution hard.

Triton malware was developed by Iran and used to target Saudi Arabia
16.12.2017 securityaffairs APT  ICS

CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia.
Security experts from security firms FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor.

The Triton malware was used in an attack on an unnamed critical infrastructure organization somewhere in the Middle East, where it caused a shutdown.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”


According to the report published by ICS cyber security firm Dragos, which tracks the threat as “TRISIS”, the victim was an industrial asset owner in the Middle East.

The Triton malware is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used in industrial environments to monitor the state of a process and restore it to a safe state, or safely shut it down, if parameters indicate a potentially hazardous situation.

TRITON communicates using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Iranian hackers are becoming even more aggressive, although experts have consistently pointed out that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign dubbed Magic Hound, dates back at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries, all the targets are located or have an interest in Saudi Arabia.

Iran was responsible for the destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Tehran government.

According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by threat actors whose ultimate goal was sabotage.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, it suggests avoiding leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

According to Phil Neray, VP of Industrial Cybersecurity at CyberX, OT environments are ‘vulnerable by design’, which makes them a privileged target for attackers who can use them as an entry point into industrial environments.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Phil Neray told SecurityWeek. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”

Lazarus APT Group targets a London cryptocurrency company
16.12.2017 securityaffairs APT

Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.
The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber-espionage campaigns and sabotage operations aimed at destroying data and disrupting systems. Security researchers found that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber-espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul and the Sony Pictures hack.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.

Lazarus targets Bitcoin company

According to the experts at Secureworks, the Lazarus APT group is behind a targeted email campaign aiming to trick victims into clicking on a compromised link for a job opening for a chief financial officer role at a London cryptocurrency company.
“Those who clicked on the hiring link were infected by malicious code from an attached document in the email that installed software to take remote control of a victim’s device, allowing hackers to download further malware or steal data.” Reuters reported.

“This malware shares technical links with former campaigns staged by the mysterious cybercrime group Lazarus, which Secureworks has labeled “Nickel Academy”. Secureworks did not say whether anyone who received the email actually clicked on the link.”

Researchers found many similarities between the TTPs (tactics, techniques, and procedures) observed in this attack and those of previous ones attributed to the Lazarus APT group.

“The so-called “spearphishing” attempt appears to have been delivered on October 25, but initial activity was observed by Secureworks researchers dating back to 2016. The researchers said in a statement they believe the efforts to steal credentials are still on-going.” Reuters reported.

“Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, it said.”

Secureworks found evidence dating back to 2013 of North Korean interest in bitcoin, when a collection of usernames originating from computers using North Korean internet addresses were found researching bitcoin.

The same internet addresses were linked to previous North Korean operations.

The researchers believe the Lazarus phishing campaign is still ongoing and warn of its potential effects.

“Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and (it) is likely continuing its activities surrounding the cryptocurrency,” Secureworks said in a statement to Reuters.

Secureworks announced the publication of a detailed report.

HBO hacker linked to the Iranian Charming Kitten APT group
7.12.2017 securityweek APT

A new report published by ClearSky linked a man accused by U.S. authorities of hacking into the systems of HBO to the Iranian cyber espionage group Charming Kitten.
Experts from the security firm ClearSky have published a new detailed report on the activities of Charming Kitten APT group, also known as Newscaster and NewsBeef.

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Iranian hackers used a network of fake accounts (the NEWSCASTER network) on major social media platforms to spy on US officials and political staff worldwide, as reported in the iSIGHT Partners analysis. The Charming Kitten group is also known for abusing open-source security tools, including BeEF (the Browser Exploitation Framework).

The threat actor targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. The hackers also hit individuals involved in academic research, human rights, and the media.

ClearSky detailed the group’s activities during 2016-2017; the report includes information on the infrastructure used by the APT and on a new strain of malware dubbed DownPaper.

The report also linked the hacker behind the HBO security breach to the Charming Kitten, and reveals the identities of two other alleged members of the group.

Last month, the United States charged the Iranian computer expert Behzad Mesri over the ‘Game of Thrones’ HBO hack; the man was charged with stealing scripts and plot summaries for ‘Game of Thrones’.

Manhattan US Attorney Joon Kim said Mesri “had previously hacked computer systems for the Iranian military”. The man threatened to release the stolen data unless HBO paid a $6 million ransom in Bitcoin.

Prosecutors confirmed that the Iranian man was a member of the Iranian-based Turk Black Hat Security hacking group that targeted hundreds of websites in the United States and around the world.

“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.

“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”

Experts discovered that Mesri and Charming Kitten were linked through another member of the Turk Black Hat group, “ArYaIeIrAN.”


The email addresses associated with this individual have been used to register several domains used by Charming Kitten. ClearSky also discovered that the same email address was used to register a domain for an Iranian hosting firm named MahanServer, which has hosted Charming Kitten infrastructure.

“To sum up, the HBO hacker – Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn, who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari, who is a Facebook friend of Behzad Mesri’s.” states the report. “We tend to identify ArYaIeIrAn with Mohammadamin Keshvari, because the latter is the only other employee of Mahanserver and works in a company whose domain was registered by the former (and both have a similar and unique profile picture). We estimate with medium certainty that the three are directly connected to Charming Kitten, and potentially, along with others – are Charming Kitten”
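ClearSky's pivot from a registrant e-mail address to Charming Kitten domains and to the MahanServer domain is a standard infrastructure-clustering step. The Python below is an added example, not ClearSky's tooling, that walks the same kind of link over constructed WHOIS-style records: every domain, registrant e-mail and nameserver in it is made up. Starting from a seed domain it follows shared registrant addresses and reports every domain reached and which pivot values connected them.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed WHOIS-style records (made-up domains, e-mail addresses and
# nameservers), not ClearSky's data. `email` is the registrant address and
# `ns` the authoritative nameserver, standing in for the hosting provider.
RECORDS = [
    {"domain": "known-bad-1.example", "email": "regA@mail.example", "ns": "ns1.hoster-x.example"},
    {"domain": "known-bad-2.example", "email": "regA@mail.example", "ns": "ns1.hoster-x.example"},
    {"domain": "hoster-x.example",    "email": "regA@mail.example", "ns": "ns1.hoster-x.example"},
    {"domain": "newly-seen.example",  "email": "regB@mail.example", "ns": "ns1.hoster-x.example"},
    {"domain": "unrelated.example",   "email": "regC@mail.example", "ns": "ns1.bigdns.example"},
]

Node = Tuple[str, str]   # ("domain", value) or (<pivot field>, value)


def build_graph(records: Iterable[dict], pivot_fields: Tuple[str, ...]) -> Dict[Node, Set[Node]]:
    """Bipartite graph: each domain is linked to the pivot values it was registered with."""
    g: Dict[Node, Set[Node]] = defaultdict(set)
    for r in records:
        d = ("domain", r["domain"].lower())
        g[d]  # touch the key so isolated domains still appear in the graph
        for f in pivot_fields:
            k = (f, r[f].lower())
            g[d].add(k)
            g[k].add(d)
    return g


def pivot(records: Iterable[dict], seeds: Iterable[str],
          pivot_fields: Tuple[str, ...] = ("email",)) -> Tuple[List[str], List[str]]:
    """Breadth-first walk from the seed domains across shared pivot values.

    Returns the sorted domains reached (seeds included) and the pivot values that
    connected them, so every link in the chain can be reviewed by hand.
    """
    g = build_graph(records, pivot_fields)
    seen: Set[Node] = set()
    queue = deque(("domain", s.lower()) for s in seeds)
    while queue:
        node = queue.popleft()
        if node in seen or node not in g:
            continue
        seen.add(node)
        queue.extend(g[node] - seen)
    domains = sorted(v for t, v in seen if t == "domain")
    pivots = sorted(f"{t}={v}" for t, v in seen if t != "domain")
    return domains, pivots


if __name__ == "__main__":
    print(pivot(RECORDS, {"known-bad-1.example"}))
    print(pivot(RECORDS, {"known-bad-1.example"}, pivot_fields=("email", "ns")))
```

Pivoting on the nameserver as well (`pivot_fields=("email", "ns")`) pulls in `newly-seen.example`, which only shares hosting with the cluster. That link is far weaker than a shared registrant address, because unrelated customers of one hoster look identical on this axis, so it should be treated as a lead to verify, not as attribution.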

Iranian hackers are becoming even more aggressive, even if experts believe they are not particularly sophisticated.

Recently we discussed the OilRig gang, which has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

US indicts Chinese hackers belonging to APT3 for espionage on Siemens and Moody’s
28.11.2017 securityaffairs APT

US authorities have filed official charges against three Chinese hackers part of the elite cyber-espionage unit APT3.
US authorities charged three China-based hackers for stealing sensitive information from US based companies, including Siemens AG, and accessing a high-profile email account at Moody’s.

The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec.”

While Wu and Dong are founding members and shareholders of the China-based company, Xia is just an employee.

Do you remember the Boyusec name?

Several reports published in May 2017 linked the Boyusec firm to the infamous APT3 group, a cyber-espionage group under the control of the Chinese Government.

The APT3, also known as UPS, Gothic Panda, and TG-011, has been active since 2010.


On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blog posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis.”According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

The Chinese men have been charged in Pittsburgh with using malware to steal data from international corporations, including Siemens AG, which has offices in Pittsburgh.

The federal indictment filed in September was unsealed Monday, the men were charged by a grand jury for cyber-attacks against three corporations in the financial, engineering and technology industries between 2011 and May 2017. Victims are Moody’s Analytics, Siemens, and GPS technology firm Trimble.

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.
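The forwarding rule placed in the Moody's employee's mailbox is a persistence trick that leaves an auditable trace: the rule itself. The Python below is an added example, not part of the indictment or of any vendor tool, that audits inbox rules exported in the shape of Exchange's Get-InboxRule output and flags enabled rules that forward or redirect mail outside the organization's domains, rating those that point at public webmail providers highest. The mailboxes, rule names and addresses are constructed, and the recipient string format (`"Name" [SMTP:address]` or a bare address) and the webmail list are assumptions.

```python
import re
from typing import Dict, List, Set

# Organisation's own mail domains; anything else counts as external (assumption)
INTERNAL_DOMAINS: Set[str] = {"corp.example"}
# Short list of public webmail providers, an assumption used only for severity
WEBMAIL_DOMAINS: Set[str] = {"gmail.com", "outlook.com", "yahoo.com", "mail.ru"}

# Constructed inbox rules shaped like Exchange `Get-InboxRule` output
# (made-up mailboxes, names and addresses, not from the indictment).
RULES: List[Dict] = [
    {"Mailbox": "cfo@corp.example", "Name": "Archive", "Enabled": True,
     "ForwardTo": ['"Mail Archive" [SMTP:archive@corp.example]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "cfo@corp.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": ['"x" [SMTP:backup.cfo.2017@gmail.com]']},
    {"Mailbox": "analyst@corp.example", "Name": "Old test", "Enabled": False,
     "ForwardTo": ["old@outlook.com"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
]

# Pulls bare addresses out of either recipient string format
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def rule_targets(rule: Dict) -> List[str]:
    """Every destination address a rule forwards, redirects or attaches mail to."""
    targets: List[str] = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for value in rule.get(field) or []:
            targets.extend(a.lower() for a in ADDR.findall(value))
    return targets


def audit_rules(rules: List[Dict], internal_domains: Set[str],
                webmail_domains: Set[str]) -> List[Dict]:
    """Flag enabled rules whose destinations leave the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue                       # disabled rules still deserve a look, but are not live exfil
        external = [a for a in rule_targets(rule)
                    if a.rsplit("@", 1)[1] not in internal_domains]
        if not external:
            continue
        to_webmail = any(a.rsplit("@", 1)[1] in webmail_domains for a in external)
        findings.append({
            "mailbox": rule["Mailbox"],
            "rule": rule["Name"],
            "targets": external,
            "severity": "high" if to_webmail else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(RULES, INTERNAL_DOMAINS, WEBMAIL_DOMAINS):
        print(f)
```

Run against a real export, the interesting findings are exactly the ones in the constructed data: a rule with a throwaway name such as "." that quietly forwards everything to a webmail account. Rule names, creation times and the mailbox owner's awareness of the rule are the next things to check.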

All three indicted suspects are still at large and currently residing in China.

Lazarus APT uses an Android app to target Samsung users in South Korea
22.11.2017 securityaffairs APT

The North Korea linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea.
The hacking campaign was spotted by McAfee and Palo Alto Networks, both security firms attributed the attacks to the Hidden Cobra APT.

The activity of the Lazarus APT Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber-espionage campaigns and sabotage operations aimed at destroying data and disrupting systems. Security researchers found that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber-espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul and the Sony Pictures hack.

The malicious code used in this latest campaign is Android malware delivered as an APK file designed to mimic a Korean bible app published on Google Play by a developer named GODpeople.

The malicious APK wasn’t available on the Google Play store and it is still unclear how the APT distributed it.

“The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)” states McAfee.

“The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.”


According to McAfee, the malware delivers a backdoor as an executable and linkable format (ELF) file, which allows the attackers to take full control of the infected device.

The list of command and control (C&C) servers used by the Android backdoor includes IP addresses previously associated with the Lazarus group.


Experts from Palo Alto Networks pointed out that the campaign appears to be aimed at Samsung device owners in South Korea.

“Unit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster. The specific points of connection between these new samples and Operation Blockbuster include:

payloads delivered by the macros discussed in Operation Blockbuster Sequel
malware used by the HiddenCobra threat group
malware used in the 2016 attack on the Bangladesh SWIFT banking system
APK samples mimicking legitimate APKs hosted on Google Play”
states the analysis from Palo Alto Networks.

Experts from Unit 42 analyzed a PE file uploaded to VirusTotal that was used to deliver ELF ARM files and APK files from an HTTP server. The APK allows the attacker to gain full control over the target device.

Palo Alto Networks has collected evidence that links the malware with Lazarus’s attack on the SWIFT banking system and with Operation Blockbuster. The C&C infrastructure used in the latest attack is the same one used in Lazarus’s earlier campaigns.

“It is clear that source code was reused between previously reported samples and the cluster of new samples outlined by Unit 42. Additionally, command and control IPv4 addresses were reused by the malware discussed in this analysis. Technical indicators as well as soft indicators, such as APK themes and names, provide soft and tenable ties to the actors behind Operation Blockbuster and the HiddenCobra group.” concluded Palo Alto Networks.

APT Trends report Q3 2017
16.11.2017 Kaspersky Analysis APT
Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.

As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: intelreports@kaspersky.com.

Chinese-Speaking Actors
The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and are still very much active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.

The most interesting of these reports focused on two specific supply chain attacks; Netsarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site. Netsarang is a popular server management software used throughout the world. The ShadowPad framework contained a remotely activated backdoor which could be triggered by the threat actor through a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following up on this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.
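The ShadowPad trigger described above, a backdoor that stays dormant until a specific value arrives in a DNS TXT answer, is the kind of thing a resolver log can surface: TXT records are normally short, low-entropy strings such as SPF or DMARC policies, so a long, base64-like TXT answer for an unfamiliar name is worth a look. The following Python is an added hunting example, not code from Kaspersky or from the ShadowPad analysis; the log line format, the constructed log lines and the length and entropy thresholds are all assumptions to adapt to your own resolver telemetry.

```python
import math
import re
from typing import Dict, List

# Constructed resolver log lines (not real telemetry). The line format is an
# assumption: "<timestamp> client=<ip> qname=<name> qtype=<type> rdata=<text>".
SAMPLE_LOG = """\
2017-07-18T10:00:01Z client=10.1.2.3 qname=example.com qtype=TXT rdata="v=spf1 include:_spf.example.com -all"
2017-07-18T10:00:02Z client=10.1.2.3 qname=www.example.com qtype=A rdata=192.0.2.10
2017-07-18T10:00:05Z client=10.1.2.9 qname=_dmarc.example.com qtype=TXT rdata="v=DMARC1; p=reject"
2017-07-18T10:01:11Z client=10.1.2.9 qname=update.cdn-sync.test qtype=TXT rdata="a8Q2kd9LxV0pZ4mN7sY1hRt6uW3eG5bJc9FqK2dL0nP8vX4="
2017-07-18T10:01:12Z client=10.1.2.9 qname=update.cdn-sync.test qtype=TXT rdata="ok"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
                     r"qtype=(?P<qtype>\S+) rdata=(?P<rdata>.*)$")

# TXT records with these prefixes are routine mail and ownership checks, not triggers.
BENIGN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")

MIN_LEN = 24       # shorter answers carry too little to act as a meaningful trigger
MIN_ENTROPY = 4.0  # bits per character; prose sits near 3.5-4.0, base64 blobs higher


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into a dict; returns {} for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    rec = m.groupdict()
    rec["rdata"] = rec["rdata"].strip().strip('"')
    return rec


def is_suspicious_txt(rec: Dict[str, str]) -> bool:
    """Flag TXT answers that are long, high-entropy and not a known benign record kind."""
    if rec.get("qtype", "").upper() != "TXT":
        return False
    data = rec["rdata"]
    if data.lower().startswith(BENIGN_PREFIXES):
        return False
    return len(data) >= MIN_LEN and shannon_entropy(data) >= MIN_ENTROPY


def find_suspicious_txt(log_text: str) -> List[Dict[str, str]]:
    """Run the rule over a whole log and return the matching records."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_txt(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_txt(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} TXT "
              f"len={len(hit['rdata'])} entropy={shannon_entropy(hit['rdata']):.2f}")
```

On the constructed log only the long base64-like answer for `update.cdn-sync.test` is reported; the SPF and DMARC records are excluded by prefix and the short "ok" answer by length. Expect some noise from legitimate verification tokens and DKIM keys that do not use the standard prefixes, which is why the rule is a hunting aid to be paired with a per-domain baseline rather than a blocking control.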

Q3 also showed that China is very interested in policies and negotiations between Russia and other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government, aviation companies, and research institutes. Earlier in April, both countries conducted talks related to modernizing the Mongolian air defenses with Russia’s help. Shortly after these talks, the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much awaited agreement to expand a nuclear power plant in India, as well as to further define the defense cooperation between the two countries. Very soon after, both countries’ energy sectors were targeted with a new piece of malware we refer to as “H2ODecomposition”. In some cases this malware was masquerading as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2) which describes a chemical reaction used in hydrogen fuel cells.

Other reports published in the third quarter under Chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new testing version of Emdivi was discovered in use by Blue Termite, as well as their testing of CVE-2017-0199. Finally, Bald Knight (AKA Tick) was seen using their popular XXMM malware family to target Japan and South Korea.

Below is a summary of report titles produced for the Chinese region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to intelreports@kaspersky.com.

Analysis and evolution of Spring Dragon tools
EnergyMobster – Campaign targeting Russian-Indian energy project
IronHusky – Intelligence of Russian-Mongolian military negotiations
The Bald Knight Rises
Massive watering holes campaign targeting Asia-Pacific
Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
NetSarang software backdoored in supply chain attack – early warning
ShadowPad – popular server management software hit in supply chain attack
New BlueTermite samples and potential new wave of attacks
CCleaner backdoored – more supply chain attacks
Russian-Speaking Actors
The third quarter was a bit slower with respect to Russian speaking threat actors. We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.

The ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models. “Cutlet Maker” and “ATMProxy” both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs. ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.

Another report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.

Finally, we produced a summary report on Sofacy’s summertime activity. Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL. Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.

Below is a list of report titles for reference:

ATMProxy – A new way to rob ATMs
Cutlet maker – Newly identified ATM malware families sold on Darknet
Summertime Sofacy – July 2017
Buhtrap – New wave of attacks on financial targets
English-Speaking Actors
The last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications. What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.

The Red Lambert
Korean-Speaking Actors
We were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff. Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.

Report titles focusing on Korean-speaking actors:

Scent of ScarCruft
Bluenoroff hit Casino with Manuscrypt
Other Activity
Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter. Without going into detail on each of these reports, we will focus on two. The first is a report on the Shadowbrokers’ June 2017 malware dump. An anonymous “customer” who paid to get access to the dump of files posted the hashes of the files for the month, mainly due to their displeasure in what was provided for the money. We were only able to verify one of nine file hashes, which ended up being an already known version of Triple Fantasy.

The other report we’d like to highlight (“Pisco Gone Sour”) is one involving an unknown actor targeting Chilean critical institutions with Veil, Meterpreter, and PowerShell Empire. We are constantly searching for new adversaries in our daily routine and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.

Dark Cyrene – politically motivated campaign in the Middle East
Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
New Machete activity – August 2017
Shadowbroker June 2017 Pack
The Silence – new trojan attacking financial organizations
Final Thoughts
Normally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018. Instead, we would like to point out one alarming trend we’ve observed over the last two quarters which is an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target; MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing. As an added benefit, these attacks can remain undetected for months, if not longer. It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven’t seen the last of this type of attack in the near future.

Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit

10.11.2017 thehackernews APT

Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider a security issue and has already refused to patch.
Last month, we reported how hackers could leverage a built-in Microsoft Office feature, Dynamic Data Exchange (DDE), to achieve code execution on the targeted device without requiring macros to be enabled or any memory corruption.
The DDE protocol is one of several methods Microsoft provides to let two running applications share the same data.
The protocol is used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic, for one-time data transfers and for continuous exchanges in which applications send updates to one another.
Soon after the details of the DDE attack went public, several reports emerged about widespread attack campaigns abusing this technique in the wild to target organisations with malware.
Now, for the first time, this DDE attack technique has been found in use by an Advanced Persistent Threat (APT) hacking group: APT28, which is well known as Fancy Bear and is widely believed to be backed by the Russian government.
Russian Hackers Using New York Terror Attack to Lure Victims
While analyzing a new spear phishing campaign, security researchers discovered that the Fancy Bear hackers have been leveraging the DDE vulnerability since late October, according to a recent report published Tuesday by McAfee researchers.
The campaign involved documents referencing the recent terrorist attack in New York City in an attempt to trick victims into opening the malicious documents, which eventually infect their systems with malware.
Since DDE is a legitimate Microsoft feature, most antivirus solutions don't raise any warning or block documents with DDE fields.
Therefore, anyone who clicks on the malicious attachment (with names like SabreGuard2017.docx or IsisAttackInNewYork.docx) inadvertently runs malicious code on his/her computer without any restriction or detection.
Once opened, the document contacts a command-and-control server and installs the first stage of the malware, called Seduploader, on the victim's machine using PowerShell commands.
Seduploader then profiles prospective victims by sending basic host information from the infected system to the hackers. If the system is of interest, the attackers later install more fully featured spyware, X-Agent and Sedreco.
"APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections but can also rapidly incorporate new exploitation techniques to increase its success," McAfee researchers concluded.
"Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses."
This is not the first malware campaign that has been spotted abusing the DDE attack technique.
Soon after the details of the DDE attack technique went public, Cisco's Talos threat research group uncovered an attack campaign that was actively using this technique to target several organisations with a fileless remote access trojan called DNSMessenger.
Late last month, researchers discovered a campaign that spread the Locky ransomware and the TrickBot banking trojan via Word documents that leveraged the DDE technique.
Another separate malware spam campaign discovered by security researchers was also found distributing the Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit.
Protection Against DDE Malware Attacks
Since Microsoft does not provide any protection against such attacks, the simplest way to avoid falling victim to a malicious document abusing Microsoft's DDE feature is to disable the feature entirely.
If you use Microsoft Word 2016 or Microsoft Excel 2016, go to Options → Advanced, and then remove the checkmark from "Update automatic links at open" which is listed under the general group on the page.
In MS Excel, you can also consider checking "Ignore other applications that use Dynamic Data Exchange (DDE)."

Moreover, Disable DDEAuto is a Registry file maintained on GitHub that disables the "update links" as well as "embedded files" functionality in MS Office documents when run.
You can detect Office documents abusing the DDE feature via a set of YARA rules in Office Open XML files published by the researchers at NVISO Labs.
However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via email and never to click on links inside those documents unless you have adequately verified the source.
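Beyond the NVISO YARA rules mentioned above, a document scanner can check for DDE fields structurally rather than by string search: an Office Open XML file is a zip archive, and Word stores a field's instruction either in a `w:fldSimple` attribute or spread across `w:instrText` runs between `w:fldChar` begin/end markers, so the runs must be concatenated before matching or a field split as "DD" + "EAUTO" slips past. The following Python is an added example, not code from NVISO, McAfee or The Hacker News; it builds its own minimal, constructed .docx inputs in memory (with placeholder program names in the DDE fields) and reports whether a DDE or DDEAUTO field is present.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field instruction naming DDE or DDEAUTO is what Word acts on; the word
# boundary avoids hits on ordinary text such as "ADDED".
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_instructions(part_xml: bytes) -> List[str]:
    """Return every field instruction in one WordprocessingML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr. Complex
    fields spread it over w:instrText runs between a w:fldChar 'begin' and
    the matching 'end'; those runs are concatenated so an instruction split
    across runs is seen whole.
    """
    root = ET.fromstring(part_xml)
    fields = [el.get(W + "instr", "") for el in root.iter(W + "fldSimple")]
    current: List[str] = []
    depth = 0  # fields can nest; only close when the outermost one ends
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    return fields


def document_uses_dde(docx_bytes: bytes) -> bool:
    """True if any word/*.xml part (body, headers, footers, ...) carries a DDE field."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in extract_field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        return True
    return False


def build_docx(body_xml: str) -> bytes:
    """Build a minimal .docx around the given body XML (constructed test input)."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
                % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed document bodies; the DDE ones use placeholder program/argument strings.
BENIGN_BODY = ('<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
               '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
               '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
               '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
               '<w:r><w:t>1</w:t></w:r>'
               '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

SIMPLE_DDE_BODY = ('<w:p><w:fldSimple w:instr=" DDEAUTO &quot;placeholder.exe&quot; &quot;arg&quot; ">'
                   '<w:r><w:t>loading...</w:t></w:r></w:fldSimple></w:p>')

SPLIT_DDE_BODY = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                  '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
                  '<w:r><w:instrText xml:space="preserve">EAUTO placeholder.exe arg</w:instrText></w:r>'
                  '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
                  '<w:r><w:t>loading...</w:t></w:r>'
                  '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("simple DDE", SIMPLE_DDE_BODY),
                        ("split DDE", SPLIT_DDE_BODY)):
        print(f"{label:12s} uses DDE: {document_uses_dde(build_docx(body))}")
```

The split body is the case a naive per-run regex misses: neither " DD" nor "EAUTO placeholder.exe arg" matches on its own, but the concatenated field instruction does. A mail gateway or sandbox can run `document_uses_dde` on attachments before delivery; pair it with the "Update automatic links at open" setting above, since the scanner covers Word parts only and DDE can also live in embedded objects and spreadsheets.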

Russia-Linked APT28 group observed using DDE attack to deliver malware
9.11.2017 securityaffairs APT

Security experts at McAfee observed the Russian APT28 group using the recently reported DDE attack technique to deliver malware in an espionage campaign.
Security experts at McAfee observed the Russian APT group APT28 using the recently reported DDE technique to deliver malware in targeted attacks.

The cyber spies were conducting a cyber espionage campaign that involved blank documents whose name referenced the recent terrorist attack in New York City.

“During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28.” reported McAfee.

Dynamic Data Exchange (DDE) is a protocol designed to allow data transfer between applications; attackers have devised a method that uses DDE to execute malicious code embedded in Office documents with minimal user interaction.

The DDE protocol allows an Office application to load data from another Office application, it was replaced by Microsoft with Object Linking and Embedding (OLE), but it is still supported.

The DDE technique has been used by several threat actors, such as the FIN7 APT group in the DNSMessenger malware attacks, and the operators behind the Hancitor malware campaign spotted and detailed by Internet Storm Center (ISC) handler Brad Duncan.

Recently the technique was used by threat actors behind the Necurs botnet to deliver the Locky ransomware.

Unfortunately, Microsoft doesn’t plan to introduce security countermeasures to mitigate the DDE attack because the tech giant considers the feature legitimate.

In the recent campaign conducted by APT28, hackers used a document referencing the New York City attack to deliver the first-stage payload tracked as Seduploader.

The Seduploader malware, also known as the GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy, is a strain of malware that the threat actor has already used in other campaigns against NATO representatives.

Seduploader is reconnaissance malware that APT28 has used for years; it is composed of two files: a dropper and a payload.

The malware is downloaded from a remote server using PowerShell commands, experts

The analysis of the malware and of the command and control (C&C) domains used in the campaign revealed that the campaign involving DDE started on October 25.

According to the experts, the recent attacks are part of a campaign that also involved documents referencing Saber Guardian, a multinational military exercise involving approximately 25,000 military personnel from over 20 participating nations. The military exercise was conducted by the U.S. Army in Eastern Europe in an effort to deter an invasion (by Russia) into NATO territory.

Just two weeks ago, researchers with Cisco Talos spotted another cyber espionage campaign conducted by the APT28 group, targeting individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference.

The hackers targeted individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point on November 7-8 in Washington, D.C.

“APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections, but can also rapidly incorporate new exploitation techniques to increase its success. Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses.” concluded McAfee. “Finally, the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28’s ability and interest in exploiting geopolitical events for their operations.”

Symantec uncovered a new APT, the cyber espionage Sowbug group
8.11.2017 securityaffairs APT

Malware researchers from Symantec have spotted a new cyber espionage APT, dubbed the Sowbug group, that has been active since at least 2015.
A new cyber espionage group dubbed Sowbug has appeared in the threat landscape; according to the experts it has been active since 2015 and has been involved in highly targeted attacks against a host of government organizations in South America and Southeast Asia.


“Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ” reads the analysis published by Symantec.

The group was spotted by experts from Symantec, who uncovered clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries including Argentina, Brazil, Ecuador, Peru, and Malaysia.

The Sowbug group uses a strain of malware dubbed Felismus to compromise target systems. The malicious code was first detected in March by researchers at Forcepoint, but only now have Symantec experts linked it with the Sowbug group.

“Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.” stated Forcepoint.

Felismus is a sophisticated remote access Trojan (RAT) with a modular structure that allows the backdoor to extend its capabilities.
“Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia. ” continues Symantec. “We have subsequently identified further victims on both sides of the Pacific Ocean. While the Felismus tool was first identified in March of this year, its association with Sowbug was unknown until now. Symantec has also been able to connect earlier attack campaigns with Sowbug, demonstrating that it has been active since at least early-2015 and may have been operating even earlier.”
The Felismus backdoor allows attackers to take full control of an infected system. Researchers were also able to link previous attack campaigns with the Sowbug hacking group, and concluded that the group has been active since at least early 2015.

“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” reads the Symantec report.

“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations.”

According to the malware researchers, the Sowbug group uses fake, malicious Windows or Adobe Reader software updates to compromise the target systems. The group’s arsenal also includes a tool called Starloader, used by the hackers to deploy additional malware and tools, such as credential dumpers and keyloggers, on the target system.

The Starloader tool was disguised as software updates with names such as AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE, among others.
“Rather, it gives its tools file names similar to those used by the software and places them in directory trees that could be mistaken for those used by the legitimate software. This allows the attackers to hide in plain sight, as their appearance in process listings is unlikely to arouse suspicion.” states Symantec.
The Sowbug hackers took further measures to remain under the radar by operating outside of standard office hours. In one case, the hackers remained undetected on the target’s network for up to six months between September 2016 and March 2017.

Vietnamese APT32 group is one of the most advanced APTs in the threat landscape
7.11.2017 securityaffairs APT

According to the incident response firm Volexity, the Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape.
According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as OceanLotus and APT32 have become increasingly sophisticated.
Researchers at Volexity have been tracking the threat actor since May 2017; they observed attacks aimed at the Association of Southeast Asian Nations (ASEAN), and at media, human rights, and civil society organizations.

“In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes.” reads the analysis published by Volexity. “These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits. Volexity has tied this attack campaign to an advanced persistent threat (APT) group first identified as OceanLotus by SkyEye Labs in 2015.”

The researchers compared the hacker group with the dreaded Russia-linked Turla APT.


The APT32 group, also known as OceanLotus Group, has been active since at least 2012, according to the experts it is a state-sponsored hacking group.

The hackers targeted organizations across multiple industries and foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. APT32 has also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.” states the analysis published by FireEye in May.

FireEye highlighted that currently, it is impossible to precisely link the group to the Vietnamese government even if the information gathered by the hackers would be of very little use to any other state.

APT32 has used both Windows and Mac malware in its campaigns, and the group has devised sophisticated techniques to evade detection.

“Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” continues the firm.

APT32 conducted a large-scale campaign of watering hole attacks that involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.

The attacks were surgical: the compromised websites only served malware to visitors who were on a whitelist. Victims were shown a fake screen designed to trick them into authorizing a malicious Google app that could access their emails and contacts.

Other websites were used to deliver malicious code, including backdoors and custom malware.

Volexity published key findings of its analysis related to the last wave of attacks that are still ongoing:

Massive digital profiling and information collection campaign via strategically compromised websites
Over 100 websites of individuals and organizations tied to Government, Military, Human Rights, Civil Society, Media, State Oil Exploration, and more used to launch attacks around the globe
Use of whitelists to target only specific individuals and organizations
Custom Google Apps designed for gaining access to victim Gmail accounts to steal e-mail and contacts
Strategic and targeted JavaScript delivery to modify the view of compromised websites to facilitate social engineering of visitors to install malware or provide access to e-mail accounts
Large distributed attack infrastructure spanning numerous hosting providers and countries
Numerous attacker created domains designed to mimic legitimate online services and organizations such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, Google, and others
Heavy uses of Let’s Encrypt SSL/TLS certificates
Use of multiple backdoors, such as Cobalt Strike and others, believed to be developed and solely used by OceanLotus
The APT32 has rapidly evolved and increased its capabilities, for this reason the experts consider this threat actor one of the most advanced in the current threat landscape.

“Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.

Vietnamese Spies Rival Notorious Russian Group in Sophistication
7.11.2017 securityweek APT
The campaigns of a cyber espionage group believed to be operating out of Vietnam have become increasingly sophisticated, up to the point where they rival operations launched by the notorious Russia-linked advanced persistent threat (APT) actor known as Turla, incident response firm Volexity said on Monday.

The group, tracked as OceanLotus and APT32, has been around since at least 2012, targeting various types of organizations in Southeast Asian countries such as Vietnam, Philippines and China, with some campaigns extending to Europe and the United States. The list of targeted entities includes governments, journalists, activists, tech firms, consumer product manufacturers, banks, and organizations in the hospitality sector.

OceanLotus has used both Windows and Mac malware in its operations, along with some clever techniques that have allowed the group to evade detection.

Volexity has been tracking the threat actor since May 2017, specifically attacks aimed at the Association of Southeast Asian Nations (ASEAN), and media, human rights, and civil society organizations. The security firm agrees with FireEye’s previous assessment that OceanLotus is likely based in Vietnam.

“Volexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla,” the security firm said in a blog post.

Volexity’s analysis showed that OceanLotus’s watering hole attacks involved more than 100 compromised websites belonging to government, military, media, civil society, human rights and oil exploitation entities.

Researchers determined that the group’s attacks are highly targeted; the compromised sites served malicious code only to visitors who were on a whitelist. Targeted users are shown a fake screen designed to trick them into authorizing a malicious Google app that could access the victim’s emails and contacts. Some of the compromised websites were also set up to deliver backdoors and other types of tools, including legitimate software (e.g. Cobalt Strike) and custom malware.

Researchers also noticed that the attackers created many fake domains designed to mimic legitimate services such as AddThis, Akamai, Baidu, Cloudflare, Disqus, Facebook and Google. Many of these websites leveraged SSL certificates provided by Let’s Encrypt, whose services have been increasingly abused by cybercriminals.

“Volexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation,” the company concluded.

OceanLotus’ sophistication was also described recently in a report from Cybereason, which detailed the group’s cat-and-mouse games within the systems of a global company operating in Asia.

Latest Russia-linked APT28 campaign targeting security experts
24.10.2017 securityaffairs APT

Russian cyber espionage group APT28 targeted individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference.
Researchers with Cisco Talos have spotted a Russian cyber espionage group targeting individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference.

Experts attributed the attack to the dreaded Russian APT28 group, aka Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium.

The hackers targeted individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point on November 7-8 in Washington, D.C.

The state-sponsored hackers used bait documents containing content copied from the official CyCon U.S. website; the attackers were clearly interested in spying on cybersecurity experts.

“Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference. CyCon US is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence.” states the report published by Cisco Talos.

“Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security.”


The technique of using cyber security conferences as a lure in cyber espionage operations is well known; other threat actors have used the same tactic in the past. Last year, a Chinese cyber espionage group known as Lotus Blossom attempted to lure victims with fake invitations to a Palo Alto Networks Cybersecurity Summit.

The attackers didn’t use any zero-day vulnerabilities in this last campaign, instead, they relied on weaponized Office documents containing VBA scripts used to deliver a new variant of Seduploader (also known as GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy).

The Seduploader malware, also known as GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy, is a strain of malware that has been already used by the threat actor in other campaigns against NATO representatives.

“In the previous campaign where adversaries used Office document exploits as an infection vector, the payload was executed in the Office word process. In this campaign, adversaries did not use any exploit. Instead, the payload is executed in standalone mode by rundll32.exe,” continues the report.

Seduploader is reconnaissance malware that APT28 has used for years; it is composed of two files: a dropper and a payload. The experts noticed that the dropper and the payload are quite similar to previous versions, but the author modified some public information such as the mutex name and the obfuscation keys.

The hackers made these modifications to evade detection by security solutions.

The CCDCOE published an alert on its website to warn people interested in the CyCon conference about the attack.

“Information from CyCon U.S. website has been used in a Word document with an intent to deliver malware. This type of attack, where legitimate information is used to attract the attention of victims, is rather common and normally detected and prevented in information systems with widely used safeguards.” reads the alert.

“This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security,”

APT28 group is rushing to exploit recent CVE-2017-11292 Flash 0-Day before users apply the patches
23.10.2017 securityaffairs APT

The APT28 group is trying to exploit the CVE-2017-11292 Flash zero-day before users receive patches or update their systems.
Security experts at Proofpoint collected evidence of several malware campaigns, powered by the Russian APT28 group, that rely on a Flash zero-day vulnerability that Adobe patched earlier this week.

According to the experts who observed attacks on organizations across Europe and in the US, the APT28 group is trying to exploit the CVE-2017-11292 zero-day before users receive patches or update their systems.

The state-sponsored hackers focused their attacks on state departments and private-sector businesses in the aerospace industry.

“On Tuesday, October 18, Proofpoint researchers detected a malicious Microsoft Word attachment exploiting a recently patched Adobe Flash vulnerability, CVE-2017-11292. We attributed this attack to APT28 (also known as Sofacy), a Russian state-sponsored group.” states the report published by Proofpoint.

“Targeting data for this campaign is limited but some emails were sent to foreign government entities equivalent to the State Department and private-sector businesses in the aerospace industry. The known geographical targeting appears broad, including Europe and the United States. The emails were sent from free email services.”

The patch was released on Monday, October 16; at that time, Kaspersky had already detected attacks leveraging CVE-2017-11292 allegedly conducted by the BlackOasis APT group.

Researchers believe that APT28 was also in possession of the exploit (whether purchased, discovered on their own, or reverse engineered from the BlackOasis attack), and is trying to use it in targeted attacks.

APT28 rushed to assemble the exploit and the distribution campaign, reusing code from past attacks; the group did the same in May, after Microsoft patched three zero-day flaws exploited by the Russian APT group.

Back to the present, researchers believe APT28 found a way to exploit CVE-2017-11292; it is unclear whether the group purchased the zero-day or reverse engineered it from the BlackOasis attack.

The researchers noticed that the recent attacks exploiting the CVE-2017-11292 flaw employed the same old DealersChoice malware, a Flash exploit framework also used by the APT28 group against Montenegro.

When the target user opens the weaponized files, DealersChoice contacts the remote server to download the CVE-2017-11292 exploit code and execute it.

“The document “World War 3.docx” contacts DealersChoice.B, APT28’s attack framework that allows loading exploit code on-demand from a command and control (C&C) server. DealersChoice has previously been used to exploit a variety of Flash vulnerabilities, including CVE-2015-7645, CVE-2016-1019, CVE-2016-4117, and CVE-2016-7855 via embedded objects in crafted Microsoft Word documents.” continues the report.


Proofpoint researcher Kafeine confirmed that his company is currently trying to take down the C&C servers associated with the DealersChoice attack framework used in the CVE-2017-11292 attacks.

“APT28 appears to be moving rapidly to exploit this newly documented vulnerability before the available patch is widely deployed. Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organizations and end users apply the Adobe patch immediately.” concluded Proofpoint.

Further technical details are available in the report published by Proofpoint, including the IOCs.

BAE Systems report links Taiwan heist to North Korean LAZARUS APT
18.10.2017 securityaffairs APT

Researchers at BAE Systems investigated the recent cyber-heist that targeted a bank in Taiwan and linked the action to the notorious Lazarus APT group.
The activity of the Lazarus APT group surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks, and experts who have investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

The Lazarus group, tracked by the U.S. government as Hidden Cobra, seems to be behind recent attacks against U.S. defense contractors, likely in cooperation with other hacker groups.

Back to the recent attack, hackers exploited the SWIFT global financial network to steal roughly $60 million from Taiwan’s Far Eastern International Bank.

Reports of $60M being stolen are not correct; the amount actually stolen by the hackers was considerably lower.

The hackers transferred the money outside the island, but the bank claimed it had managed to recover most of it.

The Sri Lanka police recently arrested two men allegedly involved in the cyber heist; the suspects are accused of having hacked into computers at a Taiwanese bank and stolen millions of dollars.

Researchers at BAE Systems have identified some of the tools used in the cyber heist and linked them to Lazarus’s arsenal.

Researchers believe the attackers used a piece of ransomware known as Hermes as a distraction tactic. According to researchers at McAfee, the Hermes variant used in the attack on the Taiwanese bank did not display a ransom note, a circumstance that suggests it was used for a different purpose: distraction.

“Was the ransomware used to distract the real purpose of this attack? We strongly believe so,” McAfee researchers said. “Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.”

Lazarus operators likely used the Hermes ransomware on the bank’s network to interfere with the investigations and destroy evidence of their attack.

“The Hermes strain used on FEIB’s network did not change the infected computer’s wallpaper and didn’t leave a flashy ransom note behind, like the original Hermes note, portrayed below.” reported Bleeping Computer.

“Instead, the Hermes version used in the FEIB attacks only showed a popup with the text “finish work” and left a file named “UNIQUE_ID_DO_NOT_REMOVE” in every directory.”

The Hermes samples analyzed by researchers at BAE Systems drop a ransom note in each encrypted folder.

The experts also analyzed another strain of malware used in the attack, dubbed Bitsran; it is a loader used to spread a malicious payload across the targeted network. The analysis of its code revealed the presence of hardcoded credentials for the network of the Far Eastern International Bank, which suggests the malware was likely used after a reconnaissance phase.

“Sample #2 [Bitsran] is designed to run and spread a malicious payload on the victim’s network.” states the report.

“The malware then enumerates all processes, searching for specific anti-virus processes and attempts to kill these using the command line tool taskkill.”

Other malware used by the attackers is the same as that used by the Lazarus group elsewhere, including in attacks aimed at financial organizations in Poland and Mexico.


The malicious code contains strings written in Russian, but researchers believe this is a false flag intended to deceive them.

The sample of Hermes ransomware analyzed by the experts checks the infected machine’s language settings and stops running if the system uses Russian, Ukrainian or Belarusian. This feature is widely adopted by Russian and Ukrainian vxers, who often avoid targeting machines in their own countries. However, experts speculate this could also be a false flag.

“The ransomware calls GetSystemDefaultLangID() to obtain language identifier for the system locale. It contains a list of three system language codes: 0x0419 (Russian), 0x0422 (Ukrainian), and 0x0423 (Belarusian). However, it only checks against the last two, and, if matching, the malware quits. Whether this is a false-flag or not is unknown.” states the analysis.

Below are the hallmarks of the Lazarus group that BAE experts recognized in the attack on the Taiwanese Far Eastern International Bank:

Destination beneficiary accounts in Sri Lanka and Cambodia – both countries have been used previously as destinations for Lazarus’ bank heist activity;
Use of malware previously seen in Lazarus’ Poland and Mexico bank attacks. Where these files were found and the context of their use needs to be confirmed, but could provide a crucial attributive link;
Use of unusual ransomware, potentially as a distraction.
“Despite their continued success in getting onto payment systems in banks, the Lazarus group still struggle getting the cash in the end, with payments being reversed soon after the attacks are uncovered,” concluded BAE Systems.

“The group may be trying new tricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of ransomware across the victim’s network as a smokescreen for their other activity. It’s likely they’ll continue their heist attempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new ways of disrupting victims (and possibly the wider community) from responding,”

BlackOasis APT leverages new Flash zero-day exploit to deploy FinSpy
17.10.2017 securityaffairs Vulnerability APT

Security researchers from Kaspersky Labs spotted the BlackOasis APT group exploiting a new zero-day RCE vulnerability in Adobe Flash.
Security researchers from Kaspersky Labs have discovered a new zero-day remote code execution vulnerability in Adobe Flash, tracked as CVE-2017-11292, which was being actively exploited by hackers in the wild to deliver the surveillance software FinSpy.


Hackers belonging to the APT group known as BlackOasis are leveraging the Adobe Flash zero-day exploit in attacks against high-profile targets.

The critical type confusion vulnerability affects Flash Player for Windows, Macintosh, Linux and Chrome OS.

“On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today:” reads the analysis published by Kaspersky.

The experts speculate the BlackOasis APT group is the same crew that exploited another RCE zero-day vulnerability, tracked as CVE-2017-8759, discovered by FireEye researchers in September 2017.

According to FireEye, CVE-2017-8759 was being actively exploited by an APT group to deliver the FinFisher surveillance malware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July.

In both attacks, BlackOasis used a zero-day exploit to deliver the FinSpy spyware, and the hackers used the same command and control (C&C) infrastructure.

The experts who have monitored the activity of the BlackOasis group over the years confirmed it has used at least five zero-days since June 2015:

CVE-2015-5119 – June 2015
CVE-2016-0984 – June 2015
CVE-2016-4117 – May 2016
CVE-2017-8759 – Sept 2017
CVE-2017-11292 – Oct 2017
BlackOasis hackers targeted individuals in numerous countries, including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.

“BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents.” continues the analysis. “During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.”

Researchers reported the zero-day exploit is delivered through Microsoft Office documents, particularly Word, attached to a spam email. The documents include an ActiveX object which contains the Flash exploit used to deliver the FinSpy spyware.

“The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits,” the Kaspersky Labs researchers say.

FinSpy has been delivered through various attack vectors, including spear phishing, manual installation with physical access to the affected device, zero-day exploits, and watering hole attacks.

According to the experts, the number of attacks relying on FinFisher software, supported by zero-day exploits will continue to grow.

“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” concluded Kaspersky Lab lead malware analyst Anton Ivanov.

“Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”

Kaspersky Lab reported the flaw to Adobe, which addressed it with the release of Adobe Flash Player versions and

CSE CybSec ZLAB Malware Analysis Report: APT28 Hospitality malware
5.10.2017 securityaffairs APT

The CSE CybSec Z-Lab Malware Lab analyzed the Hospitality malware used by the Russian APT28 group to target hotels in several European countries.
The Russian hacker group APT28, also known as Sofacy or Fancy Bear, is believed to be behind a series of attacks last July against travelers staying in hotels in Europe and the Middle East.

This attack is performed by sending spear phishing emails to the victims, masquerading as a hotel reservation form that, if opened with macros enabled, installs malware on the victim’s machine.

Why would Fancy Bear do this? According to FireEye and other security firms, Sofacy is a cyber espionage group, and a good way to get information about people (possibly businessmen and politicians) staying in important hotels is to deceive them into installing spyware with a command and control server that monitors the actions of all the victims.


Figure 1 – Screen of Word dropper.

The above figure shows an example of the weaponized document used by the hackers as an attachment in spear phishing emails. The document contains a payload that is unpacked when macros are enabled. In fact, the macro is a Visual Basic script used to decode the malicious payload and to create a series of files, according to the following scheme:

Figure 2 – Files’ creation and execution scheme

The file “mvtband.dat” is the core of the malware; it contains a C2 client, which tries to connect to the servers “mvtband.net” and “mvband.net” in order to send the information gathered about the victim’s host and to receive new commands to execute on it. In particular, the malware contacts these C&C servers with a POST request on a random path. The body contains some information, among it the list of running processes, information about system settings, and browser preferences, all encrypted using the malware’s own algorithm. Moreover, from our advanced analysis, we discovered that the Hospitality malware takes screenshots of the machine, which it most likely sends to the C2 together with the other information. However, these servers are now blacklisted, so we cannot analyze the complete behavior of the Hospitality malware.
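
The C2 pattern described above (POST requests on random paths to mvtband.net and mvband.net) lends itself to a simple proxy-log check. The following is an added defender-side example, not code from the CSE CybSec report: it assumes a constructed proxy log format (timestamp, client IP, method, URL, status), and the "random path per beacon" heuristic is this example's own assumption rather than a rule from the analysis.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hospitality malware C2 domains named in the analysis above.
HOSPITALITY_C2_DOMAINS = {"mvtband.net", "mvband.net"}

# Constructed sample proxy log (hypothetical format: ts client method url status).
SAMPLE_PROXY_LOG = """\
2017-07-12T09:14:02Z 10.0.5.21 GET http://www.example-hotel.com/reservation.html 200
2017-07-12T09:14:09Z 10.0.5.21 POST http://mvtband.net/Qk3xPz9aLm 200
2017-07-12T09:16:31Z 10.0.5.21 POST http://mvtband.net/7hDfe2Wq 200
2017-07-12T09:19:02Z 10.0.5.21 POST http://mvband.net/zXl0pTTg1 200
2017-07-12T09:20:44Z 10.0.5.33 POST http://intranet.corp.example/api/login 200
2017-07-12T09:21:10Z 10.0.5.33 POST http://intranet.corp.example/api/login 200
2017-07-12T09:22:05Z 10.0.5.40 POST http://cdn.example-updates.net/aB91kXq 200
2017-07-12T09:22:40Z 10.0.5.40 POST http://cdn.example-updates.net/Zt7yQwe 200
2017-07-12T09:23:12Z 10.0.5.40 POST http://cdn.example-updates.net/Mn4rLop 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_proxy_log(text):
    """Parse the constructed proxy log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        parts = urlsplit(rec["url"])
        rec["host"] = parts.hostname or ""
        rec["path"] = parts.path
        events.append(rec)
    return events


def flag_hospitality_c2(events, min_posts=3, watchlist=HOSPITALITY_C2_DOMAINS):
    """Return {(client, host): reason} for suspicious POST traffic.

    Two checks:
      * any POST to a known C2 domain (exact match or subdomain);
      * heuristic (assumption of this example): a client sending at least
        `min_posts` POSTs to one host, every one to a different path, which
        mirrors the random-path beaconing the analysis describes. Ordinary
        applications usually POST to a small, stable set of endpoints.
    """
    posts = defaultdict(list)
    for ev in events:
        if ev["method"] != "POST":
            continue
        posts[(ev["client"], ev["host"])].append(ev["path"])

    findings = {}
    for (client, host), paths in posts.items():
        if any(host == d or host.endswith("." + d) for d in watchlist):
            findings[(client, host)] = "known Hospitality C2 domain"
        elif len(paths) >= min_posts and len(set(paths)) == len(paths):
            findings[(client, host)] = "random-path POST beaconing (heuristic)"
    return findings


if __name__ == "__main__":
    for (client, host), reason in flag_hospitality_c2(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: {reason}")
```

The heuristic branch will also flag legitimate services that use per-request upload paths, so its hits are a triage queue, not a verdict; the watchlist branch is the firm indicator.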

You can download the full ZLAB Malware Analysis Report at the following URL:


Intezer researchers link CCleaner hack to Chinese APT17 hackers
4.10.2017 securityaffairs  APT

Researchers from security firm Intezer speculate that the attack was powered by a nation-state actor, likely the Chinese APT17 group.
Security experts continue to investigate the recent attack against the supply chain of the popular software CCleaner.

The hackers first compromised a CCleaner server in July, then used it to deliver a backdoored version of the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. It has been estimated that between August 15 and September 12, over 2.27 million users downloaded the tainted version of the CCleaner application.

The experts at Cisco Talos who investigated the incident, while analyzing the command-and-control (C2) server used by the threat actor, discovered a lightweight backdoor module (GeeSetup_x86.dll) that was delivered to a specific list of machines used by certain organizations.

The experts discovered that the threat actor that recently compromised the supply chain of the CCleaner software to distribute a tainted version of the popular software targeted at least 20 major international technology firms with a second-stage malware.

The experts analyzed a backup of a deleted database containing information on the infected machines; they discovered that the malicious code infected a total of 1,646,536 machines (based on MAC addresses), but just 40 of them received the second-stage backdoor.

Security experts who investigated the case discovered a link with a Chinese group of hackers.

Now, researchers from Intezer speculate that the attack was powered by a nation-state actor, likely Chinese hackers belonging to the Axiom group, also known as APT17 or DeputyDog.

The most well-known campaign attributed to the APT17 group is the attack on Google’s infrastructure, also known as Operation Aurora. For almost a decade APT17 has targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer, the first payload has many similarities with the code used by the Axiom group.

“Not only did the first payload have shared code between the Axiom group and CCBkdr, but the second did as well.” reads the analysis published by Intezer.

The stage 2 payload contains a portion of code that is also found in APT17 malware and that isn’t included in any public repository.


“The author probably copied and pasted the code, which is what often happens to avoid duplicative efforts: rewriting the same code for the same functionality twice. Due to the uniqueness of the shared code, we strongly concluded that the code was written by the same attacker,” said Intezer.

The researchers concluded that the level of complexity of the attack suggests the involvement of a state-sponsored actor, likely the APT17 group.

“The complexity and quality of this particular attack has led our team to conclude that it was most likely state-sponsored. Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout that our technology was able to uncover,” concluded Intezer.

Iranian cyber spies APT33 target aerospace and energy organizations
21.9.2017 securityaffairs APT

The Iran-linked APT33 group has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.
According to security firm FireEye, a cyber espionage group linked to the Iranian Government, dubbed APT33, has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.

The APT33 group has been around since at least 2013; since mid-2016, it has targeted the aviation industry and energy companies with connections to petrochemical production.

“From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.” reads a blog post published by FireEye.

“During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.”

According to the experts, the APT33 group is gathering information on Saudi Arabia’s military aviation capabilities to gain insight into rivals in the Middle East.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” continues FireEye.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,”

The cyber spies leverage spear phishing emails sent to employees whose jobs are related to the aviation industry.


The recruitment-themed messages contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be of interest to the victims.

The experts noticed APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send phishing messages to targeted individuals in 2016.

The attackers set up several domains that appeared to belong to Saudi aviation firms and other companies that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the APT33 group includes a dropper dubbed DROPSHOT that has been linked to the wiper malware SHAPESHIFT, tracked by Kaspersky as StoneDrill, used in targeted attacks against organizations in Saudi Arabia. The arsenal of the group also includes a backdoor called TURNEDUP.

Kaspersky experts linked the StoneDrill malware to the Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.

The researchers identified an actor using the handle “xman_1365_x” that has been involved in the development and use of the TURNEDUP backdoor.

“Xman_1365_x was also a community manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we did not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist groups.” continues FireEye.

FireEye cited open source reporting that links the “xman_1365_x” actor to the “Nasr Institute,” which is the equivalent of Iran’s “cyber army” and is directly controlled by the Iranian government.