Category Archives: APT

Experts detailed new StrongPity cyberespionage campaigns

Experts at AT&T’s Alien Labs recently discovered an ongoing campaign conducted by StrongPity threat actor that abuses malicious WinBox installers to infect victims.

AT&T’s Alien Labs experts recently discovered an ongoing campaign conducted by StrongPity APT group that abuses malicious WinBox installers to infect victims.

The activity of the group was initially uncovered in 2016 when experts at Kaspersky observed the cyberespionage group targeting users in Europe, in the Middle East, and in Northern Africa. The group set up malicious sites mimicking legitimate ones to carry out watering holes to deliver tainted installers and malware.

The new campaign started in the second half of 2018, attackers used once again tainted version of popular software like WinRAR to compromise victims’ systems.

“Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples – we assess the campaign operated from the second half of 2018 into today (July 2019).” reads the analysis published by the researchers. “We have also identified StrongPity deploying malicious versions of the WinBox router management software, WinRAR, and other trusted software to compromise targets.”

The new malware samples analyzed in July 2019 appear to have been rebuild by the group in response to public reporting on the group’s activities. The analysis of compilation times, infrastructure build and use, and public distribution of samples allowed the experts to attribute the activity to StrongPity group.

One of the samples employed by the hackers in the recent campaign is a malicious installer for the WinBox, which is the management console for MikroTik’s RouterOS software.

The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the target’s machine.

winbox GUI StrongPity 2

The malware operates similarly to previously reported variants, it implements spyware capabilities and allows the attacker to get remote access to the compromised machine. The malicious code communicate with the command and control (C&C) infrastructure over SSL.

“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.

“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018,”

The APT group used also newer versions of tainted WinRAR software, as well as a tool called Internet Download Manager (IDM).

Experts were not able to exactly determine the delivery mechanism of the tainted installers, however, it is likely that methods used in past campaigns such as regional download redirecting from ISPs are still used.

The choice of using installers for software like WinRAR, WinBox, and IDM suggests that the StrongPity is continuing to target technically-oriented victims.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”

Pierluigi Paganini

(SecurityAffairs – StrongPity, APT)

The post Experts detailed new StrongPity cyberespionage campaigns appeared first on Security Affairs.

Turla APT group adds Topinambour Trojan to its arsenal

Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.

Security experts at Kaspersky revealed that the Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks since early 2019.

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.

Now Kaspersky published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan that was involved in targeted attacks since the beginning of this year. 

Topinambour is spread via tainted legitimate software installers, the dropper includes a tiny .NET shell that is used to deliver commands to the target machine and deliver other modules via SMB.

“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.

“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”

The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic. 

The tiny .NET shell dropped on the target system connects the C2 server and fetches the KopiLuwak dropper, that gains persistence and drops a JavaScript file that leads to the final stage Trojan.

Recent operations also involved another .NET Trojan along with the KopiLuwak JavaScript, it was called RocketMan and supports commands to download/upload a file, and to halt the Trojan activity. 

Hackers also used a PowerShell Trojan tracked as MiamiBeach, it differs from the RocketMan Trojan due to its ability to take a screenshot.

“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-knownpublicly discussed JavaScript versions.” concludes Kaspersky.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left,”

Pierluigi Paganini

(SecurityAffairs – Turla APT, Topinambour)

The post Turla APT group adds Topinambour Trojan to its arsenal appeared first on Security Affairs.

Sea Turtle Keeps on Swimming

By Danny Adamitis with contributions from Paul Rascagneres.

Executive summary

After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.

Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. This new technique has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain uses that particular country code, that access was used to then compromise additional government entities. Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent.

Read More >>

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.